Network Guys

Link Aggregation with Cisco ASA

Interesting project that I got some days ago: I need to connect a Cisco ASA redundantly, with VLAN tag support, to an HP switch cluster (clustered with the IRF protocol). I configured a bridge-aggregation interface on the HP 5920AF-24XG like this (the VLANs were already configured):

interface Bridge-Aggregation1
description Link to Cisco ASA

interface Ten-GigabitEthernet1/0/8
port link-aggregation group 1

interface Ten-GigabitEthernet2/0/8
port link-aggregation group 1

interface Bridge-Aggregation1
description Link to Cisco ASA
port link-type hybrid
port hybrid vlan 1 23 tagged

Configuring Ten-GigabitEthernet1/0/8 done.
Configuring Ten-GigabitEthernet2/0/8 done.

After this I saved the current Cisco ASA configuration to flash and to my TFTP server. You can't configure port-channeling on ports that are already in use, nor can you move an interface name (like "inside") directly to another interface: the interface name is referenced by so many configuration parameters, such as firewall rules and VPN settings. So I saved the running configuration, edited it with a text editor, copied it from the TFTP server to the startup-config and reloaded the device. Never do this remotely; please connect a serial cable to the Cisco ASA and make these changes via the console. At startup you can see directly if commands are not recognized, and you don't need network access.

I took the first two interfaces because they have full gigabit support (Cisco ASA 5510). I first created the Port-Channel:

interface Port-channel1
description Link-Aggregation
no nameif
no security-level
no ip address

Then I assigned the interfaces to this port-channel:

interface Ethernet0/0
channel-group 1 mode on
no nameif
no security-level
no ip address

interface Ethernet0/1
channel-group 1 mode on
no nameif
no security-level
no ip address

Now we can configure sub-interfaces for our VLAN-tagged interfaces. The sub-interface number isn't the VLAN tag number, but I would recommend setting them equal for your own harmony :)

interface Port-channel1
description Link-Aggregation
no nameif
no security-level
no ip address

interface Port-channel1.1
vlan 1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

interface Port-channel1.23
vlan 23
nameif dmz
security-level 75
ip address 192.168.23.1 255.255.255.0

You can now check on both devices whether the aggregation is working. Example HP stack:

[IRF1]display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
        D -- Synchronization, E -- Collecting, F -- Distributing,
        G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  XGE1/0/8         S       32768    4
  XGE2/0/8         S       32768    4
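
A small parser and health check for the HP output above, written as an added example (not part of the original post or of any vendor tool). It assumes the Comware output format shown here, constructs a sample in which the second link has gone Unselected, and also flags a bundle whose member ports all sit on the same IRF chassis, since that would silently lose the redundancy this setup is built for.

```python
import re

# Constructed sample modelled on the "display link-aggregation verbose" output
# above; the second port is marked Unselected so the check has something to report.
SAMPLE = """\
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
  Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
  XGE1/0/8         S       32768    4
  XGE2/0/8         U       32768    4
"""

AGG_RE = re.compile(r"Aggregate Interface:\s*(\S+)")
MODE_RE = re.compile(r"Aggregation Mode:\s*(\S+)")
MEMBER_RE = re.compile(r"(\S+)\s+([SU])\s+(\d+)\s+(\d+)$")  # port status prio key

def parse_link_aggregation(text):
    """Return {aggregate: {"mode": str, "members": {port: status}}}."""
    aggregates, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := AGG_RE.match(line):
            current = aggregates.setdefault(m.group(1), {"mode": "", "members": {}})
        elif (m := MODE_RE.match(line)) and current is not None:
            current["mode"] = m.group(1)
        elif (m := MEMBER_RE.match(line)) and current is not None:
            current["members"][m.group(1)] = m.group(2)
    return aggregates

def irf_member(port):
    """Chassis number from an IRF port name, e.g. XGE2/0/8 -> 2."""
    m = re.search(r"(\d+)/\d+/\d+$", port)
    return int(m.group(1)) if m else None

def check_aggregates(aggregates, expected_members=2):
    """Return findings; empty means every bundle is up and spans two IRF members."""
    findings = []
    for name, agg in aggregates.items():
        members = agg["members"]
        if len(members) != expected_members:
            findings.append(f"{name}: {len(members)} member ports, expected {expected_members}")
        for port, status in members.items():
            if status != "S":
                findings.append(f"{name}: {port} is Unselected (not forwarding)")
        if len({irf_member(p) for p in members}) < 2:
            findings.append(f"{name}: all member ports on one IRF chassis, no redundancy")
    return findings
```

Feed it the saved output of the command (for example from a scheduled SSH job) and alert on a non-empty findings list.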

Example Cisco ASA:

ASA5510# show port-channel
Channel-group listing:
----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 2   Maxports = 16
Port-channels: 1   Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip

There are several options for load balancing:

ASA5510(config-if)# port-channel load-balance ?

interface mode commands/options:
dst-ip Dst IP Addr
dst-ip-port Dst IP Addr and TCP/UDP Port
dst-mac Dst Mac Addr
dst-port Dst TCP/UDP Port
src-dst-ip Src XOR Dst IP Addr
src-dst-ip-port Src XOR Dst IP Addr and TCP/UDP Port
src-dst-mac Src XOR Dst Mac Addr
src-dst-port Src XOR Dst TCP/UDP Port
src-ip Src IP Addr
src-ip-port Src IP Addr and TCP/UDP Port
src-mac Src Mac Addr
src-port Src TCP/UDP Port
vlan-dst-ip Vlan, Dst IP Addr
vlan-dst-ip-port Vlan, Dst IP Addr and TCP/UDP Port
vlan-only Vlan
vlan-src-dst-ip Vlan, Src XOR Dst IP Addr
vlan-src-dst-ip-port Vlan, Src XOR Dst IP Addr and TCP/UDP Port
vlan-src-ip Vlan, Src IP Addr
vlan-src-ip-port Vlan, Src IP Addr and TCP/UDP Port

You can find more information here.
