Manual Chapter : SFC Manager Setup

Applies To:


BIG-IP LTM

  • 15.0.0, 14.1.0

Configure general SFC settings

Before doing this task, make sure you have opened the SFC Manager package.

You configure general settings on the Setup screen of the SFC Manager. The BIG-IP system uses this information as part of configuring the lightweight SFC Manager and all service nodes for the service function chain.

  1. Click Launch SFC Config Editor.
    The Setup screen of the SFC Manager opens.
  2. In the VNI for SFC field, type a virtual network identifier (VNI), for example 100, for the overlay network that connects the SFFs.
    This value is used for the key field in the tunnel object that the BIG-IP system creates later.
  3. In the REST Trust Group field, type a unique name for the trust group.
    The SFC application creates REST-based trust relationships between all BIG-IP devices that are service nodes in the chain. By default, the SFC application assigns the default name __f5_sfc_config_app__ to the trust group.
  4. In the Config Prefix field, type a unique prefix for all object names that the SFC application will automatically create on the BIG-IP devices that will become service nodes in the chain.
    By default, the SFC application will apply the prefix __f5_sfc_app__ to each object name that the SFC Manager internally creates in the service chain.
  5. In the Administrative Partition field, type a unique name for the BIG-IP administrative partition that objects in the service chain are created in.
    By default, the SFC application creates objects in partition Common.
  6. In the Audit Interval field, specify the time interval, in seconds, that is available to the SFC Manager for auditing the configuration of all classifiers and SFFs.
    If there is any difference between the SFC Manager configuration and the configuration of the SFFs and classifiers, the system displays an error message. The allowed range is 0 to 86400. Setting the value to 0 disables the audit feature.

Specify BIG-IP service nodes

Every BIG-IP device that is to become an SFC Manager, classifier, and SFF in the service chain must reside in a REST trust group. Members of a REST trust group are known as service nodes in an SFC configuration. In our configuration, you need to add devices for a combination classifier/SFF and a second SFF. The SFC Manager is added automatically to the list of service nodes. Here, you add each device to the REST trust group.

  1. From the SFC Manager menu on the left side of the screen, select Service Nodes.
  2. In the upper left corner, click Create.
  3. Type the management IP address or the fully-qualified domain name (FQDN) of a BIG-IP device.
  4. Type the user name for the BIG-IP system’s admin user account.
  5. Type the password for the BIG-IP system’s admin user account.
  6. Click Add.
  7. Repeat these steps for all the other BIG-IP devices you are adding.
After you complete this task, the REST trust group contains all service nodes that you added.

Create a service function forwarder

A service function forwarder (SFF) is responsible for forwarding traffic to one or more connected service functions according to information carried in the SFC encapsulation, as well as handling traffic coming back from the service function (SF).
  1. From the SFC Manager menu on the left side of the screen, choose Service Function Forwarders.
  2. Click Create.
  3. In the Name field, type a unique name, such as sff1.
  4. From the Device list, select a BIG-IP service node for this SFF.
  5. In the Underlay Address field, type the non-floating self IP address that you previously created on the device corresponding to this SFF for the local tunnel endpoint for the VXLAN-GPE tunnel.
  6. From the Entry Virtual Server list, select Yes.
    The SFC Manager automatically creates a Performance (Layer 4) virtual server on this SFF. Selecting No requires the user to manually create the necessary virtual server, using either the BIG-IP Configuration utility or the Traffic Management Shell (TMSH).
  7. In the Overlay Address field, type a non-floating self IP address and mask (in CIDR notation, for example 10.1.1.1/24) for the VXLAN tunnel on this service node.
    The SFC application will automatically create the self IP address on the BIG-IP device corresponding to this SFF.
  8. Click Create.
    After you complete this step, the SFC Manager propagates the SFF configuration data to the new SFF.
  9. Repeat these steps for the other SFF, assigning a name such as sff2.
After you complete this task, two service nodes are designated as SFFs in the SFC chain configuration. Also, the SFC Manager creates a VXLAN-GPE tunnel between each pair of SFFs.

Configure a non-NSH-aware service function of type IP

Each SFF has some number of service functions (SFs) associated with it. A service function is the service on a device that processes requests from, and sends responses to, an SFF in a service chain. You must associate a non-NSH-aware service function with an SFF.

  1. From the SFC Manager menu on the left side of the screen, select Service Functions.
  2. In the upper left corner, click Create.
    The Create New Service Function screen opens.
  3. Type a unique name for the SF.
    In our sample configuration, this is sf1-1.
  4. From the Service Function Forwarder list, select an SFF.
    In our sample configuration, this is sff1.
  5. From the NSH Aware list, select No.
  6. From the Resource Type list, select IP.
  7. Type the IP address of the SF device.
  8. From the Ingress Interface and Egress Interface lists, select two interfaces.
    In our sample configuration, these are the VLANs that you created as prerequisites, sff-sf-vlan and sf-sff-vlan, respectively.
  9. Click Create.
    After you complete this step, the SFC Manager propagates the SF configuration data you entered to the relevant SFF.
After completing this task, the SFC configuration contains one non-NSH-aware SF. This is the only non-NSH-aware SF required for the sample configuration.

Configure an NSH-aware service function of type IP

Each SFF has some number of service functions (SFs) associated with it. A service function is the service on a device that processes requests from, and sends responses to, an SFF in a service chain. You must associate an NSH-aware service function with an SFF.
  1. From the SFC Manager menu on the left side of the screen, select Service Functions.
  2. In the upper left corner, click Create.
    The Create New Service Function screen opens.
  3. Type a unique name for the SF.
    In our sample configuration, this is sf2-1.
  4. From the Service Function Forwarder list, select an SFF.
    In our sample configuration, this is sff2.
  5. From the NSH Aware list, select Yes.
  6. From the Resource Type list, select IP.
  7. Type the IP address of the SF device.
  8. From the Ingress Interface and Egress Interface lists, select the tunnel you created as a prerequisite.
    In our sample configuration, this is /Common/sf-tunnel.
  9. Click Create.
    After you complete this step, the SFC Manager propagates the SF configuration data you entered to the relevant SFF.
After doing these steps, you have configured an NSH-aware SF of type IP. This is the first of the two NSH-aware SFs in our sample configuration.

Configure an NSH-aware service function of type Virtual

Each SFF has some number of service functions (SFs) associated with it. A service function is the service on a device that processes requests from, and sends responses to, an SFF in a service chain. You must associate an NSH-aware service function of type Virtual with an SFF.

Note: Unlike the other SFs in the sample configuration, this SF resides directly on its associated SFF.
  1. From the SFC Manager menu on the left side of the screen, select Service Functions.
  2. In the upper left corner, click Create.
    The Create New Service Function screen opens.
  3. Type a unique name for the SF.
    In our sample configuration, this is sf2-2.
  4. From the Service Function Forwarder list, select an SFF.
    In our sample configuration, this is sff2.
  5. From the NSH Aware list, select Yes.
  6. From the Resource Type list, select Virtual.
  7. From the Virtual Server list, select the virtual server that you created as a prerequisite for this SF.
  8. Click Create.
    After you complete this step, the SFC Manager propagates the SF configuration data you entered to the relevant SFF.
After completing this task, you have configured an NSH-aware SF of type Virtual. This is the second of the two NSH-aware SFs in the sample configuration.

Create a service chain object

This procedure creates a new service chain object. A service chain represents a particular service function path through the SFC configuration. A service chain automates the task that network administrators traditionally do to connect a set of L4 through L7 devices to process network traffic. The object needs a name and some associated information, namely a path ID and a start index. You must also specify whether you want the service chain to be enabled or disabled.

Important: You cannot modify a chain object after you have created it. In general, if you need to modify a chain, you must delete the chain and re-create it.
  1. From the SFC Manager menu on the left side of the screen, select Service Function Chains.
  2. In the upper left corner, click Create.
    The Create New Service Chain screen opens.
  3. Type a unique name for the chain.
    In our sample configuration, this is chain1.
  4. Type a Path ID, such as 880.
    This ID is an identifier for the service chain and is used by service nodes for forwarding.
  5. In the Start Index field, type an index number, such as 255.
    This index number is a location identifier for a packet within the service path.
  6. From the Classifier list, select an SFF, and choose the list of classification rules to be applied.
    In our sample configuration, this SFF is sff1.
  7. From the right side of the screen, drag all SFs and drop them into the chain, in the correct order.
  8. Click Create.
After completing this task, the SFC configuration contains a service chain representing a defined path.

SFC configuration results

After doing all of the tasks outlined in this document, you can view a list of the prerequisite and service function chaining (SFC) objects that you created on the BIG-IP system.

You can also use the BIG-IP Traffic Management Shell (TMSH) command-line interface to view the service function forwarder (SFF) configurations that you created as part of your SFC configuration.

List of resulting prerequisite and SFC objects

The prerequisite objects that you created are:

  • One tunnel for the NSH-aware service function (SF) of type IP in the chain
  • Two VLANs for the non-NSH-aware SF in the chain
  • A self IP address for each SFF’s underlay network
  • A self IP address for each of the two SFs of type IP (non-NSH-aware and NSH-aware)
  • A Performance (Layer 4) and custom virtual server, for each forwarding SFF and SF of type virtual, respectively

The objects that the SFC Manager created are:

  • A REST trust group containing a group of BIG-IP devices designated as service nodes
  • A BIG-IP device that functions as an SFC Manager
  • Two service function forwarders (SFFs)
  • A VXLAN-GPE tunnel that connects the SFFs
  • A default or custom virtual server to handle traffic through the tunnel that connects the SFFs
  • A self IP address on each SFF that functions as an overlay address for the VXLAN tunnel
  • Three SFs, each associated with a specific SFF
  • A service chain connecting the service chain components

Viewing SFF configurations using TMSH

The following TMSH output shows the SFF configurations that the SFC Manager creates, excluding PEM policy rules. (The SFC Manager updates the sfc-action field of existing rules but does not create them.)

This output shows the configuration for the SFFs only, and not for the other service nodes.

SFF1:

			root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net sfc
			
			net sfc chain sfc_chain1 {
			    hops {
			        0 {
			            nexthop-endpoint-ip 4.100.5.30
			            service-index 255
			        }
			    }
			    path-id 761
			}
			net sfc sf sf1-1 {
			    egress-interface sff-sf-vlan
			    ingress-interface sf-sff-vlan
			    ip-address 1.2.3.4
			}
			root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net tunnels
			net tunnels tunnel __f5_sfc_app___tunnel {
			    description "Created by F5-SFC-Agent"
			    if-index 320
			    key 100
			    local-address 4.10.5.20
			    profile __f5_sfc_app___profile
			}
			net tunnels vxlan __f5_sfc_app___profile {
			    app-service none
			    description "Created by F5-SFC-Agent"
			    encapsulation-type vxlan-gpe
			    flooding-type multipoint
			    port 4790
			}
			
			root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net self
			net self __f5_sfc_app____non-floating {
			    address 4.100.5.20/32
			    description "Created by F5-SFC-Agent"
			    traffic-group traffic-group-local-only
			    vlan __f5_sfc_app___tunnel
			}
			net self 4.10.5.20 {
			    address 4.10.5.20/24
			    traffic-group traffic-group-local-only
			    vlan external
			}
			
			root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual
			ltm virtual __f5_sfc_app__ {
			    creation-time 2018-06-06:19:08:30
			    description "Created by F5-SFC-Agent"
			    destination 0.0.0.0:any
			    last-modified-time 2018-06-06:19:08:30
			    mask any
			    profiles {
			        fastL4 { }
			    }
			    source 0.0.0.0/0
			    translate-address disabled
			    translate-port disabled
			    vlans {
			        __f5_sfc_app___tunnel
			    }
			    vlans-enabled
			    vs-index 8
			}
			root@(bigip1)(cfg-sync Standalone)(Active)(/Common)(tmos)# list pem policy
			pem policy P1 {
			    rules {
			        Rule1 {
			            http-redirect {
			                redirect-url https://a.com
			            }
			            insert-content {
			                tag-name abcd
			                value-content 1
			            }
			            precedence 6
			        }
			        Rule2 {
			            precedence 9
			            sfc-action {
			                path-name /Common/sfc_chain1
			            }
			        }
			    }
			}
			pem policy P2 {
			    rules {
			        Rule8 {
			            precedence 8
			            sfc-action {
			                path-name /Common/sfc_chain1
			            }
			        }
			    }
			}
			pem policy P3 {
			    rules {
			        R1 {
			            precedence 8
			        }
			        R2 {
			            precedence 6
			            sfc-action {
			                path-name /Common/sfc_chain1
			            }
			        }
			        R3 {
			            precedence 3
			            sfc-action {
			                path-name /Common/sfc_chain1
			            }
			        }
			    }
			}

SFF2:

			root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net sfc
			
			net sfc chain sfc_chain1 {
			    hops {
			        1 {
			            nexthop-service sf2-1
			            service-index 255
			        }
			        2 {
			            nexthop-terminate
			            service-index 254
			        }
			    }
			    path-id 761
			}
			net sfc sf sf2-1 {
			    egress-interface sf-tunnel
			    ingress-interface sf-tunnel
			    ip-address 10.192.17.224
			    nsh-aware enabled
			}
			root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net tunnels
			net tunnels tunnel __f5_sfc_app___tunnel {
			    description "Created by F5-SFC-Agent"
			    if-index 288
			    key 100
			    local-address 4.10.5.30
			    profile __f5_sfc_app___profile
			}
			net tunnels vxlan __f5_sfc_app___profile {
			    app-service none
			    description "Created by F5-SFC-Agent"
			    encapsulation-type vxlan-gpe
			    flooding-type multipoint
			    port 4790
			}
			root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list net fdb tunnel
			net fdb tunnel __f5_sfc_app___tunnel {
			    records {
			        ff:ff:ff:ff:ff:ff {
			            endpoints { 4.10.5.20 4.10.5.30 }
			        }
			    }
			}
			root@(bigip2)(cfg-sync Standalone)(Active)(/Common)(tmos)# list ltm virtual
			ltm virtual __f5_sfc_app__ {
			    creation-time 2018-06-06:19:08:47
			    description "Created by F5-SFC-Agent"
			    destination 0.0.0.0:any
			    last-modified-time 2018-06-06:19:08:47
			    mask any
			    profiles {
			        fastL4 { }
			    }
			    source 0.0.0.0/0
			    translate-address disabled
			    translate-port disabled
			    vlans {
			        __f5_sfc_app___tunnel
			    }
			    vlans-enabled
			    vs-index 9
			}
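
One way to check listings like the ones above after the SFC Manager has pushed its configuration, as an added Python example that is not F5 code: it parses TMSH list output and reports an SFC tunnel whose key differs from the VNI or whose profile is not vxlan-gpe, and a wildcard virtual server (destination 0.0.0.0:any) that is not limited by vlans-enabled to the SFC tunnel. The function names parse_tmsh and audit_sff are hypothetical; the default VNI 100 and prefix __f5_sfc_app__ are this page's sample values.

```python
# Added example, not F5 code. SAMPLE is trimmed from the SFF1 output on this page.
SAMPLE = """
net tunnels tunnel __f5_sfc_app___tunnel {
    key 100
    profile __f5_sfc_app___profile
}
net tunnels vxlan __f5_sfc_app___profile {
    encapsulation-type vxlan-gpe
}
ltm virtual __f5_sfc_app__ {
    destination 0.0.0.0:any
    vlans {
        __f5_sfc_app___tunnel
    }
    vlans-enabled
}
"""

def parse_tmsh(text):
    """Parse brace-nested TMSH `list` output into nested dicts."""
    stack = [{}]
    for line in map(str.strip, text.splitlines()):
        if line == "}":
            stack.pop()
        elif line.endswith("{"):                 # block opener: "name {"
            stack.append(stack[-1].setdefault(line[:-1].strip(), {}))
        elif line.endswith("}"):                 # inline block: "fastL4 { }"
            key, body = line[:-1].split("{", 1)
            stack[-1][key.strip()] = body.split()
        elif line and "(tmos)#" not in line:     # skip blanks and shell prompts
            key, _, value = line.partition(" ")
            stack[-1][key] = value.strip('"') or True   # bare flag -> True
    return stack[0]

def audit_sff(text, vni="100", prefix="__f5_sfc_app__"):
    """Check SFC-created tunnels and wildcard virtuals; defaults are the page's values."""
    cfg, findings = parse_tmsh(text), []
    for name, obj in cfg.items():
        if name.startswith("net tunnels tunnel " + prefix):
            profile = cfg.get(f"net tunnels vxlan {obj.get('profile')}", {})
            if obj.get("key") != vni:
                findings.append(f"{name}: key does not match VNI {vni}")
            if profile.get("encapsulation-type") != "vxlan-gpe":
                findings.append(f"{name}: profile is not vxlan-gpe")
        if name.startswith("ltm virtual ") and obj.get("destination") == "0.0.0.0:any":
            vlans = obj.get("vlans") if obj.get("vlans-enabled") else None
            if not vlans or not all(v.startswith(prefix) for v in vlans):
                findings.append(f"{name}: wildcard virtual not confined to SFC tunnel")
    return findings
```

Pass the captured output of list net tunnels and list ltm virtual from each SFF to audit_sff; an empty list means the tunnel and virtual server match the Setup values.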