Sajith,

The ASA can detect link failure by using the monitor-interface command, but it cannot react to spanning-tree or other switch-related problems. There are many methods to overcome this. Some include dynamic routing (OSPF or EIGRP between routers and firewalls) or SLA monitors with tracking commands for static routing.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html

Review the sections on IP routing and High Availability. All the information you need for your scenario is there.

Good luck,
Roger

On Wed, Oct 21, 2009 at 2:27 PM, sajith thaivalappil <[email protected]> wrote:
> Hi,
>
> I am trying to build a redundant internet design with multiple ISPs,
> multiple firewalls, DMZs etc. I want to make sure there is complete
> redundancy even if one or more hardware components fail in the path.
>
> Here is the path:
>
> Edge routers (BGP) - Edge switches (2) - Edge firewalls (2) - DMZ switches (2) -
> Core firewalls (2).
>
> I am planning to keep the firewalls in active/standby failover mode.
> Switches are in Layer 2 mode. My question is how the firewalls behave if
> there is a problem with the switches? Do I need to connect each firewall to
> both switches? Is there any best practice? How does the ASA detect the
> switch failure and send traffic through the second switch?
>
> Thanks,
> Saj
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
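As an added example (not part of Roger's reply or the linked guide), the following ASA 8.2-style configuration puts the two mechanisms he names side by side: interface monitoring under active/standby failover, and an SLA monitor with a tracked static route for the case where the switch is up but the path behind it is not. Interface names (outside, inside, backup, folink, GigabitEthernet0/3), the RFC 5737 documentation addresses, the probe target and the SLA/track IDs are all assumed for illustration.

```cisco
! Added example, not from the thread. Interface names, addresses and IDs are assumed.

! --- Active/standby failover: the monitor-interface check Roger refers to ---
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover link folink GigabitEthernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Poll monitored interfaces every second; declare the interface failed after 5 s.
failover polltime interface 1 holdtime 5
! Only monitored interfaces count toward a failover decision. This detects loss
! of link, or loss of the hello exchange between the two units on that segment.
! It does not notice a switch that keeps link up but stops forwarding.
monitor-interface outside
monitor-interface inside
no monitor-interface management

! --- Static routing with SLA tracking: detects a dead path beyond the switch ---
! Probe a target past the first hop (address assumed) so a healthy switch port
! with an unreachable upstream still pulls the primary route.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.10 interface outside
 num-packets 3
 frequency 5
 timeout 1000
 threshold 500
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability

! The primary default route stays in the table only while track 1 is up;
! the higher-metric backup route through the second ISP takes over otherwise.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
```

To check the two mechanisms independently on the active unit, use `show failover` (per-interface Normal/Testing/Failed state and the monitored list), `show sla monitor operational-state 10` and `show track 1` (probe results and whether the tracked object is up), and `show route` (which default route is currently installed). Note the division of labour: monitor-interface decides whether the unit itself should fail over, while the tracked route only changes which gateway the active unit uses, so a blocked switch port that does not drop link is caught by the probe, not by failover.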
