VLANs: This topic explains the VLAN capabilities of Cisco security appliances. With Cisco PIX Security Appliance Software v6.3 and higher and Cisco PIX and ASA Security Appliance Software v7.0 and higher, the administrator can assign VLANs to physical interfaces on the security appliance or configure multiple logical interfaces on a single physical interface and assign each logical interface to a specific VLAN. A VLAN connects devices on one or more physical LAN segments so that the VLAN can act as though it is attached to the same physical LAN. VLANs make this connection based on logical (software) connections instead of physical connections, which makes them extremely flexible because you can configure and reconfigure which segments belong to which VLAN entirely through software. Cisco PIX Series 500 Security Appliances (except for the 501, 506, and 506E) and Cisco ASA 5500 Series Adaptive Security Appliances support only 802.1q VLANs. Specifically, they support multiple 802.1q VLANs on a physical interface and the ability to receive and send 802.1q-tagged packets. VLANs are not supported on the Cisco PIX 501, 506, and 506E Security Appliances. Cisco security appliances do not currently support executable commands for LAN trunks (the physical and logical connection between two switches) because the security appliances do not negotiate or participate in any bridging protocols. The security appliances display the VLANs only on the LAN trunk. It considers the state of the LAN trunk to be the same as the state of the physical interface. If the link is up on the physical Ethernet, then the security appliance considers the trunk as up as soon as a VLAN has been assigned or configured for it. Additionally, the VLAN is active as soon as you assign or configure a VLAN identifier (ID) on the physical Ethernet interface of the security appliance.

Security Context Overview: This topic provides an overview of security contexts. You can partition a single security appliance into multiple virtual firewalls, known as security contexts. Each context is an independent firewall, with its own security policy, interfaces, and administrators. Having multiple contexts is similar to having multiple stand-alone firewalls. Each context has its own configuration that identifies the security policy, interfaces, and almost all the options you can configure on a stand-alone firewall. If desired, you can allow individual context administrators to implement the security policy on the context. Some resources are controlled by the overall system administrator, such as VLANs and system resources, so that one context cannot affect other contexts inadvertently. The system administrator adds and manages contexts by configuring them in the system configuration, which identifies basic settings for the security appliance. The system administrator has privileges to manage all contexts. The system configuration does not include any network interfaces or network settings for itself; rather, when the system needs to access network resources (such as downloading the contexts from the server), it uses one of the contexts that is designated as the admin context. The admin context is just like any other context, except that when a user logs into the admin context, that user has system administrator rights and can access the system execution space and all other contexts. Typically, the admin context provides network access to network-wide resources, such as a syslog server or context configuration server.