Re: ASA: What is better Etherchannel with Sub interfaces or Dedicated Physical interfaces???

josem.cortes · ‎09-15-2018

Hi,

Currently I'm working on a design that includes an 2 Stackable Switches and 2 ASA 5515X. The two ASAs are meant to be A/S Failover and I've been trying to check what is the best option to connect them to the Stack Swtiches. I have four zones: ISP1, ISP2, Servers and Inside connections. I'm stuck trying to figure out what is the better from these three options:

1. Connect ASA1 to Stack Switch 1 and ASA2 to Stack Switch 2 using a dedicated physical interface for each Zone on each ASA (ISP1, ISP2, Servers and Inside).

2. Bind four physical interfaces per ASA and create sub-interfaces within for each Zone. Connect ASA1's four interfaces to Stack 1 and ASA2's four interfaces to Stack 2.

3. Bind four physical interfaces per ASA and create sub-interfaces within for each Zone. Connect two interfaces from each ASA to Stack 1 and the two interfaces left to Stack 2.

With either option I will have Redundancy and HA. But I'm a little concern about the best approach in this case.

Thanks in advance

Jose

balaji.bandi · ‎09-15-2018

If you have resources and physical port availability - i would prefer physical separation than logical.

End goal both do the same work, but different approach with some limitations.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

josem.cortes · ‎09-15-2018

Hi BB, thanks for the quick response. What limitations do make you prefer physical over logical?? one of my concerns is load balancing algorithm that causes some links to be overloaded and impact communication, but if you can bring some others to the table would be great

Jose

Ajay Saini · ‎09-16-2018

Hello Jose,

I would have gone for option 3 for following reasons:

1. there is redundancy on the switch and ASA side.

2. There is bandwidth aggregation in terms of ether channel

2. The reason why you would go for subinterface vs phjysical interface is to have scalability. In future, if you have a 5th interface, you can simply create a subinterface and add that vlan in trunk on switch side. No need for additional physical interface.

HTH
AJ

Marvin Rhoads · ‎09-16-2018

Hi Ajay,

I don't think Option 3 would work. All of the ASAs Etherchannel member interfaces must connect to the same logical interface(s) on the neighboring device(s). The only way the neighbors can be different physical devices are:

a. They are members in the same switch stack

b. They are part of a VSS cluster

c. They are NX-OS devices with a vPC.

Options 1 and 2 each have advantages and disadvantages.

Given the throughput of an ASA 5515-X, you really aren't getting any additional capacity building an Etherchannel with more than 2 member interfaces.

I would note that most enterprises prefer not to expose their core switches with outside interfaces, even if they are L2 VLANs only.

josem.cortes · ‎09-16-2018

Hi marvin,

Thanks for your reply. Indeed, when I talk about Stack 1 and Stack 2 I'm refering to two different members of the same stack, thus the etherchannel would built up.

I will consider as well your recomendations about throughput and core exposure.

Ajay Saini · ‎09-16-2018

I agree with you Marvin, but in this case since user has only a stack of 2 switches, physical separation is a secure as a logical separation.

The port-channel and subinterface design is infact a noted design with scability in mind specifically for east to west traffic and firewall still acting as layer 3 hop for these subnets. I don't think we can achieve any better security with same switch and different physical interfaces used for inside, outside or dmz.

-

AJ