08-03-2017 10:52 AM - last edited on 03-25-2019 06:05 PM by ciscomoderator
Hello,
I was wondering if it would be possible to connect one Cisco ASA to two Nexus data center access layer switches as follows (also see the attached diagram).
Cisco ASA (Gig0/1) --- Nexus #1 (Gig0/1)
Cisco ASA (Gig0/2) --- Nexus #2 (Gig0/1)
There will be servers connected to the Nexus switches, and those switches will operate in layer 2 mode. The servers will point to the Cisco ASA for the default gateway.
The connections between the Cisco ASA firewall and the two Nexus switches would be configured as a dot1q trunk supporting multiple VLANs.
Is this a feasible design, given the fact that there is only one ASA firewall and two access switches? Or, do I need two Cisco ASAs to do this?
Thank you,
jdesaul
08-03-2017 05:13 PM
You can do that, but it's not clear what you are trying to achieve. You can create subinterfaces under the ASA physical interface and use them as the default gateway for your internal VLANs.
08-03-2017 07:03 PM
To make it work seamlessly the ASA physical interface would need to be bonded into a portchannel.
On the Nexus side, you would need to have a corresponding vPC configured so that they look like one logical device to the ASA portchannel.
08-04-2017 06:58 AM
Thanks for your help!
My understanding is that by using vPC, I could configure the ASA FW as follows:
- interface Gig0/1 and Gig0/2 are placed into a PortChannel
- the PortChannel is configured for multiple "PortChannel subinterfaces", with each subinterface allocated to a specific VLAN. Those VLANs are then carried across to the Nexus switches via a dot1Q trunk, and become available to the servers that are directly connected to the Nexus switches.
Does that design sound accurate?
If, by chance, I choose to utilize different switches (non-Nexus ones), that do not support vPC, is my only option to configure the ASA firewall with a redundant interface pair? Would I then have to configure "redundant sub-interfaces" to allocate each subinterface to a specific VLAN? The only downside I see to this alternate design is that my physical interfaces would not both be utilized simultaneously, whereas with vPC, both interfaces are up and passing traffic. Does this sound correct?
08-04-2017 08:28 AM
If the switches weren't Nexus with vPC setup, you can do something similar with 6500 or 4500 series in VSS pairs.
If it wasn't any of those then, yes, redundant interfaces would be the option given a single ASA. More common would be an ASA HA pair. You could do that with or without portchannel interfaces.
In any case, only with portchannels on the ASA(s) do you get use of the multiple interfaces assuming all VLANs / subnets go into the inside only (e.g. if you don't segregate the traffic into zones going to multiple ASA physical interfaces).
08-04-2017 09:08 AM
Thank you Marvin!
Just to close off on this topic; if using a single ASA, with no vPC or VSS support on the access layer switches, I could only configure one PortChannel going to each switch, correct (and I would NOT be able to span the PortChannel interface members across switches)?
In this situation, my design would allow a redundant interface pair consisting of Gig0/1 and Gig0/2. Each of those interfaces would go to a physically distinct access layer switch. I believe I can then configure my "redundant interface pair" as a dot1q trunk, and further create redundant subinterfaces that would each be allocated to a specific VLAN.
Is the above accurate?
You are correct in that all VLANs/subnets will go to the inside only.
Regards,
jdesaul
08-04-2017 09:12 AM
You're welcome.
Yes - everything in your latest post is correctly stated.
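The two designs agreed on in this thread, written out as an added configuration example (not posted by anyone in the thread): design 1 is the ASA LACP port-channel with per-VLAN subinterfaces facing a Nexus vPC, design 2 is the redundant interface pair for access switches without vPC/VSS. VLAN numbers, addresses, nameif values, the Nexus port names (Ethernet1/1 rather than the Gig0/1 in the question) and the peer-keepalive addresses are assumptions; the vPC peer-link is not shown. Giving each server VLAN its own subinterface with a distinct security-level is what makes the ASA, as the servers' default gateway, the inspection point for traffic between server VLANs.

```cisco
! ASA, design 1 (Nexus with vPC): LACP port-channel, both members forwarding.
! Gi0/1 and Gi0/2 can be members of EITHER the port-channel OR the
! redundant interface below, not both; pick one design.
interface GigabitEthernet0/1
 channel-group 1 mode active
!
interface GigabitEthernet0/2
 channel-group 1 mode active
!
interface Port-channel1
 no nameif
 no security-level
 no ip address
!
! One dot1q subinterface per server VLAN; the ASA is the VLAN's gateway.
interface Port-channel1.10
 vlan 10
 nameif servers-web
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
! ASA, design 2 (no vPC/VSS on the switches): redundant pair, one member
! active at a time, subinterfaces carried on the Redundant interface.
interface Redundant1
 member-interface GigabitEthernet0/1
 member-interface GigabitEthernet0/2
 no nameif
!
interface Redundant1.10
 vlan 10
 nameif servers-web
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
! Nexus #1 for design 1; Nexus #2 mirrors this with the keepalive
! addresses swapped. Both switches use "vpc 1" so the ASA sees one LACP peer.
feature lacp
feature vpc
vpc domain 10
 peer-keepalive destination 192.168.255.2 source 192.168.255.1
!
interface port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10
 vpc 1
!
interface Ethernet1/1
 switchport mode trunk
 switchport trunk allowed vlan 10
 channel-group 1 mode active
```

On the ASA, `show port-channel summary` (design 1) or `show interface Redundant1` (design 2) confirms which members are bundled or active after a link failure.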