1.0 Introduction

This document provides a detailed technical analysis and a comprehensive solution for establishing a Layer 3 Link Aggregation Control Protocol (LACP) EtherChannel between a Firepower Threat Defense (FTD) appliance, managed by a Firepower Management Center (FMC), and a Cisco Catalyst switch. The analysis is based on a common scenario where an LACP bundle fails to establish despite apparently correct initial configurations on both devices. The objective is to provide a robust, step-by-step implementation and verification plan that follows Cisco best practices.

2.0 Technical Problem Analysis

The core technical problem involves the failure of an LACP Port-Channel to become fully operational between an FTD appliance and a Catalyst switch. The user has configured both endpoints with the intention of creating a redundant, high-bandwidth Layer 3 link.

• FTD Configuration: A Port-Channel interface is created in the FMC, and two physical member interfaces are assigned. The LACP mode is set to “Active,” and the Port-Channel is configured as a routed interface with a static IP address.
• Catalyst Switch Configuration: A corresponding Port-Channel interface is created, and two physical interfaces are assigned to the channel group, also using LACP “Active” mode. This Port-Channel is configured as a Layer 3 interface with a static IP address in the same subnet as the FTD.

Despite the symmetrical “Active-Active” LACP configuration, the link bundle is not forming. This indicates a potential issue with LACP negotiation, a physical layer problem, or a subtle configuration mismatch between the FTD and the switch.

3.0 Comprehensive Implementation and Verification Plan

To ensure a successful and stable LACP EtherChannel deployment, the following structured approach, encompassing configuration, verification, and troubleshooting, should be followed.

3.1 Firepower Management Center (FMC) Configuration for FTD

The primary interface for FTD configuration is the FMC GUI. Ensure the following steps are executed precisely.

1. Navigate to Port-Channel Creation: In the FMC UI, go to Devices > Device Management. Edit the target FTD appliance and select the Interfaces tab.
2. Create the Port-Channel: Click Add Interfaces > Port Channel.
   • Port Channel ID: Assign a unique ID (e.g., 1).
   • Name: Provide a logical name (e.g., Outside_LACP).
   • Enabled: Ensure this checkbox is selected.
   • LACP Mode: Select Active. This is the recommended mode for initiating LACP negotiations.
3. Assign Member Interfaces: From the “Available Interfaces” list, select the physical ports (e.g., Ethernet1/5, Ethernet1/6) and move them to the “Selected Interfaces” list. It is critical that these physical interfaces have no pre-existing configuration.
4. Configure Layer 3 Settings:
   • Select the newly created Port-Channel interface.
   • Under the IPv4 tab, set the IP address and subnet mask (e.g., 10.10.10.2 / 255.255.255.0).
5. Deploy Changes: Save the interface configuration and, most importantly, Deploy the changes from the FMC to the FTD appliance. The configuration is not active until a successful deployment is completed.

3.2 Cisco Catalyst Switch Configuration

A clean and consistent configuration on the switch side is paramount.

1. Prepare Physical Interfaces: First, ensure the member interfaces are in a default state to avoid conflicting configurations.

   ! On the Catalyst Switch
   interface range GigabitEthernet1/0/1 - 2
    default interface
    shutdown
   !
   

2. Configure Member and Port-Channel Interfaces:

   ! On the Catalyst Switch
   interface range GigabitEthernet1/0/1 - 2
    description MEMBER-OF-Po10-TO-FTD
    channel-group 10 mode active
    no shutdown
   !
   interface Port-channel10
    description L3_LINK_TO_FTD_OUTSIDE
    no switchport
    ip address 10.10.10.1 255.255.255.0
    no shutdown
   !
   

   Note: The channel-group number is locally significant and does not need to match the FTD’s Port-Channel ID.

3.3 Verification and Troubleshooting

After deployment, verification must be performed from the command line of both devices.

1. FTD CLI Verification:

   • Access the FTD CLI (via SSH or console) and enter diagnostic mode (> system support diagnostic-cli).
   • Check the Port-Channel summary status. Look for “P” (Port in-bundle) next to the member interfaces.

     firepower# show port-channel summary
     

   • Inspect the LACP neighbor information to confirm negotiation is successful.

     firepower# show lacp neighbor
     

   • Review LACP counters for any errors.

     firepower# show lacp counters
     

2. Catalyst Switch CLI Verification:

   • The show etherchannel summary command is the most critical verification tool. The output should show the protocol as LACP and the status of member ports as (P), indicating they are successfully bundled in the Port-Channel.

     Switch# show etherchannel summary
     Flags:  D - down        P - bundled in port-channel
             I - individual  s - suspended
     ...
     Group  Port-channel  Protocol    Ports
     ------+-------------+-----------+-------------------------------------
     10     Po10(RU)      LACP        Gi1/0/1(P)   Gi1/0/2(P)
     

   • Check LACP neighbor status from the switch perspective.

     Switch# show lacp neighbor
     

3. Common Troubleshooting Steps if Bundle Fails:

   • Physical Layer: Verify cable integrity and SFP/transceiver compatibility on both ends. Check for any physical port errors (show interface).
   • Configuration Consistency: Ensure speed, duplex, and MTU settings are consistent across all member links. While often auto-negotiated, explicit configuration can resolve issues.
   • LACP Mode: Confirm one side is “Active”. While “Active-Active” is best practice, “Active-Passive” will also work. “Passive-Passive” will not form a channel.
   • FMC Deployment: Re-verify that the configuration changes were successfully deployed from the FMC to the FTD without errors.

4.0 Conclusion

Successfully establishing an LACP EtherChannel between an FTD and a Catalyst switch requires meticulous and symmetrical configuration, followed by systematic verification. The most common points of failure are incomplete FMC deployments, mismatched Layer 1/2 settings on member interfaces, and incorrect LACP mode pairings. By following the structured plan outlined in this document, a stable and resilient high-availability link can be reliably achieved.