Need ASA 9.x Etherchannel example w/ layer 2 switch config

Hello there:
Could anyone please point me to example configurations of Etherchannel on an ASA 9.x, connecting to a layer 2 switch?  I need to see how the switch is configured as well.
Thank you.

Hi,
I have configured a port channel with a Cisco 2960S switch. Here is the configuration example below. If the answer is correct, please comment.
fw-01# sho port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
11     Po11(U)       LACP      No            Gi0/1(P)   Gi0/0(P)

interface GigabitEthernet0/0
 description *** Connected to CORE-SW-01 ***
 channel-group 11 mode passive
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1
 description *** Connected to CORE-SW-01 ***
 channel-group 11 mode passive
 no nameif
 no security-level
 no ip address
interface Port-channel11
 description *** Connected to CORE-SW ***
 nameif outside
 security-level 100
 ip address 10.98.8.90 255.255.255.248 standby 10.98.8.91

================Switch====================
interface Port-channel12
 description *** Port-Channel Used for DC-INSIDE-FW-1-IPS***
 switchport access vlan 912
interface GigabitEthernet1/0/21
 description **** inside Firewall 01 ***
 switchport access vlan 912
 channel-protocol lacp
 channel-group 12 mode active
Please let me know your topology.

Similar Messages

  • Cisco Asa 5505 and Layer 3 Switch With Remote VPN Access

    I got a new Cisco Layer 3 switch today, so here is my scenario:
    Cisco Asa 5505
    I
    Outside  == 155.155.155.x
    Inside  =      192.168.7.1
    VPN POOL Address =   10.10.10.1   -   10.10.10.20
    Layer 3 Switch Config
    Vlan 2
    interface ip address =  192.168.1.1
    Vlan 2
    interface ip address =  192.168.2.1
    Vlan 2
    interface ip address =  192.168.3.1
    Vlan 2
    interface ip address =  192.168.4.1
    Vlan 2
    interface ip address =  192.168.5.1
    ip Routing
    So I want my remote access VPN clients to access all these networks. Please can you give me a helpful trick or link to configure the rest of my routing?
    Thank you all.

    When my remote VPN is connected, it reaches 192.168.7.2 of the Layer 3 VLAN that's connected to the ASA 5505,
    but I can't reach the rest of the VLANs, for example:
    192.168.1.1
    192.168.1.2
    192.168.1.3
    192.168.1.4
    192.168.1.5
    But I can reach the interface VLAN connected to my ASA.
    So I think I am missing configuration for my route.
    Any help please, this is urgent.

  • ASA 5580 with EtherChannel 20Gbs, Does the Failover link must match the same Speed?

    Hello,
    I have an ASA 5580. I am planning on setting up two EtherChannels (inside and outside); each channel will include two TenGigabit interfaces.
    My question is whether the links that I am going to use for the failover and link should also be 20Gbs each, or whether it is OK to use 10Gbs for each link.
    According to the Configuration guide 8.4
    Use the following failover interface speed guidelines for the ASAs:
    • Cisco ASA 5510
    – Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
    • Cisco ASA 5520/5540/5550
    – Stateful link speed should match the fastest data link.
    • Cisco ASA 5580/5585
    – Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for Stateful Failover.
    Thanks in advance

    Hi,
    I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
    I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which on the following interface configurations would make the most sense?
    Option 1:
    2x10GE = 20GE Etherchannel for Data
    1x1GE LAN Failover
    1x1GE STATE Failover
    Option 2:
    1x 10GE Data
    1x 10GE LAN & STATE Failover
    Option 3:
    2x10GE = 20GE Etherchannel for Data
    4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
    (EtherChannel for LAN/STATE Failover actually does not make much sense, since only one interface will be used anyway)
    Option 4:
    1x10GE LAN & STATE Failover
    8x1GE = 8 GE Etherchannel for Data
    I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
    What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
    The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
    Thanks in advance for your feedback!

  • Transparent Deployment Using Layer 4 Switch

    Hi,
    Just want to ask how to deploy WSA Ironport on transparent mode on layer 4 Switch.
    I believe it is just deployed by choosing Layer 4 on Transparent Redirection on WSA Ironport.
    But the question is, what will I need to configure to my Layer 4 switch for it to redirect traffic to WSA?
    I'm trying to connect it to a hp procurve layer 4 switch to use transparent redirection.
    Can someone clarify how to deploy it?
    Thanks

    Make sure your switch can do it:
    http://h30499.www3.hp.com/t5/Switches-Hubs-Modems-Legacy-ITRC/HP-Procurve-2626-Policy-based-routing/td-p/5421071
    I did some digging and didn't find any decent docs on setting it up... but if you take your drawing from the L4TM question you posted, you want to set up a policy for the "security vlan" so that all IP traffic on the web ports you want to monitor (80, 443, plus others you might want) gets sent to the IP of the WSAProxy.
    Here's a bit I lifted from a post on HP's site:
    http://bizsupport2.austin.hp.com/bc/docs/support/SupportManual/c03015541/c03015541.pdf
    You'll want to have a look through Chapter 8 for the configuration. You've got to basically configure a traffic class, configure policies for it, and then apply it (in this case) to each of the VLANs you want it for.
    What kind of firewall are you using?  If it's a Cisco ASA, it would actually be simpler to do WCCP to the WSA...

  • Multi-layer/layer3 switch VS. Router

    Multi-Layer Switch or Layer3 switch vs. router; How they are different?

    In a router, route calculation and packet processing take place in software at layer 3. This means that packets need to be moved from the layer 2 hardware interface to layer 3, and so it takes some time. In a layer 3 switch, routing calculations take place at layer 3 in hardware or software, while the actual packet processing takes place at layer 2. The speed gain is accomplished by reducing the number of features supported and moving as much logic as possible into hardware.

  • Multiple VLANs through to layer 2 switch

    So long as each switch supports VLANing (which most manageable switches do), then yes. Some model numbers on the switches would help here though to be sure.
    Also, keep in mind that assigning VLANs is a layer 2 function, not layer 3. So long as you tag the VLANs you need to pass between the switches on the feed ports between them, you should be able to have them running without issue.
    Could you provide a little more detail as to what you're trying to accomplish so that we can better advise you how to proceed?

    Hello,
    Is it possible to send multiple vlans across a layer 3 dell powerconnect to a Meraki layer 2 switch and configure the ports to access the different vlans? 
    Is it also possible to send multiple vlans across a layer 3 dell powerconnect to a layer 2 dell powerconnect switch and configure the ports to access the different vlans? 
    I've been playing around with this and I can't seem to get it done.
    Thanks for any help in advance.
    This topic first appeared in the Spiceworks Community

  • Broadcast storms applicable on layer 3 switches?

    Dear all,
    My colleague and I were wondering about the following on a Cisco 3750 x layer 3 switch.
    Let's assume we configure the 3750 without VLANs, so we create several networks on the 3750. For example, fa 0/1 has network 10.10.10.0/24 with 10.10.10.1 as the default gateway. Fa 0/2 has network 10.10.11.0/24 with 10.10.11.1 as the default gateway.
    The question is: if a broadcast storm rages on network 10.10.10.0/24, would only 10.10.10.0/24 be affected by the broadcast storm, or will network 10.10.11.0/24 also be affected due to the broadcast?
    If we assume the same settings but utilize VLANs, then a network is definitely not affected by a broadcast storm happening on another network, right?
    Thanks in advance for your help.
    kind regards

    Hi,
    When you configure an L3 port on your 3750
    int f0/1
    no switchport
    ip add 10.10.10.1 255.255.255.0
    no shut
    int f0/2
    no switchport
    ip add 10.10.11.1 255.255.255.0
    no shut
    The key is NO SWITCHPORT
    This takes the port out of L2 configuration therefore
    it does not belong to any VLAN and does not operate like an L2 port
    with regards to broadcast etc.
    Have a look at this link from a 3750 config guide
    http://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750/software/release/12-2_55_se/configuration/guide/scg3750/swint.html#wpmkr2208885
    Hope this helps
    Regards
    Alex

  • Connect Nexus 5548UP-L3 to Catalyst 3750G-24T-E Layer 3 Switch

    Please help!
    Could anyone out there please assist me with basic configuration between Nexus Switch and Catalyst Switch, so that devices connected on the catalyst switch can talk to devices connected on nexus switch and vice-versa? In my current setup all servers on VLAN 40 are connected on the Catalyst Switch A as shown in the diagram below, and all desktops and all other peripherals are connected on the Catalyst Switch B.  I am required to implement/add a new Nexus Switch 5548 that in the future will replace the Switch A. From now I just need to connect both switches together and start moving the server from Switch A to the Nexus Switch.
    The current network setup is shown as per diagram below:
    SWITCH A – this is a layer 3 switch. All servers are connected to this switch on the VLAN 40.
    SWITCH B – all desktops, VoIP telephones, and printers are connected on this switch. This switch is also a layer 3 switch.
    I have connected together the Nexus 5548UP and SWITCH A (3750G) using the GLC-T= 1000BASE-T SFP transceiver module for Category 5 copper wire. The new network is shown as per diagram below:
    Below is the configuration I have created in both Switches:
    SWITCH A - 3750G
    interface Vlan40
      description ** Server VLAN **
      ip address 10.144.40.2 255.255.255.128
      ip helper-address 10.144.40.39
      ip helper-address 10.144.40.40
    interface Vlan122
      description connection to N5K-C5548UP Switch mgmt0
      ip address 172.16.0.1 255.255.255.128
      no ip redirects
    interface Port-channel1
      description UpLink to N5K-C5548UP Switch e1/1-2
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 1,30,40,100,101,122
      switchport mode trunk
    interface GigabitEthernet1/0/3
      description **Connected to server A**
      switchport access vlan 40
      no mdix auto
      spanning-tree portfast
    interface GigabitEthernet1/0/20
      description connection to N5K-C5548UP Switch mgmt0
      switchport access vlan 122
      switchport mode access
      spanning-tree portfast
    interface GigabitEthernet1/0/23
      description UpLink to N5K-C5548UP Switch e1/1
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 1,30,40,100,101,122
      switchport mode trunk
      channel-group 1 mode active
    interface GigabitEthernet1/0/24
      description UpLink to N5K-C5548UP Switch e1/2
      switchport trunk encapsulation dot1q
      switchport trunk allowed vlan 1,30,40,100,101,122
      switchport mode trunk
      channel-group 1 mode active
    N5K-C5548UP Switch
    feature interface-vlan
    feature lacp
    feature dhcp
    feature lldp
    vrf context management
      ip route 0.0.0.0/0 172.16.0.1
    vlan 1
    vlan 100
    service dhcp
    ip dhcp relay
    interface Vlan1
      no shutdown
    interface Vlan40
      description ** Server VLAN **
      no shutdown
      ip address 10.144.40.3/25
      ip dhcp relay address 10.144.40.39
      ip dhcp relay address 10.144.40.40
    interface port-channel1
      description ** Trunk Link to Switch A g1/0/23-24 **
      switchport mode trunk
      switchport trunk allowed vlan 1,30,40,100-101,122
      speed 1000
    interface Ethernet1/1
      description ** Trunk Link to Switch A g1/0/23**
      switchport mode trunk
      switchport trunk allowed vlan 1,30,40,100-101,12
      speed 1000
      channel-group 1 mode active
    interface Ethernet1/2
      description ** Trunk Link to Switch A g1/0/24**
      switchport mode trunk
      switchport trunk allowed vlan 1,30,40,100-101,122
      speed 1000
      channel-group 1 mode active
    interface Ethernet1/3
      description **Connected to server B**
      switchport access vlan 40
      speed 1000
    interface mgmt0
      description connection to Switch A g2/0/20
      no ip redirects
      ip address 172.16.0.2/25
    I get a successful response from Server A when I ping the N5K-C5548UP Switch (VLAN 40 interface, 10.144.40.3). But if I try to ping from Server A to Server B or vice versa, the ping fails. From the N5K-C5548UP I can successfully ping either Server A or Server B. What am I doing wrong here? Is there any additional configuration that I need to add on the Nexus Switch? Please help. Thank you.

    no, no secret aukhadiev
    I made a mistake without realising, and the interface e1/3 was showing "Interface Ethernet1/3 is down (Inactive)". After spending some time trying to figure out what was wrong with that interface or switch, it turned out that I forgot to add VLAN 40. Now the config looks like this:
    N5K-C5548UP Switch
    feature interface-vlan
    feature lacp
    feature dhcp
    feature lldp
    vrf context management
      ip route 0.0.0.0/0 172.16.0.1
    vlan 1
    vlan 40
    vlan 100
    service dhcp
    ip dhcp relay
    interface Vlan1
      no shutdown
    interface Vlan40
      description ** Server VLAN **
      no shutdown
      ip address 10.144.40.3/25
      ip dhcp relay address 10.144.40.39
      ip dhcp relay address 10.144.40.40
    interface port-channel1
      description ** Trunk Link to Switch A g1/0/23-24 **
      switchport mode trunk
      switchport trunk allowed vlan 1,30,40,100-101,122
      speed 1000
    interface Ethernet1/1
      description ** Trunk Link to Switch A g1/0/23**
      switchport mode trunk
      switchport trunk allowed vlan 1,30,40,100-101,12
      speed 1000
      channel-group 1 mode active
    interface Ethernet1/2
      description ** Trunk Link to Switch A g1/0/24**
      switchport mode trunk
      switchport trunk allowed vlan 1,30,40,100-101,122
      speed 1000
      channel-group 1 mode active
    interface Ethernet1/3
      description **Connected to server B**
      switchport access vlan 40
      speed 1000
    interface mgmt0
      description connection to Switch A g2/0/20
      no ip redirects
      ip address 172.16.0.2/25
    Thank you,
    JN
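The root cause reported in this thread (an access port placed in a VLAN that was never created, leaving Ethernet1/3 "down (Inactive)") can be caught before deployment with a small offline check; the sketch below is an added example, not code from either poster. It also compares each channel member's allowed-VLAN list with its port-channel's, which in the posted configuration differ on Ethernet1/1 (12 versus 122). The function names are hypothetical, and the sample is a constructed, re-indented excerpt of the posted Nexus configuration.

```python
import re

# Constructed sample: a trimmed copy of the Nexus configuration from the
# question above (before "vlan 40" was added), re-indented for parsing.
SAMPLE_NXOS = """\
vlan 1
vlan 100
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 1,30,40,100-101,122
interface Ethernet1/1
  switchport mode trunk
  switchport trunk allowed vlan 1,30,40,100-101,12
  channel-group 1 mode active
interface Ethernet1/2
  switchport mode trunk
  switchport trunk allowed vlan 1,30,40,100-101,122
  channel-group 1 mode active
interface Ethernet1/3
  switchport access vlan 40
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '1,30,100-101' into {1, 30, 100, 101}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse(config):
    """Return (VLANs created at top level, {interface name: stanza lines})."""
    defined, interfaces, current = set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if raw[0].isspace():            # indented: belongs to the open stanza
            if current is not None:
                current.append(line)
            continue
        current = None                  # any top-level command closes the stanza
        if m := re.match(r"vlan ([\d,-]+)$", line):
            defined |= expand_vlans(m.group(1))
        elif m := re.match(r"interface (\S+)$", line):
            current = interfaces.setdefault(m.group(1).lower(), [])
    return defined, interfaces


def audit(config):
    """List access VLANs that were never created and channel members whose
    allowed-VLAN list differs from their port-channel's."""
    defined, interfaces = parse(config)
    findings, allowed, member_of = [], {}, {}
    for name, lines in interfaces.items():
        for line in lines:
            if m := re.match(r"switchport access vlan (\d+)$", line):
                if int(m.group(1)) not in defined:
                    findings.append(f"{name}: access VLAN {m.group(1)} is not created")
            elif m := re.match(r"switchport trunk allowed vlan ([\d,-]+)$", line):
                allowed[name] = expand_vlans(m.group(1))
            elif m := re.match(r"channel-group (\d+)\b", line):
                member_of[name] = f"port-channel{m.group(1)}"
    for name, po in member_of.items():
        if po in allowed and allowed.get(name) != allowed[po]:
            diff = sorted(allowed.get(name, set()) ^ allowed[po])
            findings.append(f"{name}: allowed VLANs differ from {po}: {diff}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_NXOS):
        print(finding)
```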

  • Performance of layer 3 switches when they are acting like a router

    Hi everybody
    I want to know what the performance differences of layer 3 switches are when they are acting just like a router with lots of route entries in their routing table, compared to when they are acting in layer 2.
    The layer 3 switch in our case is “WS-C3750X-24T-S”
    I guess there is a difference between these two situations:
    when the switch is acting in layer 3 and just routes packet between different VLAN (in routing table we just have entries for connected interfaces and nothing else)
    when the switch is acting in layer 3 and also has to do routing based on static routes or routes learned via a routing table
    I think in situation 1 the switch performance is just like when it is acting in layer 2 but I don’t know about situation 2. Does anyone know about this?
    Thanks a lot

    Hello.
    Actually there is no difference unless you reach a capacity limit of routing table and other TCAM entries.
    Also you need to note that some IOSs do not support full (but stub only) EIGRP functionality.
    PS: see details regarding routing capacity.

  • NEEDED : ISE 1.1.3 Posture configuration and Switch Config (ACL, dACL)

    hello,
    Could anyone please post a screen capture of the ISE posture configuration (and remediation)?
    I urgently need a dACL and a redirection ACL that work at least in a mockup lab.
    Authentication and authorization policies not needed.
    Posture and remediation policies not needed.
    The issue is about ACLs (I guess).
    Also needed is a valid switch config file, with ACL (if necessary) at the DOT1x Ethernet port.
    My IOS is 122.55 SE or 52 SE
    Thank you in advance.
    Best regards.
    V.

    Hi Venkatesh,
    You're the ultimate ISE Guru !!
    You're right
    Thanks a lot.
    See screen captures and Sw config below
    aaa new-model
    aaa group server radius ISE
    server 192.168.6.10 auth-port 1812 acct-port 1813
    server 192.168.6.10 auth-port 1645 acct-port 1646
    aaa authentication login default local
    aaa authentication dot1x default group ISE
    aaa authorization network default group ISE
    aaa authorization network auth-list group ISE
    aaa authorization auth-proxy default group radius
    aaa accounting dot1x default start-stop group ISE
    aaa server radius dynamic-author
    client 192.168.6.10 server-key 123456789
    ip dhcp snooping
    ip device tracking
    dot1x system-auth-control
    dot1x critical eapol
    interface FastEthernet1/0/1
    switchport mode access
    ip access-group ACL-ALLOW in
    authentication port-control auto
    authentication periodic
    dot1x pae authenticator
    dot1x timeout tx-period 10
    spanning-tree portfast
    spanning-tree bpduguard enable
    ip http server
    ip http secure-server
    ip access-list extended ACL-ALLOW
    permit ip any any
    ip access-list extended ACL-POSTURE-REDIRECT
    deny   udp any any eq domain
    deny   udp any host 192.168.6.10 eq 8905
    deny   udp any host 192.168.6.10 eq 8906
    deny   tcp any host 192.168.6.10 eq 8443
    deny   tcp any host 192.168.6.10 eq 8905
    deny   tcp any host 192.168.6.10 eq www
    permit ip any any
    snmp-server community snmp RO
    snmp-server community RO RO
    snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
    snmp-server enable traps mac-notification change move threshold
    snmp-server host 192.168.6.10 public
    snmp-server host 192.168.6.10 version 2c snmp  mac-notification
    radius-server attribute 6 on-for-login-auth
    radius-server attribute 6 support-multiple
    radius-server attribute 8 include-in-access-req
    radius-server attribute 25 access-request include
    radius-server dead-criteria time 5 tries 3
    radius-server host 192.168.6.10 auth-port 1645 acct-port 1646 key 123456789
    radius-server vsa send accounting
    radius-server vsa send authentication
    V.

  • How do you take information from one layer and switch it to another?

    I am trying to figure out how to take pictures and text that I have already placed on one layer and switch them to another layer. I have like 50 pages' worth of information and I am trying to look for the easiest way to do this. In Illustrator and Photoshop, it's pretty easy. Wanting to know if it is the same because I have been trying but it is not there. Just in case it matters, I'm using CS5 on a PC. Help is greatly appreciated.

    Hi Martin,
    Please follow the below steps.
    Step 1
    Create the separate layer. Select the content you want to move.
    Step 2
    Go to check layer panel, near the pen symbol icon, the below box drag to move up to the image layer, see sample
    Step 3
    This option use spread wise content, it will complete the task with fast. If more faster, please raise as question to Scripting Forum, they can suggest the tool.

  • Dynamic VLAN assignment and Layer 3 switching on 300 series

    I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
    So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right?
    I'm new to VLAN configuration and layer 3 switching so I wanted to check my understanding. Doesn't this limitation significantly reduce the usefulness of the DVA feature?
    I may well be confused and missing something regarding how this is typically used..

    Hello Glenn,
    Your concept about packet forwarding is correct. With a layer 2 switch, there must be something directing traffic with multiple subnets for intervlan communication or something that provides an IP route to give the request a path back for the request.
    The usefulness for the DVA feature, is not particularly limited to the switch as the switch will correctly assign the VLAN for you, as VS the L3 switch mode, you're dealing with IP addresses. In any scenario, you're going to require a router to get to the internet since the switch does not support NAT.
    Additionally, if your router does not support VLAN, the L3 switch feature would still be the solution since you should be able to make a static route pointing back to the switch to allow any subnet to traverse the single media. It would still beg the question, how to assign VLAN dynamically.
    The answer, although (in my opinion is terrible) would be GVRP.  But, this application would require ALL of your network cards to be GVRP Enable / Capable which most likely is not the scenario for you (or most anyone else for that matter).

  • What is an example of an external switch in the accessibility- switch control feature on an iPhone 5s

    what is an example of an external switch in the accessibility- switch control feature on an iPhone 5s

    Perhaps this will help:
    http://bdmtech.blogspot.com/2013/09/new-in-ios-7-detailed-look-at-switch.html

  • Layer 2 switch

    required a layer 2 switch with following requirement below
    24 or 48 ports
    ppoE supported
    Redundant power supply
    Stackable.
    Please suggest a switch model with all the above features

    However if you mean poe-
    The 3750-X meets your requirements.
    http://www.cisco.com/en/US/prod/collateral/switches/ps5718/ps6406/data_sheet_c78-584733.html

  • Layer 3 switches vpn

    I have a question: is it possible to use layer 3 switches to set up VPN tunnels?

    Actually, it is only possible on Catalyst 6500 Switches with a special line card for VPN hardware-encryption.
    DL.
