ACI multipod with vPC HA FW

Fairytale16
Level 1

Hi All,

I need your assistance to check whether the following configuration is going to work and whether there are any drawbacks/caveats.
So far I have identified OSPF convergence time and the impact on a relatively large area 0 (legacy design).

Solution details:
I have ACI Multipod over 2 DCs.
Version: 6.0
I'm looking to deploy a Palo Alto HA physical cluster stretched across the DCs.
The firewall cluster is going to receive a default route from 2 WAN routers and then advertise it to ACI via OSPF.
I've checked some configurations and come up with the following:
Interconnect subnet: 10.0.0.0/28
Single L3Out with OSPF P2P policy and SVI:
vPC1 (POD1)
Encap: 205
IP A: 10.0.0.2
IP B: 10.0.0.3
Secondary IP: 10.0.0.1


vPC2 (POD2)
Encap: 205
IP A: 10.0.0.5
IP B: 10.0.0.6
Secondary IP: 10.0.0.1

Firewall will have an Aggregated interface (ae1.205)
IP: 10.0.0.7


Kind regards,

Paul

1 Accepted Solution

Remi-Astruc
Cisco Employee

Hi @Fairytale16 ,

That is valid.

However, set the OSPF policy to Broadcast instead of P2P, and the Secondary IP on the leaves is useless when peering with OSPF.

Remi Astruc

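Added example, not code from the original post, from Cisco or from Palo Alto: a small Python linter that takes the addressing plan from the post and checks it against the two corrections in the accepted answer. The VLAN, the /28 and the addresses are Paul's; the finding codes, the hypothetical `external_static_next_hops` field, and the rule that an OSPF point-to-point link joins exactly two routers (RFC 2328, section 1.2) are added here. Run on the plan as posted it flags the P2P policy (four leaf SVIs plus the firewall share VLAN 205) and the unused secondary IP; with Broadcast and no secondary it comes back clean.

```python
"""Address/OSPF plan linter for the L3Out design discussed above (added example)."""
from __future__ import annotations

from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Interface, IPv4Network


@dataclass
class LeafSvi:
    """One leaf's SVI on the L3Out encap (side A or B of a vPC pair)."""
    pod: str
    side: str
    addr: IPv4Interface


@dataclass
class L3OutPlan:
    encap: int
    subnet: IPv4Network
    leaves: list[LeafSvi]
    secondary: IPv4Interface | None   # shared vPC secondary, or None
    ospf_network_type: str            # "p2p" or "broadcast"
    # Hypothetical field: next hops that external devices reach via static
    # routes. A shared secondary IP is only justified if something points at it.
    external_static_next_hops: set[IPv4Address] = field(default_factory=set)


@dataclass
class FirewallIf:
    name: str
    addr: IPv4Interface


def lint_plan(plan: L3OutPlan, fw: FirewallIf) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means the plan is clean."""
    findings: list[tuple[str, str]] = []
    ifs = [(f"{l.pod}/{l.side}", l.addr) for l in plan.leaves] + [(fw.name, fw.addr)]
    if plan.secondary is not None:
        ifs.append(("secondary", plan.secondary))

    # 1. Every address must be a host address inside the interconnect subnet.
    for name, ifc in ifs:
        if ifc.network != plan.subnet:
            findings.append(("WRONG_SUBNET", f"{name} {ifc} is not in {plan.subnet}"))
        elif ifc.ip in (plan.subnet.network_address, plan.subnet.broadcast_address):
            findings.append(("RESERVED_ADDRESS", f"{name} uses {ifc.ip}"))

    # 2. Primary addresses must be unique; only the secondary is shared by design.
    seen: dict[IPv4Address, str] = {}
    for name, ifc in ifs:
        if name == "secondary":
            continue
        if ifc.ip in seen:
            findings.append(("DUPLICATE_ADDRESS", f"{name} and {seen[ifc.ip]} both use {ifc.ip}"))
        seen[ifc.ip] = name
    if plan.secondary is not None and plan.secondary.ip in seen:
        findings.append(("SECONDARY_COLLIDES", f"secondary {plan.secondary.ip} is also {seen[plan.secondary.ip]}"))

    # 3. All leaf SVIs and the firewall sit on one VLAN, so the segment carries
    #    len(leaves) + 1 OSPF routers. A point-to-point link joins exactly two
    #    routers (RFC 2328 section 1.2); more than that needs Broadcast.
    routers = len(plan.leaves) + 1
    if plan.ospf_network_type == "p2p" and routers > 2:
        findings.append(("OSPF_P2P_MULTIACCESS",
                         f"{routers} routers share VLAN {plan.encap}; set the OSPF "
                         "interface policy to Broadcast instead of P2P"))

    # 4. With dynamic peering the next hop is learned, so a secondary IP that no
    #    static route points at is just one more address to keep consistent.
    if plan.secondary is not None and plan.secondary.ip not in plan.external_static_next_hops:
        findings.append(("SECONDARY_UNUSED",
                         f"secondary {plan.secondary.ip} is not a static next hop for anything"))
    return findings


def lint_codes(plan: L3OutPlan, fw: FirewallIf) -> list[str]:
    return [code for code, _ in lint_plan(plan, fw)]


# Values from the original post.
INTERCONNECT = IPv4Network("10.0.0.0/28")
FIREWALL = FirewallIf("ae1.205", IPv4Interface("10.0.0.7/28"))
LEAVES = [
    LeafSvi("POD1", "A", IPv4Interface("10.0.0.2/28")),
    LeafSvi("POD1", "B", IPv4Interface("10.0.0.3/28")),
    LeafSvi("POD2", "A", IPv4Interface("10.0.0.5/28")),
    LeafSvi("POD2", "B", IPv4Interface("10.0.0.6/28")),
]


def original_post_plan() -> L3OutPlan:
    """The plan as posted: P2P policy plus a shared secondary 10.0.0.1."""
    return L3OutPlan(205, INTERCONNECT, list(LEAVES), IPv4Interface("10.0.0.1/28"), "p2p")


def corrected_plan() -> L3OutPlan:
    """The plan after the accepted answer: Broadcast, no secondary."""
    return L3OutPlan(205, INTERCONNECT, list(LEAVES), None, "broadcast")


if __name__ == "__main__":
    for label, plan in (("as posted", original_post_plan()), ("corrected", corrected_plan())):
        print(f"{label}: {lint_plan(plan, FIREWALL) or 'no findings'}")
```

The subnet and duplicate checks are there because the same /28 gets typed by hand on four leaves in two pods; a typo that lands a leaf SVI on the firewall's address, or outside the /28, shows up as `DUPLICATE_ADDRESS` or `WRONG_SUBNET` before it shows up as a flapping adjacency.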

2 Replies


Dubois3
Level 1

Your proposed solution involves deploying a Palo Alto HA Physical cluster stretched across two data centers (DCs) with ACI Multipod, using OSPF for routing between the firewall cluster and ACI.

Here are some considerations and potential drawbacks to be aware of:

1. **OSPF Convergence Time**: As you've identified, OSPF convergence time can be a concern, especially in a large area 0 network. Convergence time refers to the time it takes for the network to stabilize after a change in the network topology. In a large OSPF area, convergence time can be longer due to the time it takes for LSAs (Link State Advertisements) to propagate throughout the area. This can impact network stability and performance during topology changes.

2. **Stretched Cluster Considerations**: Stretching a firewall cluster across two data centers introduces additional complexity and potential points of failure. It's essential to ensure that the data center interconnect (DCI) between the two sites is highly resilient and low-latency to support synchronous replication between the firewall nodes.

3. **Data Center Interconnect (DCI)**: The effectiveness of the stretched firewall cluster depends on the reliability and performance of the DCI. Any issues or outages in the DCI can impact the availability and performance of the firewall services.

4. **ACI Integration**: Integrating the firewall cluster with ACI using OSPF requires careful configuration to ensure proper routing and failover behavior. Make sure to test the integration thoroughly and consider any limitations or requirements specific to your ACI deployment.

5. **IP Addressing and Subnetting**: Ensure that the IP addressing scheme and subnetting design align with best practices and accommodate future growth and scalability requirements.

6. **High Availability and Failover**: Verify that the Palo Alto firewall cluster is configured for high availability (HA) and that failover behavior is tested and validated to ensure seamless failover in the event of a node or link failure.

7. **Security Considerations**: Review and implement appropriate security measures to protect the stretched firewall cluster, including access control, encryption, and intrusion detection/prevention.

8. **Vendor Support and Best Practices**: Consult with Palo Alto Networks and Cisco (for ACI) for recommended deployment practices and ensure that your deployment aligns with vendor guidelines and best practices.

Overall, while stretching a firewall cluster across two data centers can provide geographic redundancy and high availability, it also introduces complexity and potential challenges. Thorough planning, testing, and monitoring are essential to ensure the success and reliability of the deployment.
