Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
550
Views
0
Helpful
1
Replies

ACI L3Out Routed Ports to Active/Passive Firewall

pgerstenberger
Level 1
Level 1

‎10-17-2022 01:17 AM

Hi all,

is it possible and recommended to connect a active/passive firewall (Cisco Firepower) with a L3Out to Cisco ACI without SVI? Instead of SVI we want to use routed port because we need multicast support on this L3Out. Multicast over SVI is not supported yet in our ACI version.

POD1:
Leaf101/Leaf102 -> active firewall with routed port

POD2:
Leaf201/Leaf202 -> passive firewall with routed port

 

Thanks in advance.

Labels:
0 Helpful
1 Reply 1

Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎10-26-2022 06:03 AM

Hi @pgerstenberger

I suppose you plan on configuring same subnet on both Leaf101/102 and Leaf201/202 with identical secondary IP address, right?

With dynamic routing protocols I guess should work without any issues, since the external routes will be learned only behind the BLs where active FW is located. With static routing, the APIC will push the static route to all 4 BL, regardless if the next hop is responding or not to ARP. In other words, on non-BL leafs, you will see the route learned through both Leaf101/102 and Leaf201/202, with local pod preference. So there will be problems there.

This is just an educated guess, not sure if is really right or not. Needs to be checked in lab and at the moment I don't have enough resources to test.

 

Take care,

Sergiu

 

0 Helpful
Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License