해결됨: Configure portchannels on routers and ASAv

SilverAfter · ‎12-26-2024

You used BVI on the router to bundle two interfaces into one interface, and now you need to configure them as one network using portchannel on the ASAv.
However, the ASAv must function as a failover.
Below is the topology and the configuration of the routers.

interface GigabitEthernet0/2
no ip address
duplex auto
speed auto
media-type rj45
bridge-group 1

!

interface GigabitEthernet0/4
no ip address
shutdown
duplex auto
speed auto
media-type rj45
bridge-group 1

!

interface BVI1
ip address 114.141.24.1 255.255.255.252

!

MHM Cisco World · ‎12-26-2024

You can NOT config it as PO since the FW is HA active/standby

this only work for FW cluster

MHM

원본 게시물의 솔루션 보기

MHM Cisco World · ‎12-26-2024

Sorry what is Q here.

MHM

SilverAfter · ‎12-26-2024

PUB-R2's interfaces g0/2 and g0/4 are grouped together as BVI to make them a single interface.
On the other side, we want to group G0/0 of FW1 and 2 into one interface.

MHM Cisco World · ‎12-26-2024

You can NOT config it as PO since the FW is HA active/standby

this only work for FW cluster

MHM

SilverAfter · ‎12-27-2024

That's not possible Thanks.

Flavio Miranda · ‎12-26-2024

@SilverAfter

"If you use the ASA device in an Active/Standby failover deployment, then you need to create separate EtherChannels on the switches in the VSS/vPC, one for each ASA device. On each ASA deivce, a single EtherChannel connects to both switches. Even if you could group all switch interfaces into a single EtherChannel connecting to both ASA devices (in this case, the EtherChannel will not be established because of the separate ASA system IDs), a single EtherChannel would not be desirable because you do not want traffic sent to the standby ASA device. "

Here what Cisco says. You should not add a port-channel on both active and standby firewall because the traffic will be load balanced between them and you should not receive traffic on the firewall in standby mode.