To make it work seamlessly the ASA physical interface would need to be bonded into a portchannel.

On the Nexus side, you would need to have a corresponding vPC configured so that they look like one logical device to the ASA portchannel.

Thanks for your help!

My understanding is that by using vPC, I could configure the ASA FW as follows:

- interface Gig0/1 and Gig0/2 are placed into a PortChannel

- the PortChannel is configured for multiple "PortChannel subinterfaces", with each subinterface allocated to a specific VLAN. Those VLANs are then carried across to the Nexus switches via a dot1Q trunk, and become available to the servers that are directly connected to the Nexus switches.

Does that design sound accurate?

If, by chance, I choose to utilize different switches (non-Nexus ones), that do not support vPC, is my only option to configure the ASA firewall with a redundant interface pair? Would I then have to configure "redundant sub-interfaces" to allocate each subinterface to a specific VLAN? The only downside I see to this alternate design is that my physical interfaces would not both be utilized simultaneously, whereas with vPC, both interfaces are up and passing traffic. Does this sound correct?

Thank you Marvin!

Just to close off on this topic; if using a single ASA, with no vPC or VSS support on the access layer switches, I could only configure one PortChannel going to each switch, correct (and I would NOT be able to span the PortChannel interface members across switches)?

In this situation, my design would allow a redundant interface pair consisting of Gig0/1 and Gig0/2. Each of those interfaces would go to a physically distinct access layer switch. I believe I can then configure my "redundant interface pair" as a dot1q trunk, and further create redundant subinterfaces that would each be allocated to a specific VLAN.

Is the above accurate?

You are correct in that all VLANs/subnets will go to the inside only.

Regards,

jdesaul