I am confused about the requirement for the "backup interface vlan" command on the ASA 5505. I read in the Cisco doc that with this command the firewall blocks all through traffic on the backup interface unless the default route through the primary interface goes down, but I want to know in which scenario it would be used. Can we combine this with IP SLA?
I am also confused because IP SLA will also have 2 default routes, but the "backup interface" command is not necessary in that case. Can someone please explain, as it may be a simple question. Below is the sample config:
ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
ASA5505(config-if)# backup interface vlan 3
ASA5505(config)# interface vlan 3
ASA5505(config-if)# nameif backup
ASA5505(config-if)# security-level 5
ASA5505(config-if)# ip address 126.96.36.199 255.255.255.0
ASA5505(config)# route primary 0.0.0.0 0.0.0.0 100.100.100.2 1
ASA5505(config)# route backup 0.0.0.0 0.0.0.0 188.8.131.52 20
I have never used this command myself, but reading the command reference below:
The Security Plus license no longer limits the number of VLAN interfaces to 3 for normal traffic, 1 for a backup interface, and 1 for failover; you can now configure up to 20 interfaces without any other limitations. Therefore the backup interface command is not required to enable more than 3 interfaces.
When you configure Easy VPN with the backup interface command, if the backup interface becomes the primary, then the adaptive security appliance moves the VPN rules to the new primary interface. See the show interface command to view the state of the backup interface.
SLA route tracking does not require this command.
I have read the document, but I have not seen any example of this command. Does that mean that the "backup interface vlan" command is required only for the Base license of the ASA 5505? I believe this command is still needed for EzVPN irrespective of Security Plus or Base license. Can someone please help me with this?
The 5505 supports 3 usable VLANs for data traffic. It does support 5 in total, but two are restricted to a backup interface and a failover link, as the link indicates.
If you have a license for 20 interfaces, then you do not need the "backup interface vlan" command.
I have read the link, but nowhere does it mention "support for 5 interfaces in total, of which two are restricted to a backup interface and failover". If that is the case, then can we specify a nameif for this interface? The document says that whichever interface has a nameif is the active VLAN, but as you mentioned that the other non-data interface can be used as a backup interface, that means it will not allow a nameif for this VLAN.
Also, let me know whether the switching of traffic from the primary interface to the backup interface for EzVPN clients (if the primary ISP is down) is stateful or not (consider that we are using the Base license and this ASA is the EzVPN server).
Please search for the text below in the link that I enclosed above.
5 interfaces total (highlighted in red): 3 for data, 1 for backup and 1 for failover. I have highlighted the backup interface command as well.
enable password gen1u$
asdm image disk0:/asdm.bin
boot system disk0:/image.bin
interface vlan 2
 description Primary ISP interface
 ip address 184.108.40.206 standby 220.127.116.11
 backup interface vlan 4
interface vlan 1
 ip address 192.168.1.1 255.255.255.0
interface vlan 3
 ip address 192.168.2.1 255.255.255.0
interface vlan 4
 description Backup ISP interface
 ip address 18.104.22.168 standby 22.214.171.124
interface vlan 5
 description LAN Failover Interface
interface ethernet 0/0
 switchport access vlan 2
Thanks KS. As you mentioned, we do not require the backup interface command with the Security Plus license (20 VLANs). If we assume that we are using the Base license, then with the Base license we can only create 2 VLAN interfaces with "nameif"; the 3rd interface is given a nameif only if we specify the "no forward interface vlan" command. But in your example below, nameifs are given for 4 VLAN interfaces, hence I didn't understand.
In transparent firewall mode, you can configure two active VLANs in the Base license and three active VLANs in the Security Plus license, one of which must be for failover.
In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active VLANs with the Security Plus license.
An active VLAN is a VLAN with a nameif command configured.
With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN.
Now, it appears that the 5-interface example that I provided above is for Security Plus. Sorry about that.
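Since the Base-license restriction quoted above is the source of the confusion, here is an added example (not from this thread or from Cisco's documentation) of the three active VLANs a Base-license 5505 allows in routed mode, with the third VLAN carrying the "no forward interface" restriction. Interface names, security levels and addresses (RFC 1918 and RFC 5737 ranges) are chosen for the example.

```cisco
! Added example: three active VLANs on a Base-license ASA 5505 (routed mode).
! Names and addresses are chosen for this example, not taken from the thread.
interface vlan 1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface vlan 2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Base license: the third active VLAN may not initiate traffic to one other VLAN.
! "no forward interface vlan 1" must come before nameif; the ASA rejects nameif
! on this third VLAN until the restriction is configured.
interface vlan 3
 no forward interface vlan 1
 nameif dmz
 security-level 50
 ip address 192.168.2.1 255.255.255.0
!
! Verification (exec mode):
!   show running-config interface vlan 3
!   show interface ip brief
```

The restriction is one-directional: hosts on dmz cannot initiate connections toward inside at all, while inside can still reach dmz subject to the normal access-list and NAT rules. That is the "DMZ can only talk to the outside and not to the inside" behaviour the Base license is known for, and it is unrelated to the backup interface command, which is what the licensing discussion in this thread keeps running into.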
With the 3rd interface (backup, VLAN 3) being restricted and not being used until the outside (VLAN 2) interface is up, will the traffic pass across the backup interface (configured with the "no forward interface" command) when the outside goes down?
This is leading me to believe that the backup interface command is not of much use other than when the 5505 is an EzVPN server?
Yes, I believe so. Honestly, this is the first time I am answering a query on backup interface, so you can imagine how many people use this.
On the other hand, the restricted Base license, where the DMZ interface can only talk to the outside and not to the inside, is used very often.