L4-L7 Services Insertion Design and Deployment
Azeem Suleman, Sr. Architect, Insieme Business Unit
BRKACI-1102
• Introduction
• Services Insertion Overview
• Concepts and Terminology
• Design Scenario’s
• Deployment Snapshots
• Conclusion
Agenda
Challenges of Today’s L4-L7 Services Deployment
Router
Router
Switch
Load balancer
Firewall
Firewall
Servers
Configure Network to insert Firewall
Configure Load Balancer Network Parameters
Configure Network to insert Firewall
Configure Network to insert Firewall Configure Firewall Network Parameters
Configure Network to insert Firewall Configure Firewall Rules required by Application
Configure Network to insert Firewall Configure Load Balancer Network Parameter
Configure Network to insert Firewall Configure Router to steer traffic to/from LB
Configure Network to insert Firewall Configure Load Balancer as required by application
Service insertion takes days. Network configuration is time
consuming and error prone.
Difficult to track configuration on services
Goal’s of APIC Service Insertion & AutomationConfigure Network to insert Firewall
Configure Load Balancer Network Parameters
Configure Load Balancer as required by the application
APP DBWEBEXTERNAL
Application profile
PolicyPolicyPolicy
• Manage Physical and Virtual Services seamlessly
• VLAN allocation automation for Services Insertion
• Configure the network to direct traffic through Services device
• Network and Service function parameters on service device
• Ease of removing relevant configuration when re-tiring applications
• Periodic monitoring of device / service health as well as statistics
• Scale out L4-L7 Services based on load
ACI Nomenclature
Service Producers EPG “Users”EPG “Files”
Leaf Nodes
Spine Nodes
EPG “Internet”
AVS
Service Consumers
Services Insertion
WEBEXTERNAL Consumes Web Contract
HTTP: Accept, Service Graph
FW LB
Consumer Provider
• Contract provides a mechanism to add Network Services through associating a Services Graph
• A Services Graph identifies a set of service functions required by an application
• APIC configures service functions on the device like firewall, load balancers
• A device package can uploaded on APIC at run time
• Adding new service support through device package doesn’t require APIC reboot
Services Insertion Integration
1. Network and Service configuration on devices
2. Network configuration (Device Manager / Central Manager used for Service configuration)
3. No configuration on device
Services Insertion ArchitectureDevice Package
Configuration Model (XML File)
Python Scripts
Configuration Model
Device Interface: REST/CLI
APIC Script Interface
Python Scripts
Script Engine
APIC– Policy Manager
Service Device
APIC
• Service functions are added to APIC through device package
• Device Package contains a device model and device python scripts
• Device Model defines Service Function and Configuration
• Device scripts translates APIC API callouts to device specific callouts
• Script can interface with the device using REST, SSH or any mechanism
F5 BIG-IP and BIG-IQ Integration model with APIC
ACI Fabric Virtual Edition Appliance Chassis
BIG-IQ Device Packag
e
Device Packag
e
F5 Device Package Release 1.2 Deployment Model
BIG-IQ Integration with Cisco ACI
1
2
4a
BIG-IQ integration with APIC
1 - BIG-IP expose iApps to BIG-IQ
2 - BIG-IQ create custom device package
3 - Admin import BIG-IQ device package to APIC
4a - APIC sends iApp config to BIG-IQ -> BIG-IP
4b - APIC sends Device config to BIG-IP
BIG-IP integration with APIC
1 - Download device package from F5
2 - Admin import device package to APIC
3 - APIC sends config to BIG-IP directly
downloads.f5.com
3
32
4b
1
F5
Syn
the
sis
Fa
bric
Device Package
F5
Configuration{'state': 1, 'transaction': 0,
'ackedState': 0, 'value': {(5,
'DestinationNetmask',
'Netmask1'): {'state': 1,
'transaction': 0, 'ackedState':
0, 'value': '255.255.255.255'},
(5, 'DestinationPort',
'port1'): {'state': 1,
'transaction': 0, 'ackedState':
0, 'value': '80'
BIG-IQ Device
PackageF5 iApps
Config{'state': 1, 'transaction': 0,
'ackedState': 0, 'value': {(5,
'DestinationNetmask',
'Netmask1'): {'state': 1,
'transaction': 0, 'ackedState':
0, 'value': '255.255.255.255'},
(5, 'DestinationPort',
'port1'): {'state': 1,
'transaction': 0, 'ackedState':
0, 'value': '80'
F5 Device
Config{'state': 1, 'transaction': 0,
'ackedState': 0, 'value': {(5,
'DestinationNetmask',
'Netmask1'): {'state': 1,
'transaction': 0, 'ackedState':
0, 'value': '255.255.255.255'},
(5, 'DestinationPort',
'port1'): {'state': 1,
'transaction': 0, 'ackedState':
0, 'value': '80'
Concepts – Services Graph• Ordered set of network or service functions that are needed by the application.
