I am planning to do the attached deployment, for which I need input from an expert.
Without VSS it seems a little simpler: the connectivity between the 4506 and the 6509s will be dual uplink connectivity where STP will block one of the links (preferably the link going towards the HSRP standby 6509), and both Cat 6509s will run HSRP for the VLANs configured on the 4506.
For the connectivity between the 6509s and the ASA 5520s I can configure L3 subnets for all the 4 links; OSPF can be configured and link cost can be manipulated for best paths.
Now with VSS I am confused about the configuration to be done for the link between the 4506 and the 6509s. Can I configure an EtherChannel for the 2 links going from the 4506 to the 6509s, considering MEC in VSS? What kind of configuration is recommended for the connectivity between the 6509s and the ASA 5520s?
Please suggest the best possible option, as we will do the deployment in a couple of days.
>> but it seems ordering already being done and consignment awaited :-)
This is the typical ordering done before the network designer does his/her job.
1) WS-6704 is not suitable for building the VSS link because it lacks an ASIC chip for VSL protocol encapsulation.
The 10-Gigabit Ethernet port can be located on the supervisor engine module or on one of the following switching modules:
• WS-X6708-10GE-3C or WS-X6708-10GE-3CXL
• WS-X6716-10GE-3C or WS-X6716-10GE-3CXL
2) I personally prefer BFD and fast hellos. My understanding is that a dedicated link is required, but it doesn't need to be a 10GE link.
To use the IP BFD detection method, you must provision a direct Ethernet connection between the two switches. Regular Layer 3 ping will not function correctly on this connection, as both chassis have the same IP address. The VSS instead uses the Bidirectional Forwarding Detection (BFD) protocol.
To use the dual-active fast hello packet detection method, you must provision a direct Ethernet connection between the two switches. You can dedicate up to four non-VSL links for this purpose.
3) Dual-active detection doesn't need to run on all possible links, so the question about the missing support of enhanced PAgP on the ASA is not relevant.
I prefer BFD and IP fast hellos because they don't involve any external device, but just the two chassis that form the VSS pair.
According to other colleagues you can combine multiple methods of active detection for increased security.
See best practices.
IP fast hellos require Cisco IOS Software Release 12.2(33)SXI or later.
Hope to help
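Points 2 and 3 written out as configuration, as an added example that is not from this thread: a Catalyst 6500 VSS pair on 12.2(33)SXI running both fast hello and BFD dual-active detection over dedicated direct (non-VSL) links. The domain id, switch priorities, interface numbers, BFD timers and the BFD addresses are assumptions.

```cisco
! Added example, not from the thread. Domain id, priorities, interface
! numbers, BFD timers and addresses are assumptions.
!
! --- Fast hello: one dedicated direct link, one port per chassis ---
! The port is placed in restricted config mode; only the fast-hello
! command is needed on it.
interface GigabitEthernet1/5/1
 description dual-active fast-hello link (chassis 1 side)
 dual-active fast-hello
!
interface GigabitEthernet2/5/1
 description dual-active fast-hello link (chassis 2 side)
 dual-active fast-hello
!
! --- BFD: a second dedicated direct link, L3 addresses on both ends ---
! Regular ping across this link does not work (both chassis share the
! VSS IP), which is why BFD is used instead.
interface GigabitEthernet1/5/2
 description dual-active BFD link (chassis 1 side)
 no switchport
 ip address 192.168.255.1 255.255.255.0
 bfd interval 100 min_rx 100 multiplier 3
!
interface GigabitEthernet2/5/2
 description dual-active BFD link (chassis 2 side)
 no switchport
 ip address 192.168.255.2 255.255.255.0
 bfd interval 100 min_rx 100 multiplier 3
!
switch virtual domain 100
 switch 1 priority 110
 switch 2 priority 100
 ! both detection methods enabled; neither involves an external device
 dual-active detection fast-hello
 dual-active detection bfd
 dual-active pair interface GigabitEthernet1/5/2 interface GigabitEthernet2/5/2 bfd
 ! keep the out-of-band management port up during dual-active recovery
 dual-active exclude interface GigabitEthernet1/5/3
!
! Verification after both links are up:
!   show switch virtual dual-active summary
!   show switch virtual dual-active fast-hello
!   show switch virtual dual-active bfd
```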
Hello Sameer, Jon,
>> Option 2 is problematic because you have 2 inside interfaces per ASA and this can cause problems.
I agree, the ASA is versatile and has several router capabilities, but its main job is to be a firewall.
I had some doubts about option 2: it might be technically possible, but it would require tuning and increased complexity. I see that Jon has the same opinion.
It does not pay off. Option 1 is a well-known design that works and provides fault tolerance for link or node (one ASA or one chassis in the VSS).
Hope to help
I have direct experience with an ASA active/standby failover pair.
In this case a common subnet is required.
The two vertical links on the VSS should be switchports in access mode on a specific VLAN, with an SVI IP address that is the next hop for the ASA.
The L2 broadcast domain should be in common between the two chassis.
I don't think you can take advantage of MEC, either L3 or L2, when interacting with the ASA unless bundling is supported on the ASA.
Also, Active/Active just refers to the fact that in multi-context mode, contexts can be divided into failover groups; ASA1 can be active for failover-group1 and ASA2 can be active for failover-group2, but for a given context only one ASA is active:
>> Active/Active failover is only available to adaptive security appliances in multiple context mode. In an Active/Active failover configuration, both adaptive security appliances can pass network traffic. In Active/Active failover, you divide the security contexts on the adaptive security appliance into failover groups. A failover group is simply a logical group of one or more security contexts. You can create a maximum of two failover groups. The admin context is always a member of failover group 1. Any unassigned security contexts are also members of failover group 1 by default. >> (end of text)
For the VSS the next hop is the IP address of the active ASA: HSRP is not needed on the VSS side and not supported on the ASA side.
In case of failover of the ASA active/standby pair, the new active takes the IP address of the active ASA, a gratuitous ARP is sent, and the ARP table of the VSS should be updated.
We use these failover groups, but this would be needed only if multiple exit VLANs are between the VSS and the ASA pair.
The ASA should not support EtherChannels; see the config chapter about interfaces.
So as I wrote before, vertical links should be Layer 2 ports in access mode (single context) or L2 trunk (if multi-context is needed). L2 VLAN(s) have L3 objects defined in the VSS.
Hope to help
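The design in this reply written out as configuration, as an added example that is not from the thread: one access-mode vertical link per chassis in a common VLAN with an SVI next hop on the VSS, and an ASA active/standby pair sharing the inside subnet, with no port-channel towards the ASA. The VLAN id, addresses, interface numbers and failover timers are assumptions; the ASA side is shown for the primary unit in single-context mode.

```cisco
! Added example, not from the thread. VLAN id, addresses, interface
! numbers and timers are assumptions.
!
! ===== Catalyst 6500 VSS =====
vlan 100
 name ASA-INSIDE
!
! One vertical link per chassis, both access ports in the same VLAN so the
! L2 broadcast domain spans both chassis. No bundling towards the ASA.
interface GigabitEthernet1/1/1
 description to ASA1 inside (chassis 1)
 switchport
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet2/1/1
 description to ASA2 inside (chassis 2)
 switchport
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! The SVI is the ASA's next hop; the VSS default route points at the
! ASA active IP (shared by whichever unit is active), so no HSRP here.
interface Vlan100
 ip address 10.0.100.1 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.0.100.10
!
! ===== ASA 5520, primary unit, single context =====
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.100.10 255.255.255.0 standby 10.0.100.11
!
! Dedicated failover link. On failover the standby takes 10.0.100.10 and
! sends gratuitous ARP, refreshing the VSS ARP entry for the next hop.
failover
failover lan unit primary
failover lan interface FOVER GigabitEthernet0/3
failover interface ip FOVER 10.0.255.1 255.255.255.252 standby 10.0.255.2
failover polltime unit msec 200 holdtime msec 800
monitor-interface inside
!
route inside 10.0.0.0 255.0.0.0 10.0.100.1
```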