I set "lacp rate fast" on all interfaces so that control packets are sent every second instead of every 30 seconds by default.
On the 9470, I set a low value (higher priority) for system-priority, and set a low value for port-priority on the 1Gbps link, leaving the 100Mbps link at the default port-priority. When I set "lacp max-bundle 1", it put the 100Mbps link into hot standby.
On the Datacenter/Nexus side, it also showed the 100Mbps link in hot standby. I simulated a circuit outage by turning off the port connected to the 1Gbps link, and within a couple of seconds, traffic was flowing across the 100Mbps link. When I turned the 1Gbps link back on, it switched over to being the active link almost instantly. I only dropped 2 pings between buildings. This will suit our needs, as we may exceed 100Mbps of traffic between the 2 buildings quite often, but probably won't come close to hitting 1Gbps and didn't want to pay for a second 1Gbps link just for redundancy. In the event the 1Gbps circuit goes down, the building can continue to work at a slightly degraded max bandwidth with hardly any interruption to service and without any manual intervention. If the 1Gbps circuit will be down for an extended period of time, we can increase the bandwidth on the secondary link through the ISP to keep up with demand.
Thank you to everyone who read and commented on this.
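The LACP setup described in the posts above, written out as an added example for the Catalyst (IOS-XE) side; this is not the poster's actual configuration, and the interface names, port-channel number and priority values are assumed. The plain bundle is shown first so the difference is visible.

```text
! Added example, not the poster's own config.
! Assumed: Gi1/0/1 = 1Gbps ISP handoff, Gi1/0/2 = 100Mbps ISP handoff, Port-channel10.
!
! Starting point: plain LACP bundle, both links active, default src-dst-mac hashing.
! Both ports negotiate 1Gbps, so the switch cannot see that flows hashed onto
! Gi1/0/2 are capped at 100Mbps by the ISP; those flows simply get less bandwidth.
interface range GigabitEthernet1/0/1 - 2
 channel-group 10 mode active
!
! Prioritized version: one active link, the 1Gbps link always preferred.
!
! Lower value = higher priority. The system with the lowest system-priority
! decides which links are bundled, so the 9400 is made the deciding side.
! The Nexus side then only needs a matching LACP port-channel on its two ports.
lacp system-priority 100
!
interface GigabitEthernet1/0/1
 description 1Gbps primary circuit (ISP A)
 ! LACPDUs every 1s instead of 30s, so a dead circuit is detected sooner
 lacp rate fast
 ! preferred link (default port-priority is 32768)
 lacp port-priority 100
 channel-group 10 mode active
!
interface GigabitEthernet1/0/2
 description 100Mbps secondary circuit (ISP B)
 lacp rate fast
 ! port-priority left at the default 32768, so this link becomes hot standby
 channel-group 10 mode active
!
interface Port-channel10
 description Inter-building bundle
 ! only the highest-priority link carries traffic; the other waits in standby
 lacp max-bundle 1
!
! Verification: Gi1/0/1 should show P (bundled) and Gi1/0/2 should show H
! (hot-standby) in the summary; the neighbor output confirms the peer agrees.
! show etherchannel 10 summary
! show lacp 10 neighbor
! show lacp sys-id
```

After the change, failing the 1Gbps port should move Gi1/0/2 from H to P within a few LACP fast intervals, which is the behaviour the poster measured as two lost pings.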
What about using lacp port-priority to prioritize the 1Gbps link, and set lacp max-bundle on the port-channel to 1? This way, both links would be bundled in the port-channel, but the 1Gbps would be prioritized and active while the 100Mbps would be in standby until the 1Gbps isn't available. Is that feasible? The concern is that by simply using spanning tree, there would be a period of time that the other building would have no connectivity if the 1Gbps link went down while spanning tree recalculates. With both links in a port-channel together, we simulated loss of one circuit or the other and never dropped pings across the port-channel to devices in the other building.
We have installed a 9407 in a new building down the street from our primary datacenter, which has a VPC pair of Nexus 3Ks. We have 2 separate ISPs each providing us a real-time L2 link to that building. The intention is to provide redundant connections to support business-critical devices over there.
The handoffs from both ISPs are 1Gbps. The primary circuit is capped at 1Gbps and the secondary connection is capped at 100Mbps but the bandwidth can be manually increased if needed (for additional cost, of course). Because the ISP handoffs are both 1Gbps, I was able to create an LACP etherchannel between our datacenter and the new building, and it seems to be working during our testing. Both ISPs are showing traffic across their links. Can default source-dest-mac port-channel load balancing saturate the 100Mbps link and cause issues for any hosts/clients doing bandwidth-intensive things like video streaming? Is there a way to prioritize traffic so that it uses the higher-bandwidth primary link unless it is down? Should we not use an etherchannel and instead let spanning tree handle which link is active?
We have an FP2130 managed by FMC 6.2. For Remote Access VPN, we have a policy that is using AAA Only for authentication method, and a configured AD realm for authentication server. This same AD realm is set up to download users and some specific groups that we are using in some access rules. That is all working fine, and with our identity policy in place (passive authentication using AD client on domain controllers), we're able to provide/block access to resources based on group membership. What we've noticed is that any AD user can connect using AnyConnect, but we want to restrict it to members of a specific group. I don't see anywhere in the VPN policy configuration to scope it to a specific AD group.
My workaround has been to create an access rule that allows traffic that matches source network (VPN DHCP pool) to destination inside networks AND user is in the appropriate group, and another rule just below it that matches all of the same parameters except Users (set to any) and block with reset. This allows only members of the proper group to have access to our internal network, but unauthorized users (with valid AD credentials) can't get to anything. We'd prefer that they couldn't connect to AnyConnect in the first place.
In the ASA world, this could be done through DAP, but I haven't found a way to do this on the FP2130 yet. I'm hoping that I'm just missing something simple.