Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
894
Views
5
Helpful
2
Replies

Layer 3 gateway for a VPC VLAN on a separate device

Ashley Hare
Level 1
Level 1

‎01-10-2020 04:09 AM - edited ‎01-10-2020 06:30 AM

Hi there,

 

I have a query around a supported VPC design using Nexus 77xx. I've struggled to find any documentation specific to this particular scenario.

 

I have a client who has a requirement to create a DMZ network (layer 2 separation) through a Nexus 7700 pair, with layer 3 routing carried out using a separate firewall appliance. 


A host on one of these VLANs requires resilient connectivity, using bundled links with LACP. The intention would be to cross-patch these links across separate FEX, with separate parent chassis using VPC.

 

Connectivity to the upstream firewall (active/standby) would be via a layer 2 port-channels (non-VPC) directly between the core switches and the firewall appliances. These port-channels would trunk the VLAN of the DMZ network, as well as other (transit) networks where the devices peer using EIGRP. The transit/peering VLANs for all other traffic are non-VPC.

 

Layer 3 routing for the DMZ network would be carried out by these firewalls to allow segregation, with no layer 3 configuration present on the Nexus core switches.

 

The VLAN would be trunked across the VPC port-channel between the two Nexus core switches.

 

I've thrown together the below diagram to try and show the intended setup.

vpc-setup.PNG

Is this a supported design?


Are there any considerations regarding failover for this solution?

 

I hope the above description and diagram is reasonably clear, but please let me know if you need further information.

 

0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎01-12-2020 05:40 AM

I do not see any issue in terms of design, Layer 2 handover to FW, FW configured correctly with HA with Floated IP, you should be good..

 

why do you think you have an issue here?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Ashley Hare
Level 1
Level 1
In response to balaji.bandi

‎01-12-2020 12:20 PM - edited ‎01-12-2020 12:20 PM

Hi there,

 

I don't believe there's an issue, I'm just looking for reassurance in the absence of any validated designs.

 

Thanks for your feedback.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents