f5 demystifying network service orchestration and...
Post on 02-Aug-2018
219 Views
Preview:
TRANSCRIPT
F5 Demystifying Network Service Orchestration and Insertion in Application Centric and Programmable Network Architectures
Jeffrey Wong - Solution Architect
F5 Networks
February, 2015
© F5 Networks, Inc 3
Agenda
• F5 Synthesis Overview
• ACI L4 –L7 Service Insertion Overview
• F5 Device Package Release 1.1.0 Details
• F5 BIG-IP LTM Integration with Cisco ACI
• Workload Migration from Traditional Networks to Cisco ACI
• F5 BIG-IQ Integration with Cisco ACI
© F5 Networks, Inc 5
Impact on Data Center Architecture: Applications
MICRO-ARCHITECTURES
Each service is isolated and requires its own: • Load balancing
• Authentication / authorization
• Security
• Layer 7 Services
• May be API-based, expanding services required
API DOMINANCE
Proxies are used in emerging API-centric architectures for: • API versioning
• Client-based steering
• API Load balancing
• Metering & billing
• API key management
More applications needing services
Service A Service C
Service B Service D
More intelligence needed in services
API v1
API v2
© F5 Networks, Inc 6
High-Performance Services Fabric
Network [Physical • Overlay • SDN]
Virtual Edition Chassis Appliance
Data Plane
Programmability (iRules / iApps / iControl)
Control Plane Management Plane
© F5 Networks, Inc 7
F5 and Cisco ACI Joint Solution Benefits
ACI Fabric
Programmability (iRules / iApps / iControl)
Data Plane Control Plane Management Plane
F5 Synthesis Fabric
Virtual Edition Appliance Chassis
F5 DEVICE PACKAGE FOR APIC • Preserves richness
of F5 Synthesis offering. Ease of integration due to rich programmability
• Existing F5 Physical and Virtual appliances, topologies integrate seamlessly with Cisco ACI
• Maintains operational best practices & offers faster provisioning of workflows
• Automated L4-L7 application service insertion
• Accelerated application deployments with scalableL4-L7 services
• Application agility & significant reduction in operating costs
© F5 Networks, Inc 8
F5 and Cisco ACI Integration – Latest Addition Announcing APIC and BIG-IQ Integration Early Availability
Virtual Edition Appliance Chassis
BIG-IQ
APIC to BIG-IP Integration Model Phase 1 (Shipping)
APIC to BIG-IQ Integration Model Phase 2 (Early Availability Jan’15, FCS Q2 CY15)
BIG-IP
Customers have choice to leverage Cisco APIC to BIG-IP or through BIG-IQ Integration Models
ACI Fabric
F5
Syn
the
sis
Fa
bric
© F5 Networks, Inc 9
Choosing F5 BIG-IP for Cisco ACI Supports 11.4.1 and above, Platform Independent
4000 series 10000 Series
5000 Series 7000 Series
Good, Better, Best Platforms
11000 Series
5Gbps
3Gbps
1Gbps
200M
25M
VIPRION 2400
VIPRION 4480 VIPRION 4800
F5 physical ADCs High-performance with specialized and
dedicated hardware
Physical ADC is best for: • Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery workloads
Physical + virtual =
hybrid ADC infrastructure Ultimate flexibility and performance
Hybrid ADC is best for: • Transitioning from physical to
virtual and private data center to
cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
F5 virtual editions Provide flexible deployment options for virtual
environments and the cloud
Virtual ADC is best for: • Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments
Physical Hybrid Virtual
2000 series*
10Gbps
VIPRION 2200
1600 series*
© F5 Networks, Inc 11
Traditional Network Service Insertion Challenges
Configure firewall rules as
required by the application
Configure Network to insert Firewall
Configure firewall
network parameters
Configure Load Balancer as
required by the application
Configure Load Balancer
Network Parameters
Configure Router to steer traffic
to/from Load Balancer
Service insertion takes days
Network configuration is time consuming and error prone
Difficult to track configuration on services
Service Insertion In traditional Networks
Server
vFW
Switch
Router
FW
Router
LB
© F5 Networks, Inc 12
APIC L4 – L7 Service Integration
APPLICATION NETWORK PROFILE
Traditional 3-Tier Application
WEB WEB WEB WEB
APP APP APP APP
DB DB DB DB
F/W ADC
ADC
TENANT (HR)
NETWORKING POLICY CONNECTIVITY FOR THE TENANT L2-L3
TROUBLESHOOTING POLICY SPAN, ERSPAN ETC
MONITORING POLICY EVENTS, SNMP
APPLICATION PROFILE (3 TIER APP) EPGS ARE DEFINED HERE
endpoint Group (EPG) – collection of bare metal servers, VMs, vNIC Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG
SECURITY POLICY (POLICY DECISION IS DONE HERE) FILTERS, QOS, TRAFFIC STEERING
Contract – services between the WEB and APP EPG (web graph, HTTP graph) Ex: APP is a provider and WEB is the consumer Define services within a contract: FW, ADC in this example ADC defined
L4-L7 SERVICES POLICY DEFINE L4-L7 SERVICE POLICY
Service Graph (Ex: WEB graph utilizes L7 SLB) Logical Device Cluster
© F5 Networks, Inc 13
F5 Device Package: Definition
APIC requires a Device Package to communicate with service devices.
