03-23-2009 04:53 AM - edited 03-06-2019 04:45 AM
How do I configure a Layer 3 switch to support two Metro Ethernet links with load balancing and have a Cisco ASA firewall on the inside? Is there any sample configuration?
03-23-2009 05:55 AM
Hello Jose,
you need to make some design decisions:
are you going to use a dynamic routing protocol on the Metro Ethernet links to be able to detect remote end failure?
example with OSPF:
assign two IP subnets, one to each Metro Ethernet link
metro E link1: 10.10.10.0/24
metro E link2: 10.10.20.0/24
client vlan with ASA: 10.10.30.0/24
internal client vlans behind ASA:
10.100.0.0/16
router ospf 10
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 network 10.10.30.0 0.0.0.255 area 0
the ASA can talk OSPF too, or it can use a static default route
in any case some device, the ASA or the L3 switch, needs to advertise in OSPF the client/server VLANs behind the ASA.
if it is the ASA and the IP subnets are connected, you can use the network area command
if you decide to use static routes between the ASA and the L3 switch, the L3 switch has to redistribute the static routes in OSPF
router ospf 10
 redistribute static subnets
note: OSPF automatically load balances and performs fail-over over up to 4 paths.
on the remote site devices at the other ends of the Metro Ethernet links you should do the same using the same commands
Hope to help
Giuseppe
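The static-route variant from the post above, written out as one L3 switch configuration. This is an added example, not part of the original thread: the interface names, the .1/.2 host addresses, the prefix-list and route-map names, the passive interface and the OSPF authentication lines are assumptions, and the key is a placeholder.

```cisco
! Added example (assumptions: interface names, host addresses, list names, key).
! Subnets are the ones given in the post.
ip routing
!
interface GigabitEthernet1/0/1
 description Metro E link1
 no switchport
 ip address 10.10.10.1 255.255.255.0
 ! Authenticate OSPF neighbors on the carrier-facing link
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
!
interface GigabitEthernet1/0/2
 description Metro E link2
 no switchport
 ip address 10.10.20.1 255.255.255.0
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 <OSPF-KEY-PLACEHOLDER>
!
interface Vlan30
 description Client VLAN with ASA
 ip address 10.10.30.1 255.255.255.0
!
! Internal client VLANs behind the ASA (ASA assumed at 10.10.30.2)
ip route 10.100.0.0 255.255.0.0 10.10.30.2
!
! Limit redistribution to the one prefix that should be advertised
ip prefix-list BEHIND-ASA seq 10 permit 10.100.0.0/16
route-map STATIC-TO-OSPF permit 10
 match ip address prefix-list BEHIND-ASA
!
router ospf 10
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 network 10.10.30.0 0.0.0.255 area 0
 ! ASA uses static routing here, so advertise Vlan30 but send no hellos on it
 passive-interface Vlan30
 redistribute static subnets route-map STATIC-TO-OSPF
```

The remote device needs the same authentication key on both links for the adjacencies to form. `show ip ospf neighbor` and `show ip route ospf` on either end confirm the two adjacencies and the equal-cost paths.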
03-23-2009 06:07 AM
Thanks for the quick response. I still have a question. Since these circuits are going to be to the Internet, the provider is going to assign two external addresses, and the address that I assign to the ASA will need to be external. Do I NAT the ASA interface? Let me know.
Thanks,
Jose
03-23-2009 06:32 AM
Hello Jose,
usually Metro Ethernet links are seen as L2 services; if this is not the case, my previous post is useless.
so you have two Internet links with public IP addresses; you need to think about some form of tunneling to avoid exposing your internal traffic
Hope to help
Giuseppe
03-23-2009 06:44 AM
Thanks, let me ask the provider and I will get back to you.
03-25-2009 07:09 AM
Here is the scenario. It is a point-to-point Metro E. One end will have a Cisco 3750 and the other end will have a Cisco 2821. Both data and voice are going to pass over this circuit. Is there any special IOS I need to get for the 3750 to be able to run this application with QoS? Let me know.
03-25-2009 08:04 AM
Hello Jose,
the configuration of my first post should apply to your scenario.
you need an IOS image that allows you to use a routing protocol on the c3750
OSPF and BGP require the IP services image:
IP routing protocols for load balancing and for constructing scalable, routed backbones:
-RIP Versions 1 and 2
>> -OSPF (requires the IP services image)
-Enhanced Interior Gateway Routing Protocol (EIGRP) IPv6 to utilize IPv6 transport, communicate with IPv6 peers, and advertise IPv6 routes
-Border Gateway Protocol (BGP) Version 4 (requires the IP services image)
see
modular QoS is supported.
Hope to help
Giuseppe