Sameetha

I did a project for a customer in which we connected a pair of ASA to Nexus 5K where the N5K was trunking/tagging vlans in the connection to the ASA. In our case we were using port channel to enhance the redundancy of the connection between N5K and ASA and there was some configuration to support that. But as indicated in the previous response all you really need on the ASA is to configure the appropriate subinterfaces on the ASA with the vlan identification.

HTH

Rick

Hi Richard,

Thanks for responding to my post. To have a clarity of my question. Please go through the following scenario

We are having a pair of Nexus 5k connected to Firewalls(Active/Standy mode) . We had implemented the vpc on the port channels communicating with firewall and these port channels are on access mode over the vlan which is running HSRP between the nexus 5k devices. At the firewall end, we bundled up the ports connected to nexus 5k as a port channel.we had a static route with the next hop as the virtual IP of HSRP. On the other hand, on the nexus 5k switches we had a static route with the next hop as port-channel IP of the firewall. I am afraid that if we have any loops here, since both nexus 5k are active and active on hsrp for the data traffic. In this scenario we don't have any sub interfaces created at the firewall end.

So I am actually trying to find out if there is any difference if we had a trunk mode on the port-channels at nexus 5k devices. If we had trunk mode on the port channel at the nexus 5k switches, is it necessary to create the sub interface at the firewall end for it to understand the vlan tagged traffic coming from nexus switches

Thank you,

Sameetha

There is no difference when using vlan trunking between your ASA and Nexus5k.

vPC has built in mechanisms to prevent loops. In case you are not using the peer-gateway feature vPC will use the peer-link to forward the packet to the active hsrp neighbor. If you are using peer-gateway both switches will forward traffic for the vMAC.

vPC loop prevention mechanism will not allow traffic to pass the peer-link and be forwarded to a vPC member port therefore you will not have a loop

kind regards

Oliver

Thanks Oliver for responding to this discussion. Now that I got to know about the vPC peer-gateway feature

Regards,

Sameetha

Sameetha

Perhaps I am not clearly understanding what you are describing. For vpc on Nexus port channel, with HSRP address on the Nexus and the active ASA address of the port channel it would seem to support a single vlan. Is that your case? Is there a single vlan between the Nexus and the ASA? If so then vpc and port channel should prevent any loops.

If you need more than one vlan connecting the Nexus and the ASA then it would make sense to configure the port channel as a trunk. And if it is a trunk then it would need the ASA to configure subinterfaces for the port channel so that it would understand the tagged traffic. This is what my customer did and it works well.

HTH

Rick

Richard,

I apologize for making the question so complicated. Thanks for responding me.

We are using single vlan between Nexus switches and the ASA. 

From this I got another question here, 

If I have a static route on the firewall with the next hop as HSRP Virtual IP. What will be the traffic behavior? Since from the data plane perspective, HSRP is active on both the vpc peer devices (nexus 5k). To which Nexus 5k device is the data forwarded.

Note: We have a vpc port channel (from both the devices) on the access mode to the vlan running on the hsrp

Thank you.

Sameetha

Data will be forwarded from your active asa to both vpc peers. Traffic is forwarded based on 6-tupels (source or destination MAC addresses, IP addresses, TCP and UDP port numbers and vlan numbers.)

Thank you Oliver. 

Regards,

Sameetha