06-11-2016 03:21 AM - edited 03-08-2019 06:09 AM
We are designing a network for connection to our client's WAN. There will be two separate connections to the WAN via ASA devices. The client will use one connection for monitoring the new network using SNMP traffic and the other for all other traffic (FTP, HTTP). They use Policy Based Routing.
The network we are designing comprises 5 layer 2 switches supporting local VoIP, PABX and workstations used in conjunction with the telephones. Each switch will be connected to two routers running HSRP to provide a redundant gateway. VLSM is used on the network for the VLANs.
What is the best method to connect the two routers to the two ASA devices?
We understand that it is not good practice to connect the HSRP routers directly to the ASA devices, so we are considering inserting intermediary routers and running EIGRP.
Any advice?
Thanks
06-11-2016 04:04 PM
There is nothing wrong with using HSRP to provide default gateway protection for ASAs.
Are these standalone ASAs, or an active/standby ASA configuration?
06-12-2016 01:42 AM
The ASAs are standalone.
06-12-2016 01:27 PM
I would just use HSRP with the routers. If you want, you could dual connect the ASAs using the "Redundant" interface feature, or single connect them as you feel is needed.
06-28-2016 09:43 PM
Thanks for the advice Philip.
We are considering using the 2960 at the edge. What equipment would you recommend for the HSRP routers?
06-28-2016 09:46 PM
How much throughput will the routers need, and how many interfaces? Any Ethernet only interfaces?
Since you need to buy switches, sometimes it works out better to just get layer 3 switches, like Cisco 3850s. If you use a stack you don't need redundant connections or HSRP. Nice and simple, and reliable.
06-28-2016 10:05 PM
06-28-2016 11:36 PM
As long as it has enough interfaces you could get by with a local cost Cisco 891F.
06-29-2016 12:56 AM
Looks a good option but if we wanted 16 ports is there an alternative?
06-29-2016 12:58 AM
06-29-2016 01:13 AM
Ps. what did you think of the logical design?
06-29-2016 01:18 AM
What do R2 and R3 gain you? If you removed them from the solution would it affect anything (apart from making it simpler)?
If everything was dual connected to R1 and R4 wouldn't you get a similar result?
06-29-2016 01:39 AM
I originally included them so there would be an alternative route out of the network via either firewall, e.g. if R2 failed the route to F1 would be lost.
If F1 were connected to R2 and R3 there was concern it may cause instability on F1.
06-29-2016 12:28 PM
What if R1 or R4 failed - which is just as likely.