Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2037
Views
5
Helpful
1
Replies

ACI and external Firewall Cluster - Recommendation

udo.konstantin
Level 1
Level 1

‎04-03-2018 10:31 PM - edited ‎03-01-2019 05:30 AM

Hello, 

 

we need a recommendation for connecting a Checkpoint Firewall Cluster to a ACI fabric. It should be a layer 3 connectivity and each Cluster member must be connected to a different leaf switch. 

Between the Cluster and the ACI fabric there is a transfer network and the cluster is working in active/standby. 

I noticed there are different solutions to solve this.

1. HSRP VIP on ACI side - > CP Cluster has a static route to this VIP 

2. SVI on ACI side - > CP Cluster has a static route to this SVI IP Address

...tbd

 

There is no Portchannel between the fabric and the CP cluster. There are single connections. The CP Cluster has also a VIP configured and each physical interface has its own IP Address. From the fabric there a static routed pointing to the firewall VIP. 

 

Are there any best practices for this design? 

 

Thanks 

Udo 

Labels:
0 Helpful
1 Reply 1

Alexander Deca
Level 1
Level 1

‎04-12-2018 03:50 AM

Hi Udo,

 

We did the setup with a CP FW cluster (Active/Standby) spanning 2 different datacenters, we do have vPC's between the CP and the leaf switches per datacenter. We configured a L3Out in the common tenant so this can be used by different tenants (on a per needed base).

 

We solved this with using SVI interfaces, meaning configuring a /28 for each vPC we have (.1 VIP CP, .2 CP1, .3 CP2 and .4 LF1 [side A IP] and .5 LF2 [side B IP].

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License