A Device Package is a zip file containing two parts:
Device Specification (xml): The configuration of the
APIC is represented as an object model consisting of a
large number of Managed Objects (MOs). A Device
type is defined by a tree of MOs with a Meta Device
(MDev) at the root.
DeviceScript (py): The integration between the
APIC and a Device is performed by a
DeviceScript, which maps APIC events function
calls defined in Device Script
Device Script
APIC
Configuration through UI or North Bound
APIs Device
Package BIG-IP Physical
or VE
EPG level L4-L7 config
Service Graph Function Node level L4-L7 config
Python
iControl /
SouthBound
API
Device Specification
<dev type= “f5”>
<service type= “slb”>
<param name= “vip”>
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
© F5 Networks, Inc 14
Service Graph: Definition Abstract graph concept mapping to Service Graph
• Service graph is an ordered set of functions between a set of terminals e-g; Firewall Function, Load balancer Function
• A function has one or more connectors
• Network connectivity like VLAN/VNID tag is assigned to these connectors
Functions rendered on the same device
• A function within a graph may require one or more parameters
• Parameters can be scoped by an EPG or an application profile or tenant context
• Parameter values can be locked from further changes
Service Graph: “web-application”
Func: SSL offload
Func: Load Balancing
Func: Firewall
Connectors Terminals Terminals
Firewall params Permit ip tcp * dest-ip <vip> dest-port 80 Deny ip udp *
SSL params Ipaddress <vip> port 80
Load-Balancing params virtual-ip <vip> port 80 Lb-aglorithm: round-robin
EXT
EXT EXT EXT
EPG - EXT
WEB
WEB WEB WEB
EPG - WEB
Consumes Provides
© F5 Networks, Inc 15
F5 Service Insertion
Ext
Users
EPG EXT
Web
Server
EPG WEB
Ap
plica
tio
n
Co
nstr
uct
Node
inst
inst
…
firewall
inst
inst
…
ADC: Virtual Server
graph
….
