VMware Cloud Community
wh1test
Contributor

Port-channel with vlans between ESXi 5.5 and ASA5506-X

Hello everyone!

I just purchased Cisco ASA 5506-X K9. I have two VMware ESXi 5.5 U3 (build 3568722) hosts.

Now I need to connect each host to my Cisco ASA 5506. I want to configure vlan trunk with two vlans.

Attachment: ASA5506-ESXi_5.5_trunk.png

Here is configuration on the ASA side:

interface GigabitEthernet1/3
 channel-group 1 mode active
interface GigabitEthernet1/4
 channel-group 1 mode active
interface Port-Channel 1
interface Port-Channel 1.93
 description Inside Vlan93
 vlan 93
 nameif inside
 security-level 100
 ip add 192.168.3.254 255.255.255.0
interface Port-Channel 1.94
 description DMZ Vlan94
 vlan 94
 nameif dmz
 security-level 30
 ip add 192.168.4.254 255.255.255.0

The VMware side is configured in the same way as described in this video, but I cannot make it work (no traffic between the Cisco and the VMware hosts). Please see the screenshots in the attachment.

I have only one difference from the video manual:

Adapter    Broadcom Corporation NetXtreme BCM5719

Link Layer Discovery Protocol is not available on this physical network adapter

Can somebody help me please? How do I configure the VMware side properly?

bayupw
Leadership

Hi, when you say there is no traffic, is it between the two VLANs, or is there no traffic even within the same VLAN?

Bayu Wibowo | VCIX6-DCV/NV
Author of VMware NSX Cookbook http://bit.ly/NSXCookbook
https://github.com/bayupw/PowerNSX-Scripts
https://nz.linkedin.com/in/bayupw | twitter @bayupw
chipx0r
Contributor

Hello,

I believe you're confusing two different concepts: Port-Channel, which is for adding bandwidth and HA to a common host, and another concept, 'Layer 2 Trunking'.

If you only want to propagate VLANs, you need to configure the ASA as 'Router-on-a-stick' without Port-Channel. Because the ASA manages these interfaces as L3, you need to change them to L2 with the command 'switchport', and then 'switchport mode trunk'. (Check page 4-11)

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/int5505.pdf

If you want to have HA, you need another set of two cables (one per host) and a different Port-Channel per host, propagating the same VLANs within each Port-Channel, plus the Router-on-a-stick configuration.

If you need more guidance, I'm glad to help.

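The thread never gets to a concrete comparison of the two sides, so here is an added consistency check (editor's example, not code from the thread, VMware or Cisco). It parses the ASA configuration exactly as posted above and compares it against a description of the ESXi side. The ESXi values are constructed placeholders standing in for what the screenshots would show (a standard vSwitch, one port group tagged 93 and one left untagged). The rules it applies are general facts about the two products: LACP (`channel-group ... mode active`/`passive`) requires a vSphere Distributed Switch with an LACP LAG, a standard vSwitch only supports a static channel (`mode on`) with "Route based on IP hash" teaming, and a subinterface VLAN on the ASA only carries traffic for a port group tagged with that same VLAN ID.

```python
"""Cross-check an ASA port-channel/subinterface config against ESXi-side VLAN and
teaming settings. Editor's example for this thread, not VMware or Cisco code."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# The ASA configuration as posted in the thread.
ASA_CONFIG = """\
interface GigabitEthernet1/3
 channel-group 1 mode active
interface GigabitEthernet1/4
 channel-group 1 mode active
interface Port-Channel 1
interface Port-Channel 1.93
 description Inside Vlan93
 vlan 93
 nameif inside
 security-level 100
 ip add 192.168.3.254 255.255.255.0
interface Port-Channel 1.94
 description DMZ Vlan94
 vlan 94
 nameif dmz
 security-level 30
 ip add 192.168.4.254 255.255.255.0
"""

# Constructed ESXi side (hypothetical port group names and settings).
ESXI_SIDE = {
    "switch_type": "standard",       # "standard" (vSS) or "distributed" (vDS)
    "lacp_enabled": False,           # an LACP LAG exists only on a vDS
    "teaming": "route_based_on_originating_port_id",
    "port_groups": {"VM Inside": 93, "VM DMZ": 0},   # VLAN ID 0 = untagged
}


@dataclass
class AsaInterface:
    name: str
    channel_group: Optional[int] = None
    lacp_mode: Optional[str] = None   # "active", "passive" or "on"
    vlan: Optional[int] = None
    nameif: Optional[str] = None
    security_level: Optional[int] = None


def parse_asa(text: str) -> Dict[str, AsaInterface]:
    """Parse 'interface' stanzas into AsaInterface records keyed by interface name."""
    interfaces: Dict[str, AsaInterface] = {}
    current: Optional[AsaInterface] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = AsaInterface(name=line[len("interface "):].strip())
            interfaces[current.name] = current
            continue
        if current is None:
            continue
        # re.match anchors at the start, so 'description Inside Vlan93' is not read as 'vlan'.
        if m := re.match(r"channel-group (\d+) mode (\w+)", line):
            current.channel_group, current.lacp_mode = int(m.group(1)), m.group(2)
        elif m := re.match(r"vlan (\d+)", line):
            current.vlan = int(m.group(1))
        elif m := re.match(r"nameif (\S+)", line):
            current.nameif = m.group(1)
        elif m := re.match(r"security-level (\d+)", line):
            current.security_level = int(m.group(1))
    return interfaces


def check_against_esxi(interfaces: Dict[str, AsaInterface], esxi: dict) -> List[str]:
    """Return human-readable findings; an empty list means nothing obviously inconsistent."""
    findings: List[str] = []
    # Rule 1: channel mode on the ASA must match what the ESXi switch can negotiate.
    modes = {i.lacp_mode for i in interfaces.values() if i.lacp_mode}
    if modes & {"active", "passive"}:
        if esxi["switch_type"] != "distributed" or not esxi["lacp_enabled"]:
            findings.append("ASA uses LACP (mode active/passive) but the ESXi side has no LACP LAG: "
                            "use a vDS with LACP, or 'channel-group 1 mode on' with IP-hash teaming")
    if "on" in modes and esxi["teaming"] != "route_based_on_ip_hash":
        findings.append("static EtherChannel on the ASA requires 'Route based on IP hash' teaming on ESXi")
    # Rule 2: every ASA subinterface VLAN needs a port group tagged with the same ID, and vice versa.
    asa_vlans = {i.vlan: i.nameif for i in interfaces.values() if i.vlan}
    esxi_vlans = {vid: pg for pg, vid in esxi["port_groups"].items()}
    for vid, nameif in sorted(asa_vlans.items()):
        if vid not in esxi_vlans:
            findings.append(f"ASA VLAN {vid} ({nameif}) has no ESXi port group tagged with that VLAN")
    for vid, pg in sorted(esxi_vlans.items()):
        if vid == 0:
            findings.append(f"port group '{pg}' is untagged (VLAN 0); no ASA subinterface handles untagged frames")
        elif vid not in asa_vlans:
            findings.append(f"port group '{pg}' uses VLAN {vid}, which has no ASA subinterface")
    return findings


if __name__ == "__main__":
    for finding in check_against_esxi(parse_asa(ASA_CONFIG), ESXI_SIDE):
        print("-", finding)
```

Run against the constructed ESXi description it reports three findings: the LACP mismatch, VLAN 94 having no tagged port group, and the untagged DMZ port group. Replacing the dict with a vDS LACP LAG and both port groups tagged 93 and 94 yields no findings, which is the state the screenshots would need to show before looking elsewhere for the missing traffic.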