Blueprint inputs reference guide¶
Depending upon your solution, copy and paste one of the following inputs code samples into a yaml file, and then save the file locally. You will upload this inputs file when deploying the F5 blueprint.
- Gi LAN and Gi Firewall solution inputs file These two solution blueprints use the same set of inputs.
- VNFM Base inputs file
Sample Gi LAN inputs file for both Gi LAN and Gi Firewall solutions¶
- Copy and paste the following code sample into a new YAML file, which you will use for the F5 blueprint for the Gi LAN Solution and/or Gi Firewall solution.
- Change the values according to your application and network requirements, and then save it locally.
- Following the inputs.yaml file code sample, you will find F5 AS3 declaration samples that you can use to help define your application delivery controller for BIG-IP in tenant- and application-oriented terms:
- Sample Gi LAN AS3 declaration and related Application Delivery Controller (ADC), F5 AS3 declaration
- Sample Gi Firewall AS3 declaration and related Application Delivery Controller (ADC), F5 AS3 declaration
- Once completed, you will upload this inputs file into F5 VNF Manager to auto-complete the F5 blueprint. Learn more about these parameter descriptions.
# VNF Resource Information Collector inputs
ric_purchasing_model: perpetual
ric_vnfm_serial:
# vnf inputs
auto_last_hop: "disabled"
ctrl_net: control
ctrl_subnet: control
ha_net: ha
ha_subnet: ha
# optional inputs:
bgp_dag_pgw_peer_ip: 192.168.1.103
bgp_vnf_pgw_peer_ip: 192.168.21.11
bgp_pgw_peer_as: '200'
bgp_dag_egw_peer_ip: 192.168.11.104
bgp_egw_peer_as: '300'
# min/max total number of 'instances' that can be created during scale out
# min/max dag group members
max_scale_dag_group: '1000'
# min/max
max_scale_vnf_group: '1000'
# max number of times that a heal can be tried before giving up.
max_heal_vnfd_dag_ve: '5'
max_heal_vnf_layer: '5'
max_heal_vnf_slave_ve: '5'
# vnf layer scaling inputs
vnf_layer_cpu_threshold: '75'
vnf_layer_cpu_threshold_check_interval: '1'
# vnf group scaling inputs
vnf_group_throughput: '10'
vnf_group_throughput_threshold: '75'
vnf_group_throughput_check_interval: '1'
# dag group scaling inputs
dag_group_cpu_threshold: '75'
dag_group_cpu_threshold_check_interval: '1'
# monitoring inputs
floating_network_id: fa541932-4156-4185-8344-a961cf4c8e41
# common inputs
manager_mgmt_host: 10.10.2.16
default_gateway: 10.10.12.1
sw_ref_dag:
data:
image: bigip-13.1.0.5-0.0.5.all_1slot
flavor: f5.cloudify_small
availability_zone: nova
revision: 0
sw_ref_vnf:
data:
image: bigip-13.1.0.5-0.0.5.all_1slot
flavor: f5.cloudify_medium
availability_zone: nova
revision: 0
sw_ref_nagios:
data:
image: CentOS-7-x86_64-GenericCloud
flavor: f5.cloudify_small
availability_zone: nova
revision: 0
bigip_os_ssh_key: mysshkey
tenant:
manager_rest_host: 'string'
manager_rest_username: 'string'
manager_rest_password: 'string'
manager_rest_tenant: 'string'
# big-iq license manager
big_iq_host: 10.190.54.148
big_iq_lic_pool: vnfm-4
# security groups in openstack
ctrl_sg_name: allow_22
mgmt_sg_name: allow_22
pgw_sg_name: allow_22
pdn_sg_name: allow_22
snmp_sg_name: allow_22
# networks in openstack
mgmt_net: mgmt
mgmt_subnet: mgmt
pgw_net: pgl
pgw_subnet: pgl
pdn_net: pdn
pdn_subnet: pdn
pgw_dag_net: vnfs
pgw_dag_subnet: vnfs
pdn_dag_net: vnfe
pdn_dag_subnet: vnfe
ntp_server: 132.163.96.1
timezone: 'string'
# configuration of the f5 vnf service layers in as3 declaration format
# example: your firewall configuration.
# example: your subscriber based policy enforcement configuration.
vnf_as3_nsd_payload: ""
Sample Gi LAN AS3 Declaration¶
The following YAML code sample, is an example of an AS3 declaration that you can use to help you define the desired configuration for your Gi LAN application delivery controller (ADC), such as F5 BIG-IP in tenant- and application-oriented terms. Learn more about F5 AS3 declaration.
