We're in the process of swapping in a new pair of ASA5520s and Catalyst 3750s to support two separate business units. We want Firewall A and Switch A to handle traffic for Org A (VLAN 100). Similarly, Firewall B and Switch B should handle traffic for Org B (VLAN 200). But we want to be able to fail traffic over in case of firewall or switch failure. Traffic between the two Orgs is being routed at the switch level.
The ASAs are set up for Active/Active failover, and we have VLANs set up as follows:
Org A VLAN 100 (.100 subnet)
Org B VLAN 200 (.200 subnet)
Switch A uplink subnet (.1)
Switch B uplink subnet (.2)
The uplink interface on each switch is currently a routed port with a static address on the uplink subnet. This works fine in a normal state. However, when we fail over one of the firewall contexts to the other chassis, this results in the inability to route internal traffic because the internal interface is now physically connected to a different switch with a different IP port address (obvious in hindsight).
The question is, rather than a routed port, what would be the proper way to handle traffic between the switches and firewalls in a failover scenario?
If I make the uplink ports into trunks, won't this cause all packets destined for either firewall to hit both? Seems like that's not the way to go either?
For more information, a concept diagram and the ASA and Catalyst configs as they currently stand are here:
ASA Context 1 (Org A)
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
ip address x.x.246.131 255.255.255.0 standby x.x.246.133
ip address 192.168.4.1 255.255.255.0 standby 192.168.4.3
access-list Inside_access_in extended permit ip any any
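As an added illustration of the failure mode described above (constructed example code, not the poster's configuration; the chassis names, switch names, subnets and the "shared VLAN" alternative are assumptions), the following model plays through a context failover under two uplink designs: routed ports in separate subnets, as the post currently has them, and a design where both switches carry the inside VLANs on a trunk and use SVIs, so the firewall-facing port on either switch belongs to every inside subnet. It also models where each switch learns the context's inside MAC, which is the question raised about trunks sending every packet to both firewalls.

```python
"""Model of ASA context failover against two Catalyst uplink designs.

Constructed example: chassis/switch names and addresses are assumptions, not
the poster's config. A switch can route for a context only if the port the
firewall is cabled into is a member of that context's inside subnet.
"""
import ipaddress

# Constructed addressing: one inside subnet per context
NET_A = ipaddress.ip_network("192.168.1.0/24")
NET_B = ipaddress.ip_network("192.168.2.0/24")

CONTEXTS = {
    "OrgA": {"inside_ip": ipaddress.ip_address("192.168.1.1"), "home": "ASA-A"},
    "OrgB": {"inside_ip": ipaddress.ip_address("192.168.2.1"), "home": "ASA-B"},
}

# Physical cabling: which switch each chassis's inside interface is plugged into
CABLING = {"ASA-A": "SW-A", "ASA-B": "SW-B"}

# Subnets that the firewall-facing port on each switch is a member of
DESIGNS = {
    # each uplink is a routed port in its own subnet (the post's current state)
    "routed": {"SW-A": {NET_A}, "SW-B": {NET_B}},
    # both switches trunk the inside VLANs between them and use SVIs (assumed design)
    "shared_vlan": {"SW-A": {NET_A, NET_B}, "SW-B": {NET_A, NET_B}},
}


def initial_state():
    """Normal state: each context is active on its home chassis."""
    return {name: ctx["home"] for name, ctx in CONTEXTS.items()}


def fail_over(state, context):
    """Return a new state with `context` active on the other chassis."""
    other = {"ASA-A": "ASA-B", "ASA-B": "ASA-A"}
    return {**state, context: other[state[context]]}


def reachable(state, design):
    """For each context, can the switch its active unit is cabled to route its inside IP?"""
    result = {}
    for name, chassis in state.items():
        switch = CABLING[chassis]
        ip = CONTEXTS[name]["inside_ip"]
        result[name] = any(ip in net for net in DESIGNS[design][switch])
    return result


def cam_entry(state, context, switch):
    """Shared-VLAN design: the port on `switch` that holds the context's inside MAC.

    The active unit owns the interface MAC and announces it after a failover,
    so each switch learns it on exactly one port: its own firewall port when the
    active chassis hangs off this switch, otherwise the inter-switch trunk.
    Unicast toward the firewall therefore follows one port, not both uplinks.
    """
    active_switch = CABLING[state[context]]
    return "firewall-port" if active_switch == switch else "inter-switch-trunk"


if __name__ == "__main__":
    normal = initial_state()
    failed = fail_over(normal, "OrgA")
    for design in DESIGNS:
        print(design, "normal:", reachable(normal, design))
        print(design, "OrgA failed over:", reachable(failed, design))
    for sw in ("SW-A", "SW-B"):
        print("OrgA MAC on", sw, "after failover:", cam_entry(failed, "OrgA", sw))
```

Running it shows the routed design passing in the normal state and losing Org A after its context moves to the other chassis, while the shared-VLAN design keeps both contexts reachable; the CAM lookup shows each switch holding the moved MAC on a single port.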