Redundant interfaces in Cisco ASA

Redundant interfaces in Cisco ASA

In Checkpoint they call it interface bonding – when will I stop dragging this Checkpoint everywhere ? – in Cisco ASA they called it interface redundancy. The idea is to provide for the physical link failure. That is – you combine two physical interfaces on the ASA into a virtual one, then you configure all the Layer 3 parameters on this virtual interface. At the same time only ONE of the interfaces in a group is active, if it fails ASA transparently switches to the next available interface in a group and all traffic passes through it. By default the first added to the group interface becomes active and all the rest become passive. At the end of the article there is some dry theory and facts, but now let’s plunge into code.

Warning ! The moment you assign some physical interface to be a member of the redundant virtual interface ALL the existing configs on such interface are wiped out.
Create redundant interface (group) and assign 2 physical interfaces to it :

Santa#conf t
Santa(config)# interface Redundant1
Santa(config-if)# member-interface Ethernet0/0
Santa(config-if)# member-interface Ethernet0/2
Santa(config-if)#no nameif
Santa(config-if)#no security-level
Santa(config-if)#no ip address

Now basically we can start configuring nameif , IP address and security level for this Redundant1 interface but let’s be more creative and create some VLANs on it.
So far :

Santa#show run int
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address

Santa(config)# interface Redundant1.120
Santa(config-subif)# vlan 120
Santa(config-subif)# nameif dmz
Santa(config-subif)# security-level 50
Santa(config-subif)# ip address 10.0.0.12 255.255.255.0

To remind you state of the physical interfaces comprising the Redundant 1 is :
interface Ethernet0/2
no nameif
no security-level
no ip address

interface Ethernet0/0
no nameif
no security-level
no ip address
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
no nameif
no security-level
no ip address

Santa(config)# interface Redundant1.100
Santa(config-subif)# vlan 100
Santa(config-subif)# nameif outside
Santa(config-subif)# security-level 0
Santa(config-subif)# ip address 139.61.77.12 255.255.255.0

Now some verification is looming (pay attention to the bottom of the output where you can see which interface is currently active and how many state changes have happened so far) :

Santa# sh int redundant 1 detail
Interface Redundant1 “”, is up, line protocol is up

Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
1870 packets input, 150617 bytes, 0 no buffer
Received 1329 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
766 L2 decode drops
264 packets output, 24326 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (9/18) software (0/0)
output queue (curr/max packets): hardware (0/2) software (0/0)
Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:25:35 UTC August 19 2010

And what about some debug ? Of course:

Santa(config)# debug redundant-interface ?

exec mode commands/options:
error errors
event events

Now let’s initiate shut on physical interface Ethernet0/2 that is now active
redundant interface Redundant1 switchover, active idx 1, stby idx 0
redundant interface Redundant1 switching active from Ethernet0/2 to Ethernet0/0.
Send gratuitous ARP on Redundant1.100.
Send gratuitous ARP on Redundant1.120.
redundant interface Redundant1 switch active to Ethernet0/0 done.
Switch has happened, now verify it:

Santa(config-if)# sh int redundant 1 det

Interface Redundant1 “”, is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 001b.d589.9892, MTU not set
IP address unassigned
2284 packets input, 187559 bytes, 0 no buffer
Received 1544 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
797 L2 decode drops
296 packets output, 27430 bytes, 0 underruns
0 output errors, 0 collisions, 1 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (8/18) software (0/0)
output queue (curr/max packets): hardware (0/5) software (0/0)

Control Point Interface States:
Interface number is 10
Interface config status is active
Interface state is active

Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 07:57:11 UTC August 19 2010

Having done a bit practice the dry theory comes next.

You can define up to 8 Redundant interfaces (if you have ASA 5580 why not?);
All the interfaces in the same group should be of the same type (Ethernet with Fiber won’t go well) ;
Only one interface is passing production traffic at any given moment;
Redundant interface gets by default MAC address of the first added to it interface, configurable;<
When fail over happens to the second interface, it takes over MAC address of its previously active neighbour to prevent loss of traffic. If MAC is configured especially and manually it remains the same;
You can force some interface to become Active using the command:
Santa# redundant-interface redundant active-member <if_name>
Redundant interfaces are compatible with fail over feature.