ASA and switch redundancy question.

Hi All,

I was hoping someone could help me with my questions.

I need to setup some redundancy for a network. I have Firewall and server experience but not so much with switches.


I have;


2 internet links

2 ASA 5510's

2 3750 switches

and some dual homed servers.


I plan on setting on the ASA's in an active/passive configuration and use redundant interfaces with tracking so that I can fail over to my backup internet if need be.

What I'm not 100% sure about is how to go about setting up the switches for redundancy.

From my understanding I can stack them and connect one interface from each server to each switch.

However in this scenario how would I go about connecting my FW's up to my switches?

Many thanks in advance.

Cheers.



Jon Marshall

marcosgeorgopoulos wrote:

Hi All,

I was hoping someone could help me with my questions.

I need to setup some redundancy for a network. I have Firewall and server experience but not so much with switches.

What I'm not 100% sure about is how to go about setting up the switches for redundancy.

From my understanding I can stack them and connect one interface from each server to each switch.

However in this scenario how would I go about connecting my FW's up to my switches?

Many thanks in advance.

Cheers.

Marcos

You would just connect both firewalls to the stack. It is recommended to use a dedicated vlan for this, i.e. no other devices in this vlan other than the 3750 switches and the inside firewall interfaces. Then just have a default route on the 3750 pointing to the VIP of the firewalls' inside interfaces.

Edit - I was assuming you had users on the switches that also needed internet access. If you only have servers in one vlan then you could put the ASA inside interfaces in the same vlan as the servers. This would mean you didn't have to turn on ip routing on the 3750s if you didn't want to. But as I say, having a dedicated vlan is recommended.

Jon
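An added configuration example of the dedicated transit-VLAN design Jon describes (this is not from his post or from Cisco documentation): the 3750 stack routes for the server VLAN and carries a single default route to the ASA pair's inside address, and the ASA pair holds an active/standby address on that transit VLAN. All VLAN numbers, port names and IP addresses are assumptions chosen for illustration.

```cisco
! ---- 3750 stack (assumed VLANs, ports and addresses) ----
ip routing
!
vlan 10
 name FW-TRANSIT
! VLAN 10 carries nothing but the stack SVI and the two ASA inside interfaces
vlan 20
 name SERVERS
!
interface Vlan10
 description Transit to ASA pair
 ip address 10.0.10.2 255.255.255.0
!
interface Vlan20
 description Server VLAN gateway
 ip address 10.0.20.1 255.255.255.0
!
! One access port per ASA inside interface, one on each stack member
interface FastEthernet1/0/1
 description ASA-1 inside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface FastEthernet2/0/1
 description ASA-2 inside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
! Default route toward the inside address that the active ASA always owns
ip route 0.0.0.0 0.0.0.0 10.0.10.1

! ---- ASA pair: inside interface on the transit VLAN ----
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.3
!
! The ASAs must know the server VLAN sits behind the 3750 SVI, otherwise
! return traffic for 10.0.20.0/24 would be sent out the default route
route inside 10.0.20.0 255.255.255.0 10.0.10.2 1
```

With this layout the only hosts that can talk to the firewall's inside interface directly are the switch SVIs, and every server subnet reaches the ASA through a route the stack controls, which is what makes the dedicated VLAN preferable to putting the ASAs in the server VLAN.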

Thanks Jon.

That makes sense.

Many thanks.

Hi Guys,

The hardware I thought I'd have available has changed slightly.

The two switches I have are now only 2950's which means I cannot stack them.

So now I have

2 internet links

2 ASA 5510's

2 2950 switches

and some dual homed servers.

Would the configuration below work? Can anyone think of a way to improve it, or any problems with it?

  • 2 internet links, with each link plugged into one firewall.
  • ASAs (5510s) are Active/Passive with a stateful link (monitoring the inside and outside interfaces).
  • 2950s are connected via a crossover cable.
  • Each interface is connected to a port on a switch.

See below...

  Link 1                          Link 2
    |                               |
    |                               |
   ASA ---- stateful failover ---- ASA
    |                               |
    |                               |
  2950 ---------- XOver ---------- 2950
     \                             /
       \                         /
         \                     /
               Server

Cheers.
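An added configuration example for the second bullet above, the active/passive ASA 5510 pair with a stateful link and monitoring of the inside and outside interfaces (this is not from the thread; interface names, addresses and the shared key are assumptions). Two points a practitioner would check before wiring it as drawn: active/standby failover requires each named interface on both units to sit on the same subnet and L2 segment, because the standby unit takes over the active unit's addresses, and failover on the 5510 requires the Security Plus license.

```cisco
! ---- Primary ASA 5510 ----
! The secondary unit uses "failover lan unit secondary"; everything else is
! replicated from the primary once failover is enabled.
! Assumed: Ethernet0/3 is a dedicated back-to-back link used for both the
! failover control link and stateful connection replication.
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 172.16.255.1 255.255.255.252 standby 172.16.255.2
! Authenticates and encrypts failover messages; placeholder value, set your own
failover key ASSUMED-SHARED-KEY
!
interface Ethernet0/3
 description Failover and state link
 no shutdown
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.3
!
! Only monitored interfaces can trigger a failover; the standby unit is
! probed through its standby address on each of them
monitor-interface outside
monitor-interface inside
! Poll each monitored interface every 5 s; declare it failed after 25 s
failover polltime interface 5 holdtime 25
!
failover
```

Once both units are up, `show failover` reports the role of each unit and the state of every monitored interface, which is the first thing to verify after pulling a cable to test the design.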


See below...

  Link 1                          Link 2
    |                               |
    |                               |
   ASA ---- stateful failover ---- ASA
    |                               |
    |                               |
  2950 ---------- XOver ---------- 2950
     \                             /
       \                         /
         \                     /
               Server

Cheers.

Marcos

That will work absolutely fine but be aware that if you have multiple vlans inside you will now need to route them off the ASAs because the 2950s are not L3 capable.

Jon

Hi Jon,

Many thanks.

When you say

"if you have multiple vlans inside you will now need to route them off the ASAs"

Are you saying that:

  1. My ASAs will need to know how to route to the internal networks (via the ASAs' inside interfaces)
  2. I will need to use my ASA to route traffic between different vlans?

cheers.

marcosgeorgopoulos wrote:

Hi Jon,

Many thanks.

When you say

"if you have multiple vlans inside you will now need to route them off the ASAs"

Are you saying that:

  1. My ASAs will need to know how to route to the internal networks (via the ASAs' inside interfaces)
  2. I will need to use my ASA to route traffic between different vlans?

cheers.

Marcos

I mean 2) because the 2960 cannot route between vlans, i.e. it is L2 only.

Jon

If you can, create an etherchannel between the switches. If you don't do that and the connection between the switches fails, your redundant solution won't be so redundant...
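An added configuration example covering both of the last two replies, the inter-VLAN routing that has to move onto the ASAs when the switches are L2 only, and the EtherChannel between the two switches (this is not from the thread; VLAN numbers, port names and addresses are assumptions). The 2950 side trunks the server VLANs to the ASA inside port and bundles two inter-switch links; the ASA side uses one subinterface per VLAN, so traffic between the VLANs now passes through firewall policy instead of being switched.

```cisco
! ---- Both 2950s (assumed ports and VLANs; configure both ends identically) ----
vlan 10
 name SERVERS-A
vlan 20
 name SERVERS-B
!
! Two-port EtherChannel between the switches, so a single failed cable
! does not split the L2 domain. Mode "on" uses no negotiation protocol.
interface range FastEthernet0/23 - 24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode on
!
interface Port-channel1
 description Inter-switch link
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Port facing this switch's ASA inside interface: an 802.1Q trunk
interface FastEthernet0/1
 description ASA inside (trunk)
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! Server ports stay plain access ports
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast

! ---- ASA pair: inside trunk with one subinterface per VLAN ----
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif servers-a
 security-level 100
 ip address 10.0.10.1 255.255.255.0 standby 10.0.10.3
!
interface Ethernet0/1.20
 vlan 20
 nameif servers-b
 security-level 100
 ip address 10.0.20.1 255.255.255.0 standby 10.0.20.3
!
! Interfaces at the same security level do not exchange traffic by default;
! enabling this lets the ACL below decide what crosses between the VLANs
same-security-traffic permit inter-interface
!
! Assumed policy: VLAN 10 may reach VLAN 20 only on TCP 1433, everything
! else between the two VLANs is dropped, and VLAN 10 may reach anywhere else
access-list SERVERS-A-IN extended permit tcp 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0 eq 1433
access-list SERVERS-A-IN extended deny ip 10.0.10.0 255.255.255.0 10.0.20.0 255.255.255.0
access-list SERVERS-A-IN extended permit ip 10.0.10.0 255.255.255.0 any
access-group SERVERS-A-IN in interface servers-a
```

Because the ASA is now the only router between the VLANs, every inter-VLAN flow is logged and filtered by it, which is the one advantage of the L2-only switch design; the cost is that all that traffic crosses a single 5510 inside link, so size the trunk and the ASA throughput accordingly.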
