Cisco ASA failover keepalives - classification and prioritization

CB90021204
Level 1

Hello,

I have a busy layer two link between data centres and need to make sure failover keepalive traffic between the ASA firewalls at each data centre gets through. 

I'd like to implement layer 2 QoS across the link. Can you classify and prioritize ASA failover keepalive traffic? If so, which ports does it use, or is it already classified by the ASA?

Thanks, 

Accepted Solution

Francesco Molino
VIP Alumni

Hi

If you want to apply QoS on the failover link between the ASAs, you need to:

- Mark traffic on the switches that face the ASA failover interface.

- All switches in between must trust the QoS value and apply your QoS policy (bandwidth reservation based on the QoS value chosen before).

Let's assume that your failover IP is 192.168.100.1 on the primary unit and 192.168.100.2 on the secondary unit.

The ACL to classify traffic is:

From ASA1 to ASA2:

  ip access-list extended HA-ASA

    permit ip host 192.168.100.1 host 192.168.100.2

From ASA2 to ASA1:

  ip access-list extended HA-ASA

    permit ip host 192.168.100.2 host 192.168.100.1

Hope this answered your question.

Thanks.

PS: if this solved your issue, please don't forget to rate and mark as correct answer.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
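
The marking and reservation steps described in the answer above, sketched as switch configuration. This is an added example, not part of the original post: it assumes a Catalyst switch using MQC syntax (commands differ by platform), and the interface names, the class-map and policy-map names, the DSCP value CS6 and the 5 percent reservation are all assumptions.

```cisco
! Added example, not from the original post.
! Assumed: MQC-capable Catalyst switch, DSCP CS6 as the marking,
! hypothetical names HA-ASA-CLASS / HA-ASA-MARK / HA-ASA-QUEUE / DCI-EGRESS,
! hypothetical interfaces Gi1/0/10 (to ASA1) and Te1/1/1 (inter-DC link).
!
! --- Switch facing ASA1: classify with the ACL from the post ---
ip access-list extended HA-ASA
 permit ip host 192.168.100.1 host 192.168.100.2
!
class-map match-all HA-ASA-CLASS
 match access-group name HA-ASA
!
! Mark the failover traffic as it enters from the ASA
policy-map HA-ASA-MARK
 class HA-ASA-CLASS
  set dscp cs6
!
interface GigabitEthernet1/0/10
 description ASA1 failover interface (assumed port)
 service-policy input HA-ASA-MARK
!
! --- Every switch on the path: match the marking, reserve bandwidth ---
class-map match-any HA-ASA-QUEUE
 match dscp cs6
!
policy-map DCI-EGRESS
 class HA-ASA-QUEUE
  bandwidth percent 5
!
interface TenGigabitEthernet1/1/1
 description Inter-DC layer 2 link (assumed port)
 service-policy output DCI-EGRESS
!
! On the switch facing ASA2, repeat the first half with the reversed ACL:
!  permit ip host 192.168.100.2 host 192.168.100.1
! Platforms that do not trust DSCP by default need trust enabled on the
! transit ports, otherwise the marking is rewritten before it is queued.
```

Scoping the ACL to the two failover host addresses keeps other traffic on the same port from inheriting the priority marking, and `show policy-map interface` on each hop confirms that the class counters increment.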
