Cisco Cisco Prime Network Services Controller Adaptor for DFA Leaflet

© 2015 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. 
Case 1c: Unified Fabric with Tenant-Edge Firewall, Redundant Connectivity, and Dynamic Routing
All the preceding scenarios used nonredundant, single-attached appliances. When appliances are attached 
redundantly to a fabric, additional configuration may be required, depending on the appliance vendor.  
When dual-attachment of an appliance is required, the recommended approach is to use enhanced virtual 
PortChannel (vPC+) technology with the Link Aggregation Control Protocol (LACP) to maintain the working 
condition of the PortChannel. 
Figure 9 shows a firewall with a two-member PortChannel for each inside and outside interface. Depending on the 
firewall vendor, this setup may not be possible. In those cases in which only two physical ports are available on the 
firewall, you can use one VLAN to represent the inside network and the second VLAN to represent the outside 
network. In either case, autoconfiguration profiles will be deployed in the same way. 
Figure 9.    Attaching the Tenant-Edge Firewall with Redundant Dynamic Routing Using vPC+ 
 
Figure 9 shows the tenant-edge firewall with dynamic routing redundantly attached using vPC+. The deployment 
case is similar to the scenarios described earlier. However, several differences and additional considerations need 
to be noted: 
● Configure vPC+ in the POAP templates of the leaf nodes to which the dual-homed firewall is attached.
● Verify that the vpc peer-gateway command is specified as part of the vPC+ domain configuration. This command is required to support dynamic routing over vPC+.
● The Secondary Gateway IPv4 Address field in the network autoconfiguration profiles for both the inside and outside interfaces must be specified. This field is needed to help ensure that SVIs on both vPC+ peers have unique IP addresses, to establish routing adjacency with the tenant-edge firewall.
● The IP address in the Secondary Gateway IPv4 Address field needs to be in the same subnet as gatewayIpAddress, as shown in Figure 10.
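
The checks in the list above can be run before deployment. The following is an added example, not Cisco code: it looks for peer-gateway inside a leaf's `vpc domain` block and validates the secondary gateway of each profile against gatewayIpAddress. The dictionary keys `prefix_len` and `secondary_gateway` are hypothetical names, and the configuration text and addresses are constructed samples.

```python
import ipaddress
import re

def vpc_domain_has_peer_gateway(config):
    """True if a 'vpc domain' block in the config text contains peer-gateway."""
    in_domain = False
    for line in config.splitlines():
        if re.match(r"vpc domain \d+\s*$", line):
            in_domain = True
        elif in_domain and line[:1].isspace():
            if line.strip() == "peer-gateway":
                return True
        elif line.strip():
            in_domain = False  # next top-level command ends the block
    return False

def check_secondary_gateway(gateway, prefix_len, secondary):
    """Return a list of problems with the Secondary Gateway IPv4 Address."""
    if not secondary:
        return ["Secondary Gateway IPv4 Address is not set"]
    net = ipaddress.ip_interface(f"{gateway}/{prefix_len}").network
    sec = ipaddress.ip_address(secondary)
    if sec not in net:
        return [f"{sec} is outside the gatewayIpAddress subnet {net}"]
    if sec == ipaddress.ip_address(gateway):
        return ["secondary gateway equals gatewayIpAddress, SVIs not unique"]
    if sec in (net.network_address, net.broadcast_address):
        return [f"{sec} is not a usable host address in {net}"]
    return []

def audit(profiles):
    """Map profile name -> problems, for the inside and outside profiles."""
    return {n: check_secondary_gateway(p["gatewayIpAddress"], p["prefix_len"],
                                       p.get("secondary_gateway")) for n, p in profiles.items()}

# Constructed sample data (documentation address ranges, not from the page).
LEAF_CONFIG = """\
vpc domain 10
  fabricpath switch-id 100
  peer-gateway
interface port-channel20
  vpc 20
"""
PROFILES = {  # 'prefix_len' and 'secondary_gateway' are hypothetical key names
    "inside": {"gatewayIpAddress": "198.51.100.1", "prefix_len": 24, "secondary_gateway": "198.51.100.2"},
    "outside": {"gatewayIpAddress": "203.0.113.1", "prefix_len": 24, "secondary_gateway": "198.51.100.3"},
}
if __name__ == "__main__":
    print(vpc_domain_has_peer_gateway(LEAF_CONFIG), audit(PROFILES))
```

In this sample the outside profile is flagged because its secondary gateway was copied from the inside subnet.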