• Service functions within a graph are automatically provisioned on a service device that is based on application’s requirements.
Function Firewall
Function SSL offload
Function Load Balancer
Terminal Terminal
Firewall parametersPermit ip tcp * dest-ip <vip> dest-port 80Deny ip udp *
Load-Balancer parametersVirtual-ip <vip>Port 80 LB-algorithm: round-robin
SSL paramsIpaddress <vip> port 80
Connectors
Service Graph: “web-application”
Consumer Provider
Concepts – Rendering a Services Graph• APIC picks a logical
device from an Admin specified group of devices.
• Resolves configuration parameters & prepares configuration dictionary
FunctionFirewall
FunctionSSL offload
FunctionLoad Balancer
Service Graph: “web-application”
FirewallFunction SSL offload
FunctionLoad Balancer
Allocate & configure VLAN
EXTERNAL WEB
• Allocates VLANs for each connectors associated with the function
• Provisions the network (VLAN), EPGs and appropriate whitelist entries on leaf(s)
• APIC makes script calls to configuration the service device with appropriate information
Concepts
• Go To (Routed): In this mode packet is addressed to the service device and has specific destination. Represents any device that is Layer 3 (L3) attached.
• Go Through (Transparent / Bridged): In this mode a packet goes through without being addressed to the device, and the endpoints are not aware of the device.
• Device Package: is a zip file that manages a class of service devices and provides the APIC with information about the devices so that APIC knows what the device is and what device can do.
Terminology• Function Profile: Profile contains all the configurable parameters supported
by the device vendor organized into folders
• Terminal Nodes: connects a service graph with the contracts.
• Concrete Device: Represents an actual service device e.g. one Load Balancer or one Firewall
• Logical Device / Device Cluster: Managed through a management IP address that is assigned to the cluster. A cluster of 2 devices that operate in either active / active or active / standby mode for instance
• Logical Device Context: Specifies upon which criteria a specific device in the inventory should be used to render a service graph
• Connections: How traffic is forwarded through the network
Firewall as Transparent (Go Through)
inside interface
VLAN 1001
outside interface
VLAN 1002
VLAN
Translation
SVI 1002
VIP
VLAN 1001
IP: 10.10.10.10
IP: 10.10.10.1• VLAN translation between VLAN 1001 and VLAN
1002
• Default gateway for servers on VLAN 1001
• Defined on next hop router
• VIP defined on SVI 1002
• Hosts are on same ip subnets for inside and outside ports
• Acts as “bump in a wire”
Firewall as Transparent (Go Through)
Client EPG
Server EPG
FW
Graph A 10.0.0.0/24
Tenant A
External Internal
Hardware
Proxy
ARP
Flooding
Unknown
Unicast
Flooding
Unicast
Routing
Subnet (Default
Gateway
Configuration)
Association with
VRF Instance
Client-Side
Bridge
Domain
Yes No No Yes
Yes (default
gateway for
servers)
Yes
Server-Side
Bridge
Domain
No Yes Yes No NoYes (but not
used)
* Silent hosts require flooding on both sides
Firewall as Routed (Go To)
Client EPG
ServerEPG
FW
Graph A10.0.0.0/24 10.0.0.1 20.0.0.1 20.0.0.0/24
Tenant A
External Internal
Hardware
Proxy
ARP
Flooding
Unknown
Unicast
Flooding
Unicast
Routing
Subnet (Default
Gateway
Configuration)
Association with
VRF Instance
Client-Side
Bridge
Domain
No Yes Yes No No Yes
Server-Side
