Do you have to run a routing protocol or will the ASAs just have a static
route pointing north?
Brian McGahan, CCIE #8593 (R&S/SP/Security), CCDE #2013::13
bmcgahan_at_INE.com
Internetwork Expert, Inc.
http://www.INE.com
From: Vibeesh S [mailto:vibselva_at_gmail.com]
Sent: Monday, April 15, 2013 4:27 AM
To: Gilles Fabre
Cc: Brian McGahan; Joe Sanchez; Cisco certification
Subject: Re: VPC with ASA in L3 mode
Thanks everyone for your inputs on this.
I was thinking in terms of the firewall integration, with reference to the
topology in the link below, except that I try and use vPC instead of having
port-channels from the switches.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1336269
The ASA would be in Active/Standby routed mode. I am unable to get a POC done
on this at the moment.
On Mon, Apr 15, 2013 at 2:48 PM, Gilles Fabre <fabre.gilles_at_voila.fr> wrote:
I am jumping on this subject since I am interested in your inputs.
We recently implemented connections between a pair of N7k vPC peers and
Active/Passive FWs, using 20G connections to each FW.
We agreed on using 2 L3 links with classical port-channel (not vPC) from
FW1-N7k1 & FW2-N7k2 instead of vPC.
Would you agree this is the best design in that case?
By the way, we have another customer using FP for their L2 between all
Nexus devices (2 N7k + 6 N5k); since the N7k will connect to L3 devices only,
we decided not to use any vPC configuration on them; any comments on that
specific design?
Thanks & best regards
Gilles.
> Message of 14/04/13 at 07h47
> From: "Brian McGahan"
> To: "Joe Sanchez"
> Cc: "Vibeesh S", "Cisco certification"
> Subject: Re: VPC with ASA in L3 mode
>
> > I do not believe L3 is the problem, the problem is routing protocols over
> > the vPC.
>
> This is really the key. There are instances where your layer 3 ECMP hashing
> and your layer 2 port channel hashing don't agree, in which case a layer 3
> frame destined for vPC neighbor A gets layer 2 forwarded to vPC neighbor B,
> and it may or may not be dropped depending on whether it needs to go to a vPC
> member port or not. The end result is difficult to troubleshoot because packet
> loss will occur based on non-deterministic flow hashing.
>
> There are some ways to solve this problem depending on your design though.
> Post more details if you want more specific help.
>
> On Apr 14, 2013, at 12:14 AM, "Joe Sanchez" wrote:
>
> > Vibeesh,
> >
> > I do not believe L3 is the problem, the problem is routing protocols over
> > the vPC. For instance, EIGRP over a vPC will not work properly. However, I
> > have set up MANY vPCs to, for instance, Fortinet firewalls with no
> > problems, well, none that Fortinet didn't have to write new code for; in
> > fact Cisco ASAs as well. If you try doing dynamic routing over the vPC you
> > will start pulling your hair out trying to troubleshoot why it's not
> > working properly.
> >
> > If you are vPC'ing to a non-Cisco device such as firewalls with
> > Active/Standby you want to disable LACP graceful convergence. After doing
> > hours and hours of failover testing with devices other than Cisco that are
> > vPC'd to Nexus 5k and 7k's, I've found that Cisco's version of LACP doesn't
> > play well with other non-Cisco devices if you do not disable graceful
> > convergence. Cisco by default uses graceful convergence, and if you have
> > Active/Passive firewalls and/or other devices that automatically fail over
> > back to the original active device you will lose packets due to the Cisco
> > side of the LACP links gracefully bringing the links back after a
> > failure.
> >
> > On 4/13/13 9:44 PM, "Vibeesh S" wrote:
> >
> >> Cisco does not recommend having a vPC setup to an L3 device.
> >>
> >> If I use an SVI on the 7K and connect it to an ASA with vPC, which also
> >> has an EtherChannel, are there any issues that we foresee popping up?
> >> Appreciate your response.
> >>
> >> --
> >> CCIE - R&S
> >>
> >>
> >> Blogs and organic groups at http://www.ccie.net
> >>
> >> _______________________________________________________________________
> >> Subscription information may be found at:
> >> http://www.groupstudy.com/list/CCIELab.html
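The two designs discussed in this thread, written out as an NX-OS configuration sketch for one N7k of the vPC pair. This is an added example, not configuration posted by Brian, Gilles, Joe or Vibeesh; every interface number, port-channel ID, VLAN and IP address is an assumed placeholder. Option A is the non-vPC L3 port-channel Gilles describes (with the static route north Brian asks about), which keeps the routed path off the vPC so the L3 ECMP / L2 port-channel hashing disagreement Brian explains cannot put a frame on the wrong vPC peer. Option B is the case Vibeesh asks about (SVI on the 7K, L2 vPC toward the firewall pair) with the LACP graceful convergence setting Joe recommends turning off.

```text
! Added example, not from any message in this thread. Device: N7k1 of a vPC pair.
! All interface numbers, port-channel IDs, VLANs and addresses are assumed values.

! Option A (Gilles's design): a classical L3 port-channel from N7k1 to FW1,
! deliberately NOT a vPC member. N7k2 gets the mirror-image config toward FW2.
interface Ethernet1/1-2
  no switchport
  channel-group 20 mode active
  no shutdown
!
interface port-channel 20
  description L3 port-channel to FW1 (standalone, no "vpc" keyword)
  no switchport
  ip address 10.0.20.1/30
!
! Brian's "static route pointing north" option: default route via FW1's inside
! address. A routing protocol, if used instead, peers only over this non-vPC link.
ip route 0.0.0.0/0 10.0.20.2
!
! Option B (Vibeesh's scenario): L2 vPC toward an Active/Standby firewall pair,
! with routing done on an SVI. Per Joe, disable LACP graceful convergence here,
! since NX-OS enables it by default; it is the behaviour he saw drop packets
! when a non-Cisco Active/Passive pair fails back to the original active unit.
interface port-channel 10
  description vPC to Active/Standby firewall pair (L2 only)
  switchport
  switchport mode access
  switchport access vlan 100
  vpc 10
  no lacp graceful-convergence
!
interface Vlan100
  description SVI toward firewall outside interface
  no shutdown
  ip address 10.0.100.1/24
```

In Option B the firewall sees one logical LACP bundle across both N7ks, so the same `no lacp graceful-convergence` line belongs on port-channel 10 of N7k2 as well; a vPC consistency check will flag the port-channels if the two peers disagree. Option B still leaves dynamic routing off the vPC, which is the part of the thread everyone agrees on.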
-- CCIE - R&S
Blogs and organic groups at http://www.ccie.net
Received on Mon Apr 15 2013 - 10:59:51 ART
This archive was generated by hypermail 2.2.0 : Wed May 01 2013 - 06:47:40 ART