Thanks for your response!

So, it is the way I already assumed. I'm in the need for another hardware piece (l2 switch) in between and then have a "transfer vlan" instead of a transfer network. I have to rethink that if thats what I want.

To be honest I don't get what you mean with the fail-over device. We are having of course 2 ASA 5510 devices for redundancy reasons. But there still i have the problem to interconnect them with the VSS directly. Because the failover pair is sharing its IP addresses. Thats a feature I cannot do on the VSS.

That brings maybe VRRP or HSRP in place for a proper solution. But as a matter of fact that I need a L2-Adjacency between both VRRP-Members, do I need also a dedicated switch for that? Or is this adjacency already established through the VSL-Link ?

Best regards

Phil

Hi,

You cant use First Hop redundancy Protocls along with VSS. In fact VSS eleminate the need of First Hop redundancy protocols and the 2 Core Switches act as a Single Bridge . from STP prespective , both VSS Cores would have a single Bridge ID.

Now, According to your requirment, you can connect both ASAs to the two cores part of the VSS, one should be connected to the first core and the second ASA connects to the Second Core part of the VSS.This should give you the redundancy you need if one of the ASA goes down , the secondary takes over, as well as if either of the Core goes down, one of the ASA takes the Active role.

HTH

Mohamed

From physical point of view your are right. i can connect the ASA to the VSS pair to have redundancy. but when you take a look at l2 or l3 between ASA and VSS you maybe come to the same conclusion as I, that it is not possible.

To make clear what I mean:

Let's say you define a transfer network 192.168.10.0/29 between ASA and VSS.

You then would have the following (theoretical) assignment of the ip addresses:

Primary ASA - 192.168.10.1/29

Secondary ASA - 192.168.10.2/29

1. Chassis VSS - 192.168.10.3/29

2. Chassis VSS - 192.168.10.4/29

(Keep in mind dynamic routing protocols like ospf / ibgp )

Yes, I agree. From ASA point of view this is no problem. You can define the IP addresses on the interfaces, but from VSS side you are running into a problem I mentioned earlier. You are not allowed to define the _same_ subnet on two individual interfaces (for example GigabitEthernet1/7/3 and GigabitEthernet 2/7/3).

So, I see the only solution is either you are defining a VLAN-Interfaces on the VSS and then bind the VLAN-Tag (maybe as trunk native vlan for future use of other vlans) to the VSS interfaces, or you use HSRP or VRRP, to "share" one IP along the two VSS interfaces.

Other solution would also to place an additional switch in between ASA and VSS (solution from Leo, two posts earlier)

Br

Phil

This is exactly the answer to my problem

So the solution is to create a SVI on the VSS and put the two interfaces pointing to ASA to "access mode". And on ASA side configure the IP adress of the transfer network on interfaces physically connected to VSS. So they share on L2 broadcast domain. Routes from ASA to VSS points to SVI interfaces and on VSS the gateway for networks at outside interface of ASA (internet for example) is the share ip on the inside subinterface.

Thanks for your input!

Best regards

Phil

@manish arora Do you have a valid link which i can read? I would like to take a look since I want to connect a pair of VSS to two ASAs (active, standby).

Thank you