Community Member

Asa 5510 Management Interface is about worthless

Guys, help me out here. What can this mgmt interface be used for besides management? I can't use it for failover; I have to burn another port.

So out of 5 ports, I have only 3 I can use inside/outside/dmz with 1 dedicated to A/S failover.

Why can't I set the mgmt interface as DMZ2?

I need 4 ports plus failover. In the old PIX 515E/525 we have "ports to spare".

I think Cisco's response is purchase a $3,000 SSM-4GE. Arghhh, 3k for 1 port?

What am I missing here?

Thanks

12 REPLIES
Community Member

Re: Asa 5510 Management Interface is about worthless

If you don't require the dedicated Gbps per network, you could trunk multiple networks over the same physical link and then create the VLAN SVIs on the ASA. Many people may cringe at that idea, but it would definitely provide you more flexibility with the number of networks protected by the ASA. That is essentially the idea behind the FWSM (internal EtherChannel trunks between the Cat6500 and the FW blade).

Community Member

Re: Asa 5510 Management Interface is about worthless

thanks but "cringe" is an understatement. ;)

Community Member

Re: Asa 5510 Management Interface is about worthless

I'm curious as to why this would make some admins "cringe" at the thought of combining DMZs on a single gig interface? It would seem like a waste to dedicate an expensive gig port to a single DMZ if that DMZ only required an average of a few Mbps... I only say this because I'm curious if there are ill effects that can occur by doing this, as I do it on my network.

Thanks for any input you can provide.

Community Member

Re: Asa 5510 Management Interface is about worthless

If trying to do a quick 1-for-1 swap, then going to SVIs and other methods is time consuming. Especially if you have not done it before. ;)

I agree, burning a gig interface is crazy. What is more crazy is why Cisco doesn't offer for the ASA a 4-port 10/100 meg card for about $400-800.00.

Gold

Re: Asa 5510 Management Interface is about worthless

Taken from the 7.2 documentation:

The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface.

Community Member

Re: Asa 5510 Management Interface is about worthless

Good to know that is what the docs say. But try to use it as an interface for A/S failover... not supported. But isn't that passing traffic just like "any other interface"? :)

Has anyone used the mgmt interface as a 3rd DMZ interface or an extranet interface for normal traffic?

Cisco Employee

Re: Asa 5510 Management Interface is about worthless

Management can work as a failover interface and also as a normal Ethernet interface.

You need the Security Plus license and the command "no management-only" to make it work like an Ethernet port.

I reiterate: you can use the management port as a failover interface.

Community Member

Re: Asa 5510 Management Interface is about worthless

I am almost sure Cisco does not support using the mgmt interface as a failover interface. I read that somewhere. I will try and see where that info is...

Community Member

Re: Asa 5510 Management Interface is about worthless

For some reason I can use the management ports for failover on my 5510s but not my 5540s... This probably just adds to the confusion on this thread, but I thought it was important!

Community Member

Re: Asa 5510 Management Interface is about worthless

Fantastic info to have! That would be where the confusion was on my side.

Cisco has a "here is how to use Mgmt as f/o, but not supported" doc around on the site somewhere.

Community Member

Re: Asa 5510 Management Interface is about worthless

Attached is the Cisco doc I used to set it up along with my config for the Management0/0 interface. This only worked on my 5510s though, not my 5540s, for some reason. That could, of course, be something on my end though.

PRIMARY:
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.254.254.5 255.255.255.252 standby 10.254.254.6

SECONDARY:
failover
failover lan unit secondary (default)
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.254.254.5 255.255.255.252 standby 10.254.254.6

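As an added example (not from the thread or from Cisco), the following script checks a primary/secondary pair of ASA failover stanzas like the ones posted above for consistency: both units enabled, one primary and one secondary, and the same failover interface name, physical link, and IP/standby addresses on both sides. The two config strings are constructed from the posted stanzas; the `(default)` annotation is omitted because it is not part of the command.

```python
import re

# Constructed sample inputs: the failover stanzas as posted in the thread.
PRIMARY_CFG = """\
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.254.254.5 255.255.255.252 standby 10.254.254.6
"""

SECONDARY_CFG = """\
failover
failover lan unit secondary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.254.254.5 255.255.255.252 standby 10.254.254.6
"""


def parse_failover(cfg):
    """Pull the failover settings out of an ASA config text into a dict."""
    fo = {"enabled": False, "unit": None, "lan": None, "link": None, "ip": None}
    for line in cfg.splitlines():
        line = line.strip()
        if line == "failover":                      # global enable
            fo["enabled"] = True
        elif m := re.match(r"failover lan unit (\S+)$", line):
            fo["unit"] = m.group(1)                 # primary / secondary
        elif m := re.match(r"failover lan interface (\S+) (\S+)$", line):
            fo["lan"] = (m.group(1), m.group(2))    # (name, physical interface)
        elif m := re.match(r"failover link (\S+) (\S+)$", line):
            fo["link"] = (m.group(1), m.group(2))   # stateful link
        elif m := re.match(r"failover interface ip (\S+) (\S+) (\S+) standby (\S+)$", line):
            fo["ip"] = m.groups()                   # (name, active, mask, standby)
    return fo


def check_pair(primary_cfg, secondary_cfg):
    """Return a list of mismatches between the two units' failover settings."""
    p, s = parse_failover(primary_cfg), parse_failover(secondary_cfg)
    problems = []
    if not (p["enabled"] and s["enabled"]):
        problems.append("failover not enabled on both units")
    if {p["unit"], s["unit"]} != {"primary", "secondary"}:
        problems.append("units must be one primary and one secondary")
    for key in ("lan", "link", "ip"):  # each must be present and identical on both units
        if p[key] is None or p[key] != s[key]:
            problems.append(f"{key} settings differ or are missing")
    return problems


if __name__ == "__main__":
    print(check_pair(PRIMARY_CFG, SECONDARY_CFG) or "failover pair is consistent")
```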