Run the F5 Agent in L2-adjacent mode

L2-adjacent mode lets you use BIG-IP device(s) deployed in micro-segmentation architectures that require L2 and L3 routing, including software-defined networks (SDN).

L2-adjacent mode is the default mode of operation for the F5 agent.

Important

  • Set up all Neutron and external network components before you deploy the F5 agent in L2-adjacent mode.
  • This mode of deployment may require a BIG-IP Better or Best license that supports SDN.

Warning

Many L3 segmentation mode parameters depend on other configuration parameters. Read about the F5 agent configuration parameters before changing these settings to ensure they don’t conflict.

L2 Population Service

The F5 LBaaS agent supports the OpenStack Neutron ML2 population service. When you enable L2 population, the agent registers for Neutron L2 population updates and populates tunnel FDB entries in your BIG-IP device. When you place VIPs on tenant overlay networks, the F5 LBaaS agent sends tunnel update messages to the Open vSwitch agents, informing them of TMOS device VTEPs. This enables tenant guest virtual machines or network node services to interact with the TMOS provisioned VIPs across overlay networks. The F5 LBaaS Agent reports the BIG-IP VTEP addresses stored in its configuration to Neutron.

Enable L2 population if you intend to migrate pool members to different virtual machines without re-creating your load balancer configuration. Pool member migration won’t function properly if L2 population isn’t enabled.

With L2 population enabled, the F5 agent can also create static ARP entries on the BIG-IP device(s). This eliminates the need for the BIG-IP device to use ARP broadcast (flooding) across tunnels to learn the location of pool members.

Note

You can set the F5 agent to create static ARP entries for BIG-IP devices running version 12.x or later.

Set-up

Important

The F5 agent cannot read existing BIG-IP configurations or non-Neutron network configurations. Be sure to set up the configuration file to correctly reflect the existing network architecture and the BIG-IP system configurations.

  1. Edit the F5 Agent Configuration File

    Use your text editor of choice to edit the F5 Agent Configuration File as appropriate for your environment.

    vim /etc/neutron/services/f5/f5-openstack-agent.ini
    
  2. Set the desired F5 agent configuration parameter(s). The example below represents the settings used in the F5 agent functional tests.

    ###############################################################################
    # Copyright (c) 2015-2018, F5 Networks, Inc.
    #
    # Licensed under the Apache License, Version 2.0 (the "License");
    # you may not use this file except in compliance with the License.
    # You may obtain a copy of the License at
    #
    #    http://www.apache.org/licenses/LICENSE-2.0
    #
    # Unless required by applicable law or agreed to in writing, software
    # distributed under the License is distributed on an "AS IS" BASIS,
    # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    # See the License for the specific language governing permissions and
    # limitations under the License.
    #
    ###############################################################################
    #
    #                   ############
    #                 ################
    #               ###/ _ \###|     |#
    #              ###| |#| |##| |######
    #             ####| |######| |######
    #             ##|     |####\    \###    AGILITY YOUR WAY!
    #             ####| |#########| |###
    #             ####| |#########| |##
    #              ###| |########/ /##
    #               #|    |####|  /## 
    #                ##############
    #                 ###########
    #
    #                  NETWORKS
    #
    ###############################################################################
    #
    [DEFAULT]
    # Show debugging output in log (sets DEBUG log level output).
    debug = True
    #
    # periodic_interval = 10
    #
    service_resync_interval = 300
    #
    ###############################################################################
    #  Environment Settings
    ###############################################################################
    #
    environment_prefix = 'Test'
    #
    ###############################################################################
    #  Static Agent Configuration Setting
    ###############################################################################
    #
    static_agent_configuration_data =
    #
    ###############################################################################
    #  Device Setting
    ###############################################################################
    #
    # HA mode
    #
    # Device can be required to be:
    #
    # standalone - single device no HA
    # pair - active/standby two device HA
    # scalen - active device cluster
    #
    f5_ha_type = standalone
    #
    ###############################################################################
    #  L2 Segmentation Mode Settings
    ###############################################################################
    #
    # Device VLAN to interface and tag mapping 
    #
    f5_external_physical_mappings = default:1.1:True
    #
    # VLAN device and interface to port mappings
    #
    vlan_binding_driver =
    #
    interface_port_static_mappings =
    #
    # Device Tunneling (VTEP) selfips
    #
    f5_vtep_folder = Common
    f5_vtep_selfip_name = selfip.client
    #
    # Tunnel types
    #
    advertised_tunnel_types = vxlan
    #
    # Static ARP population for members on tunnel networks
    #
    f5_populate_static_arp = False
    #
    # L2 population
    #
    l2_population = True
    #
    # Hierarchical Port Binding
    #
    # If hierarchical networking is not required, these settings must be commented
    # out or set to None.
    #
    # Restrict discovery of network segmentation ID to a specific physical network
    # name.
    #
    f5_network_segment_physical_network = <Neutron_physical_network_UUID>
    #
    f5_network_segment_polling_interval = 1
    #
    f5_pending_services_timeout = 5
    #
    ###############################################################################
    #  L3 Segmentation Mode Settings
    ###############################################################################
    #
    # Global Routed Mode - No L2 or L3 Segmentation on BIG-IP
    f5_global_routed_mode = False
    #
    use_namespaces = True
    #
    max_namespaces_per_tenant = 1
    #
    f5_route_domain_strictness = False
    #
    # SNAT Mode and SNAT Address Counts
    #
    # This setting will force the use of SNATs. 
    #
    f5_snat_mode = True
    #
    f5_snat_addresses_per_subnet = 1
    #
    f5_common_external_networks = True
    #
    # Common Networks
    #
    common_network_ids =
    #
    # L3 Bindings
    #
    l3_binding_driver =
    #
    l3_binding_static_mappings =
    #
    ###############################################################################
    #  Device Driver Setting
    ###############################################################################
    #
    f5_bigip_lbaas_device_driver = f5_openstack_agent.lbaasv2.drivers.bigip.icontrol_driver.iControlDriver
    #
    ###############################################################################
    #  Device Driver - iControl Driver Setting
    ###############################################################################
    #
    icontrol_hostname = DEVICEIP
    #
    icontrol_username = USERNAME
    #
    icontrol_password = PASSWORD
    #
    password_cipher_mode = False
    #
    ###############################################################################
    # Certificate Manager
    ###############################################################################
    # COMMENT OUT THIS ENTRY IF NOT USING BARBICAN TO MANAGE CERTS
    #
    cert_manager = f5_openstack_agent.lbaasv2.drivers.bigip.barbican_cert.BarbicanCertManager
    #
    # Two authentication modes are supported for BarbicanCertManager:
    #   keystone_v2, and keystone_v3
    #
    # Keystone v2 authentication:
    #
    # auth_version = v2
    # os_auth_url = http://localhost:5000/v2.0
    # os_username = USERNAME
    # os_password = PASSWORD
    # os_tenant_name = PROJECT
    #
    #
    # Keystone v3 authentication:
    #
    auth_version = v3
    os_auth_url = http://localhost:5000/v3
    os_username = USERNAME
    os_password = PASSWORD
    os_user_domain_name = default
    os_project_name = PROJECT
    os_project_domain_name = default
    #
    #
    # Parent SSL profile name
    #
    # An existing BIG-IP SSL profile you want to use as the parent SSL profile
    # for the client SSL profiles created for TERMINATED_HTTPS LBaaS listeners.
    #
    f5_parent_ssl_profile = clientssl
    #
    

    Tip

    To enable L2 population and static ARP (optional), use the settings shown below.

    #
    f5_populate_static_arp = True
    #
    l2_population = True
    #
    
  3. Restart the F5 agent service.

    # CentOS
    systemctl restart f5-openstack-agent

    # Ubuntu
    service f5-oslbaasv2-agent restart
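A pre-restart check for the edited file, as an added example that is not part of the F5 agent or its documentation: it flags static ARP enabled without L2 population, global routed mode left on, placeholder values carried over from the example above, DEBUG logging, and a Keystone URL served over plain HTTP. The function name `lint_agent_config`, the sample values, and the treatment of missing keys as False are assumptions made for this example.

```python
import configparser

# Placeholder tokens used in the example file on this page.
PLACEHOLDERS = {"DEVICEIP", "USERNAME", "PASSWORD", "PROJECT",
                "<Neutron_physical_network_UUID>"}

def lint_agent_config(text):
    """Return a list of findings for the body of f5-openstack-agent.ini."""
    # interpolation=None so a '%' in a password is not treated as a reference.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    opts = cfg.defaults()

    def flag(key):
        # Assumption: a missing or empty key counts as False here; the
        # agent's own defaults may differ.
        if not opts.get(key, "").strip():
            return False
        return cfg.getboolean("DEFAULT", key)

    findings = []
    if flag("f5_global_routed_mode"):
        findings.append("f5_global_routed_mode=True: global routed mode, not L2-adjacent")
    if flag("f5_populate_static_arp") and not flag("l2_population"):
        findings.append("f5_populate_static_arp=True requires l2_population=True")
    for key, value in opts.items():
        if value.strip("'\"") in PLACEHOLDERS:
            findings.append(f"{key} still holds the placeholder {value}")
    if flag("debug"):
        findings.append("debug=True: DEBUG-level logging is on")
    if opts.get("os_auth_url", "").lower().startswith("http://"):
        findings.append("os_auth_url uses http://, so Keystone traffic is unencrypted")
    return findings

# Constructed sample (not a real deployment): static ARP without L2 population.
SAMPLE = """\
[DEFAULT]
debug = True
f5_global_routed_mode = False
f5_populate_static_arp = True
l2_population = False
icontrol_hostname = 192.0.2.10
icontrol_password = PASSWORD
os_auth_url = http://localhost:5000/v3
"""

if __name__ == "__main__":
    for finding in lint_agent_config(SAMPLE):
        print("FINDING:", finding)
```

To check a real file, pass the contents of `/etc/neutron/services/f5/f5-openstack-agent.ini` to `lint_agent_config` before restarting the agent service.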
    

What’s Next