Thanks for your advice here, it's helping. I'm in the UK, friend.
Basically there are 4 subnets; these subnets are the virtual server addresses and they all sit off the switches (see diagram below, sorry, not the best). 3 of these subnets are favoured in site 1 and one in site 2. However, the way the admins want to do it is we extend the VLAN subnets to both sites on the new trunk and, in case of disaster, replicate the IP address and machine at the "other" site; this disaster could be at either site.
> They could do this, but with most modern applications it's not necessary. So you are looking to do multi-site ASA failover from what you're saying...
Load balancer is not wanted, confirmed.
> Sad - it's the right way to get all the inbound services to the right hosts and in the right order...
So the CE gets the request via MED / Local Pref that I have tuned, then a static route for that subnet to the ASA in that particular site. The ASAs run 2 contexts: Site 1 is primary for ctx1 and secondary for ctx2. The static CE route points to the primary ctx1 IP in Site 1, and the CE in Site 2 points to the primary ctx2.
> This doesn't allow for scenarios where only the ASA has failed - you need SLAs on those static routes via track objects, or run dynamic routing protocols between the CE and the site's ASA. You want to watch using static routes too much, or at all... I would start designing this with no static routes and see how long you can make that work. I think you can do it all with just dynamic routing.
Both ctx policies will have the same permit statements for the exact same subnets, right? When failure occurs, the other site just takes the primary role for that ctx1 or ctx2; then the ASAs just point a default route for this traffic to the shared VIP of the switches and on to the destination, and from the server, which uses say the VLAN 10 default gateway (the HSRP VIP), to get back out.... You're saying run a static pointing to the firewall on the switch? Do we not need to get back to the CE and back to the requester?
> You need to make sure asymmetric routing does not happen... so if someone comes in CE1 and goes through ASA1 they always need to go back that way, or the connection will usually not work in my experience...
If you go the trunked route, you can indeed TRUNK VLANs logically "behind" the ASAs (even if that trunk carries VLANs that route on the L3 switch, and VLANs that route on the outside of the ASA)... this is quite common - a single trunk with multiple external and internal VLANs. The only difference is on which device the VLAN's layer 3 resides - a firewalled one and a non-firewalled one... you would indeed be running routing protocols or failover between ASAs and HSRP between L3 switches across the 2 sites.
I would lean to not using failover, but dynamic routing with each ASA independent. The ASA at site 2 would use EIGRP offset lists or OSPF cost to look "worse" for those "same" networks Site 1 normally has, and better for the subnet Site 2 normally has.
Play around a bit and come back to us if it is still having issues.. I expect you will need some redistribution between an IGP on the ASAs and BGP.
Thanks!
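As an added illustration of the two suggestions made in the reply above (tracked static routes on the CE, and an independent Site-2 ASA that advertises Site 1's subnets with a worse metric), here is constructed example configuration; it is not from the thread or its participants. All addresses, interface names, ACL names and AS numbers are placeholders: 192.0.2.1 stands for the ctx1 outside IP, 10.10.10.0/24 to 10.10.30.0/24 for the three Site-1 VLAN subnets, 10.10.40.0/24 for the Site-2 subnet.

```cisco
! --- Site-1 CE (IOS): keep the static route toward ctx1 only while the ASA answers probes ---
ip sla 10
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/1
 frequency 5
 timeout 1000
 threshold 500
ip sla schedule 10 life forever start-time now
!
track 10 ip sla 10 reachability
 delay down 10 up 30          ! dampen flaps so BGP is not withdrawn/re-advertised on one lost ping
!
! Withdrawn from the RIB (and therefore from BGP) when track 10 goes down, so the
! CE stops attracting inbound traffic for a subnet whose local ASA is dead.
ip route 10.10.10.0 255.255.255.0 192.0.2.1 track 10
ip route 10.10.20.0 255.255.255.0 192.0.2.1 track 10
ip route 10.10.30.0 255.255.255.0 192.0.2.1 track 10
!
! --- Site-2 ASA (EIGRP, independent of Site 1, no failover pair) ---
! Standard ACL matching the prefixes Site 1 normally owns (ASA mask syntax).
access-list SITE1-NETS standard permit 10.10.10.0 255.255.255.0
access-list SITE1-NETS standard permit 10.10.20.0 255.255.255.0
access-list SITE1-NETS standard permit 10.10.30.0 255.255.255.0
!
router eigrp 100
 network 10.10.0.0 255.255.0.0
 network 198.51.100.0 255.255.255.0
 ! Add 10000 to the metric of Site-1 prefixes advertised out the outside interface,
 ! so the CEs prefer Site 1's ASA for them while Site 2's own 10.10.40.0/24 is untouched.
 offset-list SITE1-NETS out 10000 outside
```

Because each CE learns the subnets from its local ASA with the better metric, the inbound and return paths stay on the same ASA, which is the symmetric-routing requirement the reply calls out.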
Blogs and organic groups at http://www.ccie.net
Received on Sat Dec 22 2012 - 11:34:12 ART