topic Issue configuring multiple ISPs under subinterfaces in Network Security

Issue configuring multiple ISPs under subinterfaces

Stephen Fung — Tue, 12 Mar 2019 09:16:05 GMT

Hi guys,

Background: 2 Cisco 2911 for two ISPs -> two physical ports on a Cisco 2960 switch -> a single port on ASA5520

I am running out of ports on a the ASA so I am thinking if i could do this the following way:

----------------------------
ON ASA
----------------------------

interface GigabitEthernet0/1
no ip address
duplex auto
speed auto
!
interface GigabitEthernet0/1.1
description ISP1
encapsulation dot1Q 1
nameif OUTSIDE
ip address 202.X.X.100 255.255.255.0
!
interface GigabitEthernet0/1.11
description ISP2
encapsulation dot1Q 11
nameif OUTSIDE11
ip address 102.X.X.100 255.255.255.0
!

---------------------------
ON SWITCH
---------------------------

interface GigabitEthernet1/0/1
description to ASA GE01
switchport trunk allowed vlan 1,11
switchport mode trunk
!
interface GigabitEthernet1/0/10
description ISP1
switchport mode access
switchport access vlan 1
!
interface GigabitEthernet1/0/20
description ISP2
switchport mode access
switchport access vlan 11
!
interface vlan 1
ip address 202.X.X.99 255.255.255.0
!
interface vlan 11
ip address 102.X.X.99 255.255.255.0
!

However, I am not able to ping each other after configuring the vlans and the subinterfaces.

Any comment would be appreciated.

Thanks,
Stephen

On Cisco ASA, the

Ajay Saini — Tue, 25 Apr 2017 18:04:48 GMT

On Cisco ASA, the subinterface should have 'vlan x' parameter. Could you please try not add the config as per below example and test:

interface GigabitEthernet0/0

no shut

interface GigabitEthernet0/0.100

vlan 100

nameif inside

security-level 100

ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2

interface GigabitEthernet0/0.200

vlan 200

nameif dmz

security-level 50

ip add 192.168.10.1 255.255.255.0 standby 192.168.10.2

Please update the post once you have the results.

As AJ mentioned the vlan

cofee — Wed, 26 Apr 2017 01:31:48 GMT

As AJ mentioned the vlan syntax under ASA sub interfaces appear to be incorrect. Can you Ping SVIs locally from the switch? If not make sure that both SVIs are up up "sh ip int brief". Is there a specific reason that you created SVIs for both vlans on your edge switch?