Cisco WAN :: 5510 Simple Network Architecture For Redundant Switches And Firewalls?
Oct 17, 2012
We'll be building a small remote site that will use two Windows 2008 servers. We would like redundancy in firewalls, IPSs and switches. Is it better to buy stand-alone ASA 5510s (with embedded IPSs) and 2960s, or is it a better option to buy a Cat 6000 with FW modules? We'll have several internet IP addresses available.
We have two ASA 5510s connected in failover, and a pair of Cisco 2960s switches connected in a stack. Currently one interface of the primary ASA is terminated on switch1 and an interface from the standby is connected to switch2 as Inside, and switch1 and switch2 are in a stack. For redundancy purposes I want to use multiple interfaces of the ASA for inside, so first I thought to use EtherChannel, but it has a limitation that it cannot be terminated on a stacked switch (as per the Cisco document [URL]).
So my question is :
1. Can we use the redundant interface feature, where 2 physical interfaces are combined into a redundant interface (e.g. interface redundant 1), for inside redundancy purposes?
2. Can these ports from the primary/standby ASA be terminated on stacked switches (2960s)? Will this work (if the switch with the active port goes down, will the other port take over in the redundant interface with the other switch)?
I have a customer with active/standby on a pair of 5510s with the CSC modules. They were inquiring about the AIP/ASA, and since this would NOT work in their current setup, would getting a pair of 5510/AIP configured for transparent failover work placed in front of the existing units? Would I need to have a switch placed between the AIP and CSC ASAs? Or would I set up the ASAs for context-based Active/Active failover to interconnect the ASAs to the existing units? But I still see a need for a switch.
I would like to create 3 x VLANs on an SG 300-28P and have them completely isolated from each other, for example ports 1 - 12 on VLAN 1, ports 13 - 24 on VLAN 2 and ports 25 - 28 on VLAN 3. No communication between any of the VLANs.
interface Redundant1
 description *** INSIDES NETWORK ***
 member-interface Ethernet0/1 (This is a 1000Mbps Port)
 member-interface Ethernet0/2 (This one is 100Mbps)
 no nameif
 no security-level
 no ip address
[code]....
Then... I issue the following command and it's OK!
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
[code]...
It transfers correctly. Then I "no shut" and bring the primary core switch Gi0/30 interface back to normal again, BUT the redundant interface does not revert back. I issued this command again and BW remains 100Mbps.
ASA5510# show interface redundant 1 detail
Interface Redundant1 "", is up, line protocol is up
  Hardware is i82546GB rev03, BW 100 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
[code]....
I manually shut down and no shut the secondary core switch interface Gi0/30. It changed correctly to 1000Mbps.
I have 2 SG300 switches and all I want is to propagate VLAN info from one to the other. I do not have computers with GVRP-compliant NICs, so I don't want that auto-registration functionality on access ports. I want VLAN propagation via trunks and switchport mode access on access ports, just like VTP. I have read in Cisco docs that this functionality is provided with GVRP mode Fixed, but the only 2 modes that I can see on the SG300 are Normal and Forbidden. The trunk is configured correctly, GVRP is enabled globally and on the port, ports are up and functional, and I tried different combinations of checking and unchecking the boxes for dynamic VLAN creation and enable registration on both ends, but no joy. When I create a VLAN on one, it doesn't propagate to the other.
For a simple EtherChannel to work between 2 switches I have configured ports 1 and 2 on both Cisco 2960 switches with the channel-group option like this:
interface FastEthernet0/1
 channel-group 1 mode on
!
interface FastEthernet0/2
 channel-group 1 mode on
I thought the port-channel 1 would get automatically created but it didn't, should it? And under the port-channel interface should I set this as a trunk or do I do this on the 2 fa interfaces on each switch?
