Most ASA designs I see are flanked by switches. One reason is that Active/Standby failover requires the two units to be layer 2 adjacent in each security zone: both units sit on the same subnet per interface so that the active and standby addresses (and the interface MAC addresses) can move between them. At the same time the pair obviously has to be directly L3 connected to its next hop. The result is that an ASA pair can rarely be cabled directly to an L3-only device, so a switch usually ends up sandwiched between the firewalls and the next L3 device.
This article outlines a possible workaround: using the inherent L2 features of IOS and IOS-XE based routers to provide that L2 adjacency. Readers can use these sample configurations to build out their own labs and more fully validate the applicability to their environment.
TL;DR – BDI and BVI allow ASA A/S (Active/Standby) failover to function properly in my testing.
Below is the topology used for validating this. In a real-world scenario it is less likely that routers would be the connection point on all interfaces. The reason I positioned them here is to demonstrate both the IOS and IOS-XE techniques in the same lab.
To make asav-1 and asav-2 L2 adjacent on both transit interfaces, the bridging functions of IOS and IOS-XE (csr1000v) can be leveraged.
IOS exposes bridging as bridge-groups, to which physical interfaces are assigned, and bridge virtual interfaces. The bridge virtual interface (BVI) is a virtual interface with its own MAC address that acts as the routed (L3) instance for the bridge group; it is enabled with bridge irb and bridge <group> route ip. The BVI allows iosv-1 and iosv-2 to form an IGP peering with each other and with the firewalls over the bridged segment.
IOS-XE, found on the later ISRs, the ASR 1000 series and the CSR1000v, has a similar concept known as bridge domains. Physical interfaces are assigned to the bridge domain (through an Ethernet service instance), and a virtual interface known as a BDI (Bridge Domain Interface) provides the L3 instance inside the L2 domain.
Examples (relevant snippets)
ASA Configuration (asav-1 shown, asav-2 similar)
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 ip address 10.10.30.100 255.255.255.0 standby 10.10.30.101
!
interface GigabitEthernet0/1
 description to csr1000v-X
 nameif outside
 security-level 0
 ip address 10.10.20.100 255.255.255.0 standby 10.10.20.101
!
interface GigabitEthernet0/2
 description LAN/STATE Failover Interface
!
! //adjust for secondary -- failover lan unit secondary
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/2
failover link FOVER GigabitEthernet0/2
failover interface ip FOVER 10.10.10.1 255.255.255.252 standby 10.10.10.2
!
object network obj-any
 subnet 0.0.0.0 0.0.0.0
!
nat (inside,outside) source static obj-any interface
!
router ospf 1
 network 10.10.30.0 255.255.255.0 area 0
 log-adj-changes
 default-information originate always
!
! //default route to the HSRP virtual IP (standby 1 ip) shared by the BDIs of csr1000v-1/csr1000v-2
route outside 0.0.0.0 0.0.0.0 10.10.20.1 1
IOS Router Config (iosv-1 shown, iosv-2 similar)
! //bridge configuration
!
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface Loopback0
 description Loopback
 ip address 192.168.0.1 255.255.255.255
!
interface GigabitEthernet0/1
 description to iosv-3
 ip address 10.0.0.17 255.255.255.252
 ip ospf cost 1
!
! //next two physical interfaces are in bridge-group 1
!
interface GigabitEthernet0/2
 description to iosv-2
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/3
 description to asav-1
 no ip address
 bridge-group 1
!
! //BVI for peering between the routers and ASAs (unique IP per Router)
!
interface BVI1
 ip address 10.10.30.2 255.255.255.0
!
router ospf 1
 passive-interface Loopback0
 network 10.0.0.16 0.0.0.3 area 0
 ! //BVI1 must be covered by a network statement for the OSPF peering with the
 ! //ASAs described above; this line was not in the original snippet
 network 10.10.30.2 0.0.0.0 area 0
 network 192.168.0.1 0.0.0.0 area 0
IOS-XE Router Config (csr1000v-1 shown, csr1000v-2 similar)
bridge-domain 1
!
interface Loopback0
 description Loopback
 ip address 192.168.0.7 255.255.255.255
!
! //Next two interfaces assigned to bridge domain 1
!
interface GigabitEthernet2
 description to asav-1
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
 !
!
interface GigabitEthernet3
 description to csr1000v-2
 no ip address
 negotiation auto
 service instance 1 ethernet
  encapsulation untagged
  bridge-domain 1
 !
!
interface GigabitEthernet4
 description to iosv-4
 ip address 10.0.0.37 255.255.255.252
 ip ospf cost 1
!
! //BDI routing interface for csr1000v-1, shown with HSRP
!
interface BDI1
 ip address 10.10.20.2 255.255.255.0
 standby 1 ip 10.10.20.1
 standby 1 priority 90
 standby 1 preempt
!
router ospf 1
 passive-interface Loopback0
 network 10.0.0.36 0.0.0.3 area 0
 network 10.10.20.2 0.0.0.0 area 0
 network 192.168.0.7 0.0.0.0 area 0
Full unedited configuration of all devices can be downloaded here.
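The checks below are an added example of how to validate the bridged segments and the failover behaviour once the snippets above are applied; they are not part of the original post or its downloadable configs. All commands are standard IOS, IOS-XE and ASA show/exec commands, and the device and interface names are the ones used in this lab. The point worth verifying is the MAC move: in Active/Standby failover the active unit owns the interface MAC addresses, so after a failover the bridge tables on the routers must relearn those MACs on the port facing the new active unit.

```cisco
! iosv-1 / iosv-2 (IOS): both bridged ports should be forwarding in bridge-group 1,
! and the MAC of the active ASA inside interface should be learned on the port
! facing it (Gi0/3 on iosv-1, the inter-router port Gi0/2 on iosv-2)
show bridge 1
show spanning-tree 1
show interfaces BVI1
show ip ospf neighbor

! csr1000v-1 / csr1000v-2 (IOS-XE): the service instances should be Up in
! bridge-domain 1 and exactly one router should be HSRP Active for group 1
show bridge-domain 1
show ethernet service instance
show standby brief
show ip ospf neighbor

! asav-1 / asav-2 (ASA): the pair should show Active / Standby Ready, the OSPF
! neighbors on inside should be FULL, and the default route should still point
! at the HSRP virtual IP 10.10.20.1
show failover
show ospf neighbor
show route
show arp

! Force a failover from the currently active unit, then repeat the bridge-table
! checks: "show bridge 1" and "show bridge-domain 1" should now list the ASA
! MAC addresses on the port toward the new active unit, and the OSPF neighbors
! on the ASAs and routers should recover without intervention
no failover active
```

Run the bridge-table commands before and after the forced failover and compare the port on which each ASA MAC is learned; if a MAC stays on the old port, traffic will black-hole until the entry ages out, which is the failure mode this design has to be tested against.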
BVI and BDI interfaces seem to work as expected for providing L2 adjacency. With this topology built, I performed various cursory failover scenarios and everything worked as expected. I think BDI/BVI could be a viable solution for certain use cases. As with any solution, this should be tested and validated against the requirement.
If you have a similar configuration and have additional feedback or have run into challenges, please share those with the community by commenting below.
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.