F5 & Cisco ACI Essentials - ServiceCenter: A troubleshooting tool for network admins

Introduction

The F5 ACI ServiceCenter is an application developed to run only on the Cisco ACI App Center platform. It is an integration point between the F5 BIG-IP and Cisco ACI. The application provides an APIC administrator a unified way to manage both L2-L3 and L4-L7 infrastructure.

Once day-0 activities are performed and BIG-IP is deployed within the ACI fabric then the F5 ACI ServiceCenter can be used to handle day-1 and day-2 operations.

For more information, check this informative lightboard video

Topology

Let's take a simple and basic scenario where a pair of BIG-IP's are deployed in an ACI environment and are load balancing a HTTP application.



In an ideal world one single administrator would handle all the network related tasks including managing the load balancing capabilities, but in reality that is not the case.

In reality a typical network administrator is aware of how the ACI is configured: how many tenants are present on APIC, how many end point groups (EPG) and bridge domains(BD) are deployed, how many contracts are deployed to make sure these end points groups are able to talk to each other etc.

On the other hand, a typical BIG-IP administrator is aware of what VIP's are configured on the BIG-IP, what monitors are assigned to the HTTP application, how many pools and pool members exist on the BIG-IP etc.

The network administrator has little or no visibility into the BIG-IP configuration and vice-versa and this leads to inconsistency in deployments as well as communication and coordination overhead in making any changes to the network.

The F5 ACI ServiceCenter visibility use case aims at bridging this gap. It provides the network administrator some visibility into the BIG-IP configuration which will give a better picture of the entire network to the network administrator. This helps with making troubleshooting easier and also providing a means for making informed decisions.

Use Case: Visibility and mapping of APIC and BIG-IP constructs

In this article we will dive right into the visibility use case. Click for details on how to get started using the F5 ACI ServiceCenter.

Using the visibility tab of the application the network administrator will be able to visually view how application workload on the APIC is tied to the BIG-IP. Workload on APIC is learned by an end point group on APIC. For example, if an application is being served by web servers with IPs

192.168.56.*, then these IP addresses will be present as an end poinst in an end point group (EPG) on the APIC. From the perspective of BIG-IP these web servers are pool members on a particular pool.


The F5 ACI ServiceCenter has access to both APIC and BIG-IP and will co-relate this information and provide a mapping.

BIG-IP: VIP|Pool|Pool Member <=> APIC: Tenant|Application Profile|End Point group

This gives the network administrator a view of how the APIC workload is associated with the BIG-IP and what all applications and virtual IP's are tied to a tenant. Along with the mapping the health statistics from the BIG-IP are collected. The health status is reflected based on the monitor assigned to the VIP, pool and pool members on the BIG-IP. 


After any change that a network administrator would make on the network, he/she can login to the F5 ACI ServiceCenter and check if the health of the VIP's/pool member's was affected and troubleshoot on the appropriate tenant/app/epg on the APIC.

Advantages:

  • Reduce the network administrator's time on waiting on the BIG-IP admin to confirm that the application is or is not healthy.
  • Network administrator has to have minimal knowledge of BIG-IP and still be able to make an informed decision.
  • Can use the F5 ACI ServiceCenter to create a snapshot of the network before and after a network change is made.

Automation

The information can be viewed visually, but for those network administrators who are automating their environment they can also take advantage of the API support provided by the F5 ACI ServiceCenter.

Click here for details on API’s supported on the F5 ACI ServiceCenter

Let’s take an example of collecting the snapshot of the VIP and Pool member statistics. Ansible is being used in this example but any automation tool can be used to collect and parse the API response. All API calls are made to the APIC controller.

Ansible playbook for gathering virtual IP address and the status of the VIP. After parsing the data copying the content to a file.

---
- name: Get VIP and status
  hosts: localhost
  gather_facts: false
  connection: local

  vars:
   apic_ip: "10.192.73.xx"
   big_ip: "10.192.73.xx"
   partition: "Dynamic"

  tasks:

  - name: Login to APIC
    uri:
       url: https://{{apic_ip}}/api/aaaLogin.json
       method: POST
       validate_certs: no
       body_format: json
       body:
        aaaUser:
         attributes:
          name: "admin"
          pwd: "<<apic_password>>"
       headers:
         content_type: "application/json"
       return_content: yes
    register: cookie

  - debug: msg="{{cookie['cookies']['APIC-cookie']}}"

  - set_fact:
     token: "{{cookie['cookies']['APIC-cookie']}}"

  - name: Login to BIG-IP
    uri:
      url: https://{{apic_ip}}/appcenter/F5Networks/F5ACIServiceCenter/loginbigip.json
      method: POST
      validate_certs: no
      body:
       url: "{{big_ip}}"
       user: "admin"
       password: "<<bigip_password>>"
      body_format: json
      headers:
       DevCookie: "{{token}}"

  - name: Get complete visibility information
    uri:
       url: https://{{apic_ip}}/appcenter/F5Networks/F5ACIServiceCenter/getvipstats.json
       method: POST
       validate_certs: no
       body:
        url: "{{big_ip}}"
        partition: "{{partition}}"
       body_format: json
       headers:
        DevCookie: "{{token}}"
       return_content: yes
    register: complete_info

  - name: Save only VIP information into a fact
    set_fact:
     vip_info: "{{ complete_info.json.vipStats}}"

