04-12-2016 06:28 AM - edited 03-12-2019 12:36 AM
We have two ASAs set up in an active/standby configuration. The "Outside" interface on each ASA connects to one of the two switches in the switch stack, as do the border routers; this is for failover redundancy.
        ISPs & INTERNET
           |        |
           R--------R
           |        |
        switch----switch
         | | outside | |
        ASA         ASA
              inside
Red is "outside" interfaces
Blue is "failover" and "stateful" replication links
My first question is - Do we really need to run the failover and stateful replication link through "any" switches? Would it be better (more secure and less points of failure) to connect the failover and stateful replication link directly between ASAs without switches?
My second question is - Would it be better to use two physical links for these two services?
Thank you
Frank
04-12-2016 06:56 AM
99 times out of 100 I run the failover link using a cable directly between the two ASAs. The Cisco guides recommend a switch because it gives you a place to login and see the interface status apart from the ASAs. I tend to agree with your take however that a 6" cat 5 jumper fails less often than two jumpers plus a switch.
I only run state over a separate interface in very high bandwidth use cases (when I run it at all). I generally work with small to medium enterprises for whom maintaining state of every TCP connection in the event of a failover is not so critical. Larger enterprises and especially eCommerce applications might have different business requirements which would drive the design differently.
04-12-2016 08:02 AM
Hi Marvin,
Do you think this is a security concern, since the state replication traffic passes in clear text through the outside switch, or is it not really an issue?
04-12-2016 08:13 AM
If you're using a switch and have decided to do stateful failover, the switch (whether or not it includes "outside" traffic) should have a dedicated VLAN (L2 only - no SVI L3 interface) for this traffic.
When I use outside switches I prefer they are the slightly higher-end models with a strictly out-of-band management interface with its own VRF (like a 3560-X or higher) so that I never expose the switch management plane to the public Internet.
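As an added configuration example (not from this thread or from Cisco's guides), here is the design Marvin describes: Layer 2-only VLANs on the outside switch with no SVIs, and the matching ASA failover configuration with separate failover and state links, plus a failover key so the replication traffic crossing the switch is not clear text. VLAN numbers, interface names, addresses and the key value are assumptions.

```cisco
! --- Outside switch (IOS, e.g. Catalyst 3560-X) ---
! Layer 2-only VLANs for the ASA failover and state links.
! Deliberately no "interface Vlan900" / "interface Vlan901": the switch
! has no IP address on these VLANs, so nothing can route into them.
vlan 900
 name ASA-FAILOVER
vlan 901
 name ASA-STATE
!
interface GigabitEthernet0/10
 description ASA-A failover link
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
interface GigabitEthernet0/11
 description ASA-B failover link
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
! (ASA-A/ASA-B state link ports: same as above with "switchport access vlan 901")
!
! --- ASA primary unit ---
interface GigabitEthernet0/6
 description failover link (to switch VLAN 900)
 no shutdown
!
interface GigabitEthernet0/7
 description state link (to switch VLAN 901)
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/6
failover link STATELINK GigabitEthernet0/7
! Shared key: failover and state replication between the units is then
! encrypted rather than clear text (placeholder value, replace it)
failover key REPLACE-WITH-SHARED-SECRET
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover interface ip STATELINK 10.255.254.1 255.255.255.252 standby 10.255.254.2
failover
```

The secondary unit gets the same failover commands with "failover lan unit secondary"; if the failover cable runs directly between the ASAs instead, the switch VLAN section is simply not needed.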
04-12-2016 08:19 AM
Exactly!
Thank you
Frank