Active/Standby Firewalls with vPC

If you have active/standby firewalls, what's the recommended way to connect them to a vPC domain? Am I correct in saying best practice would be to port channel the firewalls to each vpc peer?

Comments

  • This is what I've seen in most deployments. A single vPC between SW1 and SW2 with both active/stdby FW connected into it.

    I've also seen deployments move away from this and just port-channel the active FW to SW1 and the stdby FW to SW2 for a "more predictable" design (easier to troubleshoot).

     

  • Just wanted to mention that dynamic routing over vPC is not supported on the Nexus 7000. So if you're going to be routing with your firewalls, you will want FW1 - SW1 and FW2 - SW2 with a non-vPC trunk between the switches.

  •

    A single vPC? Do you mean, if you were using Po4096 for peer link, and Po50/vpc 50 for Active firewall, you'd also put the Stdby firewall in po50/vpc 50?

    If you go with the second scenario where you put FW1 to SW1 and FW2 to SW2, what happens when traffic hashes to SW2? Wouldn't it go over the peer link at that point?

    Ben - Thanks as well, I was aware of the dynamic routing. In that situation, it would probably be a problem if your firewalls were on the same subnet as the servers that are part of vPC. I'm assuming you'd have to put your firewalls on a different subnet.
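The first design discussed in the thread (both firewalls connected to a vPC that spans SW1 and SW2, with Po4096 as the peer link and Po50/vPC 50 for the active firewall), written out as an NX-OS configuration sketch for SW1. This is an added example, not configuration taken from any of the posters; the vPC domain id, the peer-keepalive addresses, the Ethernet member interfaces, VLAN 100 and the use of Po51/vPC 51 for the standby firewall are all assumptions. The standby firewall gets its own port-channel and vPC number because it negotiates LACP with its own system ID, so the two firewalls cannot share a single bundle.

```nxos
! SW1. SW2 mirrors this configuration; only the peer-keepalive addresses
! and the local member interfaces differ. All interface numbers, the vPC
! domain id, the keepalive addresses and VLAN 100 are assumed values.
feature lacp
feature vpc

vpc domain 50
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
  peer-gateway

! vPC peer link, Po4096 as named in the thread
interface port-channel4096
  description vPC peer-link to SW2
  switchport
  switchport mode trunk
  spanning-tree port type network
  vpc peer-link

interface Ethernet1/47-48
  description peer-link member ports to SW2
  switchport
  switchport mode trunk
  channel-group 4096 mode active
  no shutdown

! Active firewall: Po50 / vPC 50, one member port on each switch.
! The same vPC number must be configured on SW2 for its FW1 port.
interface port-channel50
  description FW1 (active) - vPC 50
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  vpc 50

interface Ethernet1/1
  description FW1 (active) data link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  channel-group 50 mode active
  no shutdown

! Standby firewall: its own port-channel and vPC number (assumed 51),
! since it is a separate LACP partner from FW1.
interface port-channel51
  description FW2 (standby) - vPC 51
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  vpc 51

interface Ethernet1/2
  description FW2 (standby) data link
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 100
  channel-group 51 mode active
  no shutdown
```

After applying the mirrored configuration on SW2, `show vpc` should list vPC 50 and vPC 51 as up on both peers, and `show vpc consistency-parameters vpc 50` should report no type-1 mismatches; a consistency failure suspends the vPC on the secondary peer, which shows up as an unexpected failover path rather than a clean outage. As the second comment notes, this layout only applies when the firewalls are bridged through the vPC; if they form routing adjacencies across these links on a Nexus 7000, the firewall ports should be regular (non-vPC) port-channels, FW1 to SW1 and FW2 to SW2, with a separate non-vPC trunk between the switches.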

     

     
