4338 Views · 5 Helpful · 2 Replies

Single ASA, 2 Inside Core Switches (HSRP) Best Practice Design

Hi,

I am designing a N/W with following equipment.

1: 2 * Cores (4503)

2: Single Firewall ASA-5520

I have following design options;

DESIGN 1:

  1. Core Switches are using HSRP
  2. Vlans are active on one switch (primary) at a time
  3. CONNECT BOTH CORES WITH ASA
  • ASA E0------------------------------------------------outside switch (routers)
  • ASA R1(redundant interface=E1+E3)-------------------both Cores (HSRP)
  • ASA E1---------------Core 1 (F3/48) + ASA E3---------------Core 2 (F3/48)
  • ASA E2---------------DMZ switch

DESIGN 2:

  1. Core Switches are using HSRP
  2. Vlans are active on one switch (primary) at a time
  3. CONNECT BOTH CORES TO LAYER 2 SWITCH (INSIDE ZONE)
  4. CONNECT LAYER 2 SWITCH TO ASA E1

The first option looks better to me to avoid a single point of failure (inside layer 2 switch).

Unfortunately I am short of time and don't have access to the LAB currently.

Please

  1. share your experience and suggest which option is better
  2. Pros and cons during HSRP failover, other features, etc.
  3. suggest if there is any alternate option
  4. Any precautions

BR,

ABDUL MAJID KHAN

Accepted Solution

Your "ASA redundant interface" isn't really. A single ASA has no true redundancy. I suppose you could make an "Inside 1" and "Inside 2" but they would have separate IP addresses and inside hosts would not switch automatically from one to the other. I would say the complexity that introduces would more than offset the second idea of having a small L2 switch VLAN between your single ASA inside interface and your core L3 switches.

For that reason I would prefer the second option. A reputable L2 switch without any configuration changes being made is quite reliable - I regularly come across them with years of uptime. You could possibly add some quasi-redundancy in option 2 by binding together your ASA E1 and E3 interfaces into an EtherChannel (requires ASA software 8.4 or later). That option is not possible with option 1 (at least not into both core switches) as an EtherChannel cannot span two IOS switches at one end.

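The following configuration sketch is an added example by the editor, not from the thread, the poster or Cisco, showing what option 2 with the suggested ASA EtherChannel looks like on all three devices. It assumes the poster's "E1" and "E3" correspond to GigabitEthernet0/1 and 0/3 on an ASA 5520 running 8.4 or later, that the L2 switch uses FastEthernet0/1-4, that VLAN 10 and the 10.1.1.0/24 transit subnet are constructed addressing, and that the cores' F3/48 ports are the ones listed in the question.

```cisco
! --- ASA 5520, 8.4+ (assumed): E1 + E3 bundled into one inside interface ---
interface GigabitEthernet0/1
 description inside bundle member (poster's "E1", assumed mapping)
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/3
 description inside bundle member (poster's "E3", assumed mapping)
 channel-group 1 mode active
 no shutdown
!
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! Internal networks are reached via the cores' HSRP virtual IP (constructed addresses),
! so an HSRP failover between the cores is invisible to the ASA
route inside 10.0.0.0 255.0.0.0 10.1.1.254
!
! --- Inside L2 switch (IOS): LACP bundle towards the ASA, one access port to each core ---
vlan 10
 name ASA-INSIDE-TRANSIT
!
interface range FastEthernet0/1 - 2
 description to ASA Gi0/1 and Gi0/3
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode access
 switchport access vlan 10
!
interface range FastEthernet0/3 - 4
 description to Core1 F3/48 and Core2 F3/48
 switchport mode access
 switchport access vlan 10
!
! --- Core 1 (4503); Core 2 is identical except ip address 10.1.1.3 and standby 1 priority 90 ---
interface FastEthernet3/48
 description to inside L2 switch
 switchport mode access
 switchport access vlan 10
!
interface Vlan10
 description ASA inside transit
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.254
 standby 1 priority 110
 standby 1 preempt
!
ip route 0.0.0.0 0.0.0.0 10.1.1.1
```

Both ends of the bundle use LACP `mode active`, so the port-channel only comes up against a peer that negotiates it, and the ASA keeps a single inside IP and a single next hop whichever core is HSRP active. The L2 switch remains the single point of failure the answer accepts; keeping it on a dedicated transit VLAN with no other ports or services on it limits what a fault or misconfiguration on that switch can affect.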

2 Replies

Hi,

Any Update

BR

ABDUL MAJID KHAN
