
L3out - 2 firewalls on same subnet

jamie-nicol
Level 1

Hi there.

I have a setup where I have 2 separate firewalls connected on the same VLAN and subnet with an SVI on a Cat6500. It is a transit VLAN with 3 exit points. The 2 firewalls can also route directly to each other.
Bad drawing attempt:

------------------------- vlan/subnet e.g. 10.1.1.0/24
|        |      |
SVI     FW1    FW2
.10     .1      .2


I'm trying desperately to implement this in ACI (3.2.1(m)) but keep running into stumbling blocks.

In ACI world I figured I'd have to do this:

------------------------------------------------vlan/subnet e.g. 10.1.1.0/24
|        |      |         |            |
SVI     FW1    FW2        IF:FW1       IF:FW2
.10     .1      .2         .11          .12


...with the SVI implemented as a secondary IP on each interface.

In my L3out I have added the interface to FW1 (10.1.1.11) on leaf 111 port 5. This of course means I've added the SVI (10.1.1.10) as well, as a secondary IP.
When I try to add the FW2 interface on leaf 111 port 6 (with the same encap and IP 10.1.1.12/24) I get this error:

Error:400 - Invalid Configuration - VRF Validation failed for VRF = uni/tn-common/ctx-extranet: Found IP address mismatch for path = uni/tn-common/out-L3-Extranet/lnodep-Nodes-Extranet/lifp-Interfaces-Extranet/rspathL3OutAtt-[topology/pod-1/paths-111/pathep-[eth1/5]] while processing IP address = 10.1.1.11/24; existing IP address(es) = {Ipv4: 10.1.1.12/24, Ipv6: 0.0.0.0} (Additional details: Interface: {type: SVI, tDn: topology/pod-1/paths-111/pathep-[eth1/5], nodeId: 111, encap: vlan-370, vpc: false, side: N/A}) If this was an attempt to modify, consider deletion followed by addition.

Given that I've configured the L3out as an SVI, it's logical to assume that there might be a vlan/subnet with multiple things in it. ACI doesn't seem to like this!

Can you think of a way around this? I tried adding a second interface profile to the L3out; same error.

I would prefer a solution which doesn't include reassigning firewalls to new subnets etc.

Cheers!

Accepted Solution

Marcel Zehnder
Spotlight

Hi

The L3out configured with SVIs is correct. Configuring your "SVI-IP" as a secondary address is also correct. But your "physical IP" must be the same for all ports on the same leaf.

Leaf-111 eth1/5 IP: 10.1.1.11/24 Secondary-IP: 10.1.1.10/24

Leaf-111 eth1/6 IP: 10.1.1.11/24 Secondary-IP: 10.1.1.10/24

You must change the interface IP only if you connect the FW on another leaf - for example if the FW members are connected on leaf-111 and leaf-112 then the IP will change:

Leaf-111 eth1/5 IP: 10.1.1.11/24 Secondary-IP: 10.1.1.10/24

Leaf-112 eth1/5 IP: 10.1.1.12/24 Secondary-IP: 10.1.1.10/24

HTH

Marcel
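An added example, not part of the thread or of any Cisco tooling: a small Python model of the rule in this answer, run against the rejected configuration from the question, the corrected one above, and the two-leaf variant. The same-leaf/same-encap primary-IP check is what produced the "IP address mismatch" error quoted in the question; the other two checks (each leaf uses its own primary IP, and a secondary must lie in the SVI's subnet) are my reading of the answer, not something APIC is claimed to enforce in exactly this form. Node ids, ports, encap vlan-370 and addresses are taken from the thread.

```python
"""Model the L3Out SVI rule from the accepted answer: all paths on the same
leaf and encap share one primary IP; the shared "SVI-IP" is a secondary."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Interface


@dataclass(frozen=True)
class SviPath:
    node: int              # leaf node id, e.g. 111
    port: str              # e.g. "eth1/5"
    encap: str             # e.g. "vlan-370"
    addr: str              # primary IP/prefix of the SVI on this path
    secondary: tuple = ()  # secondary IP/prefixes (the shared "SVI-IP")


def validate_svi_paths(paths):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    by_svi = defaultdict(set)   # (node, encap) -> primary addresses seen
    by_addr = defaultdict(set)  # primary address -> leaves using it
    for p in paths:
        by_svi[(p.node, p.encap)].add(p.addr)
        by_addr[p.addr].add(p.node)
        net = IPv4Interface(p.addr).network
        for s in p.secondary:   # assumption: secondary lives in the SVI subnet
            if IPv4Interface(s).network != net:
                problems.append(f"node {p.node} {p.port}: {s} not in {net}")
    for (node, encap), addrs in by_svi.items():
        if len(addrs) > 1:      # the 'IP address mismatch' from the thread
            problems.append(f"node {node} {encap}: IP address mismatch {sorted(addrs)}")
    for addr, nodes in by_addr.items():
        if len(nodes) > 1:      # assumption: one distinct primary per leaf
            problems.append(f"{addr} reused on leaves {sorted(nodes)}")
    return problems


SVI_IP = ("10.1.1.10/24",)  # the old Cat6500 SVI address, now a secondary
# Constructed from the thread: the rejected attempt gave eth1/6 its own IP.
REJECTED = [SviPath(111, "eth1/5", "vlan-370", "10.1.1.11/24", SVI_IP),
            SviPath(111, "eth1/6", "vlan-370", "10.1.1.12/24", SVI_IP)]
# The fix: same primary on every port of leaf 111, SVI-IP stays secondary.
ACCEPTED = [SviPath(111, "eth1/5", "vlan-370", "10.1.1.11/24", SVI_IP),
            SviPath(111, "eth1/6", "vlan-370", "10.1.1.11/24", SVI_IP)]
# Two-leaf variant: the primary changes per leaf, the secondary is shared.
TWO_LEAF = [SviPath(111, "eth1/5", "vlan-370", "10.1.1.11/24", SVI_IP),
            SviPath(112, "eth1/5", "vlan-370", "10.1.1.12/24", SVI_IP)]

if __name__ == "__main__":
    for name, cfg in (("rejected", REJECTED), ("accepted", ACCEPTED), ("two-leaf", TWO_LEAF)):
        print(name, validate_svi_paths(cfg) or "OK")
```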


2 Replies


Marcel you little genius!!

That worked!

Thanks so much!
