ACI L3 Out to a Firewall

Hi Team,

I'd like to know what would be the best option to establish an L3 Out from an ACI leaf directly to a firewall. I thought of enabling HSRP on the ACI side; however, due to code versions I am not able to move beyond that.

The topology is: I have two Checkpoint firewalls and I have to connect them to the leaf switches (going to use a port-channel between firewall and switch).


Cisco Employee


There isn't anything too special about that configuration. To configure an L3 Out you would need to create your access policies for the port-channel connected from the FW to the leaf(s). Depending on whether you are using a vPC or a PC, the access policies will be configured a tad differently (the interface policy group will be set to PC or vPC). Once you create the access policies (switch profile, interface profiles) you will tie the interface policy group to an AEP. The AEP you can think of as a meeting point between your ports and VLANs. The external routed domain will be tied to the AEP and also associated to the L3 Out you create. Under the desired tenant you can create the L3 Out, tie the external routed domain and VRF, and create your node profiles and logical interface profiles (using SVIs, routed or sub-interfaces). Depending on the design of your Checkpoint FW you have the option of using a routing protocol or static routing when you create the L3 Out.

Let me know if you have any other questions.


Michael G.

Thanks Michael.

I believe I cannot use vPC since the firewalls are acting as an Active/Standby unit. My real concern is the return route from the firewall. The route in the firewall has to be pointed to a virtual IP. In this case I believe only an SVI gives me that option. I can be wrong. Please share your suggestions.

By the way, I thought of using HSRP; however, the limitation is that I have to upgrade the code, which at this stage is not possible. Hence I am planning to use other options.

You can still use a vPC with an SVI; you can just create a secondary IP address on ACI that can act as a virtual IP on ACI. Then you can point the static route on the firewall to the secondary address.

Thank you so much. Can you share any good article on this?

Hi Hemakumar,

I am not aware of a specific article for Active/Standby FW L3 out configuration but if you run into any issues or have questions when you are configuring it please let me know!


Michael G.

Thank you for participating in the Cisco Support Forum for ACI! If you have other questions related to this post, please let us know. If this response answers your questions, please mark this post "answered" and assign a rating to the response(s) provided. This will help notify other viewers that your question(s) is answered and this helps us provide better responses for this and future questions.


I have configured the L3 Out as a port-channel initially; now I am planning to move towards your idea of a vPC topology.


Can you help me with the configuration steps? I feel that under External Routed Network I have to set up only one Logical Node Profile?

Also, how does the fabric choose Site A & Site B for a leaf (I mean, which leaf would act as Site A & Site B if we have Leaf A & Leaf B)?


Hi Michael,


With regards to this topic, I am setting up a Multi-Pod ACI environment (the fabric is up and running), and what I would like to do is, as we have 2 internet connections (active/standby) per pod, connect the Checkpoint firewalls (active/standby mode) to the fabric; the heartbeat should traverse the ACI fabric.


The Checkpoint firewall will connect to 2 different leafs per pod using a vPC.


Any guidance on setting this up? The idea is to do eBGP with the firewall.





Hi Alexander, 


Were you able to find a solution? We are facing the same design but with Cisco ASA instead of Checkpoint, where we want one firewall connected via vPC to each pod, but we can't get it working however we do it. The best we have got so far is to set the secondary IP address for both vPCs in pod-1 and pod-2 to be the same. This makes traffic flows to the active firewall correct; however, our standby firewall loses connection due to getting ARP responses from the pod-1 L3Out MAC address, which causes traffic to the standby firewall to fail.


If we use different secondaries for the two vPCs, the traffic flow fails 50% of the time since traffic from the active firewall sometimes routes the traffic to pod-2. This can be solved with some basic traffic engineering so that pod-1 is prioritized. However, due to ASA's simple failover, where the standby firewall takes over all config and IP addresses from the active firewall when a failover happens, the standby firewall routes all traffic to pod-1 instead of pod-2, which causes the traffic to fail.


Regards, Marcus

Hey Marcus,


Yes, we did get this up and running, specifically for our Checkpoint L3Out (internet access) as well as our MPLS L3Out.


So I am assuming your vPCs are up and running and you created some VLAN pools (the one you are using between the firewall and the leaf switches (VLAN 2997) and the heartbeat VLAN (not sure if you are using this; we have a dedicated VLAN for this, VLAN 18)) and a routed external domain (for the MPLS out we are using a physical domain with VLANs 2990 - 2993); please refer to the attached screenshot.


We are using the L3Out and MPLS out in the common tenant (shared services for all other tenants); specifically for the L3Out we are using a /28 configured between the firewall(s) and the leaf switches (a single /28 for both POD1 and POD2), and for example if the range is (see screenshots):


  1. - VIP Checkpoint FW  (important because you will run eBGP and need to have SVI configured for the vPC with this)
  2. - Checkpoint FW POD1
  3. - Checkpoint FW POD 2
  4. - Site A IP (SVI within ACI Fabric) for vPC POD1
  5. - Site B IP (SVI within ACI Fabric) for vPC POD1
  6. - Site A IP (SVI within ACI Fabric) for vPC POD2
  7. - Site B IP (SVI within ACI Fabric) for vPC POD2 

This means your FW will build up 4 eBGP sessions (2 per pod, i.e. .36 and .37 for POD1 and .38 and .39 for POD2), the leaf switches will set up a BGP session with the VIP, and traffic will always go via the active firewall.


Hope this helps a bit.


Let me know if you need more info
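To make the two ideas in this thread concrete (Michael's shared secondary address on the vPC SVI that the firewall can route to, and Alexander's /28 with a per-leaf SVI address and eBGP toward the firewall VIP), here is an added example that builds the APIC JSON payload for such an L3Out. It is not code from the thread, from Cisco or from Checkpoint. Every tenant, VRF, L3 domain, node id, policy-group name, ASN and address in it is a constructed placeholder (the thread only mentions host octets .36-.39 and VLAN 2997), so substitute your own before posting it to an APIC.

```python
"""Added example, not code from the thread or from Cisco/Checkpoint: build the
APIC JSON for an L3Out terminating on SVIs over vPCs, with the same secondary
address on both vPC members (Michael's "virtual IP on ACI") and eBGP peering
to the firewall cluster VIP (Alexander's /28 design). Every tenant, VRF,
domain, node id, policy-group name and address is a constructed placeholder."""
import ipaddress
import json

# Constructed /28 (RFC 5737 TEST-NET-1); the thread only gives host octets .36-.39.
PLAN = {
    "fw_vip": "192.0.2.33",          # Checkpoint cluster VIP = the BGP neighbor
    "fw_pod1": "192.0.2.34",
    "fw_pod2": "192.0.2.35",
    "aci_pod1_a": "192.0.2.36",      # Site A SVI on the POD1 vPC
    "aci_pod1_b": "192.0.2.37",      # Site B SVI on the POD1 vPC
    "aci_pod2_a": "192.0.2.38",
    "aci_pod2_b": "192.0.2.39",
    "aci_secondary": "192.0.2.40",   # shared secondary: static-route target for the FW
    "prefixlen": 28,
}


def validate_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    net = ipaddress.ip_network(f"{plan['fw_vip']}/{plan['prefixlen']}", strict=False)
    hosts = {k: ipaddress.ip_address(v) for k, v in plan.items() if k != "prefixlen"}
    problems = [f"{k} {ip} is outside {net}" for k, ip in hosts.items() if ip not in net]
    if len(set(hosts.values())) != len(hosts):
        problems.append("an address is used twice")
    if {net.network_address, net.broadcast_address} & set(hosts.values()):
        problems.append("network or broadcast address used as a host")
    return problems


def vpc_svi_path(pod, node_a, node_b, pg, vlan, addr_a, addr_b, secondary, plen, vip, fw_asn):
    """One l3extRsPathL3OutAtt for a vPC SVI: per-side primary, shared secondary, VIP peer."""
    def member(side, addr):
        return {"l3extMember": {
            "attributes": {"side": side, "addr": f"{addr}/{plen}"},
            # l3extIp = secondary address; identical on A and B so the FW can route to it
            "children": [{"l3extIp": {"attributes": {"addr": f"{secondary}/{plen}"}}}]}}
    return {"l3extRsPathL3OutAtt": {
        "attributes": {"tDn": f"topology/pod-{pod}/protpaths-{node_a}-{node_b}/pathep-[{pg}]",
                       "ifInstT": "ext-svi", "encap": f"vlan-{vlan}"},
        "children": [
            member("A", addr_a), member("B", addr_b),
            # BGP peer toward the VIP; on a vPC path both leaves instantiate it
            {"bgpPeerP": {"attributes": {"addr": vip},
                          "children": [{"bgpAsP": {"attributes": {"asn": str(fw_asn)}}}]}}]}}


def build_l3out(plan, name="L3OUT-FW", vrf="VRF-SHARED", l3dom="L3DOM-FW", vlan=2997,
                fw_asn=65001, pods=((1, 101, 102, "VPC-FW-POD1"), (2, 201, 202, "VPC-FW-POD2"))):
    """Body to POST to https://<apic>/api/mo/uni/tn-common.json (placeholder objects)."""
    nodes, paths = [], []
    for (pod, na, nb, pg), (ka, kb) in zip(pods, (("aci_pod1_a", "aci_pod1_b"),
                                                  ("aci_pod2_a", "aci_pod2_b"))):
        for node in (na, nb):   # one logical node profile can hold the leaves of both pods
            nodes.append({"l3extRsNodeL3OutAtt": {"attributes": {
                "tDn": f"topology/pod-{pod}/node-{node}",
                "rtrId": f"10.255.{pod}.{node % 100}",   # constructed router-id
                "rtrIdLoopBack": "no"}}})
        paths.append(vpc_svi_path(pod, na, nb, pg, vlan, plan[ka], plan[kb],
                                  plan["aci_secondary"], plan["prefixlen"], plan["fw_vip"], fw_asn))
    return {"l3extOut": {"attributes": {"name": name}, "children": [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": vrf}}},
        {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{l3dom}"}}},
        {"bgpExtP": {"attributes": {}}},   # turns BGP on for this L3Out
        {"l3extLNodeP": {"attributes": {"name": "NODEP-FW"}, "children": nodes + [
            {"l3extLIfP": {"attributes": {"name": "IFP-FW"}, "children": paths}}]}},
        # external EPG: classify everything learned from the firewall (default route)
        {"l3extInstP": {"attributes": {"name": "EXT-ANY"}, "children": [
            {"l3extSubnet": {"attributes": {"ip": "0.0.0.0/0", "scope": "import-security"}}}]}}]}}


def expected_bgp_sessions(payload):
    """Leaf-to-VIP sessions: each bgpPeerP under a vPC path runs on both members."""
    total, stack = 0, [payload]
    while stack:
        obj = stack.pop()
        if isinstance(obj, list):
            stack.extend(obj)
            continue
        for cls, body in obj.items():
            kids = body.get("children", [])
            if cls == "l3extRsPathL3OutAtt":
                members = sum("l3extMember" in k for k in kids)
                peers = sum("bgpPeerP" in k for k in kids)
                total += members * peers
            stack.extend(kids)
    return total


if __name__ == "__main__":
    assert not validate_plan(PLAN), validate_plan(PLAN)
    print(json.dumps(build_l3out(PLAN), indent=2))
```

Running the script prints the payload; `validate_plan` catches the two mistakes that most often break this design (an SVI or VIP address outside the shared /28, or the same address used on two leaves), and `expected_bgp_sessions` confirms the four leaf-to-VIP sessions Alexander describes, since the single `bgpPeerP` under each vPC path is instantiated on both members. The shared `l3extIp` secondary is what a static-route firewall (Hemakumar's case) points at; with eBGP to the VIP it is optional but harmless.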



Hi Alexander,

Thanks for the answer!

I see why your solution works and ours does not. I have tried getting it working in a couple of different ways, by using secondary IPs for vPCs on the border leaf side and by connecting the BGP directly to the leafs, but I have been unsuccessful. As you say, the VIP on the firewall is important in the setup.

I am not sure if the ASA has any kind of configuration like this; I will have to read up on it a bit, I guess. The default way of building failover with ASA is just to let the standby firewall inherit all configuration from the active firewall when the current active firewall fails. This basically makes it impossible to build this kind of solution with an FHRP protocol (like HSRP) involved on the ASA peering, and it also makes traffic engineering with routing protocols non-existent, since the secondary firewall will always use the same paths as the primary did.

Thanks again!

Regards, Marcus

Hi Alexander,


Hoping you may be able to help me; apologies for hijacking this thread, but maybe this will be beneficial.


We are trying to set up the exact same thing as you, except we have a third FW in the cluster attached to a separate ACI fabric at our DR site.


All our FW cluster interfaces are in VLAN 155, and VLAN 155 is stretched across OTV. Will the ACI fabrics try to form an OSPF relationship, as they will all be in this Layer 2 broadcast segment?


Any help you can give appreciated.





Hey,


Not sure I understand the full picture of what you are trying to achieve; technically, adding a 3rd firewall to an HA setup does not matter. I assume your "sync" interface is in VLAN 155?


You are speaking about ACI domains; are you referring to single ACI fabrics, or Multi-Pod, or? We are running BGP with the Checkpoint clusters; those Checkpoints are connected via vPC to the leafs (L3Outs), and we are using SVIs with a /28 where you define an IP for each leaf and you peer with the VIP of the firewall.


Let me know if you need more info on this





Hi,


So we have the same setup, with two CPs in our HO and another CP in our DR, all in a cluster, and their cluster interface (inside interface) in a stretched VLAN 155.


We run a Dual Fabric with a stretched L2 across sites.


My question is:

1. Does the active CP FW with the VIP form an OSPF neighbor relationship over the stretched L2 to the second fabric?


I've attached the physical layout to give you an idea of how things are set up in terms of the L2.


We will be creating the same setup as you, with L3Outs and an SVI over a vPC to each firewall, but the OSPF hello packets will essentially be transferred over that VLAN 155 to the second fabric. Or am I wrong?


