11-30-2010 07:27 AM - edited 03-01-2019 06:53 AM
Hi all,
What is the best way to connect a firewall cluster (Checkpoint FW cluster) to a vPC domain?
Current topology is as below. We are gonna replace the Cat6Ks with N7Ks.
FW#1 (Active) -------- keepalive between FWs -------- FW#2 (Standby)
  |                                                        |
  |                                                        |
  |             VLAN 100, HSRP on Cat6K side               |
  |                                                        |
Cat6K#2 -------------- peer keepalive ---------------- Cat6K#2
        -------------- peer link ---------------------
I know my options are:
Thanks in advance.
Dumlu
11-30-2010 11:23 PM
What hardware are you running Checkpoint on? SPLAT, Nokia, Crossbeam? I don't believe SPLAT supports EtherChannels; I know that Crossbeam does. Check if your hardware can do EtherChannels. If it does, then go with your option 2. If not, go with option 3.
11-30-2010 11:59 PM
Hi Roman,
Hardware is Dell servers, I guess. I am gonna double-check the LACP possibility. So I might go with option 2.
However, I'd like to keep static routing in this scenario. I don't think it would cause any harm if I enable the "peer-gateway" feature. Do you?
Thanks in advance.
01-19-2011 12:40 PM
Hi Dumlu
Option two will work. Overall, most setups should work, but you need to be careful with your routing. We don't support dynamic routing protocols over vPC because this can lead to dropping traffic due to crossing the vPC peer-link.
If you use static routing, you can point your firewalls to the HSRP address that the Nexus would use on that VLAN. Because each Nexus will route packets sent to the HSRP MAC, even if it is HSRP standby, you won't get into a situation where you cross the peer-link unnecessarily.
Hope that helps
Chad
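To make Chad's recommendation (static routes toward the HSRP VIP, firewall attached as a vPC) and Dumlu's peer-gateway question concrete, here is an added NX-OS configuration sketch for one Nexus peer; it is not from the original thread, and all addresses, VLAN 100 membership, port-channel numbers and the firewall cluster VIP 10.100.0.254 are constructed assumptions.

```text
! N7K-1 (constructed example; N7K-2 mirrors it with 10.100.0.3/24, HSRP priority 100,
! and the peer-keepalive source/destination swapped)
feature vpc
feature hsrp
feature lacp

vpc domain 10
  role priority 100
  ! keepalive runs out-of-band in the management VRF, never over the peer-link
  peer-keepalive destination 192.168.255.2 source 192.168.255.1 vrf management
  ! peer-gateway: this peer also forwards frames addressed to the other peer's
  ! SVI MAC locally, so a firewall that replies to the physical router MAC
  ! instead of the HSRP MAC does not force traffic across the peer-link
  peer-gateway

interface port-channel 1
  description vPC peer-link to N7K-2
  switchport mode trunk
  vpc peer-link

interface port-channel 20
  description vPC toward FW#1 (firewall side bundles its two uplinks with LACP, option 2)
  switchport mode access
  switchport access vlan 100
  vpc 20

interface Vlan100
  no shutdown
  ip address 10.100.0.2/24
  hsrp 100
    preempt
    priority 110
    ip 10.100.0.1

! Static route toward the firewall cluster VIP instead of an OSPF/EIGRP peering
! with the firewalls, matching the "no dynamic routing over vPC" guidance above.
ip route 0.0.0.0/0 10.100.0.254
```

On the firewall side, the static next-hop toward the inside network should be the HSRP VIP 10.100.0.1, not either Nexus's own SVI address, so whichever peer receives the frame routes it locally. Check the result with `show vpc` (peer-gateway shows as enabled in the domain summary) and `show hsrp brief` on both peers.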
01-19-2011 01:12 PM
Hi,
Thanks a lot for your reply. I have gone through a couple of recent Networkers presos and noticed the same recommendations that you've stated, Chad.
I was wondering why in the hell I would use static routing.
Thanks.
Dumlu
01-19-2011 01:16 PM
Yes, it's not often you'd be advised to do static routing. This is a pretty common scenario that I have seen many times with multiple customers. Most can get away with doing static routing. I've encountered a few situations where we must use EIGRP or OSPF due to a complex routing table. In those, we ended up running another link (or 2) between the Nexus 7000s to form our routing adjacency.
02-19-2011 05:03 PM
Hello all,
How about the option 1?
Our scenario is as below:
DMZ switch ----- PC
    |  |
    |  |
    |  |
   FW  FW      (Checkpoint with VRRP connecting to N7k using VLAN 16)
    |  |
   L2 Switch
   | |  | |
N7k-1 ---- N7k-2   (Peer Link between the N7ks)
   | |  | |
   | |  | |
Inside switch ---- Server (VLAN16)
When a user pings from the DMZ switch PC to the server on the inside switch, packet loss and long response times happen intermittently.
But when we ping from the inside switch with another VLAN (VLAN12) to the server, it's okay. VLAN12's and VLAN16's gateways are on the N7k with HSRP.
So the N7k's inter-VLAN routing seems to be okay, but going through the FW has a problem.
The L2 switch and the inside switch connect to the N7k with vPC. All the PCs/servers are in VLAN 16 and their default gateway is the N7k.
When a user pings from inside to the DMZ we can see an ICMP redirect message, and I don't know whether it could be the cause of the intermittent packet loss?
Thanks.
Peter
07-06-2011 12:49 AM
Chad,
We currently have two ASAs and two Nexus 7010s. One ASA connects to one Nexus and the second ASA to the second Nexus. We run OSPF across this environment and we can see that the primary ASA has formed an OSPF neighbour peering with the second ASA across the peer link. This had been working fine with no issue until we rebooted a Nexus, and we started dropping traffic after the Nexus had been restored. Adding a static route to the HSRP address resolved the issue.
We are now looking to remove OSPF.
Can you please provide a better explanation of "We don't support dynamic routing protocols over vPC because this can lead to dropping traffic due to crossing vPC Peer-Link"?
Why don't you allow traffic?
When will it drop?
What will it drop?
thanks,
Alan