High Availability in Cisco ACI with the Device Package

Firewalls integrated into an ACI fabric support an active-passive high availability (HA) configuration. Any interface can be used for the HA link, including the HA1 and HA2 interfaces, management interfaces, or data interfaces. The dedicated HA1 and HA2 interfaces can either be connected directly between the firewalls for out-of-band HA or use static EPG binding to connect in-band through the ACI switches.
Because virtual firewalls do not have dedicated HA ports, the management port is used as HA1 by default and the HA2 interface must be specified.
HA on physical firewalls can be combined with Link Aggregation/Virtual Port Channel to create redundant links between the firewalls and switches. This protects against a scenario where the active firewall is up but the link to the firewall, or the leaf it connects to, has failed. The firewall then switches to the redundant link and leaf node. Link aggregation supports static aggregation mode only.

