Solved: Nexus with BGP and ASA

ALIAOF_ · ‎08-10-2018

So based on the following:

https://community.cisco.com/t5/switching/issue-with-routing-over-nexus-7000-vpc-peerlink/td-p/1827500

https://adamraffe.com/2013/03/08/l3-over-vpc-nexus-7000-vs-5000/

http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

my understanding is that Cisco best practice is to not run BGP or any other routing protocol between ASA's and 7K's if they are single attached and if there is a need to run then there should be a separate non VPC link.

Reasoning behind is because both firewall will form an adjacency with the 7K's and then some traffic will end up over the peer link which will drop it because of the VPC rule that if no links are down peer link will drop traffic from the peer.

My second question on this scenario is that wouldn't both of the ASA's advertise routes and respond to the ARP even though one of them is in standby?

cassiolange · ‎08-12-2018

Hello

No problem. N7K have same features.

Peer Gateway was introduced in version 4.2(1).

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/interfaces/config/cisco_nexus7000_interfaces_config_guide_8x/config-vpcs.html#concept_968F09BCD0664C358DC692CC04B12484

Layer 3 over vPC requires F2E, F3 or M3 modules.

This section describes the Layer 3 over vPC for F2E, F3 and M3 Modules feature and how to configure it. Starting from Cisco NX-OS Release 7.2(0)D1(1), Layer 3 over vPC is available on F2E and F3 Series modules. Starting from Cisco NX-OS Release 8.1(1), Layer 3 over vPC is available on M3 Series modules for IPv4 unicast traffic only. Starting from Cisco NX-OS Release 8.2(1), Layer 3 over vPC is available on M3 Series modules for IPv6 unicast traffic

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/interfaces/config/cisco_nexus7000_interfaces_config_guide_8x/config-vpcs.html#concept_F862A25175DE4C738065F0EDA6F5D8C0

Regards,

View solution in original post

cassiolange · ‎08-12-2018

Hello,

You can configure the Cisco Nexus to do this, but you should enable two features under vPC domain.

Peer-gateway - You can configure vPC peer devices to act as the gateway even for packets that are destined to the vPC peer device’s MAC address.

Layer3 peer-router - Do not decrement the TTL when routing unicast packets across the peer-link.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/9-x/interfaces/configuration/guide/b_cisco_nexus_9000_series_nx-os_interfaces_configuration_guide_9x/b_cisco_nexus_9000_series_nx-os_interfaces_configuration_guide_9x_chapter_0100...

Regards,

ALIAOF_ · ‎08-12-2018

Thank you it shows that it is for Nexus 9K though I have 7K I'm working with.

cassiolange · ‎08-12-2018

Hello

No problem. N7K have same features.

Peer Gateway was introduced in version 4.2(1).

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/interfaces/config/cisco_nexus7000_interfaces_config_guide_8x/config-vpcs.html#concept_968F09BCD0664C358DC692CC04B12484

Layer 3 over vPC requires F2E, F3 or M3 modules.

This section describes the Layer 3 over vPC for F2E, F3 and M3 Modules feature and how to configure it. Starting from Cisco NX-OS Release 7.2(0)D1(1), Layer 3 over vPC is available on F2E and F3 Series modules. Starting from Cisco NX-OS Release 8.1(1), Layer 3 over vPC is available on M3 Series modules for IPv4 unicast traffic only. Starting from Cisco NX-OS Release 8.2(1), Layer 3 over vPC is available on M3 Series modules for IPv6 unicast traffic

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus7000/sw/interfaces/config/cisco_nexus7000_interfaces_config_guide_8x/config-vpcs.html#concept_F862A25175DE4C738065F0EDA6F5D8C0

Regards,