Solved

Cisco ASA 5550 Port Load Balancing and Fault Tolerance

Posted on 2011-02-19
Last Modified: 2012-05-11
Greetings all

I have a Cisco 5550 ASA which I am using between my infrastructure and another.

The 5550 has many interfaces. Currently I have one interface plugged in between the 5550 and my Cisco Cat6509.

I would like to plug a second connection between the 5550 and my Cat6509 for fault tolerance and load balancing.

I need some guidance please on how to do this.

Many thanks

Keeka
0
Question by:keeka
7 Comments
 
LVL 3

Expert Comment

by:mikegatti
ID: 34932786
What is the current setup of your firewall? Do you have a pair of firewalls with an active-active license? Also, you mentioned that you have a 6509: are you connecting all firewall interfaces to the 6509 and segregating your security zones by VLAN, or do you have another switch in front of your firewall acting as an external switch?
0
 
LVL 1

Author Comment

by:keeka
ID: 34933032
It's a very simple setup. I have one firewall. It has 1 connection to my network and another connection to another company.

I want to put an additional connection from the firewall to my switch.

Is it possible to bind two ports on a 5550 ASA to act as one connection? Like it is possible to use a Port-Channel interface?  

0
 
LVL 8

Expert Comment

by:pgolding00
ID: 34940545
you can configure ethernet sub-interfaces (e.g. interface e0/0.1, e0/0.2 etc), then assign a unique 802.1q tag to each subinterface, then do the same on the next interface (e0/1.1, e0/1.2 etc). then configure interface vlan1, interface vlan2 etc on the firewall. configure the switch ports as .1q trunks and add the appropriate vlans to the trunks. this should work like a normal switch-switch trunk link.
0
 
LVL 3

Accepted Solution

by:
mikegatti earned 500 total points
ID: 34945190
I don't think you can accomplish load balancing or fault tolerance with a single ASA since the ASA does not support EtherChannel. You could add another ASA and configure the two to run in active-active failover. I think the other point to highlight is the single point of failure that you have on the other side of the firewall.
0
 
LVL 1

Author Comment

by:keeka
ID: 34949483
Hi

Thank you, I don't care too much about the other side. That's their problem.

Keeka
0
 
LVL 1

Author Comment

by:keeka
ID: 34949498
Hi pgolding00

Any chance of an example config please?

Thank you

Keeka
0
 
LVL 8

Expert Comment

by:pgolding00
ID: 34957398
sorry, i don't have access to an operating firewall with this config. below example taken from this cisco sample config:
http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00806ab788.shtml

interface Ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!

as i understand it, you can either specify the ip addressing under the sub-interface (as above), or create an interface vlan xxx, then configure the ip addressing under the vlan. in your case, you would add ip addressing to the vlan interface and allocate the vlans to sub-interfaces as above. you might use ethernet1.<vlan number> and ethernet2.<vlan number> to have one vlan able to use two interfaces. working this way may not be possible for all models - the cisco doco is not particularly clear. the 5505 model can only work in this way but the higher models seem to have both options available.

and, don't expect the firewall to act as a switch for the same vlan configured on multiple physical interfaces - it won't do that.

this might also be helpful:
http://www.cisco.com/en/US/customer/docs/security/asa/asa83/configuration/guide/intrface.html#wp1082576
0
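Added example (not part of the thread, and not Cisco or Experts Exchange code): a small Python check over sub-interface stanzas in the format quoted above. It lists the VLAN IDs each switch trunk has to carry and flags VLAN IDs and security levels that appear on more than one sub-interface. The function names and the third stanza (Ethernet2.2) are assumptions made for illustration.

```python
from collections import defaultdict
# Constructed input: the post's two stanzas plus a hypothetical third that reuses VLAN 2.
SAMPLE = """\
interface Ethernet1.1
 vlan 2
 nameif vlan2
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet1.2
 vlan 3
 nameif vlan3
 security-level 100
 ip address 10.0.2.1 255.255.255.0
!
interface Ethernet2.2
 vlan 2
!
"""

def parse_subinterfaces(text):
    """Map each 'interface <port>.<n>' stanza to its two-word settings."""
    subs, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        if line.startswith("interface ") and len(words) == 2:
            cur = subs.setdefault(words[1], {}) if "." in words[1] else None
        elif not line.startswith(" "):
            cur = None  # "!" or another top-level command ends the stanza
        elif cur is not None and len(words) == 2:
            cur[words[0]] = words[1]  # "vlan 2"; "ip address ..." is skipped
    return subs

def trunk_vlans(subs):
    """VLAN IDs the switch trunk facing each physical port has to carry."""
    ports = defaultdict(set)
    for name, cfg in subs.items():
        if "vlan" in cfg:
            ports[name.rsplit(".", 1)[0]].add(int(cfg["vlan"]))
    return {port: sorted(ids) for port, ids in ports.items()}

def audit(subs):
    """Report VLAN IDs and security levels set on more than one sub-interface."""
    findings = []
    for key in ("vlan", "security-level"):
        seen = defaultdict(list)
        for name, cfg in subs.items():
            seen[cfg.get(key)].append(name)
        findings += [(key, v, n) for v, n in seen.items() if v and len(n) > 1]
    return findings
```

A "vlan" finding is the case the post warns about, since the firewall will not switch one VLAN across two physical ports. A "security-level" finding matters because an ASA does not pass traffic between interfaces at the same security level unless `same-security-traffic permit inter-interface` is configured.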
