I have a Cisco ASA5510, IOS 7.2.5

Presently it is connected to a single Cisco 2960 with VLANs 10, 11 and 12, configured as subinterfaces on E0/1, which are also the internal default gateways for the respective VLANs. So the ASA routes between the VLANs (LAN, DMZ etc.).

Our parent company has sent 2 x 2960G switches (not stackable) as a switch replacement.

What is the best method of connecting these switches to the ASA? I would like to decommission the old 2960 and just use the new gigabit switches. I need to use the same VLANs on both switches.

Don't know if it is best to have a single trunk link from the ASA5510 to SW1, then an LACP port-channel from SW1 to SW2 -- I realise this is daisy chaining, so it would be least preferable.

OR

ASA/E0 - SW1/Gi0/1 - trunk with subinterfaces as is now?

ASA/E1 - SW2/Gi0/1 - trunk with subinterfaces?

SW1 - SW2 - LACP ?? or would that cause spanning tree loops?

I am willing to accept any other suggestions for configuration.

Hopefully I don't need to upgrade to IOS 8.4 on ASA, really would like to avoid those headaches for the moment

henkus

1 Answer

ASA does not support STP, but you can configure 'redundant interfaces', which will be sort of active/passive - probably by one link up and one link down. You will likely need to upgrade the OS version.

It doesn't seem to filter BPDUs, so it is likely possible to let the switches use STP and control what port is in what state. That is however not something I have tried, so I suggest you carefully test this, or stick to the 'redundant interface' feature.

See http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/intrface.html

3molo
  • Hi 3molo, thank you for your feedback. If I set up a redundant link, would only one switch be active, or do I still need a trunk link between switches? - Ah, also checked RAM, I need to upgrade to be able to install 8.4. – henkus Jan 30 '13 at 09:34
  • You would need a trunk link between them anyway. I thought your goal was to have as redundant paths as possible. You might be able to squeeze in 8.2 or 8.3. – 3molo Jan 30 '13 at 11:02
  • Yes, my goal is redundant paths, might just need to look at ram upgrade and go to 8.4 for all that etherchannel goodness on the ASA - at least with 8.2.5 it should use the same config (with the default ram), so will give that a shot. Thank you very much for your insight. – henkus Jan 30 '13 at 12:21
  • With etherchannel it'll still only go to the same switch. Stacking is required to form a channel with physically separated switches. – 3molo Jan 30 '13 at 12:32
  • ah so - redundant paths it must be. – henkus Jan 30 '13 at 15:29
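As an added illustration of the 'redundant interface' layout the answer and comments settle on (this is constructed example configuration, not from the question, the answer or Cisco documentation): the ASA pairs E0/0 and E0/1 into one logical interface, one link goes to each 2960G, and the two switches are joined by an LACP trunk. The interface names, the port numbers Gi0/1 and Gi0/23-24, the nameif values and all IP addresses are assumptions; the redundant interface feature needs ASA 8.0 or later, which is the reason for the OS upgrade mentioned above.

```cisco
! --- ASA5510 (ASA 8.0 or later; constructed example) ---
! Pair E0/0 and E0/1 into one logical interface. Only the active member
! forwards traffic; the ASA never bridges frames between the two members.
interface Ethernet0/0
 no shutdown
interface Ethernet0/1
 no shutdown
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
! The VLAN subinterfaces move from Ethernet0/1.x to Redundant1.x.
! Addresses and nameif values are placeholders; keep the ones already in use.
interface Redundant1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Redundant1.11
 vlan 11
 nameif dmz
 security-level 50
 ip address 192.168.11.1 255.255.255.0
interface Redundant1.12
 vlan 12
 nameif guest
 security-level 25
 ip address 192.168.12.1 255.255.255.0

! --- SW1 and SW2 (2960G), identical apart from the description ---
vlan 10,11,12
!
! Uplink to the ASA: a plain 802.1Q trunk carrying only the three VLANs.
! SW1 connects to ASA E0/0, SW2 to ASA E0/1.
interface GigabitEthernet0/1
 description Uplink to ASA5510
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
!
! Inter-switch link: two ports bundled with LACP into Port-channel1,
! so the switches see one logical link rather than two parallel ones.
interface range GigabitEthernet0/23 - 24
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,11,12
```

With this layout the SW1-ASA-SW2 triangle is not a Layer 2 loop: the redundant pair is one interface to the ASA, it forwards only through the active member, and it does not bridge between the two physical ports, so the port-channel is the only path carrying the VLANs between the switches, and a port-channel counts as a single link for spanning tree. Restricting each trunk to the three VLANs keeps stray VLANs (including the switch's own VLAN 1) off the firewall. Because the ASA does not take part in STP, the switches' spanning tree is what protects against a loop if a second, unbundled link between SW1 and SW2 is ever patched in, so leave STP enabled on both 2960Gs rather than disabling it on the uplink ports.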