The F5 and Cisco APIC integration based on the device package and iWorkflow is End Of Life. The latest integration is based on the Cisco AppCenter named ‘F5 ACI ServiceCenter’. Visit https://f5.com/cisco for updated information on the integration.
The adoption of Cisco ACI with the APIC controller continue to gain traction in the market. With their latest major APIC release, 1.2.1i , Cisco has streamlined how ADCs are connected to the fabric. There have traditionally been two methods of connecting services:
Service Insertion with a device package and a service graph (Managed)
Connecting a device as an endpoint device into an EPG (Unmanaged)
What Cisco has done is simplified how a services device can be connected into the fabric as an Unmanaged device to the APIC. This is known as “Unmanaged Mode” vs the “Managed Mode” where a device package is used.
Instead of the usual multi-step manual configuration process for specifying the network configuration in APIC, the attachment has been consolidated into the service graph. Before it was necessary to manually static bind the VLAN to the EPG (Provider and Consumer) and assign the physical domain to the EPG. It was also required to bind contracts between multiple Provider and Consumer EPGs. Now, all you have to do is go into the service graph and specify connectivity just like you were building a managed service graph. By doing this, there is now one common location and workflow for configuring services. The process is simplified.
Advantages
Service graph representation with Unmanaged and Managed modes mixed (few devices managed by APIC, few devices NOT managed by APIC)
Unified view of a service chain
Why needed
Customers have requested to provide “Unmanaged ” mode for their custom devices
Need to manage their own security policies outside of the networking team
Need to use their existing orchestration infrastructure for a particular devices in the chain
Need to use advanced vendor specific functionality
What this means for BIG-IP integration
BIG-IP is attached as an EPG - but now being able to represent this mode within a service graph
Difference between Managed and Unmanaged mode
Mode
Goal
Unmanaged Mode (Device managed externally)
Service Chaining (traffic redirection) through ACI
Managed Mode (Device managed by device package)
Service Chaining (traffic redirection) through ACI
Device configuration through APIC (Policy based configuration)
Some prerequisites for deploying an Unmanaged logical device cluster
BIGIP:
Define VLANS, Self IP’s and trunk (if needed)
APIC:
VLAN Pool – Static allocation
Fabric access policies to ensure physical connectivity to BIGIP
Once deployed as an Unmanaged device cluster with traffic redirection through ACI configure your BIGIP with nodes, pools, monitors, virtual servers and all other features required by your application like you always do by using the BIG-IP GUI/CLI etc (not through the Cisco ACI)
Sarah unfortunately there is no guide/video for this right now, there should be one out by July.
In the example above, a trunk is used between the BIG-IP and the ACI Leaf. So physically it's a one arm but logically it's two-arm , since we using a different VLAN tag for external and internal interface
For one-arm
1) While creating the logical device cluster, under the 'Cluster Interfaces' section, specify just one interface and assign it a VLAN tag
2) When you create a graph template, you will get an option to have the template as 'one-arm' or 'two-arm', select one-arm at that point
3) Then apply the graph template (Specify the 'provider' and 'consumer' EPG', click next and assign the interface to the BD)
4) Assign the appropriate VLAN tag/Self-IP/routes on the BIG-IP
Thanks for this informative article. I have couple of queries,
If I am integrating F5 in unmanaged mode then do I need to create a tenant for same in Cisco ACI.
How my traffic will land to F5 guest as this is not a full integration then how can I map my F5 guest with ACI.
hi Payal, is there a guide available to deploy F5 in One-arm. Currently we are planning to attach F5 with ACI in one arm mode. The idea would to use SNAT poll to do Health check and for data communication with end servers as well. We will have F5-OUT-EPG and F5-IN-EPG attached to a single interface in one-arm. Subnet would be something like this
