cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1969
Views
0
Helpful
2
Replies

Palo Alto Active/Standby two single connection into the Common Tennant.

zafarsohail
Level 1
Level 1

Hello ACI Gurus.

 

I am currently migrating a two sets of Palo Alto Physical firewalls directly counted to old Cisco 6509 switches to ACI.  The way current environment is communicating between ACI and legacy 6509 switches is via a L2 link with a SVI created on it running EIGRP on both sides ACI and 6509.  Both 6509 switches are currently configured as standalone switches.  One connected to FW-A and other to FW-B. Both switches have L2 link with static route pointed to the Firewalls and SVI configured running EIGRP on it to communicate with ACI advertised Networks.  On ACI side all the EPGs are currently communicating between tenants via Common Tennant and via L2 Link with static route advertised under EIGRP on SVI.  Users traffic going out to internet first hits the 6509 switches and then to the Active Palo Alto Firewall.  If the traffic is destined for DMZ then it goes to the DMZ switches directly connected to Firewalls and then to its destination services.  Both Firewalls are single homed with Internal L3 connection going to A (6509) and B (6509) switches.

  The problem I am facing is traffic destined for Firewalls from ACI currently have this static route pointed to 6509 switches. If I cutover lets say Standby firewall first by creating a L3out from Common Tenant with a static route directly pointed to Firewall interface.  Would it work or two static routes will collide.  Two meaning the one which is currently there pointed to 6509 switch and the other one I will put in on this new L3out pointed to Firewall.

 

And

 

If I cut over the Active firewall the same way with a static route pointed to Active Firewall.  Would that be sufficient enough for the migration.

 

Also the firewall currently has a static route pointed back to the IP address currently configured on 6509 switches single homed link and off course that IP will be move to ACI when the physical link will move of each firewall.

 

Thanks in advance.

2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

since we do not have high level how they connected,and cut over approach. because there is some issues i faced other firewall when we moving from tranditional to ACI - Like 1 box in ACI and another one in Traditional way as per my experience.

 

if you have enough maintenance window, suggest to cutover to ACI (if that is final solution you looking to or going forward)

 

here one good thread can help you :

 

https://community.cisco.com/t5/application-centric/cisco-aci-connectivity-to-palo-alto-firwall-active-standby-mode/m-p/3408764

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thank you for your response and time in this.  

 

They are currently connected to 6509 switches and all I am doing is moving that physical link in the ACI.  Both HA1 and MGMT connections are already on ACI and working correctly as the HA2 interface is still connected to 6509 which will be moved as well as part of this migration as a L3 interface for High Availability.

 

The migration path is to move Standby Firewall HA2 interface to ACI first and confirm the communication is there and then move the internal interface.

 

After a day or two the same procedure will be performed to move the Active firewall over.

 

Hope this helps.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: