cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4966
Views
5
Helpful
18
Replies

EtherChannel between cisco devices need help

vandamt01
Level 1
Level 1

Hello,

At our company we use 2 asa 5525 firewalls in active/standby mode.

Both of them are connected to a single cisco router.

The goal is to have the cisco router to automatically send traffic to the active firewall (regardless which firewall is active at that point).

To solve this would it be possible to create an EtherChannel with 2 ports on the cisco router and then have 1 link going to the active firewall and 1 link to the standby firewall.

If the active firewall fails and the standby firewall takes over, will the standby firewall receive all the traffic that normally would go to the active firewall without any downtime?

Will this work or does another solution exists for this? Its important for us that the hosts on the network suffer small to none downtime at all.

The topology can be found in the following image.

topology.png

2 Accepted Solutions

Accepted Solutions

Joris

With active/standby you cannot user L3 connections to the firewall.

For failover to work you need the inside interfaces in the same vlan. So you simply -

1) create a new vlan  and allocate  new IP subnet

2) create an SVI on the 3750 and give it an IP from that subnet

3) give each inside interface of the firewalls an IP from the same subnet

4) add a default route on the 3750 pointing to the active firewall IP

5) on the firewall any routes for the internal networks point to the SVI IP address

Note you could run a dynamic routing protocol between the 3750 and the firewalls if you would rather do that although when i last did ASAs the standby does not participate in the routing protcol so if it fails over new adjancencies need to be established. This may have changed but with statics you don't get that delay.

You obviously also need failover setup and the outside interfaces and any DMZs must also be in their own vlan ie

both outside interfaces must have their own vlan and if you have a DMZ those interfaces must be in the same vlan.

Just to be clear they would all be different vlans.

Finally you can reuse an existing vlan for the inside interfaces but it is a good idea to have a dedicated vlan for this.

Jon

View solution in original post

Thank you!

System is online!

I created VLAN 101 ROUTING, set the VSI to 192.168.101.1 en changed the original L3 uplinks to L2 access ports in VLAN101, and it worked.

This was our first experience on this so, beginner mistake I guess.

We don' have enough fiber ports for dual links (etherchannel) to the firewall, so we are not going to do that.

Only question I still have is, how fast the L3 switch will converge if I pull out the uplink to the active firewall.

I think the firewall will notice this quite fast and set the Standby to Active, but I am not sure if the L3 switch will detect this fast. Will test this later.

Thanks again to all of you

View solution in original post

18 Replies 18

chandra_rc16
Level 4
Level 4

Hi Tim,

You are indirectly trying to implement VPC (Virtual Port Channel). But I'm not sure about which devices support it.

Just FYI: Here is the link that explain the concept of VPC.

http://www.cisco.com/c/en/us/products/collateral/switches/nexus-5000-series-switches/configuration_guide_c07-543563.html

Don't forget to rate the posts that are helpful.

Regards,
Chandu

Regards, Chandu

Hello,

Thank you for responding.

VPC or VSS would work normally but our ASA does not support it so its not going to for us sadly enough.

Do you have any other suggestions to solve this problem?

Regards

Jon Marshall
Hall of Fame
Hall of Fame

Tim

You can't do this because you cannot have the same etherchannel spread between an active and standby firewall.

Because they are active/standby then the inside interfaces need to be in the same vlan/IP subnet which i guess is why you are asking about etherchannel.

The common solution is to use a L2 switch between the firewalls and the router and you have a common vlan that the active and standby inside interfaces and the router interface are in. Then you just have a route on the router pointing to the active firewall IP and on the firewall a route for the internal subnets pointing to the router interface.

You could possibly use bridging on the router which would allow you to have two interfaces on the same router in the same IP subnet and connect one interface to the active firewall and one to the standby. But i cannot say for sure this would work as i have never done it with ASAs.

I have always used a switch (or switches) in between.

Jon

Hey,

thank you for answering.

We do not have a spare L2 switch that we can use and for briding apparently its only supported in transparent mode (i can be wrong tho but i have not seen this in routed mode yet) and our firewalls are in routed mode so that's not possible either.

Tim

You want the router interfaces to be in bridging mode ie. there is no routing you are simply connecting two interfaces into the same IP subnet which is exactly what you.

So you have a common IP subnet and the BVI on the router is assigned an IP from that subnet as are the inside interfaces of the ASAs.

Like i say i have not tried it but you don't need routing between the bridged interfaces, in fact you don't want that. You do need to route between other interfaces on the router and the BVI but that should not be a problem.

Perhaps i am not understanding what you mean ?

Jon

Tim

Apologies i didn't explain it very well.

I didn't mean you needed the firewalls in transparent mode, they are fine in routed mode. I was talking about using bridging on the router interfaces so you can have a connection to each firewall and have both interfaces in the same IP subnet by using a BVI.

