Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1049
Views
0
Helpful
4
Replies

Transparent Firewall on Trunk Links

avilt
Level 3
Level 3

‎01-04-2014 02:10 AM - edited ‎03-11-2019 08:24 PM

Can we implement the ASA firewall in transparent mode in between the trunk links? Example I have a trunk link between L2 and L3 switch. Can I put the ASA firewall in between them? Is there any special configuration needed?

1 person had this problem
Labels:
0 Helpful
4 Replies 4

johnlloyd_13
Level 9
Level 9

‎01-04-2014 04:35 AM

Hi,

Yes, you can insert the ASA between the switches and act as a Layer 2 firewall.

You'll need to issue the 'firewall transparent' global config command. Note this command will auto clear all existing config.

Sent from Cisco Technical Support iPhone App

0 Helpful

Julio Carvajal
VIP Alumni
VIP Alumni

‎01-04-2014 12:34 PM

Hello avilt,

As John said you can place it in transparent mode.

As a quick reminder there is no need to use a Ether-Type ACL in order to allow BPDU packets as they are allowed by default (CDP and IPv6 packets are not).

So Spanning-tree will still be used between the trunk links through the ASA.

Any other question you have let us know!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

avilt
Level 3
Level 3
In response to Julio Carvajal

‎02-07-2014 01:14 PM

I have tried this in a lab environment and it is not at all working. The trunk link carries multiple vlan traffic and each packet is tagged with vlan number. How can the firewall in transparent mode inspect the vlan tagged traffic?

The same setup with normal lan link works fine.

0 Helpful

Marius Gunnerud
VIP
VIP
In response to avilt

‎02-08-2014 12:36 PM

to my understanding you will need to create multiple subinterfaces on each link on the transparent firewall, and associate each of those subinterfaces with the respective VLAN and (i believe) you need to associate a seperate BVI interface for each subinterface...though this I am a little unsure of.

Once this is done, traffic should pass as expected.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card