ASA Design ASA Connecting to two Switches...

charming904
Level 1

Hi Guys

First of all, excuse me for my bad drawing. I need some help with ASA design.

I have two Cisco ASA 5585s which are connecting to two Nexus 7Ks.

I looked at one design and it seems I can make redundant interfaces on the ASA and put two physical interfaces (Link 1-1/1-2) into it; however, the downside I can see is that it will utilize one link out of 4 at a time. As per my understanding, if I make a redundant interface on ASA 1 and put 1-1/1-2 into it, only one link would be active at a time. This will force Nexus 2 to send all traffic to Nexus 1 in order to reach the ASA.

Ideally I want a solution where both switches could send traffic straight to the active firewall and, in case of failure, both links to the standby firewall.

Diagram attached.

8 Replies

mirober2
Cisco Employee

Hi Charm,

Is there a reason you don't want traffic from Nexus 2 to go through Nexus 1 to get to the ASA? Besides redundant interfaces, the only other solution would be to set up the Nexus switches as a VSS pair and then configure a port-channel between the two switches in the VSS. Unlike redundant interfaces, traffic is load balanced across multiple physical links in a port-channel. The ASA configuration guide has an example of this:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1336269

-Mike

Mohamed Sobair
Level 7

Hi,

Nexus switches don't have the concept of VSS, unlike the Cisco Catalyst 6500 Series. They have the concept of Virtual Port Channel. So the design and implementation would be slightly different here.

Amazing, now Cisco introduces the EtherChannel port-channel interface feature on Cisco ASA version 8.4. If you are running code 8.4 on your ASA, you can do the following according to your requirement:

1- Have the Nexus 7K peers via vPC EtherChannel between themselves via the peer link; this allows both Nexus to act as one logical device to the ASAs.

2- Have the active ASA peer with both Nexus 1 and Nexus 2 via 802.3ad EtherChannel. (Make sure you configure the ports of the Nexus switches connecting to the active ASA as members of the same vPC domain.)

3- Have the secondary ASA peer with both Nexus 1 and Nexus 2 via 802.3ad EtherChannel. (Make sure you configure the ports of both Nexus switches connecting to the standby ASA as members of the same vPC domain; this vPC domain is different from the one above.)

With this setup, you have fully redundant paths and you benefit from the speed of convergence.

You can also have an Active/Active ASA setup at any time and both links will be forwarding.

Note:

If you are not running version 8.4, then there is another approach of doing it.

Regards,

Mohamed
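The three steps above, written out as configuration. This is an added example, not configuration posted in the thread; the interface names (Ethernet1/1-4 on the Nexus, GigabitEthernet0/2-3 and 0/7 on the ASA), VLAN 100, the 10.1.1.0/24 and 192.168.x.x addresses, and the vPC domain/vPC numbers are all assumptions. It puts both ASAs on one vPC domain (100) as two separate vPCs (10 and 20), one member port on each N7K per vPC, and pairs the ASAs as Active/Standby failover.

```cisco
! --- Added example, not from the thread. Interface names, VLAN 100, the
! --- addresses and the vPC domain/vPC numbers are assumptions.

! ===== Nexus 7K-1 (N7K-2 is identical except keepalive source/destination) =====
feature lacp
feature vpc

! step 1: one vPC domain so both N7Ks look like a single LACP peer to each ASA
vpc domain 100
  peer-keepalive destination 192.168.0.2 source 192.168.0.1

! vPC peer-link between the two N7Ks
interface Ethernet1/1-2
  channel-group 1 mode active
  no shutdown
interface port-channel1
  switchport mode trunk
  vpc peer-link

! step 2: vPC 10 -> ASA-1 (Eth1/3 on N7K-1 and Eth1/3 on N7K-2; "vpc 10" must match on both)
interface Ethernet1/3
  channel-group 10 mode active
  no shutdown
interface port-channel10
  switchport mode access
  switchport access vlan 100
  vpc 10

! step 3: vPC 20 -> ASA-2, same vPC domain, different vPC number
interface Ethernet1/4
  channel-group 20 mode active
  no shutdown
interface port-channel20
  switchport mode access
  switchport access vlan 100
  vpc 20

! ===== ASA-1 (primary); failover replicates this to ASA-2 =====
! one member to each N7K, bundled by LACP into Port-channel1
interface GigabitEthernet0/2
  channel-group 1 mode active
  no shutdown
interface GigabitEthernet0/3
  channel-group 1 mode active
  no shutdown
interface Port-channel1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2

! Active/Standby failover over a dedicated link (the 8.4 EtherChannel feature
! works with Active/Standby; Active/Active would need multiple context mode)
failover lan unit primary
failover lan interface folink GigabitEthernet0/7
failover interface ip folink 192.168.255.1 255.255.255.252 standby 192.168.255.2
failover link folink GigabitEthernet0/7
failover
```

To check it, `show vpc` on either N7K should list vPC 10 and vPC 20 as up with consistency "success", and `show port-channel summary` on the ASA should show both members of Port-channel1 bundled; `show failover` shows which unit currently owns the 10.1.1.1 address.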

Thanks for your reply Mohamed

I cannot have Active/Active as I am terminating several VPNs on it. With regards to vPC, can I make it Layer 3 on the ASA side? Like, if I need to configure the ASA as the default gateway on the Nexus switches, what would be the next-hop IP address I'll configure on both Nexus?

Hi, Mohamed!

Thank you for your answer.

I have nearly the same situation: Act/Stb ASA in transparent mode, two Nexus 7Ks with vPC. And let's imagine such a situation:

- Both ASAs are working well, the first is Active, the second is Standby

- Both vPC ports on the N7K (POX to ASA 1 and POY to ASA 2) are in UP/UP state.

- The whole MAC table on the N7K is learned through POX from ASA 1.

Then I try to do a switchover on the ASA devices. So while the MAC aging time has not expired on the N7K, both N7Ks will send L2 frames to ASA 1, which will be Standby at that time. After re-learning of the MAC table on the N7K through ASA 2, which will be Active at that time, the network will be converged. Right?

Is there any way to avoid it?

Have a nice day.

----

Sergiy


As I looked at the design, I feel that Charm is trying to set up a dynamic routing protocol for the L3 part (which is the upper side of the Nexus switches as the aggregation layer). So both ASAs and the Nexus switches need to establish adjacencies, but there is a problem here: if you put the links between the ASAs and the Nexus switches in a vPC EtherChannel using LACP, there will be a black hole because, as Fashour said above, some of the traffic may traverse the peer-link with the loop prevention flag set, and it is blocked by the neighboring peer at the time of receiving (and having any intention to send it over another vPC member port). But what is the solution? In case you want to follow setting up a vPC port-channel between the Nexus devices and the ASAs, try to build an inter-switch link (with a non-vPC VLAN) for the dynamic routing protocol neighborship over it.
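What the inter-switch link with a non-vPC VLAN looks like in configuration. This is an added example, not configuration from the thread; the port (Ethernet1/10), VLAN 999, the 10.99.99.0/30 addressing and the OSPF process/area are assumptions, and the vPC peer-link is assumed to be port-channel1. The point it shows is that the peering VLAN must be excluded from the peer-link, otherwise it is still a vPC VLAN and the routing traffic is subject to the peer-link loop-prevention rule described above.

```cisco
! --- Added example, not from the thread. Port, VLAN 999, the /30 and the
! --- OSPF process/area are assumptions.

! ===== Nexus 7K-1 (N7K-2 mirrors this with 10.99.99.2/30 and its own router-id) =====
feature ospf
feature interface-vlan

vlan 999
  name RP-PEERING

! keep the peering VLAN OFF the vPC peer-link so it is a non-vPC VLAN
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan except 999
  vpc peer-link

! dedicated inter-switch link (NOT a vPC member) carrying only VLAN 999
interface Ethernet1/10
  switchport mode trunk
  switchport trunk allowed vlan 999
  no shutdown

! routing adjacency between the two N7Ks forms over this SVI, not over the peer-link
interface Vlan999
  ip address 10.99.99.1/30
  ip router ospf 1 area 0
  no shutdown

router ospf 1
  router-id 10.99.99.1
```

`show vpc` on the N7K lists the VLANs carried on the peer-link; VLAN 999 should not be among them. `show ip ospf neighbors` should then show the other N7K reachable via Vlan999.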

Hi Mohamed,

I am a bit confused about point 3: "Make sure you configure the ports of both Nexus switches connecting to the Standby ASA as member of the same vPC domain, this vPC domain is different than the above one."

Shouldn't both ASAs be connected to the same vPC domain? Meaning, if NX9k_01 and NX9k_02 are peers of the same domain (vPC Domain 100), ASA_Active will be connected to NX9K_01 and NX9K_02 (vPC Domain 100) via a port channel, let's say Po10, and ASA_Standby will be connected to NX9K_01 and NX9K_02 (vPC Domain 100) via a port channel, let's say Po20. Thus, both ASAs will be connected to the same vPC Domain and not two different vPC domains? Isn't that what you meant?

Thanks in advance,

~zK

Page 102

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

Mohamed Sobair
Level 7

Hi Charm,

The default gateway on both Nexus would be the active ASA's interface IP. You can have EtherChannel, as I said, from both ASAs to the Nexus switches and an SVI interface on the Nexus switches pointing to the ASA active interface IP.

Regards,

Mohamed
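The Layer 3 side of that answer, as an added example that is not configuration from the thread. It assumes the ASA "inside" interface is Port-channel1 with 10.1.1.1 as the active address and 10.1.1.2 as the standby address, VLAN 100 as the ASA-facing VLAN, HSRP group 100 for the hosts behind the Nexus pair, and 10.0.0.0/8 as the inside summary; all of these are assumptions. The next hop on both N7Ks is the ASA's active address, which stays with whichever unit is currently active, so the static route does not change on failover.

```cisco
! --- Added example, not from the thread. VLAN 100, HSRP group 100, the
! --- addresses and the 10.0.0.0/8 inside summary are assumptions.

! ===== ASA (primary unit; replicated to the secondary by failover) =====
interface Port-channel1
  nameif inside
  security-level 100
  ip address 10.1.1.1 255.255.255.0 standby 10.1.1.2
! return path to the inside subnets goes to the N7K HSRP virtual address
route inside 10.0.0.0 255.0.0.0 10.1.1.10

! ===== Nexus 7K-1 =====
feature interface-vlan
feature hsrp
interface Vlan100
  ip address 10.1.1.11/24
  hsrp 100
    priority 110
    ip 10.1.1.10
  no shutdown
! next hop is the ACTIVE ASA address (10.1.1.1), never the standby address
ip route 0.0.0.0/0 10.1.1.1

! ===== Nexus 7K-2 =====
feature interface-vlan
feature hsrp
interface Vlan100
  ip address 10.1.1.12/24
  hsrp 100
    ip 10.1.1.10
  no shutdown
ip route 0.0.0.0/0 10.1.1.1
```

After a failover, `show failover` on the ASAs shows the secondary as active with 10.1.1.1 still assigned to the active unit; `show ip route` on either N7K is unchanged, and `show ip arp 10.1.1.1` should now resolve to the MAC the ASA carries over with the active role.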

fashour
Level 1

The problem with the vPC design is if you are using a dynamic routing protocol. This is not supported and some routing packets will be dropped on the vPC peer link.
