Etherchannel (Port Channel) on Cisco ASA

March 5, 2013 — 9 Comments

Generally a Cisco ASA has one Management interface and four Gigabit interfaces, but in modern, scalable infrastructures you will need more than four. The classic way around this limitation is to configure VLANs and trunk them to one interface as 802.1Q sub-interfaces. Since ASA version 8.4(1) you can also use EtherChannel to solve this problem.

The benefit of EtherChannel (Port Channel) is that you get redundancy and load balancing at the same time: all four ASA interfaces are bundled into one Layer 2 link, you assign all VLANs directly to the Port Channel as sub-interfaces, and they apply to every member interface of the ASA.

The ASA distributes the traffic across all member interfaces, which means you have working load balancing; furthermore, if you lose one or two interfaces the whole traffic is redistributed over the interfaces that are still available (as long as at least the configured minimum number of member links is up).
If you run the Port Channel on the ASA you can still create up to 200 VLANs (the limit of the ASA 5540 used here; other models and licenses have different limits).

[Figure: Drawing 2]

The Port Channel configuration is not really tricky, but it is a little complex, and it is best to keep a history of what you changed so that you do not lose the overview of what you configured and why.
Here you can see the Port Channel configuration on an ASA 5540 and a Catalyst 2960.
OK, first of all you have to configure the Port Channel on the Catalyst; it is very simple, something like this:

!
interface Port-channel1
switchport mode trunk
!

Then I apply the Port Channel configuration to the four Catalyst interfaces that are connected to the ASA (in this case GigabitEthernet1/12 to GigabitEthernet1/15). Use channel-group mode active (LACP) rather than mode on: with mode on the switch bundles the ports statically without any negotiation, so a member that is patched to the wrong port, or whose far end is not bundled, silently loses its share of the traffic, whereas LACP only bundles ports that have a live LACP partner. This is also what the show port-channel output further down reports (Protocol LACP/active). Since a trunk carries every VLAN by default, also restrict the Port-channel trunk to the VLANs the ASA actually terminates with switchport trunk allowed vlan, so the firewall never sees VLANs that are not meant for it:

!
interface GigabitEthernet1/12
description UpLink to ASA
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/13
description UpLink to ASA
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/14
description UpLink to ASA
switchport mode trunk
channel-group 1 mode active
!
interface GigabitEthernet1/15
description UpLink to ASA
switchport mode trunk
channel-group 1 mode active
!

OK, we are finished with the Catalyst configuration; now let's go to the ASA.
First we have to create the Port Channel interface. It deliberately gets no nameif, no security level and no IP address: in routed mode the ASA then does not terminate the untagged (native VLAN) frames that arrive over the trunk, and only the tagged VLANs you define as sub-interfaces further down are accepted by the firewall:

!
interface Port-channel1
no nameif
no security-level
no ip address
!

Now we add the four physical interfaces to Port Channel 1. On the ASA 5540 the data ports are GigabitEthernet0/0 to GigabitEthernet0/3 (the show port-channel summary output further down lists them as Gi0/0 to Gi0/3), and as on the switch we use mode active so that the ASA negotiates the bundle with LACP:

!
interface GigabitEthernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
channel-group 1 mode active
no nameif
no security-level
no ip address
!

The next step is very important: for each VLAN you have to create a Port Channel sub-interface in which you define the VLAN ID, the IP address and the security level. I will show you one inside and one OUTSIDE sub-interface here:

!
interface Port-channel1.10
vlan 10
nameif inside
security-level 100
ip address 192.168.XX.XXX 255.255.255.0
!

and

!
interface Port-channel1.1000
vlan 1000
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!
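As an added example that is not part of the original post, here is a small Python check for the procedure above that you can run against the two configurations before cutting over. It parses constructed sample configurations modelled on the snippets above (not the author's real configuration; the interface names, the dmz VLAN 20 and the switchport trunk allowed vlan line are assumptions) and reports what typically keeps such a bundle from coming up or a VLAN from passing: a channel-group mode on one end that never negotiates with the other (mode on only bundles with mode on, LACP needs at least one active end), mixed modes within one side, a different number of members, an ASA sub-interface VLAN that the trunk does not allow, and a nameif on the Port-channel interface itself, which would make the ASA terminate untagged native-VLAN traffic. In the sample, Gi1/13 is left in mode on and VLAN 20 is kept off the trunk on purpose so that the check has something to report.

```python
import re

# Constructed sample configurations modelled on the post (not the author's own config).
# Gi1/13 is left in 'mode on' and VLAN 20 is kept off the trunk on purpose.
CATALYST_CONFIG = """\
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,1000
!
interface GigabitEthernet1/12
 channel-group 1 mode active
!
interface GigabitEthernet1/13
 channel-group 1 mode on
!
interface GigabitEthernet1/14
 channel-group 1 mode active
!
"""
ASA_CONFIG = """\
interface Port-channel1
 no nameif
!
interface GigabitEthernet0/0
 channel-group 1 mode active
!
interface GigabitEthernet0/1
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 channel-group 1 mode active
!
interface Port-channel1.10
 vlan 10
 nameif inside
!
interface Port-channel1.1000
 vlan 1000
 nameif OUTSIDE
!
interface Port-channel1.20
 vlan 20
 nameif dmz
!
"""
STANZA_RE = re.compile(r"^interface (\S+)\n((?:[ \t].*\n?)*)", re.M)
CG_RE = re.compile(r"channel-group (\d+) mode (\S+)")

def parse_stanzas(config):
    """Map each 'interface X' to the list of its indented sub-commands."""
    return {m.group(1): [l.strip() for l in m.group(2).splitlines() if l.strip()]
            for m in STANZA_RE.finditer(config)}

def channel_members(stanzas, group):
    """Physical interfaces in channel-group <group>, mapped to their mode."""
    return {name: m.group(2) for name, lines in stanzas.items()
            for l in lines for m in [CG_RE.match(l)] if m and int(m.group(1)) == group}

def asa_vlans(stanzas, group):
    """VLAN id -> nameif for every sub-interface of Port-channel<group> on the ASA."""
    subs = [l for n, l in stanzas.items() if n.startswith(f"Port-channel{group}.")]
    return {int(next(x.split()[1] for x in l if x.startswith("vlan "))):
            next((x.split()[1] for x in l if x.startswith("nameif ")), None) for l in subs}

def allowed_vlans(lines):
    """Expand 'switchport trunk allowed vlan 10,20-22' to a set; None = every VLAN allowed."""
    for l in lines:
        m = re.match(r"switchport trunk allowed vlan (\S+)", l)
        if m:
            ranges = (p.partition("-") for p in m.group(1).split(","))
            return {v for lo, _, hi in ranges for v in range(int(lo), int(hi or lo) + 1)}
    return None

def lacp_compatible(sw_mode, asa_mode):
    """True if the two channel-group modes can form a bundle at all."""
    if "on" in (sw_mode, asa_mode):
        return sw_mode == asa_mode          # static bundle: 'on' is needed on both ends
    return "active" in (sw_mode, asa_mode)  # LACP: at least one end must actively negotiate

def check_bundle(catalyst_cfg, asa_cfg, group=1):
    """Return a list of findings; an empty list means both ends agree."""
    sw, asa = parse_stanzas(catalyst_cfg), parse_stanzas(asa_cfg)
    sw_m, asa_m = channel_members(sw, group), channel_members(asa, group)
    po, findings = f"Port-channel{group}", []
    if len(sw_m) != len(asa_m):
        findings.append(f"member count differs: switch {len(sw_m)}, ASA {len(asa_m)}")
    for side, members in (("switch", sw_m), ("ASA", asa_m)):
        if len(set(members.values())) > 1:
            findings.append(f"{side} mixes channel-group modes: {members}")
    for sm in sorted(set(sw_m.values())):
        for am in sorted(set(asa_m.values())):
            if not lacp_compatible(sm, am):
                findings.append(f"switch mode '{sm}' never bundles with ASA mode '{am}'")
    if any(l.startswith("nameif") for l in asa.get(po, [])):
        findings.append(f"{po} has a nameif: untagged native-VLAN frames would be terminated")
    allowed = allowed_vlans(sw.get(po, []))
    for vlan, nameif in sorted(asa_vlans(asa, group).items()):
        if allowed is not None and vlan not in allowed:
            findings.append(f"VLAN {vlan} ({nameif}) is on the ASA but not allowed on the trunk")
    return findings
```

Calling check_bundle(CATALYST_CONFIG, ASA_CONFIG) returns three findings for the sample (mixed modes on the switch, mode on against mode active, and VLAN 20 missing from the trunk); with Gi1/13 switched to mode active and VLAN 20 added to the allowed list it returns an empty list. The allowed-VLAN parser handles the plain list form (10,20-22) only; the add and remove variants of the command are not modelled.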

Well, that is all!

It is important to have the same VLAN IDs on both sides; when you add a new VLAN, apply the configuration on the Catalyst first (create the VLAN there and allow it on the trunk, otherwise the new ASA sub-interface comes up but passes no traffic). For debugging and checking the Port Channels you can use:

show port-channel summary
show port-channel summary
 
Number of channel-groups in use: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-------------------------------------
1 Po1(U) LACP Gi0/0(P) Gi0/1(P) Gi0/2(P) Gi0/3(P)

The command displays the number of channel groups, the state of each Port Channel (U = in use) and which interfaces are members of it, each with its own flag (P = bundled in the port channel). It also shows the channel-group protocol, LACP (Link Aggregation Control Protocol); keep in mind that the Cisco ASA supports LACP (and the static mode on) only, no PAgP. You get more useful information with:

show port-channel detail

Group: 1
----------
Ports: 4 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 2
Maximum Bundle: 8
Load balance: src-dst-ip
Ports in the group:
-------------------

Ports: 4, Maxports = 16: we use four interfaces (Ports 4); up to 16 physical interfaces can be assigned to one channel group. Port-channels: 1, Max Port-channels = 48: you can configure 48 different Port Channel groups. Minimum Links: 2: the minimum number of member links that must be active for the Port Channel to stay up (set with port-channel min-bundle); if fewer links are active the ASA takes the whole Port Channel down, so a high value turns the loss of a few links into a complete outage. Maximum Bundle: 8: at most 8 member interfaces are active at the same time; further members are hot standby. Load balance: src-dst-ip: the ASA picks the member link by hashing the source and destination IP addresses, so all packets between one pair of addresses always use the same link.
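To make the Load balance: src-dst-ip line concrete, here is an added Python model that is not part of the original post. The folding hash inside it is an assumption for illustration, not Cisco's algorithm, and the traffic samples are constructed; what the model preserves is the behaviour you will observe on the real bundle: a hash of the two IP addresses picks the member link, so many hosts spread across the links, while a single address pair (one site-to-site VPN tunnel, or everything behind one NAT address) always lands on one link no matter how much traffic it carries, a single source under a src-ip policy does the same, and after a member fails the remaining links are rehashed.

```python
import ipaddress

# Simplified model of src-dst-ip EtherChannel load balancing. The folding hash below is an
# assumption made for this example (the real hash is platform specific and not documented);
# what it shares with the real thing is the property that matters: the member link is a
# pure function of the address pair, never of the packet count, so one src/dst pair can
# never use more than one link.

def member_for(src, dst, links, policy="src-dst-ip"):
    """Index (0..links-1) of the member link a packet from src to dst is sent on."""
    s, d = int(ipaddress.ip_address(src)), int(ipaddress.ip_address(dst))
    key = {"src-dst-ip": s ^ d, "src-ip": s, "dst-ip": d}[policy]
    key = (key ^ (key >> 8) ^ (key >> 16) ^ (key >> 24)) & 0xFF  # fold to 8 hash bits
    return key % links

def distribution(flows, links, policy="src-dst-ip"):
    """Packets per member link for a list of (src, dst) packets."""
    counts = [0] * links
    for src, dst in flows:
        counts[member_for(src, dst, links, policy)] += 1
    return counts

def links_used(flows, links, policy="src-dst-ip"):
    """How many of the member links carry any of these packets at all."""
    return sum(1 for c in distribution(flows, links, policy) if c)

# Constructed traffic samples (documentation address ranges, not taken from the post).
# 1) many inside hosts talking to one server: the hashes spread over the bundle
INSIDE_TO_SERVER = [(f"192.168.10.{i}", "203.0.113.5") for i in range(256)]
# 2) everything inside one site-to-site tunnel or behind one NAT address: one IP pair
TUNNEL = [("10.0.0.1", "10.0.0.2")] * 1000
# 3) one upstream address sending to many destinations
FROM_ONE_ROUTER = [("198.51.100.1", f"203.0.113.{i}") for i in range(256)]

if __name__ == "__main__":
    print("256 hosts -> server, 4 links :", distribution(INSIDE_TO_SERVER, 4))
    print("1000 tunnel packets, 4 links :", distribution(TUNNEL, 4))
    print("one router, src-ip policy    :", distribution(FROM_ONE_ROUTER, 4, "src-ip"))
    print("same router, src-dst-ip      :", distribution(FROM_ONE_ROUTER, 4))
    print("tunnel after a member fails  :", distribution(TUNNEL, 3))
```

Note that the Catalyst side has its own policy, set globally with port-channel load-balance, and that on a 2960 the default is src-mac: if the only device sending into the switch towards the ASA is one router, every frame carries the same source MAC and the whole return path rides a single link. That is a common reason why one member of the bundle carries all the traffic in one direction while the ASA spreads it in the other.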

For the Catalyst I prefer to use:

sho etherchannel port-channel
Channel-group listing:
----------------------
Group: 1
----------
Port-channels in the group:
---------------------------
Port-channel: Po1 (Primary Aggregator)
------------
Age of the Port-channel = 761d:02h:50m:21s
Logical slot/port = 5/1 Number of ports = 4
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gi1/0/45 Active 0
0 00 Gi1/0/46 Active 0
0 00 Gi1/0/47 Active 0
0 00 Gi1/0/48 Active 0
 
Time since last port bundled: 749d:02h:28m:31s Gi1/0/46

Just as the commands on the ASA, the Catalyst shows you the number of Port Channels, the Port Channel status (Port-channel Ag-Inuse, protocol LACP) and the physical interfaces that belong to the channel group. Note that the port names in this capture, Gi1/0/45 to Gi1/0/48, are not the ones from the sample configuration above; when you check your own bundle, make sure the listed ports are exactly the four you patched to the ASA and that every one of them is Active.
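As an added example, not from the original post, the two show outputs can be parsed into a health check that you can run from a monitoring job instead of reading the tables by eye. The sample outputs below are constructed in the format of the captures above (the port names and the deliberately stand-alone member Gi0/2 are assumptions). The ASA summary flags are what matter: only P means a member actually carries traffic, while I (stand-alone), s (suspended), H (hot-standby), w (waiting) and D (down) all look like a cabled port on the switch but contribute nothing to the bundle. The check also compares the bundled count with the min-bundle value, which is the point at which the ASA takes the whole Port Channel down.

```python
import re

# Constructed sample output in the format of the post's `show port-channel summary` (ASA)
# and of the member table of `show etherchannel port-channel` (Catalyst). One ASA member,
# Gi0/2, is deliberately shown with flag I (stand-alone, not bundled).
ASA_SUMMARY = """\
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-------------------------------------
1      Po1(U)        LACP        Gi0/0(P)   Gi0/1(P)   Gi0/2(I)   Gi0/3(P)
"""
SWITCH_MEMBERS = """\
Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Gi1/12   Active             0
  0     00     Gi1/13   Active             0
  0     00     Gi1/14   Active             0
  0     00     Gi1/15   Active             0
"""
# Member flags as printed in the summary: only P means the port forwards traffic.
FLAGS = {"P": "bundled", "I": "stand-alone", "s": "suspended", "H": "hot-standby",
         "w": "waiting", "D": "down"}

def parse_summary(text):
    """{group: {'state': 'U'|'D', 'protocol': str, 'members': {port: flag}}}"""
    groups = {}
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s+Po\d+\((\w)\)\s+(\S+)\s+(.*)", line)
        if m:
            groups[int(m.group(1))] = {"state": m.group(2), "protocol": m.group(3),
                                       "members": dict(re.findall(r"(\S+?)\((\w+)\)", m.group(4)))}
    return groups

def parse_members(text):
    """{port: EC state} from the member table of `show etherchannel port-channel`."""
    return {m.group(1): m.group(2) for m in
            (re.match(r"\s*\d+\s+\S+\s+(\S+)\s+(\S+)", l) for l in text.splitlines()) if m}

def audit(summary, members, group=1, expected=4, min_links=2):
    """Cross-check both ends; returns a list of problems, empty when the bundle is healthy."""
    g = parse_summary(summary).get(group)
    if g is None:
        return [f"channel-group {group} does not exist on the ASA"]
    problems = []
    if g["state"] != "U":
        problems.append(f"Po{group} is not in use (state {g['state']})")
    if g["protocol"] != "LACP":
        problems.append(f"Po{group} runs {g['protocol']} instead of LACP: a static bundle "
                        "cannot notice a member whose far end is not bundled")
    bundled = [p for p, f in g["members"].items() if f == "P"]
    for port, flag in sorted(g["members"].items()):
        if flag != "P":
            problems.append(f"ASA member {port} is {FLAGS.get(flag, flag)} (flag {flag})")
    if len(bundled) < min_links:
        problems.append(f"only {len(bundled)} links bundled, below min-bundle {min_links}: Po{group} goes down")
    elif len(bundled) < expected:
        problems.append(f"{expected - len(bundled)} of {expected} links missing: reduced bandwidth and redundancy")
    sw = parse_members(members)
    for port, state in sorted(sw.items()):
        if state != "Active":
            problems.append(f"switch member {port} is {state}")
    if len(sw) != len(g["members"]):
        problems.append(f"member count differs: ASA {len(g['members'])}, switch {len(sw)}")
    return problems

if __name__ == "__main__":
    for problem in audit(ASA_SUMMARY, SWITCH_MEMBERS):
        print("PROBLEM:", problem)
```

For the sample the audit reports the stand-alone member and the reduced link count; with Gi0/2 bundled it returns an empty list. Feed it the real outputs (for example captured over SSH by your monitoring system) and alert on any non-empty result, since a member that drops out of the bundle does not bring an interface down and is otherwise easy to miss.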

Don't worry about the Spanning Tree Protocol (STP) on the Catalyst: STP treats the four EtherChannel member interfaces as one logical link, just like a single port, so no member of the EtherChannel is blocked by STP to prevent a loop. The ASA in routed mode does not take part in STP and does not forward BPDUs between its interfaces, so there is no loop through the firewall. I personally use portfast on the Port Channel, but you have to modify the command for a trunk interface:

spanning-tree portfast trunk

Since portfast skips the listening and learning states, combine it with spanning-tree bpduguard enable on the same interface: should one of the ports ever be re-patched to a switch instead of the ASA, the first BPDU err-disables the port instead of forming a loop that portfast would have let through.

Take Care!

Amir

9 responses to Etherchannel (Port Channel) on Cisco ASA

  1. Nice job on this. It made my life much easier as I was trying to find a very concise example and your post fit the bill.

    Thanks!

  2. This doesn't work; it doesn't load-balance properly. I have this configuration: the ASA is connected via Port-Channel (VLANs, trunks, and Port-Channel sub-interfaces)
    to a 4948 Catalyst switch L2 Port-Channel.
    Only 1 link on the 4948 switch is sending traffic (bidirectional). The other port-channel members
    on the 4848 Catalyst only have traffic in the output direction.
    I am thinking it is because this is an ASA L3 Port-Channel to a Catalyst switch L2 Port-Channel.
    As per Cisco TAC, L3 Port-Channel to L2 Port-Channel won't load-balance properly.
    You either do L2 – L2 Port-Channel or L3 – L3 Port-Channel. Please advise.

  3. Hey Amir….. Do you have this working on a standalone ASA, or an HA Pair ? I’m looking at a multi context Active/Active on a pair of 5585-x. I want to etherchannel the gig interfaces (3 x outside and 3 x inside) and create 2 port-channels (inside/outside) for each context, so ContextA will be port-channel1.1 (inside) and 2.1 (outside), and ContextB will be 1.2 and 2.2. ContextA will be active on ASA-1, and ContextB will be active on ASA-2. Each Port-channel will be configured with an IP address in its context, and a vlan in the system execution space. If ASA-2 fails, both contexts will be active on ASA-1.
    Do you see any problems ?

    • Hi Moore, actually all my configurations are applied in an HA pair situation. I did configure this on an ASA 5540; nevertheless I use an Active/Passive configuration only, and I also do not use multiple context mode on the ASA because we provide a lot of VPN services and some dynamic routing protocols like EIGRP and OSPF etc. I think I understood your scheme, and as far as I can see there is no problem regarding the Port-Channel, but as I already said we do not use multiple security contexts. Good luck!

  4. Hi

    It is a great explanation. I was working on this technology for a couple of hours but it was not working for me. This made my life easier and I also found where I was making a mistake.

    Thanks,

  5. Hi Amir !.. Nice Post.. Thanks for that! I am new to ASA firewall series.

    What is the algorithm the EtherChannel uses? Because in a normal Catalyst switch it uses either a source IP or MAC, or a destination IP or MAC... Like, on returning a packet from the ASA to the Catalyst, which algorithm does it follow to perform the EtherChannel? Please reply with a clear explanation. I am awaiting your timely help...

  6. my question is how is the configuration on the 2960 switch if it will connect to 2 ASAs? (Failover scenario) do you still use 1 port-channel or 2?

    on the firewall, will you also create 1 or 2 port-channels?

    • Hi bluephoenix71,
      Most of the time I configure 2 switches with 2 ASAs; the switches are bound to each other with a separate Port-channel, and every switch is connected to an ASA. This is my default setting: during a failover there is always a switch connected to an ASA through a Port-Channel. In your case, with one switch, you can patch 2 interfaces of each ASA to the switch.
