Cisco Cisco Catalyst 6500 Series 7600 Series ASA Services Module Guide De Montage
10
10
Reference
Guidelines for the ASA Services Module
VLAN Guidelines and Limitations
•
Use VLAN IDs 2 to 1001.
•
You can use private VLANs with the ASASM. Assign the primary VLAN to the ASASM; the ASASM automatically handles
secondary VLAN traffic. There is no configuration required on the ASASM for this feature; see the switch configuration
guide for more information. See also the example in
secondary VLAN traffic. There is no configuration required on the ASASM for this feature; see the switch configuration
guide for more information. See also the example in
.
•
You cannot use reserved VLANs.
•
You cannot use VLAN 1.
•
If you are using ASASM failover within the same switch chassis, do not assign the VLAN(s) that you are reserving for
failover and stateful communications to a switch port. However, if you are using failover between chassis, you must include
the VLANs in the trunk port between the chassis.
failover and stateful communications to a switch port. However, if you are using failover between chassis, you must include
the VLANs in the trunk port between the chassis.
•
If you do not add the VLANs to the switch before you assign them to the ASASM, the VLANs are stored in the supervisor
engine database and are sent to the ASASM as soon as they are added to the switch.
engine database and are sent to the ASASM as soon as they are added to the switch.
•
You can configure a VLAN in the ASASM configuration before it has been assigned on the switch. Note that when the
switch sends the VLAN to the ASASM, the VLAN defaults to be administratively up on the ASASM, regardless of whether
the you shut them down in the ASASM configuration. You need to shut them down again in this case.
switch sends the VLAN to the ASASM, the VLAN defaults to be administratively up on the ASASM, regardless of whether
the you shut them down in the ASASM configuration. You need to shut them down again in this case.
SPAN Reflector Guidelines
In Cisco IOS software Version 12.2SXJ1 and earlier, for each ASASM in a switch, the SPAN reflector feature is enabled. This
feature allows multicast traffic (and other traffic that requires a central rewrite engine) to be switched when coming from the
ASASM. The SPAN reflector feature uses one SPAN session. To disable this feature, enter the following command:
feature allows multicast traffic (and other traffic that requires a central rewrite engine) to be switched when coming from the
ASASM. The SPAN reflector feature uses one SPAN session. To disable this feature, enter the following command:
no monitor session servicemodule
ASA and Cisco IOS Feature Interaction Guidelines
Some ASASM features interact with Cisco IOS features. The following features involve Cisco IOS software:
•
Virtual Switching System (VSS)—No ASASM configuration is required.
•
Autostate—The supervisor informs the ASASM when the last interface on a given VLAN has gone down, which assists in
determining whether or not a failover switch is required.
determining whether or not a failover switch is required.
•
Clearing entries in the supervisor MAC address table on a failover switch—No ASASM configuration is required.
•
Version compatibility—The ASASM will be automatically powered down if the supervisor/ASASM version compatibility
matrix check fails.
matrix check fails.
SVI Guidelines
If you want to use the MSFC as a directly connected router (for example, as the default gateway connected to the ASASM outside
interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI).
interface), then add an ASASM VLAN interface to the MSFC as a switched virtual interface (SVI).
For security reasons, by default, you can configure one SVI between the MSFC and the ASASM; you can enable multiple SVIs,
but be sure you do not misconfigure your network.
but be sure you do not misconfigure your network.
For example, with multiple SVIs, you could accidentally allow traffic to pass around the ASASM by assigning both the inside
and outside VLANs to the MSFC. (See
and outside VLANs to the MSFC. (See