Palo Alto Active/Standby Migration to ACI.

I have a pair of Palo Alto firewalls in Active/Standby mode connected to legacy 6500 switches.  ACI has an L2 link to the 6500 switch with an SVI running EIGRP and advertising all networks to the 6500.  There is also a static route on the L2 side pointing directly at the SVI IP on the 6500 as the next-hop address.


When I move the standby firewall into ACI I don't want to kill the L2 link, because it will be used to provide routing between the 6500 and ACI for the HA interfaces only, and I will make this firewall Active to test the configuration.


Now we have one static route pointed to the newly migrated firewall on ACI via the L3Out.  I also have an existing L2 connection to the existing Active firewall, which will now be in Standby mode.  Question of the day: when traffic needs to hit the firewall, is it going to use the route directly connected on ACI, or go via the L2 link over the SVI with EIGRP running on it?


Francesco Molino
Your active firewall is in ACI, I got that. But what traffic are you talking about? Outside the fabric? In the fabric?
Also, is your firewall doing inter-VRF routing? Can you give us more details please?

No, nothing is on ACI yet; both firewalls are currently connected to the legacy 6500 switches.  The switches are connected via an L2 link to the ACI leaf.  There is a static route from the firewall pointed towards the 6500, and then from the 6500 pointed towards ACI.  The same goes back: from ACI to the 6500 there is a static route, and then from the 6500 to the firewall.  That's how the current traffic is flowing.  Now we want to migrate the Standby firewall over, and I am wondering: there is a static route already in ACI pointed to the 6500, and now I will introduce another one which will be pointed towards this Standby firewall.  As soon as I put in this new Standby firewall static route, which will now be directly connected even though it is Standby, will it start sending traffic to this link, which is not servicing requests?  Hope this made it easier.  Open to questions, and I appreciate your time in this.

Also, I forgot to add that all the SVIs currently reside in ACI, and they can all communicate with each other because they have all been dropped into the common tenant VRF.  The traffic I was referring to is the traffic from ACI, since everything has been migrated over to ACI and this is the last piece, the firewall pair, left for internet and DMZ access.

I wouldn't have migrated all SVIs into the common tenant. This tenant is a shared space for all tenants.
Usually for firewalls, we connect them into a tenant using an L3Out.
HA won't be an issue, as your L2 for that purpose is spanned from ACI to the 6500.
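As an added illustration that is not part of the thread (and not Cisco or Palo Alto code), the following Python model shows the route-selection logic the question above turns on: longest prefix match first, then administrative distance, with entries that tie on both being installed together as equal-cost paths. The prefixes, next-hop addresses and the RIB contents are constructed assumptions modelled on the thread; the administrative distances are the usual Cisco defaults (static 1, EIGRP internal 90, EIGRP external 170), which is also the default preference of an ACI L3Out static route.

```python
"""Toy route-selection model (added example, not from the thread).

Assumed Cisco-style administrative distances: static 1, EIGRP internal 90,
EIGRP external 170.  Prefixes and next hops are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumed defaults; ACI L3Out static routes default to preference 1 as well.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "eigrp": 90, "eigrp-external": 170}


@dataclass(frozen=True)
class Route:
    prefix: str      # e.g. "0.0.0.0/0"
    next_hop: str    # next-hop IP address
    protocol: str    # key into ADMIN_DISTANCE
    metric: int = 0  # protocol-internal metric, only compared within one protocol

    @property
    def network(self):
        return ipaddress.ip_network(self.prefix, strict=False)

    @property
    def distance(self):
        return ADMIN_DISTANCE[self.protocol]


def lookup(rib, destination):
    """Return the sorted list of next hops that would carry traffic to `destination`.

    1. Longest prefix match wins.
    2. Among equal prefixes, the lowest administrative distance wins.
    3. Among equal AD, the lowest metric wins; anything still tied is ECMP,
       so every surviving next hop is returned.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in rib if dst in r.network]
    if not candidates:
        return []
    best_len = max(r.network.prefixlen for r in candidates)
    candidates = [r for r in candidates if r.network.prefixlen == best_len]
    best_ad = min(r.distance for r in candidates)
    candidates = [r for r in candidates if r.distance == best_ad]
    best_metric = min(r.metric for r in candidates)
    return sorted(r.next_hop for r in candidates if r.metric == best_metric)


# Constructed scenario modelled on the thread: default-route candidates in the ACI VRF.
RIB = [
    Route("0.0.0.0/0", "10.0.0.1", "static"),        # existing static via the 6500 SVI (assumed IP)
    Route("0.0.0.0/0", "10.0.1.1", "static"),        # new static via the L3Out to the migrated firewall (assumed IP)
    Route("0.0.0.0/0", "10.0.0.1", "eigrp"),         # same default learned over the L2 link via EIGRP
    Route("192.168.50.0/24", "10.0.2.1", "eigrp"),   # a more specific prefix learned via EIGRP
]

if __name__ == "__main__":
    print(lookup(RIB, "8.8.8.8"))        # ['10.0.0.1', '10.0.1.1']: both statics win on AD, EIGRP loses
    print(lookup(RIB, "192.168.50.7"))   # ['10.0.2.1']: the longer prefix wins regardless of AD
```

The point the model makes for the question in the thread: a static route beats an EIGRP-learned route for the same prefix on administrative distance alone, and two static routes for the same prefix with the same preference are both installed and share load, so the new L3Out next hop would receive a share of the flows as soon as it is configured. Giving one of the two statics a worse preference (the Preference field on an ACI L3Out static route) is what turns it into a backup rather than an equal-cost path.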

