design

elite2010 · ‎10-30-2021

Hi ,

collapsed core.PNG

Is it ok the firewall failover link also connects through the core switch?

Does it require a switch between load balancer and firewall?

AS i don't have my own public IP , I am using a load balancer in internet zone

What are the pros and cons for the above design

Please suggest a better design than the above

Thanks

Georg Pauwen · ‎10-30-2021

Hello,

--> Is it ok the firewall failover link also connects through the core switch?

The following applies with regard to the failover link when you use a switch (as opposed to directly connecting the units with a cable):

If you use a switch, make sure there is no other device on the same network segment (broadcast domain or VLAN) as the failover interfaces of the ASA.

So, basically, put the failover link in a separate Vlan.

Does it require a switch between load balancer and firewall?

--> Obviously the load balancer must have a connection to both firewalls. Which load balancer do you have ? If you don't use a switch, you need to connect each firewall to a separate interface on the load balancer. If you use a switch, you only need one interface on the load balancer.

paul driver · ‎10-30-2021

Hello
Looks okay to me, I assume fws are clustered/HA paring, it is recommended not to have direct connections between the fws (crossovers) and do use switch interconnects (fastest possible) for the FW paring to maintain the stateful information and perform the synchronisation.

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul