ASA interface redundancy
We can implement link failure recovery with our firewall using what’s called Redundant Interface.
Besides making it failure tolerant at device level, we can implement physical redundancy with the device itself. What we do basically is to create a virtual interface to which a couple of physical interfaces belong. If one of these links fail, the other one in the redudant group gets active and starts to forward traffic. Up to eight interfaces can be configured like this, and once there, all the configs we did at interface level before, are now done at the virtual interface level..
We have to consider:
- We have to remove the nameifs of the physical member by issuing no nameif .
- Both physical interfaces have to be the same type. Meaning so, all of them Ethernet or GigabitEthernet, no mixes.
- We can only configure the description and administrative status on the physical interfaces.
- Etherchannel interface has to has at least one member on it.
We are definetly talking about Layer 2 redundacy. Easiest topology I came up with:
Video demonstration. This video is no longer hosted in this blog’s server so it was moved to Youtube.