Solved: ASA 5510 in HA with redundant switches

Nikolay Kirtchev · ‎05-02-2013

Hi guys,

Got a problem and need some advice.

I am about to migrate from ASA 5505 to ASA5510 (see the attached diagram).This is the current topology and it is about to remain with the new ASAs.

The ASAs are/will be in HA mode.

I am experiencing problems with VLAN configuration on 5510.

Currently I got on 5505 configured VLANs which are allowed on the trunks to the switches (any asa to any switch).

interface Ethernet0/1

switchport trunk allowed vlan 1,100,200,300,400

switchport trunk native vlan 1

switchport mode trunk

!

interface Ethernet0/2

switchport trunk allowed vlan 1,100,200,300,400

switchport trunk native vlan 1

switchport mode trunk

!

interface Vlan1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3

and so on for the other VLANs

Now with the 5510 I don't have the opportunity to configure VLANs and their respective IP addresses, just can add trunks(that authomatically enables the vlan) and configure IP addreses on those.

interface Ethernet0/1.1

vlan 1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.3

Would it be possible someone to advice how to procceed with this - I will need to connect to both switches, but how the IP address will be the same on both ports (even if one goes down).

Any help will be highly appreciated.

Thank you very much.

Jouni Forss · ‎05-02-2013

Hi,

Only option configuration wise I can think of would be using Redundant interfaces

interface Redundant1

member-interface FastEthernet0/1

member-interface FastEthernet0/2

interface Redundant1.100

description LAN

vlan 100

nameif LAN

ip address 10.10.100.1 255.255.255.0 standby 10.10.100.2

interface Redundant1.200

description DMZ

vlan 200

nameif DMZ

ip address 10.10.200.1 255.255.255.0 standby 10.10.200.2

interface Redundant1.300

description WIRELESS

vlan 300

nameif WLAN

ip address 10.10.30.1 255.255.255.0 standby 10.10.30.2

And so on.

Though I have to say I have never tried this in a Failover setup

Have a look at the ASA Configuration Guide for more details

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1062296

Please remember to mark replys as the correct answer if they did answer your question.

Ask more if needed

- Jouni

View solution in original post

sokakkar · ‎05-02-2013

Hi Nikolay,

Let say ASA on left is active unit. Traffic takes path from ASA to port 5 to 1 and out.

Scenario 1: Switch on left goes down. ASA will fail over and ASA on right will be active and can use switch on right to send traffic.

Scenario 2: Port 5 goes down, again ASA will fail over and ASA on right will be active and can use switch on right to send traffic.

Scenario 3: Port 1 goes down, traffic will move from ASA on left to 5->3->4->2 and out (switch redundency).

Does that solve your purpose?

Let me know if you have any questions.

HTH.

-

Sourav

Jouni Forss · ‎05-02-2013

Hi,