For better redundancy we may want to use a port channel to connect a highly available active/standby pair of Cisco ASAs to a switch stack. The important point is to create separate port channels on the switch stack, one for each ASA. On the ASAs it is still a single port channel, because the configuration is replicated between the two units. If you group all four switch interfaces into one port channel connected to both ASAs, the bundle will not come up, because LACP sees two different system IDs, one per ASA. A single shared port channel would also be undesirable even if it did form: you do not want traffic hashed to the standby ASA.
The following diagram from this Cisco document explains it all.
Following this diagram, we configure two port-channels on the switch stack.
!
interface Port-channel2
 switchport mode trunk
!
interface Port-channel3
 switchport mode trunk
!
We then assign the four switch interfaces connected to the ASA pair to their channel groups: both ports facing the primary ASA go into channel-group 2, both ports facing the secondary ASA into channel-group 3.
!
interface GigabitEthernet3/2
 description to ASA-Primary
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet6/2
 description to ASA-Primary
 switchport mode trunk
 channel-group 2 mode active
!
interface GigabitEthernet3/3
 description to ASA-Secondary
 switchport mode trunk
 channel-group 3 mode active
!
interface GigabitEthernet6/3
 description to ASA-Secondary
 switchport mode trunk
 channel-group 3 mode active
!
Let’s now configure port-channel on the ASA pair.
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
We then add the two physical interfaces on each ASA to channel group 1. Because the configuration is replicated, this is entered once on the active unit.
!
interface GigabitEthernet0/0
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
The next step is important: for each VLAN we create a subinterface on the port channel. In each subinterface we define the VLAN ID, the interface name (nameif), the security level and the IP address. In the example below we create an INSIDE subinterface on VLAN 10 and an OUTSIDE subinterface on VLAN 1000:
!
interface Port-channel1.10
 vlan 10
 nameif INSIDE
 security-level 100
 ip address 10.1.1.2 255.255.255.0
!
interface Port-channel1.1000
 vlan 1000
 nameif OUTSIDE
 security-level 0
 ip address dhcp setroute
!
The VLAN ID must be the same on both sides: the VLAN carried on the switch trunk and the vlan statement on the ASA subinterface. When adding a new VLAN, apply the configuration on the switch stack first, so that the trunk already carries the VLAN when the ASA subinterface comes up. One caveat for a failover pair: the ASA normally also needs a standby address on each monitored interface (ip address 10.1.1.2 255.255.255.0 standby 10.1.1.3) so that the units can monitor each other; the example above omits it.
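As an added check, written for this post and not taken from the original article or from Cisco: a small Python script that parses the switch-stack side of the configuration and verifies the rule from the first paragraph, namely that each ASA's ports sit in one dedicated channel-group, that the channel-group has a matching trunked Port-channel interface, and that the two ASAs do not share a channel-group. The embedded configuration is a constructed sample that deliberately places GigabitEthernet6/3 in channel-group 1 instead of 3; the script flags that, reports nothing once it is corrected, and reports the shared-group error when all four ports are forced into channel-group 2. It assumes the interface descriptions read "to <ASA name>" and uses them to identify which ASA a port faces.

```python
import re
from collections import defaultdict

# Constructed sample of the switch-stack side. It deliberately contains one
# mistake: GigabitEthernet6/3 is put in channel-group 1 instead of 3.
SWITCH_CONFIG = """\
interface Port-channel2
 switchport mode trunk
interface Port-channel3
 switchport mode trunk
interface GigabitEthernet3/2
 description to ASA-Primary
 switchport mode trunk
 channel-group 2 mode active
interface GigabitEthernet6/2
 description to ASA-Primary
 switchport mode trunk
 channel-group 2 mode active
interface GigabitEthernet3/3
 description to ASA-Secondary
 switchport mode trunk
 channel-group 3 mode active
interface GigabitEthernet6/3
 description to ASA-Secondary
 switchport mode trunk
 channel-group 1 mode active
"""
# The same sample with the mistake corrected ...
FIXED_CONFIG = SWITCH_CONFIG.replace("channel-group 1 mode", "channel-group 3 mode")
# ... and with all four ports in channel-group 2: the single port channel
# to both ASAs that the post warns against.
SHARED_CONFIG = FIXED_CONFIG.replace("channel-group 3 mode", "channel-group 2 mode")


def parse_interfaces(config):
    """Split IOS-style config into {interface name: [stripped body lines]}."""
    stanzas, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            stanzas[current] = []
        elif line and line != "!" and current is not None:
            stanzas[current].append(line)
        elif line == "!":
            current = None
    return stanzas


def check_port_channels(config):
    """Return a list of problems; an empty list means the layout is sound."""
    stanzas = parse_interfaces(config)
    problems = []
    # Port-channel interfaces that exist on the switch, keyed by number.
    port_channels = {}
    for name, lines in stanzas.items():
        m = re.fullmatch(r"Port-channel(\d+)", name)
        if m:
            port_channels[m.group(1)] = lines
    # Member ports grouped by the ASA named in the description (assumption:
    # descriptions read "to <ASA name>").
    members = defaultdict(dict)              # asa -> {port: channel-group}
    for name, lines in stanzas.items():
        desc = next((l.split(None, 1)[1] for l in lines
                     if l.startswith("description ")), None)
        cg = next((l.split()[1] for l in lines
                   if l.startswith("channel-group ")), None)
        if desc and cg:
            members[re.sub(r"^to ", "", desc)][name] = cg
    owner = {}                               # channel-group -> asa
    for asa, ports in sorted(members.items()):
        groups = sorted(set(ports.values()))
        if len(groups) > 1:
            problems.append(f"{asa}: ports split across channel-groups "
                            f"{groups}; each ASA needs exactly one port channel")
        for g in groups:
            if g not in port_channels:
                problems.append(f"{asa}: no 'interface Port-channel{g}' stanza "
                                f"for channel-group {g}")
            elif "switchport mode trunk" not in port_channels[g]:
                problems.append(f"Port-channel{g} is not a trunk")
            if owner.setdefault(g, asa) != asa:
                problems.append(f"channel-group {g} is shared by {owner[g]} and "
                                f"{asa}; LACP will not bundle ports facing two "
                                f"different ASA system IDs")
    return problems


if __name__ == "__main__":
    for label, cfg in (("as written", SWITCH_CONFIG), ("fixed", FIXED_CONFIG),
                       ("shared", SHARED_CONFIG)):
        print(f"--- {label}:", *(check_port_channels(cfg) or ["OK"]), sep="\n")
```

Run the script as-is to see the three verdicts; to check a real switch, paste the output of `show running-config | section interface` into SWITCH_CONFIG. The check only covers the switch side, because on the ASA side the single port channel is replicated and cannot end up split the same way.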