vnf_as3_nsd_payload:
class: ADC
schemaVersion: 3.0.0
id: cfy_vnf_01
label: vnf
remark: VNF
f5vnf:
class: Tenant
Shared:
class: Application
template: shared
profileDiameterEndpointOcs:
class: Enforcement_Diameter_Endpoint_Profile
supportedApps:
- Gy
destinationRealm: f5net.com
originHost: pcef.f5net.com
originRealm: f5net.com
profileDiameterEndpointPcrf:
class: Enforcement_Diameter_Endpoint_Profile
supportedApps:
- Gx
destinationRealm: f5net.com
originHost: pcef.f5net.com
originRealm: f5net.com
endpointForwarding:
addressTranslationEnabled: False
class: Enforcement_Forwarding_Endpoint
defaultPersistenceType: disabled
fallbackPersistenceType: disabled
persistenceHashSettings:
length: 1024
offset: 0
pool:
use: poolForwarding
portTranslationEnabled: False
sourcePortAction: preserve
endpointInterception:
class: Enforcement_Interception_Endpoint
persistence: disabled
pool:
use: poolInterception
endpointServiceChain:
class: Enforcement_Service_Chain_Endpoint
serviceEndpoints:
- forwardingEndpoint:
use: endpointForwarding
name: myServiceEndpoint
sourceVLAN:
bigip: /Common/vnfs
steeringPolicy:
use: policyEnforcement
poolForwarding:
class: Pool
members:
- enable: True
serverAddresses:
- 255.255.255.2
servicePort: 8081
poolInterception:
class: Pool
members:
- enable: True
serverAddresses:
- 255.255.255.1
servicePort: 8080
lbSelectedRule:
class: iRule
iRule: when LB_SELECTED {log local0. "Selected server [LB::server]"}
remark: Log load balanced server
policyEnforcement:
allTransactions: False
class: Enforcement_Policy
enable: True
rules:
- name: testPolicyRule1
precedence: 1
modifyHttpHeader:
headerName: myHeaderName
operation: insert
valueContent: myHeaderValue
valueType: string
tcpAnalyticsEnabled: True
tcpOptimizationDownlink:
use: profileTcpClient
tcpOptimizationUplink:
use: profileTcpServer
- name: testPolicyRule2
precedence: 1
dscpMarkingDownlink: 0
dscpMarkingUplink: 0
classificationFilters:
- application:
bigip: /Common/acrobat
invertMatch: True
name: testClassFilter1
- category:
bigip: /Common/Audio
invertMatch: True
name: testClassFilter2
gateStatusEnabled: True
policyEnforcementDefault:
class: Enforcement_Policy
rules:
- name: enforcementPolicyRuleDefault
precedence: 10
profileClassification:
class: Classification_Profile
preset:
bigip: /Common/ce_pem
profileIPOther:
class: IP_Other_Profile
profileSpm:
class: Enforcement_Profile
connectionOptimizationEnabled: True
policiesGlobalHighPrecedence:
- use: policyEnforcement
policiesUnknownSubscribers:
- use: policyEnforcementDefault
profileSubscriberManagement:
class: Enforcement_Subscriber_Management_Profile
serverSideSessionsEnabled: True
profileTcpClient:
autoProxyBufferSize: True
autoReceiveWindowSize: True
autoSendBufferSize: True
class: TCP_Profile
congestionControl: woodside
earlyRetransmit: True
enhancedLossRecovery: True
fastOpen: True
fastOpenCookieExpiration: 21600
idleTimeout: 300
initCwnd: 16
initRwnd: 16
maxSegmentSize: 0
minimumRto: 1000
mptcp: passthrough
proxyBufferHigh: 262144
proxyBufferLow: 196608
proxyMSS: True
receiveWindowSize: 131072
sendBufferSize: 262144
synRtoBase: 3000
tailLossProbe: True
verifiedAccept: False
profileTcpServer:
autoProxyBufferSize: True
autoReceiveWindowSize: True
autoSendBufferSize: True
class: TCP_Profile
congestionControl: woodside
earlyRetransmit: True
enhancedLossRecovery: True
fastOpen: True
fastOpenCookieExpiration: 21600
idleTimeout: 300
initCwnd: 16
initRwnd: 16
maxSegmentSize: 0
minimumRto: 1000
mptcp: passthrough
proxyBufferHigh: 262144
proxyBufferLow: 196608
proxyMSS: True
receiveWindowSize: 131072
sendBufferSize: 262144
synRtoBase: 3000
tailLossProbe: True
verifiedAccept: False
profileL4:
class: L4_Profile
serviceAddress:
class: Service_Address
arpEnabled: False
icmpEcho: disable
spanningEnabled: True
virtualAddress: 0.0.0.0
DiameterEndpoint_Gx:
class: Application
template: generic
serviceMain:
servicePort: 3868
allowVlans:
- bigip: /Common/control
translateServerAddress: False
layer4: any
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 3868
translateServerPort: False
profileDiameterEndpoint:
use: /f5vnf/Shared/profileDiameterEndpointPcrf
profileTCP:
bigip: /Common/tcp-lan-optimized
snat: none
class: Service_Generic
pcrfPool:
class: Pool
members:
- servicePort: 3868
serverAddresses:
- 10.1.1.27
DiameterEndpoint_Gy:
class: Application
template: generic
serviceMain:
servicePort: 3867
allowVlans:
- bigip: /Common/control
translateServerAddress: False
layer4: any
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 3867
translateServerPort: False
profileDiameterEndpoint:
use: /f5vnf/Shared/profileDiameterEndpointOcs
profileTCP:
bigip: /Common/tcp-lan-optimized
snat: none
class: Service_Generic
pcrfPool:
class: Pool
members:
- servicePort: 3868
serverAddresses:
- 10.1.1.27
Discovery_RADIUS:
class: Application
template: udp
serviceMain:
class: Service_UDP
allowVlans:
- bigip: /Common/control
translateServerAddress: True
translateServerPort: True
snat: none
persistenceMethods: []
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 1813
profileRADIUS:
bigip: /Common/radiusLB-subscriber-aware
gilan_any:
class: Application
template: generic
serviceMain:
allowVlans:
- bigip: /Common/vnfs
class: Service_Generic
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: any
profileClassification:
use: /f5vnf/Shared/profileClassification
profileEnforcement:
use: /f5vnf/Shared/profileSpm
profileIPOther:
use: /f5vnf/Shared/profileIPOther
profileL4:
use: /f5vnf/Shared/profileL4
profileSubscriberManagement:
use: /f5vnf/Shared/profileSubscriberManagement
snat: none
lastHop: disable
translateServerAddress: False
translateServerPort: False
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
gilan_tcp:
class: Application
template: tcp
serviceMain:
allowVlans:
- bigip: /Common/vnfs
class: Service_TCP
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: tcp
profileClassification:
use: /f5vnf/Shared/profileClassification
profileEnforcement:
use: /f5vnf/Shared/profileSpm
profileL4:
use: /f5vnf/Shared/profileL4
profileTCP:
bigip: /Common/f5-tcp-mobile
profileSubscriberManagement:
use: /f5vnf/Shared/profileSubscriberManagement
snat: none
translateServerAddress: False
translateServerPort: False
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
gilan_udp:
class: Application
template: udp
serviceMain:
allowVlans:
- bigip: /Common/vnfs
class: Service_UDP
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: udp
profileClassification:
use: /f5vnf/Shared/profileClassification
profileEnforcement:
use: /f5vnf/Shared/profileSpm
profileL4:
use: /f5vnf/Shared/profileL4
profileSubscriberManagement:
use: /f5vnf/Shared/profileSubscriberManagement
profileUDP:
bigip: /Common/udp_decrement_ttl
snat: none
translateServerAddress: False
translateServerPort: False
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
gilan_http:
class: Application
template: http
serviceMain:
allowVlans:
- bigip: /Common/vnfs
class: Service_HTTP
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: tcp
profileClassification:
use: /f5vnf/Shared/profileClassification
profileEnforcement:
use: /f5vnf/Shared/profileSpm
profileHTTP:
bigip: /Common/http-transparent
profileL4:
use: /f5vnf/Shared/profileL4
profileSubscriberManagement:
use: /f5vnf/Shared/profileSubscriberManagement
profileTCP:
bigip: /Common/f5-tcp-mobile
snat: none
translateServerAddress: False
translateServerPort: False
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 80
gilan_inbound:
class: Application
template: generic
serviceMain:
allowVlans:
- bigip: /Common/vnfe
class: Service_Generic
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: any
profileL4:
use: /f5vnf/Shared/profileL4
profileSubscriberManagement:
use: /f5vnf/Shared/profileSubscriberManagement
snat: none
translateServerAddress: False
translateServerPort: False
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
Sample Gi Firewall AS3 Declaration¶
The following YAML code sample, is an example of an AS3 declaration that you can use to help you define the desired configuration for your Firewall application delivery controller (ADC), such as F5 BIG-IP in tenant- and application-oriented terms. Learn more about F5 AS3 declaration.
