Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2576
Views
0
Helpful
4
Replies

Cisco ASA ACTIVE/PASSIVE Failover with OSPF Peering - Best Practices

Andrew4728
Level 1
Level 1

‎06-18-2012 08:55 PM - edited ‎03-11-2019 04:20 PM

I've been searching the web trying to find some answers regarding best practices when it comes to ASA Active/passive failover with OSPF.

We have pairs of 5520s and 5540s connected to pairs of nexus 7ks and 6500 switches.  The ASAs plug into switchports on the same VLAN, and peer with OSPF to the SVI on the switches.  This is working fine, but the problem I am running into is the 2 switches are peering with OSPF across the layer 2 link.  We prefer the switches to only peer across a seperate L3 link we have between the switches.

How would one go about preventing the switches from peering across the L2 link, but the active ASA continue to peer with both switches?

Anyone have links to any best practices documents that go into further detail of deploying ASA active/passive failover with OSPF?

Thank you for your help!

Labels:
0 Helpful
4 Replies 4

Andrew4728
Level 1
Level 1

‎06-19-2012 05:21 PM

Nobody? How do you have your active/standby asas setup with ospf?

Sent from Cisco Technical Support iPhone App

0 Helpful

Josh Sprang
Level 1
Level 1

‎06-19-2012 08:26 PM

Since the active Asa in a cluster keeps the same ip address and Mac address regardless of which physical is active, i think the switchports to both active and standby have to be l2 adjacent. I usually recommend a wan edge switching fabric and offload this from the core so you can bridge the vlan there between Asa clusters, and keep your core l3 peered to the Asa. Hth

Sent from Cisco Technical Support iPad App

0 Helpful

Andrew4728
Level 1
Level 1

‎06-19-2012 09:43 PM

We do have wan switches, but arnt running routing protocols on outside.. We have ospf between the LAN switches and the asa to dynamically advertise routes to remote vpn sites.. The problem im trying to find a solution to is our lan switches peering with each other through the svis over the layer 2 link...

Any thoughts? Been mulching through every cisco doc i can find and havent found an answer yet

Thanks guys!

Sent from Cisco Technical Support iPhone App

0 Helpful

tombell01
Level 1
Level 1
In response to Andrew4728

‎06-27-2012 12:06 AM

Hi,

I have run into this same problem.  A suggestion I had from a colleague was to configure the SVI OSPF network type to non-broadcast, and then configure static neighbours with the firewall from the switches.  I was going to give this a try but if you are willing to be the guinea pig then I'll happily let you road-test it for me!

Regards,

Tom

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card