09-21-2017 12:27 AM - edited 02-21-2020 06:20 AM
Hello, for my MPLS provider I need to have two outside interfaces. I could do it with the 5505 using VLANs.
With this model on 9.7 I just have BVI interfaces. If I use the bvi1 as the outside interface I cannot ping anything; it just works with the physical interface.
How can I have two outside interfaces with the same ip address?
regards
10-23-2017 01:54 AM
I found the solution: first, IOS 9.7 is required; then bridge both interfaces, type a nameif for each one, and create 3 ACLs. The first ACL that will match is the physical one, next the bridge one.
interface GigabitEthernet1/1
bridge-group 2
nameif Outside1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 2
nameif Outside2
security-level 100
!
interface BVI2
nameif Outside
security-level 0
ip address x.x.x.x x.x.x.x
!
access-list Outside_access_in extended permit ip any any
access-list Outside2_access_in extended permit ip any any
access-list Outside1_access_in_1 extended permit ip any any
access-group Outside_access_in in interface Outside
access-group Outside1_access_in_1 in interface Outside1
access-group Outside2_access_in in interface Outside2
This solves the problem.
regards
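A check a reviewer could run over the configuration in the post above, as an added example that is not part of the original thread: it lists every interface whose inbound ACL is `permit ip any any`, together with its security level and bridge group. The function name `audit` and the parsing approach are assumptions; the input is the configuration as posted.

```python
# Constructed input: the configuration from the post above, placeholders as posted.
CONFIG = """\
interface GigabitEthernet1/1
bridge-group 2
nameif Outside1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 2
nameif Outside2
security-level 100
!
interface BVI2
nameif Outside
security-level 0
ip address x.x.x.x x.x.x.x
!
access-list Outside_access_in extended permit ip any any
access-list Outside2_access_in extended permit ip any any
access-list Outside1_access_in_1 extended permit ip any any
access-group Outside_access_in in interface Outside
access-group Outside1_access_in_1 in interface Outside1
access-group Outside2_access_in in interface Outside2
"""

def audit(config):
    """Return (nameif, acl, security_level, bridge_group) for open inbound ACLs."""
    ifaces, block, open_acls, bound = {}, None, set(), {}
    for words in (line.split() for line in config.splitlines()):
        if not words or words[0] == "!":
            block = None  # end of an interface block
        elif words[0] == "interface":
            block = {"level": None, "bridge": None}
        elif block is not None and words[0] == "bridge-group":
            block["bridge"] = words[1]
        elif block is not None and words[0] == "security-level":
            block["level"] = int(words[1])
        elif block is not None and words[0] == "nameif":
            ifaces[words[1]] = block  # later lines in the block still update it
        elif words[0] == "access-list" and words[2:] == ["extended", "permit", "ip", "any", "any"]:
            open_acls.add(words[1])
        elif len(words) == 5 and words[0] == "access-group" and words[2:4] == ["in", "interface"]:
            bound[words[4]] = words[1]
    return sorted((name, acl, ifaces[name]["level"], ifaces[name]["bridge"])
                  for name, acl in bound.items() if acl in open_acls and name in ifaces)

if __name__ == "__main__":
    for finding in audit(CONFIG):
        print(finding)
```

An ACL that names specific protocols, sources or destinations no longer matches the check, so an empty result means no interface is bound to an unrestricted inbound ACL.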
09-21-2017 06:44 AM - edited 09-21-2017 06:44 AM
Hi,
You can't, as far as I know. This is not only for firewalls; any device I ever touched doesn't allow two different interfaces to have the same IP address, for obvious reasons.
By the way, a service provider should never request something like that.
09-21-2017 07:04 AM
Hi lmediavilla,
You can use a feature called Redundant interface. A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface. When the active interface fails, the standby interface becomes active and starts passing traffic. Below is the config example:
interface GigabitEthernet0/0
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
no nameif
no security-level
no ip address
!
interface Redundant1
member-interface GigabitEthernet0/0
member-interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 1.1.1.1 255.255.255.0