ACI L3Out to Firewall

Rami Younis · ‎02-10-2021

Hi,

i have an issue when trying to configure L3Out using SVI over VPC with redundant firewalls using static route

i cannot configure 4 IP addresses (same subnet) for two different VPC interfaces as each firewall uplinks should be single PC

is there a best practice document from Cisco clarifying this type of connectivity or if someone tried this type of connectivity

Regards

Rami

Sergiu.Daniluk · ‎02-10-2021

Hi @Rami Younis

You only need 2 SVIs, one on each Leaf, with a common secondary IP address used as next hop on the firewall.

Figure 26 from ACI L3Out whitepaper looks similar with what you have, except is only one router connected.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html#F26

Stay safe,

Sergiu

Rami Younis · ‎02-11-2021

Hi Sergiu,

thank you for you help

the issue i found on the configurations i did that both SVI's should be same IP addresses, when i changed this it works fine

but i had another issue after that, i am trying to configure 2 x L3out each for separate physical domain but same VRF, is this will work since after establishing the connectivity for both L3out only one is reachable from the firewall

Regards

Rami

Sergiu.Daniluk · ‎02-11-2021

Hi @Rami Younis

You do not need 2x separate L3Outs. You only need one.

Check this article on how to configure L3Out for interconnecting with Active/Standby firewalls:

https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/

Cheers,

Sergiu

Rami Younis · ‎02-11-2021

Hi Sergiu,

thank you for the reply

i totally understand your concern

what i have here is a requirement from client that a group of VLANs need to have separate L3Out and the other group of VLANs on another L3Out as the firewall has two VRFs but from the ACI is two domains/vlan pools under same VRF

is this scenario applicable ?

Regards

Rami

Sergiu.Daniluk · ‎02-11-2021

Ahhhhh I got it now.

let's break it down to basics: you need two L3outs because you have to separate the VRFs on the firewall. That means, on ACI, you will need to create the two L3Outs and for communication with the firewall you will be using two distinct vlans, one for each L3Outs.

Now from perspective of the L3Outs, you can use the same L3 domain, pointing to a single vlan pool, which contain both vlans used for l3out neighborship).

if you already have the vlans used for L3out neighborship in separate vlan pools, then sure, you can use different L3 domains without any problems.

if you have problems with the cfg, and the communication over L3out does not work, share the config you have, plus check if you have any faults.

Stay safe,

Sergiu

MatteoBolognino6613 · ‎07-28-2021

Hi,

I have this scenario:

2 leaf connected in vPC to a Palo Alto pair (4 physical links), I have to know:

- How many IPs do I have to configure from the Palo Alto side?

- How many BGP sessions each Palo Alto should have with the leaves?

From the Leaf side, I think is enough to configure 2 SVI (one per leaf) within the same subnet with a shared secondary IP for L3OUT. Is it correct?

Can you help me?

Thanks