Configure Etherchannel on Cisco ASA to increase bandwidth and achieve HA

Cisco's Etherchannel solution allows you to bundle two or more physical Ethernet links in order to aggregate available bandwidth. CCIE Brandon Carroll shows you step-by-step how to set it up on your Cisco ASA.

Some may say that bandwidth is king. This is true in many cases, especially with higher end video applications becoming more prevalent in network environments. In this post I'll show you how to get more bandwidth with your Cisco ASA, as well as an added bonus of high availability.

The solution is Etherchannel and it became available on the ASA in version 8.4. Essentially what you are accomplishing is a bundle relationship between two interfaces that are looked at as one in the ASA. So a 1-GBps interface can be EtherChanneled with another to become a 2-GBps bundle. There's the bandwidth increase that some may be looking for. What about the high availability? That comes with the bundle. The ASA load balances traffic over the two interfaces in the bundle. If one interface goes down the traffic still travels over the other interface. How's that for a bit of redundancy?

Let's look at how to configure EtherChannels on the ASA. There are basically two methods:

  • Use ASDM and configure via a GUI interface
  • Use the CLI

First let's examine the GUI interface.

In Figure A, I've navigated to Configuration > Device Settings > Interfaces and selected the Add button. This presents an option to create an EtherChannel interface.

Figure A

The next step is to provide the parameters for the EtherChannel. In Figure B, you can see the need to provide a Port Channel ID, an interface name, and a security level. Additionally you must add available physical interfaces as group members. You select them and use the add button to move them into the group. You'll notice that the GigabitEthernet0/0 as well as GigabitEthernet0/1 interfaces are not present. This is because they are already configured. At the bottom of the configuration page you must determine how the IP address of the interface is to be configured. In this case we have statically assigned the IP address.

Figure B

Figure C shows the advanced options. Two of them relate specifically to the EtherChannel: Minimum Active Members, the number of member interfaces that must be active for the port-channel interface to stay up, and Maximum Active Members. The maximum defaults to 8, which is the maximum number of interfaces that can be in one EtherChannel.

Figure C

Next, we've modified the load balancing scheme. The default scheme is Source and Destination IP address, which means that each session is load balanced based on its Layer 3 information. In Figure D you can see a number of the alternative load balancing schemes.

Figure D

For this sample connection, I'm using source and destination IP and layer 4 port number.

Figure E

Clicking OK creates the EtherChannel in ASDM but does not apply the configuration to the ASA. In Figure F you can see the summary of the EtherChannel in ASDM. Note that a Layer 3 interface is designated as port-channel1. Click Apply to push the configuration out to the ASA.

Figure F

Now for the CLI configuration. In Figure G we are previewing the commands before they are sent to the CLI. Breaking down the configuration, you can see that a new interface is created with the interface port-channel1 command. Under it, the port-channel load-balance command applies the modification that we made in the Advanced tab in ASDM. The minimum and maximum members are defined as 1 and 8 respectively, and the name CHANNEL1 is applied. Finally, the security level and IP address are configured. Moving to the top of the configuration block, the interfaces GigabitEthernet 0/2 and 0/3 are placed into channel-group 1 in Active mode. For those of you who are savvy with Cisco switches, you'll most likely feel right at home since the configuration is nearly identical.

Figure G

Overall, the configuration of the ASA is very simple. ASDM makes sure of that, but if you've configured EtherChannels on Cisco switches the CLI is pretty easy too. One additional note: make sure that the switch side has a mirror configuration. The following would work on the connected switch.

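interface Port-channel 1
 ! supply the address and mask for your network
 ip address
 no shut
interface range g0/7-8
 ! LACP active, matching the Active mode set on the ASA members
 channel-group 1 mode active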
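
One way to check the "mirror configuration" requirement before the bundle goes into service, as an added example that is not part of the original article: a small Python script that compares the channel-group members and modes on both ends. The function names and the sample configs are assumptions constructed here; the interface names follow the article's text.

```python
import re

# Mode pairs that bring a bundle up. "on" is static (no LACP), so it only
# pairs with "on"; passive/passive never negotiates.
WORKING_PAIRS = {("active", "active"), ("active", "passive"),
                 ("passive", "active"), ("on", "on")}

def expand(name):
    """Expand an IOS range such as 'g0/7-8' into ['g0/7', 'g0/8']."""
    m = re.fullmatch(r"(.*?)(\d+)\s*-\s*(\d+)", name.strip())
    if not m:
        return [name.strip()]
    prefix, first, last = m.group(1), int(m.group(2)), int(m.group(3))
    return [f"{prefix}{n}" for n in range(first, last + 1)]

def channel_members(config, group):
    """Map each member interface of channel-group <group> to its mode."""
    members, current = {}, []
    for line in map(str.strip, config.splitlines()):
        m = re.match(r"interface\s+(?:range\s+)?(.+)", line, re.I)
        if m:
            current = expand(m.group(1))
            continue
        m = re.match(r"channel-group\s+(\d+)(?:\s+mode\s+(\w+))?", line, re.I)
        if m and int(m.group(1)) == group:
            for ifname in current:
                members[ifname] = (m.group(2) or "missing").lower()
    return members

def mirror_problems(asa_cfg, switch_cfg, group=1):
    """List reasons the two ends of the bundle would not come up cleanly."""
    asa, sw = channel_members(asa_cfg, group), channel_members(switch_cfg, group)
    problems = []
    if len(asa) != len(sw):
        problems.append(f"member count differs: ASA {len(asa)}, switch {len(sw)}")
    for a_mode in sorted(set(asa.values())):
        for s_mode in sorted(set(sw.values())):
            if (a_mode, s_mode) not in WORKING_PAIRS:
                problems.append(f"mode mismatch: ASA {a_mode}, switch {s_mode}")
    return problems

# Constructed sample configs (interface names follow the article's text).
ASA = """interface GigabitEthernet0/2
 channel-group 1 mode active
interface GigabitEthernet0/3
 channel-group 1 mode active"""
SWITCH_OK = "interface range g0/7-8\n channel-group 1 mode active"
SWITCH_BAD = "interface range g0/7-8\n channel-group 1 mode on"
print(mirror_problems(ASA, SWITCH_BAD))
```

A static "on" switch side against LACP Active ASA members is the mismatch this catches; a channel-group line with no mode is reported as "missing".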

You'll find more EtherChannel configurations at

By Brandon Carroll

Brandon Carroll has been in the industry since the late 90s specializing in data networking and network security in the enterprise and data center. Brandon holds the CCIE in security and is a published author in network security.