ACI F5 Integration

Cisco APIC ( ACI) Integration with F5
This document is belong to yunan haris . 1

Spine
1/2 1/1
ACI Fabric
1/48 2/1 2/1
Leaf 1 Leaf 2
1/5-6
10G Settings, 2/1 2/3 40G Interfaces

LLDP, CDP Enabled 10G Interfaces
F5-5050
1G Interfaces
vNIC connection
2
F5 BigIP Integration
Step 1: Deploy F5 BigIP Appliance
The internal and external interfaces on the BIG-
IP system are connected to leaf nodes in the ACI
architecture. Items such as web servers,
database engines, and application tiers are also
connected to leaf nodes. Spine nodes handle the
routing between the BIG-IP system and the
various other end points necessary to deliver an
application service.
The management port of the BIG-IP system is
connected out-of-band to a switch outside of the
ACI architecture (not shown in the diagram) to
provide management access.
This diagram is not meant to illustrate all possible
architectures but rather communicate a typical
architecture showing where the BIG-IP system
fits into the Cisco ACI architecture.
This document is belong to yunan haris .

Cisco Confidential 3
Step 2: F5 BigIP Appliance Basic Setup • SSH to Appliance
• Using default credential to log

into the appliance:
root/default.
• Type config and press
Enter. The F5 Management
Port Setup screen appears.
• Click OK.
This document is belong to yunan haris . Cisco Confidential 4

Step 2: F5 BigIP Appliance Basic Setup • If you want DHCP to
automatically assign an
address for the management
port, select Yes. Otherwise,
select No and follow the
instructions for manually
assigning an IP address and
netmask for the management
port.
• Click OK to configure the
OOB IP and Subnet Mask
© 2014 Cisco and/or its affiliates. All rights reserved.
Step 2: F5 BigIP Appliance Basic Setup
• We will need to define the default

gateway
• Click Yes and Save the config
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
Prepare the Environment for L4-L7
• F5 BIG-IP LTM can be deployed only in Go-to mode in Cisco APIC, where F5 BIG-IP serves as
a default gateway to all traffic in both one-arm and two-arm modes. In two-arm mode, either two
interfaces are used for the input and output flow of traffic, or single interface can be used with
separate VLANs indicating the input and output flow
• The target topology and the logical ACI Topology are as below:
Outside
Client 10.122.231.111
EPGout Bridge Domain BD1

10.100.1.1/24
Bridge Domain BD2
10.122.231.1/24 ExtVRF
ICMP_Contract EPGin
10.122.231.90 10.100.1.90
External Internal ASEAN_Tenant
10.122.231.91 10.100.1.100
F5 BigIP in Two-arm
This document is belong to yunan haris . VM Servers (10.100.1.50- 7
tes. All rights reserved. Mode
52)
VIP: 10.122.231.100
F5 BigIP Application view
ASEAN_Tenant
ANP_L47
EPGin
ICMP_Contract
EPG_OUT

F5 BigIP Networking View – ASEAN_Tenant
ASEAN_Tenant Customer/Tenant
Ext_VRF VRF
BD 1 – L47 BD 2 – L47 L2 Boundary
10.100.1.1/24 10.122.231.1/24 IP Space
Application
EPGin EPGout Network
Profiles
10.100.1.90
10.122.231.90
Inside
Outside
F5 BigIP
VIP: 10.122.231.100 9
Step 3: Device Package Upload
To download the F5 BIG-IP Device Package for Cisco APIC
1. Go to http://bock-bock.cisco.com/wiki/AS_ACI:l4l7 to download or from F5 as below
2. Open a web browser and go to https://downloads.f5.com.
3. Use your credentials to login. If you do not have an account, click Register for an
Account to create one.
4. After successfully logging in, click Find a Download.
5. In the Third-Party-Integrations row, click Cisco APIC.
6. From the Product Version list, select a version. Remember this must be 11.4.1 or
later.
7. Read and accept the End User License Agreement.
8. Click the README file to familiarize yourself with the files available.
9. Click F5-BIG-IP-Device-Package-for-Cisco-APIC.zip to download the F5 BIG-IP
Device Package for Cisco APIC file. Save the file to a location accessible from the
Cisco APIC user interface. We recommend you also download and read the
associated documentation. 10
L4-7 Services >Packages >L4-7 Service Device Types >Actions >Import

Device Package
11
After a successful import, you should see the following screen which indicate the
device package has imported into the APIC
12

Cisc
[L4-L7 SERVICES] – [PACKAGES]
Cisco APIC can support multiple versions of the F5 BIG-

IP Device Package. For example, a newer version may
be installed to take advantage of new functionality
without disrupting Service Graphs deployed with an
older version.
It has been defined in the Device Package

These Functions can be performed via the
APIC 13
Step 4: Application Network Profile Creation
Right click to
add Network
(VRF) Name: Ext_VRF
Check to “Create A Bridge

