03-15-2016 11:00 PM - edited 03-12-2019 12:29 AM
We have an ASA 5580 in active-standby mode; all interfaces are gig interfaces. Due to high traffic on the inside interface, we want to bundle two ports for inside. The problem is that the device is in production and has more than around 400 lines of ACL under that inside interface, along with some static routes.
What troubles me :-
Please guide me for performing this activity on ASA.
Thanks,
Bhushit
03-16-2016 02:46 PM
You do not "need" to reload the ASA when configuring port-channels.
To configure the existing port into a port-channel you need to remove the nameif command from the interface. Removing this will also remove all other commands that reference this interface name.
This is not a good option as you will need to reload both the ASAs. I suggest copying the running config out, changing the interface configuration to have the port-channel, then copying it back to the primary ASA's running-config. This will give little to no downtime.
--
Please remember to select a correct answer and rate helpful posts
03-16-2016 09:59 PM
With restart, I was referring to that method of swapping the startup-config with the new configuration.
"I suggest copying the running config out, changing the interface configuration to have the port-channel, then copying it back to the primary ASA's running-config. This will give little to no downtime."
I didn't get you there. You mean that after removing nameif from an interface, creating the port-channel and putting nameif on it, I copy my running config into the console?
It will take a lot of time to paste the full config, as my current running config is very lengthy, with more than 20000 objects and more than 1000 rules.
What if I just copy the interface-related (nameif-related: routes and ACL) running config back?
Thanks again,
Bhushit
03-16-2016 11:51 PM
What I am suggesting is the following:
1. Copy the running configuration out to an FTP server:
    copy running-config ftp://username:password@<FTPSERVERIP
2. Edit the configuration with the following. Keep in mind that this is just an example and you should change the configuration to your needs and edit the relevant interface as well as adding in the new port-channel. It is important that you keep the exact same nameif, security-level, and IP that was on the interface you are moving to the port-channel.
    interface Gig0/1
     no nameif
     no security-level
     no ip add
     channel-group 1 mode on
    interface Gig0/2
     channel-group 1 mode on
     no shut
    interface po1
     security-level 100
     nameif inside
     ip add 10.10.10.1 255.255.255.0 standby 10.10.10.2
3. Save the file and copy it back to the ASA's running configuration:
    copy ftp://username:password@<FTPSERVERIP running-config
4. Check to see that the Primary ASA is still the Active ASA. Check to see that the configuration has been changed correctly and that traffic is flowing as normal.
5. Save the ASA configuration.
--
Please remember to select a correct answer and rate helpful posts
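A pre-flight check for the edited file in step 2 above, as an added example that is not part of the original thread: it compares the exported config with the edited copy and reports whether nameif, security-level and IP (including the standby address) moved unchanged to the port-channel, and whether global lines that reference the name, such as routes, are still present. The function names and sample configs are constructed for illustration, and the parser assumes the one-space indentation of an exported running-config.

```python
import re

def stanzas(text):
    """Map interface name -> its indented sub-commands (exported running-config layout)."""
    out, cur = {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            cur = out.setdefault(raw.split(None, 1)[1].strip(), [])
        elif cur is not None and raw.startswith(" "):
            cur.append(raw.strip())
        else:
            cur = None  # "!" or any global command closes the stanza
    return out

def l3(cmds):
    """nameif / security-level / ip address set in a stanza; 'no ...' lines never match."""
    found = (re.match(r"(nameif|security-level|ip add)\w*\s+(.+)", c) for c in cmds)
    return {m.group(1): " ".join(m.group(2).split()) for m in found if m}

def check_migration(before, after, name="inside"):
    """Problems found in the edited config; an empty list means every check passed."""
    old, new = stanzas(before), stanzas(after)
    src = [i for i, c in old.items() if l3(c).get("nameif") == name]
    dst = [i for i, c in new.items() if l3(c).get("nameif") == name]
    if len(src) != 1 or len(dst) != 1:
        return [f"need exactly one '{name}' interface: before={src} after={dst}"]
    problems = []
    if l3(old[src[0]]) != l3(new[dst[0]]):
        problems.append(f"L3 settings changed: {l3(old[src[0]])} -> {l3(new[dst[0]])}")
    if not dst[0].lower().startswith("po"):
        problems.append(f"'{name}' is on {dst[0]}, not a port-channel")
    for i, c in new.items():
        if any(x.startswith("channel-group ") for x in c) and l3(c):
            problems.append(f"member {i} still has nameif/security-level/ip")
    # Global lines (routes, access-group ...) that name the interface must survive the edit.
    pat = rf"\S.*\s{re.escape(name)}(\s|$)"
    refs = lambda t: sorted(l.rstrip() for l in t.splitlines() if re.match(pat, l))
    if refs(before) != refs(after):
        problems.append(f"global lines referencing '{name}' differ")
    return problems

# Constructed sample (not from a real device): config as exported, then as edited.
L3 = " nameif inside\n security-level 100\n ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2\n"
TAIL = "!\nroute inside 10.20.0.0 255.255.0.0 10.10.10.254 1\n"
BEFORE = "interface GigabitEthernet0/1\n" + L3 + TAIL
AFTER = ("interface GigabitEthernet0/1\n channel-group 1 mode on\n!\n"
         "interface GigabitEthernet0/2\n channel-group 1 mode on\n!\n"
         "interface Port-channel1\n" + L3 + TAIL)
if __name__ == "__main__":
    print(check_migration(BEFORE, AFTER) or "OK")
```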
03-16-2016 11:51 PM
Yeah got it !!
Thanks !!