Solved: Re: Cisco ASA - Migration from a single physical interface to Port-Cha

Alain K. · ‎12-21-2023

Hello Cisco Community,

I have a Cisco ASA Firewall and I need to migrate one of the inside interface from the current Gig0/2 interface to a new Port-Channel using also this same interface.

Here is an example of my current setup:

interface GigabitEthernet0/2
description inside-Int
nameif inside-int
security-level 25
ip address 10.10.10.4 255.255.255.0 standby 10.10.10.3

And I want to have the following

interface GigabitEthernet0/2
description inside-Int 1
channel-Group 2 mode active
no nameif
no security-level
no ip address

interface GigabitEthernet1/2
description inside-Int 1
channel-Group 2 mode active
no nameif
no security-level
no ip address

Interface Port-Channel2
description inside-int PO
nameif inside-int
security-level 25
ip address 10.10.10.4 255.255.255.0 standby 10.10.10.3

Here are my questions:

Is what I want to achieve possible ?
Will I loose the FW Rules for the interface inside-int if I delete it from Gig0/2 and than move it to Po2 ?
Is there a way to achieve that without any interruption ?

Thanks for your help

balaji.bandi · ‎12-21-2023

yes that should work,

s there a way to achieve that without any interruption ?- but there will traffic interruption when you doing that.

Make sure other side also matches the config same way like ASA.

You need to also look Associated ACL or object when you moving from Ethernet interface to Port-channel interface.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Rob Ingram · ‎12-22-2023

@Alain K. you cannot add a physical interface to a port-channel if it has a nameif configured. When you remove the nameif or clear the configuration from the physical interface to reconfigure as part of the port-channel, anything associated to that nameif will be removed. Such as: the NAT rules, the "access-group <ACL> <direction> interface <interface>" command will be removed (the ACL itself will remain) and other configuration such as ssh/http access will be removed. You should copy the existing configuration and reapply the configuration.

View solution in original post

MHM Cisco World · ‎12-21-2023

The PO increase BW and give us some redundancy.

Also there is other solution which is interface redundant (not increase BW)

And both PO and interface redundant need to remove nameif and add it again. Or change namif

Which need also change any ACL and NAT use this nameif.

So to do changes will effect your traffic.

MHM

balaji.bandi · ‎12-21-2023

yes that should work,

s there a way to achieve that without any interruption ?- but there will traffic interruption when you doing that.

Make sure other side also matches the config same way like ASA.

You need to also look Associated ACL or object when you moving from Ethernet interface to Port-channel interface.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Rob Ingram · ‎12-22-2023

@Alain K. you cannot add a physical interface to a port-channel if it has a nameif configured. When you remove the nameif or clear the configuration from the physical interface to reconfigure as part of the port-channel, anything associated to that nameif will be removed. Such as: the NAT rules, the "access-group <ACL> <direction> interface <interface>" command will be removed (the ACL itself will remain) and other configuration such as ssh/http access will be removed. You should copy the existing configuration and reapply the configuration.

Alain K. · ‎12-22-2023

Hello all! Thanks for the amazing support!

What if I take my current setup:

interface GigabitEthernet0/2
description inside-Int
nameif inside-int
security-level 25
ip address 10.10.10.4 255.255.255.0 standby 10.10.10.3

Then create a new named interface nameif inside-int-po:

Interface Port-Channel2
description inside-int PO
nameif inside-int
security-level 25

After that, I copied the ACL and everything assisted to "inside-int" to this new interface "inside-int-po" and configured the second yet not in use Gi1/2 as a member of Po2:

interface GigabitEthernet1/2
description inside-Int 1
channel-Group 2 mode active
no nameif
no security-level
no ip address

And finally, assign the IP of Gi0/2 to Po2:

Interface Port-Channel2
ip address 10.10.10.4 255.255.255.0 standby 10.10.10.3

And don't forget to add Gi0/2 to Po2

interface GigabitEthernet0/2
shut
description inside-Int 1
no nameif
no security-level
no ip address
channel-Group 2 mode active
no shut

Will that be possible, and is it a good idea?

MHM Cisco World · ‎12-22-2023

Why you dont use interface redundant instead of PO?

MHM

Alain K. · ‎12-22-2023

I will need to have any kind of dynamic routing protocol like OSPF for doing or am I wrong ?

MHM Cisco World · ‎12-22-2023

First interface which is port member of PO is from same FW or different?

MHM

MHM Cisco World · ‎12-22-2023

Port channel can not config in FW HA if you used interface from both FW as port member in PO.

You need use interface in same FW in PO.

Also SW you connect to need to be one if multi it need to be vpc or vss or stackwise virtual.

MHM

Alain K. · ‎12-22-2023

This is the current setup, 2 ASA as active and standby connected to 2 Cisco Catalyst running VSS:

The black connections are the current ones.
The red ones are the planned ones.
The dashed lines are the connections to the standby ASA.

MHM Cisco World · ‎12-22-2023

Go ahead you dont need interface redundant' your config is correct.

For more note check below guide (it for fpr but principle is same as asa)

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215351-configure-verify-and-troubleshoot-port.html

Note:- use same port in both fw'

Use port channel number different in stack switch

Goodluck

MHM

Alain K. · ‎12-22-2023

Thanks MHM,

that was the plan with the Port-Channel numbering

Wish you all best!

Alain.

Cisco ASA - Migration from a single physical interface to Port-Channel