White Paper for the Cisco Nexus 5010 Switch
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 49 of 75
Clustered Mode: vPC Dual-Attached Tenant-Edge Firewalls in Routed Mode with Static Routing
An active-active clustered firewall setup avoids suboptimal routing by presenting two firewall units as a single unit to the fabric. This approach requires vPC dual-attachment of both firewall cluster units to vPC leaf nodes, as shown in the corresponding figure. As mentioned earlier, border leaf nodes are rarely deployed in vPC pairs, which limits the applicability of this scenario to regular leaf nodes. In addition, only static routing is supported in the current software.
This deployment scenario assumes that the border leaf of the fabric is advertising a default route in VRF EXT.
The configuration for this deployment scenario is almost identical to Configurations 8a and 8b. The difference is
that port channels are now configured as dual-homed vPCs.
The ASA firewalls used in this scenario use a spanned EtherChannel configuration. Please refer to the
configuration guide for details:
Clustered Mode: Single-Attached Tenant-Edge Firewalls in Routed Mode with Dynamic Routing
An active-active cluster with single-attached firewalls uses a split individual cluster configuration and is described in
the configuration guide:
perspective. It provides active-active clustering and allows you to run either static routing or dynamic routing
peering between the firewall and the fabric. Firewalls rely on Equal-Cost Multipath (ECMP) to distribute the load
between the firewall cluster units. This document describes only the scenario with dynamic routing peering
(Figure 23).
The respective routed interfaces of the firewall do not need to be in the same Layer 2 domain, which allows a simpler Layer 3 subinterface-based configuration. Neither SVIs or BDIs nor VLANs or bridge domains are needed here to establish the routing adjacency.
Figure 23. One VLAN Is Used for Each VRF Instance for Routing Peering between the Leaf Nodes and Tenant-Edge Firewalls
The configurations on both switches are very similar except for the locally significant IP addresses on the Layer 3
subinterfaces used for OSPF peering.
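As an added illustration, not configuration taken from this document or from the Cisco configuration guide it refers to, the following NX-OS fragment shows what the leaf side of this subinterface-based OSPF peering looks like for two VRF instances, one dot1q VLAN per VRF. The interface name Ethernet1/1, the VLAN IDs 100 and 200, the VRF names EXT and TENANT1, the OSPF process tag TENANTS, all addresses and the MD5 key strings are assumed placeholders. It goes slightly beyond the figure in two respects a practitioner will want: MD5 authentication on the peering subinterfaces, so that a device that gets onto the firewall-facing link cannot inject routes that steer tenant traffic around the tenant-edge firewall, and maximum-paths, so that the leaf can actually use ECMP across the equal-cost prefixes advertised by both cluster units.

```cisco
! Leaf-1 (assumed example, not the document's own configuration)
! Routed subinterfaces toward ASA cluster unit 1: one 802.1Q VLAN per VRF,
! no SVI, no bridge domain, OSPF adjacency directly on the subinterface.
feature ospf

vrf context EXT
vrf context TENANT1

! Parent interface is routed; the per-VRF tags live on subinterfaces below it.
interface Ethernet1/1
  no switchport
  no shutdown

! VLAN 100: peering in VRF EXT (firewall "outside" side).
! "vrf member" must precede "ip address"; NX-OS clears L3 config when the VRF changes.
interface Ethernet1/1.100
  encapsulation dot1q 100
  vrf member EXT
  ip address 10.100.1.1/30
  ip ospf network point-to-point
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 0 ExampleKeyEXT
  ip router ospf TENANTS area 0.0.0.0
  no shutdown

! VLAN 200: peering in VRF TENANT1 (firewall "inside" side).
interface Ethernet1/1.200
  encapsulation dot1q 200
  vrf member TENANT1
  ip address 10.200.1.1/30
  ip ospf network point-to-point
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 0 ExampleKeyT1
  ip router ospf TENANTS area 0.0.0.0
  no shutdown

! One OSPF process, instantiated per VRF. maximum-paths lets the leaf install
! the same prefix learned from both cluster units as ECMP next hops.
router ospf TENANTS
  vrf EXT
    router-id 10.100.1.1
    maximum-paths 4
  vrf TENANT1
    router-id 10.200.1.1
    maximum-paths 4

! Leaf-2 (toward cluster unit 2) is identical except for the locally significant
! values: e.g. 10.100.1.5/30 and 10.200.1.5/30 on the subinterfaces and matching router-ids.
```

The MD5 keys are placeholders to be replaced by per-peering secrets; the same key and key ID must be configured on the matching ASA subinterface, or the adjacency will not form, which is the desired failure mode for an unauthenticated neighbor. Verify with `show ip ospf neighbors vrf EXT` and `show ip route vrf TENANT1` that a prefix learned from both cluster units shows two next hops.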