A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the reliability of the ASA. This feature is separate from device-level failover, but you can configure redundant interfaces together with device-level failover if desired.

You can configure up to 8 redundant interface pairs.

Redundant Interface MAC Address

The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. Alternatively, you can assign a manual MAC address to the redundant interface, which is used regardless of the member interface MAC addresses. When the active interface fails over to the standby, the same MAC address is maintained so that traffic is not disrupted.


interface Ethernet0/0
no nameif
no security-level
no ip address

interface Ethernet0/2
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/2
nameif OUTSIDE
security-level 0
ip address


An 802.3ad EtherChannel is a logical interface (called a port-channel interface) consisting of a bundle of individual Ethernet links (a channel group) so that you increase the bandwidth for a single network. A port-channel interface is used in the same way as a physical interface when you configure interface-related features.

You can configure up to 48 EtherChannels, depending on how many interfaces your model supports.

Each channel group can have up to 16 active interfaces. For switches that support only 8 active interfaces, you can assign up to 16 interfaces to a channel group: while only 8 interfaces can be active, the remaining interfaces can act as standby links in case of interface failure. For 16 active interfaces, be sure that your switch supports the feature (for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module).

All interfaces in the channel group must be the same type and speed. The first interface added to the channel group determines the correct type and speed.

The EtherChannel aggregates the traffic across all the available active interfaces in the channel. The interface is selected using a proprietary hash algorithm, based on source or destination MAC addresses, IP addresses, TCP and UDP port numbers, and VLAN numbers.

Link Aggregation Control Protocol (used by EtherChannel)

The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices.

You can configure each physical interface in an EtherChannel to be:

  • Active—Sends and receives LACP updates. An active EtherChannel can establish connectivity with either an active or a passive EtherChannel. You should use the active mode unless you need to minimize the amount of LACP traffic.

  • Passive—Receives LACP updates. A passive EtherChannel can only establish connectivity with an active EtherChannel. Not supported on Firepower hardware models.

  • On—The EtherChannel is always on, and LACP is not used. An “on” EtherChannel can only establish a connection with another “on” EtherChannel. Not supported on Firepower hardware models.


interface Ethernet0/1
channel-group 1 mode passive
no nameif
no security-level
no ip address

interface Ethernet0/3
channel-group 1 mode passive
no nameif
no security-level
no ip address

interface Port-channel1
lacp max-bundle 2
port-channel load-balance src-dst-ip-port
nameif INSIDE
security-level 100
ip address
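
A pre-deployment check for the rules described above, as an added example (not part of the original page and not Cisco code): it parses ASA-style interface stanzas and reports redundant interfaces without exactly two members, a redundant interface whose MAC address depends on member order, LACP modes that constrain what the peer must run, and member interfaces that still carry a nameif. The SAMPLE text and the names parse, audit and PEER_NEEDS are constructed for illustration.

```python
import re

# Constructed sample, not a real device; it contains two deliberate mistakes.
SAMPLE = """
interface Ethernet0/0
 nameif LEGACY
interface Ethernet0/1
 channel-group 1 mode passive
interface Redundant1
 member-interface Ethernet0/0
 nameif OUTSIDE
"""
PEER_NEEDS = {"passive": "active", "on": "on"}  # per the LACP mode list above

def parse(config):
    """Map each 'interface X' stanza to its list of sub-commands."""
    stanzas, current = {}, None
    for line in (l.strip() for l in config.splitlines()):
        if line.startswith("interface "):
            current = stanzas.setdefault(line.split()[1], [])
        elif line and current is not None:
            current.append(line)
    return stanzas

def audit(config):
    """Return findings for the pairing, MAC and LACP-mode rules described above."""
    stanzas, findings, members = parse(config), [], set()
    for name, cmds in stanzas.items():
        pair = [c.split()[1] for c in cmds if c.startswith("member-interface ")]
        members.update(pair)
        if name.startswith("Redundant"):
            if len(pair) != 2:
                findings.append(f"{name}: expected 2 members, found {len(pair)}")
            if pair and not any(c.startswith("mac-address ") for c in cmds):
                findings.append(f"{name}: MAC follows first member {pair[0]}")
        for c in cmds:
            m = re.fullmatch(r"channel-group (\d+) mode (active|passive|on)", c)
            if m:
                members.add(name)
                need = PEER_NEEDS.get(m.group(2))
                if need:
                    findings.append(f"{name}: mode {m.group(2)}, peer must be {need}")
    for name in sorted(members):  # members stay unnamed, as in the page's config
        if any(c.startswith("nameif ") for c in stanzas.get(name, [])):
            findings.append(f"{name}: member interface must not carry a nameif")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The "MAC follows first member" finding is informational: it disappears once a manual mac-address line is present in the Redundant stanza.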


ASAINB-5510# sh nameif
Interface                Name                     Security
Port-channel1            INSIDE                   100
Redundant1               OUTSIDE                    0

ASAINB-5510# sh ip address
System IP Addresses:
Interface                   Name                  IP address                     Subnet mask                   Method
Port-channel1          INSIDE                               manual
Redundant1             OUTSIDE                           manual

ASAINB-5510# sh interface redundant 1 | b Redundancy
Redundancy Information:
Member Ethernet0/0(Active), Ethernet0/2

ASAINB-5510# sh port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Ports
1      Po1(U)        LACP      Et0/1(P)   Et0/3(P)

ASAINB-5510# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:

EtherChannel Load-Balancing Addresses Used Per-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address and TCP/UDP (layer-4) port number
IPv6: Source XOR Destination IP address and TCP/UDP (layer-4) port number

ASAINB-5510# sh port-channel 1 brief
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ passive
Minimum Links: 1
Maximum Bundle: 2
Load balance: src-dst-ip-port

ASAINB-5510# sh int et0/1 | in MAC
MAC address 001e.1239.4341, MTU 1500