Palo Alto Active/Standby two single connections into the Common Tenant.
Hello ACI Gurus.
I am currently migrating two sets of Palo Alto physical firewalls, directly connected to old Cisco 6509 switches, to ACI. The way the current environment communicates between ACI and the legacy 6509 switches is via an L2 link with an SVI created on it, running EIGRP on both sides (ACI and 6509). Both 6509 switches are currently configured as standalone switches: one is connected to FW-A and the other to FW-B. Both switches have an L2 link with a static route pointed to the firewalls and an SVI configured running EIGRP on it to communicate with the ACI-advertised networks. On the ACI side, all the EPGs currently communicate between tenants via the Common Tenant and via the L2 link, with the static route advertised under EIGRP on the SVI. User traffic going out to the internet first hits the 6509 switches and then the Active Palo Alto firewall. If the traffic is destined for the DMZ, it goes to the DMZ switches directly connected to the firewalls and then to its destination services. Both firewalls are single-homed, with the internal L3 connection going to the A (6509) and B (6509) switches respectively.
The problem I am facing is that traffic destined for the firewalls from ACI currently has this static route pointed to the 6509 switches. If I cut over, let's say, the Standby firewall first by creating an L3Out from the Common Tenant with a static route pointed directly to the firewall interface, would it work, or will the two static routes collide? By two I mean the one that is currently there, pointed to the 6509 switch, and the other one I will put in on this new L3Out, pointed to the firewall.
If I cut over the Active firewall the same way, with a static route pointed to the Active firewall, would that be sufficient for the migration?
Also, the firewall currently has a static route pointed back to the IP address currently configured on the 6509 switches' single-homed link, and of course that IP will be moved to ACI when each firewall's physical link is moved.
Since we do not have a high-level view of how they are connected and of the cutover approach: there are some issues I faced with other firewalls when moving from traditional to ACI, like one box in ACI and another one in the traditional way, as per my experience.
If you have a long enough maintenance window, I suggest cutting over to ACI (if that is the final solution you are looking for or going forward).
They are currently connected to the 6509 switches, and all I am doing is moving that physical link into ACI. Both the HA1 and MGMT connections are already on ACI and working correctly, while the HA2 interface is still connected to the 6509; it will be moved as well as part of this migration, as an L3 interface for High Availability.
The migration path is to move the Standby firewall's HA2 interface to ACI first, confirm the communication is there, and then move the internal interface.
After a day or two, the same procedure will be performed to move the Active firewall over.