Unleash the power of Cisco ACI and F5 Synthesis for Accelerated Application deployments

Ravi Balakrishnan, Senior Marketing Manager, Cisco Systems


Post on 24-Apr-2018


© F5 Networks, Inc Confidential Under NDA only 2

Cisco – F5 Solutions Outline

• Cisco ACI + F5 Integration Overview

• Cisco Nexus 7000 + F5 LTM Design Overview

• Cisco and F5 Areas of Partnership and Integration

• Cisco SourceFire NGIPS + F5 LTM integration


F5 and Cisco are now Partners!

Cisco - Leader in Networking and F5 - Leader in ADC partnering to provide:

• Deep technology integrations across all L2-L7 network services

• Simplified data center and cloud rollouts

• Comprehensive application-centric policy framework and enforcement

• Intelligent services orchestration

• High Performance application delivery and security Fabric

• Extensible platform supporting future service growth and needs

• Accelerated application deployments

Cisco ACI Launch Nov’13


F5 and Cisco Partnership

• Partnering to integrate the F5 Synthesis architectural framework into Cisco ACI
  - Sharing a common vision for simplifying networking end to end by taking an application-centric, policy-driven approach

• Joint testing for VMDC2.3 for traditional data center deployments
  - F5 LTM tested with Nexus 7000. ACE customers can migrate to F5 utilizing VMDC2.3 guidance

• Exploring additional opportunities to bring joint solutions to Data Center customers
  - Discussions underway to integrate RISE (Nexus 7000) and vPATH (Nexus 1KV) technologies

• Partnering to integrate F5 LTM with Cisco Sourcefire NGIPS
  - F5 and Cisco Sourcefire enhance security posture and improve operational efficiency

Application Centric Infrastructure (ACI) Vision

Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility

[Figure labels: ACI; Application Centric; Policy Controller; Nexus 9500 and 9300]


The Benefit of Application Centric Policy

• Application Centric Infrastructure (ACI) allows the entire infrastructure to take commands in a business-relevant language.

• Policy = The Business-Relevant Commands that Drive Infrastructure Automation

ACI Process:

“Let my app servers talk to my web servers.”

Existing Process:

1. “Figure out where app lives in physical net”

2. “Trunk VLAN 112 to switch 22.”

3. “Add route….”

4. “Plumb ports 7-12…”

5. “Configure ACL…”

6. “Apply QoS…”

7. Repeat every time app moves or needs more capacity

[Figure: Application Centric Policy Model. APIC applies one policy for the DB, APP and WEB tiers with F/W and ADC services across physical networking, L4–L7 services, multi DC WAN + cloud, compute, storage, hypervisors and virtual networking. Captions: faster app availability; simplified operational processes + automation. Process labels: architect, design, service request, compute, storage, security, network.]

Cisco Confidential 8

[Figure: time until the application is available, for a chain of APP, F/W, L/B (ADC), WEB and DB components. APIC captions: policy automation; application policy language; common policy framework and platform for all IT teams (application, compute, network, cloud, storage, security). Outcome: business agility.]


F5 and Cisco ACI Joint Solution Benefits

[Figure labels: ACI Fabric; F5 Device Package for APIC; F5 Synthesis Fabric; Programmability (iRule / iApp / iControl); Data Plane, Control Plane, Management Plane; Virtual Edition, Appliance, Chassis]

• Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP - Preserves the richness of the F5 Synthesis offering through policy abstraction, offering investment protection

• Accelerated application deployments with reliability, security and consistent scalable network and L4-L7 services - Existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI

• Application agility using a policy-driven application delivery approach to significantly reduce operating costs - Provisioning workflows are more efficient and faster while maintaining operational best practices across multiple IT teams


Application Provisioning in Today’s Data Centers

• Lacks application agility - requires provisioning across different layers by different organizations

• Time to operationalize purchased assets is longer due to inefficient provisioning

• Longer time to deploy Applications with scale and security

• Harder to achieve application elasticity

[Figure: TENANT (HR) and TENANT (FINANCE) with App x, App y, App z, App p, App q and App r; each app has its own stack of network connectivity, L4-L7, compute + VM and storage.]


Service Insertion In traditional Networks

• Configure firewall rules as required by the application

• Configure Network to insert Firewall

• Configure firewall network parameters

• Configure Load Balancer as required by the application

• Configure Load Balancer Network Parameters

• Configure Router to steer traffic to/from Load Balancer

Challenges with Network Service Insertion

• Service insertion takes days

• Network configuration is time consuming and error prone

• Difficult to track configuration on services

[Figure labels: Server, vFW, Switch, Router, FW, Router, LB]


F5 DEVICE PACKAGE FOR APIC

• Application Agility – Anywhere, Anytime, Physical and Virtual

• Rapid Deployment of Applications with Scale and Security

• Application-centricity to Visibility and Troubleshooting

• Open Source Application Policies

• Common Operational Model through Open APIs

ACI slide Source: Cisco

Acentric infrastructure USING the language of apps in the network

[Figure labels: DB, WEB and APP workloads on hypervisors; physical networking; hypervisors and virtual networking; compute; L4–L7 services; storage; multi DC WAN & cloud; BIG-IP physical and/or virtual; ACI Fabric: non-blocking penalty-free overlay; App, DB, Web and Outside (Tenant VRF) connected through QoS, Filter and Service policies; Application Policy Infrastructure Controller (APIC)]

• Extend the principle of Cisco UCS® Manager service profiles to the entire fabric

• Network profile: stateless definition of application requirements
  - Application tiers
  - Connectivity policies
  - Layer 4 – 7 services
  - XML/JSON schema

• Fully abstracted from the infrastructure implementation
  - Removes dependencies of the infrastructure
  - Portable across different data center fabrics

## Network Profile: Defines Application Level Metadata (Pseudo Code Example)

```
<Network-Profile = Production_Web>
    <App-Tier = Web>
        <Connected-To = Application_Client>
            <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
            <Connection-Policy = Secure_Firewall_Internal & High_Priority>
        . . .
    <App-Tier = DataBase>
        <Connected-To = Storage>
            <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
        . . .
```

[Figure labels: Application; Web Tier; App Tier; DB Tier; Storage]

The network profile fully describes the application connectivity requirements

• Elastic service insertion architecture for physical and virtual services

• Helps enable administrative separation between application tier policy and service definition

• APIC as central point of network control with policy coordination

• Automation of service bring-up / tear-down through programmable interface

• Supports existing operational model when integrated with existing services

• Service enforcement guaranteed, regardless of endpoint location

• N+1 scale of cluster capable service nodes

[Figure: “Security 5” Chain Defined. Labels: App Tier A; App Tier B; Web Server (×3); App Server; policy redirection through chain “Security 5”; Application Admin; Service Admin; Service Graph: begin, Stage 1 … Stage N, end; Providers: firewall instances, load balancer instances; Service Profile]


Service Automation Through Device Package – ACI + F5 Deployment

[Figure: the F5 Device Package contains a Configuration Model (XML File) and Python Scripts. Labels: APIC – Policy Manager; Configuration Model (XML File); Policy Engine; Script Engine; Python Scripts; APIC Script Interface; BIG-IP]

Provider Administrator can upload a Device Package

APIC provides extendable policy model through Device Package

Device Package contains XML file defining Device Configuration Model

Device scripts translate APIC API callouts to device specific callouts

F5 has rich programmability foundation - easier to integrate with Cisco APIC


Understanding Device Package

A Device Package is a zip file containing two parts:

Device Specification

• Is an XML file that defines
  - Functions provided by a device, like Load Balancing, Content-Switching, SSL termination etc
  - Parameters required for configuring each use case, ex: L4 SLB
  - Interfaces and Network connectivity information for each function within the use case

Device Script

• The integration between the Cisco APIC and a Device is performed by a Device Script (in Python)

• Cisco APIC programs the BIG-IP by invoking function calls defined in the device package.
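Because a device package is a zip whose Python scripts the controller later invokes, it is worth inspecting before a provider administrator uploads it. The following is an added example, not Cisco or F5 code: it checks a package in memory for the two parts described above and flags anything else. The file names, the finding strings and the rule that only `.xml` and `.py` entries are expected are assumptions made for illustration.

```python
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from pathlib import PurePosixPath

def audit_device_package(blob: bytes) -> dict:
    """Inspect a device package zip in memory, without extracting it."""
    findings, specs, scripts = [], [], []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            path = PurePosixPath(info.filename.replace("\\", "/"))
            if path.is_absolute() or ".." in path.parts:
                findings.append(f"entry escapes archive root: {info.filename}")
            elif info.is_dir():
                continue
            elif path.suffix.lower() == ".xml":
                data = zf.read(info)
                if b"<!doctype" in data.lower():
                    # Refuse DTDs up front: avoids entity-expansion tricks in the parser.
                    findings.append(f"DTD declared in {info.filename}")
                    continue
                try:
                    ET.fromstring(data)
                    specs.append(info.filename)
                except ET.ParseError:
                    findings.append(f"malformed XML: {info.filename}")
            elif path.suffix.lower() == ".py":
                scripts.append(info.filename)
            else:
                findings.append(f"unexpected file type: {info.filename}")
    if not specs:
        findings.append("no XML device specification")
    if not scripts:
        findings.append("no Python device script")
    # The digest lets the uploaded artifact be matched to a reviewed one.
    return {"sha256": hashlib.sha256(blob).hexdigest(), "specs": specs,
            "scripts": scripts, "findings": findings}

def build_sample(entries: dict) -> bytes:
    """Constructed sample input: build a zip in memory from {name: content}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Hypothetical file names and contents, constructed for this example.
GOOD = build_sample({"model.xml": "<device><function name='L4-SLB'/></device>",
                     "script.py": "pass\n"})
BAD = build_sample({"model.xml": "<device>", "../hook.py": "pass\n", "agent.so": "x"})
```

Comparing the returned `sha256` with the digest recorded at review time shows whether the package being uploaded is the one that was examined.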


F5 Use cases – Target for APIC FCS

Virtual Server

• Function Profiles

• Layer 4 Server Load balancing with SSL Off load

• Layer 7 Server Load balancing with SSL off load

• HTTP SLB

• FTP SLB

• SMTP SLB

• Microsoft SharePoint

Parameters/Folders under each function

• Configuring Global and Tenant Self IP addresses

• Configuring Global and Tenant static routes

• Server Pools

• TCP Optimizations (WAN/LAN/Mobile)

• HTTP optimization

• HTTP Security (Application protocol security)

• TCP connection multiplexing (One Connect)

• Validators and Creation of tenant OneConnect profiles

• iRules

• Validators and Creation of tenant acceleration profiles

• SNAT Pool management

More than 80% of F5 customers use L4 SLB / L7 SLB with SSL off load, MSFT SharePoint; hence the 1st release targets these use cases


Defining Policy Model for an Application in a Tenant - APIC

APPLICATION NETWORK PROFILE

[Figure: Traditional 3-Tier Application with WEB, APP and DB tiers, with F/W and ADC services between tiers]

TENANT (HR)

NETWORKING POLICY (CONNECTIVITY FOR THE TENANT L2-L3)

TROUBLESHOOTING POLICY SPAN, ERSPAN ETC

MONITORING POLICY (EVENTS, SNMP ETC)

APPLICATION PROFILE (3 TIER APP) EPGS ARE DEFINED HERE

End Point Group (EPG) – collection of bare metal servers, VMs, vNIC

Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG

Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG

SECURITY POLICY (DEPLOYMENT OF A GRAPH IS DONE HERE)

FILTERS – WHICH EPG CAN TALK TO WHICH OTHER EPG

Contract – services between the WEB and APP EPG (web graph, HTTP graph)

Graph can be single graph or multi graph

Ex: APP is a provider and WEB is the consumer

Define services within a contract: FW, ADC; in this example ADC defined

L4-L7 SERVICES POLICY (CREATION OF A GRAPH IS DONE HERE)

Service Graph (Ex: WEB graph utilizes L4 SLB)

Device cluster
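The EPG, contract, filter and service graph relationships on this slide, like the network profile pseudo code earlier, amount to an allow-list evaluated per flow. The following is an added example, not Cisco or F5 code, that models it: class names, endpoint names and ports are constructed, and permitting traffic inside one EPG and matching only consumer-to-provider flows are simplifying assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Contract:
    name: str
    provider: str              # EPG that offers the service (APP on the slide)
    consumer: str              # EPG allowed to reach it (WEB on the slide)
    filters: frozenset         # permitted (protocol, destination port) pairs
    service_graph: tuple = ()  # L4-L7 functions the flow must traverse

@dataclass
class Tenant:
    name: str
    epg_of: dict = field(default_factory=dict)    # endpoint name -> EPG name
    contracts: list = field(default_factory=list)

    def evaluate(self, src, dst, proto, port):
        """Return (allowed, service_chain) for a flow from endpoint src to dst."""
        src_epg, dst_epg = self.epg_of.get(src), self.epg_of.get(dst)
        if src_epg is None or dst_epg is None:
            return (False, ())   # endpoint not in this tenant: no policy applies
        if src_epg == dst_epg:
            return (True, ())    # assumption: members of one EPG talk freely
        for c in self.contracts:
            if (c.consumer, c.provider) == (src_epg, dst_epg) and (proto, port) in c.filters:
                return (True, c.service_graph)
        return (False, ())       # no contract between the EPGs: deny

# Constructed sample: tenant HR from the slide; endpoint names and ports are made up.
hr = Tenant(
    name="HR",
    epg_of={"web-1": "WEB", "web-2": "WEB", "app-1": "APP", "db-1": "DB"},
    contracts=[Contract("web-to-app", provider="APP", consumer="WEB",
                        filters=frozenset({("tcp", 8080)}),
                        service_graph=("ADC: L4 SLB",))],
)

if __name__ == "__main__":
    for flow in [("web-1", "app-1", "tcp", 8080), ("web-1", "db-1", "tcp", 5432),
                 ("app-1", "web-1", "tcp", 8080), ("web-1", "web-2", "tcp", 22)]:
        print(flow, "->", hr.evaluate(*flow))
```

Only the WEB-to-APP flow on the filtered port is allowed, and it is returned together with the ADC stage it must pass through; WEB to DB has no contract and is denied.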


Where does F5 fit in the Application Policy – Multi Tenants?

BIG-IP (Physical or Virtual)

• Single BIG-IP instance supports “TRUE” Multi Tenancy with Traffic Isolation

• Supports single or multi tenants with single or multi graph scenarios

[Figure: three tenants sharing one BIG-IP. Tenant (HR): App X, App Y, App Z; L4-L7 services: WEB graph uses L4 SLB. Tenant (SALES): App P, App Q, App R; L4-L7 services: HTTP graph uses L4 SLB. Tenant (Finance): App M, App N, App O; L4-L7 services: HTTP graph uses L4 SLB. In each tenant: attach service graph to contract between EPGs.]


F5 Synthesis value proposition is preserved in Cisco ACI

• Cisco ACI allows F5 to bring the value to ACI instead of normalizing across vendors

F5 is seamlessly integrated with Cisco ACI

• Preserves existing BIG-IP deployment topologies and L2-L3 interoperability – no network redesign

• No HW upgrades needed on BIG-IP - no net new $$$ spending

Benefits of using F5 Device Package

Flexibility in rolling out L4-L7 services on F5 fabric with APIC

• F5 Application policy framework aligns seamlessly with APIC policy framework

• Accelerated application deployments - Provides true application centric solution using profile based approach

Portfolio of services – combining application delivery and security

• Extensible to other L4-L7 services to address application requirements - GTM, AAM, AFM, APM, ASM

Deep application performance visibility (future)

• Extensive application health score data – Device package can integrate applications health score data from BIG IP

• 10-20% Compute and Storage Optimization

• 58% Reduce Network Provisioning

• 21% Reduce Management Costs

• 45% Reduce Power and Cooling Costs

• 25% CAPEX Reduction

“Cisco’s open* standards approach makes ACI even stronger. We conducted testing on ACI … it fully delivered everything we expected, and proved to be quite stable and mature.”

Nik Weidenbacher, Principal Engineer, SunGard

“Cisco ACI is an open*, future-proofed data center architecture that can continue to grow as we enhance client services.”

Chuck Crane, Network and Security Architect, Acxiom (Transitioning from AWS to Private Cloud)

“This will enable Telstra to deliver service agility, security and performance that our customers expect from an enterprise grade cloud.”

Erez Yarkoni, Executive Director, Telstra

• Greater Business Agility

• Lower Capital Expenses

• Reduced Costs/Complexity

• Lower Operating Cost

• Resource Optimization

Source: Cisco IT

* 4/2014 Cisco announced Opflex, a standards track southbound protocol for integration of ACI with a broad ecosystem of L4-7 Services. Opflex was coauthored by: Microsoft, Citrix, IBM, and Sungard Availability Services

ACI Delivering Business Outcomes Lower Costs/TCO