A common use-case for ACI deployments is to attach a pair of firewalls northbound of ACI to filter traffic in and out of the fabric.
For this use case, we will be using “UNMANAGED” mode to connect the FW pair: the firewalls are attached via an L3out (External Routed Connection), and a static default route (0.0.0.0/0) points to the firewall pair in question.
Assumptions for this design:
- Unmanaged, Active/standby FW pair
- Connectivity to firewalls is port-level (no port-channel, no vPC)
- Static routing will be used to route all traffic to FW pair
- L3EPG for L3out is not a Preferred Group Member EPG
- Transit routing is not configured
Prerequisites for this design:
- Configure ACI Fabric BGP route reflectors
- Configure Fabric Access Policies (ACI Leaf Interfaces that connect to your firewalls will need to be configured)
- Tenant Configuration is complete (Application Profile, EPG, BD, and VRF already exist)
Caveats for this design:
From our border leafs (leaf 201/202), we will configure an SVI-based L3out. HSRP-like functionality will be provided by selecting a “secondary” address that is shared by both border leafs, in this case 10.1.1.1/24.
Configuration Steps
Define your L3out (Tenant > Networking > External Routed Networks)
- Select VRF
- Select External Routed Domain (the External Routed Domain must be associated with a VLAN pool that contains the VLAN you will define later in the interface profile)
Configure Node Profiles (a node profile for each border leaf)
- Define Router ID (must be defined, but you do not have to create a loopback)
- Configure your static routes to the FW
Configure Interface Profiles (an interface profile for each border leaf)
- Select SVI-based
- Select switch and interface
- Enter VlanID
- Select Mode (Tagging (trunk), untagged, or Native (dot1p))
- Enter Primary IP for switch (this is the real IP of the switch)
- Enter Secondary IP for the switch (this is the floating / VIP IP for the switch) – The secondary IP will be the IP address that is used in the firewall to statically route traffic back towards the fabric.
Configure L3EPG
- Enter Subnet under L3Epg
- 0.0.0.0/0 can be used if you did not configure the L3EPG as a preferred group member EPG
Thank you, great help!!
In this scenario, can we use pervasive gateway concept instead of using second ip address?
The Pervasive BD gateway is for use inside of ACI; in this example we are establishing L3 connectivity to external FWs from the ACI fabric. That is why we define primary addresses on the external l3out SVI for each leaf, and a secondary address is used much like what you would see for HSRP in a non-ACI/FW connection.
No – the Pervasive GW applies to internal BDs; with the L3out, you will need to utilize the secondary IP address.
This is great, but I’m looking for something a little more production ready. That would include, in my scenario port-channels for bandwidth, trunking for multiple VRFs, and a dynamic routing protocol. Would love to see this solution more developed. Thanks!
Hi there.
This is more or less what I’ve done for A/S firewalls, although I’ve noticed that the secondary IP is not necessarily required; you can simply assign your “main” IP to ONE of the L3out interfaces. If that interface goes down (e.g. firewall fails) the IP assigned to that down interface remains reachable elsewhere. Having said that, your config appears better and cleaner – e.g. if you move the firewall to another interface you may have to delete the main IP. I will be implementing the secondary IP on my interfaces now 🙂
Question:
I have a setup where I have 2 separate firewalls connected on the same vlan and subnet with an SVI on a Cat6500. It is a transit vlan with 3 exit points. The 2 firewalls can also route directly to each other.
Bad drawing attempt:
———————– vlan/subnet e.g. 10.1.1.0/24
   |          |          |
  SVI        FW1        FW2
  .10        .1         .2
I’m trying desperately to implement this in ACI (3.2.1(m)) but keep running into stumbling blocks.
In my L3out I have added FW1 (10.1.1.1) on leaf 111 port 5. This of course means I’ve added the SVI (10.1.1.10) as well.
When I try to add FW2 on leaf 111 port 6 (with the same encap and IP 10.1.1.2/24) I get this error:
Error:400 – Invalid Configuration – VRF Validation failed for VRF = uni/tn-common/ctx-extranet: Found IP address mismatch for path = uni/tn-common/out-L3-Extranet/lnodep-Nodes-Extranet/lifp-Interfaces-Extranet/rspathL3OutAtt-[topology/pod-1/paths-111/pathep-[eth1/5]] while processing IP address = 10.1.1.1/24; existing IP address(es) = {Ipv4: 10.1.1.2/24, Ipv6: 0.0.0.0} (Additional details: Interface: {type: SVI, tDn: topology/pod-1/paths-111/pathep-[eth1/5], nodeId: 111, encap: vlan-370, vpc: false, side: N/A}) If this was an attempt to modify, consider deletion followed by addition.
Given that I’ve configured the L3out as an SVI, it’s logical to assume that there might be a vlan/subnet with multiple things in it. ACI doesn’t seem to like this!
Can you think of a way around this? I tried adding a second interface profile to the L3out; same error.
Cheers!
Can you send me an email with a visio of the environment and save the xml for your L3out and email that as well? joddavis74055@gmail.com – I’ll take a look!
Hi Jody.
I solved this by allocating the *same* IP address to each L3out interface.
If you’re using 2 interfaces in the same L3out (with same encap) on the *same* leaf, the IPs must be the same.
If the interfaces are on *different* leaves (same L3out, same encap), then the IPs must be different (but in the same subnet).
The secondary IP (analogous to an HSRP address) can be the same throughout all interfaces.
When the interfaces are on the same leaf, it’s analogous to (in old money):
interface vlan 123
ip address x.x.x.x/x ! same leaf, same IP for both interfaces in the L3out
standby 123 ip y.y.y.y ! secondary IP for all interfaces in the L3out
! physical paths and encaps:
interface g1/1
switchport trunk allowed vlan 123
interface g1/2
switchport trunk allowed vlan 123
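The configuration steps from the post and the same-leaf / different-leaf addressing rule from the comment above, as one added example that is not from the original post or its comments: standard-library Python that builds the APIC XML for the SVI-based L3out (VRF and domain binding, a node profile per border leaf with router ID and a 0.0.0.0/0 static route, SVI interface profiles with primary and secondary address, and the 0.0.0.0/0 L3EPG subnet) and sanity-checks the addressing. It goes beyond the post by allowing several ports per leaf, each path on one leaf carrying the same primary address. Leafs 201/202 and the 10.1.1.1/24 secondary come from the post; the tenant, VRF, domain, VLAN, ports, primary addresses and firewall next hop are assumed placeholders.

```python
import ipaddress
import xml.etree.ElementTree as ET

TENANT, VRF, L3DOM = "demo-tn", "demo-vrf", "fw-l3dom"  # assumed names
SECONDARY = "10.1.1.1/24"            # floating / VIP address from the post
FW_VIP = "10.1.1.254"                # assumed firewall floating next hop
ENCAP, MODE = "vlan-100", "regular"  # assumed VLAN; "regular" = tagged (trunk)
# Border leafs 201/202 from the post. Each leaf: (primary SVI IP, ports).
# Every path on one leaf shares that leaf's primary address (same leaf, same
# encap => same IP); each leaf has its own primary in the shared subnet.
LEAFS = {201: ("10.1.1.2/24", ["eth1/1", "eth1/2"]),
         202: ("10.1.1.3/24", ["eth1/1", "eth1/2"])}

def build_l3out(name: str = "FW-L3out") -> ET.Element:
    out = ET.Element("l3extOut", name=name)
    ET.SubElement(out, "l3extRsEctx", tnFvCtxName=VRF)            # select VRF
    ET.SubElement(out, "l3extRsL3DomAtt", tDn=f"uni/l3dom-{L3DOM}")  # routed domain
    for node, (primary, ports) in LEAFS.items():
        # Node profile: router ID without loopback, static default route to the FW.
        lnodep = ET.SubElement(out, "l3extLNodeP", name=f"node-{node}")
        att = ET.SubElement(lnodep, "l3extRsNodeL3OutAtt",
                            tDn=f"topology/pod-1/node-{node}",
                            rtrId=f"{node}.{node}.{node}.{node}", rtrIdLoopBack="no")
        route = ET.SubElement(att, "ipRouteP", ip="0.0.0.0/0")
        ET.SubElement(route, "ipNexthopP", nhAddr=FW_VIP)
        # Interface profile: SVI paths with primary IP plus the floating secondary.
        lifp = ET.SubElement(lnodep, "l3extLIfP", name=f"svi-{node}")
        for port in ports:
            path = ET.SubElement(lifp, "l3extRsPathL3OutAtt",
                                 tDn=f"topology/pod-1/paths-{node}/pathep-[{port}]",
                                 ifInstT="ext-svi", encap=ENCAP, mode=MODE, addr=primary)
            ET.SubElement(path, "l3extIp", addr=SECONDARY)
    # L3EPG: 0.0.0.0/0 is fine because this L3EPG is not a preferred group member.
    instp = ET.SubElement(out, "l3extInstP", name="FW-L3EPG")
    ET.SubElement(instp, "l3extSubnet", ip="0.0.0.0/0", scope="import-security")
    return out

def l3out_xml() -> str:
    return ET.tostring(build_l3out(), encoding="unicode")

def post_path() -> str:
    # APIC REST path the XML is posted to, under the tenant (assumed name).
    return f"/api/mo/uni/tn-{TENANT}.xml"

def check_addressing() -> bool:
    # Primaries unique per leaf, all in the secondary's subnet, FW next hop on-subnet.
    net = ipaddress.ip_interface(SECONDARY).network
    prims = [ipaddress.ip_interface(p) for p, _ in LEAFS.values()]
    unique = len({p.ip for p in prims}) == len(prims)
    on_net = all(p.network == net and p.ip != net.network_address for p in prims)
    return unique and on_net and ipaddress.ip_address(FW_VIP) in net

if __name__ == "__main__":
    assert check_addressing()
    print(l3out_xml())
```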
Hey, I came across an article on the following link which may help someone who is looking for a solution to similar issues. Good Luck.
https://www.linkedin.com/pulse/l3out-aci-bundle-fws-sharing-same-external-routing-domain-mario-rosi?trk=portfolio_article-card_title
Rajesh
I cannot get Palo to BGP peer with the secondary IP in SVI. BGP peer does not come up.
BGP peer only forms on Side A and/or Side B IPs. Is there a way to BGP peer with secondary IP address?
Thanks very much for this. It was exactly what I needed.