08-05-2008 03:56 AM - edited 03-06-2019 12:37 AM
Hi,
I have configured HSRP on my Cisco 4506 core switches. We have a total of 7 access switches; 6 of them are configured with different VLANs.
Now we have one Cisco ASA 5520 which is connected to core 2 via another access switch, but nothing is configured on this access switch. It is connected like this:
[ ASA ]---> [Access Switch 7] ---> [Core 2]
Cisco ASA inside IP: 10.138.74.3
Core 2 port connected to Access Switch 7: in VLAN 50, IP 10.138.74.4 (no HSRP configured for VLAN 50)
Now my problem is that if core 2 goes down, we are unable to get to the internet, as the firewall is not connected to core 1.
I want to configure HSRP for firewall connectivity also.
For that I need to configure HSRP for VLAN 50 as well. But I am confused about how to connect the Cisco ASA to access switch 7 in this scenario.
What configuration do I have to do on access switch 7?
      ASA
       |
 Access switch 7
    /     \
Core2     Core1

How do I configure the access switch port which is connected to the firewall inside interface?
regards,
som
08-05-2008 04:32 AM
Hello Som,
in order to achieve the desired redundancy it is enough to have Access Switch 7 connected with two uplinks, one to Core 1 and one to Core 2:

        ASA
         |
  Access Switch 7
     /       \
 Core1 ----- Core2
The Spanning Tree protocol will deal with the link redundancy.
So if Core2 is the root bridge for VLAN 50, the link Access Switch 7 -- Core 1 will be blocked.
If Core2 fails or the link Core2 -- Access Switch 7 fails, that link will become operational (STP forwarding state).
You will have an HSRP group in VLAN 50 on Core1 and Core2.
The two uplinks are trunk ports that allow VLAN 50.
Notice that you still have two single points of failure: the ASA and the Access switch.
If you have a pair of ASAs in stateful failover you can have ASA1 on ASW7 and ASA2 on ASW7bis (another switch).
Both ASW7 and ASW7bis could have two uplinks, one to Core1 and one to Core2.
In this way you get a design that is fault tolerant to one link or device failure.
Hope to help
Giuseppe
08-05-2008 05:09 AM
Actually it's clear to me that I have to configure HSRP group 50, like this:
Core 1

interface Vlan50
 ip address 10.138.74.5 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 priority 110
 standby 50 preempt

Core 2

interface Vlan50
 ip address 10.138.74.6 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 preempt
My firewall inside IP is 10.138.74.3, and on my firewall there are static routes for reverse routing (ASA syntax):

route inside 10.138.75.0 255.255.255.0 10.138.74.4
route inside 10.138.76.0 255.255.255.0 10.138.74.4

But my confusion is this: how shall I configure the access switch port which is connected to the firewall inside interface?
Regards,
som
08-05-2008 06:26 AM
Hi,
You need to change the standby IP address and use a virtual IP address. You can't use an IP address that is already assigned. Choose whatever IP address you want.
Also, you can configure your ASA port as an access port.
I hope it helps.
08-05-2008 01:12 PM
Hello som,
nothing changes for the access port with or without HSRP:

interface gx/y
 description ASA inside
 switchport
 switchport mode access
 switchport access vlan 50
 no shut
!

This doesn't change because this is an OSI Layer 2 port and doesn't care about the Layer 3 HSRP group.
Hope to help
Giuseppe
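Putting the three replies together, the following is an added, end-to-end configuration for the design Giuseppe described (ASW7 with trunk uplinks to both cores, STP blocking one of them, an HSRP group for VLAN 50 on the cores, and a plain access port towards the ASA). It is not configuration posted by any participant in this thread. The IP addresses and mask are the ones from the thread; the interface names (Gi1/1 on the cores, Gi0/1, Gi0/23 and Gi0/24 on ASW7, Gi0/1 on the ASA) and the MD5 key string are assumptions. Two choices are deliberate: the HSRP virtual IP is kept at 10.138.74.4, with the cores' own SVIs on .5 and .6 as in som's draft, so the routes already on the ASA stay valid and the virtual address is not also assigned to an interface; and Core1 is made both STP root and HSRP active for VLAN 50, so the ASA's traffic reaches the active gateway over the forwarding uplink instead of hair-pinning across the Core1 -- Core2 link. The HSRP MD5 authentication and the PortFast/BPDU Guard lines on the ASA-facing port are hardening additions, not something the thread asked for.

```cisco
! ===== Core1 (Catalyst 4506): HSRP active and STP root for VLAN 50 =====
spanning-tree vlan 50 root primary
!
interface Vlan50
 description Transit VLAN to ASA inside (10.138.74.3)
 ip address 10.138.74.5 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 priority 110
 standby 50 preempt
 standby 50 authentication md5 key-string Hsrp50-CHANGE-ME
!
! Core1 port towards ASW7 (assumed Gi1/1); identical on Core2
interface GigabitEthernet1/1
 description Trunk to ASW7
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50
 switchport mode trunk
 switchport nonegotiate
!
! The Core1 -- Core2 trunk must also carry VLAN 50, otherwise the two
! cores never see each other's HSRP hellos and both go Active.
!
! ===== Core2 (Catalyst 4506): HSRP standby and STP secondary root =====
spanning-tree vlan 50 root secondary
!
interface Vlan50
 description Transit VLAN to ASA inside (10.138.74.3)
 ip address 10.138.74.6 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 priority 100
 standby 50 preempt
 standby 50 authentication md5 key-string Hsrp50-CHANGE-ME
!
! ===== Access Switch 7 =====
! Port towards the ASA inside interface (assumed Gi0/1): Layer 2 only,
! no HSRP awareness needed. PortFast + BPDU Guard because a firewall
! interface should never send BPDUs.
interface GigabitEthernet0/1
 description ASA 5520 inside 10.138.74.3
 switchport mode access
 switchport access vlan 50
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 no shutdown
!
! Uplinks (assumed Gi0/23 to Core1, Gi0/24 to Core2). On platforms that
! support only 802.1Q, omit the "encapsulation dot1q" line.
interface GigabitEthernet0/23
 description Trunk to Core1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50
 switchport mode trunk
 switchport nonegotiate
!
interface GigabitEthernet0/24
 description Trunk to Core2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 50
 switchport mode trunk
 switchport nonegotiate
!
! ===== ASA 5520 (assumed Gi0/1 as inside) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.138.74.3 255.255.255.224
!
! Reverse routes point at the HSRP virtual IP, so they survive a core failure
route inside 10.138.75.0 255.255.255.0 10.138.74.4
route inside 10.138.76.0 255.255.255.0 10.138.74.4
```

To check the result: `show standby brief` on Core1 should show group 50 Active with virtual IP 10.138.74.4 and Core2 should show Standby; `show spanning-tree vlan 50` on ASW7 should show the Core1 uplink forwarding and the Core2 uplink blocking (Altn); and `show arp | include 10.138.74.4` on the ASA should resolve the gateway to the HSRP virtual MAC 0000.0c07.ac32 (0x32 = group 50), which stays the same when Core2 takes over, so the ASA does not even need to re-ARP during a failover.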