Cisco Firewall :: Connecting Single ASA-5520 To Two Layer 3 Switches?
Sep 30, 2011
Connecting ASA 5520 to two Catalyst 3560G layer 3 switches. What's the best practice to connect the asa-5520 at the edge, to the core of my network? What I'm looking to do is connect two routed gigabit ports (gi0/2 and gi03) to two seperate layer 3 routed ports on catalyst 3560G. I'm wondering how to do it, or if there's any type of failover method? I'm running EIGRP in the network and the link to the first core switch has a /30 point to point connection. Everything works fine, I'm just not sure how to connect the second switch to the firewall. Should I use the a different /30 for the point to point connection to csw02 gi0/48? (See attachment) How would this affect traffic flowing through this interface? Would I have to duplicate rules I have on my inside (gi0/2) interface? Is there a way to make the inside2 interface standby some how? I want to know the best way to set this up, so in the event csw01 goes down I don't loose internet. Will EIGRP work it's magic and only use 1 path to the ASA? Should I even be using routed interfaces on the ASA and just use trunked mode?Running ASA 8.4?
View 1 Replies
ADVERTISEMENT
Jan 4, 2012
Two different WAN links get connected to the firewall via two routers.(Different ip subnets).I need to get this two wan streams seperatly to the core switches.Core switches sits.Active/Stanby senario. If the Active core goes down Stndby Core will have take over the traffic. My design is correct ,if not what do i need to change. ASA is 5520.
View 8 Replies
View Related
May 28, 2012
Could I configure and connect 3 Dell switches to an ASA-5525 Firewall which has got 8 interfaces.
View 7 Replies
View Related
Oct 24, 2012
Need to know if ASA 5520 does Layer 7 firewall or not?
View 2 Replies
View Related
Oct 22, 2011
Prior we only had 62.5u multi mode.I've got 3750x switches and new SM SFP and yellow fiber patch cables. None of my links show connected. No lights and trunk port interfaces show down/down.
Is there a special command you have to do on a port when using SM fiber? Do you think I need cross over fibers?
Also, should I be able to see a laser signal light like MM or is SM a different frequency so it's not as visible as MM?
View 8 Replies
View Related
Jun 24, 2012
I have a Cisco ASA 5520 that I'd like to be able to connect directly to our gigabit fiber connection (we're currently connected through a media converter that's causing problems). I've found the following:Cisco ASA 5500 Series 4 Port Gigabit Ethernet Security Services Module [URL]. I only need a single fiber connection, as opposed to the 4 copper + 4 fiber.
View 1 Replies
View Related
Mar 18, 2012
I want to setup VLAN with the switches SG300 and SLM2024. What is the suggestion to connect these 2 switches. We have the Juniper net screen.
View 1 Replies
View Related
Jun 27, 2012
I got a different scenario from one of my client.My client have two different branch offices and have 50Mbps point to point connectivity between them. All users in both braches using same series of IP pool ( 192.168.224.0/24) in both branches.Both branches he had only Cisco 2960S series switches only. And in both branches he is using IP cameras. He will monitor the assets by accessing IP cameras through the browser.His requirement is, he wants to prioritize the Video traffic( monitoring through the browser) over the normal data traffic.Note: He had a single VLAN only.
View 8 Replies
View Related
Jan 26, 2013
I'm using the Cisco ASA 5520 on GNS3 .. Everything is working fine, except for one thing. The CCP .. I tried the CCP with a router and it worked, but it can't see the firewall.
I have already enabled the HTTP server using "HTTP server enable" and created account using "username admin privilege 15 password admin" also enabled SSH and Telnet on the ASA
"ssh 0 0 INSIDE"
"telnet 0 0 INSIDE"
When I use the CMD to telnet to the ASA, it works just fine .. Also, when I connected a router to the ASA I could SSH to it, as well as using the PuTTy . Is there a way to troubleshoot? Or even a document that illustrates how to configure the ASA for CCP? Better a document for configuring the ASA from scratch .
View 7 Replies
View Related
Sep 18, 2011
Since several weeks ago we are triyng to solve a disconnection problem related to servers benind an ASA 5520 behind this ASA there are:
-subnet with public ip addres
-sunbet with prive ip address, the server on this subnet are acccesible via NAT.the problem is worst when some ousite our network and behind a nat device (like a adsl modem/router) tries to connect to those servers wich are using natted ip behind the ASA.I tried from my home to connect to this ASA5520 using annyconnect and get reset tcp packets. Are there some aditional configuration to make the ASA work properly?. We have other firewalls like PIX or software firewall (ASG), they work with no problem. Only the ASA 5520 has this issue.
