Solved

Cisco ASA 5550 Port Load Balancing and Fault Tolerance

Posted on 2011-02-19
2,360 Views
Last Modified: 2012-05-11
Greetings all

I have a Cisco 5550 ASA which I am using between my infrastructure and another.

The 5550 has many interfaces. Currently I have one interface plugged in between the 5550 and my Cisco Cat6509.

I would like to plug a second connection between the 5550 and my Cat6509 for fault tolerance and load balancing.

I need some guidance please on how to do this.

Many thanks

Keeka
Question by:keeka
7 Comments
 
LVL 3

Expert Comment

by:mikegatti
ID: 34932786
What is the current setup of your firewall? Do you have a pair of firewalls with an active-active license? Also, you mentioned that you have a 6509. Are you connecting all firewall interfaces to the 6509 and segregating your security zones by VLAN, or do you have another switch in front of your firewall acting as an external switch?
 
LVL 1

Author Comment

by:keeka
ID: 34933032
It's a very simple setup. I have one firewall. It has one connection to my network and another connection to another company.

I want to put an additional connection from the firewall to my switch.

Is it possible to bind two ports on a 5550 ASA to act as one connection, like a Port-Channel interface?

 
LVL 8

Expert Comment

by:pgolding00
ID: 34940545
You can configure Ethernet sub-interfaces (e.g. interface e0/0.1, e0/0.2, etc.), then assign a unique 802.1Q tag to each sub-interface, then do the same on the next interface (e0/1.1, e0/1.2, etc.). Then configure interface vlan1, interface vlan2, etc. on the firewall. Configure the switch ports as 802.1Q trunks and add the appropriate VLANs to the trunks. This should work like a normal switch-to-switch trunk link.
 
LVL 3

Accepted Solution

by:
mikegatti earned 500 total points
ID: 34945190
I don't think you can accomplish load balancing or fault tolerance with a single ASA, since the ASA does not support EtherChannel. You could add another ASA and configure the two to run in active-active failover. I think the other point to highlight is the single point of failure that you have on the other side of the firewall.
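The EtherChannel point above was accurate for the ASA software of the time (8.2/8.3), but ASA 8.4(1) added 802.3ad EtherChannel on the ASA 5510 and larger platforms, which includes the 5550. Once a 5550 runs 8.4(1) or later, the "two ports acting as one connection" the question asks for is a Port-channel interface with LACP negotiated on both ends. What follows is an added example written for this page, not configuration from the thread or from Cisco's documentation; the ASA interfaces GigabitEthernet0/0 and 0/1, the 6509 interfaces GigabitEthernet1/1 and 1/2, VLAN 10 and the 10.0.1.0/24 addressing are assumptions.

```cisco
! --- ASA 5550, software 8.4(1) or later (added example; interface names are assumptions) ---
! Member ports must carry no nameif, security-level or IP of their own before joining the bundle.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 channel-group 1 mode active
 no shutdown
!
! The logical bundle carries the name, security level and address.
! LACP (mode active) on both ends means a member whose link stays up but stops
! answering LACP is removed from the bundle instead of silently black-holing flows;
! "mode on" (static) would keep forwarding into a dead path.
interface Port-channel1
 port-channel load-balance src-dst-ip
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
! --- Catalyst 6509 (IOS) side, untagged access ports in VLAN 10 ---
! switchport nonegotiate disables DTP toward the firewall; a firewall-facing
! port should never be allowed to negotiate itself into a trunk.
interface range GigabitEthernet1/1 - 2
 switchport
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 channel-group 1 mode active
 no shutdown
!
interface Port-channel1
 switchport
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
interface Vlan10
 ip address 10.0.1.2 255.255.255.0
```

Check the bundle from both sides: `show port-channel summary` on the ASA and `show etherchannel summary` on the 6509 should list both members as bundled (P) under Port-channel1. Pull one cable and confirm the remaining member stays up and sessions through the ASA survive; with `src-dst-ip` hashing an individual flow always stays on one member, so the bundle gives per-flow load sharing plus link redundancy, not per-packet balancing.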
 
LVL 1

Author Comment

by:keeka
ID: 34949483
Hi

Thank you, I don't care too much about the other side. That's their problem.

Keeka
 
LVL 1

Author Comment

by:keeka
ID: 34949498
Hi pgolding00

Any chance of an example config please?

Thank you

Keeka
 
LVL 8

Expert Comment

by:pgolding00
ID: 34957398
Sorry, I don't have access to an operating firewall with this config. The example below is taken from this Cisco sample config:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

interface Ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!

As I understand it, you can either specify the IP addressing under the sub-interface (as above), or create an interface vlan xxx, then configure the IP addressing under the VLAN. In your case, you would add IP addressing to the VLAN interface and allocate the VLANs to sub-interfaces as above. You might use ethernet1.<vlan number> and ethernet2.<vlan number> to have one VLAN able to use two interfaces. Working this way may not be possible for all models; the Cisco documentation is not particularly clear. The 5505 model can only work in this way, but the higher models seem to have both options available.

And don't expect the firewall to act as a switch for the same VLAN configured on multiple physical interfaces; it won't do that.

this might also be helpful:
http://www.cisco.com/en/US/customer/docs/security/asa/asa83/configuration/guide/intrface.html#wp1082576
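The sub-interface approach from the two comments above, written out as a complete pair of configurations. This is an added example for this page, not the thread's own or Cisco's: the ASA terminates tagged VLANs on sub-interfaces of two physical links, and the 6509 presents each link as an 802.1Q trunk. The interface names, VLAN numbers, nameif values and addresses are assumptions. Be clear about what it does and does not give: different VLANs can be spread across the two links, but each VLAN still rides exactly one link, so losing that link takes the VLAN's traffic with it. It does not bundle two ports into one connection, which is what the question asked for.

```cisco
! --- ASA 5550 (added example; names, VLANs and addresses are assumptions) ---
! The physical links stay unnamed: untagged (native-VLAN) frames arriving on them
! are dropped, and only the tagged sub-interfaces forward traffic.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/0.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif servers
 security-level 80
 ip address 10.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! VLAN 30 lives on the second physical link; it cannot also be tagged on Gi0/0.
interface GigabitEthernet0/1.30
 vlan 30
 nameif mgmt
 security-level 90
 ip address 10.0.3.1 255.255.255.0
!
! --- Catalyst 6509 (IOS) side ---
! One trunk per ASA link, pruned to exactly the VLANs that link terminates.
! The native VLAN is moved to an unused number so nothing rides the trunk untagged,
! and DTP is disabled so the port cannot be talked into a different trunk state.
vlan 999
 name unused-native
!
interface GigabitEthernet1/1
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
interface GigabitEthernet1/2
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport trunk allowed vlan 30
 switchport mode trunk
 switchport nonegotiate
 no shutdown
!
interface Vlan10
 ip address 10.0.1.2 255.255.255.0
```

Verify with `show interface ip brief` on the ASA (each sub-interface up with its address) and `show interfaces trunk` on the 6509 (allowed and active VLANs per trunk matching the sub-interfaces on that link). If a VLAN shows as allowed on a trunk but has no sub-interface on the ASA end of that link, the ASA simply drops those tagged frames; the trunk pruning above keeps the two views in step.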
