
ASA active/standby failover configuration

ggRM7865 asked
I am trying to find the best way to connect two ASA 5515 active/standby firewalls to a L3 core switch and avoid the use of L2 switches to connect the interfaces, adding possible points of failure.
Attached is a diagram showing my idea of connecting them by using VLANs. (Please note that Vlan_DMZ, VLAN_EXT are not routable).

Please let me know if any of you have implemented this solution vs. the use of L2 switches (or crossover cables).

Thank you for your help.

Most Valuable Expert 2015
No offense, but that's ugly. I like physical separation, as well. I would not terminate the inside interfaces along with the outside interfaces on the same [layer 2 or layer 3] device, even if they are VLAN segmented.


Thank you for your response....

Why wouldn't you terminate the interfaces in non-routable VLANs? If you use separate switches you have to deal with extra points of failure, which is not the purpose of using failover firewalls. In this case you would just have to make the L3 switch redundant. Wrong?
Most Valuable Expert 2015

I simply do not interconnect my outside, inside, DMZ, etc. interfaces to the same switch.

If you're that mission critical, then physical separation should be more important than the cost of a couple more switches.
Top Expert 2004
I agree with Jan Springer on this. We have our DMZ and inside interfaces on one pair of switches, and our outside interfaces on a different set of switches. The risk is not under normal conditions, but if someone were to find a vulnerability and get into that switch, they have everything, even though it's Layer 2. Or even if someone accidentally misconfigures the switch, you could have a problem with mixing traffic. And use a different password on the outside switch than on the others.

We have 2 links channeling between the outside switches and similar between the inside switches to eliminate the single points of failure. They don't have to be expensive switches. Companies who skimp on internet security nearly always regret it later because it costs way more to deal with the damage.
Pete Long, Technical Consultant
Distinguished Expert 2019
I could not agree more with Jan; it just takes someone to get a subnet wrong on an SVI, and the default proxy ARP will let you jump VLANs.

The only time I would consider cabling different security zones into the same device is if I were using VDC/Nexus.

Buy some more switches!



Thank you all out there for sharing your opinion, ...even if I disagreed with you. :((

I guess it is more a physical fear from seeing the EXT, DMZ and INT networks connected to the same L3 switch than a real potential security issue.
Assuming that you know what you are doing in configuring the VLANs/firewall, when you leave a VLAN un-IP'ed (no VLAN interface IP) and use the firewall interface's IP as the gateway, there is NO way that traffic will mix. ...You basically do the same thing in a firewall, where you have different networks (VLANs) connected to the same physical device's interfaces.
Still cannot sleep at night? Apply some deny-traffic ACLs to the routed VLAN interfaces... in case you think you ever need them.

ARP? It won't work... it is a broadcast message and won't propagate. I know (high-profile) companies that implemented this cabling/configuration and never heard of any particular problem.

Thank you ;))
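As an added example, not posted by anyone in this thread, here is what the design under discussion looks like on the wire, covering both the un-IP'ed VLAN approach the asker describes and the proxy-ARP hazard Pete Long raises. All VLAN IDs, interface names, addresses and the failover key are assumptions for illustration; the ASA is assumed to reach the core over a trunk with one subinterface per zone. VLAN_EXT and VLAN_DMZ exist on the core switch only as Layer 2 VLANs with no SVI, so the switch has no IP in those zones and nothing to proxy-ARP from; VLAN_INT keeps its SVI with proxy ARP explicitly turned off; and the ASA pair runs active/standby over a dedicated crossover failover link rather than through the core.

```cisco
! ===== Core L3 switch (Cisco IOS, Catalyst-style syntax assumed) =====
vlan 100
 name VLAN_INT
vlan 200
 name VLAN_EXT
vlan 300
 name VLAN_DMZ
!
! VLAN_EXT (200) and VLAN_DMZ (300) deliberately have NO "interface Vlan200"
! or "interface Vlan300" stanza: the switch bridges them at Layer 2 only and
! holds no address in either zone, so it cannot route between zones.
! Adding an SVI with an IP to either VLAN is the one-line mistake that turns
! this core into a router between zones.
!
! VLAN_INT is the only routed VLAN; its next hop is the ASA inside address.
interface Vlan100
 ip address 10.1.100.2 255.255.255.0
 no ip proxy-arp        ! IOS enables proxy ARP by default on SVIs; disable it on every firewall-facing SVI
 no ip redirects
!
! Trunks to the two ASAs carry only the zone VLANs the firewall terminates.
interface GigabitEthernet1/0/1
 description ASA-1 (primary)
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
 switchport nonegotiate
!
interface GigabitEthernet1/0/2
 description ASA-2 (secondary)
 switchport mode trunk
 switchport trunk allowed vlan 100,200,300
 switchport nonegotiate
!
! ISP hand-off is a plain access port in the L2-only outside VLAN.
interface GigabitEthernet1/0/3
 description ISP router
 switchport mode access
 switchport access vlan 200
!
! Inside hosts reach everything else through the ASA, not through an SVI in another zone.
ip route 0.0.0.0 0.0.0.0 10.1.100.1
!
! ===== ASA 5515-X primary unit (secondary needs the same interfaces plus "failover lan unit secondary") =====
interface GigabitEthernet0/0
 description Trunk to core
 no shutdown
!
interface GigabitEthernet0/0.100
 vlan 100
 nameif inside
 security-level 100
 ip address 10.1.100.1 255.255.255.0 standby 10.1.100.3
!
interface GigabitEthernet0/0.200
 vlan 200
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/0.300
 vlan 300
 nameif dmz
 security-level 50
 ip address 10.1.30.1 255.255.255.0 standby 10.1.30.2
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Failover control and stateful replication share one dedicated link cabled
! directly between the two ASAs (assumed Gi0/5), so failover traffic never
! touches the core switch.
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/5
failover link FOLINK GigabitEthernet0/5
failover interface ip FOLINK 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover key ExampleSharedSecret
failover
```

To verify the two properties this design depends on: on the switch, `show ip interface brief | include Vlan` should list an address only for Vlan100, and `show ip interface Vlan100 | include Proxy` should report that proxy ARP is disabled; on the ASA, `show failover` should show the primary as Active and the secondary as Standby Ready. Note that an ACL applied to an SVI only filters routed traffic, so there is nothing to apply one to on the L2-only VLANs: the control there is the absence of the SVI itself, and a change-control check that nobody adds one later.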