HSRP

somnath21
Level 1

Hi,

I have configured HSRP on my Cisco 4506 core switches. We have a total of 7 access switches. Among them, 6 access switches are configured with different VLANs.

Now we have one Cisco ASA 5520 which is connected to core 2 via another access switch. But nothing is configured on this access switch. It is connected like this:

[ ASA ]---> [Access Switch 7] ---> [Core 2]

Cisco ASA inside IP: 10.138.74.3

Core 2 port connected to Access Switch 7: in VLAN 50, IP 10.138.74.4 (no HSRP configured for VLAN 50)

Now my problem is that if core 2 goes down, we are unable to reach the internet, as the firewall is not connected to core 1.

I want to configure HSRP for the firewall connectivity as well.

For that I need to configure HSRP for VLAN 50 too. But I am confused about how to connect the Cisco ASA to access switch 7 in this scenario.

What configuration do I have to do on access switch 7?

        ASA
         |
   Access switch 7
      |       |
    Core2   Core1

How do I configure the access switch port which is connected to the firewall inside interface?

regards,

som

4 Replies

Giuseppe Larosa
Hall of Fame

Hello Som,

In order to achieve the desired redundancy, it is enough to have Access Switch 7 connected with two uplinks, one to Core 1 and one to Core 2:

        ASA
         |
   Access Switch 7
      |       |
    Core1 ----- Core2

The Spanning Tree Protocol will deal with the link redundancy.

So if Core2 is the root bridge for VLAN 50, the link Access Switch 7 -- Core 1 will be blocked.

If Core2 fails, or the link Core2 -- Access Switch 7 fails, that link will become operational (STP forwarding state).

You will have an HSRP group in VLAN 50 on Core1 and Core2.

The two uplinks are trunk ports that allow VLAN 50.

Notice that you still have two single points of failure: the ASA and the Access switch.

If you have a pair of ASAs in stateful failover, you can have ASA1 on ASW7 and ASA2 on ASW7bis (another switch).

Both ASW7 and ASW7bis could have two uplinks, one to Core1 and one to Core2.

In this way you get a design that is fault tolerant to a single link or device fault.

Hope to help

Giuseppe

Actually, it's clear to me that I have to configure an HSRP group (50), like this:

Core 1

interface Vlan50
 ip address 10.138.74.5 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 priority 110
 standby 50 preempt

Core 2

interface Vlan50
 ip address 10.138.74.6 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 preempt

My firewall inside IP is 10.138.74.3, and on my firewall there is a static route for reverse routing (ASA syntax, pointing at the HSRP virtual address):

route inside 10.138.75.0 255.255.255.0 10.138.74.4
route inside 10.138.76.0 255.255.255.0 10.138.74.4

But my confusion is this: how shall I configure the access switch port which is connected to the firewall inside interface?

Regards,

som

Hi,

You need to change the standby IP address and use a virtual IP address. You can't use an IP address that is already assigned. Choose whatever IP address you want.

Also, you can configure your ASA port as an access port.

I hope it helps.
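The two replies above describe the HSRP half of Giuseppe's design (one group in VLAN 50 on both cores) and the mistake that breaks it (reusing an address a core already owns as the virtual IP). The script below is an added example, not code from the thread or from Cisco: it parses the `interface VlanN` / `standby N ...` lines of an IOS-style config for each core and checks the group for the things a practitioner would verify before cutting over. The sample configs are constructed from the thread's numbers (10.138.74.0/27, VIP .4, Core 1 at .5 with priority 110); the "colliding" Core 2 config keeps the .4 SVI address from the original post, the "fixed" one is renumbered to .6. The authentication warning is a caveat beyond what the thread says: without `standby 50 authentication`, any host on VLAN 50 can claim the gateway with a higher priority.

```python
"""Consistency checks for one HSRP group on two core switches (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sample configs (not dumps from the poster's switches).
CORE1 = """
interface Vlan50
 ip address 10.138.74.5 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 priority 110
 standby 50 preempt
!
interface GigabitEthernet1/1
 switchport mode trunk
"""
# Core 2 as it stands today: the SVI still owns 10.138.74.4, the intended VIP.
CORE2_COLLIDING = """
interface Vlan50
 ip address 10.138.74.4 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 preempt
"""
# Core 2 renumbered so that .4 is free to be the virtual address.
CORE2_FIXED = """
interface Vlan50
 ip address 10.138.74.6 255.255.255.224
 standby 50 ip 10.138.74.4
 standby 50 preempt
"""

@dataclass
class Svi:
    name: str
    address: Optional[ipaddress.IPv4Interface] = None
    # group number -> {"ip", "priority", "preempt", "auth"}
    groups: Dict[int, dict] = field(default_factory=dict)

def parse_config(text: str) -> Dict[str, Svi]:
    """Collect SVIs and their standby (HSRP) settings; other interfaces are skipped."""
    svis: Dict[str, Svi] = {}
    current: Optional[Svi] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface\s+(vlan\d+)$", line, re.IGNORECASE)
        if m:
            current = Svi(m.group(1).capitalize())   # normalise to "Vlan50"
            svis[current.name] = current
            continue
        if line.startswith("interface "):            # physical port: not an SVI
            current = None
            continue
        if current is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            current.address = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
            continue
        m = re.match(r"standby (\d+) (\S+)(?:\s+(\S+))?", line)
        if m:
            g = current.groups.setdefault(int(m.group(1)),
                {"ip": None, "priority": 100, "preempt": False, "auth": False})
            key, val = m.group(2), m.group(3)
            if key == "ip" and val:
                g["ip"] = ipaddress.IPv4Address(val)
            elif key == "priority" and val:
                g["priority"] = int(val)
            elif key == "preempt":
                g["preempt"] = True
            elif key == "authentication":
                g["auth"] = True
    return svis

def check_hsrp(core_a: Dict[str, Svi], core_b: Dict[str, Svi],
               vlan: str = "Vlan50", group: int = 50) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings) for one HSRP group shared by two routers."""
    errors: List[str] = []
    warnings: List[str] = []
    pair = []
    for label, cfg in (("core1", core_a), ("core2", core_b)):
        svi = cfg.get(vlan)
        if svi is None or svi.address is None:
            errors.append(f"{label}: no {vlan} SVI with an ip address")
            continue
        g = svi.groups.get(group)
        if g is None or g["ip"] is None:
            errors.append(f"{label}: {vlan} has no 'standby {group} ip'")
            continue
        pair.append((label, svi, g))
    if len(pair) != 2:
        return errors, warnings
    (la, sa, ga), (lb, sb, gb) = pair
    if sa.address.network != sb.address.network:
        errors.append(f"{la}/{lb}: {vlan} SVIs are in different subnets")
    if ga["ip"] != gb["ip"]:
        errors.append(f"group {group}: VIP differs ({ga['ip']} vs {gb['ip']})")
    real = {sa.address.ip: la, sb.address.ip: lb}       # addresses already in use
    for vip in {ga["ip"], gb["ip"]}:
        if vip in real:
            errors.append(f"group {group}: VIP {vip} is already the real address of {real[vip]}")
    for label, svi, g in pair:
        if g["ip"] not in svi.address.network:
            errors.append(f"{label}: VIP {g['ip']} is outside {svi.address.network}")
        if not g["preempt"]:
            warnings.append(f"{label}: group {group} without preempt")
        if not g["auth"]:
            warnings.append(f"{label}: group {group} without authentication")
    if ga["priority"] == gb["priority"]:
        warnings.append(f"group {group}: equal priorities, active router chosen by highest IP")
    return errors, warnings

if __name__ == "__main__":
    core1 = parse_config(CORE1)
    for name, text in (("colliding", CORE2_COLLIDING), ("fixed", CORE2_FIXED)):
        errs, warns = check_hsrp(core1, parse_config(text))
        print(name, "errors:", errs, "warnings:", warns)
```

Run against the colliding config it reports that 10.138.74.4 is already Core 2's real address; against the renumbered config it passes with only the missing-authentication warning, which is what you would add on both cores before trusting the group.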

Hello som,

Nothing changes for the access port with or without HSRP:

interface gx/y
 switchport
 switchport mode access
 switchport access vlan 50
 no shut
!

This doesn't change because it is an OSI Layer 2 port and does not care about the Layer 3 HSRP group.

Hope to help

Giuseppe
