
L2-adjacent mode

L2-adjacent mode (f5_global_routed_mode = False) is the default mode of operation for the F5 Agent for OpenStack Neutron (F5 agent). The F5 agent does not automatically detect any network or BIG-IP configurations. You must provide the appropriate L2/L3 network settings for your BIG-IP device(s) in the L2 segmentation mode and L3 segmentation mode sections of the F5 agent configuration file.


Prerequisites

You should have VLANs and VxLAN or GRE tunnels configured as appropriate for your environment. If you’re using GRE or VxLAN tunnels, you must have a BIG-IP Better or Best license that supports SDN.

Warning

Many L3 segmentation mode parameters depend on other configuration parameters. Read the text in the F5 Agent Configuration File carefully before changing these settings to ensure they don’t conflict.

Configuration

  1. Edit the F5 Agent Configuration File.

    Use your text editor of choice to edit the F5 Agent Configuration File as appropriate for your environment.

    vim /etc/neutron/services/f5/f5-openstack-agent.ini

  2. Set up the Device driver settings and HA mode.
  3. Set up the appropriate L2- and L3-segmentation settings for your deployment.

Interface and port mapping

f5_external_physical_mappings

Maps Neutron networks with type VLAN to a specific BIG-IP interface. It follows the format physical_network:interface_name:tagged, where:

  • physical_network is the external provider network (Neutron’s provider:physical_network).
  • interface_name is the name of a BIG-IP interface or LAG trunk.
  • tagged is a boolean indicating whether or not the BIG-IP should enforce VLAN tagging.

# standalone example:
f5_external_physical_mappings = default:1.1:True
#
# pair or scalen example:
f5_external_physical_mappings = default:1.3:True

Note

If using pair or scalen on a 3-NIC device, use interface 1.3. Interface 1.1 usually maps to an external VLAN and 1.2 to internal VLANs.
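
A parser for the physical_network:interface_name:tagged format described above, as an added example (not code from the F5 agent). The names parse_physical_mappings and untagged are hypothetical, and accepting several comma-separated entries is an assumption of this example.

```python
from collections import namedtuple

Mapping = namedtuple("Mapping", "physical_network interface tagged")

def parse_physical_mappings(value):
    """Parse 'physical_network:interface_name:tagged' entries into Mapping tuples.

    Accepting several comma-separated entries is an assumption of this example.
    Raises ValueError on anything that does not match the documented format.
    """
    mappings, seen = [], set()
    for entry in (e.strip() for e in value.split(",")):
        parts = entry.split(":")
        if len(parts) != 3 or not all(p.strip() for p in parts):
            raise ValueError(f"expected physical_network:interface_name:tagged, got {entry!r}")
        network, interface, tagged = (p.strip() for p in parts)
        if tagged.lower() not in ("true", "false"):
            raise ValueError(f"tagged must be True or False in {entry!r}")
        if network in seen:
            raise ValueError(f"physical network {network!r} mapped twice")
        seen.add(network)
        mappings.append(Mapping(network, interface, tagged.lower() == "true"))
    return mappings

def untagged(mappings):
    """Physical networks whose mapping does not have the BIG-IP enforce VLAN tagging."""
    return [m.physical_network for m in mappings if not m.tagged]
```

Running this over a candidate value before restarting the agent catches a malformed entry or an unintended untagged mapping early.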

vlan_binding_driver

Binds tagged VLANs to specific BIG-IP ports. For example, if an LBaaS iControl endpoint uses tagged VLANs, and you add a VLAN tagged network to a specific BIG-IP device, the facing switch port needs to allow traffic for that VLAN tag through to the correct BIG-IP port.

Caution

This setting requires a custom software hook. If you choose to write one, keep the following in mind:

  • A vlan_binding_driver class must reference an iControl VLANBindingBase subclass.
  • You must provide the methods to bind VLAN tags to ports and prune unused VLAN tags.

# the path to your custom software hook
vlan_binding_driver = f5-openstack-agent.drivers.bigip.vlan_binding.MyBindingDriver

Tunneling

f5_vtep_

  • f5_vtep_folder: The name of the BIG-IP partition in which the VTEP (VxLAN tunnel endpoint) resides; the default partition is /Common.
  • f5_vtep_selfip_name: The name of the VTEP self IP.

Can be a single entry or a comma-separated list (one per BIG-IP device); must be in CIDR (h/m) format. The VTEP self IPs must already exist on the BIG-IP device(s).

# Device Tunneling (VTEP) selfips
#
f5_vtep_folder = Common
f5_vtep_selfip_name = my_vtep
#

Hint

If you’re not using GRE or VxLAN tunneling, you can comment these settings out or set both to None.

advertised_tunnel_types

Tells the F5 agent what type of tunnel(s) connect the BIG-IP device(s) to controller/compute node(s) in OpenStack (GRE or VxLAN). This can be a single entry or comma-separated values. If you are not using tunnels, leave this setting blank.

Note

The F5 Agent for OpenStack Neutron creates profiles for all available tunnel types on the BIG-IP device(s) when you start it for the first time. See Neutron to BIG-IP command mapping for more information.

# Tunnel types
#
# If you are using only gre tunnels:
#
advertised_tunnel_types = gre
#
# If you are using only vxlan tunnels:
#
advertised_tunnel_types = vxlan
#
# If you are using both gre and vxlan tunnel networks:
#
advertised_tunnel_types = gre,vxlan
#
# If you are NOT using tunnel networks (vlans only):
#
advertised_tunnel_types =
#

Routing

f5_populate_static_arp

A boolean indicating whether or not you want to create static ARP entries for pool member IP addresses on VxLAN or GRE tunnel networks.

The static ARP entry is in addition to the tunnel forwarding database (FDB) entry for the pool member. It helps avoid the need to learn the member’s MAC address via flooding.

# Static ARP population for members on tunnel networks
#
f5_populate_static_arp = True
#

l2_population

A boolean indicating whether or not the BIG-IP device should use the L2 population service to update FDB tunnel entries.

Important

If you’re running any other OpenStack tunnel agents, be sure to set all of them up the same way.

#
l2_population = True
#

use_namespaces

A boolean indicating whether or not the BIG-IP should use tenant routing tables to route traffic. Set this value to True to allow overlapping subnet IP addresses.

#
use_namespaces = True
#

max_namespaces_per_tenant

An integer indicating the maximum number of route domains allowed per tenant. This allows a tenant to have overlapping IP subnets.

#
max_namespaces_per_tenant = 1
#

f5_route_domain_strictness

A boolean indicating whether VIPs and members in different tenants can communicate with each other. Set this value to True to force the BIG-IP to prefer tenant routing tables over the global routing table and provide tenant isolation.

#
f5_route_domain_strictness = False
#

f5_snat_mode

A boolean indicating whether or not to use SNATs.

f5_snat_addresses_per_subnet

An integer indicating the number of self IP addresses the BIG-IP device should add to a SNAT pool for each subnet.

#
f5_snat_mode = True
#
f5_snat_addresses_per_subnet = 1
#

f5_common_external_networks

A boolean that controls how the BIG-IP device routes traffic on Neutron networks. Set this value to True to use the global routing table for traffic on all Neutron networks with the external router type.

#
f5_common_external_networks = True
#

common_network_ids

A ‘name-value’ pair mapping BIG-IP VLANs to Neutron networks; multiple values can be comma-separated. The first value is the Neutron network ID; the second is the BIG-IP network name.

For example, if the Internet VLAN on your BIG-IP device, /Common/external, has the Neutron uuid 71718972-78e2-449e-bb56-ce47cc9d2680, the entry would look like this:

# Common Networks
#
common_network_ids = 71718972-78e2-449e-bb56-ce47cc9d2680:external
#

You can separate multiple values with commas, as shown below.

#
common_network_ids = 71718972-78e2-449e-bb56-ce47cc9d2680:external,396e06a0-05c7-4a49-8e86-04bb83d14438:vlan1222
#

l3_binding_driver

A software hook that binds L3 addresses to specific ports, allowing communications between Nova guest instances.

Important

If you’re managing overcloud BIG-IP VE instances, uncomment this line in the F5 Agent Configuration File.

#
l3_binding_driver = f5_openstack_agent.lbaasv2.drivers.bigip.l3_binding.AllowedAddressPairs
#
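
The tunneling and routing settings above depend on one another and decide how far tenants are isolated. The following added example (not part of the F5 agent; load_settings, audit and the [DEFAULT] section header are assumptions, and the sample file is constructed) reads an agent configuration and reports the combinations this page calls out.

```python
import configparser
import uuid

# Constructed sample, not a real deployment. The [DEFAULT] section header is an
# assumption of this example; the page shows only the individual settings.
SAMPLE_INI = """
[DEFAULT]
advertised_tunnel_types = gre,vxlan
f5_vtep_folder = None
f5_vtep_selfip_name = None
use_namespaces = True
f5_route_domain_strictness = False
f5_common_external_networks = True
common_network_ids = 71718972-78e2-449e-bb56-ce47cc9d2680:external,not-a-uuid:vlan1222
"""

def load_settings(ini_text):
    """Return the [DEFAULT] options as a dict, mapping blank and 'None' values to None."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(ini_text)
    return {k: (None if v.strip() in ("", "None") else v.strip())
            for k, v in parser.defaults().items()}

def audit(settings):
    """Return findings for the setting dependencies and isolation options described on the page."""
    def flag(key):
        return (settings.get(key) or "").lower() == "true"
    findings = []
    tunnels = [t.strip() for t in (settings.get("advertised_tunnel_types") or "").split(",") if t.strip()]
    vtep_set = bool(settings.get("f5_vtep_folder") and settings.get("f5_vtep_selfip_name"))
    findings += [f"unknown tunnel type {t!r}" for t in tunnels if t not in ("gre", "vxlan")]
    if tunnels and not vtep_set:
        findings.append("tunnel types advertised but VTEP folder/self IP not set")
    if vtep_set and not tunnels:
        findings.append("VTEP settings present but no tunnel type advertised")
    if not flag("f5_route_domain_strictness"):
        findings.append("f5_route_domain_strictness is not True: tenant isolation not enforced")
    if flag("f5_common_external_networks"):
        findings.append("external networks are routed through the global routing table")
    for pair in filter(None, (settings.get("common_network_ids") or "").split(",")):
        net_id, _, name = pair.strip().partition(":")
        try:
            uuid.UUID(net_id)
        except ValueError:
            findings.append(f"common_network_ids: {net_id!r} is not a Neutron network UUID")
        if not name:
            findings.append(f"common_network_ids: no BIG-IP network name for {net_id!r}")
    return findings
```

Calling audit(load_settings(SAMPLE_INI)) returns four findings for the constructed sample; a finding is a prompt to confirm the setting is intentional, not necessarily an error.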

Software-defined networking

f5_network_segment_physical_network

The name of the network segment where the BIG-IP device resides.

f5_network_segment_polling_interval

The number of seconds to wait between polling Neutron for a network_id to segmentation_id mapping (default=10).

f5_pending_services_timeout

The maximum number of seconds to wait for network discovery before a pending service errors out (default=60).

Tip

These Hierarchical Port Binding settings allow you to integrate and manage SDN services using F5 LBaaS. If you’re not using this feature, comment out all three settings, or set them to None, to avoid errors.

# Hierarchical Port Binding
#
f5_network_segment_physical_network = <switch_name>
#
# Periodically scan for disconnected listeners (a.k.a. virtual servers).  The
# interval is number of seconds between attempts.
#
f5_network_segment_polling_interval = 10
#
f5_pending_services_timeout = 60
#

Learn more

Example Use Case

Typically, the F5 Agent for OpenStack Neutron manages one (1) or more BIG-IP devices deployed in the services tier of an external provider network. The BIG-IP devices may have direct lines of communication with nodes in the OpenStack cloud (VXLAN or GRE tunnels) or they may connect to the same VLAN subnet(s) as OpenStack nodes.

The L2-adjacent BIG-IP cluster diagram shows a BIG-IP device cluster as part of an L3-routed network external to the OpenStack cloud. VXLAN or GRE tunnels connect OpenStack nodes directly to the device cluster.

L2-adjacent BIG-IP device cluster

The F5 agent can also manage BIG-IP Virtual Edition (VE) instances deployed ‘over the cloud’ (or overcloud) using L2-adjacent mode. These VE instances would connect to individual OpenStack nodes via VLANs, as opposed to VXLAN or GRE tunnels. This type of deployment is commonly used as part of a software-defined networking (SDN) solution, such as with Cisco ACI.

Important

The F5 agent L2/L3 segmentation mode settings must match the configurations of your existing external network and BIG-IP device(s).

Next steps

  • If this is your initial launch, start the F5 agent.
  • If you have updated the configurations for a running F5 agent, restart the service:
    • CentOS: systemctl start f5-openstack-agent
    • Ubuntu: service f5-oslbaasv2-agent start

See the F5 Integration for OpenStack documentation for more information.