Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
976
Views
0
Helpful
1
Replies

Two ASA 5510 High Availability, Two 3560x with HSRP.

Go to solution
LuisPantaB
Level 1
Level 1

‎05-29-2014 04:14 PM - edited ‎03-03-2019 07:26 AM

I have two ASA 5510 working on High Availability, and I need to connect them withc two switchs 3560x working with HSRP.  What is the better way to connect them? I try to take High Availability. Do I need to make some aditional configuration?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
SANTHOSHKUMAR SARAVANAN
Level 4
Level 4

‎05-29-2014 08:04 PM

Hi Luis ,

 Are you going to use same 3560X switch for connecting your ASA outside and interface ?? , Are you talking about only inside interface . 

if you are talking about only one segment , they configuration is pretty simple . 

Create Common subnet between ASA & Switches (like 192.168.100.0/28)

ASA primary : 192.168.100. 5 ASA standby :192.168.100.6

Switch 1 : 192.168.100.2 

Switch 2 : 192.168.100.3

VIP address : 192.168.100.1

From 3560 : Point default route/specific which passes via ASA to active IP address of ASA 192.168.100.5 (Primary ASA interface IP address)

From ASA : Point reverse route for network/subnets available on 3560 switch to HSRP IP address of your SVI VLAN : 192.168.100.1

As given below , if your ASA fails or failover traffic will be pointed back to HSRP VIP address (Switch1)

on your switch 1 under HSRP track the interface connecting to ASA 1 , if the connectivity fails you can bring down HSRP Priority and make switch 2 as active , similarly ASA as failover .  

 

ASA (Primary)----->Failover---> ASA(Standby)

|                                                               |

|                                                               |

Switch1----------> L2 Link---------> Switch 2

HSRP VIP

 

HTH
Sandy

View solution in original post

0 Helpful
1 Reply 1

Go to solution
SANTHOSHKUMAR SARAVANAN
Level 4
Level 4

‎05-29-2014 08:04 PM

Hi Luis ,

 Are you going to use same 3560X switch for connecting your ASA outside and interface ?? , Are you talking about only inside interface . 

if you are talking about only one segment , they configuration is pretty simple . 

Create Common subnet between ASA & Switches (like 192.168.100.0/28)

ASA primary : 192.168.100. 5 ASA standby :192.168.100.6

Switch 1 : 192.168.100.2 

Switch 2 : 192.168.100.3

VIP address : 192.168.100.1

From 3560 : Point default route/specific which passes via ASA to active IP address of ASA 192.168.100.5 (Primary ASA interface IP address)

From ASA : Point reverse route for network/subnets available on 3560 switch to HSRP IP address of your SVI VLAN : 192.168.100.1

As given below , if your ASA fails or failover traffic will be pointed back to HSRP VIP address (Switch1)

on your switch 1 under HSRP track the interface connecting to ASA 1 , if the connectivity fails you can bring down HSRP Priority and make switch 2 as active , similarly ASA as failover .  

 

ASA (Primary)----->Failover---> ASA(Standby)

|                                                               |

|                                                               |

Switch1----------> L2 Link---------> Switch 2

HSRP VIP

 

HTH
Sandy

0 Helpful
Customers Also Viewed These Support Documents