topic switch requirements for active/active failover configuration on in Network Security

switch requirements for active/active failover configuration on ASA

DannyHuston — Tue, 12 Mar 2019 00:51:59 GMT

Hi all,

I have a basic setup of two 6509 chassis (non-VSS) with an etherchannel trunk between them. I have a pair of ASA 5585-X configured for active/standby (each appliance inside interface is connected to one 6509). I also have a pair of 3560E switches also an etherchannel trunk between them and the outside interfaces of each ASA connect to each. I want to explore active/active failover and what it can do for me. My questions:

1) does this mean I get the performance of both ASAs (meaning if one appliance handles max 2 million connections, would active/active permit 2 million to each appliance or would it still be just 2 million total?). Obviously I won't see combined throughput but am curious about the connection limit since theoretically I am now putting two appliances into use with active/active?

2) does the 6509 need to be configured for VSS in order for active/active to work properly on the ASA or can I still keep the 6509s configured as they are? How will packets going into one ASA to the switch will know how to get back to the same ASA if active/active? Likewise with the 3560E on the outside.

Thanks.

switch requirements for active/active failover configuration on

Julio Carvajal — Thu, 24 Jan 2013 17:33:45 GMT

A/ Well that depends on the amount of traffic one context is using.

Example:

You have context A and B, and of course each of the ASA's is active for one. so you will split the amount of data between the 2 units so you can see the performance improvement

A/ I am not sure I get the whole picture of your desing but let me think.....................each interface on the failover group will have it's own virtual mac-address so that is where the switch will know where to send the packets back.

Let me know if you have any other question

Julio

switch requirements for active/active failover configuration on

Michal Garcarz — Thu, 24 Jan 2013 17:34:15 GMT

1. yes, because both ASA are used at the same time, BUT: you have to remember that it's difficult to divide traffic by exactly 50% and assign it to context. Remember that you can manage resources assigned to contexts:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_contexts.html#wp1195334

2. It depends on type of deployment. Usually you use separate interfaces in contexts (for example vlans). Even when you share interface between contexts you use "mac-address auto". Then the same shared interface has different MAC address in each context - and upstream/downstream switch do not have any problems switching traffic to separate mac address. So - you do not need VSS to have Active-Active working correctly.

---

Michal

switch requirements for active/active failover configuration on

david.tran — Fri, 25 Jan 2013 03:02:10 GMT

You need to keep this in mind:

ASA can only do Active/Active on a context basis. In other words, Active/Active in ASA similar to using HSRP with multiple HSRP group. Therefore, if you have a single source and single destination using different services such as http, https, ssh, telnet, it will bind to a single context and Active/Active will NOT help you.