Domain” under this Network

Next, we will create 2 BD as below:
1. BD1: ASEAN_Tenant
• Name: BD1_L47
• Network: Ext_VRF (as created above) Ext_VRF
• Subnet: 10.100.1.1/24
• All others: Default values.
1. BD2: BD 1 – L47 BD 2 – L47
• Name: BD2_L47
10.100.1.1/24 10.122.231.1/24
• Network: Ext_VRF (as created above)
• Subnet: 10.122.231.1/24
• All others: Default values
EPGin EPGout
10.100.1.90
10.122.231.90
Inside
Outside
F5 BigIP
VIP: 10.122.231.100
Step 4: Application Network Profile Creation - TBD
Name: BD1_L47
Click + to add Subnet inside BD1

Gateway Address: 10.100.1.1/24
Repeat to create BD2
Name: BD2_L47
Click + to add Subnet inside BD1

Gateway Address:
10.122.231.1/24
ASEAN_Tenant
Next, we will create 2 EPGs as below:
1. EPG_IN:
• Name: EPG_IN Ext_VRF
• Bridge Domain: BD1_L47
• Domain: VMM vCenter Domain BD 2 – L47
BD 1 – L47
2. EPG_OUT:
• Name: EPG_OUT 10.100.1.1/24 10.122.231.1/24
• Bridge Domain: BD2_L47
• Domain: VMM vCenter Domain
EPGin EPGout
10.100.1.90
10.122.231.90
Inside
Outside
F5 BigIP
VIP: 10.122.231.100
18
Step 4: Application Network Profile Creation - TBD
Right-Click to create
another ANP inside Name: L47_App
ASEAN_Tenant
Click “+” to add

EPG
Name: EPGin
Bridge Domain:
BD1_L47
Domains: VMM
20

Name: EPGout
Bridge Domain:
BD2_L47
Domains: VMM
21

Port groups equivalent with EPGs on

APIC will be created on vCenter
(Name Rule: Tenant|ANP|EPG
22
 Attach the “client” VM10 to epg_out

 Set IP address, for the secondary NIC, to
one in the Subnet configured for BD2_L47,
e.g. 10.122.231.111
 Set default route for the VM to gateway for
the subnet, e.g. 10.122.231.1
 Attach the some servers VMs (VM1-3) to

epg_in
 Set IP address, for the secondary NIC, to Choose the Port Group to
one in the Subnet configured for BD2_L47, plug the VM into EPGout for
e.g. 10.100.1.50-52 client and EPGin for server
 Set default route for the VM to gateway for

the subnet, e.g. 10.100.1.1

 From client (VM10) and servers (VM1-3), we can ping to
the default gateway. But we still can not ping the VIP.
 We need to configure the F5 to allow this load balancing
communication.
 The next step is to create the contract. We have two EPGs. They are bound
by a contract which consists of a simple subject and a common/icmp filter. We
can use the previous created ICMP contract.

/or its affiliates. All rights reserved.
 TENANTS > Select ASEAN_Tenant > Application Profiles
> L47_App > Application EPGs > EPGin
Add provided contract into EPGin with

created ICMP
Right-Click to
“Add Provided
Contract”
 TENANTS > Select ASEAN_Tenant > Application Profiles
> L47_App > Application EPGs > EPGout
Right-Click to
“Add Consumed
Contract”
Add consumed contract into EPGout

with created ICMP
 TENANTS > Select ASEAN_Tenant > Application Profiles > L47App>
Application EPGs
view the graph showing the contract

associated between the EPGin and
EPGout
28
Step 5: Device Cluster Creation
• We can create the device cluster next (although, the order in which the service graphs and device clusters are created doesn’t matter).
• For L4-L7 automation, a device cluster should be created. The device cluster configuration is required for even a single device. As there is a single device, we
configure the Cluster with the same configuration as the single device.
• To create a device cluster: TENANTS > Select ASEAN_Tenant > L4L7 Services > L4-L7 Devices. We assume that the appliance is configured for
management access through HTTPS, and the Virtual IP Address is the F5 management IP address. The password is the one configured earlier on the F5
(“C1sco12345”).
• Select the device package to be used and provide the necessary information in the dialog box.
• Create two logical interfaces (internal and external) and map them to the corresponding internal and external interfaces that the device package makes
Right Click to create L4-L7 Device

Step 5: Device Cluster Creation Name: F5
Device Package: choose latest
Model: BIG-IP-GENERIC
Mode: Single Node
As this is the Appliance, so we
need to add the physical domain
and connecting with APIC
through OOB.
Add Credential.
Add Mgmt IP and physical
interface for internal and
External interface.
Important: The format of this
name is critical, as it must map
to the physical interfaces on the
Click Next and exit the BIG-IP system. In APIC, the
concrete device wizard, format is x_y; in the BIG-IP
leaving the Parameters system, the interface format is
fields untouched. x.y. Thus, 1_1 in APIC
corresponds to interface 1.1 on
the BIG-IP system; 1_2 in APIC
corresponds to 1.2 on the BIG-
IP system, and so on
30

