ASA subinterfaces and switch

Hi,

I want to ask:

I need to divide my Outside ASA interface into subinterfaces like this (VPN will be terminated on subinterfaces):

.

.

interface GigabitEthernet0/0
!
interface GigabitEthernet0/0.1
nameif Outside
security-level 0
ip address 117.x.x.x 255.255.255.224
vlan 30
!
interface GigabitEthernet0/0.2
nameif Outside2
security-level 0
ip address 118.x.x.x 255.255.255.248
vlan 40
!
.
.

Physical interface GigabitEthernet0/0 will be connected to a Cisco switch (because there are two ASAs in active-standby configuration, we need a cable to the primary and secondary ASA) and from the switch to the ISP router.


How should I configure this switch? Should I configure the connected interfaces to trunk all VLANs?

Is this configuration sufficient and good or not?


hostname Switch
!
!
no aaa new-model
system mtu routing 1500
ip subnet-zero
!
!
!
!
no file verify auto
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan internal allocation policy ascending
!
interface GigabitEthernet0/1
description To_ASA1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/2
description To_ASA2
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/3
!
interface GigabitEthernet0/4
!
interface GigabitEthernet0/5
!
interface GigabitEthernet0/6
!
interface GigabitEthernet0/7
!
interface GigabitEthernet0/8
!
interface GigabitEthernet0/9
!
interface GigabitEthernet0/10
description To_ISP
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface GigabitEthernet0/11
!
interface GigabitEthernet0/12
!
interface GigabitEthernet0/13
!
interface GigabitEthernet0/14
!
interface GigabitEthernet0/15
!
interface GigabitEthernet0/16
!
interface GigabitEthernet0/17
!
interface GigabitEthernet0/18
!
interface GigabitEthernet0/19
!
interface GigabitEthernet0/20
!
interface GigabitEthernet0/21
!
interface GigabitEthernet0/22
!
interface GigabitEthernet0/23
!
interface GigabitEthernet0/24
!
interface GigabitEthernet0/25
!
interface GigabitEthernet0/26
!
interface GigabitEthernet0/27
!
interface GigabitEthernet0/28
!
interface Vlan1
no ip address
shutdown
!
interface Vlan30
no ip address
!
interface Vlan40
no ip address
!
ip classless
ip http server
!
!
control-plane
!
!
line con 0
line vty 5 15
!
end

Thanks for any advice.
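An added example, not part of the original post: a Python check for the "trunk all vlans?" question that compares each switch trunk's allowed VLAN list with the VLANs the ASA subinterfaces use (30 and 40). The sample configs are constructed from the ones posted above; the `switchport trunk allowed vlan` lines on two ports are assumptions added for contrast, and only the plain list form of that command is parsed.

```python
import re

# Constructed sample input, trimmed from the configurations posted above; the
# "allowed vlan" lines on two ports are assumptions added to show the contrast.
ASA = "interface GigabitEthernet0/0.1\n vlan 30\ninterface GigabitEthernet0/0.2\n vlan 40\n"
SWITCH = """\
interface GigabitEthernet0/1
 switchport mode trunk
!
interface GigabitEthernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 30,40
!
interface GigabitEthernet0/10
 switchport mode trunk
 switchport trunk allowed vlan 30-45
!
"""

def expand_vlans(spec):
    """Expand an IOS VLAN list such as '30,40-42' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def asa_vlans(config):
    """VLAN IDs assigned to ASA subinterfaces (their 'vlan N' lines)."""
    return {int(v) for v in re.findall(r"^\s*vlan (\d+)\s*$", config, re.M)}

def audit_trunks(switch_config, needed):
    """Return {interface: finding} for trunks whose allowed list differs from `needed`."""
    findings = {}
    for block in re.split(r"^(?=interface )", switch_config, flags=re.M):
        lines = [l.strip() for l in block.splitlines()]
        if "switchport mode trunk" not in lines:
            continue
        allowed = set(range(1, 4095))  # IOS default: a trunk carries VLANs 1-4094
        for l in lines:
            m = re.fullmatch(r"switchport trunk allowed vlan ([\d,-]+)", l)
            if m:
                allowed = expand_vlans(m.group(1))
        name = lines[0].split()[1]
        if needed - allowed:
            findings[name] = f"missing VLANs {sorted(needed - allowed)}"
        elif allowed - needed:
            findings[name] = f"{len(allowed - needed)} unneeded VLANs allowed"
    return findings
```

Calling `audit_trunks(SWITCH, asa_vlans(ASA))` on the sample reports GigabitEthernet0/1 (no allowed list, as posted) and GigabitEthernet0/10 (list wider than needed), and passes GigabitEthernet0/2.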

2 REPLIES
ASA subinterfaces and switch

Hi,

Not knowing what your end goal is, are you trying to connect to two different ISPs, or one ISP via two different LAN blocks? The latter case is pointless in terms of redundancy. I believe it's a 5510, or higher. So your subinterfaces and your switchport configuration look correct. The only thing that looks off, again not knowing what you're trying to do, is your trunk connection to the ISP router. It's not normal to see an ISP router have two different LAN blocks on two different VLANs. But that is just guessing the case from the above config.

Hope that helps,

Nick

ASA subinterfaces and switch

Hi,

Yes, it's an ASA 5520.

We have two links to the Internet, both from the same ISP. The capacity of the first connection is 10 Mbit/s and of the second 12 Mbit/s. We want to use both links: the first for Internet browsing, mail etc., the second for a VPN connection from another company.

Our ISP merges these two links in their router (they will be balanced links so that capacity is not zero if one of the links fails; that's the ISP's job, so not interesting for my question), and from the ISP router one physical interface divided into subinterfaces will be connected to our ASAs. Between our ASAs and the router is one switch that splits the physical connection because of the active/standby configuration.

Maybe a picture is better to understand.

Thanks.
