NimbostratusDoes anyone have any experience configuring active/standby 5250v appliances and 2 x 9K with dual vPC (one for PCI Vlans and the other for non-PCI Vlans).
I have a requirement to physically separate PCI from non-PCI Vlans. The 9K are running ACI but the F5 will be managed.
Thanks
Cirrus"A physical requirement to separate"
This is why PCI is such a pain. People do silly things and jump through nonexistent hoops to try to make some non-technical pencil pusher happy. And I know this is not a requirement you created so I apologize for the mini-rant.
Run trunks to the F5s and land the VLANs in their own route domains on the F5. ACI should create ample separation once you hit the 9ks. For the record this is not required by PCI and is just going to make life more annoying and raise MTTR. :(
NimbostratusI appreciate your feedback. I was told by the customer to do a physical separation, which as you said is not required by PCI. It all comes down to an extra check for the non-technical paper pusher.
Right now I have the following physical setup:
F5A - port 2.1 and 2.2 connected to 9KA port e1/5 e1/6 F5A - port 2.3 and 2.4 connected to 9KB port e1/5 e1/6 ---------------------(PCI vPC - A)---------------------------
F5A - port 2.5 and 2.6 connected to 9KA port e1/9 e1/10 F5A - port 2.7 and 2.8 connected to 9KB port e1/9 e1/10 ---------------------(non-PCI vPC - A)---------------------------
F5B - port 2.1 and 2.1 connected to 9KA port e1/7 e1/8 F5B - port 2.3 and 2.4 connected to 9KB port e1/7 e1/8 ---------------------(PCI vPC - B)---------------------------
F5B - port 2.5 and 2.6 connected to 9KA port e1/11 e1/12 F5B - port 2.7 and 2.8 connected to 9KB port e1/11 e1/12 ---------------------(non-PCI vPC - B)---------------------------
This will be a one arm setup. The only thing is that I only have done one vPC per each F5 one arm setup. I have never done 2 vPC setups pear each F5. Is there something special that needs to be configured.
The F5 and Cisco APIC integration based on the device package and iWorkflow is End Of Life.
The latest integration is based on the Cisco AppCenter named ‘F5 ACI ServiceCenter’.
Click here to view the Cisco ACI and F5 BIG-IP design guide which discusses the following topics:
Visit https://devcentral.f5.com/s/articles/F5-and-Cisco-ACI-Essentials-Design-guide-for-a-single-POD-APIC-cluster to learn how to access a lab for hands on experience using the F5 ACI ServiceCenter
https://f5.com/cisco for updated information on the integration.