Bridge
Domain
No Yes Yes No NoYes (but not
used)
Load Balancer as One-Arm
Hardware
Proxy
ARP
Flooding
Unknown
Unicast
Flooding
Unicast
Routing
Subnet (Default
Gateway
Configuration)
Association with
VRF Instance
Client-Side
Bridge
Domain
Yes No No Yes
Yes (default
gateway for
servers)
Yes
Server-Side
Bridge
Domain
No Yes Yes Yes NoYes (but not
used)
Client EPG
ServerEPG
Graph A10.0.0.0/24
L3-BD1VLAN - 10
L3 – BD2VLAN - 20
20.0.0.0/24
Tenant A
LB30.0.0.1VIP: 40.1.1.1
L3-BD3VLAN-999
Load Balancer as Two-Arm
Hardware
Proxy
ARP
Flooding
Unknown
Unicast
Flooding
Unicast
Routing
Subnet (Default
Gateway
Configuration)
Association with
VRF Instance
Client-Side
Bridge
Domain
Yes No No Yes
Yes (default
gateway for
servers)
Yes
Server-Side
Bridge
Domain
No Yes Yes * No NoYes (but not
used)
Client EPG
ServerEPG
LB
Graph A10.0.0.0/24 10.0.0.1 20.0.0.1 20.0.0.0/24
Tenant A
External Internal
* If SNAT is done, routing can be enabled and flooding disabled
L4-L7 Design update in B-release (FCS+9)
New Features:
• L4-L7 Route Peering
• Shared Device and Bridge Domain (BD)
• ACI Fabric with IPv6 support
• Dynamic Attach Endpoint
• Device Package support matrix.
Route Peering IPv6 Interface NAT64, NAT46
ASA Yes Yes Yes
Citrix Yes Yes Yes
F5 No No No
L4-L7 Route Peering
• With “fabric as a transit” use case, in which route peering enables the ACI Fabric to serve as a transit OSPF or BGP domain for other points of delivery (PODs).
• A common use case for route peering is RHI (route health injection), in which the server load balancing virtual IP is advertised over dynamic routing protocol e.g. OSPF or iBGP to clients that are outside of the ACI Fabric.
• Route peering is used to configure OSPF or BGP peering on a Layer4 to Layer 7 service device so that the device can peer and exchange routes with the ACI leaf node to which it is connected.
RHI (Route Health Injection)
• RHI feature allows ADCs (LB) to advertise the availability of VIPs to other routers.
• Inject / Remote VIP host routes based on server and application health.
Clients Servers
OSPF/BGP neighbor
Inject / Remote VIP host routes depends on availability of VIP.
External
WAN
OSPF/BGP
Redistribute VIP host routes
into External WAN
Service
Node
OSPF/BGPVIP
Inject / Remote VIP host routes
depends on availability of VIP.
L4-L7 Route Peering with ASA
EPGWeb
ext int
VRF2
10.10.10.200/24
VRF1
30.30.30.0/2440.40.40.0/24
Loopback
200.200.200.200
Source: 20.20.20.200/24
Destination: 10.10.10.200/24
Need to know
10.10.10.0/24 route
10.10.10.0/24
Need to know
20.20.20.0/24 route
20.20.20.0/24
.254.203.101.101
.201
20.20.20.203/24
Loopback
200.200.200.200
10.10.10.200/24
L4-L7 Route Peering with Citrix
EPGWeb
ext int
VRF2
10.10.10.200/24
VRF1
30.30.30.0/2440.40.40.0/24
Loopback
200.200.200.200
Source: 20.20.20.200/24
Destination: 40.40.40.100 (VIP)
10.10.10.0/2420.20.20.0/24
.254.203
.101.101
.201VIP: 100
Source: 30.30.30.101/24
Destination: 10.10.10.200
20.20.20.203/24
Loopback
200.200.200.200
10.10.10.200/24
Shared Device and Bridge Domain
Contract
(Service Graph A)
ProvideConsume
EPGProvider
10.10.10.10/24
EPGConsumer
Contract
(Service Graph B)
Provide EPGProvider
20.20.20.0/24
30.30.30.0/24
.1
.1Tenant B
tn-common / tn-mgmt
Tenant A
EPGConsumer
10.10.10.10/24 20.20.20.0/24
30.30.30.0/24
.1
.1
10.10.10.1
EPGProvider
EPGProvider
VLAN 10
VLAN 20
VLAN 30
Share same concrete device
in tn-common/tn-mgmt by
multiple tenant.
