BGP ECMP on Cisco ASA 5555-X

ammartalal
Level 1

I have multiple BGP sessions for an SDDC based on NSX-T; they are connected to a Cisco ASA 5555-X. We have 4 BGP connections for redundancy, as suggested by the NSX-T design team, but as I can see, traffic is coming in on one interface and leaving from the other. I have been asked by the NSX-T team to check whether ECMP is enabled on the ASA, but I couldn't find any resource that specifies a command to check the status of ECMP or enable it on the ASA.

Is it supposed to be enabled by default, or do I have to enable it somehow?

8 Replies

Giuseppe Larosa
Hall of Fame

Hello @ammartalal ,

under router bgp

you need

maximum-paths 4

as the default for BGP is 1.

However, being an ASA, there are some restrictions on how ECMP can work. It is a firewall first and a router second, so unless all 4 next-hops are reachable via the same named interface, I'm afraid you cannot achieve ECMP on all 4 eBGP sessions.

Hope to help

Giuseppe

Dear Giuseppe,

What do you mean by "the same named interface"? Is it the same physical interface, or same logical interface?

Thank you for your reply.

Hello @ammartalal ,

If you are using the classic ASA operating system, the name is the one given under the L3 interface, which can be a routed L3 interface or a logical interface.

How are the interfaces to the eBGP neighbors configured? Are they in a port-channel? Are they members of the same bridge group?

Are they independent, each with its own IP address?

Hope to help

Giuseppe

Dear Giuseppe,

>> How are the interfaces to the eBGP neighbors configured? Are they in a port-channel? Are they members of the same bridge group?

>> Are they independent, each with its own IP address?

The interfaces are sub-interfaces of the same port-channel, each with its own /30 IP address range. They are not in the same bridge group.

The interfaces configuration on my side is as below: 

interface port-channel1.422
 security-level 100
 ip address xxx.xxx.2.25 255.255.255.252

interface Port-channel1.423
 security-level 100
 ip address xxx.xxx.2.29 255.255.255.252

interface Port-channel1.424
 security-level 100
 ip address xxx.xxx.2.33 255.255.255.252

interface Port-channel1.425
 security-level 100
 ip address xxx.xxx.2.37 255.255.255.252

The interfaces configuration on the NSX-T side is as below:

interface port-channel1.422
 ip address xxx.xxx.2.26 255.255.255.252

interface Port-channel1.423
 ip address xxx.xxx.2.30 255.255.255.252

interface Port-channel1.424
 ip address xxx.xxx.2.34 255.255.255.252

interface Port-channel1.425
 ip address xxx.xxx.2.38 255.255.255.252

If I have to use a single interface (port-channel1.422 for example), how can I add multiple IP addresses to the same interface?

Hello @ammartalal ,

Verify what happens when you modify the maximum-paths under router bgp.

If you see 4 paths installed and used, you are fine.

>>If I have to use a single interface (port-channel1.422 for example), how can I add multiple IP addresses to the same interface?

You have to verify with people managing the NSX if they can use a single wider subnet for their side.

But again this is needed only if ECMP does not work with different interfaces on ASA.

Hope to help

Giuseppe

Hello @Giuseppe Larosa 

The maximum paths are already set at 4, and I can see the below output when I execute "show bgp 172.28.10.10", where 172.28.10.0/24 is a subnet advertised on all 4 BGP peers.

BGP routing table entry for 172.28.10.0/24, version 386
Paths: (4 available, best #4, table default)
Multipath: eBGP
  Not advertised to any peer
  65001
    172.26.2.26 from 172.26.2.26 (172.26.2.26)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath
  65001
    172.26.2.34 from 172.26.2.34 (172.26.2.26)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath
  65001
    172.26.2.38 from 172.26.2.38 (172.26.2.38)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath
  65001
    172.26.2.30 from 172.26.2.30 (172.26.2.38)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath, best

Does the above prove that ECMP is working or not?

The people managing NSX have no issue with a wider subnet, but is it possible to have multiple IP addresses on the same interface on the ASA?

Hello @ammartalal ,

>> Do the above prove ECMP is working or not?

For a standard router it would be enough, as the multipath attribute is there to demonstrate that maximum-paths 4 is effective.

The ASA being a stateful firewall, there might be some limitations on how ECMP can work.

Can you post a show version so that we can see what version of the ASA OS is running on the device?

Hope to help

Giuseppe
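
As an added illustration (not part of the thread and not Cisco tooling): a short Python parser that reads the show bgp output pasted above, counts the paths flagged multipath against the configured maximum-paths value, and lists the distinct advertising router IDs. On that output it reports 4 multipath paths from 2 router IDs, which confirms the control-plane side of ECMP; as the reply notes, it says nothing about how the stateful ASA data plane actually spreads flows across the interfaces.

```python
import re
from collections import namedtuple

# Constructed sample input: the "show bgp 172.28.10.10" output pasted earlier in the thread.
SHOW_BGP = """BGP routing table entry for 172.28.10.0/24, version 386
Paths: (4 available, best #4, table default)
Multipath: eBGP
  Not advertised to any peer
  65001
    172.26.2.26 from 172.26.2.26 (172.26.2.26)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath
  65001
    172.26.2.34 from 172.26.2.34 (172.26.2.26)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath
  65001
    172.26.2.38 from 172.26.2.38 (172.26.2.38)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath
  65001
    172.26.2.30 from 172.26.2.30 (172.26.2.38)
      Origin incomplete, metric 0, localpref 100, valid, external, multipath, best
"""

# One record per path: AS_PATH line, next hop, advertising router ID, attribute flags
Path = namedtuple("Path", "as_path next_hop router_id flags")

def parse_show_bgp(text):
    # Each path is three lines: AS_PATH, "<nh> from <peer> (<router-id>)", then the flags
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    paths = []
    for i, line in enumerate(lines):
        m = re.match(r"(\S+) from (\S+) \((\S+)\)$", line)
        if m and i + 1 < len(lines):
            flags = tuple(f.strip() for f in lines[i + 1].split(","))
            paths.append(Path(lines[i - 1], m.group(1), m.group(3), flags))
    return paths

def ecmp_check(text, maximum_paths):
    # Compare the RIB view with the value configured under router bgp (maximum-paths N)
    paths = parse_show_bgp(text)
    multipath = [p for p in paths if "multipath" in p.flags]
    best = [p for p in paths if "best" in p.flags]
    return {
        "paths": len(paths),
        "multipath": len(multipath),
        # every eligible path carries the multipath flag, capped by maximum-paths
        "ecmp_effective": len(multipath) > 1 and len(multipath) == min(len(paths), maximum_paths),
        "best_next_hop": best[0].next_hop if best else None,
        # distinct router IDs: how many BGP speakers actually sit behind the sessions
        "router_ids": sorted({p.router_id for p in multipath}),
    }
```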

Cisco Adaptive Security Appliance Software Version 9.13(1)
SSP Operating System Version 2.7(1.107)
Device Manager Version 7.14(1)

Compiled on Mon 23-Sep-19 09:38 PDT by builders
System image file is "disk0:/asa9-13-1-smp-k8.bin"
Config file at boot was "startup-config"

ASA up 34 days 18 hours

Hardware:   ASA5555, 16384 MB RAM, CPU Lynnfield 2800 MHz, 1 CPU (8 cores)
            ASA: 8792 MB RAM, 1 CPU (2 cores)
Internal ATA Compact Flash, 8192MB
BIOS Flash MX25L6445E @ 0xffbb0000, 8192KB

Encryption hardware device : Cisco ASA Crypto on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 1
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4


 0: Int: Internal-Data0/0    : address is f80b.cb28.17df, irq 11
 1: Ext: GigabitEthernet0/0  : address is f80b.cb28.17e4, irq 5
 2: Ext: GigabitEthernet0/1  : address is f80b.cb28.17e0, irq 5
 3: Ext: GigabitEthernet0/2  : address is f80b.cb28.17e5, irq 10
 4: Ext: GigabitEthernet0/3  : address is f80b.cb28.17e1, irq 10
 5: Ext: GigabitEthernet0/4  : address is f80b.cb28.17e6, irq 5
 6: Ext: GigabitEthernet0/5  : address is f80b.cb28.17e2, irq 5
 7: Ext: GigabitEthernet0/6  : address is f80b.cb28.17e7, irq 10
 8: Ext: GigabitEthernet0/7  : address is f80b.cb28.17e3, irq 10
 9: Int: Internal-Data0/1    : address is 0000.0001.0002, irq 0
10: Int: Internal-Control0/0 : address is 0000.0001.0001, irq 0
11: Int: Internal-Data0/2    : address is 0000.0001.0003, irq 0
12: Ext: Management0/0       : address is f80b.cb28.17df, irq 0
13: Int: Internal-Data0/3    : address is 0000.0100.0001, irq 0

Licensed features for this platform:
Maximum Physical Interfaces       : Unlimited      perpetual
Maximum VLANs                     : 500            perpetual
Inside Hosts                      : Unlimited      perpetual
Failover                          : Active/Active  perpetual
Encryption-DES                    : Enabled        perpetual
Encryption-3DES-AES               : Enabled        perpetual
Security Contexts                 : 2              perpetual
Carrier                           : Disabled       perpetual
AnyConnect Premium Peers          : 5000           perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 5000           perpetual
Total VPN Peers                   : 5000           perpetual
AnyConnect for Mobile             : Enabled        perpetual
AnyConnect for Cisco VPN Phone    : Enabled        perpetual
Advanced Endpoint Assessment      : Enabled        perpetual
Shared License                    : Disabled       perpetual
Total TLS Proxy Sessions          : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
IPS Module                        : Disabled       perpetual
Cluster                           : Enabled        perpetual
Cluster Members                   : 2              perpetual

This platform has an ASA5555 VPN Premium license.

Serial Number: FCH2103J3MP
Running Permanent Activation Key: 0xa008d671 0xacd17a69 0x3dc3dd68 0xc4101c70 0x0b04e7ba
Configuration register is 0x1

Image type          : Release
Key version         : A

Configuration last modified by xxxx at 09:57:25.950 AST Thu Aug 12 2021

This is the output of the show version.

Best regards,