Switch between ISR and ASA firewall

mohammad saeed · ‎04-09-2018

Hi Guys,

I have two ISR and two FTD firewalls connected directly with each other with redundant links (triangle shape). My question here do I need to put a L2 sw between FTD and ISR instead of directly connection? Is it healthy to do this? Or not needed?

Thanks for all

MK saeed

Mohammed al Baqari · ‎04-09-2018

For full HA you will need two switches then you can have redundant links to
the switches and EtherChannel between the switches. This is the best
practice. Connecting routers and ftds directly isn't good practice as
limits any future expansion

mohammad saeed · ‎04-09-2018

So it's for future expansion reason? but I thunk if I put switch will be a security weakness point?

Dennis Mink · ‎04-09-2018

theoretically yes. you could choose to manage it using and IP address in a VLAN that you stretch into your DMZ. alternatively is you want to be more secure. dont stick an IP address on it at all and manage the switch through console.

Please remember to rate useful posts, by clicking on the stars below.

mohammad saeed · ‎04-09-2018

So it's better like this: ?

ISP----ISR---L2 SW---ASA FTD---Core SW

and L2 sw will harden it with ACL ans SSH to make much secure!

Mohammed al Baqari · ‎04-09-2018

You can also harden the switch to make sure that its secured. Things like
ACLs, access-class, authenticated ntp, ssh only etc