.1 *BDs have to be in tn-common
Dynamic Attach Endpoint
• APIC provides endpoint notification to the script through API callouts. This will help dynamically detect new endpoint, then the endpoint is automatically added to the pool member of VIP
EPGConsumer
EPGProvider
20.20.20.1
VIP: 10.10.10.200
20.20.20.100/2410.10.10.100/24
Web-Pool
20.20.20.2
New
20.20.20.3
New
IPv6 Support• In B-release, ACI Fabric supports IPv6
• ASA and Citrix Device Package support IPv6 interface and NAT64/NAT46.
• Tested Scenario:
• NAT64 and NAT46
• ASA: 1:1 Static NAT only
Consumer
V6 V4
FW ADC
NAT64
on ADCProvider
Consumer
V6
FW ADC
IPv6
only Provider
IPv6 Support (Cont.)
Consumer Provider
V6 V4
FW ADC
NAT64
on FW
Consumer
V4 V6
FW ADC
NAT46
on ADC Provider
Consumer
V4 V6
FW ADC
NAT46
on FWProvider
Physical Topology
1/4
Node: 104 (leaf 1)Node: 105 (leaf 2) Node: 106 (leaf 3)
1/201/10
10/1 10/2Gig 1/17
1/06
Gig 1/18
C1
Client Server VMs
ESXi
UCS220
Firewall
Load BalancerASA 5585-20
1/5
UCS220
Web Server VMs
10.0.0.3
Node: 107 (leaf 4)
w1
10.0.0.4
1/45
30.0.0.3 30.0.0.4
w2C2
Desired Network Topology
c110.0.0.3
10.0.0.4
w1 20.0.0.3
20.0.0.4
FirewallLoad
Balancer
10.0.0.0/24 30.0.0.0/2420.0.0.0/28
VIP: 40.0.0.1
RouterRouter
VRF 2VRF 1
w2c2
Policy and Graph Configuration
Client
EPGWeb
EPG
Contract: web
subject: http
filter: match http(80) action allow
graph: webGraph
subject: icmp
Filter match proto: icmp action allow
ProviderConsumer
FW LB
External
ConnectorGo-To Go-To
VIP: 40.0.0.1
Internal
ConnectorExternal
Connector
Internal
Connector
20.0.0.0/28
20.0.0.2/28 20.0.0.3/28
BD1 BD2BD3
VRF1
Subnet 20.0.0.1/28Subnet: 10.0.0.1/24
Subnet 30.0.0.1/24
webGraph
10.0.0.2/2430.0.0.2/24
VLAN 3000VLAN 2000
Service Graph: Dynamically provisioned EPGs
Client
EPG
Web
EPG
FW LB
External
Connector
Go-To Go-To
VIP: 40.0.0.1
Internal
Connector
External
Connector
Internal
Connector
20.0.0.0/28
20.0.0.2/28 20.0.0.3/28
BD1 BD2BD3
VRF2
Subnet 20.0.0.1/28Subnet: 10.0.0.1/24
Subnet 30.0.0.1/24
webGraph
10.0.0.2/24 30.0.0.2/24
FW
EPG
Ext
FW
EPG
Int
LB EPG
Ext
LB EPG
Int
APIC dynamically creates EPGs for each connector and allocates VLAN encap
VLAN 3000VLAN 2000
VLAN 1500 VLAN 1501 VLAN 1601 VLAN 1602
VRF1
Contract Enforcement
• Contract: web, subject: http is enforced between EPG1 and dynamically created EPG FW Ext
• No contract is enforced after service device – All traffic is permitted betweeno Dynamically created EPG FW Int and dynamically created LB EPG Ext
o Dynamically created EPG LB Int and EGP2
Client
EPG Web
EPG
BD1 BD2BD3
VRF1
Subnet 20.0.0.1/28
Subnet: 10.0.0.1/24 Subnet 30.0.0.1/24
FW
EPG
Ext
FW
EPG
Int
LB EPG
Ext
LB EPG
Int
VLAN 3000VLAN 2000
