All times are UTC - 6 hours [ DST ]



[ 12 posts ]
Author Message
PostPosted: Tue Jun 19, 2012 9:40 am
Junior Member | Joined: Fri Feb 13, 2009 8:22 am | Posts: 60
Hello,

I have a number of organisations that I work with who are currently all changing their ISP to a different one. The company who are supporting this are introducing a new router and firewall to the network and removing the old layer 3 switch. Firewalling and filtering was previously done off site but will now be handled by the ASA 5505. I personally do not have permission to configure the ASA (nor would I know how to), but I might be able to point the people who do in the right direction if anyone here can help me.

So these places are set up with 2 IP ranges, so int 0 on the ASA is 10.0.0.1 and int 1 is 10.0.1.1. The Cisco ASA has been configured with the same settings on its required ports as the old layer 3 switch had, so nothing much has to change on the internal network. The problem is that the old layer 3 switch must have only been passing data through at layer 3, so basically not switching and not creating network loops. It seems that due to certain required network topologies, switch A is connected to switch B, which is connected to switch C, which is connected to the ASA, but switch A will also be plugged into one of the interfaces on the ASA (creating a loop). As I've said, this was not a problem with the layer 3 switch, but now the ASA must be switching at layer 2 (I guess...?) as well as routing to the internet (which is required for both ports, which are VLANs) and so is messing up the LAN with a switching loop.

OK, so what I'd really like to know is: can the ASA 5505 be configured so as to allow access to the internet for both VLANs/IP ranges while also preventing switching loops from being created? It seems definite that this is being caused by the introduction of the 5505, as the old setup was exactly the same; it's just that the 2 cables have been plugged into the 5505. We do not have the option of using STP here as the rest of the switches on the network are unmanaged.

Thanks.


PostPosted: Tue Jun 19, 2012 10:13 am
Member | Joined: Tue Feb 08, 2011 8:44 pm | Posts: 123 | Certs: CCNA
The 5505 can have separate VLANs: one interface can trunk several VLANs, or you could assign one VLAN per interface. By default the 5505 won't broadcast between its interfaces, so I don't think it's causing a loop unless something unusual has been configured.

The number of VLANs supported depends on the license. This link discusses VLAN interface configuration for ASA 8.4:

http://www.cisco.com/en/US/docs/securit ... _5505.html

If the switches are unmanaged, how does one assign a switchport to a VLAN?


PostPosted: Tue Jun 19, 2012 10:54 am
Junior Member | Joined: Fri Feb 13, 2009 8:22 am | Posts: 60
Hmm, yes, well there is one VLAN on each of the 2 internal-facing interfaces being used, no trunking. This device is definitely creating the loop; if I take one of the cables out, the LAN settles down to normal quickly. None of the other switchports are assigned to VLANs, they are just dumb switches.


PostPosted: Tue Jun 19, 2012 11:59 am
Member | Joined: Tue Feb 08, 2011 8:44 pm | Posts: 123 | Certs: CCNA
Sorry, I may be wrong about the defaults; the 5505 ports may all be in VLAN 1 by default or configured on the same VLAN. Then, I think without spanning tree protocol working you will need to assign them to different VLANs if you're using them, and set up routing between the VLANs on the ASA.


PostPosted: Tue Jun 19, 2012 4:07 pm
Junior Member | Joined: Fri Feb 13, 2009 8:22 am | Posts: 60
OK thanks, I'll enquire whether both ports are on the same VLAN or not.


PostPosted: Thu Jun 28, 2012 3:50 am
Post Whore | Joined: Tue Aug 05, 2008 6:36 am | Posts: 2426 | Location: Perth, Australia | Certs: CCNP, CCNA Voice, SMB Select, Linux+
If you have one VLAN connected to the two ports into the switches then you will create a loop. The ASA will switch packets within the same VLAN, as it is the same broadcast domain within the ASA. Do you have spanning tree working correctly?

I recall I also did this kind of setup and caused a bridging loop. To resolve it, I had to also allow VLAN 1 down the trunk to the ASA, as in that topology STP was sent over VLAN 1. It was a long time ago and I cannot recall the exact setup. Not sure what happens if you use RPVST+.

_________________
"Right actions in the future are the best apologies for bad actions in the past."


PostPosted: Sun Aug 26, 2012 4:43 pm
New Member | Joined: Mon Aug 20, 2012 10:44 pm | Posts: 10
I am curious. Are there positions in the industry where responsibilities are focused on just one line of equipment, such as the Cisco 5500 series security appliances? It seems that these appliances are ever evolving and becoming so complex that at some point, if it is not already the case, it would necessitate a full-time position to install and monitor the equipment and do nothing else. Can I go to a job interview and tell them my main focus of skills is in the Cisco Adaptive Security Appliances and hope to get a job?


PostPosted: Sun Aug 26, 2012 7:42 pm
Post Whore | Joined: Tue Aug 05, 2008 6:36 am | Posts: 2426 | Location: Perth, Australia | Certs: CCNP, CCNA Voice, SMB Select, Linux+
sk34 wrote:
I am curious. Are there positions in the industry where responsibilities are focused on just one line of equipment, such as the Cisco 5500 series security appliances? It seems that these appliances are ever evolving and becoming so complex that at some point, if it is not already the case, it would necessitate a full-time position to install and monitor the equipment and do nothing else. Can I go to a job interview and tell them my main focus of skills is in the Cisco Adaptive Security Appliances and hope to get a job?


I don't know about that, but it seems you wish to be security focused? Have you looked into the Cisco CCDP certification path? This topic isn't really the correct channel to be discussing this, so if you have further questions raise it in the main forum :)

_________________
"Right actions in the future are the best apologies for bad actions in the past."


PostPosted: Mon Aug 27, 2012 7:58 am
Post Whore | Joined: Tue Aug 21, 2007 2:15 pm | Posts: 8260 | Location: Frederick MD | Certs: Instanity
Any company worth any amount of salt would not put their defense strategy into one line of firewall or security appliance. One vulnerability could bring down the entire infrastructure. Here we run like 6 different vendors' firewalls, a bit overkill but much more secure.

I think focusing on one line of hardware or software would be career limiting in many ways, limiting the companies you can work for; the devices have a lifetime, say in 10 years they go end-of-life, and your career would be toast.

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw


PostPosted: Wed Sep 05, 2012 2:58 am
Junior Member | Joined: Fri Feb 13, 2009 8:22 am | Posts: 60
Just to let you know, I found out that the problem was not actually switching loops as I'd previously suspected. It was just the firewall blocking all traffic intermittently (every few seconds, or tens of seconds, roughly). Eventually, after explaining the problem for perhaps the tenth time, someone with half a brain at the company who manage the firewalls told me that it was more likely that this problem was due to the firewall blocking all traffic. He explained that the device was configured in such a way that if any traffic originating from an IP range other than the one int x is configured to be on comes into that interface, it would block all traffic. So as I explained originally, in most of these organisations I work at there are 2 IP ranges and 2 domains, but unfortunately at most sites the switching fabric is not separate, so requests from one IP range will run up the cables of the other, which, due to the config of these ASAs, shut the connection down.

The easiest way for me to resolve it was to take one (internal) cable out of an int on the ASA and then put everything in the site on the same range as the other int, then play about with DNS so the clients could all still log into their respective domains without delays or too much trouble.

Just out of curiosity, does anyone know exactly how this config would be created in the ASA? Is it a common thing? I'm guessing it's not a default setting, as someone would have mentioned it earlier?
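Added example (not from the thread, and not Cisco's code): a small Python check for the two conditions the thread turns on. The first is whether two of the 5505's active LAN-facing switchports sit in the same VLAN, the loop condition raised earlier in the thread, which matters because the downstream switches are unmanaged and cannot run STP. The second is whether traffic arriving on a VLAN interface carries a source address outside that interface's configured subnet, the symptom described in this post. The ASA-style running-config excerpt and the observed (VLAN, source IP) pairs are constructed sample input; the rule that a switchport with no `switchport access vlan` line defaults to VLAN 1 is an assumption taken from the earlier reply about the 5505's defaults.

```python
import ipaddress
from collections import defaultdict

# Constructed ASA 5505-style running-config excerpt (sample input, not taken from
# any device in the thread): two internal VLAN interfaces as in the original post,
# one outside VLAN, and two LAN-facing switchports left in the same VLAN so the
# loop check has something to report. Ethernet0/2 has no access-vlan line.
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan3
 nameif inside2
 ip address 10.0.1.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
 switchport access vlan 1
!
interface Ethernet0/2
!
interface Ethernet0/3
 switchport access vlan 3
!
interface Ethernet0/4
 shutdown
!
"""

# Constructed observations: (VLAN id, source IP) pairs seen arriving on that VLAN,
# as one might collect from a packet capture or the ASA's connection logs.
OBSERVED = [(1, "10.0.0.25"), (1, "10.0.1.40"), (3, "10.0.1.7")]

DEFAULT_ACCESS_VLAN = 1  # assumption: a switchport with no access-vlan line sits in VLAN 1


def parse_interfaces(config):
    """Return {interface name: attributes} for every 'interface' stanza."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {}
        elif line == "!":
            current = None
        elif current is not None:
            attrs = interfaces[current]
            if line.startswith("nameif "):
                attrs["nameif"] = line.split()[1]
            elif line.startswith("ip address "):
                addr, mask = line.split()[2:4]  # tolerates a trailing 'standby' address
                attrs["network"] = ipaddress.ip_interface(f"{addr}/{mask}").network
            elif line.startswith("switchport access vlan "):
                attrs["vlan"] = int(line.split()[-1])
            elif line == "shutdown":
                attrs["shutdown"] = True
    return interfaces


def ports_per_vlan(interfaces):
    """Map VLAN id -> active physical switchports assigned to it."""
    members = defaultdict(list)
    for name, attrs in interfaces.items():
        if name.startswith("Ethernet") and not attrs.get("shutdown"):
            members[attrs.get("vlan", DEFAULT_ACCESS_VLAN)].append(name)
    return dict(members)


def shared_vlans(interfaces):
    """VLAN ids carried by more than one active switchport: with unmanaged (no STP)
    switches downstream, two such ports wired into one LAN loop through the ASA."""
    return sorted(v for v, ports in ports_per_vlan(interfaces).items() if len(ports) > 1)


def off_subnet_sources(interfaces, observed):
    """Return (nameif, source) for observations whose source address lies outside
    the subnet configured on the VLAN interface it arrived on."""
    nets = {int(n[4:]): (a.get("nameif", n), a["network"])
            for n, a in interfaces.items() if n.startswith("Vlan") and "network" in a}
    return [(nets[v][0], src) for v, src in observed
            if ipaddress.ip_address(src) not in nets[v][1]]


if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    for vlan, ports in sorted(ports_per_vlan(ifaces).items()):
        print(f"VLAN {vlan}: {', '.join(ports)}")
    print("VLANs with more than one active switchport:", shared_vlans(ifaces))
    print("Sources outside their interface's subnet:", off_subnet_sources(ifaces, OBSERVED))
```

To use it against a real box, replace SAMPLE_CONFIG with a `show running-config` dump and feed OBSERVED from a capture or the connection logs. On the sample, VLAN 1 is reported as shared by Ethernet0/1 and Ethernet0/2, and 10.0.1.40 is flagged as an inside2-range address arriving on the inside interface. Which ASA feature produced the blocking described in this post is not settled in the thread; the ASA's unicast reverse-path check (`ip verify reverse-path interface <nameif>`) drops packets whose source is not routed via the receiving interface, which is one feature with a matching per-packet symptom, but the check above only models the condition, not any particular feature's behaviour.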


PostPosted: Wed Sep 05, 2012 6:09 am
Post Whore | Joined: Tue Aug 05, 2008 6:36 am | Posts: 2426 | Location: Perth, Australia | Certs: CCNP, CCNA Voice, SMB Select, Linux+
Someone will probably know what you're referring to, but all I can think of is "shunning"?

_________________
"Right actions in the future are the best apologies for bad actions in the past."


PostPosted: Thu Sep 06, 2012 8:14 am
Post Whore | Joined: Tue Aug 21, 2007 2:15 pm | Posts: 8260 | Location: Frederick MD | Certs: Instanity
Sounds like asynchronous routing?

_________________
"If you're good at anticipating the human mind. It leaves nothing to chance."
-Jigsaw

