PortChannel between a VSS pair of switches and an HA pair of Firewalls

atsukane
Level 1

Hi team,

I've been cabling up between VSS/stacked switches and an HA pair of Firewalls like below, so they are connected across both switches:

ChilledBeverage_0-1673022659142.png

I'm now working with a consultant for a project and he pointed out that this is wrong and it should be like this, so the failover kicks in properly:

ChilledBeverage_1-1673022739687.png

Is this right?

Thanks,


8 Replies

It depends on what the port-channel is: is it L2 or L3?

Thanks @MHM Cisco World. It would be L3; the switch's default route is pointing to the firewall. Thanks

Reza Sharifi
Hall of Fame

Hi,

I'm not sure what vendor firewall you are using, but if you are using clustering on the firewalls with one IP representing both devices, the diagram without the cross-connects should work fine.

So, let's look at a couple of scenarios, assuming the firewall on the right is the primary device and the VSS chassis on the right is also the primary device. If the primary VSS device fails, the secondary chassis on the left will take over and forward traffic to the passive firewall. Now in this situation, you want to make sure that when the primary VSS goes down, the primary firewall hands over the traffic forwarding responsibility to the standby firewall, so the traffic is not sub-optimal by going through the passive firewall, the interconnect, and then the active firewall.

The second scenario is a link failure between the primary switch and the primary firewall. In this case, the same concept as above should apply and the traffic should simply go through the secondary chassis and the new active firewall, both on the left.

HTH 

 

Thanks for the explanation @Reza Sharifi. They are an HA pair of Cisco ASAs, soon to be replaced with Cisco FTDs.

The consultant was saying the cross-connect is WRONG, so I was a bit shocked, as I've been following this design, passed on from my mentor, so I just wanted to check with the experts here.


@atsukane you can cross connect the ASA or FTD to a VSS/VPC

If you use the threat defense device in an Active/Standby failover deployment, then you need to create separate EtherChannels on the switches in the VSS/vPC, one for each threat defense device. On each threat defense device, a single EtherChannel connects to both switches.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/device-config/730/management-center-device-config-73/interfaces-settings-ifcs-firewall.html#id_90517
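Below is a worked configuration for the topology described in that reply (Figure 2 in the linked guide): two EtherChannels on the VSS, one per firewall, and on each ASA a single EtherChannel whose two members land on different VSS chassis. This is an added example, not configuration from the original thread or from Cisco's documentation. All interface names (chassis/slot/port numbering on the VSS, Gi0/x on the ASA), VLAN and IP addresses, and channel-group numbers are assumed. Because an Active/Standby pair shares one subnet (active IP plus standby IP), the switch side is shown as two Layer 2 port-channels in one VLAN with the routing and the default route on an SVI, rather than as two separately addressed routed port-channels.

```cisco
! ===== VSS side (IOS; both chassis form one logical switch) =====
! Assumed port numbering is chassis/slot/port, chassis 1 and 2 of the VSS.
vlan 100
 name FW-TRANSIT
!
! Po11 = ASA-Primary: one member on each VSS chassis
interface Port-channel11
 description ASA-Primary inside
 switchport
 switchport mode access
 switchport access vlan 100
!
interface TenGigabitEthernet1/4/1
 description ASA-Primary Gi0/0 (chassis 1)
 switchport
 switchport mode access
 switchport access vlan 100
 channel-group 11 mode active
!
interface TenGigabitEthernet2/4/1
 description ASA-Primary Gi0/1 (chassis 2)
 switchport
 switchport mode access
 switchport access vlan 100
 channel-group 11 mode active
!
! Po12 = ASA-Secondary: again one member on each chassis
interface Port-channel12
 description ASA-Secondary inside
 switchport
 switchport mode access
 switchport access vlan 100
!
interface TenGigabitEthernet1/4/2
 description ASA-Secondary Gi0/0 (chassis 1)
 switchport
 switchport mode access
 switchport access vlan 100
 channel-group 12 mode active
!
interface TenGigabitEthernet2/4/2
 description ASA-Secondary Gi0/1 (chassis 2)
 switchport
 switchport mode access
 switchport access vlan 100
 channel-group 12 mode active
!
! Routing on the SVI; the default route points at the firewalls' shared active IP
interface Vlan100
 ip address 10.100.0.2 255.255.255.248
!
ip route 0.0.0.0 0.0.0.0 10.100.0.1
!
! ===== ASA side (entered on the primary; failover replicates it to the secondary) =====
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
interface Port-channel1
 nameif inside
 security-level 100
 ip address 10.100.0.1 255.255.255.248 standby 10.100.0.3
!
! Dedicated failover link; on the secondary unit use "failover lan unit secondary"
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/7
failover link FOLINK GigabitEthernet0/7
failover interface ip FOLINK 192.168.255.1 255.255.255.252 standby 192.168.255.2
monitor-interface inside
failover
```

To check it, `show etherchannel summary` on the VSS should show both members of Po11 and Po12 bundled (flag P), and `show port-channel summary` plus `show failover` on the ASA should show Port-channel1 up on both units with the standby unit in "Standby Ready". With this cabling, losing one VSS chassis removes one member from each port-channel but leaves both ASAs with a live link, so that event alone does not trigger a failover; because Port-channel1 is the monitored interface, failover occurs only if the active unit's whole channel goes down.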


Thanks @Rob Ingram. "Figure 2. Active/Standby Failover and VSS/vPC" in the link is exactly how we are set up.

So it's not "wrong" as such.


@atsukane no, it's not wrong at all if you are using VSS/VPC. The ASA has supported this configuration for a long time, as has the FTD.

atsukane
Level 1

That's great, thanks a lot @Rob Ingram 
