Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
503
Views
0
Helpful
2
Replies

HSRP and Static routing

anbushan74
Level 1
Level 1

‎03-30-2012 06:54 AM - edited ‎03-07-2019 05:52 AM

Hi, This scenario is as follows:

Clients ----- l2 switch ---- l2 switch (primary) --- asa (primary)

                                    ----- l2 switch (secondary) --- asa (secondary)

there are three vlans a, b, c on the asa interfaces (sub interfaces).  the  clients used to have the asa as default gateway.  The firewall not only served as the intervlan router but performed firewalling between the servers of a,b,c vlans. for intervlan routing, static routing towards the firewall ips has been configured on both l2 (primary and secondary) switches.

we thought of enabling hsrp on l2 switch primary and secondary to automate the switchover to the firewalls if link to primary firewall fails. if i enabe hsrp on l2 primary and secy switches, would this enable l3 routing on the switch and prevent the packets being firewalled?

Thanks

Anbu

Labels:
0 Helpful
2 Replies 2

Zeeshan Siddiqui
Level 1
Level 1

‎03-30-2012 08:46 AM

Hi Anbu,

To confirm you have moved your Default gateway from the ASA to your switches ?

If you have moved you gateways to the switches and configured as L3 vlan the routing will take place on your switches and traffic will never reach the firewalls.  (this is for traffic betwwen the vlan)

In short if your gateway is configured on your switches host in vlan A can speak to host in vlan B with no firewall in between.

I hope this answer your question

0 Helpful

vijay.swaminathan
Level 1
Level 1
In response to Zeeshan Siddiqui

‎03-30-2012 09:53 AM

If I understand correctly there are servers in different vlan's whose traffic has to be passed through firewall.

so if the vlan routing is moved from the firewall to the L3 switch, then it is quite possible that the server traffic might not go through the firewall as it might be serverd by the L3 switch itself.

two possbililities that I could think off.

1. can you bring the firewall functions to the switch (I'm quite familiar with the firewall, so I cannot comment on this) or,

2. have the vlan routing (of interested traffic) to pass through the ASA firewall.

just my 2 cents.

Experts can comment.

-Vijay

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card