unleash the power of cisco aci and f5 synthesis for ... · filters – which epg can talk to which...
TRANSCRIPT
Unleash the power of Cisco ACI and F5 Synthesis for accelerated application deployments
Paolo Pio – Product Manager @ Cisco
Nicolas Ménant – Solution Architect @ F5
F5 Agility 2014 2F5 Agility 2014 2
Cisco’s Application Centric Infrastructure (ACI) and F5 Synthesis are focused on efficiently delivering applications by taking a fabric-based approach to networking and services architectures. Cisco ACI is designed to translate application requirements into services required for successfully deploying applications in a simplified and automated fashion.
In this session, you’ll learn how F5 and Cisco technologies integrate and collaborate to enable IT to execute on its strategic mission. Learn how:
• Cisco ACI and F5 Synthesis SDAS can accelerate application deployment
• Cisco ACI translates application requirements into network services by taking advantage of F5 SDAS architectural components
• Assure the performance, security and reliability of applications by taking advantage of application-centric network services
Abstract
For YourReference
F5 Agility 2014 3F5 Agility 2014 3
• F5 Synthesis – Software Defined Application Services (SDAS) Overview
• Cisco Application Centric Infrastructure (ACI) L4-7 Services Insertion
• F5 BIG-IP and Cisco ACI Integration• Topologies • Terminologies• How does F5 BIG-IP integrate with Cisco ACI?• L4 SLB workflow
• Key Takeaways
• Q&A
Agenda
F5 Synthesis Overview
Applications Impact on Data Center Architecture
MICRO-ARCHITECTURES
Each service is isolated and requires its own:• Load balancing• Authentication / authorization • Security • Layer 7 Services • May be API-based, expanding
services requiredMore applications needing services
API DOMINANCE
Proxies are used in emerging API-centric architectures for:• API versioning • Client-based steering • API Load balancing • Metering & billing • API key management
More intelligence needed in services
Service A Service C
Service B Service D
API v1
API v2
F5 Agility 2014 6F5 Agility 2014 6
Evolution in Application Environment
F5 VISION
Applicationswithout constraints
SDN and Private Cloud
Software Defined Data Centers
Cloud and DevOps
Cloud SLA and controlprivate network agility
Accelerate time to market
Agile Development
Rapid deployment─network and operations velocity
Speed, customer-driven, and quality of app development
Failed to Address:L4–7 device sprawl and application awareness
F5 Agility 2014 7F5 Agility 2014 7
High-Performance Services Fabric
Network [Physical • Overlay • SDN]
Virtual Edition Chassis Appliance
Data Plane
Programmability (iRule / iApp / iControl)
Control Plane Management Plane
F5 Agility 2014 8F5 Agility 2014 8
High-Performance Services Fabric
Simplified Business Models
• New licensing models• Easy to procure• Save by purchasing bundles
f5 Synthesis
F5 Agility 2014 9F5 Agility 2014 9
F5 DEVICE PACKAGE FOR APIC
• Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP –Preserves richness of F5 Synthesis offering through policy abstraction
• Accelerated application deployments with reliability, security and consistent scalable network and L4-L7 services - Existing F5 HW/SW, topologies integrate seamlessly with Cisco ACI
• Application agility using policy driven application delivery approach to significantly reduce operating costs - provisioning workflows is efficient and faster while maintaining operational best practices across multiple teams
F5 and Cisco ACI Joint Solution Benefits
ACI Fabric
Virtual Edition Chassis Appliance
Data PlaneProgrammability (iRule / iApp / iControl)
Control Plane Management Plane
F5 SYNTHESIS FABRIC
APIC
Cisco Application Centric Infrastructure (ACI)
F5 Agility 2014 11F5 Agility 2014 11
• Lacks application agility -requires provisioning across different layers by different organizations
• Time to operationalize purchased assets is longer due to inefficient provisioning
• Longer time to deploy Applications with scale and security
• Harder to achieve application elasticity
Application Provisioning in Today’s Data Centers
TENANT (HR) TENANT (FINANCE)
NETWORK CONNECTIVITY
L4-L7
COMPUTE + VM
STORAGE
App x
App y
App z
App p
App q
App r
NETWORK CONNECTIVITY
