The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
Layer 4 to Layer 7 resource pools bring together related configurations with regard to deploying Layer 4 to Layer 7 service devices. The related configuration is packaged together so that it can be used by orchestration layers such as Cisco Application Centric Infrastructure (Cisco ACI) Windows Azure Pack integration to deploy Layer 4 to Layer 7 service devices.
For Layer 4 to Layer 7 resource pools created in Cisco APIC Release 3.0(x) and earlier, the public and external IP address pools were one and the same and were simply marked as external. For Layer 4 to Layer 7 resource pools created in Cisco APIC Release 3.1(x) and later, there is a separation and distinction between these two types of address pools. External IP address pools are used for the external interface of the Layer 4 to Layer 7 device, and L3Out SVI IP allocation. For Layer 4 to Layer 7 devices that are connected through a VPC into the fabric, 3 IP addresses are consumed by the L3Out configuration (side A primary IP address, side B primary IP address, and secondary IP address) while port channel and single interface connections consume 2 IP addresses (primary IP address and secondary IP address).
Public IP address pools are used to allocate dynamic NAT IP addresses (1 per tenant VRF), load balancers, virtual IP addresses (1 per tenant EPG), and additional public NAT IP addresses.
By separating the two IP address types, a Cisco APIC administrator is able to achieve the following:
Export only the IP addresses in the IP pool marked as public - hiding the device-level interface IP addresses
Incrementally add to the public IP address pool's varying blocks of IP addresses as they are acquired and available to the common tenant L3Out
The external L3Out routed domain is used to provision the L3Out for both the internal and external connectors of the Layer 4 to Layer 7 devices. These L3Outs allow for traffic to originate from outside of the Cisco Application Centric Infrastructure (Cisco ACI) fabric and be able to reach the resources that are inside of the Cisco ACI fabric. The L3Outs also allow for traffic to originate from within the Cisco ACI fabric and be able to reach outside of the Cisco ACI fabric. The VLANs within the VLAN pool that are associated with the Layer 3 routed domain must be unique for a given leaf or VPC leaf switch pair where the Layer 4 to Layer 7 service devices are connected. If the Layer 4 to Layer 7 service devices span across multiple leaf or VPC leaf switch pairs, then the limitation also extends to these leaf and VPC leaf switch pairs.
 Note |
VLAN blocks should not be reconfigured or removed from the VLAN pools once the Layer 4 to Layer 7 resource pool is in use. You can add VLAN blocks to the current VLAN block if required for expansion. |
The following VLAN pool sizing considerations apply:
1 VLAN is dynamically allocated per external IP address pool
1 VLAN is dynamically allocated per tenant virtual forwarding and routing (VRF) that is accessing the Layer 4 to Layer 7 resource pool
The external routed domain and the associated VLAN pool can be used across Layer 4 to Layer 7 resource pools
For information about configuring external routed networks, see the Cisco APIC Layer 3 Outside for Tenant Networks document at the following URL:
The following procedure creates an IP address pool for Layer 4 to Layer 7 resource pools using either GUI mode.
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . |
|
Step 3 |
In the Work pane, choose . |
|
Step 4 |
In the Create IP Address Pool dialog box, fill in the fields as required. Do not include the gateway address in the Address Ranges. The gateway address will be used as the secondary IP address of the Layer 4 to Layer 7 device external L3Out, which will act as a pervasive gateway. Example:
|
|
Step 5 |
Click Submit. |
The following procedure creates a dynamic VLAN pool for Layer 4 to Layer 7 resource pools using the GUI mode.
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . |
|
Step 3 |
In the Work pane, choose . |
|
Step 4 |
In the Create VLAN Pool dialog box, fill in the fields as required, except as specified below: |
|
Step 5 |
In the Create VLAN Pool dialog box, click Submit. |
The following procedure creates a dynamic VLAN pool for Layer 4 to Layer 7 resource pools using the GUI mode.
