Design of ASA failover A/S

ahmedzniti · ‎02-13-2013

Hello

I have 2 FW ASA 5520 and i would like to connect each asa in cisco access switch then to configure a failover active standby and noted there is not a redundancy switch (hsrp not configured) ,its possible to do that ?

thanks

Andrew Phirsov · ‎02-13-2013

Surely it's possible. Redundant interfaces of each asa should be on the same l2 segment. HSRP is not related here.

ahmedzniti · ‎02-13-2013

Thanks for your reply and i want to know the difference between licences contains Active/Active and licences Active/Standby

and the steps to activate it in the two scenario

Regards

Jouni Forss · ‎02-13-2013

Hi,

I'm not sure if I understood the question correctly but I will try to answer.

It all comes down to how far you want or can take the redundancy of your network.

Nothing stops you from using a ASA Failover pair with only one switch. You could have the ASA Failover pair but not use redundant switches/routers but naturally the only thing that could withstand a device failure or other similiar problem would be the ASAs. If a switch or router broke the ASA Failover pair wouldnt help you much.

On the other hand you could have Failover ASAs and redundant switches and still for example your Internet connection/router failing would still mean that nothing works (Other than the LAN ofcourse)

And also you could have Failover ASAs, redundant core routers/L3 switches and redundant Internet router/L3 switch with dual ISP or dual WAN connections from same ISP. Even then there might be possible that some single failing device might cause problems.

The typical Failover setup we do would probably be something like this

ASA Failover pair
L3 switch stack as Internet Router
L3 switch stack or 4500/6500 as Customer LAN core
2 WAN connections on the Internet Router (Typically our own terminated through different path to different ISP Core)

- Jouni