Solved: Hsrp or osfp(or other routing protocol) between 2 asa and core?

ddxnet · ‎08-09-2011

Hello. I have 2 asa 5540(active/standby) and 2 catalyst 3560 as a core network.

We don't have agregation level, because our network isn't big. We use hsrp on the switches to give default gw for servers and other computers.

What is better way to use hsrp or ospf to achieve high availability between 2 asa(active/standby) and 2 switches?

Jon Marshall · ‎08-09-2011

Vladimir

The common approach is to use a dedicated vlan between the switches and the ASA firewalls for example vlan 10.

So you would have L3 vlan interfaces on the 3560 switches for vlan 10 and run HSRP between them. On the ASA firewall you would give the inside interfaces of each ASA an ip address from the vlan 10 subnet.

Then on the 3560 switch -

ip route 0.0.0.0 0.0.0.0

on the ASAs you need static routes for each subnet on the 3560s ie.

route inside

then connect ASA1 to sw1 and AS2 to sw2.

Note you can run a dynamic routing protocol between the ASAs and the 3560s to exchange routes instead of statics if you want but it depends on how big your network is and what feature set you have on the switches.

*** Edit - one note about running a dynamic routing protocol. In active/standby the routing table is not actually populated on the standby unit so if the active firewall fails then there will be a delay while the routing table is populated.

Jon

View solution in original post

Peter Paluch · ‎08-09-2011

Hello Vladimir,

If both devices support OSPF then in my personal opinion, it is always the best to go with the routing protocol. The HSRP is intended to be used only between gateways towards end stations, not between network infrastructure devices themselves. The HSRP can only provide you with an illusion of the default gateway. Routing protocols always provide with a full routing table, possibly utilizing many paths to diverse destinations.

I would like to hear other friends' ideas here, though.

Best regards,

Peter

Jon Marshall · ‎08-09-2011

Vladimir

The common approach is to use a dedicated vlan between the switches and the ASA firewalls for example vlan 10.

So you would have L3 vlan interfaces on the 3560 switches for vlan 10 and run HSRP between them. On the ASA firewall you would give the inside interfaces of each ASA an ip address from the vlan 10 subnet.

Then on the 3560 switch -

ip route 0.0.0.0 0.0.0.0

on the ASAs you need static routes for each subnet on the 3560s ie.

route inside

then connect ASA1 to sw1 and AS2 to sw2.

Note you can run a dynamic routing protocol between the ASAs and the 3560s to exchange routes instead of statics if you want but it depends on how big your network is and what feature set you have on the switches.

*** Edit - one note about running a dynamic routing protocol. In active/standby the routing table is not actually populated on the standby unit so if the active firewall fails then there will be a delay while the routing table is populated.

Jon

ddxnet · ‎08-09-2011

Jon,

Thanks a lot for your explanation!

Edison Ortiz · ‎08-09-2011

I agree with Jon.. Based on your setup static routing will provide faster failover since you are running active/standby.

One thing I want to add, treat the ASA as an end host so make sure to enable spanning-tree portfast.

Peter Paluch · ‎08-09-2011

Jon, Edison,

Thanks for voicing your opinions and sharing your views!

Best regards,

Peter