08-07-2017 05:02 AM - edited 03-10-2019 01:13 PM
Hello,
A typical Data Center ASA cluster with vPC and VSS (file attached).
All interfaces and port-channels are up; vPC, VSS and the cluster are all OK.
1. From Core-S1 Vlan 200 I can reach Vlan 200 on Servers LAN
2. From Core-S1 Vlan 200 I can reach ip 10.44.124.1 (Vlan124 on Core-S4)
3. From Core-S1, some traffic to Vlan 124 is OK and some is not
4. From Core-S4 Vlan 124, some traffic to Vlan 124 is OK and some is not
5. If I disable Te1/1/10 and Te1/2/7, vlan 124 is reachable from Core-S1
6. If I enable Te1/1/10 and Te1/2/7 and disable Te2/1/10 and Te2/2/7, some traffic to vlan 124 is OK and some is not.
7. If I move trunk from Core-S1 to Core-S4 with interfaces Te2/1/10 and Te2/2/7 disabled, vlan 124 is reachable.
Do I need special configuration for L3 routing on VSS?
Thank you
08-07-2017 08:32 AM
Hi,
What I have seen in the past is that when you connect VSS to a firewall cluster, you can't have cross connects. So, if you remove ports 2/2/7 and 1/1/10 (cross connects) from the VSS switches and just put interface 2/1/10 and 1/2/7 in po3, your design should work fine. Can you test that?
HTH
08-07-2017 10:25 PM
Hi,
An ASA cluster with cross connects to vPC works great, but to VSS on the 4500X it does not work very well.
I will not be able to remove the cross connects and test, because I converted the 4500X back to standalone.
I found a link where Cisco does not recommend using this switch for data EtherChannels in Spanned EtherChannel mode due to asymmetric load-balancing (https://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html#pgfId-137822), so I will not convert them to VSS.
How can ASA Cluster (transparent mode) have links to both Core Switches Core-S3 and Core-S4?
Do you think the following configuration is a good one (file attached)?
ASA-Cluster
!
interface Port-channel2.124
vlan 124
nameif inside124
bridge-group 1
security-level 100
!
interface Port-channel1.324
vlan 324
nameif outside324
bridge-group 1
security-level 0
!
interface Port-channel5.524
vlan 524
nameif outside524
bridge-group 1
security-level 0
----------------------------------------------------
Core-S3
!
interface Port-channel3
switchport
switchport trunk allowed vlan 124
switchport mode trunk
switchport vlan mapping 324 124
!
---------------------------------------------------
Core-S4
!
interface Port-channel4
switchport
switchport trunk allowed vlan 124
switchport mode trunk
switchport vlan mapping 524 124
Thanks
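An added consistency check for the transparent-mode design posted above (example code, not from this thread, the ASA, or Cisco): it parses the ASA bridge-group subinterfaces and the two core-switch port-channels and confirms that each outside VLAN tag is translated back to the inside VLAN on exactly one switch, and that the inside VLAN is allowed on that trunk. It assumes security-level 100 marks the inside member and 0 the outside members, and that the allowed-VLAN list is an explicit comma list.

```python
import re

# Constructed sample inputs, transcribed from the configurations posted above.
ASA_CFG = (
    "interface Port-channel2.124\n vlan 124\n nameif inside124\n bridge-group 1\n security-level 100\n"
    "interface Port-channel1.324\n vlan 324\n nameif outside324\n bridge-group 1\n security-level 0\n"
    "interface Port-channel5.524\n vlan 524\n nameif outside524\n bridge-group 1\n security-level 0\n"
)
SWITCH_CFGS = {
    "Core-S3": "interface Port-channel3\n switchport trunk allowed vlan 124\n switchport vlan mapping 324 124\n",
    "Core-S4": "interface Port-channel4\n switchport trunk allowed vlan 124\n switchport vlan mapping 524 124\n",
}

def parse_asa(cfg):
    """Split the ASA config into one dict of sub-commands per subinterface."""
    blocks = re.split(r"^interface ", cfg, flags=re.M)[1:]
    return [dict(re.findall(r"^ (\S+) (\S+)$", b, re.M)) for b in blocks]

def parse_switch(cfg):
    """Return (allowed VLANs, {outer: inner}) for one core-switch port-channel.
    Assumption: the allowed list is an explicit comma list (ranges not expanded)."""
    m = re.search(r"switchport trunk allowed vlan (\S+)", cfg)
    allowed = set(m.group(1).split(",")) if m else set()
    mapping = dict(re.findall(r"switchport vlan mapping (\d+) (\d+)", cfg))
    return allowed, mapping

def check_bridge(asa_cfg, switch_cfgs):
    """Verify each outside VLAN of every bridge group is translated, on exactly one
    core switch, to the inside VLAN, and that the inside VLAN is allowed there.
    Assumption: security-level 100 marks the inside member, 0 the outside members."""
    switches = {sw: parse_switch(c) for sw, c in switch_cfgs.items()}
    groups = {}
    for i in parse_asa(asa_cfg):
        groups.setdefault(i.get("bridge-group"), []).append(i)
    problems = []
    for bg, members in groups.items():
        inside = [m for m in members if m.get("security-level") == "100"]
        if len(inside) != 1:
            problems.append(f"bridge-group {bg}: expected exactly one inside member")
            continue
        inner = inside[0].get("vlan")
        for o in (m for m in members if m.get("security-level") == "0"):
            hits = [sw for sw, (allowed, mp) in switches.items()
                    if mp.get(o.get("vlan")) == inner and inner in allowed]
            if len(hits) != 1:
                problems.append(f"{o.get('nameif')}: vlan {o.get('vlan')} -> {inner} found on {hits}")
    return problems
```

For the posted design `check_bridge(ASA_CFG, SWITCH_CFGS)` returns an empty list; a mapping that lands on the wrong inner VLAN or a trunk that does not carry it is reported by outside interface name.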