Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3108
Views
0
Helpful
7
Replies

Failover Scenario in ASA

Go to solution
Jacob Samuel
Level 1
Level 1

‎08-06-2011 03:54 AM - edited ‎03-11-2019 02:08 PM

Hi,

I need a small clarification on the belwo issue, related to failover design. kindly fdin teh attahcement, based on the scanrio is it possible to do full mesh connectivity from Core to ASA Inside, as mentioned in red dotted link in the diagram..

Thanks & regards

Sunny

Labels:
Preview file
57 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Jacob Samuel

‎08-07-2011 04:16 AM

Sunny

Bundling physical interfaces into one logical link would still not solve the problem with normal switches. ASA firewalls do now support this although you need the latest code. Cisco call this etherchannel and it has been around for ages with switches but has only recently been added to the ASAs.

However you still get the same issues because with an etherchannel you have to termnate it on the same switch chassis ie. you cannot spread an etherchannel across physical switches except -

1) a 3750 stack. 3750s support MEC which allows you to spread an etherchannel across multiple switches in the stack.

2) Nexus switches support VPc which allows you to spread the etherchannel across 2 chassis

3) 6500 switches running VSS (note you need specific supervisors and linecards for VSS) allow you to create a logical switch from 2 physical switches.

With the above 3 options you can spread an etherchannel across multple switches.

So you could use any of the above three options and etherchannel on the ASA. This way you would be give you some added redundancy because if one link in the eterchannel fails you still have other links in the bundle.

I say could but i have never done any of the above so i couldn't guarantee without testing it would work and there are a few threads on this forum about issues running ASA to VSS. So it maybe that you still could not only run the etherchannel from each ASA to one of the VSS pair and not both.

Jon

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎08-06-2011 06:33 AM

Sunny

Not really no because you couldn't use the same subnet for 2 different interfaces per firewall. So you would need 2 separate subnets and this now presents problems both with routing and firewalling ie. on the core switches you have 2 default-routes pointing to the VIPs of both subnets. Traffic could use one VIP from the 6500 switches to go to the ASAs but how do you guarantee the same interface is used to send traffic back to the 6500 because you would need to. How do setup static NATs etc.

You build redundancy into your network by having multiple paths to the same destination. What your scenario outlines is a failure in both paths. Most redundant networks would struggle to survive that sort of failure.

Jon

0 Helpful

Go to solution
Jacob Samuel
Level 1
Level 1
In response to Jon Marshall

‎08-06-2011 11:30 PM

Hi Jon,

Thanks for the update. but i heard fromsome source that in Juniper, they have the concept of bundeling 2 physical interface as one (like multilink interface), any idea?

thanks again...

regards

Sunny

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Jacob Samuel

‎08-07-2011 04:16 AM

Sunny

Bundling physical interfaces into one logical link would still not solve the problem with normal switches. ASA firewalls do now support this although you need the latest code. Cisco call this etherchannel and it has been around for ages with switches but has only recently been added to the ASAs.

However you still get the same issues because with an etherchannel you have to termnate it on the same switch chassis ie. you cannot spread an etherchannel across physical switches except -

1) a 3750 stack. 3750s support MEC which allows you to spread an etherchannel across multiple switches in the stack.

2) Nexus switches support VPc which allows you to spread the etherchannel across 2 chassis

3) 6500 switches running VSS (note you need specific supervisors and linecards for VSS) allow you to create a logical switch from 2 physical switches.

With the above 3 options you can spread an etherchannel across multple switches.

So you could use any of the above three options and etherchannel on the ASA. This way you would be give you some added redundancy because if one link in the eterchannel fails you still have other links in the bundle.

I say could but i have never done any of the above so i couldn't guarantee without testing it would work and there are a few threads on this forum about issues running ASA to VSS. So it maybe that you still could not only run the etherchannel from each ASA to one of the VSS pair and not both.

Jon

0 Helpful

Go to solution
Jacob Samuel
Level 1
Level 1
In response to Jon Marshall

‎08-07-2011 04:36 AM

Hi Jon,

Thanks a lot for the reply. yes exactly this is waht i was expecting, the Core in VSS and the DMZ is 3750 Stack. Is there any option to get the confige guide for this also would like to know from which version its supports.

Thanks a lot

regards

Jacob

0 Helpful

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame
In response to Jacob Samuel

‎08-07-2011 04:44 AM

Jacob

It was introduced in 8.4(1). There are caveats about which interfaces you can use. From the ASA release notes -

EtherChannel support (ASA 5510 and higher)

You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.

Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.

We introduced the following commands: channel-group, lacp port-priority, interface port-channel, lacp max-bundle, port-channel min-bundle, port-channel load-balance, lacp system-priority, clear lacp counters, show lacp, show port-channel.

We introduced or modified the following screens:
Configuration > Device Setup > Interfaces.
Configuration > Device Setup > Interfaces > Add/Edit EtherChannel Interface.
Configuration > Device Setup > Interfaces > Add/Edit Interface.
Configuration > Device Setup > EtherChannel.

I haven't seen specific config guide for ASA/VSS and i would emphasise i don't know whether it would actually work the way you want.

Jon

0 Helpful

Go to solution
Jacob Samuel
Level 1
Level 1
In response to Jon Marshall

‎08-07-2011 04:50 AM

Thanks a lot Jon for your valuable support, let me also try for some config guide for this.

Thanks & Regards

Jacob

0 Helpful

Go to solution
fashour
Level 1
Level 1

‎04-05-2012 02:54 PM

one thing to remember here is that dynamic routing protocol peering is not supported if you are using the vPC option. you can use that approach if you are doing only static routing.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card