topic Re: FTD Etherchannel/LACP question in Network Security

FTD Etherchannel/LACP question

Chess Norris — Fri, 10 Oct 2025 16:30:43 GMT

Hello,

I have a FTD 1010 in my home lab that's using 1 routed interface for outside and the rest of the interfaces are used as switchports on a VLAN that I use for the Inside. Now I also have a Synology NAS with two interfaces that can be bond together to a LACP interface.

On the FTD, I thought I could create an Etherchannel and put it in the same security zone as my VLAN interfaces (Inside Zone), but it seems that I need to create a separate Zon for the Etherchannel interface. Otherwise I got lots of warning about my NAT rules that could not use multiple interfaces etc.

So what would be the best stratergi here? Create a new security zone and use the same NAT and access rules for this new zone? The Etherchannel interface must be on the same VLAN/IP subnet as my other interfaces. Otherwise I will not be able to connect to it.

Thanks

/Chess

Re: FTD Etherchannel/LACP question

Chess Norris — Fri, 10 Oct 2025 17:16:10 GMT

Here is a configuration from a Cisco switch that I want to replicate on the FTD if possible.

CISCO(config)#interface range Gi0/37 - 38
CISCO(config-if-range)#description SYNOLOGY
CISCO(config-if-range)#switchport mode access
CISCO(config-if-range)#switchport nonegotiate 
CISCO(config-if-range)#spanning-tree portfast
CISCO(config-if-range)#channel-group 3 mode active 

CISCO(config)#interface port-channel 3
CISCO(config-if)#description SYNOLOGY
CISCO(config-if)#switchport mode access
CISCO(config-if)#switchport nonegotiate

Re: FTD Etherchannel/LACP question

nspasov — Fri, 10 Oct 2025 23:37:13 GMT

There are a lot of moving parts here so some additional info is needed. Below are a few questions / comments:

You cannot configure the 1010 switchports in an EtherChannel. I am not sure if you were already aware but I figured I would mention it. There are some additional limitations which you can find here
Is the the 1010 running in routed or transparent mode?
Which device in your network is the L3 GW for the VLANs? I assume it is a VLAN interface on the 1010 but want to confirm.
What does your NAT configuration look like?
Can you share the exact error/warning that receive with regards to NAT

Thank you for rating helpful posts!

Re: FTD Etherchannel/LACP question

Chess Norris — Mon, 13 Oct 2025 09:25:59 GMT

Re: FTD Etherchannel/LACP question

Chess Norris — Mon, 13 Oct 2025 09:29:59 GMT

@nspasov Thanks for answering. I think the issue is exactly what you say - That the 1010 lack support for using the switch ports in an EtherChannel.

Before, I had a C3560CX-8PC-S handling this but unfortunately it died a while ago.

My FTD 1010 now serves as both a firewall, router and a switch and while it does a decent job, it's still primaly a firewall.

My company are a Cisco partner so I think I instead will get a C9200cx on NFR to replace my old 3560.

/Chess

Re: FTD Etherchannel/LACP question

nspasov — Tue, 14 Oct 2025 01:12:06 GMT

Most welcome! And yes, NFR is a great program to get your failed/aging gear replaced.

Thank you for rating helpful posts!

Re: FTD Etherchannel/LACP question

Marvin Rhoads — Tue, 14 Oct 2025 14:04:47 GMT

@Chess Norris you are in good company- I use a 9200CX in my home lab that I also acquired via NFR. It's a nice little fanless switch that runs the latest IOS-XE. I also have an older 3560CX.

Lately I have been working through getting the 9200CX to work with TACACS over TLS with ISE 3.5. I run my ISE/FMC/FTDv etc. on a Proxmox server.