Contract: web
subject: http
filter: match http(80) action allow
Contract: web
subject: icmp
filter: match proto icmp action allow
VRF2
Device and Interface Selection
LB
Node
ProviderConsumer
Connector: External Connector: Internal
LIF Outside LIF Inside
Device Cluster: NS_cluster_1
LB-1
LB-2
10/2 10/2
WebGraph
Device Selection logic:
<vnsLDevCtx ctrctNameOrLbl="web graphNameOrLbl=“webGraph" nodeNameOrLbl=“FW">
<vnsRsLDevCtxToLDev tDn="uni/tn-Tenant1/lDevVip-FWCluster1"/>
</vnsLDevCtx>
Map Connector to Logical Interface:
<vnsLIfCtx connNameOrLbl=“Internal">
<fvSubnet ip=“20.0.0.1/24"/>
<vnsRsLIfCtxToLIf tDn="uni/tn-Tenant1/lDevVip-FWCluster1/lIf-internal"/>
</vnsLIfCtx>
<vnsLIfCtx connNameOrLbl=“External">
<fvSubnet ip="10.0.0.1/24" />
<vnsRsLIfCtxToLIf tDn="uni/tn-Tenant1/lDevVip-FWCluster1/lIf-external"/>
</vnsLIfCtx>
Map Logical Interface to device physical interface:
<vnsLDevVip name=“FWCluster1">
<vnsLIf name=“Internal">
<vnsRsMetaIf tDn="uni/infra/mDev-CISCO-ASA-1.0/mIfLbl-Internal"/>
<vnsRsCIfAtt tDn="uni/tn-Tenant1/lDevVip-FWCluster1/cDev-FW1/cIf-[gig1/0]"/>
</vnsLIf>
<vnsLIf name=“External">
<vnsRsMetaIf tDn="uni/infra/mDev-CISCO-ASA-1.0/mIfLbl-External"/>
<vnsRsCIfAtt tDn="uni/tn-Tenant1/lDevVip-FWCluster1/cDev-FW1/cIf-[gig1/1]"/>
</vnsLIf>
</vnsLDevVip>
EPG Configuration on Leaf Nodes webGraph
ADC1FW1
FW
EPG
Ext
FW
EPG
Int
LB
EPG
Ext
LB
EPG
Int
Gig 1/1 Gig 1/0 1/1 1/0
10.0.0.2/24
30.0.0.2/24
20.0.0.3/28
20.0.0.2/28
VLAN 1500 VLAN 1501VLAN 1601 VLAN 1602
VIP: 40.0.0.1
ADC1FW1
FW LB
External
ConnectorGo-To Go-To
VIP: 40.0.0.1
Internal
ConnectorExternal
Connector
Internal
Connector
20.0.0.0/28
20.0.0.2/28 20.0.0.3/2810.0.0.2/2430.0.0.2/24
Client
EPG
Web
EPG
Node: 104 (leaf 1)Node: 105 (leaf 2) Node: 106 (leaf 3)
Node: 107 (leaf 4)
VIP: 40.0.0.1
Data Path configuration on leaf Node 1BD, S_Class derivation:
Vlan 3000: s_class = Client EPG, BD1, VRF1
L2 Table:<BD1, FW_MAC> : NH: Leaf 2 VTEP, D_class: FW_ext
<BD1, Client 1>: NH: 1/1, D_class: Client EPG
<BD1, Client 2>: NH: 1/2, D_class: Client EPG
L3 Table:<vrf1, 10.0.0.3/32>: NH: Client 1 MAC, 1/1, d_class: FW_ext
<vrf1, 10.0.0.4/32>: NH: Client 2 MAC, 1/2, d_class: FW_ext
<vrf1, 10.0.0.2/32>: NH: FW1 MAC, Leaf 2 VTEP, d_class: FW_ext
<vrf1, 20.0.0.0/28>: NH: FW1 MAC, Leaf 2 VTEP, d_class: FW_ext
<vrf1, 40.0.0.1/32>: NH: FW1 MAC, Leaf 2 VTEP, d_Class: FW_ext
Policy: s_class: Client EPG, d_class: FW_ext, http : permit
s_class: Client EPG, d_class: Web EPG, icmp: permit
Data Path configuration on leaf Node 2BD, S_Class derivation:
VLAN 1500: s_class: FW_ext, BD 2, VRF 1
VLAN 1501: s_class: FW_int, BD 3, VRF 2
L2 Table:<BD1, FW MAC> : NH: 1/10, d_class: FW_ext
