Hi,

I make the following configuration on the L3OUT. In each VPC I configured the same SVI, and the same addressing, additional I configured static route (default) pointing to the Firewall.

I have no way now to test the FW switch, but I would like to know if this is the best way to configure in this scenario.

Yes. Looks good. And I believe on the firewall, you have the next hop the secondary IP cfg of the ACI, right?

Regards,

Sergiu

Hello,

please, if are using OSPF between firewall and leaf, is it same solution? 

no, it is static routing

Yeah that's right

1) I know it's static route, but in case we use dynamic routing (ospf) could we follow same configuration here without default route next hope VIP of the firewall?

2) this solution support only SVI interface?

if you connect the FW in VPC, this means you need to configure SVIs on ACI.

If you use OSPF, then the routing protocol will take care of the next hop ^_^

Stay safe,

Sergiu

thanks for your response, 

what is the best practice design in this case (l3out FW ha failover ) , 

- two link from each fw to leaf switch using svi  vpc 

or

- two link from each fw to leaf switch using routed interface

or

sub interface

?

As usual, it depends. It depends on your setup / tenant(s) design / routing protocol etc. I would suggest to read the L3Out whitepaper where you will find out about pros vs cons of different l3out designs and you can choose one based on your setup:

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html 

Stay safe,

Sergiu

Hi Oscar 

did this config work. I am working on ACI and F5 which is also active standby. I am not sure about the same IP address for both the active and standby units