Solved: Re: Multipod L3out with ASAs failover

Antonio Macia · ‎01-11-2020

Hi there,

I need to connect a pair of ASAs in failover mode to two pods. Then configure the firewalls as a L3Out using static routes. At each pod, each failover member will use a VPC in trunk mode.

The trunk will carry the ASA "outside" VLAN (100) used as a next-hop for ACI in the L3Out. In this sense, I will configure two different SVI interface profile for the L3Out (one per pod path) and match the outside ASA VLAN in the encapsulation (100).

My question is, in order to let the ASA outside interfaces see each other, the encapsulation scope should be set to VRF? Per my understanding, ACI should create kind of bridge domain between both interface profiles using the same encapsulation VLAN, right?

Thanks.

richmond · ‎01-12-2020

Encap Scope of Local will work if it is within the same L3Out.

You only need to use VRF scope if you want to have the L2 domain span between L3Outs. See here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L3_config/b_Cisco_APIC_Layer_3_Configuration_Guide/b_Cisco_APIC_Layer_3_Configuration_Guide_chapter_01010.html

View solution in original post

richmond · ‎01-12-2020

Encap Scope of Local will work if it is within the same L3Out.

You only need to use VRF scope if you want to have the L2 domain span between L3Outs. See here: https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L3_config/b_Cisco_APIC_Layer_3_Configuration_Guide/b_Cisco_APIC_Layer_3_Configuration_Guide_chapter_01010.html