<BD3, FW MAC> : NH: 1/20, d_class: FW_int
<BD2, LB_MAC> : NH: Leaf 3 VTEP, d_class: LB_ext
L3 Table:<vrf1, 10.0.0.2/32>: NH: FW1 MAC, 1/10, d_class: FW_ext
<vrf1, 10.0.0.3/32>: NH: FW1 MAC, Leaf 1 VTEP, d_class: Client EPG
<vrf1, 10.0.0.4/32>: NH: FW1 MAC, Leaf 1 VTEP, d_class: Client EPG
<vrf1, 20.0.0.0/28>: NH: FW1 MAC, 1/10, d_class: FW_ext
<vrf1, 40.0.0.1/32>: NH: FW1 MAC, 1/10, d_class: FW_ext
<vrf2, 10.0.0.0/24>: NH: FW1 MAC, Leaf 1 VTEP, d_class: FW_ext
<vrf2, 20.0.0.2/32>: NH: FW1 MAC, 1/20, d_class: FW_int
<vrf2, 20.0.0.3/32>: NH: LB MAC, Leaf 3 VTEP, d_class: LB_ext
<vrf2, 40.0.0.1/32>: NH: LB MAC, leaf 3 VTEP, d_Class: LB_ext
<vrf2, 30.0.0.2/24>: NH: LB MAC, Leaf 3 VTEP, d_class: LB_ext
Policy: s_class: Client EPG, d_class: FW_ext, http : permit
s_class: FW_int, d_class: LB_ext, * : permit
Data Path configuration on leaf Node 3BD, S_Class derivation:
VLAN 1601: s_class: LB_ext, BD 2, VRF 2
VLAN 1602: s_class: LB_int, BD 3, VRF 2
L2 Table:<BD2, FW_MAC> : NH: Leaf 2 VTEP, d_class: FW_int
<BD2, LB_MAC> : NH: 1/30, d_class: LB_ext
<BD3, LB_MAC> : NH: 1/40, d_class: LB_int
L3 Table:<vrf2, 10.0.0.0/24>: NH: FW1 MAC, Leaf 2 VTEP, d_class: FW_ext
<vrf2, 20.0.0.2/32>: NH: FW1 MAC, Leaf 2 VTEP, d_class: FW_int
<vrf2, 20.0.0.3/32>: NH: LB MAC, 1/30, d_class: LB_ext
<vrf2, 40.0.0.1/32>: NH: LB MAC, 1/30, d_Class: LB_ext
<vrf2, 30.0.0.2/32>: NH: LB MAC, 1/40, d_class: LB_int
<vrf2, 30.0.0.3/32>: NH: LB MAC, Leaf 4 VTEP, d_class: Web EPG
<vrf2, 30.0.0.4/32>: NH: LB MAC, Leaf 4 VTEP, d_class: Web EPG
Policy: s_class: FW_int, d_class: LB_ext, * : permit
s_class: LB_int, d_class: Web EPG, * : permit
Data Path configuration on leaf Node 4
BD, S_Class derivation: VLAN 2000: s_class: Web EPG, BD 3, VRF 2
L2 Table:<BD2, LB_MAC> : NH: Leaf 3 VTEP, d_class: LB_int
<BD3, Web 1> : NH: 1/40, d_class: Web EPG
<BD3, Web 2> : NH: 1/41, d_class: Web EPG
L3 Table:<vrf2, 10.0.0.0/24>: NH: FW1 MAC, Leaf 2 VTEP, d_class: FW_ext
<vrf2, 20.0.0.2/32>: NH: FW1 MAC, Leaf 2 VTEP, d_class: FW_int
<vrf2, 20.0.0.3/32>: NH: LB MAC, Leaf 3 VTEP, d_class: LB_int
<vrf2, 30.0.0.4/32>: NH: LB MAC, 1/30, d_class: Web EPG
<vrf2, 30.0.0.3/32>: NH: LB MAC, 1/30, d_Class: Web EPG
<vrf2, 30.0.0.2/24>: NH: LB MAC, Leaf 3 VTEP, d_class: LB_int
Policy: s_class: LB_int, d_class: Web EPG, * : permit
s_class: Client EPG, d_class: Web EPG, ICMP : permit
Cisco ACI Architecture
Active Standby
External / Internal
External / Internal
1-ARM topology + HA pair
Active Standby
External
2-ARM topology + HA pair
Internal ExternalInternal
BIG-IP connects to any Leaf in ACI topology independent of Leaf
location
Services Insertion Configuration Wizard
