New Member

Is it possible for SA540 to work in transparent bridge mode?

Hi all,

I've been considering using a Cisco SA540 in an industrial project; please consider the Scenario 1 and 2 files attached (bear with me - I'm an engineer, not an artist).

All networks mentioned in both scenarios are regular and well known Ethernet TCP/IP networks. The Corporate Network and Automation Network (including the DMZ) are in different subnets. The Corporate Network is the biggest one, similar to any company's corporate network you all know. The Automation Network exists for the purpose of operating and maintaining the industry process; it's smaller but highly critical. Only specific staff (automation staff and dedicated operators) have access to it. Although many devices and networks in the Automation Network are industry specific - not so well known, a small segment of it is plain Ethernet TCP/IP, as I've already stated. The Automation Network has a DMZ, where we lay servers that provide industry process information for the Corporate Network.

Scenario 2 may look at first glance like the best option, since it's simpler, doesn't require another router and benefits from Cisco SA540 support for both a LAN and a DMZ. The problem with Scenario 2 is the following:

  • Since both networks are maintained by different teams under different management, IT staff would have absolute control over the Cisco SA540. This way automation staff could not grant that the Automation Network is really protected from the Corporate Network.
  • IT staff may even demand another device to interface with the Automation Network - which is not Cisco SA540, since they rule everything that lives in the Corporate Network. In this case, I have my hands tied!

Scenario 1 solves the above problems. Since automation would have absolute control over the Cisco SA540, they could grant security for the Automation Network (except for DMZ, but that's the reason why it is called a DMZ!). IT staff could ask for any router they prefer to interface with the DMZ, I would never mind about it.

Considering the above, I will probably be forced to adopt Scenario 1 instead of Scenario 2. So here comes my question: is it possible for Cisco SA540 to work with the same subnet for both WAN and LAN interfaces (in Scenario 1, no DMZ interface is required)? In other words, is it possible for Cisco SA540 to work in transparent bridge mode? I've been through all of the Cisco SA540 Administration Manual and as far as I could understand, routing is not an option - it is demanding.

Although I understand I could adopt Scenario 1 and still have different subnets for DMZ and the rest of the Automation Network by connecting the DMZ to the WAN interface and the rest of the Automation Network to the LAN interface in the Cisco SA540, I believe it's not worth the effort. The Automation Network is so small and we do all we can to keep it as simple as possible.

Accepted Solutions
Green

Re: Is it possible for SA540 to work in transparent bridge mode?

Hello Adriano,

I tested your proposal, to have the LAN and WAN on the same public subnet with 128 available addresses.

Example:

WAN static: 45.67.123.127 / 25

LAN static: 45.67.123.2 / 25

LAN DHCP scope: 45.67.123.3~126 /25

After verifying the WAN interface is up, the local subnet did not work and is unable to route to the internet. So the device is not able to transparent bridge.

You may look into the RV0xx series, as they do have a transparent bridge function.

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
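Why a plan like the one tested cannot forward on a routing-only device, as an added example (not from the original thread or from Cisco): a Python check, run on the addresses from the post above, that flags routed interfaces sharing a subnet and interface addresses that are a subnet's network or broadcast address. The function name and the split /26 plan are assumptions made for illustration.

```python
import ipaddress

# Addressing plan as posted in the answer above.
TESTED_PLAN = {"WAN": "45.67.123.127/25", "LAN": "45.67.123.2/25"}
TESTED_DHCP = ("45.67.123.3", "45.67.123.126")

# Constructed alternative: the same /25 split into two /26 subnets.
SPLIT_PLAN = {"WAN": "45.67.123.126/26", "LAN": "45.67.123.2/26"}


def check_routed_plan(plan, dhcp_scope=None):
    """Return findings that stop a routing-only device from forwarding."""
    findings = []
    ifaces = {n: ipaddress.ip_interface(a) for n, a in plan.items()}
    names = sorted(ifaces)

    # A router picks an egress interface per destination subnet, so two
    # interfaces in overlapping subnets leave it no route between them.
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(
                    f"{a} and {b} overlap: {ifaces[a].network} / {ifaces[b].network}")

    # Network and broadcast addresses are not usable host addresses
    # (except on /31 and /32 prefixes, which are skipped here).
    for name, iface in ifaces.items():
        net = iface.network
        if net.prefixlen < net.max_prefixlen - 1:
            if iface.ip == net.network_address:
                findings.append(f"{name} {iface.ip} is the network address of {net}")
            elif iface.ip == net.broadcast_address:
                findings.append(f"{name} {iface.ip} is the broadcast address of {net}")

    # An interface address inside the DHCP pool can be leased to a client.
    if dhcp_scope:
        first, last = (ipaddress.ip_address(x) for x in dhcp_scope)
        for name, iface in ifaces.items():
            if first <= iface.ip <= last:
                findings.append(f"{name} {iface.ip} is inside the DHCP scope")
    return findings


if __name__ == "__main__":
    for line in check_routed_plan(TESTED_PLAN, TESTED_DHCP):
        print("FINDING:", line)
    print("split plan findings:", check_routed_plan(SPLIT_PLAN))
```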
5 REPLIES
New Member

Re: Is it possible for SA540 to work in transparent bridge mode?

Using alpha layer for the PNGs wasn't a happy choice. I've reattached the files in this post with no alpha layer.

Regards,

Adriano

New Member

Re: Is it possible for SA540 to work in transparent bridge mode?

Hi Thomas,

Thanks a lot for your reply. As I feared, it doesn't work.

I've checked your suggestion and took a look into the RV0xx family. Unfortunately it doesn't seem to have Gigabit interfaces, which is a must for me. Also the RV0xx family is much more about routing than security; I'm more interested in security features than in routing features.

I'm not familiar with all product families from Cisco, but my basic requirements for such a device are:

  • Transparent bridge mode firewall
  • Gigabit Ethernet interfaces
  • ~1 gigabit firewall throughput desirable, but not absolutely necessary
  • 19" rack mountable
  • Simple, easy-to-use and intuitive GUI for device configuration
  • Simplest solution possible, i.e. best cost-benefit

I believe now I may want to go with the ASA55xx family. I was afraid about the "Simple, easy-to-use and intuitive GUI for device configuration" concerning ASA55xx, but I just found out about ASDM, which seems to be a great solution. A quick glance at all models shows me ASA5512-X satisfies all my basic requirements.

Best regards,

Adriano

Green

Re: Is it possible for SA540 to work in transparent bridge mode?

Adriano, there is an RV042G, which supports the gig ports and an 800 Mbps NAT throughput. Here is the datasheet:

http://www.cisco.com/en/US/prod/collateral/routers/ps10907/ps9923/ps12262/data_sheet_c78-706724.html

If you are using a DSL connection, the SRP527/547 models may be an alternative. These models support the RFC 1483 Bridges EOA. Please note the SRP547 should be 10/100/1000. Also note the SRP521/541 are Fast Ethernet units and they do differ from the SRP527/547. The main selling point of these devices is the FXS/FXO ports. So this may also be a bit of an "unfocused" solution. But it's worth throwing the idea out there!

Here is the admin guide:

http://www.cisco.com/en/US/docs/voice_ip_comm/unified_communications/srp540_series/administration/srp500_AG_2567701.pdf

Here is the datasheet:

http://www.cisco.com/en/US/prod/collateral/voicesw/ps6790/gatecont/ps10500/data_sheet_c78-550705.pdf

-Tom Please mark answered for helpful posts http://blogs.cisco.com/smallbusiness/
New Member

Re: Is it possible for SA540 to work in transparent bridge mode?

Hello Thomas,

Once again, thanks for the valuable feedback. I'll make all necessary considerations to set up my final choice.

Regards,

Adriano
