F5® products integrate with Cisco Application Policy Infrastructure Controller (APIC) using a Device Package. The F5 BIG-IP® Device Package for Cisco APIC is downloaded from an iWorkflow device and then imported into APIC. The file contains:
APIC is built with a standard application programming interface (API) used to configure services implemented by integrated vendor devices, such as F5. The F5 BIG-IP device package for Cisco APIC implements the API specific to the semantics of the BIG-IP system.
Using Cisco APIC, a customer can configure tenants, device clusters containing one or two BIG-IP devices, and service graphs. When a service graph is pushed to the BIG-IP system, the F5 BIG-IP Device Package for Cisco APIC running on Cisco APIC uses iApps® to configure all aspects of the supported service.
Each Tenant context is assigned a unique partition on the BIG-IP system, in the form of apic-<APIC Tenant>-<VRF Name>-XXXX, where XXXX is the Tenant ID. Similarly, each Tenant is assigned a random, unique route domain ID. After successfully deploying a service graph on the BIG-IP system, you can log in to the BIG-IP system to view the configuration.
Cisco APIC uses a single admin-level userid and password to configure the BIG-IP system on behalf of all tenants. Tenants are not expected to log in to the BIG-IP system to diagnose issues: that is the responsibility of the provider administrator.
When you are choosing BIG-IP devices to integrate with Cisco APIC, F5 recommends you use dedicated device(s), and not a BIG-IP system that is already being used (or will be used) for another purpose. This is mainly because parts of this configuration, especially the device cluster HA setup, are managed by the device package.
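A consistency check for the partition and route domain scheme described above, as an added example that is not part of the F5 documentation: it flags partitions that do not follow the apic-<APIC Tenant>-<VRF Name>-XXXX form on a device meant to be dedicated to APIC, tenant partitions left on route domain 0, and route domains shared by more than one Tenant ID. The inventory format, the function name `audit_partitions`, the sample values, and the treatment of XXXX as the last hyphen-separated token are assumptions.

```python
import re
from collections import defaultdict

# Partition name format from the text: apic-<APIC Tenant>-<VRF Name>-XXXX.
# Assumption: XXXX (the Tenant ID) is the last hyphen-separated token. Tenant
# and VRF names may contain hyphens themselves, so they are kept together.
APIC_PARTITION = re.compile(r"^apic-(?P<tenant_vrf>.+-.+)-(?P<tenant_id>[^-]+)$")

def audit_partitions(inventory):
    """inventory: iterable of (partition_name, route_domain_id) pairs.
    Returns a sorted list of (finding_kind, subject) tuples."""
    findings = []
    tenants_by_rd = defaultdict(set)
    for name, rd in inventory:
        if name == "Common":          # built-in shared partition, always present
            continue
        m = APIC_PARTITION.match(name)
        if m is None:
            # The text recommends devices dedicated to the APIC integration.
            findings.append(("unmanaged-partition", name))
        elif rd == 0:
            # Route domain 0 is the BIG-IP default, not a per-tenant one.
            findings.append(("default-route-domain", name))
        else:
            tenants_by_rd[rd].add(m.group("tenant_id"))
    for rd, tenant_ids in tenants_by_rd.items():
        if len(tenant_ids) > 1:       # two different tenants share a route domain
            findings.append(("shared-route-domain", str(rd)))
    return sorted(findings)

# Constructed sample inventory (not taken from a real device).
SAMPLE = [
    ("Common", 0),
    ("apic-Sales-vrf1-5437", 1812),
    ("apic-Sales-vrf2-5437", 1812),    # same Tenant ID: not a cross-tenant share
    ("apic-HR-prod-vrf-6120", 1812),   # different Tenant ID on the same route domain
    ("apic-Dev-vrf1-7001", 0),         # tenant partition on the default route domain
    ("legacy_app", 0),                 # partition not created by the device package
]

if __name__ == "__main__":
    for kind, subject in audit_partitions(SAMPLE):
        print(f"{kind}: {subject}")
```
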
The logical flow between Cisco APIC and the BIG-IP system
A typical network topology using the BIG-IP® system integrated with Cisco ACI
The internal and external interfaces on the BIG-IP system are connected to leaf nodes in the ACI architecture. Items such as web servers, database engines, and application tiers are also connected to leaf nodes. Spine nodes handle the routing between the BIG-IP system and the various other end points necessary to deliver an application service.
The management port of the BIG-IP system is connected out-of-band to a switch outside of the ACI architecture (not shown in the diagram) to provide management access.
This diagram is not meant to illustrate all possible architectures but rather communicate a typical architecture showing where the BIG-IP system fits into the Cisco ACI architecture.
Be sure your environment meets or exceeds the requirements described here before you integrate the F5® iWorkflow™ with Cisco APIC.
Be sure your environment meets or exceeds these requirements before you integrate the F5® iWorkflow™ with Cisco APIC.
Refer to the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide for specific details about how to configure APIC.
Be sure your environment meets or exceeds these requirements before you attempt to integrate the F5® iWorkflow™ with Cisco APIC. Refer to the BIG-IP® system documentation on the F5 technical support site (support.f5.com/kb/en-us/products/big-ip_ltm.html) for specific information about how to configure the BIG-IP system to meet these requirements.
Some of the tasks you perform to deploy iWorkflow™ in a Cisco APIC environment are performed on the iWorkflow device. You discover devices, create a connector and a custom template, and then export a device package. This device package is the key element of the integration from the Cisco APIC perspective. The parameters and values communicated when you import the package contain the configuration information the Cisco environment needs to perform the integration.
Before creating a guest on the system, verify that you have provisioned the vCMP feature on the vCMP host.
| Value | Description |
|---|---|
| Bridged (Recommended) | Connects the guest to the management network. Selecting this value causes the IP Address setting to appear. |
| Isolated | Prevents the guest from being connected to the management network and disables the host-only interface. Important: If you select Isolated, do not enable the Appliance Mode setting when you initially create the guest. For more information, see the step for enabling the Appliance Mode setting. |
Before you can discover a vCMP guest, you must first create and deploy it on the vCMP host.
You must create at least one custom catalog template, based on an iApps® Template, that provides the network settings, levels of services, and so forth, that you expect to see in your APIC environment. You can modify the base template, choosing default values for selected parameters and specifying which parameters can be edited by the tenant. The values specified in the application templates you create are included in the device package that you export to Cisco APIC.
After you finish configuring iWorkflow™ for integration, there are some tasks to perform in the Cisco APIC environment to complete the integration. You install the device package, create a device cluster, and then create a service graph.
A device cluster is a logical representation of one or more concrete devices acting as a single device. Concrete devices are physical (or virtual) BIG-IP® devices added to the device cluster. For more information, refer to the Cisco APIC documentation.
Importing the Device Package
Verifying successful installation of the package
Using the chassis manager, you specify the configuration details for the vCMP hosts on which your vCMP guests reside. Cisco APIC needs these details so it can communicate with the guests. When you use multiple vCMP hosts to create a high availability cluster, create a new chassis for each host.
As part of the iWorkflow™ and Cisco APIC integration, you create an L4-L7 device cluster. Creating the BIG-IP® device cluster using the F5 Device Package tells APIC a number of things about the F5 BIG-IP devices:
Additionally, when you create the device cluster, you specify all of the configuration details that Cisco APIC needs for the cluster.
Exporting the device cluster
You should be able to view the device cluster you exported.
Viewing the device cluster
A service graph is a single listener (iApp) with its associated configuration objects that are required to allow traffic to go through the BIG-IP® system to a destination pool and the nodes in that pool.
The iApp itself is unique, so each service graph is one iApp. You can associate configuration objects and you can share some of those objects between the service graphs (iApps). The iApp port, protocol, and IP address are all unique.
A multigraph means that an iWorkflow system has multiple service graphs that are associated with a single tenant on the iWorkflow device.
To enhance security, SSL certificates and keys are managed locally in the SSL Certificate List under BIG-IP File Management.
Using the iWorkflow service catalog workflow, when you create a template, you can reference SSL certificates and keys that are stored in the Common partition. You must have Administrator rights to perform this task.
In the following example, the f5.http iApp template is being used to create a new template. It is referencing SSL certificates and keys that are stored in the /Common partition.
Managing SSL certificates and keys
As Administrator, you have the option to make this field tenant editable, which makes the SSL certificate and key fields visible in the Cisco APIC user interface.
Applying the service graph template
Applying the service graph template to EPGs
If you log in to the iWorkflow™ device and look at the Services panel, you can confirm that the application deployed successfully.
If you log in to one of the BIG-IP® devices and look at the screen, you can confirm that the iApp deployed successfully.