Solved: vPC between Nexus and Cisco ASA 5545-x

robert.vizitiu1 · ‎11-25-2015

Hello all,

I have some questions regarding the followin design maybe you guys can help me.

We have 4 cisco 2960 switches, 2 Nexus 5500 , 2 ASA 5545 and a router used for BGP.We would like to use vPC on the Nexus switches as in the image:

----------
Cisco 2960
----------           -----------              --------
                     Nexus1 5548        ASA 5545
----------           -----------              --------
Cisco 2960
----------                                                                      ----------
                                                                                 Cisco 2921
----------                                                                       ----------
Cisco 2960
----------           -----------              --------
                     Nexus2 5548         ASA 5545
----------           -----------              --------
Cisco 2960
----------

We would like to deploy vPC between Cisco 2960 and Nexus and between Nexus and ASA firewalls.The 2 Asa will be configured in Transparent mode as cluster , and a portchannel will connect every ASA to the Nexus pair.

The 2 Nexus are using RIP as routing protocol but on the Cisco 2921 we are using only BGP and static routes.

My question is , will this scenario work even if we use RIP on the Nexus?

Thank you in advance,

Ganesh Hariharan · ‎12-04-2015

Hello Robert,

Yes , These type of setup i have designed and implemented for one of the clients with multi tenent facility.

But ASA was in routed mode not in transparent.

You can have portchannel of two ports towrads Nexus end and trunk all vlan from nexus and assign sub interface with specifc zones for firewall policy.

and for out bound if it is only interface then you can go with L3 port and assign point to point network between router and ASA for routing purpose.

With the above you will have default towards router and internal LAN subnet towards Nexus end and rest segment will be connected with ASA.

Hope it Helps..

-GI

Rate if it Helpss

View solution in original post

Ganesh Hariharan · ‎11-29-2015

Hello,

We have deployed ASA with portchannel and at Nexus with MEC with vPC domain.

Have a look on this link Quick Start Guide :: ASA Cluster on Nexus documents ASA cluster configuration with connections to vPC domains.

https://communities.cisco.com/docs/DOC-35904

Hope it Helps..

-GI

Rate if it Helpss.

robert.vizitiu1 · ‎12-04-2015

Hi Ganesh,

Thank you for this document , is very useful.

My topology would look like the one at page 5 for transprent mode but I want to alter this topology so I would have : L3 Cloud (router) ===> Cluster ASA ====>Nexus

On the ASA cluster I will configure a port-channel to Nexus , configure subinterfaces on the port-channel and assign vlans on each subinterface.On the other side to L3 Cloud will be the outside interface so I don't need any vlans as all traffic will be forwarded to the outside interface, right?

Do you think this topology will work or should I stick to the one presented there?

Thank you,

Ganesh Hariharan · ‎12-04-2015

Hello Robert,

Yes , These type of setup i have designed and implemented for one of the clients with multi tenent facility.

But ASA was in routed mode not in transparent.

You can have portchannel of two ports towrads Nexus end and trunk all vlan from nexus and assign sub interface with specifc zones for firewall policy.

and for out bound if it is only interface then you can go with L3 port and assign point to point network between router and ASA for routing purpose.

With the above you will have default towards router and internal LAN subnet towards Nexus end and rest segment will be connected with ASA.

Hope it Helps..

-GI

Rate if it Helpss

robert.vizitiu1 · ‎12-06-2015

Hello Ganesh,

Thanks a lot for your input, this was very helpful.

So basically this setup will work only if I use ASA in routed mode, is there any way to make it in transparent mode?

Thank you,

Robert

Ganesh Hariharan · ‎12-09-2015

Hello Robert,

To be honest, I never designed and deployed ASA in transparent mode. As none of my clients had ever asked..:)

I will do some research on transparent stuff, if i get any will defenitely revert to you.

Hopefully in the meantime some of my fellow netpro's can come and reply.

-GI

robert.vizitiu1 · ‎12-09-2015

Hello Ganesh,

We did some research and agreed with my colleagues to use Routed mode so we will do it that way.Thank you very much for your time and I will let you know how it worked :)