vad33 asked:
Connecting two Cisco ASAs to two Juniper Switches running VRRP
My datacenter provider is providing me with two WAN uplinks. Each uplink is coming from a Juniper switch, with HSRP enabled between the two uplinks. Is there a way I can connect my two Cisco ASA 5510s in a redundant way to those two uplinks? I heard that I need to put a switch in front of my ASAs, but I really don't want to buy extra hardware. I was also told by my datacenter provider that having the ASAs in active/standby mode will not work, because the two uplinks need to talk to each other over the same broadcast domain or VLAN. If anybody has any suggestions on how I can implement this, please let me know.
I agree with rfc1180. ASAs in failover need to communicate between the firewalls through each interface to confirm connectivity. If both of your uplink cables are in the same VLAN, then they will be able to see each other through the service provider's switch infrastructure.
Also, implementing an external switch between your ASAs and their switches could cause spanning tree to come into play, which could increase failover times by 40 seconds or so. Directly connecting into the outside interfaces of the ASA eliminates this, and no spanning tree is required in the event of failover.
ASKER
Yes, you are correct, they are using VRRP. The datacenter provider is not very flexible. If I configure the ASAs in active/standby, then the two uplinks are not able to send packets between each other. I'm not really sure, but I'm guessing they need to send ARP packets.
You do not need the links to be in the same VLAN; best practice is to use a heartbeat cable between the ASAs (a dedicated interface). That will resolve the issue you are running into. You can then monitor the upstream interface at layer 1 and add monitoring at layer 3 for the default gateway.
Billy
ASKER
I understand that, but the datacenter provider needs the uplinks to be able to talk to one another when the ASAs are in active/standby with a link between them. The standby ASA interfaces are not pingable.
>I understand that but the datacenter provider needs the uplinks to be able to talk to one another
If that is the case, they have a poor aggregation core design! You are then required to install a layer 2 switch between the ASAs and their uplinks; not one, but two, with a link between the switches. You do not want a single point of failure if you are building HA.
ASKER
They want me to connect the uplinks to a VLAN on my Cisco 3750 stack core switch, then connect that to my ASA, then connect it back to my 3750 stack on another VLAN. It just seems crazy to me.
ASKER CERTIFIED SOLUTION
Basically, if the handoff from your SP is Ethernet (both connections in the same VLAN, i.e. the same broadcast domain), then you do not need any switches. You can connect your ASAs directly and configure them for active/standby or active/active. They should have the flexibility to provide most handoff configurations, either at layer 2 or layer 3.
Hope this helps
Billy
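To make the accepted answer concrete (both outside uplinks in one VLAN, ASAs cabled directly to the provider's switches, a dedicated heartbeat link between the two firewalls as Billy recommended earlier), here is an ASA 5510 active/standby failover configuration for the primary unit. This is an added example, not configuration posted by anyone in the thread: the interface names (Ethernet0/0, 0/1, 0/3), the failover interface name FOVER, the shared key placeholder and all addresses (RFC 5737 documentation space and a 10.255.255.0/30 link) are assumptions and must be replaced with your own.

```text
! Primary ASA 5510 - active/standby failover, no switch in front of the firewalls.
! Assumed interface names and addresses; substitute your own.
!
! Outside: plugged straight into SP switch A. The standby unit's outside is
! plugged into SP switch B, in the SAME VLAN, so failover hellos cross the
! SP switches and the VRRP gateway VIP is reachable from either unit.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
 no shutdown
!
! Dedicated heartbeat: a direct cable between the two ASAs. No switch, so no
! spanning tree on this path. The same link carries stateful replication.
interface Ethernet0/3
 description LAN failover and stateful failover link (direct cable to peer)
 no shutdown
!
! Default route points at the provider's VRRP virtual IP (assumed .1).
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
failover lan unit primary
failover lan interface FOVER Ethernet0/3
failover link FOVER Ethernet0/3
failover interface ip FOVER 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Shared secret authenticates and encrypts failover traffic; replace the placeholder.
failover key REPLACE-WITH-SHARED-SECRET
! Unit health: hello every 500 ms, peer declared failed after 3 s without hellos.
failover polltime unit msec 500 holdtime 3
! Interface health: hello on each monitored interface every 5 s, 25 s hold time.
failover polltime interface 5 holdtime 25
! Watch both data interfaces; a dead outside uplink then triggers a switchover.
monitor-interface outside
monitor-interface inside
! Enable last, after the failover parameters are in place.
failover
```

On the secondary unit only the failover lines are needed, with `failover lan unit secondary` in place of `primary`, the same `failover lan interface`, `failover interface ip` and `failover key` statements, and then `failover`; it pulls the rest of the configuration from the primary over the heartbeat link. Check the result with `show failover` (both units should show their monitored interfaces as Normal) and `show failover state`. If the provider hands off two different VLANs instead, the hellos the active and standby exchange on the outside interface never arrive, `show failover` will not report outside as Normal on both units, and the standby's outside address would not sit in the same segment as the VRRP gateway after a switchover, which is exactly the case where the thread concludes a pair of layer 2 switches (or a same-VLAN handoff from the provider) is needed.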