Sunday, December 22, 2013

Choosing ASA connectivity with vPC

There always comes a point where a design decision has to be made. When we connect an ASA to a Nexus switch, we have the option of making the connection with a vPC or with a straightforward port-channel.

The above is a free-hand drawing I put up depicting the options we have. I assume AGG1 and AGG2 are in a vPC domain, AGG1 has the higher role priority and is the HSRP active forwarder, and ASA1 is the active firewall with ASA2 in standby.

In the drawing, the first topology shows the ASA connected to the Nexus switches with a vPC. Assuming an ASA 5585-X, each ASA has 2x10G links, one to each chassis, and the connectivity is established using a vPC. The advantage is that the connectivity uses both chassis and leverages vPC: in effect we have a 20G link from the AGG pair to the ASA.

If we lose the AGG1 switch due to some problem, we effectively have only a 10G link between the AGG switch and the ASA firewall, irrespective of which ASA is the active one.

In the second topology, ASA1 is connected to AGG1 with a port-channel and ASA2 to AGG2 with a port-channel. Under the same failure condition, if AGG1 fails we can switch over to ASA2 as the active forwarder and still effectively have a 20G link between the ASA and the AGG. The disadvantage is that, as long as ASA1 is the active firewall, some traffic will traverse the peer-link.

I always prefer placing the ASA in a vPC with the Nexus switches. I take the failure rate of a Nexus switch to be negligible and such failures to be very rare. In environments where we need to maintain a 20G link between the switch and the firewall, we can go ahead with the port-channel option, but when laying out a design I always prefer the vPC connection.
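As an added example (not the author's configuration; the post itself carries no config), here is how the two options map onto NX-OS and ASA commands. The vPC domain number, role priorities, keepalive addresses, interface numbers, VLAN IDs and IP addresses are all made up for illustration; AGG2 mirrors AGG1 with its own keepalive source/destination and a different role priority, and ASA2 mirrors ASA1 using the standby addresses. The `vpc orphan-port suspend` lines under Option 2 implement the point raised in the comments below and are optional, as comment 2 notes.

```text
! ===== AGG1 (Nexus, NX-OS): vPC domain shared by both options =====
feature vpc
feature lacp
!
vpc domain 10
  ! lower value = primary; assume AGG2 is configured with 200
  role priority 100
  ! keepalive addresses are assumed values in the management VRF
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
  peer-gateway
!
! peer-link to AGG2 (assumed Eth1/1-1/2 -> Po1)
interface Ethernet1/1
  channel-group 1 mode active
interface Ethernet1/2
  channel-group 1 mode active
interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc peer-link
!
! ----- Option 1: ASA1 is vPC-attached -----
! ASA1 Te0/8 lands on AGG1 Eth1/10, ASA1 Te0/9 lands on AGG2 Eth1/10.
! Both switches carry the SAME 'vpc 11' on their port-channel11 so the
! two 10G links appear to the ASA as one 20G LACP bundle.
interface Ethernet1/10
  description ASA1 Te0/8
  channel-group 11 mode active
interface port-channel11
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  vpc 11
!
! ----- Option 2: ASA1 is single-homed to AGG1 with a plain port-channel -----
! Both ASA1 links land on AGG1 (assumed Eth1/10-1/11); there is NO 'vpc 11',
! so Po11 is an orphan port from the vPC domain's point of view.
! interface Ethernet1/10
!   description ASA1 Te0/8
!   channel-group 11 mode active
!   vpc orphan-port suspend
! interface Ethernet1/11
!   description ASA1 Te0/9
!   channel-group 11 mode active
!   vpc orphan-port suspend
! interface port-channel11
!   switchport mode trunk
!   switchport trunk allowed vlan 10,20
!
! ===== ASA1 (5585-X): identical for either option =====
! The ASA only sees one LACP bundle; whether its members terminate on
! one switch or two is invisible to it.
interface TenGigabitEthernet0/8
 channel-group 1 mode active
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 no shutdown
interface Port-channel1.10
 vlan 10
 nameif outside
 security-level 0
 ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
interface Port-channel1.20
 vlan 20
 nameif inside
 security-level 100
 ip address 10.20.20.1 255.255.255.0 standby 10.20.20.2
```

The only configuration difference between the two options is on the switch side: the presence or absence of `vpc 11` on port-channel11 and where the second member link physically terminates. That is why the bandwidth-after-failure behaviour described above differs while the ASA configuration does not change. After applying Option 1, `show vpc` on either Nexus should list vPC 11 as up with consistency checks passed, and `show port-channel summary` on the ASA should show both Te0/8 and Te0/9 bundled.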


  1. Hi, I have a question about Option 2.

    In this case, the EtherChannel from the Nexus to the ASA is not considered a vPC port, so we should enable orphan ports to disable the ports in case of peer-link failure. This is done on the 2 physical interfaces forming the channel on each peer. N7K (config-if)# vpc orphan-ports suspend

    Is this correct?


  2. It's a design choice. If the ASA is in active/passive mode you would not require it.

  3. Can you please share the port-channel configuration between the Nexus 5K and the ASA?

  4. Didn't find any valid config regarding ASA vPC config on both Nexus switches, as it is tricky. Can you please share some good tutorial/documentation?

  5. In Option 1 what is your choice of routing? Are the ports native L2 or L3?
    Assume that the active ASA's L2 and L3 hashes are different; that means traffic will flow over the peer link, right? This will break the vPC data-plane loop avoidance rule.

