ASA Redundant interfaces with stack switches

Hi All,
We have two ASA 5510s connected in failover, and a pair of Cisco 2960S switches connected in a stack.
Currently one interface of the primary ASA is terminated on switch1 and an interface from the standby is connected to switch2 as Inside, and switch1 and switch2 are in a stack.
For redundancy purposes I want to use multiple interfaces of the ASA for inside, so first I thought to use EtherChannel, but it has a limitation that it cannot be terminated on a stack switch (as per the Cisco document http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html).
So my questions are:
1. Can we use the redundant interface feature, where 2 physical interfaces are combined into a redundant interface (e.g. interface redundant 1), for inside redundancy purposes?
2. Can these ports from the primary/standby ASA be terminated on stack switches (2960S)? Will this work (if the switch with the active port goes down, will the other port take over in the redundant interface with the other switch)?
I have attached the network diagram.
Regards,
Ashraf

Hello Ashraf,
1. Can we use the redundant interface feature, where 2 physical interfaces are combined into a redundant interface (e.g. interface redundant 1), for inside redundancy purposes?
Sure, you can. That's the whole purpose of the feature.
2. Can these ports from the primary/standby ASA be terminated on stack switches (2960S)? Will this work (if the switch with the active port goes down, will the other port take over in the redundant interface with the other switch)?
It would make sense for that to happen, as the status of the interface will be in a different state than up/up, so failover to the other interface will be triggered.
Regards,
Julio

Similar Messages

  • Cisco ASA Redundant interface

    Hello,
    We are looking at upgrading an aging firewall with a Cisco ASA.  I have used the ASA before. 
    We would like to use the ASA in a colocation facility that will have a few site-to-site VPNs.  The ASA MUST be able to have redundant interfaces to our switches.  Reading through ASA documentation this is possible.  (http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838) Can the ASA have redundant links to the same VLANs?  Will any of our configuration for VPNs, etc. have to be set up twice?
    Thanks

    There are four types of redundancy that one can use on ASAs. The first one you cited, redundant interfaces on a single physical device, is the least common in my experience.
    The second is failover - when the ASA is mated with a failover ASA in a high availability configuration. This is the most common usage for customers requiring high availability (HA). That is the most common implementation and has been around since ASA 7.0 software (i.e. a good many years).
    The third is to bond your interfaces from a given ASA (or sets of interfaces if you have an HA pair) into an EtherChannel. This has the added advantage of giving you potentially higher throughput. EtherChannel support was introduced in ASA software version 8.4(1).
    The fourth and newest method is clustering. It was introduced just last fall in ASA 9.0 and is not very widely adopted just yet. It is primarily for high throughput requirements exceeding a single device's capacity but also gives the added benefit of redundancy.
    None of them require you to set up things twice configuration-wise. Some file operations (software upgrade, certificate management, VPN profiles (XML files)) need to be copied onto both members in a failover pair or all members in a cluster scenario.
    Edit - there is a fifth type specific to VPNs whereby one can configure a secondary VPN gateway for clients, usually at an alternate site. That approach does require setting up everything separately on the ASAs.

  • ASA Redundant Interfaces

    Hi everybody,
    and thanks for a great forum!
    I have one ASA and two switches. I would like the ASA set up with a redundant interface consisting of one physical interface in each switch (VLAN trunked across the two switches). Now... Is it possible to set a preferred active physical interface in this redundant interface bundle? Is there a way to make sure the same interface is always active (when both interfaces are working as intended), even after a reboot?
    More specifically, I need this so I can decide where to establish my STP root, and always have the most optimal path (again, of course, unless one interface fails).
    Cheers

    Hi,
    I see that you want to configure a redundant interface on the ASA and also need to ensure that the same interface always remains active. The interface which you define first using the 'member-interface' command while configuring the redundant interface will be the active one by default. If you already have it configured and you want to change the active interface, enter the following command:
    hostname# redundant-interface redundantnumber active-member physical_interface
    Now, if the active interface goes down, the second one will take over as expected.
    Check this link for more info:
    http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html#wp1045838
    Hope this answers your question.
    Sourav
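    The configuration that both Ashraf's question at the top of the page and Sourav's answer describe, as an added example that is not from either thread or from Cisco's documentation: an ASA 5510 active/standby pair whose inside is a two-member redundant interface, one member cabled to each switch of the stack. Interface names, addresses and the failover link are assumptions for illustration.

```cisco
! Added example, not from the thread. Interface names, addresses and the
! failover link are assumed for illustration.
!
! Member interfaces carry no name, security level or address of their own;
! one goes to stack member 1, the other to stack member 2.
interface Ethernet0/1
 description inside member 1 (to stack switch 1)
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/2
 description inside member 2 (to stack switch 2)
 no nameif
 no security-level
 no ip address
 no shutdown
!
! The logical interface owns the name, security level and addresses. The
! standby unit gets the same lines through failover replication and uses
! the 'standby' address.
interface Redundant1
 member-interface Ethernet0/1
 member-interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
 no shutdown
!
! Failover link (assumed on Ethernet0/3). Named interfaces such as 'inside'
! are monitored by default, so a unit only fails over if both members on
! that unit are down; losing one stack switch only swaps the active member.
interface Ethernet0/3
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
!
! Ethernet0/1 is the active member because it is listed first. To prefer the
! other member (Sourav's command) or to see which member carries traffic,
! from the exec prompt:
!   redundant-interface redundant1 active-member ethernet0/2
!   show interface redundant1 detail
```

    The members must have their nameif, security level and address removed before they can be added; only Redundant1 is named and addressed. Because the member facing a failed switch goes down instead of staying up/up, the other member takes over within the same unit, which is the behaviour Julio describes, and the ASA failover pair itself does not switch.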

  • Redundant Interfaces with Management0/0 on ASA5510

    Readers,
    Is it possible to configure redundant interfaces on the Management port?
    Thanks,
    Timothy

    Timothy
    Normal ASA boxes just have a single management interface.. I really don't feel the need for redundancy here.. If you need one, you can get a failover ASA box, and build up redundancy..
    In any case, you have other interfaces like inside, through which you can enable management, like telnet, http etc., if required.. or any other DMZ interface (say a network management DMZ)... it's all flexible.. with all these, I really don't see any need for a redundant management port...
    Hope this helps.. all the best..
    Raj

  • Etherchannel with stacked switches on 3750

    Hi,
    I have got 3 Cisco 3750s stacked together; below is the config for EtherChannel and the error message I get.
    interface gigabit 1/0/25
     switchport mode access
     channel-group 1 mode desirable
    Once I do that, I get "Creating a port-channel interface Port-channel 1".
    interface gigabit 2/0/25
     switchport mode access
     channel-group 1 mode desirable
    I get the error message "%With PAgP enabled, all ports in the Channel should belong to the same switch Command rejected (Port-channel1, Gi2/0/25): Invalid etherchnl mode"
    Actually, if I do that in the same switch, I mean 1/0/26, the command is accepted. So how do I proceed, because I thought I would share the load across the 3 switches for EtherChannel.

    You cannot use PAgP for EtherChannel across separate 3750s in a stack.
    You can set the channel mode to 'on' and it will work, or they must come from the same switch in the stack.
    The following is taken from the cat 3750 config guide
    http://www.cisco.com/en/US/products/hw/switches/ps5023/products_configuration_guide_chapter09186a00801cdea1.html#1154336
    For cross-stack EtherChannel configurations, disable PAgP and LACP on all ports targeted for the EtherChannel by using the channel-group channel-group-number mode on interface configuration command. Before adding a stack member port to an existing EtherChannel, manually disable PAgP and LACP on all the ports that are members of the channel group, and then manually configure the cross-stack EtherChannel. PAgP and LACP are not supported on cross-stack EtherChannels.
    If cross-stack EtherChannel is configured and the switch stack partitions, loops and forwarding misbehaviors can occur.
    HTH
    N
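    The stack-side configuration that the reply points to, as an added example that is not from the thread or from the 3750 guide: the poster's ports on different stack members bundled with channel mode 'on' (no PAgP or LACP), after clearing the PAgP setting that produced the rejection. The VLAN, the channel number and the third port are assumptions.

```cisco
! Added example, not from the thread. VLAN 10, channel-group 1 and the
! third port are assumed for illustration.
!
! Remove the PAgP ('desirable') membership left by the first attempt so the
! channel group can be re-created in static mode.
interface GigabitEthernet1/0/25
 no channel-group
!
! One member port per stack member, all with identical port settings.
! 'mode on' forms the bundle without PAgP/LACP, which is the only mode the
! quoted 3750 guide supports for cross-stack EtherChannel.
interface GigabitEthernet1/0/25
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode on
!
interface GigabitEthernet2/0/25
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode on
!
interface GigabitEthernet3/0/25
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode on
!
! The logical port-channel mirrors the member settings.
interface Port-channel1
 switchport mode access
 switchport access vlan 10
!
! Verify that all three members show as bundled:
!   show etherchannel 1 summary
!   show etherchannel 1 port-channel
```

    The far end has to be set to 'on' as well, since nothing negotiates the bundle. That is also the caveat of a static channel: a miscabled or mismatched port is not detected by a protocol, and, as the quoted guide warns, a partitioned stack can then produce loops, so the member list on both ends should be checked with the show commands above after every cabling change.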

  • C3750G IP BASE upgrade to IP SERVICE with stacking four switches

    Dears
       Currently I have 4 x C3750G IP BASE in a stack, and now need to upgrade to IP Services for BGP support.
    Order from reseller PN: CD-3750G=EMI=.
    I want to ask whether I need to purchase 4 x "CD-3750G=EMI=" or just purchase 1 for the 4 switches. I checked the Cisco support forums; the C3750G does not support license activation.
    Many Thanks
    Wong

    Disclaimer
    The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
    Liability Disclaimer
    In no event shall Author be liable for any damages whatsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
    Posting
    My understanding has been the 3750 series will allow you to (legally) run a whole stack with an IPServices image as long as one stack member has a license for IPServices.
    For redundancy, you should have at least two stack members with IPServices, otherwise if the sole IPServices master fails, the whole stack reverts to IPBase.

  • N7k as redundant core with vpc to 4510/3750 as distribution switch

    Hi - basic question here
    Got 2 qty N7k as redundant core with vPC to 4510 and 3750 as redundant distribution switches running MST. I got stuck with some bad cabling design from our IDF to the datacenter, so I have 2 access switches whereby each one will have an EtherChannel to both distribution switches, the 4510 and the 3750. My question is: is this a doable design? I am not sure about the vPC upstream and how it affects EtherChannel with MST for my distribution and access.
    Thanks

    vPC will be considered as one logical link by both upstream and downstream connected devices
    The question here is: are you going to run L3 between the distribution and core devices? (This is the recommended design.) If yes, then you do not need to worry about MST and vPC if you have L3 from the distribution devices up to the core.
    One thing to consider is that the distribution switches in your design have a big difference in terms of backplane throughput, I mean between the 4500 and the 3750!
    If you can have both as 4500s it will be a better and more consistent design.
    Good luck
    if helpful Rate

  • Reg. Redundant interfaces in ASA 8.0

    Hi
    In ASA 8.0, I have the following queries related to redundant interfaces:
    a) While configuring a redundant interface, can the redundant interface again be divided into logical interfaces like red1.1, red1.2?
    b) Is the redundant interface supported in multiple context mode?
    Regards
    Ankur

    Yes Ankur, it is possible.
    ##snippet##
    interface Ethernet0/0
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/1
     speed 100
     nameif inside
     security-level 100
     ip address 192.168.16.19 255.255.255.128
     ospf network point-to-point non-broadcast
     ospf message-digest-key 123 md5
    !
    interface Ethernet0/2
     shutdown
     no nameif
     no security-level
     no ip address
    !
    interface Ethernet0/3
     nameif null0
     security-level 50
     ip address 10.2.1.1 255.255.255.0
    !
    interface Management0/0
     no nameif
     security-level 0
     no ip address
    !
    interface Redundant1
     member-interface Ethernet0/0
     member-interface Ethernet0/2
     no nameif
     no security-level
     no ip address
    !
    interface Redundant1.1
     vlan 32
     no nameif
     no security-level
     ip address 1.1.1.8 255.0.0.0
    Regards,
    Sushil

  • ASA redundant design questions

    Hi, thanks for your time and knowledge. 
    I have a topology like below in the data center and plan to have a fully redundant topology. Currently Primary/Secondary/ASA and another core switch at HQ are running EIGRP. Especially, the ASA is redistributing all IPsec tunnels (around 70 branches) and remote VPN (10.254.50.0/24) into EIGRP. The blue line is internal and the red line is for DMZ. In terms of internal VLANs, they are running through EIGRP, which means that
      default gateways for internal VLANs are all primary/secondary through HSRP (Virtual IP);
     however for the DMZ VLAN, it is terminated on the ASA interface. For example, from a server's perspective, the default gateway is not the primary/secondary switch but the ASA DMZ interface, so servers in the DMZ are seeing Primary/Secondary as an L2 switch.
    Question 1) According to my research, I need to have HSRP between the two switches ====== ASAs. Is it right? I can't run EIGRP? If I can't run EIGRP between the four devices, I need to make a lot of static routes in the ASA for branch offices (70 subnets) and remote VPN users (1 subnet).
    Q2) I like the left topology because I don't need to set up a redundant interface and need fewer cables. Especially, I don't need another IPS sensor (if I choose the right topology, I need one more IPS sensor). Also, we don't have VSS between Primary and Secondary (just a trunk). Do you see any problem with the left topology? I am OK with a couple of minutes of downtime due to device failure.
    Q3) Should both ASAs' inside/DMZ/outside IP addresses be identical, except the failover interface? I.e. the inside interface IP is 10.254.5.4 now. Will this be the inside IP for both Active/Standby? Or do I need different IP addresses for all interfaces?
    Thanks. 

    What are your devices?  Routers/switches/ASAs?  Your pictures are kind of cut off so it is hard to understand your topology.
    You need to have two Layer 3 devices to run HSRP: one will be Primary and one would be Standby.  You should be able to run EIGRP on all the devices.

  • What is the best design tablet with stylus to have an easy interface with Adobe Photoshop?

    What is the best design tablet with stylus for use with Adobe Photoshop for this holiday season's offerings, 2013?
    I am trying to find a tablet with a good stylus to work with Adobe design products, primarily Photoshop. I would like one that works in layers with Photoshop.
    The folks at Wacom don't even answer the phone, just a recorded message: go to the web site with questions.  Not a good sign for a company. So what is a good design tablet for a pressure-sensitive stylus? Will the Wacom Cintiq tablet interface well with an Apple iMac with IOS 10.8?
    I love my Samsung Note 3 but it will not easily transfer images to an Apple iMac 10.8.
    Please help me find tablets with a good Adobe design interface.  Just tell me which way to jump. It is easier to leave Apple for PC or Android than to abandon Adobe knowledge. The products have to work together.
    Does the Wacom Cintiq not embrace an easy interface with Apple iMac IOS 10.8 latest software? Wacom seems to be championing Windows 8 as a companion to their tablet interface.
    Can an iPad deliver good layered designs using Adobe software design programs and a stylus?
    What should I buy for an Adobe design tablet with a pressure-sensitive stylus for this holiday season?
    Should I wait until next year?
    Will the tablet work in Photoshop layers?
    This link seemed ominous:
    http://forums.adobe.com/message/4950467

    subhash007 wrote: It's not an 802.3ad link aggregated interface. On the switch side, the ports will be configured as normal access ports and the bonding config will be done on the server side.
    To be honest, I don't understand how the Linux bonding mode can work without anything configured the other end.
    My understanding of 'bonding' comes from Multilink PPP (MLP) where the data stream is chopped up and split across two (or more) circuits. At the other end, a similar MLP-enabled device reforms the data stream from the multiple circuits, maintaining packet order. But this requires MLP-enabled 'bonding' devices at each end.
    Perhaps you could help me better understand the Linux bonding...
    subhash007 wrote: If any single homed server is connected to Switch 2, what will be the traffic path for its data packets?
    Switch 2 ------------------> Switch 1 ----------------------> Active firewall
    OR
    Switch 2 ------------------> Passive Firewall -----------> Active Firewall
    If the firewalls operate in the same fashion as Cisco ASAs, then the inter-firewall link doesn't carry traffic. It's for failover detection and HTTP replication only. But like I said, I'm not familiar with this vendor's products.
    subhash007 wrote:Also will there be any change in traffic path if the trunk between Switch 1 & Switch 2 is converted to L3 routed interface? Since there is no VRRP, i can convert the trunk to L3 right?
    Same as above.

  • Using 37xx stack switch can I send snmp messages as syslog ?

    In my environment we have Cisco 37xx stack switches. I want to know whether it is possible to use the switch config to send SNMP traps as syslog messages to the syslog server.
    In our case, we are using a SIEM which has the ability to process syslog messages from different networking switches. The specific event I'm after is related to bandwidth utilization of an interface. It would have been great if there were an existing syslog event for exceeded bandwidth or an increase in bandwidth beyond a certain bps rate. The only place such information can be obtained is from SNMP, but the SIEM station doesn't understand SNMP, so I hope there is some setting which allows the conversion of SNMP traps to syslog messages to be forwarded to the destination.
    Thanks.

    The iPad cannot use your Android phone number at all so it will not in any way be associated with the device or your Apple ID. You will be using your Apple ID email address as your connect address to use Messages. If you want to look at it this way, your iPad/iMessages will be associated with your Apple account/Apple ID, not with the Android phone number.
    Where some users get into problems is if they go from an iPhone number to an Android phone number. That is not what you are doing.

  • LMS and stacking switches

    Hi everyone!
    I was having a conversation with a friend and he assured me that LMS stacks switches with up to 9 switches.
    Does anyone know if this is true? For all I know this is only done through the special stack interface (as in the 3750 and 2960S).

    LMS (and Cisco Network Assistant) manages Cisco switch stacks. And, yes, a stack is up to 9 switches.
    I'm not sure what you're asking, though. Stacks are built by virtue of physically connecting the StackWise cables and that is independent of what, if anything, is used for network management.

  • Performance of stacked switch

    I'm installing a stack of 3x 3750G switches, which are inter-connected w/ StackWise cables.
    Do stacked switches truly act as one switch without any performance penalty if a packet has to traverse from one switch to another in the same stack?
    Would it be better to arrange the ports together on the same switch if I know they'll mostly generate local traffic among themselves?
    Another question I have is: should I try to distribute ports among the stacked switches as much as possible, or is the stack really functioning as a unified switch?
    For instance, I've got 3x 24-port 3750Gs; thus a total of 72 ports. If I currently have only 24 objects (clients or switches), should I plug 8 into each switch, or does it make no difference if I plug all 24 objects into the same switch?

    A customer asked me this exact question the other day....
    The stack has an interconnect speed of 32G. Thus a packet coming in from 1/0/1 going to 3/0/1 will hit the backplane on switch 1 (speed so high you can forget about it for all intents and purposes), traverse the 32G interconnect bus, and cross the backplane on switch 3 to the egress port. You can consider this almost identical to the 6500 series when using the "classic" series line cards (61xx series), which likewise share a 32G backplane bus.
    I have tested this with IXIA gigabit traffic generators which blasted 20 Gig of traffic with 50000 flows across the switch stack. The boxes were solid as a rock. 20 Gig is rather a lot of traffic.... !!!
    The only occasion when you might have a problem with this architecture is if you have multi-gigabit traffic crossing the switch stack that requires QoS priority on an already heavily utilised stack. In that case you could possibly get contention for the stacking bus (unless there is a way of prioritising the traffic gaining access to the stacking bus???? There hasn't been in the past). Cisco's answer to that would be twofold.
    1. If you required such traffic patterns with such heavy traffic and QoS requirements then you should be using a 6500 series switch with high end interface blades.
    2. That the 3750 supports ingress QoS to precisely address the problem of overloading the switch fabric.
    Best regards,
    Steve

  • ASA Redundant/Dual Connections to the SAME ISP

    Is it possible to connect two ports on an ASA to the same ISP for physical port redundancy?  I know it's possible to connect to two different ISPs with different subnets, but in this case it would be the same ISP, same subnet.  I'm expecting the answer to be 'no' and that I'd have to bring up a 'cold spare' interface should the primary interface go down.  The ASA model is either 5520 or 5512-X, and I'd have to go get the software versions if anyone would like that information.

    You can't give two ports an IP from the same subnet in the same context no.
    But you could either -
    1) use etherchannel
    or
    2) use the redundant interface feature where you use two ports but only one is active and if it fails the other takes over with the same IP address
    Jon
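    Jon's first option, as an added example that is not from the thread or from Cisco documentation: a two-port EtherChannel on the ASA carrying the single outside address toward the same ISP switch, which needs ASA 8.4(1) or later. Interface names, the channel number and the 203.0.113.0/29 addresses are constructed for illustration.

```cisco
! Added example, not from the thread. Interface names, channel number and
! the 203.0.113.0/29 addresses are assumed for illustration. Requires
! ASA 8.4(1) or later for EtherChannel support.
!
! Both physical ports join the channel and carry no name or address of
! their own; 'mode active' negotiates the bundle with LACP.
interface GigabitEthernet0/0
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Port-channel1 exists once the first member is assigned. It holds the one
! outside address from the ISP subnet, exactly as a single physical outside
! port would, so no second address from the same subnet is needed.
interface Port-channel1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
!
! The ISP switch must bundle the same two ports with LACP; if it cannot
! negotiate, both ends use 'channel-group 1 mode on' instead.
! Check membership and state with:
!   show port-channel summary
```

    Compared with Jon's second option, the channel keeps both ports forwarding and survives a single port or cable failure without any address change; the trade-off is that the ISP has to configure its side to match, which a redundant interface does not require.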

  • NAT on sub-interface with no internet access

    Good morning,
    Please, I have a 2901 router on which I configured two sub-interfaces for Voice and Data. Everything seems to be working fine but I can't access the internet after configuring NAT.
    Config below
    Router1#sh config
    Using 5392 out of 262136 bytes
    ! No configuration change since last restart
    ! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
    ! NVRAM config last updated at 16:15:07 UTC Wed Jul 2 2014 by aadmin
    version 15.2
    service timestamps debug uptime
    service timestamps log uptime
    service password-encryption
    hostname A
    boot-start-marker
    boot-end-marker
    ! card type command needed for slot/vwic-slot 0/0
    logging buffered 51200 warnings
    enable secret 4 U3/EVMmZsx9ys3vbB8aDhHy.5h4qh2V8/DkTGNsxvTA
    enable password 7 06150E2C5F5B071E
    aaa new-model
    aaa authentication login default local
    aaa session-id common
    memory-size iomem 25
    ip cef
    ip dhcp excluded-address 10.10.36.1 10.10.36.25
    ip dhcp excluded-address 10.10.36.200 10.10.36.254
    ip dhcp pool DATA
     network 10.10.36.0 255.255.255.0
     default-router 10.10.36.1
     dns-server 8.8.8.8 4.2.2.2
    ip dhcp pool VOICE
     network 10.1.1.0 255.255.255.0
     default-router 10.1.1.1
     option 150 ip 10.10.36.4
    no ipv6 cef
    multilink bundle-name authenticated
    crypto pki trustpoint TP-self-signed-3112445314
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-3112445314
     revocation-check none
     rsakeypair TP-self-signed-3112445314
    crypto pki certificate chain TP-self-signed-3112445314
     certificate self-signed 01 nvram:IOS-Self-Sig#1.cer
    voice-card 0
    license udi pid CISCO2901/K9 sn FCZ1808C4L8
    hw-module pvdm 0/0
    username a password 7 1416111F05557C
    username e privilege 15 password 7 1437455E0E2A25382525260B67
    username c password 7 030B580E0701284F165B5C
    username a password 7 01000709481E0808
    redundancy
    interface Embedded-Service-Engine0/0
     no ip address
     shutdown
    interface GigabitEthernet0/0
     description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-GE 0/0$
     ip address #.#.#.58 255.255.255.248
     ip nat outside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0/1
     no ip address
     ip nat inside
     ip virtual-reassembly in
     duplex auto
     speed auto
     no keepalive
    interface GigabitEthernet0/1.1
     encapsulation dot1Q 1 native
     ip address 10.10.36.1 255.255.255.0
     ip verify unicast reverse-path
     ip nat inside
     ip virtual-reassembly in
    interface GigabitEthernet0/1.100
     encapsulation dot1Q 100
     ip address 10.1.1.1 255.255.255.0
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
    ip route 0.0.0.0 0.0.0.0 #.#.#.57
    ip access-list extended LAN_NAT_POLICY
     permit ip 10.0.0.0 0.255.255.255 any
    access-list 23 permit 10.10.36.0 0.0.0.255
    access-list 23 permit 10.10.0.0 0.0.0.255
    access-list 23 permit 10.10.0.0 0.0.255.255
    access-list 101 permit tcp 10.10.36.0 0.0.0.255 host 10.10.36.1 eq telnet
    control-plane
    mgcp profile default
    gatekeeper
     shutdown
    banner exec ^C
    % Password expiration warning.
    Cisco Configuration Professional (Cisco CP) is installed on this device
    and it provides the default username "cisco" for  one-time use. If you hav
    already used the username "cisco" to login to the router and your IOS imag
    supports the "one-time" user option, then this username has already expire
    You will not be able to login to the router with this username after you e
    this session.
    It is strongly suggested that you create a new username with a privilege l
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you want
    use.
    ^C
    banner login ^C
    Cisco Configuration Professional (Cisco CP) is installed on this device.
    This feature requires the one-time use of the username "cisco" with the
    password "cisco". These default credentials have a privilege level of 15.
    YOU MUST USE CISCO CP or the CISCO IOS CLI TO CHANGE THESE  PUBLICLY-KNOWN
    CREDENTIALS
    Here are the Cisco IOS commands.
    username <myuser>  privilege 15 secret 0 <mypassword>
    no username cisco
    Replace <myuser> and <mypassword> with the username and password you want
    to use.
    IF YOU DO NOT CHANGE THE PUBLICLY-KNOWN CREDENTIALS, YOU WILL NOT BE ABLE
    TO LOG INTO THE DEVICE AGAIN AFTER YOU HAVE LOGGED OFF.
    For more information about Cisco CP please follow the instructions in the
    QUICK START GUIDE for your router or go to http://www.cisco.com/go/ciscocp
    ^C
    line con 0
     password 7 13041406025D52
    line aux 0
     exec-timeout 0 1
     no exec
    line 2
     no activation-character
     no exec
     transport preferred none
     transport output pad telnet rlogin lapb-ta mop udptn v120 ssh
     stopbits 1
    line vty 0 4
     access-class 23 in
     privilege level 15
     password 7 094D4D1D105441
     transport input telnet ssh
    line vty 5 15
     access-class 23 in
     privilege level 15
     transport input telnet ssh
    scheduler allocate 20000 1000
    ntp master
    ntp server 10.10.36.1
    end
    Please I need a quick response
    Thank you.

    Can you change the interface to the outside interface in this command:
    ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 ov
    Can you try the command below:
    ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 ov
    Regards
    PrajithTR
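    The NAT statement as PrajithTR proposes it, written out as an added example that is not from the thread: the translation bound to the real outside interface GigabitEthernet0/0, with the 'overload' keyword that the truncated 'show config' line cuts off. One point the reply does not raise but that is visible in the posted config: sub-interface GigabitEthernet0/1.100 has no 'ip nat inside', so the voice subnet 10.1.1.0/24 would not be translated even after the change; the example adds it.

```cisco
! Added example, not from the thread. Only the NAT-relevant lines of the
! posted 2901 configuration are shown; the public address stays masked as
! in the post and is omitted here.
!
! The real outside interface: the one the default route points through.
interface GigabitEthernet0/0
 ip nat outside
 ip virtual-reassembly in
!
! Data VLAN, already marked inside in the posted config.
interface GigabitEthernet0/1.1
 encapsulation dot1Q 1 native
 ip address 10.10.36.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
! Voice VLAN: the posted config lacks 'ip nat inside' here, so 10.1.1.0/24
! would never be translated; added for completeness.
interface GigabitEthernet0/1.100
 encapsulation dot1Q 100
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
 ip virtual-reassembly in
!
! Sources eligible for translation (from the posted config).
ip access-list extended LAN_NAT_POLICY
 permit ip 10.0.0.0 0.255.255.255 any
!
! Replace the statement that translated to the inside sub-interface with
! one that translates to the outside interface address (PAT, 'overload').
no ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/1.1 overload
ip nat inside source list LAN_NAT_POLICY interface GigabitEthernet0/0 overload
!
! After a host on either VLAN reaches the internet, entries should appear in:
!   show ip nat translations
!   show ip nat statistics
```

    With the original statement the translated address was 10.10.36.1, a private address on the inside sub-interface, so returning packets had no public address to come back to; pointing the translation at GigabitEthernet0/0 makes the router's public address the source of all outbound traffic from the two inside VLANs.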