start end stage
1 ….. stage
N
Concrete Device Concrete Device
Logical Device Cluster
Provide Consume Web Farm provide services to External Users; Policy Contract defines relationship between Web Farm and Users
Users assign to EPG EXT Web Farm assign to EPG WEB Users accessing the Web Servers
Service Graph Insertion at the Policy Contract Subject level
Service Graph contains Function Nodes, Virtual Server is a Function Node
F5 BIG-IPs are Concrete Devices belong to a Logical Device Cluster that enables ADC as a Function Node within a Service Graph
© F5 Networks, Inc 16
Goals of APIC Service Insertion and Automation
Configure and Manage VLAN allocation for service insertion
Configure the network to redirect traffic through service device
Configure network and service function parameters on service device
© F5 Networks, Inc 18
F5 and Cisco ACI Integration Models
Virtual Edition Appliance Chassis
BIG-IQ
APIC to BIG-IP Integration Model
APIC to BIG-IQ Integration Model
BIG-IP
ACI Fabric
F5
Syn
the
sis
Fa
bric
© F5 Networks, Inc 19
F5 ACI Device Package 1.1.0 is now Released! Supports ACI FCS+3 version 1.0(2m)
• vCMP support (New with 1.1.0)
• Dynamic endpoint attach and detach (New with 1.1.0)
• Supports any BIG-IP LTM physical and virtual form factor running version 11.4.1 and above
• Device package can be downloaded from downloads.f5.com at no cost
• Does not require any new module installation on the BIG-IP
• Can leverage BIG-IQ as device management
• iRules (custom defined) that reside in common partition can be called by APIC
• BIG-IP is licensed and OOB management configured prior to APIC integration
• Supports Active / Standby High Availability model per APIC logical device cluster
© F5 Networks, Inc 20
F5 Device Package 1.1.0 Supported Functions
Functions
• Virtual Server Layer 4 Server Load balancing
Layer 4 SLB with SSL offload
Layer 7 Server Load balancing
Layer 7 SLB with SSL offload
• Microsoft SharePoint
Parameters under Virtual Server
• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Device Counters
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (One Connect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management
More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload hence 1st release targets these use cases
Device Package 1.1.0 continue to support the same L4 – L7 service functions as 1.0.0 with additional support of vCMP and dynamic endpoint attach/detach
© F5 Networks, Inc 21
F5 Device Package 1.1.0: vCMP Guests Support
In release 1.1.0; in vCMP HA configuration, both vCMP guests must reside on the same vCMP host
vCMP (Virtual Clustered Multiprocessing) is F5 purposed built hypervisor, allow multiple virtual ADC instances, called vCMP guests, reside on the same vCMP host
Using vCMP guests as L4-L7 Devices when creating Logical Device Cluster
vCMP guest 1 and 2 mgmt. IP
vCMP host mgmt. IP
© F5 Networks, Inc 22
F5 Device Package 1.1.0: vCMP Guests Support
vCMP and HA configuration under Concrete Devices specific configurable parameters
vCMP guest 1 and 2 host name
vCMP host mgmt. IP under device config as well
vCMP guests HA parameters
© F5 Networks, Inc 23
F5 Device Package 1.1.0: Dynamic endpoint attach/detach Pool members, which consider endpoint in ACI fabric, once “attached to” OR “detach
from” an EPG; APIC will send notification to BIG-IP to add or remove this pool member
Eable Attachement Notification
Internal Connector, which tied to the provider EPG, assign to the WEB servers = pool members in F5 LTM Pool
Under Graph Template, function node ADC has two logical interfaces: external and internal
© F5 Networks, Inc 24
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
BIG-IP Pool has no pool members
vCMP host mgmt. IP under device config as well
No need to define pool members when adding configurable parameters to the service graph template
© F5 Networks, Inc 25
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
After receiving attach notification from APIC, BIG-IP add members to pool
Same for endpoint detach
Assign provider EPG (Web) to the servers
© F5 Networks, Inc 27
Terminology: APIC Tenant Single Context / BIG-IP Partition
A function node identifies a set of network service functions that are required by an application
Tenant is a container for policies (filters, contracts, bridge domains and application profiles)
BIG-IP partition is equivalent to a single context ACI tenant
BIG-IP Virtual Server is equivalent to service graph function node
© F5 Networks, Inc 28
Terminology: APIC Service Graph Config pushed to BIG-IP
APIC Service Graph Function Node Config Parameters, for example, webPool, will be pushed from APIC to BIG-IP
In this example, BIG-IP populates Pool configuration from APIC.
© F5 Networks, Inc 29
Device Package Feature: Referencing iRules
APIC can reference iRules that resides in BIG-IP Common partition
BIG-IP is responsible for iRules management, including creation / modification / validation
© F5 Networks, Inc 30
F5 supports TRUE Multiple Graph Multiple Tenancy
• Multiple Virtual Servers for different applications in the different BIG-IP partitions/APIC Tenants, sharing the same device
• Partition created by APIC inside BIG-IP is prefixed by the apic,”_” tenant-id to represent the partition in F5 (for ex : apic_5437)
• F5 demonstrate true multi-tenancy using different partitions for each tenant in APIC
• Each partition has been assigned individual route domain for L3 separation
• Virtual Servers created by APIC inside BIG-IP is prefixed by the apic,”_” tenant_id”_”graph (for ex : apic_5437_3456)
Client EPG
App EPG 1 Virtual Server
1
APIC partition: apic7890
Route Domain N
Virtual Server 2
App EPG 2
Tenant N
Client EPG
App EPG 1 Virtual Server
1
APIC partition: apic2345
Route Domain B
Virtual Server 2
App EPG 2
App EPG 1 Virtual Server 1
APIC partition: apic1234
Route Domain A
Virtual Server 2 App EPG 2
Tenant B
Tenant A
Single BIG-IP physical
Client EPG
© F5 Networks, Inc 31
Mixed Mode Support
Common Partition User can define custom iRules under Common partition and they can be called by APIC,
APIC Partition Configuration pushed and populated by APIC. User does not modify this partition. APIC will perform L4-L7 service insertion on this partition.
