Global routed mode lets you use BIG-IP device(s) as edge load balancer(s) for your OpenStack cloud.
This mode generally applies to BIG-IP device(s) that have an L2 connection to the OpenStack external provider network.
Because all tenants are in the BIG-IP global route domain (rd0
),
Global routed mode uses BIG-IP Local Traffic Manager (LTM) secure network address translation (SNAT) ‘automapping’ to route traffic for OpenStack Neutron tenants.
Important
SNAT automap allocates existing self IP addresses into a SNAT pool. Be sure to create enough self IPs to handle anticipated connection loads before deploying the F5 agent in global routed mode. [1]
Important
The F5 agent cannot read existing BIG-IP configurations or non-Neutron network configurations. Be sure to set up the configuration file to correctly reflect the existing network architecture and the BIG-IP system configurations.
Edit the F5 Agent Configuration File
Use your text editor of choice to edit the F5 Agent Configuration File as appropriate for your environment.
vim /etc/neutron/services/f5/f5-openstack-agent.ini
Set the desired F5 agent configuration parameter(s). The example below represents the settings used in the F5 agent functional tests.
###############################################################################
# Copyright 2015-2017 F5 Networks Inc.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
#
###############################################################################
#
# ############
# ################
# ###/ _ \###| |#
# ###| |#| |##| |######
# ####| |######| |######
# ##| |####\ \### AGILITY YOUR WAY!
# ####| |#########| |###
# ####| |#########| |##
# ###| |########/ /##
# #| |####| /##
# ##############
# ###########
#
# NETWORKS
#
###############################################################################
#
[DEFAULT]
#
debug = True
#
#periodic_interval = 10
#
# How often should the agent throw away its service cache and
# resync assigned services with the neutron LBaaS plugin.
#
service_resync_interval = 300
#
###############################################################################
# Environment Settings
###############################################################################
#
# Since many TMOS object names must start with an alpha character
# the environment_prefix is used to prefix all service objects.
#
environment_prefix = 'Test'
#
###############################################################################
# Static Agent Configuration Setting
###############################################################################
#
# Static configuration data to sent back to the plugin. This can be used
# on the plugin side of neutron to provide agent identification for custom
# pool to agent scheduling. This should be a single or comma separated list
# of name:value entries which will be sent in the agent's configuration
# dictionary to neutron.
#
static_agent_configuration_data =
#
###############################################################################
# Device Setting
###############################################################################
#
# HA mode
#
# Device can be required to be:
#
# standalone - single device no HA
# pair - active/standby two device HA
# scalen - active device cluster
#
f5_ha_type = standalone
#
###############################################################################
# L2 Segmentation Mode Settings
###############################################################################
#
# Device VLAN to interface and tag mapping
#
# For pools or VIPs created on networks with type VLAN we will map
# the VLAN to a particular interface and state if the VLAN tagging
# should be enforced by the external device or not. This setting
# is a comma separated list of the following format:
#
# physical_network:interface_name:tagged, physical:interface_name:tagged
#
f5_external_physical_mappings = default:1.1:True
#
# VLAN device and interface to port mappings
#
vlan_binding_driver =
#
interface_port_static_mappings =
#
# Device Tunneling (VTEP) Self IPs
#
# This is the name of a BIG-IP self IP address to use for VTEP addresses.
#
#f5_vtep_folder = 'Common'
#f5_vtep_selfip_name = 'selfip.client'
#
# Tunnel types
#
#advertised_tunnel_types = vxlan
#
# Static ARP population for members on tunnel networks
#
f5_populate_static_arp = false
#
# Device Tunneling (VTEP) selfips
#
l2_population = True
#
# Hierarchical Port Binding
#
# If hierarchical networking is not required, these settings must be commented
# out or set to None.
#
# f5_network_segment_physical_network =
#
# f5_network_segment_polling_interval = 10
#
# f5_pending_services_timeout = 60
#
###############################################################################
# L3 Segmentation Mode Settings
###############################################################################
#
# Global Routed Mode - No L2 or L3 Segmentation on BIG-IP
#
# This setting will cause the agent to assume that all VIPs
# and pool members will be reachable via global device
# L3 routes, which must be already provisioned on the BIG-IPs.
#
f5_global_routed_mode = True
#
# This setting is forced to False if f5_global_routed_mode = True
use_namespaces = False
#
# max_namespaces_per_tenant = 1
# f5_route_domain_strictness = False
#
# SNAT Mode and SNAT Address Counts
#
# This setting will force the use of SNATs.
# This setting will be forced to True if
# f5_global_routed_mode = True.
#
f5_snat_mode = True
#
# This setting will be forced to 0 (zero) if
# f5_global_routed_mode = True.
#
f5_snat_addresses_per_subnet = 0
#
# Common Networks
#
# This setting causes all network objects to be created in the /Common
# partition
#
f5_common_networks = False
#
# These settings are overruled when f5_common_external_networks = True
#
# This setting will cause all networks with
# the router:external attribute set to True
# to be created in the Common partition and
# placed in route domain 0.
#
f5_common_external_networks = True
#
common_network_ids = <Neutron_external_net_UUID>:external
#
# L3 Bindings
#
l3_binding_driver =
#
l3_binding_static_mappings =
#
###############################################################################
# Device Driver Setting
###############################################################################
#
f5_bigip_lbaas_device_driver = f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver.iControlDriver
#
###############################################################################
# Device Driver - iControl Driver Setting
###############################################################################
#
icontrol_hostname = DEVICE_IP
#
icontrol_username = USERNAME
#
icontrol_password = PASSWORD
#
###############################################################################
# Certificate Manager
###############################################################################
# COMMENT OUT THIS ENTRY IF NOT USING BARBICAN TO MANAGE CERTS
#
cert_manager = f5_openstack_agent.lbaasv2.drivers.bigip.barbican_cert.BarbicanCertManager
#
# Two authentication modes are supported for BarbicanCertManager:
# keystone_v2, and keystone_v3
#
# Keystone v2 authentication:
#
# auth_version = v2
# os_auth_url = http://localhost:5000/v2.0
# os_username = USERNAME
# os_password = PASSWORD
# os_tenant_name = PROJECT
#
#
# Keystone v3 authentication:
#
auth_version = v3
os_auth_url = http://localhost:5000/v3
os_username = USERNAME
os_password = PASSWORD
os_user_domain_name = default
os_project_name = PROJECT
os_project_domain_name = default
#
#
# Parent SSL profile name
#
# An existing BIG-IP SSL profile you want to use as the parent SSL profile
# for the client SSL profiles created for TERMINATED_HTTPS LBaaS listeners.
#
f5_parent_ssl_profile = clientssl
#
Restart the F5 agent service.
systemctl restart f5-openstack-agent
service f5-oslbaasv2-agent restart
See F5 Agent modes for detailed information regarding each of the Agent’s modes of operation and example use cases.
Footnotes
[1] | In an overcloud deployment, BIG-IP Virtual Edition (VE) may allocate IP addresses automatically. |