Re: ASA active/active?

From: marc abel <marcabel_at_gmail.com>
Date: Fri, 21 Dec 2012 18:51:30 -0600

I agree with Joseph, you should probably run active/standby.

On Fri, Dec 21, 2012 at 6:13 PM, Joseph L. Brunner
<joe_at_affirmedsystems.com> wrote:

> Is a "site" a physical location or are you referring to "web sites" in a
> single datacenter?
>
> If 2 physical sites, I would just not use active/active - I would run ospf
> or eigrp on the asa's and let the routing figure it out.
>
> If 1 physical site and multiple destination "web sites" behind a single
> pair of asa's then you have to remember - active/active mode requires
> multiple security contexts - so then you can aim static routes (the only
> routes supported in multicontext mode) at the asa's and redistribute those
> static routes in your igp inside and bgp outside so sources and
> destinations figure it all out.
>
> My gut feeling is you need the functionality of active/standby or two
> asa's doing two different things with ospf/eigrp routing, dynamic routing
> and NOT using failover active/active.
>
> Thanks,
>
> -Joe
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
> Tony Singh
> Sent: Friday, December 21, 2012 6:17 PM
> To: Cisco certification
> Subject: ASA active/active?
>
> Guys trying to lab the following...
>
>
> I have the following topology:
>
>
> Site A                            Site B
> CE1----------------PE------------CE2
>  |                                 |
>  |                                 |
> SW1-------------trunk-----------SW2
>  |                                 |
>  |                                 |
> ASA1                              ASA2
>
>
> 3 corporate routes preferred from CE1 and 1 corporate route preferred from
> CE2 ok I use BGP for this
>
> But I have to send all ip traffic to the ASA's first (behind the switches
> are server farms which are the destinations for the 4 routes above)
>
> Would I create transits vlans for all this traffic + run HSRP right so
> that every failure scenario is accounted for?
>
> So traffic from CE would go CE>ASA>SW>Server , not sure on the return
> path? i.e Server>SW>CE?
>
> ASA's I believe can only run in active/active or active/standby and will
> not participate in HSRP right
>
> If I set static routes on the CE's to point to the ASA's the policies
> would permit the traffic then a default route from the ASA's pointing to
> the VIP of the switch then to vlan server destination?
>
> How would you do this, I'm confused need guidance
>
> --
> BR
>
> Tony
>
> Sent from my iPad
>
>
> Blogs and organic groups at http://www.ccie.net
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html

-- 
Marc Abel
CCIE #35470
(Routing and Switching)
Received on Fri Dec 21 2012 - 18:51:30 ART

This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART