09-13-2011 08:42 PM - edited 03-11-2019 02:24 PM
Hello,
I have an ASA 5580, and I am planning on setting up two EtherChannels (inside and outside); each channel will include two TenGigabit interfaces.
My question is whether the links that I am going to use for the failover and state link should also be 20 Gbps each, or whether it is OK to use 10 Gbps for each link.
According to the Configuration guide 8.4:
Use the following failover interface speed guidelines for the ASAs:
• Cisco ASA 5510
– Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.
• Cisco ASA 5520/5540/5550
– Stateful link speed should match the fastest data link.
• Cisco ASA 5580/5585
– Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for Stateful Failover.
Thanks in advance
09-17-2011 05:59 AM
Hi Cristian,
No need to use an EtherChannel for your failover link (unless you want to). As you noticed in the configuration guide, the only requirement for the 5580 is that you don't use a management port for failover.
The "failover link speed must be as fast as your fastest data interface" is more of a requirement for the smaller ASA platforms. This is not the case for the 5580.
Hope that helps.
-Mike
04-19-2013 04:21 AM
Hi,
I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.
I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which of the following interface configurations would make the most sense?
Option 1:
-------------
2x10GE = 20GE Etherchannel for Data
1x1GE LAN Failover
1x1GE STATE Failover
Option 2:
-------------
1x 10GE Data
1x 10GE LAN & STATE Failover
Option 3:
-------------
2x10GE = 20GE Etherchannel for Data
4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)
(etherchannel for LAN/STATE Failover actually does not make much sense, since only one interface will be used anyway)
Option 4:
-------------
1x10GE LAN & STATE Failover
8x1GE = 8 GE Etherchannel for Data
I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.
What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.
The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)
Thanks in advance for your feedback!