Thanks everyone for your inputs on this.
I was thinking in terms of the firewall integration, with reference to the
topology in the link below, except that I would try to use vPC instead of
having port-channels from the switches.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1336269
The ASA would be in Active/Standby, routed mode. I am unable to get a POC
done on this at the moment.
On Mon, Apr 15, 2013 at 2:48 PM, Gilles Fabre <fabre.gilles_at_voila.fr> wrote:
>
> I am jumping on this subject since I am interested in your inputs.
>
> We recently implemented connections between a pair of N7k in vPC and
> Active/Passive FWs, using 20G connections to each FW.
> We agreed on using 2 L3 links with classical port-channels (not vPC) from
> FW1-N7k1 & FW2-N7k2 instead of vPC.
> Would you agree this is the best design in that case?
>
> By the way, we have another customer using FP for their L2 between all
> Nexus devices (2 N7k + 6 N5k); since the N7k will connect to L3 devices
> only, we decided not to use any vPC configuration on them; any comments on
> that specific design?
>
> Thanks & best regards
> Gilles.
>
>
> > Message of 14/04/13 at 07:47
> > From: "Brian McGahan"
> > To: "Joe Sanchez"
> > Cc: "Vibeesh S", "Cisco certification"
> > Subject: Re: VPC with ASA in L3 mode
>
> >
> > > I do not believe L3 is the problem, the problem is routing protocols
> > > over the vPC.
> >
> > This is really the key. There are instances where your layer 3 ECMP
> > hashing and your layer 2 port channel hashing don't agree, in which case a
> > layer 3 frame destined for vPC neighbor A gets layer 2 forwarded to vPC
> > neighbor B, and it may or may not be dropped depending on whether it needs
> > to go to a vPC member port or not. The end result is difficult to
> > troubleshoot because packet loss will occur based on non-deterministic flow
> > hashing.
> >
> > There are some ways to solve this problem depending on your design
> > though. Post more details if you want more specific help.
> >
> > On Apr 14, 2013, at 12:14 AM, "Joe Sanchez" wrote:
> >
> > > Vibeesh,
> > >
> > > I do not believe L3 is the problem, the problem is routing protocols
> > > over the vPC. For instance, EIGRP over a vPC will not work properly.
> > > However, I have set up MANY vPCs to, for instance, Fortinet firewalls
> > > with no problems, well, none that Fortinet didn't have to write new code
> > > for; in fact, Cisco ASAs as well. If you try doing dynamic routing over
> > > the vPC you will start pulling your hair out trying to troubleshoot why
> > > it's not working properly.
> > >
> > > If you are vPC'ing to a non-Cisco device such as firewalls with
> > > Active/Standby, you want to disable LACP graceful convergence. After
> > > doing hours and hours of failover testing with non-Cisco devices that
> > > are vPC'd to Nexus 5k and 7k's, I've found that Cisco's version of LACP
> > > doesn't play well with non-Cisco devices if you do not disable graceful
> > > convergence. Cisco by default uses graceful convergence, and if you have
> > > Active/Passive firewalls and/or other devices that automatically fail
> > > back to the original active device, you will lose packets due to the
> > > Cisco side of the LACP links gracefully bringing the links back after a
> > > failure.
> > >
> > > On 4/13/13 9:44 PM, "Vibeesh S" wrote:
> > >
> > >> Cisco does not recommend having a vPC setup to an L3 device.
> > >>
> > >> If I use an SVI on the 7K and connect it via vPC to an ASA that also
> > >> has an EtherChannel, are there any issues that we foresee popping up?
> > >> Appreciate your response.
> > >>
> > >> --
> > >> CCIE - R&S
> > >>
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >>
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
--
CCIE - R&S

Received on Mon Apr 15 2013 - 14:56:51 ART
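As an added illustration of the LACP point raised in the thread (an example written for this page, not configuration posted by any of the participants), here is the NX-OS vPC port-channel toward an Active/Standby firewall pair with the default graceful convergence left on, beside the same port-channel with it disabled. Interface numbers, the vPC number and the description are assumed.

```text
! Example for this page; interface/vPC numbers and description are assumed.
! Weak setting: LACP graceful convergence is the NX-OS default on Nexus 5k/7k
! and is therefore not shown in the running-config.
interface port-channel10
  description to-FW-pair-A/S
  switchport
  switchport mode trunk
  vpc 10
  lacp graceful-convergence

! Corrected: disable graceful convergence on the port-channel facing the
! non-Cisco Active/Standby device. NX-OS requires the port-channel to be
! administratively down while the setting is changed. Apply the same
! configuration on both vPC peers.
interface port-channel10
  description to-FW-pair-A/S
  switchport
  switchport mode trunk
  vpc 10
  shutdown
  no lacp graceful-convergence
  no shutdown

! Verify on each vPC peer:
show port-channel summary
show lacp interface port-channel10
show vpc consistency-parameters interface port-channel10
```

After the change, repeat the firewall failover and failback test and watch `show port-channel summary` on both peers: the member link toward the newly active unit should come up without the bundling delay that graceful convergence introduces.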
This archive was generated by hypermail 2.2.0 : Wed May 01 2013 - 06:47:40 ART