06-21-2018 04:00 PM
Is there a good way to make an AE act like an ASA redundant interface? Basically all traffic goes through one interface unless it fails, then goes to the other interface.
I'm looking for the same functionality that the ASA redundant interface provides but don't see a good way to do it.
Thanks.
06-22-2018 06:27 AM
Hi @rmfalconer
You could achieve this via a Policy Based Forwarding rule. Configure traffic to go down your main interface, with the PBF rule monitoring the gateway/next hop of that interface then use the option "disable this rule if nexthop/monitor IP is not available". Then have another PBF rule underneath that sends traffic out the redundant interface.
Thanks,
Luke.
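The two-rule PBF layout described in this reply, written out as PAN-OS CLI set commands. This is an added illustration, not part of the original reply: ethernet1/1, ethernet1/2, the zone name trust, the next-hop addresses 192.0.2.1 and 198.51.100.1, the profile name pbf-mon and the interval/threshold values are assumed placeholders, and the keyword syntax is written from memory and should be checked against the command reference for the PAN-OS version in use.

```text
# Monitor profile: probe the next hop every 3 s, declare it down after 5 misses (assumed values)
set network profiles monitor-profile pbf-mon interval 3 threshold 5 action fail-over

# Rule 1: primary path. Ordered first so it matches while the next hop answers probes.
set rulebase pbf rules PBF-Primary from zone trust
set rulebase pbf rules PBF-Primary source any
set rulebase pbf rules PBF-Primary destination any
set rulebase pbf rules PBF-Primary application any
set rulebase pbf rules PBF-Primary service any
set rulebase pbf rules PBF-Primary action forward egress-interface ethernet1/1
set rulebase pbf rules PBF-Primary action forward nexthop ip-address 192.0.2.1
set rulebase pbf rules PBF-Primary action forward monitor profile pbf-mon
set rulebase pbf rules PBF-Primary action forward monitor ip-address 192.0.2.1
# The key option: when the monitor fails, the rule is disabled instead of still forwarding into a dead path
set rulebase pbf rules PBF-Primary action forward monitor disable-if-unreachable yes

# Rule 2: backup path. Only evaluated once rule 1 has been disabled by its monitor.
set rulebase pbf rules PBF-Backup from zone trust
set rulebase pbf rules PBF-Backup source any
set rulebase pbf rules PBF-Backup destination any
set rulebase pbf rules PBF-Backup application any
set rulebase pbf rules PBF-Backup service any
set rulebase pbf rules PBF-Backup action forward egress-interface ethernet1/2
set rulebase pbf rules PBF-Backup action forward nexthop ip-address 198.51.100.1

# Operational check after commit: shows each PBF rule and whether its monitor has disabled it
show pbf rule all
```

With disable-if-unreachable set, a failed monitor disables the primary rule so the next matching PBF rule (or, if none matches, the ordinary routing table) takes over; as the later replies note, this is a layer-3 workaround rather than a link-level bundle, so the failover time is governed by the monitor interval and threshold, not by link state.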
06-22-2018 10:53 AM
Hello,
An AE interface is just LACP, so it's bundled, so traffic flows via both unless one is down. However, PBF rules as @LukeBullimore mentioned should help with this.
Hope that helps.
06-23-2018 09:18 AM
The Cisco ASA is implementing the Ethernet standard PRP for redundant Ethernet connections. This standard is not supported by PAN devices.
Your next best option is to configure AE ports on both the PAN and switch, which would be supported, properly configured on both sides, and would also survive the loss of one physical link.
Both of these are layer 2 redundancy protocols. I would not recommend replacing a layer 2 redundancy with policy based routing.
06-23-2018 12:02 PM
If at all possible, I'd configure the AE with LACP. That's the best option.
There is a way to get functionality similar to the ASA redundant interface, but it's ugly (unique, different, non-traditional, thinking outside the box, etc.)
1.) Instead of an AE configured as Layer-3 (or L3 with sub-interfaces), you would configure 2x Layer-2 interfaces on the firewall (with a vlan.x interface to handle Layer-3 duties).
2.) Configure your switch for spanning-tree (the firewall doesn't participate in the STP process, but it will pass the protocol between the L2 interfaces).
3.) Plug both firewall interfaces into your switch.
4.) See the switch determine that there would be a network loop if both interfaces were active. The switch will move one of the interfaces into a "blocking" status.
5.) Disconnect the active firewall interface from the switch.
6.) See the switch react accordingly and bring up the "backup interface".
Because the firewall doesn't participate in the STP process, steps #4 and #6 will take ~30 seconds. That's how long the switch will take to complete the STP process.
06-24-2018 04:19 AM
Agree that is ugly and non-standard.
Bear in mind that when you leave the company, and your replacement sees this, they will curse your name forever. Assuming they can even figure out why it works.