L2-L3 Network Management

In the top-left of L2-L3 tab, the Logical Device list filters devices based on high availability type (standalone or HA) and on device type (physical or virtual). If someone is logged in to a physical standalone BIG-IP device, the list shows only APIC logical devices of devtype physical, which have a single APIC Concrete device entry (CDEV) associated with them.

VLAN, Self IP, and Default Gateway Tasks

Create VLAN and Self IP

1. Click the L2-L3 Stitching tab.

2. From the Logical Device list, click the logical device (LDEV) that you want to perform L2-L3 stitching on (for the current BIG-IP device).

   The APIC information is displayed: Tenant, Concrete Devices and Interfaces, and Device Type (Physical/Virtual). You can also view a list of VLANs configured under the APIC Logical Device in the Available box.

3. Select one or more VLANs and move them to the Selected box.

   The details of all VLANs in the selected box are displayed below. The details consist of the APIC logical interface name.

4. After selecting the VLANS click Manage Selected.

   Note

   • A VLAN configuration form is displayed to add VLANs and information for one or more self IPs. For VLAN, the fields to be configured are: (1) Tag (2) Interface (3) Partition (4) Route Domain. For self IPs, the fields to be configured are (1) Address (2) Netmask (3) Traffic-group (4) Port-lockdown.
   • Partitions and Route Domains should be created from the BIG-IP UI.
   • If a Partition and Route Domain are not selected during the creation of the VLAN/self IP, it defaults to the Common Partition and Route Domain 0.
   • The Route Domain dropdown list displays Route Domains present in the selected partition.
   • For an HA setup, the floating self IPs will automatically sync to the BIG-IP peer device.
   • Whether the interface is tagged or untagged depends on its device type. For a Physical device, VLANs are tagged and for virtual devices, VLANs are untagged. This option isn’t configurable or supported.
   • The only options available for port lockdown are All, None, and Default.
   • ACI ServiceCenter doesn’t support custom port lockdown (which is supported by BIG-IP).

5. Click Submit.

The BIG-IP device has the same VLANs configured as the APIC LDEV VLAN and L2-L3 stitching is complete.

Update VLAN and/or Self IPs

There are two options for updating VLAN/self IPs.

1. Follow the steps from the previous task and edit the values in the VLAN configuration.

   The only difference is, when you click Manage Selected, the VLAN form is pre-populated with information from the existing VLAN/self IP configuration. Or For VLAN edit: From L2-L3 stitching section, select the VLAN and use the Edit icon in the top right of the VLAN card.

2. For self IP edit: From the L2-L3 stitching tab, select the VLAN and use the Edit icon, located next to the self IP under Action. For an HA setup, the floating self IPs will automatically sync to the BIG-IP peer device.

Floating IP Automatic Sync

In a BIG-IP HA setup, the recommended workflow of Network configuration is as follows:

1. Create a VLAN and at least 1 local self IP on each of the devices of the BIG-IP. Ensure that both the BIG-IPs have the same VLAN name. If not, delete either of the VLANs and recreate it. F5 ACI ServiceCenter should take care of creating the same VLAN name.
2. Create any number of additional local and floating self IPs on either of the BIG-IPs. When floating IP synchronizes from 1 BIG-IP to the other out of band, F5 ACI ServiceCenter will automatically sync it to database.

Note: It is important to create VLAN on both the devices before a floating IP can be created. If this prerequisite is not met, the HA devices can enter the ‘Sync Failed’ state.

Delete VLAN

1. In the top right of the VLAN card, click Delete icon.
2. When prompted, click Confirm.

The VLAN and all corresponding self IPs are deleted from the BIG-IP device, as well as from the application database.

Delete Self IPs

1. Next to the self IP entry you want to delete on a specific VLAN card, click the Delete icon.
2. When prompted, click Confirm.

The self IP is deleted from the BIG-IP device, as well as from the application database.

Create Default Gateway

1. Click the L2-L3 Stitching tab.

2. In the Default Gateway section, click +Add Default Gateway.

   A form is displayed.

3. In the Gateway IP field, enter the default gateway IP address. The Default Gateway form also displays Partition and Route Domain fields. All other fields are disabled for user configuration, but are displayed in the Default Gateway form.

4. Click Submit.

The default gateway is created on the BIG-IP device and is added to the application database. For an HA setup, the default gateway will automatically sync to the BIG-IP peer device. F5 ACI ServiceCenter v2.9 added support for a brownfield default gateway, where the default gateway automatically syncs to the FASC database once the user navigates to the L2-L3 tab. FASC added support to allow any Default Gateway name to be synced to the FASC database (in previous versions, the only supported default gateway name was apic-default-gateway).

Note

• Partition and Route Domain configuration are supported in v2.11+

Update Default Gateway

1. Click the Pencil icon besides default Gateway entry to open the default gateway form.

   The Default Gateway form opens.

2. Follow same steps as Workflow Create Default Gateway, steps 3 and 4.

Delete Default Gateway

1. Next to the Default Gateway entry, click the Delete icon.
2. When prompted, confirm you want to delete the Default Gateway.

