
Provide a gateway on 6509 in VSS for firewall in active standby

Hello all,

 

A core switch pair 6509 with VSS enabled. I need to free up two 10G (X2 type 10G) ports; the Sup 720 is being used to provide two VSL redundant links 1 and 2. Thinking to FREE up link 2. Read this is an L3 port and cannot be turned into an L2.

 

Anyway two questions

1) Is the above okay to have just one VSL interlink and best way to bring out link 2 from VSS.

2) Best way to provide a gateway IP using two L3 links freed up from each core in VSS for an ASA in active/standby. HSRP/VRRP, priority in line with VSS priority. L3 port-channel with IP?? Assume firewall does not understand LACP or PAgP as I have no control that side.

 

 

Thanks for any help

Jas


Accepted Solutions
VIP Expert

Re: Provide a gateway on 6509 in VSS for firewall in active standby

Hi,

1) Is the above okay to have just one VSL interlink and best way to bring out link 2 from VSS.

Yes, VSL will work with one link as well.  The reason for 2 links is redundancy but if you need the other port you can use it for something else.

2) Best way to provide a gateway IP using two L3 links freed up from each core in VSS for an ASA in active/standby. HSRP/VRRP, priority in line with VSS priority. L3 port-channel with IP?? Assume firewall does not understand LACP or PAgP as I have no control that side.

Best practice for VSS is to connect the firewall to both chassis via some sort of aggregation. Cisco firewalls understand Portchannel. So, aggregation using LACP or mode on should not be an issue.

HTH 

 


Beginner

Re: Provide a gateway on 6509 in VSS for firewall in active standby

Thanks for your reply Reza. 

What would be used for a non-Cisco firewall? They are having options with brands. Supports LACP but will have one link per firewall, i.e. two Cisco uplinks and one firewall downlink per firewall.

Think that should work; one link in the Cisco port-channel would not be used until failover?

 

Thanks

 

Jas

 

 

VIP Expert

Re: Provide a gateway on 6509 in VSS for firewall in active standby

Hi,

For a non-Cisco firewall, what I have seen is usually one link from one firewall to one switch and another link from the other firewall to the other switch (no cross-connects).

HTH

Beginner

Re: Provide a gateway on 6509 in VSS for firewall in active standby

Thanks Reza. Just had a thought... should the port channel seen from the Cisco router side see one link up and one down as the other link is in standby (standby firewall)?

 

Thanks

 

Jas

 

 

VIP Expert

Re: Provide a gateway on 6509 in VSS for firewall in active standby

Hi,

No, both links in the Portchannel should be in up and up mode.

HTH

Beginner

Re: Provide a gateway on 6509 in VSS for firewall in active standby

Thanks Reza.