The Cisco ASA software image, running on either Firepower or ASA hardware, supports interface high availability using PortChannel/EtherChannel and Redundant interfaces. This post describes both solutions and provides the information needed to configure each method.
EtherChannel Interfaces
An 802.3ad EtherChannel is a logical interface, referred to in the CLI configuration as a Port-Channel interface, consisting of a bundle of individual physical interfaces that together increase the available bandwidth. The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices. LACP detects misconfigurations and checks that both ends of the member interfaces are connected to the correct channel group.
The ASA supports 3 EtherChannel modes:
- Active – sends and receives LACP updates.
- Passive – receives LACP updates.
- On – the EtherChannel is always on and LACP is not used. “On” mode cannot use standby interfaces, and connectivity and configuration are not checked.
EtherChannel Key Points
- The ASA distributes packets to the interfaces in the EtherChannel by hashing the source and destination IP address of the packet.
- All interfaces that are part of the channel group share the same MAC address.
- The Port Channel interface uses the lowest numbered channel group interface MAC address as the Port Channel MAC address.
- The device to which the ASA is connected must also support 802.3ad EtherChannel.
Configuration
The ASA physical interfaces used in the Port Channel are only explicitly configured with the channel-group and the mode (active|passive|on); the IP address, security level and nameif settings are configured under the port-channel.
interface GigabitEthernet0/0
 channel-group 10 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 channel-group 10 mode active
 no nameif
 no security-level
 no ip address
The Port Channel interface is configured using the group number 10, as defined under the physical interfaces. The IP address, security level and nameif are configured under this logical interface.
interface Port-channel10
 nameif INSIDE
 security-level 100
 ip address 192.168.99.1 255.255.255.0
 lacp max-bundle 8
 port-channel min-bundle 2
 port-channel load-balance src-dst-ip
Verification
From the CLI of the ASA run the command show port-channel 10. From the output below we can confirm that the logical interface is configured as the INSIDE interface, that LACP is enabled, and that the active member interfaces are Gi0/0 and Gi0/1.
Running the command show port-channel summary confirms that the Port-Channel is in use (U) and that the ports Gi0/0 and Gi0/1 are bundled in the port-channel (P).
Redundant Interfaces
A Redundant Interface is a single logical interface that consists of a pair (2) of physical interfaces; the redundant interface operates in active/standby. When the active interface fails, the standby interface becomes active and passes traffic.
- A redundant interface uses the MAC address of the first physical interface that you add.
- If you change the order of the member interfaces, the MAC address changes to that of the interface now listed first.
- You can configure a manual MAC address; this MAC address is maintained.
- All ASA configuration refers to the logical redundant interface instead of the member physical interfaces.
- You can configure 2 physical interfaces as members of a redundant interface.
- You can configure up to 8 redundant interfaces.
Configuration
No specific configuration is defined under the physical interfaces.
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
A redundant interface is created, defining the member interfaces. The IP address, security level and nameif are configured under this logical interface.
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif INSIDE
 security-level 100
 ip address 192.168.99.1 255.255.255.0
 mac-address 0001.0001.00a1
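Both the EtherChannel and the Redundant interface configurations above follow the same pattern: member physical interfaces carry no nameif or IP address, and the logical interface carries the whole configuration. As an added example (not part of the original post or of any Cisco tooling), the following Python script parses an ASA-style running configuration and flags departures from the rules described on this page: a channel-group without a named Port-channel, a member interface that carries its own nameif or IP address, a redundant interface without exactly two members, and a channel-group in "on" mode, where LACP will not validate the bundle. The sample configuration is constructed for the example and is deliberately misconfigured in places.

```python
import re

# Constructed sample ASA config (not from a real device); Gi0/3 and Gi0/4 are misconfigured on purpose.
SAMPLE_CONFIG = """
interface GigabitEthernet0/0
 channel-group 10 mode active
interface GigabitEthernet0/1
 channel-group 10 mode active
interface Port-channel10
 nameif INSIDE
interface GigabitEthernet0/3
 nameif DMZ
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
interface GigabitEthernet0/4
 channel-group 20 mode on
"""

def parse_interfaces(config):  # -> {interface name: [sub-commands]} in order of appearance
    ifaces, current = {}, None
    for line in (s.strip() for s in config.splitlines()):
        if line.startswith("interface "):
            ifaces[(current := line.split(None, 1)[1])] = []
        elif current and line and line != "!":
            ifaces[current].append(line)
    return ifaces

def lint_ha_interfaces(config):  # -> list of findings against the EtherChannel/Redundant rules
    ifaces, findings, groups, members = parse_interfaces(config), [], {}, set()
    for name, lines in ifaces.items():
        if name.startswith("Redundant"):
            mbrs = [s.split()[1] for s in lines if s.startswith("member-interface ")]
            members.update(mbrs)
            if len(mbrs) != 2:
                findings.append(f"{name}: expected 2 member interfaces, found {len(mbrs)}")
        m = re.search(r"channel-group (\d+) mode (active|passive|on)", " ".join(lines))
        if m:
            groups.setdefault(m.group(1), []).append(name)
            members.add(name)
            if m.group(2) == "on":  # mode on disables LACP, so nothing checks the bundle
                findings.append(f"{name}: mode on, LACP will not validate the bundle")
    for grp, names in groups.items():
        if not any(s.startswith("nameif ") for s in ifaces.get(f"Port-channel{grp}", [])):
            findings.append(f"channel-group {grp} ({', '.join(names)}): no named Port-channel{grp}")
    for name in sorted(members):
        if any(s.startswith(("nameif ", "ip address ")) for s in ifaces.get(name, [])):
            findings.append(f"{name}: nameif/ip address belong on the logical interface")
    return findings
```

Run `lint_ha_interfaces` over the output of `show running-config` saved to a file; an empty list means the member/logical split described above is respected.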
Verification
Run the command show interface redundant 1 detail. From the output below we can confirm that the interface is up and that the active member interface is Gi0/0.
If Gi0/0 fails or is shut down, traffic will continue to pass, with the standby interface now becoming active. From the output of show interface redundant 1 detail, we can confirm that Gi0/1 is now active and that the Last switchover time/date has changed since we last ran the command.