Single ASA, 2 Inside Core Switches (HSRP) Best Practice Design

Answered Question
Jul 26th, 2012

Hi,

I am designing a network with the following equipment.

1: 2 * Cores (4503)

2: Single Firewall ASA-5520

I have the following design options:

DESIGN 1:

  1. Core Switches are using HSRP
  2. Vlans are active on one switch (primary) at a time
  3. CONNECT BOTH CORES WITH ASA
  • ASA E0------------------------------------------------outside switch (routers)
  • ASA R1(redundant interface=E1+E3)-------------------both Cores (HSRP)
  • ASA E1---------------Core 1 (F3/48) + ASA E3---------------Core 2 (F3/48)
  • ASA E2---------------DMZ switch


DESIGN 2:

  1. Core Switches are using HSRP
  2. Vlans are active on one switch (primary) at a time
  3. CONNECT BOTH CORES TO LAYER 2 SWITCH (INSIDE ZONE)
  4. CONNECT LAYER 2 SWITCH TO ASA E1

The first option looks better to me to avoid a single point of failure (inside layer 2 switch).

Unfortunately I am short of time and don't have access to the LAB currently.

Please

  1. Share your experience and suggest which option is better
  2. Pros and cons during HSRP failover, other features, etc.
  3. Suggest if there is any alternate option
  4. Any precautions


BR,

ABDUL MAJID KHAN

Correct Answer
Marvin Rhoads Sat, 08/11/2012 - 11:08

Your "ASA redundant interface" isn't really. A single ASA has no true redundancy. I suppose you could make an "Inside 1" and "Inside 2" but they would have separate IP addresses and inside hosts would not switch automatically from one to the other. I would say the complexity that introduces would more than offset the second idea of having a small L2 switch VLAN between your single ASA inside interface and your core L3 switches.


For that reason I would prefer the second option. A reputable L2 switch without any configuration changes being made is quite reliable - I regularly come across them with years of uptime. You could possibly add some quasi-redundancy in option 2 by binding together your ASA E1 and E3 interfaces into an EtherChannel (requires ASA software 8.4 or later). That option is not possible with option 1 (at least not into both core switches) as an EtherChannel cannot span two IOS switches at one end.
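The following configuration sketch illustrates the EtherChannel that the answer proposes for option 2 (ASA E1 and E3 bundled into one inside link, terminating on the single inside L2 switch rather than on both cores as in option 1). It is added here as an example and is not taken from the thread or from Cisco documentation. The ASA port names (GigabitEthernet0/1 and 0/3 standing in for the post's "E1" and "E3"), the switch ports (FastEthernet0/1-2), VLAN 10 and the 10.10.10.0/24 addressing are all assumed placeholders.

```text
! --- ASA 5520, software 8.4 or later (interface names are assumed) ---
! Member ports carry no Layer 3 settings of their own; LACP "active" on
! both ends lets the bundle form only when the peer is a single switch.
interface GigabitEthernet0/1
 description Inside uplink A to L2 switch (assumed: "E1" in the thread)
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/3
 description Inside uplink B to L2 switch (assumed: "E3" in the thread)
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
 no shutdown
!
! The logical inside interface lives on the port-channel.
! Address and VLAN below are constructed example values.
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
! --- Inside L2 switch (Catalyst, IOS): both ASA uplinks land on this ---
! --- one switch, which is the constraint the answer raises for option 1 ---
interface range FastEthernet0/1 - 2
 description Uplinks to ASA inside (assumed ports)
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode access
 switchport access vlan 10
!
! Verification after the bundle comes up:
!   ASA:    show port-channel summary
!   Switch: show etherchannel summary
```

The bundle protects against a single cable or port failure between the ASA and the inside switch; as the answer notes, the inside L2 switch itself and the single ASA remain single points of failure in this design.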
