ASA 5585 port-channels

I want to create a port-channel with 2 10Gbs interfaces on 2 ASA 5585 firewalls, and set them up in a failover pair.
In order to do this, do I simply put two 10Gbs interfaces into a channel and then configure the IP addressing and failover address on the logical port-channel interface? (aka interface po1).
Any limitations with this?

Yes, that is exactly what you do.
Create portchannel on switch and ASA
Trunk the vlan on switch side
Create logical interfaces on ASA

Similar Messages

  • ASA EIGRP Port Channel Bug?

    Hi All
    I have EIGRP configured on an ASA5512-X code version 9.1(4). When I do a "show eigrp interfaces" the Port Channel linking to the adjacent router is not listed. It is not a passive interface (even did a "no passive-interface outside" to double check). Other interfaces are listed. Debugging EIGRP shows no hellos arriving on that interface either, even though a debug on the adjacent router confirms they are being sent. Am I missing something or is this a bug?
    Thanks for looking!
    - James

    Hello,
    It does... Thanks for the explanation
    Now if you are behind the inside interface you should be able to ping it.
    Can you share the show run icmp
    Also do the following on the ASA
    cap capin interface inside match icmp any host 172.17.120.254
    cap asp type asp-drop all circular-buffer
    Then try to ping the ASA inside interface and provide me:
    show cap capin
    show cap asp | include 172.17.120.254
    Regards,
    We are here to help, Remember to rate all the post that help ( If you do not know how to rate a post, just let me know, I will let you know how )
    Julio

  • Disappointed: ASA 8.4 Redundant using Port-channels

    So I finally got all our ASAs upgraded to version 8.4 and was all sorts of excited to configure port-channels to our 6500 + SUP7203B switches.  I was severely disappointed to discover that I cannot configure two port-channels and have them be members of a redundant interface pair.  It would seem like a logical topology.
    Port-channel1 = Gig0/0 & Gig0/1
    Port-channel2 = Gig0/2 & Gig0/3
    Redundant1 = Port-channel1 & Port-channel2
    Port-channel1 would connect to the primary 6500
    Port-channel2 would connect to the backup 6500
    What would it take to make this work?  Am I going to have to wait for 8.5?  Will we finally get BGP then too? (Had to get that in there)
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329357
    EtherChannel Guidelines
    •You can configure up to 48 EtherChannels.
    •Each channel group can have eight active interfaces. Note that you can assign up to 16 interfaces to a channel group. While only eight interfaces can be active, the remaining interfaces can act as standby links in case of interface failure.
    •All interfaces in the channel group must be the same type and speed. The first interface added to the channel group determines the correct type and speed.
    •The device to which you connect the ASA 5500 EtherChannel must also support 802.3ad EtherChannels; for example, you can connect to the Catalyst 6500 switch.
    •All ASA configuration refers to the logical EtherChannel interface instead of the member physical interfaces.
    •You cannot use a redundant interface as part of an EtherChannel, nor can you use an EtherChannel as part of a redundant interface. You cannot use the same physical interfaces in a redundant interface and an EtherChannel interface. You can, however, configure both types on the ASA if they do not use the same physical interfaces.

    Hello Yaplej,
    Agree with you, but unfortunately this is not supported yet.
    We might need to wait some time before this design can be accomplished.
    Regards,
    If you do not have any other question please mark the question as answered

  • ASA port-channel command on IOS v. 9.0(4)

    I have configured 2 of ASA 5550 on a port channel as follows:
    =======================================
    router# show version
    Cisco Adaptive Security Appliance Software Version 8.4(2)
    router# show module
      0 ASA 5550 Adaptive Security Appliance         ASA5550            JMX1226L1S9
      1 SSM-4GE Included with ASA 5550 System        SSM-4GE-INC        JAF1224ATNS
    router# show interface Port-channel48
    Interface Port-channel48 "", is up, line protocol is up
      Hardware is EtherChannel/ON, BW 2000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Media-type configured as RJ45 connector
        Available but not configured via nameif
        MAC address 001f.ca97.44e2, MTU not set
        IP address unassigned
      Members in this channel:
          Active:   Gi1/2 Gi1/3
    router# show startup-config
    interface GigabitEthernet1/2
     channel-group 48 mode on
     no nameif
     no security-level
     no ip address
    interface GigabitEthernet1/3
     channel-group 48 mode on
     no nameif
     no security-level
     no ip address
    interface Port-channel48
     no nameif
     no security-level
     no ip address
    interface Port-channel48.4
     vlan 4
    interface Port-channel48.5
     vlan 5
    After migrating to version 9.0(4) I could not configure channel group on int g 1/2.
    =======================================
    router# show version
    Cisco Adaptive Security Appliance Software Version 9.0(4)
    router# show module
      0 ASA 5550 Adaptive Security Appliance         ASA5550            JMX1421L333
      1 SSM-4GE Included with ASA 5550 System        SSM-4GE-INC        JAF1419ALAK
    router# configure terminal
    router(config)# interface GigabitEthernet1/2
    router(config-if)#  channel-group 48 mode on
                          ^
    ERROR: % Invalid input detected at '^' marker.
    router(config-if)# ?
    So I have the following questions about version 9:
    1. Can I still use port-channels on a single ASA?
    2. Should I replace port-channel by the lacp command on a single ASA?
    3. Can the lacp command be used only on clusters?
    Att.,
    Rosa

    The following is documented in the config guide for both 8.4 and 9.0:
    •You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel. 
    So, even with 8.4 it was probably never meant to work.

  • Port channel asa

    Hi!
    Is it possible to configure etherchannel on Cisco ASA 5580 (ASA5580-4GE-CU card) ?
    Thanks for your help,

    Hi,
    Yes, it supports EtherChannel; traffic among your port-channel will be as below
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html
    Table 12-2 Load Distribution per Interface
    # of Active     % Distribution Per Interface
    Interfaces      1       2       3       4       5       6       7       8
    1               100%
    2               50%     50%
    3               37.5%   37.5%   25%
    4               25%     25%     25%     25%
    5               25%     25%     25%     12.5%   12.5%
    6               25%     25%     12.5%   12.5%   12.5%   12.5%
    7               25%     12.5%   12.5%   12.5%   12.5%   12.5%   12.5%
    8               12.5%   12.5%   12.5%   12.5%   12.5%   12.5%   12.5%   12.5%
    HTH
    Sandy

  • Port channel issue in ASA

    We have two Cisco ASA 55XX Firewalls and both are in HA (Active/Standby). Two ports from each Firewall are connected to two ports of a Nexus 5K Switch, running a port channel between the Firewall and the Nexus Switch, and the port-channel is UP. The Switches have a back-to-back connection with a trunk port allowing all VLANs.
    FW01 ----------------- SW01 (Two ports with Port channel)
    FW02 ----------------- SW02 (Two ports with Port channel)
    I have VLAN 10 with IP Subnet 10.10.10.0/28
    SW01 : 10.10.10.2
    SW02 : 10.10.10.3
    HSRP IP : 10.10.10.1
    FWs :  10.10.10.4 & 10.10.10.5
    Firewall Default Gateway : 10.10.10.1
    Problem: I am not able to ping the Firewall IPs from the Nexus Switches. When I checked the ARP table on the Nexus Switch, I observed that the Firewalls' two IPs have the same MAC address; when I checked that MAC address on the Firewall, that MAC address is the Port channel interface MAC address.
    This is the issue (two IPs learning the same MAC address) from the ASA.
    How to fix this issue?
    Thanks
    Venkat

    Hi,
    What version of IOS are you running on the ASAs?
    see table-12-3 in this link:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html
    Also, since the 4500x are in VSS mode, you need to bundle one link from each switch and use LACP.
    HTH

  • Nexus 1010v interfaces, port-channel, Catalyst 6500E VSS

    I'm installing a pair of 1010v-X appliances using flexible network option 5 on version 4.2(1)SP1(5.1).
    I have all interfaces grouped into a single port channel 6.  All interfaces uplink to a pair of Catalyst 6506Es in a VSS (Sup2T).
    My question relates to the VSS configuration.
    For example, do I set up one port-channel on the VSS and put all 12 interfaces in it? Or, do I set up two port-channels on the VSS and put the active 1010v-X in one port-channel and the standby into another port-channel?
    Do I set dot1q trunking up on the port-channel(s) on the VSS?
    Thanks.

  • ASA5550 port channel configuration ERROR: nameif not allowed on empty etherchannel interface

    Hi All,
    I am having a problem when configuring a port channel on an ASA5550
    IOS ver asa914-k8.bin also in ver 9.02   and 8.47.
    Please let me know how can I solve this problem.
    UK-LON-FW(config)# int port-channel 3
    UK-LON-FW(config-if)# vlan 245
                           ^
    ERROR: % Invalid input detected at '^' marker.
    UK-LON-FW(config-if)# nameif secure
    ERROR: nameif not allowed on empty etherchannel interface.
    UK-LON-FW(config-if)#
    here is my interfaces configuration:
    interface GigabitEthernet0/0
    description fw1:G0/0 to uk-lon-gw1:e1/8 fw2:G0/0 to uk-lon-gw2:e1/9 outside zone
    channel-group 1 mode on
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1
    description fw1:G0/1 to uk-lon-gw2:e1/8 fw2:G0/1 to uk-lon-gw1:e1/9 outside zone
    channel-group 1 mode on
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/2
    description fw1:G0/2 to uk-lon-sw1a:1 fw2:G0/2 to uk-lon-sw1a:2 dmz
    channel-group 2 mode on
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    description fw1:G0/3 to uk-lon-sw1b: fw2:G0/3 to uk-lon-sw1b:2 dmz
    channel-group 2 mode on
    no nameif   
    no security-level
    no ip address
    interface Management0/0
    management-only
    nameif management
    security-level 0
    ip address 10.10.51.18 255.255.254.0
    interface GigabitEthernet1/0
    description fw1:G1/0 to uk-lon-sw1a:3 fw2:G1/0 to uk-lon-sw1a:4 secure zone
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/1
    description fw1:G1/1 to uk-lon-sw1b:3 fw2:G1/1 to uk-lon-sw1b:4 secure zone
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/2
    description LAN Failover Interface
    no nameif   
    no security-level
    no ip address
    interface GigabitEthernet1/3
    description STATE Failover Interface
    no nameif
    no security-level
    no ip address
    interface Port-channel1
    description outside zone
    no nameif
    no security-level
    no ip address
    interface Port-channel1.5
    description outside zone Bundle FW:G0/0-G0/1 connect to GW1:e1/8-GW2:e1/8
    vlan 5
    nameif outside
    security-level 0
    ip address 216.239.105.5 255.255.255.128 standby 216.239.105.6
    interface Port-channel2
    description dmz Bunlde uk-lon-fw:G0/2-3 to sw1a:1-2 sw1b:1-2
    no nameif
    no security-level
    no ip address
    interface Port-channel2.105
    description dmz
    vlan 105
    nameif dmz
    security-level 50
    ip address 216.239.105.193 255.255.255.192 standby 216.239.105.194
    interface Port-channel3
    description secure zone Bunlde uk-lon-fw:G1/0-1 to sw1a:3-3 sw1b:3-4
    no nameif
    security-level 100
    ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2
    UK-LON-FW(config-if)# 

    Hi Marvin,
    Thank you for your answer.  I did everything but it did not work. Turns out it is a bug: ver 8.45 will let you create the sub logical interface, but it actually did not work right.  Version 9.x doesn't let you create more than 2 port channels (limitation of ASA5550 hardware).
    https://tools.cisco.com/bugsearch/bug/CSCtq62715/?reffering_site=dumpcr 
    Also, you can see the 8.4 release notes, where you can see that it is not supported:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-522232
    Interface Features
    EtherChannel support (ASA 5510 and higher)
    You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
    Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
    We introduced the following commands: channel-group , lacp port-priority , interface port-channel , lacp max-bundle , port-channel min-bundle , port-channel load-balance , lacp system-priority , clear lacp counters , show lacp , show port-channel .
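
An added example (not code from the posters or from Cisco): a small linter for a pasted ASA interface configuration that checks the rules quoted in the threads above, namely a port-channel with no member interfaces (the "nameif not allowed on empty etherchannel interface" case), 4GE SSM slot 1 ports used as members on an ASA 5550, and mixing redundant interfaces with EtherChannels. The sample configuration is constructed from the post above with descriptions trimmed, and the assumption that slot 1 ports appear as GigabitEthernet1/x follows the interface names shown in the posts.

```python
import re

IFACE_RE = re.compile(r"^interface\s+(\S+)", re.I)
GROUP_RE = re.compile(r"^channel-group\s+(\d+)\s+mode\s+\S+", re.I)
PORT_CHANNEL_RE = re.compile(r"^port-channel(\d+)(?:\.\d+)?$", re.I)
SLOT1_RE = re.compile(r"^gigabitethernet1/\d+$", re.I)  # assumption: slot 1 naming
MAX_ASSIGNED = 16  # guideline quoted above: up to 16 interfaces per channel group

# Constructed sample, modelled on the ASA5550 configuration posted above.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 channel-group 1 mode on
interface GigabitEthernet0/1
 channel-group 1 mode on
interface GigabitEthernet1/0
 no nameif
interface GigabitEthernet1/1
 no nameif
interface Port-channel1
 no nameif
interface Port-channel1.5
 vlan 5
 nameif outside
interface Port-channel3
 security-level 100
 ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2
"""


def parse_interfaces(config_text):
    """Return {interface name: [sub-commands]}; indentation is optional."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = IFACE_RE.match(line)
        if match:
            current = blocks.setdefault(match.group(1), [])
        elif line == "!" or not line:
            current = None          # block separator in a running-config
        elif current is not None:
            current.append(line)
    return blocks


def lint_etherchannel(config_text, model=""):
    """Return a list of (rule, interface, message) findings."""
    blocks = parse_interfaces(config_text)
    members = {}   # channel-group id -> physical interfaces assigned to it
    findings = []
    for name, cmds in blocks.items():
        for cmd in cmds:
            group = GROUP_RE.match(cmd)
            if not group:
                continue
            members.setdefault(int(group.group(1)), []).append(name)
            if model.upper() == "ASA5550" and SLOT1_RE.match(name):
                findings.append(("SSM_MEMBER", name,
                                 "4GE SSM (slot 1) ports cannot be part of an EtherChannel"))
    bundled = {iface.lower() for ifaces in members.values() for iface in ifaces}
    for name, cmds in blocks.items():
        channel = PORT_CHANNEL_RE.match(name)
        if channel and int(channel.group(1)) not in members:
            findings.append(("EMPTY_CHANNEL", name,
                             "no physical interface has a matching channel-group"))
        if name.lower().startswith("redundant"):
            for cmd in cmds:
                parts = cmd.split()
                if len(parts) == 2 and parts[0].lower() == "member-interface":
                    if PORT_CHANNEL_RE.match(parts[1]) or parts[1].lower() in bundled:
                        findings.append(("REDUNDANT_MIX", name,
                                         parts[1] + " is an EtherChannel or one of its members"))
    for group_id, ifaces in members.items():
        if len(ifaces) > MAX_ASSIGNED:
            findings.append(("TOO_MANY_MEMBERS", "Port-channel%d" % group_id,
                             "%d interfaces assigned, limit is %d" % (len(ifaces), MAX_ASSIGNED)))
    return findings


if __name__ == "__main__":
    for rule, iface, message in lint_etherchannel(SAMPLE_CONFIG, model="ASA5550"):
        print(rule, iface, message)
```

On the sample it reports Port-channel3 as empty: GigabitEthernet1/0 and 1/1 carry no channel-group, and on a 5550 they sit on the 4GE SSM, which the quoted release note excludes from EtherChannels.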

  • ASA 5585-X Licensing

    Hi,
    I was hoping to get some assistance from the community on 5585 part numbers/licensing.
    We have recently purchased some 5585-X SSP-20's.  The part number ordered was ASA5585-S20C20XK9       "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES".  We want to enable the 10GE ports on the SSP-20, do we just purchase an additional license?  We are being guided by our reseller to swap the hardware for ASA5585-S20C20XK9      "ASA 5585-X Chas w/SSP20,CX SSP20,16GE,4 SFP+,2 AC,3DES/AES".
    Thanks,
    Colin

    Based on the documentation you need the Security-Plus License to enable 10G for the 5585 with SSP10 or SSP20.

  • ASA5580 port channel to 6509 VSS

    Hi All,
    I hope this is the correct location for this.
    Anyway, here's the situation I'm trying to configure several VLANs on my ASA to uniquely allocate to contexts, the VLANs will be trunked from my VSS.
    Unfortunately I'm not clear on how to achieve this, the configuration guide for 8.4 talks about multiple contexts and routed setups all which don't appear to apply exactly. I've configured the port channel at both ends and I've configured sub-interfaces on the port channel and assigned VLAN IDs. These sub-interfaces are then allocated to the contexts to set 'ip address' etc. I've not been able to successfully test this configuration and I am concerned that it is incorrect.
    If anyone has any advice or suggestions I would be grateful?
    Many thanks.

    Well the good news is that I have been able to test my configuration.
    Using an infrequently utilised VLAN I disabled the current interface and brought up an allocated port on the new ASA which I successfully pinged the subinterface ip of (configured via a context of the ASA). The complication was using the correct VRF as the source! 
    All is good ready for the cut-over.
    Regards.

  • Cisco ASA 5585-X SSP-20 8.4(2) - TCP Syslog problem

    Hi,
    We have a firewall service environment where logging is handled with UDP at the moment.
    Recently we have noticed that some messages get lost on the way to the server (since the server doesn't seem to be under huge stress from syslog traffic). We decided to try sending the syslog via TCP.
    You can imagine my surprise when I enabled the "logging host <interface name> <server ip> tcp/1470" on an ASA Security context and found out that all the connections through that firewall were now being blocked. Granted, I could have checked the command reference for this specific command but I never even thought of the possibility of a logging command being able to stop all traffic on a firewall.
    The TCP syslog connection failing was caused by a mismatched TCP port on the server which got corrected quickly. Even though I could now view log messages from the firewall in question in real time, the only message logged was the blocking of new connections with the following syslog message:
    "%ASA-3-201008: Disallowing new connections."
    Here start my questions:
    - New connections are supposed to be blocked when the TCP Syslog server isn't reachable. How is it possible that I am seeing the TCP syslog sent to the server and the ASA Security Context is still blocking the traffic?
    - I configured the "logging permit-hostdown" after I found the command and it supposedly should prevent the above problem/situation from happening. Yet after issuing this command on the Security Context in question, connections were still being blocked with the same syslog message. Why is this?
    - Eventually I changed the logging back to UDP. This yet again caused no change to the situation. All the customer connections were still being blocked. Why is this?
    - After all the above I removed all possible logging configurations from the Security Context. This had absolutely no effect on the situation either.
    - As a last measure I changed to the system context of the ASA and totally removed the syslog interface from the Security Context. This also had absolutely no effect on the situation.
    At the end I was forced to save the configuration on the ASAs Flash -memory, remove the Security Context, create the SC again, attach the interfaces again and load the configuration from the flash into the Security Context. This in the end corrected the problem.
    Seems to me this is some sort of bug since the syslog server was receiving the syslog messages from the SC but the ASA was still blocking all new connections. Even the "logging permit-hostdown" command didn't help, nor did changing back to UDP.
    It seems the Security Context in question just simply got stuck and continued blocking all connections even though in the end it didn't have ANY logging configurations on.
    Seems to me that this is quite a risky configuration if you are possibly facing cutting all traffic for hundreds of customers when the syslog connection is lost or the above situation happens and isn't corrected by any of the above measures we took (like the command "logging permit-hostdown" which is supposed to avoid this situation altogether).
    - Jouni

    Hi,
    I FINALLY had the time to look at this issue as I was testing something else in our lab too.
    In short, here is what I did:
    I configured the TCP logging in the same way as in the original post
    I configured the TCP logging giving the commands in different order
    Did some other tests related to the problem
    Device used: ASA 5585-X
    Software: 8.4(2)
    Original Device and software : ASA 5585-X running 8.4(1)9
    Here are the above scenarios and what actually happened
    Original situation
    Before doing any changes the test firewall context in question is working normally and the log sent by UDP/514 is arriving to the Syslog server as usual.
    I now change the syslog to TCP by giving a command "logging host tcp/1471" (actual port being TCP/1470)
    The firewall immediately starts blocking all connections going through it.
    I change the configuration to the correct port TCP/1470 after which log starts appearing in my realtime view on the syslog server. The firewall context in question is still sending only the message "Disallowing new connections" even though the TCP port on the Syslog server is clearly reachable and the connection is active.
    After this I try to do the suggested "clear local-host all" command. This has no effect on the firewall context. No connections are getting through. No connections/xlates are formed on the firewall. I can only see the firewall doing DNS queries with its outside interface (related to another configuration).
    After this I try to start correcting the situation the same way as before. I add the "logging permit-hostdown" command which has no effect on the situation. I remove all logging configurations and it doesn't have any effect on the situation.
    After this I activate UDP logging and can see the logs arriving on the syslog server but again I can only see the "Disallowing new connections" message.
    In the end I have no other option (to my knowledge) other than to delete the Security Context and create it again with the same interfaces and with the configuration saved to the Flash memory of the ASA.
    After this the connections work like usual. (UDP logging in the saved configuration)
    Giving the configurations in different order
    After I've created the firewall again and all is working I have another try in configuring the TCP Syslog while giving the commands in different order.
    First I add the command "logging permit-hostdown" command
    Then I add the command "logging host tcp/1470"
    After this logs start arriving on the syslog server and connections work as usual. Seems giving the "logging permit-hostdown" first before any other configurations is the right way to go.
    Removing the "logging permit-hostdown" command
    After I saw that everything was working I tried to remove the "logging permit-hostdown" command and see what happens. Everything worked fine.
    Configuring wrong TCP port to "logging host" command
    I decide to try and change the TCP port used to a wrong one and see if anything happens. (logging permit-hostdown is active). Firewall works as usual. Naturally no logs can be viewed at the syslog server.
    Configuring the TCP Syslogging without "logging permit-hostdown" but with correct port
    Finally I tried to configure the TCP Syslogging on ASA with the correct TCP port without issuing the "logging permit-hostdown" command. Everything seemed to work fine after this.
    So in conclusion it seems that IF you don't have the "logging permit-hostdown" command issued before you start configuring "logging host tcp/xxxx", you might run into problems IF you don't have matching settings on the ASA sending the log and the Syslog server receiving the log.
    There doesn't seem to be any easy way to correct the situation (with the connections getting blocked) after you have once messed up the configurations. Seems your only option is to reconfigure the Security Context (which is easy) or if this problem exists in the same way in a single ASA you will have to reboot the device which means longer downtime than reconfiguring a context.
    There would still be a couple of things to test but at the moment I have no more time for this. I will update if there is any new information.
    - Jouni
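
An added example (not code from the posters or from Cisco): a pre-change check for a batch of ASA logging commands that follows the behaviour described in the two posts above. It flags a TCP "logging host" entered before "logging permit-hostdown" and a TCP port that does not match the syslog listener, then picks the %ASA-3-201008 message out of collected log lines. The server address, interface name, listener table and log lines are constructed samples.

```python
import re

# "logging host <interface name> <server ip> tcp/<port>" as quoted in the post.
HOST_RE = re.compile(r"^logging host (\S+) (\S+)(?:\s+(tcp|udp)/(\d+))?", re.I)
MSG_201008 = "%ASA-3-201008"   # "Disallowing new connections."

# Constructed samples: 192.0.2.10 is a documentation address, "mgmt" a made-up nameif.
LISTENERS = {"192.0.2.10": 1470}             # what the syslog server really listens on
RISKY_BATCH = ["logging host mgmt 192.0.2.10 tcp/1471",
               "logging permit-hostdown"]
SAFE_BATCH = ["logging permit-hostdown",
              "logging host mgmt 192.0.2.10 tcp/1470"]
SAMPLE_LOG = [
    "Oct 01 2011 10:15:01: %ASA-6-302013: Built outbound TCP connection 101 for "
    "outside:198.51.100.7/443 (198.51.100.7/443) to inside:10.0.0.5/50000 (10.0.0.5/50000)",
    "Oct 01 2011 10:15:02: %ASA-3-201008: Disallowing new connections.",
]


def review_logging_change(commands, listeners=None, permit_hostdown=False):
    """Walk the batch in entry order and return (line number, rule, message) findings.

    permit_hostdown is the state already present on the device before the batch.
    """
    listeners = listeners or {}
    findings = []
    for number, raw in enumerate(commands, start=1):
        cmd = " ".join(raw.split())
        low = cmd.lower()
        if low == "logging permit-hostdown":
            permit_hostdown = True
            continue
        if low == "no logging permit-hostdown":
            permit_hostdown = False
            continue
        match = HOST_RE.match(cmd)
        # Without a protocol keyword the ASA sends syslog over UDP, which never blocks.
        if not match or (match.group(3) or "udp").lower() != "tcp":
            continue
        server, port = match.group(2), int(match.group(4))
        if not permit_hostdown:
            findings.append((number, "FAIL_CLOSED",
                             "TCP syslog to %s entered before 'logging permit-hostdown'; "
                             "new connections are refused while the server is unreachable"
                             % server))
        expected = listeners.get(server)
        if expected is not None and expected != port:
            findings.append((number, "PORT_MISMATCH",
                             "%s listens on tcp/%d, command uses tcp/%d"
                             % (server, expected, port)))
    return findings


def blocking_events(log_lines):
    """Return the log lines that report the firewall refusing new connections."""
    return [line for line in log_lines if MSG_201008 in line]


if __name__ == "__main__":
    for finding in review_logging_change(RISKY_BATCH, LISTENERS):
        print(finding)
    print(blocking_events(SAMPLE_LOG))
```

The risky batch reproduces the sequence from the lab test (wrong port first, permit-hostdown afterwards) and yields both findings on line 1; the safe batch yields none.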

  • Port-channel on ASA5520

    So everything I've read on Cisco's documentation here: http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329030 says that I can create a port-channel on two physical interfaces that will uplink to a VSS pair.  However, the command is not recognized.  What am I missing? I've tried executing "channel-group #" on the physical interface and tried creating the port-channel 1st and neither commands exist.  I haven't seen it listed anywhere if it is only available after a specific piece of ASA software.  If it is the software would someone know what version at a minimum I need to upgrade to?  Below is an output from a show version
    Cisco Adaptive Security Appliance Software Version 8.0(4)
    Device Manager Version 6.1(3)
    Compiled on Thu 07-Aug-08 20:53 by builders
    System image file is "disk0:/asa804-k8.bin"
    Config file at boot was "startup-config"
    ########### up 43 days 23 hours
    Hardware:  ASA5520, 2048 MB RAM, CPU Pentium 4 Celeron 2000 MHz
    Internal ATA Compact Flash, 256MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
    Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)                            
    Boot microcode  : CN1000-MC-BOOT-2.00                            
    SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03                            
    IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

    Hi,
    You need software 8.4(1) at least to be able to configure Port Channel / Etherchannel
    Here is the section from the command reference which states this
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html#wp1932200
    Naturally in your case if you were to upgrade the ASA to 8.4(x) software it would mean that NAT configuration format would be totally different compared to your software version of 8.0.
    - Jouni

  • Right way of configuring higher MTU over a Port Channel

    Hi guys,
    I have a running critical Port-Channel between two locations.
    Here's the config
    SW1:
    interface Port-channel2
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    end
    interface GigabitEthernet1/45
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-protocol lacp
     channel-group 2 mode active
    end
    interface GigabitEthernet1/46
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-protocol lacp
     channel-group 2 mode active
    end
    SW2
    interface GigabitEthernet1/1
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-protocol lacp
     channel-group 2 mode passive
    end
    interface GigabitEthernet1/2
     switchport trunk encapsulation dot1q
     switchport mode trunk
     channel-protocol lacp
     channel-group 2 mode passive
    end
    interface Port-channel2
     switchport
     switchport trunk encapsulation dot1q
     switchport mode trunk
    end
    Now I need to increase the MTU from the default value to 9198. What is the right way to do it and avoid any connectivity loss or PortChannel restart?
    Does it matter what switch I start first?
    Thanks!
    L.E. both SW are WS-C4948

    Hi,
    Because you are using layer 2 interfaces - there is no fragmentation support at layer 2, and interfaces receiving frames which have an unsupported size will be dropped.
    I think the best way for you to proceed is to lab this up; and verify what happens - it may be that you need to make changes on switches at either end of the channel within a very short time frame to prevent too large an outage.
    When you are ready to make your change - I think the best way to do this is to use the interface range command, and apply the 'mtu' command to all the interfaces in this range. I don't think it matters which switch you apply this change to first, and I don't believe, if you are hinting at the 802.3ad (controlled by system-priority) decision maker, that it makes any difference.
    HTH
    Mike

  • How to configure a port channel with VLAN trunking (and make it work..)

    We're trying to configure a port channel group with trunked ports to connect a NetApp HA pair. We want to create two data LIFs and connect them to the switch stack.  We are trying to create 2 data lifs, one for cifs and one for nfs that are on different vlans.
    We want the same ports to be able to allow multiple vlans to communicate. (trunked)
    These data lifs should be able to fail over to different nodes in the HA pair and still be able to communicate on the network.
    What this means is that we have to connect 4 ports each for each node in the NetApp HA Pair to the switches and create a port channel of some type that allows for trunked vlans. When we configure the ports, the configuration is as follows (below):
    We are only able to configure an IP on one of the vlans.
    When we configure an IP from another vlan for the data lif, it does not respond to a ping.
    Does anyone have any idea what I'm doing wrong on the Cisco switch?
    interface GigabitEthernet4/0/12
    description Netapp2-e0a
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet4/0/13
    description Netapp2-e0c
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/12
    description Netapp2-e0b
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface GigabitEthernet6/0/13
    description Netapp2-e0d
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    channel-protocol lacp
    channel-group 20 mode active
    end
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    spanning-tree portfast
    spanning-tree bpduguard enable
    end

    Our problem was fixed by the storage people.  They changed the server end to trunk, and the encapsulation / etherchannel.
    I like all the suggestions, and they probably helped out with the configuration getting this to work.
    Thanks!
    interface Port-channel20
    description Netapp2-NFS
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    interface GigabitEthernet4/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet4/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/12
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active
    interface GigabitEthernet6/0/13
    switchport trunk encapsulation dot1q
    switchport trunk allowed vlan 10,20,511,519
    switchport mode trunk
    channel-protocol lacp
    channel-group 20 mode active

  • Port-channel question on 9148

    Hey, I have a question about port-channel.
    We have a port-channel 10 which contains 4 interfaces as below.
    My question is: how is the port-channel associated with the servers? I mean the output of "sh flogi database" as below...
    Do we need to add the port-channel as a zone member? I think the answer is no since I don't see the port-channel as a zone member...
    =================================================================
    tormds01# sh interface port-channel  10
    port-channel 10 is up
        Hardware is Fibre Channel
        Port WWN is 24:0a:54:7f:ee:a0:d5:48
        Admin port mode is auto, trunk mode is on
        snmp link state traps are enabled
        Port mode is F
        Port vsan is 510
        Speed is 32 Gbps
        5 minutes input rate 124316072 bits/sec, 15539509 bytes/sec, 9919 frames/sec
        5 minutes output rate 2205921104 bits/sec, 275740138 bytes/sec, 141424 frames/sec
          43540499847 frames input, 70772376296224 bytes
            0 discards, 0 errors
            0 CRC,  0 unknown class
            0 too long, 0 too short
          237450525827 frames output, 442040501099476 bytes
            0 discards, 0 errors
          0 input OLS, 0 LRR, 0 NOS, 0 loop inits
          0 output OLS, 0 LRR, 0 NOS, 0 loop inits
        Member[1] : fc1/1
        Member[2] : fc1/5
        Member[3] : fc1/9
        Member[4] : fc1/13
        Interface last changed at Tue Apr  8 22:16:49 2014
    tormds01# sh flogi database
    INTERFACE        VSAN    FCID           PORT NAME               NODE NAME      
    fc1/3            510   0x860000  50:06:01:64:3d:e0:24:d0 50:06:01:60:bd:e0:24:d0
                               [torvnx01_spa0]
    fc1/7            510   0x860100  50:06:01:6c:3d:e0:24:d0 50:06:01:60:bd:e0:24:d0
                               [torvnx01_spb0]
    fc1/11           510   0x860200  50:06:01:60:3d:e0:24:d0 50:06:01:60:bd:e0:24:d0
                               [torvnx01_spa2]
    fc1/15           510   0x860300  50:06:01:68:3d:e0:24:d0 50:06:01:60:bd:e0:24:d0
                               [torvnx01_spb2]
    port-channel 10  510   0x860400  24:0a:54:7f:ee:92:3e:80 21:fe:54:7f:ee:92:3e:81
    port-channel 10  510   0x860401  20:01:04:25:b5:3a:00:8f 20:01:00:25:b5:30:00:8f
                               [mcvhes0101hba0]
    port-channel 10  510   0x860402  20:01:04:25:b5:3a:00:9f 20:01:00:25:b5:30:00:9f
                               [mcvhes0102hba0]
    port-channel 10  510   0x860404  20:01:04:25:b5:3a:00:6f 20:01:00:25:b5:30:00:6f
                               [mcvhes0103hba0]
    port-channel 10  510   0x860408  20:01:04:25:b5:3a:00:7f 20:01:00:25:b5:30:00:7f
                               [mcvhes0104hba0]
    port-channel 10  510   0x86040f  20:01:04:25:b5:3a:00:4f 20:01:00:25:b5:30:00:4f
                               [mcvhes0105hba0]
    port-channel 10  510   0x860410  20:01:04:25:b5:3a:00:5f 20:01:00:25:b5:30:00:5f
                               [mcvhes0106hba0]
    port-channel 10  510   0x860417  20:01:04:25:b5:3a:00:2f 20:01:00:25:b5:30:00:2f
                               [mcvhes0107hba0]
    port-channel 10  510   0x860418  20:01:04:25:b5:3a:00:0f 20:01:00:25:b5:30:00:0f
                               [mcvhes0109hba0]
    port-channel 10  510   0x86041b  20:01:04:25:b5:3a:00:bf 20:01:00:25:b5:30:01:bf
                               [mcvhes0110hba0]
    port-channel 10  510   0x86041d  20:01:04:25:b5:3a:00:1f 20:01:00:25:b5:30:00:1f
                               [mcvhes0111hba0]
    port-channel 10  510   0x86041e  20:01:04:25:b5:3a:00:3f 20:01:00:25:b5:30:00:3f
                               [mcvhes0108hba0]
    port-channel 10  510   0x86041f  20:01:04:25:b5:3a:00:ff 20:01:00:25:b5:30:01:ff
                               [mcvhes0112hba0]
    port-channel 10  510   0x860423  20:01:04:25:b5:3a:00:df 20:01:00:25:b5:30:01:df
                               [mcvhes0113hba0]
    port-channel 10  510   0x860425  20:01:04:25:b5:3a:00:ef 20:01:00:25:b5:30:01:ef
                               [mcvhes0114hba0]
    port-channel 10  510   0x860426  20:01:04:25:b5:3a:00:cf 20:01:00:25:b5:30:01:cf
                               [mcvhes0115hba0]
    port-channel 10  510   0x860427  20:01:04:25:b5:3a:00:8e 20:01:00:25:b5:30:01:8f
                               [MCDBWS0200hba0]
    port-channel 10  510   0x860429  20:01:04:25:b5:3a:00:9e 20:01:00:25:b5:30:01:9f
                               [MCDBWS0201hba0]
    port-channel 10  510   0x86042a  20:01:04:25:b5:3a:00:7e 20:01:00:25:b5:30:01:7f
                               [mcvhes0118hba0]
    port-channel 10  510   0x86042b  20:01:04:25:b5:3a:00:af 20:01:00:25:b5:30:01:af
                               [mcvhes0116hba0]
    port-channel 10  510   0x86042c  20:01:04:25:b5:3a:00:6e 20:01:00:25:b5:30:01:6f
                               [mcvhes0117hba0]
    port-channel 10  510   0x86042d  20:01:04:25:b5:3a:00:4e 20:01:00:25:b5:30:01:4f
                               [mcvhes0119hba0]
    port-channel 10  510   0x86042e  20:01:04:25:b5:3a:00:5e 20:01:00:25:b5:30:01:5f
                               [mcvhes0120hba0]
    port-channel 10  510   0x860431  20:01:04:25:b5:3a:00:2e 20:01:00:25:b5:30:01:2f
                               [awotorprodsql01hba0]
    port-channel 10  510   0x860432  20:01:04:25:b5:3a:00:3e 20:01:00:25:b5:30:01:3f
                               [awotorprodsql02hba0]
    port-channel 10  510   0x860435  20:01:04:25:b5:3a:00:fe 20:01:00:25:b5:30:00:ef
                               [dbcactv01n3hba0]
    port-channel 10  510   0x860436  20:01:04:25:b5:3a:00:de 20:01:00:25:b5:30:00:bf
                               [dbcactv01n4hba0]
    port-channel 10  510   0x860439  20:01:04:25:b5:3a:00:ce 20:01:00:25:b5:30:00:8e
                               [mcvhes0123hba0]
    port-channel 10  510   0x86043a  20:01:04:25:b5:3a:00:be 20:01:00:25:b5:30:00:af
                               [mcvhes0122hba0]
    port-channel 10  510   0x86043c  20:01:04:25:b5:3a:00:ae 20:01:00:25:b5:30:00:9e
                               [mcvhes0124hba0]
    port-channel 10  510   0x860443  20:01:04:25:b5:3a:00:8d 20:01:00:25:b5:30:00:6e
                               [mcvhes0125hba0]
    port-channel 10  510   0x860445  20:01:04:25:b5:3a:00:ee 20:01:00:25:b5:30:00:cf
                               [mcvhes0121hba0]
    port-channel 10  510   0x860446  20:01:04:25:b5:3a:00:9d 20:01:00:25:b5:30:00:7e
                               [mcvhes0126hba0]
    port-channel 10  510   0x860447  20:01:04:25:b5:3a:00:6d 20:01:00:25:b5:30:00:4e
                               [mcvhes0127hba0]
    port-channel 10  510   0x860449  20:01:04:25:b5:3a:00:7d 20:01:00:25:b5:30:00:5e
                               [mcvhes0128hba0]

    I think what you are doing is F-Port trunking channeling!
    Port-channel as a zone member? I assume you will do pWWN-based zoning, in which case the answer is NO!
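
An added example, not part of the original posts: a small parser for `sh flogi database` output that groups fabric logins by the interface they arrived on. It shows that each device behind port-channel 10 logs in with its own pWWN, and with pWWN-based zoning those pWWNs, not the port-channel, are what a zone refers to. The sample is an excerpt copied from the output above; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Excerpt copied from the `sh flogi database` output quoted in the post above.
SAMPLE = """\
INTERFACE        VSAN    FCID           PORT NAME               NODE NAME
fc1/3            510   0x860000  50:06:01:64:3d:e0:24:d0 50:06:01:60:bd:e0:24:d0
                           [torvnx01_spa0]
fc1/7            510   0x860100  50:06:01:6c:3d:e0:24:d0 50:06:01:60:bd:e0:24:d0
                           [torvnx01_spb0]
port-channel 10  510   0x860400  24:0a:54:7f:ee:92:3e:80 21:fe:54:7f:ee:92:3e:81
port-channel 10  510   0x860401  20:01:04:25:b5:3a:00:8f 20:01:00:25:b5:30:00:8f
                           [mcvhes0101hba0]
port-channel 10  510   0x860402  20:01:04:25:b5:3a:00:9f 20:01:00:25:b5:30:00:9f
                           [mcvhes0102hba0]
"""

WWN = r"(?:[0-9a-f]{2}:){7}[0-9a-f]{2}"
# Interface is either one token (fc1/3) or "port-channel <n>".
ENTRY = re.compile(
    rf"^(?P<intf>\S+(?: \d+)?)\s+(?P<vsan>\d+)\s+(?P<fcid>0x[0-9a-f]{{6}})\s+"
    rf"(?P<pwwn>{WWN})\s+(?P<nwwn>{WWN})\s*$", re.I)
# Device-alias lines are indented and bracketed, and follow the login they name.
ALIAS = re.compile(r"^\s+\[(?P<alias>[^\]]+)\]\s*$")

def parse_flogi(text):
    """Return one dict per fabric login; an alias line attaches to the entry above it."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append({**m.groupdict(), "alias": None})
            continue
        a = ALIAS.match(line)
        if a and entries:
            entries[-1]["alias"] = a.group("alias")
    return entries

def logins_by_interface(entries):
    """Group parsed logins by the switch interface they were seen on."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["intf"]].append(e)
    return dict(grouped)

def pwwns_behind(entries, intf):
    """(alias, pWWN) pairs for every login on `intf`; alias is None if none was shown."""
    return [(e["alias"], e["pwwn"]) for e in entries if e["intf"] == intf]

if __name__ == "__main__":
    logins = parse_flogi(SAMPLE)
    for intf, items in logins_by_interface(logins).items():
        print(intf, len(items), "login(s)")
```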
