Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1182
Views
0
Helpful
1
Replies

Active / standby firewalls with dual ISP design

Madura Malwatte
Level 4
Level 4

‎05-24-2017 06:28 AM - edited ‎03-12-2019 02:24 AM

Just wanted to confirm a particular design with active/standby firewalls and dual ISP links. Normally the best practice says to have a switch stack between the firewalls and ISP links, however in my case the outside switches are in separate wiring closets hence I cannot use the stacking cables.

Would this alternate design be just as effective as having a switch stack between the firewalls and ISP links (in terms of redundancy and failover)? I can't see any reason why this would not work.

Will be using static route with IP SLA tracking. 

Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎05-24-2017 09:02 AM

Using two independent switches is perfectly fine. You don't need a switch stack. With independent switches you could even have a better availability. A switch stack could fail as a complete system while two separate switches typically fail individually.

For your connections: If you use VLANs then you can*t put one vlan of one interface to the first switch and the other to the second switch. But you could do so with individual interfaces.

Another option is to connect one ASA to switch-1 and the second ASA to switch-2, you need an interconnection of the switches here. Or you could use redundant interfaces on both ASAs, one member connected to switch-1, the other to switch-2. The redundant interface gets subinterfaces for each outside connection. That is my preferred way to implement it.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card