Important

End of Software Development for F5 OpenStack LBaaS version 1

F5 announces the End of Software Development (EoSD) for the F5 OpenStack LBaaS version 1 integration, effective October 1, 2016. This announcement is in compliance with the OpenStack community deprecation of the OpenStack Neutron LBaaS version 1 plugin. Customers are encouraged to move to OpenStack LBaaS version 2.

F5 will continue to repair defects and perform maintenance on the F5 OpenStack LBaaS version 1 integration until the Openstack Ocata release in April 2017.

For additional information, please refer to the F5 OpenStack Releases and Support Matrix.

Supported Network Topologies

The F5® agent supports a variety of network topologies, configurable on either BIG-IP® hardware or Virtual Edition (VE).

Important

Throughout our documentation, we refer to ‘overcloud’ and ‘undercloud’ deployments.

overcloud
  • BIG-IP® is deployed within your OpenStack cloud;
  • requires a BIG-IP® VE;
  • typically uses Global Routed Mode.
undercloud
  • BIG-IP® is deployed outside of your OpenStack cloud;
  • can use either physical devices or VE;
  • requires L2-Adjacent Mode to tunnel (VXLAN or GRE) traffic between the BIG-IP® and tenants in the cloud.

The F5® LBaaSv1 plugin supports the following Neutron network topologies which require dynamic L2 and L3 provisioning of BIG-IP® devices.

  • Provider VLANs - VLANs defined by the admin tenant and shared with other tenants
  • Tenant VLANs - VLANs defined by the admin tenant for other tenants, or defined by the tenants themselves
  • Tenant GRE Tunnels - GRE networks defined by the tenant
  • Tenant VxLAN Tunnels - VxLAN networks defined by the tenant

Global routed mode

Global Routed Mode

Fig. 5 Global Routed Mode

In global routed mode, all VIPs are assumed routable from clients and all members are assumed routable from BIG-IP®. All L2 and L3 objects, including routes, must be pre-provisioned on the BIG-IP® prior to provisioning LBaaSv1 services.

Global routed mode uses BIG-IP® AutoMap SNAT® for all VIPs. Because no explicit SNAT pools are defined, you should create enough SelfIP addresses to handle anticipated connection loads.

Warning

In global routed mode, there is no network segregation between tenant services on the BIG-IP®. Likewise, overlapping IP address spaces for tenant objects is not available.

+--------------------------------------+--------------------------------------+
| Topology                             | f5-oslbaasv1-agent.ini setting       |
+======================================+======================================+
| Global Routed mode                   | f5_global_routed_mode = True         |
+--------------------------------------+--------------------------------------+

L2 Adjacent Mode

L2/L3 Adjacent Mode

Fig. 6 L2 Adjacent Mode

Important

L2 adjacent mode is the default mode.

In L2 adjacent mode, the F5® agent provisions L2 networks – including VLANs and overlay tunnels – by associating a specific BIG-IP® device with each tenant network that has a VIP or pool member. L3 addresses for BIG-IP® SelfIPs and SNATs are dynamically allocated from Neutron tenant subnets associated with LBaaSv1 VIPs or members. VIP listeners are restricted to their designated Neutron tenant network.

L2 adjacent mode follows the micro-segmentation security model for gateways. Since each BIG-IP® device is L2-adjacent to all tenant networks for which LBaaSv1 objects are provisioned, the traffic flows do not logically pass through another L3 forwarding device. Instead, traffic flows are restricted to direct L2 communication between the cloud network element and the BIG-IP®.

+--------------------------------------+--------------------------------------+
| Topology                             | f5-oslbaasv1-agent.ini setting       |
+======================================+======================================+
| L2 Adjacent mode                     | f5_global_routed_mode = False        |
+--------------------------------------+--------------------------------------+

One-Arm Mode

One-arm Mode

Fig. 7 One-arm Mode

In a one-arm deployment, BIG-IP® has a single (hence, one-arm) connection to the router. VIPs and members are provisioned from a single Neutron subnet. Use of SNATs is required; you can opt to either allocate SNAT addresses automatically, or specify a number of SNAT addresses to make available from the subnet’s existing IP address pool (f5_snat_addresses_per_subnet).

+--------------------------------------+--------------------------------------+
| Topology                             | f5-oslbaasv1-agent.ini settings      |
+======================================+======================================+
| One-arm                              | f5_global_routed_mode = False        |
|                                      | f5_snat_mode = True                  |
|                                      |                                      |
|                                      | optional settings:                   |
|                                      | f5_snat_addresses_per_subnet = n     |
|                                      |                                      |
|                                      | where if n is 0, the virtual server  |
|                                      | will use AutoMap SNAT. If n is > 0,  |
|                                      | n number of SNAT addresses will be   |
|                                      | allocated from the member subnet per |
|                                      | active traffic group.                |
+--------------------------------------+--------------------------------------+

Multiple-Arm mode

Multiple-arm Mode

Fig. 8 Multiple-arm Mode

Multiple-arm mode is, essentially, multiple one-arm deployments. In each arm, VIPs and members are provisioned from a specific Neutron subnet.

