
Cyber Elite

Thanks for the reply. Can you explain what you mean by "From a PAN perspective a vPC is invisible"?

You don't do anything special on the firewall when using a virtual PortChannel (vPC) versus a normal PortChannel. It's still just a simple aggregate interface from the firewall's perspective.


and also "you can lose a chassis without an associated firewall failover"

Generally for folks who don't have Nexus switches that have a similar setup, they wouldn't be able to use a vPC and would just use two regular PortChannel configurations. One firewall would be connected to one switch, and the other firewall would be connected to the other. 

The downside of the above configuration is that if you lose the switch your Active firewall is operating off of, you would also trigger a firewall failover. That's not an issue with your vPC configuration, because if one of your Nexus switches goes down the firewall still has the leg to the other switch to operate off of. 


Second question

In vPC 101, since all ports are designated, both the active and passive firewall will receive traffic. (Correct me if I am wrong.)

If yes, how does a passive firewall handle the traffic?

VPC 100 is going to your passive/secondary firewall and VPC 101 is going to your Active/Primary firewall, correct? When your firewall is in a Passive state, it drops all traffic that it receives. So with you using an Aggregate interface, you'll actually want to run LACP and enable LACP pre-negotiation so that your passive firewall sends LACP messages to bring the AE link up to allow faster failover. The passive firewall will drop any actual traffic that it receives, but the LACP messages are enough to keep the vPC up to allow fast failover.
