Redundancy with 2 ASA and 2 core switches

I'd like to implement full redundancy with 2 ASAs and 2 core switches running HSRP. Has anyone implemented this scenario? If yes, I'd like to know if the ASAs are in active/standby or active/active. Also, are there any sample configs out there? Thanks
leblancAccountingAsked:

Craig BeckCommented:
Will the ASAs be connected directly to each core switch, so ASA1 to core1 and ASA2 to core2, for example?

In a lot of the deployments I've seen/implemented the ASAs wouldn't be connected directly to the core switches. Instead, a pair of switches would be used between the ASAs and the cores to provide redundant paths between them all. This would allow ASA1 to see core2 without having to pass through core1, etc., and therefore removes the reliance on the connected core being up. That in turn means you could kill one core and not upset internet traffic going through the primary ASA, for example.

It really depends on more than just providing redundancy in that you need to consider how many internet circuits you have and how you want traffic to be routed normally and in the event of a failure.
leblancAccountingAuthor Commented:
I forgot to attach the snapshot of the network diagram that I have in mind. See pic. Thx

net diagram
Craig BeckCommented:
You need to do some routing tricks to make that work nicely, unless the two core switches are stacked or VSS and the ASAs are connected via Etherchannels.
leblancAccountingAuthor Commented:
The core switches will be configured as HSRP. Are there any examples of this scenario out there?
Craig BeckCommented:
I understand, but what I'm saying is that IF you want to connect it all in this way you'll need to attack it in a slightly different way.

As your diagram shows, the ASAs will have a link to each core. The problem here is that unless you use Etherchannels you'll have two separate routed interfaces per ASA, so you'll have to play with routing to get failover/redundancy to work nicely. If you do use Etherchannels you'll need the cores to be stacked or configured in a VSS.

Instead of connecting each ASA directly to each core, use two switches instead. It simplifies things massively and adds redundancy. This lets you use HSRP and you can configure your ASAs in either active/active, active/passive or active/standby HA.

Network Diagram
leblancAccountingAuthor Commented:
I did not think of that. So the switches between the ASAs and the cores are just layer 2 switches and they don't do HSRP. Correct?
All the ports connected to those 2 switches are access ports, except the trunk between them. Correct?
Can those 2 switches be just 1 switch?
Craig BeckCommented:
Yes, everything between cores and ASAs is one single VLAN, including the link between switches (not cores).

You need 2 switches to mitigate the single point of failure.
leblancAccountingAuthor Commented:
The problem is I have to purchase 2 new switches. I am just wondering if it is easier to just stack the 2 cores.
Craig BeckCommented:
That's a good idea on its own, but it'll only help with ASA redundancy if you can configure Etherchannels on them. Which ASAs do you have?
leblancAccountingAuthor Commented:
5515x
Craig BeckCommented:
Cool, so you can use Etherchannels - that's your solution. No intermediate switches needed then, but realise that if one core switch dies you lose half the bandwidth to your active ASA. This may or may not be a problem for you, especially if you were only going to run one interface from each ASA anyway.

leblancAccountingAuthor Commented:
I am lost when you talk about etherchannel on the ASAs. Can you elaborate on that? Thx
Craig BeckCommented:
An Etherchannel on the ASA is just 2 or more interfaces which are configured as one logical link. It's a way to add redundancy and load-balancing for traffic.

If you use 2 separate links they are completely separate so you have no layer-2 redundancy there - you have to put them in layer-3 mode in terms of routing.  That means you have to run two separate instances of HSRP and different subnets.
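Added example (not posted by anyone in this thread) showing what the Etherchannel-to-stacked-cores design described above looks like in config, with the ASAs as an active/standby pair. Interface numbers, VLAN 100 and all addresses are constructed; the cores are assumed to be a single stack (Gi1/0/x on member 1, Gi2/0/x on member 2), which is one logical switch, so the ASA-facing VLAN needs a single SVI rather than HSRP.

```cisco
! ---- ASA1 (primary unit); ASA2 receives the same config through failover sync ----
! One physical link to each stack member, bundled into one logical inside interface.
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/2
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
! Active/standby failover over a dedicated link (constructed addressing)
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/5
failover link FOVER GigabitEthernet0/5
failover interface ip FOVER 192.168.254.1 255.255.255.252 standby 192.168.254.2
failover
!
! ---- Stacked core (one logical switch) ----
! Po1 to ASA1: if one stack member dies, Po1 keeps one member link and half the bandwidth.
interface Port-channel1
 description ASA1 inside
 switchport mode access
 switchport access vlan 100
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 switchport mode access
 switchport access vlan 100
 channel-group 1 mode active
! Repeat as Po2 on Gi1/0/2 + Gi2/0/2 for ASA2, also in access VLAN 100.
interface Vlan100
 description Transit VLAN to the ASA pair
 ip address 10.10.10.254 255.255.255.0
! Single default route to the ASA active address; the address moves with the active unit.
ip route 0.0.0.0 0.0.0.0 10.10.10.1
```

Because the ASA pair shares one active IP on the port-channel, the core only ever needs one next hop; a failover moves the address rather than the route.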
leblancAccountingAuthor Commented:
I see. So for ASA1, for example, the links to sw1 and sw2 will be set up as an etherchannel. So all the connections between ASA1 and the core switches are trunks and the default gateway for the core switches will be the IP address that is assigned to both ASA1 and ASA2. Correct?

I understand HSRP but I always get confused when it comes to the links going to the outside world, like should I use layer 2 trunk or layer 3 static routes or dynamic.