07-08-2018 02:02 AM - edited 03-01-2019 05:35 AM
Hi there.
I have a setup where I have 2 separate firewalls connected on the same vlan and subnet with an SVI on a Cat6500. It is a transit vlan with 3 exit points. The 2 firewalls can also route directly to each other.
Bad drawing attempt:
-------------------------  vlan/subnet e.g. 10.1.1.0/24
    |        |        |
   SVI      FW1      FW2
   .10      .1       .2
I'm trying desperately to implement this in ACI (3.2.1(m)) but keep running into stumbling blocks.
In ACI world I figured I'd have to do this:
------------------------------------------------  vlan/subnet e.g. 10.1.1.0/24
    |        |        |        |         |
   SVI      FW1      FW2    IF:FW1    IF:FW2
   .10      .1       .2      .11       .12
...with the SVI implemented as a secondary IP on each interface.
In my L3out I have added the interface to FW1 (10.1.1.11) on leaf 111 port 5. This of course means I've added the SVI (10.1.1.10) as well, as a secondary IP.
When I try to add the FW2 interface on leaf 111 port 6 (with the same encap and IP 10.1.1.12/24) I get this error:
Error:400 - Invalid Configuration - VRF Validation failed for VRF = uni/tn-common/ctx-extranet: Found IP address mismatch for path = uni/tn-common/out-L3-Extranet/lnodep-Nodes-Extranet/lifp-Interfaces-Extranet/rspathL3OutAtt-[topology/pod-1/paths-111/pathep-[eth1/5]] while processing IP address = 10.1.1.11/24; existing IP address(es) = {Ipv4: 10.1.1.12/24, Ipv6: 0.0.0.0} (Additional details: Interface: {type: SVI, tDn: topology/pod-1/paths-111/pathep-[eth1/5], nodeId: 111, encap: vlan-370, vpc: false, side: N/A}) If this was an attempt to modify, consider deletion followed by addition.
Given that I've configured the L3out as an SVI, it's logical to assume that there might be a vlan/subnet with multiple things in it. ACI doesn't seem to like this!
Can you think of a way around this? I tried adding a second interface profile to the L3out; same error.
I would prefer a solution which doesn't include reassigning firewalls to new subnets etc.
Cheers!
07-10-2018 11:08 AM
Hi
The L3out configured with SVIs is correct, and so is configuring your "SVI-IP" as a secondary address. But your "physical IP" must be the same for all ports on the same leaf.
Leaf-111 eth1/5 IP: 10.1.1.11/24 Secondary-IP: 10.1.1.10/24
Leaf-111 eth1/6 IP: 10.1.1.11/24 Secondary-IP: 10.1.1.10/24
You must change the interface IP only if you connect the FW on another leaf - for example if the FW members are connected on leaf-111 and leaf-112 then the IP will change:
Leaf-111 eth1/5 IP: 10.1.1.11/24 Secondary-IP: 10.1.1.10/24
Leaf-112 eth1/5 IP: 10.1.1.12/24 Secondary-IP: 10.1.1.10/24
HTH
Marcel
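As an added example (not part of the thread, and not Cisco's or APIC's own code), here is a small Python checker that encodes the rule from the answer above: on one leaf, every SVI path with the same encap must carry the same primary IP, a different leaf needs a different primary IP, and the shared "SVI IP" secondary is identical everywhere. The sample paths are constructed from the addresses in the thread; the `l3extRsPathL3OutAtt`/`l3extIp` object and attribute names in the payload helper are this example's assumption about the APIC object model.

```python
from collections import defaultdict

# Constructed sample data: the failing attempt from the question and the
# corrected layout from the answer, as (leaf, port, encap, primary, secondary).
FAILING = [
    (111, "eth1/5", "vlan-370", "10.1.1.11/24", "10.1.1.10/24"),
    (111, "eth1/6", "vlan-370", "10.1.1.12/24", "10.1.1.10/24"),
]
CORRECTED = [
    (111, "eth1/5", "vlan-370", "10.1.1.11/24", "10.1.1.10/24"),
    (111, "eth1/6", "vlan-370", "10.1.1.11/24", "10.1.1.10/24"),
    (112, "eth1/5", "vlan-370", "10.1.1.12/24", "10.1.1.10/24"),
]

def validate_svi_paths(paths):
    """Check an L3Out SVI layout; returns a list of problems (empty = OK).

    Rules, as described in the thread: on one leaf, every port carrying the
    same encap must use the same primary IP; a different leaf needs its own
    primary IP; the secondary (the shared "SVI IP") is the same everywhere.
    """
    problems = []
    primaries = defaultdict(set)    # (leaf, encap) -> primary IPs seen
    owners = {}                     # (encap, primary) -> leaf that uses it
    secondaries = defaultdict(set)  # encap -> secondary IPs seen
    for leaf, port, encap, primary, secondary in paths:
        primaries[(leaf, encap)].add(primary)
        secondaries[encap].add(secondary)
        owner = owners.setdefault((encap, primary), leaf)
        if owner != leaf:
            problems.append(f"{encap}: primary {primary} used on leaf {owner} and leaf {leaf}")
    for (leaf, encap), ips in primaries.items():
        if len(ips) > 1:
            problems.append(f"leaf {leaf} {encap}: IP address mismatch {sorted(ips)}")
    for encap, ips in secondaries.items():
        if len(ips) > 1:
            problems.append(f"{encap}: secondary IP differs across paths {sorted(ips)}")
    return problems

def to_apic_payload(paths, pod=1):
    """Render the layout as l3extRsPathL3OutAtt objects with l3extIp children
    (assumed APIC object names for an SVI path and its secondary address)."""
    return [{
        "l3extRsPathL3OutAtt": {
            "attributes": {
                "tDn": f"topology/pod-{pod}/paths-{leaf}/pathep-[{port}]",
                "ifInstT": "ext-svi", "encap": encap, "addr": primary},
            "children": [{"l3extIp": {"attributes": {"addr": secondary}}}]}}
        for leaf, port, encap, primary, secondary in paths]
```

Running `validate_svi_paths(FAILING)` reports the same kind of "IP address mismatch" on leaf 111 that the APIC returned, while the corrected layout passes.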
07-11-2018 01:41 AM
Marcel, you little genius!!
That worked!
Thanks so much!