Bringing redundancy at the perimeter, Routers and FWs


Hi all... What's required from our side to bring about (preferably) Active/Active with seamless failover if we deploy a pair of routers followed by a pair of firewalls at our network perimeter?

To achieve redundancy on the routers, we can use Cisco HSRP with SNAT, but though this gives us redundancy, it might not give us an Active/Active scenario. Is there a better option?

Do we need to involve the ISP to achieve an active/active scenario if we have asked them to provide us with two MPLS lines of 8MB each, going on each router's FE interface?

The reason we asked for two circuits was to use one as a standby in case the primary goes down, but if we can use both at the same time, that would be better, given that we are paying for them anyway.

And then, how do I connect the two ASA 5520s to match the failover configuration of the routers beyond?

I am basically looking at design clues. I wonder how easy it would be to depict the ensuing diagram in text?

But still...all suggestions welcome.

spremkumar Tue, 02/05/2008 - 01:04


You can think of using GLBP on your routers to achieve an active/active kinda situation.

You also need to keep your ISP informed about this setup and have required configurations done at their end for your network.

They also need to configure 2 equal cost paths pointing towards the links connecting to your routers.

I hope you are already aware that you can configure an Active/Active setup with your ASAs, which are of the same config/model, etc.
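
A sketch of the GLBP suggestion above for the two perimeter routers, added here as an example and not taken from the thread or from any poster's configuration. The interface names, addresses (documentation range), group number, weights and key placeholder are all assumptions.

```cisco
! Constructed example. All names, addresses and values are assumptions.
!
! ----- Router R1 -----
! Track the ISP-facing interface so R1 stops forwarding if its circuit drops
track 1 interface FastEthernet0/0 line-protocol
!
interface FastEthernet0/0
 description Uplink to ISP circuit 1
!
interface FastEthernet0/1
 description Segment shared with R2 and the ASA outside interfaces
 ip address 192.0.2.2 255.255.255.248
 ! Virtual gateway address the firewalls use as next hop
 glbp 1 ip 192.0.2.1
 glbp 1 priority 110
 glbp 1 preempt
 glbp 1 load-balancing round-robin
 ! Weight 100 - 40 = 60 falls below "lower 70": R1 gives up its forwarder role
 glbp 1 weighting 100 lower 70 upper 90
 glbp 1 weighting track 1 decrement 40
 ! Authenticate GLBP hellos so a rogue device on the segment cannot join the group
 glbp 1 authentication md5 key-string <SHARED-KEY-PLACEHOLDER>
!
! ----- Router R2 -----
track 1 interface FastEthernet0/0 line-protocol
!
interface FastEthernet0/0
 description Uplink to ISP circuit 2
!
interface FastEthernet0/1
 description Segment shared with R1 and the ASA outside interfaces
 ip address 192.0.2.3 255.255.255.248
 glbp 1 ip 192.0.2.1
 glbp 1 priority 100
 glbp 1 preempt
 glbp 1 load-balancing round-robin
 glbp 1 weighting 100 lower 70 upper 90
 glbp 1 weighting track 1 decrement 40
 glbp 1 authentication md5 key-string <SHARED-KEY-PLACEHOLDER>
```

GLBP spreads load by answering ARP requests for the virtual IP with different virtual MACs, so the split depends on how many distinct devices on the segment ARP for 192.0.2.1. This covers outbound traffic only; return traffic follows whatever paths the ISP configures toward the two circuits.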


Thanks Prem. GLBP on the routers is a seemingly good idea, but what does my ISP have to do here, in technical terms? You said that they have to configure 2 equal cost paths; is this the same as configuring BGP? Or is this packet-based load balancing? Say they are planning to give me 2x4MB MPLS-based links which I would terminate on my two routers' FE interfaces. What should I specifically ask them to do?

Also, afaik configuring two PIX for Active/Active setup involves:

1. Security contexts to be enabled

2. No load balancing

I tried reading through this document to reach my conclusions:

