I'm making a design which has two ASA 5525-X in a cluster connected to a stack of 3750-X by a port-channel. The topology is attached.
I found in the documentation the following statement:
"The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up."
However, it's not clear to me if my design will work, as each ASA will connect to only one switch. So is the design correct?
From my point of view it doesn't work (I mean clustering with 3750-X switches) in the way I would expect.
I have made tests with 3850 and there are a few problems (cluster with cross-switch EtherChannel):
- With a persistent MAC address of the stack, when the master is only rebooted (can happen), then (after the ex-master boots) all traffic stops (you have 2 devices with the same MAC address). Then you have to reboot the whole stack (or just the slave).
- If you allow convergence of the network (non-persistent MAC address of the stack), then you have an outage which the ASA cluster will not survive, and you have to manually recover the cluster.
One way or another, there will be an outage.
And what bothers me most is, you have to do something to have a 100% working solution (as before the outage).
I am going to continue with the Active/Standby scenario (even with half of the power useless). But it will be the most bullet-proof solution I can get (with this hardware).