Sorry about that caveman-style diagram... Each of my access switches has dual connection to both core switches. Each VLAN is configured with HSRP for redundancy, so layer 3 interfaces are configured on both cores. Ofcoures VLAN routing is done on cores as well. Right now the inside interface is in connected to the port in VLAN 1 on 2960s, but I'm thinking about connecting it to the port on 3750X, because they're redundand. My question is about the proper way of doing this. I don't want to use VLAN 1 for reasons listed above, so should I create another VLAN, let's say 101 with IP subnet : 10.10.101.x/24 and use it to connect ASA inside interface? Will this work?

I think, I need to refraze myself (English is not my primary language). Should I connect the ASA to one of the distribution (core) switches or to access switches (3750s)? And should the ASA be in VLAN other than VLAN1?

thank you very much

forman

forman

My first thought was that I like to have essential services such as the ASA connected to the core since they are providing a core type of service and it simplifies their connectivity. Then I thought that if you connect the ASA to one of the access switches you could trunk that VLAN to both of the cores and configure HSRP so that there could be some redundancy in the connection to the core. Based on this I am somewhat inclined to suggest connection of the ASA to the access switch.

HTH

Rick

Thank you for your suggestion Rick.This is actually exactly what I was planning:

- connecting ASA inside int to 3750X stack, which is connected to both cores; and yes, we use HSRP on our cores for each VLAN, so even if one of the cores goes down, the other will still do inter-VLAN routing.

How do you think I should configure physical swich-port on 3750X to accomodate ASA inside int? Is there any standards for that? Right now ASA is just connected to the port in VLAN 1, which I don't want to use.

I was thinking about creating separate VLAN with HSRP just for ASA, such as:

VLAN 101

Core1:

interface Vlan101

ip address 10.6.101.2 255.255.255.0

standby 101 ip 10.6.101.1

standby 101 priority 105

standby 101 preempt

Core2:

interface Vlan101

ip address 10.6.101.3 255.255.255.0

standby 101 ip 10.6.101.1

standby 101 preempt

and assigning IP address from that subnet to ASA. Let's assume 10.6.101.101/24. Once completed, I will change default routes on both cores to 10.6.101.101. What do you think?

thanks

forman

I like what you suggest and believe that it would work nicely. The port where the ASA connects would be an access port in VLAN 101, and you need to be sure that VLAN 101 is trunked between the switches so that both VLAN interfaces can communicate with each other.

HTH

Rick

I agree with Rick.  The ASAs should be connecting to your core. They way you have it right now, when a PC connected to one of the 2960s or 3750s need to connect to the Internet, the packet is forwarded to the default gateway which is the set of 4506 switches.  From there, since the 4500s are not connected to the ASA, it goes back to the 2960 (at the top) and then gets forwarded to the ASA. Are you sure this is how eveything is conneced, because I am not sure how actually this network works today as the access switches are only layer-2??

HTH

Reza,

I realize that the packets from end users in switch 2960 take that weird route. It works and that's how it was implemented by the vendor during the last network upgrade. Now, I do agree it's a little strange. That's why I will move it to 3750 stack, which doesn't service end users at all, just servers exlusivly.

As for your question how it works, we use HSRP for each VLAN, so the routing is done on both cores. Then the default route on the cores is pointing to ASA.

thanks