Redundant Power Supply
PIM sparse mode (PIM-SM), PIM dense mode (PIM-DM), and PIM sparse-dense mode
Layer 4 prioritization: enables prioritization based on TCP/UDP port numbers
Uni-Directional Link Detection (UDLD) — monitors a link between two switches and blocks the ports on both ends of the link if the link goes down at any point between the two devices
Let me know the exact meaning of "attach" (the yellow-marked one)? The contractor was saying "it doesn't mean two switches as there is a built in redundancy in Cisco switch". I don't think he is correct, as I never heard about built-in redundancy in a Cisco router/switch. Any comment, as this will affect the numbers from 55 (3750 v2) to 110....
I have two SG300-10 switches that need to be interconnected together with a simple redundant "cable fail safe" configuration. My idea is to use the two uplink copper ports of the first switch, connected to the two uplink copper ports of the second switch.
How do I create a working setup configuration? The first setup that I need is with only one VLAN1 for all ports.
The second setup is with VLAN1 assigned to ports 1-2-3-4 of both switches (linked together by the uplink ports) and VLAN2 assigned to ports 5-6-7-8, also linked together with the same uplink ports.
Is it possible to use the two uplink ports at the same time, as cable fail safe? Or use uplink port 1 for the first group and the second uplink port for the second group?
I need to use this configuration for audio CobraNet transport, and I need to test the correct configuration for the primary and secondary audio stream: whether they can work together on the same VLAN or I need to separate the two streams from start to end.
I was under the impression that those global addresses that we used with NAT were from the outside IP address range? Let's say my outside IP address is, idk, 192.112.40.11 /30 and I only had two usable IPs (since you can't use the network and broadcast IPs), so how would I set up NAT for a couple of inside addresses with a shortage of addresses like this? Idk if what I'm trying to say makes sense.
I am trying to upgrade all my firewalls to Security Plus but I am not sure which firewalls need the upgrade. Is there an SNMP pull I can do to see what license is on my firewall? Example: "This platform has an ASA 5510 Security Plus license." via SNMP.
We have a configuration where we go through a firewall (ASA 5510) to a router, which decides if it is internet traffic or another network used for colleges etc. in Canada called SR Net. If it is internet traffic it then goes through another ASA 5510 to the internet.
When we tested we were not seeing the speed of our internet (about 1/10th). We tested by putting the laptop before the internet firewall and we get the throughput. We also put the test laptop before the router and we got the throughput expected. But when the test laptop is before the internal (first) firewall we get about 1/10th the speed. We are NATing on both firewalls, so from the inside we are going from a private IP to a public IP (so it can go to SR Net if need be), then NATing again to the internet IP on the second firewall.
There are two Cisco 4900M L3 switches and two Cisco 2960 L2 switches. I need to configure the two L3 switches to operate as a redundant pair, as the servers connecting to them are connecting using bonded interfaces, which can only have one default gateway. So these two L3 switches need to have the same VLAN interface 1, 2 and 3 IPs set on them. How are the two L3 switches made aware of each other? Via a normal trunk? Is there some special configuration for configuring a mated/redundant pair of switches? Or are they both just configured as though they were the same switch, but linked?
Does a portable RPS device, either from Cisco or another manufacturer, exist that would allow you to move primary power for a switch without causing an outage? I realize that for the Catalyst 3560, for example, you can get an RPS 2300 or 675, but my understanding is that these are made for a more permanent installation, not to mention rather costly.
It looks like the RPS 675 is rather inexpensive after all, especially in the secondary market, but still rather large for toting around.
We are currently in the process of planning our move to fiber. We have a corporate location and 15 remote offices. I would like to create VPN tunnels from each remote office back to the corporate location.
Our remote offices mostly use 2811s. The core at our corporate location is a 3750. I am wondering if the logical step is to just create IPSEC VPN tunnels from the 2811s to the 3750? Will this be too taxing on the 3750 to have 15 separate VPN tunnels? I have a Cisco background, but I am fairly new to handling massive architecture changes and adjustments.
