Sunday, December 22, 2013

Choosing ASA connectivity with vPC

There always comes a point where a design decision has to be made. When we connect an ASA to a Nexus switch, we have the option of making the connection with vPC or with a straightforward port-channel.


The above is a free-hand drawing I put up depicting the options we have. I assume AGG1 and AGG2 are in a vPC domain, AGG1 has the higher role priority and is the HSRP active forwarder, and ASA1 is the active firewall with ASA2 in standby state.

In the drawing, the first topology shows the ASA connected to the Nexus switches with vPC. Assuming we have an ASA 5585-X, we assume there are 2x10G links connected to each ASA, one link from each chassis, and the connectivity is established using vPC. The advantage is that the connection is made using both chassis while leveraging vPC, so in reality we have a 20G link from the AGG switches to the ASA.

If we lose the AGG1 switch due to some problem, we effectively have only a 10G link connecting the AGG switch and the ASA firewall. Irrespective of which ASA firewall is considered, we only have a 10G link.

In the second topology we see ASA1 connected to AGG1 using a port-channel and ASA2 connected to AGG2 using a port-channel. Assuming the same failure condition, if AGG1 fails we can switch over to ASA2 as the active forwarder and still effectively have a 20G link between the ASA and the AGG. The disadvantage is that as long as ASA1 is the active firewall, some traffic will traverse the peer-link.
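As an added illustration of the first topology (this is not configuration from the original post), the snippet below shows ASA1 attached to both AGG switches through a single vPC and the matching port-channel on the ASA. The vPC domain ID, VLANs, interface names and addresses are placeholders; the comment lines are explanatory only.

```text
! AGG1 (NX-OS). vPC domain ID, VLANs, interface names and addresses are placeholders.
feature lacp
feature vpc
vpc domain 10
  ! lower value wins the primary role
  role priority 100
  peer-keepalive destination 192.0.2.2 source 192.0.2.1 vrf management
interface port-channel 1
  switchport mode trunk
  ! peer-link: carries ASA traffic only when a vPC member link is down
  vpc peer-link
interface port-channel 20
  description vPC 20 to ASA1 Po1
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  vpc 20
interface Ethernet1/1
  description ASA1 Te0/8
  ! LACP active on both ends so a miscabled link never joins the bundle
  channel-group 20 mode active
  no shutdown
!
! AGG2 (NX-OS): same as AGG1 except role priority and keepalive addresses;
! the vPC number (20) must match so the ASA sees one LACP partner.
vpc domain 10
  role priority 200
  peer-keepalive destination 192.0.2.1 source 192.0.2.2 vrf management
interface port-channel 20
  switchport mode trunk
  switchport trunk allowed vlan 100,200
  vpc 20
interface Ethernet1/1
  description ASA1 Te0/9
  channel-group 20 mode active
  no shutdown
!
! ASA1: one port-channel with one 10G member towards each AGG.
! Losing AGG1 leaves Po1 up on Te0/9 alone, i.e. 10G, as described above.
interface TenGigabitEthernet0/8
 channel-group 1 mode active
 no shutdown
interface TenGigabitEthernet0/9
 channel-group 1 mode active
 no shutdown
interface Port-channel1.100
 vlan 100
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0 standby 203.0.113.11
```

After bringing the links up, `show vpc brief` and `show port-channel summary` on either AGG, and `show port-channel summary` on the ASA, should show vPC 20 up with both members bundled; a consistency-check failure on the vPC will leave one member out of the bundle and silently turn the 20G link into 10G.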

I always prefer placing the ASA in a vPC with the Nexus switch, as I consider the failure of a Nexus switch to be very rare. In environments where we need to maintain a 20G link between the switch and the firewall, we can go ahead with the port-channel. But when laying out a design I always prefer the vPC connection.

Saturday, December 14, 2013

ASA - Dynamic Routing in Multiple Context mode

Ay caramba!! My greatest requirement with the ASA firewall has been implemented!!

Yes, it is enabling dynamic routing protocols when the firewall is in multiple-context mode. It has taken Cisco quite a bit of time, but they have finally done it. Now I can implement virtualised datacenters with ease. I no longer have to go and add static routes on the firewall for every new subnet as the network grows, which eases my job and lets me have my OSPF area on the firewall.. woohoo.

The official statement, as seen in the release notes, is shown below.


The actual link with the complete list of features can be found here
