Configuration of the Cisco ISR 4431/K9 in front of Cisco ASA 5515-X Active/Stand-by cluster

RetroGrade11
Level 1

Hi Cisco Community,

We currently have an HP MSR 50-40 router sitting in front of our Cisco ASA 5515-X Active/Standby cluster that has the ISP internet connection coming in from the ISP switch, which then distributes this connection to the active ASA node and the standby ASA node for redundancy.

The topology looks like this:

Internet -> ISP switch -> HP MSR Internet Router -> Cisco ASA firewall cluster -> HP core switch (LAN)

We have recently purchased a Cisco ISR 4431/K9 router to replace the HP MSR 50-40. However, here is the issue I’m running into. The current HP MSR 50-40 router interfaces are configured with the “port link-mode bridge” command, which in effect renders them as layer 2 switch interfaces. In order for me to use the same setup, I would have to obtain a switch module for the ISR to be able to access the switchport command on the ISR, as it’s currently not available. While researching a workaround, I came across something called “service-instance” and “bridge-domain” that may allow me to create a group of interfaces on the ISR to act as Layer 2 in order to achieve a similar goal.

Does anyone know if using service-instance with bridge-domain is a feasible approach? I’m providing a sample of my ISR config below. If this is a valid approach, do you think the config below will work?

 

version 15.5
service timestamps debug datetime msec
service timestamps log datetime msec
no platform punt-keepalive disable-kernel-core
!
hostname Router
!
boot-start-marker
boot-end-marker
!
vrf definition Mgmt-intf
 !
 address-family ipv4
 exit-address-family
 !
 address-family ipv6
 exit-address-family
!
no aaa new-model
!
subscriber templating
!
multilink bundle-name authenticated
!
spanning-tree extend system-id
!
redundancy
 mode none
!
vlan internal allocation policy ascending
!
ip tftp source-interface GigabitEthernet0
ip ssh source-interface GigabitEthernet0
!
bridge irb
!
interface GigabitEthernet0/0/0
 description To ISP Switch
 no ip address
 negotiation auto
 no mop enabled
 service instance 1 ethernet
  encapsulation default
  bridge-domain 1
 !
!
interface GigabitEthernet0/0/1
 description To ASA1
 no ip address
 negotiation auto
 no mop enabled
 service instance 1 ethernet
  encapsulation default
  bridge-domain 1
 !
!
interface GigabitEthernet0/0/2
 description To ASA2
 no ip address
 negotiation auto
 no mop enabled
 service instance 1 ethernet
  encapsulation default
  bridge-domain 1
 !
!
interface GigabitEthernet0
 description GE0 to Core
 vrf forwarding Mgmt-intf
 ip address 10.x.x.x 255.255.255.0
 negotiation auto
 no mop enabled
!
interface Vlan1
 no ip address
 no mop enabled
!
interface BDI1
 ip address 12.x.x.x 255.x.x.x
!
router ospf 711
 network 10.x.x.x 0.0.0.0 area 0.0.1.1
!
ip forward-protocol nd
no ip http server
no ip http secure-server
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 10.x.x.x
ip ospf name-lookup
!
access-list 100 permit ip any any
!
bridge 1 protocol dec
!
control-plane
!
line con 0
 stopbits 1
line aux 0
 stopbits 1
line vty 0 4
!
end
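
An added example, not part of the original post and not Cisco tooling: a short Python check that reads a config in the shape posted above, groups ports by bridge-domain id, and reports any bridge domain that has a single member port or no same-numbered BDI interface. The function names and the sample text are constructed for illustration; the sample deliberately puts the third port in bridge-domain 2 so the check has something to report.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the posted config; port 0/0/2 is deliberately in bridge-domain 2.
SAMPLE = """\
interface GigabitEthernet0/0/0
 service instance 1 ethernet
  encapsulation default
  bridge-domain 1
interface GigabitEthernet0/0/1
 service instance 1 ethernet
  encapsulation default
  bridge-domain 1
interface GigabitEthernet0/0/2
 service instance 1 ethernet
  encapsulation default
  bridge-domain 2
interface BDI1
 no ip address
"""

def bridge_domains(config):
    """Return ({bridge-domain id: [member ports]}, {BDI numbers defined})."""
    members, bdis, current = defaultdict(list), set(), None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            b = re.fullmatch(r"BDI(\d+)", current)
            if b:
                bdis.add(int(b.group(1)))
            continue
        m = re.match(r"\s+bridge-domain (\d+)\s*$", line)
        if m and current:
            members[int(m.group(1))].append(current)
    return dict(members), bdis

def audit(config):
    """Report bridge domains with a single member port or no matching BDI."""
    members, bdis = bridge_domains(config)
    notes = []
    for bd, ports in sorted(members.items()):
        if len(ports) < 2:
            notes.append(f"bridge-domain {bd}: only member is {ports[0]}")
        if bd not in bdis:
            notes.append(f"bridge-domain {bd}: no interface BDI{bd}")
    return notes

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)) or "no findings")
```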
