07-01-2018 07:09 PM - edited 03-01-2019 05:35 AM
Hi,
I am designing ACI connectivity to a Palo Alto firewall in Active/Standby mode. I just have a few queries:
1. Will it be possible to create a vPC to each firewall and have an L3Out to each?
2. Is there any white paper regarding connectivity to an active/standby firewall without L4-L7 integration in ACI?
regards,
Shahin
07-05-2018 09:17 AM
Hi Shahin,
In this particular scenario you can create a second vPC SVI and assign the same IPs as the first vPC. Note that since you have an active/standby FW setup, only the active FW should respond to ARP, so the fabric knows to which FW to forward the traffic.
07-03-2018 08:42 AM
Hi Shahin,
1) Technically yes, you can have a vPC from each FW to two leaf nodes on its own L3Out. My question is why couldn't you have both FWs vPC to your border leaf nodes on the same L3Out?
2) I don't know of any specific white paper, but in this scenario you can configure the L3Out as if you were configuring it to any external router.
07-03-2018 11:40 PM
Hi Manuel,
Thank you for your reply.
Have you done a vPC to an Active/Standby firewall pair and an L3Out to those firewalls?
In my scenario the firewalls are in active/standby mode. Once the active firewall fails, the secondary will take on that IP address. Now if I create a vPC to the primary firewall, I have to assign an SVI IP address to each leaf and a secondary IP as the next hop from the firewall. And for the second vPC to the secondary firewall, how do I assign the IP address? They have to be on the same subnet, as the next hop has to be the same from the firewall.
So my issue is not the vPC, it is the L3Out to the HA firewall.
Would really appreciate your comments.
Kind regards,
Shahin
07-06-2018 12:09 AM
Hi Manuel,
That is the answer I was after. Really do appreciate your help.
Kind regards,
Shahin
07-05-2018 11:07 PM
Hi,
When you create an L3Out for connectivity with the firewall in Active/Standby mode, an SVI-based L3Out needs to be configured, and regarding the IP addresses, please refer to the example below.
Palo Alto Virtual IP 10.0.0.1/24
ACI Leaf 1 Primary IP 10.0.0.4/24
ACI Leaf 1 Secondary IP 10.0.0.3/24 (Virtual)
ACI Leaf 2 Primary IP 10.0.0.5/24
ACI Leaf 2 Secondary IP 10.0.0.3/24 (Virtual)
The route on both leaves will be towards the Palo Alto virtual IP.
Regards,
Harshal
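As an added example that is not from any of the posters, here is a small Python check of the addressing plan Harshal lays out, extended to the two vPC paths (one per firewall) that Manuel recommends; leaf names, path names and the default-route prefix are assumptions.

```python
import ipaddress

# Constructed plan following the thread's example: one SVI L3Out with a vPC
# path to each firewall, both paths reusing the same leaf addresses (leaf
# primary IPs differ, the secondary/virtual IP is shared) and a static route
# on every leaf pointing at the firewall's floating IP.
FW_VIP = "10.0.0.1/24"
SVI_PATHS = {  # path name -> leaf -> (primary, secondary); names are assumed
    "vpc_fw_active":  {"leaf101": ("10.0.0.4/24", "10.0.0.3/24"),
                       "leaf102": ("10.0.0.5/24", "10.0.0.3/24")},
    "vpc_fw_standby": {"leaf101": ("10.0.0.4/24", "10.0.0.3/24"),
                       "leaf102": ("10.0.0.5/24", "10.0.0.3/24")},
}

def check_svi_plan(fw_vip, paths):
    """Return a list of problems with the addressing plan (empty = consistent)."""
    problems = []
    vip = ipaddress.ip_interface(fw_vip)
    leaf_primary = {}   # leaf -> set of primary IPs seen across paths
    virtuals = set()    # secondary IPs seen on any leaf/path
    for path, leaves in paths.items():
        for leaf, (primary, secondary) in leaves.items():
            pri, sec = ipaddress.ip_interface(primary), ipaddress.ip_interface(secondary)
            for label, addr in (("primary", pri), ("secondary", sec)):
                # every leaf address must live in the firewall's subnet
                if addr.network != vip.network:
                    problems.append(f"{path}/{leaf} {label} {addr} not in {vip.network}")
                if addr.ip == vip.ip:
                    problems.append(f"{path}/{leaf} {label} collides with firewall VIP")
            leaf_primary.setdefault(leaf, set()).add(pri.ip)
            virtuals.add(sec.ip)
    for leaf, ips in leaf_primary.items():
        if len(ips) != 1:  # a leaf must keep one primary IP on every path
            problems.append(f"{leaf} primary differs across paths: {sorted(map(str, ips))}")
    all_pri = [ip for ips in leaf_primary.values() for ip in ips]
    if len(all_pri) != len(set(all_pri)):
        problems.append("two leaves share a primary IP")
    if len(virtuals) != 1:  # the shared secondary is the firewall's next hop
        problems.append(f"secondary IP must be identical everywhere: {sorted(map(str, virtuals))}")
    elif virtuals & set(all_pri):
        problems.append("secondary IP collides with a leaf primary IP")
    return problems

def static_routes(fw_vip, paths, prefix="0.0.0.0/0"):
    """Static route each leaf needs: prefix via the firewall's floating IP."""
    nexthop = str(ipaddress.ip_interface(fw_vip).ip)
    leaves = {leaf for members in paths.values() for leaf in members}
    return {leaf: (prefix, nexthop) for leaf in sorted(leaves)}
```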