DCNM 11.5(1) + Multi-Site Domain + FW active/standby peering question

Maciej Waliszko
Level 1

Hello,

I have the following deployment:

- 2 sites/DCs

- site1 consists of: 5 pairs of Leafs, 2 spines, 1 pair of BGs

- site2 as above

- direct peering between BGs of both sites

- the deployment was done through DCNM

The above deployment is working OK and I do have L2/L3 communication between the sites. Now I want to attach an active/standby pair of FWs to the above deployment to get out of the DCs (north/south traffic): FW1 in site1, FW2 in site2. Each FW would be attached to a pair of Leafs within each site. A port-channel with LACP would be used for that. Now I wonder how I can do the dynamic peering between the FWs and the Leafs. My concerns are as follows:

1) I would have to enable L3-over-vPC functionality for the vPC to have the possibility of running a dynamic routing protocol through the vPC, right? Should a switch_freeform policy be used for that?

2) FW failover between the sites means that the L3 interface IP address of the active FW node will be moving between the sites. That means that the subnet between the FW and the pair of Leafs needs to be the same, right?

3) How big should the above subnet be?

4) let's say that the dynamic protocol between pair of Leafs and an active FW would be BGP. Can it be so? BGP ASN is different between sites/DCs.

5) IMO I would have to create a dedicated VLAN for the subnet between the FW and the 2 pairs of Leafs, then create an SVI on each Leaf (4 in total), a 5th IP for the active FW node (and a 6th for the standby FW node). This means that the subnet from 3) should be at least a /28. Correct?

6) To make a failover non-disruptive I would have to create a BGP session from the active FW node to all 4 Leafs (each pair of Leafs is in a separate BGP ASN). Correct? Would that work?
