LAN extension with two ASAs
Posted on 2013-01-10
Just looking for some design guidance - here is the scenario I have:
I have two sites - A and B - each site has its own subnet, DHCP, DNS, etc.
In each site I have one vlan for voice and one vlan for data.
Sites A and B are connected together via VPN L2L.
Site A has a pair of Cisco ASA 5510 running 8.2(5) in active/standby mode
Site B has a pair of Cisco ASA 5505 running 8.2(5) in active/standby mode
There is an access list in place defining the traffic.
1 - Voice can talk to Voice across the link
2 - Data can talk to Data across the link
3 - Certain IPs on Data can access certain IPs on Voice across the link and vice versa.
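As an added illustration of rules 1-3 above (my example, not the poster's configuration), here is how they could look as an ASA 8.2-style ACL on a dedicated LAN-extension interface of the Site A 5510. The subnets, the interface name, the /29 transit network and the two cross-VLAN hosts are assumptions.

```cisco
! Added example, not the poster's config. Assumed addressing:
!   Site A data 10.1.10.0/24, voice 10.1.20.0/24
!   Site B data 10.2.10.0/24, voice 10.2.20.0/24
!   LAN extension on Ethernet0/2 of the Site A 5510, nameif "lanx"
!   10.1.20.50 / 10.2.10.50 / 10.2.20.50 / 10.1.10.50: hypothetical hosts for rule 3
interface Ethernet0/2
 nameif lanx
 security-level 50
 ! standby address so the failover pair can both own the link
 ip address 192.168.255.1 255.255.255.248 standby 192.168.255.2
!
object-group network SITEA_DATA
 network-object 10.1.10.0 255.255.255.0
object-group network SITEA_VOICE
 network-object 10.1.20.0 255.255.255.0
object-group network SITEB_DATA
 network-object 10.2.10.0 255.255.255.0
object-group network SITEB_VOICE
 network-object 10.2.20.0 255.255.255.0
!
! Rules 1-3 from the post, applied inbound on lanx (Site B -> Site A direction)
access-list LANX_IN extended permit ip object-group SITEB_VOICE object-group SITEA_VOICE
access-list LANX_IN extended permit ip object-group SITEB_DATA object-group SITEA_DATA
access-list LANX_IN extended permit ip host 10.2.10.50 host 10.1.20.50
access-list LANX_IN extended permit ip host 10.2.20.50 host 10.1.10.50
! explicit final deny with logging so unexpected cross-site flows show up in syslog
access-list LANX_IN extended deny ip any any log
access-group LANX_IN in interface lanx
!
! Site B is reached over the extension; the default route still points at the ISP
route lanx 10.2.0.0 255.255.0.0 192.168.255.5 1
! 8.2 NAT exemption so site-to-site traffic is not translated like Internet traffic
access-list NONAT extended permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
nat (inside) 0 access-list NONAT
```

The Site B 5505 pair needs the mirror image of this ACL, and for the active/standby pair to keep the link alive after a failover the extension's endpoint has to hang off a switch that both units connect to, not a spare port on the active unit alone.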
Each site has their own internet connection - these are the same connections the VPN travels through.
Site A looks a bit like this.
PC connects to the distribution switches - Default gateway for the network is a pair of 3560G running HSRP. This switch routes between the local voice and data VLANs - this switch has a gateway of last resort that is the Cisco ASA 5510.
PC------ 3560G Gateway ----- ASA 5510 Gateway ----- Internet
Site B looks a bit like this - Same idea as above
PCs connect to the distribution switches - Default gateway for the network is ONE HP ProCurve J9089A Switch 2610-48-PWR (this is a layer 3 device) - this switch does routing between the local voice and data VLANs - this switch has a gateway of last resort that is the Cisco ASA 5505.
Gateway switch and Cisco ASA (in both sites) have the same IP subnet, meaning the connection between gateway and ASA is a layer 2 connection.
So the challenge starts now, and it is more of a design challenge than anything else.
I recently acquired a LAN extension between these two sites. The purpose of this LAN extension is to substitute the VPN L2L between sites. This LAN extension is 100 Mbps full duplex.
My ideal scenario was to replace the VPN L2L by connecting the two endpoints of the LAN extension via spare ports I have on both ASA devices (Site A and Site B). This would help me leverage my knowledge of the Cisco ASA platform in creating and managing access lists.
One of the challenges I face is due to the fact that I am not able to QoS the traffic and I would have to hope that 100 Mbps would be enough. Just for your knowledge, Site B's voice mail application is on Site A and there are some extension-to-extension calls going on. On a 10 Mbps link (slowest link between the two sites) I have never had problems with these calls or the calls to voice mail.
Ideally for the future I would like to establish some internet redundancy between the two sites: if site A loses internet, please route through site B's internet connection - and vice versa. However this is not my immediate goal.
1 - What do you think about my idea?
2 - Do you see any challenges with this?
3 - If I tackle the job of only replacing the VPN L2L with the lanX - do you think I would have problems failing over the internet between sites in the future?