Buy or Renew
Buy or Renew
NOTICE: You can now engage in the community. Learn about the great new Cisco Umbrella content.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3598
Views
0
Helpful
7
Replies

Help with failover design between Nexus7K and active/standby Firewall

Go to solution
gwhuang5398
Level 2
Level 2

‎12-11-2012 08:23 AM - edited ‎03-03-2019 06:52 AM

In the attached diagram, Nexus7K is used in two ways: on the left side, NX7K pair connects to the firewall as Layer 2 trunks. vPC VLANs are trunked through. The firewall is a pair in active/standby mode. On the right side, another NX7K pair connects to the firewall as Layer 3 rotued links. HSRP or VRRP will be running between the NX7K pair for the firewall VLAN SVI.

Because NX7K pairs don't have meshed connections to the firewall active/standby units, I want to make sure in failover scenarios (firewall failover or NX7K failures), the connection that remains between NX7K pair and the firewall can actually forward traffic (not black holed).

The failure scenarios I can think of include: firewall failover from active to standby, NX7K primary device failure, NX7K dual active, and NX7K vPC peer-link failure. I would like to get some advices about what I need to consider and implement in those scenarios to achieve high availability.

Thanks a lot for any advice.                  

Labels:
Preview file
33 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎12-11-2012 08:59 PM

Hi

from your topology i can see that the main issue is that physical connectivity from the firewalls to the pair of nexus devices in both topologies is lacking to a redundant link to the N7K

first of all since you are using vPC with a vPC peer link between the pair of N7K then you need to follow Cisco's recommendations of connecting a L2 Firewalls link and L3

in L2 if you are passing vPC vlan over the firewall trunk then in your topology there is a possibility of traffic blocking or dropping situations effected by vPC loop preventions mechanism in the case for example a vPC peer link gose down

the fix to the is either:

use none-vPC vlans and a separate inter switch link for those vlans ( i thin you already have this link )

or multi home the L2 links from each Firewall to both N7K switch  and assuming that HSRP is configured in the N7K and static routing is used between the firewall and the N7K

for the L3 Firewalls links:

you need to multi-home as well ( if possible and recommend ) and use static routing between the N7K and firewalls and the firewalls need to point to the N7K HSRP VIP

multi-homing with L3 and using L3 dyanaminc routing peering over the vPC-peer link is not supported design

have look at the following discussion which might help you as well

https://supportforums.cisco.com/message/3792466#3792466

hope this help

if helpful rate

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎12-11-2012 11:38 AM

In active/passive failover mode on the ASA, the interface IP for the active firewall and the passive firewall need to be on the same subnet, thus eliminating the design on the right. For added redundancy you could port channel a couple of interfaces on the ASA's to a vPC on the 7K's.

0 Helpful

Go to solution
gwhuang5398
Level 2
Level 2
In response to Collin Clark

‎12-11-2012 01:42 PM

The limitation is I can only have one connection from the active firewall to NX7K-1, and one connection from the standby firewall to NX7K-2. If I could do a mesh between the firewall devices and NX-7K devices, I would do a vPC as you suggested.

The challenge with this connectivity is how to align firewall active, primary NX-7K, and maybe spanning-tree root and HSRP active together in various failure scenarios. I would appreciate any advice there.

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to gwhuang5398

‎12-11-2012 01:55 PM

I like to keep things in parallel. By that I mean 7K1 should be STP root, HSRP active and connect to ASA primary. It's easier to keep straight in my head especially during troubleshooting. It's a straight forward design. I would use HSRP and STP can be changed so primary root is 7K1 and secondary is 7K2. If there was an outage on 7K1 things will swing over pretty fast. You can tweak the HSRP parameters for a quicker standby to active failover as well. Is this the info you're looking for?

0 Helpful

Go to solution
gwhuang5398
Level 2
Level 2
In response to Collin Clark

‎12-11-2012 02:52 PM

If ASA fails over from active to the standby, should 7K-1 change vPC primary, STP root, and HSRP active all to the vPC secondary peer device (7K-2)? HSRP can use tracking to adjust priority, but how can STP root make the change without manual intervention?

0 Helpful

Go to solution
Collin Clark
VIP Alumni
VIP Alumni
In response to gwhuang5398

‎12-11-2012 06:53 PM

STP would not change unless the 7K1 box was completely offline (that's the outage I was thinking in my head). I would not change STP, vPC, etc when the standby becomes active. Just let it run and know that when the primary comes back online everything will be back in line.

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni
In response to gwhuang5398

‎12-11-2012 09:44 PM

One more thing to add
Be aware in nexus with vPC both active and standby HSRP forward traffic not like other platforms and make sure when you multihome the firewalls to both nexus peers with vPC to enable vPC peer-gateway I think in new software releases it's on by default

Sent from Cisco Technical Support iPhone App

0 Helpful

Go to solution
Marwan ALshawi
VIP Alumni
VIP Alumni

‎12-11-2012 08:59 PM

Hi

from your topology i can see that the main issue is that physical connectivity from the firewalls to the pair of nexus devices in both topologies is lacking to a redundant link to the N7K

first of all since you are using vPC with a vPC peer link between the pair of N7K then you need to follow Cisco's recommendations of connecting a L2 Firewalls link and L3

in L2 if you are passing vPC vlan over the firewall trunk then in your topology there is a possibility of traffic blocking or dropping situations effected by vPC loop preventions mechanism in the case for example a vPC peer link gose down

the fix to the is either:

use none-vPC vlans and a separate inter switch link for those vlans ( i thin you already have this link )

or multi home the L2 links from each Firewall to both N7K switch  and assuming that HSRP is configured in the N7K and static routing is used between the firewall and the N7K

for the L3 Firewalls links:

you need to multi-home as well ( if possible and recommend ) and use static routing between the N7K and firewalls and the firewalls need to point to the N7K HSRP VIP

multi-homing with L3 and using L3 dyanaminc routing peering over the vPC-peer link is not supported design

have look at the following discussion which might help you as well

https://supportforums.cisco.com/message/3792466#3792466

hope this help

if helpful rate

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card