Create port-channel for existing physical interfaces on ASA 5525

Ahmad Saad4
Level 1

Hi there,

We've got a standalone ASA 5525 which is connected to the core switch with a single physical interface for the LAN and another for the Internet.

Now, our ISP needs to change the IP address of the Internet link to a completely different range. So, for the sake of redundancy and resiliency, we would like to create port-channel interfaces for the LAN & Internet.

As I understand it, we cannot use the same interface name (nameif) on the port-channel interface if it's already used on the physical interface (e.g. nameif Inside), and if you try to rename/modify the nameif, it will remove all the rules (NAT, ACL, etc.) that are related to the nameif.

It's not necessary to use/add the same physical interface to the port-channel interface; we could use another two free ports to create a port-channel interface for the Internet and another two free ports for the LAN. However, as I said, there are quite a few rules (NAT, ACL, SSL, default route, etc.) which are related to both physical interfaces (Internet & LAN), so if I try to rename/delete the nameif on these physical interfaces, all these rules will be deleted immediately.

Could someone please advise on the least disruptive way to create the port-channel interfaces in my case?

Thanks!

2 Replies

balaji.bandi
Hall of Fame

This is a medium-risk change, since you are moving the interface entirely from standalone to port-channel.

So the internally associated ACL rules will be changed; where required you need to tweak the settings.

It all depends on how big your ACL rule set is.

BB


Marvin Rhoads
Hall of Fame

I've done this several times. The best way is to just schedule an outage window and make the change to port-channel while using the same nameif(s). Just save the NAT rules etc. and restore them as they were afterwards from the CLI.

I use something like Notepad++ so I can search the current running config for all instances of the nameif that will be affected. Then, after I restore everything, I double-check the work with a before-and-after comparison using something like ExamDiff, so you can quickly see any changes in what might be a couple thousand lines of configuration file. If you did it right, there should only be a small handful of changes, all related to the interface configuration.

By the way, your ACLs will remain; just the access-group command that associates them with an interface needs to be restored.
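The two checks described in this reply (pull every statement tied to the affected nameif out of the saved config so it can be pasted back, then compare the before and after configs and confirm only interface blocks changed) can be scripted. The helper below is an added example, not code from the thread or from Cisco; the two ASA configs it embeds are constructed samples using RFC 5737 addresses, and its block parser is a deliberate simplification of ASA syntax (one indentation level, `!` separators ignored).

```python
import re

# Constructed sample, not from the thread: "before" config with one physical port per nameif.
BEFORE_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
object network LAN
 subnet 10.0.0.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq https
access-group OUTSIDE_IN in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1
ssh 10.0.0.0 255.255.255.0 Inside
"""

# Constructed "after" config: the same nameifs now sit on Port-channel interfaces with
# two members each, and every nameif-dependent statement has been re-entered as it was.
AFTER_CONFIG = """\
interface GigabitEthernet0/0
 channel-group 1 mode active
interface GigabitEthernet0/2
 channel-group 1 mode active
interface GigabitEthernet0/1
 channel-group 2 mode active
interface GigabitEthernet0/3
 channel-group 2 mode active
interface Port-channel1
 nameif Outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
interface Port-channel2
 nameif Inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
object network LAN
 subnet 10.0.0.0 255.255.255.0
 nat (Inside,Outside) dynamic interface
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq https
access-group OUTSIDE_IN in interface Outside
route Outside 0.0.0.0 0.0.0.0 198.51.100.1 1
ssh 10.0.0.0 255.255.255.0 Inside
"""


def blocks(config):
    """Split a config into (header, children) tuples: a non-indented line opens a
    block, indented lines belong to it, blank and '!' lines are skipped."""
    result = []
    for line in config.splitlines():
        if not line.strip() or line.strip() == "!":
            continue
        if line.startswith(" "):
            result[-1][1].append(line.strip())  # IndexError on a parentless child
        else:
            result.append((line, []))
    return [(header, tuple(children)) for header, children in result]


def nameif_dependents(config, nameif):
    """Statements outside interface blocks that name `nameif` (NAT, access-group,
    route, management access). They vanish when the nameif is removed, so this is
    the paste list for afterwards: parent line first, then its indented child."""
    ref = re.compile(rf"(?<![\w-]){re.escape(nameif)}(?![\w-])")  # whole token, case-sensitive
    commands = []
    for header, children in blocks(config):
        if header.startswith("interface "):
            continue  # the interface block itself is being replaced, not restored
        emitted = ref.search(header) is not None
        if emitted:
            commands.append(header)
        for child in children:
            if ref.search(child):
                if not emitted:
                    commands.append(header)
                    emitted = True
                commands.append(" " + child)
    return commands


def changed_blocks(before, after):
    """Blocks only in `before` (removed) and only in `after` (added)."""
    old, new = set(blocks(before)), set(blocks(after))
    return sorted(old - new), sorted(new - old)


def changes_outside_interfaces(before, after):
    """Changed blocks that are not interface configuration; a clean migration
    leaves this empty, which is the 'small handful of interface changes' check."""
    removed, added = changed_blocks(before, after)
    return [blk for blk in removed + added if not blk[0].startswith("interface ")]
```

Run `nameif_dependents(BEFORE_CONFIG, "Inside")` against a real `show running-config` capture before the outage window to get the paste list, then `changes_outside_interfaces(before, after)` on the two captures afterwards; anything it returns is a rule that was dropped by the nameif removal and not restored. The match is a whole-token, case-sensitive search, so an ACL named `OUTSIDE_IN` is not mistaken for a reference to the nameif `Outside`, which matters because the ACL itself survives and only its `access-group` binding needs restoring.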
