01-27-2020 07:37 AM - edited 01-27-2020 07:38 AM
Good afternoon,
We are configuring L3OUT using a shared secondary IP address with dynamic routing (BGP) to a Palo Alto Firewall. We have doubts about whether it is mandatory to configure VPC and whether dynamic routing is supported. Testing with single ports in trunk mode on different leaves (neither Po nor VPC) isn't working. We think that we need to deploy a VPC scenario, but we have not been able to find any documentation covering these requirements. Could somebody help us?
Thank you very much in advance,
Regards,
02-18-2020 08:06 AM
Hi @Daniel Blanco,
Yes, L3Out with BGP, OSPF, EIGRP and even Static Routes over vPC is supported.
A BGP session will be sourced only from a primary IP address of each interface even when secondary IP addresses are configured on the interface. Sourcing BGP sessions via secondary IPs is not supported.
This means, on your Palo Alto Firewall you need to configure:
You may find this documentation helpful.
ACI Fabric L3Out Guide
Best Regards.
02-10-2022 02:17 PM
Hi Hector,
If I want to create a static route on the firewall pointing to ACI, what should be the next hop IP?
Primary IP or Secondary IP on VPC?
If the static route on the firewall can be pointed to the secondary IP on ACI-VPC, is it the same as HSRP?