Hi Guys,

 I have 2 questions about Act/Stby Fw and L3 Out static routing (SVI) . Assume that my ACI fabric's default gateway is on FW. So if packet needs to leave ACI fabric ,  it must  go to the FW.

1) If Firewall pairs are connected to  different switch pairs , I need to write static route on Leaf101-Leaf102 and Leaf103-Leaf104.
But I guess that other leaf switches see 0.0.0.0/0 MP-BGP route over to the  that Leaf101-Leaf102-Leaf103-Leaf104.  Am I wrong ? Doesn't it cause blackhole ? How can we handle this problem ?   How can we make traffic go over to the only active firewall?

2) If my A/S fw pairs are connected to same vpc pair switches. I write static route to the FW Virtual IP and Leaf101-102 advertise 0.0.0.0/0 route to the rest of fabric. There is no problem about blackholing in this scenario because A/P firewalls are in the same vpc pair switches and Active FW can be found by ARP table.

 My question come into play now ,  if Active FW's one port would be down on Leaf101 , wouldn't occur blackhole in Leaf101? Because Leaf 101 still advertise 0.0.0.0 to the rest of fabric . If I use Auto State enabled , it wouldnt fixed it because in Leaf101 there is Passive FWs port. So SVI couldn't be down status.

 

 To sum up , Am I wrong in my ideas? Could you clarify me about my concerns