Standalone Cisco ASA5585 Gateway Resiliency

Unanswered Question
Jan 13th, 2012

Hi


I have a 4900M pair of switches at my collapsed access/core network with only a single ASA5585 chassis firewall as the [layer 3] gateway.


The ASA chassis has a firewall SSP and an IPS SSP and [x16 Gb] interfaces across the firewall and IPS SSP modules.


The 4900 will be configured in layer 2 mode with no inter-VLAN routing.


My first thoughts are that the setup would probably have to look something like this:



  ASA
    |
    |
--4900a----4900b--
    |            |
    |            |


[where 4900a connects to the firewall SSP on the ASA]


If 4900a fails, all hosts connected to 4900b lose connectivity; likewise, if the Gb interface or firewall SSP on the ASA fails, the whole network is lost.



What I would like is this:


    __ASA__
    |            |
    |            |
--4900----4900--
    |            |
    |            |


...where connections from each 4900 terminate at NICs on each SSP at the single ASA5585.


Clearly the ASA is in itself a single point of failure, however...


Without using intelligent Layer 3, what would be the most straightforward way to provide extra robustness in this setup? [before then considering the impact on the firewall rulebase and functionality]


Is there a layer 2 solution, with a single gateway IP [at my single gateway firewall]?


I can see a potential dot1q solution where the two physical links up to the firewall are each dot1q, and I could perhaps create an additional VLAN that layer-3 terminates at the firewall with an IP address on a FastEthernet dot1q trunk.


However, I believe this will require a unique IP address on each VLAN that maps to the firewall layer 3?


Also, the latest version of ASA firmware now supports port channelling; I will research if this is a possibility as well. Not sure if you can multi-chassis port channel across the x2 4900 devices [very unlikely].


Can somebody validate/confirm if there is a straightforward solution to this?


Thanks
