08-01-2022 01:59 AM
Hello guys,
I have a problem with ASA. I attached the topology of the network. Now we have 2 core switches which are route within VLAN-s. Now I have to insert in these topology 2 ASA (active/standby). The goal is that the 2 ASA control the traffic beetween the VLAN-s instead of core switches (eliminate IP routing in the core switches) but ASA allow all traffic from and to the internet (The ASA doesnt have to filter the traffic of internet, only filter traffic beetween VLAN-s) . The question is what is the best choice to insert the two ASA in the topology with minimal modification of the topology and the configuration of the 2 core switches and how configure the interfaces of the ASA. Please help me.
08-01-2022 01:59 PM
I thing the best of logical connection ,
the ASA be between the router & Core
in core the default route to ASA , or you can create the VLANs on ASA (Sub-interface)
on ASA you can control the traffic between VLANs & internet by QOS of service policy
08-01-2022 11:46 PM
Thank you for your reply. What do you think what is the better solution? Route all VLAN subnets from core to ASA, on ASA control the traffic beetween VLAN-s and route back the VLAN-s to core, or create VLAN-s on ASA?
08-02-2022 04:31 AM
On ASA more security and more centralized with control,
but however that depends on business need and importance.
for example in my Co we created almost VLAN on ASA as I.T, finance , Guest , Management ...etc
but we create some VLAN on Core as internal machine likes printer , fingerprint , Cameras & some Departments.
08-02-2022 06:00 AM
Okay, but you also control the traffic of printer, fingerprint, cameras. etc on ASA ?
08-02-2022 10:56 AM
that's depends on the destination ,
the internet & VLAN created on ASA , the Packets will pass through ASA.
from any VLAN created on Core to any VLAN created on Core , the packets not pass through ASA.
08-02-2022 02:03 PM - edited 08-02-2022 02:03 PM
@W-ALI wrote:
on ASA you can control the traffic between VLANs & internet by QOS of service policy
Qos does not control routing path selection, it can however classify, mark police & shape traffic based on polcy
08-02-2022 02:32 PM
@paul driver wrote:
Qos does not control routing path selection, it can however classify, mark police & shape traffic based on polcy
yes, that's what I mean, control the traffic by service policy rule
08-02-2022 12:41 PM
config the Edge SW have two three interface
ONE Connect to ISP
two other connect one for Active other for standby ASA
finally you will get two OUT for active ASA you can use load by PBR or use primary/backup ISP
for ASA OUT we talk about for IN
config all VLAN with default GW point to Active ASA IN interface,
make L2 SW connect to IN of both ASA
and that it.
08-02-2022 02:06 PM
Hello
08-04-2022 02:35 AM
Hello Paul,
Thank you for your reply, I understand this solution. I try to find a solution which require the minimal change of the current configuration of the core switches because these network has to work continously. So what is your opinion about this solution? WIll it work?
1. disable all VLAN3 interface on the core stack, except the default LAN.
2. attach the ASA cluster to the core stack via default LAN L3 interface
3. disable IP routing on core stack
4. route all traffic to ASA cluster
5. control traffic beetween VLAN-s on ASA by access policies
6. Route back the VLAN subnets from ASA to core stack
7. Route all other traffic from ASA to internet router
Tibor
08-10-2022 05:15 AM
Hello Paul
Any response?
Tibor
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide