What is the benefit of using Vlans in Cisco ASA/PIX?

Hi,

I've been configuring different sets of firewalls from different vendors, except Cisco ASA/PIX. I am currently working on a project for deploying and configuring a Cisco ASA 5510 appliance in routed L3 mode. I've read lots of articles and e-books on how to deal with the ASA. However, the thing that confuses me is why Cisco is using the concept of VLANs in its firewalls! Even though I have multiple VLANs in my switched network, I find it unnecessary to configure VLANs in the ASA.

The normal configuration that I used to do in any firewall is connecting an "inside" physical interface to the LAN switch and the "outside" interface to the gateway switch. Then, configure the firewall to reach the VLANs in the internal switch by using simple static routes. This way, the firewall is aware of the remote subnets or VLANs in the switch. The internal hosts' gateway would normally be the SVI or VLAN interface in each VLAN. A default route (or default gateway) is created in the internal switch pointing to the "inside" firewall interface.

So, the question: why do I need to create VLANs in the Cisco ASA/PIX to know about my internal VLANs? .... I believe there is a benefit to it, but it is not mentioned on any Cisco pages. Almost all the Cisco web pages I visited talk about configuration/know-how but not know-why.

Appreciate your quick response.

A.Y.
amyasseinAsked:
 
Ernie BeekExpertCommented:
No, it's not a performance benefit. It's a benefit from a security point of view. Instead of having all the VLANs behind the firewall, the firewall sits in between the VLANs, just like between the inside and the outside. That way you can profit from all the options of the firewall with regards to inspecting, controlling, protecting, etc.
If all VLANs are 'equal' then there might be no need for something like that.

Another thing I make use of after implementing the VLANs on my ASA is that I could easily set up a DHCP server for each VLAN (well, that's an advantage for me :).

On the other hand, if you just want to do inter-VLAN routing, it's better to do that on a Layer 3 switch.

So for one there are benefits to using VLANs; for others those might not be benefits at all. It depends on what you want to do; there is no single best solution.
0
 
Ernie BeekExpertCommented:
Well, one of the things we use it for is to configure multiple virtual interfaces (subinterfaces) on the same physical interface, thus extending the number of security zones (firewall "legs") on your network. Each subinterface belongs to a different Layer 2 VLAN, with a separate Layer 3 subnet.
That way we have the firewall in between the VLANs instead of only seeing them as remote subnets.
0
 
amyasseinAuthor Commented:
Hi,

Thanks for your response. I understand that, but again, what is the benefit? ... Is it a performance benefit because we are just using VLANs and not using routing, or what? ... In this case, the firewall will act as an L2 switch by forwarding frames instead of packets, am I right? ... Then what is the difference between this scenario and transparent mode? ... I am confused :)

Thanks
0
 
amyasseinAuthor Commented:
"Instead of having all the VLAN's behind the firewall, the firewall sits in between the VLAN's just like between the inside and the outside."

Does it mean I can use access lists in the ASA to protect access between VLANs? Why not then use access lists in the L3 switch instead? ... If this is the case, why does Cisco give you the option to configure a VLAN on the outside interface facing the internet cloud as well? ... Will hosts on the internet use VLANs? :)

"Another thing I make use of after implementing the VLANs on my ASA is that I could easily set up a DHCP server for each VLAN (well, that's an advantage for me :)."

Sorry, this answer is not related to my main question in the forum ("What is the benefit of using VLANs in ASA?") ... DHCP is not a direct benefit of using VLANs in the ASA. You can just as well use the L3 switch's DHCP server, which is better.

"On the other hand, if you just want to do inter-VLAN routing, it's better to do that on a Layer 3 switch."

Inter-VLAN routing is already enabled in my L3 switch, of course.


"So for one there are benefits to using VLANs; for others those might not be benefits at all. It depends on what you want to do; there is no single best solution."

I agree, but for sure Cisco made all these tailored features for the customers to provide benefits, not just to deploy a toy and have it work.

Thanks for your feedback.
0
 
arnoldCommented:
A broadcast packet cannot cross boundaries, including a VLAN's.
If you have 4 VLANs, you need to have a DHCP server on each VLAN.
The ASA can be configured to have a DHCP relay agent listening on each VLAN and then forward these requests to a single DHCP server with multiple scopes for the various segments.
Adding ACLs to the switch will add overhead, where each packet on the switch might be inspected. The ASA will only see/inspect packets that try to cross the VLAN boundaries.

Like anything, the price must match the value the item brings; you do not have to use the VLAN feature, you can make sure that the interfaces are members of the same primary VLAN.

0
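As an added example (not configuration posted by anyone in this thread), here is what Ernie's subinterface layout and arnold's per-VLAN DHCP relay look like in ASA syntax on one physical port: two VLANs, each its own security zone, with an ACL governing the traffic that crosses the boundary between them. The interface name, VLAN IDs, subnets and the DHCP/web server address are constructed values.

```cisco
! Added example: two VLAN subinterfaces on one ASA 5510 port, each its own
! security zone, an ACL between them, and DHCP relay per VLAN.
! All names, VLAN IDs and addresses are constructed for illustration.
!
! Parent port carries the 802.1Q trunk from the switch; it gets no
! nameif, security level or IP of its own.
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 10: user LAN, lower trust.
interface Ethernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.10.10.1 255.255.255.0
!
! VLAN 20: server segment, higher trust.
interface Ethernet0/1.20
 vlan 20
 nameif servers
 security-level 60
 ip address 10.10.20.1 255.255.255.0
!
! users (50) -> servers (60) is low-to-high, so the ASA drops it unless
! explicitly permitted. Allow only HTTPS to one server, block the rest
! of the server subnet, and let everything else (e.g. internet) through.
access-list USERS_IN extended permit tcp 10.10.10.0 255.255.255.0 host 10.10.20.5 eq 443
access-list USERS_IN extended deny ip any 10.10.20.0 255.255.255.0
access-list USERS_IN extended permit ip any any
access-group USERS_IN in interface users
!
! DHCP relay: broadcasts stop at the VLAN boundary, so relay the users
! VLAN's DHCP requests to the single server (10.10.20.5, reached via
! the "servers" interface) that holds a scope per segment.
dhcprelay server 10.10.20.5 servers
dhcprelay enable users
```

Once an access-group is bound to the users interface, the ACL's final implicit deny replaces the default high-to-low permit, so every cross-zone flow is decided by the list rather than by security levels alone.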
 
amyasseinAuthor Commented:
We are not talking about DHCP here.

Please double check the forum name before you post as it really frustrates me.
0
 
Ernie BeekExpertCommented:
Does it mean I can use access lists in the ASA to protect access between VLANs? Why not then use access lists in the L3 switch instead? ... If this is the case, why does Cisco give you the option to configure a VLAN on the outside interface facing the internet cloud as well? ... Will hosts on the internet use VLANs? :)
An ASA does more than just applying ACLs..... On the outside you can use VLANs to assign multiple interfaces to it, for load balancing for example.

Sorry, this answer is not related to my main question in the forum ("What is the benefit of using VLANs in ASA?") ... DHCP is not a direct benefit of using VLANs in the ASA. You can just as well use the L3 switch's DHCP server, which is better.
I know, but for me this is most certainly a benefit (some benefits are subjective) and better than a switch's DHCP :)

Inter-VLAN routing is already enabled in my L3 switch, of course.
.........

I agree, but for sure Cisco made all these tailored features for the customers to provide benefits, not just to deploy a toy and have it work.
Just keep in mind that there are lots of sites that do have an ASA but no L3 switches. If you have all the good stuff like you have ;) there is bound to be an overlap in functionality.
0
 
amyasseinAuthor Commented:
Arnold,

I know you are helping and I really thank you for your valuable feedback, but if Cisco knew that access lists would create overhead, they wouldn't have invented them in the first place in their ASA. About the broadcast, the ASA is already an L3 device which isolates networks, thus preventing broadcasts from passing. So, there will be no broadcast passing even if you don't configure VLANs in the ASA. I think there is another benefit behind it.

Thanks man
0
 
amyasseinAuthor Commented:
"there is bound to be an overlap in functionality."

What does that mean? ... The L3 switch that I am talking about is part of the infrastructure as a distribution L3 switch, and the ASA is connected to it. All sites should have this layer if we are talking about medium-size to enterprise level.

"An ASA does more than just applying ACLs..... On the outside you can use VLANs to assign multiple interfaces to it, for load balancing for example."

HAHA, you are still capable of doing load balancing using physical interfaces, not logical ones such as VLANs. However, this answer is very interesting because VLANs are useful if you have limited physical interfaces in your firewall; maybe it is one of the benefits. :))

Thanks man.
0
 
Ernie BeekExpertCommented:
What does that mean? ... The L3 switch that I am talking about is part of the infrastructure as a distribution L3 switch, and the ASA is connected to it. All sites should have this layer if we are talking about medium-size to enterprise level.

Hehehe, you'd be surprised...

HAHA, you are still capable of doing load balancing using physical interfaces, not logical ones such as VLANs. However, this answer is very interesting because VLANs are useful if you have limited physical interfaces in your firewall; maybe it is one of the benefits. :))

Well, I'm glad I can still make you smile. Well yeah, I have only six interfaces and about fifteen DMZs, so it's useful ;)
0
 
arnoldCommented:
The ACLs are there to provide access control lists; Cisco is fully aware that employing ACLs adds to the overhead (CPU/memory usage).
A benefit is usually seen in several ways rather than in a single option.

Those who can afford it, i.e. larger enterprises, will put an ASA/PIX between "sections" on their LAN.
I.e. they will limit what and from where access to the database servers is permitted, then they will have an application section, etc.
You could use a single ASA with VLANs to separate those sections; the issue then is whether the amount of data flowing through and between the segments can be handled by the ASA.
0
 
amyasseinAuthor Commented:
Sorry guys for the delay.

Any other suggestions you can share about this topic? ... I need to get the most out of this topic before I start my project.

Thx
A.Y.
0
 
QlemoBatchelor, Developer and EE Topic AdvisorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0