Please see attached photo for design
I know this is a VERY VERY VERY common design, but I just can't convince myself on how the VLANs can have internet.
InterVLAN routing is okay. VLANs talk to each other inside the N3k.
But if they want to have internet, what config does the N3k do and also the FW?
* is it L3 point to point (creating static routes)? how? because I think you cannot share one IP for each port in each N3K.
* or creating a VLAN Interface in the FW? so create a trunk connection from FW to Nexus3k?
* will vPC play a role here? can I do portchannel in firewall going down to Nexus? (will the FW see the 2 nexus as ONE nexus because of vPC?)
(If the switches were stackable, L3 would be the easiest way. static route from Core Sw to FW, and vice versa.)
But this is HSRP and really confuses me.
Hope anyone can clear this up. Thanks in advance!
You can create a layer-3 Portchannel (not VPC) between the Nexus and the Firewalls. Not sure if the FWs support link aggregation. Maybe LACP as long as the FWs can support it.
The firewalls are fortigate, they support 802.3ad aggregate.
I agree with L3 between NX and Fortigate FWs. I like to have a L3 connection between the Nexus and FW.
But my concern in the Nexus is if I create a Layer3 Porchannel, who are the member ports?
NX01 Port01 and NX01 Port02, right? and they connect to FW01 Port01 and FW02 Port01, respectively.
so I give this portchannel an IP address lets say, 192.168.1.1.
But how about the 2nd Nexus.
NX02 Port01 to FW01 Port02
NX02 Port02 to FW02 Port02
Port channel, but what IP address do I give this port channel? 192.168.1.1 also? I think that wont work.
I tested the solution between nexus 9k and fortigate 1200D firewall and everything works fine. On nexus switches i created two VPC's and one fortinet firewall i created LACP port channels.
Nexus 1 - Port 1 - Connecting to FW1 - In vPC 17
Nexus 1 - Port 2 - Connecting to FW2 - In vPC 18
Nexus 2 - Port 1 - Connecting to FW1 - In vPC 17
Nexus 2 - Port 2 - Connecting to FW2 - In vPC 18
Based on above vPC concept firewall will see both ports from nexus 1 and nexus 2 which are in vPC 17 as single port channel. Once we create port channel on foritage for ports coming from nexus 1 and nexus 2 which are in vPC 17 it will acts as single virtual bundled link. Similar for port channel & vPC 18.
Attached is the configs for Nexus SW 1 and SW 2.
On Fortigate we just have to create port channel (802.3ad) on primary and same will be replicated on secondary.
VSAN trunking enables interconnect ports to transmit and receive frames in more than one VSAN, over the same physical link, using enhanced ISL (EISL) frame format. VSAN trunking is supported on native Fibre Channel interfaces, but not on virtual Fibre Channel interfaces.
It depends on how your firewall HA setup works, most likely it will be something HSRP alike with a VIP shared between the two FWs?
If so, then simply trunk the transport vlan between Nexus and the Fortinet FWs to all 4 devices and point the default route from Nexus upstream to the VIP of the FW cluster and vice versa the route to the DC vlans (summary route) towards the HSRP IP of the Nexus.
You could definetly go for VPC in this case which provides better throughput and more resilience against a single link failure.
The second option would be to run some dynamic routing protocol between Nexus and the firewall, this is normally done in an active/active setup, this means the links between Nexus and the FWs are individual L3 Links and failover or loadbalancing will rely on the routing protocol, this is usually not the way a firewall cluster is operated.
Edit: if you plan to purchase those Nexus switches, be advised that you don't need the L3 Enterprise License for that setup. HSRP and static Routing is included in the LAN Base license. And depending on which Nexus3k switch you are planning, consider to use a Nexus 9k instead, they are the better switches and are just slightly more expensive. (talking about the newest generation like 93180YC-EX, not the old generations)