Re: vpc static port mapping

Monsinka · ‎02-23-2026

helle , i have ACI operating as pure Layer 2 and the servers’ default gateway is on the firewall. The firewall is connected to two ACI leafs using a vPC that is already configured for an L3Out (SVI + vPC).

Do I need to use that same firewall vPC to carry the Layer 2 VLANs of the servers so they can reach their gateway on the firewall? or i create a seperate vpc

balaji.bandi · ‎02-23-2026

In an ACI design where the Firewall acts as the Default Gateway (L2-only ACI), the VPC used for the L3Out is logically distinct from the VPCs used for your servers.

You do not use the same VPC (Interface Selector) for your servers that you used for your Firewall L3Out.

i believe you may need separate for each Server vPC group.

BB

=====️ Preenayamo Vasudevam ️=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Monsinka · ‎02-23-2026

hello , I have modified my previous problem description because it was a bit misleading.

HaiCa · ‎02-26-2026

As my understanding, your logical topology may look like attached image:

If you WANT TO use the same physical interfaces/same vPC, so yes, you need to static binding the corresponding VLAN - that mapping with Server/LB/Storage subnet - in EPG that Server/LB/Storage belonging to.

You may think to configure an other vPC for Server/LB/Storage's gateway, like inside zone. Then the vPC configure as L3Out will be in outside zone.

Best regards!

ankushtayade · ‎03-22-2026

This is a very common scenario today, especially with the increasing adoption of ACI in enterprise networks. I have written a detailed practical post on Layer 2 bridging—please take a look and let me know if you have any questions.

Cisco ACI: FortiGate as Gateway with Servers Behind ACI(L2)