I have a 5510 ASA and have been given another and told to make them active and standby. Basically the active one is working great but the second one has no config on it apart from the default one, but is on the same firmware level. I guess I need a crossover cable, and what happens with the inside and outside interfaces? Would they need to go into a VLAN on a switch, one inside VLAN where the 2 firewalls' inside interfaces go and another VLAN for the outside? Otherwise if it fails over to the standby ASA the inside and outside interfaces wouldn't work.
I would like to know if there is a way to monitor which programs/processes are using my network, say if there's something in the background updating that I can close to reduce lag in games. My computer is free of viruses and most of the auto updates are turned off because I update them manually, so I just would like a simple straightforward answer: what program or process is using my network?
one of the most widely deployed switches in the world. The "Swiss Army knife of network", can do routing, switching, security, wireless and almost everything that you would want your core switch to do. Remember to use the rating system to let Akshay know if you have received an adequate response.
Akshay might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the Network Infrastructure sub-community LAN, Switching and Routing discussion forum shortly after the event. This event lasts through July 27, 2012. Visit this forum often to view responses to your questions and the questions of other community members.
Site A has an ASA 5510 and a single internet connection. Site B has two internet connections (primary and backup). If Site B also has an ASA, I can configure Site A's ASA to deal with a failover at Site B (set peer 1.1.1.1 2.2.2.2). Does this work if Site B has an IOS router instead of an ASA? In other words, will "set peer 1.1.1.1 2.2.2.2" on the ASA work when it's talking to IOS on the other end?
I would like to set up a simple VPN on a small network, nothing special, just to provide access to some simple resources on the network from anywhere. Since I'm not a Cisco expert, I was advised to use an 861 router, but I just can't seem to get the VPN working on this device.
I've placed the router behind a modem and did some basic configuration. Hosts who are connected to the modem (on the VLAN side) can access the internet and can set up a VPN connection to the router. A VPN connection from inside the network is worthless, but I just can't get the VPN working on the FastEthernet4 connection.
Any VPN config for an 861 router for this situation? Or how do I configure this device as a VPN server?
I know the general difference between a router and a switch, but after considerable reading I'm unable to determine if I could just use a switch for my pretty simple specific application.
Here are the two devices I need to set up on my network (connections would be wired, both devices in close proximity): (1) computer running Windows 2k with a 100mbps ethernet card (has a software firewall installed); (1) Blu-ray player for streaming Netflix videos.
Because I don't have any computers on the network communicating with each other, based on what I've read it seems possible to just connect a switch to my cable modem instead of using a router.
                  internet
                     |
                     |
                  Gateway2
                     |
                     |
RX========== <sw 2960g>==========(Gi0/1)(Gi0/2)Gateway 1 ============>internet
                     |
                     |
                Cache server
Now when the traffic goes out from RX, it may go to the Gateway1 router or the Gateway2 router.
Note that router Gateway 1 has its traffic cached by the cache server, but the Gateway 2 router has not been configured to cache its traffic. Note that the Gateway 1 router has two interfaces connected to the switch but Gateway 2 has only 1 interface connected to the switch.
In the end, if I want router Gateway 2 to have its traffic cached by the cache server, can I use the same config that currently exists on Gateway 1, or is there different behaviour???? Is there a new modification needed on the cache server?? I'm using Squid cache based Linux.
I will include brief info about only the cache config in the gateway1 router:
======================================
ip access-list extended CACHE5
 deny tcp any host x.x.x.x eq www
 deny tcp any host x.x.x.x
 permit tcp x.x.x.x x.x.x.x any eq www
==================================
[Code] ........
I am having some challenges on my DMZ network. My servers and Cisco switches in the DMZ are picking up the MAC address of the firewall (Cisco ASA). I have put some static ARP entries on the firewall and switches but the servers and users on the DMZ are still receiving the MAC address of the firewall. How can I stop the firewall from changing the MAC addresses of the devices on the network? My ASA is a 5520 and I have 2960 switches.
