Direct Crossover or Switchport for ASA5510 Failover

Aug 27th, 2008

I'm not having any luck finding specs on Cisco's web site stating why you should use a direct Ethernet crossover cable (connected between two ASA 5510s without a switch) rather than using a switch between/uplinking two ASA 5510s.


I see notes that you can use a direct crossover Ethernet cable between two ASA 5510s, but also see notes (Cisco Press, "Cisco ASA, PIX, and FWSM Firewall Handbook", second edition) that you should not.


If you are able to find a Cisco URL/white paper stating which type is better, I'll buy you a beer.


Thanks, Kevin


Jon Marshall Wed, 08/27/2008 - 05:24

Andrew


Apologies, as this is the 2nd time today I have posted an answer just after you.


Not doing it on purpose :-)


Jon

Jon Marshall Wed, 08/27/2008 - 05:23

Kevin


Don't know of a specific white paper/URL so no beer :-( but if you use a crossover cable then the only thing that needs to fail is the active ASA for it to switch to the other ASA.


Using a switch introduces a single point of failure. If you use 2 switches connected via a trunk then you have eliminated the single point of failure.


If the firewalls are close enough I would use a crossover, but you may want your firewalls in different racks in different parts of the data centre, in which case using switches is the way to go. Because of the above I usually use switches.


Jon

ksvy_ksvy Wed, 08/27/2008 - 05:55

Ok, I should have stated the environment; due to 3 of the 4 Internetwork interfaces being used for other LANs (inside, outside, and DMZ), we configured the 4th interface for both STATEful and LAN-Base. The test 2950 switch was configured for trunking and tested good, but the site where the failover ASA pair is to be set up uses a 4500 series CAT OS coded switch.

Discussion among some of our support is to use a direct crossover.

So depending on the remote site's support configuring their CAT OS switch to support the trunked ports for the two ASA failover interfaces, we're concerned about which of the two options to go with.

HOU140ffipt1-pri# sh run | grep failover

failover

failover lan unit primary

failover lan interface faillink GigabitEthernet0/3.1

failover polltime unit 1 holdtime 3

failover polltime interface 3 holdtime 15

failover replication http

failover link statelink GigabitEthernet0/3.2

failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2

failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2


ksvy_ksvy Wed, 08/27/2008 - 05:57

asa# sh run | grep failover

failover

failover lan unit primary

failover lan interface faillink GigabitEthernet0/3.1

failover polltime unit 1 holdtime 3

failover polltime interface 3 holdtime 15

failover replication http

failover link statelink GigabitEthernet0/3.2

failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2

failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
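Added illustration, not part of the thread and not Cisco's code: a small Python checker that parses the "sh run | grep failover" output pasted above and reports the things a reviewer would look at before deciding between a crossover cable and a switch. The two rules it encodes (hold time must be at least three times the poll interval; a separate state link must sit on a different subnet from the failover link) are my reading of the ASA configuration guide, not something stated in this thread. The subinterface finding is the point that matters for the question: both links here are 802.1Q subinterfaces of GigabitEthernet0/3, so whatever sits between the two units (crossover or switch ports) has to carry those tags, which is exactly why the CatOS trunk configuration was a concern.

```python
import ipaddress

# Constructed sample input: the "sh run | grep failover" output posted in the
# thread, hostname omitted as in the second paste. Any real deployment would
# feed in its own captured output instead.
SAMPLE_OUTPUT = """\
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
"""


def _seconds(tokens):
    # "1" -> 1.0 seconds; "msec 200" -> 0.2 seconds (ASA accepts both forms)
    if tokens[0] == "msec":
        return int(tokens[1]) / 1000.0
    return float(tokens[0])


def parse_failover(text):
    """Turn 'failover ...' lines into a dict: unit role, links, timers, replication."""
    cfg = {"enabled": False, "unit": None, "links": {}, "polltime": {}, "replication": []}
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] != "failover":
            continue
        if len(parts) == 1:
            cfg["enabled"] = True
        elif parts[1:3] == ["lan", "unit"]:
            cfg["unit"] = parts[3]
        elif parts[1:3] == ["lan", "interface"]:
            # failover (LAN) link: name and physical/sub interface
            cfg["links"].setdefault(parts[3], {}).update(physical=parts[4], role="failover")
        elif parts[1] == "link":
            # stateful failover link
            cfg["links"].setdefault(parts[2], {}).update(physical=parts[3], role="state")
        elif parts[1] == "polltime":
            rest = parts[3:]
            idx = rest.index("holdtime")
            cfg["polltime"][parts[2]] = {"poll": _seconds(rest[:idx]),
                                         "hold": _seconds(rest[idx + 1:])}
        elif parts[1] == "replication":
            cfg["replication"].append(parts[2])
        elif parts[1:3] == ["interface", "ip"]:
            name, ip, mask, _, standby = parts[3:8]
            link = cfg["links"].setdefault(name, {})
            link["network"] = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            link["active"] = ipaddress.ip_address(ip)
            link["standby"] = ipaddress.ip_address(standby)
    return cfg


def check_failover(cfg):
    """Return a list of findings (empty list means nothing to flag)."""
    findings = []
    if not cfg["enabled"]:
        findings.append("failover is not enabled")
    for kind, t in cfg["polltime"].items():
        # assumption from the ASA guide: holdtime >= 3 x polltime
        if t["hold"] < 3 * t["poll"]:
            findings.append(f"{kind} holdtime {t['hold']}s is below 3x polltime {t['poll']}s")
    seen = {}
    for name, link in cfg["links"].items():
        phys = link.get("physical")
        if phys is None:
            findings.append(f"link {name} has addressing but no interface assigned")
            continue
        if phys in seen:
            findings.append(f"links {seen[phys]} and {name} share interface {phys}")
        seen[phys] = name
        if "." in phys:
            findings.append(f"link {name} is 802.1Q subinterface {phys}: the path between "
                            "the units must carry that VLAN tag (trunk ports if switched)")
        if "network" in link and link["standby"] not in link["network"]:
            findings.append(f"link {name}: standby {link['standby']} not in {link['network']}")
    nets = [(n, l["network"]) for n, l in cfg["links"].items() if "network" in l]
    for i in range(len(nets)):
        for j in range(i + 1, len(nets)):
            # assumption from the ASA guide: separate links need separate subnets
            if nets[i][1].overlaps(nets[j][1]):
                findings.append(f"links {nets[i][0]} and {nets[j][0]} overlap: {nets[i][1]}")
    return findings


if __name__ == "__main__":
    parsed = parse_failover(SAMPLE_OUTPUT)
    print(f"unit={parsed['unit']} enabled={parsed['enabled']} links={sorted(parsed['links'])}")
    for finding in check_failover(parsed):
        print("FINDING:", finding)
```

For the pasted config the only findings are the two subinterface notes; the timers and subnets pass. Replace SAMPLE_OUTPUT with a real capture to check a pair before deciding how to cable it.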

ksvy_ksvy Wed, 08/27/2008 - 06:04

Left out the setup: active-standby.


Thanks, Kevin
