I'm looking at moving to colocation and one area being discussed is networking redundancy. I can get a dual feed from two different datacentre switches configured with Rapid Spanning Tree Protocol to give me an active/passive supply.

I'm looking at using the Cisco ASA 5505 as a firewall. If I get two and put them in transparent mode, should I be able to put them 'in line' before my switches and have RSTP pass through OK and remove the loop?

I realise that I would have to keep the configuration between them in sync manually.

If this is possible, but considered to be a bad idea, what alternatives exist for a low-cost HA firewall solution?

EDIT: I just want to add for clarification that I was looking to make sure my hardware was redundant, i.e. two firewalls, not just having two network links from the datacentre through a single firewall.

1 Answer

I have the same configuration: two Layer 2 connections to the data center provider, and a single gateway IP address.

You don't need RSTP to make this work. Instead, you can put the ASAs into active/passive failover mode. When the primary fails, the backup will assume your external IP and continue working. The data center will just see this as the device moving to a different switchport.

longneck
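A sketch of the active/standby pairing described in the answer above, for two ASA 5505s in routed mode. It is an added example, not configuration from the answer or from Cisco's documentation. The VLAN numbers, the FOLINK name, the addresses (documentation ranges) and the key are constructed placeholders, and on the 5505 failover requires the Security Plus license.

```cisco
! Constructed example: names, VLAN IDs, addresses and the key are placeholders.
! --- Primary unit ---
! Each data interface carries the active address plus the address
! the standby unit holds while it is idle.
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
! Dedicated port and VLAN for the failover link between the two units.
interface Ethernet0/7
 switchport access vlan 99
 no shutdown
!
failover lan unit primary
failover lan interface FOLINK Vlan99
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Shared key so the configuration replicated over the failover link
! (which includes credentials) is not sent in clear text.
failover key <SHARED-FAILOVER-KEY>
failover
!
! --- Secondary unit ---
! Only the failover bootstrap is entered by hand; the rest of the
! configuration is replicated from the active unit once the pair forms.
interface Ethernet0/7
 switchport access vlan 99
 no shutdown
!
failover lan unit secondary
failover lan interface FOLINK Vlan99
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover key <SHARED-FAILOVER-KEY>
failover
```

Running `show failover` on either unit reports which one is active and the state of its peer.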