
Firewall (Unmanaged Mode) connectivity with ACI Leafs

netbeginner
Level 2

Hi All,

 

Working on ACI. I have to connect a physical hardware firewall (purely in un-managed mode and without a service graph) to ACI leafs with dual-home connectivity, along with vPC and L3Out.

No L4-L7 configuration is required, as we'll configure the firewall manually and will not manage it from APIC.

I only have a basic clue about the configuration. Could anyone please help and share the configuration steps to achieve this scenario, or share an article with a sample configuration?

 

Rgds

***

 ***

7 Replies

netbeginner
Level 2

Dear All, 

 

Not sure why I am hardly getting any response on this forum. :-)

Hi @netbeginner ,

 

Not sure why I am hardly getting any response on this forum. :-)


Because when the answer is as simple as googling for 5 seconds, that does not excite the crowd ;-)

 

Anyway, I saved your 5 seconds:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/L3-configuration/Cisco-APIC-Layer-3-Networking-Configuration-Guide-42x/Cisco-APIC-Layer-3-Networking-Configuration-Guide-42x_chapter_0100.html

 

Remi Astruc

Hi Remi, Thanks for spending 15 seconds. 

 

:-))

 

Probably you didn't read my question properly. I have requested a dual-home L3Out configuration on ACI for a hardware firewall...

Adding a point here: since we are running short of interfaces on the firewall, we may have to create sub-interfaces on the firewall, and also on the ACI end with L3Out.

Hi, 

 

You can use:

1- Service Graph in unmanaged mode, and APIC will not handle the FW, OR

2- you can use L3Out with vPC and sub-interfaces as you like (bottleneck)

If it's an edge FW, I prefer to use L3Out; if it's a data center FW, I prefer to use a Service Graph.

Hi,

You will not use an L3Out sub-interface when you need a Layer 2 connection between your 2 FW members. You will use the L3Out SVI feature.

If you don't find the first link to be as straightforward as you expected, let's try this one, which covers exactly your case step by step:

https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/

The detail of using vPC instead of a single link only differs in the step of defining the Path within the SVI object. Just ensure you are using Generation 2 leaves (EX, FX) and ACI 2.3 or above.

Remi Astruc
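To make the "only the Path differs" point concrete, here is an added example (not code from this thread, from Cisco, or from the linked guide) that builds the APIC REST JSON for an L3Out facing the firewall with an ext-svi interface, once on a single leaf port and once on a vPC, and runs the consistency checks a reviewer would want before posting it. Tenant, VRF, L3Out and vPC policy-group names, node ids, VLAN and IP addresses are constructed sample values; the object names (l3extOut, l3extRsPathL3OutAtt, l3extMember, l3extIp) are the APIC managed-object classes an SVI L3Out is made of.

```python
"""Added example, not code from the thread, from Cisco or from the linked guide:
build the APIC REST payload (JSON) for an L3Out that faces the firewall with an
SVI interface, once on a single leaf port and once on a vPC, which is the only
step that differs. All names, node ids, VLAN and IPs are constructed samples."""
import ipaddress
import json


def svi_path(tdn, vlan, addr=None, members=None, mtu="inherit"):
    """One l3extRsPathL3OutAtt of type ext-svi.
    Single port : the IP lives on the path itself (addr=...).
    vPC         : the path keeps 0.0.0.0 and each side (A/B) carries its own IP
                  in an l3extMember, plus the shared secondary IP (l3extIp)
                  that the firewall uses as its next hop."""
    attrs = {"tDn": tdn, "ifInstT": "ext-svi", "encap": f"vlan-{vlan}",
             "mode": "regular", "mtu": mtu, "addr": addr or "0.0.0.0"}
    children = []
    for side, (side_addr, secondary) in (members or {}).items():
        children.append({"l3extMember": {
            "attributes": {"side": side, "addr": side_addr},
            "children": [{"l3extIp": {"attributes": {"addr": secondary}}}]}})
    return {"l3extRsPathL3OutAtt": {"attributes": attrs, "children": children}}


def l3out_svi(tenant, vrf, name, nodes, paths, pod=1):
    """Tenant-scoped L3Out: VRF binding, node profile for the listed leaves,
    one interface profile holding the SVI paths, and a catch-all external EPG."""
    out_dn = f"uni/tn-{tenant}/out-{name}"
    node_atts = [{"l3extRsNodeL3OutAtt": {"attributes": {
        "tDn": f"topology/pod-{pod}/node-{n}", "rtrId": f"1.1.1.{n}",
        "rtrIdLoopBack": "no"}}} for n in nodes]
    lnodep = {"l3extLNodeP": {"attributes": {"name": "fw-nodes"}, "children": node_atts + [
        {"l3extLIfP": {"attributes": {"name": "fw-svi"}, "children": paths}}]}}
    ext_epg = {"l3extInstP": {"attributes": {"name": "ext-all"}, "children": [
        {"l3extSubnet": {"attributes": {"ip": "0.0.0.0/0", "scope": "import-security"}}}]}}
    return {"l3extOut": {"attributes": {"dn": out_dn, "name": name}, "children": [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": vrf}}}, lnodep, ext_epg]}}


def check_vpc_svi(path):
    """Checks to run before posting a vPC SVI path: both sides present, all
    addresses in one subnet, and one identical secondary IP on both sides."""
    problems = []
    members = {m["l3extMember"]["attributes"]["side"]: m["l3extMember"]
               for m in path["l3extRsPathL3OutAtt"]["children"]}
    if set(members) != {"A", "B"}:
        return ["vPC SVI needs exactly sides A and B"]
    nets, secondaries = set(), set()
    for m in members.values():
        nets.add(ipaddress.ip_interface(m["attributes"]["addr"]).network)
        for ip in m["children"]:
            sec = ip["l3extIp"]["attributes"]["addr"]
            secondaries.add(sec)
            nets.add(ipaddress.ip_interface(sec).network)
    if len(nets) != 1:
        problems.append("side A/B and secondary addresses are not in one subnet")
    if len(secondaries) != 1:
        problems.append("sides must share one secondary IP (the firewall's gateway)")
    return problems


# Constructed sample: leaves 101/102 in pod 1, VLAN 100 towards the firewall.
SINGLE = svi_path("topology/pod-1/paths-101/pathep-[eth1/1]", 100, addr="10.10.1.2/24")
VPC = svi_path("topology/pod-1/protpaths-101-102/pathep-[vpc_fw_pg]", 100,
               members={"A": ("10.10.1.2/24", "10.10.1.1/24"),
                        "B": ("10.10.1.3/24", "10.10.1.1/24")})

if __name__ == "__main__":
    print(check_vpc_svi(VPC))  # empty list when the two sides are consistent
    print(json.dumps(l3out_svi("Prod", "vrf-prod", "l3out-fw", [101, 102], [VPC]), indent=1))
```

The encap VLAN on the ext-svi path is the tag the firewall's sub-interface on its aggregated link carries, and the firewall points its routes at the shared secondary IP, which is why the check insists that both vPC sides agree on it. Posting the resulting JSON to the APIC (for example to `/api/mo/uni.json` after an `aaaLogin`) is left out here.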

Hi Friends, 

 

Thanks for response, Sounds good now. 

 

But still, for everyone to understand the actual scenario and to get the best possible configuration, I am attaching a proposed connectivity diagram here, as per which:

 

We have a Multipod (stretched) fabric across two locations (i.e. Site-1 & Site-2). We only have two hardware firewalls. One will be active at Site-1 and the other will remain in standby state at Site-2 (or vice versa).

 

- Active Firewall will connect (multi-homed) with Leaf-1 and Leaf-2 of SITE-1. Similarly Standby firewall will also connect (multi-homed) with Leaf-1 and Leaf-2 of SITE-2.

 

- At the firewall level, we have to aggregate (club) the physical interfaces for dual homing to the two leafs per site, and then create sub-interfaces of that aggregated interface to cater for multiple zones' traffic (as we don't have enough physical interfaces on the firewall).

 

- At the ACI end (leafs) we have to create the respective sub-interfaces with L3Out, or use the L3Out SVI feature. Not sure which is the best fit in our environment.

 

- Kindly note again, we are using the firewall in "un-managed mode", will not create or use any "service graph", and will not do "L4-L7 integration" either. It would be plain external firewall connectivity just to manage and filter East-West and North-South traffic.

 

Diagram attached.

 

Before posting on this forum, I initially did a lot of googling and didn't find even a close configuration. Everyone is either referring to Service Graph or L4-L7 integration, or I saw some configurations which are done in purely different ways, which leads to confusion and so many queries. Second, and very important: it's just a start for me in ACI :-).

This is why I am here to see all you experts.

 

Rgds

***

 

Hi @netbeginner ,

There may be a misunderstanding, but your questions are already precisely answered in my previous post...

 

- At the ACI end (leafs) we have to create the respective sub-interfaces with L3Out, or use the L3Out SVI feature. Not sure which is the best fit in our environment.

=> You will not use an L3Out sub-interface when you need a Layer 2 connection between your 2 FW members. You will use the L3Out SVI feature.

 

- Kindly note again, we are using the firewall in "un-managed mode", will not create or use any "service graph", and will not do "L4-L7 integration" either. It would be plain external firewall connectivity just to manage and filter East-West and North-South traffic.

=> That guide does not talk about SG or L4-L7 integration at all...

https://unofficialaciguide.com/2017/08/03/l3out-connecting-to-activestandby-fw/

 

Hopefully you'll see it clearer at the second reading.

Remi Astruc