L4-L7
COMPUTE + VM
STORAGE
NETWORK CONNECTIVITY
L4-L7
COMPUTE + VM
STORAGE
NETWORK CONNECTIVITY
L4-L7
COMPUTE + VM
STORAGE
NETWORK CONNECTIVITY
L4-L7
COMPUTE + VM
STORAGE
NETWORK CONNECTIVITY
L4-L7
COMPUTE + VM
STORAGE
Configure firewall rules as required by the application
Configure Network to insert Firewall
Configure firewall network parameters
Configure Load Balancer as required by the application
Configure Load Balancer Network Parameters
Configure Router to steer traffic to/from Load Balancer
Traditional Network Service InsertionChallenges
Service insertion takes days
Network configuration is time consuming and error prone
Difficult to track configuration on services
Service Insertion In traditional Networks
Server
vFW
Switch
Router
FW
Router
LB
Rapid Deployment of Applications with Scale and Security
Application-centricity to Visibility and Troubleshooting
Application Agility – Any where, Any time, Physical and Virtual
Open Source Application Policies
Common Operational Model through Open APIs
Application Centric InfrastructureUsing the Language of Apps in the Network
Physical Networking
L4–L7Services
Multi DC WAN & Cloud
Compute StorageHypervisors and Virtual Networking
F5 Device package for APIC
BIG-IPPhysical and or Virtual
AGILITY: Any application, anywhere – Physical and Virtualcommon application network profile
14
CONNECTIVITY POLICY
SECURITY POLICIES
QOSBANDWIDTH
RESERVATION AVAILABILITY
APPLICATION L4-L7
SERVICES
STORAGE AND COMPUTE
APPLICATION NETWORK PROFILE
SLA
QoS
Security
LoadBalancing
WEB
WEB WEB WEB
APP
APP APP APP
DB
DB DB DB
F/WADC ADC
Extensible Scripting Model
DB DBDB
WEB WEB WEB APP WEB APP WEB
HYPERVISOR HYPERVISOR HYPERVISOR
APPLICATION NETWORK PROFILE
Traditional3-TierApplication
F5 Agility 2014 15F5 Agility 2014 15
Goals of APIC Service Insertion and Automation
Configure and Manage VLAN allocation for service insertion
Configure the network to redirect traffic through service device
Configure network and service function parameters on service device
F5 Agility 2014 16F5 Agility 2014 16
Service Graph: “web-application”
• Service graph is an ordered set of functions between a set of terminals• A Service Graph can be defined through GUI,
CLI or through APIC API
• A function has one or more connectors • Network connectivity like VLAN tag is assigned
to these connectors
Service Graph Definition
16
Func: SSL offload
Func: Load Balancing
Func: Firewall
Connectors TerminalsTerminals
Functions rendered on the same device
Firewall paramsPermit ip tcp * dest-ip <vip> dest-port 80Deny ip udp *
SSL paramsIpaddress <vip> port 80
Load-Balancing paramsvirtual-ip <vip> port 80 Lb-aglorithm: round-robin
• A function within a graph may require one or more parameters– Parameters can be scoped by an EPG or an application
profile or tenant context – Parameters could also be assigned at the time of defining
a service graph. Parameter values can be locked from further changes
F5 Agility 2014 17F5 Agility 2014 17
Application Policy Example
17
dB ContractMSSQL: Accept
MySQL: Accept
HTTP: Accept, Count
Contract
APP
APP APP APP
DB
DB DB DB
Consumes Provides
EPG - APP EPG - DB
FilterNamed collection of L4 port ranges• HTTP = [80, 443]• MSSQL = [1433-1434]• MySQL = [3306, 25565]• DNS = [53, 953, 1337, 5353]
ActionWhat action or actions to take on packet• Accept• Service Insert
F5 Agility 2014 18F5 Agility 2014 18
APIC L4 – L7 Service Integration
APPLICATION NETWORK PROFILE
Traditional3-TierApplication
WEBWEB WEB WEB
APPAPP APP APP
DBDB DB DB
F/WADC ADC
TENANT (HR)
NETWORKING POLICY(CONNECTIVITY FOR THE TENANT L2-L3)
TROUBLESHOOTING POLICYSPAN, ERSPAN ETC
MONITORING POLICY(EVENTS, SNMP ETC)
APPLICATION PROFILE (3 TIER APP)EPGS ARE DEFINED HERE
End Point Group (EPG) – collection of bare metal servers, VMs, vNICEx: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPGEx: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG
SECURITY POLICY (POLICY DECISION IS DONE HERE)
FILTERS – WHICH EPG CAN TALK TO WHICH OTHER EPGTRAFFIC STEERING – WHICH EPGS NEEDS SERVICE
SERVICES
Contract – services between the WEB and APP EPG (web graph, HTTP graph) Graph can be single graph or muti graphEx: APP is a provider and WEB is the consumer Define services within a contract: FW, ADC in this example ADC defined
