I am experiencing a very strange configuration on ACI.
Please have a look at the topology as below:
We have 4 ASAs, which are configured in two clusters.
Each firewall has a port-channel 1 that will be configured with a sub-interface for each subnet (each EPG).
On ACI, I configured two unmanaged clustered devices, one is INT-FW, the other is SRV-FW.
On the firewalls, I configure sub-interfaces as normal.
The strange thing is about the configuration of INT-FW inside interface and SRV-FW outside interface on ACI.
If, on ACI, I configure the inside and outside interface with the same VLAN encap, the connection between INT-FW and SRV-FW fails (cannot ping between x.x.10.1 and x.x.10.10 and no packet is transferred between them). However, if the configured VLAN encaps on the inside interface and outside interface are different, the ping succeeds (the sub-interface on the FW config is still in the same VLAN).
I have opened a case for this issue but it seems there are not many ACI experts.
By default the switch will consider a VLAN ID to map to a given EPG on the whole leaf (within a given Physical Domain), which is called Global scope. In that case, the 2 EPGs representing Inside and Outside probably conflict, with faults raised.
Check the Leaf Access Port Policy that you use for the FW ports and note the L2 Interface Policy field. Check the corresponding Interface Policy to see its VLAN Scope. If it is set to Global scope, try to set it to Port Local scope. That gives the VLAN ID port-local significance.
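To make the Global vs. Port Local distinction concrete, here is a small added example (my own code, not something from this thread or from Cisco) that models the uniqueness domain of a VLAN encap under each scope and reports where two EPGs claim the same encap. The leaf, interface and EPG names are assumptions constructed to mirror the poster's setup (INT-FW inside and SRV-FW outside on the same leaf, same encap); the model is deliberately simplified and ignores vPC and port-group rules.

```python
"""Simplified model of ACI VLAN-scope semantics.

Added example; not code from the original thread or from Cisco.
Under Global scope a VLAN encap may belong to only one EPG per leaf
(within a physical domain).  Under Port Local scope the mapping is per
(leaf, interface), so the same encap can back different EPGs on
different ports of the same leaf.  Leaf/port/EPG names are assumptions.
"""
from collections import defaultdict

# Constructed sample bindings: (leaf, interface, vlan_encap, epg).
# INT-FW inside and SRV-FW outside share encap 10 on the same leaf,
# which is the situation the poster describes.
BINDINGS = [
    ("leaf-101", "eth1/1", 10, "INT-FW-inside"),
    ("leaf-101", "eth1/2", 10, "SRV-FW-outside"),
    ("leaf-101", "eth1/3", 20, "SRV-FW-inside"),
]

# Same topology, but with the poster's second workaround applied:
# distinct encaps on the two EPGs.
BINDINGS_DISTINCT_ENCAP = [
    ("leaf-101", "eth1/1", 10, "INT-FW-inside"),
    ("leaf-101", "eth1/2", 11, "SRV-FW-outside"),
    ("leaf-101", "eth1/3", 20, "SRV-FW-inside"),
]


def find_encap_conflicts(bindings, scope):
    """Return conflicts as a sorted list of (domain_key, vlan, [epgs]).

    scope == "global":    domain_key is (leaf,)        -> one EPG per encap per leaf
    scope == "portlocal": domain_key is (leaf, intf)   -> one EPG per encap per port
    A conflict is any domain/encap pair claimed by more than one EPG.
    """
    if scope not in ("global", "portlocal"):
        raise ValueError(f"unknown VLAN scope: {scope!r}")

    epgs_by_domain = defaultdict(set)
    for leaf, intf, vlan, epg in bindings:
        domain_key = (leaf,) if scope == "global" else (leaf, intf)
        epgs_by_domain[(domain_key, vlan)].add(epg)

    return sorted(
        (domain_key, vlan, sorted(epgs))
        for (domain_key, vlan), epgs in epgs_by_domain.items()
        if len(epgs) > 1
    )


def explain(bindings, scope):
    """Human-readable summary of what the fabric would accept."""
    conflicts = find_encap_conflicts(bindings, scope)
    if not conflicts:
        return f"{scope}: no encap conflicts, all EPGs can be deployed"
    lines = [f"{scope}: {len(conflicts)} conflicting encap(s)"]
    for domain_key, vlan, epgs in conflicts:
        where = "/".join(domain_key)
        lines.append(f"  vlan-{vlan} on {where} claimed by {', '.join(epgs)}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Same encap, Global scope: the two firewall EPGs collide on leaf-101.
    print(explain(BINDINGS, "global"))
    # Same encap, Port Local scope: each port is its own domain, no collision.
    print(explain(BINDINGS, "portlocal"))
    # Distinct encaps, Global scope: the poster's other observed workaround.
    print(explain(BINDINGS_DISTINCT_ENCAP, "global"))
```

Run it directly to see the three cases side by side: only the first one (same encap, Global scope) reports a conflict, which matches the failing ping in the question, while switching the L2 Interface Policy to Port Local or giving the two EPGs different encaps both clear it.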