Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
901
Views
0
Helpful
6
Replies

nexus 3k vpc with no etherchannel

Meuserid1979
Level 1
Level 1

‎10-31-2018 08:22 PM - edited ‎03-08-2019 04:31 PM

HI expert,

im new to nexus. i would like some opinion whether the attached setup will work. no etherchannel on firewall side. what necessary config needed on nexus side. maybe somebody can lead me to a good example. thanks

 

thanks,

chris 

Labels:
Preview file
33 KB
0 Helpful
6 Replies 6

ADP_89
Level 1
Level 1

‎11-01-2018 02:44 AM

Hey Chris,

 

That is not going to work. The firewall cannot have two interfaces sharing the same subnet. The best thing you could do here is to add a third switch wich supports lacp. You can then connect this L2 switch via a VPC port-channel, so it will be dual-homed to both nexus. Then you can create an interface vlan on both nexus and use HSRP/VRRP to provide gateway redundancy to the firewall.

This will avoid to maintain multiple subnets, multiple gateways and hence multiple routes.

 

HTH,

ADP

 

0 Helpful

Meuserid1979
Level 1
Level 1
In response to ADP_89

‎11-01-2018 04:53 AM

hi ADP, thanks for the reply. noted on that 

0 Helpful

paul driver
VIP
VIP

‎11-01-2018 03:35 PM

Hello

What is it your wanting to accomplish?
is this just the one fw or an HA pair?


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Meuserid1979
Level 1
Level 1
In response to paul driver

‎11-01-2018 07:39 PM

HI paul,

it will be 2 firewalls that will be on HA as well. what i need to do is setup firewalls linking to 2xnexus 3k then will support high availability on core switch side.
0 Helpful

paul driver
VIP
VIP
In response to Meuserid1979

‎11-02-2018 01:57 AM - edited ‎11-02-2018 02:05 AM

Hello

So basically the HA will have the exact same ip addressing apart from the primary being specified as lan primary and the secondary as lan secondary and each fw will then be connected into your core exactly the same

Primary fw
failover lan unit primary
Outside interface x/x
ip address 10.1.12.1 255.255.255.0 standby 10.1.12.2

Inside interface x/x
ip address 10.1.13.1 255.255.255.0 standby 10.1.13.2

Primary LAN FO link - x/x 172.16.1.1/30  - Standby 172.16.1.2/30
Primary Stateful FO link - x/x   172.16.2.1/30  Standby 172.16.2.1/30

Secondary fw
failover lan unit secondary

(as above)


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
0 Helpful

Meuserid1979
Level 1
Level 1
In response to paul driver

‎11-04-2018 11:43 PM

Hi paul,

 

thanks for the reply. i have a similar setup from this below post

 

https://community.cisco.com/t5/switching/connecting-active-passive-palo-alto-pair-850-to-nexus-vpc-7k/td-p/3095033

 

i have 3 sets of non-cisco firewalls that needs to connect to nexus 3k. 1 of them is PA. if i follow the setup as what the above topic says like:

Primary PA (192.168.1.4/29) <-----> (192.168.1.2/29) (access vlanX)Primary Nexus (hsrp vip:192.168.1.1)

 

Secondary PA (192.168.1.5/29) <------> (192.168.1.3/29) (access vlanx)Secondary Nexus  (hsrp vip : 192.168.1.1)

 

will i still achieve the redundancy on the nexus portion? i.e if primary nexus goes down the secondary will take over

 

thanks alot!

chris

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card