Installing Avi Vantage for Cisco APIC
This document describes how to integrate Avi Vantage with Cisco Application Policy Infrastructure Controller (APIC), using VMware vCenter as Cisco APIC’s Virtual Machine Manager (VMM).
Avi Vantage is a software-based solution that provides real-time analytics and elastic application delivery services, such as user-to-application timing, SSL termination, and load balancing.
Note: The Avi Networks device package is not used in Service Manager mode with REST API.
Cisco ACI and APIC
The Cisco Application Centric Infrastructure (ACI) is a distributed overlay network that is built on multipath leaf and spine switching nodes. Endpoint devices, such as servers and firewalls, are connected to leaf nodes. The Cisco Application Policy Infrastructure Controller (APIC) provides a single point of control and a repository of policy data for Cisco ACI. The APIC communicates with Cisco ACI spine and leaf nodes to create isolated tenant networks, set up network paths, and insert network services such as Layer 4-7 and security functions between endpoint devices.
In the Cisco ACI policy model, endpoint groups (EPGs) represent a set of terminal objects or communication endpoints, such as clients and servers. Objects in the same EPG can communicate with each other freely, but objects in different EPGs must have a contract in order to communication. The contract defines traffic filtering rules and can include a service graph to offer network functions, such as Layer 4-7 services.
A service graph defines a list of functions and specifies that the path from one EPG to another EPG must pass through those functions. Avi Vantage provides inline analytics, application visibility, SSL termination, load balancing, and content acceleration services. IT administrators can enable all of these features by including the nodes ADCTier1 and ADCTier2 into a service graph.
This two-node approach enables the ADC component of a virtual service to scale out in real time. Cisco APIC translates a service graph into a network path by associating it with concrete devices, associating the service graph with necessary bridge domains, and configuring IP addresses on the interfaces of the devices. In this model, Avi SEs represent concrete devices and the Avi Controller acts as a single management point to interact with Cisco APIC.
The Avi Device Package for Cisco APIC allows you to insert Avi Vantage services in Cisco ACI fabric. The Avi Controller includes the device package and automatically uploads it to Cisco APIC and creates logical devices as part of its installation. Note: The Avi Controller embeds the device package for Cisco APIC and automatically installs it into Cisco APIC as part of its installation.
Auto-reconfiguration of Device Cluster
The Avi Controller adds Avi SEs to the device cluster dynamically by interacting with APIC and VMware vCenter. The L4-7 service policies, such as SSL termination and load-balancing policies, are configured by the Avi Controller for implementation on the Avi SEs, whereas network policies are configured on the APIC controller. APIC places the data NICs of Avi SEs into the appropriate port groups.
You can export an Avi L4-L7 device to another tenant on APIC. Avi Vantage will create a tenant accordingly and add a new concrete device when you add a load-balanced virtual service.
Service Manager Mode with REST API (new for Avi Vantage 17.1)
Starting with 17.1, the Avi Controller can be integrated with Cisco ACI L4-L7 Service Integration in the service manager mode with REST APIs. When Avi Vantage is configured in this mode,
- Cisco ACI only configures the fabric, not the Layer 4 to Layer 7 device.
- The Avi Controller communicates with APIC using REST APIs instead of Device Package.
- A 2-node Avi Service Graph still needs to be created using the Avi Controller Logical Device as the Logical Node.
A “Managed Mode” checkbox in the Cloud editor (lower right in the below screenshot) is checked by default in Cisco APIC SDN configurations. To operate in Service Manager mode with REST API, it must be un-checked.
Verifying Avi Controller registration in Service Manager mode with REST API
The Avi Controller registers with the Cisco APIC specifying it is in Service Manager mode with REST API. Note in the below screenshot that the Management IP (Avi Controller’s IP) column is
Below is a detailed view of an Avi Controller which has registered with the Cisco APIC in Service Manager mode with REST API. Once again, notice that the “Managed” checkbox is un-checked.
Avi Service Graph Creation in Service Manager mode with REST API
It’s necessary to select the Avi Logical Device without the (Managed) keyword for the nodes of the multiple-node service graph. The Avi Service Graph is represented by a two-node Avi Service Graph that is similar to “Managed Mode.”
It is mandatory that each node of the two-node Avi Service Graph for Service Manager mode with REST API have node 1 as “ADCTier1” and node 2 as “ADC Tier 2.”
Below is the final, completed service graph.
The physical and software requirements differ, depending on the deployment mode.
Virtual Machine Requirements
The following table lists the minimum requirements for the VMs on which the Avi Controller and SEs are installed.
|Avi Controller||24 GB||8||64 GB|
|Service Engine||2 GB||2||10 GB|
Add 3 GB for each additional Controller vCPU. Add 1 GB for each additional SE vCPU.
If you allocate more than the minimum number of vCPUs required, make sure to also allocate at least the minimum required additional memory. Cloud administrators can create multiple flavors of the Avi Vantage Controller image with different resource allocations (for example, “avi_ctrl.small” with the minimum required resources, and “avi_se.medium” with more resources).
The following table lists the software requirements.
|Avi Controller||16.2 or later|
|Avi device package for Cisco APIC||1.1|
|Cisco APIC||1.03f or later|
|VMware vCenter||5.1, 5.5, 6.0 or 6.5|
The Avi Vantage software image is available as a QCOW2 or raw image of the Avi Controller and Avi SEs. The Avi device package for Cisco APIC is embedded in the Avi Vantage software image.
Administrator Credential Requirements
The credentials for administrator accounts for each of the following infrastructure components also is required:
- Cisco APIC
- VMware vCenter: The Avi Controller will need to present the correct credentials to Cisco APIC and VMware vCenter to automatically install the Avi Vantage device package, create an L4-L7 device cluster, and spin up an Avi Service Engine (SE).
