YilinChen 发表于 2019-10-28 10:14
Probable reason: trunk mode of Gi1/0/10 is dynamic, Po7 is access
Port: Gi2/0/10

应用到下面两个端口上interface port-channel2
interface GigabitEthernet1/0/10
switchport trunk encapsulation dot1q
channel-group 2 mode on
interface GigabitEthernet2/0/10
switchport trunk encapsulation dot1q
channel-group 2 mode on
除了没封装之外其他的还需要更改吗
还有能帮我看一下ASA防火墙配置有问题吗
ASA5515防火墙
interface Port-channel2
nameif inside
security-level 100
ip address 10.99.209.1 255.255.255.248
应用到这两个端口下interface port-channel2
interface GigabitEthernet0/1
channel-group 2 mode on
interface GigabitEthernet0/4
channel-group 2 mode on

本帖最后由 seasonli72658 于 2019-10-28 10:44 编辑

YilinChen 发表于 2019-10-28 10:14
Probable reason: trunk mode of Gi1/0/10 is dynamic, Po7 is access
Port: Gi2/0/10

spanning-tree portfast 这个命令是不是不用配置了
还有一个问题就是链路聚合一端channel配置VLAN ，别一端channel配置的是IP这个会有影响吗。

seasonli72658 发表于 2019-10-28 10:31
spanning-tree portfast 这个命令是不是不用配置了
还有一个问题就是链路聚合一端channel配置VLAN ，别 ...

清除所有垃圾配置
2端PortChannel要么全是三层，要么都是Trunk透VLAN

YilinChen 发表于 2019-10-29 08:35
清除所有垃圾配置
2端PortChannel要么全是三层，要么都是Trunk透VLAN

nameif inside
security-level 100
policy-route route-map rmap-to-Liantong
如果做链路聚合的话，问一下上面这三条是配置在port-channel下面呢，还是配置在端口下面

在Portchannel下进行配置

YilinChen 发表于 2019-10-29 13:47
在Portchannel下进行配置

非常感谢，我试一下晚上，这个问题已经弄了好久了，一直不好用，
nameif inside
security-level 100
policy-route route-map rmap-to-Liantong
上面这个对端的配置三层核心交换上的端口配置
channel-group 2 mode on 只配置这个可以吗，和上面的端口互联

seasonli72658 发表于 2019-10-29 13:58
非常感谢，我试一下晚上，这个问题已经弄了好久了，一直不好用，
nameif inside
security-level 100

请详细描述问题现象，包括连线拓扑、对应相关接口配置、要实现的功能等，谢谢

YilinChen 发表于 2019-10-29 14:04
请详细描述问题现象，包括连线拓扑、对应相关接口配置、要实现的功能等，谢谢

好的稍等我画一下图,等我一下谢谢

seasonli72658 发表于 2019-10-29 14:28
好的稍等我画一下图,等我一下谢谢

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 140.207.0.28 255.255.255.248
!
interface GigabitEthernet0/1
nameif inside
security-level 100
ip address 10.99.209.1 255.255.255.248
!
interface GigabitEthernet0/2
nameif VPN
security-level 0
no ip address
!
interface GigabitEthernet0/3
nameif inside1
security-level 100
ip address 10.99.210.1 255.255.255.248
用同网段连接的方法：
路由写了优先级
route inside 10.88.0.0 255.255.0.0 10.99.209.4 1
route inside1 10.88.0.0 255.255.0.0 10.99.210.4 6
route inside 10.99.0.0 255.255.0.0 10.99.209.4 1
route inside1 10.99.0.0 255.255.0.0 10.99.210.4 6
这个主要用来走VPN的，主要实现哪个堆叠交换挂了都可以正常让VPN连进来
=======================================

interface Port-channel1
nameif inside
security-level 100
ip address 10.99.201.1 255.255.255.248
policy-route route-map rmap-to-Liantong
interface GigabitEthernet0/1
channel-group 2 mode on
no nameif
no security-level
no ip address
interface GigabitEthernet0/4
channel-group 2 mode on
no nameif
主要实现连接堆叠交换机，做链路聚合，哪个堆叠交换挂 了都可以正常上外网
==================================

