07-26-2012 06:22 AM - edited 02-21-2020 04:42 AM
Hi,
I am designing a network with the following equipment:
1: 2 * Cores (4503)
2: Single Firewall ASA-5520
I have the following design options:
DESIGN 1:
DESIGN 2:
The first option looks better to me to avoid a single point of failure (inside layer 2 switch).
Unfortunately I am short of time and don't have access to the lab currently.
Please
BR,
ABDUL MAJID KHAN
08-11-2012 11:08 AM
Your "ASA redundant interface" isn't really. A single ASA has no true redundancy. I suppose you could make an "Inside 1" and "Inside 2" but they would have separate IP addresses and inside hosts would not switch automatically from one to the other. I would say the complexity that introduces would more than offset the second idea of having a small L2 switch VLAN between your single ASA inside interface and your core L3 switches.
For that reason I would prefer the second option. A reputable L2 switch without any configuration changes being made is quite reliable - I regularly come across them with years of uptime. You could possibly add some quasi-redundancy in option 2 by binding together your ASA E1 and E3 interfaces into an EtherChannel (requires ASA software 8.4 or later). That option is not possible with option 1 (at least not into both core switches) as an EtherChannel cannot span two IOS switches at one end.
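The EtherChannel the reply suggests for option 2, written out as an added configuration example (not taken from the original thread or from Cisco documentation). It assumes ASA 8.4 or later, that the two ASA links are GigabitEthernet0/1 and GigabitEthernet0/3, that the L2 switch ports are GigabitEthernet0/1-2 in VLAN 10, and that the inside address is 10.1.1.1/24; all of those names and values are placeholders for this illustration.

```text
! --- ASA side (8.4+): both physical links become members of Port-channel1.
! No nameif / IP on the member interfaces; the logical port-channel carries them.
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
! --- Small L2 switch side (single IOS switch): matching LACP bundle, one access VLAN.
interface range GigabitEthernet0/1 - 2
 switchport mode access
 switchport access vlan 10
 channel-group 1 mode active
!
interface Port-channel1
 switchport mode access
 switchport access vlan 10
```

The bundle only survives a single link or port failure; it does not remove the single ASA or the single L2 switch as points of failure, which is the trade-off the reply describes. Verify the bundle came up on the ASA with `show port-channel summary` and on the switch with `show etherchannel summary` (both should show the port-channel in use with both members active).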
07-31-2012 01:12 AM
Hi,
Any Update
BR
ABDUL MAJID KHAN