New Member

Dual core 4506s with dual ASAs

Does anyone have any recommendations on connecting two layer 3 4506s with two ASAs? We are about to purchase a second 4506 and a second ASA for failover. 4506s will be in layer 3 running EIGRP with l3 etherchannel between them. I'd like to have each 4506 have a connection to an ASA. I'm just trying to grasp how to set this up.

18 REPLIES
Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

If you want to run failover between the ASA devices and connect one to one of the 4500s and one to the other, then you will need a L2 connection between your 4506 switches. Note that this link can be used just for the vlan shared with the inside interfaces of the ASA devices, so it doesn't even need to be a trunk.

Jon

New Member

Re: Dual core 4506s with dual ASAs

Thanks for the reply. Just so we are on the same page, I just want each 4506 to have a redundant connection to each ASA. 4 connections total. 2 triangles, with an etherchannel in between the 4506s and the failover connection between the ASAs. Does that make sense, or will it even work?

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

Ahh, we weren't on the same page :).

I was envisaging 2 4500 switches

4500_1

4500_2

and 2 ASA devices

ASA_1

ASA_2

ASA_1 is connected to 4500_1

ASA_2 is connected to 4500_2

If you have dual connections from each ASA, how will the addressing work on the ASA interfaces?

Jon

New Member

Re: Dual core 4506s with dual ASAs

I guess that is my question. I am looking for recommendations. Is this even a feasible setup? Right now we have a vlan set up on the 4506 just for the connection to the ASA, with a default route pointing towards it.

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

No, I don't think it is feasible as you would end up with 2 inside interfaces per ASA and they could be addressed from the same subnet on the same ASA.

We just had a thread on this - have a look at scenario failovers to understand what type of redundancy you can have.

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Network%20Infrastructure&topic=LAN%2C%20Switching%20and%20Routing&topicID=.ee71a04&fromOutline=&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.2cc21408

Might also be worth posting into firewalling forum to get input there.

Jon

New Member

Re: Dual core 4506s with dual ASAs

OK, great!

I think a light came on. It would make more sense to have one connection from the 4506 to the ASA. Like your illustration you posted earlier?

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

Glad to have helped.

Just remember you need a L2 link for that vlan between the 2 4500 switches.

Jon

New Member

Re: Dual core 4506s with dual ASAs

OK man, I have a question about that now. BTW I did read that link, good info. Similar to what I plan to do but with GLBP. I have several off-site switches that are connected via layer 3 fiber link (single uplink) running EIGRP. In my data center I will have the 2 4506s with half of the switches connected to one 4506 and the rest to the other 4506 (until I can get dual uplinks). The switches in my building where the data center is have dual layer 3 uplinks. My servers will be teamed to the 4506s, which is mainly where the GLBP will come into play for those vlans. Do you think I still need a layer 2 link between the two 4506s?

I am aiming for a Core/Dist and routed access layer. I'm redesigning a very old network!

New Member

Re: Dual core 4506s with dual ASAs

Maybe this will help illustrate what I'm trying to accomplish.

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

Okay, if you run L3 between your 4500 switches you have no L2 path between the 4500 switches, as your access-layer uplinks are L3 as well, so I can't see how GLBP will work for your servers.

As far as I know GLBP requires a L2 path between the 4500 switches just as HSRP would. It doesn't matter if this L2 path is direct between the 4500 switches or via the access-layer switches, but you are using L3 uplinks for the access-layer switches.

So as far as I can see you need a L2 trunk between your 4500 switches if you are going to dual home the servers to these switches.

As for HSRP or GLBP for the ASA devices, it makes no difference, because GLBP load-balances based on different source mac-addresses but the source mac-address will always be the virtual mac-address assigned to the active ASA firewall.

Jon

New Member

Re: Dual core 4506s with dual ASAs

Ah, ok. So GLBP requires layer 2 link between the two. Now I'm getting confused. Will this affect my layer 3 switches (L3 links) that I have on my illustration? Half are connected to one 4506 and the rest to the other. The reason I am thinking of doing this is because they are on dark fiber, spread out around town, and currently I can't dual home them. I figured losing half is better than all during an outage or maintenance.

As for the ASAs, after reading the thread you posted earlier, I don't need the failover connection directly between the two, I am using the L2 link between the 4506s for the ASA failover keepalives?

Thanks for your assistance.

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

"So GLBP requires layer 2 link between the two"

99% sure about this - need to do a bit of reading. HSRP definitely does and I can't see why GLBP wouldn't unless you have read differently somewhere.

Nothing wrong with L3 from access-layer as long as you don't need to have a vlan across multiple access-layer switches.

Yes you wouldn't need the direct failover cable between the ASA devices as you would be running it over the L2 link between the 4500 switches.

Jon
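Jon's recommendation written out as configuration, as an added example that is not from this thread: the 4506s keep their L3 EtherChannel for EIGRP and add a separate L2 trunk carrying the ASA inside VLAN, the ASA failover VLAN and the server VLAN, so the ASA failover pair (one ASA per switch) and GLBP for the dual-homed servers both have the L2 path discussed above. VLAN numbers, addresses, interface names and the failover key are assumed.

```cisco
! ---- 4506_1; 4506_2 mirrors this with .12 addresses and default priorities ----
vlan 100
 name ASA-INSIDE
vlan 101
 name ASA-FAILOVER
vlan 200
 name SERVERS
! VLAN 101 gets no SVI on purpose: failover traffic stays L2 and is never routed
interface GigabitEthernet1/1
 description Inside link to ASA_1
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet1/2
 description Failover LAN link to ASA_1
 switchport mode access
 switchport access vlan 101
! The L2 link to 4506_2 is a trunk only because three VLANs share it
interface GigabitEthernet1/3
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 100,101,200
! HSRP VIP on the inside VLAN is the ASA's next hop back into the network
interface Vlan100
 ip address 10.0.100.11 255.255.255.0
 standby 1 ip 10.0.100.10
 standby 1 priority 110
 standby 1 preempt
! GLBP for the dual-homed servers: each server gets a virtual MAC on one switch
interface Vlan200
 ip address 10.0.200.11 255.255.255.0
 glbp 1 ip 10.0.200.10
 glbp 1 preempt
! Default route to the active ASA's inside IP, which moves on failover
ip route 0.0.0.0 0.0.0.0 10.0.100.1
! ---- ASA_1 (primary); ASA_2 repeats this with "failover lan unit secondary" ----
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.100.1 255.255.255.0 standby 10.0.100.2
interface GigabitEthernet0/3
 no shutdown
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.0.101.1 255.255.255.252 standby 10.0.101.2
! Placeholder key; without one the failover messages cross VLAN 101 in cleartext
failover key <SHARED-SECRET>
failover
route inside 10.0.0.0 255.0.0.0 10.0.100.10
```

Because the ASA's inside traffic always comes from the active unit's virtual MAC, an HSRP VIP on VLAN 100 is enough; GLBP only pays off on VLAN 200, where many server MACs can be spread across both switches.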

New Member

Re: Dual core 4506s with dual ASAs

Seems like a while back someone on here suggested I use L3 links, but I see what you mean now.

"Nothing wrong with L3 from access-layer as long as you don't need to have a vlan across multiple access-layer switches."

-I'm trying to get away from that now. I have converted about half the network switches from layer 2 to 3.

I think I am good to go... I appreciate your input and advice.

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

L3 links are often suggested as a good way to go if you can isolate vlans to switches. At least you have removed STP from the access to distro layer.

Good luck with your implementation.

Jon

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

Appreciate the rating and just a final quick point.

One thing I should have said is that you need to understand that your 4500 switches are in effect distro switches. If you just wanted a L3 connection between the 4500 switches then you wouldn't patch your servers into these switches. What you would do is have a pair of switches connected via a L2 trunk just for servers, and then these switches would be L3 connected back to the distro switches. Your design can't quite do this because you are patching servers directly into the 4500 switches. Not a criticism, perfectly valid, just wanted to explain your options and the limitations imposed by your placement of servers/clients etc.

Jon

New Member

Re: Dual core 4506s with dual ASAs

Thanks, I do realize this. Unfortunately my budget won't allow dual 6500s so I'm stuck with dual 4506 sup6 for the next year or two. Which isn't bad, but not my ideal design. So for now a core/dist and routed access layer...

Hall of Fame Super Blue

Re: Dual core 4506s with dual ASAs

No problem, figured you probably did. As always it comes down to cost in the end :)

New Member

Re: Dual core 4506s with dual ASAs

If it helps, I have done "State and LAN" failover between two ASAs with just a L2 switch between them for the LAN failover. I have also done the failover with two other ASAs that each had 3 interfaces unused, so I used them for LAN and State failover without a L2 switch and it worked too.

It's better to have the L2 switch connecting the two ASAs for LAN failover.

HTH

Masood
