Creating ASA Inside interface failover &/or redundancy

collinsjl
Level 1

Which is the best way to configure the ASA for the following desired output:

We will have 2 3850 switches in a stack running multiple VRFs which will use the ASA as their gateway. We do not want to send a single link to the INSIDE interface. That makes that switch a single point of failure.
Should I send a port channel up from the 3850s (one link each) to the ASA or send 2 separate trunk links up to the ASA? Of course this will depend on the ASA solution.
Should I use a PortChannel on the ASA and then define L3 subinterfaces under the port channel?
Should I use a redundant link on the ASA and assign subinterfaces to that? If you can.
Desired outcome is that if one of the switches goes down the traffic still flows.
Load balancing across the links is optimal, but I am not sure that is possible without MAC flapping.
We will be needing several IP'ed subinterfaces for at least 10-15 VLANs.

Are there any examples of this out there?
Any help would be appreciated.


collinsjl
Level 1

I grabbed an old 5510 w/ Security Plus off the dusty shelf, upgraded the software and added this on it:

interface Redundant1
member-interface Ethernet0/2
member-interface Ethernet0/3
no nameif
security-level 100
no ip address
!
interface Redundant1.10
vlan 10
nameif Production
security-level 100
ip address 10.82.0.254 255.255.255.0
!
interface Redundant1.100
vlan 100
nameif CUST1
security-level 90
ip address 10.82.100.254 255.255.255.0
!
interface Redundant1.101
vlan 101
nameif CUST2
security-level 90
ip address 10.82.101.254 255.255.255.0
!
interface Redundant1.102
vlan 102
nameif CUST3
security-level 90
ip address 10.82.102.254 255.255.255.0
!
interface Redundant1.103
vlan 103
nameif CUST4
security-level 90
ip address 10.82.103.254 255.255.255.0

I am thinking at this point I should just send a single trunk link up from each 3850 and I assume the first member will serve all requests and if it fails then the second member in the REDUNDANCY will take over. I also assume that MAC addresses will change then and there will be a small outage during that time. Does redundancy support a virtual MAC that will swap when the link swaps?

I am looking at doing the same for the WAN links but need to look at how the monitor for failover would work:

interface Redundant2
member-interface Ethernet0/0
member-interface Ethernet0/1
no nameif
security-level 0
no ip address
!
interface Redundant2.2
vlan 2
nameif WAN1
security-level 0
ip address 1.1.1.1 255.255.255.252
!
interface Redundant2.3
vlan 3
nameif WAN2
security-level 0
ip address 2.2.2.2 255.255.255.252

I would then feed those two links to a 2960 stack, one to each switch.

OK - Just found this:

Redundant Interface MAC Address

The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. Alternatively, you can assign a manual MAC address to the redundant interface, which is used regardless of the member interface MAC addresses. When the active interface fails over to the standby, the same MAC address is maintained so that traffic is not disrupted.

At this point I think I have the solution, but is it the best solution? Is there a method to use both links and load balance?
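As an added example (not from this thread, Cisco or the poster), a small Python checker that parses ASA interface stanzas like the ones above and flags the points the reply is worried about: a redundant interface with no manual mac-address (so, per the quoted doc, the MAC follows whichever member is listed first), a parent with other than two members, and subinterfaces that lack a nameif or reuse a VLAN ID. The sample config is constructed for the demonstration and is not the poster's running config.

```python
import re
from collections import defaultdict
# Constructed sample (not the poster's config); Redundant1.100 deliberately lacks a nameif.
SAMPLE_CONFIG = """\
interface Redundant1
 member-interface Ethernet0/2
 member-interface Ethernet0/3
 no ip address
!
interface Redundant1.10
 vlan 10
 nameif Production
 security-level 100
 ip address 10.82.0.254 255.255.255.0
!
interface Redundant1.100
 vlan 100
 ip address 10.82.100.254 255.255.255.0
"""
def parse_interfaces(config):
    """Map each 'interface X' stanza to {keyword: [values]}; 'no ...' lines keep 'no' as the keyword."""
    ifaces, current = {}, None
    for line in (raw.strip() for raw in config.splitlines()):
        m = re.match(r"interface (\S+)$", line)
        if m:
            current = ifaces[m.group(1)] = defaultdict(list)
        elif current is not None and line and line != "!":
            key, _, value = line.partition(" ")
            current[key].append(value)
    return ifaces
def check_redundant(config):
    """Return findings for every RedundantN parent and its dot-subinterfaces."""
    ifaces, findings = parse_interfaces(config), []
    for name, attrs in ifaces.items():
        if not re.fullmatch(r"Redundant\d+", name):
            continue
        members = attrs.get("member-interface", [])
        if len(members) != 2:  # an ASA redundant interface pairs exactly two physical ports
            findings.append(f"{name}: expected 2 member-interface lines, found {len(members)}")
        if "mac-address" not in attrs:  # without it the MAC follows whichever member is listed first
            findings.append(f"{name}: no manual mac-address; MAC follows member order")
        seen = {}
        for sub, sattrs in ((n, a) for n, a in ifaces.items() if n.startswith(name + ".")):
            vlan = sattrs.get("vlan", [None])[0]
            if vlan in seen:
                findings.append(f"{sub}: vlan {vlan} already used by {seen[vlan]}")
            seen[vlan] = sub
            if not sattrs.get("nameif"):
                findings.append(f"{sub}: missing nameif, so the subinterface will not pass traffic")
    return findings
```

Run it against the output of `show running-config interface` to get the same findings for a real box.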
