asa vlan

Answered Question
Jul 19th, 2010

Is there a way to create VLANs on an ASA 5520? I am looking at assigning two ASA ports to a single VLAN.


Please help with suggestions.


Thanks in advance.


Overall Rating: 3.4 (5 ratings)
suthomas1 Mon, 07/19/2010 - 22:44

Thanks for the input. So it means it has to be a subinterface, not a normal VLAN creation on the firewall.


I have an ASA which has to be connected to a pair of switches (linked by EtherChannel). If the ASA interface is connected to only one of these switches, it will not be reliable in case either switch of the pair goes down.

Is there a way to maintain reliability if the ASA is to connect to these switches?


thanks.

Nagaraja Thanthry Tue, 07/20/2010 - 05:33
User Badges: Cisco Employee

Hello,


You can use the concept of redundant interfaces and put multiple interfaces in one group. This will ensure that if one switch goes down, the other one will take over.


hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1

https://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1062296

Remember that the redundant interfaces will not load balance but just act as a backup interface in the event the primary interface goes down.

Hope this helps.

Regards,

NT

suthomas1 Wed, 07/21/2010 - 19:11

Thanks. Attached is a rough diagram for the scenario which I am trying to work with.

This one ASA is to be connected to the switches as shown. I am trying to work it out in such a way that if one switch fails, the connection remains via the other one.


Does it fit right if the ASA LAN (dual ports) is connected to both switches and some sort of HSRP is used on the switch/router interface, or is there anything that can be done on the ASA configuration-wise?


Any other way around this will be highly helpful.


Thanks.

Panos Kampanakis Thu, 07/22/2010 - 06:21
User Badges: Cisco Employee

You can create the redundant interface on the ASA that will have 2 members, each connected to one switch (you are wasting 1 ASA interface in that case). The switches/routers can run HSRP for the 2 interfaces that connect to the ASA redundant members.


That way if an interface fails on the ASA the switches will still reach the other and vice versa.


I hope it helps.


PK

suthomas1 Thu, 07/22/2010 - 20:40

Thanks for your reply. Sorry, I didn't get it totally. My aim was to use the two switches as in the diagram, so there is no dependency if one of them fails and results in loss of connection.

Which also brings me to the question: what IP subnets (the same?) will the ASA's two interfaces take?


Please correct me if my understanding is wrong.

August Ritchie Thu, 07/22/2010 - 20:55
User Badges: Bronze, 100 points or more

When you create the redundant interface, you specify the interfaces you want to put into the redundant interface and then continue to configure the redundant interface as a logical interface.


An example will show this a bit better:



hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 192.168.1.5 255.255.255.0

Correct Answer
Nagaraja Thanthry Fri, 07/23/2010 - 10:37
User Badges: Cisco Employee

Hello,


A redundant interface is a way of creating backup interfaces on the firewall. It is something similar to EtherChannel, but with the difference that, unlike in EtherChannel, the firewall uses only one interface for data transfer. The other interface will be used as a backup interface. When the primary interface goes down, the secondary interface will take over. Other than that, as August has pointed out, you configure the redundant interface just like any other interface and give it an IP in the range of your inside interface. When you configure a redundant interface, you do not configure the individual interfaces (something similar to EtherChannels, where changes are made on the port-channel interface).


Hope this helps.


Regards,


NT
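The two answers above make the same configuration point: the redundant interface is the logical interface that carries nameif, security-level and the IP address, and its member interfaces carry no configuration of their own. The following is an added example (not code from the thread or from Cisco) that audits a running-config for exactly that. The config text is constructed for the example, and the block-and-indentation layout it assumes (`interface Redundant1`, one-space-indented sub-commands, `!` terminators) is an assumption about how the ASA prints its running-config; adjust the parser if your output differs.

```python
"""Audit redundant-interface blocks in a Cisco ASA running-config.

Added example, not from the original thread. Checks that each
'interface RedundantN' block is configured as a logical interface
(nameif, security-level, ip address, two members) and that its member
interfaces carry no nameif/security-level/ip configuration of their own,
which is the mistake the thread warns against.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample config (not a real device): Redundant1 is correct
# except that member Gi0/1 still carries its own nameif/ip; Redundant2
# is incomplete (one member, no logical-interface settings).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 nameif inside_backup
 security-level 100
 ip address 192.168.1.6 255.255.255.0
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.5 255.255.255.0
!
interface Redundant2
 member-interface GigabitEthernet0/2
!
"""


@dataclass
class Interface:
    name: str
    members: List[str] = field(default_factory=list)
    nameif: Optional[str] = None
    security_level: Optional[int] = None
    ip_address: Optional[str] = None


def parse_interfaces(config: str) -> Dict[str, Interface]:
    """Parse 'interface ...' blocks into Interface objects keyed by name.

    Assumes ASA-style layout: sub-commands indented by one space and a
    bare '!' (or any non-indented line) ending the block. 'no ...' forms
    are deliberately not matched, so 'no nameif' leaves nameif unset.
    """
    interfaces: Dict[str, Interface] = {}
    current: Optional[Interface] = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            interfaces[current.name] = current
            continue
        if current is None or not line.startswith(" "):
            current = None  # block terminator or top-level command
            continue
        cmd = line.strip()
        if cmd.startswith("member-interface "):
            current.members.append(cmd.split(None, 1)[1])
        elif cmd.startswith("nameif "):
            current.nameif = cmd.split(None, 1)[1]
        elif cmd.startswith("security-level "):
            current.security_level = int(cmd.split()[1])
        elif cmd.startswith("ip address "):
            current.ip_address = cmd[len("ip address "):]
    return interfaces


def audit_redundant(interfaces: Dict[str, Interface]) -> List[str]:
    """Return findings as strings; an empty list means the config is sound."""
    findings: List[str] = []
    for iface in interfaces.values():
        if not iface.name.lower().startswith("redundant"):
            continue
        if len(iface.members) != 2:
            findings.append(f"{iface.name}: expected 2 member interfaces, "
                            f"found {len(iface.members)}")
        # The logical interface must carry the L3 settings itself.
        for attr in ("nameif", "security_level", "ip_address"):
            if getattr(iface, attr) is None:
                findings.append(f"{iface.name}: missing "
                                f"{attr.replace('_', ' ')} on the logical interface")
        # Members must not be configured individually.
        for member in iface.members:
            phys = interfaces.get(member)
            if phys is None:
                continue  # member block absent from this config excerpt
            if phys.nameif or phys.ip_address or phys.security_level is not None:
                findings.append(f"{iface.name}: member {member} carries its own "
                                f"nameif/security-level/ip; move it to {iface.name}")
    return findings


if __name__ == "__main__":
    for finding in audit_redundant(parse_interfaces(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the output of `show running-config` saved to a file by replacing `SAMPLE_CONFIG` with that file's contents; on the constructed sample it reports five findings (one against Redundant1's member Gi0/1, four against the incomplete Redundant2).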

suthomas1 Fri, 07/23/2010 - 20:28

Thanks to all for the great explanation; I got the point being made here.


This, as per my understanding, will work as redundant on the ASA interface. However, based on the network diagram earlier, if the switch-1 interface connected to router-1 fails, will it create a sort of asymmetric scenario for traffic flowing back and forth through the ASA? And how will the ASA interface react to this?


If the switch-1 interface connected to the ASA fails, I would see that the ASA would use the other member interface to pass the traffic.


Appreciate all the help provided, thanks.
