Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
705
Views
0
Helpful
5
Replies

ASA active/active - any way to announce a default route?

jkell
Level 1
Level 1

‎03-27-2011 09:32 AM - edited ‎03-06-2019 04:16 PM

I have a pair of ASA 5540s running 8.2(3) in active/active failover mode.  The internal networks are arranged on a /24 subnet "ring" around a central core switch.  The ASAs are connected to a 3750 stack to provide redundant paths for each ASA as well as some direct L2 paths for the higher-traffic nodes on the ring (rather than going through the core switch).

Since the ASAs can't do routing in active/active (last time I checked?) there are 3 options (I know of) to get the default route propagated:

(1) static routes at each node pointing to the ASA inside (gives them a straight hop),

(2) static route in the core pointing to the ASA inside propagated to the other nodes (adds an extra hop and breaks the "direct L2 path" option),

(3) static route in the 3750 stack pointing to the ASA inside, propagated to the other nodes (adds an extra hop),

In case (2) the core switch becomes the default next-hop as propagated by the IGP (EIGRP here).

In case (3) the 3750 stack becomes the default next-hop as propagated by the IGP.

Ideally the ASA could announce the default route to IGP, thus the next-hop would point to the ASA interface.

Is this possible?

Labels:
0 Helpful
5 Replies 5

boss.silva
Level 1
Level 1

‎03-27-2011 10:42 AM

Hi,

Maybe you can "cheat"

Add a static route with a higher administrative distance to the ASA's inside interface, and redistribute it into the IGP. This way the other nodes will get this route as coming from the IGP, and the node itself that is generating this route is not going to use it.

Let me know if that satisfies your question, and rate if correct.

thank you.

0 Helpful

jkell
Level 1
Level 1
In response to boss.silva

‎03-27-2011 11:49 AM

That still announces the next-hop as the originating node, not the ASA address as next-hop.  They all share a common subnet (nodes, core, ASA inside all on same /24 backbone "ring").

0 Helpful

boss.silva
Level 1
Level 1
In response to jkell

‎03-27-2011 11:59 AM

True. Static routes sound to be the best solution for your problem then.

-Bruno Silva.

0 Helpful

jkell
Level 1
Level 1
In response to jkell

‎03-27-2011 12:10 PM 

jkell wrote:
That still announces the next-hop as the originating node, not the ASA address as next-hop.  They all share a common subnet (nodes, core, ASA inside all on same /24 backbone "ring").

More accurately, the node announces the default, and all other nodes correlate that to a next-hop of the announcing node.

I could just form a new L3 subnet from 3750s to the ASA, so the 3750 hop was "required" as the default; but the idea was to allow L2 direct from ASA to any of the routed nodes on the ring.

0 Helpful

boss.silva
Level 1
Level 1
In response to jkell

‎03-28-2011 07:30 AM

I was thinking about this solution...

What i can think of, wouldn't be better to have this ASA in transparent mode, and stick it into the middle of the 3750 and the core, this way all the traffic would be inspected.

Otherwise the only option would be separate this subnet, because this is not a very good design.

-Bruno Silva.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card