Buy or Renew
Buy or Renew
Register Here! - Join us 11/13 for the "Navigating DHCP Processes in SD-Access Network" Community Live event
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
366
Views
3
Helpful
6
Replies

L3-Border Handoff External Interface to Active-Pasive Fusion Firewall

Se1r
Level 1
Level 1

‎03-05-2025 03:29 AM

Hello, team I’m deploying a DNAC environment version 2.3.7.7-70047

We have 2 C9500 BN/CP in co-located mode and configuring the L3-Handoff link against 2 Firewalls in active/passive cluster.

Following BRKENS-2824 documentation due both BN/CP are not in VSL and I cant do a port-channel between them , so we will connect them as showed in attached image1.

So my doubt is that I cant configure more than 1 external link in the GUI for the same BN (only 1 physical or portchannel port and if I want to add another external interface for the same BN it has to be with another SVIs and ip addresses.).

 

Checking the configuration pushed by dnac for the external link I see that it only does a trunk allowed all in the selected port (apart from all the ebgp configuration for each VN/VRF). It is correct?

 

So as attached image1, green connections will be configured through GUI external link option and Orange connections to the passive FW will be configured as “manual mode” switchport trunk via CLI.

Does anyone know if DNAC does any internal configuration? Since the orange links will not be reflected as "external ports" in the GUI it could cause any issue?

Thanks

Labels:
Preview file
55 KB
0 Helpful
6 Replies 6

Torbjørn
VIP
VIP

‎03-05-2025 04:06 AM

If it is a requirement to use the same VLANs/SVIs for the peering with both firewalls I would probably just do this manually. You are correct in that GUI configuration of handoffs only configure the interfaces as trunks, creates the SVIs and then the BGP configuration. I also like to manually prune any unneccesary VLANs on the trunks towards my fusion nodes. The handoffs will not show up in the GUI, but it won't be an issue other than not being gui configurable.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev

Andrii Oliinyk
VIP
VIP

‎03-05-2025 04:09 AM - edited ‎03-05-2025 04:10 AM

"Checking the configuration pushed by dnac for the external link I see that it only does a trunk allowed all in the selected port (apart from all the ebgp configuration for each VN/VRF). It is correct?"
yes, DNAC configures IP-transit L3-handoff as trunk with transit VLANs per VRF
"Does anyone know if DNAC does any internal configuration?"
can u rephrase this Q pls?
"Since the orange links will not be reflected as "external ports" in the GUI it could cause any issue?"
Orange links MUST be configured as well. even if they wont be active in peering until FW SSO happens.
UPD. I'd recommend you to consolidate your BN|CPs into VSL to decrease unnecessary peering...


0 Helpful

Se1r
Level 1
Level 1

‎03-13-2025 09:51 AM - edited ‎03-13-2025 10:32 AM

Hello, thanks for replying.

We are not configuring them in VSL due as single point of failure, we are already collocating BN and CP roles, we will do as Torbjorn indications.

Another question if you can help me... We are placing both Border Nodes as Anywhere Borders. With a Lisp PUB/SUB Deployment. It is still needed the manual iBGP peering between both borders? (image 2 our topology)

Thanks

Preview file
51 KB
0 Helpful

Andrii Oliinyk
VIP
VIP
In response to Se1r

‎03-13-2025 12:15 PM - edited ‎03-13-2025 12:25 PM

i'm familiar to Cisco CX designs with single BN\CP represented by VSL. & from my perspective declaring VSL as SPoF is the same as declaring VSS as such. @ least i'm not familiar to single case where VSL would show up itself with invalid redundancy. But it's up to u to decide.
u dont need iBGP between BN|CPs with Pub/Sub

 

Se1r
Level 1
Level 1
In response to Andrii Oliinyk

‎03-13-2025 12:39 PM - edited ‎03-13-2025 12:40 PM

Hello,

Thanks for the reply. We've decided to not stack the BN/CP due BRKENS-2824 recommendations (Cisco live 2024)  as our firewall team confirmed that Fusion FW supports ECMP we will mantain Active/Active borders.


"Upstream Connectivity – Fusion Firewall
Solution 4. Stack Border Nodes.
Make only single interface on the firewall by stacking Border
Nodes. Please avoid.
• Single point of failure, especially if you collocate CP and BN
roles.
• Hardware changes require SVL reboot (=fabric outage).
• No In-Service Software Upgrade (ISSU) for SVL in SDAccess."

Se1r_0-1741894853663.png

 


Thanks

0 Helpful

Andrii Oliinyk
VIP
VIP
In response to Se1r

‎03-13-2025 02:19 PM

now i got your point about redundancy. the case when maintenance for entire fabric is not the case :0)
btw with separate BN|CPs u can reuse VLANs/SVIs for peering with FN w/o manual configuration on the BN|CPs (assuming your FW as FN supports multiple peerings in the same VLAN/Subnet & u introduced legacy L2-switch(stack) in the middle bw BN\CPs & FW)

Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card