ASA 5505 - Redundant Interfaces With Stack Switches

Hi All,

We have one ASA 5505 and a pair of Cisco 2960s connected in a stack.

We would like to connect one interface of the ASA to switch1 and another interface to switch2 for redundancy purposes; switch1 and switch2 are in a stack.

I've read that the ASA 5505 does not support EtherChannel or redundant interfaces.

How can we proceed to have redundancy on the inside link?

Best Regards.

9 Replies

You could connect each switch to a separate interface on the 5505 and trunk the connections (you can only configure trunks if you have the Security Plus license). Then connect two links between the switches and configure them in an EtherChannel and trunk them. This should give you the redundancy you are looking for.

Otherwise you will need to upgrade to ASA hardware that supports EtherChannels and redundant interfaces, 5512 or higher.

--

Please remember to rate and select a correct answer.


Julio Carvajal
VIP Alumni

Hello,

Remember that the ASA 5505 has an embedded switch on it, so let's say you have an INSIDE and an OUTSIDE VLAN.

So I totally agree with Marius here:

SWITCH 1 ________TRUNK_________ Port1
   |  |                            ASA
   |  |
SWITCH 2 _________TRUNK_________ Port2

Run the Port-Channel between the switches and let Spanning-Tree do its part.

Configure a logical interface on the ASA and configure the L2 ports as trunks.

For this you will need the Security Plus license, as mentioned by Marius.

Note: the other way would be getting a second box to run active/standby.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi all,

Thanks for your advice.

We've just upgraded the license to Security Plus. We've noticed that if the interface between the switch and the firewall is configured as a trunk, we cannot reach the gateway (the VLAN configured on the ASA) from a PC connected to the switch.

When it is configured as access, the ping responds.

How to solve this issue?

Best Regards.

Hello,

Great to hear that we are moving forward.

Can you share the ASA configuration?

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

As Julio mentioned, we would need to see the full sanitized configuration of the ASA to be able to further help you.

--

Please remember to rate and select a correct answer


Hi,

Please find below the configuration of the ASA.

**************************************
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
 description Test LAN
 switchport trunk allowed vlan 1,20,22
 switchport mode trunk
!
interface Ethernet0/7
 description Test LAN Backup
 switchport trunk allowed vlan 1,20,22
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address
!
global (inside) 1 192.168.1.150-192.168.1.200 netmask 255.0.0.0
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XXXX 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
**************************************

When we connect the cable between the switch and the ASA to e0/2, we can ping the gateway, but when we connect it to e0/6, the ping does not respond.

Best Regards

You need to add the native VLAN configuration to the interfaces. Assuming you are using the default native VLAN on the switches, add the following command to the interfaces (change the native VLAN ID if required):

switchport trunk native vlan 1

--

Please remember to rate and select a correct answer

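The configuration the thread converges on, written out for both ends of the trunks as an added example (it is not taken from either poster's devices). The ASA interface names and the VLAN IDs 1, 20 and 22 follow the posted config; the Catalyst interface names, the port-channel number, and the choice of LACP are assumptions. The inter-switch EtherChannel is Marius's suggestion for two standalone switches; if the 2960s really are one stack, the second uplink simply lands on a Gi2/0/x port of the same logical switch and that section is not needed.

```cisco
! ===== ASA 5505 side (Security Plus license assumed; trunking on Ethernet0/6 and 0/7) =====
! The inside SVI lives in VLAN 1. The switch sends VLAN 1 untagged (its default
! native VLAN), so each trunk must declare the same native VLAN or those frames
! never reach the inside interface, which is the symptom reported above.
interface Ethernet0/6
 description Test LAN (uplink to switch 1)
 switchport mode trunk
 switchport trunk allowed vlan 1,20,22
 switchport trunk native vlan 1
 no shutdown
!
interface Ethernet0/7
 description Test LAN Backup (uplink to switch 2)
 switchport mode trunk
 switchport trunk allowed vlan 1,20,22
 switchport trunk native vlan 1
 no shutdown
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! ===== Catalyst 2960 side (interface names assumed) =====
! Port facing the ASA on switch 1; switch 2 gets the identical stanza on its own port.
! Allowed list and native VLAN must match the ASA end exactly.
interface GigabitEthernet1/0/24
 description Uplink to ASA Ethernet0/6
 switchport mode trunk
 switchport trunk allowed vlan 1,20,22
 switchport trunk native vlan 1
!
! Two physical links between the standalone switches bundled into one trunk,
! so a single cable failure does not isolate either switch (assumed ports 1/0/21-22).
interface range GigabitEthernet1/0/21 - 22
 description Inter-switch EtherChannel member
 channel-group 1 mode active
!
interface Port-channel1
 description Inter-switch trunk
 switchport mode trunk
 switchport trunk allowed vlan 1,20,22
 switchport trunk native vlan 1
```

The check after applying this is the one the original poster ran: from a PC in VLAN 1 on either switch, ping 192.168.1.1 with each ASA uplink unplugged in turn. On the ASA, `show interface` on Ethernet0/6 and 0/7 should list the native VLAN; a mismatch between the two ends shows up as the gateway answering only on the access-mode port, exactly as described earlier in the thread.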

Hi,

Thanks for your reply.

We will do the test and let you know.

Best Regards

Hi,

When using and allowing other VLANs than the native VLAN on the trunk port, everything is working fine.

Thanks a lot for your help and your time.

Best Regards
