Solved: Port-channel on ASA

krzysztofmaciejewskiit · ‎09-01-2024

The pings do not go through the Port-channel. VLANs are configured. Without the Port-channel, the ping passes correctly. Devices are directly connected.

ASA config:
interface GigabitEthernet1/3
channel-group 1 mode active
!
interface Port-channel10.1
vlan 987
nameif TEST
security-level 100
ip address 192.168.0.10 255.255.255.0

Switch config:
interface Port-channel1
switchport access vlan 987
switchport mode access
!
interface FastEthernet0/3
description to ASA-PO
switchport access vlan 987
switchport mode access
channel-group 1 mode active

=================================== SHOW OUTPUT ========================================

ASA# show lacp neighbor

ASA# show port-channel summary

Switch:

MHM Cisco World · ‎09-01-2024

interface Port-channel1
switchport trunk native vlan 987 <<- remove this

Switchport trunk allow vlan 987 <<- add this
switchport mode trunk
!
interface FastEthernet0/3
description to ASA-PO
switchport trunk native vlan 987 <<- remove this
switchport mode trunk

Switchport trunk allow vlan 987 <<- add this
channel-group 1 mode active

View solution in original post

marce1000 · ‎09-01-2024

- Can other traffic go through the port-channel ?
- What error do you get for the pings ?

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

krzysztofmaciejewskiit · ‎09-01-2024

ASA# ping TEST 192.168.0.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.11, timeout is 2 seconds:
?????

PO-TEST#ping
Protocol [ip]:
Target IP address: 192.168.0.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.11
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.11
.....
Success rate is 0 percent (0/5)

MHM Cisco World · ‎09-01-2024

First check vlan in SW

Second since you use subinterface then the traffic is tag and hence you can not use PO access mode in SW

You need to change of PO from access to trunk and allow vlan in trunk

MHM

krzysztofmaciejewskiit · ‎09-01-2024

I made the changes on the Switch. There is still a problem. I'm running debug on Switch and when I ping from ASA specifying source zone:
*Mar 3 00:30:55.897: ICMP: echo reply sent, src 192.168.0.11, dst 192.168.0.10, topology BASE, dscp 0 topoid 0

VLAN:

interface Port-channel1
switchport trunk native vlan 987
switchport mode trunk
!
interface FastEthernet0/3
description to ASA-PO
switchport trunk native vlan 987
switchport mode trunk
channel-group 1 mode active

MHM Cisco World · ‎09-01-2024

interface Port-channel1
switchport trunk native vlan 987 <<- remove this

Switchport trunk allow vlan 987 <<- add this
switchport mode trunk
!
interface FastEthernet0/3
description to ASA-PO
switchport trunk native vlan 987 <<- remove this
switchport mode trunk

Switchport trunk allow vlan 987 <<- add this
channel-group 1 mode active

krzysztofmaciejewskiit · ‎09-01-2024

It works, but doesn't the “switchport mode trunk” command pass all VLANs? Great to know that I have to do it this way, but now I'm a little confused.

MHM Cisco World · ‎09-01-2024

What point confuse you?

MHM

krzysztofmaciejewskiit · ‎09-01-2024

I thought the “switchport mode trunk” command allowed all VLANs by default. I'm curious, why do we have to explicitly type “switchport trunk allow vlan 987”?
I even added the “switchport trunk allow vlan all” command before you said to add the “switchport trunk allow vlan 987” directly and it didn't work.

MHM Cisco World · ‎09-01-2024

Ok' this not effect config what is effect config is

switchport trunk native vlan 987 <<- remove this

You are correct

Switchport mode trunk <<- allow all vlan' but I suggest

switchport trunk allow vlan 987 <<- only to allow one vlan in this trunk' since you use one subinterface in asa.

MHM

krzysztofmaciejewskiit · ‎09-01-2024

You are right, “switchport trunk native vlan 987” was the problem. As for allowing one VLAN, I realize that we should only let go of the required VLANs, but I'm in a lab environment, so I took a shortcut
That is, the problem first turned out to be “switchport mode access” and then “switchport trunk native vlan 987”, because ASA was expecting tagged traffic and I was sending untagged traffic. Am I right?

MHM Cisco World · ‎09-01-2024

Totally right friend

MHM

krzysztofmaciejewskiit · ‎09-01-2024

This is not the first time you have helped me and then explained. Thank you.