F5® products integrate with Cisco Application Policy Infrastructure Controller (APIC) using a Device Package. The F5 BIG-IP® Device Package for Cisco APIC is downloaded from a BIG-IQ device and then imported into APIC. The file contains:
APIC is built with a standard application programming interface (API) used to configure services implemented by integrated vendor devices, such as F5. The F5 BIG-IP device package for Cisco APIC implements the API specific to the semantics of the BIG-IP system.
Using Cisco APIC, a customer can configure tenants, device clusters containing one or two BIG-IP devices, and service graphs. When a service graph is pushed to the BIG-IP system, the F5 BIG-IP Device Package for Cisco APIC running on Cisco APIC uses iApps® to configure all aspects of the supported service.
Each Tenant context is assigned a unique partition on the BIG-IP system, in the form of apic_XXXX, where XXXX is the Tenant ID. Similarly, each Tenant is assigned a random, unique route domain ID. After successfully deploying a service graph on the BIG-IP system, you can log in to the BIG-IP system to view the configuration.
Cisco APIC uses a single admin-level userid and password to configure the BIG-IP system on behalf of all tenants. Tenants are not expected to log in to the BIG-IP system to diagnose issues: that is the responsibility of the provider administrator.
When you are choosing BIG-IP devices to integrate with Cisco APIC, F5 recommends you use dedicated device(s), and not a BIG-IP system that is already being used (or will be used) for another purpose. This is mainly because parts of this configuration, especially the device cluster HA setup, are managed by the device package.
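The layout described above (one apic_XXXX partition and one unique route domain per tenant, on a device dedicated to APIC) can be checked after deployment. The following is an added example, not F5 or Cisco code; the input shape (a mapping of partition name to route domain ID, as collected by the provider administrator) and all sample values are constructed for illustration.

```python
import re
from collections import defaultdict

# apic_XXXX, where XXXX is the Tenant ID (naming rule taken from the page).
APIC_PARTITION = re.compile(r"apic_(.+)")


def audit_partitions(partitions, tenant_ids):
    """partitions: {partition name: route domain ID}; tenant_ids: IDs known to APIC.

    Returns findings by kind. All lists empty means the device matches the
    one-partition, one-route-domain-per-tenant layout on a dedicated device.
    """
    findings = {"missing": [], "orphaned": [], "shared_route_domain": [], "foreign": []}
    by_route_domain = defaultdict(list)
    seen = set()
    for name, route_domain in sorted(partitions.items()):
        match = APIC_PARTITION.fullmatch(name)
        if not match:
            # Common is the BIG-IP default partition; anything else suggests
            # the device is also used for another purpose.
            if name != "Common":
                findings["foreign"].append(name)
            continue
        tenant = match.group(1)
        seen.add(tenant)
        by_route_domain[route_domain].append(name)
        if tenant not in tenant_ids:
            findings["orphaned"].append(name)  # partition left behind for an unknown tenant
    findings["missing"] = sorted(f"apic_{t}" for t in set(tenant_ids) - seen)
    # Two tenant partitions on one route domain means their address spaces are not separated.
    findings["shared_route_domain"] = sorted(
        (rd, names) for rd, names in by_route_domain.items() if len(names) > 1)
    return findings


# Constructed sample data: tenant IDs and route domain IDs are made up.
SAMPLE_PARTITIONS = {"Common": 0, "apic_5437": 1201, "apic_5440": 1201,
                     "apic_9001": 877, "legacy_web": 0}
SAMPLE_TENANTS = {"5437", "5440", "6002"}

if __name__ == "__main__":
    for kind, items in audit_partitions(SAMPLE_PARTITIONS, SAMPLE_TENANTS).items():
        print(kind, items)
```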
The logical flow between Cisco APIC and the BIG-IP system
A typical network topology using the BIG-IP® system integrated with Cisco ACI
The internal and external interfaces on the BIG-IP system are connected to leaf nodes in the ACI architecture. Items such as web servers, database engines, and application tiers are also connected to leaf nodes. Spine nodes handle the routing between the BIG-IP system and the various other end points necessary to deliver an application service.
The management port of the BIG-IP system is connected out-of-band to a switch outside of the ACI architecture (not shown in the diagram) to provide management access.
This diagram is not meant to illustrate all possible architectures, but rather to communicate a typical architecture showing where the BIG-IP system fits into the Cisco ACI architecture.
Be sure your environment meets or exceeds the requirements described here before you integrate the F5® BIG-IQ® Cloud with Cisco APIC.
Be sure your environment meets or exceeds these requirements before you integrate the F5® BIG-IQ® Cloud with Cisco APIC.
Refer to the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide for specific details about how to configure APIC.
Be sure your environment meets or exceeds these requirements before you attempt to integrate the F5® BIG-IQ® Cloud with Cisco APIC. Refer to the BIG-IP® system documentation on the F5 technical support site (http://support.f5.com/kb/en-us/products/big-ip_ltm.html) for specific information about how to configure the BIG-IP system to meet these requirements.
Some of the tasks you perform to deploy BIG-IQ® Cloud in a Cisco APIC environment are performed on the BIG-IQ device. You discover devices, create a connector and a custom template, and then export a device package. This device package is the key element of the integration from the Cisco APIC perspective. The parameters and values communicated when you import the package contain the configuration information the Cisco environment needs to perform the integration.
An iApp is an application template located on F5 devices. When you discover an F5 device, all iApps® application templates installed on that device are imported to the BIG-IQ® system.
You must create at least one custom catalog template, based on an iApps template, that provides the network settings, levels of services, and so forth, that you expect to see in your APIC environment. You can modify the base template, choosing default values for selected parameters and specifying which parameters can be edited by the tenant. The values specified in the application templates you create are included in the device package that you export to Cisco APIC.
After you finish configuring BIG-IQ® Cloud for integration, there are some tasks to perform in the Cisco APIC environment to complete the integration. You install the device package, create a device cluster, and then create a service graph.
A device cluster is a logical representation of one or more concrete devices acting as a single device. Concrete devices are physical (or virtual) BIG-IP® devices added to the device cluster. For more information, refer to the Cisco APIC documentation.
Importing the Device Package
Verifying successful installation of the package
For Cisco APIC version 1.2 users, you can use Device Manager and Chassis Manager to extend the function of the Cisco APIC user interface to provide support for BIG-IQ® high availability and vCMP®.
If you are going to enable Device Manager and Chassis Manager, you must do so before you create the device cluster.
<polUni>
  <infraInfra>
    <vnsMDevMgr vendor="F5" model="BIGIQ" version="2.0-<APIC-Connector>">
      <vnsRsMDevMgrToMDev tDn="uni/infra/mDev-F5-BIGIQ-2.0-<APIC-Connector>" />
    </vnsMDevMgr>
  </infraInfra>
</polUni>
<polUni>
  <infraInfra>
    <vnsMChassis vendor="F5" model="BIGIQ" version="2.0-<APIC-Connector>">
      <vnsRsMChassisToMDev tDn="uni/infra/mDev-F5-BIGIQ-2.0-<APIC-Connector>" />
    </vnsMChassis>
  </infraInfra>
</polUni>
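Before posting either payload to APIC, the connector name has to be substituted for <APIC-Connector>, and the result must be well-formed with a tDn that agrees with the vendor, model and version attributes. The following is an added example, not F5 or Cisco code; it assumes the tDn follows the uni/infra/mDev-vendor-model-version pattern visible in both payloads, and the connector name and its allowed character set are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Manager class -> relation child, as they appear in the two payloads on this page.
RELATION = {"vnsMDevMgr": "vnsRsMDevMgrToMDev", "vnsMChassis": "vnsRsMChassisToMDev"}
# Assumption: connector names use only these characters. Anything else is refused
# so the value cannot break out of the attribute or alter the DN.
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]+")


def build_payload(manager_class, connector):
    """Build the polUni document for one manager class with the connector name filled in."""
    if not SAFE_NAME.fullmatch(connector):
        raise ValueError(f"unsafe connector name: {connector!r}")
    version = f"2.0-{connector}"
    root = ET.Element("polUni")
    infra = ET.SubElement(root, "infraInfra")
    mgr = ET.SubElement(infra, manager_class, vendor="F5", model="BIGIQ", version=version)
    ET.SubElement(mgr, RELATION[manager_class], tDn=f"uni/infra/mDev-F5-BIGIQ-{version}")
    return ET.tostring(root, encoding="unicode")


def check_payload(xml_text):
    """Return a list of problems found in a payload; an empty list means it is consistent."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    managers = [el for el in root.iter() if el.tag in RELATION]
    if root.tag != "polUni" or not managers:
        problems.append("expected polUni containing vnsMDevMgr or vnsMChassis")
    for mgr in managers:
        expected = "uni/infra/mDev-{}-{}-{}".format(
            mgr.get("vendor"), mgr.get("model"), mgr.get("version"))
        rels = mgr.findall(RELATION[mgr.tag])
        if len(rels) != 1:
            problems.append(f"{mgr.tag}: expected one {RELATION[mgr.tag]} child")
        for rel in rels:
            if rel.get("tDn") != expected:
                problems.append(f"{mgr.tag}: tDn {rel.get('tDn')!r} != {expected!r}")
    return problems


if __name__ == "__main__":
    for cls in RELATION:
        doc = build_payload(cls, "example-connector")  # constructed connector name
        print(doc, check_payload(doc))
```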
As part of the BIG-IQ® Cloud and Cisco APIC integration, you need to create an L4-L7 device cluster. Creating the cluster using the F5 Device Package tells APIC a number of things about the F5 devices:
Additionally, when you create the device cluster, you specify all of the configuration details that Cisco APIC needs for the cluster.
When you create the APIC device cluster, there are a number of parameter settings to specify. The following table serves as a guide for specifying the correct settings for a BIG-IQ® Cloud integration.
|Parameter||Factors to consider when specifying|
Choose the tenant for whom you want to create the device cluster.
|L4-L7 device||Specify the F5 BIG-IQ® device package that you imported.|
Select the model that best describes the BIG-IP device that will service your applications.
The model you choose also controls which interfaces you can select.
|Mode||Select single node if you have a single BIG-IP device in the cluster, or HA Cluster if you have two BIG-IP devices in a cluster.|
|Physical Domain||Select the physical domain you created previously.|
|APIC to Device Management Connectivity||Select Out of Band.|
|Credentials||Specify a BIG-IQ user with administrative privileges.
Important: For APIC version 1.1 users, the user name and password must be the same for both the BIG-IP Cloud and the BIG-IQ devices you intend to add to the device cluster instance.
Specify the management IP address for the BIG-IP device.
Select https for the management port.
Identify each of the physical interfaces that connect to the ACI fabric.
Important: BIG-IQ Cloud, version 1.0, supports Cisco APIC version 1.1 and 1.2.
For Cisco APIC version 1.1 users:
For Cisco APIC Version 1.2 users, you can use Device Manager and Chassis Manager to extend the function of the Cisco APIC user interface to provide support for BIG-IQ HA and vCMP.
|Device Configuration||For each parameter you want to specify for the device, double-click the parameter and specify the value. The device package configures the BIG-IP Cloud appropriately.|
Exporting the device cluster
You should be able to view the device cluster you exported.
Viewing the device cluster
A service graph is a single listener (virtual server) with its associated configuration objects that are required to allow traffic to go through the BIG-IP® system to a destination pool and the nodes in that pool.
The virtual server itself is unique, so each service graph is one virtual server. You can associate configuration objects and you can share some of those objects between the service graphs (virtual servers). The virtual server port, protocol, and IP address are all unique.
A multigraph means that a BIG-IQ system has multiple service graphs that are associated with a single tenant on the BIG-IQ device.
Applying the service graph template
Applying the service graph template to EPGs
If you log in to the BIG-IQ® device and look at the Applications tab, you can confirm that the application deployed successfully.
If you log in to one of the BIG-IP® devices and look at the screen, you can confirm that the iApp deployed successfully.