2 September 2010

IP Addressing for HA Links for ASA/FWSM/ACE etc. - Poll

I have been reviewing a collection of firewalls (more than fifty) throughout a network. All of these firewalls are in failover or HA mode and have an interface between them for failure detection, state and config replication. But the choices for the HA IP addressing vary tremendously.


When I configure a HA link I always use 1.1.1.0/30. The Primary is 1.1.1.1 and the Secondary is 1.1.1.2.

What I didn't realise is that many other people do the same thing. About 50% of these firewalls use 1.1.1.0/30, or maybe 1.0.0.0/24 or something similar. The remainder seem to use private addresses, and some are using public addresses.

So here is the question: what IP addressing do you use when configuring a HA link between firewalls / load balancers / devices?

Sound off in the comments and take the poll.


Update 2010-02-06

Since writing this post, the RIPE has allocated 1.0.0.0/8 to APNIC for allocation to public Internet hosts. This means that if you number an HA link from 1.1.1.0/24, hosts on the public Internet in that range will not be accessible from your network, and therefore you should not use this range any longer. Use 192.0.2.0/24 in your current IP address plan instead.
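As an added example (not part of the original post), here is a small Python check that applies the advice above to ASA "failover interface ip" lines like the ones in the comments: it flags a standby address that falls outside the active address's subnet and an HA subnet carved out of publicly routable space such as 1.1.1.0/30. The list of ranges treated as acceptable (link-local, 192.0.2.0/24 and RFC 1918 space) is my assumption.

```python
import ipaddress
import re

# Ranges assumed acceptable for a locally significant HA link (assumption, not
# from the post): link-local (RFC 3927), TEST-NET-1 (RFC 5737), RFC 1918 space.
HA_OK_RANGES = [ipaddress.ip_network(n) for n in (
    "169.254.0.0/16", "192.0.2.0/24",
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
)]

# ASA syntax: failover interface ip <name> <addr> <mask> standby <addr>
FAILOVER_RE = re.compile(r"^\s*failover interface ip (\S+) (\S+) (\S+) standby (\S+)")

# Constructed sample: the two lines from the comments plus a 1.1.1.0/30 link.
SAMPLE = """
failover interface ip failover 169.254.255.249 255.255.255.252 standby 172.31.255.250
failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 169.254.255.254
failover interface ip failover 1.1.1.1 255.255.255.252 standby 1.1.1.2
"""


def check_failover_line(line):
    """Return findings (strings) for one ASA failover line; empty list means OK."""
    m = FAILOVER_RE.match(line)
    if not m:
        return []
    name, active, mask, standby = m.groups()
    active_if = ipaddress.ip_interface(f"{active}/{mask}")  # dotted mask accepted
    net = active_if.network
    standby_ip = ipaddress.ip_address(standby)
    findings = []
    # The cut'n'paste mistake from the comments: standby left in another subnet.
    if standby_ip not in net:
        findings.append(f"{name}: standby {standby} is not in {net}")
    elif standby_ip == active_if.ip:
        findings.append(f"{name}: standby address equals active address")
    # The post's update: 1.1.1.0/30 is now allocated public space, so a link
    # numbered from it collides with real Internet hosts.
    if not any(net.subnet_of(r) for r in HA_OK_RANGES):
        findings.append(f"{name}: {net} is not reserved/private space")
    return findings


def audit_config(config_text):
    """Run check_failover_line over every line of a config snippet."""
    findings = []
    for line in config_text.splitlines():
        findings.extend(check_failover_line(line))
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE):
        print(finding)
```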


About Greg Ferro
Greg is a Network and Security Architect / Designer / Engineer working freelance in the UK and has worked for resellers, dot-coms, large corporates and service providers across a variety of products and vendors. He prefers to work for end users, believes in the life cycle, total cost of ownership and that near enough is often good enough. He likes talking about himself in the first person to feel "royal", even when hosting the Packet Pushers Podcast on Data Networking. More about Greg at http://etherealmind.com/who-am-i/ and you can follow him on Twitter.

Comments

  1. Colin says:

    I'm a big fan of using /30s out of the 169.254.0.0/16 link local allocation.

    It's the "zeroconf" range and should never be routed or permitted through firewalls; I normally route to null0 or have a generic denial/drop within input firewall rules. And it will never conflict with normal RFC1918 private addressing that might also be in use.

    i.e. on ASA/PIX with stateful failover,

    failover interface ip failover 169.254.255.249 255.255.255.252 standby 172.31.255.250
    failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 172.31.255.254

  2. Colin says:

    And on occasion when I cut'n'paste from the template I already have open I'm retarded and forget to change everything :-/

    failover interface ip failover 169.254.255.249 255.255.255.252 standby 169.254.255.250
    failover interface ip failover-state 169.254.255.253 255.255.255.252 standby 169.254.255.254

  3. Greg Ferro says:

    This is a great suggestion. The only downside might be that you could theoretically use this range on the inside interface, but then 1.1.1.1 might become legal one day as well. I like it.

  4. Charles says:

    reserved range 192.0.2.x/24

  5. SteveP says:

    I tried to AVOID the use of 1.1.1.0/30 as 1.1.1.1/32 is used on the WLCs and it generally serves to confuse those who are not so clued up ;-)

    • Greg Ferro says:

      I take it that WLC is a Wireless LAN Controller? And they use 1.1.1.1 as some type of special address?

      Also, note that the firewall HA links are only locally significant. The actual IP address used is not relevant to your network.
