Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
510
Views
10
Helpful
2
Replies

design

elite2010
Level 3
Level 3

‎10-30-2021 11:51 AM

Hi ,

 

 

 

collapsed core.PNG

 

Is it ok the firewall failover link also connects through the core switch?

Does it require a switch between load balancer and firewall? 

AS i don't have my own public  IP , I am using a load balancer in internet zone 

What are the pros and cons for the above design 

Please suggest a better design than the above 

 

Thanks 

 

0 Helpful
2 Replies 2

Georg Pauwen
VIP
VIP

‎10-30-2021 02:16 PM

Hello,

 

--> Is it ok the firewall failover link also connects through the core switch?

 

The following applies with regard to the failover link when you use a switch (as opposed to directly connecting the units with a cable):

 

If you use a switch, make sure there is no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASA.

So, basically, put the failover link in a separate Vlan.

 

Does it require a switch between load balancer and firewall?

 

--> Obviously the load balancer must have a connection to both firewalls. Which load balancer do you have ? If you don't use a switch, you need to connect each firewall to a separate interface on the load balancer. If you use a switch, you only need one interface on the load balancer. 

paul driver
VIP
VIP

‎10-30-2021 03:24 PM - edited ‎10-30-2021 03:25 PM

Hello
Looks okay to me, I assume fws are clustered/HA paring, it is recommended not to have direct connections between the fws (crossovers) and do use switch interconnects (fastest possible) for the FW paring to maintain the stateful information and perform the synchronisation.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card