Best Practices for Layer 2-3 and vPC Configuration

Dear,
At our data center, we have a new pair of N9Ks in a vPC domain, both connecting two downstream FEX switches in straight-through fashion. My concern doesn't relate to the downstream fabric extenders, however, but mainly to the vPC domain. What is best practice for uplinking an L2 or L3 device such as a firewall or router towards your vPC domain (pair of N9Ks)?
These Nexus switches are currently not in use yet, but should soon be operational as the heart of our new DMZ environment.

So, for instance, our current DMZ stack uplinks towards the firewall using single uplinks for some of our security zones. Logically, the new Nexus parent switches should uplink in a redundant fashion using uplinks to both N9K parent switches (vPC domain). For L2 links such as trunks towards other bridging devices, this is no issue. However, for L3 devices I'm somewhat confused by the recommendation in the configuration guide for vPC. This new DMZ environment is a pure L2 environment and so

Layer 3 and vPC Configuration Overview

When a Layer 3 device is connected to a vPC domain through a vPC, it has the following views:

  • At Layer 2, the Layer 3 device sees a unique Layer 2 switch presented by the vPC peer devices.

  • At Layer 3, the Layer 3 device sees two distinct Layer 3 devices (one for each vPC peer device).

vPC is a Layer 2 virtualization technology, so at Layer 2, both vPC peer devices present themselves as a unique logical device to the rest of the network.

There is no virtualization technology at Layer 3, so each vPC peer device is seen as a distinct Layer 3 device by the rest of the network.

My question is:

If we uplink our firewall using a vPC from the Nexus switches towards the firewall, can we do this without breaking any "rules"?

The firewall uses the concept of a router on a stick, but shouldn't we be configuring L3 links for this, according to the following guidelines?

  • Do not use a Layer 2 vPC to attach a Layer 3 device to a vPC domain unless the Layer 3 device can statically route to the HSRP address configured on the vPC peer devices.

  • When both routed and bridged traffic are required, use individual Layer 3 links for routed traffic and a separate Layer 2 port-channel for bridged traffic.

Thanks in advance for your help!

Regards,

Kristof

PS: I've included the base topology in JPG format, specifically showing the firewall vPC uplink.

5 Replies

Reza Sharifi
Hall of Fame

Hi,

Are the firewalls configured in the cluster as active/passive?

What vendor firewalls are you using?

In most cases, Layer 3 vPC is not supported. If the firewalls are active/passive, you can use a /29 with a VLAN and span it across the 9Ks and the firewalls.

HTH

Hello,

They are Fortinet & Palo Alto, and they're both in an active/passive setup.
Of course the firewall sees the N9Ks as a single switch from a Layer 2 perspective. However, my concern is mainly what is actually best practice/recommended by Cisco for these kinds of uplinks?
You mention a dedicated VLAN for routing between Nexus & firewall, but this implies that all VLANs housed on these switches should have L3 VLAN interfaces as well to route back out?

Am I seeing this right?

Thanks!

Hi,

However, my concern is mainly what is actually best practice/recommended by Cisco for these kinds of uplinks?

There isn't really any best practice, especially when you are using other vendors' firewalls, as each vendor is different. My recommendation is to test each scenario really well before deciding.

You mention a dedicated VLAN for routing between Nexus & firewall, but this implies that all VLANs housed on these switches should have L3 VLAN interfaces as well to route back out?

That is correct. I assumed you are terminating your VLANs on the 9Ks and then using routed links to the firewalls.

HTH
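To make the two options concrete, here is an NX-OS configuration that is an added example, not part of this thread and not taken from Cisco's vPC guide. It shows how the /29 transit VLAN suggested above satisfies the guide's "can statically route to the HSRP address" exception, and, at the end, the alternative of individual Layer 3 links. Every identifier and address is an assumption for illustration: vPC domain 10, DMZ VLAN 100 (10.10.100.0/24), transit VLAN 900 (10.10.200.0/29), port-channels 20/21 towards firewall units FW-A/FW-B, and a firewall-owned transit address 10.10.200.4 that the active unit of the active/passive pair holds. N9K-1 is shown; the N9K-2 differences are in comments.

```nxos
! Added example (not from the thread or the Cisco guide). N9K-1 shown; N9K-2 values in comments.
! Assumed: vPC domain 10, DMZ VLAN 100 = 10.10.100.0/24, transit VLAN 900 = 10.10.200.0/29,
! active/passive firewall pair whose active unit owns 10.10.200.4 on the transit VLAN.

feature vpc
feature lacp
feature interface-vlan
feature hsrp

vpc domain 10
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management   ! swapped on N9K-2
  role priority 100                                                      ! 200 on N9K-2
  ! Some firewalls reply to the source MAC of the incoming packet (a peer's SVI MAC) instead of
  ! the HSRP MAC; without peer-gateway such frames cross the peer-link and are dropped by the
  ! vPC loop-prevention rule. peer-gateway lets either peer route them locally.
  peer-gateway

vlan 100
  name DMZ-WEB
vlan 900
  name FW-TRANSIT

interface port-channel1
  description vPC peer-link
  switchport mode trunk
  switchport trunk allowed vlan 100,900
  vpc peer-link

! Option 1 (the /29 transit VLAN): the DMZ VLANs terminate on the 9Ks. That is what lets the
! firewall point a static route at ONE HSRP address instead of at two distinct Layer 3 devices.
interface Vlan100
  no shutdown
  ip address 10.10.100.2/24        ! 10.10.100.3 on N9K-2
  hsrp 100
    priority 110                   ! 100 on N9K-2
    ip 10.10.100.1                 ! default gateway of the DMZ hosts

interface Vlan900
  no shutdown
  ip address 10.10.200.2/29        ! 10.10.200.3 on N9K-2
  hsrp 90
    priority 110                   ! 100 on N9K-2
    ip 10.10.200.1                 ! the only next-hop the firewall is allowed to use

! One vPC per firewall unit (identical on both peers). Only the transit VLAN is allowed, so the
! firewall never bridges DMZ VLANs and never learns the per-peer SVI addresses as next-hops.
interface port-channel20
  description FW-A
  switchport mode trunk
  switchport trunk allowed vlan 900
  vpc 20
interface Ethernet1/20
  description to FW-A
  switchport mode trunk
  switchport trunk allowed vlan 900
  channel-group 20 mode active

interface port-channel21
  description FW-B
  switchport mode trunk
  switchport trunk allowed vlan 900
  vpc 21
interface Ethernet1/21
  description to FW-B
  switchport mode trunk
  switchport trunk allowed vlan 900
  channel-group 21 mode active

! Return path from the 9Ks: everything off-DMZ goes to the firewall's shared transit address,
! which follows the active unit on failover, so neither peer needs to know which box is live.
ip route 0.0.0.0/0 10.10.200.4

! Option 2 (the guide's second bullet): individual Layer 3 links, no vPC for routed traffic.
! Each 9K gets its own routed /30 to each firewall unit (four links for an active/passive pair);
! any VLANs that must still be bridged travel over a separate Layer 2 port-channel/vPC.
interface Ethernet1/22
  description to FW-A routed link
  no switchport
  ip address 10.10.201.1/30        ! N9K-2 uses its own subnet, e.g. 10.10.201.5/30
  no shutdown
ip route 0.0.0.0/0 10.10.201.2
```

On the firewall side of option 1, the static routes for the DMZ subnets (10.10.100.0/24 here) must point at 10.10.200.1, the HSRP VIP, never at 10.10.200.2 or .3; that is precisely the exception in the guide's first bullet, and a route to a physical SVI address would break the moment that peer is down or the LACP hash sends the frame to the other peer. Option 2 needs no HSRP on the transit side, but with an active/passive pair it costs two routed links per 9K and either static routes to both units or a routing protocol. Newer NX-OS releases also add `layer3 peer-router` under the vPC domain for Layer 3 over vPC, which makes dynamic routing adjacencies across a vPC possible, but the static design above does not depend on it.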

Thanks for clarifying where needed. Now I know what to do, basically. But one can safely assume that using solely L2 uplinks towards your L3 firewall is less preferable, though not impossible, correct?

Once again, thanks for the straightforward answer!

Kristof

Sure. Glad to help!

Thanks for clarifying where needed. Now I know what to do, basically. But one can safely assume that using solely L2 uplinks towards your L3 firewall is less preferable, though not impossible, correct?

That is correct. I personally prefer Layer 3, and it has been working fine for me for years now.

HTH
