Re: VPC with ASA in L3 mode

From: Gilles Fabre <fabre.gilles_at_voila.fr>
Date: Mon, 15 Apr 2013 11:18:05 +0200 (CEST)

I am jumping on this subject since I am interested in your inputs.

We recently implemented connections between a pair of N7k vPC peers and
Active/Passive FWs, using 20G connections to each FW.
We agreed on using 2 L3 links with classical Port-channel (not vPC) from
FW1-N7k1 & FW2-N7k2 instead of vPC.
Would you agree this is the best design in that case?

By the way, we have another customer using FP for their L2 between all
Nexus devices (2 N7k + 6 N5k); since the N7k will connect to L3 devices only,
we decided not to use any vPC configuration on them; any comments on that
specific design?

Thanks & best regards
Gilles.

> Message of 14/04/13 at 07:47
> From: "Brian McGahan"
> To: "Joe Sanchez"
> Cc: "Vibeesh S", "Cisco certification"
> Subject: Re: VPC with ASA in L3 mode
>
> > I do not believe L3 is the problem, the problem is routing protocols over
> > the vPC.
>
> This is really the key. There are instances where your layer 3 ECMP hashing
> and your layer 2 port channel hashing don't agree, in which case a layer 3
> frame destined for vPC neighbor A gets layer 2 forwarded to vPC neighbor B,
> and it may or may not be dropped depending on whether it needs to go to a vPC
> member port or not. The end result is difficult to troubleshoot because packet
> loss will occur based on non-deterministic flow hashing.
>
> There are some ways to solve this problem depending on your design though.
> Post more details if you want more specific help.
>
> On Apr 14, 2013, at 12:14 AM, "Joe Sanchez" wrote:
>
> > Vibeesh,
> >
> > I do not believe L3 is the problem, the problem is routing protocols over
> > the vPC. For instance, EIGRP over a vPC will not work properly. However, I
> > have set up MANY vPCs to, for instance, Fortinet firewalls with no
> > problems, well, none that Fortinet didn't have to write new code for; in
> > fact, Cisco ASAs as well. If you try doing dynamic routing over the vPC you
> > will start pulling your hair out trying to troubleshoot why it's not
> > working properly.
> >
> > If you are vPC'ing to a non-Cisco device such as firewalls with
> > Active/Standby, you want to disable LACP graceful convergence. After doing
> > hours and hours of failover testing with devices other than Cisco that are
> > vPC'd to Nexus 5k and 7k's, I've found that Cisco's version of LACP doesn't
> > play well with other non-Cisco devices if you do not disable graceful
> > convergence. Cisco by default uses graceful convergence, and if you have
> > Active/Passive firewalls and/or other devices that automatically fail over
> > back to the original active device, you will lose packets due to the Cisco
> > side of the LACP links gracefully bringing the links back after a
> > failure.
> >
> > On 4/13/13 9:44 PM, "Vibeesh S" wrote:
> >
> >> Cisco does not recommend having a vPC setup to an L3 device.
> >>
> >> If I use an SVI on the 7K and connect it to an ASA with vPC, which also
> >> has an EtherChannel, are there any issues that we foresee popping up?
> >> Appreciate your response.
> >>
> >> --
> >> CCIE - R&S
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Apr 15 2013 - 11:18:05 ART
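An added configuration example (not from anyone in this thread) contrasting the two approaches discussed above: Joe's advice to disable LACP graceful convergence on a vPC facing a non-Cisco active/standby firewall, and Gilles' per-switch routed (non-vPC) port-channel, which sidesteps the routing-over-vPC hashing problem Brian describes. NX-OS syntax for one N7k; the vPC domain and peer-link are assumed to be configured already, and interface numbers, port-channel IDs and the IP address are constructed.

```cisco
! Added example, NX-OS on N7k1 (interface numbers, IDs and addresses are constructed).
! vPC domain, peer-keepalive and peer-link configuration assumed to exist already.
feature lacp
feature vpc

! --- Option A: vPC toward a non-Cisco active/standby firewall pair ---
! Per Joe's finding, turn off LACP graceful convergence on the vPC member
! port-channel so the Nexus side does not "gracefully" hold member links
! while the firewall fails back to its original active unit.
! NX-OS requires the port-channel to be admin down while this setting is changed.
interface port-channel10
  description vPC 10 to FW pair (non-Cisco, A/S)
  switchport
  switchport mode trunk
  vpc 10
  shutdown
  no lacp graceful-convergence
  no shutdown

interface Ethernet1/1-2
  switchport
  channel-group 10 mode active
  no shutdown

! --- Option B: per-switch routed port-channel, deliberately NOT a vPC ---
! Gilles' design: N7k1-FW1 and N7k2-FW2 each get their own L3 port-channel,
! so routing adjacencies form over a single classical port-channel and the
! L3 ECMP / L2 port-channel hash mismatch Brian describes cannot arise.
interface port-channel20
  description L3 20G to FW1 (classical port-channel, not vPC)
  no switchport
  ip address 10.0.20.1/30
  no shutdown

interface Ethernet1/3-4
  no switchport
  channel-group 20 mode active
  no shutdown
```

The same two blocks, with their own IDs and addressing, would be applied on N7k2 toward FW2.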

This archive was generated by hypermail 2.2.0 : Wed May 01 2013 - 06:47:40 ART