ASA and switch redundancy question.

Answered Question
Feb 22nd, 2010

Hi All,

I was hoping someone could help me with my questions.

I need to setup some redundancy for a network. I have Firewall and server experience but not so much with switches.


I have:

  • 2 internet links
  • 2 ASA 5510's
  • 2 3750 switches
  • and some dual homed servers.


I plan on setting up the ASAs in an active/passive configuration and using redundant interfaces with tracking so that I can fail over to my backup internet if need be.

What I'm not 100% sure about is how to go about setting up the switches for redundancy.

From my understanding I can stack them and connect one interface from each server to each switch.

However in this scenario how would I go about connecting my FW's up to my switches?

Many thanks in advance.

Cheers.

Correct Answer
Jon Marshall Mon, 02/22/2010 - 15:36

marcosgeorgopoulos wrote:

Hi All,

I was hoping someone could help me with my questions.

I need to setup some redundancy for a network. I have Firewall and server experience but not so much with switches.

What I'm not 100% sure about is how to go about setting up the switches for redundancy.

From my understanding I can stack them and connect one interface from each server to each switch.

However in this scenario how would I go about connecting my FW's up to my switches?

Many thanks in advance.

Cheers.

Marcos

You would just connect both firewalls to the stack. It is recommended to use a dedicated vlan for this, i.e. no other devices in this vlan other than the 3750 switches and the inside firewall interfaces. Then just have a default route on the 3750 pointing to the VIP of the firewalls' inside interfaces.

Edit - I was assuming you had users on the switches that also needed internet access. If you only have servers in one vlan then you could put the ASA inside interfaces in the same vlan as the servers. This would mean you didn't have to turn on ip routing on the 3750s if you didn't want to. But as I say, having a dedicated vlan is recommended.

Jon
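A constructed configuration for the design Jon describes, added here and not taken from the thread: an ASA 5510 active/standby pair whose inside address floats to whichever unit is active, sitting in a dedicated transit vlan on the 3750 stack, with `ip routing` on the stack and its default route pointing at that floating address. Addresses, vlan numbers and port names are assumed; the secondary unit needs only the failover lines (with `failover lan unit secondary`), since it replicates the rest from the active unit.

```cisco
! --- Primary ASA 5510 (ASA 8.x syntax; addresses are constructed) ---
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248 standby 203.0.113.11
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.250.1 255.255.255.248 standby 10.0.250.2
! Ethernet0/2 carries failover hellos and the stateful replication link
interface Ethernet0/2
 no shutdown
failover
failover lan unit primary
failover lan interface FOVER Ethernet0/2
failover link FOVER Ethernet0/2
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Fail over if either data interface loses its link (the "tracking" in the question)
monitor-interface inside
monitor-interface outside
route outside 0.0.0.0 0.0.0.0 203.0.113.9 1
! Server subnets live behind the 3750 SVI, so the ASA needs a route back to them
route inside 10.0.0.0 255.255.0.0 10.0.250.3 1
!
! --- 3750 stack (IOS syntax) ---
ip routing
vlan 250
 name FW-TRANSIT
vlan 10
 name SERVERS
interface Vlan250
 description transit to the ASA pair; no other hosts in this vlan
 ip address 10.0.250.3 255.255.255.248
interface Vlan10
 description server vlan, routed on the stack
 ip address 10.0.10.1 255.255.255.0
! The active unit always owns 10.0.250.1, so this route survives an ASA failover
ip route 0.0.0.0 0.0.0.0 10.0.250.1
! One access port on each stack member, one per ASA inside interface
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 250
 spanning-tree portfast
interface GigabitEthernet2/0/1
 switchport mode access
 switchport access vlan 250
 spanning-tree portfast
```

Because the transit vlan holds only the ASA pair and the stack SVI, every server subnet reaches the firewall through the stack's routing table and the ASA's static `route inside`, which is what a dedicated vlan buys you over mixing the inside interfaces with the servers.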

marcosgeorgopoulos Wed, 03/31/2010 - 21:05

Hi Guys,

The hardware I thought I'd have available has changed slightly.

The two switches I have are now only 2950's which means I cannot stack them.

So now I have

2 internet links

2 ASA 5510's

2 2950 switches

and some dual homed servers.

Would the configuration below work? Can anyone think of a way to improve it, or see any problems?

  • 2 internet links, with each link plugged into one firewall.
  • ASAs (5510s) are active/passive with a stateful link (monitoring the inside and outside interfaces).
  • 2950s are connected via a crossover cable.
  • Each interface is connected to a port on a switch.

See below...

  Link 1                              Link 2
    |                                   |
    |                                   |
   ASA ----- stateful failover ----- ASA
    |                                   |
    |                                   |
  2950 ----------- XOver ----------- 2950
    \                                   /
      \                               /
        \                           /
          \                       /
                   Server

Cheers.

Jon Marshall Thu, 04/01/2010 - 01:07

See below...

  Link 1                              Link 2
    |                                   |
    |                                   |
   ASA ----- stateful failover ----- ASA
    |                                   |
    |                                   |
  2950 ----------- XOver ----------- 2950
    \                                   /
      \                               /
        \                           /
          \                       /
                   Server

Cheers.

Marcos

That will work absolutely fine but be aware that if you have multiple vlans inside you will now need to route them off the ASAs because the 2950s are not L3 capable.

Jon

marcosgeorgopoulos Thu, 04/01/2010 - 04:26

Hi Jon,

Many thanks.

When you say

"if you have multiple vlans inside you will now need to route them off the ASAs"

Are you saying that:

  1. My ASAs will need to know how to route to the internal networks (via the ASAs' inside interfaces)?
  2. I will need to use my ASA to route traffic between different vlans?

cheers.

Jon Marshall Thu, 04/01/2010 - 07:10

marcosgeorgopoulos wrote:

Hi Jon,

Many thanks.

When you say

"if you have multiple vlans inside you will now need to route them off the ASAs"

Are you saying that:

  1. My ASAs will need to know how to route to the internal networks (via the ASAs' inside interfaces)?
  2. I will need to use my ASA to route traffic between different vlans?

cheers.

Marcos

I mean 2), because the 2960 cannot route between vlans, i.e. it is L2 only.

Jon
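A constructed fragment, added here and not from the thread, showing what "route them off the ASAs" looks like in the revised 2950 design: the ASA inside port becomes an 802.1Q trunk with one subinterface per vlan, each 2950's port towards its ASA is a trunk, and vlan-to-vlan traffic now passes through the firewall, so the policy between vlans has to be written explicitly. Vlan numbers, addresses, interface names and the example ACL are assumed.

```cisco
! --- Active ASA (ASA 8.x syntax): the 2950s are L2 only, so the ASA is every vlan's gateway ---
interface Ethernet0/1
 description trunk to 2950; the physical port carries no nameif or IP of its own
 no shutdown
! One subinterface per vlan, each with an active and a standby address
interface Ethernet0/1.10
 vlan 10
 nameif servers
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.2
interface Ethernet0/1.20
 vlan 20
 nameif users
 security-level 50
 ip address 10.0.20.1 255.255.255.0 standby 10.0.20.2
! Inter-vlan traffic now crosses the firewall, so the policy between vlans is explicit:
! users may reach servers on HTTPS only; anything else from users to servers is dropped
access-list USERS_IN extended permit tcp 10.0.20.0 255.255.255.0 10.0.10.0 255.255.255.0 eq 443
access-list USERS_IN extended deny ip any 10.0.10.0 255.255.255.0
access-list USERS_IN extended permit ip any any
access-group USERS_IN in interface users
! Needed only if two subinterfaces share a security level and must still talk to each other
same-security-traffic permit inter-interface
!
! --- Each 2950 (IOS syntax): trunk towards its ASA, access ports for the server NICs ---
vlan 10
 name SERVERS
vlan 20
 name USERS
interface FastEthernet0/1
 description uplink to ASA Ethernet0/1 (802.1Q, DTP disabled)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
interface FastEthernet0/2
 description one NIC of a dual-homed server
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
! The crossover between the 2950s must carry both vlans so that hosts on either
! switch can still reach whichever ASA is active after a failover
interface FastEthernet0/24
 description crossover to the other 2950
 switchport mode trunk
 switchport trunk allowed vlan 10,20
```

The trade-off against the 3750 design is that every vlan-to-vlan packet now consumes ASA throughput, but in return the firewall sees and filters east-west traffic that a routing switch would have forwarded unchecked.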
