Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
12538
Views
0
Helpful
5
Replies

subinterface with portchannel configuration in ASA 5525X

Muthukumar P
Level 1
Level 1

‎03-02-2017 09:19 AM - edited ‎03-12-2019 02:00 AM

Hi team,

          Is it possible sub-interface with port-channel configuration in ASA 5525x series? please confirm. suppose if possible please share the link for the same.

Thanks

Muthukumar

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Karsten Iwen
VIP
VIP

‎03-02-2017 09:53 AM

I have no link at the moment, but it is possible und a very common way to configure the ASA.

My typical setup is to have Etherchannels from the ASAs to the DMZ-switches and Etherchannels to the Core-switches. On both channels multiple subinterfaces are used as the firewall-interfaces.

For the outside switches I typically have redundant interfaces with one subinterface for each ISP.

0 Helpful

James Leinweber
Level 4
Level 4
In response to Karsten Iwen

‎03-06-2017 01:42 PM

On the switch side, configure trunks with nonegotiate, e.g.

interface Port-channel5
  switchport trunk encapsulation dot1q
  switchport trunk native vlan 998
  switchport trunk allowed vlan 1,999
  switchport mode trunk
  switchport nonegotiate

interface Gi1/0/5

 channel-group 5 mode active

  switchport trunk encapsulation dot1q
  switchport trunk native vlan 998
  switchport trunk allowed vlan 1,999
  switchport mode trunk
  switchport nonegotiate

interface Gi2/0/5

 channel-group 5 mode active

  switchport trunk encapsulation dot1q
  switchport trunk native vlan 998
  switchport trunk allowed vlan 1,999
  switchport mode trunk
  switchport nonegotiate

On the firewall physical interfaces, join the port channels:

interface GigabitEthernet0/1
 channel-group 5 mode active
 no nameif
 no security-level
 no ip address

interface GigabitEthernet0/5
 channel-group 5 mode active
 no nameif
 no security-level
 no ip address

On the firewall portchannel, specify lacp:

interface Port-channel5
 description Po5-TRK
 lacp max-bundle 8
 no nameif
 no security-level
 no ip address

On the firewall logical subinterfaces, specify the vlan:

interface Port-channel5.999
 vlan 999
 nameif some-vlan
 security-level 50
 ip address 192.0.2.33 255.255.255.0
 ipv6 address 2001:db8:0:2::33/64

-- Jim Leinweber, WI State Lab of Hygiene

0 Helpful

mmccrack3n
Level 1
Level 1
In response to James Leinweber

‎05-07-2019 06:54 AM

Not sure you want a native vlan on the switch side: the asa does not support it.

0 Helpful

Dennis Perto
Level 5
Level 5

‎03-02-2017 12:47 PM

As Karsten wrote. It is possible. First you make your etherchannels and then you configure your subinterfaces on this.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html#wp1343917

0 Helpful

SreeramLalitha4761
Level 1
Level 1
In response to Dennis Perto

‎08-22-2020 11:02 AM

ASA won't allow you to have ether channel on sub-interfaces. You will get the "channel-group <group-number> mode active" only under the physical interface. for example

 

ASA(config)# int e1
ASA(config-if)# no sh
ASA(config-if)# channel-group 10 mode active
INFO: security-level, delay and IP address are cleared on Ethernet1.

!

ASA(config-subif)# int e1
ASA(config-if)# no channel-group 10 mode active
ASA(config-if)# int e1.20
ASA(config-subif)# vlan 20

ASA(config-subif)# chan?

 

exec mode commands/options:
change-password
ASA(config-subif)# chan

 

As you can see, ASA wont give you an option to configure channel-group. 

 

Thanks 

Sreeram

sreeram.ccie@gmail.com

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card