10-20-2018 12:05 AM - edited 03-01-2019 05:40 AM
Dears
I have ACI acting as L2 between the distribution switch, the server farm and the load balancer. We are going to migrate the HA firewalls onto ACI, and also change the routing between the distribution switch and ACI to L3 OSPF.
My questions:
1- After configuring L3 static routing between the FW (which is the gateway for the server farm) and ACI, L3 routing will be in the same domain and the same VRF. I need to redistribute these static routes into the L3 OSPF between ACI and the distribution switch so they are routed outside. I need to verify whether there is any need to create a new BD or EPG for the HA firewalls.
Please help me share the static routes of the HA FW gateway so that they are learned by OSPF.
10-21-2018 01:35 AM
10-23-2018 06:17 AM
Hello,
I am having some trouble understanding your case. As I understand, ACI will be the GW for the Endpoints connected there (so far, ACI is layer2 so the GW for those subnets is elsewhere), but then you mention that the FW will be the GW for the servers, so... you think of having 2 GWs on the same subnets?
How would you expect traffic to be after migration? Here are some incomplete ideas:
Server => BD ACI => FW IP inside as GW | FW IP outside => L3 interco => ( ACI L3out to FW | ACI L3out to Core ) => L3 Interco => Core Router
Server => BD ACI => ACI BD as GW => ACI L3out to FW => L3 interco => ( FW inside | FW outside ) => ( ACI L3out to FW | ACI L3out to Core) => L3 Interco => Core Router
10-23-2018 07:25 AM
Server => BD ACI => FW IP inside as GW | FW IP outside => L3 interco => ( ACI L3out to FW | ACI L3out to Core ) => L3 Interco => Core Router
Yes, the above is correct. How will the core switch receive the L3 routes of the firewall?
e.g.
web_app subnet 10.x.y.z/24, whose GW is a firewall. How can I advertise 10.x.y.z/24 to the L3out OSPF between the core switch and ACI?
10-24-2018 10:20 AM
Hello,
This would seem to be a case for Transit Routing using OSPF, possibly using the same Border Leaf.
Some information:
https://learningnetwork.cisco.com/docs/DOC-33572
So I would say that your FW needs to start speaking OSPF with ACI, announcing the subnets for which it is the GW. ACI will receive those OSPF Routes via its L3out_FW and pass them along to the Core using L3out_Core.
If you want the FW, ACI and Core to share the same OSPF Area (I guess area 0), then you need only 1 L3out for all. If you want area separation, then you need 2 L3outs. Of course, you need to set up Route Export configuration and perhaps contracts to allow Transit Routing inside the same L3out.
So, FW announces subnets over OSPF to ACI. ACI lets the routes and the traffic pass along to the Core. For the way back, FW can have just a static default route to ACI, which has also a default route to Core.
Hope this helps.
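As an added illustration of the two-L3out transit routing design described in this reply (not configuration from the original thread), the following ACI REST XML fragment marks the FW-advertised subnet as an Export Route Control Subnet on the Core-facing L3out and ties the two external EPGs together with a contract. Tenant, VRF, L3out, EPG and contract names are assumed, the subnet 10.10.10.0/24 is a constructed stand-in for the thread's 10.x.y.z/24, and the node/interface profiles of each L3out are assumed to already exist.

```xml
<polUni>
  <fvTenant name="Prod">
    <!-- Contract permitting traffic between the two external EPGs; -->
    <!-- transit traffic in ACI is still subject to contracts.        -->
    <vzBrCP name="permit-transit" scope="context">
      <vzSubj name="any">
        <vzRsSubjFiltAtt tnVzFilterName="default"/>
      </vzSubj>
    </vzBrCP>

    <!-- L3out toward the HA firewall pair (assumed name) -->
    <l3extOut name="L3out_FW">
      <l3extRsEctx tnFvCtxName="VRF1"/>
      <ospfExtP areaId="0.0.0.0" areaType="regular"/>
      <l3extInstP name="ExtEPG_FW">
        <!-- Classify the FW-owned server subnet into this external EPG. -->
        <!-- Constructed value standing in for the thread's 10.x.y.z/24. -->
        <l3extSubnet ip="10.10.10.0/24" scope="import-security"/>
        <fvRsCons tnVzBrCPName="permit-transit"/>
      </l3extInstP>
    </l3extOut>

    <!-- L3out toward the Core / distribution switch (assumed name) -->
    <l3extOut name="L3out_Core">
      <l3extRsEctx tnFvCtxName="VRF1"/>
      <ospfExtP areaId="0.0.0.0" areaType="regular"/>
      <l3extInstP name="ExtEPG_Core">
        <!-- Transit: re-advertise the route learned from the FW L3out -->
        <!-- toward the Core. Without export-rtctrl the route is learned -->
        <!-- by ACI but never announced on this L3out.                   -->
        <l3extSubnet ip="10.10.10.0/24" scope="export-rtctrl"/>
        <!-- Classify everything arriving from the Core side -->
        <l3extSubnet ip="0.0.0.0/0" scope="import-security"/>
        <fvRsProv tnVzBrCPName="permit-transit"/>
      </l3extInstP>
    </l3extOut>
  </fvTenant>
</polUni>
```

The same external-subnet prefix should not be classified with import-security in both L3outs of one VRF, which is why only the Core side uses 0.0.0.0/0 here.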