cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3090
Views
0
Helpful
13
Replies

Backup interface in ASA 5505

jvardhan29
Level 1
Level 1

i am confused with the requirement of the "backup interface vlan "command requirement on ASA 5505 . i read from Cisco doc that with the implementation of this command firewall blocks all through traffic on backup interface unless the default route through the primary interface goes down , but i want to know in which scenario will it be used .Can we combine this with IP SLA ?

Also i am confused that IP SLA will also have 2 default routes but the "backup interface " command is not necessary in that . can some one please explain as may be it is a simple question . Below is the sample config

ASA5505(config)# interface vlan 2
ASA5505(config-if)# nameif primary
ASA5505(config-if)# security-level 0
ASA5505(config-if)# ip address 100.100.100.1 255.255.255.0
ASA5505(config-if)# backup interface vlan 3


ASA5505(config)# interface vlan 4
ASA5505(config-if)# nameif backup
ASA5505(config-if)# security-level 5
ASA5505(config-if)# ip address 200.200.200.1 255.255.255.0


ASA5505(config)# route primary 0.0.0.0 0.0.0.0 100.100.100.2 1
ASA5505(config)# route backup 0.0.0.0 0.0.0.0 200.200.200.2 20

13 Replies 13

Kureli Sankar
Cisco Employee
Cisco Employee

I have never used this command myself but, reading the command reference below

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/b.html#wp1359012

The Security Plus license no longer limits the  number of VLAN interfaces to 3 for normal traffic, 1 for a backup  interface, and 1 for failover; you can now configure up to 20 interfaces  without any other limitations. Therefore the backup interface command is not required to enable more than 3 interfaces.

When you configure Easy VPN with the backup interface command, if the backup interface becomes the primary, then the adaptive  security appliance moves the VPN rules to the new primary interface.  See the show interface command to view the state of the backup interface.

SLA route tracking does not require this command.

-KS

hi

i have read the document but i have not seen any example of this command . Does that mean that "backup interface vlan " command is required only for base license of asa 5505 . i believe this command is still needed for ezvpn irrespective of security or base license. can someone please help me on this

The 5505 supports 3 usable VLANs - for data traffic.  It does support 5
in total, but two are restricted to a backup interface and failover
link, as the link indicates.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html#wp1060211

If you have license for 20 interfaces then, you do not need this command "backup interface vlan"

-KS

Hi Poonguzhali

I have read the link but nowhere it mentions about "support of 5 interfaces in total out of which two restricted to a backup interface and failover".if that is the case then can we specify a nameif to this interface , as in the document it mentions that whichever interface has nameif is the active vlan but as you mentioned that other non-data interface can be used as backup interface so that means it will not allow to put nameif for this vlan

also let me know if the switching of traffic from primary interface to backup interface for ezvpn clinets (if primary isp is down) is stateful or not(consider we are using base license and this asa is ezvpn server).

Jayesh,

Pls. search for the below text in the above link that I enclosed.

5 interfaces total (highlighted in red) - 3 for data. 1 for backup and 1 for failover. I have highlighted the backup interface command as well.

Example 15: Primary Unit Configuration

passwd g00fba11
enable password gen1u$
hostname Buster

asdm image disk0:/asdm.bin
boot system disk0:/image.bin
interface vlan 2
description Primary ISP interface
nameif outside
security-level 0
ip address 209.165.200.224 standby 209.165.200.225
backup interface vlan 4
no shutdown
interface vlan 1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
no shutdown
interface vlan 3
nameif dmz
security-level 50
ip address 192.168.2.1 255.255.255.0
no shutdown
interface vlan 4
description Backup ISP interface
nameif backup-isp
security-level 0
ip address 209.168.202.128 standby 209.168.202.129
no shutdown
interface vlan 5
description LAN Failover Interface
interface ethernet 0/0
switchport access vlan 2

no shutdown


-KS


Thanks KS , as you mentioned that we donot require backup interface command with the sec plus license ( 20 vlans) then if we assume that we are using base license then in the base license we can only create 2 VLAN interfaces with "nameif" , 3rd interface is given nameif only if we specify "no forward interface vlan "command but in your below example nameif are given for 4 vlan interfaces , hence i didn t understnd.

KS,

any idea on this one ?

hi experts

any idea on this question related to back interface . please help .

Jayesh,

In transparent firewall mode, you can configure two active VLANs in the Base license and three active
VLANs in the Security Plus license, one of which must be for failover.


In routed mode, you can configure up to three active VLANs with the Base license, and up to 20 active
VLANs with the Security Plus license.


An active VLAN is a VLAN with a nameif command configured.

With the Base license, the third VLAN can only be configured to initiate traffic to one other VLAN.

Now, it appears that the 5-interface example that I provided about is for security plus. Sorry about that.

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/examples.html#wp1038603

-KS

hi

With 3rd interface (backup - vlan3) being restricted and not being used till outside (vlan2 ) interface is up , will the traffic pass across backup interface (configured with no forward interface comamnd ) when the outside goes down ?

hi experts,

please let me know your views on the query

hi experts

this is leading to make me believe that backup interface command is not of much use other than when 5505 is ezvpn server ?

Jayesh,

Yes I believe so.  Honestly this the first time I am answering a query on backup interface. So, you can imagine how many people use this.

On the other token the restricted base license where the dmz interface can only talk to the outside and not to the inside is used very often.

-KS

Review Cisco Networking for a $25 gift card