RE: ASA active/active?

From: Joseph L. Brunner <joe_at_affirmedsystems.com>
Date: Sat, 22 Dec 2012 00:13:30 +0000

Is a "site" a physical location, or are you referring to "web sites" in a single datacenter?

If 2 physical sites, I would just not use active/active - I would run OSPF or EIGRP on the ASAs and let the routing figure it out.

If 1 physical site and multiple destination "web sites" behind a single pair of ASAs, then you have to remember - active/active mode requires multiple security contexts - so then you can aim static routes (the only routes supported in multicontext mode) at the ASAs and redistribute those static routes in your IGP inside and BGP outside so sources and destinations figure it all out.

My gut feeling is you need the functionality of active/standby or two ASAs doing two different things with OSPF/EIGRP routing, dynamic routing and NOT using failover active/active.

Thanks,

-Joe

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Tony Singh
Sent: Friday, December 21, 2012 6:17 PM
To: Cisco certification
Subject: ASA active/active?

Guys, trying to lab the following...

I have the following topology:

Site A                          Site B
CE1----------------PE------------CE2
 |                                |
 |                                |
SW1-------------trunk-----------SW2
 |                                |
 |                                |
ASA1                            ASA2

3 corporate routes preferred from CE1 and 1 corporate route preferred from CE2, OK, I use BGP for this.

But I have to send all IP traffic to the ASAs first (behind the switches are server farms which are the destinations for the 4 routes above).

Would I create transit VLANs for all this traffic + run HSRP, right, so that every failure scenario is accounted for?

So traffic from CE would go CE>ASA>SW>Server, not sure on the return path? i.e. Server>SW>CE?

ASAs I believe can only run in active/active or active/standby and will not participate in HSRP, right?

If I set static routes on the CEs to point to the ASAs, the policies would permit the traffic, then a default route from the ASAs pointing to the VIP of the switch, then to VLAN server destination?

How would you do this? I'm confused, need guidance.

--
BR
Tony
Sent from my iPad
Received on Sat Dec 22 2012 - 00:13:30 ART