Solved: Re: ACI - l3 Out to Virtual F5

darreng · ‎01-07-2018

Originally posted to Application Networking Forum - Reposting Here:

--//--

Could someone give me a steer please.

I have a virtual F5 load balancer (VMM Domain is VMware). The VMM Domain is connected to my ACI and working for a number of VM's / Apps (excluding F5).

Having installed the F5 VM and added OSPF to it, I wish to setup L3 to the ACI.

If I'm building a L3 Out to the F5 LB's surely the ACI Interface would need to be a VLAN and trunked to the VMM Domain rather than configured as an Access port / Dot1p. is this correct.

Hope that makes sense.

Regards

Darren

Manuel Velasco · ‎01-09-2018

"My original question and hope was that I could use L3 on the ACI to route OSPF with the virtual F5 on VLAN 500."

Yes you can use this vlan on the L3out as long as you don't have another EPG with VMM domain using this vlan. In other words, If you already have a (normal) EPG associated to the vmm domain and it assigned to vlan 500 you won't be able to use this vlan 500 on the l3out.

View solution in original post

Manuel Velasco · ‎01-09-2018

Hi Darren,

As you know EPGs associated to a VMM domain get a vlan dynamically from the associated vlan Pool. Also, under the L3out you CAN’T associate a vmm domain for the l3out EPG, instead you need to associate this with a routed domain. Now having said, even if you define an EPG with the vmm domain for your F5 VM and grab the vlan assigned to configure the L3out the ACI will report that there is another EPG assigned to the same vlan encap.

What you can do instead, assuming you have ESXi host is to assign your F5 VM to vSwitch or a non ACI manage DVS. This way the vlan used for this traffic will not be part of a VMM EPGs and you can configured your l3out.

Note that this will require another uplink from the ESXi host.

hope this helps.

darreng · ‎01-09-2018

Thank you Manuel, this is great information.

My ACI setup needs some attention. The partner who helped me set it up didn't define dynamic VLAN's for the VMM Domain. We created a pool yes but it was statically defined so my server Admin and I have to coordinate the mappings. We hope to change this soon with our new Cisco partner.

Irregardless of whether it's static or dynamic I believe the issue still exists i.e. the VLAN assosciated to the L3 out will still in conflict with the one I would have to trunk to the VMM Domain. Is that correct.

I'll ask my server Admin if he has a spare uplink. It's a blade enclosure so I would have thought we were good on this.

Appreciate the help, thanks again.

Manuel Velasco · ‎01-09-2018

What do you mean by:

"We created a pool yes but it was statically defined so my server Admin and I have to coordinate the mappings."

Does this mean ACI doesn't manage the dVS but instead this is managed my your server Admin?

Or does it means that the vlan pool is set to dynamic but the vlan blocks are set static?

"Irregardless of whether it's static or dynamic I believe the issue still exists i.e. the VLAN assosciated to the L3 out will still in conflict with the one I would have to trunk to the VMM Domain. Is that correct."

I am not sure if I understand your question:

You can define a vlan (static vlan) under the vmm vlan pool and share vlan pool with the routed domain, and use this new static vlan on the L3out domain only.

darreng · ‎01-09-2018

Yes, sorry for the confusion. The vlan pool is set to dynamic but the vlan blocks are set static.

Under Fabric/Access Policies/VLAN, the pool is defined as 'dyanmic allocation; but the VLAN's within it (100-300) have the Allocation Mode set to Static Allocation.

In additon I have a seperate VLAN defined in the same pool - VLAN 500. This was the VLAN to be used to connect to the Virtual F5 in the VMM Domain.

The Domain section at the bottom of the screen shows the VMM Domain.

The ACI does manage the DVS. When we create a new EPG for a host in the range of 100-300, I add the assosciation statically and my server colleague does likewise to his uplink.

The install didn't follow the Cisco recommend method of using dyamic VLAN's.

My original question and hope was that I could use L3 on the ACI to route OSPF with the virtual F5 on VLAN 500.

Regards

Darren

Manuel Velasco · ‎01-09-2018

"My original question and hope was that I could use L3 on the ACI to route OSPF with the virtual F5 on VLAN 500."

Yes you can use this vlan on the L3out as long as you don't have another EPG with VMM domain using this vlan. In other words, If you already have a (normal) EPG associated to the vmm domain and it assigned to vlan 500 you won't be able to use this vlan 500 on the l3out.

darreng · ‎01-09-2018

Great. Thanks once again for the follow up, this is good news.

Regards

Darren

wantwang · ‎11-15-2018

I have the same scenario, actually I am connecting a virtual CSR to the fabric,

It is clear now that I should use a different vlan, but I have no sense on how to configure the "path" of Interface profile.

Could you tell me how you set this?

TOMYSIS · ‎11-21-2018

De plus, j'ai un VLAN séparé défini dans le même pool - VLAN 500. C'était le VLAN à utiliser pour se connecter au Virtual F5 dans le domaine VMM.