Securing Networks with PIX and ASA
VLANs: This topic explains the VLAN capabilities of Cisco security appliances. With Cisco PIX Security Appliance Software v6.3 and later, and Cisco PIX and ASA Security Appliance Software v7.0 and later, the administrator can either assign a VLAN to a physical interface of the security appliance or configure multiple logical interfaces on a single physical interface and assign each logical interface to its own VLAN.

A VLAN connects devices on one or more physical LAN segments so that they behave as though they were attached to the same physical LAN. Because the grouping is defined by logical (software) configuration rather than by physical cabling, VLANs are extremely flexible: which segments belong to which VLAN can be configured and reconfigured entirely through software.

Cisco PIX 500 Series Security Appliances (except the PIX 501, 506, and 506E) and Cisco ASA 5500 Series Adaptive Security Appliances support only IEEE 802.1Q VLANs. Specifically, they support multiple 802.1Q VLANs on one physical interface and can send and receive 802.1Q-tagged frames. VLANs are not supported on the Cisco PIX 501, 506, and 506E Security Appliances.

Cisco security appliances do not currently provide commands for configuring a LAN trunk (the physical and logical connection between two switches), because the security appliances do not negotiate trunks or participate in any bridging protocols. The security appliance simply presents its configured VLANs on the trunk, and it treats the state of the trunk as identical to the state of the underlying physical interface: if the physical Ethernet link is up, the security appliance considers the trunk up as soon as at least one VLAN has been assigned or configured on it. Likewise, a VLAN becomes active as soon as you assign or configure its VLAN identifier (ID) on the physical Ethernet interface of the security appliance.
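The following configuration, added here as an illustration and not taken from the course material, shows the v7.0-and-later form of the logical-interface model described above: one physical interface carries two 802.1Q subinterfaces, each bound to its own VLAN, with the parent interface left without a name or IP address so that it does not itself terminate untagged traffic. The interface name GigabitEthernet0/1, the VLAN IDs 100 and 200, the interface names inside and dmz, and the 10.1.x.0/24 addresses are assumed values chosen for the example; substitute your own.

```cisco
! Parent physical interface: bring the link up but give it no name, security level,
! or address, so only the tagged subinterfaces below carry traffic.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Logical interface for VLAN 100 (802.1Q tag 100) - example values
interface GigabitEthernet0/1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.1.100.1 255.255.255.0
!
! Logical interface for VLAN 200 (802.1Q tag 200) - example values
interface GigabitEthernet0/1.200
 vlan 200
 nameif dmz
 security-level 50
 ip address 10.1.200.1 255.255.255.0
```

Because the security appliance neither negotiates trunks nor runs bridging protocols, the adjacent switch port must be configured statically as an 802.1Q trunk (for example, `switchport mode trunk` with `switchport nonegotiate` on a Cisco Catalyst switch) and, as a least-privilege measure, should allow only the VLANs the security appliance actually terminates. Verify the result on the security appliance with `show interface` (or `show interface GigabitEthernet0/1.100`), which reports the VLAN ID and the up/down state of each logical interface; remember that, as noted above, a subinterface shows up as soon as its physical parent link is up and a VLAN ID is configured, regardless of whether the switch is actually passing that VLAN.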