We've got 2 ACI fabrics (not linked) and are now nearing the end of the migration of services from our old Cat6500 DC switches to ACI. One ACI fabric is in our main DC, the second is in other backup DC (although a couple of live servers do run there; so it's not truly active:standby or active:active).
One of the remaining things to move over to ACI are some firewalls, and trying to get my head around how to do it is causing me a lot of pain! I'd be grateful for any help.
We have 2x firewalls in a HA pair at the main DC, and a second HA pair at the backup DC. The internal interfaces of the firewall's are configured with addresses in a /28 range (a separate range for each site) and use OSPF in broadcast mode. The internal interfaces connect to Cat6500's. The interfaces on the 6500 are access ports with an SVI acting as the gateway for the /28. This /28 is advertised into OSPF.
ACI has a single L3out with a single Logical Interface Profile containing 2x routed interfaces to WAN router A, 2x routed interfaces to WAN router B, 1x routed interface to 6500 A and 1x routed interface to 6500 B. As they are all in the same Logical Interface Profile they therefore all use the same OSPF policy (Point-to-Point, no authentication, standard timers). L3out interfaces to the 6500's will be removed once all devices are migrated.
To get the firewalls connected I need to start with the usual interface policies, policy groups and profiles. These will then be access ports and be added to the appropriate switch profile.
Next step is where I am getting myself confused.....
I want to get the firewalls to form an OSPF adjacency with ACI. If I was connecting a server now I would go to the appropriate EPG (or create one if needed) and add the static port. Is that the right action here? My gut says no as I don't think the Bridge Domain linked to the EPG will form an OSPF adjacency with ACI.
So process of elimination says I go to the L3Out and add the SVI. Is that right? As the current Logical Interface Profile uses OSPF in Point-to-Point I'll need to create another under the same Logical Node Profile which uses an new OSPF profile set for broadcast.
I've spent the last 3 hours searching the web and reading articles but am yet to find anything which really goes into detail of using L3out with SVI's. I may be well off the mark here with my thoughts, but if anyone can advise or point me at a white paper I'd be grateful.
Thanks in advance,
A new l3out connection would either have to be deployed in an existing l3out as a new path in the logical interface profile or it would have to be deployed as a new logical interface profile in a new l3out.
I would just think about it from the perspective of policy and data flow. Should traffic come in from the firewall and be routed out the WAN l3out (transit routing)? If this is the case then use a new l3out so that you can apply policy between external epgs. Should each external connection have different policy? Use a different l3out.
Thanks for this. A follow-up question if I may (and sorry if this sounds simplistic.....)
As the network is a /28, the SVI on current 6500's is acting as the gateway. If we move the SVI to the L3out in ACI, would it still function as a gateway or would we need to create a bridge domain to do this? And if so, presumably we can't reuse the same IP address so would need to use one address in the L3out and one in the BD?
I wouldn't recommend using an L3out address as a gw. You open yourself up to a lot of unsupported configs. I would recommend moving the gateway into ACI. And you are right, you can't have external EPG subnet and BD subnet overlap.
Have you tried this:
Configure the SVI in ACI BD, build OSPF in L3out. and then assign the firewall interface into an EPG that's in the same bridge domain as the SVI.
That way your firewall will hit ACI SVI for routing and still have an OSPF between the firewall and ACI ?
I might try to lab this out, it's an interesting one. I don't usually do OSPF between firewall and routers.
When you say "Configure the SVI in ACI BD", is that adding a Subnet in L3 Configurations?
If so, how can this be used to form the OSPF adjacency to the ASA? I can't see how to link it to L3out in the Logical Interface Profile (although I may have misunderstood!).
Can you not use a different subnet for the OSPF between ACI and your firewall since that's a new connection ?
I tried this in the lab, it's not possible to use the same SVI in both BD and L3out profile, only one SVI will be deployed to the leaf switch and as Joseph mentioned, using SVI as gateway for servers in L3out is not recommended though do-able. ( This is actually also a solution to avoid stale IP entries in ACI, but that's entirely a different conversation )
Edit: what about slicing up the /28 into 2 x /29 ?