Cisco APIC Layer 4 to Layer 7 Service Graph Deployment Guide, Release 1.2(2g)

First Published: April 20, 2016

Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
© 2016 Cisco Systems, Inc. All rights reserved.

CONTENTS

Preface
  Audience
  Document Conventions
  Related Documentation
  Documentation Feedback
  Obtaining Documentation and Submitting a Service Request

CHAPTER 1 Overview
  About Service Graphs
  Advantages and Disadvantages of Using a Service Graph
  When to Use a Service Graph
  Methods for Configuring a Service Graph
  About Multi-Node Service Graphs
  About the Service Graph Operational Model
  About Goto Devices and GoThrough Devices
  About Contracts
  About Device Packages
  About Device Package Versions
  About Device Package Upgrades
  About Virtual Appliances and Physical Appliances
  Dataplane
  About Deployment Modes
  About Configuring Bridge Domains
  Determining the Number of VRFs to Use
  About the Subnet Check
  About Hardware Proxy
  About Multicontext Support
  About Multicontext Support and Dataplane Separation
  About Sharing Service Devices
  About Unmanaged Mode
  Other Terminology

CHAPTER 2 Supported Devices
  ADC Device Package Support
  Firewall Device Package Support

CHAPTER 3 Deploying a Service Graph
  Overview of Deploying a Service Graph
  About APIC-to-Layer 4 to Layer 7 Device Communication
  About Layer 4 to Layer 7 Configuration Parameters
  Setting Up Management Access to the Layer 4 to Layer 7 Device
  Importing a Device Package Using the GUI
  Creating Bridge Domains and VRFs Using the GUI
  Creating Endpoint Groups and Contracts Using the GUI
  Logical Devices and Concrete Devices
  About Model Choice
  About Connectivity Options
  About Interface Numbering
  Creating a Logical or Concrete Device Using the GUI
  Creating a Logical or Concrete Device with an HA Cluster Using the GUI
  Verifying the Status of a Logical or Concrete Device
  Function Profiles
  About Function Profiles
  Creating a Function Profile Using the GUI
  Importing a Function Profile Using the GUI
  Service Graph Templates
  Creating a Layer 4 to Layer 7 Service Graph Template Using the GUI
  Applying a Service Graph Template to Endpoint Groups Using the GUI
  Verifying a Service Graph Deployment Using the GUI
  Undoing a Service Graph Configuration Using the GUI
  Creating a Device Selection Policy Using the GUI

CHAPTER 4 Deploying F5
  About the F5 Operational Model
  Translation of F5 Terminology
  About F5 Partitions
  F5 in GoTo Mode
  About Deploying F5 in GoTo Mode
  Overview of Preparing an F5 Device in GoTo Mode
  Configuring Bridge Domains for F5 in GoTo Mode
  Adding Endpoint Attach Support for F5 in GoTo Mode
  Tuning the Server-Side Bridge Domain for Flood Removal for F5 in GoTo Mode
  F5 GoTo Mode Design Examples
  Deploying F5 in GoTo Mode
  F5 in One-Arm Mode
  About Deploying F5 in One-Arm Mode
  Overview of Preparing an F5 Device in One-Arm Mode
  Deploying F5 in One-Arm Mode
  Verifying the Configuration for an F5 Device
  Undoing a Service Graph Configuration for F5

CHAPTER 5 Deploying ASA
  ASA Deployment Modes in ACI Fabric
  About the ASA Operational Model
  Translation of ASA Terminology
  About ASA Multi-Context Mode
  About ASA High Availability and Scalability
  ASA in GoTo Mode
  About Deploying ASA in GoTo Mode
  Overview of Preparing an ASA Device in GoTo Mode
  Configuring Bridge Domains for ASA in GoTo Mode
  Tuning the Server-Side Bridge Domain for Flood Removal for ASA in GoTo Mode
  Adding Endpoint Attach Support for ASA in GoTo Mode
  ASA GoTo Mode Design Examples
  Deploying ASA in GoTo Mode
  ASA in GoThrough Mode
  About Deploying ASA in GoThrough Mode
  Overview of Preparing an ASA Device in GoThrough Mode
  Configuring Bridge Domains for ASA in GoThrough Mode
  Deploying ASA in GoThrough Mode
  Verifying the Configuration for an ASA Device
  Undoing a Service Graph Configuration for ASA

APPENDIX A Route Peering
  About Route Peering
  Configuring Route Peering Using the GUI
  Configuring an External Routed Network for Route Peering with a Static Route Using the GUI
  Configuring an External Routed Network for Route Peering with OSPF Using the GUI
  Verifying a Route Peering With a Static Route Configuration Using the GUI
  Verifying a Route Peering With OSPF Configuration Using the GUI

Preface

This preface includes the following sections:
• Audience
• Document Conventions
• Related Documentation
• Documentation Feedback
• Obtaining Documentation and Submitting a Service Request

Audience

This guide is intended primarily for data center administrators with responsibilities and expertise in one or more of the following:
• Virtual machine installation and administration
• Layer 4 to Layer 7 Services installation and administration
• Switch and network administration

Document Conventions

Command descriptions use the following conventions:

Convention: Description
bold: Bold text indicates the commands and keywords that you enter literally as shown.
Italic: Italic text indicates arguments for which the user supplies the values.
[x]: Square brackets enclose an optional element (keyword or argument).
[x|y]: Square brackets enclosing keywords or arguments separated by a vertical bar indicate an optional choice.
{x|y}: Braces enclosing keywords or arguments separated by a vertical bar indicate a required choice.
[x{y|z}]: Nested set of square brackets or braces indicate optional or required choices within optional or required elements. Braces and a vertical bar within square brackets indicate a required choice within an optional element.
variable: Indicates a variable for which you supply values, in context where italics cannot be used.
string: A nonquoted set of characters. Do not use quotation marks around the string or the string will include the quotation marks.

Examples use the following conventions:

Convention: Description
screen font: Terminal sessions and information the switch displays are in screen font.
boldface screen font: Information you must enter is in boldface screen font.
italic screen font: Arguments for which you supply values are in italic screen font.
<>: Nonprinting characters, such as passwords, are in angle brackets.
[]: Default responses to system prompts are in square brackets.
!, #: An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

This document uses the following conventions:

Note: Means reader take note. Notes contain helpful suggestions or references to material not covered in the manual.

Caution: Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Warning: IMPORTANT SAFETY INSTRUCTIONS
This warning symbol means danger. You are in a situation that could cause bodily injury. Before you work on any equipment, be aware of the hazards involved with electrical circuitry and be familiar with standard practices for preventing accidents. Use the statement number provided at the end of each warning to locate its translation in the translated safety warnings that accompanied this device.
SAVE THESE INSTRUCTIONS

Related Documentation

The Application Centric Infrastructure documentation set includes the following documents that are available on Cisco.com at the following URL: http://www.cisco.com/c/en/us/support/cloud-systems-management/application-policy-infrastructure-controller-apic/tsd-products-support-series-home.html.

Web-Based Documentation
• Cisco APIC Management Information Model Reference
• Cisco APIC Online Help Reference
• Cisco APIC Python SDK Reference
• Cisco ACI Compatibility Tool
• Cisco ACI MIB Support List

Downloadable Documentation
• Knowledge Base Articles (KB Articles) are available at the following URL: http://www.cisco.com/c/en/us/support/cloud-systems-management/application-policy-infrastructure-controller-apic/tsd-products-support-series-home.html
• Cisco Application Centric Infrastructure Controller Release Notes
• Cisco Application Centric Infrastructure Fundamentals Guide
• Cisco APIC Getting Started Guide
• Cisco ACI Basic Configuration Guide
• Cisco ACI Virtualization Guide
• Cisco APIC REST API User Guide
• Cisco APIC Object Model Command Line Interface User Guide
• Cisco APIC NX-OS Style Command-Line Interface Configuration Guide
• Cisco APIC Faults, Events, and System Messages Management Guide
• Cisco ACI System Messages Reference Guide
• Cisco APIC Layer 4 to Layer 7 Services Deployment Guide
• Cisco APIC Layer 4 to Layer 7 Device Package Development Guide
• Cisco APIC Layer 4 to Layer 7 Device Package Test Guide
• Cisco ACI Firmware Management Guide
• Cisco ACI Troubleshooting Guide
• Cisco APIC NX-OS Style CLI Command Reference
• Cisco ACI Switch Command Reference, NX-OS Release 11.0
• Verified Scalability Guide for Cisco ACI
• Cisco ACI MIB Quick Reference
• Cisco Nexus CLI to Cisco APIC Mapping Guide
• Application Centric Infrastructure Fabric Hardware Installation Guide
• Cisco NX-OS Release Notes for Cisco Nexus 9000 Series ACI-Mode Switches
• Nexus 9000 Series ACI Mode Licensing Guide
• Cisco Nexus 9332PQ ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 9336PQ ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 9372PX and 9372PX-E ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 9372TX ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 9396PX ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 9396TX ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 93128TX ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 9504 NX-OS Mode Switch Hardware Installation Guide
• Cisco Nexus 9508 ACI-Mode Switch Hardware Installation Guide
• Cisco Nexus 9516 ACI-Mode Switch Hardware Installation Guide

Cisco Application Centric Infrastructure (ACI) Simulator Documentation

The following Cisco ACI Simulator documentation is available at http://www.cisco.com/c/en/us/support/cloud-systems-management/application-centric-infrastructure-simulator/tsd-products-support-series-home.html.
• Cisco ACI Simulator Release Notes
• Cisco ACI Simulator Installation Guide
• Cisco ACI Simulator Getting Started Guide

Cisco Nexus 9000 Series Switches Documentation

The Cisco Nexus 9000 Series Switches documentation is available at http://www.cisco.com/c/en/us/support/switches/nexus-9000-series-switches/tsd-products-support-series-home.html.

Cisco Application Virtual Switch Documentation

The Cisco Application Virtual Switch (AVS) documentation is available at http://www.cisco.com/c/en/us/support/switches/application-virtual-switch/tsd-products-support-series-home.html.