+--------------------------------------+--------------------------------------+
| Topology                             | f5-oslbaasv1-agent.ini setting       |
+======================================+======================================+
| Multiple-arm                         | f5_global_routed_mode = False        |
|                                      | f5_snat_mode = True                  |
|                                      |                                      |
|                                      | optional settings:                   |
|                                      | f5_snat_addresses_per_subnet = n     |
|                                      |                                      |
|                                      | where if n is 0, the virtual server  |
|                                      | will use AutoMap SNAT. If n is > 0,  |
|                                      | n number of SNAT addresses will be   |
|                                      | allocated from the member subnet per |
|                                      | active traffic group.                |
+--------------------------------------+--------------------------------------+

Gateway Routed Mode

Gateway Routed Mode

Fig. 9 Gateway Routed Mode

In gateway routed mode, the F5® agent attempts to create a default gateway forwarding service on the BIG-IP® for member Neutron subnets.

+--------------------------------------+--------------------------------------+
| Topology                             | f5-oslbaasv1-agent.ini setting       |
+======================================+======================================+
| Gateway routed mode                  | f5_global_routed_mode = False        |
|                                      | f5_snat_mode = False                 |
|                                      |                                      |
+--------------------------------------+--------------------------------------+

VLANs

Device VLAN to interface and tag mapping

Fig. 10 Device VLAN to interface and tag mapping

In order to establish connectivity between a BIG-IP® and VLAN, you need to map an interface on the BIG-IP® to an interface on the physical network. In the example below, the BIG-IP interface 1.1 is mapping to the eth0 interface on the hypervisor on which it’s running; in turn, eth0 maps to the bridges that provide connectivity from the compute node to the VLAN. The external bridge (br-ex) should have a corresponding provider:physical_network attribute.

See also

F5 OpenStack Configuration Guide: Configure the Neutron Network -> Configure the Bridge.

To create the mapping, edit /etc/neutron/f5-oslbaasv1-agent.ini.

Tip

The f5_external_physical_mappings setting supports multiple, comma-separated entries. It’s good practice to include a default mapping, for cases where the provider:physical_network does not match any configuration settings. A default mapping simply uses the word ‘default’ instead of a known provider:physical_network attribute.

###############################################################################
#  L2 Segmentation Mode Settings
###############################################################################
#
# Device VLAN to interface and tag mapping
#
# For pools or VIPs created on networks with type VLAN we will map
# the VLAN to a particular interface and state if the VLAN tagging
# should be enforced by the external device or not. This setting
# is a comma separated list of the following format:
#
#    physical_network:interface_name:tagged, physical_network:interface_name:tagged
#
# where :
#   physical_network corresponds to provider:physical_network attributes
#   interface_name is the name of an interface or LAG trunk
#   tagged is a boolean (True or False)
#
# If a network does not have a provider:physical_network attribute,
# or the provider:physical_network attribute does not match in the
# configured list, the 'default' physical_network setting will be
# applied. At a minimum you must have a 'default' physical_network
# setting.
#
# standalone example:
#   f5_external_physical_mappings = default:1.1:True
#
# pair or scalen example (1.1 and 1.2 are used for HA purposes):
#   f5_external_physical_mappings = default:1.3:True
#
f5_external_physical_mappings = default:1.1:True
#

Tunnels

For GRE and VxLAN tunnels, the F5® BIG-IP® devices expect to communicate with Open vSwitch VTEPs. The VTEP addresses for Open vSwitch VTEPs are learned from their registered Neutron agent configuration’s tunneling_ip attribute.

Example:

# neutron agent-show 034bddd0-0ac3-457a-9e2c-ed456dc2ad53
+---------------------+--------------------------------------+
| Field               | Value                                |
+---------------------+--------------------------------------+
| admin_state_up      | True                                 |
| agent_type          | Open vSwitch agent                   |
| alive               | True                                 |
| binary              | neutron-openvswitch-agent            |
| configurations      | {                                    |
|                     |      "tunnel_types": [               |
|                     |           "gre"                      |
|                     |      ],                              |
|                     |      "tunneling_ip": "10.1.0.35",    |
|                     |      "bridge_mappings": {            |
|                     |           "ph-eth3": "br-eth3"       |
|                     |      },                              |
|                     |      "l2_population": true,          |
|                     |      "devices": 4                    |
|                     | }                                    |
| created_at          | 2013-11-15 05:00:23                  |
| description         |                                      |
| heartbeat_timestamp | 2014-04-22 16:58:21                  |
| host                | sea-osp-cmp-001                      |
| id                  | 034bddd0-0ac3-457a-9e2c-ed456dc2ad53 |
| started_at          | 2014-04-17 22:39:30                  |
| topic               | N/A                                  |
+---------------------+--------------------------------------+

The F5® LBaaSv1 agent supports the ML2 L2 population service in that overlay tunnels for Member IP access are only built to Open vSwitch agents hosting Members. When using the ML2 population service, you can also elect to use static ARP entries for BIG-IP® devices to avoid flooding. This setting is found in /etc/neutron/f5-oslbaasv1-agent.ini.

# Static ARP population for members on tunnel networks
#
# This is a boolean True or False value which specifies
# that if a Pool Member IP address is associated with a gre
# or vxlan tunnel network, in addition to a tunnel fdb
# record being added, that a static arp entry will be created to
# avoid the need to learn the member's MAC address via flooding.
#
f5_populate_static_arp = True

The necessary ML2 port binding extensions and segmentation model are defined by default with the community ML2 core plugin and Open vSwitch agents on the compute nodes.

When VIPs are placed on tenant overlay networks, the F5® LBaaSv1 agent sends tunnel update RPC messages to the Open vSwitch agents to inform them of BIG-IP® device VTEPs. This allows tenant guest virtual machines or network node services to interact with the BIG-IP®-provisioned VIPs across overlay networks.

BIG-IP® VTEP addresses should be added to the associated agent’s config file (/etc/neutron/f5-oslbaasv1-agent.ini).

# Device Tunneling (VTEP) selfips
#
# This is a single entry or comma separated list of cidr (h/m) format
# selfip addresses, one per BIG-IP device, to use for VTEP addresses.
#
# If no gre or vxlan tunneling is required, these settings should be
# commented out or set to None.
#
#f5_vtep_folder = 'Common'
#f5_vtep_selfip_name = 'vtep'

Run neutron agent-show <agent-id> to view/verify the VTEP configurations. The VTEP addresses are listed as tunneling_ips.

# neutron agent-show 014ada1a-91ab-4408-8a81-7be6c4ea8113
+---------------------+-----------------------------------------------------------------------+
| Field               | Value                                                                 |
+---------------------+-----------------------------------------------------------------------+
| admin_state_up      | True                                                                  |
| agent_type          | Loadbalancer agent                                                    |
| alive               | True                                                                  |
| binary              | f5-bigip-lbaas-agent                                                  |
| configurations      | {                                                                     |
|                     |      "icontrol_endpoints": {                                          |
|                     |           "10.0.64.165": {                                            |
|                     |                "device_name": "host-10-0-64-165.openstack.f5se.com",  |
|                     |                "platform": "Virtual Edition",                         |
|                     |                "version": "BIG-IP_v11.6.0",                           |
|                     |                "serial_number": "b720f143-a632-464c-4db92773f2a0"     |
|                     |           },                                                          |
|                     |           "10.0.64.164": {                                            |
|                     |                "device_name": "host-10-0-64-164.openstack.f5se.com",  |
|                     |                "platform": "Virtual Edition",                         |
|                     |                "version": "BIG-IP_v11.6.0",                           |
|                     |                "serial_number": "e1b1f439-72c3-5240-4358bbc45dff"     |
|                     |           }                                                           |
|                     |      },                                                               |
|                     |      "request_queue_depth": 0,                                        |
|                     |      "environment_prefix": "dev",                                     |
|                     |      "tunneling_ips":                                                 |
|                     |           "10.0.63.126",                                              |
|                     |           "10.0.63.125"                                               |
|                     |      ],                                                               |
|                     |      "common_networks": {},                                           |
|                     |      "services": 0,                                                   |
|                     |      "environment_capacity_score": 0,                                 |
|                     |      "tunnel_types": [                                                |
|                     |           "gre"                                                       |
|                     |      ],                                                               |
|                     |      "environment_group_number": 1,                                   |
|                     |      "bridge_mappings": {                                             |
|                     |           "default": "1.3"                                            |
|                     |      },                                                               |
|                     |      "global_routed_mode": false                                      |
|                     | }                                                                     |
| created_at          | 2015-08-19 13:08:15                                                   |
| description         |                                                                       |
| heartbeat_timestamp | 2015-08-20 15:19:15                                                   |
| host                | sea-osp-ctl-001:f5acc0d3-24d6-5c64-bc75-866dd26310a4                  |
| id                  | 014ada1a-91ab-4408-8a81-7be6c4ea8113                                  |
| started_at          | 2015-08-19 17:30:44                                                   |
| topic               | f5-lbaas-process-on-agent                                             |
+---------------------+-----------------------------------------------------------------------+