cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1834
Views
8
Helpful
8
Replies

Cisco ASA A\S with one Cisco Nexus 9000 switch

michelegarribba
Level 1
Level 1

Hi all,

i'm in a migration path from and old 65K infrastructure to a new one with Nexus 9000.

The datacenter network has only one single Cisco Nexus switch that connect to a couple of ASA 5585 in A\S configuration.

What should be the best way to connect the switch to the ASAs?

I tried to connect the Nexus to the previous Pix A\S couple and the link to the standbay Pix is always flapping.

If i put a switch in the middle it works quiet well.

Can i face the same problem with the ASAs ?

The links are in access mode since the ASAs are the L3 core of the infrastructure and i use a transit vlan between nexus and ASAs

to route the datacenter to the LANs. This part is working well.

All the reference i found are for a couple of Nexus using vPC, so i'm a little in doubt.

Thanks all ll reply.

smaikol

ps: hope datacenter is the right place to post this.

8 Replies 8

Reza Sharifi
Hall of Fame
Hall of Fame

Hi,

You don't have to have 2 Nexus switches.  You can simply connect your 9000 switch to both ASA using one gig or 10Gig (depending on the type of ASA you have) links and trunk the vlans.

You may want to look into using a Portchannel if it is supported on the ASAs.

HTH

Hi Reza,

thanks for your answer, i was thinking about using portchannel, my question is, the portchannel should be unic from the nexus to the ASAs or should be better to have one portchannel from nexus to ASA_1 and one portchannel to ASA_2 ?  (in my scenario i have 1 Gig port on ASA and they support portchannel)

thanks a lot

Hi Michele,

If the ASAs are in active/stand-by and they logically look like one device, than you can use one Portchannel with 2 physical links in it and connect the Nexus to both ASAs.  If the ASAs are acting as 2 different devices than you don't need any Portchannel, you can simply use one link to each ASA and trunk them. So there will be 2 physical links with no Portchannel.

HTH

An active/standby ASA pair does not act as one device, so you must not bundle N1-A1 and N1-A2 links into a port-channel. A standby ASA cannot process and forward traffic destined to the Active's MAC address (next hop is active IP address so ARP sets the MAC to Active ASA's MAC).

However, with a full mesh

N1-A1 and N2-A1 can form Po31 on Nexus

N1-A2 and N2-A2 can form Po32 on Nexus

while both is Po30 on ASA

But Michele has only N1 so two layer2 switchports in the same VLAN can be used on N1 and a Vlan interface for routing.

Hi 

I am facing a issue in port channel.

port channel is UP interfaces in it is UP both at ASA and Nexus 9K level.  but not able to ping the gateway, Gateway is ASA.

Scenario is .

two Nexus switches N1 and N2 connected to two ASA  A1 and A2.

N1-A1 and N2-A1 can form Po91 on Nexus

N1-A2 and N2-A2 can form Po92 on Nexus

on ASA Po10.

we have created sub-interfaces on port channel at ASA side with VLAN 702,703. and having ip add for both Vlans. 

on Nexus switch level ports are as trunk ports.

the issue is a host kept in vlan 702 or 703 is not able to ping its gateway IPs which are defined on ASA as Sub-interfaces.

when i remove vlan 702 from port channel and defines it any Physical interface of ASA and connects it a direct cable to physical interfcace of nexus switch defined for vlan702 than the host is able to ping. but when i removes it from physical interface and defines 702 under port channel as a sub interface ,host is not able to ping.  port channel from ASA and Nexus side is up.

Config on ASA .

interface TenGigabitEthernet0/8
channel-group 10 mode active
no nameif
no security-level
no ip address
!
interface TenGigabitEthernet0/9
channel-group 10 mode active
no nameif
no security-level
no ip address

interface Port-channel10
nameif port-channel-conf
security-level 0
no ip address

interface Port-channel10.702
vlan 702
nameif site1
security-level 30
ip address 10.10.10.1 255.255.255.192 standby 10.10.10.2
!
interface Port-channel10.703
vlan 703
nameif site2
security-level 10
ip address 10.10.10.65 255.255.255.192 standby 10.10.10.66

icmp permit any port-channel-conf
icmp permit any site1
icmp permit any site2

access-list global_access extended permit ip any any 

access-list site1_access_in extended permit ip any any
access-list site2_access_in extended permit ip any any

access-group site1_access_in in interface site1
access-group site2_access_in in interface site2
access-group global_access global

Nexus config

interface ethernet 1/3

description "connect to site"

switchport

switchport mode trunk

channel-group 92 mode active

no shut

interface ethernet 1/4

description "connect to site"

switchport

switchport mode trunk

channel-group 92 mode active

no shut

interface port-channel 92

description "abc"

switchport

switchport mode trunk

spanning-tree port type network

vpc 91

interface ethernet 1/3

description "connect to site"

switchport

switchport mode trunk

channel-group 91 mode active

no shut

interface ethernet 1/4

description "connect to site"

switchport

switchport mode trunk

channel-group 91 mode active

no shut

interface port-channel 91

description "abc"

switchport

switchport mode trunk

spanning-tree port type network

vpc 92

now host laptop  kept in vlan 702 and 703  are not abe to ping ASA Gateway.

Please suggest any step that is missed in configuration.  or please share a test config as template for both ASA and Nexus.

Peter Koltl
Level 7
Level 7

Fix your Nexus config (or cabling)

N1(E1/3)-A1(T0/8) and N2(E1/3)-A1(T0/9) can form Po91 on Nexus

N1(E1/4)-A2(T0/8) and N2(E1/4)-A2(T0/9) can form Po92 on Nexus

on ASA Po10.

Your config refers to something different. In addition, the vpc id's are incorrect in the config.

Hi peter

can you please share the cinfiguration that should be done on Nexus as weel as on ASA.

Our network team says that they are ok with the configuration in Nexus.

if you can please share the configuration that we have to configure on nexus also on ASA.

vlan information ip add for corresponding Vlans is also i have shared.

it would be a great help if you can share configuration for this scenario,

Vivek

+917838151576

Peter Koltl
Level 7
Level 7

N1

interface ethernet 1/3

description "connect to site"

switchport

switchport mode trunk

channel-group 91 mode active

no shut

interface ethernet 1/4

description "connect to site"

switchport

switchport mode trunk

channel-group 92 mode active

no shut

interface port-channel 91

description "abc"

switchport

switchport mode trunk

spanning-tree port type edge trunk

vpc 91

interface port-channel 92

description "abc"

switchport

switchport mode trunk

spanning-tree port type edge trunk

vpc 92

N2

interface ethernet 1/3

description "connect to site"

switchport

switchport mode trunk

channel-group 91 mode active

no shut

interface ethernet 1/4

description "connect to site"

switchport

switchport mode trunk

channel-group 92 mode active

no shut

interface port-channel 91

description "abc"

switchport

switchport mode trunk

spanning-tree port type edge trunk

vpc 91

interface port-channel 92

description "abc"

switchport

switchport mode trunk

spanning-tree port type edge trunk

vpc 92

Review Cisco Networking for a $25 gift card