07-19-2010 09:20 PM - edited 03-11-2019 11:13 AM
Is there a way to create VLANs on an ASA 5520? I am looking at assigning two ASA ports to a single VLAN.
Please help with suggestions.
Thanks in advance.
07-19-2010 09:53 PM
You can do it as explained in http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006
Here is an example
interface gigabitethernet0/1.100
vlan vlan_id
no shut
I hope it helps.
PK
07-19-2010 10:44 PM
Thanks for the input. So it means it has to be a subinterface, not a normal VLAN creation on the firewall.
I have an ASA which has to be connected to a pair of switches (linked by EtherChannel). If the ASA interface is connected to only one of these switches, it will not be reliable in case either switch of the pair goes down.
Is there a way to maintain reliability if the ASA is to connect to these switches?
Thanks.
07-20-2010 05:33 AM
Hello,
You can use the concept of redundant interfaces and put multiple interfaces in one group. This will ensure that if one switch goes down, the other one will take over.
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1062296
Remember that the redundant interfaces will not load balance but just act as a backup interface in the event the primary interface goes down.
Hope this helps.
Regards,
NT
07-21-2010 07:11 PM
Thanks. Attached is a rough diagram for the scenario which I am trying to work with.
This one ASA is to be connected to the switches as shown. I am trying to work it out in such a way that if one switch fails, the connection remains via the other one.
Does it fit right if the ASA LAN (dual ports) is connected to both switches and something like HSRP is used on the switch/router interface, or is there anything that can be done configuration-wise on the ASA?
Any other way around this will be highly helpful.
Thanks.
07-22-2010 06:21 AM
You can create the redundant interface on the ASA that will have 2 members, each connected to one switch (you are wasting 1 ASA interface in that case). The switches/routers can run HSRP for the 2 interfaces that connect to the ASA redundant members.
That way if an interface fails on the ASA the switches will still reach the other and vice versa.
I hope it helps.
PK
07-22-2010 08:40 PM
Thanks for your reply. Sorry, I didn't get it totally. My aim was to use the two switches as in the diagram, so there is no dependency if one of them fails and results in loss of connection.
Which also brings me to the question: what IP subnets (same?) will the ASA's two interfaces take?
Please correct me if my understanding is wrong.
07-22-2010 08:55 PM
When you create the redundant interface, you specify the interfaces you want to put into the redundant interface and then continue to configure the redundant interface as a logical interface.
An example will show this a bit better:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 192.168.1.5 255.255.255.0
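Added example, not part of the original thread: the redundant interface from the post above combined with the VLAN subinterface asked about at the start, with the member ports enabled and a failover check. Interface numbers, VLAN ID 100 and the address are constructed, and it assumes both switch ports are 802.1Q trunks carrying VLAN 100.

```cisco
! Constructed example values: Gi0/0 and Gi0/1, VLAN 100, 192.168.1.5/24.
! Member ports are only enabled; they carry no nameif, security-level or IP.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Logical interface. The first member listed is the active one by default.
! It is left unnamed so that untagged traffic is not passed by the firewall.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
! VLAN subinterface on the redundant interface: this is where the
! name, security level and address are configured.
interface Redundant1.100
 vlan 100
 nameif inside
 security-level 100
 ip address 192.168.1.5 255.255.255.0
!
! --- Privileged EXEC commands, run after the configuration above ---
! Show which member is currently active:
show interface redundant 1 detail
! Move the active role to the other member to test the second switch path:
redundant-interface redundant 1 active-member gigabitethernet0/1
```

Only one member forwards at a time, so the subinterface keeps a single address and a single subnet no matter which switch is in use.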
07-23-2010 10:37 AM
Hello,
A redundant interface is a way of creating backup interfaces on the firewall. It is something similar to EtherChannel but with the difference that, unlike in EtherChannel, the firewall uses only one interface for data transfer. The other interface will be used as a backup interface. When the primary interface goes down, the secondary interface will take over. Other than that, as August has pointed out, you configure the redundant interface just like any other interface and give it an IP in the range of your inside interface. When you configure a redundant interface, you do not configure the individual interfaces (something similar to EtherChannels, where changes are made on the PO interface).
Hope this helps.
Regards,
NT
07-23-2010 08:28 PM
Thanks to all for the great explanation, I got the point being made here.
This, as per my understanding, will work as redundancy on the ASA interface. However, based on the network diagram earlier, if the switch-1 interface connected to router-1 fails, will it create a sort of asymmetric scenario for traffic flowing back and forth through the ASA? And how will the ASA interface react to this?
If the switch-1 interface connected to the ASA fails, I would expect that the ASA would use the other member interface to pass the traffic.
Appreciate all help provided, thanks.