ASA 5510 in HA with redundant switches

Hi guys,

Got a problem and need some advice.

I am about to migrate from ASA 5505 to ASA 5510 (see the attached diagram). This is the current topology and it is about to remain with the new ASAs.

The ASAs are/will be in HA mode.

I am experiencing problems with VLAN configuration on the 5510.

Currently on the 5505 I have VLANs configured which are allowed on the trunks to the switches (any ASA to any switch).

interface Ethernet0/1
 switchport trunk allowed vlan 1,100,200,300,400
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Ethernet0/2
 switchport trunk allowed vlan 1,100,200,300,400
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3

and so on for the other VLANs

Now with the 5510 I don't have the opportunity to configure VLANs and their respective IP addresses; I can just add trunks (which automatically enables the VLAN) and configure IP addresses on those.

interface Ethernet0/1.1
 vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3

Would it be possible for someone to advise how to proceed with this? I will need to connect to both switches, but how will the IP address be the same on both ports (even if one goes down)?

Any help will be highly appreciated.

Thank you very much.

Accepted Solutions

Jouni Forss
VIP Alumni

Hi,

The only option configuration-wise I can think of would be using Redundant interfaces:

interface Redundant1
 member-interface FastEthernet0/1
 member-interface FastEthernet0/2
!
interface Redundant1.100
 description LAN
 vlan 100
 nameif LAN
 ip address 10.10.100.1 255.255.255.0 standby 10.10.100.2
!
interface Redundant1.200
 description DMZ
 vlan 200
 nameif DMZ
 ip address 10.10.200.1 255.255.255.0 standby 10.10.200.2
!
interface Redundant1.300
 description WIRELESS
 vlan 300
 nameif WLAN
 ip address 10.10.30.1 255.255.255.0 standby 10.10.30.2

And so on.

Though I have to say I have never tried this in a Failover setup.

Have a look at the ASA Configuration Guide for more details:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1062296

Please remember to mark replies as the correct answer if they did answer your question.

Ask more if needed

- Jouni
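
The migration this answer describes, as an added example (not code from the thread or from Cisco): a Python script that rewrites 5505-style "interface VlanN" stanzas as tagged subinterfaces of one redundant interface. The member ports Ethernet0/1 and Ethernet0/2, the function names, and the Vlan100 values in the sample config are assumptions made for the example.

```python
import re

# Constructed sample: 5505-style SVI stanzas in the form shown in the question.
# The Vlan100 name, security level and addresses are made up for this example.
SAMPLE_5505 = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3
!
interface Vlan100
 nameif LAN
 security-level 50
 ip address 10.10.100.1 255.255.255.0 standby 10.10.100.2
!
"""

def parse_svis(config):
    """Return {vlan_id: [sub-commands]} for every 'interface VlanN' stanza."""
    svis, current = {}, None
    for line in config.splitlines():
        text = line.strip()
        m = re.match(r"interface Vlan(\d+)$", text, re.IGNORECASE)
        if m:
            current = svis.setdefault(int(m.group(1)), [])
        elif text in ("", "!") or text.startswith("interface "):
            current = None  # stanza ended or a non-VLAN interface started
        elif current is not None:
            current.append(text)
    return svis

def to_redundant(config, members=("Ethernet0/1", "Ethernet0/2"), red_id=1):
    """Emit a RedundantN parent plus one subinterface per parsed VLAN."""
    if len(members) != 2 or members[0] == members[1]:
        raise ValueError("a redundant interface pairs two distinct physical ports")
    out = [f"interface Redundant{red_id}"]
    out += [f" member-interface {m}" for m in members]
    for vlan, cmds in sorted(parse_svis(config).items()):
        # 'vlan N' sets the 802.1Q tag; nameif/security-level/ip carry over as-is
        out += ["!", f"interface Redundant{red_id}.{vlan}", f" vlan {vlan}"]
        out += [f" {c}" for c in cmds]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_redundant(SAMPLE_5505))
```

The addresses, including the standby address used for failover, stay on the logical subinterface, so they do not change when the active member port changes.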

4 Replies

sokakkar
Cisco Employee

Hi Nikolay,

Let's say the ASA on the left is the active unit. Traffic takes the path from the ASA to port 5 to 1 and out.

Scenario 1: Switch on left goes down. ASA will fail over and ASA on right will be active and can use switch on right to send traffic.

Scenario 2: Port 5 goes down, again ASA will fail over and ASA on right will be active and can use switch on right to send traffic.

Scenario 3: Port 1 goes down, traffic will move from ASA on left to 5->3->4->2 and out (switch redundancy).

Does that solve your purpose?

Let me know if you have any questions.

HTH.

-

Sourav

Nikolay - As Jouni pointed out, you can use redundant interfaces as well, provided you have free interfaces available on your ASA 5510.

-

Sourav

Thanks for your help guys!

It seems to me that Jouni's answer will solve my issue, but I will test it and let you know.

Thanks once again.

Best regards,

Nikolay