Setup port channel between a pair of Cisco ASA and a switch stack

For better redundancy, we may want to use a port channel to connect a highly available active/passive pair of Cisco ASAs to a switch stack. The important point is to create separate port channels on the switch stack, one for each ASA. On each ASA it is still a single port channel, because the configuration is replicated between the units. If you group all interfaces on the switch stack into a single port channel connecting to both ASAs, the port channel will not be established, because each ASA presents its own LACP system ID. A single port channel is also not desirable because you do not want traffic to be sent to the standby ASA.

The following diagram from this Cisco document explains it all.

Following this diagram, we configure two port channels on the switch stack.

!
interface Port-channel2
switchport mode trunk
!
interface Port-channel3
switchport mode trunk
!

We then apply the port channel configuration to the four switch interfaces which are connected to the ASA pair.

!
interface GigabitEthernet3/2
description to ASA-Primary
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet6/2
description to ASA-Primary
switchport mode trunk
channel-group 2 mode active
!
interface GigabitEthernet3/3
description to ASA-Secondary
switchport mode trunk
channel-group 3 mode active
!
interface GigabitEthernet6/3
description to ASA-Secondary
switchport mode trunk
channel-group 3 mode active
!

Let’s now configure the port channel on the ASA pair.

!
interface Port-channel1
no nameif
no security-level
no ip address
!

We then apply the port channel to the two interfaces on each ASA.

!
interface GigabitEthernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
channel-group 1 mode active
no nameif
no security-level
no ip address
!

The next step is important: for each VLAN we create a subinterface on the port channel and, in each, define the VLAN ID, nameif, security level and IP address. In the example below we create an INSIDE subinterface on VLAN 10 and an OUTSIDE subinterface on VLAN 1000:

!
interface Port-channel1.10
vlan 10
nameif INSIDE
security-level 100
ip address 10.1.1.2 255.255.255.0
!
interface Port-channel1.1000
vlan 1000
nameif OUTSIDE
security-level 0
ip address dhcp setroute
!

It is important to use the same VLAN ID on both sides. When adding a new VLAN, apply the configuration on the switch stack first.
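The two mistakes this procedure is most prone to are a member port placed in the wrong channel-group on the switch stack (the bundle for that ASA then never forms, or forms toward the wrong unit) and a VLAN added on the ASA subinterface before the switch trunk allows it. The script below is an added example, not from the original post or from Cisco: it parses interface stanzas in the IOS/ASA style shown above and reports both conditions. The configs embedded in it are constructed samples; the switch sample deliberately puts GigabitEthernet6/3 into channel-group 1 and the ASA sample adds a DMZ subinterface on VLAN 20 that the trunks do not allow, so each check has something to find. The device names, descriptions and VLAN numbers are assumptions for the example.

```python
"""Consistency checks for the ASA-pair / switch-stack port-channel design.

Added example (not from the original post): parses Cisco-style interface
stanzas and flags (1) one ASA's member ports split across channel-groups, or
one channel-group shared by both ASAs, and (2) an ASA subinterface VLAN that
is not allowed on a switch trunk port-channel. All configs are constructed.
"""
import re
from collections import defaultdict

# Constructed switch-stack config. GigabitEthernet6/3 deliberately carries
# channel-group 1 instead of 3 so the check has something to find.
SWITCH_CONFIG = """
interface Port-channel2
 switchport mode trunk
 switchport trunk allowed vlan 10,1000
!
interface Port-channel3
 switchport mode trunk
 switchport trunk allowed vlan 10,1000
!
interface GigabitEthernet3/2
 description to ASA-Primary
 channel-group 2 mode active
!
interface GigabitEthernet6/2
 description to ASA-Primary
 channel-group 2 mode active
!
interface GigabitEthernet3/3
 description to ASA-Secondary
 channel-group 3 mode active
!
interface GigabitEthernet6/3
 description to ASA-Secondary
 channel-group 1 mode active
!
"""

# Constructed ASA config (replicated to both failover units). VLAN 20 is not
# allowed on the switch trunks above, which the second check should report.
ASA_CONFIG = """
interface Port-channel1.10
 vlan 10
 nameif INSIDE
!
interface Port-channel1.1000
 vlan 1000
 nameif OUTSIDE
!
interface Port-channel1.20
 vlan 20
 nameif DMZ
!
"""


def parse_interfaces(config):
    """Return {interface_name: [stripped config lines]} per 'interface' stanza."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def first_match(lines, pattern):
    """First line in the stanza matching the anchored regex, else None."""
    return next((m for line in lines if (m := re.match(pattern, line))), None)


def parse_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22,1000' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check_channel_groups(switch_config):
    """Each ASA (from 'description to <name>') must own exactly one
    channel-group, and no channel-group may face both ASAs."""
    groups_by_peer, peers_by_group = defaultdict(set), defaultdict(set)
    for lines in parse_interfaces(switch_config).values():
        desc = first_match(lines, r"description to (\S+)")
        grp = first_match(lines, r"channel-group (\d+)")
        if desc and grp:  # skips Port-channel stanzas and unrelated ports
            groups_by_peer[desc.group(1)].add(int(grp.group(1)))
            peers_by_group[int(grp.group(1))].add(desc.group(1))
    problems = [f"{peer} members split across channel-groups {sorted(g)}"
                for peer, g in groups_by_peer.items() if len(g) > 1]
    problems += [f"channel-group {grp} shared by {sorted(p)}"
                 for grp, p in peers_by_group.items() if len(p) > 1]
    return problems


def check_vlans(switch_config, asa_config):
    """Every VLAN used by an ASA subinterface must be allowed on every trunk
    port-channel on the switch side (hence: configure the switch first)."""
    asa_vlans = {name: int(m.group(1))
                 for name, lines in parse_interfaces(asa_config).items()
                 if (m := first_match(lines, r"vlan (\d+)"))}
    problems = []
    for po, lines in parse_interfaces(switch_config).items():
        allowed = first_match(lines, r"switchport trunk allowed vlan (\S+)")
        if not po.startswith("Port-channel") or allowed is None or allowed.group(1) == "all":
            continue  # no 'allowed vlan' restriction means every VLAN is carried
        permitted = parse_vlan_list(allowed.group(1))
        problems += [f"{sub} uses VLAN {vlan}, not allowed on {po}"
                     for sub, vlan in asa_vlans.items() if vlan not in permitted]
    return problems


if __name__ == "__main__":
    for problem in check_channel_groups(SWITCH_CONFIG) + check_vlans(SWITCH_CONFIG, ASA_CONFIG):
        print("PROBLEM:", problem)
```

Run against the samples, the first check reports that ASA-Secondary's members are split across channel-groups 1 and 3, and the second reports the DMZ subinterface's VLAN 20 as missing from both trunk port-channels. In practice you would paste the output of `show running-config` from the stack and from the active ASA into the two strings; the parser only relies on the `interface`, `description`, `channel-group`, `vlan` and `switchport trunk allowed vlan` lines shown in this post.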
