
What is the best way to create a connection between FW and ACI fabric. Need to use static routes.



On my classical network I have two switches with connections to two sets of HA pairs of firewalls (Palo). The connection is made via a subnet we call data transport; it's just a /24 network. On the switches I have an SVI for data transport and we run HSRP on this SVI. The firewalls are connected to this same subnet via trunk ports. We use static routing on the switches to route to the firewalls. The firewalls also use static routing to route to other subnets on the switches. The important detail here is that the FW uses the SVI HSRP virtual IP as the destination gateway for its static routes.


My Question is how do I configure this same setup on an ACI fabric? This is what I've done so far.

On ACI I configured an L3Out. The L3Out is using SVI trunk interfaces. I cannot use routed or sub-interfaces. The SVI interfaces will be my data transport. I have the routing working correctly, but the FW static route definitions use just the SVI interface on Leaf1. HSRP is not supported on ACI SVIs, so I have a single point of failure if Leaf1 goes down. I was thinking about adding two equal-cost routes on the FW: one for the SVI on Leaf1 and one for the SVI on Leaf2. I have not tested this yet. Is there a better way to do this?



12 Replies

Jason Williams

You could configure an L3Out on ACI using a vPC (a vPC only supports SVI). Below is how the L3Out node interface profile should be configured.


Leaf-A (Side-A)

Primary Address = IP address A

Secondary Address = IP address C

Leaf-B (Side-B)

Primary Address = IP address B

Secondary Address = IP address C

Both leaf nodes in the vPC share the same secondary IP address. For the external router, use the L3Out secondary IP address as the next-hop IP.


I can't see how a vPC connection will help me. The FW has a single internal connection to the fabric. I also think HSRP requires external switches, which I don't plan on adding between the FW and the ACI fabric.

If I understand correctly, the FW (or some external device) does connect to Leaf-1 and Leaf-2 in the fabric. Also, the end goal is to have static routes to each leaf with HA (if Leaf-1 fails then Leaf-2 can still forward traffic from the FW). 

Is this correct? If not, then please further clarify and upload a topology diagram. 

If this is correct, then you can do link aggregation on the firewall (2 links on the firewall :: 1 link to each leaf). If there are 2 firewalls, then you can have 2 vPCs (4 links total :: vPC-1 goes to FW-1 and vPC-2 goes to FW-2). Both leaf nodes in the vPC will share the same secondary IP address. No need for HSRP on ACI and no need to use the primary SVI IP for the next hop.


The firewalls are Palo Alto. FW1 has a single connection to Leaf1 and FW2 has a single connection to Leaf2. One is active and the other is standby. We don't do link aggregation on those.


Use an SVI on each side together with a common secondary address.


SVI 1: Primary IP 10.1.1.2, Secondary IP

SVI 2: Primary IP, Secondary IP

Hi Jason,


I am planning to deploy the same way you have mentioned. Also, in the configuration window there is one more field called Link Local address; what is that?

Ignore my previous question.

Initially I configured a port-channel; however, I am planning to go for a vPC. During the port-channel configuration I had to configure two logical interface profiles; however, for a vPC I believe it is going to be only one. Please correct me if I am wrong.


If we are building a vPC between two leaves, how does the fabric determine the sides (for example, leaf 1 is side A and leaf 2 is side B)?



For vPCs, you would need 1 node profile which contains both Leaf-A and Leaf-B. Inside that node profile is a single interface profile. This single interface profile can create one path for your vPC. Typically, the leaf node with the smaller node ID is the A side (e.g., node 101 and node 102 are in a vPC; node 101 is usually the side-A node).
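The two pieces of Jason's answer above (one L3Out path on a vPC whose side-A and side-B members each carry their own primary address plus one shared secondary address that the firewall uses as its next hop, and one node profile holding both leaves with a single interface profile) translate directly into the APIC object model. The script below is an added example, not configuration from anyone in this thread: it builds that L3Out as the JSON the APIC REST API accepts and then runs a small consistency check, because the failure modes here are quiet ones (a typo that gives the two sides different secondaries, or a next hop that is not on the SVI subnet) and the fabric will happily accept them. The tenant, VRF, external domain, node IDs 101/102, vPC policy group name, VLAN 100, the 10.1.1.0/24 data-transport subnet, the addresses, and the default route toward the firewall are all assumptions chosen for the illustration.

```python
"""Build and sanity-check the APIC JSON for a static-routed L3Out toward a
firewall over a vPC SVI with a shared secondary IP.

Added example for this thread, not configuration from the original posters.
Every name, node ID, VLAN, path and address below is an assumption.
"""
import ipaddress
import json

TENANT = "Prod"                     # assumed tenant
L3OUT = "L3Out-FW"                  # assumed L3Out name
VRF = "Prod-VRF"                    # assumed VRF
L3DOM = "L3Dom-FW"                  # assumed external routed domain
NODES = (101, 102)                  # assumed leaf IDs; the lower ID (101) is side A
VPC_PATH = "topology/pod-1/protpaths/101-102/pathep-[vpc_PA-FW1]"  # assumed vPC policy group
ENCAP = "vlan-100"                  # assumed data-transport VLAN
TRANSPORT = ipaddress.ip_network("10.1.1.0/24")  # assumed data-transport subnet
LEAF_A_PRIMARY = "10.1.1.2/24"      # unique per leaf
LEAF_B_PRIMARY = "10.1.1.3/24"
SHARED_SECONDARY = "10.1.1.1/24"    # same on both leaves; this is the FW's next hop
FW_DATA_IP = "10.1.1.10"            # assumed address of the active FW interface
ROUTES_VIA_FW = ("0.0.0.0/0",)      # assumed prefixes ACI reaches through the FW


def member(side, primary, secondary):
    """One vPC member: per-leaf primary plus the shared secondary (l3extIp child)."""
    return {"l3extMember": {"attributes": {"side": side, "addr": primary},
                            "children": [{"l3extIp": {"attributes": {"addr": secondary}}}]}}


def node_attachment(node_id):
    """Leaf membership in the node profile, with static routes pointing at the FW."""
    routes = [{"ipRouteP": {"attributes": {"ip": prefix},
                            "children": [{"ipNexthopP": {"attributes": {"nhAddr": FW_DATA_IP}}}]}}
              for prefix in ROUTES_VIA_FW]
    return {"l3extRsNodeL3OutAtt": {"attributes": {"tDn": f"topology/pod-1/node-{node_id}",
                                                   "rtrId": f"1.1.1.{node_id}",
                                                   "rtrIdLoopBack": "no"},
                                    "children": routes}}


def build_l3out():
    """Single node profile (both leaves), single interface profile, one vPC SVI path."""
    svi = {"l3extRsPathL3OutAtt": {
        "attributes": {"tDn": VPC_PATH, "ifInstT": "ext-svi", "encap": ENCAP,
                       "addr": "0.0.0.0", "mode": "regular", "mtu": "inherit"},
        "children": [member("A", LEAF_A_PRIMARY, SHARED_SECONDARY),
                     member("B", LEAF_B_PRIMARY, SHARED_SECONDARY)]}}
    node_profile = {"l3extLNodeP": {
        "attributes": {"name": "NodeP-FW"},
        "children": [node_attachment(n) for n in NODES]
                    + [{"l3extLIfP": {"attributes": {"name": "IfP-FW"}, "children": [svi]}}]}}
    return {"l3extOut": {
        "attributes": {"dn": f"uni/tn-{TENANT}/out-{L3OUT}", "name": L3OUT},
        "children": [
            {"l3extRsEctx": {"attributes": {"tnFvCtxName": VRF}}},
            {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{L3DOM}"}}},
            node_profile,
            # External EPG: classify everything behind the FW (narrow this in production)
            {"l3extInstP": {"attributes": {"name": "ExtEPG-FW"},
                            "children": [{"l3extSubnet": {"attributes": {
                                "ip": "0.0.0.0/0", "scope": "import-security"}}}]}},
        ]}}


def svi_members(l3out):
    """Return {side: (primary, secondary)} found in the vPC SVI path attachment."""
    out = {}
    for child in l3out["l3extOut"]["children"]:
        for ifp in child.get("l3extLNodeP", {}).get("children", []):
            for path in ifp.get("l3extLIfP", {}).get("children", []):
                for m in path.get("l3extRsPathL3OutAtt", {}).get("children", []):
                    attrs = m["l3extMember"]["attributes"]
                    secondary = m["l3extMember"]["children"][0]["l3extIp"]["attributes"]["addr"]
                    out[attrs["side"]] = (attrs["addr"], secondary)
    return out


def check_l3out(l3out):
    """Catch the mistakes that silently break HA; returns a list of problems (empty = OK)."""
    problems = []
    members = svi_members(l3out)
    if set(members) != {"A", "B"}:
        return ["vPC SVI needs exactly one side-A and one side-B member"]
    (prim_a, sec_a), (prim_b, sec_b) = members["A"], members["B"]
    if sec_a != sec_b:
        problems.append("secondary differs between sides; the FW next hop would not float")
    if prim_a == prim_b:
        problems.append("primary addresses must be unique per leaf")
    leaf_ips = {ipaddress.ip_interface(a).ip for a in (prim_a, prim_b, sec_a)}
    for ip in leaf_ips:
        if ip not in TRANSPORT:
            problems.append(f"leaf SVI address {ip} is outside the data-transport subnet")
    fw = ipaddress.ip_address(FW_DATA_IP)
    if fw in leaf_ips:
        problems.append("FW address collides with a leaf SVI address")
    if fw not in TRANSPORT:
        problems.append("static-route next hop is not on the SVI subnet")
    return problems


if __name__ == "__main__":
    cfg = build_l3out()
    print(json.dumps(cfg, indent=2))
    print("next hop for the firewall's static routes:", SHARED_SECONDARY.split("/")[0])
    print("problems:", check_l3out(cfg) or "none")
```

The JSON printed by the script is what you would POST to `https://<apic>/api/mo/uni.json` after an `aaaLogin`. On the Palo Alto side, both HA peers carry the same static routes with 10.1.1.1 (the shared secondary) as the next hop, so the active firewall, whichever leaf it hangs off, keeps forwarding if the other leaf fails; in this design there is no HSRP and nothing on the firewall needs to know which leaf owns which primary address.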


Thank you so much. It was really helpful.

I have successfully completed my L3Out.


Kinda late to the party, but I will leave the link to this article here:


It is a step-by-step guide of what the OP was asking for.

As per my knowledge, the best way is to create an *L3out* to the firewall. If you want, you can use static routes or you can use *OSPF* for the routing exchange.