The Default Gateway is deleted from the BIG-IP device, as well as from the application database.

Sync Tasks

When you complete the following tasks, the F5 ACI ServiceCenter and BIG-IP device may become out of sync if any VLAN/self IP operations are carried out from the BIG-IP Configuration utility or CLI. If this happens, the app will detect the sync status between app data and BIG-IP data. But this feature will work only for VLAN names and self IP names that were originally created through the app, and not for other network elements with different naming conventions.

VLANs, self IPs, and default gateways that were created with a different naming convention will be detected, but the only operation allowed will be to delete them from the BIG-IP device to proceed with VLAN configuration.

Sync VLAN Data from ACI ServiceCenter to BIG-IP

1. If there is an Out-of-Sync link on the VLAN card, click it.

   A window shows ACI ServiceCenter data and BIG-IP data (VLAN and self IP details).

2. Click Sync to BIG-IP.

For the specified VLAN, the BIG-IP has the same VLAN details as the F5 ACI ServiceCenter.

Sync VLAN Data from BIG-IP to ACI ServiceCenter

1. If there is an Out-of-Sync link on the VLAN card, click it.

   A window shows ACI ServiceCenter data and BIG-IP data (VLAN and self IP details).

2. Click the Sync to App button.

The ACI ServiceCenter is updated to have the same VLAN details and self IPs for the specific VLAN.

Sync route data from ACI ServiceCenter to BIG-IP

1. If there is an Out-of-Sync link on Default Gateway, click it.

   A window shows ACI ServiceCenter data and BIG-IP data (Gateway IP).

2. Click Sync to BIG-IP to sync the BIG-IP default route information to ACI ServiceCenter.

Sync route data from BIG-IP To ACI ServiceCenter

1. If there is an Out-of-Sync link on Default Gateway, click it.

   A window shows ACI ServiceCenter data and BIG-IP data (Gateway IP).

2. Click Sync to ACI ServiceCenter to sync BIG-IP default route information to the ACI ServiceCenter.

Refresh L2-L3 Stitching tab

• In the top right of the L2-L3 Stitching tab, click the Refresh icon.

All the content on this tab is refreshed, including Ldevs in the LDEV list: Default Gateway, VLANs and self IPs.

vCMP Host Tasks

BIG-IP devices of type vCMP Host will only have certain features available: - Visibility: Only VLAN table will be available. VIP table and Node table will not be available. - L2-L3 Network Management: VLAN configuration will be available. Self IP and Default Gateway configuration will be disabled. All the VLAN workflows will be same as mentioned in VLAN workflows - L4-L7 App Services tab will be disabled and unavailable

Create a VLAN for HA setup

1. Click the L2-L3 Network Management tab.
2. From the Logical Device list, click the logical device (LDEV) that you want to perform L2-L3 stitching on (for the current BIG-IP device).
3. The APIC information is displayed: Tenant, Concrete Devices and Interfaces, and Device Type (Physical/Virtual). You can also view a list of VLANs configured under the APIC Logical Device in the Available box.
4. Select one or more VLANs and move them to the Selected box.
5. The details of all VLANs in the selected box are displayed below. The details consist of the APIC logical interface name. After selecting the VLANS click Manage Selected.

Note

• A VLAN configuration form is displayed to add VLANs and information for one or more self IPs. For VLAN, the fields to be configured are: (1) Name (2) Tag (3) Interface.
• If a configuration with 2 vCMP guests on separate vCMP hosts in HA configuration has to be supported, the 2 vCMP hosts will need to have the same VLAN name. Hence please add the same VLAN Name for such vCMP Hosts - guests of which hosts are going to form HA pair. The steps to do so are as follows:
  • Create a VLAN on vCMP host 1
  • Copy the VLAN name from host 1 and create VLAN on host 2 with same name
  • Assign these VLANs to the corresponding vCMP Guests vCMP guest 1 (on host 1) and vCMP guest 2 (on host 2)
  • Create local and floating IPs for these VLANs. The VLAN and local Self IP should be present on both the BIG-IP devices of the HA pair before Floating Self IPs can be created.
  • Click Submit.

6. The BIG-IP device has the same VLANs configured as the APIC LDEV VLAN and L2-L3 stitching is complete.

vCMP Guest Tasks

L2-L3 Network Management workflows for vCMP Guests will be different since VLAN configuration will be unavailable. Only Self IP configuration and Default Gateway configuration will be available. Default configuration workflows will be same as mentioned in the VLAN workflows. SelfIP workflows will be as below.

Create Self IPs

1. Click the L2-L3 Network Management tab.
2. Select one or more available VLANs and move them to the Selected box. These VLANs are already present on the vCMP Guest BIG-IP device. After selecting the VLANS click Manage Selected.

Note

• A VLAN configuration form is displayed to add Self IPs. For self IPs, the fields to be configured are (1) Address (2) Netmask (3) Traffic-group (4) Port-lockdown.
• The only options available for port lockdown are All, None, and Default.
• ACI ServiceCenter doesn’t support custom port lockdown (which is supported by BIG-IP).
• For an HA setup, the floating self IPs will automatically sync to the BIG-IP peer device.

3. Click Submit.

The BIG-IP device now has the new Self IPs created.

Update Self IPs

1. There are two options for updating self IPs.
2. Follow the steps as mentioned in the previous Create Self IPs task and edit the values in the VLAN configuration. The only difference is, when you click Manage Selected, the VLAN form is pre-populated with information from the existing self IP configuration. Or For self IP edit: From L2-L3 network management section, select the self IP and use the Edit icon in the top right of the card.
3. For individual self IP edit: From the L2-L3 network management tab, select the VLAN and use the Edit icon, located next to the self IP under Action. For an HA setup, the floating self IPs will automatically sync to the BIG-IP peer device.

Delete Self IPs

1. Next to the self IP entry you want to delete on a specific VLAN card, click the Delete icon OR click the Delete icon of the card to delete all self IPs.
2. When prompted, click Confirm.

The self IPs are deleted from the BIG-IP device, as well as from the application database.

---

Frequently Asked Questions (FAQ)

Q. Why do I get an error for VLAN/self IP delete operation from the App?

This is a known issue for BIG-IP v 12.x. If a pool with nodes is associated with a self IP of the same subnet, the BIG-IP doesn’t allow a user to delete that self IP. As a result, the VLAN delete operation also fails with the error.

Workaround:

• Delete the corresponding pool member from the BIG-IP.
• Perform the VLAN/self IP delete from the App.
• Recreate the pool member on the BIG-IP.

---

Q. When I try to stitch a VLAN tag, why do I see “VLAN not available for stitching”, and I am unable to configure the VLAN?

For a single BIG-IP device, after a VLAN tag is stitched for a particular logical device (say LDEV1), the same VLAN tag is not available for stitching again for a different Logical device (say LDEV2). This is because the VLAN tag is already present on the BIG-IP device and re-creating it for a different logical device is not allowed. In order to proceed with stitching, delete the original VLAN from the stitched LDEV, which is mentioned in this VLAN card’s info message.

Note

For a different BIG-IP login, this stitched VLAN tag will still be available for configuration.

---

Q. Why don’t I see the pre-existing BIG-IP VLANs and self IPs that have a different naming convention than the application?

The application does not support pre-existing VLANs that have a different naming convention than the app. It is able to detect VLANs that have been created and managed from the application only.

Although, after uninstalling and reinstalling the application, if the app database is lost, the application will be able to detect the previously created application VLANs by reading BIG-IP information and show them as Out-of-sync VLANs. The users will also be able to sync them to the application to rebuild the app database.

The application displays APIC VLAN tags for a particular Logical Device Cluster on the L2-L3 stitching page. If there is an out-of-band VLAN with a different naming convention but the same VLAN tag on the BIG-IP device, the application detects it and shows it in the Out-of-sync information too. But the only action available for such a VLAN or self IP will be deletion of that object from the BIG-IP. It cannot sync to the application, since it has a different naming convention. The application also does not detect out-of-band information for any of the other VLAN tags that are not a part of APIC VLAN list.

---

Q. What is the best way to delete LDEV from APIC?

Do not delete Logical devices from APIC directly. Instead, as a first step, delete self IPs, VLANs and routes from the BIG-IP device by using the application. When you are done, you can delete the Logical Device from APIC. This ensures there are no stale self IP, VLAN, and route entries on the BIG-IP.

---

Q. Why do I see a “Sync Failed” state on both the HA devices when clicking the Sync to BIG-IP button on the L2-L3 Stitching Tab?

In a BIG-IP HA setup, the recommended workflow of the Network configuration is:

1. Create a VLAN and at least 1 local self IP on the BIG-IP. Ensure that both the BIG-IPs have the same VLAN name. If not, delete either of the VLANs and recreate it. F5 ACI ServiceCenter should take care of creating the same VLAN name.
2. Create any number of additional local and floating self IPs on either of the BIG-IPs. When the floating IP synchronizes from 1 BIG-IP to the other out of band, F5 ACI ServiceCenter will automatically sync it to the database.

Therefore, it is important to create VLANs on both the devices before a floating IP can be created on both devices. If this prerequisite is not met, the HA devices can enter the ‘Sync Failed’ state.

---

Q. Why do I have to configure a new Partition using L4-L7 Application Services first before setting up a L2-L3 Network Configuration in that Partition?

The L2-L3 Network Management Tab on FASC application does not support creating a new Partition. In order to set up a Network Configuration in a non-Common partition, it is necessary for the non-Common partition to be present on the BIG-IP. Hence, you should first create a new partition to deploy a new application using the L4-L7 Application tab. This will create the Partition on the BIG-IP. On reloading the L2-L3 Network Tab, this newly created partition would display in the Partitions dropdown. You can then use this Partition to set up a VLAN/self IP Network configuration.