Thanks for your reply Sharifi,

Yes, Both ASAs are configured in Active/stand by mode..

Then you should not have any loop since the bundle logically acts as one link and only one of the ASA is forwarding.

can you post the router portchannel config and also sh etherc summ?

HTH

Hi Sharifi,

Ether summary is blank for the router, but I have configured it.

While configure channel group in Router interface, I can choose only the Po No, but I am not able select the mode active/on

Pls check the configuration in below.

Router Interface config:

interface FastEthernet0/0/0
no ip address
duplex full
speed 100
channel-group 5

interface FastEthernet0/0/1
no ip address

duplex full
speed 100
channel-group 5

interface Port-channel5

ip address 192.168.10.1 255.255.255.0

sh etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        R - Layer3      S - Layer2
        U - in use
Group Port-channel  Ports
-----+------------+-----------------------------------------------------------

Firewall -Primary config:

interface Ethernet0/0

description *****- Connected from Internet Firewall-*****

channel-group 5 mode on

speed 100

duplex full

no nameif

no security-level

no ip address

Firewall -Secondary config:

interface Ethernet0/0

description *****- Connected from Internet Firewall-*****

channel-group 5 mode on

speed 100

duplex full

no nameif

no security-level

no ip address

sh port-channel summ

Flags:  D - down        P - bundled in port-channel

        I - stand-alone s - suspended

        H - Hot-standby (LACP only)

        U - in use      N - not in use, no aggregation/nameif

        M - not in use, no aggregation due to minimum links not met

        w - waiting to be aggregated

Number of channel-groups in use: 2

Group  Port-channel  Protocol    Ports

------+-------------+-----------+-----------------------------------------------

5      Po5(U)             -      Et0/0(P)

Kindly suggest on it..

Thanks in advance.

Thanks for your reply Pille,

Is any alternative design for the requirement, I don't want to put one L2 switch in between the router and firewall.
Kindly suggest any other design plan for the same.

A typical design without a L2 switch inbetween would be a square built like this:

ASA----ASA

|           |

R1--------R2

This design requires the Routers to use VLANs and VLAN-interfaces or at least bridge-groups.

If you have only 1 Router at hand just use a single link to each ASA and again use a bridge-group and BVI.

Regards

Pille

Hi Pille,

To create a Bridge-group, I need L2 switch right?, to connect the router and both ASA firewalls.

I want to avoid L2 switch in between Router and Firewall, because It may be PoF (Point of Failover).

If my understand is wrong, kindly explain clearly pls..

Thanks & Regards,

Saravanan

While a setup with L2 switches would be my prefered design you don't necessarily need them.

A Config example for a bridge group  would look like this:

bridge irb
bridge 1 protocol ieee
bridge 1 route ip
interface Gi0/1
bridge-group 1
interface Gi0/2
bridge-group 1
interface BVI1
ip address 192.168.10.1 255.255.255.0

I'm not familiar with 2921 but I believe it should support that as well.

Regards

Pille

Thanks Pille for your reply.

I was in vacation, So I am not able to reply it.

I will try the solution, because I heard the IRB technology newly.
Surely I will come to you next day..

Regards,

Saravanan

Hi Mohammed,

I was planned to do portchannel for a single router with two interface of the routers.
I agree, if we want to do portchannel on the switches, it should be stacked mode, then only the Portchannel will effective.

Another thing is, I am using the two firewalls as Active/standby mode through Failover cable. So It will act as a single firewall only. I can't split the port channel for the both Firewalls.

I was tried to do Portchannel on the router interface, but no luck. The configurations are attached in above.