Create L4-L7 Service Graph Template
Create L4-L7 Service Devices
Apply L4-L7 Service Graph Template to EPGs
Three step process and each can be re-used
1
2
3
Create a L4-7 Service Devices – Single Device
Name of the device
Specify Device Package to manage this Cluster
Model of the device
Login Credentials to manage the device and connectivity information
Policy domain
Device Management IP Address and port
Create a L4-7 Service Devices – Device Package
List of device package that APIC has will be shown here
Create a L4-7 Service Devices – Model (Citrix)
Single device or cluster / HA
Associated interfaces on the device to interface labels
Create a L4-7 Service Graph Template
Templates gives you option to
choose simple Service Graph
based on your requirement
Create a L4-7 Service Graph Template – Single Node ADC
Device Package gives you an
option that you want to use for
the particular Services Graph
Profile will give the service
graph all the parameters that is
needed. E.g. SSL
Users can also customize the
profile. You can click on profile
to see what parameters are
available.
Apply L4-L7 Service Graph Template to EPGs
EPG and Service Graph
Template
If you uncheck “Allow All
Traffic” i.e. IP Any any or you
can create your own specific
filter entries
L4-L7 Route Peering with ASA (Physical)
Configure VRF, Bridge Domain, EPG and Service Graph as usual
1. Make sure Adjacency type is L3.
2. Create static VLAN pool and External Routed Domain
3. Create Route Tag Policy
4. Create L3Out
5. Change Devices Selection Policies setting
Step2: Create static VLAN pool & External Routed Domain
• Create a static VLAN pool that will be used for the encap VLAN between L4-L7 device and fabric
Step3: Create Route Tag Policy
• Every context (VRF) used by route peering needs a unique route tag to avoid OSPF loops.
Step4: Create L3Out – ASA External
Create L3Out for routing
between Leaf and L4-L7 device.
Set External Routed Domain which
contains VLAN Pool for encap ID
between Leaf and L4-L7 device.
Step4: Create L3Out – ASA Internal
Create L3Out for routing
between Leaf and L4-L7 device.
Set External Routed Domain which
contains VLAN Pool for encap ID
between Leaf and L4-L7 device.
L4-L7 Route Peering with Citrix (Virtual)
Configure VRF, Bridge Domain, EPG and Service Graph as usual
1. Make sure Adjacency type is L3.
2. Create static VLAN pool and External Routed Domain
3. Create Route Tag Policy
4. Create L3Out
5. Change Devices Selection Policies setting
Shared Device and Bridge Domain
EPGConsumer
• Server A needs to connect provider EPGs in multiple tenants via ASA, but customer don’t want to deploy FW/ASA context per tenant.
