12-01-2009 02:43 PM - edited 03-06-2019 08:47 AM
Hi
I have an ASA with subinterfaces/VLANs for the DMZ. The DMZ network has a single switch with no layer-3 VLANs in it. The devices that were connected to this switch were down the other day due to a switch hardware failure. Is there a way I can make sure that these devices plugged into the switch(es) can stay up even if one switch dies?
Thanks
12-01-2009 03:07 PM
CCDECCDE9 wrote:
Say I have two ASAs... When the switch of the primary ASA goes down, does the primary fail over to the secondary, and do all those devices go through the secondary now?
Also, is dual homed the network card teaming you are referring to?
If you have 2 ASAs you would set it up as follows:
connect ASA1 to switch1 (SW1)
connect ASA2 to switch2 (SW2)
connect SW1 to SW2 with either a L2 trunk or a L2 access port, depending on whether you are running multiple VLANs on your DMZ switches.
Let's assume it is connected as above and ASA1 is the active firewall. SW1 is the switch that has the active NICs connected to it. Dual homed simply means each server has 2 NICs, one is active and the other is in standby mode.
1) Failure of active server NIC - the server makes its other NIC active. This is connected to SW2. Traffic flows to SW2, across the link to SW1 and then to ASA1, which is the active firewall.
2) Failure of SW1 - the firewall fails over and ASA2 becomes active. The server NICs to SW2 also become active as SW1 has failed.
3) Failure of ASA1 - ASA2 takes over. The active NICs are still connected to SW1, so traffic goes from the servers to SW1, across to SW2 and to ASA2.
Jon
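A configuration sketch of the topology Jon describes, added here as an example and not taken from the thread or from Cisco documentation: ASA1 as the primary unit of an active/standby pair with the DMZ on a dot1q subinterface, plus the SW1 ports facing ASA1 and SW2. Interface names, VLAN 10, the addresses and the key placeholder are all assumptions; the point to note is that `monitor-interface dmz` is what turns scenario 2 (SW1 dying) into a failover, and that `failover key` keeps the replicated config and state off the wire in cleartext.

```cisco
! ASA1 (primary unit). Secondary unit differs only in "failover lan unit secondary".
! Addresses, interface names and VLAN IDs below are constructed placeholders.
interface GigabitEthernet0/1
 no shutdown
!
interface GigabitEthernet0/1.10
 vlan 10
 nameif dmz
 security-level 50
 ! The active unit owns .1; whichever unit is standby answers on .2.
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Dedicated failover link between the two ASAs, not routed through SW1/SW2,
! so a DMZ switch failure cannot also take down the failover heartbeat.
interface GigabitEthernet0/3
 description failover link to ASA2
 no shutdown
!
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Same key on both units; without it, config and state sync travel in cleartext.
failover key <shared-secret-placeholder>
failover polltime unit 1 holdtime 3
! Interface health monitoring: if the active unit loses dmz (SW1 dead) while the
! standby still sees it via SW2, the standby wins and becomes active (scenario 2).
monitor-interface dmz
failover polltime interface 5 holdtime 25

! SW1 (IOS): DMZ VLAN, trunk to ASA1, trunk to SW2 carrying the same VLAN
! so that either ASA can reach servers on either switch (scenarios 1 and 3).
vlan 10
 name DMZ
!
interface GigabitEthernet1/0/1
 description ASA1 Gi0/1 (dot1q subinterfaces)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
!
interface GigabitEthernet1/0/24
 description trunk to SW2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10
```

After bringing both units up, `show failover` on each ASA should report the unit state (Active/Standby Ready) and `Monitored Interfaces` showing dmz as Normal on both.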
12-01-2009 02:53 PM
CCDECCDE9 wrote:
Hi
I have an ASA with subinterfaces/VLANs for the DMZ. The DMZ network has a single switch with no layer-3 VLANs in it. The devices that were connected to this switch were down the other day due to a switch hardware failure. Is there a way I can make sure that these devices plugged into the switch(es) can stay up even if one switch dies?
Thanks
You can add a second switch, but the problem is you only have one ASA to connect it to. And an ASA cannot have 2 interfaces with the same IP address or an IP address out of the same subnet, i.e. you can't create the same DMZ on two separate interfaces on the ASA.
So for redundancy you would need:
1) 2 switches
2) 2 ASA firewalls running in active/standby or active/active
3) each device in the DMZ would need to be dual homed to each switch, otherwise there is no point in 1) & 2)
Alternatively you could just have a spare switch with the correct config on it and ready to go.
It really depends on how much downtime costs the company and whether this justifies making a fully redundant setup.
Jon
12-01-2009 02:58 PM
Say I have two ASAs... When the switch of the primary ASA goes down, does the primary fail over to the secondary, and do all those devices go through the secondary now?
Also, is dual homed the network card teaming you are referring to?
12-01-2009 03:17 PM
If you really want redundancy, then you can take a pair of 6500E switches (with the right Sup) and convert them to a VSS set. This way you can connect each of your servers to 2 different switches that act logically like one, so when one switch is down, your servers are still forwarding traffic using the second switch. But your servers have to have 2 NICs, and on the server side you have to team your NICs together and run LACP to the switches. Then you connect your switches to a set of ASAs in active-active or active-passive.
HTH
Reza
12-01-2009 04:08 PM
sharifimr wrote:
If you really want redundancy, then you can take a pair of 6500E switches (with the right Sup) and convert them to a VSS set. This way you can connect each of your servers to 2 different switches that act logically like one, so when one switch is down, your servers are still forwarding traffic using the second switch. But your servers have to have 2 NICs, and on the server side you have to team your NICs together and run LACP to the switches. Then you connect your switches to a set of ASAs in active-active or active-passive.
HTH
Reza
Reza
Expensive DMZ though.
Just to add, you could also do the same with 2 stacked 3750 switches, which support cross-stack EtherChannel.
Jon
12-01-2009 05:02 PM
Jon,
I think I am subconsciously helping Cisco's earnings.
Reza