Solved: Re: Firepower to VPC with ospf

vivarock12 · ‎02-22-2021

Hello,

have anyone had a problem with a portchannel vpc from to nexus connecting to asa Firepower?

i can ping between the 3 device but im not able establish an ospf adj between the Firepower and the nexus.

NX1 --VPC--NX2

| |

| portchannel |

---------------

|

Firepower

any idea what happening?

if anyone need the config from both sides: it the same on both nexus and remember form the active FP one cable to each nexus and the same form the stand by,

In the nexus config both cable that connect with the active FP go in one Port-channel(po100)

and both cble that goes to the standby goes in other Port-channel(po101).

!

Vlan 2000

Name INSIDE_FW

!

Vlan 2001

Name OUTSIDE_FW

!

Interface VLAN 2000

Description INSIDE_FW

VRF member PRO

IP address 172.18.100.5/29

Ip router ospf PRO area 0

!

Interface VLAN 2001

Description OUTSIDE_FW

VRF member CORE

IP address 172.18.100.13/29

Ip router ospf PRO area 0

!

router ospf PRO

vrf PRO

vrf CORE

!

Int eth1/15

Descript FP-ACTIVE

Switchport

Switchport mode trunk

Switchport trunk allowed vlan 2000,2001

Channel-group 2000 mode active

!

Int eth1/16

Descript FP-STANDBY

Switchport

Switchport mode trunk

Switchport trunk allowed vlan 2000,2001

Channel-group 2001 mode active

!

Interface po 2000

Descript FP-ACTIVE

Switchport

Switchport mode trunk

Switchport trunk allowed vlan 2000,2001

Descrip Interconexion_Firewall-Active

Vpc 2000

¡

Interface po 2001

Descript FP-STANDBY

Switchport

Switchport mode trunk

Switchport trunk allowed vlan 2000,2001

Descrip Interconexion_Firewall-Standby

Vpc 2001

!

vrf context PRO

!

vrf context CORE

!

On the FP they are on HA:

!

Fp2110 /eth-uplink/fabric* # create port-channel XX

Fp2110 /eth-uplink/fabric/port-channel* # create member-port Ethernet1/1

Fp2110 /eth-uplink/fabric/port-channel/member-port* # exit

Fp2110 /eth-uplink/fabric/port-channel* # create member-port Ethernet1/2

Fp2110 /eth-uplink/fabric/port-channel/member-port* # exit

Fp2110 /eth-uplink/fabric/port-channel* # commit-buffer

!

Then create to sub interfaces on the Firepower that match with the Vlans, assing them ip address.

then with the basic OSPF configuration it should come up.

Saludos,

Gerardo Andree Mejia Garcia.

balaji.bandi · ‎02-22-2021

Look at the vPC and OSPF best pratcice guide :

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

Personally - i deploy each FW go to respected Parent switch is best approach - personal implementation and best results)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

vivarock12 · ‎02-22-2021

@balaji.bandifrom i have found this is the recomended scenario for this type of conections:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215351-configure-verify-and-troubleshoot-port.html

View solution in original post

balaji.bandi · ‎02-22-2021

Look at the vPC and OSPF best pratcice guide :

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

Personally - i deploy each FW go to respected Parent switch is best approach - personal implementation and best results)

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

vivarock12 · ‎02-22-2021

@balaji.bandifrom i have found this is the recomended scenario for this type of conections:

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/215351-configure-verify-and-troubleshoot-port.html

vivarock12 · ‎02-22-2021

Buen dia,

Your going to laugh but the problem was that on the interface vlan doing de L3\ospf i put:

router ospf 1 area 0

and i created a proces for that call PRO

router ospf PRO

VRF CORE

VRF PRO

So i change the configuration and the interface vlan and it came up jajajaja thanks for the help.

@balaji.bandiill give a solution for the help and for the best practice idea.

Salufos,

Gerardo Mejia