Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
367
Views
0
Helpful
2
Replies

L3 routing on ASA5520 - how to provide failover to L3 lan switches

tsrader
Level 1
Level 1

‎02-27-2008 03:23 PM - edited ‎03-11-2019 05:09 AM

Have dual identical 5520s to provide active/failover for lab environment. To secure environment behind firewalls, I've read that I will need to do L3 routing on ASA and remove L3 vlan routing from dual redundant C6509s.

If i'm doing failover / redundancy between the C6509s (L3 for entire network), how will failover work on ASAs once one L3 lan switch goes down?

Does someone have a sample config which could be used as reference?

TIA

Labels:
0 Helpful
2 Replies 2

Harald-Norvik
Level 1
Level 1

‎02-27-2008 07:02 PM

This is mainly a routing issue.

Failover on the ASAs is handled by the standby unit takes over the IP and MAC address of the active unit, so from you core 6509s you would use one IP gateway address - the ASAs IP.

To have failover toward the LAN side, you will have to use features like VRRP or HSRP on your 6509. It looks like you have dual 6509s, so I would connect the primary ASA to 6509A and the secondary ASA to 6509B. Same VLAN and of course same IP subnet.

The ASAs are sending hello packets between the two inside interfaces to verify of the other link is operational (maybe your link between the 6509s failed or of some other reason the interface is still up).

Fairly simple, and I always recommend using a /29 subnet between the core router and the ASA (not a /30) - even if the client don't have a failover config. This way you can easily add features like ASA failover and dual cores at a later time - without changing the subnet.

Harald

0 Helpful

purohit_810
Level 5
Level 5

‎02-27-2008 08:48 PM

Hi,

Connect two crossover cables between firewall. one you will use for LAN failover a, other one you will use for Stateful table.

Interface {type}

nameif failover

interface {type}

nameif state

failover

failover lan unit secondary

failover lan interface failover Ethernet3

failover interface ip failover 10.0.0.1 255.255.255.0 standby 10.0.0.2

Thanks,

Dharmesh

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card