03-07-2013 06:01 AM
Hi, Mr/Mrs Cisco gurus.
Trying to do a design for a customer and have question.
We are trying to put dual Nexus 5548UP and Fex into their data center.
enhanced vPC design.
There will be dual checkPoint firewalls in Active/Standby mode. (customer's request!)
As you know, when vPC is configured on Nexus 5Ks, since each N5K has a separate control plane,
they are both forwarding traffic. My question here is how would I cable dual 5Ks into dual CheckPoint firewalls.
If I were to connect one 5K to one firewall, there will be an issue since the second 5K will also try to send traffic north bound.
(in this case, HSRP configuration with vPC)
So in this case, do I cable them in "x" way? or is there any way to turn off the traffic forwarding (in the north direction) on Secondary vPC peer?
Any design suggestion is appreciated!
Thanks
03-09-2013 08:56 AM
Hello Thomas,
Let me add to this discussion if you don't mind, Prashanth.
The way I see the topology is that you only have one Checkpoint Firewall passing traffic at a time while the other firewall is sitting idle. The key would be to make sure you dual connect them to the N5Ks. I assume the Checkpoint will be running VRRP to accomplish the failover. In this scenario I see you have two options available and what Checkpoint supports will steer you to the right option (I’m assuming you’re doing L2 to the Checkpoint).
1. Connect both Checkpoint firewalls directly to the N5Ks. If you do this then the recommendation would be to build a port-channel (LACP or Static) to each Checkpoint. By building a port-channel to the N5Ks, then from the Checkpoint perspective it’ll appear as a logical connection to both N5Ks. This way regardless of which N5K receives the packet, it’ll be able to switch it to the correct port-channel. Of course the port-channel will need to be in a vPC!
2. Seeing you are doing enhanced vPC, you could connect the Checkpoints to different N2K and Single attach them to the FEX. If Checkpoint doesn’t support port-channeling then this would be the option to go with. Things I would consider by connecting them to the FEX is if oversubscription will be a problem or not - I’m not sure if it will be in this environment!
By the way, option 1 can also be used in option 2. Instead of connecting the Checkpoints to the N5Ks they could be connected to two different FEXs and build a port-channel. Enhanced vPC gives you the flexibility of connecting dual connected hosts and single connected hosts to the FEXs.
Of course, testing this will be critical to make sure there are no caveats with this setup and that it works without an issue.
To answer your question:
Thomas Park wrote:
is there any way to turn off the traffic forwarding (in the north direction) on Secondary vPC peer?
I don't believe this is possible as far as I know. But, if you do the options above then I don't believe there should be an issue.
Hope this helps!
Dave
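As an added illustration of option 1 (not part of Dave's post or any vendor configuration guide), this is what the N5K side looks like: one vPC port-channel per Checkpoint, each spanning both N5Ks, so whichever peer receives a frame can hand it to the active firewall. The vPC domain ID, keepalive addresses, VLANs and interface numbers are assumptions; the same configuration is applied on both peers with the keepalive source/destination swapped.

```nxos
! Assumed example config for N5K-1 (N5K-2 is identical except for keepalive addresses)
feature lacp
feature vpc

vpc domain 10
  ! keepalive runs over the mgmt0 link; addresses are placeholders
  peer-keepalive destination 10.0.0.2 source 10.0.0.1
  ! lets either peer route for the other's HSRP MAC, avoiding peer-link hairpins
  peer-gateway

! vPC peer-link between the two N5Ks
interface port-channel1
  switchport mode trunk
  vpc peer-link

! Checkpoint FW-A: one physical link per N5K, bundled into vPC 101
interface port-channel101
  description Checkpoint-FW-A
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc 101

interface Ethernet1/11
  description to Checkpoint-FW-A
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  channel-group 101 mode active

! Checkpoint FW-B (standby): same pattern, separate vPC number
interface port-channel102
  description Checkpoint-FW-B
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc 102

interface Ethernet1/12
  description to Checkpoint-FW-B
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  channel-group 102 mode active
```

After the firewall side is bundled (LACP active on the Checkpoint), `show vpc` should list vPC 101 and 102 as up on both peers and `show port-channel summary` should show both member links in the bundle; a consistency-check failure or a single-member bundle is the first thing to rule out when traffic only passes through one N5K.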
03-09-2013 07:19 AM
Hi Thomas
I do not understand your intended topology. Will you be connecting Active firewall to one Nexus 5k and the standby firewall to the other Nexus 5k? Why do you say the secondary vPC peer sending traffic northbound is a problem?
Thanks
-Prashanth