Multiple inside interfaces active/standby

tsiemers1 — Tue, 12 Mar 2019 09:12:11 GMT

We are in a situation where they would like to demo a new content filter inline and in live production. I have been tasked with setting up a sceniaro where our current content filter is running side by side with the new one. They would like to grab buildings one at a time and transition from the old filter to the new filter on the fly. Attached is a diagram of what the network will need.

Current setup:

6 5545-x ASA's, setup in 3 different pairs of active/standby. One pair is for the High Schools, One pair for Middle Schools, and the last pair for Elementary schools.

Content filter is Firepower modules all pointing to a virtual FMC.

New Setup:

iBoss content filter inline with an additional aggregation switch between the iBoss and ASA pairs. This is only because the iBoss only has a single 10gb link outbound.

Where I am getting stuck is how do I have two inside interfaces that use the same routes. Currently I am using PBR's to send traffic to its appropriate ASA pair. What we would like to do is start changing the next-hop on certain buildings to point to the iBoss server, then to a aggregation switch that uses another PBR to go to its assigned ASA.

When I try to create interfaces from the swi-aggregation that go to both the active and standby unit for the new iBoss-Inside interface the failover monitoring on the secondary fails.

Is this the right way to approach this setup? Can you monitor two inside interfaces? Every time I set the scenario up I can get the ether-channels to work but the failover monitoring says "failed" on the standby unit.

Is it better to use layer 2 ether-channels with an SVI or layer 3 ether-channels?

Please see attachment for diagram.

And yes I have suggested multiple times to run this in a test environment, and to slim down to one ASA instead of 3 pairs.

All ASA's have a static route pointed towards the inside of:

10.0.0.0 255.0.0.0 10.10.10.x <----interface on the nexus

Etherchannels must go from

Marvin Rhoads — Mon, 10 Apr 2017 15:23:16 GMT

Etherchannels must go from the same device (or virtual device in the case of VPC, VSS or switch stacks) to the same device. An ASA HA pair is not considered a single device for Etherchannel purposes.

When we are doing demos of a new IPS or content filter we would typically span the interesting traffic and let the content filter do "what-if" analysis.

Ahh, the span idea sounds

tsiemers1 — Mon, 10 Apr 2017 15:45:37 GMT

Ahh, the span idea sounds much easier. I will try to persuade in going that route if allowed.

I see my error now with the ether channel after your explanation.

I created separate port channels for each ASA, one port channel for the primary and a separate port channel for the secondary unit. Now the monitoring is working fine.

Thanks for the quick response.

topic Ahh, the span idea sounds in Network Security

Multiple inside interfaces active/standby

Etherchannels must go from

Ahh, the span idea sounds