Direct Crossover or Switchport for ASA5510 Failover

Unanswered Question
Aug 27th, 2008

I'm not having any luck finding specs on Cisco's web site stating why you should use a direct Ethernet crossover cable (connected between two ASA 5510s without a switch) rather than a switch between/uplinking two ASA 5510s.

I see notes that you can use a direct crossover Ethernet cable between two ASA 5510s, but also see notes (Cisco Press "Cisco ASA, PIX, and FWSM Firewall Handbook", second edition) that you should not.

If you are able to find a Cisco URL/white paper stating which type is better, I'll buy you a beer.

Thanks, Kevin

Jon Marshall Wed, 08/27/2008 - 05:23

Kevin

Don't know of a specific white paper/URL so no beer :-( but if you use a crossover cable then the only thing that needs to fail is the active ASA for it to switch to the other ASA.

Using a switch introduces a single point of failure. If you use 2 switches connected via a trunk then you have eliminated the single point of failure.

If the firewalls are close enough I would use a crossover, but you may want your firewalls in different racks in different parts of the data centre, in which case using switches is the way to go. Because of the above I usually use switches.

Jon

ksvy_ksvy Wed, 08/27/2008 - 05:55

HOU140ffipt1-pri# sh run | grep failover
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1

Ok, I should have stated the environment: due to 3 of the 4 Internetwork interfaces being used for other LANs (inside, outside, and DMZ), we configured the 4th interface for both stateful and LAN-based failover. The test 2950 switch was configured for trunking and tested good, but the site where the failover ASA pair is to be set up uses a 4500 series CatOS-coded switch.

Discussion among some of our support is to use a direct crossover.

So, depending on the remote site's support configuring their CatOS switch to support the trunked ports for the two ASA failover interfaces, we're concerned about which of the two options to go with.

failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2

ksvy_ksvy Wed, 08/27/2008 - 05:57

asa# sh run | grep failover
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
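As an added example (not from the thread or from Cisco), the following script parses the "sh run | grep failover" output posted in the two ksvy_ksvy replies above and reports the shared-fate and addressing points the discussion turns on: both failover links are sub-interfaces of one physical port, the active/standby addresses of each link, and the hold times after which a peer or interface is declared failed. The regexes and the finding wording are the script's own assumptions.

```python
import re
import ipaddress

# Constructed sample: the failover lines posted in this thread, prompt line removed.
FAILOVER_CONFIG = """\
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
"""

RE_LINK = re.compile(r"^failover (lan interface|link) (\S+) (\S+)$")
RE_POLL = re.compile(r"^failover polltime (unit|interface) (\d+) holdtime (\d+)$")
RE_IP = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)$")

def parse_failover(text):
    """Extract link names, physical ports, timers and addressing from the output."""
    cfg = {"links": {}, "timers": {}, "nets": {}}
    for line in text.splitlines():
        if m := RE_LINK.match(line.strip()):
            kind = "lan" if m.group(1).startswith("lan") else "state"
            cfg["links"][kind] = {"name": m.group(2), "port": m.group(3)}
        elif m := RE_POLL.match(line.strip()):
            cfg["timers"][m.group(1)] = (int(m.group(2)), int(m.group(3)))
        elif m := RE_IP.match(line.strip()):
            active = ipaddress.IPv4Interface(f"{m.group(2)}/{m.group(3)}")
            cfg["nets"][m.group(1)] = (active.network, ipaddress.IPv4Address(m.group(4)))
    return cfg

def review_failover(cfg):
    """Return findings on shared fate, addressing and detection time of the links."""
    findings = []
    ports = {k: v["port"].split(".")[0] for k, v in cfg["links"].items()}
    if len(ports) == 2 and ports["lan"] == ports["state"]:
        findings.append(f"failover and state links share physical port {ports['lan']}")
    for name, (net, standby) in cfg["nets"].items():
        if standby not in net:
            findings.append(f"{name}: standby {standby} is outside {net}")
    nets = [net for net, _ in cfg["nets"].values()]
    if len(nets) == 2 and nets[0].overlaps(nets[1]):
        findings.append("failover and state links use overlapping subnets")
    for kind, (poll, hold) in cfg["timers"].items():
        findings.append(f"{kind} failure declared after {hold}s (hello every {poll}s)")
    return findings
```

Run against the posted configuration it flags that faillink and statelink both ride on GigabitEthernet0/3, so a crossover cable or a single switch port on that interface is the one link whose loss takes down both failover and state replication.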