In this installation procedure, VMware vCenter is used as Cisco APIC’s VMM to deploy Avi Vantage. The installation procedure consists of the following tasks:
- Deploy the Avi Controller OVA file.
- Configure initial Controller settings through a browser.
- Create a service graph for Avi L4-L7 service on APIC.
- Create a contract using APIC.
- Create a load-balancing Virtual Service (VS) using the Avi Controller. The installation workflow is shown in the following figure:
The Avi Controller, APIC, and vCenter all must be able to communicate with one other. The Avi Controller dynamically deploys an Avi SE VM instance as a concrete device. The Avi SE VM must be able to communicate with Avi Controller and APIC through its management vNIC. When the Avi Controller deploys an Avi SE, it places the management NIC of the Avi SE into the specified port group for out-of-band management access. When an L4-7 service graph is instantiated, APIC places the data vNICs of the Avi SE into the proper port groups based on EPGs.
Deploy Avi Controller OVA
- Log into vCenter server through a vCenter client.
- Click File on the top menu and choose Deploy OVF Template.
- Follow the instructions of the Deploy OVA Template wizard:
- Provide the location of the Avi Controller OVA file.
- Provide the name of the Avi Controller and specify the target ESX host for deployment.
- Choose Thick Provision Lazy Zeroed for disk format.
- Choose a port group for Destination Networks in Network Mapping. This port group will be used by the
Controller to communicate with vCenter.
- Specify the management IP address and default gateway. The management IP address must be in CIDR format
(example: 10.10.2.10/24). Do not leave them empty.
- Power on the VM.
Configure Avi Controller
Connect to the Avi Controller using a browser.
- Configure basic system settings:
- Administrator account
- DNS and NTP server information
- Email and SMTP information
- Choose VMware as the infrastructure type:
- Enter or select the following information:
- vCenter IP address and administrator credentials
- Write permission
- Integration with Cisco APIC
- Provide the following Cisco APIC information:
- APIC IP address and credentials
- APIC tenant where the Avi Vantage device package will be deployed
- APIC VMM Domain name
- Select a data center to which to deploy the Avi SEs:
- Select a port group for the SE management network: This port group should be an out-of-band network (not
managed by APIC). The management interface of the Avi SE will be connected to this port group. The SE will
communicate with the Avi Controller over the management interface.
- If DHCP service is available, select DHCP. Otherwise, select Static and fill out the IP Address Pool field.
- Select Yes on the Tenant Settings page of the wizard to support multiple tenants:
- When the page of additional tenant options appears, select the following:
- Service Engines are managed within the provider context, shared across tenants.
- Tenant has Read Access to Service Engines.
- To verify installation, navigate to Infrastructure > Clouds, click Default-Cloud, then click the Status
button. When the status turns green, installation is complete.
Verify Controller Device Package on Cisco APIC
The Controller automatically installs its device package after the initial settings are configured. To verify that the Avi Vantage device package is installed into Cisco APIC:
- Click L4-L7 Services.
- Expand L4-L4 Service Device Types (left pane) and verify that the Avi Vantage device package is available.
- Click on Tenants, and select the tenant specified above.
- Navigate to L4-L7 Services > L4-L7 Devices > Avi_(unique-id) to view ADC-Cluster.
Export Device Cluster to Tenant
The Avi ADC-Cluster can be exported to any tenant. This allows L4-L7 services to be inserted into that tenant.
- Right-click on L4-L7 Devices, and select Export L4-L7 Devices.
- Select the Avi Device and the tenant to which the device package should be exported.
Verify Service Graph Templates
As soon as the Avi device is exported to a tenant, the Controller will communicate with APIC to create the following Service Graphs:
- AviLBGraphEW: Used by applications to communicate across 2 EPGs within ACI.
- AviLBGraphNS: Used by applications inside the ACI datacenter that are accessed from the Internet (outside ACI). To verify the Service Graph templates:
- Select the tenant to which the device package was exported.
- Click on L4-L7 Services and expand L4-L7 Service Graph Templates.
- Click on a Service Graph Template.
Configure IP Address Pool for SE vNIC
Each Avi SE has 10 vNICs. The first vNIC is the management vNIC through which the SE communicates with the Controller. The rest of the vNICs are data vNICs, which are used to receive end-user traffic. After spinning up an SE, the Controller connects the SE’s management vNIC to the management network specified during initial configuration. Cisco APIC connects the data vNICs to port groups according to VS IP and pool member configuration. Data vNICs connected to back-end pool networks require interface IP addresses.
The Controller automatically assigns IP addresses to data vNICs from an IP address pool created by the administrator for each back-end pool network. For each back-end pool network, a static IP address pool is required. Each address pool must contain at least one IP address. After connection to networks (port groups), the data vNICs need to be assigned an IP address. To assign a static IP address pool to networks:
- Login to the Avi Controller using a browser.
- Navigate to Infrastructure > Cloud > Default-Cloud > Network.
- Find a bridge domain to which your servers are connected.
- Select the bridge domain by clicking the edit icon on the right.
- Check Static on Network IP Address Management.
- Select an IP subnet by clicking the edit icon.
- Enter a static IP address or a range. Repeat these steps to include all potential VS and pool member networks.
The Controller picks an IP address from the range and adds it to the data vNIC connected to the port group. Note: Cisco APIC completely controls distributed virtual switches and port groups. In other words, do not create port groups manually. APIC programs the SE vNICs to place them into the appropriate EPGs or port groups.
This completes the installation phase of deployment. The next phase is to create a virtual service: Virtual Service Creation: APIC