L4-L7 SERVICES POLICY(CREATION OF A GRAPH IS DONE HERE)
Service Graph (Ex: WEB graph utilizes L4 SLB)Device cluster
F5 BIG-IP Integration with
Cisco ACI
Topology ConsistencyCore/Aggregation/Access model 1 ARM mode + HA pair
Active Standby
Nexus 7000 / Nexus 5000 / Nexus 2000 Nexus 9000 Standalone
Active Standby
Users can transition to Cisco ACI seamlessly from BIG-IP 1 ARM + HA topologies within
Nexus 7000 and Nexus 9000 standalone
deployment
For YourReference
Topology ConsistencyCore/Aggregation/Access model 2 ARM mode + HA pair
Active Standby
Nexus 7000 / Nexus 5000 / Nexus 2000 Nexus 9000 Standalone
Active Standby
Users can transition to Cisco ACI seamlessly from BIG-IP 2 ARM + HA topologies within
Nexus 7000 and Nexus 9000 standalone
deployment
For YourReference
Cisco ACI ArchitectureBIG-IP 1 ARM and 2 ARM + HA
APIC
Active Standby
APIC
Active Standby
External ExternalInternal InternalExternal / Internal
External / Internal
1 ARM mode + HA pair 2 ARM mode + HA pair
BIG-IP connects to any iLeaf in ACI topology independent of iLeaf
location
F5 Agility 2014 23F5 Agility 2014 23
APIC
Service Automation Through Device Package
Configuration Model (XML File)
Python Scripts
Script Engine
Python Scripts
APIC Script Interface
APIC Script Interface
APIC– Policy Manager
Configuration Model
PolicyEngine
Provider Administrator can upload a Device Package
APIC provides extendable policy model through Device Package
Device Package contains XML file defining DeviceConfiguration Model
Device scripts translates APIC API callouts to device specific callouts
Open DevicePackage
F5 Agility 2014 24F5 Agility 2014 24
APIC
Understanding Device Package
Device Specification
Is an XML file that definesFunctions provided by a device – Like Load Balancing, Content-Switching, SSL termination etcParameters required for configuring each functionInterfaces and Network connectivity information for each function
APIC requires a Device Package to configure and monitor a service devices. A device package manages a class of service devices
A Device Package is a zip file containing two parts
Device Script
The integration between the APIC and a Device is performed by a Device Script
APIC events are mapped to function calls defined in Device Script
24
XML / REST API
Device Package
BIG-IP Physical or
VE
EPG level L4-L7 config
Service Graph Function Node level
L4-L7 config
Python iControl
Device Package: Function ProfilesFunction Profiles are XML schema and function very much like iApp, user can define new function profiles where it can be imported to the service graph
Function Profiles can be:• WebProfile• HTTPS• Application-1Click to configure L4-
L7 Service Node Configurations
F5 Agility 2014 26F5 Agility 2014 26
Cisco APIC and F5 APIs are open, user can defined its own device package, for example, adding other F5 modules like Access Policy Manager (APM) or Application Security Manager (ASM), and have it incorporated with F5 LTMdevice package in the same service graph.
Device Package: User Defined (Future)
To Consumer EPG F5 BIG-IP
ASMF5 BIG-IP
LTM
To Provider EPG
User Defined Device Package
F5 Provided Device Package
F5 Agility 2014 27F5 Agility 2014 27
Use cases
27
Functions
• Virtual Server• Layer 4 Server Load balancing
• Layer 4 SLB with SSL offload• Layer 7 Server Load balancing
• Layer 7 SLB with SSL offload• Microsoft SharePoint
Parameters under Virtual Server• Configuring Global and Tenant Self IP addresses• Configuring Global and Tenant static routes• Device Counters• Server Pools• TCP Optimizations (WAN/LAN/Mobile)• HTTP optimization• HTTP Security (Application protocol security)• TCP connection multiplexing (One Connect)• Validators and Creation of tenant OneConnect
profiles• iRules• Validators and Creation of tenant acceleration
profiles• SNAT Pool management
More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload hence 1st release targets these use cases
F5 Agility 2014 28F5 Agility 2014 28
• F5 SDAS and Cisco ACI Solution Briefhttp://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC) http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
• F5 BIG-IP LTM and Cisco ACI Integration white paper Coming Soon !
• Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone) Coming Soon !
