topic ASA behind ASR design question in Network Security https://community.cisco.com/t5/network-security/asa-behind-asr-design-question/m-p/2864787#M158862 <P>Hi,</P> <P>I have two ASAs in active/passive failover mode behind a pair of two ASR1001 edge router.</P> <P>Therefore both ASAs need a link to both routers and in case of failover the IP moves to</P> <P>the standby box. So to establish OSPF neighborship it needs on both&nbsp;ASRs two L2 trunk links I think to both ASAs. But on the ASR it's</P> <P>not possible to create a interface vlan like on a Cat6500 or so.</P> <P>With int gi0/1.&lt;vlanid&gt; and int gi0/2.&lt;vlanid&gt; it does not work because only one interface</P> <P>can be assigned an IP in the same subnet. I also tried to establish a port channel from the ASR to the active and standby ASA but</P> <P>that also does not seem to work.</P> <P>Can anyone give me a hint how to do design that?</P> <P>Many thanks,</P> <P>Chris</P> <P></P> Tue, 26 Mar 2019 00:58:16 GMT Christian Boesch 2019-03-26T00:58:16Z ASA behind ASR design question https://community.cisco.com/t5/network-security/asa-behind-asr-design-question/m-p/2864787#M158862 <P>Hi,</P> <P>I have two ASAs in active/passive failover mode behind a pair of two ASR1001 edge router.</P> <P>Therefore both ASAs need a link to both routers and in case of failover the IP moves to</P> <P>the standby box. So to establish OSPF neighborship it needs on both&nbsp;ASRs two L2 trunk links I think to both ASAs. But on the ASR it's</P> <P>not possible to create a interface vlan like on a Cat6500 or so.</P> <P>With int gi0/1.&lt;vlanid&gt; and int gi0/2.&lt;vlanid&gt; it does not work because only one interface</P> <P>can be assigned an IP in the same subnet. I also tried to establish a port channel from the ASR to the active and standby ASA but</P> <P>that also does not seem to work.</P> <P>Can anyone give me a hint how to do design that?</P> <P>Many thanks,</P> <P>Chris</P> <P></P> Tue, 26 Mar 2019 00:58:16 GMT https://community.cisco.com/t5/network-security/asa-behind-asr-design-question/m-p/2864787#M158862 Christian Boesch 2019-03-26T00:58:16Z You'll need a switch on which https://community.cisco.com/t5/network-security/asa-behind-asr-design-question/m-p/2864788#M158868 <P>You'll need a switch on which you can create a VLAN so you can have all four interfaces in the same layer 2 domain.</P> Thu, 03 Mar 2016 07:58:15 GMT https://community.cisco.com/t5/network-security/asa-behind-asr-design-question/m-p/2864788#M158868 Philip D'Ath 2016-03-03T07:58:15Z