vPC to ASA5525-X

Steven Williams
Level 4

From the ASA I should be able to ping 10.170.105.1 without a route because they are directly connected, yes? Unless the ASA does not follow the same rules. I also noticed in the show int tru command that po105 is forwarding "none".

N5K1

N5K2

ASA5525-X

NEXUS5K001(config)# show run int po105

interface port-channel105
  description vPC TO ASA5525
  switchport mode trunk
  switchport trunk allowed vlan 105
  spanning-tree port type network
  speed 1000
  duplex full
  vpc 105

NEXUS5K001(config)# show run int vlan 105

interface Vlan105
  no shutdown
  description ASA5525 ROUTED VLAN
  no ip redirects
  ip address 10.170.105.2/24
  hsrp version 2
  hsrp 105
    ip 10.170.105.1

NEXUS5K001(config)# show port-channel summary
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
10    Po10(SU)    Eth      LACP      Eth1/31(P)   Eth1/32(P)
50    Po50(SU)    Eth      LACP      Eth1/27(P)
51    Po51(SU)    Eth      LACP      Eth1/25(P)
101   Po101(SU)   Eth      NONE      Eth1/29(P)
102   Po102(SU)   Eth      NONE      Eth1/30(P)
105   Po105(SU)   Eth      LACP      Eth1/26(P)
205   Po205(SU)   Eth      LACP      Eth1/3(P)
206   Po206(SU)   Eth      LACP      Eth1/4(P)

NEXUS5K002# show run int po105

interface port-channel105
  description vPC TO ASA5525
  switchport mode trunk
  switchport trunk allowed vlan 105
  spanning-tree port type network
  speed 1000
  duplex full
  vpc 105

NEXUS5K002# show run int vlan 105

interface Vlan105
  no shutdown
  description ASA5525 ROUTED VLAN
  no ip redirects
  ip address 10.170.105.3/24
  hsrp version 2
  hsrp 105
    ip 10.170.105.1

NEXUS5K002# show port-channel sum
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        S - Switched    R - Routed
        U - Up (port-channel)
        M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
10    Po10(SU)    Eth      LACP      Eth1/31(P)   Eth1/32(P)
50    Po50(SU)    Eth      LACP      Eth1/27(P)
51    Po51(SU)    Eth      LACP      Eth1/25(P)
101   Po101(SU)   Eth      NONE      Eth1/29(P)
102   Po102(SU)   Eth      NONE      Eth1/30(P)
105   Po105(SU)   Eth      LACP      Eth1/26(P)
205   Po205(SU)   Eth      LACP      Eth1/3(P)
206   Po206(SU)   Eth      LACP      Eth1/4(P)

interface Gi0/6
 speed 1000
 duplex full
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface Gi0/7
 speed 1000
 duplex full
 channel-group 1 mode active
 no nameif
 no security-level
 no ip address
!
interface Port-channel1
 description Port-Channel to N5Ks
 lacp max-bundle 2
 no nameif
 security-level 100
 no ip address
!
interface Port-channel1.105
 vlan 105
 nameif inside
 security-level 100
 ip address 10.170.105.20 255.255.255.0
!

ATIASA5525-01# show port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)        LACP      No            Gi0/6(P) Gi0/7(P)

3 Replies

David Lucas
Cisco Employee

Hello!

Can you try to remove "spanning-tree port type network"?  The ASA connections should be "spanning-tree port type edge trunk" as they do not run spanning-tree.

Let me know if this helps!

Dave

spanning-tree port type edge trunk was added. I did not know that was a command. I thought normal would work. Although that didn't fix the issue, it was good to know; I probably need to add that to my vPCs to my NetApp and ESX hosts. To solve the issue I created the VLAN for 105 on the Nexus. UGH! That gets me all the time: unlike IOS, where it creates the VLAN for you, Nexus doesn't. That has bitten me more than once! Thanks for the knowledge on spanning-tree!

Ah! 

Just an FYI, a "sh vpc " would show you that there were no active VLANs on the vPC.  Also, another useful command in this case would be "sh spanning-tree int ", where you'd then see there were no VLANs in the Forwarding state.

I'm glad you were able to resolve it!

Dave
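
The root cause reported in this thread (VLAN 105 allowed on the trunk and given an SVI, but never created on the Nexus) can be caught with an offline check of the configuration text. The following is an added example, not part of the original posts or any Cisco tooling; the sample configuration is constructed, and the function names `expand` and `missing_vlans` are hypothetical.

```python
import re

# Constructed sample modelled on the thread: the trunk and the SVI reference
# VLAN 105, but no "vlan 105" line exists in the Layer 2 VLAN database.
SAMPLE_CONFIG = """\
vlan 1,10,50-51
interface port-channel105
  switchport mode trunk
  switchport trunk allowed vlan 105
  vpc 105
interface port-channel10
  switchport mode trunk
  switchport trunk allowed vlan 10,50-51
interface Vlan105
  no shutdown
  ip address 10.170.105.2/24
"""

def expand(spec):
    """Expand an NX-OS VLAN list such as '10,50-51' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def missing_vlans(config):
    """Return {interface: sorted VLAN IDs referenced but never created}."""
    defined, referenced, current = set(), {}, None
    for line in config.splitlines():
        if m := re.match(r"vlan ([\d,\-]+)\s*$", line):
            defined |= expand(m.group(1))  # top-level VLAN creation
            current = None
        elif m := re.match(r"interface (\S+)", line):
            current = m.group(1)
            # An SVI (interface VlanN) needs the matching Layer 2 VLAN too.
            if svi := re.fullmatch(r"[Vv]lan(\d+)", current):
                referenced.setdefault(current, set()).add(int(svi.group(1)))
        elif current and (m := re.match(
                r"\s+switchport trunk allowed vlan (?:add )?([\d,\-]+)", line)):
            referenced.setdefault(current, set()).update(expand(m.group(1)))
    return {i: sorted(v - defined) for i, v in referenced.items() if v - defined}

if __name__ == "__main__":
    for intf, vlans in missing_vlans(SAMPLE_CONFIG).items():
        print(f"{intf}: VLAN(s) {vlans} not created on this switch")
```

Trunk lines using `all`, `none` or `except` are not evaluated by this check.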
