athukral
Level 1


Introduction

This document explains the concept of a redundant interface on the firewall. We will discuss the whole concept and provide a sample configuration.

Requirements


There are no specific requirements for this document.

Components Used


ASA 5500 series running 7.X and above

Concept

A logical redundant interface is a pair of physical interfaces, one active and one standby. When the active interface fails, the standby interface becomes active. From the firewall's perspective this event is completely transparent, and the pair can be viewed as a single logical interface. We can use redundant interfaces to increase the reliability of the security appliance. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired. We can configure up to 8 redundant interfaces.

Redundant interfaces are numbered from 1 to 8 and are named redundant X. Before adding a physical interface to the redundant pair, make sure there is no configuration on it and that it is in the no shutdown state. This is just a precaution; the firewall will remove these settings when adding the physical interface to a new group. The logical redundant interface takes the MAC address of the first interface added to the group. This MAC address does not change when a member interface fails, but it does change when you swap the order of the physical interfaces in the pair.

Once we have configured a redundant interface, we can assign it a name and a security level, followed by an IP address. The procedure is the same as with any interface in the system.

Configuration

interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0

Verify


Use the following command to verify the redundant interface:

ciscoasa(config)# show interface redundant 1
Interface Redundant1 "outside", is up, line protocol is up
  Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        MAC address 5475.d0d4.9594, MTU 1500
        IP address 1.1.1.1, subnet mask 255.255.255.0
        27 packets input, 12330 bytes, 0 no buffer
        Received 27 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 27 overrun, 0 ignored, 0 abort
        10 L2 decode drops
        1 packets output, 64 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (curr/max packets): hardware (5/25) software (0/0)
        output queue (curr/max packets): hardware (0/1) software (0/0)
  Traffic Statistics for "outside":
        17 packets input, 7478 bytes
        1 packets output, 28 bytes
        17 packets dropped
      1 minute input rate 0 pkts/sec,  92 bytes/sec
      1 minute output rate 0 pkts/sec,  0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec,  0 bytes/sec
      5 minute output rate 0 pkts/sec,  0 bytes/sec
      5 minute drop rate, 0 pkts/sec
  Redundancy Information:
        Member GigabitEthernet0/0(Active), GigabitEthernet0/1
        Last switchover at 23:13:03 UTC Dec 15 2011
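
To check this output automatically during a health check or audit, the script below parses the Redundancy Information section and flags a pair that has lost its standby link. It is an added example, not part of the original document or Cisco's tooling; the function names are hypothetical and the sample text is constructed from the output shown above.

```python
import re

# Constructed sample: the relevant lines of the "show interface redundant 1" output above.
SAMPLE = '''\
Interface Redundant1 "outside", is up, line protocol is up
        MAC address 5475.d0d4.9594, MTU 1500
        IP address 1.1.1.1, subnet mask 255.255.255.0
  Redundancy Information:
        Member GigabitEthernet0/0(Active), GigabitEthernet0/1
        Last switchover at 23:13:03 UTC Dec 15 2011
'''

def parse_redundant(text):
    """Extract the state of a redundant interface from 'show interface' text."""
    info = {"members": [], "active": [], "last_switchover": None}
    m = re.search(r'^Interface (\S+) "([^"]*)", is (.+?), line protocol is (\S+)', text, re.M)
    if m:
        info.update(name=m.group(1), nameif=m.group(2), admin=m.group(3), protocol=m.group(4))
    m = re.search(r'MAC address ([0-9a-f.]+)', text)
    info["mac"] = m.group(1) if m else None
    m = re.search(r'^\s*Members? (.+)$', text, re.M)
    if m:
        for item in m.group(1).split(","):
            # "GigabitEthernet0/0(Active)" -> port name plus optional state flag
            port, _, flag = item.strip().partition("(")
            info["members"].append(port)
            if flag.rstrip(")").lower() == "active":
                info["active"].append(port)
    m = re.search(r'Last switchover at (.+)$', text, re.M)
    if m:
        info["last_switchover"] = m.group(1).strip()
    return info

def check_redundant(info):
    """Return a list of findings; an empty list means the pair looks healthy."""
    findings = []
    if info.get("protocol") != "up":
        findings.append("line protocol is not up")
    if len(info["members"]) < 2:
        findings.append("fewer than two member interfaces: no standby link")
    if len(info["active"]) != 1:
        findings.append("expected exactly one active member")
    return findings

if __name__ == "__main__":
    state = parse_redundant(SAMPLE)
    print(state["active"], state["last_switchover"], check_redundant(state))
```

Comparing the reported MAC address and last switchover time between runs also shows when the member order was changed or an unplanned switchover occurred.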

Related Information

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/int5505.html


Comments
Jay Johnston
Cisco Employee

Ankur,

     Can you please explain why you are writing this document? Honestly it gives no added benefit over what is given in the official configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1062371

The only benefit I can see that it provides is that you show the output of 'show interface redundant...' Perhaps this document should be changed and rewritten to address something that is lacking in the documentation, such as 'troubleshooting problems with redundant interfaces' or 'verifying a redundant interface configuration'

If your goal is to show a simple, basic configuration of redundant interfaces, please rename the doc to 'quick configuration for redundant interface on ASA' or something similar.

Also, the link you provide to the configuration guide is wrong and refers to a 5505, please use the link I provide above.

Sincerely,

     Jay
