Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA vLAN implementation

I'm evaluating the ASA 5520 specifically for vLAN implementation. I create several vLAN logical interfaces and associated IPs on a single physical interface representing different internal client groups. Now if I set the Security Level to 0 for each vLAN then traffic can cross from one vLAN to another which I don't want. Now, if I set the Security level different for each vLAN interface then vLANs with higher levels can access lower ones but not vica versa, again I don't want one vLAN to be able to access another.

To prevent this inter-vLAN communication must I create a security policy for each vLAN to stop it accessing every other vLAN ? For 100 vLANs thats a lot of security policies to create ! Or can I simply just turn of Security Levels on these logical vLAN interfaces ?

Any help/direction appreciated.

New Member

Re: ASA vLAN implementation

If the individual VLANs cannot access each other, is there something you do want them to access? I don't believe you can turn off security levels. You could make all the VLAN interfaces have the same security level and do not enable the "same-security-traffic permit inter-interface' command.

New Member

Re: ASA vLAN implementation

I would like by default to prevent all traffic between vLANs but then control what

access one vLAN has to another, i.e., one vLAN hosts servers so client vLANs require

access to certain ports in the server vLAN.

If I set all vLANs to the same Security Level and do not enable 'same-security-traffic permit inter-interface', then I am prevented from creating security policies under ASDM (to allow traffic from one vLAN to another) with a warning informing me that "No communication is allowed between two interfaces which have the same security level".

If I enable the 'same-security-traffic permit inter-interface', then vLANs with a higher Security Level to another vLAN have full unconstrained access, unless I create Security Policies to prevent this, a lot of security policies if you're using 100 vLANs.


Re: ASA vLAN implementation

Hi Paul,

I believe you need the (no nat-control) command which then does not require you to have the nat & global commands to pass the traffic, and it will pass the traffic based on the access-list configured, and it will nat them to the egress interface I believe...

I hope this helps, please rate if it does!

CreatePlease login to create content