Unleash the power of Cisco ACI and F5 Synthesis for accelerated application deployments

Paolo Pio – Product Manager @ Cisco
Nicolas Ménant – Solution Architect @ F5

Post on 16-Apr-2020

F5 Agility 2014

Page 2

Abstract

Cisco’s Application Centric Infrastructure (ACI) and F5 Synthesis are focused on efficiently delivering applications by taking a fabric-based approach to networking and services architectures. Cisco ACI is designed to translate application requirements into services required for successfully deploying applications in a simplified and automated fashion.

In this session, you’ll learn how F5 and Cisco technologies integrate and collaborate to enable IT to execute on its strategic mission. Learn how:

• Cisco ACI and F5 Synthesis SDAS can accelerate application deployment
• Cisco ACI translates application requirements into network services by taking advantage of F5 SDAS architectural components
• Application-centric network services assure the performance, security and reliability of applications

Page 3

Agenda

• F5 Synthesis – Software Defined Application Services (SDAS) Overview
• Cisco Application Centric Infrastructure (ACI) L4-7 Services Insertion
• F5 BIG-IP and Cisco ACI Integration
  • Topologies
  • Terminologies
  • How does F5 BIG-IP integrate with Cisco ACI?
  • L4 SLB workflow
• Key Takeaways
• Q&A

Page 4

F5 Synthesis Overview

Page 5

Applications Impact on Data Center Architecture

MICRO-ARCHITECTURES

Each service is isolated and requires its own:
• Load balancing
• Authentication / authorization
• Security
• Layer 7 Services
• May be API-based, expanding services required

More applications needing services

API DOMINANCE

Proxies are used in emerging API-centric architectures for:
• API versioning
• Client-based steering
• API Load balancing
• Metering & billing
• API key management

More intelligence needed in services

[Diagram labels: Service A, Service B, Service C, Service D; API v1, API v2]

Page 6

Evolution in Application Environment

F5 VISION

Applications without constraints

SDN and Private Cloud

Software Defined Data Centers

Cloud and DevOps

Cloud SLA and control, private network agility

Accelerate time to market

Agile Development

Rapid deployment – network and operations velocity

Speed, customer-driven, and quality of app development

Failed to Address: L4–7 device sprawl and application awareness

Page 7

High-Performance Services Fabric

[Diagram labels: Network (Physical • Overlay • SDN); Virtual Edition, Chassis, Appliance; Data Plane, Control Plane, Management Plane; Programmability (iRule / iApp / iControl)]

Page 8

High-Performance Services Fabric

Simplified Business Models

• New licensing models
• Easy to procure
• Save by purchasing bundles

F5 Synthesis

Page 9

F5 and Cisco ACI Joint Solution Benefits

• Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP – preserves richness of F5 Synthesis offering through policy abstraction
• Accelerated application deployments with reliability, security and consistent, scalable network and L4-L7 services – existing F5 HW/SW and topologies integrate seamlessly with Cisco ACI
• Application agility using a policy-driven application delivery approach to significantly reduce operating costs – provisioning workflows are efficient and faster while maintaining operational best practices across multiple teams

[Diagram labels: APIC; ACI Fabric; F5 DEVICE PACKAGE FOR APIC; F5 SYNTHESIS FABRIC (Virtual Edition, Chassis, Appliance; Data Plane, Control Plane, Management Plane; Programmability: iRule / iApp / iControl)]

Page 10

Cisco Application Centric Infrastructure (ACI)

Page 11

Application Provisioning in Today’s Data Centers

• Lacks application agility – requires provisioning across different layers by different organizations
• Time to operationalize purchased assets is longer due to inefficient provisioning
• Longer time to deploy applications with scale and security
• Harder to achieve application elasticity

[Diagram labels: TENANT (HR), TENANT (FINANCE); App x, App y, App z, App p, App q, App r; six stacks, each of NETWORK CONNECTIVITY, L4-L7, COMPUTE + VM, STORAGE]

Page 12

Service Insertion in Traditional Networks

• Configure firewall rules as required by the application
• Configure Network to insert Firewall
• Configure firewall network parameters
• Configure Load Balancer as required by the application
• Configure Load Balancer Network Parameters
• Configure Router to steer traffic to/from Load Balancer

Traditional Network Service Insertion Challenges

• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services

[Diagram labels: Server, vFW, Switch, Router, FW, Router, LB]

Page 13

Application Centric Infrastructure: Using the Language of Apps in the Network

• Rapid Deployment of Applications with Scale and Security
• Application-centricity to Visibility and Troubleshooting
• Application Agility – Anywhere, Any time, Physical and Virtual
• Open Source Application Policies
• Common Operational Model through Open APIs

[Diagram labels: Physical Networking; L4–L7 Services; Multi DC WAN & Cloud; Compute; Storage; Hypervisors and Virtual Networking; F5 Device package for APIC; BIG-IP Physical and/or Virtual]

Page 14

AGILITY: Any application, anywhere – Physical and Virtual

Common application network profile

[Diagram: APPLICATION NETWORK PROFILE for a traditional 3-tier application (WEB, APP and DB tiers, F/W, ADC). Labels: CONNECTIVITY POLICY; SECURITY POLICIES; QOS; BANDWIDTH RESERVATION; AVAILABILITY; APPLICATION L4-L7 SERVICES; STORAGE AND COMPUTE; SLA; QoS; Security; Load Balancing; Extensible Scripting Model; WEB, APP and DB instances on three HYPERVISORs]

Page 15

Goals of APIC Service Insertion and Automation

Configure and Manage VLAN allocation for service insertion

Configure the network to redirect traffic through service device

Configure network and service function parameters on service device

Page 16

Service Graph Definition

• Service graph is an ordered set of functions between a set of terminals
• A Service Graph can be defined through GUI, CLI or through APIC API
• A function has one or more connectors
• Network connectivity like VLAN tag is assigned to these connectors
• A function within a graph may require one or more parameters
  – Parameters can be scoped by an EPG or an application profile or tenant context
  – Parameters could also be assigned at the time of defining a service graph. Parameter values can be locked from further changes

Service Graph: “web-application”

[Diagram labels: Terminals; Connectors; Func: SSL offload; Func: Load Balancing; Func: Firewall; Functions rendered on the same device]

Firewall params
Permit ip tcp * dest-ip <vip> dest-port 80
Deny ip udp *

SSL params
Ipaddress <vip> port 80

Load-Balancing params
virtual-ip <vip> port 80
Lb-algorithm: round-robin

Page 17

Application Policy Example

[Diagram: EPG - APP (APP instances) consumes the contract; EPG - DB (DB instances) provides it]

dB Contract
• MSSQL: Accept
• MySQL: Accept
• HTTP: Accept, Count

Filter: Named collection of L4 port ranges
• HTTP = [80, 443]
• MSSQL = [1433-1434]
• MySQL = [3306, 25565]
• DNS = [53, 953, 1337, 5353]

Action: What action or actions to take on packet
• Accept
• Service Insert
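The contract, filter and action model on this slide, worked through as an added Python example (not code from the presentation, Cisco or F5). Assumptions: the HTTP entry is treated as part of the dB Contract, unmatched traffic is dropped, the consumer is the side that initiates, and `web-contract`, `EPG-WEB` and all class and function names are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Filters as listed on the slide: named collections of L4 ports (inclusive ranges).
FILTERS: Dict[str, List[Tuple[int, int]]] = {
    "HTTP": [(80, 80), (443, 443)],
    "MSSQL": [(1433, 1434)],
    "MySQL": [(3306, 3306), (25565, 25565)],
    "DNS": [(53, 53), (953, 953), (1337, 1337), (5353, 5353)],
}


@dataclass
class Contract:
    name: str
    consumer: str                      # EPG that initiates connections
    provider: str                      # EPG that offers the service
    rules: Dict[str, Tuple[str, ...]]  # filter name -> actions


@dataclass
class Decision:
    permitted: bool
    contract: Optional[str] = None
    matched_filter: Optional[str] = None
    actions: Tuple[str, ...] = ()

    @property
    def service_insert(self) -> bool:
        return "Service Insert" in self.actions


# The slide's contract: EPG-APP consumes, EPG-DB provides.
DB_CONTRACT = Contract("dB Contract", "EPG-APP", "EPG-DB", {
    "MSSQL": ("Accept",), "MySQL": ("Accept",), "HTTP": ("Accept", "Count"),
})
# Constructed for illustration (not on the slide): a WEB -> APP contract whose
# HTTP traffic is steered through a service graph.
WEB_CONTRACT = Contract("web-contract", "EPG-WEB", "EPG-APP", {
    "HTTP": ("Service Insert",),
})
CONTRACTS = [DB_CONTRACT, WEB_CONTRACT]


def port_in_filter(filter_name: str, port: int) -> bool:
    return any(lo <= port <= hi for lo, hi in FILTERS[filter_name])


def evaluate(src_epg: str, dst_epg: str, dst_port: int,
             contracts: List[Contract] = CONTRACTS) -> Decision:
    """Allow-list check: traffic passes only if a contract from src (consumer)
    to dst (provider) references a filter containing dst_port."""
    for c in contracts:
        if (c.consumer, c.provider) != (src_epg, dst_epg):
            continue
        for fname, actions in c.rules.items():
            if port_in_filter(fname, dst_port):
                return Decision(True, c.name, fname, actions)
    return Decision(False)  # assumption: anything unmatched is dropped


def exposed_ports(contract: Contract) -> List[int]:
    """Every provider port a contract opens; useful when reviewing a policy."""
    ports = set()
    for fname in contract.rules:
        for lo, hi in FILTERS[fname]:
            ports.update(range(lo, hi + 1))
    return sorted(ports)


def unused_filters(contracts: List[Contract] = CONTRACTS) -> List[str]:
    """Filters that exist but open nothing because no contract references them."""
    used = {f for c in contracts for f in c.rules}
    return sorted(set(FILTERS) - used)


if __name__ == "__main__":
    for flow in [("EPG-APP", "EPG-DB", 3306), ("EPG-APP", "EPG-DB", 53),
                 ("EPG-DB", "EPG-APP", 3306), ("EPG-WEB", "EPG-APP", 80)]:
        print(flow, evaluate(*flow))
    print("dB Contract opens:", exposed_ports(DB_CONTRACT))
    print("unreferenced filters:", unused_filters())
```

Listing the ports a contract opens makes review findings visible at a glance: here the database contract also exposes 80 and 443, and the MySQL filter carries 25565 alongside 3306.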

Page 18

APIC L4 – L7 Service Integration

TENANT (HR)

NETWORKING POLICY (CONNECTIVITY FOR THE TENANT L2-L3)

TROUBLESHOOTING POLICY (SPAN, ERSPAN ETC)

MONITORING POLICY (EVENTS, SNMP ETC)

APPLICATION PROFILE (3 TIER APP) – EPGS ARE DEFINED HERE

End Point Group (EPG) – collection of bare metal servers, VMs, vNIC
• Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG
• Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG

SECURITY POLICY (POLICY DECISION IS DONE HERE)

• FILTERS – WHICH EPG CAN TALK TO WHICH OTHER EPG
• TRAFFIC STEERING – WHICH EPGS NEED SERVICE

SERVICES

Contract – services between the WEB and APP EPG (web graph, HTTP graph)
• Graph can be single graph or multi graph
• Ex: APP is a provider and WEB is the consumer
• Define services within a contract: FW, ADC; in this example ADC is defined

L4-L7 SERVICES POLICY (CREATION OF A GRAPH IS DONE HERE)

• Service Graph (Ex: WEB graph utilizes L4 SLB)
• Device cluster

[Diagram: APPLICATION NETWORK PROFILE for a traditional 3-tier application: WEB, APP and DB tiers, F/W, ADC]

Page 19

F5 BIG-IP Integration with Cisco ACI

Page 20

Topology Consistency: Core/Aggregation/Access model

1 ARM mode + HA pair

Users can transition to Cisco ACI seamlessly from BIG-IP 1 ARM + HA topologies within Nexus 7000 and Nexus 9000 standalone deployment

[Diagram labels: Nexus 7000 / Nexus 5000 / Nexus 2000 with Active / Standby pair; Nexus 9000 Standalone with Active / Standby pair]

Page 21

Topology Consistency: Core/Aggregation/Access model

2 ARM mode + HA pair

Users can transition to Cisco ACI seamlessly from BIG-IP 2 ARM + HA topologies within Nexus 7000 and Nexus 9000 standalone deployment

[Diagram labels: Nexus 7000 / Nexus 5000 / Nexus 2000 with Active / Standby pair; Nexus 9000 Standalone with Active / Standby pair]

Page 22

Cisco ACI Architecture: BIG-IP 1 ARM and 2 ARM + HA

BIG-IP connects to any iLeaf in ACI topology independent of iLeaf location

[Diagram panels: 1 ARM mode + HA pair; 2 ARM mode + HA pair. Labels: APIC; Active; Standby; External; Internal; External / Internal]

Page 23

Service Automation Through Device Package

• Provider Administrator can upload a Device Package
• APIC provides extendable policy model through Device Package
• Device Package contains XML file defining Device Configuration Model
• Device scripts translate APIC API callouts to device-specific callouts

[Diagram labels: Open Device Package; Configuration Model (XML File); Python Scripts; APIC; APIC – Policy Manager; Configuration Model; Policy Engine; Script Engine; APIC Script Interface]

Page 24

Understanding Device Package

APIC requires a Device Package to configure and monitor service devices. A device package manages a class of service devices.

A Device Package is a zip file containing two parts:

Device Specification

Is an XML file that defines:
• Functions provided by a device – like Load Balancing, Content-Switching, SSL termination etc.
• Parameters required for configuring each function
• Interfaces and Network connectivity information for each function

Device Script

• The integration between the APIC and a Device is performed by a Device Script
• APIC events are mapped to function calls defined in Device Script

[Diagram labels: APIC; EPG level L4-L7 config; Service Graph Function Node level L4-L7 config; XML / REST API; Device Package; Python iControl; BIG-IP Physical or VE]

Page 25

Device Package: Function Profiles

Function Profiles are XML schema and function very much like iApp. Users can define new function profiles, which can then be imported into the service graph.

Function Profiles can be:
• WebProfile
• HTTPS
• Application-1

Click to configure L4-L7 Service Node Configurations

Page 26

Device Package: User Defined (Future)

Cisco APIC and F5 APIs are open. Users can define their own device package, for example adding other F5 modules like Access Policy Manager (APM) or Application Security Manager (ASM), and have it incorporated with the F5 LTM device package in the same service graph.

[Diagram labels: To Consumer EPG; F5 BIG-IP ASM; F5 BIG-IP LTM; To Provider EPG; User Defined Device Package; F5 Provided Device Package]

Page 27

Use cases

Functions

• Virtual Server
• Layer 4 Server Load balancing
• Layer 4 SLB with SSL offload
• Layer 7 Server Load balancing
• Layer 7 SLB with SSL offload
• Microsoft SharePoint

Parameters under Virtual Server

• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Device Counters
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (One Connect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management

More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases

Page 28

Reference Material

• F5 SDAS and Cisco ACI Solution Brief: http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC): http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
• F5 BIG-IP LTM and Cisco ACI Integration white paper: Coming Soon!
• Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone): Coming Soon!
• Follow us on Twitter: @CiscoDC (Official Cisco Channel), @f5Networks (Official F5 Networks Channel)

Page 29

Key Takeaways

• F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco’s Application Centric Infrastructure
• How Cisco ACI solves network services insertion challenges
• F5 BIG-IP automated integration into Cisco APIC
• Cisco ACI integration into existing F5 BIG-IP LTM deployments
• Key benefits of BIG-IP / ACI model:
  • Multi-Tenancy, Multi-Graph Support
  • Use Case Focus
  • Automation Ready
  • Application level visibility and monitoring


Page 31

Tenancy Model

Page 32

Terminology: APIC Tenant / BIG-IP Partition

Tenant is a container for policies, where the primary elements that the tenant contains are: filters, contracts, bridge domains and application profiles that contain EPGs

An ACI tenant will be represented as a partition within BIG-IP

A function node identifies a set of network service functions that are required by an application

A function node within a service graph will be represented as a Virtual Server within BIG-IP

Page 33

Multiple Graph Single Tenant

• Multiple Virtual Servers for different applications in the same BIG-IP partition/APIC Tenant, sharing the same device
• Virtual Servers created by APIC inside BIG-IP are prefixed by the APIC and partition number. Since the routing domain is tied to the partition, F5 demonstrates true multi-tenancy

[Diagram: single BIG-IP physical / virtual instance; APIC partition: apic1234, Route Domain A; Client EPG; App EPG 1 with Virtual Server 1; App EPG 2 with Virtual Server 2]

Page 34

F5 supports TRUE Multiple Graph Multiple Tenancy

• Multiple Virtual Servers for different applications in different BIG-IP partitions/APIC Tenants, sharing the same device
• Virtual Servers created by APIC inside BIG-IP are prefixed by the APIC partition number. Since the routing domain is tied to the partition, F5 demonstrates true multi-tenancy
• Scalability is based on BIG-IP
  • APIC: 64k tenants
  • BIG-IP: 128 partitions

[Diagram: single BIG-IP physical / virtual instance shared by Tenant A (APIC partition: apic1234, Route Domain A), Tenant B (APIC partition: apic2345, Route Domain B) and Tenant N (APIC partition: apic7890, Route Domain N); each tenant has a Client EPG, App EPG 1 with Virtual Server 1 and App EPG 2 with Virtual Server 2]

Page 35

Terminology: APIC Service Graph Config / BIG-IP LTM Config

APIC Service Graph Function Node Config Parameters, for example, web pool, will be pushed from APIC to BIG-IP

In this example, BIG-IP populates Pools configuration from APIC. Parameters that are optimized for L4 SLB (similar to iApp) will be pre-configured and automatically populated in BIG-IP

Page 36

Mixed Mode Support

Common Partition: User can define custom iRules under the Common partition and they can be called by APIC.

APIC Partition: Configuration is pushed and populated by APIC. User does not modify this partition. APIC will perform L4-L7 service insertion on this partition.

BIG-IP created Partition: User can continue to use partitions created by BIG-IP; they appear as separate EPGs to APIC. Network functionality will be managed by APIC through the Fabric, whereas L4-L7 will be managed by BIG-IP. User can continue to use custom iApp and iRules in this scenario.

[Diagram labels: APIC; BIG-IP Physical or Virtual; Client EPG, Server EPG, Contract: Including L4-L7 services; Client EPG, Server EPG, Contract; BIG-IP Ext EPG, BIG-IP Int EPG, Contract]

Page 37

Monitoring

APIC can provide EPG level atomic counters on the Function Node (F5 BIG-IP)

User will continue to use BIG-IP to monitor LTM specific monitors as before

Page 38

Bring it all together: Multi-Tenant/Multi-Graph SLB use case

[Diagram: Tenant A (Client IP 172.16.1.10) and Tenant B (Client IP 173.17.1.10) arrive via the Internet; each tenant has EPG Web and EPG App and shows the addresses 10.10.1.2:80, 10.10.1.3:80, 10.10.1.4:80 and 10.10.1.2, 10.10.1.3, 10.10.1.4; steps numbered 1 to 4 in each tenant]

Page 39

Workflow: Multi-Tenant / Multi-Graph L4 SLB use case

Steps to integrate F5 BIG-IP into ACI:

1. Install F5 device package
2. Create logical device cluster
3. Add concrete devices (BIG-IP physical or virtual) to device cluster
4. Map logical interfaces (external and internal) to physical interfaces
5. Export device cluster to other tenants (multi-tenancy)
6. Create service graph (1) using F5 BIG-IP as function node
7. Create service graph (2) using the same BIG-IP as function node (multi-graph)
8. Assign service graph to contracts

* Prior to integrating F5 BIG-IP into ACI, the user should configure tenants (application profiles / networking / security policies) and VM Networking (if necessary)