Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
9875
Views
8
Helpful
3
Replies

PortChannel in Cisco ASA with subinterface vlan

Rizal Ferdiyan
Level 1
Level 1

‎12-30-2011 03:00 AM - edited ‎03-11-2019 03:08 PM

Dear Cisco Expert,

I have problem with portchannel in cisco ASA with subinterface, My asa create port channel two link with switch :

my asa configuration (PO3 == int gi0/1 & int gi0/0 ASA) :

interface Port-channel3

no nameif

no security-level

no ip address

!

interface Port-channel3.20

vlan 20

nameif XXXX

security-level 50

ip address 172.27.3.1 255.255.255.224

my switch configuration (PO3 == int gi0/19 & int gi0/20 switch) :

interface Port-channel3

switchport trunk encapsulation dot1q

switchport trunk allowed vlan 20,30,40,50

switchport mode trunk

end

I also tried create int vlan 20 in switch,

interface Vlan20

ip address 172.27.3.2 255.255.255.224

end

but it doesn't work

the etherchannel status is still in waiting :

show etherchannel sum :

3      Po3(SD)         LACP      Gi0/19(w)   Gi0/20(w)  

Do you have any clue ?

Thank u guys, ...

Btw, if i create ASA port chanel withoout subinterface it's work.

Best Regards

Rizal Ferdiyan

Labels:
0 Helpful
3 Replies 3

ajay chauhan
Level 7
Level 7

‎12-30-2011 04:10 AM

You ASA cofniguration should look like this. You havnt posted the full config so no comment on that

interface GigabitEthernet0/0

channel-group 10 mode active

speed 1000

duplex full

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

channel-group 10 mode active

speed 1000

duplex full

no nameif

no security-level

no ip address

!

!

interface Port-channel3

speed 1000

duplex full

no nameif

no security-level

no ip address

!

interface Port-channel3.20

vlan 20

nameif XXXX

security-level 50

ip address 172.27.3.1 255.255.255.224

Thanks

Ajay

Lovleen Arora
Level 1
Level 1
In response to ajay chauhan

‎09-17-2015 05:37 PM

thanks Ajay,

how can u leverage this multi-vlan port-channel in a security context? I have allocated the port-channel and its sub-interfaces to a context, is that enough? the downlink switch will use the asa security context for inter-vlan routing.

 

0 Helpful

Rishabh Seth
Level 7
Level 7
In response to Lovleen Arora

‎09-17-2015 08:25 PM

Hi,

In a multi vlan multi context setup, you just need to allocate a sub interface to correct context and map it to correct vlan.

You should have appropriate nat and acl according to your network.

Is there any specific issue that you are facing?

Thanks,

R.Seth

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card