
ASA connection to multiple internet circuits

anthonywalters1
Level 1

Hello.

 

I need some help please.

I need to figure out how to set this up.

We are trying to move from a current inefficient setup to a new solution.

 

How can I connect 4 separate internet hand offs on 1 3850 switch?

I have 2 ASA in a failover setup and a 3850 switch.

The 4 100mb circuits are ethernet handoffs.

 

If I connect all 4 into a 3850 switch, how can I make the ASA point to all 4 circuits?

What would I use as the Gateway for the ASA?

This would be simple with one circuit, as the gateway on the ASA would be the IP of the handoff.

 

I was thinking VLANs on the switch. Putting the ASA in one and the 4 circuits in another?

Please help.

I have attached a Visio.

 

Thank you

 

 

 

 

2 Replies

Reza Sharifi
Hall of Fame

Hi,

You would have to bring each connection separately (4) and connect them to your 3850 switch using /30s. Assuming you are using static routes, on the firewall you have to pick one link as your primary with the lowest AD (default) and the other 3 with higher ADs as backups.

The bad thing about this design is that if you lose the 3850 switch, you lose all your circuits.

A better design would be to have redundant switches and have each switch with 2 connections.

The other negative part of this design is that all your circuits are coming from the same provider (Cogent). If this provider has any issues or an outage, you lose all your circuits.

A better design would be to get the circuits from 2 different providers.

HTH

Just to add to Reza's perfect answer:

  1. I think a 3850 is a waste of money to put that device in front of the ASAs. I would use two smaller 8-port-switches to connect to the internet. The ASAs can be connected fully redundant, and the provider-links are connected on both switches with two links each.
  2. As Reza mentioned, the ASA is typically used in a primary/backup fashion if there is more than one internet-link. But you could split the load by not using a default-route, but instead four routes that each handle a quarter of the internet address-space:
    0.0.0.0/2 -> Connection1
    64.0.0.0/2 -> Connection2
    128.0.0.0/2 -> Connection3
    192.0.0.0/2 -> Connection4
    On each connection you also need a default-route with a higher AD for the handling of incoming traffic and for redistributing traffic in the case of link-failures. These can also be controlled with ip sla.
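
As an added illustration (not part of the replies above, and not ASA configuration), this Python model of the routing table from the second reply checks that the four /2 routes cover the whole IPv4 space and shows which link carries a destination when links fail. The link names and the AD values on the backup default routes (10, 20, 30, 40) are assumptions.

```python
import ipaddress

# Constructed model of the routes in the reply above. The link names and the
# AD values on the backup defaults (10, 20, 30, 40) are assumptions.
LINKS = ["Connection1", "Connection2", "Connection3", "Connection4"]
QUARTERS = ["0.0.0.0/2", "64.0.0.0/2", "128.0.0.0/2", "192.0.0.0/2"]
EVERYTHING = ipaddress.ip_network("0.0.0.0/0")


def build_routes():
    """Return (network, link, AD) tuples: one /2 route per link at AD 1,
    plus one floating default route per link with a higher, distinct AD."""
    routes = []
    for i, (prefix, link) in enumerate(zip(QUARTERS, LINKS)):
        routes.append((ipaddress.ip_network(prefix), link, 1))
        routes.append((EVERYTHING, link, 10 * (i + 1)))
    return routes


def covers_all_ipv4(prefixes):
    """True if the prefixes do not overlap and together span 0.0.0.0/0."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    no_overlap = sum(n.num_addresses for n in nets) == EVERYTHING.num_addresses
    return no_overlap and list(ipaddress.collapse_addresses(nets)) == [EVERYTHING]


def egress_link(dst, down=()):
    """Link that carries traffic to dst. Routes on a link listed in `down`
    are withdrawn (as a tracked route is when its probe fails); among the
    rest the longest prefix wins, and the lowest AD breaks ties."""
    addr = ipaddress.ip_address(dst)
    usable = [r for r in build_routes() if r[1] not in down and addr in r[0]]
    if not usable:
        return None  # every link is down
    _net, link, _ad = min(usable, key=lambda r: (-r[0].prefixlen, r[2]))
    return link


if __name__ == "__main__":
    print(covers_all_ipv4(QUARTERS))
    for dst in ("10.1.2.3", "100.64.0.1", "172.16.0.1", "203.0.113.10"):
        print(dst, egress_link(dst), egress_link(dst, down=("Connection4",)))
```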