Hi All,

I am trying to figure out if we can multiple security zones on same etherchannel.

For example: inside & DMZ

We have 8 ports on the ASA(standalone) and was thinking to create either one of following.

1-  create 2 ports etherchannel for Inside zone and 2 port etherchannel for DMZ, keeping inside zone and DMZ separate.

      I will have to create multiple subinterfaces for multiple vlans such as user,voip,server.

      example for INSIDE port channel:    

      Interface Port-channel 1.1

      vlan 10

      nameif user

      security-level 100

      ip address x.x.x.x x.x.x.x.x

     Interface Port-channel 1.2

      vlan 20

      nameif Server

      security-level 100

      ip address x.x.x.x x.x.x.x.x

Similarly for port-channel 2 (DMZ) I will have to create multiple subinterfaces for multiple vlans such as DMZ, wireless etc

Interface Port-channel 2.1

      vlan 30

      nameif DMZ

      security-level 50

      ip address x.x.x.x x.x.x.x.x

Interface Port-channel 2.2

      vlan 40

      nameif wireless

      security-level 100

      ip address x.x.x.x x.x.x.x.x

2 - I can bundle up 4 physical ports into one port-channel and combine INSIDE and DMZ all in same port channel.

     Example:

Interface Port-channel 1.1

      vlan 10

      nameif user

      security-level 100

      ip address x.x.x.x x.x.x.x.x

Interface Port-channel 1.2

      vlan 30

      nameif DMZ

      security-level 50

      ip address x.x.x.x x.x.x.x.x

is it a best practice or should I keep the Zones in separate port-channels ? or keeping all in one port-channel ? any security concerns ?

Also we will be connecting additional firewall later infront of ASA 5525-X and that additional firewall will only be used for S2S VPN connections.