Like i say i have never done this but from Paul's testing you can see that it is the router where you need the bridging, not the firewalls.

It may be a possible solution if you don't have a spare switch.

Jon

Hi,

You should have a switch in the middle. This will fix your problem.

When the second ASA FW will take over, it will take the IP and MAC address of the Primary and send a

gratuitous ARP which will make the Router send traffic to second ASA.

Key is that you need a L2 switch between.

Mahadev Patil
Level 1
Level 1

Hi Tim,

It's not possible because router is not working on NX-OS. NX-OS provied this option to create Ether-Chaneel between two Device.

one option you can use cisco IP SLA.

Mahadev

Hello

"You could possibly use bridging on the router which would allow you to  have two interfaces on the same router in the same IP subnet and connect  one interface to the active firewall and one to the standby. But i  cannot say for sure this would work as i have never done it with ASAs"

Please see below:

ASA1
====

.interface GigabitEthernet0

nameif inside1

security-level 100

ip address 192.168.1.10 255.255.255.0

ASA2
====

.interface GigabitEthernet0

nameif inside2

security-level 100

ip address 192.168.1.11 255.255.255.0

router

=====

bridge irb

bridge 100 protocol ieee

bridge 100 route ip

interface FastEthernet0/0

Description Link to ASA1

bridge-group 100

interface FastEthernet0/1

Description Link to ASA2

bridge-group 100

interface BVI100

ip address 192.168.1.254 255.255.255.0

R1#ping 192.168.1.10

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.10, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/34/72 ms

R1#ping 192.168.1.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 8/38/88 ms

asa1#  ping 192.168.1.11

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.11, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


asa1#ping 192.168.1.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 10/34/50 ms

NOTE:

You can also NOT apply an ip address to the BVI interface and you would still be able to ping between the FW'S

res

Paul


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Jon Marshall
Hall of Fame
Hall of Fame

Paul

Thanks for labbing that up.

I was pretty sure it would work but couldn't say for sure as i have never used it before.

Jon

Hello Jon

No problem, glad i could verify this for you.

res

Paul

Please don't forget to rate any posts that have been helpful.

Thanks.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Joris Syen
Level 1
Level 1

Hello I am a friend of Tim,

As far as I can read your reactions (thankfully), an additional switch would be the solution?

Point is, the cisco router is actually a Cisco 3750X which is a stacked L3 switch with lots of free ports.

We cannot ask to spend another 2K on redundant stacked 2960 switches just for 4 connections.

So if I understand correctly, if we would link the routed L3 switch etherchannel ports physically to itself, to another Etherchannel on the same switch, in a specific VLAN, and then we would create an additional 2 ports in that VLAN that are L2, and then uplink those links to both Firewalls (Active/Standby), this would work??

But how can you explain such a 'solution' to customers, there most be a better way?

The ports on the L3 switch are now configured as an Etherchannel, and this is working as long as only 1 link is connected. If the 2nd link is connected to the Standby Firewall, we lose connection, even if that Firewall is just a standby. Isnt there a possibility to just 'disable' this port until a link failure (on another link) is detected and then failover? Instead of keeping this connection 'active' while it is a standby Firewall?

Hello

As Jon as suggested either

Plug the fw,s into two free ports of switched stack and assign them to the same access vlan

Or

On the router
Bridge the two exiting fw interfaces as shown previously


Res
Paul

Sent from Cisco Technical Support iPad App


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thank you for your reply,

"Plug the fw,s into two free ports of switched stack and assign them to the same access vlan".

I am not sure how, see, the link between Router Stack and Firewalls is not in a VLAN, it is not a L2 link, it is a L3 'routed' link on an etherchannel with IP address 192.168.101.1 and the firewall has IP address 192.168.101.2 on the receiving interface. The 101 network is not a VLAN, it contains only 2 IP addresses namely the routing interfaces. Is it possible to create a VLAN for this then? The gateway of the L3 switch is 192.168.101.2 and static routes are added on the firewall for the traffic that needs to go down.

"Or

On the router

Bridge the two exiting fw interfaces as shown previously"

do you mean this:

"

ASA1
====

.interface GigabitEthernet0

nameif inside1

security-level 100

ip address 192.168.1.10 255.255.255.0

ASA2
====

.interface GigabitEthernet0

nameif inside2

security-level 100

ip address 192.168.1.11 255.255.255.0

router

=====

bridge irb

bridge 100 protocol ieee

bridge 100 route ip

interface FastEthernet0/0

Description Link to ASA1

bridge-group 100

interface FastEthernet0/1

Description Link to ASA2

bridge-group 100

interface BVI100

ip address 192.168.1.254 255.255.255.0" ?

Is this possible in an Active Standby configuration?

As far as I know, I can only set 1 gateway address on the L3 router switch, and the Standby Firewall has no possibitiy to provide another routing IP address then the Active Firewall. 

Thank you