topic Since the distribution in Switching

ASA High Availability

Docklands — Fri, 08 Mar 2019 18:25:19 GMT

If two ASA5508-X are operating in Active-Standby HA mode and the internal interfaces are connected to two separate layer 3 distribution switches, what mechanism should run on the distrubtion switches to route traffic. Note, the two distribution layer switches are running HSRP for the stacked access layer 2 switches.

Thanks

Mike

Since the distribution

Reza Sharifi — Wed, 03 May 2017 15:56:14 GMT

Since the distribution switches are running layer-3, you just need a transit vlan (layer-3) between the distribution switches and the firewalls. Usually a /29 subnet would be sufficient.

HTH

Hi

Julio E. Moisa — Wed, 03 May 2017 17:15:29 GMT

I usually use HSRP between the firewalls and distribution switches, if the firewalls are not the gateway for the VLANs you can use static route between the firewall and distribution switches. As Reza mentioned you need a /29 subnet between them.

Let me share an example of the config that you need. It is a basic configuration.

DISTRIBUTION 1

conf t
vlan 777
int vlan 777
ip add 192.168.77.2 255.255.255.248
standby 77 ip 192.168.77.1
standby 77 preempt
standby 77 priority 105

ip route 0.0.0.0 0.0.0.0 192.168.77.4

*Trunk between the distribution switches to pass the vlan 777

DISTRIBUTION 2

conf t
vlan 777
int vlan 777
ip add 192.168.77.3 255.255.255.248
standby 77 ip 192.168.77.1
standby 77 preempt
standby 77 priority 100

ip route 0.0.0.0 0.0.0.0 192.168.77.4

*Trunk between the distribution switches to pass the vlan 777

PRIMARY FIREWALL

interface GigabitEthernet0/0
description OUTSIDE
nameif OUTSIDE
security-level 0
no shut
ip address 192.168.77.4 255.255.255.248 standby 192.168.77.5

route OUTSIDE 0.0.0.0 0.0.0.0 192.168.77.1 1

Hi Julio,

Docklands — Wed, 03 May 2017 19:59:28 GMT

Hi Julio,

Thank you for the reply.

I'm not quite sure why the 192.168.77.4 and .5 addresses are attached to the OUTSIDE interfaces. I am connecting the distribution switches to the firewall INTERNAL interfaces?

Thanks

Mike

Ps. Sorry for the delay in replying but I just got home

You are correct. It should

Reza Sharifi — Wed, 03 May 2017 20:07:06 GMT

You are correct. It should be the internal interface.

HTH

Thanks Reza

Docklands — Wed, 03 May 2017 20:18:37 GMT

Thanks Reza

Lol you are right, it is

Julio E. Moisa — Wed, 03 May 2017 20:41:06 GMT

Lol you are right, it is just an example hehe but it can be inside or a name related.

Also you can use access mode port over the vlan 777 to connect to the firewalls

🙂