Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 

Quick redundant interface configuration reference on ASA.

[toc:faq]

Introduction

This document explains the concept of redundant interface on firewall. We will discuss the whole concpet and configuration sample for the same.

Requirements


There are no specific requirements for this document.

Components Used


ASA 5500 series running 7.X and above

Concept

A logical redundant interface is a pair of an active and a standby physical interface. When the active interface fails, the standby interface becomes active.  From firewall perspective this event is completely transparent and can be viewed as a single logical interface. We can use redundant interfaces to increase the security appliance reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. We can configure upto 8 redundant interfaces.

Redundant interface are number from 1 to 8 and have the name redundant X. When adding physical interfaces to the redundant pair, please make sure there is no configuration on it and interface is also in no shutdown state. This is just a precaution, the firewall will remove these settings when adding the physical interface to a new group. The logical redundant interface will take the MAC address of the first interface added to the group. This MAC address is not changed with the member interface failures, but changes when you swap the order of the physical interfaces to the pair.

Once we have configured a redundant interface, we can assign it a name and a security level, followed by an IP address. The procedure is the same as with any interface in the system.

Configuration

-->

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

interface Redundant1

member-interface GigabitEthernet0/0

member-interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

Verify


You can use the following command to verify--

-->

ciscoasa(config)# show interface redundant 1

Interface Redundant1 "outside", is up, line protocol is up

  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec

        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)

        MAC address 5475.d0d4.9594, MTU 1500

        IP address 1.1.1.1, subnet mask 255.255.255.0

        27 packets input, 12330 bytes, 0 no buffer

        Received 27 broadcasts, 0 runts, 0 giants

        0 input errors, 0 CRC, 0 frame, 27 overrun, 0 ignored, 0 abort

        10 L2 decode drops

        1 packets output, 64 bytes, 0 underruns

        0 output errors, 0 collisions, 0 interface resets

        0 late collisions, 0 deferred

        0 input reset drops, 0 output reset drops

        input queue (curr/max packets): hardware (5/25) software (0/0)

        output queue (curr/max packets): hardware (0/1) software (0/0)

  Traffic Statistics for "outside":

        17 packets input, 7478 bytes

        1 packets output, 28 bytes

        17 packets dropped

      1 minute input rate 0 pkts/sec,  92 bytes/sec

      1 minute output rate 0 pkts/sec,  0 bytes/sec

      1 minute drop rate, 0 pkts/sec

      5 minute input rate 0 pkts/sec,  0 bytes/sec

      5 minute output rate 0 pkts/sec,  0 bytes/sec

      5 minute drop rate, 0 pkts/sec

  Redundancy Information:

        Member GigabitEthernet0/0(Active), GigabitEthernet0/1

        Last switchover at 23:13:03 UTC Dec 15 2011

Related Information

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html

-->

interface GigabitEthernet0/0

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

no nameif

no security-level

no ip address

interface Redundant1

member-interface GigabitEthernet0/0

member-interface GigabitEthernet0/1

nameif outside

security-level 0

ip address 1.1.1.1 255.255.255.0

Version history
Revision #:
1 of 1
Last update:
‎01-15-2012 09:44 PM
Updated by:
 
Labels (1)
Comments

Ankur,

     Can you please explain why you are writing this document? Honestly it gives no added benefit over what is given in the official configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1062371

The only benefit I can see that it provides is that you show the output of 'show interface redundant...' Perhaps this document should be changed and rewritten to address something that is lacking in the documentation, such as 'troubleshooting problems with redundant interfaces' or 'verifying a redundant interface configuration'

If your goal is to show a simple, basic configuration of redundant interfaces, please rename the doc to 'quick configuration for redundant interface on ASA' or something similar.

Also, the link you provide to the configuration guide is wrong and refers to a 5505, please use the link I provide above.

Sincerely,

     Jay