ACI Multi-Pod with Redundant firewalls?

m1xed0s · ‎05-11-2023

It could be any branded firewalls but for simplicity, lets just use ASA within a two-Pod multipod fabric as an example for this post...

If I remember correctly, within a Single Pod ACI Fabric, the redundant ASA management links (including the HA link or control link) are recommended to NOT be connected through the ACI fabric, especially when using Service Graph.

Now coming to the ACI Multi-Pod with redundant firewalls, high-level speaking, Cisco supports and recommends to deploy redundant firewalls/ASAs in two ways:

Active/Standby pair with one ASA in Pod 1 and the other ASA in Pod 2.
Active/Active firewall cluster with multiple ASAs spread across two Pods.

So my questions:

For the Active/Standby ASA pair, how would the two ASAs to be connected for HA links? Through the ACI Multi-Pod fabric?
For the Active/Active Cluster, how would the control links be connected for the ASAs located in two Pods?

abhjha2 · ‎06-06-2023

Hi,
I would say that if the distance between ASA1 and ASA2 is short enough that you can connect them back-to-back even being in a multi-pod deployment, do it that way. Otherwise, you can create a BD/EPG specific for device synchronization/control.

-----------------------------------------
If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco ACI through our live Ask the Experts (ATXs) session. Check out the ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.
-----------------------------------------