I have a 4900M pair of switches at my collapsed access/core network with only a single ASA5585 chassis firewall as the [Layer 3] gateway.
The ASA chassis has a firewall SSP and an IPS SSP and [x16 Gb] interfaces across the firewall and IPS SSP modules.
The 4900 will be configured in Layer 2 mode with no inter-VLAN routing.
My first thoughts are that the setup would probably have to look something like this:
[where 4900a connects to the firewall ssp on asa]
If 4900a fails, all hosts connected to 4900b lose connectivity; likewise, if the Gb interface or firewall SSP on the ASA fails, the whole network is lost.
What i would like is this:
...where connections from each 4900 terminate at NICs on each SSP at the single ASA5585.
Clearly the ASA is in itself a single point of failure, however...
Without using intelligent Layer 3, what would be the most straightforward way to provide extra robustness in this setup? [before then considering the impact on the firewall rulebase and functionality]
Is there a Layer 2 solution, with a single gateway IP [at my single gateway firewall]?
I can see a potential dot1q solution where the two physical links up to the firewall are each dot1q, and I could perhaps create an additional VLAN that Layer 3 terminates at the firewall with an IP address on a FastEthernet dot1q trunk.
However, I believe this will require a unique IP address on each VLAN that maps to the firewall Layer 3?
Also, the latest version of ASA firmware now supports port channelling; I will research if this is a possibility as well; not sure if you can multi-chassis port channel across the x2 4900 devices [very unlikely].
Can somebody validate/confirm if there is a straightforward solution to this?