03-30-2012 06:54 AM - edited 03-07-2019 05:52 AM
Hi, the scenario is as follows:
Clients ----- l2 switch ---- l2 switch (primary) --- asa (primary)
----- l2 switch (secondary) --- asa (secondary)
There are three VLANs a, b, c on the ASA interfaces (sub-interfaces). The clients used to have the ASA as default gateway. The firewall not only served as the inter-VLAN router but also performed firewalling between the servers of VLANs a, b, c. For inter-VLAN routing, static routing towards the firewall IPs has been configured on both L2 (primary and secondary) switches.
We thought of enabling HSRP on the primary and secondary L2 switches to automate the switchover to the firewalls if the link to the primary firewall fails. If I enable HSRP on the primary and secondary L2 switches, would this enable L3 routing on the switch and prevent the packets from being firewalled?
Thanks
Anbu
03-30-2012 08:46 AM
Hi Anbu,
To confirm, have you moved your default gateway from the ASA to your switches?
If you have moved your gateways to the switches and configured them as L3 VLANs, the routing will take place on your switches and traffic will never reach the firewalls. (This is for traffic between the VLANs.)
In short, if your gateway is configured on your switches, a host in VLAN A can speak to a host in VLAN B with no firewall in between.
I hope this answers your question.
03-30-2012 09:53 AM
If I understand correctly, there are servers in different VLANs whose traffic has to be passed through the firewall.
So if the VLAN routing is moved from the firewall to the L3 switch, then it is quite possible that the server traffic might not go through the firewall, as it might be served by the L3 switch itself.
Two possibilities that I could think of:
1. Can you bring the firewall functions to the switch? (I'm quite familiar with the firewall, so I cannot comment on this.) Or,
2. Have the VLAN routing (of interested traffic) pass through the ASA firewall.
just my 2 cents.
Experts can comment.
-Vijay
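As an added illustration of the point both replies make (this is example configuration written for this page, not posted by anyone in the thread), the two Cisco IOS fragments below contrast the design that bypasses the ASA with one that keeps it in the path. VLAN numbers, addresses, interface names and HSRP group numbers are assumed for the example. In the first fragment the switch has an SVI in each server VLAN plus `ip routing`, so VLAN a to VLAN b traffic is forwarded by the switch and the firewall never sees it, exactly the situation the first reply warns about. In the second fragment VLANs a, b, c stay pure layer 2 on the switches, the servers keep the ASA sub-interface address as default gateway, and the switch carries only a management SVI, which is one way to implement option 2 of the second reply.

```cisco
! --- Design 1 (bypasses the firewall): SVI + HSRP in every server VLAN ---
! VLAN numbers, addresses and HSRP groups are assumed for this example.
ip routing
!
interface Vlan10
 description VLAN a - server default gateway moved onto the switch
 ip address 10.0.10.2 255.255.255.0
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 description VLAN b - server default gateway moved onto the switch
 ip address 10.0.20.2 255.255.255.0
 standby 20 ip 10.0.20.1
 standby 20 priority 110
 standby 20 preempt
!
! With 'ip routing' enabled and Vlan10/Vlan20 both directly connected, a host in
! VLAN a sending to VLAN b is routed by the switch itself; the ASA is not in path.

! --- Design 2 (keeps the firewall in path): server VLANs stay layer 2 ---
no ip routing
!
vlan 10
 name vlan-a
vlan 20
 name vlan-b
vlan 30
 name vlan-c
vlan 99
 name switch-mgmt
!
interface GigabitEthernet1/0/48
 description trunk towards the ASA (sub-interfaces for VLANs a, b, c)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
!
interface Vlan99
 description management only; never a gateway for server VLANs
 ip address 10.0.99.2 255.255.255.0
!
ip default-gateway 10.0.99.1
!
! No SVI exists for VLANs 10/20/30, so the switch cannot route between them.
! Servers keep the ASA sub-interface address (e.g. 10.0.10.1) as default
! gateway, and every VLAN a -> VLAN b packet goes up the trunk to be inspected.
```

A quick check for either switch is `show ip route`: if VLAN a, b or c appears as a directly connected network on the switch while `ip routing` is enabled, inter-VLAN traffic for those VLANs is being forwarded locally and is not reaching the ASA. `show standby brief` shows which SVIs carry an HSRP virtual address; under design 2 the server VLANs should not be listed. Note that switch-side HSRP only changes which switch hosts a gateway address, so it does not by itself move traffic from the primary ASA to the secondary; the firewall pair's own failover mechanism, which this thread does not cover, is what handles that side.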