New Member

HSRP and Static routing

Hi, the scenario is as follows:

Clients ----- L2 switch ----- L2 switch (primary) ----- ASA (primary)
                         \
                          ---- L2 switch (secondary) -- ASA (secondary)

There are three VLANs a, b, c on the ASA interfaces (sub-interfaces). The clients used to have the ASA as default gateway. The firewall not only served as the inter-VLAN router but also performed firewalling between the servers of VLANs a, b and c. For inter-VLAN routing, static routing towards the firewall IPs has been configured on both L2 switches (primary and secondary).

We thought of enabling HSRP on the primary and secondary L2 switches to automate the switchover to the firewalls if the link to the primary firewall fails. If I enable HSRP on the primary and secondary L2 switches, would this enable L3 routing on the switch and prevent the packets from being firewalled?



New Member

HSRP and Static routing

Hi Anbu,

To confirm: have you moved your default gateway from the ASA to your switches?

If you have moved your gateways to the switches and configured them as L3 VLANs, the routing will take place on your switches and traffic will never reach the firewalls (this is for traffic between the VLANs).

In short, if your gateway is configured on your switches, a host in VLAN A can speak to a host in VLAN B with no firewall in between.

I hope this answers your question.

New Member

HSRP and Static routing

If I understand correctly, there are servers in different VLANs whose traffic has to be passed through the firewall.

So if the VLAN routing is moved from the firewall to the L3 switch, then it is quite possible that the server traffic might not go through the firewall, as it might be served by the L3 switch itself.

Two possibilities that I could think of:

1. Can you bring the firewall functions to the switch (I'm quite familiar with the firewall, so I cannot comment on this), or

2. Have the VLAN routing (of the interesting traffic) pass through the ASA firewall.

Just my 2 cents.

Experts can comment.
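The two replies above both make the same point: HSRP needs an addressed SVI in each VLAN, and once the switch holds those addresses and routes, VLAN-to-VLAN traffic never touches the ASA. As an added example (not configuration from any post in this thread), here is the switch-side configuration that produces that bypass next to the one that keeps the ASA as the only inter-VLAN router. VLAN IDs 10/20/30/99, the 10.10.x.x addresses and the port names are assumptions chosen for illustration.

```cisco
! ===== Design that BYPASSES the firewall (the HSRP-on-switch proposal) =====
! "ip routing" plus an addressed SVI per data VLAN turns the switch into the
! inter-VLAN router. A host in VLAN 10 reaching VLAN 20 is routed here and the
! static routes / default route below are only used for destinations outside
! the three VLANs, so the ASA never sees VLAN 10 <-> VLAN 20 traffic.
ip routing
!
interface Vlan10
 description VLAN a - hosts would point at HSRP VIP 10.10.10.1 (assumed)
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 description VLAN b
 ip address 10.10.20.2 255.255.255.0
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan30
 description VLAN c
 ip address 10.10.30.2 255.255.255.0
 standby 30 ip 10.10.30.1
 standby 30 priority 110
 standby 30 preempt
!
! Transit to the ASA: only off-net traffic goes this way (10.10.99.1 assumed ASA).
ip route 0.0.0.0 0.0.0.0 10.10.99.1

! ===== Design that KEEPS the firewall in the path =====
! The switch stays pure layer 2 for the data VLANs: no SVI in 10/20/30 and no
! ip routing. Hosts keep the ASA sub-interface address as default gateway, so
! every inter-VLAN packet is routed, and therefore inspected, by the ASA.
no ip routing
!
vlan 10
 name vlan-a
vlan 20
 name vlan-b
vlan 30
 name vlan-c
vlan 99
 name mgmt
!
! The only addressed SVI is for managing the switch itself.
interface Vlan99
 description switch management only
 ip address 10.10.99.10 255.255.255.0
!
ip default-gateway 10.10.99.1
!
! Trunk carrying the three data VLANs to the ASA sub-interfaces.
! (On platforms that require it, add "switchport trunk encapsulation dot1q" first.)
interface GigabitEthernet0/1
 description trunk to ASA
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
```

A quick check on a Catalyst is `show ip route` on the switch: if it lists 10.10.10.0/24, 10.10.20.0/24 and 10.10.30.0/24 as directly connected, the switch is the inter-VLAN router and the ASA is out of the path for that traffic. Redundancy for the firewalls themselves, with the ASA still acting as gateway, is what ASA active/standby failover provides; HSRP on the switches only moves the gateway function off the firewall.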