I have a query on how the 6500s running in VSS mode would route the traffic over an OSPF environment where it has learnt about two equal cost paths, but one via the 2nd chassis. Proposed setup - 2 6509s running in VSS. Switch-1 in VSS has a layer 3 connection (via a LES circuit) to one of a pair of Nexus 7Ks at another office. Switch-2 in the VSS has another layer 3 connection (via LES by another provider) to the other N7K at the other office. The L3 connections would use /30 ranges and allow each Nexus to form an OSPF neighbour relationship with the VSS. We want to keep both offices' environments separate, so although we do have L2 circuits we're using these to provide L3 connectivity between sites & exchange routing info via them using OSPF.
Each Nexus will advertise all the directly connected networks it knows about to the 6509s running in VSS. Thus I couldn't figure out if, for example, we have users/servers behind our VSS 6509s, these would need to go via their default gateway to get to a network located off the LAN; the default gw IP in a VSS setup exists on the control plane on switch-1 (in normal operation). Then to get to a network that is located off the Nexuses at the other site it would have 2 equal cost paths to it, however one of these paths would be via the VSL link and off the switch-2 chassis. I wasn't therefore sure if we'd actually ever see any transmit traffic via the 2nd L3 connection, because I have a funny feeling that I've read the VSS always chooses the local chassis egress rather than going via the VSL to use another port...
All of the above is theoretical at the moment, as currently both circuits are connected to a single Nexus/6509 chassis; however for improved resilience I want to move one of the circuits to be physically attached to the other Nexus & 6509 chassis at each site, but I wasn't then sure how the traffic flows would be affected.
I have a home network using a 2600 and PIX515E, and unfortunately I don't know how to set up ACLs. I read a few Cisco documents but unfortunately I am unable to grasp the concept of how to define them. Would anyone be able to give me a crash course on setting up ACLs?
I will be building my own computer here in the next month and am looking to become quite informed about building my own wireless network. Trouble is, I'm a bit out of touch with what I need and what is good. I'm also officially tired of renting a modem from Comcast (bastards keep bumping my monthly rate up). So what pieces of equipment do I need to build a simple quality wireless network for my home? I would like the network to support two laptops, one desktop, and an Xbox plugged into a LAN line. Also, I'm thinking of using a Rosewill Wireless Adapter 3 antenna [URL].
We are a non-profit organization that is heavily reliant on interns that use their own laptops a lot here. My concern is they come in and connect to our wireless network with no supervision or anything else. I am worried they will introduce a virus, trojan, or something to our network. What's the best way to keep them from introducing unwanted malware from a thumb drive, a virus in email, or something to that effect, shy of standing over them while they install and run antivirus software?
I am trying to figure out how to give computers that connect to my LAN limited access. I have heard that some viruses, though rare, may travel through the network and infect all computers on the network. I want to prevent this. Is there any way to give computers connected to my network strict access to only the internet to prevent viruses or any other harmful attacks?
I was wondering how it would be possible for a person to gain access to my computer through my router? Or is that even possible? Just a quick rundown: the past few weeks, 2 of my email accounts have been compromised, one was an email I had for years, the other was a new random email that I rarely use. In the same week, both these accounts were "hacked": the passwords were changed and I can't get access to them. Same goes for my fb account, also compromised. These emails aren't linked to the fb acct either. I know you might think yeah, I might have clicked on one of these phishing links, but I assure you I haven't; I have never entered any of my information on random sites or anything like that. Actually I only really frequent 5 or 6 sites on this certain laptop and I have never downloaded anything on it but songs from iTunes.
I've scanned my computer numerous times, and even went as far as to factory reset it, so I don't know how high the possibility of me having a key logger is. So I guess I'm asking, how would a person be able to have gained access to my computer w/o having it in their physical possession? Can I be getting hacked through my wifi connection? What information of mine would someone have to have in order to access my computer and monitor my web activity?