Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2275
Views
5
Helpful
4
Replies

Forwarding of VRRP Hello Packets

WelcomEIB
Level 1
Level 1

‎02-19-2021 06:19 AM - edited ‎02-19-2021 06:38 AM

Hi,

 

We have 2 x Cisco ASA 5516-X firewalls in an active/passive implementation. The ISP has provided dual-homed ethernet links which use VRRP. Each ISP link terminates into the outside interface of each firewall. Currently the ISP links are unable to exchange VRRP hello packets. A solution to this is to introduce switches between the firewalls and the ISP links. Other than this approach, is there a way to allow the VRRP process to work with the existing setup i.e. without introducing additional switches? There are no spare interfaces on the firewalls currently. 

 

Diagram attached for reference. 

Labels:
Preview file
6 KB
0 Helpful
4 Replies 4

WelcomEIB
Level 1
Level 1

‎02-19-2021 06:36 AM

 
Preview file
6 KB
0 Helpful

rais
Level 7
Level 7
In response to WelcomEIB

‎02-19-2021 06:46 AM

Will the FW switch from standby to active based on ISP links?

You can use a VLAN on internal switches as an External/ISP VLAN.

HTH

WelcomEIB
Level 1
Level 1
In response to rais

‎02-19-2021 07:03 AM

Thanks for the response. At the moment the firewall config is set to monitor a number of interfaces, including the outside interfaces. But this is just the interface state. 

 

What you've suggested did cross my mind, however I wasn't sure whether or not it's normal practice to terminate a WAN link on an inside switch, even on a separate VLAN. This isn't something I've seen before. Plus it'd mean using 4 "expensive" 10Gb ports and these aren't high density switches. 

0 Helpful

Rob Ingram
VIP
VIP

‎02-19-2021 11:51 AM

@WelcomEIB 

You need layer 2 connectivity. Yes you could do what has been suggested if you didnt want to purchased additional hardware. However it generally isn't recommended, normally you'd expect 2 switches on the outside of the network, between the firewalls and routers. These don't need to be high spec.

0 Helpful
Customers Also Viewed These Support Documents