2 Cisco ASA + 4 Cisco switches - best way to connect all together

Question

Until now I have been involved in using Cisco hardware in professional environment but on a small level. Recently, requirement has came up for our new facility to be built with PCI compliance in mind and since we have quite a lot of traffic passing between the servers we have decided to invest some money into high-end Cisco hardware (at least high-end with what I have been using so far - Cisco 5505 / Cisco 5510s).

We got:

• 2* Cisco ASA 5550
• 4* Cisco Catalyst 2960G-48TC

There will be two racks, in each 1 ASA and 2 switches. I have been thinking for a while on the best way to cross connect everything and came out with following schema:

• so 2 ASA working in HA mode, Active/Standby (we can't use Active/Active as we have a lot of VPN sessions)
• ASAs are connected with each other using two links 0/3 - 0/3 as FOLINK and 1/3 - 1/3 as STATELINK
• 0/0s in ASAs are feeds from our ISP
• ASAs are connected with each switch in local rack using LACP bundles (two cables each)
• switches are also connected with each other using LACP bundles

Now a request for advice here - is there anything wrong in my thinking as for this design? Could anything be improved / changed to make it better?

Answer 1

Do note that the ASAs do not support spanning tree.

Not having played around with them much I can't give exact details, but you'll have to ensure that it understands that the 0/[12] portgroup and 1/[12] portgroups are backups for each other.

Did you buy SMARTnet? I strongly suggest doing so. SMARTnet coverage allows you to ask Cisco exactly this question and they will assist you with the planning and configuration of your devices.

Answer 2

Hmmm. I think this is going to be a spanning tree mess... If you implement it like this make sure that you get the bridge priorities right so that your traffic flows the way you want it to. (in other words, that the right ports are disabled and the right ports remain enabled by STP) And then calculate and test how the network will end up when a link or a device breaks.

If you just let the devices use their default settings you might end up with something like:

Another think I'm surprised about: why do you use LACP between the ASA's and the switches. Are you planning to use different VLANs and then let the ASA firewall/route between them? Otherwise only your internet traffic will go through the ASA, and that is limited by the bandwidth to the ISP. Since that is only one link it makes no sense to have two links to your internal network.

After looking a bit closer at the Cisco docs it seems that only the ASA 5505 can't do spanning tree. That would mean that the ASA 5550 can. In that case you might consider using the ASA as the root bridge, if it can handle the traffic levels required. It becomes much simpler then:

Another option would be to add another layer of switches. You then get a clear tree if you make the middle switches the root and the backup root:

You have many options, but because I don't know your exact requirements I can't tell you which one is the best option for you. I hope I have given you some ideas though :-)

Answer 3

Given the precise hardware you mention I do not have anything to add that has not already been mentioned.

The idea of having two EtherChannels, one to each switch in the rack, per ASA could be simplified quite a bit by using stackable switches. I realize that if you already have the hardware this is moot - however it could simplify future implementations with a slight change to hardware acquisition.

The Cisco 2960S line (the latest model refresh in the Catalyst 2960 series) support stacking through the FlexStack stack module -- similar to how the 3750's are stackable with StackWise[+]. FlexStack and StackWise are not the same, but from an administrative standpoint they yield many of the same results. For those that don't want to plunge into chassis switches, Cisco's stacking capabilities on the 2960S's and 3750[V2,E,X]'s provide a handful of similar functions.

In this case specifically cross-stack EtherChannel can yield much simplification. With cross-stack EtherChannel it would be possible to configure a single EtherChannel from one ASA with one PHY interface going to the first switch in the rack and a second PHY interface in the EtherChannel going to the second switch in the same rack. Additionally, the switches in the stack (in the same rack) do not need EtherChannels configured between them -- as their inter-connectivity is provided via 2960S FlexStack.

FlexStack cables can be up to 3m in length -- depending on how close your racks are together you may be able to stack all four switches.

With multiple ASA's in HA the desired redundancies can be achieved with quite a bit simplified.

I bring this up because I have similar objectives you list met with ASA's in HA and stacked 3750X's at a few client data center sites.

Answer 4

This is what I think the best option would be.

First Connect the ASA5550's in a HA pair. Connect HA1 Inside/DMZ interface to Switch1. Connect HA2 Inside/DMZ to Switch two. Have the Failover monitor ALL interfaces that are active. Between Switch one and Switch two setup a 3 or 4 port LACP.

Now this is also assuming that your ISP has given you two distinct connections that are in the same IP address space.

Also you didnt say what version of ASAOS you are running. The Release notes for 8.4(1) stats they did introduce EtherChannel. They may be worth looking in to as well.