11-29-2013 12:49 AM - edited 03-11-2019 08:10 PM
Hi All,
We have one ASA 5505 and a pair of Cisco 2960S switches connected in a stack.
We would like to connect one interface of the ASA to switch1 and another interface to switch2 for redundancy purposes; switch1 and switch2 are in a stack.
I've read that the ASA 5505 does not support EtherChannel or redundant interfaces.
How can we proceed to have redundancy on the inside link?
Best Regards.
11-30-2013 02:39 PM
You could connect each switch to a separate interface on the 5505 and trunk the connections (you can only configure trunks if you have the Security Plus license). Then connect two links between the switches and configure them in an EtherChannel and trunk them. This should give you the redundancy you are looking for.
Otherwise you will need to upgrade to an ASA hardware that supports ether-channels and redundant interfaces, 5512 or higher.
--
Please remember to rate and select a correct answer.
11-30-2013 11:36 PM
Hello,
Remember that the ASA 5505 has an embedded switch on it so let's say you have an INSIDE and OUTSIDE VLAN.
So totally agree with Marius here.
SWITCH 1 ________TRUNK_________ Port1
   |                              |  ASA
   |                              |
SWITCH 2 ________TRUNK_________ Port2
Run the Port-Channel between the switches and let Spanning-Tree do its part.
Configure a logical interface on the ASA and configure the L2 ports as trunks.
For this you will need the security plus as mentioned by Marius.
Note: The other way would be getting a second box to run active/standby
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-01-2013 11:12 PM
Hi all,
Thanks for your advice.
We've just upgraded the license to Security Plus. We've noticed that if the interface between the switch and the firewall is configured as a trunk, we cannot reach the gateway (VLAN configured in the ASA) from a PC connected to the switch.
When it is configured as access, the ping responds.
How can we solve this issue?
Best Regards.
12-01-2013 11:19 PM
Hello,
Great to hear that we are moving forward
Can you share the ASA configuration?
Rate all of the helpful posts!!!
Regards,
Jcarvaja
Follow me on http://laguiadelnetworking.com
12-01-2013 11:44 PM
As Julio mentioned, we would need to see the full sanitized configuration of the ASA to be able to further help you.
--
Please remember to rate and select a correct answer
12-02-2013 12:44 AM
Hi,
Please find below the configuration of the ASA.
**************************************
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 description Test LAN
 switchport trunk allowed vlan 1,20,22
 switchport mode trunk
!
interface Ethernet0/7
 description Test LAN Backup
 switchport trunk allowed vlan 1,20,22
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
global (inside) 1 192.168.1.150-192.168.1.200 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
**************************************
When we connect the cable between the switch and the ASA to e0/2, we can ping the gateway, but when we connect it to e0/6, the ping does not respond.
Best Regards
12-02-2013 12:54 AM
You need to add the native VLAN configuration to the interfaces. Assuming you are using the default native VLAN on the switches, add the following command to the interfaces (change the native VLAN ID if required):
switchport trunk native vlan 1
--
Please remember to rate and select a correct answer
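A way to check a saved ASA 5505 configuration for the condition the reply above addresses, as an added example that is not part of the original thread: it flags trunk ports that allow the switch's native VLAN but do not declare it with `switchport trunk native vlan`. The sample text is constructed from the two trunk ports posted above plus a hypothetical Ethernet0/5 that already has the fix; the function names and the `peer_native` parameter (the VLAN the switch is assumed to send untagged) are assumptions.

```python
import re

# Constructed sample: the trunk ports posted above (descriptions omitted) plus
# a hypothetical Ethernet0/5 that already carries the suggested command.
SAMPLE = """\
interface Ethernet0/5
 switchport trunk allowed vlan 1,20,22
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/6
 switchport trunk allowed vlan 1,20,22
 switchport mode trunk
!
interface Ethernet0/7
 switchport trunk allowed vlan 1,20,22
 switchport mode trunk
"""

def expand(spec):
    """Turn a VLAN list such as '1,20-22' into {1, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def native_vlan_mismatches(config, peer_native=1):
    """Trunk ports that allow peer_native without declaring it as native."""
    ports, name = {}, None
    for line in config.splitlines():
        if m := re.match(r"interface (\S+)", line):
            name = m.group(1)
            ports[name] = {"trunk": False, "allowed": set(), "native": None}
        elif name is None:
            continue  # global command before any interface stanza
        elif line.strip() == "switchport mode trunk":
            ports[name]["trunk"] = True
        elif m := re.match(r"\s*switchport trunk allowed vlan (\S+)", line):
            ports[name]["allowed"] |= expand(m.group(1))
        elif m := re.match(r"\s*switchport trunk native vlan (\d+)", line):
            ports[name]["native"] = int(m.group(1))
    return [n for n, p in ports.items()
            if p["trunk"] and peer_native in p["allowed"] and p["native"] != peer_native]

if __name__ == "__main__":
    print(native_vlan_mismatches(SAMPLE))
```

Pass a different `peer_native` if the switch trunks use a native VLAN other than the default.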
12-02-2013 03:51 AM
Hi,
Thanks for your reply.
We will do the test and let you know.
Best Regards
12-19-2013 05:37 AM
Hi,
When using and allowing VLANs other than the native VLAN on the trunk port, everything is working fine.
Thanks a lot for your help and your time.
Best Regards