06-02-2017 10:06 AM - edited 03-01-2019 05:14 AM
Hello,
we have to insert firewalls between some VRFs (intra-tenant and inter-tenant VRFs) in a dual-site ACI environment;
to make things easier, the wished design is to use a pair of firewalls, 1 firewall per DC, 1 active and 1 standby, with the need of extended VLANs between both FWs;
so, this would require extending the L3OUT VLANs between the 2 DCs.
Although this extended L3OUT feature should be available in version 2.3, it should require some specific N9K models;
so, we are trying to extend the L3OUT using some specific setup that is supposed to work ...
although it does not seem to work for now;
the trick is just to add the DCI VPC (between both DCs) as a second path in the FW L3OUT, the 1st path being the VPC to the FW itself;
well, doing so, the L3OUT VLAN is well extended between the 2 DCs, and both FWs can ping each other,
but there is no way to route IP packets from a standard endpoint (on a standard extended EPG) located in 1 DC to the FW located in the other DC;
when taking traces on both FWs, we can see that the ACI on the endpoint side only sends ARPs to its attached FW via the L3OUT, and never through the DCI VPC to reach the FW in the other DC.
Any idea appreciated.
06-05-2017 02:02 AM
Hi
So you want to deploy an active/standby FW cluster over two ACI fabrics (dual fabric)? There is a design guide available at http://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737077.pdf which describes the configuration.
IMHO I would never (again) do such a setup; I would recommend building an active/standby cluster per datacenter instead - it makes life much easier.
HTH
Marcel
09-15-2017 02:32 AM
Hello,
we managed to make our design work (extended L3OUT in a dual-fabric environment);
the trick is to code a different MAC on the L3OUT per DC, e.g.:
on DC1, code L3OUT MAC = "00:22:BD:F8:19:FF" for both paths defined: path to the FW and path to the DCI
on DC2, code L3OUT MAC = "00:22:BD:F8:19:FE" for both paths defined: path to the FW and path to the DCI
For the IPs, code 1 distinct primary IP per leaf and per DC (so 4 IPs needed) and 1 shared secondary IP for all leafs of both DCs (same secondary IP in both DCs) on the paths to the FW.
You can use either the same primary IPs on the paths to the DCI as on the paths to the FW, or distinct ones,
and no secondary IP is coded on the paths to the DCI.
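To make the recipe above checkable before it is pushed to the fabric, here is an added example (not the poster's configuration and not the APIC object model) that validates a path list against the rules stated in that post: one MAC shared by both paths within a DC, a different MAC per DC, a distinct primary IP per leaf and DC, and one shared secondary IP present only on the FW-facing paths. The dict layout, leaf IDs and IP addresses are constructed for illustration; the two MACs are the ones from the post.

```python
from collections import defaultdict

def path(dc, leaf, kind, mac, primary, secondary=None):
    """One L3OUT path entry; kind is 'FW' (vPC to the firewall) or 'DCI' (vPC to the other DC)."""
    return {"dc": dc, "leaf": leaf, "kind": kind, "mac": mac,
            "primary": primary, "secondary": secondary}

# Constructed sample following the recipe: one MAC per DC shared by both paths,
# a distinct primary IP per leaf and DC, one shared secondary IP on FW paths only.
GOOD_PATHS = [
    path("DC1", "101", "FW",  "00:22:BD:F8:19:FF", "10.0.0.1/24", "10.0.0.254/24"),
    path("DC1", "102", "FW",  "00:22:BD:F8:19:FF", "10.0.0.2/24", "10.0.0.254/24"),
    path("DC1", "101", "DCI", "00:22:BD:F8:19:FF", "10.0.0.1/24"),
    path("DC1", "102", "DCI", "00:22:BD:F8:19:FF", "10.0.0.2/24"),
    path("DC2", "201", "FW",  "00:22:BD:F8:19:FE", "10.0.0.3/24", "10.0.0.254/24"),
    path("DC2", "202", "FW",  "00:22:BD:F8:19:FE", "10.0.0.4/24", "10.0.0.254/24"),
    path("DC2", "201", "DCI", "00:22:BD:F8:19:FE", "10.0.0.3/24"),
    path("DC2", "202", "DCI", "00:22:BD:F8:19:FE", "10.0.0.4/24"),
]

def check_l3out_paths(paths):
    """Return the list of rule violations; an empty list means the config matches the recipe."""
    problems = []
    macs_by_dc = defaultdict(set)
    fw_primaries, fw_secondaries = [], set()
    for p in paths:
        macs_by_dc[p["dc"]].add(p["mac"])
        if p["kind"] == "FW":
            fw_primaries.append(p["primary"])
            if p["secondary"] is None:
                problems.append(f"{p['dc']} leaf {p['leaf']}: FW path needs the shared secondary IP")
            else:
                fw_secondaries.add(p["secondary"])
        elif p["secondary"] is not None:
            problems.append(f"{p['dc']} leaf {p['leaf']}: DCI path must not carry a secondary IP")
    for dc, macs in sorted(macs_by_dc.items()):
        if len(macs) != 1:
            problems.append(f"{dc}: FW and DCI paths must share one L3OUT MAC, found {sorted(macs)}")
    per_dc_macs = [next(iter(m)) for m in macs_by_dc.values() if len(m) == 1]
    if len(set(per_dc_macs)) != len(per_dc_macs):
        problems.append("the L3OUT MAC must differ between DCs")
    if len(set(fw_primaries)) != len(fw_primaries):
        problems.append("FW-path primary IPs must be distinct per leaf and per DC")
    if len(fw_secondaries) > 1:
        problems.append(f"FW paths must share a single secondary IP, found {sorted(fw_secondaries)}")
    return problems

# Same MAC in both DCs: the one setting the follow-up post says has to differ.
BAD_PATHS = [dict(p, mac="00:22:BD:F8:19:FF") for p in GOOD_PATHS]
```

Running `check_l3out_paths(GOOD_PATHS)` returns an empty list, while `BAD_PATHS` reports only the per-DC MAC violation.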
02-18-2019 03:21 AM
Hi Mate,
We have the same topology with two Checkpoint firewalls in an active/standby cluster. When you say the below, can you explain how you did this?
Thanks in adva
"the trick is just to add the DCI VPC (between both DCs) as a second path in the FW L3OUT, the 1st path being the VPC to the FW itself"