06-02-2020 07:57 PM
Greetings all,
I have a pair of Palo Alto firewalls in Active/Standby mode connected to legacy 6500 switches. ACI has a L2 link to 6500 switch with an SVI running EIGRP and advertising all networks to 6500. Also, having a static route on L2 directly pointed towards the SVI IP on 6500 as a next hop address.
When I move the standby firewall into ACI I don't want to kill the L2 link because it will be used to provide routing between 6500 and ACI for HA interfaces only and will make this firewall Active to test the configuration.
Now we have one static route pointed to newly migrated firewall on ACI via L3out. I also have an existing L2 connection with the existing Active firewall which will now be in Standby Mode. Question of the day is when the traffic would want to hit the firewall is it going to use the route directly connected on ACI or via the L2 link over the SVI with EIGRP running on it?
Thank you in advance.
06-02-2020 09:04 PM
06-03-2020 10:30 AM
Hello,
No nothing is on ACI yet both firewalls are currently connected to legacy 6500 switches. The switches are connected via L2 link to the ACI Leaf. There is a static route from Firewall pointed towards the 6500 and then from 6500 pointed towards ACI. Same goes back from ACI to 6500 there is a static route and then 6500 to Firewall. That's how the current traffic is flowing. Now we want to migrate Standby Firewall over and I am wondering that there is a static route already in ACI pointed to 6500 and now I will introduce another one which will be pointed towards this Standby Firewall. As soon as I put in this new Standby Firewall static route which will now be directly connected even though it is Standby, ill it start sending traffic to this link which is not servicing request? Hope this made it easier. Open to questions and appreciate your time in this.
06-03-2020 12:16 PM
Also forgot to add that all the SVI's currently reside in ACI and they all can communicate to each other because they all have been dropped in the Common Tennant VRF. The traffic I was referring to is the traffic from ACI since everything has been migrated over to ACI and this is the last piece of firewall pairs left for internet and DMZ access.
06-04-2020 06:43 PM
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide