Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
926
Views
0
Helpful
6
Replies

Redundant etherchannels for ASA 5585X

prabhanjan_hb
Level 1
Level 1

‎08-29-2013 03:12 AM - edited ‎03-11-2019 07:32 PM

Hi there ,  We have procured 2 ASA 5585X units for Active / Standby setup . In the interim we will go with etherchannelling 1 Gig links to upstream 6513 swtiches (non VSS).  Can I have this configuration for resiliency. 

Etherchannel from ASA Primary - Switch 1 & Switch 2

Etherchannel from ASA Standby - Switch 1 & Switch 2

or

Etherchannel from ASA Primary - Switch 1

Etherchannel from ASA Standby - Switch 2

( Failover links between the Firewalls are already configured )

Currently I am reviewing which would be the best way to configure redundancies to upstream switches. Appreciate any suggestions

Thanks

Labels:
0 Helpful
6 Replies 6

Jonathan Woods
Level 1
Level 1

‎08-29-2013 05:57 AM

Since your 6513's are not in a VSS you cannot etherchannel/port-channel a firewall (or any device) split between your two chassis. The only way you can do this in the non-nexus line is to have them in a VSS. Your best bet is to etherchannel firewall 1 to switch1, and firewall 2 to switch 2.

You'll need to make sure that you you have the etherchannel interfaces trigger a failover if one of the switches should die...also be aware, even with a stateful link between firewalls, there will still be short delay between the failure and when traffic starts flowing normally through the secondary firewall.

0 Helpful

prabhanjan_hb
Level 1
Level 1
In response to Jonathan Woods

‎08-29-2013 07:31 AM

Thanks John , do we have any specific features in ASA 5585X to reduce failover delay if one of the upstream switch is down ? . 

Thanks

Prabs

0 Helpful

Jonathan Woods
Level 1
Level 1
In response to prabhanjan_hb

‎08-29-2013 07:37 AM

The delay is not in the failover. The delay is in the traffic flowing through the 6513's now take a different path. I assume you are trunking your 6513's together, and thus that's how you're dual-homing devices to your 6500's and connecting them to same VLAN's?

I've run into this issue many times. Are there active SVI's on the switches, or are the active SVI's on the firewalls themselves (meaning, are you trunking the VLAN's to the firewalls)?

One way of handling this is to put your VLAN SVI's in HSRP between the 6513's, and then create routed links to your Firewalls (utilizing OSPF or EIGRP). That way your routes will change dynamically (almost instantly) with the failure of a switch or a firewall. This way your next hop is covered both directions.

0 Helpful

prabhanjan_hb
Level 1
Level 1
In response to Jonathan Woods

‎08-29-2013 08:19 AM

John ,

Exactly ,this 6513 sits in the aggregation layer & i have SVI's configured with VRFs with HSRP on both the switches.

Using these VRF's i will be routing client specific traffic into the ASAs running with Multiple contexts.

Though i have EIGRP running on these switches with VRF lite , I will be statically routing VRF specific subnets from the switches to specific context on the ASA's .

Thanks

0 Helpful

Jonathan Woods
Level 1
Level 1
In response to prabhanjan_hb

‎08-29-2013 08:21 AM

That will work.

Delay should be minimal or non-existent in that scenario. Just remember you can't cross your etherchannels between chassis.

0 Helpful

prabhanjan_hb
Level 1
Level 1
In response to prabhanjan_hb

‎08-29-2013 08:24 AM

Thanks John, appreciate your response.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card