Solved: Firewall Connections to vPC Domain

dumlutimuralp · ‎11-30-2010

Hi all,

What is the best way to connect a Firewall cluster (Checkpoint FW cluster) to a vPC Domain ?

Current Topology is like as below. We are gonna replace Cat6Ks with N7Ks.

FW#1(Active) ----- keepalive for amongt FWs -------- FW#2 (Standby)

I I

I VLAN 100 HSRP on Cat6K Side I

I I

Cat6K#2 -------------------peer keepalive------------------------------Cat6K#2

--------------------- peer link-----------------------------------

I know my options are :

Connect the FWs to an edge switch which supports etherchannel and connects to vPC domain through that port channel.
Connect the FWs through two ports (LACP config) to both N7Ks.
Setup a seperate STP link between N7Ks, configure VLAN 100 on this link and then keep running HSRP on VLAN 100 on both N7ks on this non vPC VLAN.
Setup the links between N7Ks and FWs as routed links and run a dynamic routing protocol in between.

Thanks in advance.

Dumlu

Chad Peterson · ‎01-19-2011

Hi Dumlu

Option two will work. Overall most setups should work, but you need to be careful with your routing. We don't support dynamic routing protocols over vPC because this can lead to dropping traffic due to crossing vPC Peer-Link.

If you use static routing you can point your firewalls to the HSRP address that the Nexus would use on that VLAN. Because each Nexus will route packets sent to the HSRP mac, even if they are HSRP Standby, you won't get into a situation where you will cross the peer-link unnecessarily.

Hope that helps

Chad

View solution in original post

Roman Rodichev · ‎11-30-2010

What hardware are you running Checkpoint on? SPLAT, Nokia, Crossbeam? I don't believe SPLAT supports ether channels, I know that Crossbeam does. Check if your hardware can do ether-channels. If does, then go with your option 2. If not, go with option 3.

dumlutimuralp · ‎11-30-2010

Hi Roman,

Hardware is Dell servers I guess. I am gonna double check the LACP possibility. So I might got with option 2.

However Id like to keep static routing on this scenario. I dont think it would cause any harms if I enable "peer-gateway" feature. Do you ?

Thanks in advance.

Chad Peterson · ‎01-19-2011

Hi Dumlu

Option two will work. Overall most setups should work, but you need to be careful with your routing. We don't support dynamic routing protocols over vPC because this can lead to dropping traffic due to crossing vPC Peer-Link.

If you use static routing you can point your firewalls to the HSRP address that the Nexus would use on that VLAN. Because each Nexus will route packets sent to the HSRP mac, even if they are HSRP Standby, you won't get into a situation where you will cross the peer-link unnecessarily.

Hope that helps

Chad

dumlutimuralp · ‎01-19-2011

Hi,

Thanks a lot for your reply. I have gone through couple of recent Networkers presos and noticed the same recommendations that youve stated Chad.

I was wondering why in the hell that that I would use static routing

Thanks.

Dumlu

Chad Peterson · ‎01-19-2011

Yes, its not often you'd be advised to do static routing This is a pretty common scenario that I have seen many times with multiple customers. Most can get away with doing static routing. I've encountered a few situations where we must use EIGRP or OSPF due to complex routing table. In those we ended up running another link (or 2) between the Nexus 7000s to form our routing adj.

peter.cheng · ‎02-19-2011

Hello all,

How about the option 1?

Our scenario is as below:

DMZ switch ----- PC

| |

FW FW (Checkpoint with VRRP connecting to N7k using VLAN 16)

| |

L2 Switch

| | | |

N7k-1 ---- N7k-2 (Peer Link Between N7k)

| | | |

Inside switch ---- Server (VLAN16)

When user ping from DMZ switch PC to Server in the Inside switch, the packet loss and long response time happen intermittently.

But when we ping from Inside switch with another VLAN (VLAN12) to the server, it's okay. VLAN12 and VLAN16's gateway are on N7k with HSRP.

So N7k's inter-vlan routing seems to be okay, but through FW has problem.

L2 switch and Inside switch connect to N7k with vPC. ALL the PC/Server are in VLAN 16 and their default gateway is to N7k.

When user ping from inside to DMZ we can see a icmp redirect message, and I don't know whether it could be the problem to cause the intermittent packet loss?

Thanks.

Peter

alanjbrown · ‎07-06-2011

Chad,

We currently have two ASAs and two Nexus 7010. One ASA connects to one Nexus and the second ASA to the second Nexus. We run OSPF across this environment and we can see that the primary ASA has formed a neighbour OSPF peer with the second ASA across the peer link. This has been working fine with no issue until we rebooted the Nexus and we started dropping after the Nexus had restored. Adding a static route to the HSRP address resolved the issue.

We are now looking to remove OSPF.

Can you please provide a better explaination of, "We don't support dynamic routing protocols over vPC because this can lead to dropping traffic due to crossing vPC Peer-Link" ?

Why don't you allow traffic?

When will it drop?

What will it drop?

thanks,

Alan