Please Help: ASA firewall Etherchannel

uzair.infotech · ‎02-12-2016

Please help me that the attached network diagram is correct. I am using two firewall in active/standby mode. Outside interface is using port-channel 12 with switch 3850 having ip address 10.181.11.1/24 standby ip 10.181.11.2. I have ISR 3925 router as Gateway router connected to ISP. Router interface G0/0 ip 10.181.11.3/24 is connected to switch 3850. Is this connectivity correct or not?

I didn't give any ip address on portchannel-12 at Switch 3850.

Best regards,

Uzair Hussain

Jon Marshall · ‎02-12-2016

As long as all the interfaces on the 3850 switch are in the same vlan then yes it should work fine.

You do not need to assign an IP for this to the 3850.

Jon

Marvin Rhoads · ‎02-12-2016

Jon if I understand the diagram correctly, I may differ with your answer.

The two ASAs cannot each have two interfaces on Po12. An etherchannel interface must have both ends on the same physical or logical device.

At the switch end it can be switch members in the same stack or in a VSS/VPC cluster.

At the ASA end it cannot be two ASAs in an HA pair. (It can be multiple ASAs in a cluster.)

Jon Marshall · ‎02-12-2016

Hi Marvin

You may differ and you would be absolutely correct 🙂

My mistake, for some reason I assumed different portchannels per ASA.

That is the second mistake I have made in two days in this forum, not good.

Thanks for correcting it.

Jon

Marvin Rhoads · ‎02-12-2016

You're welcome Jon. Thanks for the gracious acknowledgement.