Cisco ASA IPS inline in bridge mode on a trunked interface

Hi,

I'm trying to figure out how to deploy a Cisco ASA 5512-X IPS inline in bridge mode on an Ethernet trunked interface.

switch1--------------vlan10,20----------------ASA IPS--------------vlan10,20----------------switch2

I basically want to drop the IPS inline without changing the existing switch configuration. It works fine on a non-trunked interface, but when I configure it similar to the config below I hit the issue that I can't assign 2 separate interfaces to the same VLAN. The exact error is as follows:

ERROR: VLAN 10 has been assigned to another interface.

This is such a common scenario I can't imagine there isn't a solution, but I can't find one. Does anyone know?

Thanks in advance

interface Ethernet0/2.10
vlan 10
nameif INSIDETEN
security-level 100
bridge-group 10
!
interface Ethernet0/2.20
vlan 20
nameif INSIDETWENTY
security-level 100
bridge-group 20
!
interface Ethernet0/3.10
vlan 10
nameif OUTSIDETEN
security-level 0
bridge-group 10
!
interface Ethernet0/3.20
vlan 20
nameif OUTSIDETWENTY
security-level 0
bridge-group 20
!
interface BVI10
ip address x.x.x.x y.y.y.y

interface BVI20
ip address x.x.x.x y.y.y.y

It doesn't work, I can't configure the VLANs on two different interfaces.

ASA(config-subif)# vlan 10
ERROR: VLAN 10 has been assigned to another interface

1 REPLY
Cisco Employee

You can associate VLANs in pairs on a physical interface. This is known as inline VLAN pair mode. Packets received on one of the paired VLANs are analyzed and then forwarded to the other VLAN in the pair, but the ASA IPS modules (ASA 5500 AIP SSM, ASA 5500-X IPS SSP, and ASA 5585-X IPS SSP) do not support inline VLAN pairs. For more information you can check the following configuration guide.

http://www.cisco.com/c/en/us/td/docs/security/ips/7-1/configuration/guide/cli/cliguide71/cli_interfaces.html