  - name: Display VIP and status information
    debug:
     var: vip_info

  - name: Set fact with key value pairs
    set_fact:
     vip_status: "{{ vip_status|default([]) + [ {'vip': item.address.split(':')[0], 'status': item.status } ] }}"
    loop: "{{vip_info | json_query(query_string) }}"
    vars:
      query_string: "[].vip"

  - name: Display key value pairs
    debug:
     msg: "{{item}}"
    with_items:
     "{{vip_status}}"

  - name: Create VIP ip:status file
    blockinfile:
     path: ./vip_status
     create: yes
     block: |
      {{item.vip}}: {{item.status}}
     marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.vip }}"
    with_items:
     "{{vip_status}}"

  - name: Delete comments from file
    lineinfile:
      path: ./vip_status
      regexp: '^#'
      state: absent

  - name: Sort the content for the file for easy comparision
    shell: sort -k2 vip_status > before_nw_change_vip

Output of file 'before_nw_change_vip'

10.168.56.50: available

Ansible playbook for gathering node IP address and the status . After parsing the data copying the content to a file.

---
- name: Get node and status
  hosts: localhost
  gather_facts: false
  connection: local

  vars:
   apic_ip: "10.192.73.xx"
   big_ip: "10.192.73.xx"
   partition: "Dynamic"

  tasks:

  - name: Login to APIC
    uri:
       url: https://{{apic_ip}}/api/aaaLogin.json
       method: POST
       validate_certs: no
       body_format: json
       body:
        aaaUser:
         attributes:
          name: "admin"
          pwd: "<<apic_password>>"
       headers:
         content_type: "application/json"
       return_content: yes
    register: cookie

  - debug: msg="{{cookie['cookies']['APIC-cookie']}}"

  - set_fact:
     token: "{{cookie['cookies']['APIC-cookie']}}"

  - name: Login to BIG-IP
    uri:
      url: https://{{apic_ip}}/appcenter/F5Networks/F5ACIServiceCenter/loginbigip.json
      method: POST
      validate_certs: no
      body:
       url: "{{big_ip}}"
       user: "admin"
       password: "<<bigip_password>>"
      body_format: json
      headers:
       DevCookie: "{{token}}"

  - name: Get complete visibility information
    uri:
       url: https://{{apic_ip}}/appcenter/F5Networks/F5ACIServiceCenter/getvipstats.json
       method: POST
       validate_certs: no
       body:
        url: "{{big_ip}}"
        partition: "{{partition}}"
       body_format: json
       headers:
        DevCookie: "{{token}}"
       return_content: yes
    register: complete_info

  - name: Save only VIP information into a fact
    set_fact:
     vip_info: "{{ complete_info.json.vipStats}}"

  - debug:
     var: vip_info

  - name: Set fact with key value pairs for pool members
    set_fact:
     node_status: "{{ node_status|default([]) + [ {'ip': item.address, 'status': item.status, 'tenant': item.epgs[0].tenant.name, 'app': item.epgs[0].app.name, 'epg': item.epgs[0].epg.name} ] }}"
    loop: "{{vip_info | json_query(query_string) }}"
    vars:
      query_string: "[].nodes[]"

  - name: Display key value pairs
    debug:
     msg: "{{item}}"
    with_items:
     "{{node_status}}"

  - name: Create node ip:status file
    blockinfile:
     path: ./node_status
     create: yes
     block: |
      {{item.ip}}: {{item.status}}: {{item.tenant}} {{item.app}} {{item.epg}}
     marker: "# {mark} ANSIBLE MANAGED BLOCK {{ item.ip }}"
    with_items:
     "{{node_status}}"

  - name: Delete comments from file
    lineinfile:
      path: ./node_status
      regexp: '^#'
      state: absent

  - name: Sort the content for the file for easy comparision
    shell: sort -k2 node_status > before_nw_change_node

Output of file 'before_nw_change_node'

192.168.56.150: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.151: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.152: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.153: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.154: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.155: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.156: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.157: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.158: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.159: available: uni/tn-AspireDemo/ap-AppProfile
192.168.56.167: available: uni/tn-AspireDemo/ap-AppProfile

Once a network change is made, this information can be collected again and a comparison can be made of if any VIP's/Pool members were affected by the network change.

Summary

Few key highlights of the F5 ACI ServiceCenter:

  • Free of cost, no license needed
  • Installed on the APIC natively, no external software/hardware component
  • Operates in the control plane and does not disrupt traffic flow
  • Visibility use case is ideal for new and existing BIG-IP deployments


Using the F5 ACI ServiceCenter application within your ACI environment where BIG-IP's are deployed is a win-win for both network administrators and BIG-IP administrators.

Network administrators can use it for visibility into the BIG-IP and making sure the network is setup correctly to serve the application sitting behind the BIG-IP.

The BIG-IP administrators can take it for granted that the network is intact and the network administrators have done their due diligence by using the F5 ACI ServiceCenter. BIG-IP administrators can focus their efforts on application specific challenges and configurations on the BIG-IP using their day to day operational model.

However maybe there is an ideal world and the BIG-IP and network administrators both have access to the APIC controller, in that case the BIG-IP administrator can also take advantage of L4-L7 use case provided by the F5 ACI ServiceCenter.


For more details visit: https://www.f5.com/cisco

Published Jun 10, 2020
Version 1.0
No CommentsBe the first to comment