02-24-2014 03:01 AM - edited 03-11-2019 08:49 PM
Hi,
I need help on the configuration part of the attached FW design, or can anyone suggest what would be the best security design in terms of a DC network?
02-24-2014 04:34 AM
What type of routers are the CE routers?
I am assuming that the ASAs will be configured in an Active/Standby failover?
Is DMZ-2 providing redundancy for DMZ-1?
I would suggest moving the DMZ1 and DMZ2 switches to the N5K switches as this will provide a better HA design. Have a link from both switches go towards each of the N5K switches and then configure those ports in an EtherChannel on the DMZ switches and a vPC on the N5K switches.
Are the L2 switches between the ASA and the CE routers stacked? If not, then I would have two links between the L2 switches configured in an EtherChannel.
Between the ASAs I would use the 10Gb interfaces for failover and state links. Then (depending on how many 10Gb ports you have) I would double up the ports to each switch. Keep in mind this depends greatly on whether the L2 switches are able to be stacked or support vPC or VSS.
--
Please remember to rate and select a correct answer
02-24-2014 05:16 AM
Hi,
Please find my answers below:
Point 1: The router model is 3945E.
Point 2: Yes, I would like to configure the ASA as Active/Standby.
Point 3: Yes, DMZ-1 and DMZ-2 are in the same DMZ stack switches.
Point 4: Moving the DMZ to the N5K (I'm OK with it), but as of now the design has separate DMZ switches.
Point 5: Yes, the L2 SW between the ASA and CE is stacked.
Point 6: For the 10G ports I need to check whether the 5585-X will have one or two 10G ports.
Please let me know if you need any more information.
02-24-2014 05:20 AM
Hi,
Another piece of information: there will be 3 ISPs connected to the CE routers.
02-24-2014 05:47 AM
So there will be a 3rd router or will one of the routers have two ISP connections?
But here is a design I would like you to consider. It is not very different from yours but perhaps seen from another perspective with a few changes.
The routers have a link to the ISPs and one link to the L2 switch stack. One router has a link to one switch, the other router has a link to the second switch. The inside interfaces are configured with HSRP. I suggest not using two links from each router to the switch stack, as bridging the interfaces on the router will add unneeded complexity and make things more difficult to troubleshoot.
The switch stack in turn has two links to each ASA. Each ASA has one link going to each L2 switch and is configured as a port-channel. The ASAs also have 2 links going between them for failover and state. Each ASA has a link that goes to each of the N5K switches and is configured in a port-channel. The Nexus switches are configured with vPC and have 3 links between them; 1 link is for the vPC keepalive and the two others are configured in a port-channel and provide data flow between the switches. Depending on your security requirements, the Nexus switches can be configured with several VRFs. Inter-VRF routing must go through the ASA, but routing within each VRF is allowed without going through the ASA.
From here, the nexus switches have a link to each switch in the DMZ stack and these links are in a vPC on the nexus switches and configured as a portchannel on the DMZ switch stack.
For security, each trunk should have a dedicated unused native vlan and all allowed VLANs should be manually configured to be allowed over the trunk.
--
Please remember to rate and select a correct answer
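The Nexus side of the design described in this post (keepalive link, peer-link, vPC port-channel toward the ASA with a dedicated unused native VLAN, and a server VRF whose only exit is the ASA), written out as an added NX-OS configuration sketch for one N5K. This is example configuration, not from the original thread; interface numbers, VLAN IDs, VRF names and addresses are all assumed.

```cisco
! N5K-1; N5K-2 mirrors this with its own addresses. All VLAN numbers, VRF names and addresses are assumed.
feature vpc
feature lacp
feature interface-vlan
feature hsrp
vlan 10,20,30,100,999
! Third inter-switch link: vPC keepalive in its own VRF
vrf context VPC-KEEPALIVE
interface Ethernet1/1
  no switchport
  vrf member VPC-KEEPALIVE
  ip address 10.255.0.1/30
  no shutdown
vpc domain 10
  peer-keepalive destination 10.255.0.2 source 10.255.0.1 vrf VPC-KEEPALIVE
! The other two inter-switch links form the peer-link, which carries data between the switches
interface Ethernet1/2-3
  channel-group 1 mode active
interface port-channel1
  switchport mode trunk
  vpc peer-link
! One link from each N5K to the ASA, presented as a single vPC port-channel (the DMZ stack is
! attached the same way). Trunk hardening: dedicated unused native VLAN 999, allowed list set by hand.
interface Ethernet1/4
  channel-group 10 mode active
interface port-channel10
  switchport mode trunk
  switchport trunk native vlan 999
  switchport trunk allowed vlan 30,100
  vpc 10
! DMZ VLAN 30 has no SVI here, so the ASA is its only gateway and all DMZ traffic is firewalled.
! Server VRF: VLANs 10 and 20 route to each other directly; anything else follows the VRF default
! route to the ASA over transit VLAN 100, so inter-VRF traffic is always filtered.
vrf context SERVERS-A
  ip route 0.0.0.0/0 10.100.0.1
interface Vlan100
  vrf member SERVERS-A
  ip address 10.100.0.2/24
  hsrp 100
    ip 10.100.0.4
  no shutdown
interface Vlan10
  vrf member SERVERS-A
  ip address 10.10.0.2/24
  hsrp 10
    ip 10.10.0.1
  no shutdown
! Vlan20 follows the same pattern as Vlan10 inside SERVERS-A
```

A second VRF for another server category gets its own transit VLAN and ASA subinterface, so that traffic between the two categories is forced through the firewall policy.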
02-24-2014 06:31 AM
Hi,
As per your design, the ASAs are not cross-connecting to the L2 switches.
Another point as per your design: there will be no security implemented between the internal servers connected directly to the 5K and the DMZ.
Can you check this and suggest.
02-24-2014 06:32 AM
There won't be any 3rd router; it will be like 1:2 or 2:1 connections.
02-24-2014 08:32 AM
"As per your design, the ASAs are not cross-connecting to the L2 switches."
Incorrect, since the switches are stacked they will be seen as one switch with regard to the ASAs. Therefore one cable goes to switch 1, the other to switch 2, but make sure to configure them in the same port-channel.
"Another point as per your design: there will be no security implemented between the internal servers connected directly to the 5K and the DMZ."
Maybe I did not make this very clear in my description above. Keep in mind that this is not a complete design document and you will need to figure out some things for yourself based on your requirements. I am just trying to give you some ideas that you might want to use.
The servers can be placed in either VRFs or in VLANs (again depending on your requirements and the scale of the deployment). I would suggest VRFs. They allow you to route directly between subnets within the same VRF, and then you can force all traffic through the ASA for inter-VRF communication.
If you place the servers in VLANs, then you cannot have SVIs within the same default VRF configured on the N5K switches, as this will be doing the routing between the VLANs.
--
Please remember to rate and select a correct answer
02-24-2014 11:01 PM
Hi,
I would like to implement several VLANs depending on the server categories on both N5Ks with HSRP. What about context configuration on the 5585-X?
02-26-2014 01:54 AM
Hi,
Can you give me a context-based solution for this design?
-> There will be two DMZ networks to be connected via an L2 SW to the FW.
-> Two Internet RTWs connected via an L2 switch. The Internet RTWs are to be connected to 3 different ISPs.
-> Another two MPLS RTWs connected directly to the FW, to be connected to two MPLS service providers.
02-26-2014 02:04 AM
You would not need any contexts on the ASA unless you have specific security requirements that dictate this. You can regulate traffic by using ACLs.
--
Please remember to rate and select a correct answer
02-26-2014 10:35 PM
Hi,
Got it, thanks... I have added another link to the FW for the MPLS link, so I redesigned a little bit. Can you check and help me with how to implement this solution?
Attached is the modified design. In total I think 8 1G ports and 2 10G ports are available on this FW model (5585-X). I think it's sufficient to connect individual links.
Please help me on the configuration part.
02-27-2014 01:28 AM
"In total I think 8 1G ports and 2 10G ports are available on this FW model (5585-X). I think it's sufficient to connect individual links."
You can set it up this way, so that each device has its own port into the ASA. Will the DMZ switches have redundant links to the ASA? Keep in mind that if you do find that you require more ports, a cost-effective way of doing things is to connect the devices to the N5K switches and then have them separated by using either VLANs or VRFs, and then send all traffic through the ASA for filtering.
"I have added another link to the FW for the MPLS link, so I redesigned a little bit. Can you check and help me with how to implement this solution?"
As I mentioned above, I would suggest using the N5K to connect the MPLS routers and then send them through a VLAN to the ASA for filtering. If it is a security requirement that these routers have to be connected directly to the ASA, then there really is no choice but to connect them directly to the ASAs.
--
Please remember to rate and select a correct answer
02-27-2014 02:45 AM
Hi
Thanks for your suggestion,
But as of now I can see there are enough ports in the FW to connect all devices individually, as given below:
1 is going to n5k-1 (inside)
2 is going to DMZ SW (inside-dmz)
3 is going to L2 Sw at Internet side (outside)
4 is going to MPLS RTW ( outside)
5 & 6 are for failover
So I will still have 2 ports extra. So I think it's better to have all links directly connected to the FW. I am thinking from an easy-configuration point of view.
02-27-2014 03:18 AM
If we are following your diagram we are missing two ports, so your ports should be as follows:
1Gb ports
--------------
1 is going to n5k-1 (inside)
2 is going to n5k-2 (inside)
3 is going to DMZ SW (inside-dmz)
4 is going to L2 Sw-01 at Internet side (outside)
5 is going to L2 Sw-02 at Internet side (outside)
6 is going to MPLS RTW ( outside)
10Gb ports
---------------
7 & 8 are for failover
This is fine and you have enough ports for this. I am suggesting using the 10Gb for failover as the state replication will require a high speed link to provide as much of a seamless failover as possible.
--
Please remember to rate and select a correct answer
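The port mapping above, written out as an added ASA 5585-X configuration sketch for the primary unit: LACP port-channels toward the N5K pair and the stacked Internet switches, single links for the DMZ stack and the MPLS router, and the two 10Gb ports as failover and state links. This is example configuration, not from the original thread; interface names, addresses and the failover key are assumed.

```cisco
! ASA 5585-X primary unit; the secondary receives this via failover sync. Addresses and key are assumed.
! Ports 7 and 8 (the two 10Gb ports) carry the failover and state links
interface TenGigabitEthernet0/8
 no shutdown
interface TenGigabitEthernet0/9
 no shutdown
failover lan unit primary
failover lan interface FAILOVER TenGigabitEthernet0/8
failover link STATE TenGigabitEthernet0/9
failover interface ip FAILOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover interface ip STATE 10.255.255.5 255.255.255.252 standby 10.255.255.6
failover key <shared-secret-placeholder>
! Ports 1 and 2: one link to each N5K, bundled as one LACP port-channel (vPC on the Nexus side)
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.0 standby 10.100.0.3
! Port 3: DMZ stack, a single link in this design
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 172.16.10.1 255.255.255.0 standby 172.16.10.2
 no shutdown
! Ports 4 and 5: one link to each Internet L2 switch; the stack presents them as one port-channel
interface GigabitEthernet0/3
 channel-group 2 mode active
 no shutdown
interface GigabitEthernet0/4
 channel-group 2 mode active
 no shutdown
interface Port-channel2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
! Port 6: MPLS router. Same security level as outside, so outside<->mpls traffic is dropped
! unless "same-security-traffic permit inter-interface" and an ACL explicitly allow it
interface GigabitEthernet0/5
 nameif mpls
 security-level 0
 ip address 10.200.0.1 255.255.255.252 standby 10.200.0.2
 no shutdown
! Enable failover last, once both units are cabled and the secondary is configured as "failover lan unit secondary"
failover
```

Every interface carries a standby address so the secondary unit can take over the same addresses on failover, which is what makes the 10Gb state link worth having.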