Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
658
Views
0
Helpful
1
Replies

Double Sided vPC with Cisco ASAs topology flow

Jim Araujo
Level 1
Level 1

‎11-26-2013 10:18 AM - edited ‎03-07-2019 04:47 PM

Hey all, I am having an issue conceptual understanding how flow would work with the following. For Access Layer devices trying to leave the internal network.

Notes:

On the Core Nx7K's I have an HSRP of 10.0.0.1, also there is a static default gateway route set to go to 10.1.1.1 (the ASA)

For the Nx5K they are aggregate switches. They don't have layer 3 info, but separte different traffic zones based on local VLANs on them.

The ASA's are in Active/Standby with heartbeat between them.

My question is a host with IP of 10.0.0.55 ,as depicted, trying to go out to 8.8.8.8. The host will see it has to use the default gateway and the frame will be sent to either Nx7K. Each Nx7K in it's routing table has a static default gateway to go to the next hop of 10.1.1.1 (which is the active VIP of the ASA). The thing I am having trouble understanding is how will the Nx7K's (CORE) now how to get to teh ASA? Which Nx5K will the frame be sent to? does it matter? Do I need a layer 3 presecens on the 5k's ?

P.S.

this all stems from, currently we have a single  Nx5K acting as an aggreagte switch. I am trying to add an additional  Nx5K with vPC and Port-Channeling on the ASA side to add failover in  case a Nx5K fails.

Thanks everyone for taking the time to look.

-Jim

Labels:
Preview file
44 KB
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎11-26-2013 11:49 AM

The 7k knows how to get to the ASA based on it's ARP processes determining and then caching (in the ARP cache table) the MAC address for the gateway.

As long as the VLAN where 10.1.1.1 address extends through the portchannel (and there's an associated VPC on the 5k for those portchannels) and through the VPC 1 from your 5ks to 7ks it should work fine.

The 5ks don't need to be involved in L3 forwarding decisions for flows out to the ASAs - only L2 as they will determine the correct physical port based on the destination MAC address (and load balance across the portchannel to the active ASA based on the load balancing algorithm - default is source-dest MAC so in the case where most everything comes from the 7k MAC and to the ASA MAC, you may want to change that to source-dest ip to optimize. Reference.)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card