Solved: Re: Configuring MEC ports in VSS

kick534 · ‎11-01-2019

Hi,

need to configure MEC ports in VSS for Firewall,

existing Scenario:

existing 4500 and 6807 switch are configured in HSRP,

below configuration of ports :

6807 (config) #interface TenGigabitEthernet1/1
description "To Firewall "
ip address 192.268.25.1 255.255.255.252

4500(config) #interface GigabitEthernet1/1
                      description "To Firewall"
                      no switchport
                      bandwidth 1000000
                      ip address 192.168.25.1 255.255.255.252
Please help to configure this port in MEC for VSS

Reza Sharifi · ‎11-06-2019

This will be a routed, layer-3 Po. So, there is no need for Switch port trunk command at all.

HTH

View solution in original post

balaji.bandi · ‎11-01-2019

Can you elaborate more on the issue?

You can not mix 2 devices into one MEC

HSRP is a Virtual IP address you can have the same IP address on different devices in the same network.

existing 4500 and 6807 switches are configured in HSRP, <<- is this your live environment?

the configuration you provided was working one, or proposing one?

Like to see your high-level network diagram how these 2 switches connected and how your FW connected, what mode you like to configure, transparent or route mode?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

kick534 · ‎11-01-2019

existing 4500 and 6807 switches are configured in HSRP, <<- is this your live environment? Yes Running environment,

Now we are migrating from HSRP to VSS

we will replace 4500 series switch with 6807xl ; ( please find the attach design)

in two 6807 switches we will configure VSS, after achieving VSS i need how to configured Firewall ports,

existing configuration of firewall ports in HSRP mode is in my first post.

balaji.bandi · ‎11-01-2019

attachment missed here--post again.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

kick534 · ‎11-02-2019

please find the attach visio design,

Reza Sharifi · ‎11-02-2019

In order to achieve what you need is that you have to put both ports from the VSS 6807 switches in a Portchannel and than configure a /30 subnet on the Portchannel interface (Layer-3 PO). You also have to make sure that the firewall supports some sort of aggregation with LACP or mode on. I am assuming this is only one firewall and not 2.

HTH

kick534 · ‎11-02-2019

Thank you for your reply @Reza Sharifi

Correct me in below configuration :

VSS- Switches :

interface Port-channel10
description *** To firewall ***
switchport
switchport mode trunk

interface TenGigabitEthernet 1/1/7
description *** To Firewall ***
switchport mode trunk
channel-group 10 mode active
!
interface TenGigabitEthernet 2/1/7
description *** To Firewall ***
switchport mode trunk
channel-group 10 mode active

1) Please suggest for L3 PO ???

2) please suggest me for Cisco firewall side configuration .

3) only 1 firewall is there.

Reza Sharifi · ‎11-02-2019

Ok, the config you posted in for a lyer-2 po. If you are planning to do layer-3, the config should look like this

interface Port-channel10
description *** To firewall ***
no switchport
ip address x.x.x.x/30

interface TenGigabitEthernet 1/1/7
description *** To Firewall ***
channel-group 10 mode active
!
interface TenGigabitEthernet 2/1/7
description *** To Firewall ***
channel-group 10 mode active

You also need a po config on the firewall with an IP in the same segment as the /30.

HTH

kick534 · ‎11-06-2019

Thank you for reply @Reza Sharifi @balaji.bandi

so i will configure L3 PO as below

interface Port-channel10
description *** To firewall ***
no switchport
ip address 182.30.210.1 255.255.255.252 ( and my other side ip 182.30.210.2 255.255.255.252)

interface TenGigabitEthernet 1/1/7
description *** To Firewall ***
channel-group 10 mode active
!
interface TenGigabitEthernet 2/1/7
description *** To Firewall ***
channel-group 10 mode active

we don't need Switch port trunk command in Interface ports ????

Please reply me as above commands will work or i need to add Switch port command in Interface ports .