topic Re: 2 distribution switches to 1 ASA in Network Security

2 distribution switches to 1 ASA

mrjdh — Fri, 21 Feb 2020 17:29:46 GMT

Hello,

I've built a reasonable large topology in GNS3 to show use of a variety of layer 2 and 3 technologies, with just a touch of ASA or enough to demonstrate ASA basics and setup of a site-to-site VPN. As a result and most importantly because I can't really afford any more CPU cycles(!), I have a single ASA connecting my layer 2 block to the edge router running BGP.

Is there a way in which I can connect the ASA to the two distribution switches running HSRP for two VLANs? As I say, I just don't want to undo my hard work and time by pushing GNS any more.

I've read a few responses to a similar question whereby a simple switch between the distros and ASA is the solution, presumably keeping things layer 2 between the new switch and the distribution switches?

How can I achieve this and also ensure that traffic will be returned to the current HSRP active device?

Thanks in advance.

Many thanks.

Re: 2 distribution switches to 1 ASA

Karsten Iwen — Fri, 13 Sep 2019 15:52:53 GMT

You can configure a redundant interface on the ASA and add one member-interface connecting to SW1 and one member-interface connecting to SW2. The redundant interface also can have sub interfaces for all your needed VLANs. But as ASA and the Switch don't share any information which switch is HSRP-active, you could have a non-optimal traffic flow.

Re: 2 distribution switches to 1 ASA

mrjdh — Fri, 13 Sep 2019 15:58:53 GMT

Thanks Karsten. Is there any way around the no-knowledge of the active switch? What would you do in this scenario, keeping only the 1 ASA?

Re: 2 distribution switches to 1 ASA

bhargavdesai — Fri, 13 Sep 2019 16:20:49 GMT

You may be working on resilient network design.

You may refer this
https://www.802101.com/cisco-asa-failover-redundant-interfaces-catalyst-hsrp-and-power/amp/

Unfortunately emulator GNS3/EVE-NG with ASAv does not support redundant interface as i know.
And i want to know the status for the IPSEC VPN issue which you posted earlier.

HTH

Re: 2 distribution switches to 1 ASA

mrjdh — Fri, 13 Sep 2019 16:27:02 GMT

Hi bhargavdesi,
Thank you for the reply - I haven't forgotten about your VPN reply, I'm going to be testing it in the next couple of hours!

Re: 2 distribution switches to 1 ASA

bhargavdesai — Fri, 13 Sep 2019 16:29:31 GMT

Thank and do let me know if you need further help on that.
And i hope the link will give you good ideas about latest query

HTH

Re: 2 distribution switches to 1 ASA

Karsten Iwen — Fri, 13 Sep 2019 16:38:58 GMT

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

Re: 2 distribution switches to 1 ASA

mrjdh — Fri, 13 Sep 2019 16:57:45 GMT

That's great - thanks for another reply Karsten, much appreciated. I love this community!

Re: 2 distribution switches to 1 ASA

Karsten Iwen — Fri, 13 Sep 2019 17:29:59 GMT

You are welcome!