No, but the one caveat is vpc

Agent2014 · ‎07-08-2014

Hi All

Can anyone help me decide what is the best way to connect a firewall cluster to a VDC running in a pair of N7K's which is a VPC domain?

Can I configure a VLAN interface on each VDC and use HSRP? I was planning on presenting one 10GB cable from each VDC to each firewall. Would this work OK? HSRP traffic will go across the VPC peer link correct?

thanks all

jerry.bonner · ‎07-08-2014

Are you talking clustered ASA? I haven't done this personally, but from what I can see in the documentation you should be ok to connect everything as you describe. HSRP for SVI's from switch to switch will be fine across peer link. Enabling vpc peer-gateway on the Nexus is recommended.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/ha_cluster.html#pgfId-1712473

Agent2014 · ‎07-09-2014

HI Jerry

Thanks for the response.

The firewall cluster is actually fortigate. If I present 2 connections (1 to each firewall)that are in a VPC domain do you see any issues with that?

jerry.bonner · ‎07-09-2014

No, but the one caveat is vpc orphan ports. If the vpc link between the nexus switches fails for any reason, all the vpc ports on the vpc secondary switch will be forced down. So it's recommended to connect single port devices to the primary vpc switch so the connections stay up. But if you're ok with that, then I don't see any problems.

You have a few options, one would be to run a separate link between your nexus switches for non-vpc vlans. These vlans would not be allowed over the vpc peer-link, or forwarded out vpc's.

See here page 49 :

http://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

What is the best way to connect a firewall cluster to a VPC domain