Recommended design for 2x ASA and Cisco Stack

mSumo
Level 1

Hello experts,

I have a general question about what design you would recommend for the scenario below.

I advised the company to replace their current 4 switches (from 3 different brands, and quite old) with 2x Catalyst 2960X-48FPD-L and put them in a stack. Also, as there is a compatibility issue with the VPN between their existing routers (Draytek) and the ASA on the other side of the VPN, we are going to replace those routers as well with ASA 5506-X. I am OK with setting up the switches, as I have some experience with Cisco switches. However, I am not sure about the best way to connect/configure the ASAs.

See the draft design. As you can see, the existing switches do not have any redundancy at all.

[image: NEtwork Design.jpg]

Info:

  • There are two ISPs
  • The ASAs will be configured for HA
  • We will deploy VoIP, so I will create a VLAN for data traffic and a VLAN for voice traffic (currently there are no VLANs in place… no tagging)
  • I am OK with configuring the switches
  • I have very little (almost no) experience with ASA, but I guess it should not be complicated to set them up

My questions:

  • Is it better to create L3 port channels and have the switches route between VLANs?
  • Is it better to create L2 port channels and route between VLANs on the ASAs?
  • There is a VPN that is bound to a particular ISP – is there a way to configure the VPN in such a way that if one ISP is down, the other one will be used instead?
  • Is the design I proposed OK, or would you change anything?

For the ASA, I know what I would like to achieve, but I am not sure how to configure it yet... I will google it once the boxes are with me :)

1 Reply
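As an added example (editor's illustration, not configuration from the original post or the reply), here is one way to lay out the LAN side of the design on the 2960-X stack and an Active/Standby ASA pair. It assumes: inter-VLAN routing stays on the stack, with a dedicated transit VLAN toward the ASA; the pair runs Active/Standby failover; and each ASA has its own single uplink to the stack (ASA-1 to stack member 1, ASA-2 to stack member 2) rather than a bundle spanning both units, because the switch must only ever forward toward the active unit. Where the ASA model supports EtherChannel, each unit could instead bundle one link to each stack member (check the model's interface guidelines; I do not believe the 5506-X supports EtherChannel). Two caveats a practitioner should check: the 2960-X LAN Base image routes only between SVIs, only after `sdm prefer lanbase-routing` and a reload, with static routes only and no routed physical ports, which is why the ASA-facing ports are Layer 2 access ports in the transit VLAN rather than a Layer 3 port-channel; and on a 5506-X running ASA 9.7 or later, Gi1/2 through Gi1/8 sit in a bridge group by default and must be taken out of it before being used as routed interfaces as below. Each ISP handoff also has to be a Layer 2 segment that both units' outside interfaces reach (two more plain VLANs on the stack, or a small switch per ISP); that part is left out here. All VLAN numbers, addresses, hostnames and the failover key are constructed placeholders.

```cisco
! ===== Catalyst 2960-X stack, both members (constructed example) =====
! SVI routing on the LAN Base image; takes effect only after a reload
sdm prefer lanbase-routing
!
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 99
 name TRANSIT-TO-ASA
!
ip routing
!
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
interface Vlan20
 ip address 10.0.20.1 255.255.255.0
interface Vlan99
 ip address 10.0.99.2 255.255.255.0
!
! Off-LAN traffic goes to the ASA pair's inside address; the standby unit
! takes over 10.0.99.1 on failover, so this route never has to change.
ip route 0.0.0.0 0.0.0.0 10.0.99.1
!
! User ports on both members: data untagged, voice tagged on VLAN 20
interface range GigabitEthernet1/0/1 - 44 , GigabitEthernet2/0/1 - 44
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 spanning-tree portfast
!
! ASA-1 inside on member 1, ASA-2 inside on member 2: losing a member
! drops that ASA's inside interface, which triggers failover to the other unit
interface GigabitEthernet1/0/48
 description ASA-1 inside (Gi1/2)
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
interface GigabitEthernet2/0/48
 description ASA-2 inside (Gi1/2)
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
!
! ===== ASA-1, primary unit (constructed example) =====
hostname asa-1
interface GigabitEthernet1/1
 nameif outside-isp1
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
 no shutdown
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.99.1 255.255.255.0 standby 10.0.99.3
 no shutdown
interface GigabitEthernet1/8
 description failover and state link, cabled directly to ASA-2 Gi1/8
 no shutdown
!
! Active/Standby with stateful failover over the dedicated link; the key
! authenticates failover messages between the units (placeholder, change it)
failover lan unit primary
failover lan interface FOLINK GigabitEthernet1/8
failover link FOLINK GigabitEthernet1/8
failover interface ip FOLINK 10.0.250.1 255.255.255.252 standby 10.0.250.2
failover key CHANGE-ME-failover-secret
failover
!
! Return routes for the user VLANs point at the stack's transit SVI
route inside 10.0.10.0 255.255.255.0 10.0.99.2
route inside 10.0.20.0 255.255.255.0 10.0.99.2
!
! ===== ASA-2, secondary unit: bootstrap only, it syncs the rest from ASA-1 =====
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet1/8
failover link FOLINK GigabitEthernet1/8
failover interface ip FOLINK 10.0.250.1 255.255.255.252 standby 10.0.250.2
failover key CHANGE-ME-failover-secret
failover
```

With this layout the switch-to-ASA hop is a plain static route in each direction, so nothing on the stack changes when the units fail over: the active unit simply answers for 10.0.99.1. Verify with `show failover` on the ASA (both units should show the same configuration and the standby as "Standby Ready") and `show ip route` on the stack, then test by shutting the stack port facing the active unit and confirming the other unit goes active.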

Deepak Kumar
VIP Alumni

Hi,

What is your requirement? Do you want to keep the ASAs in HA? I hope HA is a good solution, which also provides you ASA redundancy. If one ASA goes down, then the other ASA will take care of the responsibilities of the failed ASA and operation will continue smoothly without user complaints.

My notes:

1. You must keep the ASAs in Active-Active mode or Active-Passive mode.

2. If you move the ASAs into HA mode, then your port-channel configuration will change, as one port-channel bundle will have one port from ASA1 and the other from ASA2. (If you want full redundancy, then keep all four ports in a single port-channel.)

3. Keep VLAN routing on the core switches only. Don't extend VLAN routing to the ASA.

4. For the port-channel between the ASA and the switch, try to keep it Layer 3; otherwise you can go with an SVI as well.

Here are the VPN failover configuration examples:

https://learningnetwork.cisco.com/blogs/vip-perspectives/2018/07/27/cisco-asa-site-to-site-vpn-failover

http://www.techspacekh.com/configuring-failover-site-to-site-vpn-on-cisco-routers/

https://community.cisco.com/t5/vpn-and-anyconnect/cisco-asa-dual-isp-vpn-redundancy/td-p/1723979

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment helps you!
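As an added example (editor's illustration, not configuration from the thread or from the linked articles), here is the dual-ISP part of the ASA side: the default route follows an IP SLA probe through ISP1 and falls over to a floating route via ISP2, and the same crypto map is applied to both outside interfaces so the site-to-site tunnel is built from whichever interface currently holds the default route to the peer. It assumes ASA 9.x with IKEv2, interfaces named `outside-isp1`, `outside-isp2` and `inside`, user VLANs 10.0.10.0/24 and 10.0.20.0/24 behind `inside`, and a remote peer that is configured to accept either of our public addresses (on another ASA that means listing both addresses under `set peer`, which for IKEv2 needs 9.14 or later; with older code use IKEv1 there). ISP1 198.51.100.0/29, ISP2 203.0.113.0/29, the probe target 198.51.100.53, the remote peer 192.0.2.10, the remote LAN 192.168.50.0/24 and the pre-shared key are all constructed placeholders.

```cisco
! ===== ASA dual-ISP route tracking and VPN on either ISP (constructed example) =====
interface GigabitEthernet1/1
 nameif outside-isp1
 security-level 0
 ip address 198.51.100.2 255.255.255.248 standby 198.51.100.3
 no shutdown
interface GigabitEthernet1/3
 nameif outside-isp2
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
! Probe a host beyond ISP1 (placeholder; pick something that reliably answers
! ICMP) every 10 s; when it stops answering, track 1 goes down
sla monitor 1
 type echo protocol ipIcmpEcho 198.51.100.53 interface outside-isp1
 num-packets 3
 frequency 10
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
!
! Primary default route is withdrawn when track 1 is down; the floating
! route via ISP2 (metric 254) then takes over
route outside-isp1 0.0.0.0 0.0.0.0 198.51.100.1 1 track 1
route outside-isp2 0.0.0.0 0.0.0.0 203.0.113.1 254
!
object-group network LOCAL-LANS
 network-object 10.0.10.0 255.255.255.0
 network-object 10.0.20.0 255.255.255.0
object network REMOTE-LAN
 subnet 192.168.50.0 255.255.255.0
!
! NAT exemption for tunnel traffic and PAT for internet traffic, on both ISPs,
! so the rules match whichever interface the route lookup picks as egress
nat (inside,outside-isp1) source static LOCAL-LANS LOCAL-LANS destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside-isp2) source static LOCAL-LANS LOCAL-LANS destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
nat (inside,outside-isp1) after-auto source dynamic any interface
nat (inside,outside-isp2) after-auto source dynamic any interface
!
! IKEv2 site-to-site tunnel; one crypto map bound to both outside interfaces
crypto ikev2 policy 10
 encryption aes-256
 integrity sha256
 group 14
 prf sha256
 lifetime seconds 86400
crypto ipsec ikev2 ipsec-proposal AES256-SHA256
 protocol esp encryption aes-256
 protocol esp integrity sha-256
access-list VPN-TO-BRANCH extended permit ip object-group LOCAL-LANS object REMOTE-LAN
crypto map VPN-MAP 10 match address VPN-TO-BRANCH
crypto map VPN-MAP 10 set peer 192.0.2.10
crypto map VPN-MAP 10 set ikev2 ipsec-proposal AES256-SHA256
crypto map VPN-MAP 10 set pfs group14
crypto map VPN-MAP interface outside-isp1
crypto map VPN-MAP interface outside-isp2
crypto ikev2 enable outside-isp1
crypto ikev2 enable outside-isp2
tunnel-group 192.0.2.10 type ipsec-l2l
tunnel-group 192.0.2.10 ipsec-attributes
 ikev2 remote-authentication pre-shared-key CHANGE-ME-psk
 ikev2 local-authentication pre-shared-key CHANGE-ME-psk
```

Check the state with `show track 1`, `show route` and `show crypto ikev2 sa`, then test by unplugging ISP1: the default route should move to `outside-isp2` after the probe fails, and the next packet matching `VPN-TO-BRANCH` should bring the tunnel up from 203.0.113.2. Expect a short outage at each switchover, including the switch back: when ISP1 returns the route flips back, but a security association already built via ISP2 stays until it expires or is cleared with `clear crypto ikev2 sa`, and a remote peer using backup peers behaves the same way in reverse.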