Cisco ACI multipod and firewalls cluster activ/activ or activ/stdby ?

ANAKIN_TN · ‎04-18-2022

Dear cisco community,

I need your help so let me expose yout he scenatio;

In case Cisco aci multipod fabric composed of 2 pods each pod is in a different Datacenter and connected over ipn network, i placed a cluster of 2 firewalls, in the pod 1 i put the activ firewall and in the pod 2 the standby.

Is this the best practice ?or should i use active/active firewalls ?

I have an issue when i switch roles between firewalls, when i activate the standby firewall and put the actif firewall ins standby it cuts, the virtual mac address of firewall clusters are seen by the fabric but detached and attached suddenly until it stabilizes, theres is something to avoid this ?

Thank you

Robert Burns · ‎04-19-2022

Best practice for a multipod deployment split across DCs would be for A/A, rather than A/S. The obvious reason is that you avoid hairpin routing when devices in the a pod need to reach the active FW in the other Pod. The other option is independent FW pairs for each Pod, which would provide an even higher level of redundancy.

For the issue you're seeing with A/S pairs, this may be due to the VIP/MAC moving between active nodes. There are a few tuning recommendations you can implement to mitigate this. Have you reviewed the L4-7 Whitepaper? These recommendations are well documented. https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739571.html

Robert

ANAKIN_TN · ‎04-21-2022

Hello,

The document describes scenarios but dont givbe any solution , it is a way to optimize the remote endpoint learning for active /standby firewall cluster through different pods ?

regards