02-14-2011 11:40 AM - edited 03-11-2019 12:50 PM
I am building an Extranet with 16 internal VLANs that need to be routed on my ASA5520 in a HA configuration. After the external and failover interfaces I have two interfaces remaining for my 16 VLANs. What I would like to know is what is the most efficient use of the two interfaces. Should I port-channel the two physical interfaces into a single interface, then create 16 sub-interfaces on my port-channel interface and route between the sub-interfaces? Should I keep the two interfaces separate and divide the VLANs between them? If I keep the interfaces separate, is it more efficient to try to route between subnets on different physical interfaces or on subnets in the same physical subnet?
Thanks
02-14-2011 03:27 PM
I assume that you are already running ASA version 8.4.1 for the etherchannel feature as it is only supported from this version onwards.
Secondly, I also assume that you would need separation as well as policies between all these extranet subnets, hence you are routing them through the ASA firewall. Would they actually have a need to communicate with each other, or are they independent of each other, with the ASA only providing them a gateway to the internet?
In my opinion, creating a port channel would be the easiest way to manage all the VLANs, as you don't have to divide the VLANs between the 2 physical interfaces and keep track of which physical interface you assigned each sub-interface/VLAN to. Keep in mind that port channel is a brand new feature.
Another option is to configure a redundant interface with the 2 physical interfaces that you have. However, you are only using 1 physical interface at a time, but it still gives you redundancy when the physical interface fails.
02-15-2011 07:09 AM
Yes, I will be running 8.4.1 on two ASA 5520 in an Active – Standby mode.
I am required to use the ASA by our security team for all routing on our Extranet so that all traffic is restricted by policy as required. Some of the VLANs are required to communicate with other VLANs on the ASA such as web application servers talking to backend databases on separate VLANs or all Windows member servers talking to the domain controllers in their VLAN.
02-15-2011 05:10 PM
Without knowing the rest of the components it is tough to say one way or the other.
Your design goal is high availability, but then you are trying to achieve the "highest routing efficiency". I assume what you mean is the most efficient interface utilization.
The choices will be largely affected by what underlying switching framework you have and what truly is more important to your business.
1) If you have a multi-chassis switch, or a switch stack, or a semi-multichassis like a Cisco VSS, you might indeed want to use port-channel across switches to each ASA. Most of these switches will be able to run port channel across the stack.
The things to be wary of are, in the case of a primary switch failure, that different switches (& vendors) take different times to learn, preempt and take over as master, run the config and then maintain port channel state and the rest of the system management functions before they can start forwarding. Some do a stateful fail with no port channel transitions. But some don't. If the secondary switch fails, it may be less of an issue.
If you go with this architecture, and if the master switch (based on the model and vendor) failure generates a portchannel failure event, you are forcing yourself into failing the firewall and letting the standby takeover. This may be bad. Several states will be lost, several types of flow entries will be lost etc...
But it is the most efficient use of your active interfaces (which is not always a good thing). And whether you want or should use the port channel depends on the switch.
2) If you have switches that cannot do multichassis port-channel, you should set up a redundant interface and make your two uplinks its members. The advantage is near-instant switchover and it is agnostic of which switch is primary/secondary. The disadvantage is that it's 50% efficient and only the active member will be used.
In case of a member failure, you may choose not to fail over the active unit, as the other standby is still available. Now if the active member had failed, there might be a temporary glitch for the underlying STP and re-ARPs to normalize, but within a few seconds you will be going (assuming there is fast convergence set up). And most applications will love you for that.
You can do redundant parent interface across a switch stack, multi chassis stack or independent switches.
3) If you have a single switch, use portchannel, since finally it is supported on your version and there are no other choices.
So while portchannel lets you push your interface utilization above 50% efficiency, it has several drawbacks, lack of 1:1 protection for your traffic for one.
What I would personally like to see from Cisco is a hierarchical interface redundancy over portchannels - so another level of abstraction. Without which you get 25% efficiency when you want to dual home to each chassis in a 2 multi-chassis situation in large scale installs.
The last time I checked this was not supported in the near future.
Finally, regarding your inside VLANs you should put them all under a parent redundant interface or port channel and I assume you have a separate outside interface. In either case you should have 1:1 failover capacity. From a forwarding speed standpoint there is no difference.
Sudeep
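To make the two options discussed in this thread concrete, here is an added configuration example; it is not from any of the posters above and not Cisco's own text. It shows the port-channel layout (option 1/3) and the redundant-interface layout (option 2), both with the extranet VLANs as sub-interfaces of the parent, and one inter-VLAN policy so the security model is visible. The member ports Gi0/2 and Gi0/3, VLAN IDs 10 and 20, the addresses, the `web`/`db` names and the SQL port 1433 are all assumptions; the active/standby failover configuration itself is assumed to already exist, which is what the `standby` addresses rely on. Syntax is ASA 8.4-style CLI as referenced by the thread.

```cisco
! ===== Option A: LACP port-channel as the parent for all extranet VLANs =====
! Member ports carry no L3 config; the sub-interfaces do. (assumed ports Gi0/2, Gi0/3)
interface GigabitEthernet0/2
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 description Extranet trunk to switch stack (no nameif: parent only)
 no nameif
 no security-level
 no ip address
!
! Each VLAN becomes its own named interface, so ACLs and security levels
! apply between VLANs exactly as they would between physical interfaces.
interface Port-channel1.10
 vlan 10
 nameif web
 security-level 50
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
!
interface Port-channel1.20
 vlan 20
 nameif db
 security-level 60
 ip address 10.10.20.1 255.255.255.0 standby 10.10.20.2
!
! ===== Option B: redundant interface (one active member, one standby) =====
! Use this parent instead of Port-channel1 when the switches cannot do a
! multi-chassis port-channel; the .10/.20 sub-interfaces are then defined
! under Redundant1 with the same vlan/nameif/ip lines shown above.
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 no nameif
 no security-level
 no ip address
!
! ===== Inter-VLAN policy (identical under either parent) =====
! Web tier may reach the database tier on the assumed SQL port only;
! everything else from the web VLAN is dropped and logged. Attach an
! explicit ACL to every nameif so no VLAN relies on the default
! higher-to-lower security-level behaviour.
access-list web_in extended permit tcp 10.10.10.0 255.255.255.0 10.10.20.0 255.255.255.0 eq 1433
access-list web_in extended deny ip any any log
access-group web_in in interface web
```

Whichever parent you pick, the policy section does not change: the ASA sees sixteen named interfaces either way, which is why the choice between port-channel and redundant interface is a resilience and utilization question rather than a policy one. If two sub-interfaces are given the same security level, traffic between them additionally needs `same-security-traffic permit inter-interface`; keeping the levels distinct and the ACLs explicit, as above, avoids depending on that.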