vad33

asked on

Connecting two Cisco ASAs to two Juniper Switches running VRRP

My datacenter provider is providing me with two WAN uplinks; each uplink is coming from a Juniper switch with HSRP enabled between the two uplinks. Is there a way I can connect my two Cisco ASA 5510s in a redundant way to those two uplinks? I heard that I need to put a switch in front of my ASAs, but I really don't want to buy extra hardware. I was also told by my datacenter provider that having the switches in active/standby mode will not work because the two uplinks need to talk to each other, either over the same broadcast domain or VLAN. If anybody has any suggestions on how I can implement this, please let me know.
rfc1180

Your data center provider should NOT be sending HSRP hello messages via your VLAN (downstream to you); they should have a trunk between their core switches that is used for the HSRP hello messages. It is unlikely that the Juniper switches are running HSRP, as Hot Standby Router Protocol is Cisco proprietary. They are more than likely utilizing VRRP. With that being said, you do NOT need a switch in between your ASAs and their network. As a matter of fact, the handoff from the service provider to you should be layer 2 (Ethernet) to a customer device that is a layer 3 device, such as a router or firewall. Utilizing a layer 2 switch will just add complexity to the design.

Basically, if the handoff from your SP is Ethernet (both connections in the same VLAN [same broadcast domain]), then you do not need any switches; you can connect your ASAs and configure them for active/standby or active/active. They should have the flexibility to provide most handoff configurations, either at layer 2 or layer 3.

Hope this helps

Billy
I agree with rfc1180. ASAs in failover need to communicate between the firewalls through each interface to confirm connectivity. If both of your uplink cables are in the same VLAN, then they will be able to see each other through the service provider switch infrastructure.

Also, implementing an external switch between your ASAs and their switches could cause spanning-tree to come into play, which could increase failover times by 40 seconds or so. Directly connecting into the outside interfaces of the ASA eliminates this, and no spanning-tree is required in the event of failover.
vad33

ASKER

Yes, you are correct, they are using VRRP. The datacenter provider is not very flexible. If I configure the ASAs in active/standby, then the two uplinks are not able to send packets between each other. I'm not really sure, but I'm guessing they need to send ARP packets.
You do not need the links to be in the same VLAN; best practice dictates using a heartbeat cable between the ASAs (dedicated interface). That will resolve the issue you are running into. You can then monitor the interface for the upstream at layer 1 and then add monitoring at layer 3 for the default gateway.

Billy
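A worked active/standby configuration of the kind rfc1180 describes (dedicated heartbeat link, interface monitoring, layer 3 gateway tracking), added here as an example; it is not from the thread or from any vendor document. Interface names, the 192.168.254.0/30 heartbeat subnet, the 203.0.113.0/29 outside block and the VRRP gateway address 203.0.113.1 are assumptions, and the secondary unit needs only the same commands with `failover lan unit secondary`.

```cisco
! ===== Primary ASA 5510 (assumed interface layout) =====
! Dedicated heartbeat cable: Ethernet0/3 back-to-back between the two
! units, carrying both the failover control link and state replication.
! 192.168.254.0/30 is a placeholder subnet chosen for this example.
failover lan unit primary
failover lan interface FOLINK Ethernet0/3
failover link FOLINK Ethernet0/3
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key REPLACE-WITH-SHARED-SECRET
!
interface Ethernet0/3
 no shutdown
!
! Outside interface with active and standby addresses. Assumes the
! provider hands off both uplinks in one VLAN; 203.0.113.0/29 is
! documentation address space used as a placeholder.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
 no shutdown
!
! Layer 1/2 health: failover exchanges hellos across every monitored
! interface, so both outside ports must share a broadcast domain for
! this check to stay healthy. Poll every second, declare failure after 5.
monitor-interface outside
failover polltime interface 1 holdtime 5
!
! Layer 3 health: ICMP probe to the provider's VRRP virtual gateway.
! If the probe fails the default route is withdrawn and logged; this
! tracks reachability, it does not by itself trigger unit failover.
sla monitor 1
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 1 life forever start-time now
track 1 rtr 1 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Enable failover last, once both units have the heartbeat link up.
failover
```

Verify with `show failover` (state should read Active / Standby Ready, with the outside interface listed as Normal) and `show track 1` for the gateway probe.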
vad33

ASKER

I understand that, but the datacenter provider needs the uplinks to be able to talk to one another when the ASAs are in active/standby with a link between them. The standby ASA interfaces are not pingable.
> I understand that but the datacenter provider needs the uplinks to be able to talk to one another

If that is the case, they have a poor aggregation core design! You are then required to install a layer 2 switch between the ASAs; not one, but you are now required to install 2 and install a link between the switches. You do not want a single point of failure if you are building HA.
vad33

ASKER

They want me to connect the uplinks to a VLAN on my Cisco 3750 stack core switch, then connect that to my ASA, then connect it back to my 3750 stack on another VLAN. It just seems crazy to me.
ASKER CERTIFIED SOLUTION
rfc1180