ASA active/standby failover configuration

Hello,
I am trying to find the best way to connect two ASA 5515 active/standby firewalls with an L3 core switch and avoid using L2 switches to connect the interfaces, which would add possible points of failure.
Attached is a diagram showing my idea of connecting them by using VLANs. (Please note that Vlan_DMZ and VLAN_EXT are not routable.)

Please let me know if any of you have implemented this solution rather than using L2 switches (or crossover cables).

Thank you for your help.
ConFWSW.pdf
ggRM7865Asked:

Jan SpringerCommented:
no offense, but that's ugly.  i like physical separation, as well.  i would not terminate the inside interfaces along with the outside interfaces to the same [layer 2 or layer 3] device -- even if they are vlan segmented.

ggRM7865Author Commented:
Thank you for your response....

Why wouldn't you terminate the interfaces in non-routable VLANs? If you use separate switches you would have to deal with extra points of failure, which is not the purpose of using failover firewalls. In this case you will just have to make the L3 switch redundant. Wrong?
Jan SpringerCommented:
i simply do not interconnect my outside interfaces, inside, dmz, etc to the same switch.

if you're that mission critical, then physical separation should be more important than the cost of a couple more switches.
mikebernhardtCommented:
I agree with Jan Springer on this. We have our DMZ and inside interfaces on one pair of switches, and our outside interfaces on a different set of switches. The risk is not under normal conditions, but if someone were to find a vulnerability and get into that switch, they have everything. Even though it's Layer 2. Or even if someone accidentally misconfigures the switch, you could have a problem with mixing traffic. And use a different password on the outside switch than on the others.

We have 2 links channeling between the outside switches and similar between the inside switches to eliminate the single points of failure. They don't have to be expensive switches. Companies who skimp on internet security nearly always regret it later because it costs way more to deal with the damage.
Pete LongTechnical ConsultantCommented:
I could not agree more with Jan; it just takes someone to get a subnet wrong on an SVI, and the default proxy ARP will let you jump VLANs.

The only time I would consider cabling different security zones into the same device is if I were using VDC/Nexus.

Buy some more switches!

P
ggRM7865Author Commented:
Thank you out there for sharing your opinion, ....even if I disagree with you.. :((

I guess it is more a physical fear from seeing EXT, DMZ and INT networks connected to same L3 switch than a real potential security issue.
Assuming that you know what you are doing when configuring VLANs/firewalls: when you un-IP a VLAN (no VLAN interface IP) and use the firewall interface's IP as the gateway, there is NO way that traffic will mix. ...you basically do the same thing in a firewall where you have different networks (VLANs) connected to the same physical device's interfaces.
Still cannot sleep at night? Apply some deny-traffic ACLs to the routed VLAN interfaces....in case you think you ever need them.

ARP? It won't work....it is a broadcast message and won't propagate. I know companies (high profile) that implemented this cabling/configuration and never heard of any particular problem.

thank you ;))
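Both Pete Long's proxy ARP warning and the asker's un-IP'd VLAN plus deny-ACL approach come down to what is actually configured on the L3 switch's SVIs, and that is something you can audit rather than argue about. The script below is an added example, not code from anyone in this thread or from Cisco. It parses a constructed Cisco IOS-style running config (hostname, VLAN numbers and addresses are assumptions; the VLAN names Vlan_DMZ and VLAN_EXT follow the asker's diagram) and flags the two conditions the discussion turns on: a VLAN that is supposed to be L2-only but has acquired an SVI with an IP address, and a routed SVI that still has IOS's default proxy ARP enabled.

```python
"""Audit an IOS-style L3 switch config for two VLAN-isolation failure modes:
an "isolated" VLAN that has quietly acquired a routed SVI, and a routed SVI
that still has proxy ARP enabled (the IOS default).

Added example; not from any poster in the thread. The config below is
constructed for this example and the VLAN numbers/addresses are assumptions.
"""
import re

# Constructed sample running-config (assumed numbering, not from the thread).
SAMPLE_CONFIG = """\
hostname core-sw
!
vlan 10
 name VLAN_INT
vlan 20
 name Vlan_DMZ
vlan 30
 name VLAN_EXT
vlan 40
 name VLAN_MGMT
!
interface Vlan10
 description inside users; SVI hardened with no ip proxy-arp
 ip address 10.10.0.2 255.255.255.0
 no ip proxy-arp
!
interface Vlan20
 description someone added an SVI here by mistake
 ip address 10.20.0.2 255.255.255.0
!
interface Vlan30
 description no ip address -> pure L2 transit to the firewall
!
interface Vlan40
 description management SVI, proxy ARP left at the IOS default
 ip address 10.40.0.2 255.255.255.0
!
"""

# VLAN names that must never carry a routed SVI on the core switch
# (from the asker's diagram; match is case-insensitive).
ISOLATED_VLAN_NAMES = ("vlan_dmz", "vlan_ext")


def parse_interfaces(config):
    """Return {interface name: [its indented config lines, stripped]}."""
    interfaces, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any top-level command ends the stanza
    return interfaces


def parse_vlan_names(config):
    """Return {vlan number: name} from 'vlan N' / ' name X' stanzas."""
    names, current = {}, None
    for line in config.splitlines():
        m = re.match(r"vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
        elif line.startswith(" name ") and current is not None:
            names[current] = line.split(None, 1)[1]
        elif not line.startswith(" "):
            current = None
    return names


def audit(config, isolated_names=ISOLATED_VLAN_NAMES):
    """Return a list of (severity, interface, message) findings."""
    findings = []
    names = parse_vlan_names(config)
    isolated = {f"Vlan{n}" for n, nm in names.items()
                if nm.lower() in isolated_names}
    for iface, lines in parse_interfaces(config).items():
        if not iface.startswith("Vlan"):
            continue
        has_ip = any(l.startswith("ip address ") for l in lines)
        if iface in isolated:
            if has_ip:
                findings.append(("HIGH", iface,
                                 "isolated VLAN has a routed SVI; the switch "
                                 "can now forward between security zones"))
            continue  # an SVI with no ip address is not routing anything
        if has_ip and "no ip proxy-arp" not in lines:
            findings.append(("MEDIUM", iface,
                             "routed SVI with proxy ARP at the IOS default; "
                             "add 'no ip proxy-arp'"))
    return findings


if __name__ == "__main__":
    for severity, iface, msg in audit(SAMPLE_CONFIG):
        print(f"{severity:6} {iface:8} {msg}")
```

Feed it the text of `show running-config` saved to a file. A HIGH finding means the un-IP'd-VLAN design has silently stopped being un-IP'd; the remedy is to remove the `ip address` (or the whole `interface VlanN`) for that VLAN. A MEDIUM finding is exactly the case Pete describes: with proxy ARP on, a host whose subnet mask overlaps a neighbouring VLAN's range can get the SVI to answer ARP on its behalf, so `no ip proxy-arp` belongs under every routed SVI on a switch that carries more than one security zone.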