BIG-IP created Partition: User can continue to use partition created by BIG-IP, they appeared as separate EPG to APIC. Network functionality will be managed by APIC through the Fabric, where L4-L7 will be managed by BIG-IP. User can continue to use custom iApp and iRules in this scenario.
APIC
BIG-IP Physical or Virtual
Client
EPG
Server
EPG
Contract: Including L4-L7
services
Client
EPG
Server
EPG Contract
BIG-IP
Ext
EPG
BIG-IP
Int
EPG
Contract
© F5 Networks, Inc 32
F5 BIG-IP + Cisco ACI Integration Options
Cisco ACI + F5 BIG-IP without service insertion (using EPG)
Cisco ACI + F5 BIG-IP Integration using L4 – L7 service insertion using service graph
Mixed Mode: same BIG-IP connects to ACI fabric with and without L4-L7 service insertion
All the above Integration Options support 1-Arm / Inline; Physical / Virtual in HA deployment
Contract Contract
Ext EPG
Web EPG
BIG-IP EPG
BIG-IP phy link to ACI fabric
ACI Fabric
Contract with L4-L7 Service Insertion
Ext EPG
Web EPG
BIG-IP phy link to ACI fabric
No BIG-IP EPG required
ACI Fabric
Contract
APIC partition
Contract with L4-L7 Service Insertion
APIC partition
Common or BIG-IP partition
ACI Fabric
Common or BIG-IP partition
© F5 Networks, Inc 34
Migration: Physical Topology
BIG-IP Platform
VIP Traditional VIP ACI
Traditional Network
ACI Fabric
F5 DEVICE PACKAGE FOR APIC
CISCO ACE
C B A
WEB
BIG-IP Platform BIG-IP Platform
© F5 Networks, Inc 35
Migration: Approach VIP Traditional ACI VIP
C B A
Step 1:
• Bring up BIG-IP in ACI fabric
• Create Application Server
• ACI L4-L7 service insertion with BIG-IP
VIP Traditional ACI VIP
C B A Step 2:
• Add ACI VIP to Traditional Pool
ACI VIP
WEB
WEB
C B A ACI VIP
WEB
C B A
WEB
Step 3:
• Move Servers
Step 4:
• Update DNS or GTM
• Remove ACI VIP From Traditional Pool
VIP Traditional
VIP Traditional
ACI VIP
ACI VIP
Clients access
Traditional Network VIP
Expanding workload to ACI fabric
Moving workload from
traditional network to ACI
Completing workload
migration to ACI
Clients now access ACI VIP
© F5 Networks, Inc 36
Migration: Logical Diagram
Client
Traditional
Network
VIP
DNS
1
4
2
Server
(Node)
Server Pool
ACI VIP
3
Server
(Node)
Server
(LTM #2 VIP)
Server
(Node)
Server Pool
Server
(Node)
5
Client
DNS
1
2
ACI VIP
Server
(Node)
Server Pool
Server
(Node)
Server
(Node)
3
Wiki.mycorp.com = Traditional VIP
Wiki.mycorp.com = ACI VIP
F5 & Cisco Joint Whitepaper:
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-733816.pdf
© F5 Networks, Inc 38
F5 and Cisco ACI Integration Models
Virtual Edition Appliance Chassis
BIG-IQ
APIC to BIG-IP Integration Model
APIC to BIG-IQ Integration Model
BIG-IP
ACI Fabric
F5
Syn
the
sis
Fa
bric
© F5 Networks, Inc 39
F5 is Industry Leader in Application Delivery
How can we provide full set of F5 functionality to ACI environment that is “application” focused?
