I have a 4900M pair of switches at my collapsed access/core network with only a single ASA5585 chassis firewall as the [layer 3] gateway.
The ASA chassis has a firewall SSP and an IPS SSP and [x16 Gb] interfaces across the firewall and IPS SSP modules.
The 4900 will be configured in layer 2 mode with no inter-VLAN routing.
My first thoughts are that the setup would probably have to look something like this:
[where 4900a connects to the firewall SSP on the ASA]
If 4900a fails, all hosts connected to 4900b lose connectivity; likewise, if the Gb interface or firewall SSP on the ASA fails, the whole network is lost.
What I would like is this:
..where connections from each 4900 terminate at NICs on each SSP at the single ASA5585.
Clearly the ASA is in itself a single point of failure, however...
Without using intelligent layer 3, what would be the most straightforward way to provide extra robustness in this setup? [before then considering the impact on the firewall rulebase and functionality]
Is there a layer 2 solution, with a single gateway IP [at my single gateway firewall]?
I can see a potential dot1q solution where the two physical links up to the firewall are each dot1q trunks, and I could perhaps create an additional VLAN that layer-3 terminates at the firewall with an IP address on a FastEthernet dot1q trunk.
However, I believe this will require a unique IP address on each VLAN that maps to the firewall layer 3?
Also, the latest version of ASA firmware now supports port channelling; I will research if this is a possibility as well; not sure if you can multi-chassis port channel across the x2 4900 devices [very unlikely].
Can somebody validate/confirm if there is a straightforward solution to this?