Cisco Systems CL-28826-01 Security Camera User Manual


User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 45 Managing Firewall Devices
Configuring Firewall Device Interfaces
An EtherChannel interface is configured and used in the same manner as a single physical interface. You
can configure up to 48 EtherChannels, each of which consists of between one and eight active Fast
Ethernet, Gigabit Ethernet, or Ten-Gigabit Ethernet ports.
Note: You cannot use a redundant interface as part of an EtherChannel, nor can you use an EtherChannel as
part of a redundant interface. You cannot use the same physical interfaces in a redundant interface and
an EtherChannel interface. You can, however, configure both types on the ASA if they do not use the
same physical interfaces.
EtherChannel MAC Addressing
All interfaces that are part of a channel group share the same MAC address. This makes the
EtherChannel transparent to network applications and users, because they only see the one logical
connection; they have no knowledge of the individual links. By default, the EtherChannel uses the MAC
address of the lowest-numbered member interface as its MAC address.
Alternatively, you can manually configure a MAC address for the port-channel interface. We recommend
doing so in case the channel interface membership changes. For example, if you remove the interface
that provides the port-channel MAC address, the port-channel is assigned the MAC address of the next
lowest numbered interface, causing traffic disruption. Manually assigning a unique MAC address to the
EtherChannel interface prevents this disruption. (Note that in multiple-context mode, you can assign
unique MAC addresses to interfaces assigned to an individual context, including EtherChannel
interfaces.)
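The limits and the MAC inheritance rule described above, written as a check to run against a planned interface layout before deployment (added example code, not from the Cisco guide or Security Manager). The dictionary layout, function names and sample MAC addresses are assumptions constructed for illustration, and "lowest-numbered" is taken to mean numeric ordering of the slot/port numbers.

```python
import re

MAX_CHANNELS = 48   # page: up to 48 EtherChannels
MAX_ACTIVE = 8      # page: one to eight active ports per EtherChannel

def port_key(name):
    # Numeric ordering, so GigabitEthernet0/2 sorts before GigabitEthernet0/10.
    return [int(n) for n in re.findall(r"\d+", name)]

def effective_mac(channel, port_macs):
    # A manual MAC wins; otherwise the lowest-numbered member supplies it.
    if channel["mac"]:
        return channel["mac"]
    return port_macs[min(channel["members"], key=port_key)]

def check(channels, redundant, port_macs):
    # Return one finding per violated constraint or missing manual MAC.
    findings = []
    if len(channels) > MAX_CHANNELS:
        findings.append(f"{len(channels)} EtherChannels planned, limit is {MAX_CHANNELS}")
    redundant_ports = {p for ports in redundant.values() for p in ports}
    for name, ch in sorted(channels.items()):
        members = ch["members"]  # active member ports of this channel
        if not 1 <= len(members) <= MAX_ACTIVE:
            findings.append(f"{name}: {len(members)} active ports, must be 1 to {MAX_ACTIVE}")
            continue
        for port in sorted(redundant_ports & set(members), key=port_key):
            findings.append(f"{name}: {port} is also in a redundant interface")
        if not ch["mac"]:
            lowest = min(members, key=port_key)
            rest = dict(ch, members=[m for m in members if m != lowest])
            after = effective_mac(rest, port_macs) if rest["members"] else "none"
            findings.append(f"{name}: no manual MAC; uses {port_macs[lowest]} from {lowest}, "
                            f"becomes {after} if {lowest} is removed")
    return findings

# Constructed sample layout (MACs taken from the RFC 7042 documentation range).
PORT_MACS = {"GigabitEthernet0/2": "00:00:5e:00:53:02",
             "GigabitEthernet0/3": "00:00:5e:00:53:03",
             "GigabitEthernet0/10": "00:00:5e:00:53:0a"}
CHANNELS = {
    "Port-channel1": {"members": ["GigabitEthernet0/10", "GigabitEthernet0/2"], "mac": None},
    "Port-channel2": {"members": ["GigabitEthernet0/3"], "mac": "00:00:5e:00:53:f0"},
}
REDUNDANT = {"Redundant1": ["GigabitEthernet0/3", "GigabitEthernet0/4"]}

if __name__ == "__main__":
    print("\n".join(check(CHANNELS, REDUNDANT, PORT_MACS)))
```
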
About Management Only EtherChannel Interfaces
You can specify an EtherChannel group as a management-only interface, but note the following caveats:
• Routed mode – You must explicitly configure the EtherChannel to be Management Only in the
  Add/Edit Interface Dialog Box (PIX 7.0+/ASA/FWSM), page 45-19. Any non-management
  interface added to the management-only port-channel is treated as a management port. If you add
  an interface already defined as management-only to the management-only group, that attribute is
  ignored on the physical interface. Similarly, you cannot designate an interface as management-only
  if it is already a member of a management-only port-channel.
• Transparent mode – In this mode, members of a management-only EtherChannel can themselves
  only be management-only ports. Thus, when a management-only member is added to a
  transparent-mode EtherChannel, the channel inherits the management-only designation, while the
  designation is removed from the member interface. Conversely, when such an interface is removed
  from the EtherChannel, the designation is restored on the individual interface.
Using an EtherChannel Interface as a Failover Link
If an EtherChannel interface is specified as a failover link, all state-sync traffic for that link will travel
over a single physical interface. Should that physical interface fail, the state-sync traffic will then
traverse another physical interface that is part of the EtherChannel aggregated link. If there are no
remaining available physical interfaces in the EtherChannel link specified for failover, the ASA falls
back to the redundant interface, if one is specified.
While an EtherChannel interface is being used as an active failover link, changes to that EtherChannel
configuration are not allowed. You can change the EtherChannel configuration of that link only by
disabling either the link or failover, as follows:
• Disable the EtherChannel link while the configuration changes are being made, and then reactivate
  it (failover will not occur while the link is disabled).