5510 ASA etherchannel Connected to 3740 Stack
02-14-2013 08:35 AM - edited 03-11-2019 06:01 PM
I have a single 5510 ASA and a pair of stacked 3750 switches. I was trying to create an EtherChannel on the ASA and connect it to the switch stack's port-channel to support different VLANs sub-interfaced at the ASA. I am confused by the following statement from the doc: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030
Section Guidelines and Limitations
"The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. "
Can someone explain what "If the ASA EtherChannel is connected cross stack" means?
or better...
Is it possible to use the ASA 8.4 Port-Channel to connect it to the 3750 etherchannel stack?
Thanks in advance....
Labels: NGFW Firewalls
02-14-2013 08:55 AM
Hi,
Seems to me that you cannot configure a Port-channel between an ASA and a Switch Stack IF you connect the ASA to both of the member switches of the stack in a single Port-channel interface.
I guess this would mean you could configure the Port-channel when it's connected to only ONE of the switches in the stack. Though naturally this doesn't help much if the switch fails.
I guess in a Failover ASA environment you could configure the ASA1 with Port-channel to Member 1 of the stack and ASA2 with Port-channel to Member 2 of the stack. But this is just me guessing.
The documents seem to state that this works with VSS (I'm not that familiar with switching to be honest as others handle that in our company and I only do basic configurations related to switching)
Now that you mentioned this thing I kinda wonder if connecting ASA to 2 different Nexus 5000 would result in the same problem when the other Nexus 5k boots or breaks down? If someone at Cisco happens to read this then I wouldn't mind an answer to this.
- Jouni
02-14-2013 09:02 AM
It makes sense and that's in line with what I got from it... I guess now I am just wondering what would be the best redundant scenario with limited equipment (one ASA and two 3750s)? Meaning, should I un-stack the Catalysts...
02-14-2013 09:15 AM
Hi,
The same document does mention Redundant interface.
Naturally it doesn't provide the benefit of using both the interfaces at the same time, but I guess it would help with a situation where your other Switch Stack Member breaks down, gets powered down or the other interface simply fails.
- Jouni
02-14-2013 12:06 PM
Unfortunately, Redundant interfaces do not support sub-interfaces; in my setup I need the ASA to sub-interface 4 VLANs' traffic.
02-14-2013 12:24 PM
Hi,
At least looking at the Cisco document you linked it says the following (portion marked red):
Examples
The following example creates two redundant interfaces:
hostname(config)# interface redundant 1
hostname(config-if)# member-interface gigabitethernet 0/0
hostname(config-if)# member-interface gigabitethernet 0/1
hostname(config-if)# interface redundant 2
hostname(config-if)# member-interface gigabitethernet 0/2
hostname(config-if)# member-interface gigabitethernet 0/3
What to Do Next
Optional Task:
- Configure VLAN subinterfaces. See the "Configuring VLAN Subinterfaces and 802.1Q Trunking" section.
I guess the format should be for example
interface Ethernet0/0
no nameif
no security-level
no ip add
interface Ethernet0/1
no nameif
no security-level
no ip add
interface Redundant1
member-interface Ethernet0/0
member-interface Ethernet0/1
no nameif
no security-level
no ip add
interface Redundant1.10
vlan 10
nameif inside
security-level 100
ip add 10.10.10.1 255.255.255.0
interface Redundant1.20
vlan 20
nameif dmz
security-level 50
ip add 10.10.20.1 255.255.255.0
To my understanding it would be configured with the above mentioned way.
Hopefully the information was helpful.
- Jouni
02-14-2013 09:14 AM
To me that statement doesn't make any sense... And I was not aware of that, because I've only read the config guide as a PDF, and there the note is not mentioned. I really hope that it's only a documentation bug. Sadly I don't have any spare ASAs at the moment to lab that. Anyone who can test that out?
--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
02-14-2013 09:20 AM
Hi Karsten,
I think I might lab this. I have plenty of C3750s and a single ASA5510 at work at the moment, so I could test this out. Don't know if I will have time tomorrow but probably next week.
I did a quick look around for more information about this and it does seem that you can configure a single Port-channel from ASA to 2 different physical devices when:
- Using VSS
- Using vPC with 2 Nexus devices
But as I stated in an earlier reply in this thread, I'm not really familiar with this setup.
- Jouni
03-26-2013 06:35 AM
Hi Guys,
I also saw that statement in the ASA config guide and was surprised by the fact that it says the ASA won't support a cross-stack EtherChannel.
I haven't had a chance to test this out and I won't for another couple of weeks, but I suspect that it is because the LACP system ID is based on the Stack Master MAC address.
Has anyone tried this global command on the stack:
stack-mac persistent timer 0
This will enable the stack to continue using the MAC address of the current stack master after a new stack master takes over.
VSS and vPC create LACP system IDs that remain persistent across the primary and secondary switches, so I suspect that stack-mac persistent will accomplish the same result.
Regards,
He-Wun Kim
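As an added lab example (not posted by anyone in this thread), assuming VLANs 10 and 20, one stack member port on each of Gi1/0/1 and Gi2/0/1, and ASA ports Ethernet0/0 and Ethernet0/1: the cross-stack port-channel with ASA sub-interfaces that the thread discusses, plus the stack-mac persistent setting from the last reply, so the documented "master powered down" limitation can be tested rather than assumed.

```cisco
! --- 3750 stack (constructed lab config, not from the thread) ---
! Keep the stack MAC (and so the LACP system ID derived from it)
! after a master switchover, as suggested in the reply above.
stack-mac persistent timer 0
!
vlan 10
 name inside
vlan 20
 name dmz
!
! One member port on each stack member = cross-stack EtherChannel
interface range GigabitEthernet1/0/1 , GigabitEthernet2/0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! --- ASA 5510, 8.4 (constructed lab config) ---
interface Ethernet0/0
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
interface Ethernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
interface Port-channel1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
interface Port-channel1.20
 vlan 20
 nameif dmz
 security-level 50
 ip address 10.10.20.1 255.255.255.0
```

On the stack, show switch, show lacp sys-id and show etherchannel 1 summary give the current master, the LACP system ID and the bundle state to compare before and after powering down the master; on the ASA, show port-channel summary shows whether the bundle stays up through the switchover.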
