Re: North-South Firewall in ACI

Claudia de Luna · ‎05-15-2022

We are looking at options for a North/South firewall into and out of a single-site ACI Fabric.

The current preferred option is to use an HA Active/Standby firewall cluster in transparent mode with two ACI border leafs (also vPC pair) eBGP peering with two Nexus switches configured in a vPC domain.

- Two 10Gig interfaces to each firewall but all 4 in a vPC in ACI and on Nexus.
- L3Out SVI Each border leaf BGP peers with the Nexus HSRP. Next Hop reachability maintained by using physical interfaces so no additional protocol or static routes are needed.
- In this configuration, 20Gigs into/out of the fabric are guaranteed in the event one of the firewalls in the cluster fails.

1. Wondering if anyone has implemented such a configuration and if so, it you can share any issues found particularly around traffic flows on the "standby" interfaces?
2. Are there other design alternatives that retain the full bandwidth (20Gig) to the active firewall (without using additional firewall interfaces) which you would recommend?

3. Is it possible to use vZany and the L3Out EPG for PBR L2 redirect? Is this even recommended?

Sergiu.Daniluk · ‎05-15-2022

Hi @Claudia de Luna

First of all, very nice diagram!

Second of all, there is a critical flow in this design: one single vPC with both active and standby firewall in it.

I assume if any user traffic is passing through the standby firewall, it will be dropped. If my assumption is correct, then having one single vPC is not good. You should break it into two vPCs - so you'll need to do some re-cabling there as well.

About the point 3, could you give more details about the PBR and how would you like to use it? As far as I can see, for the NS traffic, there is no need for PBR there.

Stay safe,

Sergiu

Claudia de Luna · ‎05-16-2022

Hi @Sergiu.Daniluk
Thank you!
Yes..I was afraid of that. Let me confirm the FWL behavior. So if I understand correctly you are recommending something like this?: