vwire setup in active-active mode with port-channels

L0 Member

I am trying to add a pair of PA-850s in vwire mode between a Cisco ASR1001 router and a Nexus 6k that has a port-channel configured. I set up the PA interfaces as a vwire, set up the zones, and policies. Am I supposed to aggregate the interfaces on the 850s?


When I tried to insert the 850s in between the router and switch this weekend, all interfaces came up and I could see the router from the switch and the switch from the router via CDP neighbor; however, I had various connectivity issues. In the firewall logs I noticed that certain traffic was showing up on the new vwire zones that shouldn't have shown up on those interfaces. I should also mention that this pair of firewalls has another vwire set up for another segment of the network; I'm wondering if they are conflicting...

Cyber Elite

@JeremyTanquary,

You didn't really give enough information, at least for me, to really give you any insight into what the issue could have possibly been. If you are seeing traffic come across on the wrong vwire interface, that would point towards a routing issue on the router or the 6k. 

The mere fact that you have two different v-wire configurations on the same equipment wouldn't matter at all, barring a configuration issue being made.

L0 Member

Re-examined routing, and the routes are pointing to the upstream router, so traffic is coming in on the first set of vwire interfaces on the 850s, Ethernet 1/2 (untrust), exiting Ethernet 1/1 (trust), then to the Nexus switch, then back in to Ethernet 1/6 (MPLS-Untrust) and out Ethernet 1/5 (MPLS-Trust). This routing looks like a mis-config by the previous engineer, which I will address soon.


My questions are:

1. For traffic sourced from behind the existing vwire untrust interface, why didn't I see log entries for the traffic traversing the Trust/Untrust zones after adding the new vwire? I only saw this traffic on MPLS-Trust/MPLS-Untrust. I would expect to see it first hit Trust/Untrust and then see another log entry for MPLS-Trust/MPLS-Untrust.


2. The setup for the existing vwire is a non-port-channel. Do I need to do anything special for setting up the vwire in between the router and switch, which is a port-channel?

I attached a quick network diagram I put together; the green link is the existing vwire setup, the red is the new one. I know this setup is a little crazy and not ideal; we are simply trying to use the PAs to capture IPFIX/NetFlow traffic between the router and switch.

Vwire-setup1.PNG
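One way to work through question 1 from the firewall's own traffic logs is to group the session entries by the zone pair and interface pair they were logged on, and flag any source that shows up on a vwire other than the one you expect it to enter on. The script below is an added example written for this thread, not code from Palo Alto Networks or from either poster. It uses a constructed, simplified CSV log format (not the real PAN-OS traffic log column order), the interface and zone names from the thread, and the vwire labels "existing"/"new" and the source prefixes as assumptions; swap in an export of your actual traffic log and your real prefixes to run it on live data.

```python
"""Group constructed PAN-OS-style traffic log entries by vwire/zone pair and
flag flows that appear on an unexpected vwire.

The CSV below is a constructed, simplified log (not the real PAN-OS traffic
log column order); interface and zone names are those from the thread.
"""
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample: one session log entry per row.
SAMPLE_LOG = """\
src,dst,ingress_if,egress_if,from_zone,to_zone
10.1.1.10,172.16.5.20,ethernet1/2,ethernet1/1,untrust,trust
10.1.1.10,172.16.5.20,ethernet1/6,ethernet1/5,MPLS-Untrust,MPLS-Trust
10.1.1.11,172.16.5.21,ethernet1/6,ethernet1/5,MPLS-Untrust,MPLS-Trust
192.168.9.5,172.16.5.22,ethernet1/6,ethernet1/5,MPLS-Untrust,MPLS-Trust
10.1.1.12,172.16.5.23,ethernet1/2,ethernet1/5,untrust,MPLS-Trust
"""

# Which vwire each interface belongs to and the zone it should carry.
# Interface/zone names come from the thread; the vwire labels are assumptions.
VWIRES = {
    "existing": {"ethernet1/1": "trust", "ethernet1/2": "untrust"},
    "new":      {"ethernet1/5": "MPLS-Trust", "ethernet1/6": "MPLS-Untrust"},
}

# Expectation under test: sources in these prefixes should enter on this vwire.
# Constructed for the example.
EXPECTED_VWIRE_FOR_SRC = {
    "10.1.1.0/24": "existing",
    "192.168.9.0/24": "new",
}


def vwire_of(interface):
    """Return the vwire label an interface belongs to, or None if unknown."""
    for name, members in VWIRES.items():
        if interface in members:
            return name
    return None


def parse_log(text):
    """Parse the constructed CSV into a list of dicts, one per session."""
    return list(csv.DictReader(io.StringIO(text)))


def check_entry(entry):
    """Return a list of findings for one entry; an empty list means consistent."""
    findings = []
    in_vw, out_vw = vwire_of(entry["ingress_if"]), vwire_of(entry["egress_if"])
    # A vwire session enters on one member interface and leaves on the other.
    if in_vw is None or out_vw is None or in_vw != out_vw:
        findings.append("ingress/egress are not the two members of one vwire")
    # The zone logged on each interface should match the zone bound to it.
    for if_key, zone_key in (("ingress_if", "from_zone"), ("egress_if", "to_zone")):
        expected = VWIRES.get(vwire_of(entry[if_key]), {}).get(entry[if_key])
        if expected is not None and expected != entry[zone_key]:
            findings.append(
                f"{entry[if_key]} logged in zone {entry[zone_key]}, expected {expected}")
    # The source prefix should arrive on the vwire we expect it to enter on.
    src = ipaddress.ip_address(entry["src"])
    for prefix, want in EXPECTED_VWIRE_FOR_SRC.items():
        if src in ipaddress.ip_network(prefix) and in_vw is not None and in_vw != want:
            findings.append(f"source {src} expected on vwire '{want}' but seen on '{in_vw}'")
    return findings


def summarize(entries):
    """Count sessions per (from_zone, to_zone) pair and collect flagged entries."""
    pairs = Counter((e["from_zone"], e["to_zone"]) for e in entries)
    anomalies = [(e, check_entry(e)) for e in entries]
    return pairs, [(e, f) for e, f in anomalies if f]


if __name__ == "__main__":
    log_entries = parse_log(SAMPLE_LOG)
    zone_pairs, flagged = summarize(log_entries)
    for (fz, tz), n in zone_pairs.items():
        print(f"{fz:>13} -> {tz:<13} {n} session(s)")
    for e, findings in flagged:
        print(f"{e['src']} -> {e['dst']}: " + "; ".join(findings))
```

With the constructed sample, the two 10.1.1.0/24 sessions that were only logged on the MPLS-Untrust/MPLS-Trust pair are flagged, which is the pattern described above (traffic from behind the existing vwire appearing only on the new vwire's zones), and the per-zone-pair counts make it easy to see at a glance whether a source is being logged on both vwires or only one.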
