Two Nexus switches in vPC and Active/Passive firewall cluster

Hello Everyone,

I need some guidance on the below design.

There are two Nexus 9508 switches and two Fortinet firewalls. I am running vPC on the Nexus 9508 switches, and the firewalls need to be connected northbound in a full-mesh topology, i.e. each Nexus switch should have a connection to each firewall.

These firewalls will be in active/standby mode, so the inside and outside interface IP addresses will be the same on the primary and secondary firewall. Once the active one goes down, the secondary will take over.

1. My confusion is whether I should use L2 links or L3 links between the Nexus switches and the firewalls for the full-mesh topology.
2. Should I run a dynamic routing protocol or static routing? OSPF will already be running between Nexus 1 and 2 over a dedicated non-vPC SVI link.
3. What I am thinking is to use L3 links and design it as below:
- Create VLAN 100 with a subnet: L3 SVI on NX-1 with an IP, and a firewall IP
- Create VLAN 200 with a subnet: L3 SVI on NX-2 with an IP, and a firewall IP
- Run OSPF on VLANs 100 and 200 between the Nexus switches and the firewall.
- Redistribute the static default route into OSPF on the Fortinet firewall, pointing to either the internet or an external block.
- There will also be an OSPF neighborship between NX-1 and NX-2 over dedicated L3 SVI links on a non-vPC VLAN.

Ideally it looks fine, but I am afraid that when the passive firewall takes over there may or may not be stateful routing table replication.
Will it rebuild the OSPF neighborship, or will there be any delay?

Suggestions in the above regard will be highly appreciated, and if the above design is not good then please suggest modifications.



3 Replies

Any updates from experts in the above regard?



I need to build an identical topology. According to some Cisco support sources, the proper way is 4x L3 p2p links between the FWs and the Nexus switches, no SVIs.

In your position, however, I would check the HSRP/static routing solution. This means L3 LACP from each FW, split to each Nexus (to L2 ports). On the Nexus side you would vPC 1 port per switch on the same VLAN to the first FW, and another pair on a different VLAN (edit: different vPC) to the second FW. The Nexus would statically target the cluster VIP. The cluster could target the Nexus HSRP. Example:

vlan 10: /29
FW cluster IP: .4
FW00: .5
FW01: .6

Nexus A:
p1: vpc 1, vlan 10
p2: vpc 2, vlan 10

Nexus B:
p1: vpc 1, vlan 10
p2: vpc 2, vlan 10

I have built this and it works great. You just work with a single subnet between the FW and the Nexus, allowing the standby to kick in. But now I need to run everything on OSPF. So I am also trying to find out if there is an extra L3 link needed between the vPC 9K Nexus peers (7K style) for proper OSPF communication. I found this, which makes things a little more confusing (check p.52):
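An NX-OS configuration for Nexus A that implements the HSRP/static design sketched in the reply above, added here as an example; it is not the poster's own config. The 192.0.2.0/29 prefix, the HSRP VIP .1, the SVI address .2 and the Ethernet1/1 and 1/2 interface names are assumptions; .4/.5/.6 follow the reply.

```text
! Nexus A (NX-OS). Constructed example: 192.0.2.0/29 assumed; .1 = HSRP VIP,
! .2 = Nexus A SVI, .3 = Nexus B SVI, .4 = FW cluster VIP (.5/.6 = FW00/FW01).
feature lacp
feature vpc
feature interface-vlan
feature hsrp
vpc domain 10
  ! peer-link and peer-keepalive omitted for brevity.
  ! peer-gateway lets this switch route frames sent to the peer's SVI MAC,
  ! for firewalls that reply to the sender MAC instead of the HSRP vMAC.
  peer-gateway
vlan 10
  name FW-TRANSIT
! vPC 1 -> FW00, vPC 2 -> FW01. Each FW bundles its link to Nexus A and
! its link to Nexus B into one LACP port-channel; the vPC presents both
! Nexus ports as a single LACP partner.
interface port-channel1
  switchport
  switchport mode access
  switchport access vlan 10
  vpc 1

interface port-channel2
  switchport
  switchport mode access
  switchport access vlan 10
  vpc 2

interface Ethernet1/1
  switchport
  switchport mode access
  switchport access vlan 10
  channel-group 1 mode active

interface Ethernet1/2
  switchport
  switchport mode access
  switchport access vlan 10
  channel-group 2 mode active

! One transit subnet: the FW cluster defaults to the HSRP VIP .1 and the
! Nexus defaults to the cluster VIP .4, which moves with the active FW.
interface Vlan10
  no shutdown
  ip address 192.0.2.2/29
  hsrp version 2
  hsrp 10
    preempt
    priority 110
    ip 192.0.2.1

ip route 0.0.0.0/0 192.0.2.4
```

Nexus B mirrors this with `ip address 192.0.2.3/29` and a lower HSRP priority; on a vPC pair both HSRP peers forward traffic arriving over the vPC, so the HSRP standby still routes locally.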



I am working on a similar setup where 2 Nexus 9Ks are connected to two Cisco FTDs. However, I am having trouble figuring out the VLAN tagging mechanism... Suppose there are two vPCs on the Nexus, such as vPC 10 and vPC 20, and Port-Channel 2 is configured on the firewalls. If I want to transfer traffic related to Po2.1800 from the firewall, where should this VLAN 1800 be tagged on the switch side?