vnf_as3_nsd_payload:
class: AS3
action: deploy
persist: true
declaration:
class: ADC
schemaVersion: 3.0.0
id: cfy_vnf_01
label: vnf
remark: VNF
f5vnf:
class: Tenant
Shared:
class: Application
template: shared
fwAllowedAddressList:
addresses:
- 10.0.0.0/8
- 172.20.0.0/16
- 192.168.0.0/16
class: Firewall_Address_List
fwAllowedPortList:
class: Firewall_Port_List
ports:
- 8080-8081
- 22
- 443
- 53
- 80
fwDefaultDenyAddressList:
addresses:
- 0.0.0.0/0
class: Firewall_Address_List
fwLogDestinationHsl:
class: Log_Destination
distribution: adaptive
pool:
use: poolHsl
protocol: tcp
type: remote-high-speed-log
fwLogDestinationSyslog:
class: Log_Destination
format: rfc5424
remoteHighSpeedLog:
use: fwLogDestinationHsl
type: remote-syslog
fwLogPublisher:
class: Log_Publisher
destinations:
- use: fwLogDestinationSyslog
fwPolicy:
class: Firewall_Policy
rules:
-
use: fwRuleList
fwRuleList:
class: Firewall_Rule_List
rules:
-
action: accept
destination:
portLists:
-
use: fwAllowedPortList
loggingEnabled: true
name: tcpAllow
protocol: tcp
source:
addressLists:
- use: fwAllowedAddressList
-
action: accept
loggingEnabled: true
name: udpAllow
protocol: udp
source:
addressLists:
- use: fwAllowedAddressList
-
action: drop
loggingEnabled: true
name: defaultDeny
protocol: any
source:
addressLists:
- use: fwDefaultDenyAddressList
fwSecurityLogProfile:
class: Security_Log_Profile
network:
logIpErrors: true
logRuleMatchAccepts: true
logRuleMatchDrops: true
logRuleMatchRejects: true
logTcpErrors: true
logTcpEvents: true
logTranslationFields: true
publisher:
use: fwLogPublisher
storageFormat:
fields:
- action
- bigip-hostname
- context-name
- context-type
- date-time
- dest-ip
- dest-port
- drop-reason
- protocol
- src-ip
- src-port
poolHsl:
class: Pool
members:
-
enable: true
serverAddresses:
- 255.255.255.254
servicePort: 514
monitors:
-
bigip: /Common/udp
lbSelectedRule:
class: iRule
iRule: when LB_SELECTED {log local0. "Selected server [LB::server]"}
remark: Log load balanced server
profileL4:
class: L4_Profile
serviceAddress:
class: Service_Address
arpEnabled: False
icmpEcho: disable
spanningEnabled: True
virtualAddress: 0.0.0.0
firewall_any:
class: Application
template: generic
serviceMain:
allowVlans:
- bigip: /Common/vnfs
class: Service_Generic
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: any
policyFirewallEnforced:
use: /f5vnf/Shared/fwPolicy
profileL4:
use: /f5vnf/Shared/profileL4
securityLogProfiles:
- use: /f5vnf/Shared/fwSecurityLogProfile
snat: none
lastHop: disable
translateServerAddress: false
translateServerPort: false
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
firewall_fastL4:
class: Application
template: l4
serviceMain:
class: Service_L4
layer4: tcp
allowVlans:
- bigip: /Common/vnfs
profileL4:
use: /f5vnf/Shared/profileL4
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
translateServerAddress: false
translateServerPort: false
snat: none
lastHop: disable
iRules:
- /f5vnf/Shared/lbSelectedRule
policyFirewallEnforced:
use: /f5vnf/Shared/fwPolicy
securityLogProfiles:
- use: /f5vnf/Shared/fwSecurityLogProfile
firewall_inbound:
class: Application
template: generic
serviceMain:
allowVlans:
- bigip: /Common/vnfe
class: Service_Generic
iRules:
- /f5vnf/Shared/lbSelectedRule
layer4: any
profileL4:
use: /f5vnf/Shared/profileL4
snat: none
translateServerAddress: false
translateServerPort: false
virtualAddresses:
- use: /f5vnf/Shared/serviceAddress
virtualPort: 0
Sample VNFM Base inputs file¶
- Copy and paste the following code sample into a new YAML file, which you will use for the F5 blueprint, VNFM Base Solution.
- Change the values according to your application and network requirements, and save it locally.
- Upload this inputs file into VNFM to auto-complete the F5 blueprint and create a new deployment. Learn more about these parameter descriptions.
# Inputs
big_iq_host: 10.190.54.148
big_iq_lic_pool: vnfm-4
ntp_server: 132.163.96.1
timezone: 'string'
default_ltm_number: '1'
default_gateway: 10.10.12.1
manager_mgmt_host: 10.10.2.16
mgmt_net: mgmt
mgmt_subnet: mgmt
mgmt_sg_name: allow_22
internal_net: vnfs
internal_subnet: vnfs
external_net: vnfe
external_subnet: vnfe
internal_sg_name: allow_22
external_sg_name: allow_22
sw_ref_ltm:
data:
image: BIGIP-13.1.0.5-0.0.5.ALL_1SLOT
flavor: f5.cloudify_medium
availability_zone: nova
revision: 0
bigip_os_ssh_key: mysshkey
# Configuration of the F5 VNF Service Layers in AS3 Declaration format
vnf_as3_nsd_payload: ""
What’s Next?