Extreme Networks NetSight SDN Integration with A10 Networks Load Balancer, Service Pools and Virtualization Resources

Configuration and Installation Guide

Abstract: This document describes the NetSight Network Access Control (NAC) and A10 Networks configurations required to implement a dynamic asymmetric data center load balancing solution.

Published: December 2014

Extreme Networks, Inc.
145 Rio Robles
San Jose, California 95134
Phone / +1 408.579.2800
Toll-free / +1 888.257.3000
www.extremenetworks.com

© 2012-2014 Extreme Networks, Inc. All Rights Reserved.

AccessAdapt, Alpine, Altitude, BlackDiamond, Direct Attach, EPICenter, ExtremeWorks Essentials, Ethernet Everywhere, Extreme Enabled, Extreme Ethernet Everywhere, Extreme Networks, Extreme Standby Router Protocol, Extreme Turbodrive, Extreme Velocity, ExtremeWare, ExtremeWorks, ExtremeXOS, Go Purple Extreme Solution, ExtremeXOS ScreenPlay, ReachNXT, Ridgeline, Sentriant, ServiceWatch, Summit, SummitStack, Triumph, Unified Access Architecture, Unified Access RF Manager, UniStack, XNV, the Extreme Networks logo, the Alpine logo, the BlackDiamond logo, the Extreme Turbodrive logo, the Summit logos, and the Powered by ExtremeXOS logo are trademarks or registered trademarks of Extreme Networks, Inc. or its subsidiaries in the United States and/or other countries.

sFlow is the property of InMon Corporation.

Specifications are subject to change without notice.

All other registered trademarks, trademarks, and service marks are property of their respective owners.

For additional information on Extreme Networks trademarks, see www.extremenetworks.com/company/legal/trademarks.
Contents

Overview
Prerequisites
Reference topology
A10 Networks SLB and GSLB pool configuration overview
NetSight pool-sync.py script installation
NetSight end-system event trigger configuration
Troubleshooting

Extreme Networks, Inc. All rights reserved.
Overview

Extreme Networks NetSight Network Management Suite is an application that uses a centralized network management and NAC architecture to gather and aggregate information about end-systems and users in a single database, and to process all data internally through a rule engine. Once the data is processed, NetSight assigns network profiles to the devices, and the switches enforce them.

The A10 Networks Load Balancing solution balances traffic across multiple data centers using multiple criteria in order to maximize performance and reliability. The documented APIs (aXAPI) allow external applications to interact with the balancing service and reprogram it dynamically.

This document describes the NetSight and A10 Networks configurations needed to implement a dynamic asymmetric data center load balancing solution.

Note: This document focuses on specific integration details such as API management and scripting installations. For specific implementation details of each technology, please refer to both the Extreme Networks NetSight Advanced and the A10 Networks Load Balancer configuration manuals.

Prerequisites

Software Requirements

- Extreme Networks NetSight 6.1 or above: NMS-XXX (e.g. NMS-10 - NetSight License for up to 10 devices and 100 thin APs)
- Extreme Networks NAC 6.1 or above: NAC-A-XX, NAC-V-XX or IA-ES-XX (e.g. IA-ES-1K - Identity and Access 1,000 end-system license; IA licenses with appliance IA-A-XX require NMS-ADV-XXX NetSight Advanced licenses)
- Extreme Networks Data Center Manager (DCM) plugin installed and configured
- A10 load balancer configuration across at minimum 2 data centers (two appliances)
- ACOS 2.6 or above
Reference topology

The following reference topology illustrates two data centers connected through an L2 link (VPLS) extending the same broadcast domain across multiple virtualization pools (Note: VPLS is not mandatory; any L2 setup among data centers will work). Each AX balancer is also the L3 default gateway for all virtual machines, routing traffic from and to the pool's subnet. Both AX appliances share a VRRP VIP address in order to assist vMotion, without the need to reconfigure the default gateway on the virtual machines.

In this example, the AX balancing configuration requires the GSLB (weighted-site) service enabled on the client-facing network, and at least one SLB pool for each site.

NetSight Data Center Manager authenticates and authorizes VMs in the network, so each time a vMotion event occurs, NetSight updates the pool member lists on each AX balancer through aXAPI. This way the balancing algorithm always reflects the actual distribution of resources in the virtualization environment.
A10 Networks SLB and GSLB pool configuration overview

Note: Please refer to the A10 Networks Admin, SLB and GSLB configuration guides for details concerning configuration of the AX balancer.

SLB configuration requires the VMs' IP addresses to be added to (or deleted from) the pools of at least two different sites, in order for GSLB to perform weighted-site balancing. The following is an example of the basic SLB pool and GSLB service configuration required for each balancer:

- Add a server (VM) IP address record, including the port for the service (e.g. 80).
- Create a service group pool (e.g. "www") which will include all the servers.
- Create a virtual server record (site) that will contain both service and server groups (the virtual server name must be different for each balancer).
- Create a virtual service, including the service group and virtual server previously created.
- Configure the VRRP VIP used as gateway by the pool's VMs.
- Select the VRRP interface and enable it.
- Configure VRRP: enable and configure the VIP address.
- Specify the VRRP interface.
Configure and enable GSLB (CLI):

Create an NS entry on the DNS server to point to this virtual:

    slb virtual-server NS1 10.65.50.75
       port 53 udp
          gslb-enable

Create the service IPs (Note: The service IP will be a virtual server already created):

    gslb service-ip GSLB-WWW-RDU 10.65.50.70
       port 80 tcp
    !
    gslb service-ip GSLB-WWW-GOA 10.65.50.71
       port 80 tcp

Bind the service IPs to the gslb site configuration:

    gslb site RDU
       slb-dev SLB-RDU 10.65.50.7
          vip-server GSLB-WWW-RDU
    gslb site GOA
       slb-dev SLB-GOA 10.65.50.8
          vip-server GSLB-WWW-GOA

Create GSLB policy:

    gslb policy portal_1
       dns active-only
       dns best-only 1
       dns server authoritative ns auto-ns ptr auto-ptr
       dns sticky aging-time 120
       dns ttl 30
       metric-order weighted-ip health-check weighted-site capacity geographic active-servers active-rtt connection-load num-session admin-preference bw-cost least-response ordered-ip
       no geographic
       ordered-ip
       no round-robin

Create Zone configuration:

    gslb zone sai.lab
       ttl 30
       policy portal_1
       service https www
          dns-a-record GSLB-WWW-RDU static
          dns-a-record GSLB-WWW-GOA static
          ip-order GSLB-WWW-RDU GSLB-WWW-GOA

Enable GSLB:

On GSLB Site:

    gslb protocol enable device

On GSLB Controller:

    gslb protocol enable controller
NetSight pool-sync.py script installation

Copy the files pool_sync.py and pool_sync_conf.py to the NetSight /usr/local/enterasys_networks/netsight/ directory.

Edit the pool_sync_conf.py file, specifying the correct IPs and credentials that NetSight must use to reconfigure the A10 balancers, e.g.:

    vt01_ip = "10.65.50.7"
    vt01_user = "admin"
    vt01_pass = "a10"
    vt02_ip = "10.65.50.8"
    vt02_user = "admin"
    vt02_pass = "a10"

The script arguments, passed by NAC when a VM is authenticated due to a vMotion, are the following:

- SLB group name (e.g. "www")
- Member server IP address (e.g. 10.65.50.23)
- SLB service port (e.g. 80)

From the command line, run the following command to verify basic connectivity and API responses:

    >python pool_sync.py retrieve www 10.65.50.23 80

If the member server is already part of the SLB group, the script reports the balancer IP managing the pool at that moment, e.g.:

    server IP 10.65.50.23 found on 10.65.50.7 balancer

If the server is not already part of the SLB group on any balancer, the script reports the following message:

    server IP not found anywhere
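An added example, not part of the original guide or of the pool_sync scripts: a small audit of a pool_sync_conf.py style file that flags passwords matching the sample values printed above and file permissions that let other local accounts reach the balancer credentials. The function names and the SAMPLE_PASSWORDS set are assumptions of this example; the file is parsed with ast instead of being imported, so auditing it never executes it.

```python
import ast
import os
import stat
import tempfile

# Passwords printed in this guide's sample configuration (assumed set).
SAMPLE_PASSWORDS = {"a10"}

def load_settings(path):
    """Read NAME = literal assignments without importing or executing the file."""
    with open(path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=path)
    settings = {}
    for node in tree.body:
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)):
            try:
                settings[node.targets[0].id] = ast.literal_eval(node.value)
            except (ValueError, TypeError):
                continue  # right-hand side is not a plain literal
    return settings

def audit_conf(path):
    """Return sorted findings for a pool_sync_conf.py style file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file mode %04o lets group/other access it" % mode)
    for name, value in load_settings(path).items():
        if name.endswith("_pass") and isinstance(value, str) and value in SAMPLE_PASSWORDS:
            findings.append("%s uses a password printed in the guide" % name)
    return sorted(findings)

def demo():
    """Audit a constructed copy of the sample file at modes 0644 and 0600."""
    sample = ('vt01_ip = "10.65.50.7"\nvt01_user = "admin"\nvt01_pass = "a10"\n'
              'vt02_ip = "10.65.50.8"\nvt02_user = "admin"\nvt02_pass = "a10"\n')
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pool_sync_conf.py")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(sample)
        results = []
        for mode in (0o644, 0o600):
            os.chmod(path, mode)
            results.append(audit_conf(path))
    return results

if __name__ == "__main__":
    for findings in demo():
        print(findings)
```

Run audit_conf() against the deployed file after editing it; an empty list means neither condition was found.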
NetSight End-System Event Trigger Configuration

This section describes the NAC/DCM configuration required to trigger the pool-sync script each time a VM moves:

- Under NAC Manager, open the notification tool.
- Create a new notification (e.g. "pool-sync") including the VM groups and the "End-System Moved" trigger condition.
- Override the content, statically specifying the script action (move) and the service port. The VM IP address will be automatically retrieved by NAC from the End-System properties.
- On the switch properties (e.g. ToR01), be sure that the switch type is "Layer 2 out-of-band Data Center" so that when a vMotion occurs, the old MAC auth session is cleaned from the previous switch.
Troubleshooting

This section lists some of the troubleshooting features and commands available to assist in identifying configuration and system issues. Refer to the NetSight Users Guide and ExtremeXOS Concepts and CLI Guides for additional information.

NAC Manager events

The Event View at the bottom of the NAC Manager main window displays error and informational messages about NAC Manager operations and provides information on end-systems that have attempted to connect to the network through a NAC appliance.

Server Information Window

The Server Information window lets you view and configure certain NetSight Server functions, including management of client connections, database backup and restore, locks, and licenses. It also provides access to the server log and server statistics.