12-18-2016 08:44 AM - edited 03-01-2019 08:26 AM
Hello Everyone,
I need some guidance on the below design.
There are two Nexus 9508 switches and two Fortinet firewalls. I am running vPC on the Nexus 9508 switches, and the firewalls need to be connected northbound in a full mesh topology, which means each Nexus switch should have a connection to each firewall.
These firewalls will be in active/standby mode, so the inside and outside interface IP addresses will be the same on the primary and secondary firewall. Once the active one goes down, the secondary will take over.
1. My confusion is whether I should use L2 links between the Nexus and the firewalls for the full mesh topology, or L3 links.
2. Should I run a dynamic routing protocol or static routing? OSPF will already be running between Nexus 1 and 2 over a dedicated non-vPC SVI link.
3. What I am thinking is to use L3 links and design it as below:
- Create vlan 100 with subnet 192.168.100.0/24 L3 SVI on NX-1 with IP 192.168.100.10 and Firewall IP 192.168.100.20
- Create vlan 200 with subnet 192.168.200.0/24 L3 SVI on NX-2 with IP 192.168.200.10 and Firewall IP 192.168.200.20
- Run OSPF on VLAN 100 and 200 between the Nexus switches and the firewall.
- Redistribute a static default route into OSPF on the Fortinet firewall, pointing to either the internet or an external block.
- There will also be an OSPF neighborship between NX-1 & NX-2 over dedicated L3 SVI links over a non-vPC VLAN.
Ideally it looks fine, but I am afraid that when the passive firewall takes over, will there be stateful routing table replication or not.
Will it rebuild the OSPF neighborship, or will there be any delay?
Suggestions in the above regard will be highly appreciated, and if the above design is not good then please suggest modifications.
Thanks
FK
01-02-2017 06:35 AM
Any updates from the experts in the above regard?
Thanks.
01-02-2017 07:05 AM
I need to build an identical topology. According to some Cisco support sources the proper way is 4x L3 p2p links between the FWs and the Nexus, no SVIs.
In your position however I would check the HSRP/static routing solution. Which means L3 LACP from each FW split to each Nexus (to L2 ports). On the Nexus side you would vPC 1 port per switch on the same VLAN to the first FW, and another pair on a different VLAN (edit: different vPC) to the second FW. The Nexus would statically target the cluster VIP. The cluster could target the Nexus HSRP. Example:
vlan 10: 10.0.0.0 /29
HSRP .1
nexusA_svi:.2
nexusB_svi:.3
FW cluster ip: .4
FW00: .5
FW01: .6
Ports:
Nexus A:
p1: vpc 1, vlan 10
p2: vpc 2, vlan 10
Nexus B:
p1: vpc 1, vlan 10
p2: vpc 2, vlan 10
I have built this and it works great. You just work with a single subnet between the FW and the Nexus, allowing the standby to kick in. But now I need to run everything on OSPF. So I am also trying to find out if there is an extra L3 link needed between the vPC 9K Nexus peers (7K style) for proper OSPF communication. I found this, which makes things a little more confusing (check p. 52):
http://d2zmdbbm9feqrf.cloudfront.net/2015/usa/pdf/BRKDCT-2378.pdf
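Rendered as NX-OS configuration, the single-subnet HSRP/static design described in the post above (an added example, not the poster's own config; the vPC peer-link and peer-keepalive are assumed to exist already, and the interface numbers, HSRP group number and the default route via the cluster VIP .4 are assumptions):

```nxos
! Nexus A (constructed example; Nexus B mirrors this with SVI .3 and HSRP priority 100)
feature hsrp
feature interface-vlan
feature lacp
feature vpc

vlan 10

! SVI: one /29 shared by both Nexus SVIs and both firewall members
interface Vlan10
  no shutdown
  ip address 10.0.0.2/29
  hsrp 10
    preempt
    priority 110
    ip 10.0.0.1

! vPC 1 -> FW00 (one member link from each Nexus; the FW bundles them as one LACP port-channel)
interface port-channel1
  switchport
  switchport mode access
  switchport access vlan 10
  vpc 1

! vPC 2 -> FW01, same VLAN, separate vPC
interface port-channel2
  switchport
  switchport mode access
  switchport access vlan 10
  vpc 2

interface Ethernet1/1
  description to FW00
  switchport
  switchport mode access
  switchport access vlan 10
  channel-group 1 mode active
  no shutdown

interface Ethernet1/2
  description to FW01
  switchport
  switchport mode access
  switchport access vlan 10
  channel-group 2 mode active
  no shutdown

! Static default toward the firewall cluster VIP; the firewalls point back at HSRP .1
ip route 0.0.0.0/0 10.0.0.4
```

On a firewall failover only the owner of .4 changes, so neither the Nexus static route nor the HSRP state has to reconverge.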
10-18-2019 02:10 AM
Hello,
I am working on a similar setup where 2 Nexus 9Ks are connected to two Cisco FTDs. However, I am having trouble figuring out the VLAN tagging mechanism. Suppose there are two vPCs on the Nexus, such as vPC 10 and vPC 20, and Port-Channel 2 is configured on the firewalls. So if I want to transfer traffic related to Po2.1800 from the firewall, where should this VLAN 1800 be tagged on the switch side?