939 Views, 5 Helpful, 18 Replies

Dual core 4506s with dual ASAs

cowetacoit
Level 1

Does anyone have any recommendations on connecting two layer 3 4506s with two ASAs? We are about to purchase a second 4506 and a second ASA for failover. The 4506s will be in layer 3 running EIGRP with an L3 EtherChannel between them. I'd like to have each 4506 have a connection to an ASA. I'm just trying to grasp how to set this up.

1 Accepted Solution

Accepted Solutions

"So GLBP requires layer 2 link between the two"

99% sure about this - need to do a bit of reading. HSRP definitely does and I can't see why GLBP wouldn't unless you have read differently somewhere.

Nothing wrong with L3 from access-layer as long as you don't need to have a vlan across multiple access-layer switches.

Yes you wouldn't need the direct failover cable between the ASA devices as you would be running it over the L2 link between the 4500 switches.

Jon


18 Replies

Jon Marshall
Hall of Fame

If you want to run failover between the ASA devices and connect one to one of the 4500s and one to the other, then you will need a L2 connection between your 4506 switches. Note that this link can be used just for the vlan shared with the inside interfaces of the ASA devices, so it doesn't even need to be a trunk.

Jon

Thanks for the reply. Just so we are on the same page, I just want each 4506 to have a redundant connection to each ASA. 4 connections total. 2 triangles, with an etherchannel in between the 4506s and the failover connection between the ASAs. Does that make sense, or will it even work?

Ahh, we weren't on the same page :).

I was envisaging 2 4500 switches:

4500_1
4500_2

and 2 ASA devices:

ASA_1
ASA_2

ASA_1 is connected to 4500_1
ASA_2 is connected to 4500_2

If you have dual connections from each ASA how will the addressing work on the ASA interfaces ?

Jon

I guess that is my question. I am looking for recommendations. Is this even a feasible setup? Right now we have a vlan set up on the 4506 just for the connection to the ASA, with a default route pointing towards it.

No, I don't think it is feasible as you would end up with 2 inside interfaces per ASA and they could be addressed from the same subnet on the same ASA.

We just had a thread on this - have a look at scenario failovers to understand what type of redundancy you can have.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc21408

Might also be worth posting into firewalling forum to get input there.

Jon

ok great!

I think a light came on. It would make more sense to have one connection from the 4506 to the ASA. Like your illustration you posted earlier?

Glad to have helped.

Just remember you need a L2 link for that vlan between the 2 4500 switches.

Jon

OK man, I have a question about that now. BTW I did read that link, good info. Similar to what I plan to do but with GLBP. I have several off-site switches that are connected via a layer 3 fiber link (single uplink) running EIGRP. In my data center I will have the 2 4506s with half of the switches connected to one 4506 and the rest to the other 4506 (until I can get dual uplinks). The switches in my building where the data center is have dual layer 3 uplinks. My servers will be teamed to the 4506s, which is mainly where the GLBP will come into play for those vlans. Do you think I still need a layer 2 link between the two 4506s?

I am aiming for a Core/Dist and routed access layer. I'm redesigning a very old network!

Maybe this will help illustrate what I'm trying to accomplish.

Okay, if you run L3 between your 4500 switches you have no L2 path between the 4500 switches, as your access-layer uplinks are L3 as well, so I can't see how GLBP will work for your servers.

As far as I know GLBP requires a L2 path between the 4500 switches just as HSRP would. It doesn't matter if this L2 path is direct between the 4500 switches or via the access-layer switches, but you are using L3 uplinks for the access-layer switches.

So as far as I can see you need a L2 trunk between your 4500 switches if you are going to dual home the servers to these switches.

As for HSRP or GLBP for the ASA devices, it makes no difference because GLBP load-balances based on different source mac-addresses, but the source mac-address will always be the virtual mac-address assigned to the active ASA firewall.

Jon

Ah, ok. So GLBP requires a layer 2 link between the two. Now I'm getting confused. Will this affect my layer 3 switches (L3 links) that I have on my illustration? Half are connected to 1 4506 and the rest to the other. The reason I am thinking of doing this is because they are on dark fiber, spread out around town, and currently I can't dual home them. I figured losing half is better than all during an outage or maintenance.

As for the ASAs, after reading the thread you posted earlier, I don't need the failover connection directly between the two; I am using the L2 link between the 4506s for the ASA failover keepalives?

Thanks for your assistance.

"So GLBP requires layer 2 link between the two"

99% sure about this - need to do a bit of reading. HSRP definitely does and I can't see why GLBP wouldn't unless you have read differently somewhere.

Nothing wrong with L3 from access-layer as long as you don't need to have a vlan across multiple access-layer switches.

Yes you wouldn't need the direct failover cable between the ASA devices as you would be running it over the L2 link between the 4500 switches.

Jon
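
The design Jon describes across his replies (one ASA per 4506, a L2 link between the 4506s carrying only the firewall VLANs, HSRP rather than GLBP on the inside SVI, and the ASA failover pair talking over that same L2 link) sketched as a configuration fragment. This is an added illustration, not configuration from the thread, from the poster's network or from Cisco documentation: the VLAN numbers, IP addresses, interface names and port-channel numbers are assumptions, and the failover key is a placeholder.

```cisco
! ---- 4500_1 (4500_2 mirrors this with its own addresses and a lower HSRP priority) ----
! Hypothetical example config; VLAN numbers, addresses and interface names are assumed.
vlan 100
 name FW-INSIDE
vlan 101
 name ASA-FAILOVER
!
! Second port-channel between the 4506s: a plain L2 trunk pruned to the two firewall
! VLANs only. The existing L3 EtherChannel carrying EIGRP stays as it is.
interface range GigabitEthernet2/1 - 2
 channel-group 2 mode active
interface Port-channel2
 description L2 link to 4500_2 for VLAN 100/101 only
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 100,101
!
! Access ports toward ASA_1 (ASA_2 hangs off 4500_2 the same way).
interface GigabitEthernet1/1
 description ASA_1 inside
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
interface GigabitEthernet1/2
 description ASA_1 failover link
 switchport access vlan 101
 switchport mode access
 spanning-tree portfast
!
! HSRP, not GLBP: the ASA sources everything from one virtual MAC, so GLBP's
! per-host load balancing would still steer all firewall traffic through one forwarder.
interface Vlan100
 ip address 10.0.100.2 255.255.255.0
 standby 100 ip 10.0.100.1
 standby 100 priority 110
 standby 100 preempt
!
! Both 4506s point their default route at the ASA active address, which follows
! the active unit on failover, so neither switch has to change anything.
ip route 0.0.0.0 0.0.0.0 10.0.100.10

! ---- ASA_1 (primary; ASA_2 is the mirror with "failover lan unit secondary") ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.100.10 255.255.255.0 standby 10.0.100.11
!
interface GigabitEthernet0/2
 description LAN-based failover link, rides VLAN 101 across the switch trunk
 no shutdown
!
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/2
failover key REPLACE-WITH-SHARED-SECRET
failover interface ip FOVER 10.0.101.1 255.255.255.252 standby 10.0.101.2
!
! Next hop toward the internal networks is the HSRP virtual address on the 4506s.
route inside 10.0.0.0 255.0.0.0 10.0.100.1 1
```

Two points worth checking in a build like this. First, the L2 adjacency is what makes failover work at all: on a switchover the standby ASA takes over the active unit's inside IP and MAC address, and the 4506 that now has the active unit behind it only learns that through gratuitous ARP on VLAN 100, which is why the VLAN has to span both switches. Second, the failover VLAN carries configuration replication (and connection state if stateful failover is added later), so it should be pruned to exactly the two switch ports and the trunk as above, and a failover key should be set so that the failover messages are not exchanged in cleartext.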

Seems like a while back someone on here suggested I use L3 links, but I see what you mean now.

"Nothing wrong with L3 from access-layer as long as you don't need to have a vlan across multiple access-layer switches. "

-I'm trying to get away from that now. I have converted about half the network switches from layer 2 to 3.

I think I am good to go... I appreciate your input and advice.

L3 links are often suggested as a good way to go if you can isolate vlans to switches. At least you have removed STP from the access to distro layer.

Good luck with your implementation.

Jon
