Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1729
Views
0
Helpful
2
Replies

ASA 5580 with EtherChannel 20Gbs, Does the Failover link must match the same Speed?

chrmendezm
Level 1
Level 1

‎09-13-2011 08:42 PM - edited ‎03-11-2019 02:24 PM

Hello,

I have an ASA 5580, I am plannning on setting two EtherChannels (inside and outside), each channel will include two TenGigabit interfaces.

My questions is that if the links that I am gonig to use for the failover and link, should also be 20Gbs each, or it is ok to use 10Gbs for each link?

According to the Configuration guide 8.4

Use the following failover interface speed guidelines for the ASAs:

• Cisco ASA 5510

– Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due

to the CPU speed limitation.

• Cisco ASA 5520/5540/5550

– Stateful link speed should match the fastest data link.

• Cisco ASA 5580/5585

– Use only non-management 1 Gigabit ports for the stateful link because management ports have

lower performance and cannot meet the performance requirement for Stateful Failover.

Thanks in advance

1 person had this problem
Labels:
0 Helpful
2 Replies 2

mirober2
Cisco Employee
Cisco Employee

‎09-17-2011 05:59 AM

Hi Cristian,

No need to use an EtherChannel for your failover link (unless you want to). As you noticed in the configuration guide, the only requirement for the 5580 is that you don't use a management port for failover.

The "failover link speed must be as fast as your fastest data interface" is more of a requirement for the smaller ASA platforms. This is not the case for the 5580.

Hope that helps.

-Mike

0 Helpful

i.va
Level 3
Level 3
In response to mirober2

‎04-19-2013 04:21 AM

Hi,

I have 2x ASA5580-20 with 8x1GE interfaces and additional 2x 10GE interfaces each. Software version running is v8.4.4.1.

I am planning to use them in multiple context (active/active) transparent mode. Taking into account the FW performance of 5Gbps real-world traffic per ASA5580-20, which on the following interface configurations would make the most sense?

Option 1:

-------------

2x10GE = 20GE Etherchannel for Data

1x1GE LAN Failover

1x1GE STATE Failover

Option 2:

-------------

1x 10GE Data

1x 10GE LAN & STATE Failover

Option 3:

-------------

2x10GE = 20GE Etherchannel for Data

4x1GE = 4GE Etherchannel for LAN/STATE Failover (possibly up to 8x1GE)

(etherchannel for LAN/STATE Failover actually does not make much sense, since only one interface wll be used anyway)

Option 4:

-------------

1x10GE LAN & STATE Failover

8x1GE = 8 GE Etherchannel for Data

I have read several guides (e.g. link1, link2, link3). Some state that 1GE Failover interfaces would suffice for the ASA5580, others recommend a link as fast as the data link. Almost none of them account for higher bandwidth etherchannels.

What is recommended in this case? Both Firewalls will be connected to one VSS Switch Pair, so it would make sense to cross-connect with at least 2 links on each VSS member.

The ASA does not support connecting an EtherChannel to a switch stack. If the ASA EtherChannel is connected cross stack, and if the Master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. (http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html)

Thanks in advance for your feedback!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card