Hi Vincent,
I have read this document and my own scenario is a little bit different. I have two 8320 VSX nodes (single VRF model) connecting to one firewall as the Core. My concern is the OSPF routing between the VSX nodes and the firewall.
In my case, servers have their SVIs on the VSX peers so using the Active-Gateway concept makes sense. Basically, the reason for the firewall is Internet access for the servers.
However, while reading through the document, I noticed that the OSPF p2p routing between the AGG and the Core switches (page 12) was done using Routed Ports (ROP). I am not sure if this should apply in my case.
I was thinking of using an SVI interface on the VSX-peer side since on the firewall side, I assigned an IP address (/30) to a Dot1Q aggregate interface (binding the two physical connections to the VSX peers) for OSPF p2p routing. I guess I am expecting the firewall to see only one OSPF neighbor. I am not sure if what I am thinking is appropriate. I am honestly open to corrections. I just need advice on how best to do the OSPF routing in my own case.
Generally, what I expect is for traffic from the servers (destined for the Internet) to pass through the primary VSX peer to the firewall and vice versa, except in the event that the primary VSX peer fails. Traffic can also pass through the secondary VSX peer via the ISL anyway. I am just trying to avoid asymmetric and/or sub-optimal routing in the end.
I have a diagram attached.
Thanks.