Solved: Re: 2 distribution switches to 1 ASA

mrjdh · ‎09-13-2019

Hello,

I've built a reasonable large topology in GNS3 to show use of a variety of layer 2 and 3 technologies, with just a touch of ASA or enough to demonstrate ASA basics and setup of a site-to-site VPN. As a result and most importantly because I can't really afford any more CPU cycles(!), I have a single ASA connecting my layer 2 block to the edge router running BGP.

Is there a way in which I can connect the ASA to the two distribution switches running HSRP for two VLANs? As I say, I just don't want to undo my hard work and time by pushing GNS any more.

I've read a few responses to a similar question whereby a simple switch between the distros and ASA is the solution, presumably keeping things layer 2 between the new switch and the distribution switches?

How can I achieve this and also ensure that traffic will be returned to the current HSRP active device?

Thanks in advance.

Many thanks.

Karsten Iwen · ‎09-13-2019

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

View solution in original post

Karsten Iwen · ‎09-13-2019

You can configure a redundant interface on the ASA and add one member-interface connecting to SW1 and one member-interface connecting to SW2. The redundant interface also can have sub interfaces for all your needed VLANs. But as ASA and the Switch don't share any information which switch is HSRP-active, you could have a non-optimal traffic flow.

mrjdh · ‎09-13-2019

Thanks Karsten. Is there any way around the no-knowledge of the active switch? What would you do in this scenario, keeping only the 1 ASA?

Karsten Iwen · ‎09-13-2019

For this scenario it doesn't matter if you have one ASA or two in HA. In most cases I would just ignore this "problem" when both switches are directly colocated and have a direct link (typically a channel) between each other. It's just one switched hop more than the optimal path. Or you have to build your distribution as a VSS/VPC or stack. There you can use EtherChannels to both devices.

mrjdh · ‎09-13-2019

That's great - thanks for another reply Karsten, much appreciated. I love this community!

Karsten Iwen · ‎09-13-2019

You are welcome!

bhargavdesai · ‎09-13-2019

You may be working on resilient network design.

You may refer this
https://www.802101.com/cisco-asa-failover-redundant-interfaces-catalyst-hsrp-and-power/amp/

Unfortunately emulator GNS3/EVE-NG with ASAv does not support redundant interface as i know.
And i want to know the status for the IPSEC VPN issue which you posted earlier.

HTH

mrjdh · ‎09-13-2019

Hi bhargavdesi,
Thank you for the reply - I haven't forgotten about your VPN reply, I'm going to be testing it in the next couple of hours!

bhargavdesai · ‎09-13-2019

Thank and do let me know if you need further help on that.
And i hope the link will give you good ideas about latest query

HTH