Manual Chapter: Integrating with Cisco APIC

Applies To:

F5 iWorkflow

  • 2.3.0

About F5 and Cisco APIC integration

F5® products integrate with Cisco Application Policy Infrastructure Controller (APIC) using a Device Package. You download the F5 BIG-IP® Device Package for Cisco APIC from an iWorkflow device and then import it into APIC. The file contains:

  • A device model, which describes the features and functions available to APIC on the BIG-IP system
  • A device script, which implements the features and functions described by the device model

APIC is built with a standard application programming interface (API) used to configure services implemented by integrated vendor devices, such as F5. The F5 BIG-IP device package for Cisco APIC implements the API specific to the semantics of the BIG-IP system.

Using Cisco APIC, a customer can configure tenants, device clusters containing one or two BIG-IP devices, and service graphs. When a service graph is pushed to the BIG-IP system, the F5 BIG-IP Device Package for Cisco APIC running on Cisco APIC uses iApps® to configure all aspects of the supported service.

Each Tenant context is assigned a unique partition on the BIG-IP system, in the form of apic-<APIC Tenant>-<VRF Name>-XXXX, where XXXX is the Tenant ID. Similarly, each Tenant is assigned a random, unique route domain ID. After successfully deploying a service graph on the BIG-IP system, you can log in to the BIG-IP system to view the configuration.

Cisco APIC uses a single admin-level userid and password to configure the BIG-IP system on behalf of all tenants. Tenants are not expected to log in to the BIG-IP system to diagnose issues: that is the responsibility of the provider administrator.

When you are choosing BIG-IP devices to integrate with Cisco APIC, F5 recommends you use dedicated device(s), and not a BIG-IP system that is already being used (or will be used) for another purpose. This is mainly because parts of this configuration, especially the device cluster HA setup, are managed by the device package.

The logical flow between Cisco APIC and the BIG-IP system

  1. An administrator uses the northbound API or the user interface on APIC for configuration.
  2. Service graphs created on APIC cause device packages to push network configurations to BIG-IPs and iApp configuration to iWorkflow.
  3. The APIC API for L4-L7 services is implemented by the F5 device script.
  4. The device script uses iApp calls to translate the standard APIC API calls into BIG-IP system calls. The iApp configuration is sent to iWorkflow by the device package. iWorkflow then translates this call and implements the service to the BIG-IP.
  5. Status and information from these calls are packaged and returned to APIC for processing.

APIC-related documentation

  • For detailed information about Cisco ACI, see http://www.cisco.com/c/en/us/solutions/data-center-virtualization/application-centric-infrastructure/index.html.
  • For detailed information about Cisco APIC, see http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
  • For more information about APIC, refer to your Cisco APIC documentation set.

About network topology using the BIG-IP system integrated with Cisco APIC

A typical network topology using the BIG-IP® system integrated with Cisco ACI

The internal and external interfaces on the BIG-IP system are connected to leaf nodes in the ACI architecture. Items such as web servers, database engines, and application tiers are also connected to leaf nodes. Spine nodes handle the routing between the BIG-IP system and the various other end points necessary to deliver an application service.

The management port of the BIG-IP system is connected out-of-band to a switch outside of the ACI architecture (not shown in the diagram) to provide management access.

This diagram is not meant to illustrate all possible architectures but rather communicate a typical architecture showing where the BIG-IP system fits into the Cisco ACI architecture.

Important: Make sure you are using the most recent version of this guide, available at support.f5.com.

Version requirements

Make sure your environment meets or exceeds these requirements before you integrate F5® iWorkflow™ with Cisco APIC.

  • Cisco APIC and Switch software
  • F5 iWorkflow version 2.3.0

Minimum Cisco APIC requirements

Be sure your environment meets or exceeds these requirements before you integrate the F5® iWorkflow™ with Cisco APIC.

  • You must have access to an administrator-level account on the Cisco APIC.
  • All external network configuration must be complete.
  • The Layer 3 networks must be defined and operational.
  • The initial configuration of APIC and ACI must be complete. This includes racking and cabling the hardware, powering on the devices, installing the Cisco APIC and Switch version software, configuring the management IP address and verifying that it is reachable.
  • The AAA configuration (such as RADIUS or LDAP) must be completed and operational. You might need to create an application EPG to reach external AAA servers to verify the AAA configuration is functioning properly.
  • Any APIC tenants, security domains, private network(s), bridge domain(s), and related objects must be configured and operational.
  • Any inter-EPG application filters, contracts, and application profiles (if needed) to facilitate traffic flow between EPGs must be created.
  • You must have created a management EPG, which is required for APIC to reach the management IP addresses of the BIG-IP® system(s).
  • If you are testing multi-tenancy, you must have access to an account assigned to a tenant.
  • If you plan on using the BIG-IP Virtual Edition (VE) in your environment, you must have created a Virtual Machine Mobility (VMM) domain and configured vCenter integration.
  • If you plan on using a physical BIG-IP appliance in your environment, you must have created a physical domain.

Refer to the Cisco APIC Layer 4 to Layer 7 Services Deployment Guide for specific details about how to configure APIC.

Minimum F5 BIG-IP requirements

Be sure your environment meets or exceeds these requirements before you attempt to integrate the F5® iWorkflow™ with Cisco APIC. Refer to the BIG-IP® system documentation on the F5 technical support site (support.f5.com/kb/en-us/products/big-ip_ltm.html) for specific information about how to configure the BIG-IP system to meet these requirements.

  • You must have access to an administrator-level account on the BIG-IP system.
  • The BIG-IP system must be running a supported version.
    Note: For the most current list of compatible versions, refer to the F5 iWorkflow compatibility matrix (K11198324) on support.f5.com.
  • The BIG-IP system must be cabled to a leaf switch and powered on (if using an appliance), or started in a VMware environment (if using a Virtual Edition).
  • You must have discovered the BIG-IP devices you plan to use with the iWorkflow system.

About configuring the iWorkflow device for a Cisco APIC integration

Some of the tasks you perform to deploy iWorkflow™ in a Cisco APIC environment are performed on the iWorkflow device. You discover devices, create a connector and a custom template, and then export a device package. This device package is the key element of the integration from the Cisco APIC perspective. The parameters and values communicated when you import the package contain the configuration information the Cisco environment needs to perform the integration.

Provisioning the vCMP feature

Before performing this task, ensure that the amount of reserve disk space that the provisioning process creates is sufficient. Attempting to adjust the reserve disk space after you have provisioned the vCMP® feature produces unwanted results.
Performing this task creates the vCMP host (the hypervisor) and dedicates most of the system resources to running vCMP.
Warning: If the system currently contains any BIG-IP® module configuration data, this data will be deleted when you provision the vCMP feature.
  1. Log in to the BIG-IP® device with the administrator user name and password.
  2. On the Main tab, click System > Resource Provisioning.
  3. Verify that all BIG-IP modules are set to None.
  4. From the vCMP list, select Dedicated.
  5. Click Submit.
After provisioning the vCMP feature, the system reboots TMOS® and prompts you to log in again. This action logs you in to the vCMP host, thereby allowing you to create guests and perform other host configuration tasks.

Create a vCMP connector

To enable integration between the vCMP® host and F5 iWorkflow™, you must configure a cloud connector. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters that are required by third-party cloud providers.

  1. Log in to iWorkflow™ with the administrator user name and password.
  2. At the top of the screen, click Clouds and Services and then, on the Clouds header, click the + icon.
    The New Cloud screen opens.
  3. In the Name and Description fields, type a name and description for this connector.
    You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  4. From the Connector Type list, select vCMP.
    The screen displays additional settings specific to vCMP.
  5. In the VCMP Host field, type the IP address of the vCMP host.
  6. For the vCMP Host Certificate SHA-512 Hash field, to avoid security threats, verify the SSL certificate hash of the host.
    Note: Either manually enter or automatically retrieve the certificate hash. Run the command openssl x509 -noout -fingerprint -sha512 -in <path to certificate file> | tr -d ':' to verify with OpenSSL. If the iWorkflow certificate unexpectedly changes in the future, a warning displays and interactions with the host are prevented.
  7. In the UserName and Password fields, type the credentials that the iWorkflow device will use to authenticate to the vCMP host.
  8. Click Save.

The vCMP connector begins managing the vCMP Host. vCMP guests will be automatically discovered and displayed in the Devices panel as they are created for this vCMP host.

During the automatic discovery of vCMP guests, you may need to enter the user name and password for the vCMP guest in the Devices panel. After you enter the credentials, click Rediscover.

It is important to associate a vCMP connector with each vCMP host before using the vCMP-based BIG-IP devices in an APIC deployment. The vCMP connector coordinates deployment of some network resources that affect vCMP guest and the vCMP host machines. These network resources include VLANs.
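
The hash check in step 6 above, as an added example (not F5 code): it computes a certificate's SHA-512 fingerprint and compares it with a value recorded earlier, accepting either raw openssl output or the colon-stripped form that the command in the note produces. The sample certificate is constructed placeholder bytes in PEM armor, and all function names are assumptions.

```python
import hashlib
import hmac
import re
import ssl

# Constructed stand-in for the vCMP host certificate: placeholder bytes in PEM
# armor, NOT a real X.509 certificate. The fingerprint is a hash of the DER
# bytes, so the comparison logic behaves the same on a real certificate file.
SAMPLE_DER = b"constructed placeholder standing in for the vCMP host certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)


def fingerprint_from_pem(pem_text):
    """Return the SHA-512 fingerprint (128 lowercase hex digits) of a PEM certificate.

    This is the digest `openssl x509 -fingerprint -sha512` reports: SHA-512
    over the certificate's DER encoding.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_text.strip())
    return hashlib.sha512(der).hexdigest()


def normalize_fingerprint(text):
    """Reduce a pasted fingerprint to 128 lowercase hex digits.

    Accepts bare hex, colon-separated hex, and openssl output with its
    'SHA512 Fingerprint=' prefix. Raises ValueError for anything else,
    for example a SHA-256 value or a truncated paste.
    """
    value = text.strip().rsplit("=", 1)[-1]
    value = re.sub(r"[:\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]{128}", value):
        raise ValueError("expected a SHA-512 fingerprint of 128 hex digits")
    return value


def certificate_matches(pem_text, recorded_fingerprint):
    """True only if the certificate hashes to the recorded fingerprint."""
    return hmac.compare_digest(
        fingerprint_from_pem(pem_text),
        normalize_fingerprint(recorded_fingerprint),
    )


def as_openssl_output(hex_digest):
    """Format a hex digest the way openssl prints it, for the demo below."""
    pairs = [hex_digest[i:i + 2] for i in range(0, len(hex_digest), 2)]
    return "SHA512 Fingerprint=" + ":".join(pairs).upper()


if __name__ == "__main__":
    recorded = as_openssl_output(fingerprint_from_pem(SAMPLE_PEM))
    print("same certificate:   ", certificate_matches(SAMPLE_PEM, recorded))
    # One changed byte in the certificate must fail the comparison.
    changed = ssl.DER_cert_to_PEM_cert(SAMPLE_DER + b"!")
    print("changed certificate:", certificate_matches(changed, recorded))
```

Record the fingerprint from a copy of the certificate obtained out-of-band, then compare it with the value shown in the vCMP Host Certificate SHA-512 Hash field before saving the connector.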

Creating a vCMP guest for Cisco APIC

Before creating a guest on the system, verify that you have provisioned the vCMP feature on the vCMP host.

The guests you create serve as virtual BIG-IP devices that manage traffic for your Cisco APIC integration.
Note: When creating a guest, if you see an error message such as Insufficient disk space on /shared/vmdisks. Need 24354M additional space., you must delete existing unattached virtual disks until you have freed up that amount of disk space.
Important: If you are planning to add this guest to a Sync-Failover device group and enable connection mirroring with a guest on another chassis, you must ensure that the two guests are configured identically with respect to slot assignment and core allocation. That is, the number of cores, the number of slots, and even the slot numbers on which the guests reside must be the same. Therefore, you must ensure that on each guest of the mirrored pair, the values match for the Cores per Slot, Number of Slots, Minimum Number of Slots, and Allowed Slots settings.
  1. Use a browser to log in to the vCMP® host, using the primary cluster management IP address.
  2. On the Main tab, click vCMP > Guest List.
    This displays a list of guests on the system.
  3. Click Create.
  4. From the Properties list, select Basic.
  5. In the Name field, type a name for the guest.
  6. In the Host Name field, type a fully-qualified domain name (FQDN) for the guest.
    If you leave this field blank, the system assigns the name localhost.localdomain.
  7. From the Cores Per Slot list, select the total number of logical cores that the guest needs, based on the guest's memory requirements.
    The value you select causes the host to assign that number of cores to each slot on which the guest is deployed. The host normally allocates cores per slot in increments of two (two, four, six, and so on).
    Important: Cores for a multi-slot guest do not aggregate to provide a total amount of memory for the guest. Therefore, you must choose a Cores per Slot value that satisfies the full memory requirement of the guest. After you finish creating the guest, the host allocates this amount of memory to each slot to which you assigned the guest. This ensures that the memory is sufficient for each guest if any blade becomes unavailable. For blade platforms with solid-state drives, you can allocate a minimum of one core per guest instead of two. For metrics on memory and CPU support per blade model, see the vCMP® guest memory/CPU allocation matrix at http://support.f5.com.
  8. From the Number of Slots list, select the maximum number of slots that you want the host to allocate to the guest.
  9. From the Management Network list, select a value:
    • Bridged (Recommended): Connects the guest to the management network. Selecting this value causes the IP Address setting to appear.
    • Isolated: Prevents the guest from being connected to the management network and disables the host-only interface.
    Important: If you select Isolated, do not enable the Appliance Mode setting when you initially create the guest. For more information, see the step for enabling the Appliance Mode setting.
  10. If the IP Address setting is displayed, specify the required information:
    1. In the IP Address field, type a unique management IP address that you want to assign to the guest.
      You use this IP address to access the guest when you want to manage the BIG-IP modules running within the guest.
    2. In the Network Mask field, type the network mask for the management IP address.
    3. In the Management Route field, type a gateway address for the management IP address.
    Important: Assigning an IP address that is on the same network as the host management port has security implications that you should carefully consider.
  11. From the Initial Image list, select the ISO image file for creating the guest's virtual disk that matches the other guests in the cluster.
  12. From the Initial Hotfix list, select the hot fix for creating the guest's virtual disk that matches the other guests in the cluster.
  13. Do not set up any VLANs.
  14. In the Requested State list, retain the default value, Configured.
  15. Click Finish.
    The system installs the selected ISO image onto the guest's virtual disk and displays a status bar to show the progress of the resource allocation.
You now have a new vCMP guest on the system in the Configured state with an ISO image installed.

Deploying a vCMP guest for Cisco APIC

Setting a guest to the Deployed state makes it possible to provision and configure BIG-IP® modules on the guest.
  1. Confirm that you are logged in to the vCMP host.
  2. On the Main tab, click vCMP > Guest List.
    The display lists the guests and their current configurations.
  3. Select the guest to deploy.
  4. Click Deploy.
When the vCMP® guest is in the Deployed state, you can provision and configure BIG-IP modules within the guest so that the guest can begin processing application traffic.

Discovering a BIG-IP guest

Before you can discover a vCMP guest, you must first create and deploy it on the vCMP host.

Discovering BIG-IP devices is the first step to managing them.
Important: If you are configuring an integration with a BIG-IP device, use the Discovering a BIG-IP device in your network by its IP address task instead of this one.
  1. Log in to iWorkflow™ with the administrator user name and password.
  2. On the Devices header, click the + icon, and then select Discover Device.
    The Devices panel expands to show the Discover Device screen.
  3. For the IP Address, specify the guest's management IP address.
  4. In the User Name and Password fields, type the administrator user name and password for the managed device.
  5. Click Save to start the discovery task.
The iWorkflow system populates the properties of the guest that you added in the Devices panel.
Repeat this task to create a second guest on a second BIG-IP host to serve as a high availability peer for this guest.

Discovering a BIG-IP device in your network by its IP address

After you license and perform the initial configuration for the iWorkflow™ system, you can discover BIG-IP® devices running supported versions.
Note: For the most current list of compatible versions, refer to the F5 iWorkflow compatibility matrix (K11198324) on support.f5.com.
For discovery to succeed, you must configure the iWorkflow system with a route to each F5 device that you want to manage. If you do not specify the required network communication route between the devices, then device discovery fails.
Important: The iWorkflow system will attempt discovery of BIG-IP devices running versions other than those noted (above) as fully supported. Discovering unsupported devices is not recommended.
Important: If you are configuring an integration with a BIG-IP guest, use the Discovering a BIG-IP guest task instead of this one.
Important: A vCMP® host cannot be discovered using the Device panel. To manage a vCMP host, you must create a vCMP Cloud connector.
Important: In this release of iWorkflow, guests in a VIPRION® cluster cannot be discovered using the Device panel.
Discovering BIG-IP devices is the first step to managing them.
Important: When you discover a device, iWorkflow software installs components on the device. The installation process can cause the traffic management interface (TMM) on the BIG-IP device to restart. Therefore, before discovering a device, verify that no critical network traffic is targeted to the BIG-IP device.
  1. Log in to iWorkflow™ with the administrator user name and password.
  2. Select either the Clouds and Services or BIG-IP Connectivity component.
  3. On the Devices header, click the + icon, and then select Discover Device.
    Note: You can perform this step in either iWorkflow Device or iWorkflow Cloud.
    The Devices panel expands to show the Discover Device screen.
  4. For the IP Address, specify the device's internal self-IP address.
  5. In the User Name and Password fields, type the administrator user name and password for the managed device.
    Important: For successful device discovery, you must use the admin account, not the root account. If root access is needed, the system prompts you for it.
  6. Click Save to start the discovery task.
The iWorkflow system populates the properties of the device that you added in the Devices panel.

Adding a Cisco APIC connector

Before you add a Cisco APIC connector, you must discover the F5 devices that you plan to include in your Cisco APIC integration.

To use vCMP® with iWorkflow 2.3.0, you must create the vCMP connectors before you create an APIC connector.

To enable integration between an APIC and iWorkflow™, you must create a cloud connector. A cloud connector is a resource that identifies the local or virtual environment in which a tenant deploys applications and, when necessary, adds parameters required by third-party cloud providers.
Important: Do not create more than one Cisco APIC connector.
  1. Log in to iWorkflow™ with the administrator user name and password.
  2. On the Clouds header, click the + icon.
    The New Cloud screen opens.
  3. In the Name and Description fields, type a name and description.
    You can use the name and description to help you organize network resources into logical groups based on certain criteria, such as the location or application.
  4. From the Connector Type list, select Cisco APIC.
  5. Click Save.

Exporting an iApps template

Before exporting an iApps® Template, make sure to discover a BIG-IP® device or guest in your network by its IP address.
You export an iApps Template on a BIG-IP system in order to continue the discovery process before importing an iApps Template to iWorkflow™.
  1. Log in to a BIG-IP system with your username and password.
  2. On the Main tab, click iApps > Templates.
    The Templates list screen opens.
  3. In the template list Name column, click f5.http.
    The template properties screen opens.
  4. Scroll to the bottom of the screen and click Export.
  5. On the Export Templates and Scripts screen, for the Archive File setting, click Download:<file name> and save the file locally.
  6. With a text editor, open the file you just downloaded. The default file name is template.tmpl.
  7. Search for the template value within the iApps file; this is typically found toward the top of the file.
    Example of the template value for f5.http.iApp: sys application template /Common/f5.http.
  8. Update the version details in compliance with the iWorkflow requirements.
    The version numbers are arbitrary, but must increment in ascending order for iWorkflow to automatically import updates. Use this format for an iApps file: name.v#.#.# or name_v#.#.#, where name is the file name and v#.#.# is the version number. Example using f5.http: sys application template /Common/f5.http.v1.0.0.
  9. Click Save.

Importing an iApps template

Before you can import an iApps® Template, you must discover the F5® devices that you plan to include in your Cisco APIC integration, and add a Cisco APIC connector.
You manually import an iApps Template to the iWorkflow™ system. iApps templates create configuration-specific forms used by application services to guide authorized users through complex system configurations.
Important: If you make a modification to an iApps Template, the version number in the file must change, but the file name can remain the same. It is a best practice to include the version number in the file. The version numbers are arbitrary, but must increment in ascending order for iWorkflow to automatically import updates. Use this format for an iApp file: name.v#.#.# or name_v#.#.#, where name is the file name and v#.#.# is the version number.
  1. Log in to iWorkflow with your administrator user name and password.
  2. At the top of the screen, click Clouds and Services.
  3. On the iApps Templates header, click the + icon.
    The panel expands to display the New iApps Template.
  4. For the iApps Source setting, either import a template from a local file or copy and paste the template content:
    • To select a file to import, click Choose File.
    • To paste template content that you have, first, from the drop-down list select Paste TMPL file contents, and then paste the contents of the template in the text box.
  5. In the iApps APL JSON setting, either select a BIG-IP device to use, or paste JSON content.
    • Use an existing BIG-IP device:
      1. Leave the first list setting as Retrieve JSON from BIG-IP.
      2. From the second drop-down list, click Select and select a managed BIG-IP device to use to retrieve the JSON representation.
    • Provide custom JSON from a local file:
      1. From the first drop-down list, select Provide JSON.
      2. Then click Choose File to import a file.
    • Provide custom JSON directly:
      1. From the first drop-down list, select Provide JSON.
      2. Then from the second drop-down list, select Paste JSON file content.
      3. In the text box, paste the contents of a template.
  6. Optional: In the Minimum Supported BIG-IP Version field, type a minimum BIG-IP version supported for deployment with the iApps Template.
  7. Optional: In the Maximum Supported BIG-IP Version field, type a maximum BIG-IP version supported for deployment with the iApps Template.
  8. Optional: In the Unsupported BIG-IP Versions field, click the + icon to type each individual BIG-IP version you want to exclude.
    Click the x icon to remove a version.
  9. Click Save.
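
The naming rule from step 8 of the export procedure and from the Important note above, as an added example (not F5 code): it rewrites the sys application template line with a v#.#.# suffix and rejects a version that is not numerically higher than the one already in the file. The sample template text is constructed and abbreviated, and all function names are assumptions.

```python
import re

# Constructed, abbreviated stand-in for an exported template.tmpl; a real
# export contains the full iApp definition.
SAMPLE_TMPL = """\
cli admin-partitions {
    update-partition Common
}
sys application template /Common/f5.http {
    actions {
        definition {
            # (template body omitted in this constructed sample)
        }
    }
}
"""

# The "template value" line the export procedure tells you to search for.
HEADER_RE = re.compile(
    r"^[ \t]*sys application template[ \t]+(?P<name>\S+)", re.MULTILINE
)
# name.v#.#.# or name_v#.#.#
VERSIONED_RE = re.compile(r"^(?P<base>.+?)[._]v(?P<ver>\d+\.\d+\.\d+)$")


def parse_version(text):
    """'1.10.0' -> (1, 10, 0), so versions compare numerically, not as text."""
    if not re.fullmatch(r"\d+\.\d+\.\d+", text):
        raise ValueError(f"version must look like #.#.#, got {text!r}")
    return tuple(int(part) for part in text.split("."))


def split_template_name(name):
    """Split a template name into (base name, version tuple or None)."""
    match = VERSIONED_RE.match(name)
    if match is None:
        return name, None
    return match.group("base"), parse_version(match.group("ver"))


def find_header(tmpl_text):
    """Return the single 'sys application template' match, or raise."""
    matches = list(HEADER_RE.finditer(tmpl_text))
    if len(matches) != 1:
        raise ValueError(f"expected one template header, found {len(matches)}")
    return matches[0]


def template_name(tmpl_text):
    """Name currently declared on the template header line."""
    return find_header(tmpl_text).group("name")


def set_template_version(tmpl_text, new_version, separator="."):
    """Return the template text with its header renamed to name<sep>v#.#.#.

    Only the header line is rewritten. Raises ValueError when the new version
    is malformed or not higher than the version already in the file, because
    updates are imported automatically only for ascending version numbers.
    """
    if separator not in (".", "_"):
        raise ValueError("separator must be '.' or '_'")
    new = parse_version(new_version)
    header = find_header(tmpl_text)
    base, current = split_template_name(header.group("name"))
    if current is not None and new <= current:
        old = ".".join(map(str, current))
        raise ValueError(f"{new_version} is not higher than current {old}")
    new_name = f"{base}{separator}v{new_version}"
    return tmpl_text[:header.start("name")] + new_name + tmpl_text[header.end("name"):]


if __name__ == "__main__":
    v1 = set_template_version(SAMPLE_TMPL, "1.0.0")
    print(template_name(v1))
    v2 = set_template_version(v1, "1.10.0")
    print(template_name(v2))
    try:
        # Alphabetically "1.9.0" sorts after "1.10.0"; numerically it is lower.
        set_template_version(v2, "1.9.0")
    except ValueError as err:
        print("rejected:", err)
```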

Creating a customized service template

Before you can customize an application template for a tenant, you must discover the F5® devices that you plan to include in your Cisco APIC integration, and add a Cisco APIC connector.

You must create at least one custom catalog template, based on an iApps® Template, that provides the network settings, levels of services, and so forth, that you expect to see in your APIC environment. You can modify the base template, choosing default values for selected parameters and specifying which parameters can be edited by the tenant. The values specified in the application templates you create are included in the device package that you export to Cisco APIC.

Note: Once you have deployed a service using a template, the template cannot be modified until the associated services are removed. Alternatively, you can create a new template based on the template already in use.
  1. Log in to iWorkflow™ with your administrator user name and password.
  2. At the top of the screen, click Clouds and Services.
  3. On the Service Templates header, click the + icon.
    The panel expands to display the New L4-L7 Service Template screen.
  4. For the Input method setting, you can retain the default, import a template from a local file, or copy and paste the template content:
    • To retain the default:
      1. Verify that Use Form is selected.
      2. Proceed to the iApps Template - Name & Version setting, and step 5.
    • To select a file to import:
      1. From the list, select Use pre existing JSON.
      2. Then click Choose File.
      3. Click Save.
    • To paste template content that you have:
      1. From the list, select Use pre existing JSON.
      2. From the second list, select Paste JSON file contents, and then paste the contents of the template into the text box.
      3. Click Save.
  5. For the iApps Template - Name & Version setting, select the name of the iApps template you want to use, and then select an iApps Template version.
  6. Optional: From the Inherited Values list, select an existing Service Template to inherit all the settings that have been configured.
  7. In the Name field, type a name for a new L4-L7 Service Template.
  8. From the Cloud Availability list, select the name of the cloud template previously created.
  9. For the Displayed Parameters setting, select All to view all of the parameters for the template you select.
  10. In the Service Tier Information area, define variable names in the drop-down lists.
    Examples of variable names that are known to work with the f5.http iApps Template:
    • Name: base_template
    • Virtual Address: pool_addr
    • Virtual Port: pool_port
    • Pool: pool_members
    • Server Address: addr
    • Server Port: port
    • SSL Cert: ssl_cert
    • SSL Key: ssl_key
  11. In the Sections area that displays each of the variable names, either type a Default Value, or select the Tenant Editable check box to define each variable name. The exception is Name, which is not defined in the iApps Template.
    Note: Wrong values can cause issues with deployments as Cisco APIC tries to set variable names that are not defined in the Service Template.
  12. Click Save to save the template.
    The values set as Tenant Editable are now part of the defined Common Options for the newly created Service Template.
You can now use this connector to complete the Cisco APIC integration.

About configuring the Cisco APIC for iWorkflow integration

After you finish configuring iWorkflow™ for integration, there are some tasks to perform in the Cisco APIC environment to complete the integration. You install the device package, create a device cluster, and then create a service graph.

A device cluster is a logical representation of one or more concrete devices acting as a single device. Concrete devices are physical (or virtual) BIG-IP® devices added to the device cluster. For more information, refer to the Cisco APIC documentation.

Installing the F5 BIG-IP device package on Cisco APIC

Before you install the F5® BIG-IP® device package on your Cisco APIC, you must have fully set up and configured your Cisco APIC environment.
Install the BIG-IP device package after you have downloaded the device package but before you create device clusters.
Note: The steps and illustrations in this task make reference to the Cisco APIC version 1.2(2h). Controls for later versions of the user interface are likely to differ slightly.
  1. Log in to Cisco APIC as an administrator.
  2. On the menu bar, click L4-L7 SERVICES, and then click PACKAGES.
  3. In the right pane, click Import a Device Package.
    Importing the Device Package

  4. Click BROWSE, and then navigate to the location where you downloaded and saved the device package.
  5. Click SUBMIT to start the installation process.
  6. Once the installation is complete, verify the device package is accepted by APIC.
    1. In the left pane, click L4-L7 Service Device Types to open the folder.
    2. Click the device service package that you want, such as F5-iWorkflow-2.0, to expand the F5 iWorkflow device package for Cisco APIC.
    3. Click L4-L7 Service Functions.
    Verifying successful installation of the package

Once the F5 iWorkflow device package is successfully installed, you are ready to use Cisco APIC to deploy the services supported by the custom iApp templates you created previously. Each template you created is represented by a unique service package listed under L4-L7 Service Types > L4-L7 Services Function Profiles.
After you install the device package, you must fully configure your base Cisco APIC network settings. Consult your Cisco documentation for details. At a minimum you must:
  • Confirm that you have specified the tenants for whom you plan to make services available. If you have not, then create and configure those tenants.
  • Create and configure the end point groups and bridge domains that your tenants require.
  • Create the Physical Domain with associated VLAN and VXLANs name space.

Creating a new chassis type

You must create a new L4-L7 chassis type before you can specify configuration details for it.
Note: If you are not using a vCMP® guest, you do not need to create a new chassis type.
  1. On the menu bar, click L4-L7 Services and then click Inventory.
  2. In the left pane, right-click L4-L7 Chassis Types, and select Create L4-L7 Chassis Type.
  3. For the Vendor, type F5.
  4. For the Model, type iWorkflow.
  5. For the Version, type 2.0-apic.
  6. For the L4-L7 Service Device Type, select the name of the device package you created for this integration.
  7. Click Submit.
The new chassis type appears in the list under L4-L7 Chassis Types.

Creating a chassis manager

You need the management IP address, user name and password for the vCMP hosts on which your guests reside.

Using the chassis manager, you specify the configuration details for the vCMP hosts on which your vCMP guests reside. Cisco APIC needs these details so it can communicate with the guests. When you use multiple vCMP hosts to create a high availability cluster, create a new chassis for each host.

Note: Do not perform this procedure if you don't use vCMP guests to form your device cluster.
  1. On the menu bar, click Tenants, and then double-click the tenant for whom you are creating configurations.
    Note: You will probably want to create the chassis manager and the L4-L7 Devices in the same APIC tenant.
  2. In the left pane, expand L4-L7 Services, then right-click Chassis, and select Create Chassis.
  3. For the Chassis Name, type a name that will help you identify this chassis.
  4. For the Chassis Type, select the type you just created.
  5. Under Management, type in the IP address and port number for the vCMP host that houses your guests.
  6. Use the vCMP host credentials to fill in the Username and Password, and Confirm Password fields.
  7. Click Submit.

Creating a new device manager type

You must create a new device manager type before you can create a new device manager, and you need a device manager before you can create a new cluster.
  1. On the menu bar, click L4-L7 Services and then click Inventory.
  2. In the left pane, right-click Device Manager Types, and select Create Device Manager Type.
  3. For the Vendor, type F5.
  4. For the Model, type iWorkflow.
  5. For the Version, type 2.0-<name>.
    Where <name> is a descriptive name of your choosing.
  6. For the L4-L7 Service Device Type, select the name of the device package you uploaded for this integration.
  7. Click Submit.
The new device manager type appears in the list under L4-L7 Chassis Types. The name will appear as F5-iWorkflow-2.0-<name>

Creating a new device manager

You must create a new device manager before you can create a new device cluster.
  1. On the Tenants tab, select the tenant for which you want to create a new device manager.
  2. In the left pane, expand L4-L7 Services.
  3. In the left pane, right-click Device Manager, and select Create Device Manager.
  4. For the Device Manager Name, type a name for the new device manager.
  5. Leave Management EPG blank, or if you are managing the iWorkflow system in-band, select the appropriate end-point-group.
  6. For Management, specify the IP address and port for the iWorkflow system and then click UPDATE.
    If you have additional iWorkflow systems managed by the device manager, click the + icon to add additional addresses and ports for each system. Click UPDATE for each new entry in the list.
  7. For the Username and Password, type the credentials required to access the iWorkflow system.
    Note: All of the iWorkflow systems managed by this device manager must use the same credentials.
  8. Click Submit.
The new device manager type appears in the list under L4-L7 Chassis Types. The name will appear as F5-iWorkflow-2.0-<name>

Creating a device cluster for BIG-IP devices

If the devices in the cluster are vCMP® guests, before you create the device cluster, you must create the vCMP guests.

As part of the iWorkflow™ and Cisco APIC integration, you create an L4-L7 device cluster. Creating the BIG-IP® device cluster using the F5 Device Package tells APIC a number of things about the F5 BIG-IP devices:

  • Their network topology
  • Access credentials
  • IP addresses
  • Configuration details

Additionally, when you create the device cluster, you specify all of the configuration details that Cisco APIC needs for the cluster.

  1. On the menu bar, click Tenants, and then double-click the tenant for whom you are creating configurations.
    Note: You will probably want to create your device clusters (L4-L7 Devices) in the tenant named Common. While not required, it is helpful to put these objects in a designated shared tenant.
  2. In the left pane, expand L4-L7 Services, then right-click L4-L7 Devices, and select Create L4-L7 Devices.
  3. Specify the settings under General:
    1. For the Name, type in a name to identify this cluster.
    2. For the Physical Domain, select phys.
    3. For the Mode, select Single Node for a standalone device, or HA Cluster, if you are configuring a high availability vCMP cluster.
    4. For the Device Package, select the one you created previously for this integration.
    5. For Model, select Unknown (Manual).
    6. For Context Aware, click Multiple.
  4. For Credentials, type in the user name and password for the iWorkflow device that you are using for this integration.
  5. Specify the settings for Device 1:
    1. For the Management IP Address, type in the IP address for the first device in your new cluster.
      Important: If you are configuring a vCMP integration, use the IP address of the guest.
    2. For the Chassis, select the chassis that you created that corresponds to the vCMP host that houses your guest.
      Note: If you are not using vCMP, leave this field empty.
    3. For the Management Port, select https.
    4. For the Device Interfaces, identify each of the physical interfaces that connect to the ACI fabric.
  6. Specify the settings for Device 2, just as you did for Device 1.
  7. Specify the settings for the Cluster:
    1. For the Management IP Address, type in the IP address of the iWorkflow device you are using to manage this integration.
    2. For the Management Port, select https.
    3. For Device Manager, select the name of the manager you created for this integration.
    4. For the Cluster Interfaces, identify each of the physical interfaces that connect to the ACI fabric.
      Note: For the external interface, you select consumer; for the internal interface, you select provider.
  8. When you finish specifying the settings for the device cluster, click NEXT.
    The Device Configuration screen opens.
  9. Click All Parameters, then expand High Availability.
    Note: These two settings are required for both pre-configured and APIC-configured BIG-IP® clusters.
    1. Identify the physical interfaces that connect each of your devices.
    2. Specify values for the following parameters for both of your BIG-IP devices: High Availability Interface Name, High Availability Self IP Address, High Availability Self IP Netmask, and High Availability VLAN.
  10. If you are creating a preconfigured BIG-IP cluster, specify the following settings:
    1. Under High Availability, for the BIG-IP Cluster pre-configured? setting, select Yes for both of your BIG-IP devices.
    2. Expand Cluster and select All Parameters.
    3. Expand Cluster Preconfigured, and then for BIG-IP Cluster pre-configured?, select Yes.
    Note: To complete this task, you must provide the required parameters in the High Availability folder. Although these parameters are required, APIC ignores the values you specify because you selected Yes in the BIG-IP Cluster pre-configured? field.
  11. If you are creating an APIC-configured BIG-IP cluster, specify the following settings:
    1. Click All Parameters, then expand Device Host Configuration.
    2. For the Host Name, type the host names for both devices: one under Device 1 Value, and the other under Device 2 Value. Click Update when you finish.
    3. For the NTP Server, type the IP address of your NTP server under Device 1 Value (Device 2 Value should then populate automatically).
    4. Expand High Availability, and identify the physical interfaces that connect each of your devices. Specify values in all four fields for both devices.
      Note: You do not need to specify a setting for the VCMP Configuration parameter. With APIC 2.0, the Chassis Manager supplies this information.
      Note: If you selected a device manager, you do not need to specify an address for the iWorkflow Configuration. If you did not select a device manager, expand iWorkflow Configuration and type the management IP address of the iWorkflow system in the BigiqHost field.
  12. Optionally, you can assign a label for each BIG-IP device. Expand the device cluster you just created, click a device, then click Policy near the top right. In Context Label, type a name that will help you recognize this device in the cluster.
    Note: The context label will be useful when you fill in network information (such as self IP addresses) when you deploy a graph.
  13. Click FINISH.
Cisco APIC processes the information you provided and creates the device cluster. As part of the creation process, iWorkflow creates a new VLAN and associates both guests with it. After a pause, the Device State displays Init, and then eventually changes to Stable.
Note: Do not be alarmed if this process takes some time. It can take several minutes to complete.

Viewing the device cluster you created

You might want to view the device cluster to confirm that you successfully created it before you export it to the tenant.
  1. On the menu bar, click TENANTS, and then click the tenant for whom the device cluster was created.
  2. In the left pane, expand the Tenant folder and then the L4-L7 Services folder.
  3. Click Device Clusters.
You should be able to view the device cluster you created.

Exporting the device cluster to a tenant

An APIC administrator can choose which tenant(s) are permitted to use the device clusters created in APIC. Use the following steps to export a device cluster to a tenant.
  1. On the menu bar, click TENANTS.
  2. From the sub-menu, click the tenant where the device cluster was created. In our example, we created the device cluster in the common tenant, so click common.
  3. In the left pane, expand the Tenant folder and then the L4-L7 Services folder.
  4. Click L4-L7 Devices.
  5. From the ACTIONS list, select Export Device Cluster.
  6. From the Device Cluster list, select the device cluster you want to export.
  7. From the Tenant list, select the tenant to which you want to export the device cluster.
  8. In the Description field, you can optionally type a description.
  9. Click SUBMIT.
    [Figure: Exporting the device cluster]

You should be able to view the device cluster you exported.

[Figure: Viewing the device cluster]

You can repeat these steps if you want to export the same device cluster to multiple tenants. This functionality is useful for assigning iWorkflow® resources in your network to meet your end-user's requirements.

About service graphs

A service graph is a single listener (iApp) with its associated configuration objects that are required to allow traffic to go through the BIG-IP® system to a destination pool and the nodes in that pool.

The iApp itself is unique, so each service graph is one iApp. You can associate configuration objects and you can share some of those objects between the service graphs (iApps). The iApp port, protocol, and IP address are all unique.

A multigraph means that an iWorkflow system has multiple service graphs that are associated with a single tenant on the iWorkflow device.

Managing SSL certificates and keys

To enhance security, SSL certificates and keys are managed locally in the SSL Certificate List under BIG-IP File Management.

Using the iWorkflow service catalog workflow, when you create a template, you can reference SSL certificates and keys that are stored in the Common partition. You must have Administrator rights to perform this task.

In the following example, the f5.http iApp template is being used to create a new template. It is referencing SSL certificates and keys that are stored in the /Common partition.

[Figure: Managing SSL certificates and keys]

As Administrator, you have the option to make this field tenant editable, which makes the SSL certificate and key fields visible in the Cisco APIC user interface.

Creating a service graph

Creating a service graph provides you with the controls for specifying the parameters defined by the iApp template you created for this integration.
  1. On the menu bar, click TENANTS.
  2. From the sub-menu, select the tenant in which you want to create the service graph, for example, Customer1.
  3. In the left pane, expand the Tenant folder and then the L4-L7 Services folder.
  4. Right-click L4-L7 Service Graph Templates, and then click Create a L4-L7 Service Graph Template.
  5. In the Graph Name field, type a name for the service.
  6. From the Type list, select either Single Node - ADC in One-Arm Mode or Single Node - ADC in Two-Arm Mode, depending on your requirements.
    This setting determines the node configuration.
  7. For the Device Function, select the entry with the name that matches the catalog template you created on the iWorkflow® device.
    Note: You can do this step by dragging and dropping the device cluster you want to the center of the window.
  8. For the Profile, select the entry with the name that matches the catalog template you created on the iWorkflow device.
  9. Click SUBMIT.
    The system creates the service graph template as you specified it, and displays a model of it on screen.
At this point, the configuration has not yet been pushed to the BIG-IP® system(s); this occurs once you deploy the service graph.

Selecting your service graph for deployment

Deploying the service graph applies the parameter values to the BIG-IP® devices that are part of this integration.
  1. On the menu bar, click TENANTS.
  2. From the sub-menu, select the tenant that contains the service graph.
  3. In the left pane, expand the Tenant folder and then the L4-L7 Services folder.
  4. Expand the L4-L7 Service Graph Templates folder.
  5. Right-click the service graph you created, and then select Apply L4-L7 Service Graph Template.
    [Figure: Applying the service graph template]

Applying the L4-L7 service graph template

After selecting the service graph for deployment, you edit the service graph, EPGs, and contracts.
Note: The following figure depicts the APIC version 1.2(2h) interface. Later versions will likely be slightly different.
[Figure: Applying the service graph template to EPGs]

  1. From the Consumer EPG list, select the appropriate EPG.
  2. From the Provider EPG list, select the appropriate EPG.
  3. In the Contract Information area, either select the appropriate existing contract, or create a new one.
  4. Click NEXT.
    The L4-L7 SERVICE GRAPH TEMPLATE TO EPGS screen displays so that you can configure the graph parameters. The parameters and default values that display are the ones that you configured on the iWorkflow device. You can revise the parameters that you marked as tenant editable.
  5. Under Device Config on the ALL PARAMETERS tab, configure the self IP addresses and floating IP addresses needed for each BIG-IP device in the cluster.
    • If the BIG-IP devices are in an HA pair, configure internal and external self IP addresses for each BIG-IP device. Also configure internal and external floating IP addresses for each HA pair.
    • If the BIG-IP devices are standalone, only the internal and external self IP addresses for each BIG-IP device are needed.
  6. Under Function Config on the ALL PARAMETERS tab, configure (at least) the required parameters for the iApp template you used to create the device package.
    Required parameters appear in red text. Additionally, you must specify the parameter that identifies the pool address and the parameter that defines the table of pool members.
  7. Click FINISH to complete the process.
    The APIC deploys the iApp using the iWorkflow device that you specified to the BIG-IP device(s) you specified.

If you log in to the iWorkflow™ device and look at the Services panel, you can confirm that the application deployed successfully.

If you log in to one of the BIG-IP® devices and look at the iApps > Application Services screen, you can confirm that the iApp deployed successfully.

Note: The iApps® are not placed in the Common partition. Instead, the Cisco APIC integration places the iApp in a new partition. Navigate to the new partition before you look to confirm deployment.