Re: HSRP Between VSS L3 Switches and ASA 5500-x in Failover Standby/Active Mode

foued kh · ‎11-26-2017

Hi all,

I need to interconnect two 4500-x (in VSS mode) to two ASA 5500-x (in Failover Active/Standby mode).
To establish this architecture, I think that :

- I need a L2 switch like 2960-x between the two VSS L3 Switches and the two ASA 5500-x Failover Active/standby firewalls.

- Configure HSRP in the ASAs Firewalls.

Can you agree with me please ?
Thank you in advance

Reza Sharifi · ‎11-26-2017

Hi,

You should be able to connect the VSS directly to the firewalls without any switch in between.

HTH

foued kh · ‎11-26-2017

Thank you,
Do you mean that I will use from every switch two cable to the two firewall or not ; I mean ;
For example CORE01 and CORE02 , ASA01 and ASA02 :
CORE01 --> Cable --> ASA01
CORE02 --> Cable --> ASA02

Richard Burts · ‎11-26-2017

I have done pretty much what the original poster asks for several customers: a pair of layer 3 switches communicating with a pair of ASA (failover active/standby). We used Etherchannel to accomplish this. Each ASA has a physical connection to each switch (so each switch has a physical connection to each ASA). On each ASA and each switch configure the two physical interfaces making the connections as members of the Etherchannel. Configure a vlan (and vlan interfaces) on each device as members of the Etherchannel. (you could have more than 1 vlan on the Etherchannel if you want more than 1 vlan to be active on the layer 3 switches). On the layer 3 switches vlan you can configure HSRP so that the route statements on the ASA have a single IP address as next hop that could be active on either of the layer 3 switches. (note that ASA does not have a concept of HSRP but route statements on the switches would point to the IP of the active ASA which accomplishes the equivalent of HSRP for the ASA).

HTH

Rick

HTH

Rick

Richard Burts · ‎11-26-2017

After posting my response I looked again at the thread and think it worthwhile to clarify. the post suggests this

CORE01 --> Cable --> ASA01
CORE02 --> Cable --> ASA02

what I am suggesting would be this

CORE01 --> Cable --> ASA01

CORE01 --> Cable --> ASA02

CORE02 --> Cable --> ASA01

CORE02 --> Cable --> ASA02

This allows either switch to communicate with either ASA. So any single device might fail and yet full communication (at layer 3) is maintained.

HTH

Rick

HTH

Rick

foued kh · ‎11-26-2017

Sorry Mr. Richard but I can't assimilate how to interconnect the two switches to two interfaces in one ASA and these two interfaces are for inside. What I know is that the Firewall will refuse to make two interfaces with IP in same rang

Richard Burts · ‎11-26-2017

You continue to think about the traditional approach of configuring the IP address on the physical interface. And you are correct that the ASA will not allow two physical interfaces to have IP addresses in the same range. But if you really think about how to implement Etherchannel on ASA then you will realize that the IP address is no longer on the physical interface. The physical interface is configured as a member of the channel (and no IP address on the physical interface). Then you configure the channel interface. Then you configure a vlan to be in the channel. And you assign the interface name, the interface name and security level, and IP address in the vlan. The config might look somewhat like this

interface GigabitEthernet0/1
speed 1000
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
speed 1000
channel-group 1 mode active
no nameif
no security-level
no ip address
!

interface Port-channel1
speed 1000
lacp max-bundle 8
port-channel load-balance src-dst-ip-port
no nameif
no security-level
no ip address
!
interface Port-channel1.10
vlan 10
nameif inside
security-level 100
ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2

HTH

Rick

HTH

Rick

Florin Barhala · ‎08-01-2018

Hello Richard,

I was reading your input on this design.
Now I am not sure about this: how can you bind on one firewall/ASA two connections/wires from two distinct Layer 3 switches into one PortChannel (let's say we are using 2x 3850 models)?

I just (re)read 9.6 config guide and found no mention about this:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-echannel.html

L.E. I just (re)read threads full name, you were suggesting all this under VSS scenario :)

Now if I don't have VSS scenario can I get full redundancy using HSRP and A/P ASA?

Richard Burts · ‎08-01-2018

If you look at this section of the 9.6 document that you mention there is a pretty clear example of two switches connecting to one ASA and then an example of two switches connecting to two ASA.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/configuration/general/asa-96-general-config/interface-echannel.html#ID-2077-00000026

The article does mention doing this in the context of VSS or of vPC when connecting to two switches. This is because VSS and vPC support cross chassis EtherChannel (EtherChannel on two different switch chassis). I am not clear whether your 3850 will support cross channel EtherChannel. If your 3850 do support this feature then you should be able to connect two 3850 to two ASA and configure redundant interfaces which support failover. If your 3850 do not support cross chassis EtherChannel then this approach would not work for you.

HTH

Rick

HTH

Rick

Florin Barhala · ‎08-02-2018

Currently 3850 support cross chassis Etherchannel if the two switches are stacked. I am in non-stacked 3850 scenario so as you said I need to look for something else.

Thanks for your input!

Richard Burts · ‎08-02-2018

Florin

Yes if your switches do not support cross chassis EtherChannel then the approach described in this discussion will not work for you. Sorry.

HTH

Rick

HTH

Rick