Solved: ASA 5540 Failover and 4500 HSRP

Muhammad Zeeshan Sanaullah · ‎03-20-2010

Hi all,

I have attached the diagram of the network. It is the Server Farm Portion. I have couple of design questions.

There are 3 categories of Servers

1 - Application Servers : Vlan 18 , APP_DMZ on ASA (Gi0/1.18) , Security Level is 70 , Def Gw = ASA

2 - Database Servers : Vlan 17 , DB_DMZ on ASA (Gi0/1.17) , Security Level is 90 , Def Gw = ASA

3 - Infrastructure Servesr : Vlan 10 , INF_DMZ on ASA (Gi0/2) , Security Level is 50 , Def Gw = ASA

The ASAs will be configured for Active/Standby Failover and will be the Default GW for all Servers.

For the Outside Zone , I want the Distribution/Aggregation Switches which are 4507R to act as Gateway for ASA Outside. I mean the security appliance will send all traffic moving outside to the 4507Rs which will then route to the core. The links between the core and distribution are all L3 Routed Etherchannels.

Thus logically the the 4507Rs and the Access Switches will be in L2 mode for traffic from servers to the outside. But the 4507Rs will in L3 mode for ASA Outside.

For this i think i will need to run HSRP for the Outside VLAN and point a default route in the ASA towards the Virtual IP. This will effectively enable both ASA and 4507R failover. On the 4507R I will confgure a Route for the Server Farm and point to the Active ASA Outside IP address.

I do not have access to physical equipment for a couple of days to test this design so if anybody can point out any issues with this plz let me know as I am making some low level designs

Thanks

Zeeshan Sanaullah

Jon Marshall · ‎03-20-2010

Zeeshan

Thus logically the the 4507Rs and the Access Switches will be in L2 mode for traffic from servers to the outside. But the 4507Rs will in L3 mode for ASA Outside.

Not sure what you mean here. If you mean the 4507Rs are not routing for the server vlans then yes i agree. The ASA will be responsible for routing the server vlans.

Thus logically the the 4507Rs and the Access Switches will be in L2 mode for traffic from servers to the outside. But the 4507Rs will in L3 mode for ASA Outside.

So the default-gateway for the servers is the ASA but the default-gateway for the ASA on it's outside interface(s) will be a L3 HSRP VIP on the 4500s - is that correct ?

If so then yes you would add a default-route on the ASA pointing to the L3 HSRP VIP for the outside vlan on the 4500 switches. And yes you would then need to add route(s) for the server vlans to the 4507s so they know how to route back to the server vlans. Alternatively you could run a routing protocol between the ASA and the 4500s rather than use static routes but if there are only a few server vlans static routes will work fine.

Jon

View solution in original post

Jon Marshall · ‎03-20-2010

Zeeshan

Thus logically the the 4507Rs and the Access Switches will be in L2 mode for traffic from servers to the outside. But the 4507Rs will in L3 mode for ASA Outside.

Not sure what you mean here. If you mean the 4507Rs are not routing for the server vlans then yes i agree. The ASA will be responsible for routing the server vlans.

Thus logically the the 4507Rs and the Access Switches will be in L2 mode for traffic from servers to the outside. But the 4507Rs will in L3 mode for ASA Outside.

So the default-gateway for the servers is the ASA but the default-gateway for the ASA on it's outside interface(s) will be a L3 HSRP VIP on the 4500s - is that correct ?

If so then yes you would add a default-route on the ASA pointing to the L3 HSRP VIP for the outside vlan on the 4500 switches. And yes you would then need to add route(s) for the server vlans to the 4507s so they know how to route back to the server vlans. Alternatively you could run a routing protocol between the ASA and the 4500s rather than use static routes but if there are only a few server vlans static routes will work fine.

Jon