02-22-2010 03:01 PM - edited 03-06-2019 09:50 AM
Hi All,
I was hoping someone could help me with my questions.
I need to set up some redundancy for a network. I have Firewall and server experience but not so much with switches.
I have;
2 internet links
2 ASA 5510's
2 3750 switches
and some dual homed servers.
I plan on setting up the ASAs in an active/passive configuration and use redundant interfaces with tracking so that I can fail over to my backup internet if need be.
What I'm not 100% sure about is how to go about setting up the switches for redundancy.
From my understanding I can stack them and connect one interface from each server to each switch.
However in this scenario how would I go about connecting my FWs up to my switches?
Many thanks in advance.
Cheers.
02-22-2010 03:36 PM
marcosgeorgopoulos wrote:
Hi All,
I was hoping someone could help me with my questions.
I need to set up some redundancy for a network. I have Firewall and server experience but not so much with switches.
What I'm not 100% sure about is how to go about setting up the switches for redundancy.
From my understanding I can stack them and connect one interface from each server to each switch.
However in this scenario how would I go about connecting my FWs up to my switches?
Many thanks in advance.
Cheers.
Marcos
You would just connect both firewalls to the stack. It is recommended to use a dedicated vlan for this, i.e. no other devices in this vlan other than the 3750 switches and the inside firewall interfaces. Then just have a default-route on the 3750 pointing to the VIP of the firewalls' inside interfaces.
Edit - I was assuming you had users on the switches that also needed internet access. If you only have servers in one vlan then you could put the ASA inside interfaces in the same vlan as the servers. This would mean you didn't have to turn on ip routing on the 3750s if you didn't want to. But as I say, having a dedicated vlan is recommended.
Jon
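A configuration sketch of the dedicated-VLAN design described in the answer above, added here as an example and not taken from any poster's devices. VLAN 999, VLAN 10, the 10.0.99.0/29 and 10.0.10.0/24 addresses and the interface names are constructed placeholders; the switch default route points at the active inside address of the ASA failover pair.

```cisco
! --- 3750 stack (all values constructed for illustration) ---
ip routing
!
vlan 999
 name FW-TRANSIT
!
! One ASA per stack member, so losing a member does not isolate both firewalls
interface GigabitEthernet1/0/1
 description ASA-1 inside
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
interface GigabitEthernet2/0/1
 description ASA-2 inside
 switchport mode access
 switchport access vlan 999
 spanning-tree portfast
!
! SVI in the transit VLAN; only the stack and the ASA inside interfaces live here
interface Vlan999
 ip address 10.0.99.4 255.255.255.248
!
! Server VLAN routed by the stack (assumed)
interface Vlan10
 ip address 10.0.10.1 255.255.255.0
!
! Default route to the active inside address of the failover pair
ip route 0.0.0.0 0.0.0.0 10.0.99.1
!
! --- ASA (configured on the active unit; replicated to the standby) ---
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.0.99.1 255.255.255.248 standby 10.0.99.2
!
! Return route to the server VLAN via the stack SVI
route inside 10.0.10.0 255.255.255.0 10.0.99.4
```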
02-22-2010 03:41 PM
Thanks Jon.
That makes sense.
Many thanks.
03-31-2010 09:05 PM
Hi Guys,
The hardware I thought I'd have available has changed slightly.
The two switches I have are now only 2950's which means I cannot stack them.
So now I have
2 internet links
2 ASA 5510's
2 2950 switches
and some dual homed servers.
Would the below configuration work? Can anyone think of a way to improve it? or problems?
See below...
Link 1                          Link 2
  |                               |
  |                               |
  |                               |
 ASA ---- stateful failover ---- ASA
  |                               |
  |                               |
  |                               |
2950 ---------- XOver ---------- 2950
    \                           /
     \                         /
      \                       /
       \                     /
        \                   /
               Server
Cheers.
04-01-2010 01:07 AM
See below...
Link 1                          Link 2
  |                               |
  |                               |
  |                               |
 ASA ---- stateful failover ---- ASA
  |                               |
  |                               |
  |                               |
2950 ---------- XOver ---------- 2950
    \                           /
     \                         /
      \                       /
       \                     /
        \                   /
               Server
Cheers.
Marcos
That will work absolutely fine but be aware that if you have multiple vlans inside you will now need to route them off the ASAs because the 2950s are not L3 capable.
Jon
04-01-2010 04:26 AM
Hi Jon,
Many thanks.
When you say
"if you have multiple vlans inside you will now need to route them off the ASAs"
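Are you saying that;
1) My ASAs will need to know how to route to the internal networks ( via the ASAs' inside interfaces )
2) I will need to use my ASA to route traffic between different vlans?
cheers.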
04-01-2010 07:10 AM
marcosgeorgopoulos wrote:
Hi Jon,
Many thanks.
When you say
"if you have multiple vlans inside you will now need to route them off the ASAs"
Are you saying that;
1) My ASAs will need to know how to route to the internal networks ( via the ASAs' inside interfaces )
2) I will need to use my ASA to route traffic between different vlans?
cheers.
Marcos
I mean 2) because the 2960 cannot route between vlans, i.e. it is L2 only.
Jon
04-01-2010 05:25 AM
If you can, create an EtherChannel between the switches. If you don't do that and the connections between the switches fail, your redundant solution won't be so redundant...