6654 Views | 0 Helpful | 6 Replies

ACI L3Out to Firewall

Rami Younis
Level 1

Hi,

I have an issue when trying to configure an L3Out using SVI over vPC with redundant firewalls using a static route.

I cannot configure 4 IP addresses (same subnet) for two different vPC interfaces, as each firewall's uplinks should be a single PC.

Is there a best practice document from Cisco clarifying this type of connectivity, or has someone tried this type of connectivity?

Regards

Rami

6 Replies

Sergiu.Daniluk
VIP Alumni

Hi @Rami Younis

You only need 2 SVIs, one on each leaf, with a common secondary IP address used as the next hop on the firewall.

Figure 26 from the ACI L3Out whitepaper looks similar to what you have, except that only one router is connected.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-743150.html#F26

Stay safe,

Sergiu
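To make the addressing in this reply concrete, here is an added Python example (not from this thread, Cisco, or the whitepaper) that checks a vPC SVI address plan for the points discussed here (two distinct per-leaf primaries, one shared secondary in the same subnet, firewall static route pointing at the secondary) and assembles the matching APIC JSON body. The APIC class names (l3extRsPathL3OutAtt, l3extMember, l3extIp) and attribute names are my recollection of the ACI object model and are an assumption to verify against your APIC's API Inspector; all addresses are constructed sample values.

```python
import ipaddress

def check_vpc_svi_addressing(primary_a, primary_b, secondary, fw_next_hop):
    """Return a list of problems with an L3Out SVI-over-vPC address plan.
    primary_a/primary_b: per-leaf SVI addresses (CIDR); secondary: the shared
    secondary on both leaves; fw_next_hop: next hop of the firewall's static route.
    An empty list means the plan is consistent."""
    problems, ifaces = [], {}
    for name, cidr in {"primary_a": primary_a, "primary_b": primary_b,
                       "secondary": secondary}.items():
        try:
            ifaces[name] = ipaddress.ip_interface(cidr)
        except ValueError:
            problems.append(f"{name} is not a valid CIDR address: {cidr!r}")
    if problems:
        return problems
    # All three addresses have to live in the one subnet facing the firewall.
    if len({i.network for i in ifaces.values()}) != 1:
        problems.append("primary and secondary addresses must share one subnet")
    # The mistake from the thread: both leaves given the same SVI address.
    if ifaces["primary_a"].ip == ifaces["primary_b"].ip:
        problems.append("each leaf needs its own primary SVI address")
    if ifaces["secondary"].ip in (ifaces["primary_a"].ip, ifaces["primary_b"].ip):
        problems.append("the shared secondary must differ from both primaries")
    # The firewall points at the secondary, which stays up on whichever leaf is alive.
    try:
        next_hop_ok = ipaddress.ip_address(fw_next_hop) == ifaces["secondary"].ip
    except ValueError:
        next_hop_ok = False
    if not next_hop_ok:
        problems.append("firewall static route next hop should be the shared secondary")
    return problems

def build_vpc_svi_path(tdn, encap, primary_a, primary_b, secondary):
    """Assemble the APIC JSON for one SVI path on a vPC (class names assumed)."""
    problems = check_vpc_svi_addressing(primary_a, primary_b, secondary,
                                        secondary.split("/")[0])
    if problems:
        raise ValueError("; ".join(problems))
    def member(side, addr):  # one l3extMember per vPC peer, each carrying the secondary
        return {"l3extMember": {"attributes": {"side": side, "addr": addr},
                "children": [{"l3extIp": {"attributes": {"addr": secondary}}}]}}
    return {"l3extRsPathL3OutAtt": {
        "attributes": {"tDn": tdn, "ifInstT": "ext-svi", "encap": encap, "mode": "regular"},
        "children": [member("A", primary_a), member("B", primary_b)]}}
```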

Hi Sergiu,

Thank you for your help.

The issue I found in the configuration I did is that both SVIs should be the same IP addresses; when I changed this it works fine.

But I had another issue after that: I am trying to configure 2 x L3Out, each for a separate physical domain but the same VRF. Will this work? After establishing the connectivity for both L3Outs, only one is reachable from the firewall.

Regards

Rami

Hi @Rami Younis

You do not need 2x separate L3Outs. You only need one.

Check this article on how to configure an L3Out for interconnecting with Active/Standby firewalls:

https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/

Cheers,

Sergiu

Hi Sergiu,

Thank you for the reply.

I totally understand your concern.

What I have here is a requirement from the client that a group of VLANs needs to have a separate L3Out and the other group of VLANs is on another L3Out, as the firewall has two VRFs, but from the ACI side it is two domains/VLAN pools under the same VRF.

Is this scenario applicable?

Regards

Rami

Ahhhhh, I got it now.

Let's break it down to basics: you need two L3Outs because you have to separate the VRFs on the firewall. That means, on ACI, you will need to create the two L3Outs, and for communication with the firewall you will be using two distinct VLANs, one for each L3Out.

Now, from the perspective of the L3Outs, you can use the same L3 domain, pointing to a single VLAN pool which contains both VLANs used for the L3Out neighborship.

If you already have the VLANs used for the L3Out neighborship in separate VLAN pools, then sure, you can use different L3 domains without any problems.

If you have problems with the config and the communication over the L3Out does not work, share the config you have, plus check if you have any faults.

Stay safe,

Sergiu

Hi,

I have this scenario:

2 leaves connected in vPC to a Palo Alto pair (4 physical links). I have to know:

- How many IPs do I have to configure from the Palo Alto side?

- How many BGP sessions should each Palo Alto have with the leaves?

From the leaf side, I think it is enough to configure 2 SVIs (one per leaf) within the same subnet with a shared secondary IP for the L3Out. Is that correct?

Can you help me?

Thanks
