amyassein
asked on
What is the benefit of using Vlans in Cisco ASA/PIX?
Hi,
I've been configuring different sets of firewalls from different vendors, except Cisco ASA/PIX. I am currently working on a project for deploying and configuring a Cisco ASA 5510 appliance in routed L3 mode. I've read lots of articles and e-books on how to deal with the ASA. However, the thing that confuses me is why Cisco is using the concept of VLANs in its firewalls! Even though I have multiple VLANs in my switched network, I find it unnecessary to configure VLANs in the ASA.
The normal configuration that I used to do in any firewall is connecting an "inside" physical interface to the LAN switch and an "outside" interface to the gateway switch. Then, configure the firewall to reach the VLANs in the internal switch by using simple static routes. This way, the firewall is aware of the remote subnets or VLANs in the switch. The internal hosts' gateway would normally be the SVI or VLAN interface in each VLAN. A default route (or default gateway) is created in the internal switch to the "inside" firewall interface.
So, the question: why do I need to create VLANs in the Cisco ASA/PIX to know about my internal VLANs? .... I believe there is a benefit to it, but it is not mentioned in any Cisco pages. Almost all the Cisco website pages I visited talk about configurations/know-how but not know-why.
Appreciate your quick response.
A.Y.
ASKER
Hi,
Thanks for your response. I understand that, but again, what is the benefit? ... Is it a performance benefit because we are just using VLANs and not using routing, or what? ... In this case, the firewall will act as an L2 switch by forwarding frames instead of packets, am I right? ... Then what is the difference between this scenario and transparent mode? ... I am confused :)
Thanks
ASKER CERTIFIED SOLUTION
ASKER
"Instead of having all the VLAN's behind the firewall, the firewall sits in between the VLAN's just like between the inside and the outside."
Does it mean I can use access lists in the ASA to protect access between VLANs? Why not use access lists in the L3 switch instead? ... If this is the case, why does Cisco give you the option to configure a VLAN on the outside interface facing the internet cloud as well? ... Do hosts on the internet use VLANs? :)
"Another thing I make use of after implementing the VLANs on my ASA is that I could easily set up a DHCP server for each VLAN (well, that's an advantage for me :)."
Sorry, this answer is not related to my main question in the forum ("What is the benefit of using VLANs in ASA?") ... DHCP is not a direct benefit of using VLANs in the ASA. You can just use the L3 switch's DHCP server better.
"On the other hand, if you just want to do inter VLAN routing it's better to do that on a Layer 3 switch."
Inter-VLAN routing is already enabled in my L3 switch, of course.
"So for one there are benefits to using VLANs, for others those might not be benefits at all. It depends on what you want to do; there is no single best solution."
I agree, but for sure Cisco made all these tailored features for the customers to provide benefits, not just to deploy a toy and have it work.
Thanks for your feedback.
A broadcast packet cannot cross boundaries, including a VLAN.
If you have 4 VLANs, you need to have a DHCP server on each VLAN.
The ASA can be configured to have a DHCP relay agent listening on each VLAN and then forward these requests to a single DHCP server with multiple scopes for the various segments.
Adding ACLs to the switch will add overhead, where each packet on the switch might be inspected. The ASA will only see/inspect packets that try to cross the VLAN boundaries.
Like anything, the price must match the value the item brings. You do not have to use the VLAN feature; you can make sure that the interfaces are members of the same primary VLAN.
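As an added illustration of the setup this answer describes (not configuration posted by anyone in the thread), the ASA snippet below carries two constructed internal VLANs on 802.1Q subinterfaces of one physical port, restricts traffic that crosses the VLAN boundary with an ACL, and relays DHCP from the client VLAN to a single server. Interface names, VLAN numbers and all addresses are assumed.

```cisco
! Trunk port towards the L3 switch; the physical interface itself carries no IP
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! One subinterface per internal VLAN: each becomes a separate firewall interface
! with its own security level, so the ASA sits between the VLANs instead of
! only knowing them as remote subnets behind "inside"
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 60
 ip address 10.0.20.1 255.255.255.0
!
! Only packets leaving VLAN 10 through the ASA are evaluated against this ACL;
! traffic that stays inside VLAN 10 never reaches the firewall
access-list users_in extended permit tcp 10.0.10.0 255.255.255.0 host 10.0.20.5 eq 443
access-list users_in extended permit udp 10.0.10.0 255.255.255.0 host 10.0.20.10 eq domain
access-list users_in extended deny ip any any log
access-group users_in in interface users
!
! VLAN 10 has no local DHCP server: the ASA relays its broadcasts to the
! single server in VLAN 20, which holds one scope per VLAN; setroute makes
! the ASA subinterface address the clients' default gateway
dhcprelay server 10.0.20.10 servers
dhcprelay enable users
dhcprelay setroute users
```

In this layout hosts in VLAN 10 use 10.0.10.1 as their gateway, so the switch carries VLANs 10 and 20 as a plain L2 trunk towards the ASA rather than routing between them itself.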
ASKER
We are not talking about DHCP here.
Please double check the forum name before you post as it really frustrates me.
Does it mean I can use access lists in the ASA to protect access between VLANs? Why not use access lists in the L3 switch instead? ... If this is the case, why does Cisco give you the option to configure a VLAN on the outside interface facing the internet cloud as well? ... Do hosts on the internet use VLANs? :)
An ASA does more than just applying ACLs..... On the outside you can use VLANs to assign multiple interfaces to it, for load balancing for example.
Sorry, this answer is not related to my main question in the forum ("What is the benefit of using VLANs in ASA?") ... DHCP is not a direct benefit of using VLANs in the ASA. You can just use the L3 switch's DHCP server better.
I know, but for me this is most certainly a benefit (some benefits are subjective) and better than a switch's DHCP :)
Inter-VLAN routing is already enabled in my L3 switch, of course.
.........
I agree, but for sure Cisco made all these tailored features for the customers to provide benefits, not just to deploy a toy and have it work.
Just keep in mind that there are lots of sites that do have an ASA but no L3 switches. If you have all the good stuff like you have ;) there is bound to be an overlap in functionality.
ASKER
Arnold,
I know you are helping and I really thank you for your valuable feedback, but if Cisco knew that access lists would create overhead, they wouldn't have invented them in the first place in their ASA. About the broadcast, the ASA is already an L3 device which isolates networks, thus preventing broadcasts from passing. So, there will be no broadcast passing even if you don't configure VLANs in the ASA. I think there is another benefit behind it.
Thanks man
ASKER
"there is bound to be an overlap in functionality."
What does that mean? ... The L3 switch that I am talking about is part of the infrastructure as a distribution L3 switch, and the ASA is connected to it. All sites should have this layer if we are talking about medium size to enterprise level.
"An ASA does more than just applying ACLs..... On the outside you can use VLANs to assign multiple interfaces to it, for load balancing for example."
HAHA, you are still capable of doing load balancing using physical interfaces, not logical ones such as VLANs. However, this answer is very interesting because VLANs are useful if you have limited physical interfaces in your firewall; maybe it is one of the benefits. :))
Thanks man.
"What does that mean? ... The L3 switch that I am talking about is part of the infrastructure as a distribution L3 switch, and the ASA is connected to it. All sites should have this layer if we are talking about medium size to enterprise level."
Hehehe, you'd be surprised...
"HAHA, you are still capable of doing load balancing using physical interfaces, not logical ones such as VLANs. However, this answer is very interesting because VLANs are useful if you have limited physical interfaces in your firewall; maybe it is one of the benefits. :))"
Well, I'm glad I can still make you smile. Well yeah, I have only six interfaces and about fifteen DMZs, so it's useful ;)
SOLUTION
ASKER
Sorry guys for the delay.
Any other suggestions you can share about this topic? ... I need to get the most out of this topic before I start my project.
Thx
A.Y.
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
That way we have the firewall in between the VLANs instead of only seeing them as remote subnets.