A common use-case for ACI deployments is to attach a pair of firewalls northbound of ACI to filter traffic in and out of the fabric.
For this use case, we will be using “UNMANAGED” mode to connect the FW pair, by attaching the firewall via an L3out (External Routed Connection), and pointing static routes (0.0.0.0/0) to the firewall pair in question.
Assumptions for this design:
- Unmanaged, Active/standby FW pair
- Connectivity to firewalls is port-level (no port-channel, no vPC)
- Static routing will be used to route all traffic to FW pair
- L3EPG for L3out is not a Preferred Group Member EPG
- Transit routing is not configured
Prerequisites for this design:
- Configure ACI Fabric BGP route reflectors
- Configure Fabric Access Policies (ACI Leaf Interfaces that connect to your firewalls will need to be configured)
- Tenant Configuration is complete (Application Profile, EPG, BD, and VRF already exist)
Caveats for this design:
From our border leafs, (leaf 201/202), we will configure an SVI-based, L3out. HSRP-like functionality will be provided by selecting a “secondary” address for each of our border leafs, in this case, 10.1.1.1/24.
Define your L3out (Tenant > Networking > External Routed Networks)
- Select VRF
- Select External Routed Domain (the external routed domain will have to have access to a vlan pool that contains the vlan you will define later)
Configure Node Profiles (a node profile for each border leaf)
- Define Router ID (must be defined, but you do not have to create a loopback)
- Configure your static routes to the FW
Configure Interface Profiles (an interface profile for each border leaf)
- Select SVI-based
- Select switch and interface
- Enter VlanID
- Select Mode (Tagging (trunk), untagged, or Native (dot1p))
- Enter Primary IP for switch (this is the real IP of the switch)
- Enter Secondary IP for the switch (this is the floating / VIP IP for the switch) – The secondary IP will be the IP address that is used in the firewall to statically route traffic back towards the fabric.
- Enter Subnet under L3Epg
- 0.0.0.0/0 can be used if you did not configure the L3EPG as a preferred group member EPG