- "Do I Know This Already?" Quiz
- Foundation Topics
- Configuring Physical Interfaces
- Configuring VLAN Interfaces
- Configuring Interface Security Parameters
- Configuring the Interface MTU
- Verifying Interface Operation
- Exam Preparation Tasks
- Review All Key Topics
- Define Key Terms
- Command Reference to Check Your Memory
Configuring Physical Interfaces
An ASA supports multiple physical interfaces that can be connected into the network or to individual devices. From the Configuration tab in Cisco ASDM, you can view the list of interfaces by selecting Device Setup > Interfaces, as shown in Figure 3-1.
Figure 3-1. Using ASDM to View a List of Interfaces
From the CLI, you can see a list of the physical firewall interfaces that are available by using the following command:
ciscoasa# show version
Firewall interfaces are referenced by their hardware index and their physical interface names. Example 3-1 lists the physical interfaces in an ASA 5510. Ethernet0/0 through 0/3 and Management0/0 are built-in interfaces, while GigabitEthernet1/0 through 1/3 are installed as a 4GE-SSM module.
Example 3-1. Listing Physical ASA Interfaces
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(4)
Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 1 day 10 hours
Hardware: ASA5510-K8, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 001a.a22d.1ddc, irq 9
1: Ext: Ethernet0/1 : address is 001a.a22d.1ddd, irq 9
2: Ext: Ethernet0/2 : address is 001a.a22d.1dde, irq 9
3: Ext: Ethernet0/3 : address is 001a.a22d.1ddf, irq 9
4: Ext: Management0/0 : address is 001a.a22d.1ddb, irq 11
5: Int: Internal-Data0/0 : address is 0000.0001.0002, irq 11
6: Int: Not used : irq 5
7: Ext: GigabitEthernet1/0 : address is 001a.a22d.20f1, irq 255
8: Ext: GigabitEthernet1/1 : address is 001a.a22d.20f2, irq 255
9: Ext: GigabitEthernet1/2 : address is 001a.a22d.20f3, irq 255
10: Ext: GigabitEthernet1/3 : address is 001a.a22d.20f4, irq 255
11: Int: Internal-Data1/0 : address is 0000.0003.0002, irq 255
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
[output truncated for clarity]
Before you begin configuring the ASA interfaces, you should first use the interface list to identify each of the interfaces you will use. At a minimum, you need one interface as the “inside” of the ASA and one as the “outside.”
Default Interface Configuration
Some interfaces come predefined in the initial factory default configuration. You can view the interface mappings with the show nameif EXEC command. As shown in Example 3-2, an ASA 5510 or higher model defines only one interface, Management0/0, for use by default. The interface is named “management” and is set aside for out-of-band management access.
Example 3-2. Default Interface Configuration on ASA 5510 and Higher Models
ciscoasa# show nameif
Interface                Name                     Security
Management0/0            management               100
ciscoasa#
An ASA 5505 takes a different approach with its default interfaces, as shown in Example 3-3. Rather than use physical interfaces, it defines an “inside” and an “outside” interface using two logical VLANs: VLAN 1 and VLAN 2.
Example 3-3. Default Interface Configuration on the ASA 5505
ciscoasa# show nameif
Interface                Name                     Security
Vlan1                    inside                   100
Vlan2                    outside                  0
ciscoasa#
These two VLANs are then applied to the physical interfaces such that interface Ethernet0/0 is mapped to VLAN 2, while Ethernet0/1 through 0/7 are mapped to VLAN 1 (inside). This configuration gives one outside interface that can be connected to a service provider network for an Internet connection. The remaining seven inside interfaces can be connected to individual devices on the protected network.
You can display the ASA 5505 interface-to-VLAN mapping by entering the show switch vlan command, as shown in Example 3-4.
Example 3-4. Displaying the ASA 5505 Interface-to-VLAN Mapping
ciscoasa# show switch vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -----------------------------
1    inside                           up        Et0/1, Et0/2, Et0/3, Et0/4
                                                Et0/5, Et0/6, Et0/7
2    outside                          up        Et0/0
ciscoasa#
Configuring Physical Interface Parameters
For each physical interface, you can configure the speed, duplex, and the interface state. In ASDM, select Configuration > Interfaces, select an interface, and click the Edit button. In the General tab, click Configure Hardware Properties, as shown in Figure 3-2.
Figure 3-2. Configuring Physical Interface Parameters in ASDM
You can do the same task from the CLI by using the following commands:
ciscoasa(config)# interface hardware-id
ciscoasa(config-if)# speed {auto | 10 | 100 | 1000}
ciscoasa(config-if)# duplex {auto | full | half}
ciscoasa(config-if)# [no] shutdown
By default, an interface uses autodetected speed and autonegotiated duplex mode, as if the speed auto and duplex auto commands had been entered. As long as the ASA interface and the device connected to it are configured the same, the interface will automatically come up using the maximum speed and full-duplex mode. You can also statically configure the interface speed to 10, 100, or 1000 Mbps, as well as full- or half-duplex mode.
By default, physical interfaces are administratively shut down. Use the no shutdown interface configuration command to enable each one individually. As well, you can shut an interface back down with the shutdown command.
Mapping ASA 5505 Interfaces to VLANs
By default, an ASA 5505 maps interface Ethernet0/0 to VLAN 2 and interfaces Ethernet0/1 through 0/7 to VLAN 1. All eight interfaces are connected to an internal 8-port switch, with each interface configured as an access link mapped to a single VLAN.
Figure 3-3 shows how ASDM can be used to map a physical interface to a different VLAN number. First, a new interface is created and named vlan 10. At the top of the Add Interface dialog box, Ethernet0/3 is added to the list of interfaces that are mapped to VLAN 10.
Figure 3-3. Mapping an ASA 5505 Interface to a VLAN
You can use the following CLI command to accomplish the same task:
ciscoasa(config-if)# switchport access vlan vlan-id
The vlan-id parameter represents a VLAN interface that has already been created and configured. The section, “Configuring VLAN Interfaces,” covers this in detail.
In Example 3-5, interface Ethernet0/3 is mapped to VLAN 10, while Ethernet0/4 is mapped to VLAN 20.
Example 3-5. Mapping Interfaces to VLANs on an ASA 5505
ciscoasa(config)# interface ethernet0/3
ciscoasa(config-if)# switchport access vlan 10
ciscoasa(config-if)# interface ethernet0/4
ciscoasa(config-if)# switchport access vlan 20
Configuring Interface Redundancy
By default, each physical ASA interface operates independently of any other interface. The interface can be in one of two operating states: up or down. When an interface is down for some reason, the ASA cannot send or receive any data through it. For example, the switch port where an ASA interface connects might fail, causing the ASA interface to go down, too.
To keep an ASA interface up and active all the time, you can configure physical interfaces as redundant pairs. As a redundant pair, two interfaces are set aside for the same ASA function (inside, outside, and so on), and connect to the same network. Only one of the interfaces is active at any given time; the other interface stays in a standby state. As soon as the active interface loses its link status and goes down, the standby interface becomes active and takes over passing traffic.
Both physical interfaces in a redundant pair are configured as members of a single logical “redundant” interface. To join two interfaces as a redundant pair, the interfaces must be of the same type (10/100/1000BASE-TX, for example).
The redundant interface, rather than its physical member interfaces, is configured with a unique interface name, security level, and IP address—all the parameters used in ASA interface operations.
First, you must create the redundant interface by entering the following configuration command:
ciscoasa(config)# interface redundant number
You can define up to eight redundant interfaces on an ASA. Therefore, the interface number can be 1 through 8.
Next, use the following command to add a physical interface as a member of the redundant interface:
ciscoasa(config-if)# member-interface physical_interface
Here, physical_interface is the hardware name and number, like ethernet0/1 or gigabitethernet0/1, for example. In Figure 3-4, ASA interfaces Ethernet0/0 and Ethernet0/1 are member interfaces of a logical redundant interface called Redundant1, while Ethernet0/2 and Ethernet0/3 are members of interface Redundant2.
Figure 3-4. Example Redundant Interfaces
Be aware that the member interface cannot have a security level or an IP address configured. In fact, as soon as you enter the member-interface command, the ASA will automatically clear those parameters from the physical interface configuration. You should repeat this command to add a second physical interface to the redundant pair.
Keep in mind that the order in which you configure the interfaces is important. The first physical interface added to a logical redundant interface will become the active interface. That interface will stay active until it loses its link status, causing the second or standby interface to take over. The standby interface can also take over when the active interface is administratively shut down with the shutdown interface configuration command.
However, the active status will not revert to the failed interface, even when it comes back up. The two interfaces trade the active role back and forth only when one of them fails.
The redundant interface also takes on the MAC address of the first member interface that you configure. Regardless of which physical interface is active, that same MAC address will be used. You can override this behavior by manually configuring a unique MAC address on the redundant interface with the mac-address mac_address interface configuration command.
In Example 3-6, interfaces Ethernet0/0 and Ethernet0/1 are configured to be used as logical interface redundant 1.
Example 3-6. Configuring a Redundant Interface Pair
ciscoasa(config)# interface redundant 1
ciscoasa(config-if)# member-interface ethernet0/0
INFO: security-level and IP address are cleared on Ethernet0/0.
ciscoasa(config-if)# member-interface ethernet0/1
INFO: security-level and IP address are cleared on Ethernet0/1.
ciscoasa(config-if)# no shutdown
The redundant interface is now ready to be configured as a normal ASA interface. From this point on, you should not configure anything on the two physical interfaces other than the port speed and duplex.
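The following Python model is an added illustration written for this page, not ASA code. It reproduces the redundant-pair rules stated above (the first member added becomes active, the logical interface inherits the first member's MAC unless one is set with mac-address, the standby takes over on link loss or shutdown, and the role does not revert when the failed member returns) so the behaviour of Example 3-6 can be checked offline. The MAC addresses are the ones Example 3-1 shows for Ethernet0/0 and 0/1; the IP address and the event method names are constructed for the model.

```python
"""Model of an ASA redundant interface pair (added example, not ASA code)."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PhysicalInterface:
    name: str                          # e.g. "Ethernet0/0"
    mac: str                           # burned-in address of the port
    link_up: bool = True
    shutdown: bool = False             # model assumes the member is already enabled
    security_level: Optional[int] = None
    ip_address: Optional[str] = None

    @property
    def usable(self) -> bool:
        """A member can carry traffic only with link up and not shut down."""
        return self.link_up and not self.shutdown


@dataclass
class RedundantInterface:
    number: int                                    # 1 to 8 on an ASA
    members: List[PhysicalInterface] = field(default_factory=list)
    active: Optional[PhysicalInterface] = None
    mac_override: Optional[str] = None             # 'mac-address' on the redundant interface

    def __post_init__(self) -> None:
        if not 1 <= self.number <= 8:
            raise ValueError("redundant interface number must be 1 through 8")

    def member_interface(self, phys: PhysicalInterface) -> None:
        """'member-interface <phys>': join a physical interface to the pair."""
        if len(self.members) >= 2:
            raise ValueError("a redundant pair holds exactly two members")
        # The ASA clears security-level and IP address from the member on join.
        phys.security_level = None
        phys.ip_address = None
        self.members.append(phys)
        self._reevaluate()        # first usable member added becomes active

    @property
    def mac(self) -> Optional[str]:
        """MAC of the first member configured, unless overridden manually."""
        if self.mac_override:
            return self.mac_override
        return self.members[0].mac if self.members else None

    def link_change(self, name: str, up: bool) -> None:
        self._find(name).link_up = up
        self._reevaluate()

    def set_shutdown(self, name: str, shut: bool) -> None:
        self._find(name).shutdown = shut
        self._reevaluate()

    def _find(self, name: str) -> PhysicalInterface:
        for m in self.members:
            if m.name == name:
                return m
        raise KeyError(name)

    def _reevaluate(self) -> None:
        # A usable active member keeps the role: there is no preemption when
        # a failed member comes back up.
        if self.active is not None and self.active.usable:
            return
        self.active = next((m for m in self.members if m.usable), None)


def example_3_6() -> RedundantInterface:
    """Build the pair from Example 3-6: Ethernet0/0, then Ethernet0/1, join redundant 1.
    The security level and IP on Ethernet0/0 are constructed to show they get cleared."""
    pair = RedundantInterface(1)
    pair.member_interface(PhysicalInterface("Ethernet0/0", "001a.a22d.1ddc",
                                            security_level=100, ip_address="10.1.1.1"))
    pair.member_interface(PhysicalInterface("Ethernet0/1", "001a.a22d.1ddd"))
    return pair


if __name__ == "__main__":
    pair = example_3_6()
    print("active:", pair.active.name, "mac:", pair.mac)
    pair.link_change("Ethernet0/0", up=False)
    print("after Ethernet0/0 link loss, active:", pair.active.name)
    pair.link_change("Ethernet0/0", up=True)
    print("after Ethernet0/0 returns, active:", pair.active.name)
```

Walking the model through a link failure and recovery shows the practical consequence of the no-revert rule: after a flap, traffic stays on whichever member took over, so a monitoring check should report which member is currently active rather than assume the first one configured.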
To accomplish the same thing through ASDM, first select Add > Redundant Interface from the drop-down menu in the upper-right corner of the interface listing. A new Add Redundant Interface dialog box appears, as shown in Figure 3-5. Select the redundant interface number and the two physical interfaces that will operate as a redundant pair. To enable the new redundant interface for use, be sure to check the Enable Interface check box.
Figure 3-5. Adding a Redundant Interface in ASDM
Configuring an EtherChannel
A single link between an ASA and a switch provides simple connectivity, but it is a single point of failure. If the link goes down, no data can travel across it. In the previous section, you learned that a redundant interface binds two physical interfaces into one logical interface. The possibility of a link failure is reduced, because one of the two interfaces will always be up and available; however, only one of the two links can pass data at any given time.
How can you maximize availability with more than one link, while leveraging the bandwidth of all of them at the same time? Beginning with ASA software release 8.4(1), you can use an EtherChannel to make that all possible. With an EtherChannel, two to eight active physical interfaces can be grouped or bundled together as a single logical port-channel interface. Each interface must be of the same type, speed, and duplex mode before an EtherChannel can be built.
Figure 3-6 shows an EtherChannel that is built out of multiple physical GigabitEthernet interfaces that connect an ASA to a Catalyst switch. On the ASA, the resulting logical interface is named interface port-channel 1. Notice that the individual links in the EtherChannel can have different interface names on each end. The interfaces can also be connected and grouped in any arbitrary order. What matters is that the interfaces form one common EtherChannel link between the two devices.
Figure 3-6. Building an EtherChannel from Multiple Physical Links
An ASA can support up to eight active interfaces in a single EtherChannel; however, you can configure up to 16 different interfaces per EtherChannel, although only eight of them can be active at any time. If one active interface fails, another one automatically takes its place. Although Figure 3-6 shows a single EtherChannel link, an ASA can support up to 48 different EtherChannels.
Because multiple interfaces are active in an EtherChannel, the available bandwidth can be scaled over that of a single interface. Traffic is load balanced by distributing the packets across the active interfaces. The ASA computes a hash value based on values found in the packet header, such as the source or destination MAC address, IP address, or the UDP or TCP port number. You can configure a preset combination of fields that are used. As long as the number of active interfaces is a multiple of two, the ASA can evenly distribute packets across them.
To build an EtherChannel, the ASA and the switch must both agree to do so. You can configure the ASA interfaces to statically participate, where the EtherChannel is “always on.” In that case, the switch interfaces must also be configured for “always on” operation. Instead, you can configure the ASA and switch to negotiate an EtherChannel with each other.
Negotiation uses the Link Aggregation Control Protocol (LACP), which is a standards-based protocol. LACP packets are exchanged between the ASA and the switch over the interfaces that can become part of an EtherChannel. The ASA and the switch use a system priority (a 2-byte priority value followed by a 6-byte switch MAC address) to decide which one is allowed to make decisions about what interfaces are actively participating in the EtherChannel at a given time.
Interfaces are selected and become active according to their port priority value (a 2-byte priority followed by a 2-byte port number), where a low value indicates a higher priority. A set of up to 16 potential links can be defined for each EtherChannel. Through LACP, up to eight of these having the lowest port priorities can become active EtherChannel links at any given time. The other links are placed in a standby state and will be enabled in the EtherChannel if one of the active links goes down.
LACP can be configured in the active mode, in which the ASA actively asks a far-end switch to negotiate an EtherChannel, or in passive mode, in which the ASA negotiates an EtherChannel only if the far end initiates it. Table 3-2 summarizes the EtherChannel negotiation methods and characteristics.
Table 3-2. EtherChannel Negotiation Methods
| Negotiation Mode | Negotiation Packets Sent? | Characteristics |
|---|---|---|
| On | No | All ports channeling all the time |
| Passive | Yes | Waits to channel until asked |
| Active | Yes | Actively asks to form a channel |
To configure an EtherChannel in ASDM, begin by defining the port-channel interface. Select Configuration > Device Setup > Interfaces, click the Add button, and select EtherChannel Interface. Under the General tab, enter an arbitrary Port Channel ID number (1 to 48) that will identify the port-channel interface.
Next, select an interface from the Available Physical Interface list and click the Add>> button to make it a member of the EtherChannel. You can repeat this process to add multiple interfaces. Make sure to select the Enable Interface check box to enable the port-channel interface for use. In Figure 3-7, interface port-channel1 has been created. Ethernet0/2 and Ethernet0/3 have been added as member interfaces.
Figure 3-7. Configuring a New EtherChannel in ASDM
Notice that Figure 3-7 also has fields for Interface Name, Security Level, and IP Address. These fields are not applied to the individual member interfaces; instead, they are applied to the port-channel interface. The fields are covered in the section, “Configuring Interface Security Parameters.”
Next, configure the method that the ASA will use to distribute packets across the links within the EtherChannel. By default, a packet’s source and destination IP addresses are used to compute a hash index that points to the link that will carry the packet. This is the appropriate choice in most cases, as long as the source and destination IP addresses are unique and diverse. The more varied the hash input values, the better the traffic will be distributed across the links in the EtherChannel.
In some scenarios, the majority of the traffic might travel between the same two IP addresses, causing most of the packets to travel over only one link of the EtherChannel. In that case, you can configure the EtherChannel load-balancing method to use additional information, such as a Layer 4 port number, MAC addresses, or a VLAN number, to provide more uniqueness so that the packets can be spread more evenly across the EtherChannel links. The possible load-balancing methods are as follows:
- Destination IP
- Destination IP and Layer 4 Port
- Destination MAC Address
- Destination Layer 4 Port
- Source and Destination IP Address
- Source and Destination MAC Address
- Source and Destination IP Address and Layer 4 Port
- Source and Destination Layer 4 Port
- Source IP Address
- Source IP Address and Layer 4 Port
- Source MAC Address
- Source Layer 4 Port
- VLAN Destination IP Address
- VLAN Destination IP and Layer 4 Port
- VLAN Only
- VLAN Source and Destination IP Address
- VLAN Source and Destination IP Address and Layer 4 Port
- VLAN Source IP Address
- VLAN Source IP Address and Layer 4 Port
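The Python model below is an added example written for this page, not ASA code. It shows why the choice of load-balancing method matters: a hash is computed over the header fields the method names and used to pick one of the active links, so traffic between the same two IP addresses all lands on one link under Source and Destination IP Address, while adding the Layer 4 port spreads the same flows across every link. The text does not describe the ASA's actual hash function, so SHA-256 is used here as a stand-in (an assumption), and the traffic, MAC addresses and method keys are constructed.

```python
"""Model of EtherChannel hash-based link selection (added example, not ASA code)."""
import hashlib
from collections import Counter
from typing import Dict, Iterable, List

# A subset of the load-balancing methods listed above, mapped to the header
# fields that feed the hash.  Keys are constructed short names, not ASA syntax.
METHODS = {
    "src-ip":               ("src_ip",),
    "dst-ip":               ("dst_ip",),
    "src-dst-ip":           ("src_ip", "dst_ip"),
    "src-dst-mac":          ("src_mac", "dst_mac"),
    "src-dst-port":         ("src_port", "dst_port"),
    "src-dst-ip-port":      ("src_ip", "dst_ip", "src_port", "dst_port"),
    "vlan-only":            ("vlan",),
    "vlan-src-dst-ip":      ("vlan", "src_ip", "dst_ip"),
    "vlan-src-dst-ip-port": ("vlan", "src_ip", "dst_ip", "src_port", "dst_port"),
}


def select_link(packet: Dict[str, object], method: str, active_links: int) -> int:
    """Return the index (0 .. active_links-1) of the link that carries `packet`."""
    if active_links < 1:
        raise ValueError("an EtherChannel needs at least one active link")
    key = "|".join(str(packet[f]) for f in METHODS[method]).encode()
    digest = hashlib.sha256(key).digest()        # stand-in for the ASA's hash
    return int.from_bytes(digest[:4], "big") % active_links


def distribute(packets: Iterable[Dict[str, object]], method: str,
               active_links: int) -> Dict[int, int]:
    """Count how many packets land on each active link under `method`."""
    counts = Counter(select_link(p, method, active_links) for p in packets)
    return {link: counts.get(link, 0) for link in range(active_links)}


def same_hosts_flows(n: int) -> List[Dict[str, object]]:
    """Constructed traffic: n TCP flows between one client and one server that
    differ only in the client's ephemeral source port, the scenario in the text
    where most traffic travels between the same two IP addresses."""
    return [
        {"vlan": 10,
         "src_mac": "0011.2233.4455", "dst_mac": "0066.7788.99aa",
         "src_ip": "10.1.1.10", "dst_ip": "10.2.2.20",
         "src_port": 40000 + i, "dst_port": 443}
        for i in range(n)
    ]


if __name__ == "__main__":
    flows = same_hosts_flows(200)
    for method in ("src-dst-ip", "src-dst-ip-port"):
        print(f"{method:20s} links={distribute(flows, method, 2)}")
```

Running the block with two active links prints all 200 flows on a single link for src-dst-ip and a roughly even split for src-dst-ip-port; the same call with four links shows the spread across all four. The model also makes the failure mode concrete: a method whose fields are identical for every packet (vlan-only on a single-VLAN link, for instance) can never use more than one link no matter how many are bundled.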
To configure the load-balancing method, select the Advanced tab in the Add EtherChannel Interface screen and choose the method from the drop-down list at the bottom of the screen, as shown in Figure 3-8.
Figure 3-8. Configuring the EtherChannel Load-Balancing Method
Next, you need to configure a negotiation method for the EtherChannel. ASDM uses a default method of “active” on each member interface, where the ASA will use LACP to actively ask the far-end switch to bring up the EtherChannel. To configure the method, select Configuration > Device Setup > Interfaces, select an interface that is a member of the EtherChannel, and click the Edit button. In Figure 3-9, interfaces Ethernet0/2 and 0/3 are shown to be members of the Port-channel1 group. Because their individual configurations are restricted, they are shown with a lock icon next to their names. Remember that the security parameters of an EtherChannel are configured on the Port-channel interface instead.
Figure 3-9. Selecting an EtherChannel Interface for Configuration
Under the General tab of the Edit Interface screen, make sure that the Enable Interface check box under the Channel Group is selected. Select the Advanced tab and use the EtherChannel drop-down menu to set the negotiation mode, which can be either Active, Passive, or On, as shown in Figure 3-10.
Figure 3-10. Configuring the EtherChannel Negotiation Method
You can configure more interfaces in a channel group than are allowed to be active in the channel. This prepares extra standby interfaces to replace failed active ones. Set a lower LACP port priority (1 to 65,535; default 32,768) for any interfaces that must be active and a higher priority for interfaces that might be held in the standby state. Otherwise, just use the default scenario, in which all ports default to 32,768 and the lower port numbers (in interface number order) are used to select the active ports.
By default, an ASA uses an LACP system priority of 32,768. If the ASA and the switch both use the same value, the one with the lower MAC address becomes the decision maker over the LACP negotiations. You can change the system priority by selecting Configuration > Device Setup > EtherChannel.
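The following Python model is an added example written for this page, not ASA or switch code. It implements the two LACP comparisons the text describes: the system identifier (2-byte system priority followed by the 6-byte MAC, lower value wins, so equal priorities are decided by the lower MAC) and the port identifier (2-byte port priority followed by the port number), from which the eight lowest-valued candidates out of up to sixteen become active and the rest wait in hot-standby. The ASA MAC is the Ethernet0/0 address from Example 3-1; the switch MAC, port names and non-default priorities are constructed.

```python
"""Model of LACP decision-maker election and active-link selection
(added example, not ASA code)."""
from dataclasses import dataclass
from typing import List, Tuple

MAX_ACTIVE = 8            # active links per EtherChannel on an ASA
MAX_MEMBERS = 16          # configurable members per EtherChannel
DEFAULT_PRIORITY = 32768  # default LACP system and port priority


def system_id(priority: int, mac: str) -> Tuple[int, int]:
    """LACP system identifier: 2-byte priority followed by the 6-byte MAC.
    Tuple comparison gives 'lower priority value wins, tie broken by lower MAC'."""
    if not 0 <= priority <= 65535:
        raise ValueError("system priority must be 0 through 65535")
    mac_int = int(mac.replace(".", "").replace(":", "").replace("-", ""), 16)
    if not 0 <= mac_int <= 0xFFFFFFFFFFFF:
        raise ValueError("not a 48-bit MAC address")
    return priority, mac_int


def decision_maker(asa: Tuple[int, str], switch: Tuple[int, str]) -> str:
    """Return which side ('asa' or 'switch') decides the active interfaces."""
    return "asa" if system_id(*asa) < system_id(*switch) else "switch"


@dataclass(frozen=True)
class LacpPort:
    name: str                           # constructed interface name
    number: int                         # 2-byte LACP port number
    priority: int = DEFAULT_PRIORITY    # 'lacp port-priority', 1 through 65535

    def key(self) -> Tuple[int, int]:
        # Port identifier: priority first, then port number; lower wins.
        return (self.priority, self.number)


def select_active(ports: List[LacpPort]) -> Tuple[List[LacpPort], List[LacpPort]]:
    """Split the candidate links into (active, hot-standby) lists."""
    if len(ports) > MAX_MEMBERS:
        raise ValueError(f"at most {MAX_MEMBERS} members per EtherChannel")
    for p in ports:
        if not 1 <= p.priority <= 65535:
            raise ValueError(f"{p.name}: port priority must be 1 through 65535")
    ordered = sorted(ports, key=LacpPort.key)
    return ordered[:MAX_ACTIVE], ordered[MAX_ACTIVE:]


def after_link_failure(ports: List[LacpPort], failed_name: str):
    """Re-run selection without the failed link; the best standby is promoted."""
    return select_active([p for p in ports if p.name != failed_name])


if __name__ == "__main__":
    asa = (DEFAULT_PRIORITY, "001a.a22d.1ddc")       # ASA MAC from Example 3-1
    switch = (DEFAULT_PRIORITY, "0019.0000.0001")    # constructed switch MAC
    print("decision maker at default priorities:", decision_maker(asa, switch))
    print("decision maker with ASA priority 100:",
          decision_maker((100, asa[1]), switch))
    ports = [LacpPort(f"Gi0/{i}", i) for i in range(1, 11)]
    active, standby = select_active(ports)
    print("active:", [p.name for p in active], "standby:", [p.name for p in standby])
```

Lowering the system priority on the ASA (the lacp system-priority command) is what makes the ASA rather than the switch the decision maker; lowering a port's priority moves that port to the front of the active list regardless of its port number, which the test below checks by giving the tenth port a priority of 100.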
You can also configure an EtherChannel by using the CLI. Select a physical interface that will be a member of the EtherChannel, and then identify the port-channel number where it will belong, along with the negotiation method that will be used:
ciscoasa(config)# lacp system-priority priority
ciscoasa(config)# interface type mod/num
ciscoasa(config-if)# channel-protocol lacp
ciscoasa(config-if)# channel-group number mode {on | passive | active}
ciscoasa(config-if)# lacp port-priority priority
As an example of LACP configuration, suppose that you want to configure an ASA to actively negotiate an EtherChannel using interfaces Ethernet0/2 and 0/3. You can use the commands listed in Example 3-7 to accomplish this.
Example 3-7. Configuring an EtherChannel Using the CLI
CISCOASA(config)# interface ethernet0/2
CISCOASA(config-if)# channel-protocol lacp
CISCOASA(config-if)# channel-group 1 mode active
CISCOASA(config-if)# exit
CISCOASA(config)# interface ethernet0/3
CISCOASA(config-if)# channel-protocol lacp
CISCOASA(config-if)# channel-group 1 mode active
CISCOASA(config-if)# exit
If you find that an EtherChannel is having problems, remember that the entire concept is based on consistent configurations on both ends of the channel. You can verify the EtherChannel state with the show port-channel summary command. Each port in the channel is shown, along with flags indicating the port’s state, as shown in Example 3-8.
Example 3-8. show port-channel summary Command Output
CISCOASA# show port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)        LACP        Et0/2(P)       Et0/3(P)
CISCOASA#
The status of the port channel shows the EtherChannel logical interface as a whole. This should show U (in use) if the channel is operational. You also can examine the status of each interface within the channel. Notice that both of the channel interfaces have flags (P), which indicate that they are active in the port-channel.
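The parser below is an added example written for this page, not ASA code. It reads show port-channel summary output of the shape Example 3-8 shows, pulls out the flag legend and the per-group line, and reports whether the channel is in the healthy state the text describes (the port-channel flagged U and every member flagged P), so the check can run over captured output instead of being eyeballed. The sample text is constructed to match Example 3-8; the second, degraded sample and the function names are also constructed.

```python
"""Parser and health check for 'show port-channel summary' output
(added example, not ASA code)."""
import re
from typing import Dict, List

# Constructed sample laid out like Example 3-8.
HEALTHY_OUTPUT = """\
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(U)        LACP        Et0/2(P)       Et0/3(P)
"""

# Constructed variant: one member down, the other running stand-alone.
DEGRADED_OUTPUT = (HEALTHY_OUTPUT
                   .replace("Et0/2(P)", "Et0/2(D)")
                   .replace("Et0/3(P)", "Et0/3(I)"))

# "X - description" pairs, several of which may share one legend line.
LEGEND_RE = re.compile(r"([A-Za-z]) - (.+?)(?=\s+[A-Za-z] - |$)")
# Group line: "<group> Po<n>(<flags>) <protocol> <ports...>"
GROUP_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# Each member port: "<name>(<flags>)"
PORT_RE = re.compile(r"(\S+?)\(([A-Za-z]+)\)")


def parse_port_channel_summary(text: str) -> Dict[str, object]:
    """Return {'legend': {flag: meaning}, 'groups': [per-group dicts]}."""
    legend: Dict[str, str] = {}
    groups: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = GROUP_RE.match(line)
        if m:
            group, po, po_flags, proto, ports = m.groups()
            groups.append({
                "group": int(group),
                "port_channel": po,
                "flags": po_flags,
                "protocol": proto,
                "ports": [(name, fl) for name, fl in PORT_RE.findall(ports)],
            })
        elif " - " in line:                       # a legend line
            legend.update(LEGEND_RE.findall(line))
    return {"legend": legend, "groups": groups}


def channel_problems(summary: Dict[str, object]) -> List[str]:
    """List deviations from the healthy state: Po in use (U), members bundled (P)."""
    legend = summary["legend"]
    problems: List[str] = []
    for g in summary["groups"]:
        if "U" not in g["flags"]:
            meaning = legend.get(g["flags"][0], "unknown flag")
            problems.append(f"{g['port_channel']} not in use: ({g['flags']}) {meaning}")
        for name, fl in g["ports"]:
            if "P" not in fl:
                meaning = legend.get(fl[0], "unknown flag")
                problems.append(f"{name} not bundled: ({fl}) {meaning}")
    return problems


def channel_is_healthy(text: str) -> bool:
    """True when every port-channel is in use and every member is bundled."""
    return not channel_problems(parse_port_channel_summary(text))


if __name__ == "__main__":
    for label, output in (("healthy", HEALTHY_OUTPUT), ("degraded", DEGRADED_OUTPUT)):
        problems = channel_problems(parse_port_channel_summary(output))
        print(f"{label}: {'OK' if not problems else problems}")
```

Reporting the legend text next to each flag (for example "(D) down" or "(I) stand-alone") is what makes the output actionable: a member shown stand-alone usually means the two ends of the channel disagree on mode or membership, which is exactly the consistency problem the paragraph above warns about.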