Installation Guide Avi Networks Cloud Application Delivery Platform Integration with Cisco Application Policy Infrastructure August 2015
Table of Contents
1 Introduction
   Purpose
   Products
2 Avi Networks Cloud Application Delivery Platform (CADP)
   Components
3 Integration with Cisco APIC
   Cisco ACI and APIC
   Service Graph
   Device Package
   Auto Reconfiguration of Device Cluster
4 Installation
   Avi Controller OVA deployment
   Avi Controller configuration
   Avi SE IP address pool
   Verification of device package on Cisco APIC
5 Virtual Service Deployment
   Creating a service graph template
   Creating a contract and applying it to EPGs
   Configuring a load balancing virtual service, using Avi UI
1 Introduction

Purpose
This document describes how to deploy the Avi Networks Cloud Application Delivery Platform with the Cisco Application Policy Infrastructure Controller, using VMware vCenter as Cisco APIC's Virtual Machine Manager (VMM), and includes common troubleshooting steps.

Products
Product                                      Version
Avi Networks CADP                            15.2
Avi Networks Device Package for Cisco APIC   1.1 (embedded in the Avi Networks CADP software)
Cisco APIC                                   1.03f or later
VMware vCenter                               5.1, 5.5

2 Avi Networks Cloud Application Delivery Platform (CADP)
Avi Networks CADP is a software-based solution that provides elastic application delivery services, such as load balancing and SSL termination, together with real-time analytics, such as user-to-application timing.

Components
Avi Networks CADP is a fully distributed, virtualized system that consists of the Avi Controller and Avi Service Engines (SEs), all running as virtual machines (VMs).
Avi Controller
   o A virtual machine that acts as the single point of control and management, providing the GUI (Avi UI), analytics, and APIs. It manages the life cycle of Avi SEs by creating, controlling, and deleting them, and it stores and manages all policies related to services and management. The Avi Controller is also the single point of contact exposed to other cloud platforms and SDN controllers; for example, it communicates with VMware vCenter, the OpenStack controller, and Cisco APIC.
Avi Service Engine (SE)
   o A virtual machine that handles the actual user traffic and provides application delivery services while collecting real-time metrics for user-to-application timing. An Avi SE is created, plumbed into the network, and provisioned with a service policy dynamically by the Avi Controller as required to deploy a virtual service (VS). A virtual service is the combination of an IP address and a TCP/UDP port number that represents a load balancing service.
3 Integration with Cisco APIC

Cisco ACI and APIC
The Cisco Application Centric Infrastructure (ACI) is a distributed overlay network built on multipath leaf and spine switching nodes. Endpoint devices, such as servers and firewalls, are connected to leaf nodes. The Cisco Application Policy Infrastructure Controller (APIC) provides a single point of control and a repository of policy data for Cisco ACI. It communicates with the Cisco ACI spine and leaf nodes to create isolated tenant networks, set up network paths, and insert network services, such as Layer 4 to 7 and security functions, between endpoint devices.
In the Cisco ACI policy model, endpoint groups (EPGs) represent a set of terminal objects or communication endpoints, such as clients and servers. Objects in the same EPG can communicate with each other freely, but objects in different EPGs must have a contract in order to communicate. The contract defines the traffic filtering rules and can include a service graph to offer network functions, such as Layer 4-7 services.

Service Graph
A service graph defines a list of functions and specifies that the path from one EPG to another EPG must pass through those functions. Avi Networks CADP provides inline analytics, application visibility, SSL termination, load balancing, and content acceleration services. IT admins can enable all of these features by including the function nodes called ADCTier1 and ADCTier2 in a service graph. This two-node approach allows a virtual service to scale out in real time. Cisco APIC translates a service graph into a network path by associating it with concrete devices, associating the service graph with the necessary bridge domains, and configuring IP addresses on the interfaces of the devices (Figure 1). In this model, Avi SEs are the concrete devices and the Avi Controller acts as the single management point that interacts with Cisco APIC.
Device Package
The Avi Networks Device Package for Cisco APIC allows you to insert Avi Networks CADP services into the Cisco ACI fabric. The Avi Controller includes the device package and, as part of its own installation, automatically uploads it to Cisco APIC and creates the logical devices.
Note: Because the Avi Controller embeds the device package and installs it into Cisco APIC automatically, you do not upload the device package to APIC by hand.
Auto Reconfiguration of Device Cluster
Figure 1 Service Graph Rendering
The Avi Controller adds Avi SEs to the device cluster dynamically by interacting with APIC and VMware vCenter. The L4-L7 service policies, such as SSL termination and load-balancing policies, are configured on the Avi Controller, whereas network policies are configured on APIC. APIC places an Avi SE's data vNIC in the proper port group.

Multi-tenancy
You can export the Avi device package to another tenant on APIC. Avi CADP creates the corresponding tenant and adds a new concrete device when you add a load balancing virtual service in that tenant.

4 Installation
In this installation procedure, we use VMware vCenter as Cisco APIC's Virtual Machine Manager (VMM) to deploy Avi Networks CADP. For a successful installation, you need:
- Avi Networks CADP software release 15.2
   o The CADP software embeds the Avi Networks Device Package for Cisco APIC
- Cisco APIC and VMware vCenter admin credentials
   o The Avi Controller needs access to Cisco APIC and VMware vCenter to automatically install its device package, create an L4-L7 device cluster, and spin up an Avi SE.
The installation procedure consists of three tasks (Figure 2):
- Deploy the OVA file of the Avi Controller and configure its initial settings via browser
- Create a service graph for the Avi L4-L7 service on APIC
- Create a contract on APIC and a load balancing virtual service on the Avi Controller
Figure 2 Avi CADP deployment workflow for APIC
The Avi Controller, APIC and vCenter must be able to communicate with each other. The Avi Controller dynamically deploys an Avi SE VM instance as a concrete device. The Avi SE VM must be able to communicate with the Avi Controller and APIC via its management vNIC. When the Avi Controller deploys an Avi SE, it places the management NIC of the Avi SE in a specified port group for out-of-band management access (Figure 3). When an L4-L7 service graph is instantiated, APIC places the data vNICs of the Avi SE in the proper port groups according to the EPGs.
Figure 3 Logical Network Diagram for Avi Deployment in APIC environment
Avi Controller OVA deployment
Log in to your vCenter server via a vCenter client and deploy the OVA file of the Avi Controller:
1. Click File on the top menu and choose Deploy OVF Template.
2. Follow the instructions of the Deploy OVF Template wizard.
3. Provide the location of the Avi Controller OVA file.
4. Provide the name of the Avi Controller and specify the target ESX host on which to deploy it.
5. Choose Thick Provision Lazy Zeroed for the disk format.
6. Choose a port group for Destination Networks in Network Mapping. This port group will be used by the Avi Controller to communicate with your vCenter.
7. Specify the management IP address and default gateway. The management IP address must be in CIDR format, e.g., 10.10.2.10/24. Do not leave these fields empty.
8. Power on the VM.

Avi Controller configuration
Connect to the Avi Controller via browser and follow the instructions of the setup wizard:
1. Create an administrator account.
2. Enter the DNS server and NTP server information.
3. Choose VMware as your infrastructure.
   a. Enter your vCenter IP address and credentials.
   b. Choose Write for permission and select the check box for Integration with Cisco APIC.
4. Provide the Cisco APIC information (Figure 4).
   a. Enter your APIC IP address and credentials.
   b. Enter the APIC tenant in which the Avi CADP device package will be deployed.
   c. Enter the APIC VMM Domain name.
Figure 4 vCenter and APIC integration
5. Select a data center in which to deploy Avi SEs.
6. Select a port group for the Avi SE management network.
   a. This port group should be an out-of-band network, that is, one not managed by APIC.
   b. The management interface of the Avi SE will be connected to this port group to communicate with the Avi Controller.
   c. If a DHCP service is available, select DHCP.
   d. Otherwise, select Static and fill out the IP Address Pool field (Figure 5).
Figure 5 Management Network selection
After the installation, the Avi Controller creates a device cluster named ADCCluster for L4-L7 services (Figure 6).
Figure 6 ADCCluster from Avi Networks device package
2015 Avi Networks. All Rights Reserved.

Avi SE IP address pool
An Avi SE has 10 vNICs. The first vNIC is the management vNIC, via which the Avi SE communicates with the Avi Controller. The remaining vNICs, called data vNICs, carry user traffic. After spinning up an Avi SE, the Avi Controller connects the SE's management vNIC to the network specified for management during the initial configuration. Cisco APIC connects the data vNICs to port groups according to the virtual service IP and pool member configuration.
Data vNICs connected to backend pool networks require interface IP addresses. The Avi Controller automatically assigns IP addresses to the data vNICs from an IP address pool that the administrator creates for each backend pool network. Create a static IP address pool for every backend pool network; each pool must contain at least one IP address.
To assign a static IP address pool to a network:
1. Log in to the Avi Controller via browser.
2. Select Infrastructure from the pull-down menu in the top left corner.
3. Select the Networks tab.
4. Find the port group to which your servers are connected.
5. Select the port group by clicking the edit icon at the right end.
6. Check Static under Network IP Address Management.
7. Select an IP subnet by clicking the edit icon.
8. Enter a static IP address or a range (Figure 7).
9. Repeat these steps for all of your potential VS and pool member networks.
The Avi Controller picks an IP address from the range and assigns it to the data vNIC connected to that port group.
Figure 7 Adding a static IP address pool for SE data vNICs

Verification of device package on Cisco APIC
The Avi Controller automatically installs its device package once the initial settings are done. To verify that the Avi CADP device package is installed in Cisco APIC, click L4-L7 Services, expand L4-L7 Service Device Types in the left pane, and confirm that the Avi CADP device package is listed (Figure 8).
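The address-pool rules above (a management IP in CIDR form, one static pool per backend network, at least one address in each pool) are easy to get wrong when several port groups are planned at once. The following Python script is an added example, not Avi Networks or Cisco code; it checks a planned layout with the standard library before you type it into the Avi UI. The port-group names, subnets, gateways, VIPs and pool ranges in it are constructed for illustration, and the second network deliberately contains a mistake so the report shows what a failure looks like.

```python
"""Pre-flight check for the Avi SE address plan described above.

Added example, not Avi Networks or Cisco code. The port-group names, subnets,
gateways, VIPs and pool ranges below are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# Constructed plan: one entry per backend pool network (port group) that will
# carry an Avi SE data vNIC.
NETWORK_PLAN: Dict[str, dict] = {
    "web-servers-pg": {
        "subnet": "10.10.20.0/24",
        "gateway": "10.10.20.1",
        "pool": ("10.10.20.200", "10.10.20.209"),  # 10 addresses for SE data vNICs
        "vips": ["10.10.20.100"],                  # virtual service IPs on this network
    },
    "app-servers-pg": {
        "subnet": "10.10.30.0/24",
        "gateway": "10.10.30.1",
        "pool": ("10.10.30.250", "10.10.30.255"),  # mistake: includes the broadcast address
        "vips": [],
    },
}


def check_management_ip(text: str) -> str:
    """Step 7 of the OVA deployment wants host/prefix form, e.g. 10.10.2.10/24.
    Returns "" when the value is acceptable, otherwise a description of the problem."""
    if "/" not in text:
        return f"{text!r}: management IP must be in CIDR form, e.g. 10.10.2.10/24"
    try:
        iface = ipaddress.IPv4Interface(text)
    except ValueError as exc:
        return f"{text!r}: {exc}"
    if iface.ip in (iface.network.network_address, iface.network.broadcast_address):
        return f"{text!r}: host part is the network or broadcast address"
    return ""


def check_pool(name: str, spec: dict) -> List[str]:
    """Problems with one network's static pool; an empty list means it is usable."""
    problems: List[str] = []
    net = ipaddress.IPv4Network(spec["subnet"])
    gw = ipaddress.IPv4Address(spec["gateway"])
    lo, hi = (ipaddress.IPv4Address(a) for a in spec["pool"])
    if gw not in net:
        problems.append(f"{name}: gateway {gw} is outside {net}")
    if hi < lo:
        problems.append(f"{name}: pool range {lo}-{hi} is reversed")
        return problems
    if lo not in net or hi not in net:
        problems.append(f"{name}: pool {lo}-{hi} is not inside {net}")
    # Addresses an SE data vNIC must never be given: network, broadcast, gateway, VIPs.
    reserved = {net.network_address, net.broadcast_address, gw}
    reserved.update(ipaddress.IPv4Address(v) for v in spec["vips"])
    pool = [ipaddress.IPv4Address(i) for i in range(int(lo), int(hi) + 1)]
    clashes = [str(a) for a in pool if a in reserved]
    if clashes:
        problems.append(f"{name}: pool contains reserved address(es) {', '.join(clashes)}")
    if not [a for a in pool if a not in reserved]:
        problems.append(f"{name}: pool has no usable address (at least one is required)")
    return problems


def check_plan(plan: Dict[str, dict]) -> Dict[str, List[str]]:
    """check_pool for every network, plus a check that no two networks' pools overlap
    (which would happen if two port groups were planned on the same subnet)."""
    report = {name: check_pool(name, spec) for name, spec in plan.items()}
    seen: List[Tuple[str, int, int]] = []
    for name, spec in plan.items():
        lo, hi = (int(ipaddress.IPv4Address(a)) for a in spec["pool"])
        for other, olo, ohi in seen:
            if lo <= ohi and olo <= hi:
                report[name].append(f"{name}: pool overlaps with the pool of {other}")
        seen.append((name, lo, hi))
    return report


if __name__ == "__main__":
    problem = check_management_ip("10.10.2.10/24")
    print("controller management IP:", problem or "OK")
    for net_name, issues in check_plan(NETWORK_PLAN).items():
        print(net_name + ":", "OK" if not issues else "; ".join(issues))
```

Run as is, the script reports web-servers-pg as OK and flags app-servers-pg because its range ends on the subnet broadcast address; edit NETWORK_PLAN to match your own port groups and re-run until every network reports OK before entering the ranges in step 8.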
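The GUI check just described can also be scripted against the APIC REST API, which is useful right after the Controller has been set up or when the device package has been exported to several tenants. The Python below is an added example and not Avi Networks or Cisco code: it logs in to APIC (POST /api/aaaLogin.json), queries the vnsMDev class (the objects listed under L4-L7 Service Device Types in the GUI) and the vnsLDevVip class (logical device clusters), and reports whether an Avi device package and a cluster named ADCCluster exist. When APIC_HOST is not set it runs the same checks over constructed sample responses; the dn, tenant and version values in those samples are assumptions, not values taken from this guide. TLS verification stays on; point APIC_CAFILE at the CA that issued the APIC certificate instead of disabling verification for a controller that holds fabric-wide policy.

```python
"""Verify the Avi device package and ADCCluster on Cisco APIC via its REST API.

Added example, not Avi Networks or Cisco code. The sample JSON is constructed
in the shape APIC returns for class queries; the dn, tenant and version values
in it are assumptions.
"""
import json
import os
import ssl
import sys
import urllib.request
from typing import Dict, List, Optional

# Constructed sample of GET /api/node/class/vnsMDev.json: the device packages
# APIC knows about (L4-L7 Service Device Types in the GUI).
SAMPLE_MDEV = {
    "totalCount": "1",
    "imdata": [
        {"vnsMDev": {"attributes": {
            "dn": "uni/infra/mDev-Avi-ADC-1.1",   # assumed dn
            "vendor": "Avi", "model": "ADC", "version": "1.1"}}},
    ],
}

# Constructed sample of GET /api/node/class/vnsLDevVip.json: logical device
# clusters. The guide says the Controller creates one named ADCCluster.
SAMPLE_LDEVVIP = {
    "totalCount": "2",
    "imdata": [
        {"vnsLDevVip": {"attributes": {
            "dn": "uni/tn-common/lDevVip-FW",        # assumed unrelated cluster
            "name": "FW", "devtype": "PHYSICAL", "managed": "no"}}},
        {"vnsLDevVip": {"attributes": {
            "dn": "uni/tn-Avi/lDevVip-ADCCluster",   # assumed tenant name 'Avi'
            "name": "ADCCluster", "devtype": "VIRTUAL", "managed": "yes"}}},
    ],
}


def attrs(response: dict, cls: str) -> List[Dict[str, str]]:
    """Flatten an APIC class-query response into the attribute dicts of `cls`."""
    return [obj[cls]["attributes"] for obj in response.get("imdata", []) if cls in obj]


def find_device_packages(response: dict, vendor: str = "Avi") -> List[Dict[str, str]]:
    """Device packages (vnsMDev) from `vendor`; an empty list means the Controller
    has not (yet) uploaded its package to APIC."""
    return [a for a in attrs(response, "vnsMDev") if a.get("vendor", "").lower() == vendor.lower()]


def find_cluster(response: dict, name: str = "ADCCluster",
                 tenant: Optional[str] = None) -> Dict[str, str]:
    """The logical device cluster called `name`, optionally restricted to `tenant`
    (APIC dn prefix uni/tn-<tenant>/), or {} if it does not exist."""
    for a in attrs(response, "vnsLDevVip"):
        if a.get("name") != name:
            continue
        if tenant and not a.get("dn", "").startswith(f"uni/tn-{tenant}/"):
            continue
        return a
    return {}


def apic_login(host: str, user: str, password: str, cafile: Optional[str]):
    """Authenticate to APIC; returns the TLS context and the cookie header to reuse.
    Certificate verification is deliberately left enabled."""
    ctx = ssl.create_default_context(cafile=cafile)
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": password}}}).encode()
    req = urllib.request.Request(f"https://{host}/api/aaaLogin.json", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    return ctx, {"Cookie": f"APIC-cookie={token}"}


def apic_class_query(host: str, cls: str, ctx, headers: Dict[str, str]) -> dict:
    """GET /api/node/class/<cls>.json with the login cookie."""
    req = urllib.request.Request(f"https://{host}/api/node/class/{cls}.json", headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


if __name__ == "__main__":
    host = os.environ.get("APIC_HOST")
    if not host:  # no APIC reachable: run the checks over the constructed samples
        mdev, ldev = SAMPLE_MDEV, SAMPLE_LDEVVIP
    else:
        ctx, hdrs = apic_login(host, os.environ["APIC_USER"], os.environ["APIC_PASS"],
                               os.environ.get("APIC_CAFILE"))
        mdev = apic_class_query(host, "vnsMDev", ctx, hdrs)
        ldev = apic_class_query(host, "vnsLDevVip", ctx, hdrs)
    pkgs = find_device_packages(mdev)
    cluster = find_cluster(ldev, tenant=os.environ.get("APIC_TENANT"))
    print("device package:", [f'{p["vendor"]} {p["model"]} {p["version"]}' for p in pkgs] or "MISSING")
    print("ADCCluster:", cluster.get("dn", "MISSING"))
    sys.exit(0 if pkgs and cluster else 1)
```

Set APIC_HOST, APIC_USER, APIC_PASS, APIC_CAFILE and, for a tenant you exported the package to, APIC_TENANT; a non-zero exit means the package or the cluster is absent and the initial Controller configuration should be rechecked before you build the service graph.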
Figure 8 Device Package verification
Note: Cisco APIC completely controls the distributed virtual switches and port groups. In other words, do not create port groups manually. APIC programs the Avi SE's vNICs to place them in the proper EPGs or port groups.

5 Virtual Service Deployment

Creating a service graph template
1. Select the tenant in which you deployed the Avi Controller.
2. Navigate to L4-L7 Services > L4-L7 Service Graph Templates.
3. Click Actions and select Create an L4-L7 Service Graph Template (Advanced) on the pull-down menu.
4. Provide a name for the graph template.
5. Drag ADCTier1 under the Avi device from the left pane, drop it in the main window, and select AviADCTier1 on the pull-down menu for Node Properties. Do the same for ADCTier2.
6. Connect the Consumer EPG with the external connector of ADCTier1, the intermediate connectors to each other, and the Provider EPG with the internal connector of ADCTier2 (Figure 9). While connecting nodes, choose L2 for Adjacency Type and check Unicast Route.
Figure 9 Service Graph template
7. Under the graph template, navigate to Function Node N1 external and select ADCTier1/external on the Meta Connector pull-down menu. Navigate to Function Node N1 internal and select ADCTier1/intermediate (Figure 10).
Figure 10 Function Connectors
8. Similarly, navigate to Function Node N2 external and select ADCTier2/intermediate on the Meta Connector pull-down menu. Navigate to Function Node N2 internal and select ADCTier2/internal.
9. After these changes, the graph template should look like Figure 11.
Figure 11 Service Graph Template

Creating a contract and applying it to EPGs
Create a contract for the load balancing policy that uses the graph template.
1. Select the tenant in which you deployed the Avi Controller.
2. Navigate to Security Policies > Contracts in the left pane.
3. Click Actions and select Create Contract on the pull-down menu.
4. Provide a name for the contract and add a subject with filters and the graph template created previously (Figure 12).
5. Associate the contract with a consumer EPG and a provider EPG. The provider EPG must contain the servers to be load balanced.
Figure 12 Creating a Contract

Configuring a load balancing virtual service, using Avi UI
Create a VS in the tenant in which you deployed the Avi CADP device package, or in a tenant to which you exported the device package.
1. Click admin in the top right corner and select a tenant (Figure 13).
2. Navigate to Applications > Dashboard.
3. Click New Virtual Service and select Basic Setup on the pull-down menu.
4. On the New Virtual Service edit menu, select a graph instance in the Name field; instances are identified as <contract name>:<graph name> (Figure 14).
5. Check EPG on the Select Server menu.
6. On the APIC EPG pull-down menu, select the EPG that contains the servers to be load balanced.
7. Click Save.
Note: It can take up to 3 minutes for the VS to come online, because a new concrete device needs to be added.
Figure 13 Selecting a tenant
Figure 14 Creating a Virtual Service for load balancing