🎯Cisco ASA的接口冗余是将两个物理接口组合成一个虚拟接口，以应对物理链路故障。在虚拟接口上配置所有Layer 3参数，同一时间组内只有一个接口处于活动状态，若当前活动接口失效，ASA会自动切换到组内下一个可用接口，所有流量将通过该接口传输。

💻创建冗余接口的具体操作，如将Ethernet0/0和Ethernet0/2两个物理接口分配到Redundant1虚拟接口中，并可在此基础上进行更多配置，如创建VLAN等。

🔍进行了一系列的验证操作，如查看接口状态、进行故障切换并验证切换结果等。还提到了一些关于接口冗余的理论知识，如可定义最多8个冗余接口、同一组内接口应类型相同等。

In Cisco ASA they called it interface redundancy. The idea is to provide for the physical link failure. That is – you combine two physical interfaces on the ASA into a virtual one, then you configure all the Layer 3 parameters on this virtual interface. At the same time only ONE of the interfaces in a group is active (that is - no load sharing), if it fails ASA transparently switches to the next available interface in a group and all the traffic passes through it. By default the first added to the group interface becomes active and all the rest become passive. At the end of the article there is some dry theory and facts, but now let’s plunge into code.
Warning ! The moment you assign some physical interface to be a member of the redundant virtual interface ALL the existing configs on such interface are wiped out.Create redundant interface (group) and assign 2 physical interfaces to it :

Santa#conf t
Santa(config)# interface Redundant1
Santa(config-if)# member-interface Ethernet0/0
Santa(config-if)# member-interface Ethernet0/2
Santa(config-if)#no nameif
Santa(config-if)#no security-level
Santa(config-if)#no ip address

Now basically we can start configuring nameif , IP address and security level for this Redundant1 interface but let’s be more creative and create some VLANs on it.

So far :

Santa#show run int

interface Redundant1member-interface Ethernet0/0member-interface Ethernet0/2no nameifno security-levelno ip address

Santa(config)# interface Redundant1.120
Santa(config-subif)# vlan 120
Santa(config-subif)# nameif dmz
Santa(config-subif)# security-level 50
Santa(config-subif)# ip address 10.0.0.12 255.255.255.0

To remind you,the state of the physical interfaces comprising the Redundant 1 is :

interface Ethernet0/2no nameifno security-levelno ip addressinterface Ethernet0/0no nameifno security-levelno ip addressinterface Redundant1member-interface Ethernet0/0member-interface Ethernet0/2no nameifno security-levelno ip address

Santa(config)# interface Redundant1.100
Santa(config-subif)# vlan 100
Santa(config-subif)# nameif outside
Santa(config-subif)# security-level 0
Santa(config-subif)# ip address 139.61.77.12 255.255.255.0

Now some verification is due (pay attention to the bottom of the output where you can see which interface is currently active and how many state changes have happened so far) :

Santa# sh int redundant 1 detail

Interface Redundant1 "", is up, line protocol is upHardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usecAuto-Duplex(Full-duplex), Auto-Speed(100 Mbps)Available but not configured via nameifMAC address 001b.d589.9892, MTU not setIP address unassigned1870 packets input, 150617 bytes, 0 no bufferReceived 1329 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort766 L2 decode drops264 packets output, 24326 bytes, 0 underruns0 output errors, 0 collisions, 0 interface resets0 babbles, 0 late collisions, 0 deferred0 lost carrier, 0 no carrierinput queue (curr/max packets): hardware (9/18) software (0/0)output queue (curr/max packets): hardware (0/2) software (0/0)Control Point Interface States:Interface number is 10Interface config status is activeInterface state is activeRedundancy Information:Member Ethernet0/0(Active), Ethernet0/2Last switchover at 07:25:35 UTC August 19 2010

And what about some debug ? Of course:

Santa(config)# debug redundant-interface ?

exec mode commands/options:
error errors
event events

Now let’s initiate shut on physical interface Ethernet0/2 that is now active:

redundant interface Redundant1 switchover, active idx 1, stby idx 0redundant interface Redundant1 switching active from Ethernet0/2 to Ethernet0/0.Send gratuitous ARP on Redundant1.100.Send gratuitous ARP on Redundant1.120.redundant interface Redundant1 switch active to Ethernet0/0 done.

Switch has happened, now verify it:

Santa(config-if)# sh int redundant 1 det

Interface Redundant1 "", is up, line protocol is upHardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usecAuto-Duplex(Full-duplex), Auto-Speed(100 Mbps)Available but not configured via nameifMAC address 001b.d589.9892, MTU not setIP address unassigned2284 packets input, 187559 bytes, 0 no bufferReceived 1544 broadcasts, 0 runts, 0 giants0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort797 L2 decode drops296 packets output, 27430 bytes, 0 underruns0 output errors, 0 collisions, 1 interface resets0 babbles, 0 late collisions, 0 deferred0 lost carrier, 0 no carrierinput queue (curr/max packets): hardware (8/18) software (0/0)output queue (curr/max packets): hardware (0/5) software (0/0)Control Point Interface States:Interface number is 10Interface config status is activeInterface state is activeRedundancy Information:Member Ethernet0/0(Active), Ethernet0/2Last switchover at 07:57:11 UTC August 19 2010

Having done a bit practice the dry theory comes next.

You can define up to 8 Redundant interfaces (if you have ASA 5580 why not?);All the interfaces in the same group should be of the same type (Ethernet with Fiber won’t go well) ;Only one interface is passing production traffic at any given moment;Redundant interface gets by default MAC address of the first added to it interface, configurable;<When fail over happens to the second interface, it takes over MAC address of its previously active neighbour to prevent loss of traffic. If MAC is configured especially and manually it remains the same;You can force some interface to become Active using the command: Santa# redundant-interface redundant active-member Redundant interfaces are compatible with fail over feature.

For even more information , see:
ASA 8.3 interface configuration

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.