cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1754
Views
0
Helpful
10
Replies

HSRP Between VSS L3 Switches and ASA 5500-x in Failover Standby/Active Mode

foued kh
Level 1
Level 1

Hi all, 

I need to interconnect two 4500-x (in VSS mode) to two ASA 5500-x (in Failover Active/Standby mode).
To establish this architecture, I think that :

- I need a L2 switch like 2960-x between the two VSS L3 Switches and the two ASA 5500-x Failover Active/standby firewalls.

- Configure HSRP in the ASAs Firewalls.

 

Can you agree with me please ?
Thank you in advance 

10 Replies 10

Reza Sharifi
Hall of Fame
Hall of Fame

Hi,

You should be able to connect the VSS directly to the firewalls without any switch in between. 

HTH

Thank you,
Do you mean that I will use from every switch two cable to the two firewall or not ; I mean ;
For example CORE01 and CORE02 , ASA01 and ASA02 :
CORE01 --> Cable --> ASA01
CORE02 --> Cable --> ASA02

I have done pretty much what the original poster asks for several customers: a pair of layer 3 switches communicating with a pair of ASA (failover active/standby). We used Etherchannel to accomplish this. Each ASA has a physical connection to each switch (so each switch has a physical connection to each ASA). On each ASA and each switch configure the two physical interfaces making the connections as members of the Etherchannel. Configure a vlan (and vlan interfaces) on each device as members of the Etherchannel. (you could have more than 1 vlan on the Etherchannel if you want more than 1 vlan to be active on the layer 3 switches). On the layer 3 switches vlan you can configure HSRP so that the route statements on the ASA have a single IP address as next hop that could be active on either of the layer 3 switches. (note that ASA does not have a concept of HSRP but route statements on the switches would point to the IP of the active ASA which accomplishes the equivalent of HSRP for the ASA).

 

HTH

 

Rick

HTH

Rick

After posting my response I looked again at the thread and think it worthwhile to clarify. the post suggests this

CORE01 --> Cable --> ASA01
CORE02 --> Cable --> ASA02

 

what I am suggesting would be this

CORE01 --> Cable --> ASA01

CORE01 --> Cable --> ASA02

CORE02 --> Cable --> ASA01

CORE02 --> Cable --> ASA02

 

This allows either switch to communicate with either ASA. So any single device might fail and yet full communication (at layer 3) is maintained.

 

HTH

 

Rick

HTH

Rick

Sorry Mr. Richard but I can't assimilate how to interconnect the two switches to two interfaces in one ASA and these two interfaces are for inside. What I know is that the Firewall will refuse to make two interfaces with IP in same rang

You continue to think about the traditional approach of configuring the IP address on the physical interface. And you are correct that the ASA will not allow two physical interfaces to have IP addresses in the same range. But if you really think about how to implement Etherchannel on ASA then you will realize that the IP address is no longer on the physical interface. The physical interface is configured as a member of the channel (and no IP address on the physical interface). Then you configure the channel interface. Then you configure a vlan to be in the channel. And you assign the interface name, the interface name and security level, and IP address in the vlan. The config might look somewhat like this

interface GigabitEthernet0/1
 speed 1000
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 speed 1000
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!

interface Port-channel1
 speed 1000
 lacp max-bundle 8
 port-channel load-balance src-dst-ip-port
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2 

 

HTH

 

Rick

HTH

Rick

Hello Richard,

I was reading your input on this design.
Now I am not sure about this: how can you bind on one firewall/ASA two connections/wires from two distinct Layer 3 switches into one PortChannel (let's say we are using 2x 3850 models)?

I just (re)read 9.6 config guide and found no mention about this:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-echannel.html

L.E. I just (re)read threads full name, you were suggesting all this under VSS scenario :)

Now if I don't have VSS scenario can I get full redundancy using HSRP and A/P ASA?

If you look at this section of the 9.6 document that you mention there is a pretty clear example of two switches connecting to one ASA and then an example of two switches connecting to two ASA.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-echannel.html#ID-2077-00000026

 

The article does mention doing this in the context of VSS or of vPC when connecting to two switches. This is because VSS and vPC support cross chassis EtherChannel  (EtherChannel on two different switch chassis). I am not clear whether your 3850 will support cross channel EtherChannel. If your 3850 do support this feature then you should be able to connect two 3850 to two ASA and configure redundant interfaces which support failover. If your 3850 do not support cross chassis EtherChannel then this approach would not work for you.

 

HTH

 

Rick

HTH

Rick

Currently 3850 support cross chassis Etherchannel if the two switches are stacked. I am in non-stacked 3850 scenario so as you said I need to look for something else.

Thanks for your input!

Florin

 

Yes if your switches do not support cross chassis EtherChannel then the approach described in this discussion will not work for you. Sorry.

 

HTH

 

Rick

HTH

Rick
Review Cisco Networking for a $25 gift card