A logical redundant interface is a pair of one active and one standby physical interface. When the active interface fails, the standby interface becomes active.
The firewall removes all existing interface settings from a physical interface when it is added to a redundant group.
The logical redundant interface takes the MAC address of the first interface added to the group, because that member also becomes the active interface. The MAC address does not change when a member interface fails, but it does change if you swap the order in which the physical interfaces are added to the pair; optionally, a virtual MAC (vMAC) can be configured for the redundant interface. With redundant interfaces, the nameif, security-level, and IP address are configured on the logical interface, not on the members. This feature is not preemptive.
EtherChannel: the ASA supports both active and passive LACP modes. In active mode the ASA initiates the LACP negotiation; in passive mode it waits to receive LACP negotiation from the peer.
The logical port-channel interface takes the MAC address of the lowest-numbered member interface in the group; optionally, a vMAC can be configured for the EtherChannel interface.
interface Ethernet0/0
no nameif
no security-level
no ip address
interface Ethernet0/2
no nameif
no security-level
no ip address
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
nameif OUTSIDE
security-level 0
ip address 136.1.34.17 255.255.255.0
interface Ethernet0/1
channel-group 1 mode passive
no nameif
no security-level
no ip address
interface Ethernet0/3
channel-group 1 mode passive
no nameif
no security-level
no ip address
interface Port-channel1
lacp max-bundle 2
port-channel load-balance src-dst-ip-port
nameif INSIDE
security-level 100
ip address 136.1.93.17 255.255.255.0
ASA03-5510# sh nameif
Interface Name Security
Port-channel1 INSIDE 100
Redundant1 OUTSIDE 0
ASA03-5510#
ASA03-5510# sh ip address
System IP Addresses:
Interface Name IP address Subnet mask Method
Port-channel1 INSIDE 136.1.93.17 255.255.255.0 manual
Redundant1 OUTSIDE 136.1.34.17 255.255.255.0 manual
ASA03-5510# sh interface redundant 1 | b Redundancy
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 17:21:44 UTC Jul 14 2014
ASA03-5510# sh port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(U) LACP Et0/1(P) Et0/3(P)
ASA03-5510# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip-port
EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address and TCP/UDP (layer-4) port number
IPv6: Source XOR Destination IP address and TCP/UDP (layer-4) port number
ASA03-5510# sh port-channel 1 brief
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ passive
Minimum Links: 1
Maximum Bundle: 2
Load balance: src-dst-ip-port
- Check the ip arp entries on the neighbouring router and switch to confirm that the MAC address of the first ASA interface added to each group shows up there:
RTR3#sh ip arp 136.1.34.17
Protocol Address Age (min) Hardware Addr Type Interface
Internet 136.1.34.17 0 001e.1359.4850 ARPA FastEthernet0/0
ASA03-5510# sh int et0/0 | in MAC
MAC address 001e.1359.4850, MTU not set
CCIE-SW1#sh ip arp 136.1.93.17
Protocol Address Age (min) Hardware Addr Type Interface
Internet 136.1.93.17 0 001e.1359.4851 ARPA Vlan93
ASA03-5510# sh int et0/1 | in MAC
MAC address 001e.1359.4851, MTU 1500
ASA03-5510#
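As an added example (not part of the original post or of Cisco's tooling), the following Python parses the two verification outputs shown above, `show interface redundant 1 | begin Redundancy` and `show port-channel summary`, and returns alerts when the redundancy is degraded: the redundant pair's active member is not the one added first, no standby member is left, or a port-channel member carries a flag other than P (bundled). The sample output strings are constructed in the shape of the output above, and the expected member names and bundle size are assumptions passed in by the caller.

```python
import re
# Constructed samples in the shape of the ASA "show" output above, not captured from a device.
REDUNDANT_OK = """Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2
Last switchover at 17:21:44 UTC Jul 14 2014"""
PORTCHANNEL_OK = """Number of channel-groups in use: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------
1 Po1(U) LACP Et0/1(P) Et0/3(P)"""
# Same group after one member dropped out of the bundle (flag s = suspended).
PORTCHANNEL_DEGRADED = PORTCHANNEL_OK.replace("Et0/3(P)", "Et0/3(s)")


def parse_redundant(text):
    """'show interface redundant N | begin Redundancy' -> (active, [standby...], last_switchover)."""
    members = [m.strip() for m in re.search(r"Member\s+(.+)", text).group(1).split(",")]
    active = [m.replace("(Active)", "") for m in members if "(Active)" in m][0]
    standby = [m for m in members if "(Active)" not in m]
    sw = re.search(r"Last switchover at (.+)", text)
    return active, standby, sw.group(1).strip() if sw else None


def parse_port_channel(text):
    """'show port-channel summary' group lines -> {id: {name, state, protocol, ports: {port: flag}}}."""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+(Po\d+)\((\w+)\)\s+(\w+)\s+(.*)", line)
        if m:  # header, legend and separator lines do not match
            groups[int(m.group(1))] = {"name": m.group(2), "state": m.group(3), "protocol": m.group(4),
                                       "ports": dict(re.findall(r"(\S+?)\((\w)\)", m.group(5)))}
    return groups


def redundancy_alerts(redundant_text, portchannel_text, expected_active, expected_bundled):
    """Return alert strings; an empty list means both logical interfaces are healthy.
    expected_active is the member added first; any other active member means a switchover happened."""
    alerts = []
    active, standby, _ = parse_redundant(redundant_text)
    if active != expected_active:
        alerts.append(f"Redundant1: active member is {active}, expected {expected_active}")
    if not standby:
        alerts.append("Redundant1: no standby member left")
    for gid, g in parse_port_channel(portchannel_text).items():
        if "U" not in g["state"]:
            alerts.append(f"Po{gid}: not in use (flag {g['state']})")
        not_bundled = [p for p, f in g["ports"].items() if f != "P"]
        if not_bundled or len(g["ports"]) < expected_bundled:
            alerts.append(f"Po{gid}: members not bundled: {not_bundled or 'member missing'}")
    return alerts
```

Feed the script the output of the two show commands from a scheduled collection job and raise a ticket on any non-empty list; a change in the "Last switchover at" timestamp between runs is a second, cheaper failover indicator.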
~~~~~ Switch configurations to support these features.
Redundant interface configs:
#interface FastEthernet0/9
switchport access vlan 34
switchport mode access
spanning-tree portfast
#interface FastEthernet0/15
switchport access vlan 34
switchport mode access
spanning-tree portfast
EtherChannel config:
#interface Port-channel1
switchport access vlan 93
switchport mode access
#interface FastEthernet0/19
switchport access vlan 93
switchport mode access
channel-group 1 mode active
#interface FastEthernet0/23
switchport access vlan 93
switchport mode access
channel-group 1 mode active
Hello there,
So the redundant interface and the port channel are the two ways we can achieve redundancy.
Could you please elaborate more on which one is better and why? And what timeout might occur in each case if one of the links fails?
Cheers!
Hi Sanket
A redundant interface provides "redundancy"; it keeps the firewall running if one interface fails, e.g. a hardware failure on the interface, link down, etc.
Port channels are the same as in switching. They provide load balancing between interfaces and keep the firewall running if one interface fails.
Better way? It all depends on what you would like to achieve. In terms of redundancy, I would prefer going with a redundant interface, but you are actually using only one interface; the other interface is idle. Something like a firewall in active/passive mode.
Port channel: a good approach if you have a higher traffic load you need to take care of, but in case of failure the amount of traffic going through will be reduced to one interface only.
In both situations you have to act and fix the issue.
HTH.
I've recently come across an ASA 5525-X HA pair which is using 2 interfaces into separate switches and a channel-group with 3 sub-interfaces defined on the port-channel.
I'd assumed this configuration was due to limited NIC port availability in the hypervisor servers preventing individual interfaces being used to separate the network traffic, as 3 networks (VLANs) using individual interfaces in an HA pair would appear to be a better option: it allows the full interface wire speed to be used, provides better segmentation of networks and reduces future re-configuration at the hypervisor level. But I wanted to raise this query in case there are other reasons for such a design (channel-groups etc.).
Good one, amazing stuff
http://www.routexp.com/2018/02/site-to-site-ipsec-tunnel-between-asa.html