CB90021204
Beginner

Cisco ASA failover keepalives - classification and prioritization

Hello,

I have a busy layer two link between data centres and need to make sure failover keepalive traffic between the ASA firewalls at each data centre gets through. 

I'd like to implement layer 2 QoS across the link. Can you classify and prioritize ASA failover keep alive traffic? If so which ports does it use or is it already classified by the ASA?

Thanks, 

1 ACCEPTED SOLUTION

Francesco Molino
VIP Mentor

Hi

If you want to apply QoS on failover link between ASA, you need to do:

- Mark traffic on the switches that face the ASA failover interface.

- All switches in between must trust the QoS value and apply your QoS policy (bandwidth reservation based on the QoS value chosen before).

Let's assume that your failover IP on the primary unit is 192.168.100.1 and 192.168.100.2 for the secondary unit.

The ACL to classify traffic is:

From ASA1 to ASA2

  ip access-list extended HA-ASA

    permit ip host 192.168.100.1 host 192.168.100.2

From ASA2 to ASA1:

  ip access-list extended HA-ASA

    permit ip host 192.168.100.2 host 192.168.100.1

Hope this answered your question.

Thanks.

PS: if this solved your issue, please don't forget to rate and mark as correct answer.


Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
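
The marking and bandwidth-reservation steps from the answer above, written as IOS MQC configuration; this is an added example, not part of the original post. The class-map and policy-map names, the interface names, the DSCP value CS6 and the 5 percent reservation are assumptions, and it assumes a switch platform that accepts MQC `service-policy` in both the input and output direction (queuing syntax differs on some Catalyst models).

```cisco
! --- Switch facing ASA1's failover interface (constructed example) ---
! ACL from the answer: failover traffic sourced from the primary unit
ip access-list extended HA-ASA
 permit ip host 192.168.100.1 host 192.168.100.2
!
! Classify on the ACL and mark on ingress
class-map match-all HA-ASA-CLASS
 match access-group name HA-ASA
!
policy-map MARK-HA-ASA
 class HA-ASA-CLASS
  ! DSCP value is an assumption; use whatever your QoS design reserves
  set dscp cs6
!
! Interface name is an assumption
interface GigabitEthernet1/0/10
 description ASA1 failover interface
 service-policy input MARK-HA-ASA
!
! --- Every switch on the inter-DC path, egress toward the other site ---
! Match the marking applied above instead of re-classifying by ACL
class-map match-all HA-ASA-MARKED
 match dscp cs6
!
policy-map DCI-OUT
 class HA-ASA-MARKED
  ! Reservation size is an assumption; failover keepalives are low volume
  bandwidth percent 5
 class class-default
  fair-queue
!
! Interface name is an assumption
interface TenGigabitEthernet1/1/1
 description Layer 2 link to remote data centre
 service-policy output DCI-OUT
```

Mirror the first half on the switch facing ASA2 with the reversed ACL from the answer. On platforms that do not trust markings by default, trust must also be enabled on the inter-switch ports so the DSCP value survives each hop.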
