Hi Marius,

Thanks for your response. I have configured the ASA in Active/ Standby mode. But I need configuration on the ASA for the Down switches connectivity.

Since two interfaces from the firewall will connect to two different switches. Is it possible to bundle those two interfaces..

Or how it can be done ..

Thanks

GKP

Depending on the ASA device you are using, yes it is possible to bundle the interfaces.  However if you have ASA5505 it is not possible to bundle interfaces, but the ports on the 5505 act as a switch so you could just trunk them and lett spanning tree do its work.

If you are running 5510 or higher there are some licensing requirements:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1325049

Etherchannel is configure the same as it would be on a switch.

interface

channel-group mode active

once the ether channel is configured then all subsiquent configurations are done on the portchannel interface.

--

Please remember to rate and select a correct answer

Dear Marius,

Please correct me if I am wrong. Configuring port channel will be fine if we are using a single switch.

Since it is a two different switches connecting to a ASA port channel will not come up ..

Thanks,

GKP

It is possible depending on the switches you are using.  You can configure either Virtual Switching System (VSS) on 6500 or 6800 switches.  And on Nexus you can configure Virtual PortChannel (vPC).  these features will allow you to configure two separate devices so that they are logically seen as one device.

If you are running lower end switches then you would need to stack the switches...if possible.

Another option could be to connect one switch to the Active ASA and the other to the Standby, and then configure a portchannel between the switches.  This way hosts will send traffic to the default gateway which is the ASA, and if the ASA fails then the standby takes over and traffic should not be interupted.  It is not optimal redundancy but better than nothing.

--

Please remember to rate and select a correct answer

HI Marius,

will configuring redundant links in ASA  be a suitable solution ??

Thanks,

GKP

I dont think it would be worth having redundant interfaces. The ASA failover is dependent on interface failure and that depends on which interfaces are being monitored.  This would mean that you need to adjust the failover criteria to include the number of subinterfaces on the active interface.  The ASA only fails over when a certain number of interfaces has failed.  So I would not think this would be a good option.