Also be aware that failover performs several other checks if it loses its state cable. This is a concern if you plug the state cable into a switch. Here is an example:

Outside_switch1----Outside_switch2
      |                  |
      |                  |
      |                  |
  Primary_fw         secondary_fw
      |                  |
      |                  |
      |                  |
Inside_switch1-----inside_switch2

Now, if your state cable is plugged into the inside switches, and a switch fails, your state cable is now disconnected. The second thing the firewalls will do is try to ping each interface. If the secondary fw can ping any interface on the primary, it will remain in inactive state. So if inside_switch1 fails, it has lost all connectivity to the internal network, but it remains in active state, whereas the secondary firewall has connectivity to both the internal and external networks, and should be used as the active firewall. But since it can ping the outside interface on the primary, it remains inactive.

To overcome this you should use a dedicated cable for the failover cable (one that is not plugged into the switches) in this design. Another thing that might work, but I have never tried, is configuring a redundant interface. One interface on the outside switches, and the other on the inside switches, then assign this redundant interface as the failover interface, but I am not sure if you can assign a redundant interface as a failover interface.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Badar Farooq
Sent: Wednesday, October 21, 2009 2:54 PM
To: Roger Cheeks
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] Design question

Yes Roger

You will connect firewalls to different switches with switches having trunks in between them. I am not sure about the routing structure of your network. But for fail over, the firewall will monitor the physical interfaces. By putting two switches with active firewall having interfaces connected to one and standby firewall connected to the other you will have redundancy for the failure of switches. Basically your structure will be something like this

Edge Router1----Edge switch1---------Edge Firewall 1-----DMZ Switch 1---Core firewall1
                     !                      !                 !               !
Edge Router2----Edge switch2---------Edge Firewall 2-----DMZ Switch 2---Core firewall2

Not sure if you will get the email with the formatting intact :)
Basically draw your network without redundancy. Then draw a mirror network with switches having trunks between them and that would be your diagram

On Wed, Oct 21, 2009 at 10:57 PM, Roger Cheeks <[email protected]> wrote:
> Sajith,
> The ASA can detect link failure by using the monitor-interface command, but it cannot react to spanning-tree or other switch related problems. There are many methods to overcome this. Some include dynamic routing (OSPF or EIGRP between routers & firewalls) or sla monitors w/ tracking commands for static routing.
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/route_overview.html
> Review the sections on IP routing and High Availability. All the information you need for your scenario is there.
> Good luck,
> Roger
>
> On Wed, Oct 21, 2009 at 2:27 PM, sajith thaivalappil <[email protected]> wrote:
>>
>> Hi,
>>
>> I am trying to build a redundant internet design with multiple ISPs, multiple firewalls, DMZs etc..... I want to make sure there is complete redundancy even if one or more hardware components failed in the path......
>>
>> Here is the path
>>
>> Edge routers (BGP) - Edge switches (2) - Edge firewalls (2) - DMZ switches (2) - Core firewalls (2).
>>
>> I am planning to keep the firewall in active/standby failover mode. Switches are in Layer 2 mode. My question is how the firewalls behave if there is a problem with the switches? Do I need to connect each firewall to both switches..... Are there any best practices? How does the ASA detect the switch failure and send traffic through the second switch?
>>
>> Thanks,
>> Saj
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>>
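The configuration below is an added example, not taken from any message in this thread. It shows, in ASA 8.2 syntax, the dedicated failover/state link the first reply recommends (a direct cable between the two units rather than a port on Inside_switch1/2), interface monitoring on the data interfaces, and the SLA monitor with a tracked static route that Roger mentions for reacting to upstream problems the link state alone cannot reveal. Interface names, the failover subnet and the ISP next hop 203.0.113.1 are assumed values.

```cisco
! ---- Primary unit ----
! Dedicated failover LAN + state link on a directly cabled interface.
! Because it does not pass through the inside or outside switches, a switch
! failure cannot cut the failover link and push the units into the
! "ping every interface" fallback described above.
failover
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover link FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover key <shared-secret-placeholder>
! Health-check hellos on the data interfaces: one per second, declare the
! interface failed after 5 seconds. Losing inside on the active unit then
! triggers a switchover instead of being masked by a reachable outside link.
failover polltime interface 1 holdtime 5
monitor-interface outside
monitor-interface inside
monitor-interface dmz

! ---- Secondary unit (same link definition, different unit role) ----
! failover
! failover lan unit secondary
! failover lan interface FOLINK GigabitEthernet0/3
! failover link FOLINK GigabitEthernet0/3
! failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
! failover key <shared-secret-placeholder>

! ---- Upstream reachability: SLA monitor + tracked default route ----
! Interface monitoring only sees link state; if the edge switch stays up but
! the path beyond it is broken (e.g. spanning-tree trouble), an ICMP probe to
! the ISP next hop withdraws the default route so traffic can take the
! alternate path the design provides.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.1 interface outside
 frequency 5
sla monitor schedule 10 life forever start-time now
track 1 rtr 10 reachability
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
```

Verify the result with `show failover` (both units should list the data interfaces as Monitored and the failover link as Up) and `show track 1` after pulling the cable to the ISP next hop.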
