IP Addressing for HA Links for ASA/FWSM/ACE Etc– Poll
November 6, 2008 by Greg Ferro · 7 Comments
I have been reviewing a collection (more than fifty) firewalls throughout a network. All of these firewalls are in failover or HA mode and have an interface between them for failure detection, state and config replication. But it seems that the choices for the HA IP addressing vary tremendously.
When I configure a HA link I always use 1.1.1.0/30. The Primary is 1.1.1.1 and the Secondary is 1.1.1.2.
What I didn’t realise is that many other people do the same thing. About 50% of these firewalls uses 1.1.1.0/30, or maybe 1.0.0.0/24 or something similar. The remainder seem to use private addresses and some are using public address.
So here is the question ? What IP addressing do you use when configuring a HA link between firewall / load balancers / devices ?
Sound off in the comments and take the poll.
[polldaddy poll=1078479]
Update 2010-02-06
Since writing this post, the RIPE has allocated the 1.0.0.0/8 to the APNIC for allocation to public Internet hosts. This means that hosts on the public Internet in the range 1.1.1/24 will not be accessible and therefore you should not use this range any longer. You should use 192.0.2.0/24 in the current IP address plan.
Please rate this post:
Why Rate Posts?
(No Ratings Yet)
Loading ...Probably Related Posts on the Same Topic
Reserved IP Address Range for Testing — RFC 2544
I have been looking at a multi host data centre and am using MPLS to securely share certain resources and considering what architecture considerations for Network Management.
Lets define the problem. Network Management is software and servers that collect data from my network equipment and presents it to me in some useful form. Add to this some documentation and process support tools such as a wiki that holds documentation or a service such as helpdesk package.
The servers have to have IP addresses but what addresses to allocate ? If I use something from the RFC1918 addressing then it is possible that a given VRF might need to use that range. I don’t need the hassle of buying and maintaining routable addresses (although for a very large data centre this would be easy enough to do).
So I spent some time researching the RFC’s and found this little gem.
…
Read the full articleIOS:Open Source Lab DNS and IP Addressing
A number of Cisco Bloggers have talked about making labs available for others to use. However, part of what will be needed is some conventions to make these labs work for the largest number of people.
Following Ivan Pepelnjak posting on Private Domain Names, and an earlier posting that I made on Reserved IP Address for Testing I believe we have perfect combination for DNS and IP addresses for building live test environments, that will work for Open Source lab scenarios.
…
Read the full articleBlessay: Designing Enterprise DMZ and Multilayer Firewall Clusters
In modern Enterprise networks, you typically have many clusters of firewalls protecting assets in your network. Since we use two or more layers of firewalls, we can put our DMZ for intermediate security zones in different places in our network. Lets gather together the different options and consider the merits or not, and sometimes how they ‘self-build’.
Read the full articleDesign: Cisco Firewall Services Module Virtualization Design Traps
The Cisco Firewall Service Modules (FWSM) has a design limitation based on its ability to discriminate packet forwarding between multiple contexts. It also applies to ASA/PIX software. Lets review this in detail and learn the evil consequences.
Read the full article
I’m a big fan of using /30’s out of the 169.254.0.0/16 link local allocation.
It’s the “zeroconf” range and should never be routed or permitted through firewalls, I normally route to null0 or have a generic denial/drop within input firewall rules. And it will never conflict with normal RFC1918 private addressing that might also be in use.
ie. on ASA/PIX with stateful failover,
failover interface ip failover 169.254.255.249 255.255.255.252 standby 172.31.255.250
failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 172.31.255.254
And on occasion when I cut’n’paste from the template I already open I’m retarded and forget to change everything :-/
failover interface ip failover 169.254.255.249 255.255.255.252 standby 169.254.255.250
failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 169.254.255.254
this is a great suggestion — the only downside might be that you could theoretically use this range on the inside interface — but then 1.1.1.1 might become legal one day as well. I like it.
reserved range 192.0.2.x/24
Thats a very good suggestion. Deserves another post I think.
I tried to AVOID the use of 1.1.1.0/30 as 1.1.1.1/32 is used on the WLC’s and it generally serves to confuse those who are not so clued up
I take it that WLC is a Wireless LAN Controller ? And they use 1.1.1.1 as some type of special address ?
Also, note that the firewall HA links are only locally significant. The actual IP address used is not relevant to your network.