Re: Cisco ACI L3OUT with shared secondary IP address

Daniel Blanco · ‎01-27-2020

Good afternoon,

We are configuring L3OUT using shared secondary IP address with dynamic routing (BGP) to Palo Alto Firewall. We have doubts about if is necessary configure VPC mandatory and if dymanic routing are supported. Testing with single ports in trunk mode in different leaves (neither Po nor VPC) isn´t working. We think that we need deploy a VPC scenery but we cannot be able to find any documentation according with this requirements. Could somebody help us ?

Thank you very much in advanced,

Regards,

Hector Gustavo Serrano Gutierrez · ‎02-18-2020

Hi @Daniel Blanco,

Yes, L3Out with BGP, OSPF, EIGRP and even Static Routes over vPC is supported.

A BGP session will be sourced only from a primary IP address of each interface even when secondary IP addresses are configured on the interface. Sourcing BGP sessions via secondary IPs is not supported.

This means, on your Palo Alto Firewall you need to configure:

one BGP session to the primary IP of Border Leaf A
one BGP session to the primary IP of Border Leaf B

You may find this documentation helpful.

ACI Fabric L3Out Guide

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html

Best Regards.

bineesh_philip · ‎02-10-2022

Hi Hector,

If I want to create a static route on the firewall pointing to ACI, what should be the next hop IP?

Primary IP or Secondary IP on VPC?

If the static route on the firewall can be pointed to the secondary IP on ACI-VPC, is it the same as HSRP?