Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
548
Views
0
Helpful
2
Replies

ACI MultiPod Independet Firewalls per pod

Go to solution
neroshake
Level 1
Level 1

‎10-23-2022 11:16 PM

Hello Team,

Have a quick question about ACI MultiPod fabric and Firewall design. The goal is to have a cluster of two Firepower 4112s in the first Pod and separate/standalone single Firepower 4112 in the second Pod (I cant afford a split spanned Ethrchannel between Pods since my DCI link is just 1Gbps). The issue is that in both Pods firepowers should be default gateways for attached EPGs for North-South inspection. So the interface on Firepower will have 192.168.x.1/24 IP address and this IP should be the Gateway on the VMs in attached EPGs. When the VMs in EPG move to the second Pod (no Live vMotion, just shutdown and restart) they should keep their IP address and reach the GW with the same IP but in another Pod. How can I accomplish this in the ACI Fabric?

Thank you!
Nero.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎10-25-2022 12:50 AM

Hi @neroshake 

Because you have independent clusters in each pod, meaning both will be active forwarding and responding to ARP requests, you cannot configure both clusters in the same layer 2 domain with the same IP address. This will generate duplicate IP address.

One way to solve this is to move the GW to ACI. This way you will have the same distributed anycast gateway configured in both Pods, and you will not need to reconfigure your servers. And with the firewalls, you can configure a L3Out to both clusters and have a default route for NS traffic to both of them.

 

Cheers,

Sergiu

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎10-25-2022 12:50 AM

Hi @neroshake 

Because you have independent clusters in each pod, meaning both will be active forwarding and responding to ARP requests, you cannot configure both clusters in the same layer 2 domain with the same IP address. This will generate duplicate IP address.

One way to solve this is to move the GW to ACI. This way you will have the same distributed anycast gateway configured in both Pods, and you will not need to reconfigure your servers. And with the firewalls, you can configure a L3Out to both clusters and have a default route for NS traffic to both of them.

 

Cheers,

Sergiu

0 Helpful

Go to solution
neroshake
Level 1
Level 1
In response to Sergiu.Daniluk

‎11-30-2022 12:25 AM

Hello Sergiu! Thanks a lot! Nero.

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License