cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1456
Views
0
Helpful
4
Replies

When two FTDs in HA connect to respective core/access switches, do those switches also have to be in HA ?

damode
Level 1
Level 1
4 Replies 4

Hi,

No they don't

*** please remember to rate useful posts

If they dont require redundant switches, then how will the switches provide alternative traffic route ?

Just to add more context, both FTDs (ISA 3000) will be deployed in two different DCs.

Typically an HA pair of FTD firewalls (assuming route mode) will share an internal IP address. Whichever one is active will assert ownership of that address (it sends a gratuitous ARP upon failover) and act as the gateway for outgoing traffic. So FTDs across data centers often implies a stretched VLAN. As long as the internal devices can reach the IP address on the active FTD they don't care where it is physically.

You only need your switches to be in a stack or VSS or VPC etc. if you are doing something like Etherchannel or portchannel between the switches and a given FTD appliance.

 

this design as following 

Dual Core SW connect to Access SW

these Core SW can use HSRP group to load balance.

 

dual Core to dual ASA

config one VLAN in dual Core "don't config SVI"

config ASA inside IP "same VLAN you config in both Core"

 

here traffic will come to Core 1 or Core 2 will be send to ASA active inside IP.  

Review Cisco Networking for a $25 gift card