Connection Between Core and Firewall

adamgibs7 · ‎09-26-2018

Dears,

Please find the attached

Please suggest when 6509 are in VSS mode how the connection should be. The access switch is connected to both core with Multi chassis Ether channel, ,,, the user traffic is hash in default algorithm of the port channel, src dst ip

how the traffic flow will be when the connection are according to the Diagram A and how the flows will be when it is according to the Diagram B

AND

Thanks

balaji.bandi · ‎09-26-2018

Is the FW are in Cluster mode Active / Active or Active / Standby? 2nd one give you more High availability in terms of failure scenarios.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

adamgibs7 · ‎09-26-2018

firewalls are in active / standby mode

balaji.bandi · ‎09-26-2018

Look at good CVD document, for your reference.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/ha-cluster.pdf

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎09-27-2018

Hi,
If the ASA's are active/standby then in either scenario (diagram A or B) traffic would not be routed via the FW-B, if it is still standby/secondary. So in diagram A if the traffic originated on Core 2 the traffic would cross the link to Core 1 and then to the FW-A. In Diagram B ideally you'd configure the ASA's to be members of a port-channel, traffic would then go directly from Core 1 to FW-A or from Core 2 to FW-A. Diagram B is the better design.

HTH

adamgibs7 · ‎09-29-2018

Dears,

thanks to both of you and +5 to you both,

clustering is different concept than a active/standby or active/active.

thanks

Peter Koltl · ‎10-01-2018