ASA links to multilayer switches

denisjalsovec (Level 1)

Hi guys,

Can someone help me with multilayer switch commands? I need to configure redundant links from the ASA to multilayer switches: one link is active, the other is standby. I know how to configure the ASA, but I'm not sure how to configure the ports on the two switches. Do they need to have an IP address, or should they only be in trunk mode?

I thought at first that I could create two EtherChannels to the multilayer switches, but this won't work, so the solution is to use redundant links.
I also cannot test this scenario in Packet Tracer or GNS3.

Thanks


8 Replies

Hello.

Do you have one ASA or two devices in HA mode?

Please provide the port (and sub-interface) configuration you have on your ASA.

Hi, I don't have a configuration. I'm only working on the design right now, and before I start configuring I need to know how to configure the switch side.

There is only one ASA that I want to connect to two multilayer switches (if one switch fails, the other takes over). I know that the best solution would be to use two ASAs in failover, but this is not what I want right now. I need a solution for one ASA. Please look at my design. I only know that this can be accomplished by using redundant links on the ASA, but I'm not sure about the switch configuration.

The design is in the attachment.

Hello.

Per your post I assume you are going to use the redundant interface feature on the ASA.

In this case, if your ASA has an IP address assigned to the redundant interface itself, you need just an access VLAN on the switches; if you want sub-interfaces, you need to configure a trunk on your switches.

For an access VLAN on the switches:

interface GigabitEthernet1/0/1
 switchport mode access
 ! VLAN 99 is just an example; use whatever VLAN you assign
 switchport access vlan 99
 spanning-tree portfast

Thanks for quick answer.

I'm a little bit confused with that access VLAN now.

This network uses SVI interfaces (which are the gateway of each VLAN) on the core switches (HSRP on the SVIs; if one switch fails, the other takes over). So if I use a few VLANs on the network and redundant links on the ASA, do I need to configure an access VLAN on the core switches, and will that work?

I know that if the network has more VLANs, I must use a trunk for VLAN traffic. What VLAN should I allow on "switchport access"? Native or something else?

Thanks.

Hello.

It seems to me that I don't understand your design.

What do you need the ASA for? How are you going to route traffic over the ASA?

Could you please provide (just in theory) which IP addresses you are going to assign to the ASA and which routes you are going to configure on it?

Okay,

let's say I'm using OSPF on all L3 devices. You will find the whole network in the attachment.

I need the ASA for the DMZ and Internet. I hope you get a clearer picture of the network now.

Accepted Solution

Hello.

Thanks for the diagram.

From the picture we see that you will be running the ASA for Internet access and the DMZ, but the DMZ interfaces will be connected to a dedicated switch and the Internet uplink will go directly to the WAN router.

So you may use the configuration previously mentioned.

For switch-to-ASA connectivity I would recommend creating a dedicated VLAN and putting only the switch SVIs and the ASA into that VLAN. Let's say you assign VLAN 100 for this purpose.

Switch:

vlan 100
 name ASA_INSIDE
!
interface Vlan100
 ! each switch gets its own address from the same /28
 ip address 10.x.y.z 255.255.255.240
 ! X = OSPF process ID, Y = OSPF area
 ip ospf X area Y
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast

Of course, you need to allow VLAN 100 on the inter-switch trunk.
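As an added, complete worked example (configuration written for this page, not taken from the thread): the accepted solution carried through on both core switches, plus the ASA side that the thread leaves out. The hostnames SW1/SW2, the port numbers, the 10.0.100.0/28 transit subnet, OSPF process 1 in area 0 and HSRP group 100 are all assumptions for illustration. The `switchport nonegotiate`, `spanning-tree bpduguard enable` and `switchport trunk allowed vlan add 100` lines are hardening and safety checks that the accepted answer does not mention.

```cisco
! ===== SW1 (core switch 1). Hostnames, port numbers, the 10.0.100.0/28
! ===== transit subnet, OSPF process 1 / area 0 and HSRP group 100 are
! ===== assumptions for illustration, not values from the thread.
vlan 100
 name ASA_INSIDE
!
interface Vlan100
 description Transit VLAN: only SW1, SW2 and the ASA live here
 ip address 10.0.100.1 255.255.255.240
 ip ospf 1 area 0
 standby version 2
 standby 100 ip 10.0.100.14
 standby 100 priority 110
 standby 100 preempt
!
! Port to the ASA's active redundant member. nonegotiate and bpduguard are
! hardening not in the accepted answer: no DTP toward the firewall, and the
! port goes err-disabled if anything that speaks STP is ever plugged in.
interface GigabitEthernet1/0/1
 description ASA Redundant1 member (active side)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Inter-switch trunk: VLAN 100 must be carried so the ASA can reach SW2's
! SVI while its active member is plugged into SW1. The encapsulation line
! is needed on older platforms (e.g. 3750); newer ones reject it, drop it there.
interface GigabitEthernet1/0/24
 description Trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! ===== SW2 (core switch 2): mirror of SW1 with its own SVI address.
vlan 100
 name ASA_INSIDE
!
interface Vlan100
 ip address 10.0.100.2 255.255.255.240
 ip ospf 1 area 0
 standby version 2
 standby 100 ip 10.0.100.14
 standby 100 preempt
!
interface GigabitEthernet1/0/1
 description ASA Redundant1 member (standby side)
 switchport mode access
 switchport access vlan 100
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/24
 description Trunk to SW1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan add 100
!
! ===== ASA (single unit, routed mode). Physical members carry no IP or
! ===== nameif; the first member-interface listed becomes the active one.
! ===== Outside and DMZ interfaces are omitted.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 nameif inside
 security-level 100
 ip address 10.0.100.3 255.255.255.240
!
router ospf 1
 network 10.0.100.0 255.255.255.240 area 0
```

Failover behaviour worth testing before relying on it: the ASA moves traffic to the standby member only when the active member's physical link drops. If SW1 stays up but loses its own uplinks, the ASA's link to SW1 remains active; the design still works because SW2's SVI is reachable over the trunk and OSPF reroutes, which is exactly why VLAN 100 has to be allowed on that trunk. The HSRP virtual address 10.0.100.14 is not used by the ASA itself (it learns inside routes via OSPF from both switches); it is there so anything in the design that prefers a static next hop on this VLAN has one. Portfast with BPDU guard is safe on the ASA-facing ports because a routed-mode ASA sends no BPDUs. If the ASA ends up with sub-interfaces on Redundant1, replace the access stanza on both switches with `switchport mode trunk` and an explicit `switchport trunk allowed vlan` list, as the earlier reply in the thread describes.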

Thanks a lot, man.

You were very helpful.