ASA 5520 implementation

Answered Question
Oct 16th, 2007

Hi,


I have a question regarding ASA failover pair connection. Inside and outside interfaces (no DMZ) need to be connected via an L2 switch, and via a LAN-based cable. My question: is it possible to use the same switch for connecting the ASA interfaces? Please look at the attached file. The inside interfaces of both ASAs are connected to ports in the same VLAN, an additional port (trunk) is connected to a Cisco 6500, and OSPF is configured. Also, the same is done with the outside interfaces of both ASAs.

Correct Answer
Jon Marshall Tue, 10/16/2007 - 23:35
Hi


Yes, you can do this if you want to, although I would question why you want to do this. The problem is you have redundant firewalls but only connecting to one switch, so your Catalyst 2960/3560 is now a single point of failure.


Seems wrong to have redundant firewalls hanging off one switch.


HTH


Jon

binelipetrov Wed, 10/17/2007 - 00:05

OK, you are right, but what if we do that with two separate devices... for example, the inside interfaces are connected to one switch, and the outside to another... if something goes wrong with the inside switch, nothing will work; it is still a single point of failure... same with the outside switch...

Correct Answer
Jon Marshall Wed, 10/17/2007 - 03:45

Hi


Yes, you are right, it is still a single point of failure. The idea would be to have one inside interface to one switch and the other inside interface to another switch, and the same for the outside.


You could, if you wanted, use the same physical switches, so you need 2 switches, each with 2 VLANs, although quite often designs use separate switches for the outside interfaces.


It all depends on the level of redundancy you need.


Jon
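The redundancy argument above, as an added example that is not part of the thread: a small Python model of the two cabling designs (both ASAs on one switch, versus one ASA per switch with each switch carrying both VLANs) that removes one device at a time and reports which single failure cuts the inside network off from the outside. Device and node names are constructed for the model.

```python
from collections import deque

def build_topology(num_switches: int):
    """Constructed model of the two designs discussed in the thread.
    Returns (adjacency, owner): owner maps a graph node to the physical
    device it lives on, so failing a switch removes all of its VLAN nodes."""
    adj: dict[str, set[str]] = {}
    owner: dict[str, str] = {}

    def link(a: str, b: str) -> None:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)

    switches = [f"SW{i}" for i in range(1, num_switches + 1)]
    for sw in switches:
        # Inside and outside VLANs are separate broadcast domains on the same
        # switch: no edge between them, so every inside->outside path must
        # cross an ASA (that VLAN separation is what keeps the zones apart).
        owner[f"{sw}:vlan_inside"] = sw
        owner[f"{sw}:vlan_outside"] = sw
        link("inside_net", f"{sw}:vlan_inside")    # trunk towards the core 6500
        link(f"{sw}:vlan_outside", "outside_net")  # uplink towards the outside
    for n, asa in enumerate(["ASA1", "ASA2"]):
        sw = switches[n % len(switches)]  # one switch: both ASAs land on SW1
        owner[asa] = asa
        link(asa, f"{sw}:vlan_inside")
        link(asa, f"{sw}:vlan_outside")
    return adj, owner

def connected(adj, owner, failed_device, src="inside_net", dst="outside_net") -> bool:
    """BFS from src to dst with every node owned by failed_device removed."""
    alive = {n for n in adj if owner.get(n, n) != failed_device}
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj[node]:
            if nxt in alive and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def single_points_of_failure(num_switches: int) -> set[str]:
    """Devices whose loss alone disconnects inside from outside."""
    adj, owner = build_topology(num_switches)
    return {d for d in set(owner.values()) if not connected(adj, owner, d)}

if __name__ == "__main__":
    for n in (1, 2):
        print(f"{n} switch(es): SPOFs = {sorted(single_points_of_failure(n))}")
```

With one switch the only single point of failure reported is the switch itself; with two switches, each carrying both VLANs, no single device failure disconnects the two sides, which is the design Jon describes.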

binelipetrov Wed, 10/17/2007 - 04:07

Yes, level of redundancy and the amount of money the customer wants to give.. :) At the moment, they have only one switch, so it was important for me to know if it is possible to implement that with only one switch. Thanks for the answers.
