cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
200
Views
0
Helpful
4
Replies
kapplejacks
Beginner

ASR1001 -> ASA 5555?

Hey network team! 

I was looking at Ciscos high and low level diagrams of networks! Particularly I’m focusing this question on the internet zone! In most diagrams you see a single ingress ISP connect to an ASR (normally two ISP’s via 2 - one link connections to a pair of ASRs, then one down stream link to internet switch stack.) sending data over 1 link down to a switch stack. Then this internet switch down streams to two HA ASA over port channel. 

 

Something similar to this. 

ISP=EPB -> ASR1 -> Inet-S1-g1/0/1->Port channel to primary ASA,

ISP=Wide Open West -> ASR2 -> Inet-S1-g2/0/1-> port channel to secondary ASA 

 

Is the Inet switch really needed if the ASRs are singularly connect to the down stream Inet Switch? In the words of Elon. Simpler is better. Since each ASR has a direct connect can we not simplify by connect ASR1 down stream to ASA-pri and monitor that interface? If the ISP goes down it would trigger a fail over run off the second ASR link while still having updated BGP routes? 

4 REPLIES 4
Jon Marshall
VIP Community Legend

 

If the firewalls are a pair as in your diagram then they need a L2 path between them on the outside for the VIP which is what the switches provide. 

 

Jon

MHM Cisco World
Advocate

config ASR each one connect to one ISP, 
you can config two ASA in HA, 
then config ASA static route toward HSRP of both ASR.
ASR track the ISP to change the priority and elect the active or standby of HSRP group.

balaji.bandi
VIP Guru

Sometimes we call it the best approach, but most of the time we do not need to deploy the best approach due to cost and others.

but we do need to bear in mind, that we are compromising which means if any network or significant issue if the proper device elements are not in place, easy diagnosis issue can be major outage.

 

1. in regards to switch, it is good to have Layer 2 switch between for both the segment visibility.

2. you can also do other approaches by connecting ASR1 to ASR2 directly link to know the visibility of failover and connect to ASA Directly.

 

 

Option1 is easy to deploy.

Option2 bit complicated (I call it over-engineering)

 

You need to Look at HA requirements also for ASA.

I agree simple is best - so I take Option1 as a simple setup. 

 

 

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

paul driver
VIP Expert

Hello

A layer hand off (HO)switch is viable for multiple situation including FW HA Failover
The reason being this FW failover link needs to be able to support a high amount of bandwidth for synchronization of FW configuration and maintaining the stateful and translation tables in case of a failure to either physical FW, So attaching them together via layer 2 switchports in postfast mode is a best practice approach.

 

 


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul