Re: ACI F5 integration unmanaged mode

Jaya_tv · ‎04-18-2020

Hello Everyone,

I just want to understand how service graph works in the below scenario.

Scenario 1 (Unmanaged Service graph)

###############################

EPG-INSIDE-->BD(L3-10.0.0.1)--->VMM domain --->Provider

EPG-OUTSIDE-->BD(L3-20.0.0.1)-->VMM domain --->Consumer

INSIDE VM -->10.0.0.10 GW-- 10.0.0.1

OUTSIDE VM -->20.0.0.10 GW-- 20.0.0.1

VMM domain integration

L4-L7 Device - F5 BIG IP unmanaged mode-->Routed mode-->Two arm mode

Outcome

#######

When I deploy a service graph ACI is not learning any mac/IP from BIG IP

Do I need to keep GW in load balancer?

Scenario 2 (EPG Mode)

##################

EPG-INSIDE-->BD(L3-10.0.0.1)--->VMM domain --->Provider

EPG-OUTSIDE-->BD(L3-20.0.0.1)-->VMM domain --->Consumer

INSIDE VM -->10.0.0.10 GW-- 10.0.0.1

OUTSIDE VM -->20.0.0.10 GW-- 20.0.0.1

VMM domain integration

Outcome

#######

This scenario works as expected

Questions

#######

1. For service graph unmanaged mode do I need to keep GW in ACI or service device?

Sergiu.Daniluk · ‎04-19-2020

Hi,

I believe what you want to achieve is redirect traffic through your F5, which is functioning in routed mode. Is this correct?

If yes, you have two options:

1) L3out between ACI and each arm of your F5 BIGIP

2) use Service graph + PBR

The diagram of each scenario is highlighted below:

In the first scenario (l3Out) you will configure each user BD (inside and outside) in different VRF. This way you can manipulate the traffic path between the BDs, to route everything through L3out.

Second scenario can use a single VRF, and you will redirect everything through the F5, through the use of PBR (which is attached on a contract)

Both scenarios works ok. Myself, I opted for the first option in my implementations, as I did not had a lot of constrains from the perspective of traffic flow and I also prefer to have control of the configured ACI constructs.

In the end, less is more. If you keep the design clean and simple, the overall administration and troubleshooting will be also easier.

For more details about PBR, check out the whitepaper: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html

You have examples for different use cases, advantages, disadvantages etc.

Hope it helps,

Sergiu

Jaya_tv · ‎04-19-2020

No, I am not looking for PBR solution.

Service graph without a redirect(PBR)

Regards

Jai

Sergiu.Daniluk · ‎04-20-2020

Hi @Jaya_tv

Since your GW is on the BD and and F5 in routed mode, solution is either PBR or L3out.

Regards,

Sergiu

Gaurav Gambhir · ‎04-21-2020

For simple service graph with no PBR as explained in the SG design whitepaper would be easiest.

for design options with routing enabled in both Provider and Consumer BDs you can go through the following in the document.

Figure 25. If Routing is Enabled in Both Bridge Domains, in Some Scenarios like the One in This Picture, the VRF Instance Will Need to Be Split.

Figure 27. Design with L4-L7 Device Performing NAT and IP Routing Enabled on Both Bridge Domains; Only One VRF Instance Is Needed for Both Bridge Domains

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-734298.html#_Toc494918059

Before a design is selected one should be able to answer these questions.

1. Provider EPG >> all traffic need to go through the LB?

Yes ( LB should be the GW)
No (ACI should be the GW)

2. Consumer EPG >> all traffic need to go through the LB? ( same considerations)

Yes ( LB should be the GW)
No (ACI should be the GW)

3. If ACI GW for both provider and consumer EPGs?

Need both EPGs/BD in same VRF?
- two options one with NAT and
- the other one is PBR.
Can keep EPGs/BDs in different vrf?
- use option explained in Fig25.
- this also opens a possibility of totally getting away from service graph. When you split provider and consumer in different vrfs and have LB as external router have one leg in each VRF ( just by routing itself, the traffic b/w the provider and consumer EPGs will go through the LB, no need of SG at all.