
I'm looking at moving to colocation and one area being discussed is networking redundancy. I can get a dual feed from two different datacentre switches configured with Rapid Spanning Tree Protocol to give me an active/passive supply.

I'm looking at using the Cisco ASA 5505 as a firewall. If I get two and put them in transparent mode, should I be able to put them 'in line' before my switches and have the RSTP pass through OK and remove the loop?

I realise that I would have to keep the configuration between them in sync manually.

If this is possible, but considered to be a bad idea, what alternatives exist for a low-cost HA firewall solution?

EDIT: I'd just like to add for clarification that I was looking to make sure my hardware was redundant, i.e. two firewalls, not just having two network links from the datacentre through a single firewall.

Ross Buggins

1 Answer

0

I have the same configuration: two Layer 2 connections to the data center provider, and a single gateway IP address.

You don't need RSTP to make this work. Instead, you can put the ASAs into active/passive failover mode. When the primary fails, the backup will assume your external IP and continue working. The data center will just see this as the device moving to a different switchport.

longneck
  • I had seen some ASAs supported A/A or A/P HA; however, the 5505 is the lowest range and I don't think it supports HA natively. I was looking at the 5505 due to our low bandwidth requirements and for budget reasons. – Ross Buggins Nov 28 '12 at 14:49
  • You're right. I didn't realize that the 5505s don't support failover. – longneck Nov 28 '12 at 15:07
  • Although, since I wrote the last comment I've just had someone tell me that with the security plus licence it supports Active Passive. I haven’t had it confirmed yet. – Ross Buggins Nov 28 '12 at 15:24
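An added example (not from the original post or answer) of the Active/Standby failover setup the answer describes, written for the ASA 5505, which uses VLAN interfaces rather than routed physical ports and needs the Security Plus license for failover (stateless Active/Standby only). VLAN numbers, the failover key placeholder, and the RFC 5737/RFC 1918 addresses are constructed assumptions.

```cisco
! Added example, not the original poster's configuration.
! ASA 5505 Active/Standby failover. Interface numbers and addresses are constructed.
! Requires Security Plus; the 5505 has no stateful failover link, so none is configured.

! --- Primary unit ---
interface Vlan2
 nameif outside
 security-level 0
 ! The active unit owns the first address; the standby takes it over on failover,
 ! so the provider only sees the gateway MAC/IP move to its other switchport.
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Dedicated failover VLAN; Ethernet0/7 on each unit is cabled directly to its peer.
interface Vlan3
 description LAN Failover Interface
!
interface Ethernet0/7
 switchport access vlan 3
!
failover lan unit primary
failover lan interface FOLINK Vlan3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
! Authenticate and encrypt failover messages between the pair.
failover key <shared-secret-placeholder>
failover

! --- Secondary unit: only the failover bootstrap is entered by hand ---
interface Vlan3
 description LAN Failover Interface
!
interface Ethernet0/7
 switchport access vlan 3
!
failover lan unit secondary
failover lan interface FOLINK Vlan3
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover key <shared-secret-placeholder>
failover
```

Once the pair forms, the running configuration replicates from the active unit to the standby, so the manual sync the question anticipates is not needed; `show failover` on either unit shows the pair state and which unit is currently active.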