Nexus 5K <-> CheckPoint <-> 5K design question

Thomas Park
Level 1

Hi, Mr/Mrs Cisco gurus.

Trying to do a design for a customer and have a question.

We are trying to put dual Nexus 5548UP and FEX into their data center.

Enhanced vPC design.

There will be dual CheckPoint firewalls in Active/Standby mode. (customer's request!)

As you know, when vPC is configured on Nexus 5Ks, since the N5Ks have separate control planes, they are both forwarding traffic. My question here is how I would cable the dual 5Ks into the dual CheckPoint firewalls.

If I were to connect one 5K to one firewall, there will be an issue since the second 5K will also try to send traffic northbound (in this case, HSRP configuration with vPC).

So in this case, do I cable them in an "x" way? Or is there any way to turn off the traffic forwarding (in the north direction) on the secondary vPC peer?

Any design suggestion is appreciated!

Thanks

1 Accepted Solution

Accepted Solutions

David Lucas
Cisco Employee

Hello Thomas,

Let me add to this discussion if you don't mind, Prashanth.

The way I see the topology is that you only have one Checkpoint Firewall passing traffic at a time while the other firewall is sitting idle. The key would be to make sure you dual connect them to the N5Ks. I assume the Checkpoint will be running VRRP to accomplish the failover. In this scenario I see you have two options available, and what Checkpoint supports will steer you to the right option (I'm assuming you're doing L2 to the Checkpoint).

1. Connect both Checkpoint firewalls directly to the N5Ks. If you do this then the recommendation would be to build a port-channel (LACP or static) to each Checkpoint. By building a port-channel to the N5Ks, from the Checkpoint's perspective it'll appear as a logical connection to both N5Ks. This way, regardless of which N5K receives the packet, it'll be able to switch it to the correct port-channel. Of course the port-channel will need to be in a vPC!

2. Seeing you are doing enhanced vPC, you could connect the Checkpoints to different N2Ks and single-attach them to the FEX. If Checkpoint doesn't support port-channeling then this would be the option to go with. One thing I would consider when connecting them to the FEX is whether oversubscription will be a problem or not; I'm not sure if it will be in this environment!

By the way, option 1 can also be used in option 2. Instead of connecting the Checkpoints to the N5Ks, they could be connected to two different FEXs and build a port-channel. Enhanced vPC gives you the flexibility of connecting dual-connected hosts and single-connected hosts to the FEXs.

Of course, testing this will be critical to make sure there are no caveats with this setup and that it works without an issue.

To answer your question:

Thomas Park wrote:

is there any way to turn off the traffic forwarding (in the north direction) on Secondary vPC peer?

I don't believe this is possible as far as I know. But if you do the options above then I don't believe there should be an issue.

Hope this helps!

Dave

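Option 1 above (an LACP port-channel to each firewall, with each bundle placed in a vPC so the firewall sees both N5Ks as one logical partner) expressed as an NX-OS configuration. This is an added example, not configuration from the thread or from Cisco; the vPC domain ID, VLAN, keepalive addresses, interface numbers and port-channel/vPC IDs are constructed.

```nxos
! ---- N5K-1 (vPC primary) ----  constructed example, not from the thread
feature vpc
feature lacp
vlan 100
  name FW-INSIDE
vpc domain 10
  role priority 100
  ! keepalive rides the management network, never the peer-link (assumed IPs)
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
  ! lets either peer route frames sent to the other peer's MAC; commonly
  ! needed for firewalls/load balancers that bypass the HSRP virtual MAC
  peer-gateway
! vPC peer-link between the two 5548UPs
interface port-channel 1
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link
interface Ethernet1/1-2
  switchport mode trunk
  channel-group 1 mode active
! this peer's member of the LACP bundle toward the active firewall (FW-A)
interface port-channel 21
  switchport mode trunk
  switchport trunk allowed vlan 100
  spanning-tree port type edge trunk
  vpc 21
interface Ethernet1/11
  description FW-A (assumed port name), bundle member on this peer
  switchport mode trunk
  channel-group 21 mode active
! same pattern toward the standby firewall (FW-B), in its own vPC
interface port-channel 22
  switchport mode trunk
  switchport trunk allowed vlan 100
  spanning-tree port type edge trunk
  vpc 22
interface Ethernet1/12
  description FW-B (assumed port name), bundle member on this peer
  switchport mode trunk
  channel-group 22 mode active

! ---- N5K-2 (vPC secondary) ----
! identical apart from "role priority 200" and the keepalive reversed
! (destination 192.0.2.1 source 192.0.2.2); port-channel 21/22 carry the
! same "vpc 21"/"vpc 22" so each firewall negotiates one LACP partner.
```

After both peers are configured, `show vpc brief` should report the peer-link and vPCs 21/22 as up with consistency status "success", and `show port-channel summary` on each N5K should show its member ports bundled under the same channel.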

2 Replies

Prashanth Krishnappa
Cisco Employee

Hi Thomas

I do not understand your intended topology. Will you be connecting the active firewall to one Nexus 5K and the standby firewall to the other Nexus 5K? Why do you say the secondary vPC peer sending traffic northbound is a problem?

Thanks

-Prashanth
