ASA Redundant Interface and design

jlucero2424 · ‎01-20-2014

Hi Guys,

In regards configuring redundant Interface, correct me if i'm wrong from what i understand if I bond two interface(e.g e0/0+e0/1) this will create one logical interface, so regarding the physical Interface does this means that one of them are active and the other one is standby? If have two core switch and CSW1 is connected to e0/0 of the Firewall and the CSW2 is connected to e0/1,does the traffic comming from core switch 2 towards to the firewall will be drop as the interface e0/1 is on standby?

Reason I'm Asking this is we have a existing design and we like to put a FW on it.

servers which residing on a dmz is conneced on the csw1 and csw 2(no dmz switch), the Lan subnet is also on the CSW1, one CE router from WAN(outside) were planning to put assa between the core switches and the CErouter, so from ASA we configure redundancy interface towrads the two core switches 1 and 2 which e0/0+e0/1. then we configure subinterfaces on the redundant port and vlan to seperate zone.

Have simple physical diagram below for better understanding

(outside)

Router---Firewall

| |

e0/0 e0/1

| |

CSW1 CSW2

| |

(DMZ)VlanServers/Vlan-LAN(Inisde)

I just like you guys to comment on it and if there is other way design approach we only have one firewall, also not sure how efficient is configuring Interface redudant on asa. Please advise.

Thanks in advance.

Collin Clark · ‎01-20-2014

Are your core switches in a stack or VSS? If the are independent of each other then you won't be able to create an Etherchannel between the ASA and your core. However if the core is stacked or has VSS, then you can. At that point both of the links will be in the Etherchannel and forwarding traffic. Let us know what your core switches are and we can help further,

jlucero2424 · ‎01-20-2014

Hi Collin,

Thanks for the reply, the two switch are not configured on VSS or stack, are you talking about creating port-channeling on the ASA?

Also for the redundant interface configuration on the asa it looks that one of the interface is forwarding traffic and the other one is standby, so I gues it wont work with the set up.,

The set up is some of the servers are connected on the CSW1 and the other on CSW2, lan subnet is also on the core switches they areonly seperated by vlan.

Jon Marshall · ‎01-20-2014

Jaspher

As far as i know the redundant interface feature only uses on interface at any one time. But it would allow you to connect the ASA to both switches for redundancy. You only get the throughput of one interface but that may be enough ie. is it for the internet for example.

As Collin says if your switches aren't VSS or stacked then you cannot use etherchannel to connect to the ASA.

If you tried to use two inside interfaces and connect one to each switch then you could get asymmetric routing through the ASA. I have never tried using multiple inside interfaces so maybe Collin has a better idea.

The other alternative is to simply connect the ASA to one of the switches with etherchannel. You get the throughput and you get redundancy of the links although not if the switch you are connecting to fails., but then you only have one firewall anyway. It's not ideal but if you need the throughput it might be the best option.

If you did that you would have to make sure the interconnect between your internal switches had enough bandwidth though as there would be a lot of traffic going across the interconnect.

Jon

Collin Clark · ‎01-20-2014

Correct, redundant interface are active/passive. An Etherchannel will utilize both interfaces. To me, that seems to make better use of resources. However since you have two separate core switches, you'll have to use redundant interfaces or as Jon mentioned, plug two interfaces into one switch and lose chassis redundancy.