redundant uplink: connect it directly to active/standby ASA ports?
I have a physical cabling question, not sure whether to put it under security or under switching...
In our co-location we have a redundant internet uplink from the ISP. At the moment those uplinks are connected to our switch stack and one port is in the alternate/blocked state (via STP). We will install two ASA 5515-X in active/standby failover mode in a couple of weeks.
Is it a good idea to connect the internet uplink cables physically to the two ASAs? That would save some switchports and eliminate the possibility of accidentally configuring a switchport into the outside VLAN. (One context of the ASAs works as a transparent FW.) In my opinion, if one uplink switch goes down, the ASA would fail over within seconds, so it should give the same redundancy as we have with STP.
Or does it make more sense to keep it like it is right now: both uplinks directly connected to different switches of our stack, and the ASAs' outside interfaces also connected to two switches?
Personally I always try to go via switches. It gives you additional redundancy and more flexibility in setting up your HA scheme.
Yes, if you don't have dedicated outside switches you could possibly configure an inside host port in the outside VLAN. Good change control and configuration management minimize the chance of that. Even if you do it, it shouldn't work, as there should not be the expected L3 gateway or DHCP server on that outside VLAN.
Ideally, the ASAs each have an outside and an outside2 interface. An IP SLA operation tracks the reachability of the upstream ISP gateway IP address (or a further-upstream, well-known Internet-based resource), and in the event that it becomes unreachable it changes the default route via a track option in the routing command.
Of course that's in addition to the ASA-ASA failover interface monitoring which is one of the several ongoing checks to establish and verify the health of the standby ASA.