Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5547
Views
5
Helpful
5
Replies

Cisco ACI connectivity to Palo Alto Firwall Active/Standby mode

Go to solution
Shahin901
Level 1
Level 1

‎07-01-2018 07:09 PM - edited ‎03-01-2019 05:35 AM

Hi,

 

I am designing ACI connectivity to Palo Alto firewall in Active/Standby  mode. Just have few queries -

 

1. will it be possible to create vPC to each Firewall and have an L3Out to each?

2. Is there any white paper regarding the connectivity to the active/standby firewall without L4 to L7 integration to ACI? 

 

regards,

 

Shahin

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Manuel Velasco
Cisco Employee
Cisco Employee
In response to Shahin901

‎07-05-2018 09:17 AM

Hi Shahin,

 

In this particular scenario you can create a second VPC SVI and assign the same IPs as the first VPC.  Note that since you have an active/stanby FW setup, only the active FW should respond to ARP so the fabric would know to which FW if you forward the traffic.

 

2VPCs.JPG

View solution in original post

Preview file
34 KB
5 Replies 5

Go to solution
Manuel Velasco
Cisco Employee
Cisco Employee

‎07-03-2018 08:42 AM

Hi Shahin,

 

1) Technically yes, you can have a VPC to each FW to two leaf nodes on its own L3OUT. My question is why couldn’t you have both FWs VPC to your border leaf nodes on the same L3Out? 

 

2) I don’t know of any specific white paper, but in this scenario you can configure the l3out as if you were configuring it to any external router. 

0 Helpful

Go to solution
Shahin901
Level 1
Level 1
In response to Manuel Velasco

‎07-03-2018 11:40 PM

Hi Manuel,

 

Thank you for your reply.

Have you done vPC to Active/Standby to Firewall pair and have L3out to those Firewalls?

In my scenario the Firewalls are in active/standby mode. Once the active firewall fails the secondary will take on that IP address. Now if I create vPC to the Primary firewall I have to assign SVI IP address to each Leaf and a secondary IP as the next hop from the Firewall. And for the second vPC to the secondary Firewall, how do I assign the IP address? They have to be on the same subnet as the next hop has to be the same from the Firewall. 

So my issue is not the vPC, it the L3Out to the HA Firewall. 

 

Would really appreciate your comments.

 

Kind regards,

 

Shahin

 

 

0 Helpful

Go to solution
Manuel Velasco
Cisco Employee
Cisco Employee
In response to Shahin901

‎07-05-2018 09:17 AM

Hi Shahin,

 

In this particular scenario you can create a second VPC SVI and assign the same IPs as the first VPC.  Note that since you have an active/stanby FW setup, only the active FW should respond to ARP so the fabric would know to which FW if you forward the traffic.

 

2VPCs.JPG

Preview file
34 KB

Go to solution
Shahin901
Level 1
Level 1
In response to Manuel Velasco

‎07-06-2018 12:09 AM

Hi Manuel,

 

That is the answer I was after. Really do appreciate your help.

 

Kind regards,

 

Shahin

0 Helpful

Go to solution
harshal.shahane
Level 1
Level 1
In response to Shahin901

‎07-05-2018 11:07 PM

Hi,

 

When you create L3 OUT for connectivity with the Firewall in Active/Standby mode, SVI Based L3 OUT needs to be configured, and regarding the IP Address, please refer to the below example.

 

Palo Alto Virtual IP 10.0.0.1/24

 

ACI Leaf 1 Primary IP 10.0.0.4/24

ACI Leaf 1 Secondary IP 10.0.0.3/24 (Virtual)

ACI Leaf 2 Primary IP 10.0.0.5/24

ACI Leaf 2 Secondary IP 10.0.0.3/24 (Virtual)

 

Route on both the Leaf will be towards the Palo Alto Virtual IP.

 

Regards,

Harshal

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License