View 1 Replies
View Related
Apr 18, 2011
I have ASA 5520 running ver 8.3.(2)8 and configured for AnyConnect VPN. While testing for iPads and iPhones we noticed that on connecting it disconnects few times before finally connecting. These are the messages logged in the ASA.I don't see authenticatio as an issue. Results are better with wifi compared to 3G. [Code]
View 1 Replies
View Related
Oct 6, 2011
now we have 2 switches: SF300-24..on one SF300-24 we config it at layer 3 mode with VLAN configuration same as following [code] And we use port 26 on 2 switches SF300-24 is trunk mode then we connect both SF300-24 switches.But on SF300-24 layer 2 cann't inderstand VLAN from Sf300-24 layer 3..How to config VLAN on 2 switches SF300-24 Layer 3 and SF300-24 layer 2?
View 2 Replies
View Related
Jan 1, 2013
We have several of the SG300 Serices switches. We use them to route VLAN traffic to Remote Offices, Internet Connections, and WiFi Access Points.In one remote office we have a SG300-10 setup to route the HQ Network and the remote Office Subnet. The SG300 is Connected to HQ via Fiber and has multiple Tagged VLANs on it. If I do speed tests over the Fiber Link on the Incoming Tagged Netwotk I get Decent performance, 80Mbs. If I switch to a networtk that is not priginating from HQ, and have the SG300-10 route packet, I get dismal performance. 15-20Mbs.
I Fireded up a New SG300-28P FW v1.2.7.76. Added a the HQ VLAN 101 and new VLAN 1025 . Mapped some Tagged and untagged ports for each. Switch was connected to HQ Network as untagged VLAN 101. I put a laptop on an Untagged VLAN 101 port. Ran some tests, cam back with 750-850Mbs. Great. Put the same laptop on a Tagged 101 Port, Configured the NIC for Tagged VLAN 101, Same test, same Speeds, 750-850Mbs.I then Configured laptop for Tagged VLAN 1025. Connected to tagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!
I then Configured laptop for Untagged VLAN 1025. Connected to unagged VLAN 1025 port. Ran speed tests, resuts were 15-20Mbs!It was only the Laptop and the Connection to the HQ net on the SG300-28P. Why is the performance of this unit soooooo poor when it needs to route?Other Switches have FW v1.0.0.27 or FW v1.1.2.0. They have Similar speed issues. All Configured for Layer 3.
View 10 Replies
View Related
Dec 2, 2012
We have a project in which we are using 34 Cisco SG200-18's each with a MGBLX1 (LC Single Mode Fiber) SFP mini-GBIC.All the fiber's come back to one building where we must "bridge" all 34 fiber connections. What hardware should be used to accomplish this? A L2 switch? For example, a 12 port SFP Switch with Fiber SFP's accepting the first 12 fiber connections, then other switch with SFP for the next 12 and so on, until there is a overall capacity of 36 and having patch cables between the 3 switches?
what cisco or non cisco hardware would work with these SF200-18's to accomplish this?
View 9 Replies
View Related
Mar 10, 2011
Here is a second paragraph from official BCMSN book page 93:
View 6 Replies
View Related
Jul 2, 2012
I have :
- two different subnets (S1, S2)
- these subnets are connected to an IP backbone via wirelles acces points
I would like to physically connect these subnets together so the networks devices in S1 could directly communicate with the devices in S2 and vice versa without going through the backbone.
The obvious solution seems to interconnect these subnets with a router or a switch L3. But I would like to connect these subnets and stay at layer 2.
So, is it possible to connect S1 and S2 with a switch L2 ? If I do that, what is going to happen? Can I create just one subnet S3 from this two subnets when I connect them together and have my two separate subnets back as soon as I disconnect them?
View 1 Replies
View Related
Sep 15, 2011
ASA design. I have two Cisco ASA 5585 which are connecting to two Nexus 7K. I looked at one design and it seems I can make Redundant interfaces on ASA and put two physical interfaces (Link1-1/1-2) into it however the down side I can see is it will utilize one link out of 4 at one time. As per my understanding if I make redundant interface on ASA 1 and put 1-1/1-2 into it only one link would be active at one time. This will force Nexus2 to send all traffic to Nexus 1 in order to reach ASA. Ideally I want a solution where both switches could send traffic straight to Active Firewall and incase of failure both links to standby firewall.
View 5 Replies
View Related
Jan 5, 2011
I'm thinking of connecting a branch office to the main office with just using multilayer switch. The sites will be connected using ethernet leased line, so I'm thinking of connecting it directly to the switch.
We're running eigrp on our network so the Multilayer switch will do the eigrp routing.Thinking of using C3750E-24TD-E (IP Services) as the multilayer switch. Can this work or do I still need a router to terminate the WAN?
