45-8
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
standby interface becomes active and starts passing traffic. This feature is separate from device-level
failover, but you can configure redundant interfaces as well as failover, if desired. You can configure up
to eight redundant interface pairs.
A redundant interface functions as a single interface (inside, outside, etc.), with only one member of
the pair active at any one time. The redundant interface itself is configured normally, with a unique
interface name, security level and IP address. Note that both member interfaces must be of the same type
(e.g., GigabitEthernet), and cannot have a name, security level, or IP address assigned. In fact, do not
configure any options other than Duplex and Speed on the member interfaces.
The redundant interface uses the MAC address of the first physical interface that you specify. If you
change the order of the member interfaces in the configuration, then the MAC address changes to match
the MAC address of the interface that is now listed first. Alternatively, you can explicitly assign a MAC
address to the redundant interface; this address is then used regardless of the member interface MAC
addresses. In either case, when the active interface fails over to the standby, the same MAC address is
maintained so that traffic is not disrupted.
Note This option is available only on PIX 8.0+ and non-5505 ASA devices.
Defining Redundant Interfaces
Follow these steps to configure two physical interfaces as a single logical “redundant interface” in the
Add/Edit Interface (ASA/PIX 7.0+) dialog box, which is accessed from the device Interfaces page (see
Managing Device Interfaces, Hardware Ports, and Bridge Groups, page 45-14).
1. Choose Redundant as the interface Type in the Add/Edit Interface dialog box.
The Redundant ID, Primary Interface and Secondary Interface options appear.
2. Provide an identifier for this redundant interface in the Redundant ID field; valid IDs are the
integers from 1 to 8.
3. Primary Interface – Choose the primary member of the redundant interface pair from this list of
available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces
cannot be used for a redundant interface pair.
4. Secondary Interface – Choose the secondary member of the redundant interface pair from this list
of available interfaces. Available interfaces are presented by Hardware Port IDs, as named interfaces
cannot be used for a redundant interface pair.
Note Member interfaces must be enabled and of the same type (e.g., GigabitEthernet), and cannot
have a Name, IP Address, or Security Level assigned. In fact, do not configure any options
other than Duplex and Speed on the member interfaces.
5. Continue configuring this interface, as described in Add/Edit Interface Dialog Box (PIX
7.0+/ASA/FWSM), page 45-19.
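The constraints stated above (redundant ID in the range 1 to 8, at most eight pairs, two members of the same type, members enabled and carrying nothing but Duplex and Speed, and the MAC address taken from the first listed member) can be checked against the device-side configuration after Security Manager deploys it. The script below is an added example, not Cisco's or Security Manager's code; it assumes the ASA running-config form `interface RedundantN` with `member-interface` sub-commands, and the configuration text it parses is constructed for illustration.

```python
"""Validate redundant-interface definitions in an ASA-style running-config
against the rules given for redundant interfaces (added example; the config
below is constructed, not taken from a real device)."""
import re

# Only these member-interface options are expected (Duplex and Speed).
ALLOWED_MEMBER_CMDS = ("speed", "duplex")

SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 speed 1000
 duplex full
!
interface GigabitEthernet0/1
 speed 1000
 duplex full
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.0.2.1 255.255.255.0
!
interface Management0/0
 shutdown
!
interface Redundant1
 member-interface GigabitEthernet0/0
 member-interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0
!
interface Redundant9
 member-interface GigabitEthernet0/2
 member-interface Management0/0
!
"""


def parse_interfaces(config_text):
    """Return {interface_name: [sub-command, ...]} from the running-config text."""
    interfaces = {}
    current = None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif current is not None and line.startswith(" "):
            interfaces[current].append(line.strip())
        else:
            current = None  # "!" or any other top-level line closes the block
    return interfaces


def interface_type(name):
    """'GigabitEthernet0/0' -> 'GigabitEthernet'; used to compare member types."""
    return re.match(r"[A-Za-z]+", name).group(0)


def mac_address_source(config_text):
    """Map each redundant interface to the member whose MAC address it inherits:
    the first member-interface listed (unless a MAC is assigned explicitly)."""
    result = {}
    for name, cmds in parse_interfaces(config_text).items():
        if name.lower().startswith("redundant"):
            members = [c.split()[1] for c in cmds if c.startswith("member-interface ")]
            result[name] = members[0] if members else None
    return result


def check_redundant_interfaces(config_text):
    """Return a list of findings; an empty list means every rule holds."""
    interfaces = parse_interfaces(config_text)
    findings = []
    redundant = {n: c for n, c in interfaces.items() if n.lower().startswith("redundant")}
    if len(redundant) > 8:
        findings.append(f"{len(redundant)} redundant interfaces defined; the limit is 8")
    for name, cmds in redundant.items():
        rid = int(re.search(r"\d+", name).group(0))
        if not 1 <= rid <= 8:
            findings.append(f"{name}: redundant ID {rid} is outside 1-8")
        members = [c.split()[1] for c in cmds if c.startswith("member-interface ")]
        if len(members) != 2:
            findings.append(f"{name}: expected 2 member interfaces, found {len(members)}")
        types = {interface_type(m) for m in members}
        if len(types) > 1:
            findings.append(f"{name}: members are of different types {sorted(types)}")
        for m in members:
            mcmds = interfaces.get(m)
            if mcmds is None:
                findings.append(f"{name}: member {m} is not defined on the device")
                continue
            for c in mcmds:
                word = c.split()[0]
                if word == "shutdown":
                    findings.append(f"{name}: member {m} is not enabled (shutdown)")
                elif word in ("nameif", "security-level", "ip"):
                    findings.append(f"{name}: member {m} has '{c}', not allowed on a member")
                elif word not in ALLOWED_MEMBER_CMDS:
                    findings.append(f"{name}: member {m} has unexpected option '{c}'")
    return findings


if __name__ == "__main__":
    for finding in check_redundant_interfaces(SAMPLE_CONFIG):
        print(finding)
    print(mac_address_source(SAMPLE_CONFIG))
```

In the constructed config, Redundant1 passes every check, while Redundant9 is flagged for its out-of-range ID, mixed member types, a member that still carries a name, security level and IP address, and a member that is shut down. The same parser can be pointed at a saved running-config to confirm that a deployment produced the pairs you defined in the dialog box.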
Configuring EtherChannels
Beginning with ASA 8.4.1, you can define logical EtherChannel interfaces. An EtherChannel, also
called a port-channel interface, is a logical interface consisting of a bundle of individual Ethernet links
(a channel group). This provides increased bandwidth and fault tolerance compared to the individual
links.