4500X VSS

Eugen Bitca
Level 1

Hello,

A typical Data Center ASA cluster with vPC and VSS (file attached).

All interfaces and port-channels are up, vPC, VSS, Cluster all OK.

1. From Core-S1 Vlan 200 I can reach Vlan 200 on the Servers LAN.
2. From Core-S1 Vlan 200 I can reach IP 10.44.124.1 (Vlan 124 on Core-S4).
3. From Core-S1, some traffic to Vlan 124 is OK and some is not.
4. From Core-S4 Vlan 124, some traffic to Vlan 124 is OK and some is not.
5. If I disable Te1/1/10 and Te1/2/7, Vlan 124 is reachable from Core-S1.
6. If I enable Te1/1/10 and Te1/2/7 and disable Te2/1/10 and Te2/2/7, some traffic to Vlan 124 is OK and some is not.
7. If I move the trunk from Core-S1 to Core-S4 with interfaces Te2/1/10 and Te2/2/7 disabled, Vlan 124 is reachable.

Do I need special configuration for L3 routing on VSS?

Thank you

2 Replies

Reza Sharifi
Hall of Fame

Hi,

What I have seen in the past is that when you connect VSS to a firewall cluster, you can't have cross connects. So, if you remove ports 2/2/7 and 1/1/10 (the cross connects) from the VSS switches and just put interfaces 2/1/10 and 1/2/7 in Po3, your design should work fine. Can you test that?

HTH

Hi,

An ASA cluster with cross connects to vPC works great, but to VSS on the 4500X not very well.

I will not be able to remove the cross connects and test, because I converted the 4500X back to standalone.

I found a link where Cisco does not recommend using this switch for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing (https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-137822), so I will not convert them to VSS.

How can ASA Cluster (transparent mode) have links to both Core Switches Core-S3 and Core-S4?

Do you think the following configuration is a good one (file attached)?

ASA-Cluster

!
interface Port-channel2.124
 vlan 124
 nameif inside124
 bridge-group 1
 security-level 100
!
interface Port-channel1.324
 vlan 324
 nameif outside324
 bridge-group 1
 security-level 0
!
interface Port-channel5.524
 vlan 524
 nameif outside524
 bridge-group 1
 security-level 0
----------------------------------------------------
Core-S3
!
interface Port-channel3
 switchport
 switchport trunk allowed vlan 124
 switchport mode trunk
 switchport vlan mapping 324 124
!
---------------------------------------------------
Core-S4
!
interface Port-channel4
 switchport
 switchport trunk allowed vlan 124
 switchport mode trunk
 switchport vlan mapping 524 124

Thanks
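As an added example, not part of the thread and not Cisco's code: a small Python check of the plan posted above. It parses the ASA subinterfaces and the cores' "switchport vlan mapping" lines and reports any outside leg of the bridge-group that is not translated back to the inside VLAN on exactly one core, or a mapping whose target VLAN is not allowed on that trunk. It assumes that security-level 100 marks the inside (server) VLAN and that lower levels are outside legs.

```python
import re

# Constructed copies of the three fragments in the post above (same values, one string each).
ASA_CFG = (
    "interface Port-channel2.124\n vlan 124\n nameif inside124\n bridge-group 1\n security-level 100\n"
    "interface Port-channel1.324\n vlan 324\n nameif outside324\n bridge-group 1\n security-level 0\n"
    "interface Port-channel5.524\n vlan 524\n nameif outside524\n bridge-group 1\n security-level 0\n"
)
CORE_CFGS = {
    "Core-S3": "interface Port-channel3\n switchport trunk allowed vlan 124\n switchport vlan mapping 324 124\n",
    "Core-S4": "interface Port-channel4\n switchport trunk allowed vlan 124\n switchport vlan mapping 524 124\n",
}

def parse_asa(cfg):
    """Return {nameif: (vlan, bridge_group, security_level)} for each ASA subinterface."""
    ifaces = {}
    for blk in re.split(r"^interface .*$", cfg, flags=re.M)[1:]:
        kv = dict(re.findall(r"^\s+(vlan|nameif|bridge-group|security-level)\s+(\S+)", blk, re.M))
        ifaces[kv["nameif"]] = (int(kv["vlan"]), int(kv["bridge-group"]), int(kv["security-level"]))
    return ifaces

def parse_core(cfg):
    """Return (allowed trunk VLANs, {wire_vlan: translated_vlan}) for one core port-channel."""
    allowed = {int(v) for grp in re.findall(r"allowed vlan ([\d,]+)", cfg) for v in grp.split(",")}
    mapping = {int(a): int(b) for a, b in re.findall(r"vlan mapping (\d+) (\d+)", cfg)}
    return allowed, mapping

def check_design(asa_cfg, core_cfgs):
    """Return a list of problems; [] means the posted bridging plan is internally consistent.
    Assumption: security-level 100 marks the inside (server) VLAN; lower levels are outside legs."""
    ifaces, problems = parse_asa(asa_cfg), []
    if len({bg for _, bg, _ in ifaces.values()}) != 1:
        problems.append("ASA subinterfaces are not all in one bridge-group")
    inside = {v for v, _, lvl in ifaces.values() if lvl == 100}
    if len(inside) != 1:
        return problems + [f"expected exactly one inside VLAN, found {sorted(inside)}"]
    inside_vlan = inside.pop()
    cores = {name: parse_core(cfg) for name, cfg in core_cfgs.items()}
    # Every translated VLAN must actually be allowed on the trunk it is mapped on.
    for name, (allowed, mapping) in cores.items():
        for wire, translated in mapping.items():
            if translated not in allowed:
                problems.append(f"{name}: VLAN {wire} maps to {translated}, not allowed on the trunk")
    # Every outside leg of the bridge-group must map back to the inside VLAN on exactly one core.
    for nameif, (vlan, _, lvl) in ifaces.items():
        hits = [n for n, (_, m) in cores.items() if m.get(vlan) == inside_vlan]
        if lvl != 100 and len(hits) != 1:
            problems.append(f"{nameif}: VLAN {vlan} -> {inside_vlan} on {hits or 'no core'}")
    return problems
```

Running check_design(ASA_CFG, CORE_CFGS) on the posted fragments returns an empty list; changing one core's mapping so both cores translate the same outside VLAN makes it flag both outside legs.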
