Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring ASA Management on a sub-interface

Dear All

I have two ASA 5520 with 4 Giga interfaces and 1 management interface.

I need to use 4 interfaces four data traffic

1- Inside

2- Outside

3- dmz-1

4- dmz-2

The remaining will be the management interface only.How can I configure the Statefull failover and Management?

What I did?

1- I used the management0/0 for The stateful failover.

2- I used gig 0 for outside

3- I used gig 1 for inside

4- I used gig 2 for dmz-1

5- I divided the gig 3 to two sub interfaces

          a- gig0/3.1 for dmz-2

          b- gig0/3.2 for Management and I defined it as a management-only

Does anyone has comments or recommendatiosn on this design? Please advise.

Thanks on advance,

6 REPLIES
New Member

Re: Configuring ASA Management on a sub-interface

The way that you propose is fine, but what is the reason for needing a management-only interface? If it is more convenient you can manage from any interface that you are behind.

New Member

Re: Configuring ASA Management on a sub-interface

Dear August

Thanks for your reply.

I just put it to follow the security standard of having a didicated management interface for the ASA.

Do you have any concern about configuring the management 0/0 with stateful and lan faiover?

Thanks,

Cisco Employee

Re: Configuring ASA Management on a sub-interface

Ahmad, it is recomended to have a stateful failover interface that is as fast as the fastest traffic passing interface. With your design that would have to be one if the Gig ports. This is to ensure that failover stateful info is not going to overload the failover link. I do not have the document infront of me, but im sure it is documented somewhere.   - Magnus

Cisco Employee

Re: Configuring ASA Management on a sub-interface

as magnus suggested, it is not recommended to use management interface for state

ful failover

here is the link which has cisco recommendations

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#intro

Cisco Employee

Re: Configuring ASA Management on a sub-interface

Jitendriya,

     Thanks for the link. Ahmad, the key lines in that document are as follows:

"Cisco recommends that you do not use the management interface for       failover, especially for stateful failover in which the security appliance       constantly sends the connection information from one security appliance to the       other. The interface for failover must be at least of the same capacity as the       interfaces that pass regular traffic, and while the interfaces on the ASA 5540       are gigabit, the management interface is FastEthernet only. The management       interface is designed for management traffic only and is specified as       management0/0."

- Magnus

New Member

Configuring ASA Management on a sub-interface

I'm in the same situation with a pair of 5520s.  For clarification I found the following excerpt from Cisco Docs stating different requirements for various ASA models. Link at the bottom.

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should  use the fastest Ethernet interface available. If you experience  performance problems on that interface, consider dedicating a separate  interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for the adaptive security appliances:

Cisco ASA 5510

Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

Cisco ASA 5520/5540/5550

Stateful link speed should match the fastest data link.

Cisco ASA 5580/5585

Use  only non-management 1 Gigabit ports for the stateful link because  management ports have lower performance and cannot meet the performance  requirement for stateful failover.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1078922

1917
Views
0
Helpful
6
Replies