Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1657
Views
0
Helpful
8
Replies

2 distribution switches to 1 ASA

Go to solution
mrjdh
Level 1
Level 1

‎09-13-2019 08:07 AM - edited ‎02-21-2020 09:29 AM

Hello,

 

I've built a reasonable large topology in GNS3 to show use of a variety of layer 2 and 3 technologies, with just a touch of ASA or enough to demonstrate ASA basics and setup of a site-to-site VPN. As a result and most importantly because I can't really afford any more CPU cycles(!), I have a single ASA connecting my layer 2 block to the edge router running BGP.

 

SingleASA_2Distro.png

 

Is there a way in which I can connect the ASA to the two distribution switches running HSRP for two VLANs? As I say, I just don't want to undo my hard work and time by pushing GNS any more.

 

I've read a few responses to a similar question whereby a simple switch between the distros and ASA is the solution, presumably keeping things layer 2 between the new switch and the distribution switches?

 

How can I achieve this and also ensure that traffic will be returned to the current HSRP active device?

 

Thanks in advance.

 

Many thanks.

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP
In response to mrjdh

‎09-13-2019 09:38 AM

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Karsten Iwen
VIP
VIP

‎09-13-2019 08:52 AM

You can configure a redundant interface on the ASA and add one member-interface connecting to SW1 and one member-interface connecting to SW2. The redundant interface also can have sub interfaces for all your needed VLANs. But as ASA and the Switch don't share any information which switch is HSRP-active, you could have a non-optimal traffic flow. 

0 Helpful

Go to solution
mrjdh
Level 1
Level 1
In response to Karsten Iwen

‎09-13-2019 08:58 AM

Thanks Karsten. Is there any way around the no-knowledge of the active switch? What would you do in this scenario, keeping only the 1 ASA?
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mrjdh

‎09-13-2019 09:38 AM

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

0 Helpful

Go to solution
mrjdh
Level 1
Level 1
In response to Karsten Iwen

‎09-13-2019 09:57 AM

That's great - thanks for another reply Karsten, much appreciated. I love this community!
0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to mrjdh

‎09-13-2019 10:29 AM

You are welcome!
0 Helpful

Go to solution
bhargavdesai
Spotlight
Spotlight

‎09-13-2019 09:20 AM

You may be working on resilient network design.

You may refer this
https://www.802101.com/cisco-asa-failover-redundant-interfaces-catalyst-hsrp-and-power/amp/

Unfortunately emulator GNS3/EVE-NG with ASAv does not support redundant interface as i know.
And i want to know the status for the IPSEC VPN issue which you posted earlier.


HTH
0 Helpful

Go to solution
mrjdh
Level 1
Level 1
In response to bhargavdesai

‎09-13-2019 09:27 AM

Hi bhargavdesi,
Thank you for the reply - I haven't forgotten about your VPN reply, I'm going to be testing it in the next couple of hours!
0 Helpful

Go to solution
bhargavdesai
Spotlight
Spotlight
In response to mrjdh

‎09-13-2019 09:29 AM

Thank and do let me know if you need further help on that.
And i hope the link will give you good ideas about latest query

HTH
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card