10-31-2018 08:22 PM - edited 03-08-2019 04:31 PM
Hi expert,
I'm new to Nexus. I would like some opinions on whether the attached setup will work. There is no EtherChannel on the firewall side. What config is needed on the Nexus side? Maybe somebody can lead me to a good example. Thanks
thanks,
chris
11-01-2018 02:44 AM
Hey Chris,
That is not going to work. The firewall cannot have two interfaces sharing the same subnet. The best thing you could do here is to add a third switch which supports LACP. You can then connect this L2 switch via a vPC port-channel, so it will be dual-homed to both Nexus. Then you can create an interface VLAN on both Nexus and use HSRP/VRRP to provide gateway redundancy to the firewall.
This will avoid maintaining multiple subnets, multiple gateways and hence multiple routes.
HTH,
ADP
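A sketch of the Nexus-side configuration for the design described in the reply above, added here as an example and not posted by anyone in the thread. The VLAN, port-channel and vPC numbers, interface names, addresses and the HSRP key are constructed placeholders; the second Nexus mirrors this with its own SVI address and a lower HSRP priority.

```text
! Nexus-1 (constructed example values throughout)
feature lacp
feature vpc
feature interface-vlan
feature hsrp

vlan 100
  name FW-TRANSIT

vpc domain 10
  ! keepalive runs over the management VRF, not over the peer-link
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management

interface port-channel1
  description vPC peer-link to Nexus-2
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface port-channel20
  description vPC to the L2 switch facing the firewall
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  vpc 20

interface Ethernet1/10
  description member link to the L2 switch (LACP)
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  channel-group 20 mode active
  no shutdown

interface Vlan100
  description gateway for the firewall subnet
  no shutdown
  ip address 192.168.1.2/29
  hsrp 1
    ! authenticate HSRP hellos so another host on the VLAN cannot claim the VIP
    authentication md5 key-string <PLACEHOLDER-KEY>
    preempt
    priority 110
    ip 192.168.1.1
```

The firewall's next hop is the HSRP virtual address (192.168.1.1 here), so a failure of either Nexus does not change its routing.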
11-01-2018 04:53 AM
Hi ADP, thanks for the reply. Noted on that.
11-01-2018 03:35 PM
Hello
What is it you're wanting to accomplish?
Is this just the one FW or an HA pair?
11-01-2018 07:39 PM
11-02-2018 01:57 AM - edited 11-02-2018 02:05 AM
Hello
So basically the HA pair will have the exact same IP addressing, apart from the primary being specified as LAN primary and the secondary as LAN secondary, and each FW will then be connected into your core exactly the same.
Primary fw
failover lan unit primary
Outside interface x/x
ip address 10.1.12.1 255.255.255.0 standby 10.1.12.2
Inside interface x/x
ip address 10.1.13.1 255.255.255.0 standby 10.1.13.2
Primary LAN FO link - x/x 172.16.1.1/30 - Standby 172.16.1.2/30
Primary Stateful FO link - x/x 172.16.2.1/30 Standby 172.16.2.1/30
Secondary fw
failover lan unit secondary
(as above)
11-04-2018 11:43 PM
Hi Paul,
Thanks for the reply. I have a similar setup from the post below.
I have 3 sets of non-Cisco firewalls that need to connect to Nexus 3k. 1 of them is PA. If I follow the setup as the above topic says, like:
Primary PA (192.168.1.4/29) <-----> (192.168.1.2/29) (access vlanX)Primary Nexus (hsrp vip:192.168.1.1)
Secondary PA (192.168.1.5/29) <------> (192.168.1.3/29) (access vlanx)Secondary Nexus (hsrp vip : 192.168.1.1)
Will I still achieve the redundancy on the Nexus portion? I.e. if the primary Nexus goes down, the secondary will take over?
Thanks a lot!
chris