Nexus 5548up VPC pair Layer 3 and ASA connection

adamwhelan4
Level 1

Hi Everyone,

I have a pair of Nexus 5548UP in vPC mode also doing Layer 3 routing between some VLANs. I have an active/standby setup for my ASA firewalls. What is the appropriate method for routing traffic from the Nexus over to the ASA? Do I need to create routed ports? Or do I create another SVI/VLAN and just assign that port into this VLAN? Please let me know if you need more clarification.

Thank You

6 Replies

dukenuk96
Level 3

Hi

If you have two ASAs in an active/standby failover configuration, it is better to connect them to both Nexuses - one ASA to one Nexus, the other ASA to the other Nexus. You will not be able to configure different IP networks on the same interfaces for your ASA, so you will need to use SVIs on the Nexuses and pass this VLAN to the ASA ports.

Hi,

I do plan on connecting the active firewall to the primary Nexus and the standby firewall to the secondary Nexus. I believe you answered my question about the SVI. I plan to create a point-to-point VLAN/SVI that will use HSRP. I will then put the uplink ports to the firewalls into that VLAN.

Yes, you are going the right way.

OK thank you. I got the following advice in another thread but I was a bit confused by it.

"As for routed interfaces, for such setup you need SVI for egress vlan on Nexus (default gateway) and BVI interface bridging ingress and egress vlans on ASA."

Strange advice, not sure what is meant exactly :)

It depends on how you want to configure the ASA, transparent or routed mode. In routed mode a BVI is not needed; see the sample configurations below for dual and single connection and attachment. I prefer dual connections because they provide redundancy and high availability.

For ASA with port-channel
-----------------------------------
interface Port-channel30
 description Uplink Inside (VLAN X)
 lacp max-bundle 8
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
!
interface GigabitEthernet1/0
 description Uplink Inside
 channel-group 30 mode active
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet1/1
 description Uplink Inside
 channel-group 30 mode active
 no nameif
 no security-level
 no ip address

Nexus
-------

interface Ethernet1/3
  description Inside-Primary
  switchport access vlan X
  speed 1000
  no negotiate auto
  channel-group 32 mode active
!
interface Ethernet1/4
  description Inside-backup
  switchport access vlan X
  speed 1000
  no negotiate auto
  channel-group 33 mode active
!
interface port-channel 32
  description Inside-Primary
  switchport access vlan X
  speed 1000
  no negotiate auto
  vpc 32

interface port-channel 33
  description Inside-backup
  switchport access vlan X
  speed 1000
  no negotiate auto
  vpc 33


------------------------------------------------------------
ASA single connection
------------------------------------------------------------
interface GigabitEthernet1/0
 description Uplink Inside (VLAN X)
 nameif Inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
Nexus
-------

interface Ethernet1/3
  description Inside-Primary
  switchport access vlan X
  speed 1000
  no negotiate auto
  channel-group 32 mode active
!
interface port-channel 32
  description Inside-Primary
  switchport access vlan X
  speed 1000
  no negotiate auto
  vpc 32

Hope this sample configuration helps out
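The Nexus side of the design agreed earlier in the thread (a point-to-point transit VLAN/SVI running HSRP, with the ASA uplinks in that VLAN) is not shown in the sample above. The following is an added example and not configuration posted by anyone in this thread: VLAN 100, the SVI addresses 192.168.1.252/.253, the HSRP VIP 192.168.1.254, the key placeholder and the internal prefix 10.10.0.0/16 are assumptions; the ASA inside addresses 192.168.1.1 (active) and 192.168.1.2 (standby) are taken from the sample configuration above.

```cisco
! --- Nexus-A (vPC primary): transit SVI towards the ASA inside interface ---
feature interface-vlan
feature hsrp

! Dedicated transit VLAN; only the ASA uplink port-channels should be members
vlan 100
  name ASA-Inside-Transit

interface Vlan100
  description Transit to ASA Inside (HSRP VIP 192.168.1.254)
  no shutdown
  ! HSRP on NX-OS requires redirects to be disabled on the SVI
  no ip redirects
  ip address 192.168.1.253/24
  hsrp version 2
  hsrp 100
    ! Authenticated group so a rogue host on the VLAN cannot take over the VIP
    authentication md5 key-string HSRP_KEY_PLACEHOLDER
    preempt delay minimum 120
    priority 110
    ip 192.168.1.254

! Everything not routed internally goes to the active ASA's inside address
ip route 0.0.0.0/0 192.168.1.1

! --- Nexus-B (vPC secondary): same SVI and group, lower priority ---
interface Vlan100
  description Transit to ASA Inside (HSRP VIP 192.168.1.254)
  no shutdown
  no ip redirects
  ip address 192.168.1.252/24
  hsrp version 2
  hsrp 100
    authentication md5 key-string HSRP_KEY_PLACEHOLDER
    priority 90
    ip 192.168.1.254

ip route 0.0.0.0/0 192.168.1.1

! --- ASA (configured on the active unit; failover replicates it) ---
! Return routes for the internal VLANs point at the HSRP VIP, not at the real
! address of one Nexus, so they keep working when either Nexus is down.
route Inside 10.10.0.0 255.255.0.0 192.168.1.254 1
```

Verify with `show hsrp brief` on both Nexuses (one Active, one Standby for group 100) and `show route` on the ASA, which should list the 10.10.0.0/16 route via 192.168.1.254 on the Inside interface.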