EPGProvider
EPGProvider
Tenant B
Tenant A20.20.20.100/24
30.30.30.100/24
Source: A
Destination: 20.20.20.100
Server A
Source: A
Destination: 30.30.30.100
10.10.10.1
20.20.20.1
30.30.30.1
*We can use this feature not only with ASA, but also other service appliances(F5, Citrix)
Steps
1. Create BDs in tn-common
2. Create concrete device in tn-common
3. Create Contract with Global scope in user tenant
4. Create Service Graph in user tenant
5. Device Selection Policy in user tenant
6. Deploy Service Graph in user tenant
Step1: Create Bridge Domain in Tenant Common
EPGConsumer
.1
.1
10.10.10.1
EPGProvider
EPGProvider
Common-BD3Common-BD1
Common-BD2
Step2: Create Concrete Device in Tenant Common
Physical domain with
dynamic VLAN pool
ASA5585 user
context mgmt IP
ASA5585 system
context mgmt IP
Step3: Create Contract with Global Scope in User Tenant
Scope: Global Export to tenant including
consumer EPG
Step5: Device Selection Policy in User Tenant
Select concrete
device in tn-common
Select BD in tn-common
Step5: Device Selection Policy in User Tenant (Cont.)
Select BD in tn-common
Select same BD for
external side.
Deployed Graph Instance in User Tenant
Encap of external
connector is same.Encap for external
connector is same.
Deployed Devices in Tenant Common
Deployed Device is showed up
in tn-common, not user tenant
EPGConsumer
10.10.10.10/24 20.20.20.0/24
30.30.30.0/24
.1
.1
10.10.10.1
EPGProvider
EPGProvider
VLAN 624
VLAN 625
VLAN 618
ASA Configuration
ciscoasa/mihiguch-common# show run
<snip>
interface GigabitEthernet0/2.618
nameif externalIf-T1
security-level 0
ip address 10.10.10.1 255.255.255.0
!
interface GigabitEthernet0/2.624
nameif internalIf-T1
security-level 100
ip address 20.20.20.1 255.255.255.0
!
interface GigabitEthernet0/2.625
nameif internalIf-T2
security-level 100
ip address 30.30.30.1 255.255.255.0
### ASA5585 system context ###
ciscoasa# show run context mihiguch-common
context mihiguch-common
allocate-interface GigabitEthernet0/2.618
allocate-interface GigabitEthernet0/2.624-GigabitEthernet0/2.625
allocate-interface Management0/0
config-url disk0:/mihiguch-common.cfg
APIC add allocate-interface
configuration with dynamically
assigned VLAN from VLAN pool
EPGConsumer
10.10.10.10/24 20.20.20.0/24
30.30.30.0/24
.1
.1
10.10.10.1
EPGProvider
EPGProvider
VLAN 624
VLAN 625
VLAN 618
Dynamic Attach Endpoint - Configuration
• Check “Attachment Notification” on Function Connector under Service Graph template
APIC debug.log
• Locate the APIC that contains the shard configuring the BIG-IP, then go to the following location
admin@apic1:~> cd /data/devicescript/F5.BIGIP.1.0.0/logs
• You will see debug.log and periodic.log
admin@apic1:logs> ls –all
• You can “tail –f debug.log” to monitor the process
References
• F5 BIG-IP: Workload Migration from Traditional Networks to Cisco ACI http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-
infrastructure/guide-c07-733816.pdf
• F5 and Cisco ACI: Solution Profilehttp://www.f5.com/pdf/solution-profiles/cisco-aci-f5-synthesis-solution-profile.pdf
• Cisco ACI Whitepapershttp://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/white-
paper-listing.html
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
• Your favorite speaker’s Twitter handle azeem_suleman
• Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could Be a Winner
Complete Your Online Session Evaluation
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
• Give us your feedback to be entered into a Daily Survey Drawing. A daily winner will receive a $750 Amazon gift card.
• Complete your session surveys though the Cisco Live mobile app or your computer on Cisco Live Connect.
Continue Your Education
• Demos in the Cisco campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings
• Related sessions