topic 4500X VSS in Switching

4500X VSS

Eugen Bitca — Sun, 10 Mar 2019 20:13:13 GMT

Hello,

A typical Data Center ASA cluster with vPC and VSS(file attached)

All interfaces and port-channels are up, vPC, VSS, Cluster all OK.

1. From Core-S1 Vlan 200 I can reach Vlan 200 on Servers LAN
2. From Core-S1 Vlan 200 I can reach ip 10.44.124.1 (Vlan124 on Core-S4)
3. From Core-S1 some traffic to Vlan 124 are ok and some not
4. From Core-S4 Vlan 124 some traffic to Vlan 124 are ok and some not
5. If I disable Te1/1/10 and Te1/2/7, vlan 124 is reachable from Core-S1
6. If I enable Te1/1/10 and Te1/2/7 and disable Te2/1/10 and Te2/2/7, some
traffic to vlan 124 are ok and some not.
7. If I move trunk from Core-S1 to Core-S4 with interfaces Te2/1/10 and Te2/2/7 disabled, vlan 124 is reachable.

Do I need special configuration for L3 routing on VSS?

Thank you

Hi,

Reza Sharifi — Mon, 07 Aug 2017 15:32:55 GMT

Hi,

What I have seen in the past is that when you connect VSS to a firewall cluster, you can't have cross connects. So, if you remove ports 2/2/7 and 1/1/10 (cross connects) from the VSS switches and just put interface 2/1/10 and 1/2/7 in po3, your design should work fine. Can you test that?

HTH

Hi,

Eugen Bitca — Tue, 08 Aug 2017 05:25:22 GMT

Hi,

ASA cluster with cross connects to vPC work great, but to VSS on 4500x not very well.

To remove cross connects and test I will not be able because I converted 4500X back to standalone.

I found a link where Cisco do not recommend using this switch for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing(https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-137822), so I will not convert them to VSS.

How can ASA Cluster (transparent mode) have links to both Core Switches Core-S3 and Core-S4?

How do you think the following configuration is a good one(file attached)?

ASA-Cluster

!
interface Port-channel2.124
vlan 124
nameif inside124
bridge-group 1
security-level 100
!
interface Port-channel1.324
vlan 324
nameif outside324
bridge-group 1
security-level 0
!
interface Port-channel5.524
vlan 524
nameif outside524
bridge-group 1
security-level 0
----------------------------------------------------
Core-S3
!
interface Port-channel3
switchport
switchport trunk allowed vlan 124
switchport mode trunk
switchport vlan mapping 324 124
!
---------------------------------------------------
Core-S4
!
interface Port-channel4
switchport
switchport trunk allowed vlan 124
switchport mode trunk
switchport vlan mapping 524 124

Thanks