View 2 Replies
View Related
Jul 12, 2012
I have a situation where I have ethernet traffic from two separate networks/ip subnets (Subnet A and Subnet B) on a single ethernet connection. I have the need to separate the traffic into two separate networks and two isolated broadcast domains. I thought this could easily be accomplished with a Cisco 300 Layer 3 switch, but I can't get it to work correctly. I have the switch set to IP routing mode. I have three VLANs configured. VLAN 1 sees the combined Layer 2 & 3 ethernet traffic for both subnet A and subnet B. VLAN 10 has an IP address assigned from subnet A and is the gateway for devices within that subnet. VLAN 20 has an IP address assigned from subnet B and is the gateway for devices within that subnet. IP proxy arp is on by default and should be active.Devices in VLAN 10 can ping devices in VLAN 20 and devices in VLAN 20 can ping devices in VLAN 10. This appears to be working only because the switch is the default gateway for those components.
No devices or servers in VLAN 1 can ping VLAN 10 or VLAN 20 components, and VLAN 10 and VLAN 20 components can not ping VLAN 1. I analyzed the ARP traffic on VLAN 1 and the switch is not responding with its own MAC address for requests for IPs for active devices connected to VLAN 10 or VLAN 20. The Cisco documentation says that the device should be responding and acting as a router.I can not physically connect everthing on VLAN 1 directly to the switch, I can not make the switch the default gaeway for all devices on VLAN 1, and I can not create static routes directly to the VLAN 1 switch IP address for all devices that are part of VLAN 1, so I am stuck. I need the switch to let VLAN 1 components automatically know what is connected to VLAN 10 and VLAN 20.
I am willing to scrap this approach entirely if there is an easier way to do this. Put simply, I have a few devices in Subnet A that need to be isolated from Layer 2 & 3 traffic destined for a few devices in Subnet B, but I can't reconfigure my entire network to create these isolated broadcast domains.
View 4 Replies
View Related
May 29, 2012
We have a potential new customer who is wanting to deploy a guest WLAN. I am happy doing this via a VLAN on the WAP4410N series AP’s. I would then create the relevant VLAN’s on the switch. Can each VLAN be assigned an IP address and allowing me to be able to add a static route on the router pointing the traffic for the Guest VLAN back to the switch?
View 1 Replies
View Related
Dec 27, 2011
Why layer 2 switches need its mac address, even it does not have any interface ? (does not have stp and etc)
View 8 Replies
View Related
Aug 4, 2012
connecting a Cisco 3945 Router to an Ethernet WAN Link. The service provider has provided a 100M Ethernet Single Mode Fiber handoff to the customer premises with SC Connector. The CPE configuration proposed for this setup is like this.
Cisco 3945
EHWIC-1GE-SFP-CU (EHWIC 1 port dual mode SFP(100M/1G) or GE(10M/100M/1G)
GLC-FE-100LX 100BASE-LX SFP for FE port.
Since the SFP has LC Connector, i suppose i need to have an SC-LC Cable for connecting the Ethernet link. Do i need anything else, apart from above?
View 2 Replies
View Related
Jul 23, 2012
I'm new and just entered in the world of studying my certification for Cisco, since I'm curious I see that there are switches that can perform task depending on the layer? I see some with specifics for Layer 2, some other for layer 3 and even some others with router capabilities!I know this is a rookie question but how do I know what the best switch for a network? or how can I identify them?
View 3 Replies
View Related
Dec 14, 2012
i've a problem with my SF300-24 routing. That's my network configuration:
Port 1 to 12 assigned to VLAN 10
Port 13 to 23 assigned to VLAN 20
Port 24 has an ip 10.17.7.254 to connect with my deafult route, beacuse I've also a Linksys RV042 router, connected in turn with my ISP router, having an ip 10.17.7.1.
View 6 Replies
View Related
Jun 13, 2011
If there is C6509E as core switches and C3750 Switches running layer 3 at the User dept uplink to the C6509E Switches, what will be the multicast command that should be implemented at both end? CGMP or IGMP or do not need to implement this snooping as well?
Users (IPTV) -> C3750 (Access Switch) -> C6509E (Core Switch) -> C6509E (Server Farm Switch) -> IPTV Servers
Do we need to configure multicast at C3750 Switches (Access Level) at the User dept? Let's say the IPTV Mulitcast is 239.1.1.1. How can we build up this multicast configuration based on this scenario?
View 5 Replies
View Related
May 12, 2013
I have a project I am working on that will require routing over a MetroE circuit to connect a few sites together back to HQ. Although, I know this can be accomplished several ways, I have come up with a solution that I think will work, but would like you all's input as to whether this is adequate and if my thoughts on how to properly "organize" the network are right.
