I was wondering if anyone knew whether or not you can connect an ASR1000 to two separate switches using the same VLAN? If this was an ISR G2 I could have used a BVI interface or installed a switch card and used VLANs. BVI and VLAN don't seem to exist. A BDI sounds like it could work, however I was having problems getting MAC resolution to work using it. At this stage all I need to know is the design and feature to use for this type of design with an ASR.
Basic topology is:
DMZ SW #1 ----- DMZ SW #2
Firewall #1 Firewall #2
Core #1 ------ Core #2
NOTE: DMZ switches aren't stacked, so I can't use a port-channel.
Is it possible to connect an ASR like this and have it function? I'm pretty new to the IOS XE platform so any advice is welcome!
The answer is it can't be done.
The best option is to stack the switches and run LACP from ASR to Switches. I can't do this as the switches won't stack.
Another option is to run the switches in L3 mode and have separate VLANs between each DMZ switch and the ASR, i.e. DMZ SW 1 to ASR = 10.1.1.x/24 and DMZ SW 2 to ASR = 10.1.2.x/24, and use L3 routing failover.
For me, I am going to cut back to a single DMZ switch as that works in the topology/customer I am working with (single DMZ switch + single ASR router).
Worked with Cisco design team to validate this.
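An added example (not from the thread, and not a Cisco-provided configuration) of the L3 failover variant described in the post above, on the ASR1000 side running IOS XE: one routed port to each DMZ switch using the two subnets named in the post, an IP SLA probe that tracks reachability of the primary next hop, and a floating static route through the second switch. The interface names, the switch-side addresses (10.1.1.2 and 10.1.2.2), the 10.10.0.0/16 destination behind the firewalls and the Catalyst-style switch port are all assumptions for illustration.

```cisco
! ---- ASR1000 (IOS XE) -- example only; interface names and prefixes are assumed ----
!
interface GigabitEthernet0/0/0
 description Routed link to DMZ SW #1 (no bridging/BDI needed)
 ip address 10.1.1.1 255.255.255.0
 no shutdown
!
interface GigabitEthernet0/0/1
 description Routed link to DMZ SW #2
 ip address 10.1.2.1 255.255.255.0
 no shutdown
!
! Probe the next hop on DMZ SW #1 so a failure beyond the physical link
! (switch up, forwarding broken) still triggers failover.
ip sla 1
 icmp-echo 10.1.1.2 source-interface GigabitEthernet0/0/0
 frequency 5
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Primary path via DMZ SW #1 is withdrawn from the RIB when track 1 goes down;
! the floating route (administrative distance 200) via DMZ SW #2 then takes over.
ip route 10.10.0.0 255.255.0.0 10.1.1.2 track 1
ip route 10.10.0.0 255.255.0.0 10.1.2.2 200
!
! ---- DMZ SW #1 (L3 mode) -- example only; port name is assumed ----
!
ip routing
!
interface GigabitEthernet1/0/1
 description Routed uplink to ASR
 no switchport
 ip address 10.1.1.2 255.255.255.0
 no shutdown
```

Check the state with `show track 1` and `show ip route 10.10.0.0` after shutting the primary link: the tracked route should disappear and the distance-200 route should be installed. The switches need the mirror-image treatment (tracked routes back toward the ASR), otherwise return traffic can still be black-holed when only one side has failed over; a dynamic routing protocol between the ASR and both switches avoids maintaining the tracking by hand.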
Are the ASA FWs in an HA setting?
Are the core switches stacked, or able to be stacked?
Just to validate, the ISR can run individual or aggregated, but I really would like to know what you are trying to accomplish with this design.
Looking at your hardware setup, it is possible to:
ASR performing dynamic routing between WAN and FWs,
DMZ switches L2 handoffs between ASR and FWs
FWs in High Availability pairing between ASR and Core switch(es) (stacked)
Core switches performing L3 inter-VLAN routing, with a default route pointing toward the ASA HA virtual next-hop
No requirement for BDI...