Step 5: Device Cluster Creation
• Click Next and exit the concrete device wizard, leaving the
Parameters fields untouched. These fields are required
when we have more than one device in the device cluster.
• Click Finish after leaving the device cluster parameters also

Step 6: Service Graph Creation
• TENANTS > Select ASEAN_Tenant > L4-L7 Services
> L4-L7 Service Graphs Template > Create L4-L7 Service Graph Template
Right click to create Service Graph
Name: F5_LB
Type: Single Node – ADC in Two-
Arm Mode
Device Function: depends on
device package
Profile: create Function Profile Cisco Confidential 32

Unchecked to configure
new profile Parameters
Step 7: Function Parameters
configuration
 We will create a normal service graph to load balancing from VIP to 3 VM servers.
 Configuration Parameters:
 Function Type: GoTo
 To configure the table of values, expand the Folders, and to set the values, double click the row. Be sure to
update after each entry. Please note the values in bold match the names in bold.
 Note: there must have any “-” between the Name of Function/Param. If there is, the firewall still allow
to pass the parameter through, but don’t apply, and the deployment will be failed.
37
Step 7: Function Parameters configuration
 TENANTS > ASEAN_Tenant > L4-L7 Services > Function Profile > F5_Func_Prof/F5_LB_Func
 Please note that for each parameter being configured, all the parent folders need to be configured with a
name. In addition, if a folder has been configured, then all the mandatory parameters in that folder are
required to be configured.
/or its affiliates. All rights reserved. Cisco Confidential 38

39
sco and/or its affiliates. All rights reserved.

Cisc
The listener portion of the

F5 configuration is for the
virtual IP address (VIP)
that traffic will be destined
to. This is the IP address
that resolves to the name
of something like
www.cisco.com. The load
balancer then takes that
and routes to it's different
hosts behind it.
Step 7: Apply Service Graph into Contract
• The next step we need to take is
to map together the service
graph, node names (defined in
the service graphs), contract on
which the service insertion is
required as well as mapping the
logical connectors with the bridge
domains and the logical
interfaces created in the previous
steps.
• Under the L4-L7 services folder,
right click the Device Cluster
Selection Policies node and
launch the “Create Logical
Device Context” dialog (shown
below). We have mapped
together various elements based
on our design discussion earlier.
Step 7: Apply Service Graph into Contract
• The only thing left now to do is to attach the service graph created to the contract subject. Expand security policies under the
tenant and browse to the subject under the contract for which service insertion is required. Select the appropriate service graph
and click submit.
• This will deploy the service graph as well as configure the device with the parameters provided during service graph creation.
43
ts affiliates. All rights reserved.
Step 8: Verification
46
• Verify that the endpoints show up as Client end-points in the UI.
• Also, click deployed device clusters and select the device cluster deployed. Check the encapsulation VLANs
47
Cisco and/or its affiliates. All rights reserved.
• Verifying configuration on F5:
• Check if a partition is created
• Switch to the partition corresponding
to the Service Graph (a partition is
assigned to a Tenant with a Service
graph on F5)
• Verifying configuration on F5:
• Check the route domain list if the new one is created
49

ACI F5 Integration

Uploaded by

Copyright:

Available Formats

ACI F5 Integration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

ACI F5 Integration

Uploaded by

Copyright:

Available Formats

Cisco APIC ( ACI) Integration with F5

This document is belong to yunan haris . 1

10G Settings, 2/1 2/3 40G Interfaces

This document is belong to yunan haris .

• Using default credential to log

This document is belong to yunan haris . Cisco Confidential 4

• We will need to define the default

EPGout Bridge Domain BD1

This document is belong to yunan haris . 8

BD 1 – L47 BD 2 – L47 L2 Boundary

10.100.1.1/24 10.122.231.1/24 IP Space

L4-7 Services >Packages >L4-7 Service Device Types >Actions >Import

© 2014 Cisco and/or its affiliates. All rights reserved.

Cisco APIC can support multiple versions of the F5 BIG-

It has been defined in the Device Package

Check to “Create A Bridge

This document is belong to yunan haris .

Click + to add Subnet inside BD1

Click + to add Subnet inside BD1

Click “+” to add

© 2014 Cisco and/or its affiliates. All rights reserved.

© 2014 Cisco and/or its affiliates. All rights reserved.

Port groups equivalent with EPGs on

 Attach the “client” VM10 to epg_out

 Attach the some servers VMs (VM1-3) to

 Set default route for the VM to gateway for

This document is belong to yunan haris .

This document is belong to yunan haris . 25

Add provided contract into EPGin with

Add consumed contract into EPGout

view the graph showing the contract

Right Click to create L4-L7 Device

© 2014 Cisco and/or its affiliates. All rights reserved.

• Click Finish after leaving the device cluster parameters also

This document is belong to yunan haris . 31

Right click to create Service Graph

This document is belong to yunan haris .

/or its affiliates. All rights reserved. Cisco Confidential 38

sco and/or its affiliates. All rights reserved.

The listener portion of the

You might also like