11679 Views | 15 Helpful | 13 Replies

What is the best way to create a connection between FW and ACI fabric. Need to use static routes.

jgesualdi
Frequent Visitor


On my classical network I have two switches with connections to two sets of HA pairs of firewalls (Palo). The connection is made via a subnet we call data transport; it's just a /24 network. On the switches I have an SVI for data transport and we run HSRP on this SVI. The firewalls are connected to this same subnet via trunk ports. We use static routing on the switches to route to the firewalls. The firewalls also use static routing to route to other subnets on the switches. The important detail here is that the FW uses the SVI HSRP virtual IP as the destination gateway for its static routes.


My question is how do I configure this same setup on an ACI fabric? This is what I've done so far.

On ACI I configured an L3Out. The L3Out is using SVI trunk interfaces. I cannot use routed or sub-interfaces. The SVI interfaces will be my data transport. I have the routing working correctly, but the FW static route definitions use just the SVI interface on Leaf1. HSRP is not supported on ACI SVIs, so I have a single point of failure if Leaf1 goes down. I was thinking about adding two equal-cost routes on the FW: one for the SVI on Leaf1 and one for the SVI on Leaf2. I have not tested this yet. Is there a better way to do this?


Thanks.

13 Replies

Jason Williams
Level 8

You could configure an L3 out on ACI using VPC (VPC only supports SVI). Below is how the L3 out node interface profile should be configured. 

VPC

Leaf-A (Side-A)

Primary Address = IP address A

Secondary Address = IP address C

Leaf-B (Side-B)

Primary Address = IP address B

Secondary Address = IP address C

Both leaf nodes in the VPC share the same secondary IP address. For the external router, use the L3 out secondary IP address as the next hop IP. 

Jason

I can't see how a vPC connection will help me. The FW has a single internal connection to the fabric. I also think HSRP requires external switches, which I don't plan on adding between the FW and the ACI fabric.

If I understand correctly, the FW (or some external device) does connect to Leaf-1 and Leaf-2 in the fabric. Also, the end goal is to have static routes to each leaf with HA (if Leaf-1 fails then Leaf-2 can still forward traffic from the FW). 

Is this correct? If not, then please further clarify and upload a topology diagram. 

If this is correct, then you can do link aggregation on the firewall (2 links on the firewall :: 1 link to each leaf). If there are 2 firewalls, then you can have 2 VPCs (4 links total :: VPC-1 goes to FW-1 and VPC 2 goes to FW-2). Both leaf nodes in the VPC will share the same secondary IP address. No need for HSRP on ACI and no need to use the primary SVI IP for the next hop. 

Jason

The firewalls are Palo Alto. FW1 has a single connection to Leaf1 and FW2 has a single connection to Leaf2. One is active and the other is standby. We don't do link aggregation on those.

Hi,

use an SVI on each side together with a common secondary address.

Example:

SVI 1: Primary IP 10.1.1.2, Secondary IP 10.1.1.1

SVI 2: Primary IP 10.1.1.3, Secondary IP 10.1.1.1
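The shared-secondary pattern from the two replies above, as an added example that is not part of this thread: a consistency check for the per-leaf primary/shared secondary addressing (it flags the single point of failure the OP described, where the FW next hop is one leaf's primary SVI IP), plus a builder for the APIC-style JSON of the vPC SVI path. The object names `l3extRsPathL3OutAtt`, `l3extMember` and `l3extIp`, the vPC path DN and the VLAN are assumptions; the IPs are the ones from the example above.

```python
import ipaddress
import json

# Constructed values taken from the thread's example: two leaf SVIs with
# distinct primary IPs and one shared secondary IP that the firewall uses
# as its static-route next hop.
LEAF_A_PRIMARY = "10.1.1.2/24"
LEAF_B_PRIMARY = "10.1.1.3/24"
SHARED_SECONDARY = "10.1.1.1/24"
FW_NEXT_HOP = "10.1.1.1"
# Assumed vPC path DN and encap VLAN; replace with the real values in your fabric.
VPC_PATH_TDN = "topology/pod-1/protpaths-101-102/pathep-[FW_vPC_IPG]"
SVI_VLAN = 100


def validate_vpc_svi_addressing(side_a, side_b, secondary, fw_next_hop):
    """Return a list of problems; an empty list means the design is consistent."""
    problems = []
    a, b, s = (ipaddress.ip_interface(x) for x in (side_a, side_b, secondary))
    nh = ipaddress.ip_address(fw_next_hop)
    if not (a.network == b.network == s.network):
        problems.append("primary and secondary addresses are not in one subnet")
    if a.ip == b.ip:
        problems.append("both leaves use the same primary IP")
    if s.ip in (a.ip, b.ip):
        problems.append("secondary IP collides with a leaf primary IP")
    if nh in (a.ip, b.ip):
        problems.append("firewall next hop is a per-leaf primary: single point of failure")
    elif nh != s.ip:
        problems.append("firewall next hop is not the shared secondary IP")
    return problems


def build_vpc_svi_path(path_tdn, vlan, side_a, side_b, secondary):
    """Build the APIC-style JSON for one vPC SVI path of an L3Out interface
    profile (assumed classes: l3extRsPathL3OutAtt, l3extMember side A/B,
    l3extIp for the secondary address carried by both members)."""
    members = [
        {"l3extMember": {
            "attributes": {"side": side, "addr": primary},
            "children": [{"l3extIp": {"attributes": {"addr": secondary}}}]}}
        for side, primary in (("A", side_a), ("B", side_b))
    ]
    return {"l3extRsPathL3OutAtt": {
        "attributes": {"tDn": path_tdn, "ifInstT": "ext-svi",
                       "encap": f"vlan-{vlan}", "addr": "0.0.0.0"},
        "children": members}}


if __name__ == "__main__":
    issues = validate_vpc_svi_addressing(LEAF_A_PRIMARY, LEAF_B_PRIMARY,
                                         SHARED_SECONDARY, FW_NEXT_HOP)
    print("issues:", issues or "none")
    print(json.dumps(build_vpc_svi_path(VPC_PATH_TDN, SVI_VLAN, LEAF_A_PRIMARY,
                                        LEAF_B_PRIMARY, SHARED_SECONDARY), indent=2))
```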

Hi Jason,


I am planning to deploy it the same way you have mentioned. By the way, in the configuration window there is also one more field called Link Local Address. What is that?

Ignore my previous question......

Initially I configured a port-channel; however, I am planning to go for a vPC. During the port-channel configuration I had to configure two logical interface profiles; however, for a vPC I believe it is going to be only one. Please correct me if I am wrong.


If we are building a vPC between two leaves, how does the fabric determine the sides (for example, leaf 1 is side A and leaf 2 is side B)?


Hemakumar, 

For VPCs, you would need 1 node profile which contains both Leaf-A and Leaf-B. Inside that leaf profile is a single interface profile. This single interface profile can create one path for your VPC. Typically, the leaf node with the smaller node ID is the A side (e.g., node 101 and node 102 are in a VPC. Node 101 is usually the side-A node). 

-JW

Thank you so much. It was really helpful.

I have successfully completed my L3 out....

josedelpino
Level 2

Kinda late to the party, but I will leave the link to this article here: 

https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/


It is a step-by-step guide to what the OP was asking for.

As per my knowledge, the best way is to create an *L3out* to the firewall. If you want, you can use static routes or you can use *OSPF* for the routing exchange.

titusroz03
Level 4

@Jason Williams chathurangaj@kbsl.lk I came across this posting and I want to revive this post, since I have the same kind of requirement. Please excuse me.

We are planning for migration from MPLS to SDWAN, for this we are replacing the MPLS routers with a Fortigate firewall.

This is our current setup, where we have MPLS in place:

(diagram attached: current MPLS setup)

And for the planned SD-WAN setup we are moving the same connectivity behind a cluster firewall with a vPC setup, like below:

(diagram attached: planned SD-WAN setup with vPC)

I am listing the steps I am planning; please correct me if I am missing anything.

1. I will use the same AAEP used in the existing single link and create a new port-channel policy for bundling the planned physical links. In this PC policy, what are the parameters which I need to check? Only LACP?

2. Now I will combine the AAEP and this port-channel policy in a vPC interface policy group. I will create separate vPC interface policy groups for 1/45 and 1/46.

3. I will create an interface profile for this and add the access port selectors and map those to the created vPC policy groups separately for 1/45 and 1/46.

4. I already have a vPC switch profile for LF01 and LF02, since there are many vPCs existing in Leaf 01 and 02 and those are called under this vPC switch profile, so I will create this vPC interface profile under the same.

5. I will call out this vPC policy in the existing L3Out where my SVI is created under the primary and secondary node profiles, but instead of IP address 10.231.255.134 in the secondary node's SVI I will put the same 10.231.255.129, since the external device is a cluster firewall and not standalone. Please correct me: is this design correct or wrong?

In this setup, my thought process is that I can achieve resiliency without any issues, but if you see any cons kindly let me know. I have called out this L3Out in all the BDs which need to be externally advertised, and in the L3Out's external EPGs I have allowed 0.0.0.0/0 for External Subnet for External EPG with a common contract in place, and for exporting the ACI subnets I use the route control profile. Do I need to make or ensure any changes in this for this migration?