F5 has an extensive library of iApps for deploying applications
© F5 Networks, Inc 40
What are iApps?
An iApps is an application-centric configuration template:
• User answers a few questions about deploying an application
• iApps translates answers into a set of configuration options
• iApps can touch almost all BIG-IP functionality
• iRules, profiles, monitors, security policies, and much more …
• There are many F5-provided iApps:
• HTTP, Sharepoint, Exchange, VMware View, …
• Users can build their own iApps
© F5 Networks, Inc 41
Using BIG-IQ to bring iApps to APIC
ACI Fabric Virtual Edition Appliance Chassis
BIG-IQ Device
Package
Device Package
F5 Device Package Release 1.1.0 Deployment Model
BIG-IQ Integration with Cisco ACI
1
2
4a
BIG-IQ integration with APIC
1 - BIG-IP expose iApps to BIG-IQ
2 - BIG-IQ create custom device package
3 - Admin import BIG-IQ device package to APIC
4a - APIC sends iApp config to BIG-IQ -> BIG-IP
4b - APIC sends Device config to BIG-IP
BIG-IP integration with APIC
1 - Download device package from F5
2 - Admin import device package to APIC
3 - APIC sends config to BIG-IP directly
downloads.f5.com
3
3 2
4b
1
F5
Syn
the
sis
Fa
bric
Device Package
F5 Configuration {'state': 1, 'transaction': 0,
'ackedState': 0, 'value': {(5,
'DestinationNetmask',
'Netmask1'): {'state': 1,
'transaction': 0,
'ackedState': 0, 'value':
'255.255.255.255'}, (5,
'DestinationPort', 'port1'):
{'state': 1, 'transaction': 0,
'ackedState': 0, 'value': '80'
BIG-IQ Device
Package F5 iApps Config {'state': 1, 'transaction': 0,
'ackedState': 0, 'value': {(5,
'DestinationNetmask',
'Netmask1'): {'state': 1,
'transaction': 0,
'ackedState': 0, 'value':
'255.255.255.255'}, (5,
'DestinationPort', 'port1'):
{'state': 1, 'transaction': 0,
'ackedState': 0, 'value': '80'
F5 Device Config {'state': 1, 'transaction': 0,
'ackedState': 0, 'value': {(5,
'DestinationNetmask',
'Netmask1'): {'state': 1,
'transaction': 0,
'ackedState': 0, 'value':
'255.255.255.255'}, (5,
'DestinationPort', 'port1'):
{'state': 1, 'transaction': 0,
'ackedState': 0, 'value': '80'
© F5 Networks, Inc 42
Reference Material • F5 and Cisco ACI Solution Overview http://www.f5.com/pdf/solution-center/cisco-aci-overview.pdf • F5 SDAS and Cisco ACI Solution Brief http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC) http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
• F5 BIG-IP LTM and Cisco ACI Integration white paper http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-732413.pdf
• Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone) http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/BIG-IP-LTM/CiscoVMDCwithF5_BIG-IP_LTM_WhitePaper.pdf • F5 BIG-IP: Workload Migration from Traditional Networks to Cisco Application Centric Infrastructure http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-733816.pdf
• Follow us on Twitter @f5Networks Official F5 Networks Channel
For Your Reference i
© F5 Networks, Inc 43
DevCentral F5 User Community Over 105,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation
Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs
Tools and Frameworks
• iRule Editor
• iControl SDK
• .NET, Java, Python, Powershell,
...
• VMware vSphere Management
Plug-in
• Microsoft SCOM Monitoring Pack
Key Takeaways
If I can be of further assistance please contact me:
Jeffrey Wong (j.wong@f5.com)
• F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco’s Application Centric
Infrastructure
• How Cisco ACI solves network services insertion challenges
• How F5 BIG-IP LTM integrates into Cisco ACI architecture
• Key benefits of BIG-IP / ACI model:
Multi-Tenancy, Multi-Graph Support
Use Case Focus
Automation Ready
Application level visibility and monitoring
• F5 iApps Integration with Cisco ACI using BIG-IQ bringing application requirements to ACI policy
top related