ASA firewalls connected to CAT6K running GLBP

haithamnofal
Level 3

Hi,

I have 2 ASA firewalls which I need to connect to my 2 CAT6K core switches. The core switches are running the GLBP redundancy protocol between them.

My question here is since my switches are Active-Active, can I implement my firewall cluster in Active-Passive mode? Can you please advise on the best design for this scenario?

R/ Haitham


5 Replies

srue
Level 7

It sounds like you have two Cat6Ks and two ASAs and you want to implement the ASAs in failover active/passive mode.

Yes, you can do this with standard failover in the ASAs (provided the licensing is correct and the hardware is identical between the ASAs). For increased redundancy, plug one ASA into one switch and the other ASA into the other switch, and configure failover as one normally would.

Here's the 7.2 guide for failover:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/failover.html

Hi,

Thanks for your response.

My concern was in running GLBP: how could the passive ASA firewall process traffic if the switch that is connected to it is active?

R/ Haitham

Context out the ASAs and then you run them in active/active, but this is more of: one context is active on firewall 1 and passive on firewall 2, then the next context is passive on firewall 1 and active on firewall 2.

Are the switches connected together? This way they would have an understanding of each other and know that their peer hasn't failed, thus keeping the connection available to both switches. Questions:

Are the GLBP interfaces ports or VLANS?

Are the switches connected together?

What is the outcome that you would like?

Hi,

GLBP is running between VLANs and the 2 switches are connected together.

If I got you right, the switches will be aware of which ASA is active and they will pass traffic to the active ASA between each other accordingly.

This makes sense and will work.

R/ Haitham

Haitham

As Thomas says, it really depends on how your switches are connected together and how you have connected your ASA devices to the 6500s.

Assuming that your ASA inside interfaces are in the same VLAN and that your 6500 switches are connected via a L2 trunk, then there are 2 things to bear in mind.

1) If the ASA devices are on a dedicated VLAN, i.e. no other devices are on that VLAN, then GLBP won't gain you anything because the source MAC address/IP address will always be the same, i.e. the active firewall.

2) Regardless of 1, remember that if the return traffic going back to the ASA inside interface, or traffic originated from inside, goes to the switch that is connected to the passive ASA, then the switch will simply send the traffic across the trunk link to the other switch, which will then forward it on to the active ASA.

So it doesn't matter which switch is active for which VLANs. Any traffic that goes to the switch that isn't connected to the active ASA will simply be sent across the Layer 2 trunk to the other switch, which then sends it on to the active ASA.

Of course this is only relevant if you have indeed connected your ASA devices to the 6500s on a common VLAN and there is a Layer 2 trunk interconnecting your 6500 switches.

Hope this makes sense.

Jon
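The layout srue and Jon describe, written out as a constructed configuration. This is an added example, not configuration posted by anyone in the thread: the VLAN number, interface names, addresses and the failover key placeholder are all assumptions. It shows the two 6500s sharing a GLBP virtual IP on the firewall VLAN and joined by a dot1q trunk carrying that VLAN, each with one access port to one ASA, and the two ASAs in LAN-based active/standby failover with a shared standby address on the inside interface and their default route pointing at the GLBP virtual IP rather than at either switch's real address.

```cisco
! ===== Cat6K-1 (assumed GLBP AVG for the firewall VLAN) =====
! Assumption: VLAN 10 / 192.168.10.0/24 is the ASA inside VLAN
interface Vlan10
 description ASA inside VLAN
 ip address 192.168.10.252 255.255.255.0
 glbp 10 ip 192.168.10.1
 glbp 10 priority 110
 glbp 10 preempt
!
! L2 trunk to Cat6K-2; must carry VLAN 10 for Jon's point 2 to hold
interface GigabitEthernet1/1
 description Trunk to Cat6K-2
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
!
! Access port to ASA-1 inside (GigabitEthernet0/1 on the ASA)
interface GigabitEthernet1/2
 description ASA-1 inside
 switchport
 switchport access vlan 10
 switchport mode access

! ===== Cat6K-2 =====
! Same trunk and access-port config as above (access port goes to ASA-2);
! only the SVI address and GLBP priority differ
interface Vlan10
 description ASA inside VLAN
 ip address 192.168.10.253 255.255.255.0
 glbp 10 ip 192.168.10.1
 glbp 10 priority 100
 glbp 10 preempt

! ===== ASA-1 (primary unit) =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ! Active unit holds .2; on failover the new active unit takes over .2
 ip address 192.168.10.2 255.255.255.0 standby 192.168.10.3
!
! Dedicated failover and stateful-failover links, cabled ASA to ASA
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/2
failover link STATE GigabitEthernet0/3
failover interface ip FOVER 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATE 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover key <shared-secret>
failover
!
! Inside-bound routes use the GLBP virtual IP, not a switch's real SVI address
route inside 10.0.0.0 255.0.0.0 192.168.10.1 1

! ===== ASA-2 (secondary unit) =====
! Only the failover bootstrap is entered here; everything else,
! including the inside interface config, replicates from the primary
failover lan unit secondary
failover lan interface FOVER GigabitEthernet0/2
failover link STATE GigabitEthernet0/3
failover interface ip FOVER 10.255.0.1 255.255.255.252 standby 10.255.0.2
failover interface ip STATE 10.255.0.5 255.255.255.252 standby 10.255.0.6
failover key <shared-secret>
failover
```

To check the result, `show failover` on ASA-1 should report the local unit as Primary - Active and the peer as Secondary - Standby Ready, and `show glbp brief` on both 6500s should show one AVG and two AVFs for group 10. On the switches, `show mac address-table vlan 10` will list the active unit's inside MAC either on the local access port (Cat6K-1) or on the trunk (Cat6K-2), which is the forwarding path Jon describes. On failover the new active unit assumes the active IP and MAC, so the entry simply moves to the other switch's access port; no change to GLBP is needed.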
