Beginner

2 distribution switches to 1 ASA

Hello,

 

I've built a reasonably large topology in GNS3 to show use of a variety of layer 2 and 3 technologies, with just a touch of ASA or enough to demonstrate ASA basics and setup of a site-to-site VPN. As a result, and most importantly because I can't really afford any more CPU cycles (!), I have a single ASA connecting my layer 2 block to the edge router running BGP.

 

[Image: SingleASA_2Distro.png]

 

Is there a way in which I can connect the ASA to the two distribution switches running HSRP for two VLANs? As I say, I just don't want to undo my hard work and time by pushing GNS any more.

 

I've read a few responses to a similar question whereby a simple switch between the distros and ASA is the solution, presumably keeping things layer 2 between the new switch and the distribution switches?

 

How can I achieve this and also ensure that traffic will be returned to the current HSRP active device?

 

Thanks in advance.

 

Many thanks.

VIP Mentor

Re: 2 distribution switches to 1 ASA

You can configure a redundant interface on the ASA and add one member-interface connecting to SW1 and one member-interface connecting to SW2. The redundant interface can also have sub-interfaces for all your needed VLANs. But as the ASA and the switches don't share any information about which switch is HSRP-active, you could have a non-optimal traffic flow.
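The redundant-interface layout described in this reply, written out as an added configuration example (not from the original post); interface names, VLAN numbers and addresses are constructed, and the HSRP virtual IP is assumed to be the ASA's next hop for internal prefixes:

```cisco
! --- ASA side (constructed example; interface names and addresses are assumed) ---
! Member interfaces carry no Layer 3 configuration of their own.
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 no shutdown
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 no shutdown
!
! Redundant1 is active on the first member listed and fails over to the other on link loss.
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
!
! One 802.1Q sub-interface per VLAN the distribution pair serves.
interface Redundant1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Redundant1.20
 vlan 20
 nameif servers
 security-level 90
 ip address 10.10.20.1 255.255.255.0
!
! Internal prefixes are reached via the HSRP virtual IP, so forwarding always lands on the
! HSRP-active switch; the only cost is one extra hop across the inter-switch link when the
! active member interface terminates on the HSRP standby switch.
route inside 10.0.0.0 255.0.0.0 10.10.10.254 1
!
! --- Distribution switch side (same on both switches except the SVI address and HSRP priority) ---
interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.254
```

Only one member link forwards at a time, so this gives link redundancy toward the distribution pair, not extra bandwidth.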

Beginner

Re: 2 distribution switches to 1 ASA

Thanks Karsten. Is there any way around the no-knowledge of the active switch? What would you do in this scenario, keeping only the 1 ASA?

VIP Mentor

Re: 2 distribution switches to 1 ASA

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

Beginner

Re: 2 distribution switches to 1 ASA

That's great - thanks for another reply Karsten, much appreciated. I love this community!

VIP Mentor

Re: 2 distribution switches to 1 ASA

You are welcome!

Beginner

Re: 2 distribution switches to 1 ASA

You may be working on resilient network design.

You may refer to this:
https://www.802101.com/cisco-asa-failover-redundant-interfaces-catalyst-hsrp-and-power/amp/

Unfortunately the GNS3/EVE-NG emulator with ASAv does not support redundant interfaces, as far as I know.
And I want to know the status of the IPSEC VPN issue which you posted earlier.

HTH

Beginner

Re: 2 distribution switches to 1 ASA

Hi bhargavdesi,
Thank you for the reply - I haven't forgotten about your VPN reply, I'm going to be testing it in the next couple of hours!

Beginner

Re: 2 distribution switches to 1 ASA

Thanks, and do let me know if you need further help on that.
And I hope the link will give you good ideas about your latest query.

HTH