Using Redundant Interfaces

By Brandon Carroll on May 10th, 2010

One of the things that I love about the ASA is that there are so many variations in the way it can be configured.  You can run in transparent or routed mode, single or multiple context mode and even do fancy things with sub-interfaces.  A somewhat new configuration that I see pop up from time to time is the use of redundant interfaces.  I’ve heard people call it an interface bundle, and some other fancy names.  Redundant interfaces are a very simple concept.

To begin with, there is the concept of a “virtual” Redundant interface.  This takes the form of interface Redundant#.  The Redundant interface is where the IP address, nameif, and physical member interfaces are defined.  In the following output you can see a simple configuration where E0/1 and E0/2 are members of Redundant interface 1.  Some things to consider here: you need to remove any configuration on the physical interfaces, and VLANs and Spanning-tree should be a consideration for the interfaces of the switch where you’re connected.

!
interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/2
ip address 172.23.22.11 255.255.255.0
nameif inside

Once the interface is redundant, the show output tells you which member is actively being used. Traffic is not load balanced across the two links.

ciscoasa(config-if)# show interface redundant1 | begin Redundancy
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/2
Last switchover at 22:54:36 UTC May 6 2010
ciscoasa(config-if)#

Additionally you can easily change which interface is active:

ciscoasa(config-if)# redundant-interface redundant 1 active-member Ethernet0/2

And with verification you can see that this has taken place.

ciscoasa(config-if)# show interface redundant1 | begin Redundancy
Redundancy Information:
Member Ethernet0/2(Active), Ethernet0/1
Last switchover at 22:56:46 UTC May 6 2010
ciscoasa(config-if)#
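
For monitoring, the same "Redundancy Information" block can be parsed and compared between two polls to catch a switchover, whether forced as above or caused by a link failure. The following is an added example, not part of the original post; the function names are hypothetical and the sample text is the two captures shown above.

```python
import re
from datetime import datetime

# Sample input: the two "show interface redundant1" captures from this post.
BEFORE = """\
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/2
Last switchover at 22:54:36 UTC May 6 2010
"""
AFTER = """\
Redundancy Information:
Member Ethernet0/2(Active), Ethernet0/1
Last switchover at 22:56:46 UTC May 6 2010
"""

MEMBER_RE = re.compile(r"^\s*Member\s+(.+)$", re.M)
SWITCH_RE = re.compile(
    r"^\s*Last switchover at (\d\d:\d\d:\d\d) (\S+) (\w+) (\d+) (\d{4})", re.M)

def parse_redundancy(text):
    """Return the active member, standby members and last switchover time."""
    m = MEMBER_RE.search(text)
    if not m:
        raise ValueError("no 'Member' line; not redundant-interface output")
    active, standby = None, []
    for name in (p.strip() for p in m.group(1).split(",")):
        if name.endswith("(Active)"):
            active = name[:-len("(Active)")]
        else:
            standby.append(name)
    s = SWITCH_RE.search(text)
    when = None  # stays None if the line is missing or not in this format
    if s:
        # The time zone label (group 2) is not applied; the value is naive.
        when = datetime.strptime(" ".join(s.group(1, 3, 4, 5)),
                                 "%H:%M:%S %b %d %Y")
    return {"active": active, "standby": standby, "last_switchover": when}

def detect_switchover(prev, curr):
    """Compare two polls; return an event dict, or None if nothing changed."""
    a, b = parse_redundancy(prev), parse_redundancy(curr)
    # Compare the timestamp too: a link that fails over and back between
    # polls shows the same active member but a newer switchover time.
    if a["active"] == b["active"] and a["last_switchover"] == b["last_switchover"]:
        return None
    return {"from": a["active"], "to": b["active"], "at": b["last_switchover"]}
```
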


Redundant interfaces are a definite possibility on the CCIE Security Exam, so be aware of them and be prepared to configure them.

Brandon Carroll – CCIE #23837
Senior Technical Instructor – IPExpert
Mailto: bcarroll@ipexpert.com
Telephone: +1.810.326.1444
Fax: +1.810.454.0130

4 Responses to “Using Redundant Interfaces”

  1. Aaron says:

    What are the OS and licensing requirements for interface redundancy?

  2. Tyson Scott says:

    8.0.2 is the minimum software. I am not sure about license but I believe it is with the basic security license feature set.

  3. Roland says:

    Great post!

    I install both Fortinet and ASA firewalls. On Fortinet you can configure one etherchannel towards the switch and many VLAN subinterfaces, with bandwidth policing on specific VLANs if needed. I’d really love to have these features on ASA and get rid of the old concept of interface/vlan/cable.

    These redundant interfaces can help but are not a solution.

  4. Matt says:

    Basic licenses can use them.

