Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2576
Views
0
Helpful
3
Replies

Recommended resilient topology for 2 X ASA

Go to solution
mrjdh
Level 1
Level 1

‎08-03-2021 01:35 PM

Hello,

 

Bit of a while since I've posted here, need some advice. 

 

I'm revisiting the configuration for an active/standby ASA HA setup, and I don't think I've ever totally nailed a proven, recommended resilient topology when thinking about the links to both core switches. 

 

Came across quite a nice article by Stuart Fordham - https://www.802101.com/cisco-asa-failover-redundant-interfaces-catalyst-hsrp-and-power/, which explains the reason for the extra links etc, and I just wondered whether this is a time proven topology? I realise every scenario/requirement is different, but from a resiliency point of view with the 2 X ASA in place within the network, what is your opinion?

 

Thoughts welcomed. 

 

Thanks. 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-04-2021 12:44 PM

+1 for the use of portchannels.(and, for FTD, interface groups). They will not only add resilience but also make any changes going forward much easier should you wish to add or change physical interfaces.

I have never seen redundant interfaces in use in a production network. I'm sure there's somebody using them somewhere but I've worked on probably close to 1000 ASAs and never seen anyone use them.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Muhammad Awais Khan
Cisco Employee
Cisco Employee

‎08-03-2021 04:27 PM

Hi,

 

Shared design is good to start with but to make it more efficient, we can leverage Portchannels, especially for connection between inside LAN and Core. This will increase the bandwidth and also introduce highavailability and make the design more scalable.

 

I agree with you, every network design is different. If i have to design a DC Network Security Solution, i would leverage ASA/FTD HA Pair with portchannel configured on all or atleast 4-6 interfaces and then leverage sub-interfaces for different security zones. This will make deisgn more flexible and allows us to easily add/remove any service.

 

For Perimeter/Edge Security Firewall design, atleast for LAN, i would leverage Port-channels if possible ( depends on the connected Core Switch whether core switches are virtually/physically stacked ) and may create subinterfaces for different zones.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎08-04-2021 12:44 PM

+1 for the use of portchannels.(and, for FTD, interface groups). They will not only add resilience but also make any changes going forward much easier should you wish to add or change physical interfaces.

I have never seen redundant interfaces in use in a production network. I'm sure there's somebody using them somewhere but I've worked on probably close to 1000 ASAs and never seen anyone use them.

0 Helpful

Go to solution
mrjdh
Level 1
Level 1

‎08-05-2021 10:21 AM

Thanks to you both for the opinion, appreciated.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card