Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 12 Starting Interface Configuration (ASA 5510 and Higher)
Information About Starting ASA 5510 and Higher Interface Configuration
Figure 12-1 Connecting to a VSS
If you use the ASA in an Active/Standby failover deployment, then you need to create separate
EtherChannels on the switches in the VSS, one for each ASA (see Figure 12-1). On each ASA, a single
EtherChannel connects to both switches. Grouping all switch interfaces into a single EtherChannel
that connects to both ASAs does not work: the EtherChannel will not be established because of the
separate ASA system IDs. Even if it could be established, a single EtherChannel would not be
desirable because you do not want traffic sent to the standby ASA.
Figure 12-2 Active/Standby Failover and VSS
Link Aggregation Control Protocol
The Link Aggregation Control Protocol (LACP) aggregates interfaces by exchanging Link
Aggregation Control Protocol Data Units (LACPDUs) between two network devices.
You can configure each physical interface in an EtherChannel to be:
• Active—Sends and receives LACP updates. An active EtherChannel can establish connectivity with
either an active or a passive EtherChannel. You should use the active mode unless you need to
minimize the amount of LACP traffic.
• Passive—Receives LACP updates. A passive EtherChannel can only establish connectivity with an
active EtherChannel.
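The two rules above (a link negotiates only when at least one end is active, and an EtherChannel spanning both ASAs is not established because of the separate ASA system IDs) can be checked against a cabling plan before deployment. The following Python check is an added example, not part of the Cisco guide; it is a simplified model rather than a full LACP state machine, and the function names, the port-to-ASA cabling and the system ID strings are assumptions.

```python
from collections import defaultdict

# Simplified model of the two rules in the text, not a full LACP state machine:
#   1. a link negotiates only if at least one end is in active mode;
#   2. every member of one EtherChannel must see the same partner system ID.

def link_negotiates(local_mode, partner_mode):
    return "active" in (local_mode, partner_mode)

def check_port_channels(links):
    """Return {channel: (ok, reason)} for switch-side port-channels."""
    by_channel = defaultdict(list)
    for link in links:
        by_channel[link["channel"]].append(link)
    report = {}
    for channel, members in sorted(by_channel.items()):
        stalled = [m["port"] for m in members
                   if not link_negotiates(m["mode"], m["partner_mode"])]
        partners = sorted({m["partner_id"] for m in members})
        if stalled:
            report[channel] = (False, "both ends passive on " + ", ".join(stalled))
        elif len(partners) > 1:
            report[channel] = (False, "multiple partner system IDs: " + ", ".join(partners))
        else:
            report[channel] = (True, "bundles with " + partners[0])
    return report

def vss_links(assignments, switch_mode="active", asa_mode="active"):
    """Build link records from (switch port, port-channel, ASA system ID) tuples."""
    return [{"port": port, "channel": channel, "mode": switch_mode,
             "partner_id": asa, "partner_mode": asa_mode}
            for port, channel, asa in assignments]

# Constructed sample data: the port-to-ASA cabling and the system ID strings
# are assumptions for illustration, not values taken from the guide.
SEPARATE = vss_links([("gig3/2", 2, "asa-primary-id"), ("gig6/2", 2, "asa-primary-id"),
                      ("gig3/3", 3, "asa-secondary-id"), ("gig6/3", 3, "asa-secondary-id")])
SINGLE = vss_links([("gig3/2", 2, "asa-primary-id"), ("gig6/2", 2, "asa-primary-id"),
                    ("gig3/3", 2, "asa-secondary-id"), ("gig6/3", 2, "asa-secondary-id")])
PASSIVE = vss_links([("gig3/2", 2, "asa-primary-id"), ("gig6/2", 2, "asa-primary-id")],
                    switch_mode="passive", asa_mode="passive")

if __name__ == "__main__":
    for name, plan in (("separate", SEPARATE), ("single", SINGLE), ("passive", PASSIVE)):
        print(name, check_port_channels(plan))
```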
[Figure 12-1 diagram labels: ASA; VSS (Switch 1, Switch 2); port-channel 1; port-channel 2; gig0/0; gig0/1; gig3/5; gig6/5]
[Figure 12-2 diagram labels: Primary ASA; Secondary ASA; VSS (Switch 1, Switch 2); port-channel 1; port-channel 2; port-channel 3; gig0/0; gig0/1; gig3/2; gig3/3; gig6/2; gig6/3]