Hi Joe
Thanks for your advice here, it's helping. I'm in the UK, friend.

Basically there are 4 subnets; these subnets are the virtual server addresses and they all sit off the switches (see diagram below, sorry not the best). 3 of these subnets are favoured in site 1 and one in site 2; however, the way the admins want to do it is we extend the VLAN subnets to both sites on the new trunk and, in case of disaster, replicate the IP address and machine at the "other" site. This disaster could be at either site.

Load balancer is not wanted, confirmed.

So the CE gets the request via MED / Local Pref that I have tuned, then a static route for that subnet to the ASA in that particular site. The ASAs run 2 contexts: Site 1 is primary for ctx1 and secondary for ctx2; the static CE route points to the primary ctx1 IP in Site 1, and the CE in Site 2 points to the primary ctx2.

Both ctx policies will have the same permit statements for the exact same subnets, right? When failure occurs the other site just takes the primary role for that ctx1 or ctx2, then the ASAs just point a default route for this traffic to the shared VIP of the switches and on to the destination; from the server, which uses say the vlan 10 default gateway, which is the HSRP VIP, to get back out.... You're saying run a static pointing to the firewall on the switch? Do we not need to get back to the CE and back to the requester?
--
BR
Tony
Sent from my iPhone on 3

On 22 Dec 2012, at 10:16, "Joseph L. Brunner" <joe_at_affirmedsystems.com> wrote:

> so I almost have to use statics from the CE then redis these into BGP..?
>
>> I would say you do... with an optional ip sla & tracked object on the CE to make sure the static route is pinging through the ASA that is up before advertising :)
>
> what would the return path from the server be? I will have to use default on the switch or run IGP here?
>
>> default to inside of the ASA at the site from the local switch. There should be a vlan & subnet between the inside of each ASA and the L3 switch behind it.
>
> I really need the ASA virtual ip to be the same for things to work, I read somewhere contexts can share the same VIP
>
>> it sounds like you need a load balancer to grab all the servers into a common pool. Absent a load balancer - you are stuck doing some type of funky anycast, where a secondary IP is bound to each server, the servers run ospf/rip with the adjacent switch and the routing figures out where to send what... crazy.
>
> You definitely need an F5, ACE or Netscaler to tie this all together.
>
> The only thing I can think of is tying it all together in DNS.
>
> Can you give us more information about the host ip's/subnets behind each ASA?
>
> Where are you located?
>
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Tony Singh
> Sent: Saturday, December 22, 2012 3:16 AM
> To: Thomas Perrier; Joseph L. Brunner; marc abel
> Cc: Cisco certification
> Subject: Re: ASA active/active?
>
> Hi Joe /Marc /Thomas
>
> There are two sites
>
> The servers are hosted environments and I am not allowed to run dynamic on the ASA's, already checked :/
>
> So it leaves me kind of stumped. There is a VPN between the sites that the PE is responsible for, where I will start using EBGP. I run iBGP between the L2 trunk, but I need to send the PE ip traffic to the ASA's, so I almost have to use statics from the CE then redis these into BGP..?
>
> I'm trying to lab this, but the problem I'll have is Site 2 will have traffic come into the CE > go over the trunk > ASA site 1 > destination if it is active/standby?
>
> If it's active/active do I run two contexts, ctx1 Site1 is active & ctx2 Site2 is active? Then point the default route into the switches' HSRP VIP address for server forwarding; what would the return path from the server be? I will have to use default on the switch or run IGP here?
>
> I really need the ASA virtual ip to be the same for things to work, I read somewhere contexts can share the same VIP
>
> Thanks for your advice, I'm losing sleep over this
>
> --
> BR
>
> Tony
>
> Sent from my iPhone on 3
>
> On 22 Dec 2012, at 07:30, Thomas Perrier <thomas_at_perrier.name> wrote:
>
>> Joseph,
>>
>> On Sat, Dec 22, 2012 at 1:13 AM, Joseph L. Brunner
>> <joe_at_affirmedsystems.com> wrote:
>>
>>> If 1 physical site and multiple destination "web sites" behind a
>>> single pair of asa's then you have to remember - active/active mode
>>> requires multiple security contexts - so then you can aim static
>>> routes (the only routes supported in multicontext mode) at the asa's
>>
>> Since version 9.0, the ASA supports dynamic routing protocols in
>> multicontext mode. And site-to-site VPN too, BTW. Lots of good stuff
>> in this release.
>>
>> -Thomas
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html

Received on Sat Dec 22 2012 - 10:45:28 ART
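Joe's suggestion above (statics from the CE, guarded by an IP SLA tracked object, redistributed into BGP with the MED / Local Pref tuning Tony mentions) written out as a Cisco IOS configuration for the Site 1 CE. This is an added example, not configuration from anyone in the thread; every address, AS number, interface name and object/list number is a constructed placeholder, and the Site 2 CE would carry the mirror image with a worse metric for the subnets favoured at Site 1.

```ios
! Added example for the Site 1 CE (not from the thread). All addresses,
! AS numbers, interface names and object/list numbers are constructed.
!
! Probe a server behind ASA ctx1 rather than the ASA outside address, so the
! track only stays up while the firewall actually forwards the traffic.
ip sla 10
 icmp-echo 10.10.10.10 source-interface GigabitEthernet0/1
 frequency 5
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Untracked host route so the probe always has a path via this site's ASA.
! Without it, a tracked route that carries its own probe can never recover.
! The /32 is not redistributed: the prefix-list below matches the /24 only.
ip route 10.10.10.10 255.255.255.255 192.0.2.1
!
! Tracked static for the extended server subnet (vlan 10 in the thread).
! When the probe fails the route is withdrawn, redistribution stops, and
! the PE follows the Site 2 advertisement instead of black-holing traffic.
ip route 10.10.10.0 255.255.255.0 192.0.2.1 track 10
!
! Only the server subnets are allowed into BGP; other statics stay local.
ip prefix-list SERVER-VIPS seq 10 permit 10.10.10.0/24
!
! Local preference steers the iBGP peer (Site 2 CE over the trunk);
! metric becomes the MED seen by the PE over eBGP. Site 2 uses a higher
! metric / lower local-pref for this subnet so Site 1 wins while healthy.
route-map STATIC-TO-BGP permit 10
 match ip address prefix-list SERVER-VIPS
 set local-preference 200
 set metric 50
!
router bgp 65001
 redistribute static route-map STATIC-TO-BGP
 neighbor 203.0.113.2 remote-as 65000
 neighbor 203.0.113.2 description PE (eBGP)
 neighbor 10.255.255.2 remote-as 65001
 neighbor 10.255.255.2 description Site 2 CE over the L2 trunk (iBGP)
```

`show track 10` and `show ip route 10.10.10.0` confirm whether the static is currently installed, and `show ip bgp 10.10.10.0` on the PE side shows which site's advertisement it is using.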
This archive was generated by hypermail 2.2.0 : Tue Jan 01 2013 - 09:36:53 ART