Showing results for 
Search instead for 
Did you mean: 

ACI L4-L7 PBR Second IP?

Hi community,

I'm integrating a CheckPoint ClusterXL HA (Active/Standby) to ACI for a client, using PBR Unmanaged Mode to redirect traffic to the CheckPoint. The CheckPoint will be connected to the ACI via two vPC - one for each unit, logically "One-armed" model.

It is a little bit different from other firewall Active/Standby setup. Usually when failover happens, the Standby Unit takes over the IP and MAC address of the previously Active Unit. Hence, the normal L4-L7 Redirect Policy configuration only needs to use one IP and one MAC address.

Here we got a Cluster IP (virtual IP) which is associated with the burned-in MAC of the Active Unit's pNIC. So whenever failover happens, the Standby (now-Active) sends GARP and re-associate that Cluster vIP to its pNIC's MAC.

So I got a few questions:

1. For the BD used for connecting to the PBR nodes, do I have to enable ARP Flooding?

- As far as I know, normally we don't need to enable ARP Flooding for A/S Firewall setup since there's only one active IP-MAC

- For CheckPoint, the IP that matters is associated with different MAC depending on whichever unit is active.

2. For the L4-L7 Redirect Policy (as per below image), does the Second IP means the virtual IP of the PBR node? (for use in this case, or cases where there's a Floating IP like LB or Active/Active Firewall setup)

Also, CheckPoint has a configuration to associate the Cluster vIP with a vMAC, which my client is not using since changing to it would affect production. If it was used then this case would've been solved (since ACI would only have to care about 1 IP-MAC association for PBR). I've heard winds of it being notoriously bad, but that's other people's claim and not really relevant to my question here.

Thanks in advance for any responses.



Cisco Employee

Re: ACI L4-L7 PBR Second IP?

Hi @tuanquangnguyen ,

No, the PBR feature requires the Active/Passive FW to use the same MAC address when failing over.

ARP Flooding will not help here.

The "Second IP" feature and multiple destination in the Redirect Policy is also not relevant here while it is used in Active/Active scenario for health monitoring the PBR devices.

If using your Checkpoint in A/P in PBR, you must modify it to use vMAC.


Remi Astruc
CreatePlease to create content
Content for Community-Ad

Cisco COVID-19 Survey