I'm evaluating the ASA 5520 specifically for vLAN implementation. I create several vLAN logical interfaces and associated IPs on a single physical interface representing different internal client groups. Now if I set the Security Level to 0 for each vLAN then traffic can cross from one vLAN to another, which I don't want. Now, if I set the Security Level different for each vLAN interface then vLANs with higher levels can access lower ones but not vice versa; again, I don't want one vLAN to be able to access another.
To prevent this inter-vLAN communication must I create a security policy for each vLAN to stop it accessing every other vLAN? For 100 vLANs that's a lot of security policies to create! Or can I simply just turn off Security Levels on these logical vLAN interfaces?
If the individual VLANs cannot access each other, is there something you do want them to access? I don't believe you can turn off security levels. You could make all the VLAN interfaces have the same security level and do not enable the 'same-security-traffic permit inter-interface' command.
I would like by default to prevent all traffic between vLANs but then control what access one vLAN has to another, i.e., one vLAN hosts servers so client vLANs require access to certain ports in the server vLAN.
If I set all vLANs to the same Security Level and do not enable 'same-security-traffic permit inter-interface', then I am prevented from creating security policies under ASDM (to allow traffic from one vLAN to another) with a warning informing me that "No communication is allowed between two interfaces which have the same security level".
If I enable the 'same-security-traffic permit inter-interface', then vLANs with a higher Security Level than another vLAN have full unconstrained access, unless I create Security Policies to prevent this, which means a lot of security policies if you're using 100 vLANs.
I believe you need the (no nat-control) command which then does not require you to have the nat & global commands to pass the traffic, and it will pass the traffic based on the access-list configured, and it will nat them to the egress interface I believe...
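The thread above converges on one workable design: every VLAN sub-interface at the same security level, `same-security-traffic permit inter-interface` enabled so traffic is no longer blocked outright, and one short inbound ACL bound to each client VLAN interface. Because an ASA interface ACL ends with an implicit deny, each client VLAN then reaches only the listed server ports and nothing else, including the other client VLANs. The generator below is an added example, not code or configuration from any poster; the VLAN tags, interface names, subnets, port list and the `vlan<N>_in` ACL naming are constructed for illustration, and the `no nat-control` line is taken from the last reply rather than verified here.

```python
"""Generate an ASA configuration that isolates client VLANs from each other
while letting them reach chosen TCP ports on a single server VLAN.

Added example for the thread above, not from any poster. All VLAN numbers,
names and addresses are constructed; adjust them before use.
"""
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class Vlan:
    vlan_id: int   # 802.1Q tag on the trunk
    name: str      # ASA 'nameif' for the sub-interface
    network: str   # subnet address, e.g. "10.0.10.0"
    mask: str      # subnet mask
    gateway: str   # the ASA's own address inside the VLAN


def make_client_vlans(count: int, first_id: int = 10) -> List[Vlan]:
    """Constructed client VLANs: tag N lives in 10.0.N.0/24 (illustrative)."""
    return [
        Vlan(i, f"vlan{i}", f"10.0.{i}.0", "255.255.255.0", f"10.0.{i}.1")
        for i in range(first_id, first_id + count)
    ]


# Constructed server VLAN and the only ports clients may reach on it.
SERVER_VLAN = Vlan(200, "servers", "10.0.200.0", "255.255.255.0", "10.0.200.1")
SERVER_TCP_PORTS: Sequence[int] = (80, 443)


def subinterface(parent: str, v: Vlan, level: int) -> List[str]:
    """One 802.1Q sub-interface on the parent port; every VLAN gets the same level."""
    return [
        f"interface {parent}.{v.vlan_id}",
        f" vlan {v.vlan_id}",
        f" nameif {v.name}",
        f" security-level {level}",
        f" ip address {v.gateway} {v.mask}",
    ]


def client_acl(client: Vlan, server: Vlan, port_group: str) -> List[str]:
    """Inbound ACL for a client VLAN: permit only the allowed server ports.

    The explicit final deny restates the ASA's implicit deny so that hits
    (including attempts to reach other client VLANs) are logged."""
    acl = f"{client.name}_in"
    return [
        f"access-list {acl} extended permit tcp {client.network} {client.mask} "
        f"{server.network} {server.mask} object-group {port_group}",
        f"access-list {acl} extended deny ip any any log",
        f"access-group {acl} in interface {client.name}",
    ]


def build_config(parent: str, server: Vlan, clients: List[Vlan],
                 tcp_ports: Sequence[int] = SERVER_TCP_PORTS,
                 level: int = 50) -> List[str]:
    """Return the full configuration as a list of CLI lines."""
    lines = [
        # Equal levels alone block all traffic between the VLANs; this lets
        # it flow so that the per-interface ACLs below make the decision.
        "same-security-traffic permit inter-interface",
        # Mentioned in the last reply of the thread (pre-8.3 ASA code):
        # avoids needing nat/global statements before traffic will pass.
        "no nat-control",
        "object-group service SERVER-PORTS tcp",
    ]
    lines += [f" port-object eq {p}" for p in tcp_ports]
    lines += subinterface(parent, server, level)
    for c in clients:
        lines += subinterface(parent, c, level)
        lines += client_acl(c, server, "SERVER-PORTS")
    return lines


def access_group_count(lines: List[str]) -> int:
    """Number of interfaces that received an inbound ACL (one per client VLAN)."""
    return sum(1 for line in lines if line.startswith("access-group "))


if __name__ == "__main__":
    cfg = build_config("GigabitEthernet0/1", SERVER_VLAN, make_client_vlans(3))
    print("\n".join(cfg))
```

Each client VLAN still needs its own ACL, but it is three lines long and identical in shape, which is why a generator rather than hand entry is the practical answer to the "100 vLANs" concern. The server VLAN carries no inbound ACL in this example, so hosts there can still initiate connections towards the clients; bind a similar ACL to the `servers` interface if that direction should be restricted too.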