topic Cisco ASA ACTIVE/PASSIVE Failover with OSPF Peering - Best Practices in Network Security

Cisco ASA ACTIVE/PASSIVE Failover with OSPF Peering - Best Practices

Andrew4728 — Mon, 11 Mar 2019 23:20:51 GMT

I've been searching the web trying to find some answers regarding best practices when it comes to ASA Active/passive failover with OSPF.

We have pairs of 5520s and 5540s connected to pairs of nexus 7ks and 6500 switches. The ASAs plug into switchports on the same VLAN, and peer with OSPF to the SVI on the switches. This is working fine, but the problem I am running into is the 2 switches are peering with OSPF across the layer 2 link. We prefer the switches to only peer across a seperate L3 link we have between the switches.

How would one go about preventing the switches from peering across the L2 link, but the active ASA continue to peer with both switches?

Anyone have links to any best practices documents that go into further detail of deploying ASA active/passive failover with OSPF?

Thank you for your help!

Re: Cisco ASA ACTIVE/PASSIVE Failover with OSPF Peering - Best P

Andrew4728 — Wed, 20 Jun 2012 00:21:06 GMT

Nobody? How do you have your active/standby asas setup with ospf?

Sent from Cisco Technical Support iPhone App

Re: Cisco ASA ACTIVE/PASSIVE Failover with OSPF Peering - Best P

Josh Sprang — Wed, 20 Jun 2012 03:26:55 GMT

Since the active Asa in a cluster keeps the same ip address and Mac address regardless of which physical is active, i think the switchports to both active and standby have to be l2 adjacent. I usually recommend a wan edge switching fabric and offload this from the core so you can bridge the vlan there between Asa clusters, and keep your core l3 peered to the Asa. Hth

Sent from Cisco Technical Support iPad App

Re: Cisco ASA ACTIVE/PASSIVE Failover with OSPF Peering - Best P

Andrew4728 — Wed, 20 Jun 2012 04:43:52 GMT

We do have wan switches, but arnt running routing protocols on outside.. We have ospf between the LAN switches and the asa to dynamically advertise routes to remote vpn sites.. The problem im trying to find a solution to is our lan switches peering with each other through the svis over the layer 2 link...

Any thoughts? Been mulching through every cisco doc i can find and havent found an answer yet

Thanks guys!

Sent from Cisco Technical Support iPhone App

Cisco ASA ACTIVE/PASSIVE Failover with OSPF Peering - Best Pract

tombell01 — Wed, 27 Jun 2012 07:06:13 GMT

Hi,

I have run into this same problem. A suggestion I had from a colleague was to configure the SVI OSPF network type to non-broadcast, and then configure static neighbours with the firewall from the switches. I was going to give this a try but if you are willing to be the guinea pig then I'll happily let you road-test it for me!

Regards,

Tom