Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
Bookmark
|
Subscribe
|
9877
Views
15
Helpful
12
Replies

What is the best way to create a connection between FW and ACI fabric. Need to use static routes.

jgesualdi
Level 1
Level 1

‎06-30-2017 03:34 PM - edited ‎03-01-2019 05:16 AM

 

On my classical network I have two switches with  connections to 2 sets of HA Pair of firewalls( Palo)  The connection is made via a subnet we can data transport, It's just a /24 network. On the switches I have an SVI for data transport and we run HSRP on this SVI. The firewalls are connected to this same subnet via trunk ports.  We use static routing on the switches to route to the firewalls. The firewalls also use static routing to route to other subnets on the switches. The important detail here is the FW uses the SVI HSRP virtual IP as the destination gateway for it's static routes. 

 

My Question is how do I configure this same setup on an ACI fabric? This is what I've done so far.

On ACI I configured an l3out. The l3out is using SVI Trunk  interfaces. I cannot use routed or sub interface. The SVI interfaces will be my data transport.  I have the routing working correctly but the FW static routes definitions use just the SVI interface on Leaf1.  HSRP is not supported on ACI SVI so I have a single point of failure if leaf1 goes down. I was thinking about adding two equal costs routes on the fw. One for  SVI leaf1 and one for SVI leaf2. I have not tested this yet.  Is there a better way to do this?

 

Thanks.

Labels:
0 Helpful
12 Replies 12

Jason Williams
Level 1
Level 1

‎06-30-2017 03:47 PM

You could configure an L3 out on ACI using VPC (VPC only supports SVI). Below is how the L3 out node interface profile should be configured. 

VPC

Leaf-A (Side-A)

Primary Address = IP address A

Secondary Address = IP address C

Leaf-B (Side-B)

Primary Address = IP address B

Secondary Address = IP address C

Both leaf nodes in the VPC share the same secondary IP address. For the external router, use the L3 out secondary IP address as the next hop IP. 

Jason

jgesualdi
Level 1
Level 1
In response to Jason Williams

‎06-30-2017 04:03 PM

I cant see how a VPC connection will help me. The FW has a single internal connection to the fabric. I also think HSRP requires external switches which I don't plan on adding between the FW and the ACI fabric.

0 Helpful

Jason Williams
Level 1
Level 1
In response to jgesualdi

‎06-30-2017 04:10 PM

If I understand correctly, the FW (or some external device) does connect to Leaf-1 and Leaf-2 in the fabric. Also, the end goal is to have static routes to each leaf with HA (if Leaf-1 fails then Leaf-2 can still forward traffic from the FW). 

Is this correct? If not, then please further clarify and upload a topology diagram. 

If this is correct, then you can do link aggregation on the firewall (2 links on the firewall :: 1 link to each leaf). If there are 2 firewalls, then you can have 2 VPCs (4 links total :: VPC-1 goes to FW-1 and VPC 2 goes to FW-2). Both leaf nodes in the VPC will share the same secondary IP address. No need for HSRP on ACI and no need to use the primary SVI IP for the next hop. 

Jason

0 Helpful

jgesualdi
Level 1
Level 1
In response to Jason Williams

‎06-30-2017 07:54 PM

The Firewalls are Palo Alto. FW1 has a single  connection to leaf1 and FW2 has a single  connection to leaf2. One is active and the other s standby, We don't do link aggregation on those.

0 Helpful

jorgensor
Level 1
Level 1
In response to jgesualdi

‎08-17-2017 11:16 AM

Hi,

use a SVI on each side together with a common secondary address.

Example:

SVI 1: Primary IP 10.1.1 2, Secondary IP 10.1.1.1

SVI 2: Primary IP 10.1.1.3, Secondary IP 10.1.1.1

0 Helpful

Hemakumar Sampath
Level 1
Level 1
In response to Jason Williams

‎10-05-2017 03:22 AM

Hi Jason,

 

I am planning to depoly the same way you have mentioned.. Between in the configuration window there is also one more field called Link Local address what is that..

Capture.JPG
Preview file
38 KB
0 Helpful

Hemakumar Sampath
Level 1
Level 1
In response to Hemakumar Sampath

‎10-05-2017 03:54 AM

Ignore my previous question......

0 Helpful

Hemakumar Sampath
Level 1
Level 1
In response to Jason Williams

‎10-05-2017 04:05 AM

Initially i configured Port-channel however i am planning to go for VPC, During Port-channel configuration i had to configure two Logical Interface profiles, however for VPC i believe it is going to be only one.. Please correct me if i am wrong.

 

If we are building VPC between two Leaf.. How the facbric is determining ( For example leaf 1 is site A and leaf 2 is site B )

 

0 Helpful

Jason Williams
Level 1
Level 1
In response to Hemakumar Sampath

‎10-05-2017 11:05 AM

Hemakumar, 

For VPCs, you would need 1 node profile which contains both Leaf-A and Leaf-B. Inside that leaf profile is a single interface profile. This single interface profile can create one path for your VPC. Typically, the leaf node with the smaller node ID is the A side (e.g., node 101 and node 102 are in a VPC. Node 101 is usually the side-A node). 

-JW

Hemakumar Sampath
Level 1
Level 1
In response to Jason Williams

‎10-06-2017 05:12 AM

Thank you So much.. It was really helpfull..

I have successfully completed my L3 out....

josedelpino
Level 1
Level 1

‎09-18-2019 06:19 PM

Kinda late to the party, but I will leave the link to this article here: 

https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/

 

Is a step by step guide of what the OP was asking for. 

0 Helpful

chathurangaj@kbsl.lk
Level 1
Level 1
In response to josedelpino

‎09-18-2019 08:36 PM

as per my knowledge best way is create *L3out* to the firewall. if you want
you can use static routes or you can use *OSPF* for the routing exchange.
0 Helpful

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License

Top