Cisco Support Community
New Member

ASA with two core switch

Dear All

As per my client's requirement, we have to connect two 4500-X switches with a single Cisco ASA 5545-K9. Both switches will be on the inside interface of the ASA, and HSRP will be running between them. Can anybody suggest the best way to achieve this? Please let me know if you need any feedback from my side.

1 ACCEPTED SOLUTION

New Member

Re: ASA with two core switch

Hi,

As long as there is a shared VLAN (network) for each firewall interface between the ASA units, you can have them as an HA pair. Without some shared interfaces there isn't any point in configuring them as an HA pair.

If there are only separate networks, then redundant interfaces (or port channels if the model is appropriate) would provide link resilience but not appliance redundancy to each unit.

reload in 25 years

9 REPLIES
VIP Purple

ASA with two core switch

For that you can use the redundant interfaces on the ASA:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329357

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1062296

--

Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

New Member

ASA with two core switch

I have done this with simulation and this seems to be OK.

sh interface redundant 1 detail

Interface Redundant1 "inside1", is up, line protocol is up
  Hardware is linaeth, BW 100 Mbps, DLY 100 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Media-type configured as RJ45 connector
        MAC address 0000.abac.4f01, MTU 1500
        IP address 192.168.0.1, subnet mask 255.255.255.0
        0 packets input, 0 bytes, 0 no buffer
        Received 0 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        0 packets output, 128 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        input queue (curr/max packets): hardware (256/256) software (0/0)
        output queue (curr/max packets): hardware (0/0) software (0/2)
  Traffic Statistics for "inside1":
        0 packets input, 0 bytes
        3 packets output, 84 bytes
        0 packets dropped
      1 minute input rate 0 pkts/sec,  0 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Control Point Interface States:
        Interface number is 2
        Interface config status is active
        Interface state is active
  Redundancy Information:
       Member Ethernet0/1(Active), Ethernet0/2
        Last switchover at 00:15:09 UTC Nov 30 1999

I shall connect the primary switch with the active interface and the secondary switch with the other interface. I would like to know: "Is there any limitation or challenge regarding this implementation?" Is this the best solution? Or can this be done another way also...

Please suggest...
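An added example, not part of the original posts and not Cisco code: a small Python parser for the `show interface redundant ... detail` layout quoted above, which reports the active member and flags loss of link redundancy. The function names and the `expected_active` parameter are assumptions for illustration; the sample is an excerpt of the output in the post.

```python
import re

# Excerpt of the "sh interface redundant 1 detail" output quoted in the post,
# trimmed to the lines this parser reads.
SAMPLE = '''\
Interface Redundant1 "inside1", is up, line protocol is up
  Redundancy Information:
       Member Ethernet0/1(Active), Ethernet0/2
        Last switchover at 00:15:09 UTC Nov 30 1999
'''

HEADER = re.compile(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\S+)', re.M)
MEMBERS = re.compile(r'^\s*Member (.+)$', re.M)
SWITCHOVER = re.compile(r'^\s*Last switchover at (.+)$', re.M)


def parse_redundant(text):
    """Return the state of one redundant interface from its 'detail' output."""
    head = HEADER.search(text)
    if head is None:
        raise ValueError("no 'Interface ...' header line found")
    members, active = [], None
    found = MEMBERS.search(text)
    for item in (found.group(1).split(",") if found else []):
        name = item.strip()
        if name.endswith("(Active)"):
            name = active = name[:-len("(Active)")]
        members.append(name)
    last = SWITCHOVER.search(text)
    return {
        "interface": head.group(1), "nameif": head.group(2),
        "admin": head.group(3), "line_protocol": head.group(4),
        "members": members, "active": active,
        "last_switchover": last.group(1).strip() if last else None,
    }


def findings(state, expected_active=None):
    """List conditions worth alerting on for a two-member redundant interface."""
    issues = []
    if state["admin"] != "up" or state["line_protocol"] != "up":
        issues.append("interface not up/up")
    if len(state["members"]) < 2:
        issues.append("fewer than two member interfaces: no link redundancy")
    if state["active"] is None:
        issues.append("no member marked (Active)")
    elif expected_active and state["active"] != expected_active:
        issues.append(f"active member is {state['active']}, expected {expected_active}")
    return issues
```

Passing the member cabled to the primary switch as `expected_active` turns an unnoticed switchover to the secondary path into an explicit finding.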

VIP Purple

ASA with two core switch

The best solution would be to have two ASAs, one connected to each switch. But if that solution is not available, the redundant interfaces should give you the optimum in your setup.


New Member

ASA with two core switch

Two ASAs are there. But there are also two separate business units. Each unit has two core switches, which are connected to both ASAs.

VIP Purple

ASA with two core switch

I mean two ASAs running as a failover pair. With that you would have the best solution.


New Member

ASA with two core switch

Two ASAs are in failover mode. But there are four core switches.

VIP Purple

ASA with two core switch

You were talking about a single ASA (and two core switches) in your first post. So, what is your exact setup at the moment?


New Member

ASA with two core switch

This is my setup. Two ASAs in active-passive mode. 2 core switches from two different business units (2x2=4 core switches) will be connected to each ASA.
