Configuring EtherChannel on an ASA Firewall

In this topic, I will go through the EtherChannel configuration on ASA. An EtherChannel provides a method of aggregating multiple Ethernet links into a single logical channel. The ability to configure EtherChannel’s on ASA models 5510 and above.

Below is configuration steps required to create an EtherChannel link on the Cisco ASA along with providing the main troubleshooting/show commands.

Below shows the configuration to create am EtherChannel that will act as a trunk with the VLAN 10 enabled.

interface GigabitEthernet0/1
speed 10
duplex full
  channel-group 1 mode active
no nameif
no security-level
no ip address

interface GigabitEthernet0/2
speed 1000
duplex full
  channel-group 1 mode active
no nameif
no security-level
no ip address

interface Port-channel1.10
  vlan 10
nameif INSIDE
security-level 100
ip address 192.168.1.1 255.255.255.0

High availability by default when you configure a port-channel the port-channel will remain up as long as there is one active member interface. Meaning that even if you are monitoring the port-channel if a single link goes down within the bundle it will not trigger a device-level failover.

To ensure a device-level failover occurs in the event of a single member link failure the port-channel min-bundle command is used. Below shows the necessary commands,

monitor-interface port-channel 1.10

interface port-channel 1.10

port-channel min-bundle 2

Note: the command monitor-interface only allows you to monitor interfaces that have been configured with nameif. So you can only monitor the port-channel interface rather than each of the member links.

 

Show commands for troubleshooting

INBASA# show interface port-channel 1
Interface Port-channel1 “”, is up, line protocol is up
Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
Input flow control is unsupported, output flow control is off
Available but not configured via nameif
MAC address 1c6b.7ac1.3db4, MTU not set
IP address unassigned
Members in this channel:
Active:   Gi0/1 Gi0/2

INBASA # show port-channel 1
Ports: 2   Maxports = 16
Port-channels: 2 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip