
F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Considerations


When we integrate F5 BIG-IP DNS and LTM into Cisco ACI Multi-Site or Multi-Pod, we should consider the following:

F5 BIG-IP DNS and LTM communication path via iQuery

This communication path lets BIG-IP DNS and BIG-IP LTM exchange information, which is what allows BIG-IP DNS to select the best available BIG-IP LTM virtual server (VIP) across data centers when answering a client's DNS request. BIG-IP systems talk to each other using iQuery, an F5 proprietary protocol that runs on TCP port 4353. TCP port 4353 must therefore be open on both the BIG-IP DNS and the BIG-IP LTM systems, and the network between them (firewall rules or ACI contracts) must allow it. All iQuery communication is encrypted with SSL. TCP port 22 must also be open, because the iQuery SSL certificate exchange between BIG-IP DNS and BIG-IP LTM, which authorizes them to communicate with each other, is performed over secure shell (SSH).
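As an added example (not part of the original article and not F5 code), the Python script below is the preflight check a practitioner would run from the BIG-IP DNS side before attempting the certificate exchange: for every peer it tries a TCP handshake to port 4353 (iQuery) and port 22 (SSH) and reports which pairs are blocked. The peer addresses are inputs you supply; the demo function substitutes a local listener and a deliberately closed local port for real BIG-IP systems so it runs offline.

```python
"""Preflight check for the BIG-IP DNS to BIG-IP LTM iQuery path.

Added example (not F5 code). From the system it runs on, it attempts a TCP
handshake to TCP 4353 (iQuery, SSL) and TCP 22 (SSH, used when the iQuery
certificates are exchanged) on every peer, so that a blocked ACI contract or
firewall rule shows up before the certificate exchange is attempted.
"""
import socket
from dataclasses import dataclass

IQUERY_PORT = 4353  # iQuery listener on every BIG-IP (SSL-encrypted)
SSH_PORT = 22       # SSH, used for the iQuery certificate exchange


@dataclass(frozen=True)
class PathResult:
    peer: str
    port: int
    reachable: bool


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout.

    A completed handshake proves the path is open end to end; a refused or
    timed-out connect means a listener is missing or the network blocks it.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_iquery_path(peers, ports=(IQUERY_PORT, SSH_PORT), timeout=3.0):
    """Probe every (peer, port) pair in order and return the results."""
    return [PathResult(peer, port, tcp_reachable(peer, port, timeout))
            for peer in peers for port in ports]


def blocked(results):
    """The (peer, port) pairs that failed, i.e. what still has to be opened."""
    return [(r.peer, r.port) for r in results if not r.reachable]


def demo_against_local_listener():
    """Run the checker with no BIG-IP at hand (constructed scenario).

    A listening socket on 127.0.0.1 stands in for a reachable peer port; a
    port we bind and release immediately stands in for a blocked one.  The
    kernel completes the handshake into the listen backlog, so no accept()
    is needed for the probe to succeed.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    probe = socket.socket()
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]
    probe.close()                      # nothing listens here any more
    try:
        return check_iquery_path(["127.0.0.1"], ports=(open_port, closed_port), timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    # Against real systems: list the self-IPs of the BIG-IP LTMs (and of the
    # other sync-group members) and run this from the BIG-IP DNS side.
    for r in demo_against_local_listener():
        print(f"{r.peer}:{r.port} -> {'open' if r.reachable else 'BLOCKED'}")
```

A successful handshake on 4353 only shows that the path is open; it does not show that the certificates have been exchanged. After the exchange, confirm the actual iQuery state on the BIG-IP DNS with `tmsh show gtm iquery`. Note that the probe must be run from the network position of the BIG-IP DNS self-IP, not from an administrator's workstation, since that is the source the contracts and firewall rules will see.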

F5 BIG-IP DNS location 

To minimize the latency of DNS responses, the location of the F5 BIG-IP DNS deployment is very important. While it is common to deploy BIG-IP DNS in the larger data centers, we should also consider the types of services we have and their traffic volumes. For example, if the large data centers are in close proximity to each other but many services are accessed globally, it may be better to spread the BIG-IP DNS systems geographically across multiple regions instead of a single region, so that DNS responses have lower latency around the globe.

Minimize the risk of a complete DNS outage

We should always plan ahead for how to minimize the risk of a complete DNS outage, whether caused by expected events (such as maintenance or upgrade tasks) or unexpected events (such as a power outage). Deploy the BIG-IP DNS systems so that no single point of failure remains even after one of them has failed. For example, three standalone F5 BIG-IP DNS systems in the same DNS synchronization group are better than two: if one of them fails, expectedly or unexpectedly, the remaining two still leave no single point of failure. A standalone BIG-IP DNS is an individual BIG-IP with only the DNS module deployed; it can be a single device or an HA pair. A BIG-IP DNS synchronization group (sync group) is a collection of BIG-IP DNS systems that synchronize their configuration settings and metrics information.

F5 BIG-IP LTM traffic symmetry

Traffic symmetry is a critical requirement when integrating F5 BIG-IP LTM into Cisco ACI Multi-Site or Multi-Pod. BIG-IP LTM is a stateful device, so both directions of a flow must traverse the same BIG-IP LTM in the same data center; otherwise the return packets arrive at a BIG-IP LTM that holds no state for the connection and are dropped. (Direct server return (DSR) is the one exception: the server answers the client directly, so the return traffic is never expected on the BIG-IP.) When routing alone does not place the BIG-IP LTM in the return path, BIG-IP Source Network Address Translation (SNAT) and ACI Policy Based Redirect (PBR) are the two options for steering the traffic sourced from the real server and destined to the client back through the same BIG-IP LTM.
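To make the state argument concrete, here is an added Python simulation (not from the article and not F5 code) of two stateful LTMs with per-connection flow tables. It runs the same client request three times, without SNAT or PBR, with SNAT, and with PBR, and shows on which unit the server's reply lands and whether that unit can forward it. The addresses are constructed documentation-range values, and the routing model is an assumption chosen to show the failure: a reply addressed to the client leaves the server's data center through the other site's LTM. A reply that bypasses every BIG-IP fails just the same, since the client never spoke to the server's address.

```python
"""Why a stateful BIG-IP LTM needs both directions of a flow.

Added example (not from F5 or the article): a flow-table model of two LTMs in
two data centers.  The server's gateway is the ACI fabric, which forwards by
destination, so without SNAT or PBR the reply is addressed to the client and
never revisits the LTM that created the flow state.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed addresses from the RFC 5737 documentation ranges.
CLIENT = "198.51.100.10"
VIP = "203.0.113.10"
SERVER = "192.0.2.20"
SNAT_A = "192.0.2.254"   # SNAT address owned by LTM-A, routable only to LTM-A


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


class StatefulLTM:
    """Minimal LTM: a VIP, an optional SNAT address and a per-connection flow table."""

    def __init__(self, name: str, vip: str, snat_ip: Optional[str] = None):
        self.name, self.vip, self.snat_ip = name, vip, snat_ip
        self.flows = {}  # (server, dport, src seen by server, sport) -> client

    def forward(self, pkt: Packet, server: str) -> Packet:
        """Client-to-VIP packet: pick the server, record state, rewrite the packet."""
        src = self.snat_ip or pkt.src       # SNAT replaces the client source
        self.flows[(server, pkt.dport, src, pkt.sport)] = pkt.src
        return Packet(src, server, pkt.sport, pkt.dport)

    def reverse(self, pkt: Packet) -> Optional[Packet]:
        """Server-to-client packet: forwarded only if this LTM holds the flow."""
        client = self.flows.get((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        if client is None:
            return None                      # no state on this unit: dropped
        return Packet(self.vip, client, pkt.sport, pkt.dport)


def simulate(use_snat: bool, use_pbr: bool):
    """Return (name of the LTM that saw the reply, whether the client got it)."""
    ltm_a = StatefulLTM("LTM-A", VIP, snat_ip=SNAT_A if use_snat else None)
    ltm_b = StatefulLTM("LTM-B", VIP)

    request = Packet(CLIENT, VIP, 40000, 80)
    to_server = ltm_a.forward(request, SERVER)
    reply = Packet(SERVER, to_server.src, 80, to_server.sport)

    # Return path (modelling assumption).  The fabric forwards by destination:
    # the SNAT address belongs to LTM-A, while a reply addressed to the client
    # follows routing toward the client, here through the other site's LTM.
    if use_pbr or reply.dst == SNAT_A:
        hop = ltm_a          # ACI PBR redirects server-to-client traffic to LTM-A
    else:
        hop = ltm_b
    delivered = hop.reverse(reply)
    return hop.name, delivered is not None


if __name__ == "__main__":
    for snat, pbr in ((False, False), (True, False), (False, True)):
        hop, ok = simulate(snat, pbr)
        state = "delivered" if ok else "DROPPED, no flow state"
        print(f"SNAT={snat!s:5} PBR={pbr!s:5} -> reply seen by {hop}: {state}")
```

The two working cases differ in what the server sees: with SNAT the server sees LTM-A's SNAT address as the client and plain routing brings the reply back, at the cost of losing the real client IP at the server (the usual reason to prefer PBR, which keeps the client IP and lets the fabric steer the reply instead).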

F5 BIG-IP LTM HA  

There are two HA modes:

  • Active/Standby: only one of the two F5 BIG-IP LTM units is active at any given time. The BIG-IP LTM in the active state is the only system processing traffic, while the other BIG-IP LTM remains in the standby state, ready to take over if a failover occurs.
  • Active/Active: both F5 BIG-IP LTM units are active and process traffic for different VIPs simultaneously. If one of the BIG-IP LTM units becomes unavailable for any reason, the other BIG-IP LTM automatically begins processing traffic for the unavailable peer's VIPs while continuing to process traffic for its own.

Cisco recommends Cisco ACI Multi-Pod when a single F5 BIG-IP HA pair (active/standby or active/active) must be stretched across data centers, while an independent F5 BIG-IP HA pair (active/standby or active/active) deployed in each data center can be integrated into either Cisco ACI Multi-Site or Multi-Pod. Unlike an independent HA pair per data center, which relies on SNAT or PBR to keep traffic symmetric, a BIG-IP LTM HA pair stretched across data centers in Cisco ACI Multi-Pod has traffic symmetry by nature whichever HA mode is deployed, because the stretched pair behaves as one logical device and only the unit that owns a VIP processes its traffic.

Other considerations

The placement of F5 BIG-IP LTM VIPs and their pool members, BIG-IP failover types, MAC masquerade, HA groups to manage failover, and more should also be considered in the integration. All of these topics are covered in the Cisco ACI Multi-Site/Multi-Pod and F5 BIG-IP Design Guide, a white paper jointly developed by Cisco and F5.


Other DevCentral articles and videos in this series

F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Understand Your Requirements
F5 BIG-IP in Cisco ACI Multi-Site and Multi-Pod - Design Options

Don't forget to check out the Lightboard Lesson, Designing Cisco ACI and F5 Solutions Together, as well!

Updated Jun 06, 2023
Version 4.0