cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
260
Views
0
Helpful
1
Replies
Highlighted
Beginner

ASA redundant design questions

 

Hi, thanks for your time and knowledge. 

 

I have a topology like below in data center and plan to have a full redundant topology. Currently Primary/Scondary/ASA and another core switch at HQ are running EIGRP. Especially ASA is redistributing all IPsec tunnels (around 70 branches) and remote VPN (10.254.50.0/24) to EIGRP. Blue line is internal and red line is for DMZ, in terms of internal vlans, they are running through EIGRP which means that 

  default gateways for internal vlans are all primary/secondary through HSRP (Virtual IP)

 however for DMZ vlan, it is terminated to ASA interface. for example, from server's perspective, default gateway is not primary/secondary switch, but ASA dmz interface. so servers in DMZ are recognizing Primary/Secondary as L2 switch. 

1111

 

Question 1) According to my research, I need to have HSRP between two switches ====== ASAs. Is it right? I can't run EIGRP? If I can't run EIGRP between four devices, I need to make a lots of static route in ASA for branch offices (70 subnet) and remote VPN user (1 subnet)

 

 

Q2) I like left topology because I don't need to setup redundant interface and less cables. Especially I don't need another IPS sensor (If I choose right topology, I need one more IPS sensor). Also, we don't have VSS between Primary and Secondary (jut trunk) Do you see any problem with left topology? I am ok for couple minutes of downtime due to device failure.

 

Q3) Both ASA inside/DMZ/outside ip address should be identical? except failover interface?  i.e inside of interface ip is 10.254.5.4 now. then this will be both inside IP for Active/Standby? or I need different ip address for all interfaces? 

 

Thanks. 

Everyone's tags (1)
1 REPLY 1
Highlighted
Beginner

What are your devices?

What are your devices?  Router/switches/ASAs?  Your pictures are kind of cut off so it hard to understand your topology.

 

You need to have two Layer3 devices to run HSRP one will be Primary and one would be Standby.  You should be able to run EIGRP on all the devices.

CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey