10-16-2007 11:20 PM - edited 03-11-2019 04:26 AM
Hi,
I have a question regarding ASA failover pair connections. The inside and outside interfaces (no DMZ) need to be connected via an L2 switch, and via a LAN-based cable. My question: is it possible to use the same switch for connecting the ASA interfaces? Please look at the attached file. The inside interfaces of both ASAs are connected to ports in the same VLANs, an additional port (trunk) is connected to a Cisco 6500 and OSPF is configured. Also, the same is with the outside interfaces of both ASAs.
10-16-2007 11:35 PM
Hi
Yes, you can do this if you want to, although I would question why you want to do this. The problem is you have redundant firewalls but only connecting to one switch, so your Catalyst 2960/3560 is now a single point of failure.
Seems wrong to have redundant firewalls hanging off one switch.
HTH
Jon
10-17-2007 12:05 AM
OK, you are right, but what if we do that with two separate devices... for example, the inside interfaces are connected to one switch, and the outside to another... if something goes wrong with the inside switch, nothing will work, it is still a single point of failure... same with the outside switch...
10-17-2007 03:45 AM
Hi
Yes, you are right, it is still a single point of failure. The idea would be to have one inside interface to one switch and the other inside interface to another switch, and the same for the outside.
You could, if you wanted, use the same physical switches, and so you need 2 switches, each with 2 VLANs, although quite often designs use separate switches for the outside interfaces.
It all depends on the level of redundancy you need.
Jon
10-17-2007 04:07 AM
Yes, level of redundancy and the amount of money that the customer wants to give. :) At this moment, they have only one switch, so it was important for me to know if it is possible to implement that with only one switch. Thanks for the answers.
10-19-2007 11:16 PM
Jon, is it possible to assign the same subnet address to two inside interfaces on an ASA 5520, software v7.2.2?
In order to use two ASAs in redundancy mode connected to two different L2 switches, this would be required so I was wondering if it's doable?