Re: Default route in switch in a dual-ASA scenario....

From: Farrukh Haroon <farrukhharoon_at_gmail.com>
Date: Fri, 15 May 2009 16:48:28 +0300

Different products/vendors implement failover/HA in different ways. SUN for
example requires 4 IPs (sometimes even 5 IPs) to do NIC teaming. HP can do
it in one only :). I'm not saying which is better, it's just how it's designed
(each having their pros and cons).

Similarly in Cisco HSRP three IPs are required (two physical + one virtual).

With Cisco ASA's HA implementation, you only need two IPs; whichever unit is
active replies/serves to the Active IP and MAC (ARP). In some specific
scenarios this behavior creates problems. Therefore we have something called
virtual mac-address for ASA failover (but this is an optional feature).

To summarize, you should point the default route to the PRIMARY ASA IP
address (as you mentioned).

Regards

Farrukh

On Fri, May 15, 2009 at 3:39 PM, Cisco Nuts <cisconuts_at_hotmail.com> wrote:

> Thanks !!
>
> So the default route in both switches should point to the physical IP of
> ASA 1 then?
>
> Since HSRP is configured in the switches, I was assuming that both switches
> would point their default route to the HSRP IP NOT the actual physical IP
> of ASA 1 ??
>
> If the ASA 1 box goes down, how will switch #1 start routing out to ASA 2 ?
>
> If the default route pointed out to the HSRP IP, then I see no issue, but
> since right now the default route is pointing out to ASA1 physical IP, how
> would that work?
>
> Please advise.
>
> Thanks,
>
> CN
>
> > Date: Thu, 14 May 2009 23:45:10 +0300
> > From: bogdan.sass_at_catc.ro
> > To: cisconuts_at_hotmail.com
> > CC: ccielab_at_groupstudy.com
> > Subject: Re: Default route in switch in a dual-ASA scenario....
> >
> > Cisco Nuts wrote:
> > > Hi:
> > >
> > > If we have 2 ASAs configured for failover connected to 2 switches, is
> > > there a reason why the default route in both switches points to the
> > > physical address of the primary ASA?
> > >
> > > If the primary ASA to switch IPs are .1 and .2 and secondary ASA to
> > > switch #2 IPs are .3 and .4 and the HSRP active is .100, shouldn't the
> > > default route in both switches point to the .100?
> > >
> > As far as I know, there is no support for HSRP on the ASA.
> > > What is different in asa compared to regular routers?
> > >
> > On two ASAs configured for failover, when the primary fails, the
> > secondary unit will assume the primary's IP address. So your
> > configuration is correct.
> >
> >
> > --
> > Bogdan Sass
> > CCAI,CCSP,JNCIA-ER,CCIE #22221 (RS)
> > Information Systems Security Professional
> > "Curiosity was framed - ignorance killed the cat"
> >
> >
> > Blogs and organic groups at http://www.ccie.net
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

Received on Fri May 15 2009 - 16:48:28 ART
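
Added example (not part of the original thread, and not any poster's configuration): a minimal Active/Standby sketch of what the replies above describe, with the switch default route aimed at the ASA's active IP and the optional virtual MAC set. Interface names, the 192.0.2.0/24 and 198.51.100.0/30 addresses, and the MAC values are constructed placeholders.

```cisco
! ---- Primary ASA (Active/Standby failover) ----
! The first address is the ACTIVE IP, the second the STANDBY IP.
! Whichever unit is currently active owns 192.0.2.1, so the
! switches never need to know about the standby address.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 198.51.100.1 255.255.255.252 standby 198.51.100.2
!
! Optional virtual MAC pair (active MAC, then standby MAC) so the
! active MAC does not depend on which physical unit booted first.
failover mac address GigabitEthernet0/1 0000.5e00.5301 0000.5e00.5302
failover
!
! ---- Both switches (layer 3) ----
! Static default route to the ASA ACTIVE IP, not to an HSRP address:
! HSRP runs between the switches, the ASA pair does not take part in it.
ip route 0.0.0.0 0.0.0.0 192.0.2.1
!
! ---- Checks after a failover test ----
! On the ASA: which unit is active and which address it holds.
!   show failover
! On each switch: the next hop is unchanged and still resolves.
!   show ip route 0.0.0.0
!   show ip arp 192.0.2.1
```

After a forced failover, the switch ARP entry for 192.0.2.1 should still show the same MAC, which is why the static route keeps working without any change on the switches.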

This archive was generated by hypermail 2.2.0 : Mon Jun 01 2009 - 07:04:43 ART