Unmanaged Mode - what it means for ACI and BIG-IP integration [End of Life]

The F5 and Cisco APIC integration based on the device package and iWorkflow is End Of Life.
The latest integration is based on the Cisco AppCenter named ‘F5 ACI ServiceCenter’.
Visit https://f5.com/cisco for updated information on the integration.

The adoption of Cisco ACI with the APIC controller continues to gain traction in the market. With their latest major APIC release, 1.2.1i, Cisco has streamlined how ADCs are connected to the fabric. There have traditionally been two methods of connecting services:

  1. Service Insertion with a device package and a service graph (Managed)
  2. Connecting a device as an endpoint device into an EPG (Unmanaged)

Cisco has simplified how a services device can be connected into the fabric as a device that is Unmanaged by the APIC. This is known as “Unmanaged Mode”, as opposed to “Managed Mode”, where a device package is used.

Instead of the usual multi-step manual configuration process for specifying the network configuration in APIC, the attachment has been consolidated into the service graph. Previously, it was necessary to manually static bind the VLAN to the EPG (Provider and Consumer) and assign the physical domain to the EPG. It was also necessary to bind contracts between multiple Provider and Consumer EPGs. Now, all you have to do is go into the service graph and specify connectivity, just as if you were building a managed service graph. This gives one common location and workflow for configuring services, and the process is simpler.

Advantages

  • Service graph representation with Unmanaged and Managed modes mixed (a few devices managed by APIC, a few devices NOT managed by APIC)
  • Unified view of a service chain

Why needed

  • Customers have requested an “Unmanaged” mode for their custom devices
    • Need to manage their own security policies outside of the networking team
    • Need to use their existing orchestration infrastructure for particular devices in the chain
    • Need to use advanced vendor-specific functionality

What this means for BIG-IP integration

  • BIG-IP is still attached as an EPG, but this mode can now be represented within a service graph

Difference between Managed and Unmanaged mode

| Mode | Goal |
| --- | --- |
| Unmanaged Mode (device managed externally) | Service chaining (traffic redirection) through ACI |
| Managed Mode (device managed by device package) | Service chaining (traffic redirection) through ACI; device configuration through APIC (policy-based configuration) |

Some prerequisites for deploying an Unmanaged logical device cluster

  • BIG-IP:
    • Define VLANs, Self IPs and trunk (if needed)
  • APIC:
    • VLAN Pool – Static allocation
    • Fabric access policies to ensure physical connectivity to BIG-IP
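
In Unmanaged mode the BIG-IP is configured outside APIC, so the two sides of these prerequisites have to be kept consistent by hand. The check below is an added example, not part of the original article or of any F5 or Cisco tooling. The pool, VLAN and self IP values are constructed, and the input shapes (an `fvnsVlanInstP` object with `fvnsEncapBlk` children, plus exported BIG-IP VLAN and self IP records) are assumptions.

```python
import re

# Constructed sample: an APIC VLAN pool object (class fvnsVlanInstP with
# fvnsEncapBlk children). The pool name and range are made up.
APIC_POOL = {"fvnsVlanInstP": {
    "attributes": {"name": "bigip-pool", "allocMode": "static"},
    "children": [
        {"fvnsEncapBlk": {"attributes": {"from": "vlan-100", "to": "vlan-110"}}},
    ]}}

# Constructed sample: VLANs and self IPs exported from the BIG-IP (assumed shape).
BIGIP_VLANS = [{"name": "external", "tag": 101}, {"name": "internal", "tag": 205}]
BIGIP_SELF_IPS = [
    {"name": "ext-self", "vlan": "/Common/external", "address": "10.10.10.5/24"},
]

def vlan_id(encap):
    """Convert an APIC encap string such as 'vlan-100' to the integer 100."""
    return int(re.fullmatch(r"vlan-(\d+)", encap).group(1))

def pool_ranges(pool):
    """Return (alloc_mode, [(low, high), ...]) for an fvnsVlanInstP object."""
    obj = pool["fvnsVlanInstP"]
    ranges = []
    for child in obj.get("children", []):
        blk = child.get("fvnsEncapBlk")
        if blk is not None:
            attrs = blk["attributes"]
            ranges.append((vlan_id(attrs["from"]), vlan_id(attrs["to"])))
    return obj["attributes"]["allocMode"], ranges

def check_prereqs(pool, vlans, self_ips):
    """List mismatches between the APIC VLAN pool and the BIG-IP network config."""
    findings = []
    mode, ranges = pool_ranges(pool)
    if mode != "static":
        findings.append(f"VLAN pool allocMode is '{mode}', expected 'static'")
    # Self IP records reference VLANs by full path; compare on the last element.
    vlans_with_self = {s["vlan"].rsplit("/", 1)[-1] for s in self_ips}
    for v in vlans:
        if not any(lo <= v["tag"] <= hi for lo, hi in ranges):
            findings.append(f"VLAN {v['name']} tag {v['tag']} is outside the APIC pool")
        if v["name"] not in vlans_with_self:
            findings.append(f"VLAN {v['name']} has no self IP")
    return findings

if __name__ == "__main__":
    for finding in check_prereqs(APIC_POOL, BIGIP_VLANS, BIGIP_SELF_IPS):
        print(finding)
```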

A video with more details on how to deploy a BIG-IP in Unmanaged mode on APIC:

https://www.youtube.com/watch?v=OJPEYzNGD3A

Once the BIG-IP is deployed as an Unmanaged device cluster with traffic redirection through ACI, configure it with nodes, pools, monitors, virtual servers and all other features required by your application as you always do, using the BIG-IP GUI, CLI, etc. (not through Cisco ACI).


Published Dec 28, 2015
Version 1.0
  • The video above explains setting up the F5 in unmanaged mode in a "two-arm" mode. What about one-arm configuration? Does a guide/video exist for this?
  • Payal_S
    Ret. Employee
    Sarah, unfortunately there is no guide/video for this right now; there should be one out by July. In the example above, a trunk is used between the BIG-IP and the ACI Leaf. So physically it's one-arm but logically it's two-arm, since we are using a different VLAN tag for the external and internal interfaces. For one-arm:
    1) While creating the logical device cluster, under the 'Cluster Interfaces' section, specify just one interface and assign it a VLAN tag
    2) When you create a graph template, you will get an option to have the template as 'one-arm' or 'two-arm'; select one-arm at that point
    3) Then apply the graph template (specify the 'provider' and 'consumer' EPG, click next and assign the interface to the BD)
    4) Assign the appropriate VLAN tag/Self-IP/routes on the BIG-IP
  • Hi Payal,

    Thanks for this informative article. I have a couple of queries.

    If I am integrating F5 in unmanaged mode, do I need to create a tenant for it in Cisco ACI? How will my traffic land on the F5 guest? As this is not a full integration, how can I map my F5 guest with ACI?

    Regards,
    Amit Grover

  • Also wondering how spanning tree was handled on the F5 interfaces that you connected to ACI. As you know, ACI does not do spanning tree.

  • Hi Payal, is there a guide available to deploy F5 in one-arm? Currently we are planning to attach F5 with ACI in one-arm mode. The idea would be to use a SNAT pool to do health checks and for data communication with end servers as well. We will have F5-OUT-EPG and F5-IN-EPG attached to a single interface in one-arm. The subnets would be something like this:

    • 10.20.30.x --> VIPS
    • 10.20.31.x --> SNAT Pool
    • 10.20.32.x --> VIPS
    • 10.20.33.X --> SNAT Pool