Help with ASA stateful failover configuration for a novice.

mdschofield
Level 1

Mike here. I'm a (very) junior engineer and I've been asked to configure a failover solution for our ASAs. A more experienced engineer recommended the attached design (or at least my novice interpretation of it).

I appreciate any and all input. This is all VERY new to me.

We're down to one physical interface available on each ASA so both state and failover links need to pass on this single physical interface for both firewalls up to core switches.

My initial thought is this:

Create layer 2 VLANs on both of the cores, one each for the state link and the failover link.

Trunk both of those VLANs to each firewall (and between the cores themselves).

Create sub-interfaces on both firewalls, using the one physical interface that I have left.

Tag each sub-interface on the firewall with the corresponding state or failover VLAN.

Complete the failover configuration (including state), pointing to the correct sub-interface for each.

Some questions:

Can/should we use sub-interfaces to carry separate failover and state-link traffic?

Can we tag VLAN information on those sub-interfaces so that the cores can carry them across trunks to each other?

Is it more elegant to just carry both failover and state link on the same interface/subnet?

If we use two separate sub-interfaces for failover/state, can you assign an address to the state-link interface?

Initial thought for config on the firewall(s):

conf t
clear configure interface gigabitEthernet 0/3
!
interface GigabitEthernet0/3
description NAME=n-dfw1-1ab22=sc1 IP=192.168.10.250 IF=eth1/39
no nameif
security-level 100
no ip address
end
!
conf t
interface GigabitEthernet0/3.1051
description Firewall State link
vlan 1051
end
!
conf t
interface GigabitEthernet0/3.1052
description Firewall Failover link
vlan 1052
end
!
conf t
failover lan interface failover GigabitEthernet0/3.1052
failover interface ip failover 192.168.10.169 255.255.255.248 standby 192.168.10.170
failover key FAILOVERKEY1
failover lan unit primary
failover link failover GigabitEthernet0/3.1051

(do we get primary/standby address assigned to this?)

EDIT:

I just found this configuration:

failover lan unit primary
failover lan interface folink gigabitethernet0/3
failover interface ip folink 172.27.48.1 255.255.255.0 standby 172.27.48.2
interface gigabitethernet 0/3
no shutdown
failover link statelink gigabitethernet0/4
failover interface ip statelink 172.27.49.1 255.255.255.0 standby 172.27.49.2
interface gigabitethernet 0/4
no shutdown
failover ipsec pre-shared-key a3rynsun
failover

So maybe something like this for me:

conf t
clear configure interface gigabitEthernet 0/3
!
interface GigabitEthernet0/3
description NAME=n-dfw1-1ab22=sc1 IP=192.168.10.250 IF=eth1/39
no nameif
security-level 100
no ip address
end
!
conf t
interface GigabitEthernet0/3.1051
description Firewall State link
vlan 1051
end
!
conf t
interface GigabitEthernet0/3.1052
description Firewall Failover link
vlan 1052
end
!
conf t
failover lan interface failover GigabitEthernet0/3.1052
failover interface ip failover 192.168.10.169 255.255.255.248 standby 192.168.10.170
failover key FAILOVERKEY1
failover lan unit primary
failover link state GigabitEthernet0/3.1051
failover interface ip state 192.168.10.177 255.255.255.248 standby 192.168.10.178
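Added example, not part of the post or of any Cisco tooling: a small Python linter that reads a failover plan like the one above and checks the things that are easy to get wrong on paper: that each failover/state link name points at a tagged sub-interface, that the two links sit on different VLANs and non-overlapping subnets, that the standby address falls inside the active address's subnet, and that a failover key (or IPsec pre-shared key) is present so the failover and state traffic is not sent unauthenticated. ASA_PLAN is a constructed sample built from the post's own config; the function names are mine.

```python
import ipaddress
import re
from itertools import combinations
# Constructed sample: the failover plan from the post, not a production config.
ASA_PLAN = """
interface GigabitEthernet0/3.1051
 vlan 1051
interface GigabitEthernet0/3.1052
 vlan 1052
failover lan interface failover Gigabit0/3.1052
failover interface ip failover 192.168.10.169 255.255.255.248 standby 192.168.10.170
failover key FAILOVERKEY1
failover link state GigabitEthernet0/3.1051
failover interface ip state 192.168.10.177 255.255.255.248 standby 192.168.10.178
"""

def _port(name):
    """Reduce 'GigabitEthernet0/3.1052' or 'Gigabit0/3.1052' to '0/3.1052'."""
    m = re.search(r"(\d+/\d+(?:\.\d+)?)$", name)
    return m.group(1) if m else name.lower()

def lint_failover_plan(text):
    """Return a list of findings; an empty list means the plan is consistent."""
    subifs, links, nets, findings, cur = {}, {}, {}, [], None
    for line in text.splitlines():
        line = line.strip()
        if m := re.match(r"interface (\S+)$", line):
            cur = _port(m.group(1))
        elif m := re.match(r"vlan (\d+)$", line):
            subifs[cur] = int(m.group(1))            # port -> 802.1Q tag
        elif m := re.match(r"failover (?:lan interface|link) (\S+) (\S+)$", line):
            links[m.group(1)] = _port(m.group(2))    # logical name -> port
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            name, ip, mask, sby = m.groups()
            net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
            if ipaddress.ip_address(sby) not in net:
                findings.append(f"{name}: standby {sby} is outside {net}")
            nets[name] = net
    for name, port in links.items():
        if port not in subifs:
            findings.append(f"{name}: {port} is not a tagged sub-interface")
    tags = [subifs[p] for p in links.values() if p in subifs]
    if len(tags) != len(set(tags)):
        findings.append("failover and state links share a VLAN")
    for (a_name, a), (b_name, b) in combinations(nets.items(), 2):
        if a.overlaps(b):
            findings.append(f"{a_name} {a} overlaps {b_name} {b}")
    if not re.search(r"^failover (?:key|ipsec pre-shared-key) \S+", text, re.M):
        findings.append("no failover key: failover and state traffic would be unauthenticated")
    return findings
```

Run it against the plan with `lint_failover_plan(ASA_PLAN)`; the post's addressing (192.168.10.168/29 for failover, 192.168.10.176/29 for state) comes back clean, and any edit that reuses a VLAN, overlaps the subnets, or drops the key is reported.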