01-12-2023 08:52 AM
Hello everyone,
I want to get some clarification on what deployment method is preferred and what others are doing.
I have some Palo firewall chassis that we are connecting to ACI, all in the same OSPF area in the same L3Out. To save on interfaces we are using shared interfaces for L3 and L2 (aggregates), so each Palo Vsys uses the same physical interfaces for L3 and L2. I have an SVI configuration on the L3Out using Side A, B and Secondary IPs; each vsys has its own /28. Is it best practice to have each Palo Vsys under its own Node Profile or its own Interface Profile? Since it's shared, the physical interfaces all go to the same pair of leafs (VPC).
In summary, what's preferred? Are there any caveats one way or the other?
This
PALOL3OUT->LEAFxxNodeProfile->PaloVsys1InterfaceProfile
PALOL3OUT->LEAFxxNodeProfile->PaloVsys2InterfaceProfile
etc
OR
PALOL3OUT->PaloVsys1NodeProfile->Vsys1InterfaceProfile
PALOL3OUT->PaloVsys2NodeProfile->Vsys2InterfaceProfile
etc
Thanks
01-13-2023 11:44 PM
Multiple patterns are possible and all of them program the BL correctly, but there are a few guidelines which you must keep in mind:
1. If you use VPC border leafs, then VPC peers must be in the same Node Profile.
2. If you use both IPv4 and IPv6 on the same BL, then Logical Interface Profiles for IPv4 and IPv6 must be different, but the node profile can be the same.
3. If you want to apply different policies at node/interface level (for example, a different OSPF interface type), then the profiles must be different.
4. If the config is similar for all ext nodes, then it's better to keep it simple: a single node profile with a single interface profile. Of course, this is a subjective opinion; you might find it better as a single node profile with different interface profiles. Once again, if you do not fall under one of the restrictions above, you can choose whatever you find simpler for you.
Cheers,
Sergiu
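Guidelines 1 and 2 from the reply above, as an added example that is not part of the original thread: a small Python check run over a hand-written description of an L3Out. The dictionary layout, the leaf IDs 101/102 and the addresses are assumptions made for illustration; they are not APIC objects or values from the thread.

```python
import ipaddress

def check_l3out(node_profiles, vpc_pairs):
    """Return guideline violations for a hand-written L3Out description.

    node_profiles: {name: {"nodes": {leaf ids},
                           "if_profiles": {name: [addresses]}}}
    vpc_pairs: [(leaf_a, leaf_b), ...]
    The structure is hypothetical; it is not the APIC object model.
    """
    findings = []
    for name, profile in node_profiles.items():
        # Guideline 1: vPC peers must be in the same node profile.
        for pair in vpc_pairs:
            present = set(pair) & profile["nodes"]
            if len(present) == 1:
                findings.append(
                    f"{name}: vPC pair {pair} split, only leaf {min(present)} present")
        # Guideline 2: IPv4 and IPv6 need different logical interface profiles.
        for if_name, addrs in profile["if_profiles"].items():
            versions = {ipaddress.ip_interface(a).version for a in addrs}
            if versions == {4, 6}:
                findings.append(
                    f"{name}/{if_name}: IPv4 and IPv6 in one interface profile")
    return findings

VPC_PAIRS = [(101, 102)]  # constructed leaf IDs

# First layout from the question: one node profile, one interface profile per vsys.
# Addresses are constructed (side A, side B, secondary in a /28 per vsys).
SHARED_NODE_PROFILE = {
    "LEAFxxNodeProfile": {
        "nodes": {101, 102},
        "if_profiles": {
            "PaloVsys1InterfaceProfile": ["192.0.2.1/28", "192.0.2.2/28", "192.0.2.3/28"],
            "PaloVsys2InterfaceProfile": ["192.0.2.17/28", "192.0.2.18/28", "192.0.2.19/28"],
        },
    },
}

# A constructed mistake: per-vsys node profiles that each hold only one vPC peer,
# plus an interface profile that mixes address families.
SPLIT_PER_LEAF = {
    "PaloVsys1NodeProfile": {"nodes": {101},
        "if_profiles": {"Vsys1InterfaceProfile": ["192.0.2.1/28"]}},
    "PaloVsys2NodeProfile": {"nodes": {102},
        "if_profiles": {"Vsys2InterfaceProfile": ["192.0.2.17/28", "2001:db8::1/64"]}},
}
```

Per-vsys node profiles pass the same check as long as each one lists both vPC peers.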
01-14-2023 06:04 AM
There is this slide from a Cisco ACI best practices presentation by Takuya Kishida (Cisco TME):
Take care,
Sergiu