asa vlan

suthomas1
Level 6

Is there a way to create VLANs on an ASA 5520? I am looking at assigning two ASA ports to a single VLAN.

Please help with suggestions.

Thanks in advance.


9 Replies

Panos Kampanakis
Cisco Employee

You can do it as explained in http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/intrface.html#wp1044006

Here is an example:

interface gigabitethernet0/1.100
  vlan vlan_id
  no shut

I hope it helps.

PK

Thanks for the input. So it means it has to be a subinterface, not a normal VLAN creation on the firewall.

I have an ASA which has to be connected to a pair of switches (linked by EtherChannel). If the ASA interface is connected to only one of these switches, it will not be reliable in case that switch in the pair goes down.

Is there a way to maintain reliability if the ASA is to connect to these switches?

Thanks.

Hello,

You can use the concept of redundant interfaces and put multiple interfaces in one group. This will ensure that if one switch goes down, the other one will take over.

hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1

https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1062296

Remember that the redundant interfaces will not load balance but just act as a backup interface in the event the primary interface goes down.

Hope this helps.

Regards,

NT

Thanks. Attached is a rough diagram of the scenario I am trying to work with.

This one ASA is to be connected to the switches as shown. I am trying to work it out in such a way that if one switch fails, the connection remains via the other one.

Does it fit right if the ASA LAN (dual ports) is connected to both switches and some sort of HSRP is used on the switch/router interfaces, or is there anything that can be done on the ASA configuration-wise?

Any other way around this will be highly helpful.

Thanks.

You can create the redundant interface on the ASA that will have 2 members, each connected to one switch (you are wasting 1 ASA interface in that case). The switches/routers can run HSRP for the 2 interfaces that connect to the ASA redundant members.

That way, if an interface fails on the ASA, the switches will still reach the other one, and vice versa.

I hope it helps.

PK

Thanks for your reply. Sorry, I didn't get it totally. My aim was to use the two switches as in the diagram, so there is no dependency if one of them fails and results in loss of connection.

Which also brings me to the question: what IP subnets (the same?) will the ASA's two interfaces take?

Please correct me if my understanding is wrong.

When you create the redundant interface, you specify the interfaces you want to put into the redundant interface and then continue to configure the redundant interface as a logical interface.

An example will show this a bit better:

hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 192.168.1.5 255.255.255.0
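As an added example (not from this thread or from Cisco), here is a small Python check that applies the rules given in the answers above to an ASA-style configuration: nameif, security-level and ip address belong on the logical redundant interface only, the physical member interfaces stay bare, and a VLAN subinterface carries a vlan tag. It goes one step beyond the thread by treating a subinterface on the redundant interface (Redundant1.100) the same way as the gigabitethernet0/1.100 subinterface in the first answer; that combination is assumed from the ASA interface guide rather than stated here, and the sample config is constructed.

```python
# Constructed ASA-style config: Gi0/1 wrongly keeps nameif/ip while a member of Redundant1.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif dmz
 ip address 10.0.0.1 255.255.255.0
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.5 255.255.255.0
!
interface Redundant1.100
 vlan 100
!
"""

def parse_interfaces(config):
    stanzas, current = {}, None  # map each 'interface X' stanza to its body lines
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line == "!":  # '!' closes the current stanza
            current = None
        elif current is not None and line:
            stanzas[current].append(line)
    return stanzas

def check_redundant(config):
    """Thread's rules: L3 config on the logical redundant interface only; subinterfaces tagged."""
    ifaces = parse_interfaces(config)
    findings = []
    for name, lines in ifaces.items():
        if not name.lower().startswith("redundant"):
            continue
        if "." in name:  # e.g. Redundant1.100, a VLAN subinterface on the redundant pair
            if not any(ln.startswith("vlan ") for ln in lines):
                findings.append(f"{name}: subinterface has no 'vlan' tag")
            continue
        members = [ln.split()[1] for ln in lines if ln.startswith("member-interface ")]
        for needed in ("nameif ", "security-level ", "ip address "):
            if not any(ln.startswith(needed) for ln in lines):
                findings.append(f"{name}: missing '{needed.strip()}'")
        for m in members:  # physical members must stay unconfigured at layer 3
            if any(ln.startswith(("nameif ", "ip address ")) for ln in ifaces.get(m, [])):
                findings.append(f"{m}: member of {name} must not carry nameif/ip address")
    return findings
```

Running check_redundant on a real "show running-config" dump is a quick way to confirm that no member interface kept an old nameif or address after it was moved into the redundant group.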

Hello,

A redundant interface is a way of creating backup interfaces on the firewall. It is something similar to EtherChannel, but with the difference that, unlike in EtherChannel, the firewall uses only one interface for data transfer. The other interface will be used as a backup interface. When the primary interface goes down, the secondary interface will take over. Other than that, as August has pointed out, you configure the redundant interface just like any other interface and give it an IP in the range of your inside interface. When you configure a redundant interface, you do not configure the individual interfaces (something similar to EtherChannels, where changes are made on the Po interface).

Hope this helps.

Regards,

NT

Thanks to all for the great explanation; I got the point being made here.

This, as per my understanding, will work as redundancy on the ASA interface. However, based on the network diagram earlier, if the switch-1 interface connected to router-1 fails, will it create a sort of asymmetric scenario for traffic flowing back and forth through the ASA? And how will the ASA interface react to this?

If the switch-1 interface connected to the ASA fails, I would see that the ASA would use the other member interface to pass the traffic.

Appreciate all the help provided, thanks.
