Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6367
Views
20
Helpful
16
Replies

ACI Static Routing L3OUT VPC Secondary IP

PatrickH1
Level 1
Level 1

‎03-20-2019 06:44 AM

Dear Community,

I have a question about L3OUT with static routes. We have the following scenario. The L3OUT is distributed over 4 Leafs, each with 2 VPC pairs (SVI).

 

The question: Can I assignto the SVIs one secondary IP address for all 4  Leafs, or do I need one Secondary IP per VPC pair?

 

I Listed both in the following with #1 and #2

 

#1

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

 

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

 

#2

VPC1

Leaf-1 (Side-A)

Primary Address = IP address A

Secondary Address = IP address X

Leaf-2 (Side-B)

Primary Address = IP address B

Secondary Address = IP address X

 

VPC2

Leaf-3 (Side-A)

Primary Address = IP address A

Secondary Address = IP address Y

Leaf-4 (Side-B)

Primary Address = IP address B

Secondary Address = IP address Y

 

It would be good if you also find a document from Cisco describing this.

 

Kind Regards

 

Patrick

1 person had this problem
Labels:
0 Helpful
16 Replies 16

ksatish01
Level 1
Level 1
In response to micgarc2

‎12-04-2021 09:15 PM

Thank you, yes all of the interfaces are in the same broadcast domain, and ACI is the gateway for endpoints.. the attached diagram is for reference.

 

So, In Normal conditions, all 4 leaf switches will process the traffic for the primary IP, and send the traffic to the firewall on their own using MAC of the Firewall VIP, regardless of which FW is active?

(assume routing is configured on the leaf SW with the FW VIP as next hop)

 

For example, If there is any traffic flow from ACI to the outside network through the firewall, the following will be the possibilities : -

if the endpoint sends the traffic to Leaf1, then the traffic will flow "Leaf1 --> active firewall

if the endpoint sends the traffic to Leaf2, then the traffic will flow "Leaf2 -->active firewall

if the endpoint sends the traffic to Leaf3, then the traffic will flow "Leaf3 -->active firewall

if the endpoint sends the traffic to Leaf4, then the traffic will flow "Leaf4 -->active firewall

 

for the return traffic from the FW to an endpoint, always flow from the active firewall through one of the 2 leaf SWs that is directly connected to the firewall.. and then it will be routed towards the endpoint.

in my scenario,  leaf 1 or leaf 2 will always process the return traffic that is coming in with the primary IP.. and leaf 3 & 4 will not be receiving any traffic for the primary IP coming from the FW.

 

Please correct me if any of my understanding is wrong. Thank you.

 

Preview file
136 KB
0 Helpful

ChrisMac70330
Level 1
Level 1
In response to ksatish01

‎12-06-2021 02:28 AM

We are currently in the same situation just with 2 leafs, From my understanding from the FW team , the traffic always comes from the active node, if you need to scale up, you might want to read about the 400GB topics.

 

https://blogs.cisco.com/tag/400g

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License