Using F5 Big IP Load Balancer Virtual Edition with Cisco ACI (Part 1)



Last week I worked booth duty at Cisco Live. For those not familiar with the term, “booth duty” basically means I stood in one place for several hours a day, gave demos and answered questions, specifically on ACI and CliQr. Sometimes when working from the inside of a company you lose sight of what customers are still not learning. I found a lot of folks weren’t aware that Cisco ACI can control many layer 4-7 devices through the ACI APIC.

There are two ways it can do this: managed mode or unmanaged mode. In managed mode you configure the parameters of the layer 4-7 device directly from the APIC, and the device is directly in the Application Network Profile. In unmanaged mode the device is still in the Application Network Profile, but configuration changes are made on the device itself. In either case, configuration changes can still be made from the device itself.

That’s a brief intro to layer 4-7 service graphing (sometimes called stitching), but let’s get into the technical side of how we actually do this. For this article I’m going to show how to stitch an F5 virtual load balancer into the ACI fabric. We’ll be using it in “one-arm” mode, mostly because I’m not planning on using the F5 as a default gateway for the server. It can be set up in “two-arm” mode as well if you prefer.

Where to get it?

First of all, you’ll need the actual F5 appliance which you can get from the F5 site. Just click on the link and create an account to download the F5 VE appliance. Once downloaded, you’ll then deploy the OVA to your virtual environment. In this case I’m using VMware vSphere 6.0 as my virtual environment. I’ve already connected my ACI fabric to the VMM domain. If you need help with that, refer to this blog.

Initial Configuration

Once you deploy the F5 appliance, you’ll need to do some initial setup. Log in to the F5 via the vSphere console using the default credentials of root/default. Once at the command line, type “config”. A wizard will appear in which you enter your management IP address, subnet mask, and default gateway.

Now that you have the IP configured, you can open a browser and browse to the IP address of the appliance. Log in using the default credentials admin/admin. Click Next to get into the Setup Utility in the GUI. Enter your license next to Base Registration Key and click Next. After the license is accepted you’ll see the following screen, which shows the features you have access to depending on your license.

Figure 1

Deploying the Device Package

Now that the F5 appliance has been deployed and configured we can integrate it into ACI. We’ll do this using a device package. The device package is something built by the vendor of the L4-7 device, which in this case is F5. In order to download it go here and find the 3rd Party Cisco APIC download. Click on that, select the theater from which to download and finally download it. There are also guides and quick starts which can be downloaded and might be helpful for further information.

On the APIC click L4-7 Services at the top. Then click on Packages in the sub-header. Right click on L4-7 Service Device Types on the Left and select Import Device Package. Browse for the .zip file you downloaded from the F5 site and click OK. Now you have an uploaded Device Package in your APIC.

Click on Tenants at the top and select the Common tenant. Expand L4-7 Services in the left navigation tree under the Common tenant. Right click on L4-7 Devices and click on Create L4-7 Device. Make sure the device is Managed by putting a check in the box in the upper left (you may leave it unmanaged if you plan on managing the device from the device itself).

  1. Give it a name, such as F5-LB.

  2. Make sure you choose ADC (Application Delivery Controller) from the drop down menu.

  3. Select Device Type to be Virtual.

  4. Select the correct VMM Domain.

  5. Select whether it will be a single node or an HA cluster. In this case I’m only doing a single node.

  6. Click the pull down menu to select the correct device, in this case the F5.

  7. Select the model, which will be BIG-IP-VE-GENERIC in this case.

  8. Under credentials enter the admin credentials, which are admin/admin by default if you haven’t changed them (you should probably change them to be secure ;)).

  9. Put in the management IP and select https from the pull down menu.

  10. Select the VM, which will probably say something like Big-IP VE followed by a version number.

  11. Finally, click Next.

Figure 2

  12. Click Finish.
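As an added example (not from the article, Cisco or F5), the Python below reviews an APIC query result for registered L4-7 devices and reports managed devices that the APIC logs in to with a built-in account (admin or root, the default logins used above) or that it reaches on a port other than 443. The class and attribute names (`vnsLDevVip`, `vnsCCred`, `vnsCMgmt`, `managed`, `port`) and the mapping of https to port 443 are assumptions about the APIC object model, and the sample data is constructed.

```python
import json

# Constructed sample shaped like an APIC REST result for class vnsLDevVip with
# children included. Class/attribute names are assumptions, not from the article.
SAMPLE = json.loads("""
{"imdata": [
 {"vnsLDevVip": {"attributes": {"name": "F5-LB", "managed": "yes"},
   "children": [
    {"vnsCCred": {"attributes": {"name": "username", "value": "admin"}}},
    {"vnsCMgmt": {"attributes": {"host": "192.0.2.10", "port": "80"}}}]}},
 {"vnsLDevVip": {"attributes": {"name": "F5-LB2", "managed": "yes"},
   "children": [
    {"vnsCCred": {"attributes": {"name": "username", "value": "svc-apic"}}},
    {"vnsCMgmt": {"attributes": {"host": "192.0.2.11", "port": "443"}}}]}},
 {"vnsLDevVip": {"attributes": {"name": "FW-unmanaged", "managed": "no"}}}
]}
""")

DEFAULT_ACCOUNTS = {"admin", "root"}  # built-in accounts the article logs in with


def children_of(obj, cls):
    """Yield attribute dicts of the object's direct children of class cls."""
    for child in obj.get("children", []):
        if cls in child:
            yield child[cls]["attributes"]


def audit(result):
    """Return (device, finding) pairs for managed L4-7 devices."""
    findings = []
    for item in result.get("imdata", []):
        dev = item.get("vnsLDevVip")
        if dev is None or dev["attributes"].get("managed") != "yes":
            continue  # unmanaged: the APIC holds no credentials for it
        name = dev["attributes"]["name"]
        for cred in children_of(dev, "vnsCCred"):
            if cred["name"] == "username" and cred["value"] in DEFAULT_ACCOUNTS:
                findings.append((name, "built-in account: " + cred["value"]))
        for mgmt in children_of(dev, "vnsCMgmt"):
            if mgmt.get("port") != "443":
                findings.append((name, "non-https port: " + str(mgmt.get("port"))))
    return findings


if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

A "built-in account" finding does not mean the password is still the default, since the query result does not contain it; it marks the devices whose password change needs confirming on the BIG-IP itself.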

Exporting the Service Graph

Finally, we’ll export the F5 service device to the tenant we plan on using it in. In my example I’ll be exporting it for use in my HQ-Production tenant. This tenant contains one of the application network profiles where I plan on stitching in my F5 appliance. Now that we’ve created the F5 service device, though, we can use and re-use it wherever we like.

  1. Right click on L4-7 Service Devices on the left side again.

  2. This time select Export L4-7 Service Devices.

  3. Select the device, in this case F5-LB.

  4. Select the tenant to which you’d like to export it, in this case HQ-Production.

  5. Click Submit.

Figure 3

You can verify that this was done properly by going to the tenant (HQ-Production) at the top. Then expand L4-7 Services and expand Imported Devices. You should see your device in there.

Figure 4

To continue with our one-arm setup, we’ll configure the function profile in our Common tenant. The function profile is where we configure the actual parameters of the firewall. We’ll then create a service graph template which we’ll apply to the application network profile where we plan on using this load balancer. This article is getting a little long, though, so we’ll continue on with creating a Function Profile and adding the Service Graphs in Part 2 of this article series.

I do want to note that even though we’re using a virtual edition, we can absolutely use physical layer 4-7 devices within the ACI fabric as well. If we were doing this in unmanaged mode, we wouldn’t need to create a Function Profile; we could just create a service graph template and apply the service graph within a contract between two EPGs. If you have any questions or comments, please leave them below or reach out to me on Twitter @Malhoit.
