Re: ACI routing issue

islam.kamal · ‎10-20-2018

Dears

I have ACI act as l2 between distribution swithch and servers farm and load balancer. We are going to migrate HA firewalls on ACI , also change routing between distribution switch and ACI to be L3 OSPF.

My questions:-

1-After doing L3 static between FW which is gateway for servers farm and by the way ACI.L3 routing will be on same domain and same vrf , i need to redistribute these static routes to L3 ospf between ACI and distribution switch to br routed outside . I need to verif is there any need t create any new BD or EPG for HA frewalls.

Please support me to share static routes with HA fW gateway to be learned by OSPF.

islam.kamal · ‎10-21-2018

Is there any help , please?.We need to know if we have same vrf , r we need any special BD or EPG for L3OUT to "FW and Core_SW"?. We will have static route to FW to get servers farm Gateway and we need to advertise these routes to L3 OSPF which running between Core and ACI.

jose.tamayo.segarra · ‎10-23-2018

Hello,

I am having some trouble understanding your case. As I understand, ACI will be the GW for the Endpoints connected there (so far, ACI is layer2 so the GW for those subnets is elsewhere), but then you mention that the FW will be the GW for the servers, so... you think of having 2 GWs on the same subnets?

How would you expect traffic to be after migration? Here are some incomplete ideas:

Server => BD ACI => FW IP inside as GW | FW IP outside => L3 interco => ( ACI L3out to FW | ACI L3out to Core ) => L3 Interco => Core Router

Server => BD ACI => ACI BD as GW => ACI L3out to FW => L3 interco => ( FW inside | FW outside ) => ( ACI L3out to FW | ACI L3out to Core) => L3 Interco => Core Router

islam.kamal · ‎10-23-2018

Server => BD ACI => FW IP inside as GW | FW IP outside => L3 interco => ( ACI L3out to FW | ACI L3out to Core ) => L3 Interco => Core Router

yes above is the correct . How core switch will receive L3 routes of firewall?.

e.x

web_app subnet 10.x.y.z/24 which G.w is a firewall.How can i advertise 10.x.y.z/24 to l3_out OSPF between core switch and ACI?.

jose.tamayo.segarra · ‎10-24-2018

Hello,

This would seen a case for Transit Routing using OSPF, possibly using the same Border Leaf.

Some information:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_01010.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_010010.html

https://learningnetwork.cisco.com/docs/DOC-33572

So I would say that your FW needs to start speaking OSPF with ACI, announcing the subnets for which it is the GW. ACI will receive those OSPF Routes via its L3out_FW and pass them along to the Core using L3out_Core.

If you want the FW, ACI and Core to share the same OSPF Area (I guess area 0), then you need only 1 L3out for all. If you want area separation, then you need 2 L3outs. Of course, you need to setup Route Export configuration and perhaps contracts to allow Transit Routing inside the same L3out.

So, FW announces subnets over OSPF to ACI. ACI lets the routes and the traffic pass along to the Core. For the way back, FW can have just a static default route to ACI, which has also a default route to Core.

Hope this helps.