ASA 5505 local interface redundancy?

keithsauer507
Level 5

Hello,

 

We have two ASA 5505 8 port, basic licence devices that are used to allow a third party VPN to interface with systems on our network.  Currently 3 of the 8 ports are connected and in use.  One port is the local interface, another port is an outside IP address on ISP1, and the third port is another outside IP address on ISP2.  Using IP SLA, if the first ISP goes down, the VPN will go over ISP2.  So we have failover on the outside, which is pretty simple since they are two different outside networks.

 

Internally is another story.  I can only have these ASA 5505's terminate to our Core 1 switch.  However I would like to link up another port to our Core 2 switch.  That way if Core 1 is down for a software upgrade or system failure, the VPN still has connectivity outside AND inside via Core 2.

 

I'm not sure there is a way to do it.  I think I could connect another port in the same vlan to Core2, and perhaps Spanning Tree would take over in Core 2 and put that port into blocking state.  But then the question is how long it will take to go into forwarding if Core 1 is down (or maybe it's just a cabling issue).  There has to be a more elegant solution to this issue.  Although we have 2 ASA5505's, one is for Vendor A and one is for Vendor B.  I don't think we can combine both Vendors across both ASA's and use something like HSRP between them.  I don't think HSRP is an option.  We have to be careful too since it's just the basic licence.  It's running 8.2(5) if I recall correctly.

 

Thanks for any insight you have.

4 Replies

Richard Burts
Hall of Fame

Perhaps there is something in your explanation that I am not understanding. I can understand having a port connect to Inside and a port connect to ISP 1 and a port connect to ISP 2 on one ASA. How does the second ASA fit into this?

 

Am I correct in assuming that your config of the 5505 creates a vlan for ISP 1 and assigns a single port to it, creates another vlan for ISP 2 and assigns a port to it, and creates a vlan for Inside and assigns a port to it? If that is the case, then what is the issue with assigning another port to the Inside vlan and connecting core 2 to it?

 

HTH

 

Rick
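The port-to-VLAN layout Rick describes above, written out as an ASA 5505 configuration. This is an added example, not configuration from the thread or from either poster: interface numbers, addresses and descriptions are assumed, and the fourth switch port (Ethernet0/3) is the proposed second inside link to Core 2. The `switchport protected` lines are the option the original poster asks about; they are a real ASA 5505 switch-port command and are included here to show where it would go. The base licence's three-VLAN limit and its restriction on the third VLAN are not shown.

```cisco
! Added example (not from the thread). Addresses and port numbers are assumed.
! One routed VLAN interface per network; the ASA's internal switch maps ports onto them.
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface Vlan2
 nameif outside1
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface Vlan3
 nameif outside2
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Switch ports: one each for ISP1 and ISP2, two for Inside (Core 1 and Core 2).
interface Ethernet0/0
 description Outside to ISP1
 switchport access vlan 2
!
interface Ethernet0/1
 description Outside to ISP2
 switchport access vlan 3
!
interface Ethernet0/2
 description Inside to Core 1
 switchport access vlan 1
 switchport protected
!
interface Ethernet0/3
 description Inside to Core 2 (proposed second inside link)
 switchport access vlan 1
 switchport protected
```

Both inside ports sit behind the same `inside` VLAN interface, so the firewall policy applied to Vlan1 covers traffic arriving from either core switch; the second port adds a second layer 2 attachment, not a second security boundary. With `switchport protected` on both inside ports, the ASA's internal switch will not forward frames between Ethernet0/2 and Ethernet0/3, so no frame can transit the ASA from Core 1 to Core 2; each port still reaches the Vlan1 SVI, which is all the VPN traffic needs. Without those two lines the ASA's switch fabric bridges the two cores together, which is the loop discussed below and which the cores' spanning tree must then resolve.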

You're correct, vlan 1 is internal, vlan 2 is ISP1 and vlan 3 is ISP2.

 

My concern with putting a second interface in vlan 1 to the other core switch is, wouldn't that create a network loop?

 

Would switchport protected work on an asa5505 if I put both vlan 1 ports on it?  That way the broadcast / multicast traffic on both switches won't loop through that, since all traffic has to go to the gateway vlan SVI.

 

I'm not sure if switchport protected is a valid command on these or not.

 

The reason I have two of them is because one is for one vendor, and another is for a different vendor.  Two totally different companies doing completely different things.

 

Thanks for the clarification about why two ASAs.

 

Yes if you connect a second ASA port to the Inside vlan then it creates a loop. And that is what Spanning Tree is for.

 

HTH

 

Rick

Spanning tree is not supported on the ASA.  But you're thinking the upstream switch will take care of it?

 

Similar to someone plugging in a "dumb hub" or "dumb switch" ... the end device doesn't need to support it, the switch just sees the loop and blocks one of the ports.
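What the "dumb hub" comparison means in practice for the two core switches, as an added example that is not part of the thread. When the ASA bridges its two inside ports, Core 1 and Core 2 exchange BPDUs through it exactly as they would through a hub, so one of the two ASA-facing core ports ends up blocking. That only works if the ASA-facing ports are left as plain access ports: BPDU filtering would hide the loop from spanning tree, and PortFast with BPDU guard would err-disable the port the moment the other core's BPDU arrived through the ASA. Interface names, the VLAN number and the description are assumed.

```cisco
! Added example (not from the thread). Interface names are assumed.
! Configuration on each core switch for the port that faces the ASA's inside port.
interface GigabitEthernet1/0/10
 description ASA-vendorA inside (ASA Eth0/2 or Eth0/3)
 switchport mode access
 switchport access vlan 1
 no spanning-tree portfast
 no spanning-tree bpdufilter
!
! Verification, run from enable mode on each core:
! - which port in VLAN 1 is blocking and which is forwarding
show spanning-tree vlan 1
! - per-port role, state and the BPDUs being received through the ASA
show spanning-tree interface GigabitEthernet1/0/10 detail
! - which STP mode is running (pvst vs rapid-pvst), which decides the reconvergence time
show spanning-tree summary
```

The reconvergence time the original poster asks about depends on the STP mode shown by `show spanning-tree summary`. Under Rapid PVST+ the blocked port moves to forwarding within a few seconds of the Core 1 link going down; under classic PVST+ it waits out the listening and learning states, 30 seconds with the default 15-second forward delay, or up to 50 seconds if the failure is only detected when max age expires. That waiting period is the window in which the VPN has no inside path, and it is the reason the ASA-side `switchport protected` approach discussed above is worth considering: with it, the ASA is no longer a bridge between the cores, both core ports stay forwarding, and the only remaining failover is the routed one (which core currently holds the VLAN 1 gateway address the ASA points at).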