04-18-2020 05:58 PM - edited 04-18-2020 06:41 PM
Hello Everyone,
I just want to understand how service graph works in the below scenario.
Scenario 1 (Unmanaged Service graph)
###############################
EPG-INSIDE-->BD(L3-10.0.0.1)--->VMM domain --->Provider
EPG-OUTSIDE-->BD(L3-20.0.0.1)-->VMM domain --->Consumer
INSIDE VM -->10.0.0.10 GW-- 10.0.0.1
OUTSIDE VM -->20.0.0.10 GW-- 20.0.0.1
VMM domain integration
L4-L7 Device - F5 BIG IP unmanaged mode-->Routed mode-->Two arm mode
Outcome
#######
When I deploy a service graph, ACI is not learning any MAC/IP from the BIG-IP.
Do I need to keep GW in load balancer?
Scenario 2 (EPG Mode)
##################
EPG-INSIDE-->BD(L3-10.0.0.1)--->VMM domain --->Provider
EPG-OUTSIDE-->BD(L3-20.0.0.1)-->VMM domain --->Consumer
INSIDE VM -->10.0.0.10 GW-- 10.0.0.1
OUTSIDE VM -->20.0.0.10 GW-- 20.0.0.1
VMM domain integration
Outcome
#######
This scenario works as expected
Questions
#######
1. For service graph unmanaged mode do I need to keep GW in ACI or service device?
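As an added diagnostic for the Scenario 1 symptom (not code from any poster or from Cisco/F5), the script below pulls the fabric's learned endpoints (APIC class fvCEp with its fvIp children) and reports which of the BIG-IP arm IPs the fabric has not learned. The APIC URL, credentials, the assumed self-IPs 10.0.0.254/20.0.0.254 and the sample response are all assumptions or constructed data.

```python
import json
import urllib.request

# Constructed sample of an /api/node/class/fvCEp.json reply (not a real capture):
# both VMs and only the OUTSIDE arm of the BIG-IP have been learned.
SAMPLE_FVCEP = json.dumps({"totalCount": "3", "imdata": [
    {"fvCEp": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-EPG-INSIDE/cep-00:50:56:AA:00:10",
                              "mac": "00:50:56:AA:00:10", "ip": "10.0.0.10", "encap": "vlan-1101"},
               "children": [{"fvIp": {"attributes": {"addr": "10.0.0.10"}}}]}},
    {"fvCEp": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-EPG-OUTSIDE/cep-00:50:56:AA:00:20",
                              "mac": "00:50:56:AA:00:20", "ip": "20.0.0.10", "encap": "vlan-1102"},
               "children": [{"fvIp": {"attributes": {"addr": "20.0.0.10"}}}]}},
    {"fvCEp": {"attributes": {"dn": "uni/tn-T1/ap-AP1/epg-EPG-OUTSIDE/cep-00:50:56:F5:00:02",
                              "mac": "00:50:56:F5:00:02", "ip": "20.0.0.254", "encap": "vlan-1102"},
               "children": [{"fvIp": {"attributes": {"addr": "20.0.0.254"}}}]}},
]})

F5_ARM_IPS = ["10.0.0.254", "20.0.0.254"]  # assumed self-IPs of the two BIG-IP arms


def parse_endpoints(body):
    """Flatten an fvCEp class query into {ip: (mac, epg_dn)}, using fvIp children when present."""
    found = {}
    for item in json.loads(body)["imdata"]:
        cep = item["fvCEp"]
        attrs = cep["attributes"]
        epg_dn = attrs["dn"].rsplit("/cep-", 1)[0]        # strip the cep-<mac> leaf to get the EPG
        ips = [c["fvIp"]["attributes"]["addr"] for c in cep.get("children", []) if "fvIp" in c]
        if not ips and attrs.get("ip", "0.0.0.0") != "0.0.0.0":
            ips = [attrs["ip"]]                             # fall back to the primary IP attribute
        for ip in ips:
            found[ip] = (attrs["mac"], epg_dn)
    return found


def missing_arms(body, arm_ips):
    """Return the load-balancer arm IPs that the fabric has NOT learned as endpoints."""
    learned = parse_endpoints(body)
    return sorted(ip for ip in arm_ips if ip not in learned)


def fetch_fvcep(apic, user, pwd):
    """Live use only: log in to APIC and pull fvCEp with fvIp children (TLS verification stays on)."""
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    with urllib.request.urlopen(urllib.request.Request(f"{apic}/api/aaaLogin.json", data=login)) as r:
        token = json.load(r)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    url = f"{apic}/api/node/class/fvCEp.json?rsp-subtree=children&rsp-subtree-class=fvIp"
    with urllib.request.urlopen(urllib.request.Request(url, headers={"Cookie": f"APIC-cookie={token}"})) as r:
        return r.read().decode()


if __name__ == "__main__":
    print("BIG-IP arms not learned by the fabric:", missing_arms(SAMPLE_FVCEP, F5_ARM_IPS))
```

Against a live fabric, replace SAMPLE_FVCEP with fetch_fvcep("https://<apic>", user, pwd); an arm listed as missing means no endpoint learning in that BD, which is the condition the service-graph whitepaper's routed-mode designs have to work around.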
04-19-2020 02:48 AM - edited 04-19-2020 02:50 AM
Hi,
I believe what you want to achieve is redirect traffic through your F5, which is functioning in routed mode. Is this correct?
If yes, you have two options:
1) L3out between ACI and each arm of your F5 BIGIP
2) use Service graph + PBR
The diagram of each scenario is highlighted below:
In the first scenario (l3Out) you will configure each user BD (inside and outside) in different VRF. This way you can manipulate the traffic path between the BDs, to route everything through L3out.
The second scenario can use a single VRF, and you will redirect everything through the F5 through the use of PBR (which is attached to a contract).
Both scenarios work OK. Myself, I opted for the first option in my implementations, as I did not have a lot of constraints from the perspective of traffic flow and I also prefer to have control of the configured ACI constructs.
In the end, less is more. If you keep the design clean and simple, the overall administration and troubleshooting will be also easier.
For more details about PBR, check out the whitepaper: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html
You have examples for different use cases, advantages, disadvantages etc.
Hope it helps,
Sergiu
04-19-2020 03:47 AM
No, I am not looking for PBR solution.
Service graph without a redirect(PBR)
Regards
Jai
04-20-2020 11:14 PM
Hi @Jaya_tv
Since your GW is on the BD and the F5 is in routed mode, the solution is either PBR or L3out.
Regards,
Sergiu
04-21-2020 07:10 PM
A simple service graph with no PBR, as explained in the SG design whitepaper, would be easiest.
For design options with routing enabled in both Provider and Consumer BDs, you can go through the following in the document.
Figure 25. If Routing is Enabled in Both Bridge Domains, in Some Scenarios like the One in This Picture, the VRF Instance Will Need to Be Split.
Figure 27. Design with L4-L7 Device Performing NAT and IP Routing Enabled on Both Bridge Domains; Only One VRF Instance Is Needed for Both Bridge Domains
Before a design is selected one should be able to answer these questions.
1. Provider EPG >> does all traffic need to go through the LB?
2. Consumer EPG >> does all traffic need to go through the LB? (same considerations)
3. Is ACI the GW for both provider and consumer EPGs?