topic Re: Redundant Interface in General Topics

Redundant Interface

rmfalconer — Thu, 21 Jun 2018 23:00:15 GMT

Is there a good way to make an AE act like an ASA redundant interface? Basically all traffic goes through one interface unless it fails, then goes to the other interface.

I'm looking for the same functionality that the ASA redundant interface provides but don't see a good way to do it.

Thanks.

Re: Redundant Interface

LukeBullimore — Fri, 22 Jun 2018 13:27:22 GMT

Hi @rmfalconer

You could achieve this via a Policy Based Forwarding rule. Configure traffic to go down your main interface, with the PBF rule monitoring the gateway/next hop of that interface then use the option "disable this rule if nexthop/monitor IP is not available". Then have another PBF rule underneath that sends traffic out the redundant interface.

Thanks,

Luke.

Re: Redundant Interface

OtakarKlier — Fri, 22 Jun 2018 17:53:28 GMT

Hello,

An ae interface is just lacp, so its bundled so traffic flows via both unless it down. However PBF rules as @LukeBullimore mentioned should help with this.

Hope that helps.

Re: Redundant Interface

pulukas — Sat, 23 Jun 2018 16:18:08 GMT

The Cisco ASA is implementing the ethernet standard PRP for redundant ethernet connections. This standard is not supported by PAN devices.

Your next best option is to configure AE ports on both the PAN and switch which would be supported properly configured on both sides and would also survive the loss of one physical link.

Both of these are layer 2 redundancy protocols. I would not recommend replacing a layer 2 redundancy with policy based routing.

Re: Redundant Interface

jvalentine — Sat, 23 Jun 2018 19:02:09 GMT

If at all possible, I'd configure the AE with LACP. That's the best option.

There is a way to get functionality similar to the ASA redundant interface, but it's ugly (unique, different, non-traditional, thinking outside the box, etc.)

1.) Instead of an AE configured as Layer-3 (or L3 with sub-interfaces), you would configure 2x Layer-2 interfaces on the firewall (with a vlan.x interface to handle Layer-3 duties).

2.) Configure your switch for spanning-tree (the firewall doesn't participate in the STP process, but it will pass the protocol between the L2 interfaces)

3.) Plug both firewall interfaces into your switch

4.) See switch determine that there would be a network loop if both interfaces would be active. Switch will move one of the interfaces into a "blocking" status.

5.) Disconnect the active firewall interface from the switch

6.) See the switch react accordingly and bring up the "backup interface".

Because the firewall doesn't participate in the STP process, steps #4 and #6 will take ~30 seconds. That's how long the switch will take to complete the STP process.

Re: Redundant Interface

pulukas — Sun, 24 Jun 2018 11:19:09 GMT

Agree that is ugly and non-standard.

Bear in mind that when you leave the company when your replacement sees this they will curse your name forever. Assuming they can even figure out why it works.