This chapter includes tasks for starting your interface configuration for the ASA 5512-X and higher, including configuring Ethernet settings, redundant interfaces, and EtherChannels.
Note For multiple context mode, complete all tasks in this section in the system execution space. If you are not already in the system execution space, in the Configuration > Device List pane, double-click System under the active device IP address.
For ASA cluster interfaces, which have special requirements, see Chapter 9, “ASA Cluster.”
For RJ-45 interfaces, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. Auto-MDI/MDIX eliminates the need for crossover cabling by performing an internal crossover when a straight cable is detected during the auto-negotiation phase. Either the speed or duplex must be set to auto-negotiate to enable Auto-MDI/MDIX for the interface. If you explicitly set both the speed and duplex to a fixed value, thus disabling auto-negotiation for both settings, then Auto-MDI/MDIX is also disabled. For Gigabit Ethernet, when the speed and duplex are set to 1000 and full, then the interface always auto-negotiates; therefore Auto-MDI/MDIX is always enabled and you cannot disable it.
Interfaces in transparent mode belong to a “bridge group,” one bridge group for each network. You can have up to 8 bridge groups of 4 interfaces each per context or in single mode. For more information about bridge groups, see Bridge Groups in Transparent Mode.
You can manage the ASA by connecting to:
You may need to configure management access to the interface; see Chapter 42, “Management Access.”
Table 12-1 shows the Management interfaces per model.
(Table 12-1, Management interfaces per model: the table body was not recovered. Table footnotes:)
1. The Management 0/0 interface is configured for ASDM access as part of the default factory configuration. See Factory Default Configurations for more information.
2. By default, the Management 0/0 interface is configured for management-only traffic. For supported models in routed mode, you can remove the limitation and pass through traffic. If your model includes additional Management interfaces, you can use them for through traffic as well. The Management interfaces might not be optimized for through-traffic, however.
3. If you installed an SSP in slot 1, then Management 1/0 and 1/1 provide management access to the SSP in slot 1 only.
Note If you installed a module, then the module management interface(s) provides management access for the module only. For the ASA 5512-X through ASA 5555-X, the software module uses the same physical Management 0/0 interface as the ASA.
You can use any interface as a dedicated management-only interface by configuring it for management traffic, including an EtherChannel interface.
In transparent firewall mode, in addition to the maximum allowed through-traffic interfaces, you can also use the Management interface as a separate management interface: either the physical interface, a subinterface (if supported for your model), or an EtherChannel interface comprised of Management interfaces (if you have multiple Management interfaces). You cannot use any other interface types as management interfaces.
In multiple context mode, you cannot share any interfaces, including the Management interface, across contexts. To provide management per context, you can create subinterfaces of the Management interface and allocate a Management subinterface to each context. Note that the ASA 5512-X through ASA 5555-X do not allow subinterfaces on the Management interface, so for per-context management, you must connect to a data interface.
The management interface is not part of a normal bridge group. Note that for operational purposes, it is part of a non-configurable bridge group.
Note In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the ASA updates the MAC address table to use the management interface to access the switch, instead of the data interface. This action causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds for security reasons.
Redundant interfaces do not support Management slot/port interfaces as members. You also cannot set a redundant interface comprised of non-Management interfaces as management-only.
The Management 0/0 interface on the ASA 5512-X through ASA 5555-X has the following characteristics:
A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the ASA reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as device-level failover if desired.
The redundant interface uses the MAC address of the first physical interface that you add. If you change the order of the member interfaces in the configuration, then the MAC address changes to match the MAC address of the interface that is now listed first. Alternatively, you can assign a MAC address to the redundant interface, which is used regardless of the member interface MAC addresses (see Configuring the MAC Address, MTU, and TCP MSS or the Configuring Multiple Contexts). When the active interface fails over to the standby, the same MAC address is maintained so that traffic is not disrupted.
An 802.3ad EtherChannel is a logical interface (called a port-channel interface) consisting of a bundle of individual Ethernet links (a channel group) so that you increase the bandwidth for a single network. A port channel interface is used in the same way as a physical interface when you configure interface-related features.
Each channel group can have up to 16 active interfaces. For switches that support only 8 active interfaces, you can assign up to 16 interfaces to a channel group: while only 8 interfaces can be active, the remaining interfaces can act as standby links in case of interface failure. For 16 active interfaces, be sure that your switch supports the feature (for example, the Cisco Nexus 7000 with F2-Series 10 Gigabit Ethernet Module).
All interfaces in the channel group must be the same type and speed. The first interface added to the channel group determines the correct type and speed.
The EtherChannel aggregates the traffic across all the available active interfaces in the channel. The interface is selected using a proprietary hash algorithm, based on source or destination MAC addresses, IP addresses, TCP and UDP port numbers and VLAN numbers.
The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels; for example, you can connect to the Cisco Catalyst 6500 switch or the Cisco Nexus 7000.
When the switch is part of a Virtual Switching System (VSS) or Virtual Port Channel (vPC), then you can connect ASA interfaces within the same EtherChannel to separate switches in the VSS/vPC. The switch interfaces are members of the same EtherChannel port-channel interface, because the separate switches act like a single switch (see Figure 12-1).
Figure 12-1 Connecting to a VSS/vPC
If you use the ASA in an Active/Standby failover deployment, then you need to create separate EtherChannels on the switches in the VSS/vPC, one for each ASA (see Figure 12-1). On each ASA, a single EtherChannel connects to both switches. Even if you could group all switch interfaces into a single EtherChannel connecting to both ASAs (in this case, the EtherChannel will not be established because of the separate ASA system IDs), a single EtherChannel would not be desirable because you do not want traffic sent to the standby ASA.
Figure 12-2 Active/Standby Failover and VSS/vPC
The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging the Link Aggregation Control Protocol Data Units (LACPDUs) between two network devices.
You can configure each physical interface in an EtherChannel to be:
LACP coordinates the automatic addition and deletion of links to the EtherChannel without user intervention. It also handles misconfigurations and checks that both ends of member interfaces are connected to the correct channel group. “On” mode cannot use standby interfaces in the channel group when an interface goes down, and the connectivity and configurations are not checked.
The ASA distributes packets to the interfaces in the EtherChannel by hashing the source and destination IP address of the packet (these criteria are configurable; see Customizing the EtherChannel). The resulting hash is divided by the number of active links in a modulo operation, and the remainder determines which interface owns the flow. All packets with a hash_value mod active_links result of 0 go to the first interface in the EtherChannel, packets with a result of 1 go to the second interface, packets with a result of 2 go to the third interface, and so on. For example, if you have 15 active links, then the modulo operation provides values from 0 to 14. For 6 active links, the values are 0 to 5, and so on.
For a spanned EtherChannel in clustering, load balancing occurs on a per ASA basis. For example, if you have 32 active interfaces in the spanned EtherChannel across 8 ASAs, with 4 interfaces per ASA in the EtherChannel, then load balancing only occurs across the 4 interfaces on the ASA.
If an active interface goes down and is not replaced by a standby interface, then traffic is rebalanced between the remaining links. The failure is masked from both Spanning Tree at Layer 2 and the routing table at Layer 3, so the switchover is transparent to other network devices.
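The distribution and rebalancing described above, as an added model that is not ASA code: the ASA's hash algorithm is proprietary, so a hypothetical stand-in hash over the source and destination IP addresses is assumed, while the modulo step, the remainder-to-interface mapping, and the redistribution after a member fails follow the text. The member names and flows are constructed.

```python
"""EtherChannel flow distribution model: hash(src, dst) mod active_links.

Added illustration, not ASA code. The ASA's hash algorithm is proprietary, so a
hypothetical stand-in hash over the source and destination IP addresses is used
here (an assumption); the modulo step, the remainder-to-interface mapping, and
the rebalancing after a member failure follow the documentation.
"""
from __future__ import annotations

import hashlib
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple

Flow = Tuple[str, str]  # (source IP, destination IP)


def flow_hash(src: str, dst: str) -> int:
    """Stand-in for the proprietary hash (assumption): BLAKE2b over the packed IPs."""
    key = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed
    return int.from_bytes(hashlib.blake2b(key, digest_size=8).digest(), "big")


def remainder_range(active_links: int) -> range:
    """With N active links the modulo yields remainders 0..N-1 (15 links -> 0..14)."""
    if active_links < 1:
        raise ValueError("an EtherChannel needs at least one active link")
    return range(active_links)


def owning_link(src: str, dst: str, active_links: List[str]) -> str:
    """Return the member interface that owns this flow.

    Remainder 0 maps to the first active interface, 1 to the second, and so on.
    """
    remainders = remainder_range(len(active_links))
    return active_links[flow_hash(src, dst) % len(remainders)]


def distribute(flows: List[Flow], active_links: List[str]) -> Dict[str, int]:
    """Count how many flows each active link carries (zero-filled)."""
    counts = Counter(owning_link(s, d, active_links) for s, d in flows)
    return {link: counts.get(link, 0) for link in active_links}


def rebalance_after_failure(
    flows: List[Flow], active_links: List[str], failed: str
) -> Tuple[List[str], Dict[Flow, str], int]:
    """Drop a failed link that no standby replaces; the remaining links absorb its flows.

    Returns the remaining links, the new flow-to-link map, and how many flows moved.
    The failure is transparent to Spanning Tree and the routing table, but the
    divisor of the modulo changes, so flows on surviving links may move as well.
    """
    if failed not in active_links:
        raise ValueError(f"{failed} is not an active member")
    remaining = [link for link in active_links if link != failed]
    before = {f: owning_link(f[0], f[1], active_links) for f in flows}
    after = {f: owning_link(f[0], f[1], remaining) for f in flows}
    moved = sum(1 for f in flows if before[f] != after[f])
    return remaining, after, moved


# Constructed sample data (not from any real deployment).
MEMBERS: List[str] = [
    "GigabitEthernet0/0", "GigabitEthernet0/1", "GigabitEthernet0/2", "GigabitEthernet0/3",
]
SAMPLE_FLOWS: List[Flow] = [
    (f"10.1.1.{i}", f"192.0.2.{j}") for i in range(1, 21) for j in (10, 20, 30)
]
# Traffic biased toward a single src/dst pair: every packet hashes to the same
# link, which is the imbalance the load-balance criteria setting exists to fix.
BIASED_FLOWS: List[Flow] = [("10.1.1.1", "192.0.2.10")] * 60

if __name__ == "__main__":
    print(distribute(SAMPLE_FLOWS, MEMBERS))
    print(distribute(BIASED_FLOWS, MEMBERS))
    remaining, _, moved = rebalance_after_failure(SAMPLE_FLOWS, MEMBERS, "GigabitEthernet0/2")
    print(remaining, moved)
```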
All interfaces that are part of the channel group share the same MAC address. This feature makes the EtherChannel transparent to network applications and users, because they only see the one logical connection; they have no knowledge of the individual links.
The port-channel interface uses the lowest numbered channel group interface MAC address as the port-channel MAC address. Alternatively, you can manually configure a MAC address for the port-channel interface. In multiple context mode, you can automatically assign unique MAC addresses to interfaces, including an EtherChannel port interface. We recommend configuring a unique MAC address manually (or, in multiple context mode, automatically) in case the channel group membership changes: if you remove the interface that was providing the port-channel MAC address, then the port-channel MAC address changes to that of the next lowest numbered interface, causing traffic disruption.
The maximum transmission unit (MTU) specifies the maximum frame payload size that the ASA can transmit on a given Ethernet interface. The MTU value is the frame size without Ethernet headers, FCS, or VLAN tagging. The Ethernet header is 14 bytes and the FCS is 4 bytes. When you set the MTU to 1500, the expected frame size is 1518 bytes including the headers. If you are using VLAN tagging (which adds an additional 4 bytes), then when you set the MTU to 1500, the expected frame size is 1522. Do not set the MTU value higher to accommodate these headers. To accommodate TCP headers added by encapsulation, do not alter the MTU setting; instead, change the TCP maximum segment size (see the TCP Maximum Segment Size Overview).
If an outgoing IP packet is larger than the specified MTU, it is fragmented into 2 or more frames. Fragments are reassembled at the destination (and sometimes at intermediate hops), and fragmentation can cause performance degradation. Therefore, your IP packets should fit within the MTU size to avoid fragmentation.
Note The ASA can receive frames larger than the configured MTU as long as there is room in memory. See Enabling Jumbo Frame Support to increase memory for larger frames.
The default MTU on the ASA is 1500 bytes. This value does not include the 18 or more bytes for the Ethernet header, CRC, VLAN tagging, and so on.
The ASA supports Path MTU Discovery (as defined in RFC 1191), which lets all devices in a network path between two hosts coordinate the MTU so they can standardize on the lowest MTU in the path.
See Configuring the MAC Address, MTU, and TCP MSS. For multiple context mode, set the MTU within each context.
See Enabling Jumbo Frame Support. For multiple context mode, set the jumbo frame support in the system execution space.
The TCP maximum segment size (TCP MSS) is the size of the TCP payload before any TCP headers are added. UDP packets are not affected. The client and the server exchange TCP MSS values during the three-way handshake when establishing the connection.
You can set the TCP MSS on the ASA. If either endpoint of a connection requests a TCP MSS that is larger than the value set on the ASA, the ASA overwrites the TCP MSS in the request packet with the ASA maximum. If the host or server does not request a TCP MSS, then the ASA assumes the RFC 793-default value of 536 bytes, but does not modify the packet. You can also configure the minimum TCP MSS; if a host or server requests a very small TCP MSS, the ASA can adjust the value up. By default, the minimum TCP MSS is not enabled.
For example, you configure the default MTU of 1500 bytes. A host requests an MSS of 1700. If the ASA maximum TCP MSS is 1380, then the ASA changes the MSS value in the TCP request packet to 1380. The server then sends 1380-byte packets.
By default, the maximum TCP MSS on the ASA is 1380 bytes. This default accommodates VPN connections where the headers can add up to 120 bytes; this value fits within the default MTU of 1500 bytes.
See Configuring the MAC Address, MTU, and TCP MSS. For multiple context mode, set the TCP MSS within each context.
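The MTU frame-size arithmetic and the TCP MSS rules described above (rewrite a request larger than the ASA maximum, assume 536 but leave the packet alone when no MSS option is present, optionally raise very small values to a minimum), as an added illustration that is not ASA code. It operates on a constructed TCP options field, not a real capture.

```python
"""TCP MSS clamping as the documentation describes it, as an added illustration
(not ASA code): a SYN's MSS option larger than the configured maximum is rewritten
in place; a SYN without an MSS option is assumed to carry the RFC 793 default of
536 but is left untouched; an optional minimum raises very small values.

Operates on a constructed TCP options field, not a real capture.
"""
import struct
from typing import Optional, Tuple

MSS_KIND = 2                 # TCP option kind for Maximum Segment Size
MSS_LEN = 4                  # kind + length + 2-byte value
RFC793_DEFAULT_MSS = 536
ASA_DEFAULT_MAX_MSS = 1380   # default maximum; leaves room for up to 120 bytes of VPN headers


def frame_size(mtu: int, vlan_tagged: bool = False) -> int:
    """Wire frame size for a given MTU: MTU + 14-byte Ethernet header + 4-byte FCS,
    plus 4 bytes for an 802.1Q tag. MTU 1500 gives 1518, or 1522 when tagged."""
    return mtu + 14 + 4 + (4 if vlan_tagged else 0)


def find_mss_value_offset(options: bytes) -> Optional[int]:
    """Walk the TCP options and return the offset of the MSS option's 2-byte value,
    or None when the option is absent. Malformed option lengths raise ValueError."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                      # End of Option List
            return None
        if kind == 1:                      # No-Operation: one byte, no length field
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated TCP option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("malformed TCP option length")
        if kind == MSS_KIND and length == MSS_LEN:
            return i + 2
        i += length
    return None


def parse_mss(options: bytes) -> Optional[int]:
    """Return the requested MSS, or None if the SYN carries no MSS option."""
    off = find_mss_value_offset(options)
    return None if off is None else struct.unpack_from("!H", options, off)[0]


def clamp_mss(
    options: bytes,
    max_mss: int = ASA_DEFAULT_MAX_MSS,
    min_mss: Optional[int] = None,
) -> Tuple[bytes, int, bool]:
    """Apply the ASA's MSS rules to a SYN's options.

    Returns (options after processing, effective MSS, whether the packet was modified).
    """
    off = find_mss_value_offset(options)
    if off is None:
        # No MSS option: assume the RFC 793 default, but do not modify the packet.
        return options, RFC793_DEFAULT_MSS, False
    requested = struct.unpack_from("!H", options, off)[0]
    effective = requested
    if requested > max_mss:
        effective = max_mss                 # larger than the ASA maximum: overwrite
    elif min_mss is not None and requested < min_mss:
        effective = min_mss                 # minimum MSS enabled: adjust the value up
    if effective == requested:
        return options, requested, False
    rewritten = bytearray(options)
    struct.pack_into("!H", rewritten, off, effective)
    return bytes(rewritten), effective, True


# Constructed SYN option fields: MSS, NOP, window scale (shift 7), SACK permitted.
SYN_OPTIONS_MSS_1700 = struct.pack("!BBH", MSS_KIND, MSS_LEN, 1700) + bytes([1, 3, 3, 7, 4, 2])
SYN_OPTIONS_NO_MSS = bytes([1, 3, 3, 7, 4, 2])

if __name__ == "__main__":
    print(frame_size(1500), frame_size(1500, vlan_tagged=True))   # 1518 1522
    print(clamp_mss(SYN_OPTIONS_MSS_1700))                          # rewritten to 1380
    print(clamp_mss(SYN_OPTIONS_NO_MSS))                            # 536 assumed, unmodified
```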
(Licensing table: per-model limits on the number of VLANs and of interfaces of all types; only the following row was recovered, without its model name.)
VLANs: Base and Security Plus License: 1024. Interface Speed for SSP-10 and SSP-20: Base License—1-Gigabit Ethernet for fiber interfaces; 10 GE I/O License (Security Plus)—10-Gigabit Ethernet for fiber interfaces (SSP-40 and SSP-60 support 10-Gigabit Ethernet by default).
This section includes the guidelines and limitations for this feature.
In multiple context mode, configure the physical interfaces in the system execution space according to Starting Interface Configuration (ASA 5512-X and Higher). Then configure the logical interface parameters in the context execution space according to “Routed Mode Interfaces” or Chapter 16, “Transparent Mode Interfaces.”
Redundant Interface Guidelines
This section lists default settings for interfaces if you do not have a factory default configuration. For information about the factory default configurations, see Factory Default Configurations.
The default state of an interface depends on the type and the context mode.
In multiple context mode, all allocated interfaces are enabled by default, no matter what the state of the interface is in the system execution space. However, for traffic to pass through the interface, the interface also has to be enabled in the system execution space. If you shut down an interface in the system execution space, then that interface is down in all contexts that share it.
In single mode or in the system execution space, interfaces have the following default states:
Some models include two connector types: copper RJ-45 and fiber SFP. RJ-45 is the default. You can configure the ASA to use the fiber SFP connectors.
By default, the physical interface uses the burned-in MAC address, and all subinterfaces of a physical interface use the same burned-in MAC address.
Note If you have an existing configuration, and want to convert interfaces that are in use to a redundant or EtherChannel interface, perform your configuration offline using the CLI to minimize disruption. See Converting In-Use Interfaces to a Redundant or EtherChannel Interface.
To start configuring interfaces, perform the following steps:
Step 1 (Multiple context mode) Complete all tasks in this section in the system execution space. If you are not already in the System configuration mode, in the Configuration > Device List pane, double-click System under the active device IP address.
Step 2 Enable the physical interface, and optionally change Ethernet parameters. See Enabling the Physical Interface and Configuring Ethernet Parameters.
Physical interfaces are disabled by default.
Step 3 (Optional) Configure redundant interface pairs. See Configuring a Redundant Interface.
A logical redundant interface pairs an active and a standby physical interface. When the active interface fails, the standby interface becomes active and starts passing traffic.
Step 4 (Optional) Configure an EtherChannel. See Configuring an EtherChannel.
An EtherChannel groups multiple Ethernet interfaces into a single logical interface.
Step 5 (Optional) Configure VLAN subinterfaces. See Configuring VLAN Subinterfaces and 802.1Q Trunking.
Step 6 (Optional) Enable jumbo frame support. See Enabling Jumbo Frame Support.
Step 7 (Multiple context mode only) To complete the configuration of interfaces in the system execution space, perform the following tasks that are documented in Chapter 9, “Multiple Context Mode”:
The MAC address is used to classify packets within a context. If you share an interface but do not have unique MAC addresses for the interface in each context, then the destination IP address is used to classify packets. Alternatively, you can manually assign MAC addresses within the context; see Configuring the MAC Address, MTU, and TCP MSS.
Step 8 Complete the interface configuration according to “Routed Mode Interfaces” or Chapter 16, “Transparent Mode Interfaces.”
For multiple context mode, complete this procedure in the system execution space. If you are not already in the System configuration mode, in the Configuration > Device List pane, double-click System under the active device IP address.
Step 1 Depending on your context mode:
By default, all physical interfaces are listed.
Step 2 Click a physical interface that you want to configure, and click Edit.
The Edit Interface dialog box appears.
Note In single mode, this procedure only covers a subset of the parameters on the Edit Interface dialog box; to configure other parameters, see “Routed Mode Interfaces” or Chapter 16, “Transparent Mode Interfaces.” Note that in multiple context mode, before you complete your interface configuration, you need to allocate interfaces to contexts. See Configuring Multiple Contexts.
Step 3 To enable the interface, check the Enable Interface check box.
Step 4 To add a description, enter text in the Description field.
The description can be up to 240 characters on a single line, without carriage returns. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
Step 5 (Optional) To set the media type, duplex, speed, and enable pause frames for flow control, click Configure Hardware Properties.
a. Depending on the interface type, you can choose either RJ-45 or SFP from the Media Type drop-down list.
b. To set the duplex for RJ-45 interfaces, choose Full, Half, or Auto, depending on the interface type, from the Duplex drop-down list.
Note The duplex setting for an EtherChannel interface must be Full or Auto.
c. To set the speed, choose a value from the Speed drop-down list.
The speeds available depend on the interface type. For SFP interfaces, you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. See Auto-MDI/MDIX Feature.
d. To enable pause (XOFF) frames for flow control on 1-Gigabit and 10-Gigabit Ethernet interfaces, check the Enable Pause Frame check box.
If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue. Pause (XOFF) and XON frames are generated automatically by the NIC hardware based on the FIFO buffer usage. A pause frame is sent when the buffer usage exceeds the high-water mark. The default high_water value is 128 KB (10 GigabitEthernet) and 24 KB (1 GigabitEthernet); you can set it between 0 and 511 (10 GigabitEthernet) or 0 and 47 KB (1 GigabitEthernet). After a pause is sent, an XON frame can be sent when the buffer usage is reduced below the low-water mark. By default, the low_water value is 64 KB (10 GigabitEthernet) and 16 KB (1 GigabitEthernet); you can set it between 0 and 511 (10 GigabitEthernet) or 0 and 47 KB (1 GigabitEthernet). The link partner can resume traffic after receiving an XON, or after the XOFF expires, as controlled by the timer value in the pause frame. The default pause_time value is 26624; you can set it between 0 and 65535. If the buffer usage is consistently above the high-water mark, pause frames are sent repeatedly, controlled by the pause refresh threshold value.
To change the default values for the Low Watermark, High Watermark, and Pause Time, uncheck the Use Default Values check box.
Note Only flow control frames defined in 802.3x are supported. Priority-based flow control is not supported.
e. Click OK to accept the Hardware Properties changes.
Step 6 Click OK to accept the Interface changes.
A logical redundant interface consists of a pair of physical interfaces: an active and a standby interface. When the active interface fails, the standby interface becomes active and starts passing traffic. You can configure a redundant interface to increase the ASA reliability. This feature is separate from device-level failover, but you can configure redundant interfaces as well as failover if desired.
This section describes how to create a redundant interface. By default, redundant interfaces are enabled.
Step 1 Depending on your context mode:
Step 2 Choose Add > Redundant Interface.
The Add Redundant Interface dialog box appears.
Note In single mode, this procedure only covers a subset of the parameters on the Edit Redundant Interface dialog box; to configure other parameters, see “Routed Mode Interfaces” or Chapter 16, “Transparent Mode Interfaces.” Note that in multiple context mode, before you complete your interface configuration, you need to allocate interfaces to contexts. See Configuring Multiple Contexts.
Step 3 In the Redundant ID field, enter an integer between 1 and 8.
Step 4 From the Primary Interface drop-down list, choose the physical interface you want to be primary.
Be sure to pick an interface that does not have a subinterface and that has not already been allocated to a context. Redundant interfaces do not support Management slot/port interfaces as members.
Step 5 From the Secondary Interface drop-down list, choose the physical interface you want to be secondary.
Step 6 If the interface is not already enabled, check the Enable Interface check box.
The interface is enabled by default. To disable it, uncheck the check box.
Step 7 To add a description, enter text in the Description field.
The description can be up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
You return to the Interfaces pane. The member interfaces now show a lock to the left of the interface ID showing that only basic parameters can be configured for it. The redundant interface is added to the table.
By default, the active interface is the first interface listed in the configuration, if it is available. To view which interface is active, enter the following command in the Tools > Command Line Interface tool:
To change the active interface, enter the following command:
where the redundant number argument is the redundant interface ID, such as redundant1.
The physical_interface is the member interface ID that you want to be active.
This section describes how to create an EtherChannel port-channel interface, assign interfaces to the EtherChannel, and customize the EtherChannel.
This section describes how to create an EtherChannel port-channel interface and assign interfaces to the EtherChannel. By default, port-channel interfaces are enabled.
Step 1 Depending on your context mode:
Step 2 Choose Add > EtherChannel Interface.
The Add EtherChannel Interface dialog box appears.
Note In single mode, this procedure only covers a subset of the parameters on the Edit EtherChannel Interface dialog box; to configure other parameters, see “Routed Mode Interfaces” or Chapter 16, “Transparent Mode Interfaces.” Note that in multiple context mode, before you complete your interface configuration, you need to allocate interfaces to contexts. See Configuring Multiple Contexts.
Step 3 In the Port Channel ID field, enter a number between 1 and 48.
Step 4 In the Available Physical Interface area, click an interface and then click Add >> to move it to the Members in Group area.
In transparent mode, if you create a channel group with multiple Management interfaces, then you can use this EtherChannel as the management-only interface.
Note If you want to set the EtherChannel mode to On, then you must include only one interface initially. After you complete this procedure, edit the member interface, and set the mode to On. Apply your changes, then edit the EtherChannel to add more member interfaces.
Step 5 Repeat for each interface you want to add to the channel group.
Make sure all interfaces are the same type and speed. The first interface you add determines the type and speed of the EtherChannel. Any non-matching interfaces you add will be put into a suspended state. ASDM does not prevent you from adding non-matching interfaces.
You return to the Interfaces pane. The member interfaces now show a lock to the left of the interface ID showing that only basic parameters can be configured for it. The EtherChannel interface is added to the table.
Step 7 Click Apply. All member interfaces are enabled automatically.
This section describes how to set the maximum number of interfaces in the EtherChannel, the minimum number of operating interfaces for the EtherChannel to be active, the load balancing algorithm, and other optional parameters.
Step 1 Depending on your context mode:
Step 2 Click the port-channel interface you want to customize, and click Edit.
The Edit Interface dialog box appears.
Step 3 To override the media type, duplex, speed, and pause frames for flow control for all member interfaces, click Configure Hardware Properties. This method provides a shortcut to set these parameters because these parameters must match for all interfaces in the channel group.
a. Depending on the interface type, you can choose either RJ-45 or SFP from the Media Type drop-down list.
b. To set the duplex for RJ-45 interfaces, choose Full or Auto, depending on the interface type, from the Duplex drop-down list. Half is not supported for the EtherChannel.
c. To set the speed, choose a value from the Speed drop-down list.
The speeds available depend on the interface type. For SFP interfaces, you can set the speed to Negotiate or Nonegotiate. Negotiate (the default) enables link negotiation, which exchanges flow-control parameters and remote fault information. Nonegotiate does not negotiate link parameters. For RJ-45 interfaces, the default auto-negotiation setting also includes the Auto-MDI/MDIX feature. See Auto-MDI/MDIX Feature.
d. To enable pause (XOFF) frames for flow control on 1-Gigabit and 10-Gigabit Ethernet interfaces, check the Enable Pause Frame check box.
If you have a traffic burst, dropped packets can occur if the burst exceeds the buffering capacity of the FIFO buffer on the NIC and the receive ring buffers. Enabling pause frames for flow control can alleviate this issue. Pause (XOFF) and XON frames are generated automatically by the NIC hardware based on the FIFO buffer usage. A pause frame is sent when the buffer usage exceeds the High Watermark. The default value is 128 KB; you can set it between 0 and 511. After a pause is sent, an XON frame can be sent when the buffer usage is reduced below the Low Watermark. By default, the value is 64 KB; you can set it between 0 and 511. The link partner can resume traffic after receiving an XON, or after the XOFF expires, as controlled by the Pause Time value in the pause frame. The default value is 26624; you can set it between 0 and 65535. If the buffer usage is consistently above the High Watermark, pause frames are sent repeatedly, controlled by the pause refresh threshold value.
To change the default values for the Low Watermark, High Watermark, and Pause Time, uncheck the Use Default Values check box.
Note Only flow control frames defined in 802.3x are supported. Priority-based flow control is not supported.
e. Click OK to accept the Hardware Properties changes.
Step 4 To customize the EtherChannel, click the Advanced tab.
a. In the EtherChannel area, from the Minimum drop-down list, choose the minimum number of active interfaces required for the EtherChannel to be active, between 1 and 16. The default is 1.
b. From the Maximum drop-down list, choose the maximum number of active interfaces allowed in the EtherChannel, between 1 and 16. The default is 16. If your switch does not support 16 active interfaces, be sure to set this value to 8 or fewer.
c. From the Load Balance drop-down list, select the criteria used to load balance the packets across the group channel interfaces. By default, the ASA balances the packet load on interfaces according to the source and destination IP address of the packet. If you want to change the properties on which the packet is categorized, choose a different set of criteria. For example, if your traffic is biased heavily towards the same source and destination IP addresses, then the traffic assignment to interfaces in the EtherChannel will be unbalanced. Changing to a different algorithm can result in more evenly distributed traffic. For more information about load balancing, see Load Balancing.
You return to the Interfaces pane.
Step 6 To set the mode and priority for a physical interface in the channel group:
a. Click the physical interface in the Interfaces table, and click Edit.
The Edit Interface dialog box appears.
c. In the EtherChannel area, from the Mode drop-down list, choose Active, Passive, or On. We recommend using Active mode (the default). For information about active, passive, and on modes, see Link Aggregation Control Protocol.
d. In the LACP Port Priority field, set the port priority between 1 and 65535. The default is 32768. The higher the number, the lower the priority. The ASA uses this setting to decide which interfaces are active and which are standby if you assign more interfaces than can be used. If the port priority setting is the same for all interfaces, then the priority is determined by the interface ID (slot/port). The lowest interface ID is the highest priority. For example, GigabitEthernet 0/0 is a higher priority than GigabitEthernet 0/1.
If you want to prioritize an interface to be active even though it has a higher interface ID, then set this command to have a lower value. For example, to make GigabitEthernet 1/3 active before GigabitEthernet 0/7, then make the priority value be 12345 on the 1/3 interface vs. the default 32768 on the 0/7 interface.
If the device at the other end of the EtherChannel has conflicting port priorities, the system priority is used to determine which port priorities to use. See Step 9 to set the system priority.
You return to the Interfaces pane.
Step 9 To set the LACP system priority, perform the following steps. If the device at the other end of the EtherChannel has conflicting port priorities, the system priority is used to determine which port priorities to use. See Step 6 d for more information.
a. Depending on your context mode:
b. In the LACP System Priority field, enter a priority between 1 and 65535.
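The selection rules in Step 6d and Step 9 (lower port priority value wins, ties broken by the lowest slot/port interface ID, the Maximum setting capping the number of active members, and the system priority deciding whose port priorities apply when the two ends conflict) can be checked with a few lines of code. The following is an added example, not Cisco code or ASDM logic; the sample interfaces are constructed, and the rule in governing_side() that the system with the numerically lower (priority, MAC) pair makes the decision is taken from IEEE 802.1AX rather than from this page.

```python
"""LACP member selection as this chapter describes it. Added example, not Cisco code."""
import re

DEFAULT_PORT_PRIORITY = 32768  # default LACP port priority named on the page


def interface_id(name):
    """(slot, port) from 'GigabitEthernet1/3' or 'GigabitEthernet 1/3'."""
    match = re.search(r"(\d+)/(\d+)$", name)
    if not match:
        raise ValueError(f"no slot/port in {name!r}")
    return int(match.group(1)), int(match.group(2))


def select_active(port_priorities, max_active=16):
    """port_priorities: {interface with link up: LACP port priority (1-65535)}.
    Lower value wins; equal values fall back to the lowest slot/port.
    Returns (active, standby), each in selection order."""
    if not 1 <= max_active <= 16:
        raise ValueError("Maximum active interfaces must be between 1 and 16")
    for name, prio in port_priorities.items():
        if not 1 <= prio <= 65535:
            raise ValueError(f"{name}: port priority must be between 1 and 65535")
    ordered = sorted(port_priorities,
                     key=lambda n: (port_priorities[n], interface_id(n)))
    return ordered[:max_active], ordered[max_active:]


def channel_is_up(active, minimum=1):
    """The EtherChannel is active only when at least Minimum members are active."""
    return len(active) >= minimum


def governing_side(local_system, peer_system):
    """Each argument is (LACP system priority, system MAC). When the two ends
    disagree on port priorities, the system with the numerically lower
    (priority, MAC) pair makes the selection decision (IEEE 802.1AX rule,
    an assumption beyond what this page states)."""
    def key(system):
        return (system[0], system[1].lower())
    return "local" if key(local_system) <= key(peer_system) else "peer"


if __name__ == "__main__":
    # The page's example: 1/3 at priority 12345 becomes active before 0/7 at 32768.
    ports = {"GigabitEthernet0/7": DEFAULT_PORT_PRIORITY,
             "GigabitEthernet1/3": 12345,
             "GigabitEthernet0/0": DEFAULT_PORT_PRIORITY}
    print(select_active(ports, max_active=2))
    print(governing_side((32768, "0011.2233.4455"), (100, "0011.2233.ffff")))
```

Pass only members whose link is up to select_active(); a down member never counts toward the Minimum, so channel_is_up() sees the same set the ASA would.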
Subinterfaces let you divide a physical, redundant, or EtherChannel interface into multiple logical interfaces that are tagged with different VLAN IDs. An interface with one or more VLAN subinterfaces is automatically configured as an 802.1Q trunk. Because VLANs allow you to keep traffic separate on a given physical interface, you can increase the number of interfaces available to your network without adding additional physical interfaces or ASAs. This feature is particularly useful in multiple context mode so that you can assign unique interfaces to each context.
For multiple context mode, complete this procedure in the system execution space. If you are not already in the System configuration mode, in the Configuration > Device List pane, double-click System under the active device IP address.
Step 1 Depending on your context mode:
Step 2 Choose Add > Interface.
The Add Interface dialog box appears.
Note In single mode, this procedure only covers a subset of the parameters on the Edit Interface dialog box; to configure other parameters, see “Routed Mode Interfaces,” or Chapter 16, “Transparent Mode Interfaces.” Note that in multiple context mode, before you complete your interface configuration, you need to allocate interfaces to contexts. See Configuring Multiple Contexts.
Step 3 From the Hardware Port drop-down list, choose the physical, redundant, or port-channel interface to which you want to add the subinterface.
Step 4 If the interface is not already enabled, check the Enable Interface check box.
The interface is enabled by default. To disable it, uncheck the check box.
Step 5 In the VLAN ID field, enter the VLAN ID between 1 and 4095.
Some VLAN IDs might be reserved on connected switches, so check the switch documentation for more information. For multiple context mode, you can only set the VLAN in the system configuration.
Step 6 In the Subinterface ID field, enter the subinterface ID as an integer between 1 and 4294967293.
The number of subinterfaces allowed depends on your platform. You cannot change the ID after you set it.
Step 7 (Optional) In the Description field, enter a description for this interface.
The description can be up to 240 characters on a single line, without carriage returns. For multiple context mode, the system description is independent of the context description. In the case of a failover or state link, the description is fixed as “LAN Failover Interface,” “STATE Failover Interface,” or “LAN/STATE Failover Interface,” for example. You cannot edit this description. The fixed description overwrites any description you enter here if you make this interface a failover or state link.
You return to the Interfaces pane.
A jumbo frame is an Ethernet packet larger than the standard maximum of 1518 bytes (including Layer 2 header and FCS), up to 9216 bytes. You can enable support for jumbo frames for all interfaces by increasing the amount of memory to process Ethernet frames. Assigning more memory for jumbo frames might limit the maximum use of other features, such as ACLs. See Controlling Fragmentation with the Maximum Transmission Unit and TCP Maximum Segment Size for more information.
If you have an existing configuration and want to take advantage of the redundant or EtherChannel interface feature for interfaces that are currently in use, you will have some amount of downtime when you convert to the logical interfaces.
This section provides an overview of how to convert your existing interfaces to a redundant or EtherChannel interface with minimal downtime. See Configuring a Redundant Interface and the Configuring an EtherChannel for more information.
We recommend that you update your configuration offline as a text file, and reimport the whole configuration for the following reasons:
Step 1 Connect to the ASA; if you are using failover, connect to the active ASA.
Step 2 If you are using failover, disable failover by choosing Configuration > Device Management > High Availability > Failover and unchecking the Enable failover check box. Click Apply, and continue at the warning.
Step 3 Copy the running configuration by choosing Tools > Backup Configurations and backing up the running configuration to your local computer. You can then expand the zip file and edit the running-config.cfg file with a text editor.
Be sure to save an extra copy of the old configuration in case you make an error when you edit it.
Step 4 For each in-use interface that you want to add to a redundant or EtherChannel interface, cut and paste all commands under the interface command to the end of the interface configuration section for use in creating your new logical interfaces. The only exceptions are the following commands, which should stay with the physical interface configuration:
Note You can only add physical interfaces to an EtherChannel or redundant interface; you cannot have VLANs configured for the physical interfaces.
Be sure to match the above values for all interfaces in a given EtherChannel or redundant interface. Note that the duplex setting for an EtherChannel interface must be Full or Auto.
For example, you have the following interface configuration. The bolded commands are the ones we want to use with three new EtherChannel interfaces, and that you should cut and paste to the end of the interface section.
Step 5 Above each pasted command section, create your new logical interfaces by entering one of the following commands:
Step 6 Assign the physical interfaces to the new logical interfaces:
Where the physical interfaces are any two interfaces of the same type (either formerly in use or unused). You cannot assign a Management interface to a redundant interface.
For example, to take advantage of existing cabling, you would continue to use the formerly in-use interfaces in their old roles as part of the inside and outside redundant interfaces:
For example, to take advantage of existing cabling, you would continue to use the formerly in-use interfaces in their old roles as part of the inside and outside EtherChannel interfaces:
Step 7 Enable each formerly unused interface that is now part of a logical interface by adding no in front of the shutdown command.
For example, your final EtherChannel configuration is:
Note Other optional EtherChannel parameters can be configured after you import the new configuration. See Configuring an EtherChannel.
Step 8 Save the entire new configuration, including the altered interface section.
Step 9 Re-zip the backup folder with the altered configuration.
Step 10 Choose Tools > Restore Configurations, and choose the altered configuration zip file. Be sure to replace the existing running configuration; do not merge them. See Restoring Configurations for more information.
Step 11 Reenable failover by choosing Configuration > Device Management > High Availability > Failover, and checking the Enable failover check box. Click Apply, and click No when prompted if you want to configure basic failover settings.
We recommend that you update your system and context configurations offline as text files, and reimport them for the following reasons:
Step 1 Connect to the ASA, and change to the system; if you are using failover, connect to the active ASA.
Step 2 If you are using failover, disable failover by choosing Configuration > Device Management > High Availability > Failover and unchecking the Enable failover check box. Click Apply, and continue at the warning.
Step 3 In the system, copy the running configuration by choosing File > Show Running Configuration in New Window and copying the display output to a text editor.
Be sure to save an extra copy of the old configuration in case you make an error when you edit it.
For example, you have the following interface configuration and allocation in the system configuration, with shared interfaces between two contexts.
Step 4 Get copies of all context configurations that will use the new EtherChannel or redundant interface. See Backing Up and Restoring Configurations or Other Files.
For example, you download the following context configurations (interface configuration shown):
Step 5 In the system configuration, create the new logical interfaces according to the Configuring a Redundant Interface or the Configuring an EtherChannel. Be sure to enter the no shutdown command on any additional physical interfaces you want to use as part of the logical interface.
Note You can only add physical interfaces to an EtherChannel or redundant interface; you cannot have VLANs configured for the physical interfaces.
Be sure to match physical interface parameters such as speed and duplex for all interfaces in a given EtherChannel or redundant interface. Note that the duplex setting for an EtherChannel interface must be Full or Auto.
For example, the new configuration is:
Step 6 Change the interface allocation per context to use the new EtherChannel or redundant interfaces. See Configuring a Security Context.
For example, to take advantage of existing cabling, you would continue to use the formerly in-use interfaces in their old roles as part of the inside and outside redundant interfaces:
Note You might want to take this opportunity to assign mapped names to interfaces if you have not done so already. For example, the configuration for customerA does not need to be altered at all; it just needs to be reapplied on the ASA. The customerB configuration, however, needs to have all of the interface IDs changed; if you assign mapped names for customerB, you still have to change the interface IDs in the context configuration, but mapped names might help future interface changes.
Step 7 For contexts that do not use mapped names, change the context configuration to use the new EtherChannel or redundant interface ID. (Contexts that use mapped interface names do not require any alteration.)
Step 8 Copy the new context configuration files over the old ones. For example, for contexts in flash memory, in the system choose Tools > File Management, then choose File Transfer > Between Local PC and Flash. This tool lets you choose each configuration file and copy it to your local computer. This change only affects the startup configuration; the running configuration is still using the old context configuration.
Step 9 Copy the entire new system configuration to the clipboard, including the altered interface section.
Step 10 In ASDM, choose Tools > Command Line Interface, and click the Multiple Line radio button.
Step 11 Enter clear configure all as the first line, paste the new configuration after it, and click Send. The clear command clears the running configuration (both system and contexts), before applying the new configuration.
Traffic through the ASA stops at this point. All of the new context configurations now reload. When they are finished reloading, traffic through the ASA resumes.
Step 12 Close the Command Line Interface dialog box, and choose File > Refresh ASDM with the Running Configuration.
Step 13 Reenable failover by choosing Configuration > Device Management > High Availability > Failover, and checking the Enable failover check box. Click Apply, and click No when prompted if you want to configure basic failover settings.
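Both conversion procedures above (single mode Steps 4 through 7, and multiple context mode Step 5) come down to the same text edit of the interface section: cut the logical commands out of each in-use physical interface, paste them under a new logical interface, keep the physical-layer commands with the port, and remove shutdown from formerly unused members. The following script is an added example that performs that edit for the EtherChannel case and enforces the matching-speed/duplex check the text calls for; it is not Cisco code. The sample configuration is constructed, and the member command channel-group N mode active and the name interface Port-channelN come from general ASA CLI knowledge rather than from this page, which does not reproduce those commands.

```python
"""Move in-use ASA physical interfaces into new Port-channel interfaces.
Added example, not code from the Cisco guide."""

# Commands that stay with the physical port. The page names speed, duplex and
# shutdown; add any other hardware-level commands your configuration uses.
PHYSICAL_KEYWORDS = ("speed", "duplex", "shutdown")

# Constructed running-config excerpt (RFC 5737 documentation addresses).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 shutdown
 no nameif
!
interface GigabitEthernet0/3
 shutdown
 no nameif
!
interface Management0/0
 nameif management
 security-level 100
 ip address 198.51.100.1 255.255.255.0
 management-only
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [commands]} in file order; '!' ends a stanza."""
    interfaces, current = {}, None
    for raw in config_text.splitlines():
        if raw.startswith("interface "):
            current = raw.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" ") and raw.strip():
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def is_physical(cmd):
    """True for commands (or their 'no' form) that must stay with the port."""
    words = cmd.split()
    if words and words[0] == "no":
        words = words[1:]
    return bool(words) and words[0] in PHYSICAL_KEYWORDS


def link_settings(cmds):
    """Effective speed/duplex for a stanza; an unset value means auto."""
    settings = {"speed": "auto", "duplex": "auto"}
    for cmd in cmds:
        words = cmd.split()
        if len(words) == 2 and words[0] in settings:
            settings[words[0]] = words[1]
    return settings


def validate_members(interfaces, members):
    """The checks the page calls for: matching speed/duplex, duplex full or auto."""
    problems = []
    if len(members) < 2:
        problems.append("an EtherChannel needs at least two member interfaces")
    settings = {m: link_settings(interfaces[m]) for m in members}
    if len({tuple(sorted(s.items())) for s in settings.values()}) > 1:
        problems.append(f"speed/duplex differ across {members}: {settings}")
    for m, s in settings.items():
        if s["duplex"] not in ("full", "auto"):
            problems.append(f"{m}: duplex must be full or auto, not {s['duplex']}")
    return problems


def migrate(config_text, plan, mode="active"):
    """plan: {channel number: [members]}; members[0] is the in-use interface
    whose logical configuration the new Port-channel inherits."""
    interfaces = parse_interfaces(config_text)
    member_stanzas, port_channels = {}, {}
    for channel, members in plan.items():
        problems = validate_members(interfaces, members)
        if problems:
            raise ValueError("; ".join(problems))
        port_channels[f"Port-channel{channel}"] = [
            c for c in interfaces[members[0]] if not is_physical(c)]
        for m in members:
            kept = [c for c in interfaces[m] if is_physical(c)]
            kept = ["no shutdown" if c == "shutdown" else c for c in kept]
            kept.append(f"channel-group {channel} mode {mode}")
            member_stanzas[m] = kept
    lines = []
    for name, cmds in list(interfaces.items()) + list(port_channels.items()):
        lines.append(f"interface {name}")
        lines.extend(" " + c for c in member_stanzas.get(name, cmds))
        lines.append("!")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(migrate(SAMPLE_CONFIG, {1: ["GigabitEthernet0/0", "GigabitEthernet0/2"],
                                 2: ["GigabitEthernet0/1", "GigabitEthernet0/3"]}))
```

Run it against the running-config.cfg you exported in Step 3, then diff the result against the original before importing it with Tools > Restore Configurations; the Port-channel stanzas land at the end of the interface section, as the procedure describes, and a speed or duplex mismatch between members stops the conversion instead of producing a channel that never comes up.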
This section includes the following topics:
The Monitoring > Interfaces > ARP Table pane displays the ARP table, including static and dynamic entries. The ARP table includes entries that map a MAC address to an IP address for a given interface.
The Monitoring > Interfaces > MAC Address Table pane shows the static and dynamic MAC address entries. See MAC Address Table for more information about the MAC address table and adding static entries.
The Monitoring > Interfaces > Interface Graphs pane lets you view interface statistics in graph or table form. If an interface is shared among contexts, the ASA shows only statistics for the current context. The number of statistics shown for a subinterface is a subset of the number of statistics shown for a physical interface.
– Byte Counts—Shows the number of bytes input and output on the interface.
– Packet Counts—Shows the number of packets input and output on the interface.
– Packet Rates—Shows the rate of packets input and output on the interface.
– Bit Rates—Shows the bit rate for the input and output of the interface.
– Drop Packet Count—Shows the number of packets dropped on the interface.
These additional statistics display for physical interfaces:
– Buffer Resources—Shows the following statistics:
Overruns—The number of times that the ASA was incapable of handing received data to a hardware buffer because the input rate exceeded the ASA capability to handle the data.
Underruns—The number of times that the transmitter ran faster than the ASA could handle.
No Buffer—The number of received packets discarded because there was no buffer space in the main system. Compare this with the ignored count. Broadcast storms on Ethernet networks are often responsible for no input buffer events.
– Packet Errors—Shows the following statistics:
CRC—The number of Cyclical Redundancy Check errors. When a station sends a frame, it appends a CRC to the end of the frame. This CRC is generated from an algorithm based on the data in the frame. If the frame is altered between the source and destination, the ASA notes that the CRC does not match. A high number of CRCs is usually the result of collisions or a station transmitting bad data.
Frame—The number of frame errors. Bad frames include packets with an incorrect length or bad frame checksums. This error is usually the result of collisions or a malfunctioning Ethernet device.
Input Errors—The number of total input errors, including the other types listed here. Other input-related errors can also cause the input error count to increase, and some datagrams might have more than one error; therefore, this sum might exceed the number of errors listed for the other types.
Runts—The number of packets that are discarded because they are smaller than the minimum packet size, which is 64 bytes. Runts are usually caused by collisions. They might also be caused by poor wiring and electrical interference.
Giants—The number of packets that are discarded because they exceed the maximum packet size. For example, any Ethernet packet that is greater than 1518 bytes is considered a giant.
Deferred—For FastEthernet interfaces only. The number of frames that were deferred before transmission due to activity on the link.
– Miscellaneous—Shows statistics for received broadcasts.
– Collision Counts—For FastEthernet interfaces only. Shows the following statistics:
Output Errors—The number of frames not transmitted because the configured maximum number of collisions was exceeded. This counter should only increment during heavy network traffic.
Collisions—The number of messages retransmitted due to an Ethernet collision (single and multiple collisions). This usually occurs on an overextended LAN (Ethernet or transceiver cable too long, more than two repeaters between stations, or too many cascaded multiport transceivers). A packet that collides is counted only once by the output packets.
Late Collisions—The number of frames that were not transmitted because a collision occurred outside the normal collision window. A late collision is a collision that is detected late in the transmission of the packet. Normally, these should never happen. When two Ethernet hosts try to talk at once, they should collide early in the packet and both back off, or the second host should see that the first one is talking and wait. If you get a late collision, a device is jumping in and trying to send the packet on the Ethernet while the ASA is partly finished sending the packet. The ASA does not resend the packet, because it may have freed the buffers that held the first part of the packet. This is not a real problem because networking protocols are designed to cope with collisions by resending packets. However, late collisions indicate a problem exists in your network. Common problems are large repeated networks and Ethernet networks running beyond the specification.
– Input Queue—Shows the number of packets in the input queue, the current and the maximum, including the following statistics:
Hardware Input Queue—The number of packets in the hardware queue.
Software Input Queue—The number of packets in the software queue.
– Output Queue—Shows the number of packets in the output queue, the current and the maximum, including the following statistics:
Hardware Output Queue—The number of packets in the hardware queue.
Software Output Queue—The number of packets in the software queue.
– Show Graphs—Shows the graph window or updates the graph with additional statistic types if added.
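The counter descriptions above say which statistics point at a problem when they grow (late collisions should never happen, no-buffer events often mean a broadcast storm, overruns mean the input rate outran the buffers, and so on). The following is an added example, not Cisco code, that applies those readings to two counter snapshots taken from the Interface Graphs table; the snapshots are constructed, and the 0.1 percent bad-frame ratio that triggers the CRC/frame finding is an assumption, since the page sets no threshold.

```python
"""Triage a physical interface's counters between two samples, using the
meanings the statistics list above gives. Added example, not Cisco code."""

BAD_FRAME_RATIO = 0.001  # assumption: more than 0.1% of input frames damaged

# Constructed snapshots taken 10 seconds apart (the real-time graph interval).
PREVIOUS = {"input_packets": 1_000_000, "crc": 10, "frame": 2, "runts": 0,
            "giants": 0, "overruns": 0, "no_buffer": 0, "late_collisions": 0,
            "output_errors": 0}
CURRENT = {"input_packets": 1_250_000, "crc": 610, "frame": 40, "runts": 3,
           "giants": 0, "overruns": 20, "no_buffer": 15, "late_collisions": 2,
           "output_errors": 0}


def deltas(prev, cur):
    """Per-counter increase between two snapshots (these counters only grow)."""
    return {k: cur[k] - prev.get(k, 0) for k in cur}


def triage(prev, cur):
    """Return [(counter, explanation)] for counters whose growth the page says
    indicates a problem, in the order the page lists them."""
    d = deltas(prev, cur)
    findings = []
    packets = max(d["input_packets"], 1)
    if (d["crc"] + d["frame"]) / packets > BAD_FRAME_RATIO:
        findings.append(("crc_frame",
                         "frames damaged in transit: collisions, cabling, or a station sending bad data"))
    if d["runts"]:
        findings.append(("runts",
                         "frames under 64 bytes: collisions, poor wiring, or electrical interference"))
    if d["giants"]:
        findings.append(("giants",
                         "frames over the maximum size (1518 bytes unless jumbo frames are enabled)"))
    if d["overruns"]:
        findings.append(("overruns",
                         "input rate exceeded what the ASA could hand to hardware buffers; consider pause-frame flow control"))
    if d["no_buffer"]:
        findings.append(("no_buffer",
                         "main-system buffer exhaustion, often a broadcast storm; compare with the ignored count"))
    if d["late_collisions"]:
        findings.append(("late_collisions",
                         "should never happen: overextended or out-of-spec Ethernet segment"))
    if d["output_errors"]:
        findings.append(("output_errors",
                         "maximum collisions exceeded; expected only under heavy traffic"))
    return findings


if __name__ == "__main__":
    for counter, why in triage(PREVIOUS, CURRENT):
        print(f"{counter}: {why}")
```

Because the rules work on deltas rather than absolute values, a counter that grew long ago and then stopped produces no finding; feed the function consecutive samples from History Metrics to see when a problem started.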
The Monitoring > Interfaces > Interface Graphs > Graph/Table window shows a graph for the selected statistics. The Graph window can show up to four graphs and tables at a time. By default, the graph or table displays the real-time statistics. If you enable History Metrics (see Enabling History Metrics), you can view statistics for past time periods.
– Real-time, data every 10 sec
– Last 10 minutes, data every 10 sec
– Last 60 minutes, data every 1 min
– Last 12 hours, data every 12 min
– Last 5 days, data every 2 hours
a. Assign interfaces to contexts and automatically assign unique MAC addresses to context interfaces. See Chapter 9, “Multiple Context Mode.”
b. Complete the interface configuration according to “Routed Mode Interfaces,” or Chapter 16, “Transparent Mode Interfaces.”
Table 12-2 lists the release history for this feature.