Configuring EtherChannel on an ASA Firewall

The ability to configure EtherChannels on ASA models 5510 and above was introduced in ASA software 8.4/8.6. An EtherChannel aggregates multiple Ethernet links into a single logical channel.

This article provides the steps required to create an EtherChannel on the Cisco ASA, along with the main troubleshooting and show commands.

Configuration

Below shows the configuration to create an EtherChannel that acts as a trunk carrying VLAN 1000. The two physical members are bundled with LACP (channel-group 1 mode active) and the Layer 3 settings live on the Port-channel1.1000 subinterface.

interface GigabitEthernet0/1
  speed 1000
  duplex full
  channel-group 1 mode active
  no nameif
  no security-level
  no ip address

interface GigabitEthernet0/2
  speed 1000
  duplex full
  channel-group 1 mode active
  no nameif
  no security-level
  no ip address

interface Port-channel1.1000
  vlan 1000
  nameif INSIDE
  security-level 100
  ip address 172.16.1.1 255.255.255.0

HA

By default, when you configure a port-channel, the port-channel remains up as long as at least one member interface is active. This means that even if you are monitoring the port-channel for failover, a single link failure within the bundle will not trigger a device-level failover.

To ensure a device-level failover occurs in the event of a single member link failure, the port-channel min-bundle command is used. Below shows the necessary commands:

monitor-interface INSIDE
interface Port-channel1
  port-channel min-bundle 2

Note: the monitor-interface command only accepts interfaces that have been configured with nameif, i.e. you can only monitor the port-channel (sub)interface rather than each of the member links. This is why min-bundle is needed to turn a single member failure into a port-channel failure.
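The following is an added audit helper, not part of the original article, that parses the two show commands covered below and reports how many member links can fail before the port-channel (and therefore the monitored interface) goes down. The sample output is constructed to mirror the page's captures.

```python
import re

# Constructed sample output modelled on "sh interface port-channel 1"
# and "sh port-channel 1" as shown in the article (not a live capture).
SH_INTERFACE = """\
Interface Port-channel1 "", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
  Members in this channel:
      Active:   Gi0/1 Gi0/2
"""

SH_PORT_CHANNEL = """\
Ports: 2   Maxports = 16
Port-channels: 2 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
"""


def active_members(sh_interface: str) -> list[str]:
    """Return the member interfaces listed on the 'Active:' line."""
    m = re.search(r"^\s*Active:\s*(.*)$", sh_interface, re.MULTILINE)
    return m.group(1).split() if m else []


def minimum_links(sh_port_channel: str) -> int:
    """Return the configured min-bundle value from 'Minimum Links: N'."""
    m = re.search(r"^Minimum Links:\s*(\d+)", sh_port_channel, re.MULTILINE)
    if not m:
        raise ValueError("Minimum Links line not found in show port-channel output")
    return int(m.group(1))


def failover_gap(sh_interface: str, sh_port_channel: str) -> int:
    """Member links that can fail *without* taking the port-channel down.

    0 means any single member failure brings the channel down, which is what
    the min-bundle recommendation above achieves. A value >= 1 means
    monitor-interface will not see a single-link failure.
    """
    members = active_members(sh_interface)
    return max(len(members) - minimum_links(sh_port_channel), 0)


def audit(sh_interface: str, sh_port_channel: str) -> str:
    gap = failover_gap(sh_interface, sh_port_channel)
    if gap == 0:
        return "OK: min-bundle equals member count; a member failure fails the channel"
    return f"WARN: {gap} member link(s) can fail silently; raise port-channel min-bundle"


if __name__ == "__main__":
    print(audit(SH_INTERFACE, SH_PORT_CHANNEL))
```

Feed it the real output of both commands (for example, pasted from a capture) and rerun after changing min-bundle to confirm the gap drops to 0.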

Show Commands

Below shows two of the main show commands. Note the "Minimum Links: 1" default in the second output, which is the value raised by port-channel min-bundle:

asa/pri/act# sh interface port-channel 1
Interface Port-channel1 "", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 2000 Mbps, DLY 10 usec
        Full-Duplex(Full-duplex), 1000 Mbps(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        Available but not configured via nameif
        MAC address 1c6a.7ac1.3db9, MTU not set
        IP address unassigned
  Members in this channel:
      Active:   Gi0/1 Gi0/2
 
asa/pri/act# sh port-channel 1
Ports: 2   Maxports = 16
Port-channels: 2 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Rick Donato
