04-29-2019 03:41 AM
Hello Folks,
The question is regarding a Brownfield migration to ACI. Please find the scenario below.
In the existing switch:
Server gateway is VLAN 10
VLAN 10 - SVI 10.0.0.1/24
VRF - Prod
We have around 5 servers whose DFW is 10.0.0.1
The same switch is connected to a Checkpoint firewall with switchport access VLAN 10
Routing from the existing switch to Checkpoint via the switch PRD VRF: ip route 0.0.0.0/0 10.0.0.12 [Checkpoint VIP]
Checkpoint to switch: ip route 10.0.0.0/24 10.0.0.1 [VLAN 10 SVI]
We need to replicate this setup in ACI without changing any IP address:
So server EPGs and BDs will be created and the BD will be configured with the VLAN 10 GW IP [10.0.0.1/24]
So we want to establish the L3Out connectivity towards the Checkpoint FW using transfer VLAN 10 [SVI 10]
As the customer is not willing to make any IP or routing change on the Checkpoint FW, is it possible to keep both the BD and L3Out SVI IP as the same IP?
Please suggest an alternate solution if the above solution is not feasible.
05-02-2019 11:27 PM - edited 05-02-2019 11:27 PM
No. BDs use ACI endpoint learning semantics and will learn /32 or /128 IPs only. You can't have /0 or longer routes pointing at a BD connected IP (with the exception of /32 and /128 host routes). You need to use a Layer 3 Out for this.
05-03-2019 12:03 AM
Thank you. The customer requirement was to keep the same subnet range in the BD as well as in the L3Out SVI. But we have conveyed to the customer that the BD subnet and the L3Out subnet can't be in the same range, so the L3Out SVI VLAN must be in a different subnet in order for routing to happen externally.
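The rule stated in the answer above (a BD only learns /32 and /128 host endpoints, so a non-host static route cannot point at a BD-connected next hop, and the L3Out SVI must live in a different subnet from the BD) can be turned into a pre-migration sanity check. The script below is an added example, not code from any poster or from Cisco; it checks a proposed ACI mapping against those two constraints using Python's standard ipaddress module. The BD gateway 10.0.0.1/24 and the default route to 10.0.0.12 are taken from the thread; the alternative transfer subnet 10.0.1.0/30 with next hop 10.0.1.2 and the 203.0.113.9/32 host route are constructed values to illustrate the passing case and the host-route exception.

```python
"""Pre-migration check for moving an existing SVI/VRF design into ACI.

Constraints checked (as described in the thread):
  1. An L3Out SVI subnet must not overlap any bridge-domain (BD) subnet.
  2. A static route whose next hop sits inside a BD subnet is not valid,
     unless the route is a /32 or /128 host route (the stated exception).
"""
from __future__ import annotations

import ipaddress
from typing import Dict, Iterable, List, Tuple, Union

IPNet = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Route = Tuple[str, str]  # (destination prefix, next hop address)


def subnet_of(interface: str) -> IPNet:
    """'10.0.0.1/24' -> 10.0.0.0/24: the subnet a BD gateway or SVI sits in."""
    return ipaddress.ip_interface(interface).network


def is_host_route(prefix: str) -> bool:
    """True for /32 (IPv4) or /128 (IPv6) destinations."""
    net = ipaddress.ip_network(prefix, strict=False)
    return net.prefixlen == net.max_prefixlen


def find_bd_l3out_overlaps(bd_gateways: Iterable[str],
                           l3out_svis: Iterable[str]) -> List[Tuple[str, str]]:
    """Return every (BD gateway, L3Out SVI) pair whose subnets overlap."""
    hits = []
    for bd in bd_gateways:
        for svi in l3out_svis:
            if subnet_of(bd).overlaps(subnet_of(svi)):
                hits.append((bd, svi))
    return hits


def find_routes_into_bd(routes: Iterable[Route],
                        bd_gateways: Iterable[str]) -> List[Route]:
    """Return routes whose next hop lies in a BD subnet, ignoring host routes."""
    bd_nets = [subnet_of(g) for g in bd_gateways]
    bad = []
    for prefix, next_hop in routes:
        if is_host_route(prefix):
            continue  # /32 and /128 routes toward a BD-connected IP are allowed
        nh = ipaddress.ip_address(next_hop)
        if any(nh in net for net in bd_nets):
            bad.append((prefix, next_hop))
    return bad


def validate_plan(bd_gateways: List[str], l3out_svis: List[str],
                  routes: List[Route]) -> Dict[str, object]:
    """Combine both checks; 'ok' is True only when nothing was flagged."""
    overlaps = find_bd_l3out_overlaps(bd_gateways, l3out_svis)
    bad_routes = find_routes_into_bd(routes, bd_gateways)
    return {
        "ok": not overlaps and not bad_routes,
        "overlaps": overlaps,
        "routes_into_bd": bad_routes,
    }


# Constructed from the thread: BD keeps the existing VLAN 10 gateway.
BD_GATEWAYS = ["10.0.0.1/24"]

# What the customer asked for: L3Out SVI on the same subnet, default
# route to the Checkpoint VIP that now sits inside the BD subnet.
REQUESTED = {
    "l3out_svis": ["10.0.0.1/24"],
    "routes": [("0.0.0.0/0", "10.0.0.12"), ("203.0.113.9/32", "10.0.0.20")],
}

# Hypothetical alternative: a separate transfer subnet for the L3Out
# (10.0.1.0/30 and next hop 10.0.1.2 are assumed values, not from the thread).
ALTERNATIVE = {
    "l3out_svis": ["10.0.1.1/30"],
    "routes": [("0.0.0.0/0", "10.0.1.2"), ("203.0.113.9/32", "10.0.0.20")],
}

if __name__ == "__main__":
    for name, plan in (("requested", REQUESTED), ("alternative", ALTERNATIVE)):
        print(name, validate_plan(BD_GATEWAYS, **plan))
```

Running it flags the requested design twice (subnet overlap and a default route pointing into the BD) while the alternative with a dedicated transfer subnet passes; the /32 host route toward a BD address is accepted in both cases, matching the exception stated in the answer.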