Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1457
Views
0
Helpful
4
Replies

When two FTDs in HA connect to respective core/access switches, do those switches also have to be in HA ?

damode
Level 1
Level 1

‎01-31-2021 11:04 PM

 
0 Helpful
4 Replies 4

Mohammed al Baqari
Level 11
Level 11

‎01-31-2021 11:36 PM

Hi,

No they don't

*** please remember to rate useful posts
0 Helpful

damode
Level 1
Level 1
In response to Mohammed al Baqari

‎01-31-2021 11:58 PM

If they dont require redundant switches, then how will the switches provide alternative traffic route ?

Just to add more context, both FTDs (ISA 3000) will be deployed in two different DCs.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to damode

‎02-01-2021 12:14 AM

Typically an HA pair of FTD firewalls (assuming route mode) will share an internal IP address. Whichever one is active will assert ownership of that address (it sends a gratuitous ARP upon failover) and act as the gateway for outgoing traffic. So FTDs across data centers often implies a stretched VLAN. As long as the internal devices can reach the IP address on the active FTD they don't care where it is physically.

You only need your switches to be in a stack or VSS or VPC etc. if you are doing something like Etherchannel or portchannel between the switches and a given FTD appliance.

 

0 Helpful

MHM Cisco World
VIP
VIP

‎02-01-2021 06:22 AM

this design as following 

Dual Core SW connect to Access SW

these Core SW can use HSRP group to load balance.

 

dual Core to dual ASA

config one VLAN in dual Core "don't config SVI"

config ASA inside IP "same VLAN you config in both Core"

 

here traffic will come to Core 1 or Core 2 will be send to ASA active inside IP.  

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card