• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2291

Connecting two Cisco ASAs to two Juniper Switches running VRRP

My datacenter provider is providing me with two WAN uplinks; each uplink is coming from a Juniper switch with HSRP enabled between the two uplinks. Is there a way I can connect my two Cisco ASA 5510s in a redundant way to those two uplinks? I heard that I need to put a switch in front of my ASAs, but I really don't want to buy extra hardware. I was also told by my datacenter provider that having the switches in active/standby mode will not work because the two uplinks need to talk to each other, either over the same broadcast domain or VLAN. If anybody has any suggestions on how I can implement this, please let me know.
Asked:
vad33
1 Solution
 
rfc1180 commented:
Your data center provider should NOT be sending HSRP hello messages via your VLAN (downstream to you); they should have a trunk between their core switches that is used for the HSRP hello messages. It is unlikely that the Juniper switches are running HSRP, as Hot Standby Router Protocol is Cisco proprietary. They are more than likely utilizing VRRP. With that being said, you do NOT need a switch in between your ASAs and their network. As a matter of fact, the handoff from the service provider to you should be layer 2 (Ethernet) to a customer device that is a layer 3 device, such as a router or firewall. Utilizing a layer 2 switch will just add complexity to the design.

Basically, if the handoff from your SP is Ethernet (both connections in the same VLAN [same broadcast domain]), then you do not need any switches; you can connect your ASAs and configure them for active/standby or active/active. They should have the flexibility to provide most handoff configurations, either at layer 2 or layer 3.

Hope this helps

Billy
 
gavving commented:
I agree with rfc1180. ASAs in failover need to communicate between the firewalls through each interface to confirm connectivity. If both of your uplink cables are in the same VLAN, then they will be able to see each other through the service provider switch infrastructure.

Also, implementing an external switch between your ASAs and their switches could cause spanning-tree to come into play, which could increase failover times by 40 seconds or so. Direct connecting into the outside interfaces of the ASA eliminates this, and no spanning-tree is required in the event of failover.
 
vad33 (Author) commented:
Yes, you are correct, they are using VRRP. The datacenter provider is not very flexible. If I configure the ASAs in active/standby, then the two uplinks are not able to send packets between each other. I'm not really sure, but I'm guessing they need to send ARP packets.
rfc1180 commented:
You do not need the links to be in the same VLAN; best practice dictates using a heartbeat cable between the ASAs (dedicated interface). That will resolve the issue you are running into. You can then monitor the interface for the upstream at layer 1 and then add monitoring at layer 3 for the default gateway.

Billy
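As an added example that is not part of the thread, here is what the setup rfc1180 describes looks like on a pair of ASA 5510s: a dedicated failover cable on Ethernet0/3 carrying both the unit heartbeat and state replication, interface monitoring on outside, and an SLA probe against the provider's VRRP virtual gateway with the default route tied to it. Interface roles, the addresses (RFC 5737 documentation space), the failover key and the unit roles are assumptions made for this example, not values from the thread.

```text
! ===== Primary unit (all names, addresses and the key are assumptions for this example) =====
! Ethernet0/3 is the dedicated heartbeat cable to the secondary ASA. It gets no nameif;
! the failover commands below claim it.
interface Ethernet0/3
 description Failover link to secondary ASA (direct cable)
 no shutdown
!
interface Ethernet0/0
 description Outside - provider handoff
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
failover lan unit primary
failover lan interface FOVER Ethernet0/3
! Stateful replication shares the same cable (a 5510 has few ports; a separate link is nicer)
failover link FOVER Ethernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Authenticate/encrypt failover traffic so nobody on that segment can inject state
failover key CHANGE-ME-failover-key
! Unit heartbeat: hello every second, declare the peer dead after 3 s of silence
failover polltime unit 1 holdtime 3
! Layer 1/2 health of the uplink: outside is monitored (default for physical ports, shown explicitly)
monitor-interface outside
failover polltime interface 1 holdtime 5
!
! Layer 3 health of the uplink: ping the provider's VRRP virtual gateway every 5 s
! and keep the default route only while it answers
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
  num-packets 3
  frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
failover
!
! ===== Secondary unit (only this much; the rest is replicated from the primary) =====
interface Ethernet0/3
 no shutdown
failover lan unit secondary
failover lan interface FOVER Ethernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key CHANGE-ME-failover-key
failover
```

With this in place the decision about which unit is active is made over the Ethernet0/3 cable and no longer depends on the provider's network. Two caveats worth knowing before relying on it: interface monitoring still sends hellos between the active and standby addresses of every monitored interface, so if the two provider handoffs are not in one broadcast domain the outside interface falls back to the ASA's interface tests rather than passing on hellos; and the SLA track only withdraws the default route when 203.0.113.1 stops answering, it does not by itself cause a unit failover (interface monitoring does). `show failover` and `show track 1` show both states.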
 
vad33 (Author) commented:
I understand that, but the datacenter provider needs the uplinks to be able to talk to one another when the ASAs are in active/standby with a link between them. The standby ASA interfaces are not pingable.
 
rfc1180 commented:
> I understand that, but the datacenter provider needs the uplinks to be able to talk to one another
If that is the case, they have a poor aggregation core design! You are then required to install a layer 2 switch between the ASAs; not one, but two, with a link between the switches. You do not want a single point of failure if you are building HA.
 
vad33 (Author) commented:
They want me to connect the uplinks to a VLAN on my Cisco 3750 stack core switch, then connect that to my ASA, then connect it back to my 3750 stack on another VLAN. It just seems crazy to me.
 
rfc1180 commented:
> They want me to connect the uplinks to a VLAN on my Cisco 3750 stack core switch, then connect that to my ASA, then connect it back to my 3750 stack on another VLAN.

It is either that or get dedicated hardware for the connectivity between the uplinks and your ASAs so that their uplinks do not touch your core. If you do not want to dish out funds for new hardware, this is your only option.

Billy
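The design the provider asks for at the end of the thread, written out as a 3750 stack configuration. This is an added example, not the thread's own config: the VLAN numbers, stack member and port numbering, and addresses are assumptions. It goes a little beyond the comment by also adding the spanning-tree settings on the ASA-facing ports that avoid the failover delay gavving mentions.

```text
! Cisco 3750 stack with two members. All VLAN numbers, ports and addresses are assumptions.
! VLAN 900 carries only the provider handoff and the ASA outside interfaces. It deliberately has
! no SVI, so the provider's VRRP broadcast domain is bridged through the stack but never routed by it.
vlan 900
 name WAN-HANDOFF
vlan 10
 name INSIDE
!
! Provider uplink A lands on stack member 1, uplink B on member 2, so losing one physical
! switch loses only one handoff. Spanning-tree is left at its defaults on these ports because
! we do not control what the provider's switches send.
interface GigabitEthernet1/0/1
 description Provider uplink A (Juniper, VRRP)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
!
interface GigabitEthernet2/0/1
 description Provider uplink B (Juniper, VRRP)
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
!
! ASA outside interfaces, one ASA per stack member. The ASA does not run spanning-tree, so
! portfast skips the listening/learning wait when the standby unit takes over, and bpduguard
! shuts the port if a switch ever gets cabled here by mistake.
interface GigabitEthernet1/0/2
 description ASA primary - outside
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/2
 description ASA secondary - outside
 switchport mode access
 switchport access vlan 900
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! ASA inside interfaces come back into the stack on a different VLAN, the one the core routes.
interface GigabitEthernet1/0/3
 description ASA primary - inside
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet2/0/3
 description ASA secondary - inside
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface Vlan10
 description Core gateway towards the ASA pair
 ip address 10.10.10.2 255.255.255.0
!
! Default route points at the ASA pair's inside address; the active unit owns it after failover
ip route 0.0.0.0 0.0.0.0 10.10.10.1
```

Because both provider uplinks and both ASA outside ports sit in VLAN 900, the two handoffs can reach each other across the stack, which is the requirement that started the thread; the price is that the core stack is now in the WAN path and the provider's layer 2 domain touches it, exactly what rfc1180 warns about. `show spanning-tree vlan 900` confirms the ASA-facing ports go straight to forwarding, and `show interfaces status` that nothing err-disabled on bpduguard.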
