Deploy Secure Mesh Site v2 on Baremetal (ClickOps)

Important: The instructions of this document are not currently supported.

Objective

This guide provides instructions on how to create a customer edge (CE) site using F5® Distributed Cloud Console (F5XC) to deploy on a baremetal server. For more information, see F5® Distributed Cloud - Customer Edge.

As part of the new site deployment workflow, you can deploy the CE site as a Secure Mesh Site using a baremetal server.

Important: This guide does not provide instructions to deploy an F5® App Stack Site.

General Prerequisites

The following general prerequisites apply:

  • A Distributed Cloud Services Account. If you do not have an account, see Create an Account.

  • Resources required per node: Minimum 4 vCPUs, 14 GB RAM, and 80 GB disk storage. For a full listing of the resources required, see the Customer Edge Site Sizing Reference guide. All the nodes in a given CE Site should have the same resources regarding the compute, memory, and disk storage. When deploying in cloud environments, these nodes should use the same instance flavor.

  • Allow traffic from and to the Distributed Cloud public IP addresses to your network and allowlist related domain names. See Firewall and Proxy Server Allowlist Reference guide for the list of IP addresses and domain names.

  • F5 assumes that an existing subnet exists with Internet connectivity to attach to the node.

  • The new Secure Mesh Site workflow enables you to have up to eight interfaces. However, these interfaces should be in different subnets. Therefore, make sure you have the required subnets available before creating the CE Site nodes.

  • Internet Control Message Protocol (ICMP) needs to be opened between the CE nodes on the Site Local Outside (SLO) interfaces. This is needed to ensure intra-cluster communication checks.

Important: After you deploy the CE Site, the IP address for the SLO interface cannot be changed. Also, the MAC address cannot be changed.

Configuration Overview

To create a Secure Mesh Site, here are the high-level steps:

  1. Site object creation: Configure the site within F5 Distributed Cloud Console.
  2. Image management: Download node image.
  3. Node management: Use the node image from previous step to boot and install required bare metal nodes.
  4. Interface management: Add additional interfaces on the nodes, as necessary.

Procedure

The example below will deploy a single node secure mesh site with dual interfaces. However, the procedure will also explain the optional deviations from this specific model, making it flexible to adjust to different node & interface requirements.

Create Site Object

Create a Secure Mesh Site.

  • Log into Console.

  • From the Console homepage, select the Multi-Cloud Network Connect service.

  • Click Manage > Site Management > Secure Mesh Sites.

Figure: Navigate to Secure Mesh Site

Figure: Navigate to Secure Mesh Site

  • Click Add Secure Mesh Site.
Figure: Create New Secure Mesh Site

Figure: Create New Secure Mesh Site

  • Enter a name for the new site.
Figure: Set Provider to Baremetal

Figure: Set Provider to Baremetal

  • Provider should be set to Baremetal. You will automatically see the Orchestration mode set to Not Managed by F5XC i.e. Manual mode.
Figure: Disable High Availability

Figure: Disable High Availability

  • For the High Availability option, refer to the Create Secure Mesh Site guide for information on the feature.

  • Apart from this, you can leave all settings with their default values.

  • Click Save and Exit to create the new site.

  • The ISO filename will follow this naming convention: f5xc-ce-<version>-securemeshv2-<timestamp> e.g. f5xc-ce-9.2024.22-securemeshv2-20240711-0205.iso. This downloaded ISO image will be used to bootstrap Baremetal nodes.

Download Node Image

For the site object, under Actions, click ... > Copy Image URL to receive a download link to use for CLI with the curl or wget commands. To download the image file locally, click ... > Download Image.

Figure: Copy Image URL

Figure: Copy Image URL

The ISO filename will follow this naming convention: f5xc-ce-<version>-securemeshv2-<timestamp> e.g. f5xc-ce-9.2024.22-securemeshv2-20240711-0205.iso. This downloaded ISO image will be used to bootstrap Baremetal nodes.

Connect CE Node hosted on BareMetal to F5 Distributed Cloud SaaS

The CE node(s) require connectivity to F5 Distributed Cloud using the public Internet. To facilitate this, the first interface associated with the CE node must be connected to an IPv4 subnet with connectivity to the public Internet. Traffic originating from this interface on a CE node must be allowed to access F5 Distributed Cloud services. Refer to the Firewall and Proxy Server Allowlist Reference for more information.

Generate Node Token

A one-time node token is required to register a CE Site node to the Distributed Cloud Console. A new token must be generated for every new node in a CE Site.

  • In Distributed Cloud Console, select the Multi-Cloud Network Connect service.

  • Navigate to Manage > Site Management > Secure Mesh Sites v2.

  • For your site, click ... > Generate Node Token.

Figure: Generate Node Token

Figure: Generate Node Token

  • Click Copy and save the value locally. This token will be used later in the Create Bare Metal Node section. The token value is hidden for security purposes.
Figure: Copy Node Token

Figure: Copy Node Token

Create Bare Metal Node

Bootstrap the Baremetal Node.
  • Boot the node from the ISO image, and have console access available to monitor the installation. Accept the default boot option or simply wait for the timer to expire.
Figure: Boot the Node

Figure: Boot the Node

  • The installer is fully automated, and you will be greeted with a login window once completed.
Figure: Node Login

Figure: Node Login

Provision the Baremetal Node.

  • Log in as user admin, password Volterra123. You are asked to change this default password, followed by a choice of configuration options.

  • Use configure-network to configure the first interface with Internet access, either manually set an IPv4 address or select DHCP.

Figure: Node Startup

Figure: Node Startup

  • The screenshot above shows NIC ens16f0np0 as primary outside NIC with DHCP and IPv6 auto-configuration enabled. Only set the HTTP_PROXY if you have your own proxy server deployed; otherwise, leave it empty to use the F5 XC proxy. NOTE: We need to adjust this configure message.

  • The next step requires copy-paste of the generated Node Token and this is best done over a network connection to the node. Use execcli ip a to display the network interfaces and assigned addresses:

Figure: Configure Node

Figure: Configure Node

  • Log into the node via SSH, run configure, and paste the Node Token generated earlier.
Figure: Node Final Configuration

Figure: Node Final Configuration

  • Confirm configuration will start the registration process. No further interaction via CLI is required.
Verify CE Registration.

  • Navigate to Overview > Sites and choose your new site from the Sites list at the bottom of the Sites dashboard.

  • The Site dashboard for your site should clearly show that CE has registered successfully with the System Health of 100 as well as Data Plane and Control Plane both being up.

Figure: Site Successfully Registered

Figure: Site Successfully Registered

  • Click the Infrastructure tab to see the Nodes and Interfaces with their IP addresses:
Figure: Node Infrastructure

Figure: Node Infrastructure

Interface Management

Now that the CE has registered successfully, you might want to add additional interfaces to cater to different customer requirements.

Troubleshooting

For troubleshooting issues, see the Troubleshooting Guide for Secure Mesh Site v2 Deployment guide. It provides step-by-step instructions to debug and resolve the issues that may arise due to registration and provisioning errors.

Concepts

On this page: