Cisco Nexus 9000 Series Configuration Manual page 66

NX-OS Intelligent Traffic Director Configuration Guide, Release 9.x

Configuration Example
#OUTSIDE service uses Dest IP.
no shut
itd OUTSIDE
vrf OUTSIDE
#applies ITD service to VRF 'OUTSIDE'
device-group FW_OUTSIDE
ingress interface vlan 20
failaction node reassign
load-balance method dst ip buckets 16
#load balances traffic based on Dest IP.
#INSIDE service uses Src IP.
no shut
Step 2: Configure ASA.
interface port-channel 11
nameif aggregate
security-level 100
no ip address
interface port-channel 11.100
description INSIDE
vlan 100
nameif inside
security-level 100
ip address 192.168.100.111 255.255.255.0
interface port-channel 11.200
description OUTSIDE
vlan 200
nameif outside
security-level 100
ip address 192.168.200.111 255.255.255.0
same-security-traffic permit inter-interface
interface TenGigabitEthernet 0/6
description CONNECTED_TO_SWITCH-A-VPC
channel-group 11 mode active
no nameif
no security-level
interface TenGigabitEthernet 0/7
description CONNECTED_TO_SWITCH-B-VPC
channel-group 11 mode active
no nameif
no security-level
The following points apply to this example topology:
• VLANs 10, 20, 100, and 200 and their SVIs are mapped to appropriate VRFs.
• This example uses an ITD load-balancing configuration to achieve flow symmetry.
• In a vPC scenario, as long as one member of the vPC is up, there is no change to ITD. The ITD redirection
on the switch with a failed vPC leg will traverse the peer switch through the peer link as in a typical vPC
deployment.
• In this topology, traffic is not lost upon physical link failure because the inside and outside interfaces
are tied to the same physical or virtual interface on the ASA (dot1q subinterfaces).
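
The flow-symmetry point above, as an added example that is not from the Cisco guide: a simplified Python model of why pairing "src ip" on the INSIDE service with "dst ip" on the OUTSIDE service keeps both directions of a conversation on one stateful firewall, and what a src/src pairing would do instead. The node names, sample addresses and the modulo bucket function are assumptions; the switch's actual bucket-to-address mapping is not shown on this page.

```python
import ipaddress

BUCKETS = 16  # matches "buckets 16" in both ITD services
NODES = ["ASA-1", "ASA-2", "ASA-3", "ASA-4"]  # hypothetical device-group members

def bucket(addr):
    # Assumed model: the bucket is taken from the low-order address bits.
    return int(ipaddress.ip_address(addr)) % BUCKETS

def node_for(src, dst, method):
    # method is "src" or "dst", as in "load-balance method src ip" / "dst ip".
    key = src if method == "src" else dst
    return NODES[bucket(key) % len(NODES)]

def path(client, server, inside="src", outside="dst"):
    # Forward packets enter the INSIDE service, replies enter the OUTSIDE service.
    forward = node_for(client, server, inside)
    reply = node_for(server, client, outside)
    return forward, reply

def asymmetric(flows, inside="src", outside="dst"):
    # Flows whose two directions would cross different firewalls.
    return [f for f in flows if len(set(path(*f, inside, outside))) == 2]

# Constructed sample conversations: (client, server).
FLOWS = [
    ("10.10.10.5", "203.0.113.9"),
    ("10.10.10.6", "203.0.113.9"),
    ("10.10.10.23", "203.0.113.80"),
    ("10.10.10.40", "203.0.113.20"),
]

if __name__ == "__main__":
    print("src/dst pairing:", asymmetric(FLOWS))
    print("src/src pairing:", asymmetric(FLOWS, "src", "src"))
```

With the src/dst pairing the hash key is the client address in both directions, so no flow is split; with src/src the reply is hashed on the server address and only lands on the same node by coincidence.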