Configuring NetScreen Firewalls

In addition to providing HA using redundant firewalls, it is also possible to use redundant interfaces. The idea behind a redundant interface is that failing over to a different firewall is disruptive and should be avoided. When the firewalls are cabled so that each one has redundant links to each network segment (as in a full-mesh setup), interface redundancy can be used: instead of failing over all traffic onto a different firewall, traffic is only failed over onto a different interface on the same firewall (see Figure 13.18).
Redundant interfaces are not a part of NSRP, but are commonly used together with NSRP to build full-mesh setups. However, it is possible to create redundant interfaces without enabling NSRP.
If you are using redundant interfaces with NSRP, you can bind VSIs to the redundant interfaces, just as you would with a physical interface. By the same token, you can also keep a redundant interface as a local interface instead of a VSI.
To create a redundant interface, two or more physical interfaces are grouped together. Within a redundant interface group, one interface is considered the primary interface and will be used for sending and receiving traffic unless its link goes down. The secondary interface has its link up at all times, but is not active; traffic sent to it is simply discarded.
Once the redundant interface has...