L3out – Connecting to Active/Standby FW

A common use-case for ACI deployments is to attach a pair of firewalls northbound of ACI to filter traffic in and out of the fabric.

For this use case, we will be using “UNMANAGED” mode to connect the FW pair, by attaching the firewall via an L3out (External Routed Connection), and pointing static routes ( to the firewall pair in question.

Assumptions for this design:

  • Unmanaged, Active/standby FW pair
  • Connectivity to firewalls is port-level (no port-channel, no vPC)
  • Static routing will be used to route all traffic to FW pair
  • L3EPG for L3out is not a Preferred Group Member EPG
  • Transit routing is not configured

Prerequisites for this design:

Caveats for this design:


From our border leafs (leaf 201/202), we will configure an SVI-based L3out. HSRP-like functionality will be provided by selecting a “secondary” address for each of our border leafs, in this case,

Configuration Steps

Define your L3out (Tenant > Networking > External Routed Networks)

  • Select VRF
  • Select External Routed Domain (the external routed domain will have to have access to a vlan pool that contains the vlan you will define later)


Configure Node Profiles (a node profile for each border leaf)

  • Define Router ID (must be defined, but you do not have to create a loopback)
  • Configure your static routes to the FW


Configure Interface Profiles (an interface profile for each border leaf)

  • Select SVI-based
  • Select switch and interface
  • Enter VlanID
  • Select Mode (Tagging (trunk), untagged, or Native (dot1p))
  • Enter Primary IP for switch (this is the real IP of the switch)
  • Enter Secondary IP for the switch (this is the floating / VIP IP for the switch) – The secondary IP will be the IP address that is used in the firewall to statically route traffic back towards the fabric.


Configure L3EPG

  • Enter Subnet under L3Epg
    • can be used if you did not configure the L3EPG as a preferred group member EPG
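The steps above, expressed as the APIC JSON object tree a practitioner would POST to build the L3out (this is an added example, not configuration from the original post; tenant, VRF, domain, leaf, VLAN and IP values are constructed assumptions, and the placeholder APIC URL is not real):

```python
import json

# Constructed values (assumptions, not the post's addressing or names)
TENANT, VRF, L3DOM, L3OUT = "prod", "prod-vrf", "FW-L3Dom", "L3out-FW"
FW_VLAN, FW_PORT = "vlan-370", "eth1/1"     # L3DOM's VLAN pool must contain FW_VLAN
FW_VIP = "10.1.1.10"                        # address shared by the active/standby pair
SECONDARY_IP = "10.1.1.1/24"                # floating SVI address the FW routes back to
LEAVES = {201: "10.1.1.2/24", 202: "10.1.1.3/24"}  # per-border-leaf primary SVI IPs

def node_profile(node, primary_ip, mode="regular"):
    """One node profile per border leaf: router-id (no loopback), static default
    route to the FW VIP, and an SVI interface profile with primary + secondary IP."""
    return {"l3extLNodeP": {"attributes": {"name": f"leaf{node}"}, "children": [
        {"l3extRsNodeL3OutAtt": {"attributes": {
            "tDn": f"topology/pod-1/node-{node}",
            "rtrId": f"{node}.{node}.{node}.{node}", "rtrIdLoopBack": "no"},
            "children": [{"ipRouteP": {"attributes": {"ip": "0.0.0.0/0"},
                "children": [{"ipNexthopP": {"attributes": {"nhAddr": FW_VIP}}}]}}]}},
        {"l3extLIfP": {"attributes": {"name": f"leaf{node}-svi"}, "children": [
            {"l3extRsPathL3OutAtt": {"attributes": {
                "tDn": f"topology/pod-1/paths-{node}/pathep-[{FW_PORT}]",
                "ifInstT": "ext-svi", "encap": FW_VLAN, "mode": mode,  # regular = tagged
                "addr": primary_ip},
                "children": [{"l3extIp": {"attributes": {"addr": SECONDARY_IP}}}]}}]}}]}}

def build_l3out():
    """Full l3extOut tree: VRF, L3 domain, per-leaf node profiles and the L3EPG."""
    children = [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": VRF}}},
        {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{L3DOM}"}}},
    ] + [node_profile(n, ip) for n, ip in LEAVES.items()] + [
        # 0.0.0.0/0 with import-security classifies every external source into this
        # L3EPG; it is not a preferred-group member, so traffic still needs contracts.
        {"l3extInstP": {"attributes": {"name": "FW-L3EPG"}, "children": [
            {"l3extSubnet": {"attributes": {"ip": "0.0.0.0/0", "scope": "import-security"}}}]}}]
    return {"l3extOut": {"attributes": {"name": L3OUT}, "children": children}}

def post_url(apic="https://apic.example.net"):
    """Where this payload would be POSTed (after APIC login); not executed here."""
    return f"{apic}/api/mo/uni/tn-{TENANT}.json"

if __name__ == "__main__":
    print(json.dumps(build_l3out(), indent=2))
```

On the firewall side, the only fabric-facing route that needs to exist is one pointing at SECONDARY_IP, so a failover of either leaf does not change the firewall's next hop.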


11 thoughts on “L3out – Connecting to Active/Standby FW”

    1. The Pervasive BD gateway is for use inside of ACI; in this example we are establishing L3 connectivity to external FWs from the ACI fabric. That is why we define primary addresses on the external l3out SVI for each leaf, and a secondary address is used much like what you would see for HSRP in a non-ACI/FW connection.

    2. No – the Pervasive GW applies to internal BDs; with the L3out, you will need to utilize the secondary IP address.

  1. This is great, but I’m looking for something a little more production ready. That would include, in my scenario port-channels for bandwidth, trunking for multiple VRFs, and a dynamic routing protocol. Would love to see this solution more developed. Thanks!

  2. Hi there.
    This is more or less what I’ve done for A/S firewalls, although I’ve noticed that the secondary IP is not necessarily required; you can simply assign your “main” IP to ONE of the L3out interfaces. If that interface goes down (e.g. firewall fails) the IP assigned to that down interface remains reachable elsewhere. Having said that, your config appears better and cleaner – e.g. if you move the firewall to another interface you may have to delete the main IP. I will be implementing the secondary IP on my interfaces now 🙂

    I have a setup where I have 2 separate firewalls connected on the same vlan and subnet with an SVI on a Cat6500. It is a transit vlan with 3 exit points. The 2 firewalls can also route directly to each other.
    Bad drawing attempt:

    ———————– vlan/subnet e.g.
    | | |
    SVI FW1 FW2
    .10 .1 .2

    I’m trying desperately to implement this in ACI (3.2.1(m)) but keep running into stumbling blocks.

    In my L3out I have added FW1 ( on leaf 111 port 5. This of course means I’ve added the SVI ( as well.
    When I try to add FW2 on leaf 111 port 6 (with the same encap and IP) I get this error:

    Error:400 – Invalid Configuration – VRF Validation failed for VRF = uni/tn-common/ctx-extranet: Found IP address mismatch for path = uni/tn-common/out-L3-Extranet/lnodep-Nodes-Extranet/lifp-Interfaces-Extranet/rspathL3OutAtt-[topology/pod-1/paths-111/pathep-[eth1/5]] while processing IP address =; existing IP address(es) = {Ipv4:, Ipv6:} (Additional details: Interface: {type: SVI, tDn: topology/pod-1/paths-111/pathep-[eth1/5], nodeId: 111, encap: vlan-370, vpc: false, side: N/A}) If this was an attempt to modify, consider deletion followed by addition.

    Given that I’ve configured the L3out as an SVI, it’s logical to assume that there might be a vlan/subnet with multiple things in it. ACI doesn’t seem to like this!

    Can you think of a way around this? I tried adding a second interface profile to the L3out; same error.


      1. Hi Jody.

        I solved this by allocating the *same* IP address to each L3out interface.
        If you’re using 2 interfaces in the same L3out (with same encap) on the *same* leaf, the IPs must be the same.
        If the interfaces are on *different* leaves (same L3out, same encap), then the IPs must be different (but in the same subnet).

        The secondary IP (analogous to an HSRP address) can be the same throughout all interfaces.

        When the interfaces are on the same leaf, it’s analogous to (in old money):

        interface vlan 123
        ip address x.x.x.x/x ! same leaf, same IP for both interfaces in the L3out
        standby 123 ip y.y.y.y ! secondary IP for all interfaces in the L3out

        ! physical paths and encaps:
        interface g1/1
        switchport trunk allowed vlan 123
        interface g1/2
        switchport trunk allowed vlan 123

  3. I cannot get Palo to BGP peer with the secondary IP in SVI. BGP peer does not come up.
    BGP peer only forms on Side A and/or Side B IPs. Is there a way to BGP peer with secondary IP address?
