03-09-2020 09:31 AM - edited 03-09-2020 09:44 AM
Hi All,
Working on ACI. I have to connect a physical hardware firewall (purely in unmanaged mode and without a service graph) to ACI leafs with dual-homed connectivity, along with vPC and L3Out.
No L4-L7 configuration is required, as we'll configure the firewall manually and will not manage it from APIC.
I only have a basic clue about the configuration. Could anyone please help and share configuration steps to achieve this scenario, or share an article with a sample configuration?
Rgds
***
***
03-09-2020 10:09 PM
Dear All,
Not sure why I am hardly getting any response on this forum. :-)
03-10-2020 12:41 AM
Hi @netbeginner ,
Not sure why I am hardly getting any response on this forum. :-)
Because when the answer is as simple as googling for 5 seconds, that does not excite the crowd ;-)
Anyway, I saved your 5 seconds:
03-10-2020 01:43 AM
Hi Remi, thanks for spending 15 seconds.
:-))
Probably you didn't read my question properly. I have requested a dual-homed L3Out configuration on ACI for a hardware firewall....
Adding a point here: since we are running short of interfaces on the firewall, we may have to create sub-interfaces on the firewall and on the ACI end as well, with L3Out.
03-10-2020 03:15 AM
Hi,
You can use
1- Service Graph in unmanaged mode, and APIC will not handle the FW, OR
2- you can use L3Out with vPC and sub-interfaces as you like (bottleneck)
In case it's an edge FW, I prefer to use L3Out; in case it's a Data Center FW, I prefer to use Service Graph.
03-10-2020 04:05 AM
Hi,
You will not use L3Out sub-interfaces when you need a Layer 2 connection between your 2 FW members. You will use the L3Out SVI feature.
If you don't find the first link to be as straightforward as you expected, let's try this one, which covers exactly your case step by step:
https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/
The detail of using vPC instead of a single link only differs in the step of defining the Path within the SVI object. Just ensure you are using Generation 2 leaves (EX, FX) and ACI 2.3 or above.
03-10-2020 10:45 AM - edited 03-10-2020 10:46 AM
Hi Friends,
Thanks for the responses, sounds good now.
But still, for everyone, to understand the actual scenario and to get the exact best configuration, I am attaching a proposed connectivity diagram here, as per which:
We have a Multipod (stretched) fabric across two locations (i.e. Site-1 & Site-2). We only have two hardware firewalls. One will be active at Site-1 and the other will remain in Standby state at Site-2 (or vice versa).
- The Active firewall will connect (multi-homed) to Leaf-1 and Leaf-2 of SITE-1. Similarly, the Standby firewall will also connect (multi-homed) to Leaf-1 and Leaf-2 of SITE-2.
- At the firewall level, we have to aggregate (club) the physical interfaces for dual homing to two leafs per site, and then create sub-interfaces of that aggregated interface to carry the traffic of multiple zones (as we don't have enough physical interfaces on the firewall).
- At the ACI end (leafs) we have to create the respective sub-interfaces with L3Out or the L3Out SVI feature. Not sure which is the best fit for our environment.
- Kindly note again, we are using the firewall in "unmanaged mode", will not create or use any "service graph", and will not do "L4-L7 integration" either. It would be plain external firewall connectivity just to manage and filter East-West and North-South traffic.
Diagram attached.
Before posting on this forum I initially did a lot of googling and didn't find even a close configuration. Everyone is either referring to Service Graph or L4-L7 integration, or I saw some configurations which are performed in entirely different ways, which leads to confusion and so many queries. Second, and very important: it's just a start for me in ACI :-).
This is why I am here to see all you experts.
Rgds
***
03-10-2020 03:36 PM
Hi @netbeginner ,
There may be a misunderstanding, but your questions are precisely already answered in my previous post...
- At the ACI end (leafs) we have to create the respective sub-interfaces with L3Out or the L3Out SVI feature. Not sure which is the best fit for our environment.
=> You will not use L3Out sub-interfaces when you need a Layer 2 connection between your 2 FW members. You will use the L3Out SVI feature.
- Kindly note again, we are using the firewall in "unmanaged mode", will not create or use any "service graph", and will not do "L4-L7 integration" either. It would be plain external firewall connectivity just to manage and filter East-West and North-South traffic.
=> That guide does not talk about SG or L4-L7 integration at all...
https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/
Hopefully you'll see it clearer at the second reading.
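The L3Out SVI on a vPC path that Remi's two posts (03-10-2020 04:05 AM and 03:36 PM) describe, written out as an added APIC XML example; this is not from the thread or from the linked guide. Tenant, VRF, L3 domain, vPC policy group, node IDs, VLAN and all addresses are constructed placeholders, and it covers only the Site-1 leaf pair in pod 1 (the Site-2 pair would get its own node profile and path entry, and each further firewall zone is another ext-svi path with its own encap and subnet).

```xml
<!-- Constructed example: tenant "Tenant-FW", VRF "VRF-FW", L3 domain "L3Dom-FW",
     vPC policy group "vPC-FW-Site1" on leafs 101/102 in pod 1, VLAN 100,
     10.0.100.0/24 towards the firewall (FW outside address 10.0.100.10). -->
<fvTenant name="Tenant-FW">
  <l3extOut name="L3Out-FW">
    <l3extRsEctx tnFvCtxName="VRF-FW"/>
    <l3extRsL3DomAtt tDn="uni/l3dom-L3Dom-FW"/>
    <l3extLNodeP name="NodeP-Site1">
      <!-- Both vPC leafs join the node profile; static routing only, so no
           loopbacks and no dynamic protocol towards the unmanaged FW. -->
      <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-101" rtrId="1.1.1.101" rtrIdLoopBack="no">
        <!-- Default route pointing at the active FW's address on this VLAN -->
        <ipRouteP ip="0.0.0.0/0">
          <ipNexthopP nhAddr="10.0.100.10"/>
        </ipRouteP>
      </l3extRsNodeL3OutAtt>
      <l3extRsNodeL3OutAtt tDn="topology/pod-1/node-102" rtrId="1.1.1.102" rtrIdLoopBack="no">
        <ipRouteP ip="0.0.0.0/0">
          <ipNexthopP nhAddr="10.0.100.10"/>
        </ipRouteP>
      </l3extRsNodeL3OutAtt>
      <l3extLIfP name="IfP-FW-SVI">
        <!-- ifInstT="ext-svi" (not "sub-interface") on the protected vPC path:
             one side address per leaf, plus a shared secondary address that the
             FW uses as its next hop so failover of either leaf is transparent. -->
        <l3extRsPathL3OutAtt tDn="topology/pod-1/protpaths-101-102/pathep-[vPC-FW-Site1]"
                             ifInstT="ext-svi" encap="vlan-100" mode="regular" mtu="9000">
          <l3extMember side="A" addr="10.0.100.2/24">
            <l3extIp addr="10.0.100.1/24"/>
          </l3extMember>
          <l3extMember side="B" addr="10.0.100.3/24">
            <l3extIp addr="10.0.100.1/24"/>
          </l3extMember>
        </l3extRsPathL3OutAtt>
      </l3extLIfP>
    </l3extLNodeP>
    <!-- External EPG: the 0.0.0.0/0 classifier only says what sits "behind the FW";
         contracts between this EPG and the internal EPGs still decide which
         traffic is allowed to reach the firewall at all. -->
    <l3extInstP name="ExtEPG-FW">
      <l3extSubnet ip="0.0.0.0/0" scope="import-security"/>
    </l3extInstP>
  </l3extOut>
</fvTenant>
```

The active/standby pair shares the same 10.0.100.10 on its aggregated sub-interface for VLAN 100, so the SVI and static route need no change when the standby at Site-2 takes over.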