Top
Browse > Home / Design, Operation, Security / IP Addressing for HA Links for ASA/FWSM/ACE etc- Poll

IP Addressing for HA Links for ASA/FWSM/ACE Etc- Poll

6 November, 2008 by Greg Ferro            Print Posting

What IP addressing do you use for the sync / failover / HA links between your highly available devices ?
I have been reviewing a collection (more than fifty) firewalls throughout a network. All of these firewalls are in failover or HA mode and have an interface between them for failure detection, state and config replication. But it seems that the choices for the HA IP addressing vary tremendously.

firewall-ha-ip-addr-1.jpg

When I configure a HA link I always use 1.1.1.0/30. The Primary is 1.1.1.1 and the Secondary is 1.1.1.2.

What I didn’t realise is that many other people do the same thing. About 50% of these firewalls uses 1.1.1.0/30, or maybe 1.0.0.0/24 or something similar. The remainder seem to use private addresses and some are using public address.

So here is the question ? What IP addressing do you use when configuring a HA link between firewall / load balancers / devices ?

Sound off in the comments and take the poll.

[polldaddy poll=1078479]

VN:F [1.0.8_357]
Please rate this post :    Why ?
Rating: 7.0/10 (2 votes cast)
Share:
  • Reddit
  • Digg
  • del.icio.us
  • Facebook
  • StumbleUpon
  • TwitThis
  • LinkedIn
  • Technorati
Filed Under: Design, Operation, Security
Tagged: ,

Comments

3 Responses to “IP Addressing for HA Links for ASA/FWSM/ACE Etc- Poll”
  1. Colin says:
    6 November 2008 at 20:23

    I’m a big fan of using /30’s out of the 169.254.0.0/16 link local allocation.

    It’s the “zeroconf” range and should never be routed or permitted through firewalls, I normally route to null0 or have a generic denial/drop within input firewall rules. And it will never conflict with normal RFC1918 private addressing that might also be in use.

    ie. on ASA/PIX with stateful failover,

    failover interface ip failover 169.254.255.249 255.255.255.252 standby 172.31.255.250
    failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 172.31.255.254

    Reply
  2. Colin says:
    6 November 2008 at 20:26

    And on occasion when I cut’n'paste from the template I already open I’m retarded and forget to change everything :-/

    failover interface ip failover 169.254.255.249 255.255.255.252 standby 169.254.255.250
    failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 169.254.255.254

    Reply
  3. Greg Ferro says:
    6 November 2008 at 20:45

    this is a great suggestion - the only downside might be that you could theoretically use this range on the inside interface - but then 1.1.1.1 might become legal one day as well. I like it.

    Reply

Speak Your Mind

Tell us what you're thinking...

Bottom