Layer 4 to Layer 7 Services

The Cisco Application Centric Infrastructure (ACI) treats services as a key part of an application. Any services that are required are treated as a service graph that is instantiated on the ACI fabric from the Cisco Application Policy Infrastructure Controller (APIC). You define the service for the application, while service graphs identify the set of network or service functions that the application requires.

Beginning with Cisco ACI Virtual Edge Release 1.2(1), Layer 4 to Layer 7 service graphs are supported for Cisco ACI Virtual Edge.

For information about configuring Layer 4 to Layer 7 services on Cisco ACI Virtual Edge, see the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide. However, you first must follow the guidelines and understand the limitations in the next section of this chapter.

When you follow instructions in the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, instead of configuring services on the VMware Distributed Virtual Switch (DVS) VMM domain, configure the services on the Cisco ACI Virtual Edge VMM domain with AVE as the switching mode.

Guidelines and Limitations for Layer 4 to Layer 7 Configuration

Follow the guidelines in this section when preparing to configure Layer 4 to Layer 7 service graphs for Cisco ACI Virtual Edge:

  • Layer 4 to Layer 7 services are supported only for routed mode in the initial release; there is no support for transparent mode.

  • Do not deploy both service VMs of an HA pair behind the same Cisco ACI Virtual Edge.

    To ensure that both service VMs of an HA pair do not end up behind the same Cisco ACI Virtual Edge after deployment, create a VM-host affinity rule. That ensures that each service VM of an HA pair runs on a different host.

    When creating a VM-host affinity rule, for Type, choose Virtual Machines to Hosts, and in DRS groups, choose Must run on hosts in group. For more information about creating a VM-host affinity rule, refer to the VMware documentation for the corresponding vSphere version.

  • Do not manually associate non-service VMs to a service EPG. At any point on a single host, only one endpoint for each service EPG is supported.

  • Do not tag service VM interfaces deployed on Cisco ACI Virtual Edge; Cisco ACI Virtual Edge does not support trunk port groups.

  • Cisco ACI Virtual Edge does not support virtual MAC-based service VM deployments.

    The supported modes of service VM deployment on Cisco ACI Virtual Edge are standalone and HA mode (active/standby).

  • Cisco ACI Virtual Edge supports vMotion of service VMs.

    Note

    Refer to the corresponding vendor documentation for support of vMotion of service VMs in the VMware environment. vMotion support is vendor-specific and may have certain guidelines and limitations.

  • Only service-graph based deployments are supported on Cisco ACI Virtual Edge.

  • Cisco ACI Virtual Edge does not support route peering, trunk ports, or promiscuous mode.

  • Ensure that the management and HA interfaces of service VMs are on the VDS/vSwitch.

  • When you configure the Cisco ACI Virtual Edge VMM domain, it is mandatory to associate a VLAN pool with the domain.

    Associating a VLAN pool with the domain is required because service VMs are deployed on the Cisco ACI Virtual Edge VMM domain with VLAN encapsulation mode. Configure both internal and external ranges for the VLAN pool. See the chapter Mixed-Mode Encapsulation in this guide for information.

  • Compute VMs (providers and consumers) can be deployed in the Cisco ACI Virtual Edge VMM domain with VXLAN or VLAN encapsulation mode.

    To support compute VMs in either mode, configure the Cisco ACI Virtual Edge VMM domain with mixed-mode encapsulation. See the chapter Mixed-Mode Encapsulation in this guide for information.

Qualified Service Devices

Service graph deployments for Cisco ACI Virtual Edge are qualified for the following service devices:

  • Cisco Adaptive Security Virtual Appliance (ASAv) firewall Version 9.9(1)

    Note

    Before you deploy ASAv on the Cisco ACI Virtual Edge VMM domain, enable monitoring of externalIf and internalIf. To enable monitoring through the CLI, you can use the commands monitor-interface externalIf and monitor-interface internalIf on ASAv.

  • F5 Networks BIG-IP load balancer (Unmanaged mode) Version 13.1.0.3

  • Citrix NetScaler VPX (Unmanaged mode) Version 11.0 build 70.16

Supported Deployments

The Cisco ACI Virtual Edge supports the following deployments:

  • ASAv in Routed Mode

  • F5 Networks BIG-IP load balancer (Unmanaged mode)

    • One-arm mode

    • Two-arm mode

  • Standalone and HA mode (Active/Standby)

  • One-node and two-node deployments

Bridge Domain Configuration for Cisco ASAv, Citrix NetScaler, or F5 BIG-IP ADC

When you configure the bridge domains for Cisco ASAv, Citrix NetScaler, or F5 BIG-IP ADC, configure the bridge domains as you would for a generic configuration, except as follows:

Configuration              Action
-------------------------  ----------------------------------------------------------------
L2 Unknown Unicast         Choose Flood.
ARP Flooding check box     Check the check box.
Unicast Routing check box  This configuration depends on the deployment. For example, check the Unicast Routing check box if you want the Cisco ACI fabric to route the traffic. Additionally, when configuring the inside bridge domain, enable Unicast Routing if you plan to use endpoint attach.
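The bridge domain settings above are easy to get wrong when a tenant has many bridge domains, so a practitioner typically audits them from the APIC REST API rather than clicking through each one. The following script is an added example, not part of this guide or of any Cisco tool: it parses the JSON shape returned by an APIC class query for fvBD objects and reports every service bridge domain whose L2 Unknown Unicast, ARP Flooding, or Unicast Routing setting departs from the table. The fvBD attribute names (unkMacUcastAct, arpFlood, unicastRoute) are those of the APIC object model; the tenant name, bridge domain names, and the embedded response are constructed for the example.

```python
import json

# Constructed sample shaped like the JSON body returned by an APIC class query
# for fvBD objects (tenant and bridge domain names are placeholders).
SAMPLE_FVBD_RESPONSE = json.dumps({
    "totalCount": "2",
    "imdata": [
        {"fvBD": {"attributes": {
            "dn": "uni/tn-example-tenant/BD-svc-outside",
            "name": "svc-outside",
            "unkMacUcastAct": "flood",   # L2 Unknown Unicast = Flood
            "arpFlood": "yes",           # ARP Flooding checked
            "unicastRoute": "yes"}}},    # fabric routes the traffic
        {"fvBD": {"attributes": {
            "dn": "uni/tn-example-tenant/BD-svc-inside",
            "name": "svc-inside",
            "unkMacUcastAct": "proxy",   # wrong for a service BD
            "arpFlood": "no",            # wrong for a service BD
            "unicastRoute": "yes"}}},
    ]
})


def check_service_bd(attrs, expect_unicast_routing=None):
    """Return a list of findings for one fvBD attribute dictionary.

    L2 Unknown Unicast and ARP Flooding are fixed requirements from the
    table; Unicast Routing is deployment dependent, so it is only checked
    when the caller states whether the fabric is expected to route.
    """
    findings = []
    if attrs.get("unkMacUcastAct") != "flood":
        findings.append("L2 Unknown Unicast must be Flood (found %r)"
                        % attrs.get("unkMacUcastAct"))
    if attrs.get("arpFlood") != "yes":
        findings.append("ARP Flooding must be enabled (found %r)"
                        % attrs.get("arpFlood"))
    if expect_unicast_routing is not None:
        want = "yes" if expect_unicast_routing else "no"
        if attrs.get("unicastRoute") != want:
            findings.append("Unicast Routing should be %s (found %r)"
                            % (want, attrs.get("unicastRoute")))
    return findings


def audit_bridge_domains(response_text, bd_names, expect_unicast_routing=None):
    """Audit the named bridge domains in an fvBD class query response.

    Returns {bd_name: [findings]}; an empty list means the bridge domain
    matches the table. A name absent from the response is reported too, so
    a typo in the list of service bridge domains does not pass silently.
    """
    data = json.loads(response_text)
    report = {}
    for item in data.get("imdata", []):
        attrs = item.get("fvBD", {}).get("attributes", {})
        name = attrs.get("name")
        if name in bd_names:
            report[name] = check_service_bd(attrs, expect_unicast_routing)
    for name in bd_names:
        report.setdefault(name, ["bridge domain not found in response"])
    return report


if __name__ == "__main__":
    service_bds = {"svc-outside", "svc-inside"}
    results = audit_bridge_domains(SAMPLE_FVBD_RESPONSE, service_bds,
                                   expect_unicast_routing=True)
    for bd in sorted(results):
        status = "OK" if not results[bd] else "; ".join(results[bd])
        print("%-12s %s" % (bd, status))
```

In a live environment the response text would come from an authenticated GET against the APIC's fvBD class endpoint (or a per-tenant query) instead of the embedded sample; the audit function itself does not change.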

References

For more information on configuring Bridge domains on Cisco ACI, see the Cisco APIC Layer 2 Networking Configuration Guide.

For general information regarding bridge domain settings with respect to service graph design, see the Service Graph Design with Cisco Application Centric Infrastructure White Paper.