Within this article we will look at a simple network design and the various caveats and considerations involved.
Initial Design
The initial design (shown below) is simple – a pair of network devices (in this instance Cisco ASAs) connected to a pair of Nexus 3K switches. Each firewall is connected to both switches using vPC.
This design is sometimes chosen on the assumption that connecting each network device to both switches provides a greater level of redundancy.
Can you see the problem?
Port Outage
In our first scenario one of the port-channel members for Firewall A (left) goes down. However, because the ASA monitors the logical port-channel, and that port-channel is still up thanks to its remaining member, failover does not occur. This results in the firewall's upstream connection being reduced by 50%.
To ensure a device-level failover occurs in the event of a single member link failure, the port-channel min-bundle command is used. The necessary commands are shown below (min-bundle is applied to the parent port-channel interface, not the subinterface):
monitor-interface port-channel 1.1000
interface port-channel 1
port-channel min-bundle 2
Switch Outage
On to our next scenario. So you've configured your ASAs with port-channel min-bundle. This time, though, the actual switch goes down. This results in a port-channel member on each firewall going down, leaving each port-channel with only a single active member, which in turn takes the port-channel on each ASA node down. Since both ASAs are affected at the same time, failover cannot help.
Recommended Design
To eliminate such issues, the recommended design is shown below:
Here each ASA is connected to a single switch and the ports are not configured as vPC member ports on the Nexus switches. Because of this, and to ensure device-level failover at the ASA layer, the following must be configured:
- port-channel min-bundle should still be configured on the ASAs, so that they fail over in the event of one of the port-channel member links going down.
- orphan port suspend should be configured on each of the switchports for each of the port-channels. This is to prevent traffic black-holing when the vPC peer-link goes down: in that case all vPC member ports on the secondary switch are shut down, but without this command the orphan ports would remain up and traffic arriving on them would be unable to leave the switch, as the vPC peer-link would be down.
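The recommended design expressed as a configuration fragment for one switch and one ASA (mirror it on the second pair). This is an added illustration, not configuration from the article; the interface numbers, channel-group numbers, VLAN 1000, the outside nameif and the addressing are assumptions.

```cisco
! --- Nexus 3K switch A (NX-OS), assumed interface numbers ---
! Ports to ASA A form a local port-channel. There is no "vpc" keyword under
! port-channel10, so the Nexus treats these as orphan ports.
interface Ethernet1/1-2
  description ASA-A Po1 members
  switchport mode trunk
  switchport trunk allowed vlan 1000
  channel-group 10 mode active
  ! Suspend these orphan ports if the vPC peer-link fails. The ASA then sees
  ! its members drop below min-bundle and fails over, instead of sending
  ! traffic into a switch that can no longer reach its peer.
  vpc orphan-port suspend
!
interface port-channel10
  description ASA-A Po1
  switchport mode trunk
  switchport trunk allowed vlan 1000
!
! --- ASA A, assumed interface numbers ---
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 ! Keep Po1 down unless both members are bundled, so a single link
 ! failure triggers failover rather than running at half capacity.
 port-channel min-bundle 2
interface Port-channel1.1000
 vlan 1000
 nameif outside
 security-level 0
 ip address 192.0.2.2 255.255.255.0 standby 192.0.2.3
!
! Failover monitors the named interface, which goes down whenever Po1 does.
monitor-interface outside
```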