Solved: Re: Connectivity of Switch and ASA

cisco · ‎10-22-2010

Hi,

i have two 6513 core switches , wanted to connect to ASA.. Now these devices can be connected by two ways

1) One cable from each 6513switch , going to ASA ( My question over here two ports on ASA can be given IP address of same segment)

2) One cable from each 6513switch going to L2-VLAN of some 3750switch and from that same L2-VLAN one cable connects to ASA. (But then this 3750 switch can be single point of failure in the network)

regards

Neo

Jon Marshall · ‎10-22-2010

Neo

6500s - sw1 & sw2

ASAs - asa1 & as2

connect asa1 to sw1

connect asa2 to sw2

it is recommended thatr you have a dedicated vlan for this connectivity ie no end devices should be in this vlan. Obviously this vlan needs to be allowed on the trunk link between the 2 6500 switches. This should run HSRP on the 6500s and the firewall uses the HSRP VIP to reach the networks off the 6500.

you now have redundnacy for your firewalls ie. lets assume that asa1 is active, so traffic goes via sw1 to asa1. Note that if the packet arrives at sw1 destined for the firewall then it is simply switched across the L2 link to sw1 and then to asa1.

1) asa1 fails and asa 2 becomes active. Now any traffic arriving at sw1 is simply switched across the L2 trunk to sw2 and sent to asa2 (which is now the active firewall). Any traffic arriving on sw2 is simply sent to asa2.

2) sw1 fails. If sw1 fails the asa will failover to asa2 and same as 1) except no traffic will be arriving on sw1

3) connection between sw1 and asa1 fails. As long as you are monitoring the inside interface of asa1 then again asa1 fails over to asa2 and traffic flows as per 1)

4) Both switches fail - you then have a lot more problems to worry about than your firewalls

Jon

View solution in original post

Jon Marshall · ‎10-22-2010

cisco@learn wrote:

Hi,

i have two 6513 core switches , wanted to connect to ASA.. Now these devices can be connected by two ways

1) One cable from each 6513switch , going to ASA ( My question over here two ports on ASA can be given IP address of same segment)

2) One cable from each 6513switch going to L2-VLAN of some 3750switch and from that same L2-VLAN one cable connects to ASA. (But then this 3750 switch can be single point of failure in the network)

regards

Neo

If your 6513 switches are connected via L2 trunk the third and common option is to connect one each ASA to just one switch. That way you have redundancy.

If your 6153 switches are not connected via a L2 trunk then 2) is the one you will need to use.

Jon

cisco · ‎10-22-2010

Hi Jon,

yes my both 6513 switches are connected via L2 link. both 6513 switches are working in Active /Active mode ( odd vlans are active on switch-1 and even vlans are active on switch-2) if possible could you please explain the third option in detail.

regards

Neo

Jon Marshall · ‎10-22-2010

Neo

6500s - sw1 & sw2

ASAs - asa1 & as2

connect asa1 to sw1

connect asa2 to sw2

it is recommended thatr you have a dedicated vlan for this connectivity ie no end devices should be in this vlan. Obviously this vlan needs to be allowed on the trunk link between the 2 6500 switches. This should run HSRP on the 6500s and the firewall uses the HSRP VIP to reach the networks off the 6500.

you now have redundnacy for your firewalls ie. lets assume that asa1 is active, so traffic goes via sw1 to asa1. Note that if the packet arrives at sw1 destined for the firewall then it is simply switched across the L2 link to sw1 and then to asa1.

1) asa1 fails and asa 2 becomes active. Now any traffic arriving at sw1 is simply switched across the L2 trunk to sw2 and sent to asa2 (which is now the active firewall). Any traffic arriving on sw2 is simply sent to asa2.

2) sw1 fails. If sw1 fails the asa will failover to asa2 and same as 1) except no traffic will be arriving on sw1

3) connection between sw1 and asa1 fails. As long as you are monitoring the inside interface of asa1 then again asa1 fails over to asa2 and traffic flows as per 1)

4) Both switches fail - you then have a lot more problems to worry about than your firewalls

Jon