Blueprint inputs reference guide

Depending on your solution, copy one of the following sample inputs files into a YAML file, and then save the file locally. You will upload this inputs file when deploying the F5 blueprint.

Sample Gi LAN inputs file for both Gi LAN and Gi Firewall solutions

  1. Copy and paste the following code sample into a new YAML file, which you will use for the F5 blueprint for the Gi LAN solution and/or Gi Firewall solution.
  2. Change the values according to your application and network requirements, and then save it locally.
  3. Following the inputs.yaml file code sample, you will find F5 AS3 declaration samples that you can use to help define your application delivery controller for BIG-IP in tenant- and application-oriented terms.
  4. Once completed, you will upload this inputs file into F5 VNF Manager to auto-complete the F5 blueprint. Learn more about these parameter descriptions.

# VNF Resource Information Collector inputs
ric_licensing: firewall
ric_purchasing_model: perpetual
ric_throughput: '10'
ric_vnfm_license: PEM

# VNF inputs
auto_last_hop: "disabled"
bgp_dag_pgw_peer_ip: 192.168.1.103
bgp_vnf_pgw_peer_ip: 192.168.21.11
bgp_pgw_peer_as: '200'
bgp_dag_egw_peer_ip: 192.168.11.104
bgp_egw_peer_as: '300'

ctrl_net: control
ctrl_subnet: control
ha_net: ha
ha_subnet: ha

# Min/Max total number of 'instances' that can be created during scale out

#   Min/Max Dag Group Members
max_scale_dag_group: '1000'

#   Min/Max
max_scale_vnf_group: '1000'

# Max number of times that a heal can be tried before giving up.
max_heal_vnfd_dag_ve: '5'
max_heal_vnf_layer: '5'
max_heal_vnf_slave_ve: '5'

# VNF Layer scaling inputs
vnf_layer_cpu_threshold: '75'
vnf_layer_cpu_threshold_check_interval: '1'

# VNF Group scaling inputs
vnf_group_throughput: '10'
vnf_group_throughput_threshold: '75'
vnf_group_throughput_check_interval: '1'

# DAG Group scaling inputs
dag_group_cpu_threshold: '75'
dag_group_cpu_threshold_check_interval: '1'

# Monitoring inputs
floating_network_id: fa541932-4156-4185-8344-a961cf4c8e41
centos_image_id: c32f9684-aed0-455f-ab25-76035a21be56
nagios_flavor_id: e752819a-095c-450f-a3c7-87c10cd7ae25

# Common inputs
cm_ip: 10.10.2.16
default_gateway: 10.10.12.1
sw_ref_dag:
    data:
        image: BIGIP-13.1.0.5-0.0.5.ALL_1SLOT
        flavor: f5.cloudify_small
    revision: 0
sw_ref_vnf:
    data:
        image: BIGIP-13.1.0.5-0.0.5.ALL_1SLOT
        flavor: f5.cloudify_medium
    revision: 0
bigip_os_ssh_key: mysshkey

#    BIG-IQ License Manager
big_iq_host: 10.190.54.148
big_iq_lic_pool: vnfm-4

#    Security Groups In OpenStack
ctrl_sg_name: allow_22
mgmt_sg_name: allow_22
pgw_sg_name: allow_22
pdn_sg_name: allow_22
snmp_sg_name: allow_22

# Networks in OpenStack
mgmt_net: mgmt
mgmt_subnet: mgmt
pgw_net: pgl
pgw_subnet: pgl
pdn_net: pdn
pdn_subnet: pdn
pgw_dag_net: vnfs
pgw_dag_subnet: vnfs
pgw_dag_subnet_cidr: 10.10.10.0/23
pgw_dag_subnet_mask: /23
pdn_dag_net: vnfe
pdn_dag_subnet: vnfe
pdn_dag_subnet_cidr: 10.10.14.0/23

# Configuration of the F5 VNF Service Layers in AS3 Declaration format
#    Example: Your Firewall Configuration.
#    Example: Your Subscriber based Policy enforcement Configuration.
vnf_as3_nsd_payload: ""

Sample Gi LAN AS3 Declaration

The following YAML code sample is an example of an AS3 declaration that you can use to define the desired configuration for your Gi LAN application delivery controller (ADC), such as F5 BIG-IP, in tenant- and application-oriented terms. Learn more about F5 AS3 declaration.

vnf_as3_nsd_payload:
  class: ADC
  schemaVersion: 3.0.0
  id: cfy_vnf_01
  label: vnf
  remark: VNF
  f5vnf:
    class: Tenant
    Shared:
      class: Application
      template: shared
      profileDiameterEndpointOcs:
        class: Enforcement_Diameter_Endpoint_Profile
        supportedApps:
        - Gy
        destinationRealm: f5net.com
        originHost: pcef.f5net.com
        originRealm: f5net.com
      profileDiameterEndpointPcrf:
        class: Enforcement_Diameter_Endpoint_Profile
        supportedApps:
        - Gx
        destinationRealm: f5net.com
        originHost: pcef.f5net.com
        originRealm: f5net.com
      endpointForwarding:
        addressTranslationEnabled: False
        class: Enforcement_Forwarding_Endpoint
        defaultPersistenceType: disabled
        fallbackPersistenceType: disabled
        persistenceHashSettings:
          length: 1024
          offset: 0
        pool:
          use: poolForwarding
        portTranslationEnabled: False
        sourcePortAction: preserve
      endpointInterception:
        class: Enforcement_Interception_Endpoint
        persistence: disabled
        pool:
          use: poolInterception
      endpointServiceChain:
        class: Enforcement_Service_Chain_Endpoint
        serviceEndpoints:
        - forwardingEndpoint:
            use: endpointForwarding
          name: myServiceEndpoint
          sourceVLAN:
            bigip: /Common/lbs_vnf_net
          steeringPolicy:
            use: policyEnforcement
      poolForwarding:
        class: Pool
        members:
        - enable: True
          serverAddresses:
          - 255.255.255.2
          servicePort: 8081
      poolInterception:
        class: Pool
        members:
        - enable: True
          serverAddresses:
          - 255.255.255.1
          servicePort: 8080
      lbSelectedRule:
        class: iRule
        iRule: when LB_SELECTED {log local0. "Selected server [LB::server]"}
        remark: Log load balanced server
      policyEnforcement:
        allTransactions: False
        class: Enforcement_Policy
        enable: True
        rules:
        - name: testPolicyRule1
          precedence: 1
          modifyHttpHeader:
            headerName: myHeaderName
            operation: insert
            valueContent: myHeaderValue
            valueType: string
          tcpAnalyticsEnabled: True
          tcpOptimizationDownlink:
            use: profileTcpClient
          tcpOptimizationUplink:
            use: profileTcpServer
        - name: testPolicyRule2
          precedence: 1
          dscpMarkingDownlink: 0
          dscpMarkingUplink: 0
          classificationFilters:
          - application:
              bigip: /Common/acrobat
            invertMatch: True
            name: testClassFilter1
          - category:
              bigip: /Common/Audio
            invertMatch: True
            name: testClassFilter2
          gateStatusEnabled: True
      policyEnforcementDefault:
        class: Enforcement_Policy
        rules:
        - name: enforcementPolicyRuleDefault
          precedence: 10
      profileClassification:
        class: Classification_Profile
        preset:
          bigip: /Common/ce_pem
      profileIPOther:
          class: IP_Other_Profile
      profileSpm:
        class: Enforcement_Profile
        connectionOptimizationEnabled: True
        policiesGlobalHighPrecedence:
        - use: policyEnforcement
        policiesUnknownSubscribers:
        - use: policyEnforcementDefault
      profileSubscriberManagement:
        class: Enforcement_Subscriber_Management_Profile
        serverSideSessionsEnabled: True
      profileTcpClient:
        autoProxyBufferSize: True
        autoReceiveWindowSize: True
        autoSendBufferSize: True
        class: TCP_Profile
        congestionControl: woodside
        earlyRetransmit: True
        enhancedLossRecovery: True
        fastOpen: True
        fastOpenCookieExpiration: 21600
        idleTimeout: 300
        initCwnd: 16
        initRwnd: 16
        maxSegmentSize: 0
        minimumRto: 1000
        mptcp: passthrough
        proxyBufferHigh: 262144
        proxyBufferLow: 196608
        proxyMSS: True
        receiveWindowSize: 131072
        sendBufferSize: 262144
        synRtoBase: 3000
        tailLossProbe: True
        verifiedAccept: False
      profileTcpServer:
        autoProxyBufferSize: True
        autoReceiveWindowSize: True
        autoSendBufferSize: True
        class: TCP_Profile
        congestionControl: woodside
        earlyRetransmit: True
        enhancedLossRecovery: True
        fastOpen: True
        fastOpenCookieExpiration: 21600
        idleTimeout: 300
        initCwnd: 16
        initRwnd: 16
        maxSegmentSize: 0
        minimumRto: 1000
        mptcp: passthrough
        proxyBufferHigh: 262144
        proxyBufferLow: 196608
        proxyMSS: True
        receiveWindowSize: 131072
        sendBufferSize: 262144
        synRtoBase: 3000
        tailLossProbe: True
        verifiedAccept: False
      profileL4:
        class: L4_Profile
      serviceAddress:
        class: Service_Address
        arpEnabled: False
        icmpEcho: disable
        spanningEnabled: True
        virtualAddress: 0.0.0.0
    DiameterEndpoint_Gx:
      class: Application
      template: generic
      serviceMain:
        servicePort: 3868
        allowVlans:
        - bigip:  /Common/control
        translateServerAddress: False
        layer4: any
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 3868
        translateServerPort: False
        profileDiameterEndpoint:
          use: /f5vnf/Shared/profileDiameterEndpointPcrf
        profileTCP:
          bigip: /Common/tcp-lan-optimized
        snat: none
        class: Service_Generic
      pcrfPool:
        class: Pool
        members:
        - servicePort: 3868
          serverAddresses:
          - 10.1.1.27
    DiameterEndpoint_Gy:
      class: Application
      template: generic
      serviceMain:
        servicePort: 3867
        allowVlans:
        - bigip:  /Common/control
        translateServerAddress: False
        layer4: any
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 3867
        translateServerPort: False
        profileDiameterEndpoint:
          use: /f5vnf/Shared/profileDiameterEndpointOcs
        profileTCP:
          bigip: /Common/tcp-lan-optimized
        snat: none
        class: Service_Generic
      pcrfPool:
        class: Pool
        members:
        - servicePort: 3868
          serverAddresses:
          - 10.1.1.27
    Discovery_RADIUS:
      class: Application
      template: udp
      serviceMain:
        class: Service_UDP
        allowVlans:
        - bigip: /Common/control
        translateServerAddress: True
        translateServerPort: True
        snat: none
        persistenceMethods: []
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 1813
        profileRADIUS:
          bigip: /Common/radiusLB-subscriber-aware
    gilan_any:
      class: Application
      template: generic
      serviceMain:
        allowVlans:
        - bigip: /Common/lbs_vnf_net
        class: Service_Generic
        iRules:
        - /f5vnf/Shared/lbSelectedRule
        layer4: any
        profileClassification:
          use: /f5vnf/Shared/profileClassification
        profileEnforcement:
          use: /f5vnf/Shared/profileSpm
        profileIPOther:
          use: /f5vnf/Shared/profileIPOther
        profileL4:
          use: /f5vnf/Shared/profileL4
        profileSubscriberManagement:
          use: /f5vnf/Shared/profileSubscriberManagement
        snat: none
        lastHop: disable
        translateServerAddress: False
        translateServerPort: False
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 0
    gilan_tcp:
      class: Application
      template: tcp
      serviceMain:
        allowVlans:
        - bigip: /Common/lbs_vnf_net
        class: Service_TCP
        iRules:
        - /f5vnf/Shared/lbSelectedRule
        layer4: tcp
        profileClassification:
          use: /f5vnf/Shared/profileClassification
        profileEnforcement:
          use: /f5vnf/Shared/profileSpm
        profileL4:
          use: /f5vnf/Shared/profileL4
        profileTCP:
          bigip: /Common/f5-tcp-mobile
        profileSubscriberManagement:
          use: /f5vnf/Shared/profileSubscriberManagement
        snat: none
        translateServerAddress: False
        translateServerPort: False
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 0
    gilan_udp:
      class: Application
      template: udp
      serviceMain:
        allowVlans:
        - bigip: /Common/lbs_vnf_net
        class: Service_UDP
        iRules:
        - /f5vnf/Shared/lbSelectedRule
        layer4: udp
        profileClassification:
          use: /f5vnf/Shared/profileClassification
        profileEnforcement:
          use: /f5vnf/Shared/profileSpm
        profileL4:
          use: /f5vnf/Shared/profileL4
        profileSubscriberManagement:
          use: /f5vnf/Shared/profileSubscriberManagement
        profileUDP:
          bigip: /Common/udp_decrement_ttl
        snat: none
        translateServerAddress: False
        translateServerPort: False
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 0
    gilan_http:
      class: Application
      template: http
      serviceMain:
        allowVlans:
        - bigip: /Common/lbs_vnf_net
        class: Service_HTTP
        iRules:
        - /f5vnf/Shared/lbSelectedRule
        layer4: tcp
        profileClassification:
          use: /f5vnf/Shared/profileClassification
        profileEnforcement:
          use: /f5vnf/Shared/profileSpm
        profileHTTP:
          bigip: /Common/http-transparent
        profileL4:
          use: /f5vnf/Shared/profileL4
        profileSubscriberManagement:
          use: /f5vnf/Shared/profileSubscriberManagement
        profileTCP:
          bigip: /Common/f5-tcp-mobile
        snat: none
        translateServerAddress: False
        translateServerPort: False
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 80
    gilan_inbound:
      class: Application
      template: generic
      serviceMain:
        allowVlans:
        - bigip: /Common/vnf_lbs_net
        class: Service_Generic
        iRules:
        - /f5vnf/Shared/lbSelectedRule
        layer4: any
        profileL4:
          use: /f5vnf/Shared/profileL4
        profileSubscriberManagement:
          use: /f5vnf/Shared/profileSubscriberManagement
        snat: none
        translateServerAddress: False
        translateServerPort: False
        virtualAddresses:
        - use: /f5vnf/Shared/serviceAddress
        virtualPort: 0

Sample Gi Firewall AS3 Declaration

The following YAML code sample is an example of an AS3 declaration that you can use to define the desired configuration for your Firewall application delivery controller (ADC), such as F5 BIG-IP, in tenant- and application-oriented terms. Learn more about F5 AS3 declaration.

vnf_as3_nsd_payload:
    class: AS3
    action: deploy
    persist: true
    declaration:
        class: ADC
        schemaVersion: 3.0.0
        id: cfy_vnf_01
        label: vnf
        remark: VNF
        f5vnf:
            class: Tenant
            Shared:
                class: Application
                template: shared
                fwAllowedAddressList:
                    addresses:
                        - 10.0.0.0/8
                        - 172.20.0.0/16
                        - 192.168.0.0/16
                    class: Firewall_Address_List
                fwAllowedPortList:
                    class: Firewall_Port_List
                    ports:
                        - 8080-8081
                        - 22
                        - 443
                        - 53
                        - 80
                fwDefaultDenyAddressList:
                    addresses:
                        - 0.0.0.0/0
                    class: Firewall_Address_List
                fwLogDestinationHsl:
                    class: Log_Destination
                    distribution: adaptive
                    pool:
                        use: poolHsl
                    protocol: tcp
                    type: remote-high-speed-log
                fwLogDestinationSyslog:
                    class: Log_Destination
                    format: rfc5424
                    remoteHighSpeedLog:
                        use: fwLogDestinationHsl
                    type: remote-syslog
                fwLogPublisher:
                    class: Log_Publisher
                    destinations:
                        - use: fwLogDestinationSyslog
                fwPolicy:
                    class: Firewall_Policy
                    rules:
                        -
                            use: fwRuleList
                fwRuleList:
                    class: Firewall_Rule_List
                    rules:
                        -
                            action: accept
                            destination:
                                portLists:
                                    -
                                        use: fwAllowedPortList
                            loggingEnabled: true
                            name: tcpAllow
                            protocol: tcp
                            source:
                                addressLists:
                                    - use: fwAllowedAddressList
                        -
                            action: accept
                            loggingEnabled: true
                            name: udpAllow
                            protocol: udp
                            source:
                                addressLists:
                                    - use: fwAllowedAddressList
                        -
                            action: drop
                            loggingEnabled: true
                            name: defaultDeny
                            protocol: any
                            source:
                                addressLists:
                                    - use: fwDefaultDenyAddressList
                fwSecurityLogProfile:
                    class: Security_Log_Profile
                    network:
                        logIpErrors: true
                        logRuleMatchAccepts: true
                        logRuleMatchDrops: true
                        logRuleMatchRejects: true
                        logTcpErrors: true
                        logTcpEvents: true
                        logTranslationFields: true
                        publisher:
                            use: fwLogPublisher
                        storageFormat:
                            fields:
                                - action
                                - bigip-hostname
                                - context-name
                                - context-type
                                - date-time
                                - dest-ip
                                - dest-port
                                - drop-reason
                                - protocol
                                - src-ip
                                - src-port
                poolHsl:
                    class: Pool
                    members:
                        -
                            enable: true
                            serverAddresses:
                                - 255.255.255.254
                            servicePort: 514
                    monitors:
                        -
                            bigip: /Common/udp
                lbSelectedRule:
                    class: iRule
                    iRule: when LB_SELECTED {log local0. "Selected server [LB::server]"}
                    remark: Log load balanced server
                profileL4:
                    class: L4_Profile
                serviceAddress:
                    class: Service_Address
                    arpEnabled: False
                    icmpEcho: disable
                    spanningEnabled: True
                    virtualAddress: 0.0.0.0
            firewall_any:
                class: Application
                template: generic
                serviceMain:
                    allowVlans:
                        - bigip: /Common/vnfs
                    class: Service_Generic
                    iRules:
                        - /f5vnf/Shared/lbSelectedRule
                    layer4: any
                    policyFirewallEnforced:
                        use: /f5vnf/Shared/fwPolicy
                    profileL4:
                        use: /f5vnf/Shared/profileL4
                    securityLogProfiles:
                        - use: /f5vnf/Shared/fwSecurityLogProfile
                    snat: none
                    lastHop: disable
                    translateServerAddress: false
                    translateServerPort: false
                    virtualAddresses:
                        - use: /f5vnf/Shared/serviceAddress
                    virtualPort: 0
            firewall_fastL4:
                class: Application
                template: l4
                serviceMain:
                    class: Service_L4
                    layer4: tcp
                    allowVlans:
                        - bigip: /Common/vnf
                    profileL4:
                        use: /f5vnf/Shared/profileL4
                    virtualAddresses:
                        - use: /f5vnf/Shared/serviceAddress
                    virtualPort: 0
                    translateServerAddress: false
                    translateServerPort: false
                    snat: none
                    lastHop: disable
                    iRules:
                        - /f5vnf/Shared/lbSelectedRule
                    policyFirewallEnforced:
                        use: /f5vnf/Shared/fwPolicy
                    securityLogProfiles:
                      - use: /f5vnf/Shared/fwSecurityLogProfile
            firewall_inbound:
              class: Application
              template: generic
              serviceMain:
                allowVlans:
                - bigip: /Common/vnfe
                class: Service_Generic
                iRules:
                - /f5vnf/Shared/lbSelectedRule
                layer4: any
                profileL4:
                  use: /f5vnf/Shared/profileL4
                snat: none
                translateServerAddress: false
                translateServerPort: false
                virtualAddresses:
                - use: /f5vnf/Shared/serviceAddress
                virtualPort: 0
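
A pre-deployment check for the firewall rule list in the sample above, added here as an example (not F5 code): it confirms that each `use` reference resolves, flags accept rules that have no destination port list, and confirms that the list ends in a catch-all drop. The `SHARED` dict is a constructed reduction of the declaration, and `resolve`, `source_addresses` and `audit_rule_list` are hypothetical helper names.

```python
# Constructed sample: the firewall objects of the Gi Firewall declaration above,
# reduced to the fields the audit reads and written as a Python dict.
SHARED = {
    "fwAllowedAddressList": {"class": "Firewall_Address_List",
                             "addresses": ["10.0.0.0/8", "172.20.0.0/16", "192.168.0.0/16"]},
    "fwAllowedPortList": {"class": "Firewall_Port_List",
                          "ports": ["8080-8081", 22, 443, 53, 80]},
    "fwDefaultDenyAddressList": {"class": "Firewall_Address_List", "addresses": ["0.0.0.0/0"]},
    "fwRuleList": {"class": "Firewall_Rule_List", "rules": [
        {"name": "tcpAllow", "action": "accept", "protocol": "tcp", "loggingEnabled": True,
         "destination": {"portLists": [{"use": "fwAllowedPortList"}]},
         "source": {"addressLists": [{"use": "fwAllowedAddressList"}]}},
        {"name": "udpAllow", "action": "accept", "protocol": "udp", "loggingEnabled": True,
         "source": {"addressLists": [{"use": "fwAllowedAddressList"}]}},
        {"name": "defaultDeny", "action": "drop", "protocol": "any", "loggingEnabled": True,
         "source": {"addressLists": [{"use": "fwDefaultDenyAddressList"}]}},
    ]},
}
ANY_V4 = "0.0.0.0/0"


def resolve(shared, ref, expected_class, findings, rule_name):
    """Follow a {'use': name} pointer; record a finding if it dangles or has the wrong class."""
    name = ref.get("use", "").rsplit("/", 1)[-1]  # accepts 'name' or '/tenant/Shared/name'
    obj = shared.get(name)
    if obj is None or obj.get("class") != expected_class:
        findings.append((rule_name, f"reference '{name}' is not a {expected_class}"))
        return {}
    return obj


def source_addresses(shared, rule, findings):
    """Return a rule's source addresses, or [ANY_V4] when it has no source restriction."""
    refs = rule.get("source", {}).get("addressLists", [])
    if not refs:
        return [ANY_V4]
    addrs = []
    for ref in refs:
        obj = resolve(shared, ref, "Firewall_Address_List", findings, rule["name"])
        addrs += obj.get("addresses", [])
    return addrs


def audit_rule_list(shared, rule_list_name="fwRuleList"):
    """Return (rule name, finding) tuples for one Firewall_Rule_List."""
    findings = []
    rules = shared[rule_list_name]["rules"]
    for rule in rules:
        name = rule["name"]
        addrs = source_addresses(shared, rule, findings)
        port_refs = rule.get("destination", {}).get("portLists", [])
        for ref in port_refs:
            resolve(shared, ref, "Firewall_Port_List", findings, name)
        if rule["action"] == "accept":
            if not port_refs:
                findings.append((name, "accept rule has no destination port list"))
            if ANY_V4 in addrs:
                findings.append((name, "accept rule matches any source address"))
        if not rule.get("loggingEnabled", False):
            findings.append((name, "logging is not enabled"))
    # The list should end with a rule that drops whatever no earlier rule accepted.
    last = rules[-1] if rules else {}
    catch_all = (last.get("action") in ("drop", "reject") and last.get("protocol") == "any"
                 and "destination" not in last
                 and ANY_V4 in source_addresses(shared, last, []))
    if not catch_all:
        findings.append((rule_list_name, "last rule is not a catch-all drop"))
    return findings


if __name__ == "__main__":
    for where, what in audit_rule_list(SHARED):
        print(f"{where}: {what}")
```

On the sample it reports one finding: `udpAllow` has no destination port list, so it accepts UDP to every port from the allowed source addresses.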

Sample VNFM Base inputs file

  1. Copy and paste the following code sample into a new YAML file, which you will use for the F5 blueprint for the VNFM Base solution.
  2. Change the values according to your application and network requirements, and save it locally.
  3. Upload this inputs file into VNFM to auto-complete the F5 blueprint and create a new deployment. Learn more about these parameter descriptions.

# VNF inputs
auto_last_hop: "disabled"
bgp_dag_pgw_peer_ip: 192.168.1.103
bgp_vnf_pgw_peer_ip: 192.168.21.11
bgp_pgw_peer_as: '200'
bgp_dag_egw_peer_ip: 192.168.11.104
bgp_egw_peer_as: '300'
ctrl_net: control
ctrl_subnet: control
ha_net: ha
ha_subnet: ha

# Min/Max total number of 'instances' that can be created during scale out

#   Min/Max Dag Group Members
max_scale_dag_group: '1000'

#   Min/Max
max_scale_vnf_group: '1000'

# Max number of times that a heal can be tried before giving up.
max_heal_vnfd_dag_ve: '5'
max_heal_vnf_layer: '5'
max_heal_vnf_slave_ve: '5'

# VNF Layer scaling inputs
vnf_layer_cpu_threshold: '75'
vnf_layer_cpu_threshold_check_interval: '1'

# VNF Group scaling inputs
vnf_group_throughput: '10'
vnf_group_throughput_threshold: '75'
vnf_group_throughput_check_interval: '1'

# DAG Group scaling inputs
dag_group_cpu_threshold: '75'
dag_group_cpu_threshold_check_interval: '1'

# Common inputs
cm_ip: 10.10.2.16
default_gateway: 10.10.12.1
sw_ref_dag:
    data:
        image: BIGIP-13.1.0.5-0.0.5.ALL_1SLOT
        flavor: f5.cloudify_small
    revision: 0
sw_ref_vnf:
    data:
        image: BIGIP-13.1.0.5-0.0.5.ALL_1SLOT
        flavor: f5.cloudify_medium
    revision: 0
bigip_os_ssh_key: mysshkey

#    BIG-IQ License Manager
big_iq_host: 10.190.54.148
big_iq_lic_pool: vnfm-4

#    Security Groups In OpenStack
ctrl_sg_name: allow_22
mgmt_sg_name: allow_22
pgw_sg_name: allow_22
pdn_sg_name: allow_22
snmp_sg_name: allow_22

# Networks in OpenStack
mgmt_net: mgmt
mgmt_subnet: mgmt
pgw_net: pgl
pgw_subnet: pgl
pdn_net: pdn
pdn_subnet: pdn
pgw_dag_net: vnfs
pgw_dag_subnet: vnfs
pgw_dag_subnet_cidr: 10.10.10.0/23
pgw_dag_subnet_mask: /23
pdn_dag_net: vnfe
pdn_dag_subnet: vnfe
pdn_dag_subnet_cidr: 10.10.14.0/23

# Configuration of the F5 VNF Service Layers in AS3 Declaration format
vnf_as3_nsd_payload: ""