Yes Roger,
You will connect the firewalls to different switches, with the switches having
trunks in between them.
I am not sure about the routing structure of your network.
But for failover, the firewall will monitor the physical interfaces.
By putting in two switches, with the active firewall's interfaces
connected to one and the standby firewall's connected to the other, you will
have redundancy for the failure of a switch.

Basically your structure will be something like this

Edge Router1----Edge switch1---------Edge Firewall 1-----DMZ Switch 1---Core firewall1
                     |                                       |
                     |                                       |
Edge Router2----Edge switch2---------Edge Firewall 2-----DMZ Switch 2---Core firewall2

Not sure if you will get the email with the formatting intact :)
Basically, draw your network without redundancy. Then draw a mirror
network with switches having trunks between them, and that would be
your diagram.

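The two detection mechanisms Roger names in the quoted reply below (interface monitoring for the failover pair, plus an SLA monitor with a tracked static route for upstream reachability), written out as an added example ASA configuration that is not part of the original thread. Interface names, the failover link, and the 10.255.0.x / 203.0.113.x addresses are assumed placeholders; both edge routers are assumed to sit on the same outside segment reachable across the trunked edge switches.

```cisco
! --- Active/standby failover: the two units exchange hellos on every
! --- monitored interface, so a dead edge switch shows up as a failed
! --- interface test on the active unit and triggers a switchover.
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.255.0.1 255.255.255.252 standby 10.255.0.2
! Hello every 1 s; declare the interface failed after 5 s without replies
! (defaults are 5 s / 25 s, which is slow for a switch outage)
failover polltime interface 1 holdtime 5
! Only interfaces listed here count toward the failover decision
monitor-interface outside
monitor-interface dmz
! Fail over as soon as one monitored interface is lost
failover interface-policy 1

! --- Tracked static default route: covers a switch or router that stays
! --- link-up but stops forwarding, which interface monitoring cannot see.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 num-packets 3
 timeout 1000
 frequency 10
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
! Default route via Edge Router1 is installed only while track 1 is up
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
! Floating backup via Edge Router2 (higher metric) takes over otherwise
route outside 0.0.0.0 0.0.0.0 203.0.113.2 254

! Verify with: show failover, show track 1, show route
```

The SLA probe targets the router's interface address, so it detects loss of the router or of the switch path to it but not a problem further upstream; probe a more distant address if the ISP link itself must be tracked.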

On Wed, Oct 21, 2009 at 10:57 PM, Roger Cheeks
<[email protected]> wrote:
> Sajith,
> The ASA can detect link failure by using the monitor-interface command, but
> it cannot react to spanning-tree or other switch related problems.  There
> are many methods to overcome this.  Some include dynamic routing (OSPF or
> EIGRP between routers & firewalls) or sla monitors w/ tracking commands for
> static routing.
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html
> Review the sections on IP routing and High Availability.  All the
> information you need for your scenario is there.
> Good luck,
> Roger
>
> On Wed, Oct 21, 2009 at 2:27 PM, sajith thaivalappil
> <[email protected]> wrote:
>>
>> Hi,
>>
>> I am trying to build a redundant internet design with multiple ISPs,
>> multiple firewalls, DMZs, etc. I want to make sure there is complete
>> redundancy even if one or more hardware components fail in the path.
>>
>>
>> Here is the path
>>
>> Edge routers (BGP)- Edge switches(2)-Edge firewalls(2)-DMZ switches(2)-
>> Core firewalls(2).
>>
>> I am planning to keep the firewall in active/standby failover mode.
>> Switches are in Layer 2 mode. My question is how the firewalls behave if
>> there is a problem with the switches. Do I need to connect each firewall to
>> both switches? Are there any best practices? How does the ASA detect the
>> switch failure and send traffic through the second switch?
>>
>> Thanks,
>> Saj
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>
>
>
>