Switch vs. ASA
- Separate VLAN
If the same switch is used by the ASA for both the outside and inside connections, then separate VLANs must be used for the outside and inside interfaces.
If different switches are used by the ASA, then the same VLAN ID can be used for the inside and outside interfaces.
The principle is to make sure the ASA is the only path for traffic to flow through, and that it is not bypassed through the switch.
- Unknown frame flooding process
-Switch floods the frame to all ports of the same VLAN.
-ASA takes advantage of the ARP process to figure out the MAC: it forwards the frame if the MAC is known, or drops it if unknown.
- Spanning-Tree
-Switch participates in STP by default to prevent L2 loops.
-ASA does not participate in STP, thus L2 loop prevention must be made/confirmed manually.
- Level of frame processing
-Switch forwards/filters frames at L2.
-ASA forwards frames at L2 but filters/manipulates them from L2 through L7.
Restrictions of TP (transparent) mode
■ Supports only two interfaces (physical or VLAN).
■ IPsec VPN and WebVPN are not supported.
■ CDP (Cisco Discovery Protocol) and IPv6 packets are dropped.
■ Ethernet frames that don't have a valid EtherType (greater than or equal to 0x600) are dropped;
an exception can be made with an EtherType ACL.
■ NAT is not supported until version 8.
■ QoS with LLQ is not supported as a policy.
■ Routing is unsupported.
ARP inspection
- ARP packets are allowed by default.
- It solves the problem caused by spoofed ARP replies or rogue gratuitous ARP.
- ARP inspection is enabled on an interface-by-interface basis.
- A packet is dropped when the ARP reply carries an incorrect IP-MAC combination, or a source MAC arriving on the wrong interface.
Configuration
Enable transparent mode
asa(config)#firewall transparent
asa#show firewall
Configuring management IP
asa(config)# ip address IP_address [subnet_mask] [standby IP_address]
MAC address table manipulation
asa# show mac-address-table
asa(config)# mac-address-table aging-time minutes
asa(config)# mac-address-table static logical_if_name mac_address
asa(config)# mac-learn logical_if_name disable
Ether-type ACL (non-IP traffic)
asa(config)# access-list ACL_ID ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_#_of_protocol} [log]
ARP Inspection
asa(config)# arp-inspection logical_if_name enable [flood | no-flood]
asa(config)# arp logical_if_name IP_address MAC_address
asa# show arp-inspection
asa# show arp
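As an added illustration (not ASA code) of the ARP inspection rules described above and of what the arp / arp-inspection commands configure: a small model that takes a static ARP table, the per-interface enable and flood/no-flood setting, and an incoming ARP reply, and returns the verdict. The interface names, IP addresses and MAC addresses are constructed sample values.

```python
# Model of ASA transparent-mode ARP inspection (added example, constructed data).
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    iface: str        # interface the ARP reply arrived on
    sender_ip: str    # sender protocol address in the reply
    sender_mac: str   # sender hardware address in the reply


# Static bindings, as created by "arp <if> <ip> <mac>" (constructed values)
STATIC_ARP = {
    "10.0.0.1": ("outside", "0011.2233.4455"),
    "10.0.0.10": ("inside", "0011.2233.aaaa"),
}

# Per-interface state, as set by "arp-inspection <if> enable [flood|no-flood]"
ARP_INSPECTION = {
    "inside": {"enabled": True, "flood": False},   # no-flood: unknown IPs dropped
    "outside": {"enabled": True, "flood": True},   # flood: unknown IPs flooded
}


def inspect(reply: ArpReply, static=STATIC_ARP, cfg=ARP_INSPECTION) -> str:
    """Return 'forward', 'flood' or 'drop' for one ARP reply."""
    state = cfg.get(reply.iface, {"enabled": False, "flood": True})
    if not state["enabled"]:
        return "forward"          # inspection off: ARP is allowed by default
    entry = static.get(reply.sender_ip)
    if entry is None:
        # No static binding for this IP: flood / no-flood decides the fate
        return "flood" if state["flood"] else "drop"
    expected_iface, expected_mac = entry
    if reply.sender_mac.lower() != expected_mac.lower():
        return "drop"             # IP-MAC mismatch: spoofed or rogue reply
    if reply.iface != expected_iface:
        return "drop"             # correct MAC, but seen on the wrong interface
    return "forward"              # matches the static binding


if __name__ == "__main__":
    samples = [
        ArpReply("outside", "10.0.0.1", "0011.2233.4455"),   # legitimate
        ArpReply("outside", "10.0.0.1", "dead.beef.0000"),   # spoofed MAC
        ArpReply("inside", "10.0.0.1", "0011.2233.4455"),    # wrong interface
        ArpReply("inside", "10.0.0.99", "0000.0000.0001"),   # unknown, no-flood
    ]
    for s in samples:
        print(s.iface, s.sender_ip, s.sender_mac, "->", inspect(s))
```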