Link Aggregation with Cisco ASA

Interesting project that I got a few days ago: I needed to connect a Cisco ASA redundantly to an HP switch cluster (clustered with the IRF protocol) with VLAN tag support. I configured a bridge-aggregation interface on the HP 5920AF-24XG like this (the VLANs were already configured):

interface Bridge-Aggregation1
description Link to Cisco ASA

interface Ten-GigabitEthernet1/0/8
port link-aggregation group 1

interface Ten-GigabitEthernet2/0/8
port link-aggregation group 1

interface Bridge-Aggregation1
description Link to Cisco ASA
port link-type hybrid
port hybrid vlan 1 23 tagged

Configuring Ten-GigabitEthernet1/0/8 done.
Configuring Ten-GigabitEthernet2/0/8 done.

After this I saved the current Cisco ASA configuration to flash and to my TFTP server. You can't configure port-channeling on ports that are already in use, and you can't move an interface name (like "inside") directly to another interface, because the interface name is referenced by many other configuration parameters such as firewall and VPN settings. So I saved the running configuration, edited it with a text editor, copied it from the TFTP server to the startup-config and reloaded the device. Never do this remotely; connect a serial cable to the Cisco ASA and make these changes via the console. At startup you see immediately if commands are not recognized, and you don't need network access.

I took the first two interfaces because they have full gigabit support (Cisco ASA 5510). First I created the Port-Channel:

interface Port-channel1
description Link-Aggregation
no nameif
no security-level
no ip address

Then I assigned the interfaces to this port-channel. "mode on" means static bundling without LACP, so it has to match the static Bridge-Aggregation configured on the HP side:

interface Ethernet0/0
channel-group 1 mode on
no nameif
no security-level
no ip address

interface Ethernet0/1
channel-group 1 mode on
no nameif
no security-level
no ip address

Now we can configure sub-interfaces for our VLAN-tagged interfaces. The sub-interface number isn't the VLAN tag number, but I would recommend setting them equal for your own harmony 🙂

interface Port-channel1
description Link-Aggregation
no nameif
no security-level
no ip address

interface Port-channel1.1
vlan 1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0

interface Port-channel1.23
vlan 23
nameif dmz
security-level 75
ip address 192.168.23.1 255.255.255.0

You can now check on both devices whether the aggregation is working. Example on the HP stack:

[IRF1]display link-aggregation verbose
Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags: A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
D -- Synchronization, E -- Collecting, F -- Distributing,
G -- Defaulted, H -- Expired

Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port Status Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/8 S 32768 4
XGE2/0/8 S 32768 4

Example Cisco ASA:

ASA5510# show port-channel
Channel-group listing:
-----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: ON
Minimum Links: 1
Load balance: src-dst-ip
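Checking both listings by eye works for one pair of devices; for recurring verification it helps to compare them mechanically. The following Python script is an added example, not part of the original post: it parses constructed samples modelled on the "display link-aggregation verbose" and "show port-channel" output above, plus the VLAN lines from both configs, and reports when the bundling modes disagree (static "mode on" against LACP), when a member port is not Selected, or when an ASA sub-interface uses a VLAN that is not tagged on the HP aggregation.

```python
import re

# Constructed samples modelled on the listings in this post (not captured from real devices).
HP_VERBOSE = """\
Aggregate Interface: Bridge-Aggregation1
Aggregation Mode: Static
Loadsharing Type: Shar
Port             Status  Priority Oper-Key
--------------------------------------------------------------------------------
XGE1/0/8         S       32768    4
XGE2/0/8         U       32768    4
"""
HP_CONFIG = "port hybrid vlan 1 23 tagged"
ASA_SHOW = "Group: 1\nPorts: 2 Maxports = 16\nProtocol: ON\nMinimum Links: 1\n"
ASA_CONFIG = "interface Port-channel1.1\n vlan 1\ninterface Port-channel1.23\n vlan 23\ninterface Port-channel1.42\n vlan 42\n"

def hp_member_status(verbose):
    """Map member port -> Status letter (S = Selected, U = Unselected) from 'display link-aggregation verbose'."""
    return dict(re.findall(r"^(\S+)\s+([SU])\s+\d+\s+\d+\s*$", verbose, re.M))

def hp_tagged_vlans(config):
    """VLAN IDs tagged on the HP aggregation ('port hybrid vlan ... tagged')."""
    m = re.search(r"port hybrid vlan\s+([\d\s]+?)\s+tagged", config)
    return {int(v) for v in m.group(1).split()} if m else set()

def asa_subinterface_vlans(config):
    """VLAN IDs used by ASA Port-channel sub-interfaces ('vlan N')."""
    return {int(v) for v in re.findall(r"^\s*vlan\s+(\d+)", config, re.M)}

def check_bundle(hp_verbose, hp_config, asa_show, asa_config):
    """Return a list of findings; an empty list means both sides agree."""
    findings = []
    # 'channel-group N mode on' is static bundling; the HP side must be Static too, not LACP (Dynamic)
    hp_mode = re.search(r"Aggregation Mode:\s*(\w+)", hp_verbose).group(1)
    asa_proto = re.search(r"Protocol:\s*(\w+)", asa_show).group(1)
    if (hp_mode.lower() == "static") != (asa_proto.upper() == "ON"):
        findings.append(f"bundling mode mismatch: HP={hp_mode}, ASA={asa_proto}")
    # a member that is not Selected carries no traffic, so the "redundant" link is not redundant
    for port, status in hp_member_status(hp_verbose).items():
        if status != "S":
            findings.append(f"HP member {port} is not Selected (status {status})")
    # every VLAN the ASA expects on a sub-interface must be tagged on the HP aggregation
    missing = asa_subinterface_vlans(asa_config) - hp_tagged_vlans(hp_config)
    if missing:
        findings.append(f"VLANs on ASA sub-interfaces but not tagged on HP: {sorted(missing)}")
    return findings

if __name__ == "__main__":
    for f in check_bundle(HP_VERBOSE, HP_CONFIG, ASA_SHOW, ASA_CONFIG) or ["bundle looks consistent"]:
        print(f)
```

With the constructed samples the script reports the Unselected member XGE2/0/8 and VLAN 42, which the ASA uses but the HP side does not tag.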

There are several options for load balancing:

ASA5510(config-if)# port-channel load-balance ?

interface mode commands/options:
dst-ip Dst IP Addr
dst-ip-port Dst IP Addr and TCP/UDP Port
dst-mac Dst Mac Addr
dst-port Dst TCP/UDP Port
src-dst-ip Src XOR Dst IP Addr
src-dst-ip-port Src XOR Dst IP Addr and TCP/UDP Port
src-dst-mac Src XOR Dst Mac Addr
src-dst-port Src XOR Dst TCP/UDP Port
src-ip Src IP Addr
src-ip-port Src IP Addr and TCP/UDP Port
src-mac Src Mac Addr
src-port Src TCP/UDP Port
vlan-dst-ip Vlan, Dst IP Addr
vlan-dst-ip-port Vlan, Dst IP Addr and TCP/UDP Port
vlan-only Vlan
vlan-src-dst-ip Vlan, Src XOR Dst IP Addr
vlan-src-dst-ip-port Vlan, Src XOR Dst IP Addr and TCP/UDP Port
vlan-src-ip Vlan, Src IP Addr
vlan-src-ip-port Vlan, Src IP Addr and TCP/UDP Port

You can find more information here.
