January 4th, 2022 10:00
ASA to N4032 Layer 3 connection
Hello
I am having a problem connecting an ASA to an N4032 switch stack. I want the switches to do all the inter-VLAN routing.
With a Cisco layer 3 switch I just set an interface to be a routed port with a /30 address, set the interface to "no switchport", and set a /30 address on the ASA. Then set the static routes.
However, on the N4032 switches you cannot do a "no switchport" or even assign an IP to a port interface.
So I have tried using a VLAN instead, but it's not working. Once I get that working I want to set up redundancy between 2 ASAs and 2 of the stacked switches.
ASA-1
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.30.1 255.255.255.0
route inside 172.17.0.0 255.255.0.0 172.17.0.0 1
route inside 172.18.0.0 255.255.0.0 172.18.0.0 1
route inside 172.19.0.0 255.255.0.0 172.19.0.0 1
I also tried these routes:
route inside 172.17.0.0 255.255.0.0 192.168.30.3 1
route inside 172.18.0.0 255.255.0.0 192.168.30.3 1
route inside 172.19.0.0 255.255.0.0 191.168.30.3 1
SW-1
ip routing
interface vlan 1
exit
interface vlan 10
ip address 10.10.10.1 255.255.255.0
exit
interface vlan 17
ip address 172.17.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 18
ip address 172.18.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 19
ip address 172.19.1.1 255.255.0.0
ip netdirbcast
bandwidth 10000
exit
interface vlan 303
ip address 192.168.30.3 255.255.255.0
exit
!Cannot use a L3 routed port /30 address so use a vlan
interface Te1/0/21
switchport access vlan 303
exit
ip route 0.0.0.0 0.0.0.0 192.168.30.1
SW-1console#ping 192.168.30.1
Pinging 192.168.30.1 with 0 bytes of data:
Reply From 192.168.30.1: icmp_seq = 0. time= 2119 usec.
Reply From 192.168.30.1: icmp_seq = 1. time= 1644 usec.
Reply From 192.168.30.1: icmp_seq = 2. time= 1603 usec.
Reply From 192.168.30.1: icmp_seq = 3. time= 1874 usec.
----192.168.30.1 PING statistics----
4 packets transmitted, 4 packets received, 0% packet loss
round-trip (msec) min/avg/max = 1/1/2
fp2110asa# ping 192.168.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.33, timeout is 2 seconds:
????
Success rate is 0 percent (0/4)
fp2110asa# ping 192.168.30.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.30.33, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
fp2110asa# ping 172.17.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:
fp2110asa# sho route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF, BI - BGP InterVRF
Gateway of last resort is not set
S 172.17.0.0 255.255.0.0 [1/0] via 172.17.0.0, inside
S 172.18.0.0 255.255.0.0 [1/0] via 172.18.0.0, inside
S 172.19.0.0 255.255.0.0 [1/0] via 172.19.0.0, inside
C 192.168.30.0 255.255.255.0 is directly connected, inside
L 192.168.30.1 255.255.255.255 is directly connected, inside


DELL-Josh Cr
Moderator
January 4th, 2022 15:00
Hi,
If you just need to enable routing on the switch the command ip routing does that and it will route between the VLANS that it knows. Page 1504 starts the section on routing. https://dell.to/3EV5Eel
nadminer
January 4th, 2022 17:00
I already have that running.
I got the first part working (single ASA to the switch stack) by using this:
ASA-1
interface Ethernet1/2
nameif inside
security-level 100
ip address 192.168.7.1 255.255.255.252
!
route inside 172.17.0.0 255.255.0.0 192.168.7.2 1
route inside 172.18.0.0 255.255.0.0 192.168.7.2 1
route inside 172.19.0.0 255.255.0.0 192.168.7.2 1
SW-1
interface vlan 303
ip address 192.168.7.2 255.255.255.252
ip netdirbcast
exit
ip route 0.0.0.0 0.0.0.0 192.168.7.1
!
interface Te1/0/21
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
fp2110asa# ping 172.19.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.19.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
fp2110asa# ping 172.18.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.18.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
fp2110asa# ping 172.17.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.17.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
The next step is to have redundant connections for HA.
2 connections from each ASA to 2 of the switch stack members.
FP2110 running ASA requires port-channel to be created at the FXOS level.
I assume a port-channel will be needed on the switch too?
Anyone done this before?
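A check that catches what changed between the first and second ASA snippets: an added Python validator (not from the thread, and not Cisco or Dell tooling) that parses the two ASA snippets as constructed inline here and flags static routes whose next hop is not a router on a connected subnet. The names ASA_BROKEN, ASA_WORKING and check_static_routes are this example's own.

```python
import ipaddress

# Constructed from the thread: routing-relevant lines of the first (non-working)
# and second (working) ASA snippets posted above.
ASA_BROKEN = """
interface Ethernet1/2
 nameif inside
 ip address 192.168.30.1 255.255.255.0
route inside 172.17.0.0 255.255.0.0 172.17.0.0 1
route inside 172.18.0.0 255.255.0.0 192.168.30.3 1
route inside 172.19.0.0 255.255.0.0 191.168.30.3 1
"""

ASA_WORKING = """
interface Ethernet1/2
 nameif inside
 ip address 192.168.7.1 255.255.255.252
route inside 172.17.0.0 255.255.0.0 192.168.7.2 1
"""


def check_static_routes(config):
    """Return (destination, reason) pairs for static routes whose next hop
    cannot be used: the hop is the destination's own network address rather
    than a router, or it does not sit inside the connected subnet of the
    interface the route is bound to."""
    connected = {}   # nameif -> IPv4Network of that interface's subnet
    nameif = None
    problems = []
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("ip address ") and nameif:
            _, _, ip, mask = line.split()
            connected[nameif] = ipaddress.ip_interface(f"{ip}/{mask}").network
        elif line.startswith("route "):
            _, ifname, dest, dmask, hop = line.split()[:5]
            dest_net = ipaddress.ip_network(f"{dest}/{dmask}", strict=False)
            hop_ip = ipaddress.ip_address(hop)
            subnet = connected.get(ifname)
            if hop_ip == dest_net.network_address:
                problems.append((str(dest_net), "next hop is the destination network address, not a router"))
            elif subnet is None or hop_ip not in subnet:
                problems.append((str(dest_net), f"next hop {hop} is not on the connected subnet of {ifname}"))
    return problems
```

Run against ASA_BROKEN it reports the 172.17.0.0 and 172.19.0.0 routes; ASA_WORKING passes clean.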
DELL-Joey C
Moderator
January 5th, 2022 01:00
Hello @nadminer,
I would say that a call to the support line is needed to check the configuration of the switches against the requirement, in order for HA to work at an optimal level.
So far I've not done such a configuration before; maybe Josh has something to say if he knows anything about it. I'll leave it to him to get back to you if he has any words.
nadminer
January 6th, 2022 21:00
I tried this config and it's not working:
interface vlan 303
ip address 192.168.7.2 255.255.255.252
ip netdirbcast
exit
ip route 0.0.0.0 0.0.0.0 192.168.7.1
interface Te1/0/21
channel-group 1 mode active
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
!
interface Te2/0/21
channel-group 1 mode active
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
!
interface port-channel 1
description "link to ASA1"
switchport mode trunk
switchport access vlan 303
switchport trunk native vlan 303
exit
I saw some posts about using hashing 3 or 4 for the LAG settings but none of them worked either.
The ASA shows a LACP connection and sends and receives traffic on both ports, but pings are not working.
DELL-Joey C
Moderator
January 7th, 2022 01:00
Hi @nadminer,
I'm unsure if the configuration is correct. There is no proper documentation for your environment to look at and refer to.
I'd suggest checking with network support via phone, to confirm the configuration deployment is in place.
nadminer
January 8th, 2022 14:00
I would but switches are out of support. Maybe Dell can go above and beyond the call of duty?
I have tried almost every combination of settings. Port-Channel just doesn't work between a FP2110 running ASA and these N4032 switches. Spent too much time on this already.
If I had known the N4032 can't do a "no switchport" I would not have bought them. Would have gone with Cisco switches.
Will just configure the ASAs to fail over with the switches. Not ideal but...
Surprised no one has run into this.