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . |
|
Step 3 |
In the Work pane, choose . |
|
Step 4 |
In the Create Layer 3 Domain dialog box, fill in the fields as required, except as specified below:
|
|
Step 5 |
Click Submit. |
To configure the physical connectivity of the Layer 4 to Layer 7 devices, see the appropriate configuration guide for each respective device regarding port channel or VPC configuration within the device.
Note |
For ASA55xx firewall devices that are context aware, the path configuration must be consistent across all the ASA contexts for a given physical ASA55xx. Configuring ASA contexts using different interfaces is not allowed in this configuration. |
The following procedure validates the Cisco Application Policy Infrastructure Controller (Cisco APIC) configuration of a Layer 4 to Layer 7 services device for use in Layer 4 to Layer 7 resource pools using the GUI mode.
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . |
|
Step 3 |
In the Work pane, choose the Policy tab. |
|
Step 4 |
In the Interfaces table, verify that there are at least 2 interfaces, with each one mapping to a validate path (port, port channel, or vPC) in the fabric. |
|
Step 5 |
For each ASA or NetScaler, verify that there is both a Cluster > consumer interface and a Cluster > provider interface defined. Even if the NetScalers will be used for internal load balancing, having such a configuration allows the tenant to use the NetScaler in both private and public IP address load balancing. |
|
Step 6 |
For HA configurations, verify that there are 2 concrete interfaces for each cluster interface. Doing so will ensure that each port, port channel, or vPC will be configured correctly. |
You must configure the management routes and remove the default route out of band directly on the Layer 4 to Layer 7 device.
The following example uses the Cisco Application Policy Infrastructure Controller (Cisco APIC) NX-OS-style CLI to configure the management route of an ASA firewall:
apic1(config)# route management 10.24.24.0 255.255.255.0 172.0.0.1The following example uses the Cisco APIC NX-OS-style CLI to remove the default route:
apic1(config)# no route 0.0.0.0 0.0.0.0 172.0.0.1The following example uses the Citrix NetScaler CLI to configure the management route of a NetScaler Application Delivery Controller (ADC) load balancer:
> add route 10.24.24.0 255.255.255.0 172.0.0.1The following example uses the Citrix NetScaler CLI to remove the default route:
> rm route 0.0.0.0 0.0.0.0 172.0.0.1Creating a Layer 4 to Layer 7 Resource Pool
The following procedure creates a Layer 4 to Layer 7 resource pool using the GUI mode. Once the resource pool has allocated various components for use by the tenants, you cannot modify to the resource pool. You can perform maintenance tasks such as adding IP address blocks, adding VLAN blocks, and adding logical devices, such as an ASA firewall or Citrix NetScaler load balancer.
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . |
|
Step 3 |
In the Work pane, choose . |
|
Step 4 |
In the Create L4-L7 Resource Pool dialog box, fill in the fields as required, except as specified below: |
|
Step 5 |
Click Submit. |
This section provides example commands for using the NX-OS-style CLI to configure Layer 4 to Layer 7 resource pools.
|
Step 1 |
Enter the configure mode. |
||
|
Step 2 |
Enter the configure mode for tenant common. |
||
|
Step 3 |
Specify the Layer 4 to Layer 7 resource pool. |
||
|
Step 4 |
Set the resource pool version.
|
||
|
Step 5 |
Associate an Layer 4 to Layer 7 devices to a resource pool. |
||
|
Step 6 |
Associate an IP address pool as an external IP address pool to a resource pool. |
||
|
Step 7 |
(For normalized resource pools) Associate an IP address pool as a public IP address pool to a resource pool. |
||
|
Step 8 |
Associate to an external routed domain. |
||
|
Step 9 |
Configure the private IP address subnet for a resource pool. |
||
|
Step 10 |
Associate to an L3Out EPG in tenant common. |
Configuring a Layer 4 to Layer 7 Resource Pool Using the GUI
Configuring Layer 4 to Layer 7 Devices in a Resource Pool
Note |
A dedicated VLAN will be consumed for each for each L3Out created for the tenant in their private VRF. The dynamic VLAN pool associated with the Layer 3 domain may need additional VLANs added to accommodate the additional devices to the resource pool. |
You can add new Layer 4 to Layer 7 devices to the resource pool at any time.
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool to which you want to add a device. |
|
Step 4 |
From the Work pane, click the L4-L7 Devices tab. |
|
Step 5 |
From the L4-L7 Devices table, click the plus icon (+). The Create An L4-L7 Device dialog appears. |
|
Step 6 |
Click the Device drop-down arrow and choose a Layer 4 to Layer 7 device. |
|
Step 7 |
Click Submit. |
The resource pool is unusable by any tenants without available Layer 4 to Layer 7 devices configured. If the L4-L7 Device is not allocated and exported to any tenants, perform the following:
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool with the device you want to remove. |
|
Step 4 |
From the Work pane, click the L4-L7 Devices tab. |
|
Step 5 |
Click to highlight the Layer 4 to Layer 7 device you want to remove then click the trashcan icon. A confirmation dialog appears. |
|
Step 6 |
Click Yes to confirm the deletion. |
Configuring External IP Address Pools in a Resource Pool
If the resource pool is in use, do not remove or update the external IP address pool as it is in use by tenants.
|
Step 1 |
On the menu bar, choose . |
||
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
||
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool to which you want to add an external IP address pool. |
||
|
Step 4 |
From the Work pane, click the Basic tab. |
||
|
Step 5 |
From the External IP Address Pool table, click the plus icon (+) . The External IP Address Pool fields appear. |
||
|
Step 6 |
Click the Connect Type drop-down arrow and choose L3 External Network then enter the appropriate values in the remaining External IP Address Pool fields.
|
||
|
Step 7 |
Click Update. |
Note |
|
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool with the external IP address pool you want to remove. |
|
Step 4 |
From the Work pane, click the Basic tab. |
|
Step 5 |
From the External IP Address Pool table, click to highlight the external IP address pool you want to remove then click the trashcan icon. A confirmation dialog appears. |
|
Step 6 |
Click Yes to confirm the deletion. |
Configuring Public IP Address Pools in a Resource Pool
Note |
|
|
Step 1 |
On the menu bar, choose . |
||
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
||
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool to which you want to add a public IP address pool. |
||
|
Step 4 |
From the Work pane, click the Basic tab. |
||
|
Step 5 |
From the Public IP Address Pool table, click the plus icon (+). The Public IP Address Pool fields appear. |
||
|
Step 6 |
Click the Connect Type drop-down arrow and choose L3 External Network then enter the appropriate values in the remaining External IP Address Pool fields.
|
||
|
Step 7 |
Click Update. |
Note |
|
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool with the public IP address pool you want to remove. |
|
Step 4 |
From the Work pane, click the Basic tab. |
|
Step 5 |
From the Public IP Address Pool table, click to highlight the public IP address pool you want to remove then click the trashcan icon. A confirmation dialog appears. |
|
Step 6 |
Click Yes to confirm the deletion. |
The resource pool is unusable by any tenant if no external routed domain is configured.
|
Step 1 |
On the menu bar, choose . |
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool with the external routed domain you want to update. |
|
Step 4 |
From the Work pane, click the External tab. |
|
Step 5 |
Click the External Routed Domain drop-down arrow and choose a Layer 3 domain. |
|
Step 6 |
Click Submit. |
The resource pool is unusable by any tenant if no external routed networks are configured.
|
Step 1 |
On the menu bar, choose . |
||
|
Step 2 |
In the Navigation pane, choose . The resource pools appear in the Navigation pane as a drop-down list under L4-L7 Resource Pools. |
||
|
Step 3 |
Click the Layer 4 to Layer 7 resource pool with the external routed network you want to update. |
||
|
Step 4 |
From the Work pane, click the External tab. |
||
|
Step 5 |
From the External Routed Networks table, click the plus icon (+). The External Routed Networks fields appear. |
||
|
Step 6 |
Enter the appropriate value in the External Routed Networks fields.
|
||
|
Step 7 |
Click Update. |
Feedback