Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
902
Views
2
Helpful
6
Replies

Portchannel between Router and Firewall

Go to solution
cemrecanaltinel
Level 1
Level 1

‎12-04-2023 04:12 AM - edited ‎12-04-2023 04:13 AM

In my scenario, I have a Cisco router and a firepower firewall. I want to provide line redundancy between these two devices. In the current situation, the router and the firewall are connected to each other via an ineterface, I gave the IP address of router gig 0/0/2 192.168.40.100/24 and I gave the Ethernet 1/2 interface 192.168.40.200/24 ip in the firewall and there are 2 static routes routed to the  in my router,and these routes routed the firewall ip address.these are ip route 192.168.90.0 255.255.255.0 192.168.40.200, 192.168.80.0 255.255. 255.0 192.168.40.200.If I want to line redundancy between tow devices, Should I apply port channel on both devices to ensure line redundancy? For example, if I apply Gigi 1/0/3 for the router and Ethernet 1/3 for the firewall, should I write a route with a high administrative distance value for my existing routes? If something happens to my line between gigi1/0/2 and ethernet 1/2, will the packets of 192.168.90.0 and 192.168.80.0 be directed to the new route?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to cemrecanaltinel

‎12-04-2023 07:09 AM

You can do PO between fw and sw.

This for l2

interface GigabitEthernet0/0
 channel-group 10 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
channel-group 10 mode active
 no nameif
 no security-level
 no ip address

 Then add IP to PO to make PO l3 

interface Port-channel10
 nameif INSIDE
 security-level 100
 ip address 192.168.99.1 255.255.255.0
 lacp max-bundle 8
 port-channel min bundle 2
 port-channel load-balance src-dst-ip

MHM

View solution in original post

6 Replies 6

Go to solution
marce1000
VIP
VIP

‎12-04-2023 06:06 AM

 

  - In essence a port-channel offers only layer 2 connection redundancy ; for routing (layer 3) redundancies look into issues such as policy based routing or firewall high availability solutions (clusters) offered by vendors (e.g.)

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '
0 Helpful

Go to solution
cemrecanaltinel
Level 1
Level 1
In response to marce1000

‎12-04-2023 06:17 AM

But  how can that possible , there are configurations for layer 3 etherchannel both on the internet and in Cisco packet tracer. For example, I am sharing 2 inks about this, isn't layer 3 redundancy done in the 2 links?                   https://www.thenetworkdna.com/2022/06/port-channel-on-cisco-catalyst-8300.html     https://www.cisco.com/c/en/us/td/docs/routers/access/1900/software/configuration/guide/Software_Configuration/etherchannel.pdf                                                                                                                                                                                                     

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to cemrecanaltinel

‎12-04-2023 07:09 AM

You can do PO between fw and sw.

This for l2

interface GigabitEthernet0/0
 channel-group 10 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
channel-group 10 mode active
 no nameif
 no security-level
 no ip address

 Then add IP to PO to make PO l3 

interface Port-channel10
 nameif INSIDE
 security-level 100
 ip address 192.168.99.1 255.255.255.0
 lacp max-bundle 8
 port-channel min bundle 2
 port-channel load-balance src-dst-ip

MHM

Go to solution
cemrecanaltinel
Level 1
Level 1
In response to MHM Cisco World

‎12-04-2023 08:02 AM - edited ‎12-04-2023 08:02 AM

thank for your solution its so good for me,just May I learn ,what do you use  this command,if I use it ,what does it benefit ?

lacp max-bundle 8 port-channel min bundle 2 port-channel load-balance src-dst-ip

 

0 Helpful

Go to solution
Turn2
Level 1
Level 1

‎12-04-2023 12:20 PM - last edited on ‎12-07-2023 01:32 AM by Community Manager

That command is defining the minimum and maximum number of physical links allowed in the particular port-channel, plus the method the switch uses to balance the traffic across the physical interfaces.

If you have more physical links in your port-channel than the maximum specified, the other's will act as hot-standbys. The ideal load-balancing method to use will be case-by-case depending on the traffic flows on your network. For example, if you have all clients talking to one server, using

dst-ip

would be a terrible choice since all inbound traffic would use just a single physical interface. Depending on the switch model and firmware, the default method, and optional methods will vary, but it's generally either source MAC or source-dest MAC.

Go to solution
cemrecanaltinel
Level 1
Level 1
In response to Turn2

‎12-05-2023 12:14 AM - last edited on ‎12-07-2023 01:33 AM by Community Manager

Which one is better for me

src-dst ip or src-dst mac

My connection is between router and firewall and I have some route from router to firewall so which one is more effective and secure for me ?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card