We are in the process of replacing a very old core router that works as the network's default gateway:
network: 10.1.0.0/16 (flat, no VLANs)
ASA SSL VPN remotepool: 188.8.131.52/24
All the router does here is be the default gateway for the network and send all traffic out to the firewall with a static route (it used to route to remote sites too). That includes the SSL VPN remotepool subnet:
ip route 0.0.0.0 0.0.0.0 ASAinsideipaddr
ip route 184.108.40.206 255.255.255.0 ASAinsideipaddr
So I've been thinking of replacing the router with two layer 3 switches for redundancy and future-proofness:
And just realised i'm a but rusty with layer 3 switch routing.
Now my question is, if i configure these switch ports as routed ports they cannot belong to the same network, correct?
I would have to configure a single VLAN 1 on the switch for the 10.1.0.0/16 subnet but would i also have to tag the ports as belonging in VLAN1 or simply add a default route to the firewall's interface? How would this work? If all ports are switch ports and the VLAN is in the 10.1.0.0/16 subnet then i would only need to add a single static route to send remotepool traffic out to the ASA's inside interface?
These LAN connections would be connecting to a HPE switch stack so RSTP would also be needed.
Which makes me think, is it worth using the ASAs as the default gateway instead for now to simplify things and look to buy layer 3 switches only if we decide to split the network into VLANs? The userbase is somewhere between 100-150 users.
In which case, is there anything i should be aware of when using the ASA as the network's default gateway? I assume the ASA would not need any additional routing done to connect the inside interface 10.1.0.x/16 to the remotepool clients.
you don’t really need to use hrsp depending switch type you can just use say two stackable 2960x for example in a stack with a default route pointing to the asa HA
I am assuming the Asa’s are HA failover and as such just have each individual asa inside interfaces (and outside if applicable -in different L2 vlan access ports) attach to either one of the physical switches in this stack - HA failover will do the rest.
Please rate and mark as an accepted solution if you have found any of the information provided useful. This then could assist others on these forums to find a valuable answer and broadens the community’s global network.