Direct Crossover or Switchport for ASA5510 Failover

ksvy_ksvy
Level 1

I'm not having any luck finding specs on Cisco's web site stating why you should use a direct Ethernet crossover cable (connected between two ASA 5510s without a switch) rather than using a switch between/uplinking two ASA 5510s.

I see notes that you can use a direct crossover Ethernet cable between two ASA 5510s, but also see notes (Cisco Press "Cisco ASA, PIX, and FWSM Firewall Handbook", second edition) that say you should not.

If you are able to find a Cisco URL/white paper stating which type is better, I'll buy you a beer.

Thanks, Kevin

7 Replies

andrew.prince
Level 10

Kevin,

You are referring to LAN-based failover - but that is not the only way:-

In LAN-based failover, the failover interface is recommended to go through a switch; the "state interface" is recommended to be connected via a crossover cable from device to device.

This is true for both active/active & active/standby solutions:-

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

http://www.cisco.com/en/US/customer/products/ps6120/products_configuration_example09186a0080834058.shtml

HTH

Andrew

Apologies, as this is the 2nd time today I have posted an answer just after you.

Not doing it on purpose :-)

Jon

Jon,

Never an issue my friend - he who types fastest eh!! ;o)

Jon Marshall
Hall of Fame

Kevin

Don't know of a specific white paper/URL, so no beer :-( but if you use a crossover cable then the only thing that needs to fail is the active ASA for it to switch to the other ASA.

Using a switch introduces a single point of failure. If you use 2 switches connected via a trunk then you have eliminated the single point of failure.

If the firewalls are close enough I would use a crossover, but you may want your firewalls in different racks in different parts of the data centre, in which case using switches is the way to go. Because of the above I usually use switches.

Jon

Ok, I should have stated the environment: due to 3 of the 4 internetwork interfaces being used for other LANs (inside, outside, and DMZ), we configured the 4th interface for both stateful and LAN-based failover. The test 2950 switch was configured for trunking and tested good, but the site where the failover ASA pair is to be set up uses a 4500 series CatOS-coded switch.

Discussion among some of our support is to use a direct crossover.

So depending on the remote site's support configuring their CatOS switch to support the trunked ports for the two ASA failover interfaces, we're concerned about which of the two options to go with.

HOU140ffipt1-pri# sh run | grep failover
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2


Left out the setup: active/standby.

Thanks, Kevin
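The failover lines Kevin posted carry the whole cabling question: both links are subinterfaces of one physical port, so whatever sits between the two ASAs (switch port or direct cable) has to pass 802.1Q tags, and that one port is shared by the failover and state links. The small checker below is an added example, not part of the thread or of any Cisco tool; it parses `sh run | grep failover` output (the constructed sample is the config from the post), flags subinterface links, shared physical ports and overlapping link subnets, and checks the unit holdtime against the ASA rule that it must be at least three times the polltime.

```python
import ipaddress

# Constructed sample: the failover lines quoted in this thread (both links on subinterfaces of Gi0/3).
SAMPLE = """\
failover
failover lan unit primary
failover lan interface faillink GigabitEthernet0/3.1
failover polltime unit 1 holdtime 3
failover polltime interface 3 holdtime 15
failover replication http
failover link statelink GigabitEthernet0/3.2
failover interface ip faillink 10.10.10.1 255.255.255.0 standby 10.10.10.2
failover interface ip statelink 10.10.11.1 255.255.255.0 standby 10.10.11.2
"""

def parse_failover(text):
    cfg = {"links": {}, "ips": {}, "unit_poll": None}
    for line in text.splitlines():
        p = line.split()
        if len(p) < 3 or p[0] != "failover":
            continue
        if p[1:3] == ["lan", "interface"] or p[1] == "link":
            cfg["links"][p[-2]] = p[-1]                # link name -> interface
        elif p[1:3] == ["interface", "ip"]:
            cfg["ips"][p[3]] = (p[4], p[5], p[7])      # link name -> (ip, mask, standby ip)
        elif p[1:3] == ["polltime", "unit"]:
            cfg["unit_poll"] = (int(p[3]), int(p[5]))  # (polltime, holdtime) in seconds
    return cfg

def audit(text):
    cfg, findings, by_phys, nets = parse_failover(text), [], {}, {}
    for name, iface in cfg["links"].items():
        phys, dot, _ = iface.partition(".")
        by_phys.setdefault(phys, []).append(name)
        if dot:  # a subinterface only works if the far side passes 802.1Q tags
            findings.append(f"{name} on {iface}: needs an 802.1Q trunk (switch port or direct cable)")
    for phys, names in by_phys.items():
        if len(names) > 1:
            findings.append(f"{phys} carries {' and '.join(names)}: one port is a shared point of failure")
    for name, (ip, mask, _) in cfg["ips"].items():
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        for other, onet in nets.items():
            if net.overlaps(onet):
                findings.append(f"{name} {net} overlaps {other} {onet}")
        nets[name] = net
    if cfg["unit_poll"]:
        poll, hold = cfg["unit_poll"]
        if hold < 3 * poll:  # ASA requires the unit holdtime to be at least 3x the polltime
            findings.append(f"unit holdtime {hold} is below 3x polltime {poll}")
    return findings
```

Running `audit(SAMPLE)` on the posted config reports the two trunk requirements and the shared Gi0/3 port, and nothing on the timers or addressing.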