interface Port-channel1
no switchport
ip address 10.99.201.4 255.255.255.248
interface GigabitEthernet1/0/18
channel-group 2 mode on
interface GigabitEthernet2/0/18
channel-group 2 mode on
上面是链路聚合端口连接ASA5515 new
==================================

interface GigabitEthernet1/0/1
switchport access vlan 209
switchport mode access
interface GigabitEthernet2/0/10
switchport access vlan 210
switchport mode access

interface Vlan209
ip address 10.99.209.4 255.255.255.248
!
interface Vlan210
ip address 10.99.210.4 255.255.255.248
ip route 192.168.2.0 255.255.255.0 10.99.209.1 1
ip route 192.168.2.0 255.255.255.0 10.99.210.1 6

YilinChen 发表于 2019-10-29 14:04
请详细描述问题现象，包括连线拓扑、对应相关接口配置、要实现的功能等，谢谢

麻烦帮忙看一下，这样配置有没有问题，因为我这里配置要停网，不能总测试，所以帮忙看一下这样还哪里有问题吗

本帖最后由 seasonli72658 于 2019-10-30 09:47 编辑

YilinChen 发表于 2019-10-28 10:14
Probable reason: trunk mode of Gi1/0/10 is dynamic, Po7 is access
Port: Gi2/0/10

今天我配了防火墙的protchannel但是在写
nameif inside这个命令打不上，提示不能在空接口配置nameif这个是什么意思
ASA5515-SH-new(config)# interface Port-channel1
ASA5515-SH-new(config-if)# nameif inside
ERROR: nameif not allowed on empty etherchannel interface.
ASA5515-SH-new(config-if)# security-level 100
ASA5515-SH-new(config-if)# ip address 10.99.201.1 255.255.255.248
ASA5515-SH-new(config-if)# policy-route route-map rmap-to-Liantong
ASA5515-SH-new(config-if)#
==============================================================================================================
虽然

nameif inside没有配置上，但是我把channel配置到接口上了下面是日志:下面的LOG是不是代表链路聚合成功了

Group state = L3
Ports: 2 Maxports = 8
Port-channels: 1 Max Port-channels = 1
Protocol: -
Minimum Links: 0
Ports in the group:
-------------------
Port: Gi1/0/18
------------
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 0d:00h:17m:28s
Port: Gi2/0/18
------------
Port state = Up Mstr In-Bndl
Channel group = 1 Mode = On Gcchange = -
Port-channel = Po1 GC = - Pseudo port-channel = Po1
Port index = 0 Load = 0x00 Protocol = -
Age of the port in the current state: 0d:00h:17m:05s
Port-channels in the group:
---------------------------
Port-channel: Po1
------------

Age of the Port-channel = 0d:00h:18m:15s
Logical slot/port = 12/1 Number of ports = 2
GC = 0x00000000 HotStandBy port = null
Passive port list = Gi1/0/18 Gi2/0/18
Port state = Port-channel L3-Ag Ag-Inuse
Protocol = -
Port security = Disabled
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Gi1/0/18 On 0
0 00 Gi2/0/18 On 0
Time since last port bundled: 0d:00h:17m:05s Gi2/0/18
===============================================================================================
能告诉我 interface Port-channel1下面怎么才能配置上：nameif inside吗谢谢

贴了图，可还是思维描述混乱，是2台ASA 都有和 3650 建立链路聚合的需求，还是只其中一台ASA有这样的需求？
光看现有配置，为什么ASA5515 NEW上，物理接口下配置是channel-group2, 楼主却非得在PortChannel 1里配命令？

YilinChen 发表于 2019-10-30 15:04
贴了图，可还是思维描述混乱，是2台ASA 都有和 3650 建立链路聚合的需求，还是只其中一台ASA有这样的需求？ ...

不好意思，是写错了，物理接口下配置是channel-group1，就两个防火墙都要和堆叠交换机建立链路聚合的需求,现在解决了ASA5515 NEW链路聚合的问题，别一个也就搞定了，能帮我看看吗，ASA5515 NEW的防火墙链路聚合的问题