04-20-2016 07:36 AM - edited 03-08-2019 05:25 AM
Hi Everyone,
I have a pair of Nexus 5548UP in vPC mode also doing layer 3 routing between some VLANs. I have an active/standby setup for my ASA firewalls. What is the appropriate method for routing traffic from the Nexus over to the ASA? Do I need to create routed ports? Or do I create another SVI/VLAN and just assign that port into this VLAN? Please let me know if you need more clarification.
Thank You
04-21-2016 11:47 PM
Hi
If you have two ASAs in active/standby failover configuration, it is better to connect them to both Nexuses: one ASA to one Nexus, the other ASA to the other Nexus. You will not be able to configure different IP networks on the same interfaces for your ASA, so you will need to use SVIs on the Nexuses and pass this VLAN to the ASA ports.
04-22-2016 05:48 AM
Hi,
I do plan on connecting the active firewall to the primary Nexus and the standby firewall to the secondary Nexus. I believe you answered my question about the SVI. I plan to create a point-to-point VLAN/SVI that will use HSRP. I will then put the uplink ports to the firewalls into that VLAN.
04-22-2016 05:50 AM
Yes, you are going the right way.
04-22-2016 05:54 AM
OK thank you. I got the following advice in another thread but I was a bit confused by it.
"As for routed interfaces, for such setup you need SVI for egress vlan on Nexus (default gateway) and BVI interface bridging ingress and egress vlans on ASA."
04-22-2016 06:06 AM
Strange advice, not sure what is meant exactly :)
04-25-2016 07:53 AM
It depends on how you want to configure the ASA: transparent or routed mode. In routed mode a BVI is not needed; see the sample configurations below for dual and single connection and attachment. I prefer dual connections because they provide redundancy and high availability.
For ASA with port-channel
-----------------------------------
interface Port-channel30
description Uplink Inside
lacp max-bundle 8
nameif Inside (VLAN X)
security-level 100
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
!
interface GigabitEthernet1/0
description Uplink Inside
channel-group 30 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/1
description Uplink Inside
channel-group 30 mode active
no nameif
no security-level
no ip address
Nexus
-------
interface Ethernet1/3
description Inside-Primary
switchport access vlan X
speed 1000
no negotiate auto
channel-group 32 mode active
!
interface Ethernet1/4
description Inside-backup
switchport access vlan X
speed 1000
no negotiate auto
channel-group 33 mode active
!
interface port-channel 32
description Inside-Primary
switchport access vlan X
speed 1000
no negotiate auto
vpc 32
interface port-channel 33
description Inside-backup
switchport access vlan X
speed 1000
no negotiate auto
vpc 33
------------------------------------------------------------
ASA single connection
------------------------------------------------------------
interface GigabitEthernet1/0
description Uplink Inside
nameif Inside (VLAN X)
ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
Nexus
-------
interface Ethernet1/3
description Inside-Primary
switchport access vlan X
speed 1000
no negotiate auto
channel-group 32 mode active
!
interface port-channel 32
description Inside-Primary
switchport access vlan X
speed 1000
no negotiate auto
vpc 32
Hope this sample configuration helps out
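The sample above covers the ASA and Nexus port configuration but not the SVI/HSRP piece the thread settled on. The following is an added example, not from the original post or from Cisco, of the point-to-point VLAN on both Nexus switches and the matching ASA route. VLAN 100 (standing in for "VLAN X"), the SVI addresses 192.168.1.253/.252, the HSRP VIP 192.168.1.254, group 1 and the 10.0.0.0/8 internal range are assumed values chosen for the example.

```text
! ===== Nexus 1 (vPC primary) =====
feature interface-vlan
feature hsrp
!
vlan 100
  name ASA-Inside-Transit
!
interface Vlan100
  description P2P to ASA inside (VLAN 100 is an assumed value for "VLAN X")
  no shutdown
  no ip redirects
  ip address 192.168.1.253/24
  hsrp version 2
  hsrp 1
    preempt
    priority 110
    ip 192.168.1.254
!
! Default route towards the ASA pair. The active ASA always owns
! 192.168.1.1 (the standby holds .2), so the next hop survives failover.
ip route 0.0.0.0/0 192.168.1.1
!
! ===== Nexus 2 (vPC secondary) =====
feature interface-vlan
feature hsrp
!
vlan 100
  name ASA-Inside-Transit
!
interface Vlan100
  description P2P to ASA inside
  no shutdown
  no ip redirects
  ip address 192.168.1.252/24
  hsrp version 2
  hsrp 1
    preempt
    priority 100
    ip 192.168.1.254
!
ip route 0.0.0.0/0 192.168.1.1
!
! ===== ASA (config is replicated to the standby unit) =====
! Internal networks behind the Nexus pair reach the ASA via the HSRP VIP,
! so a Nexus failure does not require a route change on the firewall.
route Inside 10.0.0.0 255.0.0.0 192.168.1.254 1
```

Keep the transit VLAN limited to the ASA-facing ports and the vPC peer link so no server VLAN shares the segment that carries traffic to and from the firewall.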