ACI and external Firewall Cluster - Recommendation
We need a recommendation for connecting a Checkpoint Firewall Cluster to an ACI fabric. It should be a layer 3 connectivity and each Cluster member must be connected to a different leaf switch.
Between the Cluster and the ACI fabric there is a transfer network and the cluster is working in active/standby.
I noticed there are different solutions to solve this.
1. HSRP VIP on ACI side -> CP Cluster has a static route to this VIP
2. SVI on ACI side -> CP Cluster has a static route to this SVI IP address
There is no port channel between the fabric and the CP cluster. There are single connections. The CP Cluster also has a VIP configured and each physical interface has its own IP address. From the fabric there is a static route pointing to the firewall VIP.
Re: ACI and external Firewall Cluster - Recommendation
We did the setup with a CP FW cluster (Active/Standby) spanning 2 different datacenters; we do have vPCs between the CP and the leaf switches per datacenter. We configured an L3Out in the common tenant so this can be used by different tenants (on an as-needed basis).
We solved this by using SVI interfaces, meaning configuring a /28 for each vPC we have (.1 VIP CP, .2 CP1, .3 CP2, .4 LF1 [side A IP] and .5 LF2 [side B IP]).