Cisco Support Community

New Member

Transparent Firewall on Trunk Links

Can we implement the ASA firewall in transparent mode between trunk links? For example, I have a trunk link between an L2 and an L3 switch. Can I put the ASA firewall between them? Is there any special configuration needed?

4 REPLIES

Re: Transparent Firewall on Trunk Links

Hi,

Yes, you can insert the ASA between the switches and have it act as a Layer 2 firewall.

You'll need to issue the 'firewall transparent' global config command. Note that this command will automatically clear all existing config.

Sent from Cisco Technical Support iPhone App

Re: Transparent Firewall on Trunk Links

Hello avilt,

As John said you can place it in transparent mode.

As a quick reminder, there is no need to use an EtherType ACL to allow BPDU packets, as they are allowed by default (CDP and IPv6 packets are not).

So Spanning Tree will still run between the trunk links through the ASA.

Any other question you have let us know!

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
New Member

Transparent Firewall on Trunk Links

I have tried this in a lab environment and it is not working at all. The trunk link carries traffic for multiple VLANs, and each packet is tagged with a VLAN number. How can the firewall in transparent mode inspect the VLAN-tagged traffic?

The same setup with a normal LAN link works fine.

VIP Green

Transparent Firewall on Trunk Links

To my understanding you will need to create multiple subinterfaces on each link on the transparent firewall, and associate each of those subinterfaces with the respective VLAN, and (I believe) you need to associate a separate BVI interface for each subinterface... though this I am a little unsure of.

Once this is done, traffic should pass as expected.

--
Please remember to rate and select a correct answer
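To make the subinterface-per-VLAN approach from the thread concrete, here is an added configuration example; it is not from any of the posters above or from Cisco documentation, and it assumes ASA 8.4-or-later transparent-mode syntax (one bridge group per VLAN, with its own BVI). The interface names, VLAN IDs (10 and 20) and the 192.0.2.0/24 management addresses are constructed for illustration only and must be adapted to the real trunk.

```text
! Switch to transparent (Layer 2) mode. As noted in the thread, this
! clears the existing configuration, so do it on a fresh or backed-up box.
firewall transparent
!
! Physical trunk-facing interfaces carry only tagged subinterfaces,
! so they get no nameif of their own.
interface GigabitEthernet0/0
 description Trunk toward the L2 switch (assumed)
 no nameif
 no shutdown
!
interface GigabitEthernet0/1
 description Trunk toward the L3 switch (assumed)
 no nameif
 no shutdown
!
! VLAN 10: one subinterface per side, both members of bridge-group 10.
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside-v10
 bridge-group 10
 security-level 100
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif outside-v10
 bridge-group 10
 security-level 0
!
! VLAN 20: same pattern, separate bridge-group 20.
interface GigabitEthernet0/0.20
 vlan 20
 nameif inside-v20
 bridge-group 20
 security-level 100
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif outside-v20
 bridge-group 20
 security-level 0
!
! Each bridge group has its own BVI management address (constructed values).
! The ASA does not route between bridge groups; the L3 switch still does that.
interface BVI10
 ip address 192.0.2.10 255.255.255.0
!
interface BVI20
 ip address 192.0.2.20 255.255.255.0
!
! Per-VLAN IP policy: the same ACL can be reused or split per VLAN.
! BPDUs pass without an EtherType ACL, so STP keeps running across the ASA.
access-list V10-IN extended permit tcp any any eq 443
access-list V10-IN extended deny ip any any log
access-group V10-IN in interface inside-v10
```

Every VLAN that is allowed on the trunk needs its own subinterface pair and bridge group; a VLAN tag the ASA has no subinterface for is simply dropped, which is the behaviour the lab test in the thread ran into. After applying this, `show bridge-group` and `show interface ip brief` are the first things to check.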
