Regarding configuring a redundant interface, correct me if I'm wrong: from what I understand, if I bond two interfaces (e.g. e0/0+e0/1) this will create one logical interface. Regarding the physical interfaces, does this mean that one of them is active and the other one is standby? If I have two core switches, and CSW1 is connected to e0/0 of the firewall and CSW2 is connected to e0/1, will the traffic coming from core switch 2 towards the firewall be dropped because interface e0/1 is on standby?
The reason I'm asking is that we have an existing design and we would like to put a FW in it.
Servers residing in a DMZ are connected to CSW1 and CSW2 (no DMZ switch), the LAN subnet is also on CSW1, and there is one CE router from the WAN (outside). We're planning to put an ASA between the core switches and the CE router, so on the ASA we configure a redundant interface towards core switches 1 and 2, which is e0/0+e0/1. Then we configure subinterfaces on the redundant port and VLANs to separate the zones.
I have a simple physical diagram below for better understanding.
I would just like you guys to comment on it and say if there is another design approach. We only have one firewall, and I'm also not sure how efficient configuring a redundant interface on the ASA is. Please advise.
Are your core switches in a stack or VSS? If they are independent of each other then you won't be able to create an Etherchannel between the ASA and your core. However, if the core is stacked or has VSS, then you can. At that point both of the links will be in the Etherchannel and forwarding traffic. Let us know what your core switches are and we can help further.
As far as I know the redundant interface feature only uses one interface at any one time. But it would allow you to connect the ASA to both switches for redundancy. You only get the throughput of one interface but that may be enough, i.e. is it for the internet, for example?
As Collin says if your switches aren't VSS or stacked then you cannot use etherchannel to connect to the ASA.
If you tried to use two inside interfaces and connect one to each switch then you could get asymmetric routing through the ASA. I have never tried using multiple inside interfaces so maybe Collin has a better idea.
The other alternative is to simply connect the ASA to one of the switches with etherchannel. You get the throughput and you get redundancy of the links, although not if the switch you are connecting to fails, but then you only have one firewall anyway. It's not ideal but if you need the throughput it might be the best option.
If you did that you would have to make sure the interconnect between your internal switches had enough bandwidth though as there would be a lot of traffic going across the interconnect.
Correct, redundant interfaces are active/passive. An Etherchannel will utilize both interfaces. To me, that seems to make better use of resources. However, since you have two separate core switches, you'll have to use redundant interfaces or, as Jon mentioned, plug two interfaces into one switch and lose chassis redundancy.
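Added example, not part of the original thread: a sketch of the ASA side of the design discussed above, with e0/0 and e0/1 as members of one redundant interface and VLAN subinterfaces for the zones. The VLAN IDs, zone names, security levels and addresses are constructed assumptions, not values from the posters' network.

```cisco
! Constructed example: VLAN IDs, names, security levels and addresses are assumptions.
! Member ports carry no name, security level or address of their own.
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
! The first member added (Ethernet0/0, towards CSW1) becomes the active one.
! Ethernet0/1 (towards CSW2) stays standby and passes no traffic until
! the active link goes down.
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
! One subinterface per zone, each tagged with its own VLAN.
interface Redundant1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Redundant1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
!
! To see which member is currently active:
!   show interface redundant 1 detail
```

Both core switch ports facing the ASA need to be trunks carrying the same VLANs, and the link between CSW1 and CSW2 must carry them as well, because hosts on CSW2 reach the firewall through CSW1 while e0/0 is the active member.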