Hi Jon,

Thanks for the response! To answer the queries -

1) Yes, the ASA's will perform all our NAT requirements. I'm triple checking with our ISP on their routing so thanks for highlighting.

2) ASA wise we have a bunch of sub interfaces for VLANs so were intending to do something like the below (not sure if HA is posible with the redundant links as per a quick config example?). That was one of my concerns about traffic going across the interconnect as it would choke to 100Mb instead of the 1Gb uplinks being used everywhere else, but does confirm my understanding of how the traffic would flow if an ISP router fails so thankyou.

ASA1 Example-
interface redundant 1
 member-interface e0
 member-interface e1
 nameif outside
 security-level 0
 ip address 1.1.1.12 255.255.255.248 standby 1.1.1.13

interface redundant 2
 member-interface e2
 member-interface e3
 nameif inside
 security-level 100
 ip address 10.2.2.1 255.255.255.252 standby 10.2.2.2
!
interface redundant 2.x
 nameif vlanx
 vlan x
 security-level 100
 ip address x.x.x.x x.x.x.x
!
​interface redundant 2.y
 nameif vlany
 vlan y
 security-level 100
 ip address y.y.y.y y.y.y.y
!
failover lan unit primary
failover lan interface FAILOVER Management0/0
failover key blah
failover link FAILOVER Management0/0
failover interface ip FAILOVER 10.1.1.1 255.255.255.252 standby 10.1.1.2
monitor-interface outside
monitor-interface inside

If everything still looks ok I guess my last query would be how does failover initiate with the redundancy? Does it flip if one interface in the pair goes down or it waits till both?

Thanks again.

That was one of my concerns about traffic going across the interconnect as it would choke to 100Mb instead of the 1Gb uplinks being used everywhere else, but does confirm my understanding of how the traffic would flow if an ISP router fails so thankyou.

Just to clarify, I meant the interconnect between the switches and not between the firewalls in case that was what you were talking about.

As far as failover goes I have never used the redundant interface feature as I never needed to so I'm not sure but I remember the configuration guides do mention it, I have just forgotten it :-)

I wouldn't have thought it failed over if one of the redundant pair failed though as then I can't see the point of using redundant interfaces if you see what I mean.

Where I think redundant interfaces are really useful is for example you have one firewall connected to a switch. That would give you protection from an interface failure.

The way I did it with a failover pair was to simply connect the active firewall to one switch and the standby firewall to the other.

You still get failover if either an interface on the firewall or the whole firewall fails but looking at your diagram in certain circumstances that could mean the traffic from the standby firewall has to go across the switch interconnect to get to the HSRP active switch whereas with your setup using redundant links it could go direct.

I'm not saying you shouldn't use them, just that I can't see a huge advantage assuming that the switch interconnect is the same speed as all the other connections.

I'll have a bit more of a think about it and go through some failure scenarios but I think it would work either way.

Jon

Hi Jon,

Thanks again for the insights, linking the firewalls direct to each switch probably does make more sense / simplifies the setup I may have just been over zealous on resilience options :)

The interconnect between our two 3560's is the 100Mb choke point, initially I don't see this as an immediate problem as we only have a 100Mb pipe on a 1Gb bearer. With the 2/4 hour SLAs on the equipment it's a minor choke area as we also don't have any particular SLAs we're bound to for service provided (from a guaranteed bandwidth perspective).

Hoping to get it configured in a test environment to confirm before the weekend. At least a little more confident now that I wasn't going mad!

Thanks.