ASA 8.4x – Redundant Interfaces and Port-Channel configurations

Posted: October 6, 2013 in Cisco Security - Firewalls

!-- Make sure all interfaces are not in shutdown state and enter redundant and port-channel commands.

ASA1(config)# int eth0/0
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config-if)# int et0/2
ASA1(config-if)# channel-group 1 mode active
ASA1(config-if)# no shut

ASA1(config)# int port-channel 1
ASA1(config-if)# nameif outside
ASA1(config-if)# ip address 160.60.0.12 255.255.255.0

ASA1(config)# int redundant 1
ASA1(config-if)# member-interface eth0/1
ASA1(config-if)# member-interface eth0/3
ASA1(config-if)# nameif inside
ASA1(config-if)# ip address 20.0.0.12 255.255.255.0
ASA1(config-if)# no shut

!-- Show run
interface Ethernet0/0
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/1
no nameif
no security-level
no ip address

interface Ethernet0/2
channel-group 1 mode active
no nameif
no security-level
no ip address

interface Ethernet0/3
no nameif
no security-level
no ip address

interface Management0/0
shutdown
no nameif
no security-level
no ip address

interface Redundant1
member-interface Ethernet0/1
member-interface Ethernet0/3
nameif inside
security-level 100
ip address 20.0.0.12 255.255.255.0

interface Port-channel1
nameif outside
security-level 0
ip address 160.60.0.12 255.255.255.0

!-- Configure routing
ASA1(config)# router ospf 1
ASA1(config-router)# network 20.0.0.0 255.255.255.0 area 1
ASA1(config-router)# network 160.60.0.0 255.255.255.0 area 0
ASA1(config-router)# log-adj-changes

!-- Create network object for inside and dynamic PAT
ASA1(config)# object network INSIDE
ASA1(config-network-object)# subnet 20.0.0.0 255.255.255.0
ASA1(config-network-object)# nat (inside,outside) dynamic interface

ASA1(config)# access-list OUT-IN ext permit icmp any any
ASA1(config)# access-group OUT-IN in int outside

ASA1# sh int ip br 
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0/0                unassigned      YES unset  up                    up
Ethernet0/1                unassigned      YES unset  up                    up
Ethernet0/2                unassigned      YES unset  up                    up
Ethernet0/3                unassigned      YES unset  up                    up
Management0/0              unassigned      YES unset  administratively down up
Port-channel1              160.60.0.12     YES manual down                  down
Redundant1                 20.0.0.12       YES manual up                    up

!-- Make sure that switch ports are also configured for channel-group so the Port-channel1 interface is not down.

SW2(config)#int f0/41
SW2(config-if)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1
SW2(config)#int f0/12
SW2(config-if)#channel-group 1 mode active

ASA1# ping 160.60.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 160.60.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA1# sh interface redundant 1 detail
Interface Redundant1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
334 packets input, 26940 bytes, 0 no buffer
Received 244 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
74 L2 decode drops
142 packets output, 11258 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for "inside":
106 packets input, 6761 bytes
142 packets output, 8555 bytes
2 packets dropped
1 minute input rate 0 pkts/sec,  41 bytes/sec
1 minute output rate 0 pkts/sec,  45 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Control Point Interface States:
Interface number is 9
Interface config status is active
Interface state is active
Redundancy Information:
Member Ethernet0/1(Active), Ethernet0/3
Last switchover at 14:08:54 UTC Sep 18 2013

!-- If you shut down Eth0/1, the active interface becomes Eth0/3 and we should lose one or two pings:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

ASA1#  sh int red 1
Interface Redundant1 "inside", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 001e.7a36.6d41, MTU 1500
IP address 20.0.0.12, subnet mask 255.255.255.0
29393 packets input, 3455064 bytes, 0 no buffer
Received 260 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
82 L2 decode drops
29183 packets output, 3437408 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 2 interface resets
0 late collisions, 0 deferred
162 input reset drops, 0 output reset drops, 0 tx hangs
input queue (blocks free curr/low): hardware (510/254)
output queue (blocks free curr/low): hardware (510/253)
Traffic Statistics for "inside":
29157 packets input, 2911127 bytes
29183 packets output, 2911931 bytes
6 packets dropped
1 minute input rate 140 pkts/sec,  14009 bytes/sec
1 minute output rate 140 pkts/sec,  14004 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec,  16 bytes/sec
5 minute output rate 0 pkts/sec,  16 bytes/sec
5 minute drop rate, 0 pkts/sec
Redundancy Information:
Member Ethernet0/3(Active), Ethernet0/1
Last switchover at 14:08:54 UTC Sep 18 2013

!-- Check out port channel status

ASA1# sh port-channel 1 detail
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Ports in the group:
------------------
Port: Et0/0
------------
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
A - Device is in active mode.        P - Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
-----------------------------------------------------------------------------
Et0/0     SA      bndl       32768         0x1       0x1     0x1         0x3d

Partner's information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Et0/0     SA      bndl       32768         0x0       0x1      0x10d       0x3d

Port: Et0/2
------------
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
A - Device is in active mode.        P - Device is in passive mode.

Local information:
LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
-----------------------------------------------------------------------------
Et0/2     SA      bndl       32768         0x1       0x1     0x3         0x3d

Partner's information:
Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Et0/2     SA      bndl       32768         0x0       0x1      0x12a       0x3d

ASA1# sh port-channel 1 load-balance
EtherChannel Load-Balancing Configuration:
src-dst-ip

EtherChannel Load-Balancing Addresses UsedPer-Protocol:
Non-IP: Source XOR Destination MAC address
IPv4: Source XOR Destination IP address
IPv6: Source XOR Destination IP address

!-- This is the output when one of the member interfaces is down; with only one active member there is no load balancing:

ASA1# sh int e0/0 | in packets output
63320 packets output, 7471910 bytes, 0 underruns

ASA1# sh int e0/2 | in packets output
16482 packets output, 1941871 bytes, 0 underruns

!-- Check the port-channel summary and notice that one of the interfaces is down.

ASA1# sh port-channel summary
Flags:  D - down        P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use      N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)            LACP    Et0/0(P)   Et0/2(D)
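As an added example (not part of the original post), a small Python check that parses the "show port-channel summary" and "show interface ip brief" outputs shown above and reports members that are not bundled or logical interfaces that are not up/up. The sample strings are constructed from the post's own output; the parsers assume the column layout seen there.

```python
import re

PORT_CHANNEL_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)            LACP    Et0/0(P)   Et0/2(D)
"""  # constructed from the post's "sh port-channel summary" output
INT_IP_BRIEF = """\
Interface                  IP-Address      OK? Method Status                Protocol
Management0/0              unassigned      YES unset  administratively down up
Port-channel1              160.60.0.12     YES manual down                  down
Redundant1                 20.0.0.12       YES manual up                    up
"""  # constructed from the post's "sh int ip br" output
GROUP_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\((\w)\)\s+\S+\s+(.*)$")
MEMBER_RE = re.compile(r"(\S+?)\(([A-Za-z])\)")
BRIEF_RE = re.compile(r"^(\S+)\s+\S+\s+(?:YES|NO)\s+\S+\s+(.+?)\s+(up|down)\s*$")

def parse_port_channel_summary(text):
    """Map channel-group number -> {'po', 'flag', 'members': {port: flag}}."""
    groups = {}
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            num, po, flag, ports = m.groups()
            groups[int(num)] = {"po": po, "flag": flag, "members": dict(MEMBER_RE.findall(ports))}
    return groups

def parse_int_ip_brief(text):
    """Map interface name -> (status, line protocol); multi-word statuses survive."""
    table = {}
    for line in text.splitlines():
        m = BRIEF_RE.match(line)
        if m:
            name, status, proto = m.groups()
            table[name] = (status, proto)
    return table

def find_problems(summary_text, brief_text):
    """Findings: members not bundled (flag != P) and logical interfaces not up/up."""
    findings = []
    for g in parse_port_channel_summary(summary_text).values():
        if g["flag"] != "U":
            findings.append(f"{g['po']} not in use (flag {g['flag']})")
        for port, flag in g["members"].items():
            if flag != "P":  # P = bundled; D = down, s = suspended, w = waiting
                findings.append(f"{g['po']} member {port} not bundled (flag {flag})")
    for name, (status, proto) in parse_int_ip_brief(brief_text).items():
        if name.startswith(("Port-channel", "Redundant")) and (status, proto) != ("up", "up"):
            findings.append(f"{name} is {status}/{proto}")
    return findings
```

Feeding it the captured outputs flags both the Et0/2 member marked (D) and the Port-channel1 interface that was down before the switch side was configured.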
