Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1774
Views
0
Helpful
5
Replies

Extended L3OUT in a Dual Site ACI environment

guillerm
Level 1
Level 1

‎06-02-2017 10:06 AM - edited ‎03-01-2019 05:14 AM

Hello,

we have to insert Firewalls between some VRFs (intra-Tenants and inter-Tenants VRFs) in a Dual Site ACI environment;

to make things easier, the wished design is to use a pair of firewalls, 1 Fiewall per DC, 1 active and 1 standby, with the need of extended VLANs between both FWs;

so, this would require to extend L3OUT Vlans between the 2 DCs.

Although this extended L3OUT feature should be available in version 2.3, it should require some specific N9K models ;

so, we are trying to extend the L3OUT using some specific setup that are supposed to work ...

although it does not seem to work for now ;

the trick is just to add the DCI VPC (between both DCs) as a second path in the FW L3OUT, the 1st path being the VPC to the FW itself ;

well, doing so, the L3OUT VLAN is well extended betwen the 2 DCs, and both FWs can ping each other,

but, there is no way to route IP packets from a standard endpoint (on a standard extended EPG) located on 1 DC to the FW located on the other DC;

when taking traces on both FWs, we can see that the ACI on the endpoint side only sends ARPs to its attached FW via the L3OUT, and never thru the DCI VPC to reach the FW on the other DC;

Any idea appreciated

1 person had this problem
Labels:
0 Helpful
5 Replies 5

Marcel Zehnder
Spotlight
Spotlight

‎06-05-2017 02:02 AM

Hi 

So you want to deploy a active/standby FW-cluster over two ACI fabrics (dual fabric)? There is a design guide available at http://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737077.pdf which describes the configuration.

IMHO I would never (again) do such a setup, I would recommend to build a active/standby cluster per datacenter instead - makes life much easier.

HTH

Marcel

0 Helpful

guillerm
Level 1
Level 1

‎09-15-2017 02:32 AM

Hello,

we managed to make our design work (extended L3OUT in a dual Fabric envt);

the trick is to code a different MAC on L3OUT per DC, e.g. :

on DC1, code L3OUT MAC = "00:22:BD:F8:19:FF" for both Paths defined : Path to the FW and path to the DCI

on DC2, code L3OUT MAC = "00:22:BD:F8:19:FE" for both Paths defined : Path to the FW and path to the DCI

 

For the IPs, code 1 distinct primary IP per Leaf and per DC (so 4 IPs needed) and 1 shared secondary IP for all Leafs of both DCs (same second. IP on both DC) on Paths to FW,

You can use either the same primary IPs on Paths to DCI as on the Paths to FW or distinct ones,

and no secondary IP is coded on Paths to DCI

 

 

0 Helpful

x00008037
Level 1
Level 1

‎02-18-2019 03:21 AM

Hi Mate,

 

We have the same topology with two Checkpoint Firewall in an Active Standby Cluster. When you say the below can you explain how you did this?

 

Thanks in adva

 

"the trick is just to add the DCI VPC (between both DCs) as a second path in the FW L3OUT, the 1st path being the VPC to the FW itself"

0 Helpful

guillerm
Level 1
Level 1
In response to x00008037

‎02-18-2019 05:01 AM

Hello,

see attached XML example "L3OUT-for-Active-Standby-FW-config-V1.txt" for 1 of the 2 interconnected DCs;

same kind of config for the 2nd DC

 

Preview file
4 KB
0 Helpful

x00008037
Level 1
Level 1
In response to guillerm

‎02-18-2019 05:12 AM

Hi 

 

Thanks for that, im kinda new to ACI and havnt used XML to configure the fabric yet.

 

I assume this is all within the GUI??

 

The below is what we are trying to achieve. Vlan 155 will have SVI l3out to FW and it is also stretched to DR site.

 

We peer with the FW VIP Cluster XL IP

Preview file
72 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents

Save 25% on Day-2 Operations Add-On License