Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
476
Views
0
Helpful
1
Replies

ACI connectivity for Active-Standby ASA FWs (no vPC)

womblefoot
Level 1
Level 1

‎10-18-2022 06:52 AM - edited ‎10-18-2022 06:55 AM

Hello community

I'm quite new to ACI so bear with me.

I am trying to get eBGP L3Outs working from ACI to an active/standby pair of ASA firewalls (Picture attached). I want resilient BGP peerings that will failover when the ASA fails over. Using routed sub-interfaces I have managed to get BGP running between Leaf 1 and the active ASA and after ASA failover I get BGP between Leaf 2 and the *new* active ASA but never the two peerings at the same time.

I tried moving to a Bridge Domain model and could get IP connectivity from the leaf switches to the active/standby IP addresses but L3Outs wouldn't work. 

Essentially, I'm after an L2 interconnect that will allow resilient eBGP peerings. I've seen a few posts about active/standby firewall connections but they seem to focus on static routing only. 

Chasing my tail at the moment so any ideas/solutions appreciated. Thanks.

Labels:
Preview file
71 KB
0 Helpful
1 Reply 1

Dirk Feldhaus
Level 1
Level 1

‎10-20-2022 10:11 AM

Hello, we have that setup quite often, although with Juniper firewalls and not Cisco ASA. I guess the trick is to use an SVI in the L3Out interface policy instead of routed subinterfaces. Every border leaf will get an unique IP adress within the network used here. On the firewall you can configure both ACI leafs as BGP peers. That should even work in a multi-pod fabric with the firewall nodes in different pods.

0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License