BGP between ACI and firewall, strange routing learned to firewall

Geir Sand-Strand · ‎07-11-2024

I have an ACI fabric with 3 POD's. 2 leaf's in vpc in each POD.
To each leafpair in each POD, I have an Catalyst 4500X connected with port-channel.
And in POD1 and POD3 I have a Checkpoint firewall connected with port-channel.
The attached jpg-file shows more info about the issue.
The issue is that the active FW is connected to Leaf201/202, and the 3 Cat4500X are connected to 201/202, 401/402 and 601/602.
The l3out between FW are up, and the firewall learns the routes. But why does the firewall learn the subnet from 4500X-1 connected to Leaf201/202 from the IP of Leaf601?

Remi-Astruc · ‎07-11-2024

Hi @Geir Sand-Strand ,

We miss some L3Out details but from your diagram I assume the L3Out to FW is built with SVI and eBGP sessions are full meshed with all 4 Leaves 201, 202, 601, 602 (correct?).

Then from your FW perspective, all the 10.177.132 routes are 1 AS apart in ACI without specific distinction. If you want preference via L201/202 for 10.177.132.0/29, create a Route-map and BGP policy with high MED attribute and attach it to L601/602.

(btw, the subnet mask of your ACI-SW L3Outs should be written /29 instead of /28, no?)

Regards

Remi Astruc

AshSe · ‎07-15-2024

Hello @Geir Sand-Strand

Your subnet 10.177.132.8/28 in POD2 is incorrect. In fact 10.177.132.8 is one of the host address in the subnet 10.177.132.0/28 which is a subnet in POD1.

Could you please correct Subnet allocation first.