Hi there.
i have a setup where i have 2 separate firewalls connected on the same vlan and subnet with an SVI on a Cat6500. It is a transit vlan with 3 exit points. The 2 firewalls can also route directly to each other.
Bad drawing attempt:
------------------------- vlan/subnet e.g. 10.1.1.0/24
| | |
SVI FW1 FW2
.10 .1 .2
I'm trying desperately to implement this in ACI (3.2.1(m)) but keep running into stumbling blocks.
In ACI world I figured i'd have to do this:
------------------------------------------------vlan/subnet e.g. 10.1.1.0/24
| | | | |
SVI FW1 FW2 IF:FW1 IF:FW2
.10 .1 .2 .11 .12
...with the SVI implemented as a secondary IP on each interface.
In my L3out i have added the interface to FW1 (10.1.1.11) on leaf 111 port 5. This of course means i've added the SVI (10.1.1.10) as well, as a secondary IP.
When i try to add the FW2 interface on leaf 111 port 6 (with the same encap and IP 10.1.1.12/24) i get this error:
Error:400 - Invalid Configuration - VRF Validation failed for VRF = uni/tn-common/ctx-extranet: Found IP address mismatch for path = uni/tn-common/out-L3-Extranet/lnodep-Nodes-Extranet/lifp-Interfaces-Extranet/rspathL3OutAtt-[topology/pod-1/paths-111/pathep-[eth1/5]] while processing IP address = 10.1.1.11/24; existing IP address(es) = {Ipv4: 10.1.1.12/24, Ipv6: 0.0.0.0} (Additional details: Interface: {type: SVI, tDn: topology/pod-1/paths-111/pathep-[eth1/5], nodeId: 111, encap: vlan-370, vpc: false, side: N/A}) If this was an attempt to modify, consider deletion followed by addition.
Given that I've configured the L3out as an SVI, it's logical to assume that there might be a vlan/subnet with multiple things in it. ACI doesn't seem to like this!
Can you think of a way around this? I tried adding a second interface profile to the L3out; same error.
I would prefer a solution which doesn't include reassigning firewalls to new subnets etc.
Cheers!
