Active/Standby Network Devices connected via vPC

In this article we will look at a simple network design, the failure scenarios it does not handle well, and the configuration needed to make an Active/Standby pair fail over correctly.

Initial Design

The initial design (shown below) is simple: a pair of network devices (in this instance Cisco ASAs in an Active/Standby failover pair) connected to a pair of Nexus 3k switches. Each firewall is connected to both switches, with its two links bundled into a port-channel that the switches present as a vPC.
This design is sometimes chosen on the assumption that connecting each firewall to both switches provides a greater level of redundancy.

Can you see the problem?

 

Port Outage

In our first scenario one of the port-channel members for Firewall A (left) goes down. Because the ASA monitors the logical port-channel interface rather than its individual members, and the other member is still up, the port-channel stays up and failover does not occur. The result is that the active firewall's upstream capacity is reduced by 50%, even though the standby unit still has both of its links.

[Diagram: fw-vpc-portoutage]

To ensure a device-level failover occurs when a single member link fails, the port-channel min-bundle command is used. With min-bundle set to 2, losing one of the two members takes the whole port-channel down, and because the port-channel subinterface is a monitored interface the ASA fails over. Note that min-bundle is configured on the EtherChannel interface itself (Port-channel1), not on the subinterface, and that monitor-interface takes the interface name assigned with nameif (subinterfaces are not monitored by default; "outside" is assumed as the name of the 1.1000 subinterface here). The necessary commands are:

interface Port-channel1
 port-channel min-bundle 2
!
interface Port-channel1.1000
 nameif outside
!
monitor-interface outside

 

Switch Outage

On to our next scenario. You have configured your ASAs with port-channel min-bundle 2, but this time the switch itself goes down. Each firewall now loses one port-channel member, leaving each port-channel with a single active member. That is below the minimum bundle, so the port-channel goes down on both ASA nodes at the same time. Failover cannot help here: the standby unit is in exactly the same state as the active one, so the upstream connection is lost entirely even though the surviving switch and two of the four links are still healthy.

[Diagram: fw-vpc-switchoutage]

Recommended Design

To eliminate these issues, the recommended design is shown below.

[Diagram: fw-vpc-recommend]

Here each ASA is connected to a single switch, and the ports are not configured as vPC member ports on the Nexus switches: they are ordinary, non-vPC port-channels, which from the vPC's point of view makes them orphan ports. Because of this, and to ensure device-level failover at the ASA layer, the following must be configured:

  • port-channel min-bundle should still be configured on the ASAs so that they fail over if one of the port-channel member links goes down.
  • vpc orphan-port suspend should be configured on the switchports that make up each port-channel. This prevents traffic black-holing when the vPC peer-link goes down. In that event the secondary switch (provided the peer-keepalive link is still up, so it knows the primary is alive) shuts down all of its vPC member ports; without this command the orphan ports facing the ASA would remain up, so the ASA connected to the secondary switch would keep sending traffic into a switch that can no longer forward it, because its vPC member ports are suspended and its peer-link is down. With orphan-port suspend, the ASA-facing ports are suspended as well, the ASA's port-channel goes down, and failover moves traffic to the unit connected to the primary switch.
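
A worked configuration for the recommended design, added here as an illustration and not taken from the original article. It shows both halves described above: the ASA A side (an Active/Standby unit with two GigabitEthernet members bundled into Port-channel1 with min-bundle 2 and a monitored outside subinterface), and the Nexus A side (a plain non-vPC port-channel whose member ports carry vpc orphan-port suspend). The interface numbers, VLAN 1000, the interface name "outside", the 192.0.2.0/24 addresses and the port-channel IDs are assumptions chosen for the example; the failover link itself is assumed to be configured already, and Nexus B / ASA B mirror this configuration. Whether vpc orphan-port suspend is accepted on the physical members, on the port-channel, or both depends on the NX-OS release, so check the command reference for your platform.

```cisco
! ===== ASA A (unit of an Active/Standby pair) - interface names are assumed =====
! Both physical uplinks go to Nexus A only; the bundle is an LACP EtherChannel.
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
! min-bundle 2: losing either member takes Port-channel1 down, so the ASA
! fails over instead of carrying on with half of its upstream bandwidth.
interface Port-channel1
 port-channel min-bundle 2
 no shutdown
!
interface Port-channel1.1000
 vlan 1000
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
! Subinterfaces are not monitored by default; monitor-interface takes the nameif.
monitor-interface outside
!
! ===== Nexus A (vPC primary) - ports facing ASA A, assumed numbering =====
! The port-channel deliberately has NO "vpc <id>" line: it is a normal
! port-channel and therefore an orphan port as far as the vPC is concerned.
interface port-channel10
  description ASA-A uplink (non-vPC, orphan)
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1000
!
! orphan-port suspend on the members: if the vPC peer-link fails, these ports
! are suspended together with the vPC member ports, so ASA A sees Port-channel1
! go down and fails over to ASA B instead of black-holing traffic here.
interface Ethernet1/1
  description ASA-A Gi0/0
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1000
  channel-group 10 mode active
  vpc orphan-port suspend
  no shutdown
!
interface Ethernet1/2
  description ASA-A Gi0/1
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 1000
  channel-group 10 mode active
  vpc orphan-port suspend
  no shutdown
```

To check the result, shut one of the member ports on Nexus A and confirm with show port-channel summary and show failover on the ASA that Port-channel1 is reported down and the other unit has become active; show monitor-interface on the ASA lists which interfaces failover is actually watching, and show vpc orphan-ports on the Nexus confirms the ASA-facing ports are recognised as orphans that will be suspended with the peer-link.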

 

Rick Donato
