
ASA Firewall redundant vs etherchannel

Posted on 2014-04-07
Last Modified: 2014-04-08
Hi,

I am setting up a pair of 5512-X outside network with 2x Cisco 2960C switches connecting to our service provider through an access port on each of the switches.

Since Etherchannel across the 2960C's is not an option, would you:

1) Etherchannel from Firewall A to 2960C A and Etherchannel from Firewall B to 2960C B (with trunk between the 2960C's)

2) Each firewall have uplink to each 2960C and use redundant interfaces

Please let me know why you would favor any of the options.


Thanks.
Question by:random0
Accepted Solution

by:
Martin Tarlink earned 2000 total points
ID: 39984444
Option 2) seems more reasonable because you can set up redundancy.
Could you specify which model of 2960C you have?

Author Comment

by:random0
ID: 39984614
They are the 8x100Mb + 2 Gb model.

2960C-8TC-L

Expert Comment

by:Martin Tarlink
ID: 39984866
I also forgot to ask:

Could you provide more information about your topology?
Do you have one or two ISP modems?
Do you want to use ASA in active/active or active/standby failover?
Do you plan to use multicontext on ASA?
Do you plan to use static NAT to IPS (how many devices)?
Do you plan to use IP inter-VLAN routing inside that network, VPN?

Also, what IOS level do you have on your ASA?
Your compact switches support only LAN Base features, so you have to be aware of what you can and what you can't do with them.

With Cisco, everything I asked about could be set up in different ways, depending on what you want to accomplish.

Author Comment

by:random0
ID: 39984899
- The 2960C switches are only for the uplinks to the provider
- Provider supplies 2 access ports to a VLAN with 2 routers with HSRP running
- Active/Passive failover
- Single context
- No IPS module
- Inside network will be served with L3 switches; the compact switches are only the "outside" switches

Now that I think about it, the redundant interfaces make more sense since they will cover more failure scenarios without triggering a firewall failover.

Expert Comment

by:Martin Tarlink
ID: 39985038
I am not sure now if you need those two switches. Why not plug the ISP VLAN ports into the ASA directly, and configure the IP address on the ASA to match the ISP routers?

Not sure how the ASA will receive its IP - statically / dynamically from the ISP.
Does your ISP provide your gateway IP address?

If you have L3 inside your network with IP Service, you can set up PBR and SLA tracking, and if one connection to your ISP goes down, the inside router will switch the routing path. The same will happen if one of your ASAs goes down.
It could be much easier if your ISP can provide 2x "no switchport" interfaces.

I do not see how you will program those 2960C-8TC-L LAN Base switches. For me, those are Layer 2 edge devices.

You have mentioned that your ISP runs HSRP (which is a little limited), which means the ISP has a Cisco router behind it. If you can convince your ISP to run GLBP, you will be able to run active/active :)

Author Comment

by:random0
ID: 39985656
I just need layer 2 connectivity to the ISP, they provide me with a static range, but we are beyond the scope of my original question.

The switches are there to connect other devices on that static range.