User Guide: Avi Networks Cloud Application Delivery Platform Integration with Cisco ACI / APIC June 2015 Table of Contents 1 Introduction Purpose Products 2 Avi Networks Cloud Application Delivery Platform (CADP) Components 3 Integration with Cisco APIC Cisco ACI and APIC Service Graph Device Package 4 Installation Avi Controller OVA deployment Avi Controller configuration Avi SE IP address pool Verification of device package on Cisco APIC 5 Virtual Service Deployment Creating a service graph template Adding logical interfaces Creating a contract and applying it to EPGs Creating a device selection policy Configuring a virtual service, using Avi UI 6 Troubleshooting Initial configuration failures Pool/VS not Up Common Pitfalls with APCI/vCenter Installations 2 1 Introduction Purpose This document describes how to deploy Avi Networks Cloud Application Delivery Platform with the Cisco Application Policy Infrastructure Controller, using VMware vCenter as Cisco APIC’s Virtual Machine Manager (VMM), and includes common troubleshooting steps. Products Product Versions Avi Networks CADP and device package for Cisco 15.1.1 or later APIC Cisco APIC 1.03f or later VMware vCenter 5.1, 5.5 2 Avi Networks Cloud Application Delivery Platform (CADP) Avi Networks CADP is a software-based solution that provides real-time analytics and elastic application delivery services, such as user-to-application timing, SSL termination, and load balancing. Components Avi Networks CADP is a fully distributed, virtualized system that consists of Avi Controller and Avi Service Engines (SEs), running as virtual machines (VMs). ● Avi Controller o A virtual machine that acts as a single point of control and management, providing GUI (Avi UI), analytics, and APIs. It manages the life cycle of Avi SEs by creating, ​ ​ controlling, and deleting them. It stores and manages all policies related to services and management. Avi Controller is also a single point of contact exposed to other cloud platforms and SDN controllers. For example, it communicates with VMware vCenter, the OpenStack controller, and Cisco APIC. ● Avi Service Engine (SE) o A virtual machine that takes actual user traffic and provides application delivery services while collecting real time metrics for user-to-application timing. An Avi SE is created, plumbed into network, and provisioned with a service policy dynamically by Avi Controller as required to deploy a virtual service (VS). The virtual service is a combination of an IP address and TCP/UDP port number that represents a load balancing service. 3 Note: Avi Controller embeds the device package for Cisco APIC and automatically installs it into Cisco ​ APIC as part of its installation. 3 Integration with Cisco APIC Cisco ACI and APIC The Cisco Application Centric Infrastructure (ACI) is a distributed overlay network that is built on multipath leaf and spine switching nodes. Endpoint devices, such as servers and firewalls, are connected to leaf nodes. The Cisco Application Policy Infrastructure Controller (APIC) provides a single point of control and a repository of policy data for Cisco ACI. It communicates with Cisco ACI spine and leaf nodes to create isolated tenant networks, set up network paths, and insert network services, such as Layer 4 to 7 and security functions between endpoint devices. In the Cisco ACI policy model, endpoint groups (EPGs) represent a set of terminal objects or communication endpoints, such as clients and servers. Objects in the same EPG can communicate with each other freely, but objects in different EPGs must have a contract for communication. The contract defines traffic filtering rules and can include a service graph to offer network functions, such as Layer 4–7 services. Service Graph A service graph defines a list of functions and specifies that the path from one EPG to another EPG must pass through the functions. Avi Networks CADP provides inline analytics, application visibility, SSL termination, load balancing, and content acceleration services. IT admins can enable all of these features by including function nodes called ADCTier1 and ADCTier2 in a service graph. This two-node approach allows a virtual service to scale out in real time. Cisco APIC translates a service graph into a network path by associating it with concrete devices, allocating necessary bridge domains, and configuring IP addresses on the interfaces of the devices (Figure 1). In this model, Avi SEs represent concrete devices and Avi Controller acts as a single management point to interact with Cisco APIC. Device Package Avi Networks Device Package for Cisco APIC allows you to insert Avi Networks’ CADP services in Cisco ACI fabric. Avi Controller includes the device package and automatically uploads it to Cisco APIC and creates logical devices as part of its installation. 4 Figure 1 Service Graph Rendering Avi Controller adds Avi SEs to the device cluster dynamically by interacting with VMware vCenter, as a user configures ADC policies. ADC policies, such as SSL termination and load-balancing policies exist on Avi Controller, whereas network policies exist on APIC controller. 4 Installation In this installation procedure, we use VMware vCenter as Cisco APIC’s Virtual Machine Manager (VMM) to deploy Avi Networks CADP. For successful installation, you need: ● Avi Networks CADP software release 15.1 ● Cisco APIC and VMware vCenter admin credentials Avi Controller needs to access Cisco APIC and VMware vCenter to automatically install its device package, create an L4-L7 device cluster, and spin up an Avi SE. The installation procedure consists of three steps: ● Deploy an OVA file of Avi Controller. ● Configure initial settings via browser. ● Assign at least two IP addresses to a pool for Avi SE use. Avi Controller OVA deployment Log in to your vCenter server via a vCenter client. Using the vCenter client, deploy the OVA file of Avi Controller. 1. Click File on the top menu and choose Deploy OVF Template. ​ ​ ​ ​ 5 2. Follow the instructions of the Deploy OVA Template wizard. ​ ​ 3. Provide the location of the Avi Controller OVA file. 4. Provide the name of Avi Controller and specify the target ESX host to deploy. 5. Choose Thick Provision Lazy Zeroed for disk format. ​ ​ 6. Choose a port group for Destination Networks in Network Mapping. This port group will be ​ ​​ ​ used by Avi Controller to communicate with your vCenter. 7. Specify the management IP address and default gateway. The management IP address must be of the CIDR format, e.g., 10.10.2.10/24. Do not leave them empty. 8. Power on the VM. Avi Controller configuration Connect to Avi Controller via browser. Follow the instructions of the setup wizard. 1. Create an administrator account. 2. Enter DNS server and NTP server information. 3. Choose VMware as your infrastructure ​ ​ a. Enter your vCenter IP address and credentials. b. Choose Write for permission and select the check box for Integration with Cisco ​ ​ ​ APIC. 4. Provide the Cisco APIC information (Figure 2). a. Enter your APIC IP address and credentials. b. Enter an APIC tenant in which Avi Networks CADP will be deployed. c. Enter the APIC VMM Domain name. Note that if APIC has multiple VMM Domains, the  ​ Domain name here should match the vCenter that Avi Controller was configured with in  the previous step Figure 2 vCenter and APIC integration 6 5. Select a data center to deploy Avi SEs. 6. Select Default Network IP Address Management as static or DHCP which will be used in ​ ​​ ​ ​ ​ Step 9. ​ 7. User can select to prefer static routes instead of directly connected networks for Virtual Service placement. 8. User can also select to use Static Routes to resolve VIP for Virtual Service placement. 9. Select a management network. a. If user selects Static for Default Network IP Address Management. ​ ​ ​ i. Enter an IP subnet for the management network. ii. Enter an IP address pool. Avi Controller will pick an IP from the pool and assign it to the management interface of an Avi SE. b. If user selects DHCP for Default Network IP Address Management then, DHCP ​ ​ server will IP address for Avi Controller & Avi SEs management communication. 10. Select Service Engine Location folder in vCenter. NOTE: If User is statically managing “Management network IP addresses” then user needs to configure default gateway by going to Infrastructure, network and then static routes. Avi SE IP address pool Avi SE has 10 vNICs. The first vNIC is the management vNIC via which Avi SE communicates with Avi Controller. The rest of vNICs called data vNICs are used to take user traffic. After spinning up an Avi SE, Avi Controller connects the Avi SE’s management vNIC to the network specified as management during the initial configuration; the data vNICs to networks according to virtual service IP and pool member configuration. To perform this network plumbing automatically, Avi Controller builds a table with mapping information between port groups and IP subnets. Using this table, Avi Controller is able to connect Avi SE’s data vNICs to port groups that match a VS network and pool network. After connected to port groups, the data vNICs need to be assigned an IP address. Assign a static IP address pool to port groups: 1. Log in to the Avi Controller via browser. 2. Select Infrastructure from the pull-down menu on the top left corner. ​ ​ 3. Select the Networks tab. ​ ​ 4. Find out a bridge domains in which your servers are connected. 5. Select the bridge domain network by clicking the edit icon on the right end. 6. Check Static on Network IP Address Management. ​ ​ ​ 7. Select an IP subnet by clicking the edit icon. 8. Enter a static IP address or a range (Figure 3). 7 9. If new pool members are added in different bridge domain then, user is required to repeat steps 6 till 8. Avi Controller picks an IP address from the range and adds it to the data vNIC connected to the port group. Add default and static routes for Service engines. If the SE’s management subnet will differ from the Controller’s management subnet, you may need to provide a default route to allow the SE’s to communicate with the controller. Similarly, If the servers are in a different subnet than the ip pools provided to the Controller, you may need to configure static routes to allow the SE’s to communicate with the backend servers. If this is the case and static routes are not configured, the Avi Controller will not place the VS. A default route will not be used in VS placement decisions. 1. Navigate to infrastructure> Networks> Static Routes and configure both a default gateway and any necessary static routes. 8 Verification of device package on Cisco APIC Avi Controller automatically installs its device package after the initial settings are done. Verify that Avi CADP’s device package is installed into the Cisco APIC. ● Click L4-L7 Services. ​ ● Expand L4-L4 Service Device Types on the left pane and verify that the Avi CADP device ​ ​ package is available (Figure 4). Figure 4 Device Package verification 9 5 Virtual Service Deployment Creating a service graph template 1. Select the tenant in which you deployed an Avi Controller. 2. Navigate to L4-L7 Services – L4-L7 Service Graph Templates. ​ ​​ 3. Click Actions and select on the pull-down menu Create an L4-L7 Service Graph Template ​ (Advanced). ​ 4. Provide a name for the graph template. 5. Drag ADCTier1 under the Avi device from the left pane, drop to the main window, and select AviADCTier1 on the pull-down menu for Node Properties. Do the same for ADCTier2. 6. Connect Consumer EPG with the external connector of ADCTier1, the intermediate connectors to each other, and Provider EPG with the internal connector of ADCTier2 (Figure 5). Figure 5 Service Graph template 7. Under the graph template, navigate to Function Node N1 – external and select ​ ​ ADCTier1/external on the Meta Connector pull-down menu. Navigate to Function Node N1 ​ ​ ​ ​ – internal and select ADCTier1/intermediate (Figure 6). ​ ​ ​ 10