Re: Nexus VPC loop prevention on ASA active/standby pair?

egilles123 · ‎04-05-2018

I have a network design with 2 Nexus 9K's as the core swithces and an upstream ASA active/standby pair. The ports connecting the Cisco ASA to the Nexus are access ports and those SVI's live on the Nexus. The Nexus's are connected with the peer link and all ports all allowed on that trunk. All the SVI's between both 9K's are advertised into EIGRP. Will I have any issues when one ASA fails over to the other ASA or if the Nexus fails over. I looked at Brad Hedlunds routing over VPC document and I don't see my exact design. Can you guys hel[p me out on this. I attached a diagram.

http://bradhedlund.com/2010/12/16/routing-over-nexus-7000-vpc-peer-link-yes-and-no/

egilles123 · ‎04-10-2018

Any ideas or thoughts?

Reza Sharifi · ‎04-10-2018

You need an IP address on the active firewalls. I also assume you have a link between the 2 ASAs. Beside that, this design should work fine. You probably need to turn on some sort of tracking, so in case the link between 9k-1 and active ASA fails, the firewall should switch to the standby and forward all traffic.

HTH

egilles123 · ‎04-10-2018

What about the VPC rules regarding loop prevention? Is this only a problem if I enabled EIGRP between the ASA and the Nexus?

Reza Sharifi · ‎04-10-2018

Should not be an issue. After enabling it, you probably will see a peering between the firewalls and the HSRP VIP. The other option would be to peer the firewalls with the physical IPs of the Nexus (no HSRP) which should show as 2 peerings.

HTH