Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
763
Views
10
Helpful
2
Replies

Cisco ACI multiple devices under single l3out

Blaise.Hennessey
Level 1
Level 1

‎01-12-2023 08:52 AM

Hello everyone,

I want to get some clarification on what deployment method is preferred and what others are doing.

I have some Palo firewall chassis's that we are connecting to ACI all in the same OSPF area in the same L3out. To save on interfaces we are using shared interfaces for L3 and L2 (agggregates) so each Palo Vsys uses the same physical interfaces for L3 and L2.  I have a SVI configuration on the L3Out using Side A, B and Secondary IPs each vsys has its own /28. Is it best practice to have each Palo Vsys under its own Node Profile or Its own Interface Profile.  Since its shared the physical interfaces all go to the same pair of leafs (VPC).

In Summary whats preferred? Are there any caveats one way or the other?

This

PALOL3OUT->LEAFxxNodeProfile->PaloVsys1InterfaceProfile

PALOL3OUT->LEAFxxNodeProfile->PaloVsys2InterfaceProfile

etc

OR

PALOL3OUT->PaloVsys1NodeProfile->Vsys1InterfaceProfile

PALOL3OUT->PaloVsys2NodeProfile->Vsys2InterfaceProfile

etc

 

Thanks

 

 

Labels:
0 Helpful
2 Replies 2

Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎01-13-2023 11:44 PM

Hi @Blaise.Hennessey 

Multiple patterns are possible and all are programming the BL correct, but there are few guidelines which you must keep in mind:

1. If you use VPC border leafs, then VPC peers must be in the same Node Profile

2. If you use both Ipv4 and IPv6 on the same BL, then Logical Interface Profiles for ipv4 and ipv6 must be different, but the node profile can be the same

3. If you want to apply different policies at node/interface level (example different OSFP interface type) then the profiles must be different.

4. If the config is similar for all ext nodes, then it's better to keep it simple: single node profile, with single interface profile. Ofc this is subjective opinion, you might find it better as single node profile different interface profiles. Once again, if you do not fall under one of the restrictions above, you can choose whatever you find more simple for you.

 

Cheers,

Sergiu

 

 

 

 

Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎01-14-2023 06:04 AM

There is this slide from a Cisco ACI best practices, presented by Takuya Kishida (Cisco TME):

SergiuDaniluk_0-1673704953505.png

 

Take care,

Sergiu

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License