We will look now under the hood of Cisco ACI and the APIC in order to understand how the so-called magic happens for the L4-L7 services insertion.

First, it is important to note that the cloud is all about multi-tenancy, whether public or private, as applications need their own secure virtual environment. Cisco ACI and F5 Synthesis both support a multi-tenant architecture. An APIC tenant is a logical grouping of application policies and is represented on an F5 Big-IP device by a partition. As an application may be tied to one or more Big-IP virtual servers, the name of the virtual server will be prefixed by the APIC partition number. This enables an F5 Big-IP physical or virtual device to support multiple APIC tenants, whose applications can each be associated with one or more Big-IP virtual servers.

On the APIC, L4-L7 network services are instantiated between application tiers or EPGs by stitching or chaining together the F5 Big-IP physical or virtual devices such as LTM, ASM or AFM. This stitching or chaining is accomplished via a Service Graph in the APIC GUI. The APIC refers to the Big-IP devices in the Service Graph as Function Nodes, whose functionality is configured from the list of features provided in the APIC F5 function profiles, e.g. L4-L7 load balancing, SSL offload, pools, SNAT, etc. Multiple Service Graphs can be associated with the same F5 Big-IP device, as in the case of multiple APIC tenants sharing one Big-IP.

The association of a Service Graph to an Application Network Profile contract (the policy defining how two EPGs communicate) abstracts away all the network details that are not relevant to the application admin or developer. The Service Graph automates the routing of the network traffic through each of the designated F5 Big-IP devices in the Service Graph chain until all the steps in the chain are complete. It is important to note that the APIC Service Graph function node parameters are configured on the F5 Big-IP devices via the F5 Device Package. The APIC admin will then be able to easily automate the addition, removal or editing of APIC function nodes or F5 Big-IP devices based on a new policy without having to reposition them and reconfigure the ACI switch fabric. This is made possible because the ACI fabric architecture gives the F5 Big-IP devices location independence from the network underlay. Customers can be guaranteed the insertion and enforcement of the F5 Synthesis L4-L7 network services regardless of the location of the F5 Big-IP devices in the ACI network fabric.


Let's look closer now at the network switch fabric. The ACI fabric is composed of a new Layer 3 40 GB spine-and-leaf switch fabric architecture with an integrated overlay using the Nexus 9000 platform. This allows the ACI switch fabric to act as one big logical switch to all End Point devices. Cisco is taking an innovative hybrid approach with the addition of a new ASIC, the Application Leaf Engine (ALE), through which the APIC can add application policy requirements to the regular network forwarding. The ACI fabric underlay is a fully meshed switch fabric using IS-IS under the covers for fast convergence, where every Leaf switch is connected to all Spines (and vice versa). The integrated overlay provides the connectivity for the ACI nodes (ACI Spine and Leaf switches) and the insertion of the L4-L7 network services. No external device is allowed to be connected to a Spine besides Leaf nodes. The Spines build their global reachability database from the reachability information advertised by all the attached Leaf switches and synchronize with each other. In SDN fashion, the Spines then have a fully synchronized and singular view of the whole network fabric, permitting an ingress Leaf switch to route or redirect traffic destined to the F5 Big-IP devices in the chain through any of the available Spines. This will prove to be instrumental as well for the ACI application health monitoring and scoring. Stay tuned for an upcoming blog.

Cisco accomplished two things: integrating the overlay with the underlay by abstracting away the encapsulation of the traffic ingressing a Leaf switch. The Leaf switch effectively acts as a unified hardware gateway for any packet encapsulation, whether VxLAN, NvGRE, VLAN or Dot1Q, allowing the support of both virtualized and bare metal applications. This is nothing new for Cisco, as it has been abstracting tagging mechanisms with technologies such as MPLS, LISP and OTV. With ACI, it encapsulates all the packets ingressing the ACI fabric with a new VxLAN header termed "eVxLAN", swapping out the incoming packet encapsulation (VxLAN, NvGRE, VLAN and Dot1Q). The ACI Leaf switch acts as a Virtual Termination End Point (VTEP) identifying the location of the ACI End Point within the ACI fabric. Cisco knows VxLAN well, as it developed the VxLAN header in cooperation with VMware and pushed it as a standard in the Internet Engineering Task Force (IETF) forum.

Cisco ACI leveraged the VxLAN header structure by using the 24-bit VxLAN Network Identifier (VNID) and 16 bits from the first Reserved field, termed the Source Group field.

1- The Source Group field is used to identify the application from the incoming traffic

2- The eVxLAN VNID field will be used to identify the Application Network Profile EPGs and the F5 Big-IP devices associated with them.

The ACI EPG information will be derived from the VNID carried in the F5 Big-IP devices' VxLAN or VLAN header, as those devices do not natively support ACI EPG information. The F5 Big-IP devices' VNIDs are mapped to their EPGs in the eVxLAN VNID field based on the APIC policy.
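To make the header layout described above concrete, here is an added Python example (not code from the original post, Cisco or F5) that builds and parses an 8-byte VxLAN-style header, pulls out the 24-bit VNID and a 16-bit Source Group from the first Reserved field, and looks the VNID up in a constructed VNID-to-EPG table standing in for the APIC policy. Which 16 of the 24 reserved bits carry the Source Group is an assumption made here (the high-order 16, i.e. header bytes 1 and 2), as is the `EPG_BY_VNID` table; a header without the VXLAN "I" (valid VNI) flag is rejected rather than mapped.

```python
import struct

# VXLAN header (RFC 7348) is 8 bytes:
#   byte 0     : flags; bit 0x08 is the "I" flag meaning the VNID is valid
#   bytes 1..3 : reserved (24 bits). ACI uses 16 of these as the Source
#                Group; this example ASSUMES they are the high-order 16
#                bits (bytes 1 and 2) and byte 3 stays reserved.
#   bytes 4..6 : VNID (24 bits)
#   byte 7     : reserved
VXLAN_I_FLAG = 0x08

# Constructed VNID -> EPG table standing in for the APIC policy that maps
# a Big-IP's VNID onto the tenant/EPG it belongs to. Values are made up.
EPG_BY_VNID = {
    0x00A001: "tenant-A/web-epg",
    0x00A002: "tenant-A/app-epg",
    0x00B001: "tenant-B/web-epg",
}


def build_evxlan_header(vnid: int, source_group: int) -> bytes:
    """Encode a header with the I flag set, Source Group in bytes 1-2
    and the VNID in bytes 4-6. Range-checks both fields."""
    if not 0 <= vnid < (1 << 24):
        raise ValueError("VNID must fit in 24 bits")
    if not 0 <= source_group < (1 << 16):
        raise ValueError("Source Group must fit in 16 bits")
    return struct.pack(
        "!8B",
        VXLAN_I_FLAG,
        (source_group >> 8) & 0xFF, source_group & 0xFF, 0x00,
        (vnid >> 16) & 0xFF, (vnid >> 8) & 0xFF, vnid & 0xFF,
        0x00,
    )


def parse_evxlan_header(hdr: bytes) -> dict:
    """Decode the flags, Source Group and VNID from the first 8 bytes.
    Raises ValueError on a short header or when the I flag is clear,
    because then the VNID field carries no valid identifier."""
    if len(hdr) < 8:
        raise ValueError("VXLAN header needs 8 bytes, got %d" % len(hdr))
    flags, r1, r2, _r3, v1, v2, v3, _r4 = struct.unpack("!8B", hdr[:8])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("I flag not set: VNID is not valid")
    return {
        "flags": flags,
        "source_group": (r1 << 8) | r2,
        "vnid": (v1 << 16) | (v2 << 8) | v3,
    }


def classify_packet(hdr: bytes) -> dict:
    """Parse the header and resolve the VNID to an EPG via the policy
    table. An unmapped VNID yields epg=None so the caller can drop or
    log it instead of silently forwarding it."""
    fields = parse_evxlan_header(hdr)
    fields["epg"] = EPG_BY_VNID.get(fields["vnid"])
    return fields


if __name__ == "__main__":
    hdr = build_evxlan_header(vnid=0x00A001, source_group=0x0102)
    print(hdr.hex())            # 0801020000a00100
    print(classify_packet(hdr))
```

Running the module prints the encoded header and the decoded fields; the decoded `epg` comes back as `None` for a VNID the table does not know, which is the case a fabric operator would want to alert on.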


The Cisco APIC becomes the central point of management for the programmability and automation of L4-L7 service insertion for the F5 Big-IP physical or virtual devices. The elasticity of the L4-L7 services is facilitated through the Cisco APIC by conveniently adding and removing F5 Big-IP devices from the Service Graph based on the actual tenant application policy requirement. This effectively removes the challenges of inserting L4-L7 services in the network through the seamless integration of the F5 Synthesis fabric with Cisco ACI.