When troubleshooting redundant interface operations on the Cisco ASA, which configuration
should be verified?
A. The nameif configuration on the member physical interfaces is identical.
B. The MAC address configuration on the member physical interfaces is identical.
C. The active interface is sending periodic hellos to the standby interface.
D. The IP address configuration on the logical redundant interface is correct.
E. The duplex and speed configuration on the logical redundant interface is correct.
Explanation:
Concept
A logical redundant interface is a pair of an active and a standby physical interface. When the
active interface fails, the standby interface becomes active. From the firewall's perspective this
event is completely transparent, and the pair can be viewed as a single logical interface. We can use
redundant interfaces to increase the security appliance's reliability. This feature is separate from
device-level failover, but you can configure redundant interfaces as well as failover if desired. We
can configure up to 8 redundant interfaces.
Redundant interfaces are numbered from 1 to 8 and have the name redundant X. When adding
physical interfaces to the redundant pair, make sure there is no configuration on them and that
each interface is in the no shutdown state. This is just a precaution; the firewall will remove these
settings when adding the physical interface to a new group. The logical redundant interface will
take the MAC address of the first interface added to the group.
This MAC address does not change when a member interface fails, but it does change when you
swap the order of the physical interfaces in the pair.
Once we have configured a redundant interface, we can assign it a name and a security level,
followed by an IP address. The procedure is the same as with any interface in the system.
Configuration
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
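The checks described above can be run against a saved configuration. This is an added example, not part of the original page or any Cisco tooling; the names parse_interfaces, audit_redundant and SAMPLE are hypothetical, and the sample text is constructed from the configuration above with one deliberate mistake.

```python
import re

# Constructed sample: this page's config plus a leftover nameif on Gi0/1.
SAMPLE = """\
interface GigabitEthernet0/0
 no nameif
 no security-level
 no ip address
interface GigabitEthernet0/1
 nameif dmz
 no security-level
 no ip address
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 1.1.1.1 255.255.255.0
"""

def parse_interfaces(config):
    """Return {interface name: [sub-commands]}; a '!' or blank line ends a stanza."""
    stanzas, current = {}, None
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = stanzas.setdefault(m.group(1), [])
        elif line in ("", "!"):
            current = None
        elif current is not None:
            current.append(line)
    return stanzas

def audit_redundant(config):
    """List problems in each Redundant stanza and in its member interfaces."""
    stanzas, findings = parse_interfaces(config), []
    reds = [(n, c) for n, c in stanzas.items() if n.lower().startswith("redundant")]
    for name, cmds in reds:
        members = [c.split()[1] for c in cmds if c.startswith("member-interface ")]
        if len(members) != 2:
            findings.append(f"{name}: expected 2 member interfaces, found {len(members)}")
        for key in ("nameif ", "security-level ", "ip address "):
            if not any(c.startswith(key) for c in cmds):
                findings.append(f"{name}: missing '{key.strip()}'")
        for member in members:
            for c in stanzas.get(member, []):
                if re.match(r"(nameif|security-level|ip address)\s", c):
                    findings.append(f"{member}: leftover '{c}' on member interface")
    return findings
```

Calling audit_redundant(SAMPLE) reports the leftover nameif on GigabitEthernet0/1; an empty list means the stanza matches the layout shown above.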
Verify
You can use the following command to verify:
ciscoasa(config)# show interface redundant 1
Interface Redundant1 "outside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
MAC address 5475.d0d4.9594, MTU 1500
IP address 1.1.1.1, subnet mask 255.255.255.0
27 packets input, 12330 bytes, 0 no buffer
Received 27 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 27 overrun, 0 ignored, 0 abort
10 L2 decode drops
1 packets output, 64 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (curr/max packets): hardware (5/25) software (0/0)
output queue (curr/max packets): hardware (0/1) software (0/0)
Traffic Statistics for "outside":
17 packets input, 7478 bytes
1 packets output, 28 bytes
17 packets dropped
1 minute input rate 0 pkts/sec, 92 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member GigabitEthernet0/0(Active), GigabitEthernet0/1
Last switchover at 23:13:03 UTC Dec 15 2011