3850 Stack > ASA 5545X Cluster (Active / Passive) Connectivity Best Practice

Not applicable

Hey guys,

I have a 3850 stack comprising two switches. There are 6 VLANs configured across the stack. I've configured the DG against each of the VLAN interfaces for inter-VLAN routing between the VLANs. From each of the switches within the stack, I would like to connect each of the ASAs for HA.

I'm not sure of the best practice for this. Would it be some form of etherchannel configuration or a FHRP configuration upon the ASA's? I've attached a picture to help display my scenario.

Apologies, this is new ground for me and I don't have a lab environment to test in, so any assistance and / or advice would be greatly appreciated.

Kind regards.

5 Replies

If you have enough interfaces left on the ASA, I would build a channel to the switch-stack. This is an example with two members:

ASA1-Eth1 <-> Cat1-Eth1
ASA1-Eth2 <-> Cat2-Eth1
ASA2-Eth1 <-> Cat1-Eth2
ASA2-Eth2 <-> Cat2-Eth2

On the port-channel-interface of the ASA you can use subinterfaces for your VLANs.

Hey Karsten,

Thank you for your response. Much appreciated.

If I'm understanding you correctly, would I be correct in thinking this would be what you are suggesting (apologies if this seems obvious)...

1. Create a port-channel / etherchannel between 3850 stack and the ASA cluster.

2. Sub-interface the port-channel upon the ASA side of the channel, configuring the sub-interfaces as the default gateways for the VLANs (rather than the VLAN interfaces themselves upon the 3850s) and then have the ASAs do the inter-VLAN routing?

Would the above be accurate?

Again, thank you very much for your assistance! This is all quite new to me. Very interesting though! :)

Thank you.

Not applicable

Sorry - furthermore, would this be the best approach in a scenario wherein we have active / passive ASA nodes?

Apologies if this is a stupid question...

There is no single "best" ... ;-) But this way gives you a very high availability and flexibility.

1st: Don't use the name "cluster" for an ASA Failover system. That can get confusing as there is also a different feature named "cluster" on the ASA.

There are a total of three Etherchannels to configure:

  1. One on the ASA to the switches
  2. One on the Switch to the primary ASA
  3. One on the switch to the secondary ASA

The question of whether there are SVIs on the switch depends on your needs. If you want to route a VLAN on the L3 switch without firewalling, then use an SVI on the switch. If you want the control of the ASA, then you should not configure an SVI on the switch but use the subinterface on the ASA as the DG for that VLAN.
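The three-etherchannel layout described above, written out as an added configuration example (not from any poster on this thread). Interface names, VLAN IDs, IP addresses and the failover link are assumed: VLANs 10 and 20 are firewalled via ASA subinterfaces (no SVI on the stack), VLAN 30 stays switch-routed with an SVI.

```cisco
! --- 3850 stack: two separate port-channels, each spanning both members ---
! Po1 -> primary ASA, Po2 -> secondary ASA. Failover is not clustering, so the
! four links are NOT bundled into one channel on the switch side.
interface range GigabitEthernet1/0/1, GigabitEthernet2/0/1
 description to ASA-primary
 channel-group 1 mode active
!
interface range GigabitEthernet1/0/2, GigabitEthernet2/0/2
 description to ASA-secondary
 channel-group 2 mode active
!
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
interface Port-channel2
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! No SVI for VLAN 10/20: their DG is the ASA, so inter-VLAN traffic is
! forced through the firewall policy. VLAN 30 keeps its SVI (no firewalling).
interface Vlan30
 ip address 10.1.30.1 255.255.255.0
!
! --- ASA (entered on the primary; failover replicates it to the secondary) ---
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
interface Port-channel1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.1.10.1 255.255.255.0 standby 10.1.10.2
!
interface Port-channel1.20
 vlan 20
 nameif servers
 security-level 80
 ip address 10.1.20.1 255.255.255.0 standby 10.1.20.2
!
! Active/standby failover over a dedicated link (assumed Gi0/7), not the data channel
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
```

With this layout the active unit answers on the 10.1.10.1/10.1.20.1 gateway addresses and the standby takes them over on failover, so hosts keep the same DG; traffic between VLAN 10 and 20 is now subject to the ASA's security levels and access lists rather than being switched freely at L3.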
