12-4
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 12 Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration
For 8.4(1) and later, the management interface is not part of a normal bridge group. Note that for
operational purposes, it is part of a non-configurable bridge group.
Note In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface to
the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst
switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the
management interface from the physically-connected switch, then the ASA updates the MAC address
table to use the management interface to access the switch, instead of the data interface. This action
causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets
from the switch to the data interface for at least 30 seconds for security reasons.
No Support for Redundant Management Interfaces
Redundant interfaces do not support Management slot/port interfaces as members. You also cannot set
a redundant interface comprised of non-Management interfaces as management-only.
Management 0/0 Interface on the ASA 5512-X through ASA 5555-X
The Management 0/0 interface on the ASA 5512-X through ASA 5555-X has the following
characteristics:
• No through traffic support
• No subinterface support
• No priority queue support
• No multicast MAC support
• The IPS SSP software module shares the Management 0/0 interface. Separate MAC addresses and
IP addresses are supported for the ASA and IPS module. You must perform configuration of the IPS
IP address within the IPS operating system. However, physical characteristics (such as enabling the
interface) are configured on the ASA.
Redundant Interfaces
A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface.
When the active interface fails, the standby interface becomes active and starts passing traffic. You can
configure a redundant interface to increase the ASA reliability. This feature is separate from device-level
failover, but you can configure redundant interfaces as well as device-level failover if desired.
Redundant Interface MAC Address
The redundant interface uses the MAC address of the first physical interface that you add. If you change
the order of the member interfaces in the configuration, then the MAC address changes to match the
MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the
redundant interface, which is used regardless of the member interface MAC addresses (see the
“Configuring the MAC Address and MTU” section on page 14-12 or the “Configuring Multiple
Contexts” section on page 11-14). When the active interface fails over to the standby, the same MAC
address is maintained so that traffic is not disrupted.