Solved: Re: Cisco APIC L4-L7 Services Tab removed

AshSe · ‎06-30-2024

Why starting from APIC ver 5.x L4-L7 Services Tab removed?

What is the impact of this on Services Graph configuration?

Remi-Astruc · ‎07-02-2024

Yes, any network service device (FW, LB, IPS, L1/2/3, ...) can be inserted in a Service Graph. Read the Service Graph Design document for more information.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-2491213.html

Previously, Device Packages aimed to additionally configure the L4-L7 device from ACI, but that was complex, non-exhaustive and benefit was limited.

Today, if you still want a tight management interaction between ACI and your L4-L7 device, you can find some tools supporting such integration. However many Service Graph deployments don't rely on such integration.

Regards

Remi Astruc

View solution in original post

Remi-Astruc · ‎07-01-2024

Hi @AshSe ,

The L4-L7 Services Tab was used in pre-5.x versions for Managed Mode integration. That mode has been deprecated and is not available since then.

The Service Graph configuration is now fully implemented into the Tenant subtree.

Regards

Remi Astruc

AshSe · ‎07-01-2024

Hi Remi,

So installing Device package option is now removed starting v5.x and is integrated in Services, could you tell me:

Can we install all (Cisco & non-Cisco) devices like firewalls, load-balancers etc. without having separate Device packages for them?
Is there any issue in creating Service Graph template?

Remi-Astruc · ‎07-02-2024

Yes, any network service device (FW, LB, IPS, L1/2/3, ...) can be inserted in a Service Graph. Read the Service Graph Design document for more information.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-2491213.html

Previously, Device Packages aimed to additionally configure the L4-L7 device from ACI, but that was complex, non-exhaustive and benefit was limited.

Today, if you still want a tight management interaction between ACI and your L4-L7 device, you can find some tools supporting such integration. However many Service Graph deployments don't rely on such integration.

Regards

Remi Astruc

AshSe · ‎07-05-2024

What I understand is:

L4-L7 Services tab removed > You cannot download and install any device package now
Function Profiles subfolder (Services > L4-L7 > Function Profiles) removed > You cannot configure L4-L7 device from APIC > e.g. if you need to configure IP Addresses and ACLs in ASAv you need to configure them separately and before hand (before configuring Service Graph Template)

Please correct/support my above understanding.

PFA, APIC v4.2 and v5.2 screenshot for Services folder.

AshSe · ‎07-07-2024

In addition to my above understanding,
The "Managed" option is removed from the Device creation in APIC starting with version 5. Hence, now we need to configure ASAv, etc. separately and cannot manage or configure them from APIC.

If I am correct, then this change in the APIC version looks absurd to me, and I would appreciate if someone could justify this stand of the Cisco ACI development team.

AshSe · ‎07-07-2024

Attaching the screen shots of Device creation in APIC v4.2 and v5.2

Remi-Astruc · ‎07-08-2024

Correct.

Regarding the reasons, I stated them above in the thread.

Regards

Remi Astruc

AshSe · ‎07-08-2024

In APIC v3.x and ASAv Goto Mode; I have witnessed failure in auto associating ASAv interfaces with the shadow EPG. Do you foresee any such issue with respect to APICv5.x and vCenter 7.0.0?

Would appreciate a response from your practical experience.

Remi-Astruc · ‎07-08-2024

I cannot formerly answer, but I strongly recommend upgrading your Fabric v3.x which is very old and being obsolete. You can expect many behavior enhancements.

Mark the topic as solved if your initial question was answered.

Regards

Remi Astruc