Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1185
Views
0
Helpful
0
Replies

Static Routes spread over ACI leafs

Mario Rosi
Level 1
Level 1

‎06-27-2017 07:06 AM - edited ‎03-01-2019 05:16 AM

Hi,

i'm going in a while to approach the study of a "Grownfield to ACI Greenfield" migration process for a customer.

Among the many aspects to be analysed, one of them is the following one:

- at the moment the customer has a classical double-side vPC configuration among many access switches (ToR) and a couple of Nexus 7010 that are working as L2/L3 demarcation line between the L2 world at access layer and the L3 one towards external devices for internet access or Intranet access.

- the routing is done via static routes configured on the couple of N7010 that represent the default gateway for access endpoint (HSRP on each subnet) and the themselves are pointing to FW connected to them as next hop by static routes to exit to external world.

My question is concerning the static routes impementation: considering that along the migration Path, the ACI DC will be for a while interconnected via L2Out to the Brownfield stretching all the VLANs over the ACI infrastructure, the steps of migration that I've in mind should be:

1) Migrate the VMs over the new hosts connected to ACI Leafs leaving the FWs connected to the Brownfield DC and the default gateway for them still on HSRP configured on N7010. That means that traffic will be crossing East & West the L2Out channel between the legacy and ACI DCs before leaving the DC via the old path towards the external world

2) Migrate the FWs on the Service POD on ACI infrastructure taking profit of the HA due to dual presence of FWs (moving before the standby one and then the Active one - the keepalive sync between FWs will be crossing the L2Out connection in band on the proper VLAN). Again traffic will be crossing the L2Out due to FWs presence in ACI side and default gateway on legacy DC

3) Migrate the default gateway from N7010 (removing the HSRP subnet by subnet) to ACI introducing the "IP anycast default gateway" on Leafs. The traffic will be exiting from DC still using the old connection between N7010 and the external world (not yet migrated to ACI Border Leafs)

My question is concerning the 3rd step:

Since the N7010 have already routing (via static routes) in place, in the legacy DC, once the traffic coming from a VM, wants to exit from DC (North-South traffic), it reaches the HSRP VIP as default gateway configured on N7010, then they have static routes pointing to Inside FW interface, the FW has a static route pointing to Next Hop direct connected to Outside subnet and that's it... viceversa, static routes on the opposite direction.

Now, i've to move the default gateway on Leafs introducing the "IP anycast gateway"; i should have already prepared the static routes (the identical ones of N7010 VLAN by VLAN) on Leafs that forward traffic towards the Inside FW interface seen from ACI as L3Out connection and that should be done on all the Leafs that have the EPG/BD relate to the subnet/VLAN we are going to migrate step by step.

Is this the right process?  
Have i correctly understood how should manage the FWs through L3Out connections based on a "Network Centric paradigm" once i have to use static routes?

Any your contribution will be really appreciated.
Mario

Labels:
0 Helpful
0 Replies 0
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License