Cisco Support Community

New Member

ASA multi-path

Looking for a design best practice, and a little help,

Basically my design looks like this:

       2821            (Single ISP w/BGP failover to redundant site)
      /    \
   4948    4948        (Inet/MPLS Switch)
     |      |
   ASA --- ASA         (5520's Failover Pair (Advert BGP AS from here))
     |      |
  6506 --- 6506        (Core (VS-SUP720-10G))

The 4948's also have a pair of 2821's that are from 2 separate carriers providing MPLS connections to the other site/corp office off a single VLAN to both switches (load balanced with OSPF, and connected to the ASA's via "DMZ_MPLS").

Here is my issue: as of 8.x the ASA's don't support EtherChannel of 2 or more interfaces together, so if I connect the 4948's together with an "Uplink" port that's layer 2, and set the internet router to use a BVI interface that uses both G0/0 & G0/1, aren't I going to run into a "Non-Mac-Flooding" issue?

Can I create a "Layer 3 Interface" on both 4948's and use that for an "Uplink" to ensure multi-path?

I realize that I am using only a single internet connection, but would like to have full redundancy up to that single point of failure, as if the i-net router fails, BGP fails over to the secondary site.

Cisco Employee

Re: ASA multi-path

Your best bet on this is doing ASA Active/Active along with 4900 L3 interfaces.