Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
722
Views
3
Helpful
6
Replies

FTD Etherchannel/LACP question

Go to solution
Chess Norris
Level 4
Level 4

‎10-10-2025 09:30 AM

Hello,

 

I have a FTD 1010 in my home lab that's using 1 routed interface for outside and the rest of the interfaces are used as switchports on a VLAN that I use for the Inside. Now I also have a Synology NAS with two interfaces that can be bond together to a LACP interface.

On the FTD, I thought I could create an Etherchannel and put it in the same security zone as my VLAN interfaces (Inside Zone), but it seems that I need to create a separate Zon for the Etherchannel interface. Otherwise I got lots of warning about my NAT rules that  could not use multiple interfaces etc.

So what would be the best stratergi here? Create a new security zone and use the same NAT and access rules for this new zone? The Etherchannel interface must be on the same VLAN/IP subnet as my other interfaces. Otherwise I will not be able to connect to it.

Thanks

/Chess

 

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎10-10-2025 03:50 PM - edited ‎10-10-2025 04:37 PM

There are a lot of moving parts here so some additional info is needed. Below are a few questions / comments:

  1. You cannot configure the 1010 switchports in an EtherChannel. I am not sure if you were already aware but I figured I would mention it. There are some additional limitations which you can find here
  2. Is the the 1010 running in routed or transparent mode?
  3. Which device in your network is the L3 GW for the VLANs? I assume it is a VLAN interface on the 1010 but want to confirm.
  4. What does your NAT configuration look like?
  5. Can you share the exact error/warning that receive with regards to NAT

Thank you for rating helpful posts!

 

Thank you for rating helpful posts!

View solution in original post

6 Replies 6

Go to solution
Chess Norris
Level 4
Level 4

‎10-10-2025 10:16 AM

Here is a configuration from a Cisco switch that I want to replicate on the FTD if possible.

 

CISCO(config)#interface range Gi0/37 - 38
CISCO(config-if-range)#description SYNOLOGY
CISCO(config-if-range)#switchport mode access
CISCO(config-if-range)#switchport nonegotiate 
CISCO(config-if-range)#spanning-tree portfast
CISCO(config-if-range)#channel-group 3 mode active 

CISCO(config)#interface port-channel 3
CISCO(config-if)#description SYNOLOGY
CISCO(config-if)#switchport mode access
CISCO(config-if)#switchport nonegotiate

 

0 Helpful

Go to solution
nspasov
Cisco Employee
Cisco Employee

‎10-10-2025 03:50 PM - edited ‎10-10-2025 04:37 PM

There are a lot of moving parts here so some additional info is needed. Below are a few questions / comments:

  1. You cannot configure the 1010 switchports in an EtherChannel. I am not sure if you were already aware but I figured I would mention it. There are some additional limitations which you can find here
  2. Is the the 1010 running in routed or transparent mode?
  3. Which device in your network is the L3 GW for the VLANs? I assume it is a VLAN interface on the 1010 but want to confirm.
  4. What does your NAT configuration look like?
  5. Can you share the exact error/warning that receive with regards to NAT

Thank you for rating helpful posts!

 

Thank you for rating helpful posts!

Go to solution
Chess Norris
Level 4
Level 4
In response to nspasov

‎10-13-2025 02:23 AM - edited ‎10-13-2025 02:29 AM

@nspasov Thanks for answering. I think the issue is exactly what you say - That the 1010 lack support for using the switch ports in an EtherChannel.

Before, I had a C3560CX-8PC-S  handling this but unfortunately it died a while ago.

My FTD 1010 now serves as both a firewall, router and a switch and while it does a decent job, it's still primaly a firewall.

My company are a Cisco partner so I think I instead will get a C9200cx on NFR to replace my old 3560.

/Chess

Go to solution
nspasov
Cisco Employee
Cisco Employee
In response to Chess Norris

‎10-13-2025 06:12 PM

Most welcome! And yes, NFR is a great program to get your failed/aging gear replaced. 

Thank you for rating helpful posts!

 

Thank you for rating helpful posts!
0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to Chess Norris

‎10-14-2025 07:04 AM

@Chess Norris you are in good company- I use a 9200CX in my home lab that I also acquired via NFR. It's a nice little fanless switch that runs the latest IOS-XE. I also have an older 3560CX.

Lately I have been working through getting the 9200CX to work with TACACS over TLS with ISE 3.5. I run my ISE/FMC/FTDv etc. on a Proxmox server.

Go to solution
Chess Norris
Level 4
Level 4

‎10-13-2025 02:20 AM - edited ‎10-13-2025 02:25 AM

.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card