cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1080
Views
0
Helpful
1
Replies

redundant uplink: connect it directly to active/standby ASA ports?

Dear community,

I have a physical cabling question, not sure whether to put it under security or under switching...

in our co-location, we have a redundant internet uplink from the ISP. At the moment those uplinks are connected to our switch-stack and one port is in alternate blocked state (via STP). We will install two ASA 5515-X in active/standby failover mode in a couple of weeks.

Is it a good idea to connect the internet uplink cables physically to the two ASAs? That would save some switchports and eliminates the possibility to configure a switchport into the outside vlan by accident. (One context of the ASAs works as transparent FW). In my opinion if one uplink switch goes down, the ASA would make a failover within seconds and so it should be the same redundancy as we have with STP.

Or does it make more sense to keep it like it is right now: Both uplinks directly connected to different switches of our stack and the ASA's outside interface also connected to two switches?

Any ideas or suggestions?

Thanks in advance!

Best regards,

Alex

1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

Personally I always try to go via switches. It gives you additional redundancy and more flexibility in setting up your HA scheme.

Yes, if you don't have dedicated outside swithces you could possibly configure an inside host port in the outside VLAN. Good change control and configuration managment minimize the chance of that. Even if you do it, it shouldn't work as there should not be the expected L3 gateway or DHCP server on that outside VLAN.

Ideally, the ASAs each have an outside and an outside2 interface. An ipsla operation is tracking the reachability of the upstream ISP gateway IP address (or a further upstream well-know Internet-based resource) and in the event that it becomes unreachable it changes the default route via a track option in the routing command.

Of course that's in addition to the ASA-ASA failover interface monitoring which is one of the several ongoing checks to establish and verify the health of the standby ASA.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: