Solved: Re: DCNM and L3 Peering to ASA Active/Standby Firewalls

dm2020 · ‎11-11-2022

Hi All,

I am currently installing a VXLAN EVPN fabric using DCMN that consists of 2 spines, 6 leafs and 2 border leafs. The border leafs will be paired in a vPC domain.

I am trying to connect an active/standby pair of ASA firewalls to the border leafs using vPCs matching the topology in the below. I understand how to setup the vPC, however I am confused about how to setup layer 3 as we want to configure eBGP peering between each border leaf and the active ASA.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/92x/vxlan-92x/configuration/guide/b-cisco-nexus-9000-series-nx-os-vxlan-configuration-guide-92x/b_Cisco_Nexus_9000_Series_NX-OS_VXLAN_Configuration_Guide_9x_appendix_010110.html#C...

When trying to setup an external network in DCNM, I discovered that DCNM can only configure VRF-Lite handoff using routed port sub-interfaces rather than having an option to configure SVIs over a trunk which is needed to support the firewalls in HA.

How are we supposed to do this in DCNM? Can this be automated or do we need to configure this manually using a freeform template?

Shyam Sundar · ‎11-20-2022

Hello,

I believe you can configure the Interface in 'int_routed_host_11_1' policy making the interface L3 and then configure 'Subinterface' to further configure SVI if required.

'Freeform Config' is a great way to customize your trunk interface too.

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco NDFC through our live Ask the Experts (ATXs) session. Check out this ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.

View solution in original post

Shyam Sundar · ‎11-20-2022

Hello,

I believe you can configure the Interface in 'int_routed_host_11_1' policy making the interface L3 and then configure 'Subinterface' to further configure SVI if required.

'Freeform Config' is a great way to customize your trunk interface too.

If you find my reply solved your question or issue, kindly click the 'Accept as Solution' button and vote it as helpful.

You can also learn more about Cisco NDFC through our live Ask the Experts (ATXs) session. Check out this ATXs Resources [https://community.cisco.com/t5/data-center-and-cloud-knowledge/cisco-aci-ask-the-experts-resources/ta-p/4394491] to view the latest schedule for upcoming sessions, as well as the useful references, e.g. online guides, FAQs.