03-29-2017 12:29 PM - edited 03-08-2019 09:58 AM
Hi all,
I currently have one active ASA and one ISP. Recently, we acquired a second ISP and ASA for failover. One ASA will be active and the other standby. The second circuit (ISP) will also be standby. In addition, we acquired two-3750 stack switches to necessitate the failover configuration (more ports). The 3750 will sit between the ISP routers and ASA.
I have not had a chance to configure this scenario before. I have worked on the ASA and would like any ideas and suggestions on how to configure the 3750 stack to achieve the failover goal. I will also need to set up a WAF that is currently set on the DMZ of the ASA on the stack as well so that the outside traffic will hit the WAF before it is allowed to the DMZ zone.
Any ideas and suggestions will be appreciated.
+----------+                  +----------+
| R1 ISP1  |                  | R2 ISP2  |
+----------X                  X----------+
            X                X
             X              X
              X            X
               X----------------X
               |      3750      |
               +----------------+
               |      3750      |
               X----------------X
              X                  X
             X                    X
            X                      X
           X                        X
+---------X                          X-----------+
| ASA1    |                          | ASA2      |
+---------+                          +-----------+
Sam.
03-29-2017 01:46 PM
Hi Sam,
The stack of the 3750s just needs a layer-2 VLAN to span all 4 connections (2 from the ISPs and 2 from the firewalls). You also need a connection between ISP1 and ISP2 and run HSRP towards the inside of the network.
HTH
03-30-2017 10:20 AM
Hi Reza,
Thank you for the prompt response to my concern. When you say "a layer-2 VLAN", do you mean just one VLAN or two VLANs, one for each ISP-switch-ASA? Do I have to set HSRP on the switches if failover will be set on the ASA (one active and the other standby)? Please clarify whether the switch needs to be aware of the state of the connection or whether this will be handled by the ASA.
Thank you.
Sam.
03-30-2017 10:36 AM
Hi Sam,
When you say "a layer-2 VLAN", do you mean just one VLAN or two VLANs, one for each ISP-switch-ASA?
No, you just need one VLAN on the switch. This VLAN will have all 4 ports (2 from the ISPs and 2 from the firewalls) in it.
Do I have to set HSRP on the switches if failover will be set on the ASA (one active and the other standby)?
You need HSRP between R1-ISP1 and R2-ISP2. So, let's say that you want the left side of your diagram, which includes R1-ISP1 and ASA1, to be the primary and the right side as standby.
You configure HSRP on R1-ISP1 with a higher priority (110), so it is the active HSRP router, and you keep the opposite side at the default priority (100) so it stays as standby.
The same way with the firewalls, keep the left side as primary in your cluster and the right side as backup. Once you set it all up you would need to do some testing and tuning in a maintenance window to make sure fail-over works correctly.
HTH
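An added configuration sketch of the design Reza describes (this is not from the thread or from Cisco): one layer-2 VLAN on the 3750 stack holding the four ports, and HSRP between the ISP routers with R1 at priority 110 and R2 left at the default 100. Interface names, the VLAN number, the addressing, the HSRP group, the preempt/track settings and the MD5 authentication key are all assumptions.

```text
! ---- 3750 stack: one layer-2 VLAN, no SVI needed ----
vlan 100
 name OUTSIDE-EDGE
!
! Assumed port mapping: Gi1/0/1 -> R1 (ISP1), Gi1/0/2 -> R2 (ISP2),
!                       Gi2/0/1 -> ASA1 outside, Gi2/0/2 -> ASA2 outside
interface range GigabitEthernet1/0/1-2, GigabitEthernet2/0/1-2
 description outside edge segment (ISP routers + ASA outside interfaces)
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! ---- R1 (ISP1): active HSRP router, priority 110 ----
! Assumed addressing: 203.0.113.2/29 on R1, .3 on R2, virtual gateway .1
track 1 interface GigabitEthernet0/0 line-protocol   ! Gi0/0 = ISP1 uplink (assumed)
!
interface GigabitEthernet0/1
 description LAN side towards 3750 stack / ASA outside
 ip address 203.0.113.2 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 authentication md5 key-string CHANGE-ME-HSRP-KEY
 standby 1 track 1 decrement 20   ! drops to 90 if the ISP1 uplink goes down
!
! ---- R2 (ISP2): standby HSRP router, default priority 100 ----
interface GigabitEthernet0/1
 description LAN side towards 3750 stack / ASA outside
 ip address 203.0.113.3 255.255.255.248
 standby 1 ip 203.0.113.1
 standby 1 preempt
 standby 1 authentication md5 key-string CHANGE-ME-HSRP-KEY
!
! ---- ASA1/ASA2: the failover pair uses 203.0.113.1 as its outside default gateway ----
! route outside 0.0.0.0 0.0.0.0 203.0.113.1
```

The track object on R1 is what actually makes the switchover happen when ISP1's uplink fails rather than R1 itself; without it the standby side only takes over if R1 stops sending HSRP hellos, which is one of the things to verify in the maintenance-window testing Reza mentions.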
03-30-2017 10:43 AM
Hello Reza,
Thank you so much for the clarification regarding the VLAN configuration. I will go ahead and configure the switches as you have recommended and give it a test. I will provide an update on how it goes...probably early next week.
Thank you for your time and assistance.
Sam.