Solved: Re: active / standby config

Network Pro · ‎04-16-2012

Hi,

implementing active / standby configuration. i have two asa 5520 firewall.

gi0/0 - inside active 10.10.10.1 standby 10.10.10.254

gi0/1- outside active 172.22.1.1 standby 172.22.1.254

gi0/2 - lan failover active 192.168.100.1 standby 192.168.100.254

gi0/3 - state full failover active 192.168.101.1 standby 192.168.101.254

I am doing this on a test environment

a silly question: 1 port (inside interface) of the active asa will be connecting back to the switch, does the port on the 2nd asa need connecting on the same switch as well ? (if i do this wont this be a single point of failure? )

and if i use the switch what will be its default gateway for hte inside network (10.10.10.1 or 10.10.10.254 ?)

Thanks

Dan-Ciprian Cicioiu · ‎04-16-2012

If you will use the switch as a default gateway for the users/servers connected, yes you will need an Vlan interface on the second switch also , and use HSRP in order to offer more redundance - the case in which the first switch fails.

Also another option is to use the firewall as the 'gateway' for the hosts. This depends on your setup.

Yes you can use only one port on the ASA pairs to do failover and statefull.

No you can use a direct cable between the pairs in order to have statefull/failover.

Regards

Dan

View solution in original post

Dan-Ciprian Cicioiu · ‎04-16-2012

Hi,

No, you do not need the inside port of the standby firewall to be on the same switch , but you will need it on the same VLAN.

If you will have both inside ports connected on the same switch , yes it will be single point of failure.

Regards

Dan

Network Pro · ‎04-16-2012

if i have it terminated on the same switch, will there be any case of spanning tree ?

if i have it on the same switch then yes it should be on same vlan but can i terminate this on a another switch? if this is the case then do i need an ip address for the second switch ?

also is a statefull failure port definitely needed ? cant i use the failover port do the job of statefull failure also ? but if i do need another port for failover and statefull failover do i need to use a switch in between for lan failover ? - its just that too many switches

Thanks

Dan-Ciprian Cicioiu · ‎04-16-2012

If you will use the switch as a default gateway for the users/servers connected, yes you will need an Vlan interface on the second switch also , and use HSRP in order to offer more redundance - the case in which the first switch fails.

Also another option is to use the firewall as the 'gateway' for the hosts. This depends on your setup.

Yes you can use only one port on the ASA pairs to do failover and statefull.

No you can use a direct cable between the pairs in order to have statefull/failover.

Regards

Dan

Network Pro · ‎04-16-2012

i am just doing this on a test environment - so i can use a single switch for the inside vlan and outside vlan just for testing purpose

Thanks

Dan-Ciprian Cicioiu · ‎04-16-2012

Ok then.

You can use as the failover/statefull interface just one interface per ASA, and you can connected them directly.

Regards

Dan

Network Pro · ‎04-17-2012

thanks used the same switch for inside and outside (just vlan off - vlan 1 for inside and vlan 10 for outside)