Fabre,
If you have ACTIVE/PASSIVE I would use the 20g vPC from the Cisco/Fortigate
per FW if you are using vPCs downstream to your Distribution blocks. This
will ensure proper flow from the host through the firewalls. You want to
avoid having user traffic traversing your vpc-peer-link as much as
possible, hence the reason Cisco modified the HSRP to allow the standby
switch to forward traffic upstream when a packet arrives as opposed to
sending the traffic across the vpc-peer-link.
But again, architecture is also one of those things where you want to have a big
white board session and architecture overview of YOUR corporation's or
client's traffic flow.
M2C.
On Mon, Apr 15, 2013 at 4:18 AM, Gilles Fabre <fabre.gilles_at_voila.fr> wrote:
>
> I am jumping on this subject since I am interested in your inputs.
>
> We implemented recently connections between a pair of N7k vPC to
> Active/Passive FWs, using 20G connections to each FW.
> We agreed on using 2 L3 links with classical Port-channel (not vPC) from
> FW1-N7k1 & FW2-N7k2 instead of vPC.
> Would you agree this is the best design in that case?
>
> By the way, we have another customer using FP for their L2 between all
> Nexus devices (2 N7k + 6 N5k); since the N7k will connect to L3 devices
> only, we decided not to use any vPC configuration on them; any comments on
> that specific design?
>
> Thanks & best regards
> Gilles.
>
>
> > Message of 14/04/13 at 07:47
> > From: "Brian McGahan"
> > To: "Joe Sanchez"
> > Cc: "Vibeesh S" , "Cisco certification"
> > Subject: Re: VPC with ASA in L3 mode
>
> >
> > > I do not believe L3 is the problem, the problem is routing protocols
> > > over the vPC.
> >
> > This is really the key. There are instances where your layer 3 ECMP
> > hashing and your layer 2 port channel hashing don't agree, in which case a
> > layer 3 frame destined for vPC neighbor A gets layer 2 forwarded to vPC
> > neighbor B, and it may or may not be dropped depending on whether it needs
> > to go to a vPC member port or not. The end result is difficult to
> > troubleshoot because packet loss will occur based on non-deterministic flow
> > hashing.
> >
> > There are some ways to solve this problem depending on your design
> > though. Post more details if you want more specific help.
> >
> > On Apr 14, 2013, at 12:14 AM, "Joe Sanchez" wrote:
> >
> > > Vibeesh,
> > >
> > > I do not believe L3 is the problem, the problem is routing protocols
> > > over the vPC. For instance EIGRP over a vPC will not work properly. However
> > > I have set up MANY vPCs to for instance Fortinet Firewalls with no
> > > problems, well none that Fortinet didn't have to write new code for, in fact
> > > Cisco ASAs as well. If you try doing dynamic routing over the vPC you will
> > > start pulling your hair out trying to troubleshoot why it's not working
> > > properly.
> > >
> > > If you are vPC'ing to a non-Cisco device such as firewalls with
> > > Active/Standby you want to disable LACP graceful convergence. After
> > > doing hours and hours of failover testing with devices other than Cisco that
> > > are vPC'd to Nexus 5k and 7k's, I've found that Cisco's version of LACP
> > > doesn't play well with other non-Cisco devices if you do not disable graceful
> > > convergence. Cisco by default uses graceful convergence and if you have
> > > Active/Passive firewalls and/or other devices that automatically
> > > failover back to the original active device you will lose packets due to the
> > > Cisco side of the LACP links gracefully bringing the links back after a
> > > failure.
> > >
> > > On 4/13/13 9:44 PM, "Vibeesh S" wrote:
> > >
> > >> Cisco does not recommend having a vPC setup to an L3 device.
> > >>
> > >> If I use SVI on the 7K and connect it to an ASA with vPC which also
> > >> has an EtherChannel, are there any issues that we foresee pop up?
> > >> Appreciate your response.
> > >>
> > >> --
> > >> CCIE - R&S
> > >>
> > >> Blogs and organic groups at http://www.ccie.net
> > >>
> > >> _______________________________________________________________________
> > >> Subscription information may be found at:
> > >> http://www.groupstudy.com/list/CCIELab.html
Received on Mon Apr 15 2013 - 14:03:18 ART
This archive was generated by hypermail 2.2.0 : Wed May 01 2013 - 06:47:40 ART
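Joe Sanchez's advice above, disabling LACP graceful convergence on a vPC port channel that faces a non-Cisco Active/Passive firewall pair, written out as NX-OS configuration. This is an added example, not configuration posted by anyone in the thread; the vPC domain, port-channel number, interface names and VLAN number are placeholders, and the same port-channel configuration is applied on both vPC peers (N7k1 and N7k2).

```text
! Example NX-OS configuration (added illustration, not from the thread).
! Apply on BOTH vPC peers; all numbers and names below are assumed placeholders.

! Member link towards the firewall on this peer
interface Ethernet1/1
  description to FW1 port 1 (placeholder)
  channel-group 10 mode active

interface port-channel10
  description vPC to Active/Passive firewall pair (placeholder)
  switchport mode trunk
  switchport trunk allowed vlan 100
  ! Graceful convergence is the NX-OS default. With a non-Cisco LACP
  ! partner that fails back to its original active unit, the Cisco side
  ! brings the member links back up slowly and traffic is dropped in the
  ! meantime. NX-OS requires the port channel to be administratively down
  ! while this setting is changed.
  shutdown
  no lacp graceful-convergence
  no shutdown
  vpc 10

! Verification after a forced firewall failover/failback:
!   show port-channel summary          - members should return to state P
!   show lacp interface ethernet 1/1   - partner state and negotiated parameters
!   show vpc                           - vPC 10 up on both peers, consistency passed
```

The change is per port channel, so it can be limited to the links facing the non-Cisco partner while the rest of the vPC domain keeps the default. Because the setting must be identical on both vPC peers, check `show vpc consistency-parameters interface port-channel 10` after the change so a mismatch does not leave the vPC suspended on one side.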