topic Can I use sub-interfaces for (Failover lan interface and link st in Network Security

Can I use sub-interfaces for (Failover lan interface and link state)

Tarjeet Singh — Tue, 12 Mar 2019 02:48:19 GMT

Hi All,

I have two ASA 5510(8.2). I am planing to make Active/standby. I have only 4 interfaces on each ASA.

Interface

Ethernet0/0 Outside

Ethernet0/1 Inside

Ethernet0/2 DMZ

Ethernet0/3.1 (failover)

As I checked cisco config and found that I need two physical interfaces (Lan failover and link state). My plan is to make subinterfaces of Ethernet0/3 and assign it to Lan failover and Link state.

failover

failover lan unit primary

failover lan interface failover Ethernet0/3.1 <=========== Subinterface failover lan interface

failover replication http

failover link state Ethernet0/3.2 <========= Subinterface Link state

Interface

Ethernet0/0 Outside

Ethernet0/1 Inside

Ethernet0/2 DMZ

Ethernet0/3.1 (failover Lan interface)

Ethernet0/3.2 (Failover Link state)

Can you please confirm if it is possible that I can use subinterface for failover config instead of physical interface. Thanks in advance

Can I use sub-interfaces for (Failover lan interface and link st

Jouni Forss — Mon, 07 Oct 2013 17:50:40 GMT

Hi,

You have not mentioned all the interfaces that the ASA has.

On the original ASA5500 Series I tend to use the Management0/0 port for the Failover purpose. I use the Management0/0 for both of the purposes.

Or are you perhaps using the Management0/0 interface at the moment?

Here is one example configuration

failover

failover lan unit primary

failover lan interface failover Management0/0

failover key

failover replication http

failover link failover Management0/0

failover interface ip failover 10.10.10.1 255.255.255.0 standby 10.10.10.2

I dont know if there is a command called "failover link state"

I'll have to say that I have never configured or tried to configure a Sub Interface as an actual Failover interface.

- Jouni

Can I use sub-interfaces for (Failover lan interface and link st

Tarjeet Singh — Mon, 07 Oct 2013 19:27:27 GMT

Hi Jouni,

Thanks for your reply. I am not using mamangment interface..

Interface

Ethernet0/0 Outside

Ethernet0/1 Inside

Ethernet0/2 DMZ

Ethernet0/3 (failover)

Management0/0

Word "State" used as interface name for Ethernet3.2. It is to exchange the failover link state information. Configuring the stateful failover link.

I didnt know that I can use Managment0/0 interface. Can I use same interface for LAN Failover and Failover Link? In Cisco document, they have shown to use separate interfaces or subinterface

============================================

failover link if_name phy_if

Example:

hostname(config)# failover link statelink GigabitEthernet0/2

The if_name argument assigns a logical name to the interface specified by the phy_if argument. The phy_if argument can be the physical port name, such as Ethernet1, or a previously created subinterface, such as Ethernet0/2.3. This interface should not be used for any other purpose (except, optionally, the failover link).

===============================================

Re: Can I use sub-interfaces for (Failover lan interface and lin

Jouni Forss — Mon, 07 Oct 2013 19:50:43 GMT

Ah,

I managed to read wrong the command you had mentioned.

The above "failover" configuration I mentioned is from one of our actual Failover devices so there should not be a problem with it.

It has the same interface acting as the Failover interface and the Statefull Failover interface

Using the Management interface in the Failover is possible on the original ASA5500 Series firewalls. I think the situation would be different if you had a newer ASA5500-X Series model. Though then again those models do have higher amount of ports by default than the original ASA series. The original ASA firewalls usually had 4 ports + management while the new ones have 6 ports + management.

- Jouni

Can I use sub-interfaces for (Failover lan interface and link st

Tarjeet Singh — Mon, 07 Oct 2013 21:39:03 GMT

Thanks Jouni...

I have old series ASA 5510, so I will be good to use managment interface. it is 8.3

Cisco Adaptive Security Appliance Software Version 8.3(2)

Device Manager Version 6.4(3)