Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
649
Views
0
Helpful
3
Replies

one ASA5540 with two 3750 connections

Go to solution
Dennis_an83
Level 1
Level 1

‎01-10-2013 02:01 AM - edited ‎03-11-2019 05:45 PM

Dear Experts,

i have two CAT3750 need to place in L3, and it supposed that used as L3 switches by SVI for L2 routing, and I want to these two configured as redundancy by HSRP. but now I can only have one ASA5540 to connects these of L3 switches.

so, here is my questions:

1. does ASA5540 support multi vlan?

2. does it support spanning tree protocol?

3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?

4. if you have any better than above idea to achive network redundancy please let me know.

any advise would be very appriciated!

thanks!

Taixing

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎01-10-2013 02:53 AM 

1. does ASA5540 support multi vlan?
2. does it support spanning tree protocol?
3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?

no, no and yes ...

for 3) the swiches can pass HSRP, but that has nothing to do with the ASA. The ASA just uses the SVI- or standby IP as a next hop.

4. if you have any better than above idea to achive network redundancy please let me know.

If you can stack the two switches, then you can build an etherchannel from the ASA to the two stack-members. If stacking is not an option, the ASA has the feature of "redundant interfaces". The primary interface goes to the first switch, the secondary interface is connected to the second switch. Here is a reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329357

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

‎01-10-2013 02:53 AM 

1. does ASA5540 support multi vlan?
2. does it support spanning tree protocol?
3. if I've choiced to use trunking between two L3 switches, does it can pass through HSRP hello msg?

no, no and yes ...

for 3) the swiches can pass HSRP, but that has nothing to do with the ASA. The ASA just uses the SVI- or standby IP as a next hop.

4. if you have any better than above idea to achive network redundancy please let me know.

If you can stack the two switches, then you can build an etherchannel from the ASA to the two stack-members. If stacking is not an option, the ASA has the feature of "redundant interfaces". The primary interface goes to the first switch, the secondary interface is connected to the second switch. Here is a reference:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329357

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful

Go to solution
Dennis_an83
Level 1
Level 1
In response to Karsten Iwen

‎01-10-2013 06:28 PM

Hi iwen,

thanks for your details reply!

for your answer 4, yes, the stacking is not preferred.

so, if using "redundant interfaces" in ASA, is that standby interface will block any of traffic through it? does it physically looks like down?

if not, then how it can prevent the looping issue when the 4 interfaces belong same vlan?

one more question, when the active port will switch over to standby port? it is base on hard ware failre software?

i mean, if primary's 3750 uplink port down, then does ASA switch over to standby interface? and how long time will be takes for switch over? it is configurable?

thanks.

Taixing

Message was edited by: Taixing An

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to Dennis_an83

‎01-11-2013 01:09 AM

The switchover of the redundant inteface is based on the link-status. The redundant interface always uses the MAC-address of the primary member. When switching to the secondary link, a gratious ARP is sent to update the MAC-address-tables of the other switches. With that the ASA doesn't care if the uplink on the primary switch is down. The traffic will flow then from the ASA to the primaey switch and from there to the secondary switch.

The switchover will take a couple of seconds until all is converged.

Not to forget one drawback: Redndant interfaces don't support subinterfaces.

The best solution would really be to have two ASAs in FO connected to two switches.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card