Thursday, June 20, 2019

How could I have done this more cleanly? ASA question

Obligatory I didn't initially set this up disclaimer.

My public garbage wifi traffic circuit has a 3850 MDF and a single ASA5525x. This obviously isn't a huge deal if it goes out for a few minutes, which is why I did it today. Plain old router on a stick setup. However, the circuit was bumped from 500 to 1g recently, and as I suspected, it's not going to see all that throughput because the trunk is a single 1g copper. There are VLAN interfaces for the client traffic, management, wifi controller backhauls, pretty standard stuff. Pointing out the obvious here that it's not optimal since all that intervlan traffic is being routed through that same port. I can operate Cisco, but I'm not an expert by any means.

I run over to the DC today to cure that bottleneck. As I feared there aren't any SFP+ cages on the ASA, so instead I decide to build a LAG between the 3850 and the ASA. Backed up both configs to tftp, and I also like to paste them plaintext into a notepad++ additionally just in case. I set up the "port-channels" (hate that marketing bullshit term), carve out two unused ports on each device, and get ready to move the VLANs from one interface to the LAG. Problem 1: The ASA didn't seem capable of moving the VLANs to another interface that I could find. I can accomplish this in two clicks on a Mikrotik, so that threw me. I was already in my window, so I copied all the subinterface code out of my handy little notepad++, make no int ge0/1.x commands, ctrl+H the existing commands to say port-channel 1.x, nuke the VLANs off the old port, name the LAG "inside" and set security level to 1 and voila!

Problem 2: When I did that, the ASA decided to delete all the inside/outside NAT rules on the box. I pasted them back in from my notepad, but it did cause a brief loss of connectivity and dropped a couple of LAN-to-LAN tunnels temporarily. This is garbage traffic so no real harm done, but I want to learn from this. Is there a way to complete a task like this more cleanly on an ASA?

tia
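One way to prepare the swap offline before the window, as an added example that is not from the post: a Python script that rewrites the subinterface blocks from the old physical port onto the port-channel and pulls out every nat and access-group line referencing a nameif carried by those subinterfaces. Those are the lines the ASA drops when the subinterface goes away, so having them listed up front means they can be re-pasted in the same paste as the new subinterfaces. The config fragment, interface names and addresses below are constructed for the example.

```python
import re

# Constructed ASA running-config fragment (hypothetical names and addresses).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif clients
 security-level 1
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif mgmt
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
access-group clients_in in interface clients
nat (clients,outside) source dynamic any interface
nat (mgmt,outside) source static mgmt-net mgmt-net destination static remote remote
nat (inside,outside) source dynamic any interface
"""


def plan_migration(config, old_port, new_port):
    """Return (rewritten subinterface blocks, lines that depend on their nameifs).

    Removing a subinterface on the ASA also removes the nat rules and
    access-group bindings that reference its nameif, so the second list is
    what has to be re-applied right after the new subinterfaces come up.
    """
    block_re = rf"^interface {re.escape(old_port)}\.\d+\n(?: .+\n)*"
    blocks = re.findall(block_re, config, re.M)
    names = {m.group(1) for b in blocks for m in re.finditer(r"^ nameif (\S+)$", b, re.M)}
    rewritten = [b.replace(f"interface {old_port}.", f"interface {new_port}.") for b in blocks]
    dependent = []
    for line in config.splitlines():
        nat = re.match(r"^nat \(([^,]+),([^)]+)\)", line)
        acl = re.match(r"^access-group \S+ (?:in|out) interface (\S+)", line)
        if (nat and set(nat.groups()) & names) or (acl and acl.group(1) in names):
            dependent.append(line)
    return rewritten, dependent


if __name__ == "__main__":
    new_blocks, reapply = plan_migration(SAMPLE_CONFIG, "GigabitEthernet0/1", "Port-channel1")
    print("".join(new_blocks))
    print("\n".join(reapply))
```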