• Follow us on Twitter @CiscoDC -> Official Cisco Channel, @f5Networks Official F5 Networks Channel
Reference Material
28
For YourReference
F5 Agility 2014 29F5 Agility 2014 29
• F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco’s Application Centric Infrastructure
• How Cisco ACI solves network services insertion challenges
• F5 BIG-IP automated integration into Cisco APIC
• Cisco ACI integration into existing F5 BIG-IP LTM deployments
• Key benefits of BIG-IP / ACI model:• Multi-Tenancy, Multi-Graph Support• Use Case Focus• Automation Ready• Application level visibility and monitoring
Key Takeaways
30
Tenancy Model
31
F5 Agility 2014 32F5 Agility 2014 32
A function node identifies a set of network service functions that are required by an application
Terminology: APIC Tenant / BIG-IP Partition
Tenant is a container for policies, where the primary elements that the tenant contains are: filters, contracts, bridge domains and application profiles that contain EPGs
An ACI tenant will be represented as a partition within BIG-IP
A function node within a service graph will be represented as a Virtual Server within BIG-IP
F5 Agility 2014 33F5 Agility 2014 33
Multiple Virtual Servers for different applications in the same BIG-IP partition/APIC Tenant, sharing the same device
Virtual Servers created by APIC inside BIG-IP is prefixed by the APIC and partition number, Since routing domain tied to partition, F5 demonstrate true multi-tenancy
Multiple Graph Single Tenant
Client EPG
App EPG 1Virtual Server 1
APIC partition: apic1234
Route Domain A
Virtual Server 2App EPG
2
Single BIG-IP physical / virtual
instance
F5 Agility 2014 34F5 Agility 2014 34
• Multiple Virtual Servers for different applications in the different BIG-IP partitions/APIC Tenants, sharing the same device
• Virtual Servers created by APIC inside BIG-IP is prefixed by the APIC partition number, Since routing domain tied to partition, F5 demonstrate true multi-tenancy
• Scalability is based on BIG-IPAPIC : 64k tenantsBIG-IP : 128 partitions
F5 supports TRUEMultiple Graph Multiple Tenancy
Client EPG
App EPG 1Virtual
Server 1
APIC partition: apic7890
Route Domain N
Virtual Server 2
App EPG 2
Tenant N
Client EPG
App EPG 1Virtual
Server 1
APIC partition: apic2345
Route Domain B
Virtual Server 2
App EPG 2
App EPG 1Virtual
Server 1
APIC partition: apic1234
Route Domain A
Virtual Server 2
App EPG 2
Tenant B
Tenant A
Single BIG-IP physical / virtual instance
Client EPG
F5 Agility 2014 35F5 Agility 2014 35
Terminology: APIC Service Graph Config / BIG-IP LTM Config
APIC Service Graph Function Node Config Parameters, for example, web pool, will be pushed from APIC to BIG-IP
In this example, BIG-IP populates Pools configuration from APIC.Parameters that are optimized for L4 SLB (similar to iApp) will be pre-configured and automatically populated in BIG-IP
F5 Agility 2014 36F5 Agility 2014 36
Mixed Mode Support
Common PartitionUser can define custom iRules under Common partition and they can be called by APIC,
APIC PartitionConfiguration pushed and populated by APIC. User does not modify this partition. APIC will perform L4-L7 service insertion on this partition.
BIG-IP created Partition: User can continue to use partition created by BIG-IP, they appeared as separate EPG to APIC. Network functionality will be managed by APIC through the Fabric, where L4-L7 will be managed by BIG-IP. User can continue to use custom iApp and iRules in this scenario.
APIC
BIG-IP Physical or Virtual
ClientEPG
ServerEPG
Contract:Including L4-L7
servicesClientEPG
ServerEPGContract
BIG-IPExt
EPG
BIG-IPInt
EPGContract
F5 Agility 2014 37F5 Agility 2014 37
APIC can provide EPG level atomic counters on the Function Node (F5 BIG-IP)
Monitoring
User will continue to use BIG-IP to monitor LTM specific monitors as before
F5 Agility 2014 38F5 Agility 2014 38
Bring it all together: Multi-Tenant/Multi-Graph SLB use case
38
InternetInternet
Client IP172.16.1.10 10.10.1.2:80
10.10.1.3:8010.10.1.4:80
10.10.1.210.10.1.310.10.1.4
Tenant A10.10.1.2:8010.10.1.3:8010.10.1.4:80
10.10.1.210.10.1.310.10.1.4
Tenant B Client IP173.17.1.10
EPG Web
EPG App
EPG Web
EPG App
1 4 4 1
2
3 3
2
Workflow: Multi-Tenant / Multi-Graph L4 SLB use case
1. Install F5 device package
2. Create logical device cluster
3. Add concrete devices (BIG-IP physical or virtual) to device cluster
4. Map logical interfaces (external and internal) to physical interfaces
5. Export device cluster to other tenants (multi-tenancy)
6. Create service graph (1) using F5 BIG-IP as function node
7. Create service graph (2) using the same BIG-IP as function node (multi-graph)
8. Assign service graph to contracts
* Prior to integrate F5 BIG-IP into ACI, user should configure tenants (application profiles / networking / security policies) and VM Networking (if necessary)
Steps to integrate F5 BIG-IP into ACI: