PrepAway - Latest Free Exam Questions & Answers

Which two statements about Cisco ASA redundant interface configuration are true?

Which two statements about Cisco ASA redundant interface configuration are true? (Choose two.)


A. Each redundant interface can have up to four physical interfaces as its member.

B. When the standby interface becomes active, the Cisco ASA sends gratuitous ARP out on the standby interface.

C. Interface duplex and speed configurations are configured under the redundant interface.

D. Redundant interfaces use MAC address-based load balancing to load share traffic across multiple physical interfaces.

E. Each Cisco ASA supports up to eight redundant interfaces.

Explanation:
Configuring a Redundant Interface

A logical redundant interface pairs an active and a standby physical interface. When the active
interface fails, the standby interface becomes active and starts passing traffic. You can configure a
redundant interface to increase the security appliance's reliability. This feature is separate from
device-level failover, but you can configure redundant interfaces as well as failover if desired. You
can configure up to 8 redundant interface pairs.

In Active/Standby failover, the active device uses the primary unit’s MAC addresses. In the event
of a failover, the secondary Cisco ASA becomes active and takes over the primary unit’s MAC
addresses, while the active device (now standby) takes over the standby unit’s MAC addresses.
Once the standby Cisco ASA becomes active, it sends out a gratuitous ARP on the network. A
gratuitous ARP is an ARP request that the Cisco ASA sends out on the Ethernet networks with
both the source and destination IP addresses set to the active IP addresses. The destination MAC
address is the Ethernet broadcast address, i.e., ffff.ffff.ffff. All devices on the Ethernet segment
process this broadcast frame and update their ARP table with this information. Using gratuitous
ARP, the Layer 2 devices, including bridges and switches, also update the Content Addressable
Memory (CAM) table with the MAC address and the updated switch port information.

Using a virtual MAC address is recommended to avoid network disruptions. When a secondary
Cisco ASA boots up before the primary Cisco ASA, it uses its physical MAC addresses as active
Layer 2 addresses. However, when the primary Cisco ASA boots up, the secondary swaps the MAC
addresses and uses the primary Cisco ASA’s physical MAC addresses as active. With the virtual
MAC address, the Cisco ASAs do not need to swap the MAC addresses.

When stateful failover is enabled, the active unit continually passes per-connection state
information to the standby unit. After a failover occurs, the same connection information is
available at the new active unit. Supported end-user applications are not required to reconnect to
keep the same communication session.

The state information passed to the standby unit includes these:
- The NAT translation table
- The TCP connection states
- The UDP connection states
- The ARP table
- The Layer 2 bridge table (when it runs in the transparent firewall mode)
- The HTTP connection states (if HTTP replication is enabled)
- The ISAKMP and IPSec SA table
- The GTP PDP connection database

The information that is not passed to the standby unit when stateful failover is enabled includes
these:
- The HTTP connection table (unless HTTP replication is enabled)
- The user authentication (uauth) table
- The routing tables
- State information for security service modules

Note: If failover occurs within an active Cisco IP SoftPhone session, the call remains active
because the call session state information is replicated to the standby unit. When the call is
terminated, the IP SoftPhone client loses connection with the Call Manager. This occurs because
there is no session information for the CTIQBE hang-up message on the standby unit. When the
IP SoftPhone client does not receive a response back from the Call Manager within a certain time
period, it considers the Call Manager unreachable and unregisters itself.
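
The gratuitous ARP frame described in the explanation above, and the MAC swap that a virtual MAC address avoids, can be watched for from the network side. The following is an added example, not part of the original page and not Cisco code: it parses raw Ethernet frames, recognizes the broadcast ARP request whose source and destination IP are the same, and reports when an IP address moves to a different MAC. The MAC and IP values are constructed, and untagged Ethernet II framing is assumed.

```python
import socket
import struct

BROADCAST = b"\xff" * 6  # ffff.ffff.ffff

def build_sample_garp(mac: bytes, ip: str) -> bytes:
    """Constructed test frame (never sent): broadcast ARP request, sender IP == target IP."""
    ip_b = socket.inet_aton(ip)
    eth = BROADCAST + mac + struct.pack("!H", 0x0806)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + ip_b + b"\x00" * 6 + ip_b
    return eth + arp

def parse_garp(frame: bytes):
    """Return (ip, mac) if the frame is a gratuitous ARP request, else None.
    Assumption: untagged Ethernet II; 802.1Q-tagged frames are not handled."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x06":
        return None  # too short, or EtherType is not ARP
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen, op) != (1, 0x0800, 6, 4, 1):
        return None  # not an IPv4-over-Ethernet ARP request
    sha, spa, tpa = frame[22:28], frame[28:32], frame[38:42]
    if frame[0:6] != BROADCAST or spa != tpa:
        return None  # ordinary ARP request, not gratuitous
    return socket.inet_ntoa(spa), sha.hex(":")

class ArpWatcher:
    """Tracks IP-to-MAC bindings the way a neighbour's ARP table would."""
    def __init__(self):
        self.table = {}

    def observe(self, frame: bytes):
        parsed = parse_garp(frame)
        if parsed is None:
            return None
        ip, mac = parsed
        previous = self.table.get(ip)
        self.table[ip] = mac
        if previous is None:
            return "learned"
        return "unchanged" if previous == mac else "rebound"

if __name__ == "__main__":
    # Constructed addresses: the secondary boots first on its physical MAC,
    # then the primary boots and the active IP moves to the primary's MAC.
    secondary = bytes.fromhex("02aa00000002")
    primary = bytes.fromhex("02aa00000001")
    watcher = ArpWatcher()
    for mac in (secondary, primary, primary):
        print(watcher.observe(build_sample_garp(mac, "192.0.2.1")), watcher.table)
```

With a virtual MAC address configured, both units would announce the same MAC and the watcher would report "unchanged" instead of "rebound".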