Solved: Provide a gateway on 6509 in VSS for firewall in active standby

Jas1066 · ‎03-27-2018

Hello all,

A core switch pair 6509 with VSS enabled, i need to free up two 10G (X2 type 10G) ports, the sup 720 is being used to provide two VSL redundant links 1 and 2. Thinking to FREE up link 2. Read this is a L3 port and cannot be turned into a L2.

Anyway two questions

1) Is the above okay to have just one VSL interlink and best way to bring out link 2 from VSS.

2) Best way to provide a gateway IP using two L3 links freed up from each core in VSS for an ASA in active/standby. HSRP/VRRP, priority inline with VSS priority. L3 portchanel with IP?? assume firewall does not understand LACP or PAGP as i have no control that side.

Thanks for any help

Jas

Reza Sharifi · ‎03-27-2018

Hi,

1) Is the above okay to have just one VSL interlink and best way to bring out link 2 from VSS.

Yes, VSL will work with one link as well. The reason for 2 links is redundancy but if you need the other port you can use it for something else.

2) Best way to provide a gateway IP using two L3 links freed up from each core in VSS for an ASA in active/standby. HSRP/VRRP, priority inline with VSS priority. L3 portchanel with IP?? assume firewall does not understand LACP or PAGP as i have no control that side.

Best practice for VSS is to connect the firewall to both chassis via some sort of aggregation.Cisco firewalls understand Portchannel. So, aggregation using LACP or mode on should not be an issue.

HTH

View solution in original post

Reza Sharifi · ‎03-27-2018

Hi,

1) Is the above okay to have just one VSL interlink and best way to bring out link 2 from VSS.

Yes, VSL will work with one link as well. The reason for 2 links is redundancy but if you need the other port you can use it for something else.

2) Best way to provide a gateway IP using two L3 links freed up from each core in VSS for an ASA in active/standby. HSRP/VRRP, priority inline with VSS priority. L3 portchanel with IP?? assume firewall does not understand LACP or PAGP as i have no control that side.

Best practice for VSS is to connect the firewall to both chassis via some sort of aggregation.Cisco firewalls understand Portchannel. So, aggregation using LACP or mode on should not be an issue.

HTH

Jas1066 · ‎03-28-2018

Thanks for your reply Reza.

What would be used for a non cisco firewall. They are having options with brands. supports LACP but will have one link per firewall ie two cisco uplinks and one firewall down link per firewall.

Think that should work one link in the cisco port-channel would not be used until failover?

Thanks

Jas

Reza Sharifi · ‎03-28-2018

Hi,

For a none Cisco firewall what I have seen is usually one link from one firewall to one switch and another link from the other firewall to the other switch (no cross-connects).

HTH

Jas1066 · ‎04-02-2018

Thanks Reza. Just had a thought ..should the port channel seen from the cisco router side see one link up and one down as the other link is in standby (standby firewall)?

Thanks

Jas

Reza Sharifi · ‎04-02-2018

Hi,

No, both links in the Portchannel should be in up and up mode.

HTH

Jas1066 · ‎04-03-2018

Thanks Reza.