I have 2 ASA firewalls which I need to connect to my 2 CAT6K core switches. The core switches are running the GLBP redundancy protocol between them.
My question here is since my switches are Active-Active, can I implement my firewall cluster in Active-Passive mode? Can you please advise on the best design for this scenario?
As Thomas says, it really depends on how your switches are connected together and how you have connected your ASA devices to the 6500s.
Assuming that your ASA inside interfaces are in the same VLAN and that your 6500 switches are connected via an L2 trunk, then there are 2 things to bear in mind.
1) If the ASA devices are on a dedicated VLAN, i.e. no other devices are on that VLAN, then GLBP won't gain you anything because the source MAC address/IP address will always be the same, i.e. the active firewall.
2) Regardless of 1, remember that if the return traffic going back to the ASA inside interface, or traffic originated from inside, goes to the switch that is connected to the passive ASA, then the switch will simply send the traffic across the trunk link to the other switch, which will then forward it on to the active ASA.
So it doesn't matter which switch is active for which VLANs. Any traffic that goes to the switch that isn't connected to the active ASA will simply be sent across the Layer 2 trunk to the other switch, which then sends it on to the active ASA.
Of course, this is only relevant if you have indeed connected your ASA devices to the 6500s on a common VLAN and there is a Layer 2 trunk interconnecting your 6500 switches.
Hope this makes sense.
Context out the ASAs and then you run them in active/active, but this is more of one context is active on firewall 1 and passive on firewall 2, then the next context is passive on firewall 1 and active on firewall 2.
Are the switches connected together? This way they would have an understanding of each other and know that their peer hasn't failed, thus keeping the connection available to both switches.
Questions:
Are the GLBP interfaces ports or VLANs?
Are the switches connected together?
What is the outcome that you would like?