Hello everyone! I have seen some forums about that, but im not clear about de topology when i have 2 FW in active/standby.
We have two firewall and we have 4 leaves (2 per site) in the topology. There are 2 sites, but connected directly by a pair of fibers.
So i need to connect a FW in each site. Regarding, i have read, i can to do 2 vpc each per site, but i haven´t undestood if i have to create 1 or 2 L3out. and how is the best practice to connect these FWs (routed interface with HSRP, or SVI with secondary ip).
Could you clarify this for me?
Thanks in advance
Solved! Go to Solution.
Hopefully this guide help you : ( i have not done, but i was exploring with Foritgate IPS for one of customer).
How are you connecting these 2 sites together ? via multi-site or multi-POD ?
Assuming you are using multi-POD, you need to be careful of asymmetrical traffic. ACI will always prefer the local L3Out, so in the event that traffic came in through DC1, and need to return via DC2 it will be dropped. This can occur if you have VMs v-motioned across the data center. Remember that ACI gateways are pervasive.
When you have VMM domain integration configured and ESXi from both DCs are added to the vCenter, you don't actually have control of where the gateway is deployed into the switch because APIC only tells the switch "what to do", not "how to do". In the event that a vMotion occurs from DC1 to DC2, or a VM admin simply provisioned a new VM in DC2, the EPG, along with the BD will be deployed to DC2 whether you like it or not, in this case, your subnet just got stretched.
So it really depends on the desired traffic flow. You can configure 2 L3Outs for active/active data center setup, but just need to be fully aware of the traffic flow.
Hi!!! Sorry for the deleay, i was on holiday :)!!
Im gonna to attach de the topoly, there is not multipod nor multisite. It is a single Pod, with two nearly sites.
I have configured 1 L3out with SVI, 1 vpc per site to each Fortinet.
Leaf1: 10.1.1.2 Ip secondary 10.1.1.4
Leaf2: 10.1.1.3 Ip secondary 10.1.1.4
Leaf3: 10.1.1.5 Ip secondary 10.1.1.4
Leaf4: 10.1.1.6 Ip secondary 10.1.1.4
Fortinet (next hop): 10.1.1.1
We have statics routes to Fortinet. Regarding your experiencie, is it a valid design? We have done some test, migrating the active to standby and viceversa. And the solution would be working. But i don´t sure, if it is a valid design.