Sunday, June 9, 2013

Configuring EtherChannel on an ASA

An EtherChannel (available starting with release 8.4) allows two or up to eight active physical interfaces to be bundled together to form a single logical port-channel interface. Each interface must be of the same type, speed, and duplex mode before an EtherChannel can be built.

To build an EtherChannel, the ASA and a switch must both agree to do so. The table below summarizes the EtherChannel negotiation methods and their characteristics.

EtherChannel Negotiation Methods

Negotiation Mode   Negotiation Packets Sent?   Characteristics
On                 No                          All ports channeling all the time
Passive            Yes                         Waits to channel until asked
Active             Yes                         Actively asks to form a channel


For this scenario, we built an EtherChannel between the ASA and a switch using the CLI:

ciscoasa(config)# interface gigabitethernet1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# channel-group ?

interface mode commands/options:
  <1-48>  Channel group number
ciscoasa(config-if)# channel-group 1 ?

interface mode commands/options:
  mode  Etherchannel Mode of the interface
ciscoasa(config-if)# channel-group 1 mode ?

interface mode commands/options:
  active   Enable LACP unconditionally
  on       Enable static port-channel
  passive  Enable LACP only if a LACP device is detected
ciscoasa(config-if)# channel-group 1 mode on
INFO: security-level and IP address are cleared on GigabitEthernet1.
ciscoasa(config-if)# interface gigabitethernet2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# channel-group 1 mode on
INFO: security-level and IP address are cleared on GigabitEthernet2.
ciscoasa(config-if)# show port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(N)             -      Gi1(P)   Gi2(P)

ciscoasa(config-if)# interface ?

configure mode commands/options:
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
  Redundant        Redundant Interface
  <cr>
ciscoasa(config-if)# interface port-channel ?

configure mode commands/options:
  <1-48>  Port-channel interface number
ciscoasa(config-if)# interface port-channel 1
ciscoasa(config-if)# port-channel ?

interface mode commands/options:
  load-balance  Load Balancing method
  min-bundle    Configure minimum number of active links
ciscoasa(config-if)# port-channel load-balance ?

interface mode commands/options:
  dst-ip                Dst IP Addr
  dst-ip-port           Dst IP Addr and TCP/UDP Port
  dst-mac               Dst Mac Addr
  dst-port              Dst TCP/UDP Port
  src-dst-ip            Src XOR Dst IP Addr
  src-dst-ip-port       Src XOR Dst IP Addr and TCP/UDP Port
  src-dst-mac           Src XOR Dst Mac Addr
  src-dst-port          Src XOR Dst TCP/UDP Port
  src-ip                Src IP Addr
  src-ip-port           Src IP Addr and TCP/UDP Port
  src-mac               Src Mac Addr
  src-port              Src TCP/UDP Port
  vlan-dst-ip           Vlan, Dst IP Addr
  vlan-dst-ip-port      Vlan, Dst IP Addr and TCP/UDP Port
  vlan-only             Vlan
  vlan-src-dst-ip       Vlan, Src XOR Dst IP Addr
  vlan-src-dst-ip-port  Vlan, Src XOR Dst IP Addr and TCP/UDP Port
  vlan-src-ip           Vlan, Src IP Addr
  vlan-src-ip-port      Vlan, Src IP Addr and TCP/UDP Port
ciscoasa(config-if)# port-channel load-balance src-dst-ip
ciscoasa(config-if)# port-channel min-bundle ?

interface mode commands/options:
  <1-8>  Number of minimum links
ciscoasa(config-if)# port-channel min-bundle 1
ciscoasa(config-if)# lacp ?

interface mode commands/options:
  max-bundle  Configure maximum number of active links

configure mode commands/options:
  system-priority  LACP priority for the system
ciscoasa(config-if)# lacp max-bundle ?

interface mode commands/options:
  <1-8>  Number of maximum links
ciscoasa(config-if)# lacp max-bundle 8
ciscoasa(config)# interface port-channel1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# show port-channel 1
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
ciscoasa(config-if)# show port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)             -      Gi1(P)   Gi2(P)
ciscoasa(config-if)# show port-channel detail
                Channel-group listing:
                -----------------------

Group: 1
----------
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
                Ports in the group:
                -------------------
Port: Gi1
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

Port: Gi2
------------
Port state    = bndl
Channel group =    1        Mode = ON
Port-channel  = Po1

ciscoasa(config-if)# ping 192.168.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 10/24/60 ms

----

SW1(config)#interface fastethernet1/1
SW1(config-if)#no shutdown
SW1(config-if)#channel-group ?
  <1-6>  Channel group number

SW1(config-if)#channel-group 1 ?
  mode  Etherchannel Mode of the interface

SW1(config-if)#channel-group 1 mode ?
  on  Enable Etherchannel only

SW1(config-if)#channel-group 1 mode on
Creating a port-channel interface Port-channel1
SW1(config-if)#
*Mar  1 00:01:19.231: %EC-5-BUNDLE: Interface Fa1/1 joined port-channel Po1
SW1(config-if)#
*Mar  1 00:01:22.111: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
SW1(config-if)#interface fastethernet1/2
SW1(config-if)#no shutdown
SW1(config-if)#channel-group 1 mode on
SW1(config-if)#
*Mar  1 00:01:35.187: %EC-5-BUNDLE: Interface Fa1/2 joined port-channel Po1
SW1(config-if)#do show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------
1     Po1(SU)     Fa1/1(P)   Fa1/2(P)

SW1(config-if)#interface vlan1
SW1(config-if)#ip address 192.168.1.2 255.255.255.0
SW1(config-if)#do ping 192.168.1.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/22/56 ms
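
In static "on" mode no negotiation packets are exchanged, so the summary output is the main evidence that both members actually bundled. The Python script below is an added example, not part of the original post: it parses the summary rows shown above (ASA and switch format) and reports channels that are not in use or have unbundled members. The function names and the LACP row are constructed for illustration.

```python
import re

# Rows copied from the page's two ASA "show port-channel summary" outputs
# (before and after nameif was set) and the switch's "show etherchannel summary".
ASA_BEFORE = "1      Po1(N)             -      Gi1(P)   Gi2(P)"
ASA_AFTER = "1      Po1(U)             -      Gi1(P)   Gi2(P)"
SWITCH = "1     Po1(SU)     Fa1/1(P)   Fa1/2(P)"
# Constructed row (not from the page): an LACP channel with one member down.
CONSTRUCTED = "2      Po2(U)          LACP      Gi3(P)   Gi4(D)"

# Group number, Po name and flags, optional Protocol column, then member ports.
ROW = re.compile(r"^\s*(\d+)\s+(Po\d+)\((\w+)\)\s+(?:(-|[A-Za-z]+)\s+)?(.*)$")
PORT = re.compile(r"(\S+?)\((\w+)\)")


def parse_summary(text):
    """Return one dict per channel-group row; legend and header lines are skipped."""
    groups = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        gid, po, flags, proto, ports = m.groups()
        groups.append({
            "group": int(gid),
            "port_channel": po,
            "flags": flags,
            "protocol": proto,  # "-" = static, None = column absent (switch)
            "ports": dict(PORT.findall(ports)),
        })
    return groups


def audit(groups, min_links=1):
    """List conditions worth a look, using the flag legend printed by the device."""
    findings = []
    for g in groups:
        po = g["port_channel"]
        bundled = [p for p, f in g["ports"].items() if "P" in f]
        if "U" not in g["flags"]:
            findings.append(f"{po}: not in use (flags {g['flags']})")
        if g["protocol"] == "-":
            findings.append(f"{po}: static 'on' mode, no negotiation packets")
        for port, f in g["ports"].items():
            if "P" not in f:
                findings.append(f"{po}: {port} not bundled (flag {f})")
        if len(bundled) < min_links:
            findings.append(f"{po}: {len(bundled)} bundled links, below min {min_links}")
    return findings


if __name__ == "__main__":
    for sample in (ASA_BEFORE, ASA_AFTER, SWITCH, CONSTRUCTED):
        print(sample.strip(), "->", audit(parse_summary(sample)))
```

Pass min_links the same value configured with "port-channel min-bundle" so the script and the device agree on when a channel counts as degraded.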


You can also configure an EtherChannel using the ASDM:




