Studying otions - Design issues

fahim · ‎10-13-2007

We have been provided with two options by our technology consultants to cater for Network Infrastructure in our new office building that spans across 20 floors with data center on 10th and IDFs on each floor.

*Attached Diagram Option I is using Cisco Cat 3750E at the access layer and Core and Distribution collapsed into a pair of 6509s.

* Option II is more high end with 4509s on the access layer and separated distribution and core layer (redundant).

But glaring in the diagram is the way two ASA 5540 are connected in failover mode. Seems like in both options I and II the consultants have multihomed it.

Is this possible? Is the representation right? I need to be sure of this point before I take this up for technical feasibility.

Also, any other concerns based on this diagrams that I should have..please advise!!

Rgds

Collin Clark · ‎10-14-2007

They can be multihomed for redundancy. You might want to have your consultants create a detailed diagram for the firewall infrastructure; explaining how they connect to the switches, why, and what scenarios provide redundancy and what scenarios won't.

HTH and please rate.

fahim · ‎10-14-2007

Thanks for the reply clark.

In order to multihome my firewall, I'll have to provide, same IP address to two interfaces on the same subnet.

Is this doable on ASA for I don't remember if it was doable on PIX?

Collin Clark · ‎10-15-2007

On the ASA you'll use an SVI (VLAN interface) instead of a physical interface. You can assign two or more physical ports to the 'inside' VLAN and connect each port back to the core/distribution layer.

HTH and please rate.

fahim · ‎10-19-2007

I understand that the current ASA code does not allow the same VLAN ID to be used across two interfaces. This maybe doable in the future but an ASA expert also tells me that not today. Can you provide please provide me with the link on this site that describes how this can be done so that I can test it on one of our ASAs?