Cisco Application Policy Infrastructure Controller 2.1(1h) with F5 iWorkflow and BIG-IP Integration
Last Updated: 20-JULY-2017
The Cisco Application Policy Infrastructure Controller (Cisco APIC) is the unifying point of automation and management for the Cisco Application Centric Infrastructure (Cisco ACI™) fabric. The Cisco APIC provides centralized access to all fabric information, optimizes the application lifecycle for scale and performance, supporting flexible application provisioning across physical and virtual resources.
For additional information, visit www.cisco.com/go/apic.
This preconfigured demonstration includes:
- Scenario 1: Deploy Service Graph using F5 iApps in Cisco ACI with F5 iWorkflow
- Scenario 2: Modify L4 – L7 deployed graph parameters
- Scenario 3: Remove APIC Service Graph
- Scenario 4: Using POSTMAN REST client to deploy service graph
There are two options to complete each lab task:
- Using iWorkflow and APIC UI – Scenario 1
- Using POSTMAN REST client (APIC Only) – Scenario 4
The goal of ACI is to accelerate application deployment by building L4-L7 policy into the Cisco ACI model. We recommend using the REST client model as the most effective way to execute the APIC portion of the lab; for BIG-IP and iWorkflow, please continue to use the UI. You are encouraged to use the UI screenshots as a reference for the tasks executed by POSTMAN.
Demonstration Requirements
Demonstration Configuration
This demonstration contains preconfigured users and components to illustrate the scripted scenarios and features of this Cisco solution. All access information needed to complete the demonstration scenario is located in the Topology and Servers menus of your active demonstration, and throughout this script.
- Topology Menu. Click on any server in the topology to display the available server options and credentials.
- Servers Menu. Click on or next to any server name to display the available server options and credentials.
Demonstration Topology
The following is the virtual demonstration topology, which consists of the following virtual machines:
- APIC Simulator – version 2.1(1h)
- APIC1, APIC2, APIC3
- Leaf1 and Leaf2
- Spine1 and Spine2
- VMware Virtual Center Server 5.5 Appliance
- F5 iWorkflow – release 2.0.2
- F5 BIG-IP – release 12.0.0 HF4
- VMware ESXi 5.5 Host 1
- VMware ESXi 5.5 Host 2
- Workstation – Windows 8
- NetApp EDGE Storage Appliance – ONTAP 8.2
- Linux Tools Repository (Ubuntu 12.04)
Demonstration Preparation
Follow the steps below to schedule and configure your environment.
BEFORE DEMONSTRATING: We strongly recommend that you go through this process at least once, before presenting in front of a live audience. This will allow you to become familiar with the structure of the document and the demonstration. PREPARATION IS KEY TO A SUCCESSFUL CUSTOMER PRESENTATION.
- Browse to dcloud.cisco.com, choose the location closest to you, and then login with your Cisco.com credentials.
- Schedule a session.
- Test your bandwidth from the demonstration location before performing any scenario.
- Verify your session has a status of Active under My Demonstrations on the My Dashboard page in the Cisco dCloud UI.
- It may take up to 15 minutes for your demo to become active.
- Access the workstation named wkst1 located at 198.18.133.36 and login using the following credentials: Username: dcloud\demouser, Password: C1sco12345.
- Option 1: (Preferred) Use Cisco AnyConnect and the local RDP client on your laptop.
- Accept any certificates or warnings.
- From the Start menu, click Desktop.
- Option 2: Use the Cisco dCloud Remote Desktop client with HTML5.
- Accept any certificates or warnings.
- From the Start menu, click Desktop.
- Start Menu
- The fabric discovery is automatically started at demo setup. Double-click the APIC Login icon and login (admin/C1sco12345).
- Select Fabric from the top menu.
- Select Inventory from the top sub-menu.
- In the left menu, click Fabric Membership and check that you have the 4 devices populated as shown in Figure 3. (IP addresses may vary.)
NOTE: The fabric discovery can take up to 15 minutes to complete. If you login before 15 minutes have passed, all devices may not be fully discovered.
- Completed Fabric Membership
NOTE: To demonstrate Fabric Discovery, reset the APIC Simulator (see Appendix A.) If only TEP-1-101 is present at login, see Appendix B to discover the Fabric.
- Double-click the VI Login icon and login with the following credentials: Username: demouser, Password: C1sco12345. (If password is grayed out, click Login.)
- Check that the F5 iWorkflow and BIG-IP virtual machine is present and running as below.
- Virtual Center Inventory
NOTE: If the F5 BIG-IP and iWorkflow VMs are not present in the L4-L7 Services Resource Pool, add it manually.
Cisco Application Centric Infrastructure (ACI) technology provides the capability to insert Layer 4 through Layer 7 (L4-L7) functions using an approach called a service graph. One of Cisco ACI’s changes to the operation model with the service graph function is that a configuration now includes not only the network connectivity consisting of VLANs, IP addresses, etc., but also the configuration of access control lists, load-balancing rules, etc., on service appliances, such as the firewalls and load balancers. This approach differs from the traditional operation model of service insertion. Prior to Cisco ACI, the fabric configuration would have consisted only of connectivity for firewalls and load balancers. With Cisco ACI, the service graph configuration includes the ability to push configuration of firewalls and load balancers from ACI.
The top of the GUI screen is the Menu bar tab, the middle of the GUI is the Submenu bar tab, the bottom left of the GUI screen is the Navigation Pane, and the middle-right of the GUI is the Work Pane.
The goal of this lab is to demonstrate a WEB application deployment that has L4-L7 ADC requirements in an ACI environment. Using the F5 iWorkflow service catalog model, the WEB application's ADC requirements are defined in an iWorkflow service catalog template using F5 iApps technology. Through the F5 dynamic device package, this service catalog is imported into ACI. In Cisco ACI, when deploying the WEB application, the administrator can now pick the WEB template to apply ADC functionality to the application.
To achieve this scenario, you will configure ACI L4-L7 service insertion in managed mode with device manager, using the F5 BIG-IP VE Virtual ADC and the F5 iWorkflow orchestration + automation platform through the user interface.
F5 iApps is a user-customized framework for deploying applications, providing a flexible way to automate tasks and templatize F5 virtual server configurations.
The iApps template must be imported into F5 BIG-IP to allow F5 iWorkflow to create an application template based on it. In this step, we will verify that the iApps template already exists in F5 BIG-IP.
Log into the F5 BIG-IP with the following username and password from the web browser:
BIG-IP: https://198.18.128.130
Username: admin
Password: C1sco12345
After you have logged into the F5 BIG-IP GUI, click iApps -> Templates in the Navigation pane. You should see the iApps template appsvcs_integration_v1.0_001 pre-loaded into the F5 BIG-IP:
NOTE: Up to iWorkflow release 2.0.2, the iApps to be used by the iWorkflow / APIC integration must exist in BIG-IP in order for iWorkflow to discover them. Beginning with iWorkflow release 2.1.0, the user imports the iApps into iWorkflow and iWorkflow pushes the iApps to BIG-IP.
F5 iApps template is ALREADY added in iWorkflow:
F5 iWorkflow Clouds and Services allows an administrator to create a cloud connector to Cisco APIC by generating a customized device package that contains the service catalog. It is also where the administrator can manage the service catalog life cycle.
In this step, we will configure F5 iWorkflow prior to Cisco ACI integration.
Log into the F5 iWorkflow 198.18.128.135 with the following username and password from the web browser:
iWorkflow: https://198.18.128.135
Username: admin
Password: C1sco123
After you have logged into the F5 iWorkflow GUI, click “Clouds and Services”, then select the “+” for Devices.
Register F5 BIG-IP by selecting “Discover Device”
Register the F5 BIG-IP by using the BIG-IP’s IP address and credentials as follows:
IP Address: 198.18.128.130
Username: admin
Password: C1sco12345
Click Save to register the BIG-IP device:
You can now double click the registered BIG-IP and verify its status. It should say “Available” when the BIG-IP is communicating with the iWorkflow:
After BIG-IP is successfully discovered by iWorkflow, the iApps that reside on BIG-IP are exposed to iWorkflow.
In this step, we will create a WEB application template based on iApps in iWorkflow Cloud Catalog. We can specify the WEB application F5 virtual server requirements here and build it into a template.
Move your mouse to the left or right side of the screen and the Cloud Catalog menu should appear. Click “+” to add a template.
A New Template screen will appear. Enter and select the following in the New Template:
Name: WEB
Input Parameters: All Options
Cloud: All Clouds
Application Type: appsvcs_integration_v1.0_001
NOTE: Only fields marked “Tenant Editable” will be visible in Cisco APIC.
You can now edit all the available options that need to be included with this template.
Expand the Virtual Server Listener & Pool Configuration by clicking the >. Scroll down and CHECK the following to make them Tenant Editable. This exposes the parameters to Cisco APIC through the F5 device package. The administrator has total control over what is exposed via a custom device package (this reduces the complexity). It is highly recommended to expose only what is needed to APIC:
pool__addr: this is the VIP
pool__port: this is the VIP listening port
Notice: by default, this iApps allows the VIP as a tenant editable field. When you check the VIP listening port as tenant editable, iWorkflow will highlight it.
Click “Tenant Preview” to review the parameters that will be visible in Cisco APIC:
You should only see 3 parameters:
Virtual Server: Address
Virtual Server: Port
Pool: Members
Notice a new application template now under iWorkflow Cloud Catalog. The "Save" operation will also update the F5 iWorkflow Cloud APIC device package with the updated service catalog.
This service catalog is ready to be consumed by Cisco APIC.
The next step is to create the iWorkflow Cloud APIC Connector, which will generate a custom device package that contains the iWorkflow service catalog. The template we created in the previous step will appear in APIC as a service function.
Move your mouse to the left / right side of the screen to make the Clouds menu appear.
To create a new Connector, move the mouse to the Clouds menu and the + should appear.
Click “+” to create a new Cloud Connector:
Name: dcloud
Connector Type: Cisco APIC
Click “Save” to finish
Double-click the dcloud connector. You can download this customized device package, which contains the iWorkflow Catalog, to your desktop.
We have now completed the configuration steps on iWorkflow that are necessary prior to F5 ACI integration.
Starting here, you will use Cisco APIC to perform the workflow for deploying the WEB application. With the integration of F5 iWorkflow and BIG-IP, the user can apply the WEB application's L4-L7 requirements within the APIC policy model, significantly reducing operational complexity.
In this step, you will import the customized device package generated by F5 iWorkflow into Cisco APIC. This will make the iWorkflow service catalog available in Cisco APIC. The device package serves as a conduit to facilitate communications between F5 iWorkflow and BIG-IP.
Switch to your APIC GUI and click the following to import the device package:
L4-L7 Services -> Packages -> L4-L7 Service Device Type
Click the ACTIONS button at the Work pane and choose IMPORT DEVICE PACKAGE
A new pop-up should appear to allow you to choose the device package to be installed, click “Browse”:
Go to Desktop and select F5DevicePackage.zip
Click “Submit”
Now F5 device package is imported into APIC
Expand the Device Package and notice that Service Function “WEB” is equivalent to the iWorkflow Catalog template “WEB”. Under Operational, the parameters visible in APIC are the “Tenant Editable” parameters in iWorkflow:
Under Function Profiles, you can see if there is any default value assigned to the parameters:
In order to integrate F5 iWorkflow cluster into Cisco APIC L4-L7 devices, we use Cisco APIC device manager feature to define and specify F5 iWorkflow.
From APIC perspective, F5 iWorkflow is a "device manager" managing the F5 BIG-IP ADC (both physical and virtual form factors).
We will first define the device manager type. In the APIC GUI, click the following to configure the Device Manager Type:
L4-L7 Services -> Inventory -> Device Manager Type
Click the ACTIONS button at the Work pane and choose Create Device Manager Type
A new pop-up should appear to allow you to enter the device manager information. Enter the following information:
Vendor: F5
Model: iWorkflow
Version: 2.0-dcloud
L4-L7 Service Device Type: F5-iWorkflow-2.0-dcloud
Device Manager: Leave this field empty
NOTE: It is extremely important to match the Version number with the major version of the device package.
Click SUBMIT to accept the configuration.
The Device Manager Type is now configured and we can now associate this device manager type with a device manager.
To create a device manager, navigate to your tenant common to create a new L4-L7 Device Manager by clicking the following:
Tenants Common -> L4-L7 Services -> Device Managers
In the Work pane, click: ACTIONS -> Create Device Manager
A new pop-up should appear to allow you to Create Device Manager in your tenant. You will specify F5 iWorkflow management IP here and associate it with the device manager type created in the previous step. Enter the following information:
Device Manager Name: dcloud-device-manager
Management EPG: Leave this field empty since we use OOB to communicate
Device Manager Type: F5-iWorkflow-2.0-dcloud
Click the + to enter the iWorkflow management IP for device manager Management connectivity:
Host: 198.18.128.135
Port: 443
Click UPDATE to accept.
Enter the Device Manager's login credential:
Username: admin
Password: C1sco12345
Confirm Password: C1sco12345
Click SUBMIT to accept the configuration.
This completes the steps to create the APIC L4-L7 device manager. We will use this device manager in the next step when creating the APIC L4-L7 device.
In this step, we will create an APIC L4-L7 device; this is the logical construct that contains the F5 BIG-IP and iWorkflow information. You will see in later steps how to build an APIC service graph using this L4-L7 device.
Navigate to your tenant to create a new L4-L7 Device by clicking the following:
Tenants Common -> L4-L7 Services -> L4-L7 Devices
In the Work pane, click:
ACTIONS -> Create L4-L7 Devices
A new window should appear for you to create the L4-L7 Devices.
In the Create L4-L7 Devices window, enter the following:
Managed: CHECK
Name: F5-BIG-IP
Service Type: ADC
Device Type: Virtual
VMM Domain, click the down arrow to select: My-vCenter
Mode: Single Node
Device Package: F5-iWorkflow-2.0-dcloud
Model: Unknown (Manual)
Context Aware: Single
APIC to Device Management Connectivity: Out-Of-Band
Username: admin
Password: C1sco12345
Confirm Password: C1sco12345
After completion, it should look like:
*What did I configure?*
Managed: this means this L4-L7 device will be managed by Cisco APIC to be used in L4-L7 service insertion
Name: User defined name of the L4-L7 device
Service Type: Firewall or ADC, F5 BIG-IP is considered an ADC device
Device Type: Physical or Virtual, we use BIG-IP Virtual Edition in this lab
VMM Domain: If device type is virtual, select the VMM domain for this L4-L7 device, the VMM domain contains BIG-IP VE virtual machine
Mode: Single or HA, in this lab, only one BIG-IP VE, so select Single Node
Device Package: Drop down menu, pick the device package dcloud
Model: Choose Unknown(Manual) giving you flexibility to enter any F5 BIG-IP interface convention
Context Aware: Single Context device can be used by only 1 tenant; where Multi Context device can be shared among multiple tenants. In the case of virtual, we will select single context
APIC to Device Management Connectivity: All management connections are out-of-band in this lab
Credentials: F5 BIG-IP admin credentials
On the right-hand side of the wizard, in the Device 1, enter the following:
Management IP Address: 198.18.128.130
VM: Click the down arrow and select dcloud-DC/F5-BIG-IP
Management Port: https
Click the + to add a Device Interface:
Name: 1_1
VNIC: Network adapter 2
Click UPDATE to accept the Device Interface configuration.
Click the + to add 2nd Device Interface:
Name: 1_2
VNIC: Network adapter 3
Click UPDATE to accept the Device Interface configuration.
*What did I configure?*
Under Device 1, enter the BIG-IP VE management IP and management port of https (443)
Since this is a BIG-IP VE cluster, the VM field is visible and based on the VMM domain specified earlier, pick the VM for this L4-L7 device.
Device Interfaces: specify the BIG-IP VE interfaces to be used in the data plane. We are configuring physical 2-arm in this lab, so two BIG-IP interfaces are specified in this cluster. Notice the interface naming is 1_1, which is equivalent to interface 1.1 of BIG-IP. "_" is used instead of "." because APIC does not allow "." as a parameter value.
Next part of the configuration is L4-L7 device cluster information.
By default, APIC will populate Device 1's management IP as the Cluster Management IP. In this lab, since we are going to use the iWorkflow to manage BIG-IP, the Cluster IP will be changed to the iWorkflow’s IP. The device will eventually ignore this setting and it will use the Device Manager information configured earlier to establish communication.
Management IP Address: 198.18.128.135
Management Port: https
Device Manager: common/dcloud-device-manager
Click the + to add the 1st Logical Interface:
Type: consumer
Name: External
Concrete Interface: Device1/1_1
Click UPDATE to accept the consumer interface configuration.
Click the + to add the 2nd Logical Interface:
Type: provider
Name: Internal
Concrete Interface: Device1/1_2
Click UPDATE to accept the consumer interface configuration.
Make sure all L4-L7 Devices parameters are entered correctly, click “NEXT”
STEP2, Device Configuration. We would like to set up some basic information on the BIG-IP by choosing the All Parameters tab.
Click > to expand the field Device Host Configuration and enter the following parameters and click UPDATE to save the change:
Host Name: bigip1.dcloud.cisco.com
Click “FINISH”
Navigate to the newly created L4-L7 Device to verify its Configuration State is stable:
Tenants common ->L4-L7 Services -> L4-L7 Devices -> F5-BIG-IP
In the Work pane, ensure the Configuration State is stable. If the device is not stable, click the Faults tab and ensure there are no faults or that all the faults are in clearing state.
We have now completed the configuration of the ACI L4-L7 device, and we will use this device when creating the L4-L7 Service Graph Template in the next step.
Export F5-BIG-IP L4-L7 device as a resource to another tenant where application profile is configured.
Right click on F5-BIG-IP, and select “Export L4-L7 Device”
Drop down and select tenant “SJC”, then click “SUBMIT”
An APIC L4-L7 Service Graph Template is an abstract object that allows L4-L7 configuration to be built into the ACI policy model. In this step, you will create a service graph template, add the L4-L7 device you created in the previous step, and then select the WEB service function for this graph.
Go to Tenant SJC by typing “SJC” in the Tenant search box
To create a new Service Graph Template, click the following in the navigation pane:
Tenants SJC -> L4-L7 Services -> L4-L7 Service Graph Template
In the Work pane:
ACTIONS -> Create L4-L7 Service Graph Template
In the new window, enter the following:
Graph Name: WEB
Graph Type: Create a New One (should be the default)
Now, drag the Device Clusters to the right side of the window into the graph. You should be able to place the Node “SJC/F5-BIG-IP (Imported Managed)” between the Consumer EPG and the Provider EPG.
When this graph template is deployed, the traffic will be redirected to the F5 BIG-IP of this device cluster automatically by Cisco ACI.
Double click the word N1 under the Node to change the name to ADC.
Under F5-BIG-IP Information, click the Two-Arm option for this graph.
Select the Profile: F5-iWorkflow-2.0-dcloud/WEB <- this comes from the F5 device package
This is WEB application template that we created earlier.
Click “SUBMIT”
The new ADC L4-L7 Service Graph Template is now created and we are ready to deploy the BIG-IP with the pre-created web and app EPG.
In this step, we deploy the WEB graph, connecting the web tier and the app tier. Inside the contract between the web and app EPGs, we will assign the service graph template created in the previous step; this will provide F5 BIG-IP ADC functionality to the APP tier.
To deploy the service graph, click the following in the Navigation pane of your tenant:
Tenants SJC -> L4-L7 Services -> L4-L7 Service Graph Template
Select the Service Graph Template you just created from the Work pane. Right click and choose the option to
Apply L4-L7 Service Graph Template
In the new window, you will have the ability to choose which EPGs the Service Graph will be inserted in between.
Select the following for the EPG information:
Consumer EPG / External Network: SJC/App1/epg-web
Provider EPG / External Network: SJC/App1/epg-app
Under Contract Information, use the option to create a new Contract:
Create a New Contract: SELECTED
Contract Name: web2app-contract
No Filter (Allow All Traffic): CHECKED
Click NEXT to continue to the next screen.
A new window to apply the service graph template will now appear. This window will show the Service Graph Template that you created earlier.
In addition to the Service Graph Template, there are some options that need to be selected to deploy the BIG-IP with a Service Graph. Under the SJC/WEB Information, you need to choose the appropriate connector information:
Under the Connector, choose the following:
Type: General
BD: SJC/SJCBDWeb
Cluster Interface: External
We use the External interface for the communication between the BIG-IP and the Web servers. The Web servers belong to the Web EPG, which is tied to the SJCBDWeb Bridge Domain.
Type: General
BD: SJC/SJCBDApp
Cluster Interface: Internal
We use the Internal interface for the communication between the BIG-IP and the App servers. The App servers belong to the App EPG, which is tied to the SJCBDApp Bridge Domain.
Click NEXT to continue to the next screen.
A new window for the BIG-IP parameters will now appear. In this window, you will have the ability to modify the parameters to be deployed to the BIG-IP. Let us modify some parameters to push the Service Graph into the BIG-IP.
Under Feature, it should be selected All. Parameters should be All Parameters.
Once you click the All Parameters tab, the folders and parameters will appear. To edit a parameter, expand it by clicking the > and double-click the field to change the parameter’s name and value. Let us edit the following parameters:
Under Device Config
Press > to expand the Network configuration folder
Press > to expand the folder ExternalSelfIP
Double click the parameter Enable Floating? and select No as the value
Click UPDATE to apply
Double click the parameter External Self IP Address and enter 10.10.10.130 as the value
Click UPDATE to apply
Double click the parameter External Self IP Netmask and enter 255.255.255.0 as the value
Click UPDATE to apply
Double click the parameter Port Lockdown and select Default as the value
Click UPDATE to apply
Press > to expand the folder InternalSelfIP
Double click the parameter Enable Floating? and select No as the value
Click UPDATE to apply
Double click the parameter Internal Self IP Address and enter 192.168.10.130 as the value
Click UPDATE to apply
Double click the parameter Internal Self IP Netmask and enter 255.255.255.0 as the value
Click UPDATE to apply
Double click the parameter Port Lockdown and select Default as the value
Click UPDATE to apply
Device config is BIG-IP device-level configuration, like self-IP and default route. Resources configured in the device config will be used by Function Config.
Assign Device Config “Network” to Function Config “NetworkRelation”
NOTE: It is extremely important to assign Network to NetworkRelation. Failing to perform this step will result in graph deployment failure, as there will not be any network resource associated with the graph.
The above step associates the network information under device config to the BIG-IP virtual server.
Apply at deployment WEB service graph configuration under Function Config
Press > to expand the WEB configuration folder
Double click on the name and delete Default
Click UPDATE to apply
Press > to expand the Pool Members folder
Press > to expand the Member folder
Double click to enter value into the IPAddress field: 192.168.10.150
Click UPDATE to apply
Back to the WEB configuration folder
Double click to enter value into the Address field (pool__addr): 10.10.10.100
Click UPDATE to apply
Double click the parameter Port field (pool__port): 80
Click UPDATE to apply
Function config is BIG-IP virtual server level configuration. We define the WEB service catalog parameters here, as well as associating the device level network config to this virtual server.
Make sure both the device config and function config are correct
Device Config
Function Config
Click “FINISH” to deploy the graph
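A pre-flight check of the Device Config and Function Config values entered above, as an added example that is not part of the original lab guide or of Cisco or F5 tooling. The dict layout and the function names validate and check_in_subnet are hypothetical; the check assumes, as in this lab's two-arm layout, that the VIP sits in the External self-IP subnet and the pool members in the Internal one.

```python
import ipaddress

# Constructed input: the values this lab types into the APIC "All Parameters"
# tab. The dict layout is an assumption for this example, not APIC's schema.
LAB_PARAMS = {
    "interfaces": {"External": "1_1", "Internal": "1_2"},
    "device_config": {
        "Network": {
            "ExternalSelfIP": {"address": "10.10.10.130", "netmask": "255.255.255.0"},
            "InternalSelfIP": {"address": "192.168.10.130", "netmask": "255.255.255.0"},
        },
    },
    "function_config": {
        "NetworkRelation": "Network",
        "WEB": {
            "pool__addr": "10.10.10.100",
            "pool__port": "80",
            "members": ["192.168.10.150"],
        },
    },
}


def check_in_subnet(findings, label, address, subnet):
    """Record a finding if address is not a valid IP inside subnet."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        findings.append(f"{label}: '{address}' is not a valid IP address")
        return
    if subnet is not None and ip not in subnet:
        findings.append(f"{label}: {ip} is outside {subnet}")


def validate(params):
    """Return a list of findings; an empty list means the values are consistent."""
    findings = []
    device = params.get("device_config", {})
    function = params.get("function_config", {})

    # NetworkRelation must point at a Device Config network folder, otherwise
    # the graph has no network resource and deployment fails.
    relation = function.get("NetworkRelation")
    network = device.get(relation) if relation else None
    if network is None:
        findings.append("NetworkRelation does not reference a Device Config network folder")
        return findings

    # APIC does not accept "." in these values, so BIG-IP 1.1 is written 1_1.
    for logical, concrete in params.get("interfaces", {}).items():
        if "." in concrete:
            findings.append(f"interface {logical}: '{concrete}' contains '.', use '_' instead")

    # Each self IP must be a usable host address in its own subnet.
    subnets = {}
    for name in ("ExternalSelfIP", "InternalSelfIP"):
        entry = network.get(name, {})
        try:
            iface = ipaddress.ip_interface(f"{entry['address']}/{entry['netmask']}")
        except (KeyError, ValueError) as exc:
            findings.append(f"{name}: missing or invalid address/netmask ({exc})")
            continue
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name}: {iface.ip} is the network or broadcast address of {net}")
        subnets[name] = net

    # Function Config: listener port, VIP and pool members.
    web = function.get("WEB", {})
    port = str(web.get("pool__port", ""))
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"pool__port: '{port}' is not a port in 1-65535")
    check_in_subnet(findings, "pool__addr (VIP)", web.get("pool__addr"),
                    subnets.get("ExternalSelfIP"))
    members = web.get("members", [])
    if not members:
        findings.append("Pool Members: no member IP address entered")
    for member in members:
        check_in_subnet(findings, "pool member", member, subnets.get("InternalSelfIP"))
    return findings


if __name__ == "__main__":
    for line in validate(LAB_PARAMS) or ["no findings"]:
        print(line)
```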
APIC: Verifying the service graph deployment
You can now verify if APIC has deployed the service graph correctly. First, navigate the following:
Tenant SJC -> L4-L7 Services -> Deployed Graph Instances
You should be able to see a screen similar to the following. The State should say “applied”
Tenant SJC -> L4-L7 Services -> Deployed Devices
You should be able to see a screen similar to the following. The State should say “allocated”
Make sure there are no faults in the deployment:
Once the service graph is deployed in Cisco APIC, the administrator can also view the application status in F5 iWorkflow.
Log into the F5 iWorkflow 198.18.128.135 with the following username and password from the web browser (if the previous session has timed out):
iWorkflow: https://198.18.128.135
Username: admin
Password: C1sco12345
Go to the iWorkflow Cloud and Services. In the Work pane, look under:
Services: graph deployment status
Tenant: APIC tenant information
Nodes: pool members information
Notice the graph is “unhealthy” because no servers are available to the BIG-IP virtual server. This is expected because dCloud only validates the control plane; as a result, BIG-IP data plane validation to the servers fails.
Tenants:
Services
Notice that “Customize Application Template” contains the fields visible in APIC. The user inputs the values from APIC.
In case Customize Application Template is empty, please check back in a few minutes until the resource is refreshed.
This is the member IP entered through APIC.
Log into the F5 BIG-IP 198.18.128.130 with the following username and password from the web browser (if the previous session has timed out):
BIG-IP: https://198.18.128.130
Username: admin
Password: C1sco12345
On the Main menu, click Local Traffic -> Network Map. Then on the top right corner, next to the Log out button, click the drop down to select the newly created Partition (please note that this reflects the APIC Virtual Device ID):
Once you are in the partition, click Local Traffic -> Network Map. You should be able to see the virtual server is configured along with its pool and pool members.
On the right Navigation menu, click the Local Traffic -> Virtual Servers and you should be able to see the brief Virtual IP information. You can see that the VIP is currently listening on HTTP port 80.
The number (in this example, 2848) after the % mark represents the route domain (RD) number. An RD number is assigned to each APIC partition, which is equivalent to an ACI L3 VRF. This allows BIG-IP to provide multi-tenancy support in an ACI environment.
In the Virtual Server List, click the Name hyperlink and you will see the Properties of the Virtual Server with more detailed information. The configured parameters will appear here.
Click on “Resource”, notice the pool name being used
Click Local Traffic -> Pools and you should see the brief information of the real server pool information:
Go back to the Navigation pane and click iApps -> Application Services. Notice the name of the Application Service is the same as the Services name in iWorkflow.
Template is the iApps template that is associated with this application service
Partition/Path is the APIC created partition and the name of the application service
F5 iWorkflow service name
Clicking the application service name takes you to the Application Services Components. By using an iApps template, you can configure a full-featured virtual server by specifying the customized parameters exposed to APIC. Only the highlighted ones are entered by APIC; the rest of the virtual server features are built into the iApps template.
Network -> Self IP configuration from APIC
VLAN information imported from APIC:
Same VLAN tags are being assigned in APIC
This concludes the Scenario 1 “Deploy Service Graphs in Cisco ACI using F5 iWorkflow” lab.
Users can modify deployed graph parameters; only parameters marked “Tenant Editable” in iWorkflow can be changed in APIC. Once a graph is deployed, the user needs to go to the Application Profiles / EPG level in order to make changes to deployed graph parameters. The deployed graph parameters reside under the provider EPG; in this case, it is the app EPG.
Go to APIC Tenant SJC -> Application Profiles -> App1 -> Application EPGs -> EPG app -> L4-L7 Service Parameters, click the pen button:
Select the following:
Contract Name: SJC/web2app-contract
Graph Name: SJC/WEB
Node Name: ADC
Then click “All Parameters”
Expand “WEB” folder, double click on “pool__port”, change the value from 80 to 8080, then “UPDATE”
Then “SUBMIT”
Notice on iWorkflow, under Services, the port value is updated to 8080
BIG-IP virtual server reflects the same configuration update
This concludes the Scenario 2 “Modify L4 – L7 deployed graph parameters” lab.
The easiest way to remove a service graph deployment (which is the same as removing the virtual server from the BIG-IP) while retaining all the EPG and device selection policy parameters for easy re-deployment is to un-associate the service graph under the contract subject.
Go to the contract subject by clicking the following:
Tenants SJC -> Security Policies -> Contracts -> web2app-contract -> Subject
Move the mouse to Service Graph and hover near the drop-down menu. You will see an “X”; clicking it removes the graph from the contract subject:
Click “X”, the service graph SJC/WEB will disappear:
Click “SUBMIT”
Notice iWorkflow: Tenant, Service and Node are empty:
BIG-IP, the partition is removed, including all virtual servers and network related configurations:
In order to re-deploy the same graph, simply go to contract subject and re-associate SJC/WEB under Service Graph:
Click “SUBMIT”
You will see the Application Service is redeployed in iWorkflow and BIG-IP
Notice the tenant VID, graph ID and the RD values are different from previous deployment.
If you want to clean up all the related objects of the deployed graph template, go to:
Tenants SJC ->L4-L7 Services -> L4-L7 Service Graph Templates, right click on the graph template WEB, then select
“Removed Related Objects of Graph Template”
Select:
Contract: web2app-contract
Provider EPG: App1/app
Radio button: “remove both contracts and relations to the EPGs”
Check box:
Remove related EPG parameters <- this will remove all L4-L7 parameters of this particular contract/graph/node under EPG
Remove related device selection policies <- this will remove connectivity policy of this particular contract/graph/node
Click “SUBMIT”
Notice on APIC:
EPG app: related L4-L7 Services Parameters are removed
Related Devices Selection Policies is removed
Related contract is removed
F5 iWorkflow configuration related to APIC tenant and service graph is un-configured
BIG-IP is also clean:
Remove the L4-L7 logical device cluster from common tenant.
Tenant Common->L4-L7 Services -> L4-L7 devices -> , right click on the logical device cluster and click delete
This will also delete the device group from the BIG-IP (no device group corresponding to the logical device cluster is present anymore)
Remove the device manager from common tenant.
Tenant Common->L4-L7 Services -> L4-L7 devices -> Device Managers-> ‘dcloud-device-manager’, right click on the device manager and click delete
Remove the device manager type from L4-L7 services
Go to L4-L7 Services -> Inventory -> Device manager types , right click on the device manager and click delete
This concludes the Scenario 3 “Remove APIC Service Graph” lab.
Launch POSTMAN from desktop
Import the POSTMAN collection
The JSON collection is saved on your desktop - ‘dCloud-F5-iWorkflow-App-iApps-Final.postman_collection.json’
Click on Collection->Import
Click on the ‘Choose Files’ button and browse to the json collection and import it
The POSTMAN collection will be loaded in your POSTMAN window:
To view what each API call executed, click on the POST requests
Click on the Body to view the payload being passed
Click the Send button to execute the request
Check the status at the bottom of the window to see if the request got executed successfully (200 OK)
ASSUMPTION – The device package install and device manager configuration have already been done; the POSTs start from the point at which a graph is to be created
Run each postman POST and then see the corresponding object created on the APIC
- Login Token to APIC – Used for authentication to the APIC. The response to the POST operation will contain an authentication token. Subsequent operations on the REST API will use this token value to authenticate future requests.
- CreateDeviceManagerType – Used to create a device manager type under L4-L7 services->Inventory
- CreateDeviceManager-Common – Will create a device manager which has iWorkflow credentials under tenant common
- Create-Ldev-Common– Creates a logical device cluster on the APIC in tenant common
- Export from Common to SJC tenant – Exports the LDev from common tenant to SJC tenant
- Scope Network under AP – This will scope the network parameters like self IP/route under the application profiles
- Create contract – Creates a contract to be used in tenant SJC
- Assign contract to web EPG
- Assign contract to app EPG
- Create service graph template – Creates the service graph template to be used
- Apply service graph template – Specifies the parameters (virtual server, pool, pool members, etc.) to be configured for this particular graph
- Create device selection policy – Creates a device selection policy (This construct gets created automatically when using the UI, this is an extra step needed when using automation)
- Apply graph to contact – Attach the graph to the contract
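The token flow described under “Login Token to APIC”, together with the 403 “Token was invalid (Error: Token timeout)” case noted in the fabric-discovery appendix, sketched in Python as an added example that is not part of the dCloud Postman collection. The `ApicSession` and `FakeApic` names, the `apic.example` host, the passwords and the contract payload are assumptions; `FakeApic` is a constructed stand-in for the controller so the block runs offline.

```python
TOKEN_TIMEOUT = "Token was invalid (Error: Token timeout)"  # error text quoted on this page

class ApicSession:
    """Log in once, send the token on every call, re-login once on a token timeout."""
    def __init__(self, base_url, user, password, transport):
        self.base_url = base_url.rstrip("/")
        self._creds = {"aaaUser": {"attributes": {"name": user, "pwd": password}}}
        self._send = transport  # callable(method, url, headers, body) -> (status, dict)
        self.token = None

    def login(self):
        # aaaLogin is the APIC REST login call; the token comes back in imdata
        status, reply = self._send("POST", self.base_url + "/api/aaaLogin.json", {}, self._creds)
        if status != 200:
            raise PermissionError("APIC login failed with HTTP %d" % status)
        self.token = reply["imdata"][0]["aaaLogin"]["attributes"]["token"]

    def post(self, path, body):
        for attempt in (1, 2):
            if self.token is None:
                self.login()
            headers = {"Cookie": "APIC-cookie=" + self.token}
            status, reply = self._send("POST", self.base_url + path, headers, body)
            errors = [i["error"]["attributes"]["text"] for i in reply.get("imdata", []) if "error" in i]
            if status != 403 or attempt == 2 or not any("Token" in e for e in errors):
                return status, reply
            self.token = None  # session expired: force a fresh login, then retry once

class FakeApic:  # constructed stand-in for the controller (assumption, not Cisco code)
    def __init__(self, password):
        self.password, self.valid, self.logins, self.stored = password, None, 0, []

    def __call__(self, method, url, headers, body):
        if url.endswith("/api/aaaLogin.json"):
            if body["aaaUser"]["attributes"]["pwd"] != self.password:
                return 401, {"imdata": []}
            self.logins += 1
            self.valid = "constructed-token-%d" % self.logins
            return 200, {"imdata": [{"aaaLogin": {"attributes": {"token": self.valid}}}]}
        if headers.get("Cookie") != "APIC-cookie=%s" % self.valid:
            return 403, {"imdata": [{"error": {"attributes": {"code": "403", "text": TOKEN_TIMEOUT}}}]}
        self.stored.append((url, body))
        return 200, {"imdata": []}

def demo():
    apic = FakeApic("constructed-password")
    session = ApicSession("https://apic.example", "admin", "constructed-password", apic)
    path, contract = "/api/mo/uni/tn-SJC.json", {"vzBrCP": {"attributes": {"name": "web2app-contract"}}}
    first = session.post(path, contract)[0]
    apic.valid = None  # simulate the session timing out on the controller
    second = session.post(path, contract)[0]
    return first, second, apic.logins, len(apic.stored)
```

Against a real controller, pass a transport that wraps an HTTPS client with certificate verification enabled, and supply the password from a secret store rather than the script.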
This concludes the Scenario 4 “POSTMAN REST client” lab.
- Reset APIC Simulator
APIC Fabric Members are created by default, so that the demonstration can begin with the creation of the APIC objects.
If you want to demonstrate the fabric discovery, reboot the apic-fcs via Guest OS Control as follows:
- From the Demo Dashboard, click Servers.
- Servers Tab
- Click the Reboot button in Guest OS Control to restart the server.
NOTE: It will take up to 5 minutes before you can login and rebuild the Fabric using one of the Fabric Discovery methods in Appendix B.
- Fabric Discovery
If they are not configured, use one of the three methods below to configure:
Method | Automation Level | Explanation | Completion Time |
---|---|---|---|
Script Configuration | High | Skip the configuration steps and discover the APIC Fabric automatically, as shown in Configure APIC Fabric Using Scripts. | 1 minute, followed by 15 minutes to build the fabric |
Wizard Configuration | Medium | Set up the APIC Fabric using the Postman–REST client, as shown in Configure APIC Fabric Using Postman–REST Client. | 5 minutes, followed by 15 minutes to build the fabric |
NOTE: The full fabric discovery can take up to 15 minutes. The apic3 controller will be discovered after all the devices are discovered. You can monitor the progress by selecting Topology from the Inventory pane in the APIC GUI. While the discovery is taking place, you can complete Scenario 1, which ends in the APIC Topology window showing the discovered elements.
Demonstration Steps
Configure APIC Fabric Using Scripts
- From the demonstration workstation, click the Build ACI Fabric icon.
- Type Y <Enter> at the Do you want to continue (Y/N)? prompt. The script will begin building the fabric, which will take about 15 minutes.
- Build ACI Fabric Script
- Type Y <Enter> at the Do you want to continue (Y/N)? prompt. The script will begin building the F5, which will complete before the ACI fabric is set up.
Configure APIC Fabric Using Postman–REST Client
- From the demonstration workstation, launch ‘APIC Login’, and then log in to the Application Policy Infrastructure Controller with the following credentials: Username: admin, Password: C1sco12345.
- From the menu bar, click Fabric.
- From the sub-menu bar, click Inventory.
- In the left-pane, choose Fabric Membership.
- Review the current members of the Fabric.
- Fabric Membership
- Launch the Postman – REST Client from the taskbar. You are automatically logged in. This is where you will register the switches for the APIC.
Important: If you get a status of 403 Forbidden while performing the activity in this scenario, review the text below for more information on the error. If you see Token was invalid (Error: Token timeout), this means that your session has timed out. You will need to launch the APIC Login POST and then proceed with the next POST.
- In the left-pane, click the arrow next to dCloud APIC Demo, and then click the arrow next to Create Fabric and dCloud APIC Connectivity.
- dCloud APIC Demo
- Go to dCloud APIC Connectivity and then choose APIC Login. Click Send to connect to the APIC.
- APIC Login and Send
- Review the Status of the submission. A result of 200 OK means the submission was successful.
- Status
- Go to Create Fabric.
- Choose the Add Spine1 to Fabric post. Click Send to configure the first spine, and then it will discover the others.
- Review the status of the submission.
- In the APIC application window, you can see Spine1 is now part of the Fabric Membership.
- Fabric Membership
- Go to the Postman – REST Client window.
- Under Create Fabric, choose the Add Spine2 to Fabric post and then click Send to configure the second spine.
- Review the status of the submission.
- In the APIC window, you can see Spine2 is now part of the Fabric Membership.
- Fabric Membership
- Go to the Postman – REST Client window.
- Under Create Fabric, choose the Add Leaf2 to Fabric post.
- Review the command for this post and you can see that it:
- Looks for the serial number (TEP-1-102)
- Sets up the serial number for node 102
- Names Leaf2
- Add Leaf2 to Fabric
- Click Send.
- Review the status of the submission.
- In the APIC window, you can see Leaf2 is now part of the Fabric Membership.
- Fabric Membership
- Go to the Postman – REST Client window.
- Under Create Fabric, choose the Configure Leaf 1 to Fabric post, which will update the first member of the Fabric.
- Click Send.
- Review the status of the submission.
- In the APIC window, you can see that Node ID and Node Name have been set for serial number TEP-1-101.
- As it discovers Leaf1, an IP address is allocated.
- The discovery will continue until it finds all of the links to the other members and populates the IP Addresses.
- Fabric Membership
- Wait for discovery to finish. In the APIC window, select Fabric > Inventory from the main menu. Click Topology and demonstrate that the entire fabric has been discovered and is included in the topology.
- Fabric Discovery Topology