Pranay

Please bear with me as I want to understand this.

You have one switch and an ASA connected with two subinterfaces to that switch.

And you have two vlans eg. vlan 100 and 200 as in this example.

There is one IP subnet and for vlan 100 you have an SVI on the switch and some clients.

In vlan 200 you also have some clients and you want to firewall between the clients in vlan 100 and vlan 200.

There is no SVI for vlan 200.

The default gateway of all clients is the vlan 100 SVI IP address.

Will this work ?

Jon

okay I am my off-shift and can answer your queries with more clarity :-). So in your case do vlan 200 and vlan 100 have IP address from same subnet or different?

Same subnet and same default gateway but the default gateway is the SVI for vlan 100.

So clients in vlan 200 cannot go to that SVI directly ie they would have to go via the firewall.

Jon

this is exactly what i am trying to do but the other way round.... i was expecting subint and vlans with transparent mode to act like a bump which its not due to SVI on the switch...

for arguments sake i dont see it being a bad design when you are short of funds and ports on ASA, only option is to sub int the ports rather than spending $$ on new hardware. Would you try to work your way with the virtual [subint/vlan] technologies or rather spend on the hardware?

this is exactly what i am trying to do but the other way round

Yes, that's why I asked originally if there was a typo in your diagram before we got sidetracked :-)

I'm not entirely convinced me and Pranay are answering the same scenario which is why I am trying to clarify as much for my own understanding as anything else.

I assumed it was because of subinterfaces but in the last scenario Pranay posted the ping worked suggesting the ASA can pass traffic between subinterfaces in transparent mode.

The client to client ping didn't work as I understand it because all clients are in the same vlan ie. vlan 100 so the traffic never goes to the firewall.

That was why I asked about the setup ie. all clients in the same vlan because then you wouldn't need transparent mode and actually it wouldn't work.

Pranay obviously knows this better than I do so we'll wait on his response.

Jon

Okay so lets discuss the use of subinterface from ASA point of view first.

the subinterface with vlan in transparent mode is only used for carrying traffic from one interface and pass it on to other interface. It doesn't exactly work like switch where traffic received on one vlan will be only passed in same vlan. To avoid the confusion Cisco now term it as BVI. Where you can keep two separate vlan under same BVI. What this does it say I have following configuation on ASA

interface gi0/1.100

   vlan 100

   nameif inside

  bridge-group 10

interface gi0/1.200

  vlan 200

  bridge-group 10

  nameif outside

So this BVI interface bridges between vlan 100 and 200. It means if traffic is coming from vlan 100, ASA switches vlan 100 with vlan 200 and forwards the traffic

so there points to remember

1) transparent firewall is a switch with two interface with layer 2 capability.

2) transparent firewall cannot be used for routing

3) transparent firewall cannot do U-TURN of traffic (if you will do a "same-secuirty traffic permit intra-interface " it will give you error)

Now coming to the topic of discussion.

                                                                  vlan 200, vlan 100                           

                 client 1 (vlan 100)------  switch  -----------------------gi0/1 ASA

               10.x.10.100 /24)                 |               trunk

                                                          |

                                                          |                            

                           client 2 (vlan 200)  10.x.10.200/24

okay now 10.x.10.100 has to ping 10.x.10.200

1) Client find the destination is same network. So no question of default gateway coming into picture.  client 1 will try to find mac address of client 2. Hence it will send an arp broadcast

2) Switch receives  arp broadcast on vlan 100. Switch sends this broadcast to all interface which is in vlan 100 (this is important). On the trunk link switch will add vlan tag 100 in broadcast mac address.

3) ASA will receive  this broadcast and since it is mac with vlan tag 100, it it will mark it in inside interface.

here ASA will have the information

inside mac address of client

4) Now since it is BVI, so ASA will simply change the broadcast mac with vlan 200.

5) When the switch will get this brodcast, since it has received it from vlan 200. So it will forward it out of all interface with vlan 200.  (This is where in Amar's case since there is no interface in vlan 200, ARP dies here.)

6) Client 2 will now receive arp broadcast opens it and finds it related to it.

This procedure will be repeated since client 2 also needs client 1 mac address.

Any other questions?

Any other questions?

So are you saying the scenario I posted will work ?

I know Amar's didn't because there were no clients in vlan 200 in his scenario but I'm talking about the specific scenario I posted.

Jon

yes, if he is ready to put host in vlan 200 it will. However the question is it will only work when a host from vlan 100 will try to ping in vlan 200. For same vlan traffic won't  go through firewall. which was the case earlier.

Pranay

Firstly thanks for taking the time to work this through with me as I wanted to make sure I really understood it.

I think all the confusion I had came from this in an earlier post when I responded to you and said -

just to clarify, if the diagram is wrong and the 10.x.100.20 client is in vlan 200 then it should work shouldn't it ? 

and you said no it wouldn't work which lead me off into all these threads :-)

No criticism intended at all, I am just trying to explain why I kept pestering you about how it worked because I thought my understanding of how the ASA works in transparent mode all this time had been wrong.

I think we just interpreted the original question differently from each other.

Jon

ya may be I was responding from office so I missed few points which lead to this, I was answering it in perspective. As diagram was bit confusing initially. Bur I think now things should be clear.

I am happy that you gave me time to explain.

Thanks a lot

however, have you thought about it. if we make this design what will be the svi 200 IP address which will be act as default gateway of host in vlan 200. I don't think switch will allow two svi IP in same subnet

well we can discuss that later on....Though this confirms my apprehension of bad design.

I'm logging off now as it's late where I am.

I'm not sure how this is bad design other than the fact it is using subinterfaces rather than physical ones which I still don't quite follow.

Unless you mean using one switch but in effect this is exactly how an FWSM would act in transparent mode on a 6500 so I can't see what adding another switch to the equation would bring.

But then there's an awful lot of things I don't know (a lot more than I know !) so always open to other opinions.

Once again, many thanks for your time.

Jon