I have been working with the SG300 line in Layer 3 mode and have not had any issues in a test setup I have here in the office. Basically my thought is to have a single VLAN/subnet allocated for each physical site. That will handle the basic interoffice connectivity etc. I also have a need to prioritize voice/video traffic throughout the entire network. My plan was to create an additional VLAN/subnet to house the teleconferencing equipment. Thats pretty much the jist of the setup. My only question is how to properly prioritize the voice/video VLAN.
View 3 Replies
View Related
Sep 25, 2012
I would like to ask if it is possibe to stack a 3Com 3cr17161-91 to a layer 3 Cisco Switch? The two will be stacked using the avaialble SFP modules.
View 4 Replies
View Related
Mar 16, 2012
My SF300-24 switch has been working 100% as a backup switch for a client of mine. At my clients premises it was running 3 Vlan's and doing inter VLAN routing. When my client received their original switch back, I obviously brought my SF300-24 back to the workshop, reset it back to Factory defaults and tried to do a fresh installation on it. I can not get it to change from Layer 2 to Layer 3! I installed the latest firmware but still no go.
Everything works a 100% via the console, but when I go to the System Mode menu and try and edit it, it justs sits at layer 2 and will not chage to layer 3!
View 4 Replies
View Related
Mar 22, 2011
I am migrating an a group of workstations that run a fire system from one software to another. The current workstations run the following info:123.123.123.xxx 255.255.255.0The new workstations run:100.100.100.xxx 255.255.255.0There is a central switch location using a GE-DSG-244 Layer 2+ Managed switch. There are two remote location using GE-DS-82 Managed Switches.The two networks must remain isolated, yet use the same fiber communications. The central switch connects to the two location using MM Fiber. From my research I believe I need to use the 802.1q standard to allow port trunking between the two switches.
View 7 Replies
View Related
Sep 5, 2012
I've been conducting research on configuring 3 distribution switches in my network which are Cisco Catalyst 4507's to communicate with our core over layer 3. Our core switch which is already configured at Layer 3 for intervlan routing is a Cisco Catalyst 6509.
I've got the configuration portion complete and all devices are able to communicate my only question is about QoS. Do I have to configure QoS at the layer 3 interfaces for voice, if so how is that completed. We have several vlans and separate the vlans for each building by voice and data. We only configure ports on the access switches with voice vlans for QoS and we use the auto qos option on these interfaces.
View 2 Replies
View Related
Jun 13, 2012
How to set the management interface on a SG300 Switch in Layer 3 mode? I've some vlans configured on the switch with interfaces in each of them:
Vlan 100 (10.0.1.254 /24)
Vlan 200 (10.0.2.254 /24)
Vlan 300 (10.0.3.254 /24)
...
Vlan 900 (10.0.9.254 /24)
Now, the management interface is listening on all interfaces (IPs). But I would like to configure the switch to only listen on 10.0.9.254. What I need to configure or whether it is possible?
View 3 Replies
View Related
Jul 11, 2012
I have a SG300-28P switch. I just read in the Administration Guide that, when in Layer 3 mode, the switch doesn't support MAC-based VLAN or Dynamic VLAN Assignment.
So, in order to assign a client to a VLAN based on their MAC or based on the response of a RADIUS server, we have to disable layer 3 features. Without layer 3 switching, the switch is unable to act as a default gateway and forward packets between VLANs. As a result, the VLANs can't communicate in any way, or access the internet, unless a separate router is connected to every VLAN. Right? Doesn't this limitation significantly reduce the usefulness of the DVA feature?
View 2 Replies
View Related
Sep 28, 2012
Question: how would STP or RSTP behave in a star topology with a hub in the middle?i.e. you have four switches all linked to the same central hub. Single links, no loops.Each switch would then get BPDUs from everybody.Going by theory, it should be OK since it still sees the root's BPDU and will see the link to the hub as the root port, despite presence of other BPDUs from other switches? No different from receiving an inferior BPDU from an upstream switch and a superior BPDU from a further upstream root switch.I guess I could lab it by turning off spanning tree on a switch to simulate a hub? I've never previously had to deal with STP issues where there are hubs that aren't strictly point to point bridging so to speak (ok they're not bridging but you get the drift).I've got a scenario I'm examining at the moment where this is the topology, except all switches have bpdufilter running hence effectively no spanning tree. I'm curious to know what would happen should I remove the bpdufilter.I realise there is zero benefit in spanning tree in this instance as I don't have any redundant loops to fall back on, but I'm reluctant to turn off STP on those vlans (since obviously theres stuff behind those switches). The BPDUfilter method seems like an elegant solution but I wonder if its actually necessary.(the hub is actually a VPLS mesh, most sites terminate PE to CE router but I'm playing around with switches as the termination points – run our own Q in Q, split vlans off before it gets to layer 3 as separation, etc.)
View 1 Replies
View Related
