ASA Trunking and Port-channel

Jon Eyes · ‎11-21-2012

Hi,

I dont know if this is a best practice and the ideal way of doing it but i want to give it a try

In the diagram, i have my current network setup as shown in the left. I want to configure it as shown in the right

So im thinking,

Create a port channel out of interface 3 and 4 of ASA
Configure 2 sub-interfaces in those Po interface (my inside vlan and the dmz)
At the 4948, configure a trunked port channel out of a single interface (funny ), then do the same in the second 4948
Connect ASA port 3 to the 1st 4948's single-interfaced port channel, ASA port 4 connects the same on the 2nd 4948

Had anyone done this before? How would these devices/traffic behave? Ramifications of doing so? Any best configuration of doing this?

I need inputs before I deploy this to production, if feasible

Greatly appreciate all your comments

Thanks,

Jon

Julio Carvajal · ‎11-21-2012

Hello Jonjon,

I don't think is a feassible desing.

Let me explain you why:

As Cisco explained all over the documents and its certification an ethernet channel is used for redundancy purposes and increase the bandwidth) on a local switch. If you plan to terminate an ethernet-channel on two different devices ( This is what you are showing on the right) what you are looking for is the Multi-chassis ethernet solution and this is only supported on the following appliances:

- 3750 switches

- Catalyst 6500 series

- Nexus switches which support vPC (virtual port channels

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

mikeraddie · ‎11-23-2012

Hi Jonjon,

i think this will work fine. Its probably not best practice - you would normally isolate dmz vlans on their own layer 2 switches but the setup on the right looks fine from a networking perspective.

One possible problem would be if you experienced abnormal traffic on your dmz, such as a DoS attack, this may consume all the bandwidth on the etherchannel and therefore your local network may be affected.

Julio Carvajal · ‎11-23-2012

Hello Mike,

I mean the thing is that you will not be able to run failover on the inside interface but you could use a routing protocol for that... Besides that everything is the same......

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

pille1234 · ‎11-25-2012

Hi Mata,

while your design may work (I am not sure about that), I would strongly discourage you from splitting up your port-channels to 2 seperate switches. With LACP enabled it wouldn't work anyway, but a static portchannel config might be possible. Do you use a dynamic routing protocol? I can't imagine how this would play out, but even with static routes you would have unneccssary traffic switching. A packet destined for the left C4948 may get sent out to the right C4948 due to the portchannel loadbalancing and would then have to be switched back accross the LAN side to the destination C4948.

regards

Pille