Configuration of VLANs

Unanswered Question
Jan 22nd, 2009

Hi, we have purchased a new HP L2 switch and want to connect it with a firewall. Our requirement is mentioned below:

1) Create three VLANs on the L2 switch and connect to the firewall via a single cable by making a trunk port.

2) Implement ASA failover, which will also connect with the switch.

Now I am thinking a lot about how this is possible. Experts, I would appreciate your recommendation regarding the network upgrade.

Please suggest

JORGE RODRIGUEZ Thu, 01/22/2009 - 11:11

Hi,

1) Sure, you can trunk between the HP switch and the ASA appliance as long as the HP switch supports the 802.1q standard (I'm sure it does). Simply configure L2 VLANs in the switch and associate the VLANs with ASA subinterfaces, which will be required for dot1q trunking. Which ASA5500 model you use will determine how many VLANs the ASA can support.

You can see this information under Virtual interfaces (VLANs) at this link:

http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html

2) Absolutely, you can implement ASA failover through a single switch, but be aware this is a single point of failure (the switch). You can use two switches down the road and connect switch1 to ASA1 and switch2 to ASA2, as well as configure a trunk between the switches.

Also be aware of what type of failover support on the ASA you will require. All ASA models support regular failover and stateful failover, except the ASA5505, which does not support stateful failover.

If you need info on stateful failover, see this link for details:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

Your requirement is not too bad; just come up with a sketch of requirements in terms of subnets, DMZs, wireless segments etc. to then build your architecture.

Regards

Please rate any helpful posts
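A concrete version of the trunk-plus-failover layout described in the reply above, as an added example that is not from the original thread or from Cisco/HP documentation. VLAN 100 and the 192.168.12.0/24 addressing come from the thread; the second VLAN, the interface names, port numbers, standby addresses and the failover link subnet are assumptions.

```cisco
! --- ASA (primary unit): the physical port carries the 802.1q trunk and has no IP of its own ---
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per VLAN; "vlan 100" sets the 802.1q tag the ASA sends and expects
interface Ethernet0/1.100
 vlan 100
 nameif noc
 security-level 100
 ip address 192.168.12.1 255.255.255.0 standby 192.168.12.3
!
interface Ethernet0/1.200
 vlan 200
 nameif dmz
 security-level 50
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.3
!
! Active/standby failover over a dedicated link (Ethernet0/3 and 10.0.0.0/30 are assumed);
! the standby addresses above are what the secondary unit uses until it takes over
interface Ethernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover

; --- HP ProCurve switch: port 24 faces the ASA and must be TAGGED for every VLAN ---
; An untagged ASA-facing port sends frames without a VLAN tag, which the ASA
; subinterfaces will not accept, so a host in VLAN 100 could not reach 192.168.12.1.
vlan 100
   name "NOC"
   untagged 1-12
   tagged 24
   ip address 192.168.12.2 255.255.255.0
   exit
vlan 200
   name "DMZ"
   untagged 13-20
   tagged 24
   exit
```

The ASA drops traffic between subinterfaces of different security levels unless an access list permits it, so the per-VLAN ACLs (and any NAT the platform requires) still have to be added on top of this.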

ray_stone Fri, 01/23/2009 - 00:48

Thanks for your feedback.

Still some confusion! I have made one VLAN (VLAN 100 Test) on the FW and assigned IP 192.168.12.1, and the same VLAN has been created on the L2 switch. The same VLAN SVI is connected with the FW Test VLAN interface. The switch IP is 192.168.12.2, which I can access when I connect to the switch default VLAN interface after switching the FW-connected cable from the Test VLAN SVI to the default VLAN interface. Now the question is, why am I not able to access the switch from my 12.1 network even though it is connected on the same VLAN? Please suggest.

JORGE RODRIGUEZ Fri, 01/23/2009 - 04:20

I'm not sure I clearly understand; could you please post a sanitized ASA configuration so I can understand the flow?

Assuming you have created all L2 VLANs in the switch as well as the respective logical subinterfaces in the ASA, trunking in the switch etc., in the ASA, to communicate between interfaces you need NAT functionality as well as access control lists, depending on the security levels you have assigned.

ray_stone Fri, 01/23/2009 - 10:28

Hi Jorge, I understand the points you provided very well and am ready to go with that. As I have already explained, we have an HP L2 switch which we will use. Now the scenario I have drawn is as follows:

VLAN Conf (100-NOC) ---IP Address 192.168.12.1/24-ETH1--ASA--------connected----Switch-----VLAN (100 NOC) ---ETH 1-12.

Now when I connect my laptop, with assigned IP 192.168.12.234/24, to switch port eth 1, I should be able to ping the gateway, which is 192.168.12.1, but I am not able to do it.

I am very sure the ASA configuration is fine, but I am not very confident in the configuration done on the switch. The attached file is the switch configuration file for your reference. Please suggest...

Thanks
