
Page 1: Cisco ACI and F5 LTM Integration for accelerated ...nl.security.westcon.com/documents/54940/2015-02... · Cisco ACI and F5 LTM Integration for accelerated application deployments

Cisco ACI and F5 LTM Integration for accelerated application deployments

Dennis de Leest

Sr. Systems Engineer F5

Page 2:

Agenda

• F5 Networks – Who are we and what is BIG-IP?

• F5 Synthesis – Software Defined Application Services (SDAS) Overview

• Cisco Application Centric Infrastructure (ACI) L4-7 Services Insertion

• F5 and Cisco ACI Integration

• Key Takeaways

• Q&A

Page 3:

F5 MISSION

Deliver the most secure, fast, and reliable applications to anyone anywhere at any time.

Page 4:

F5 Networks: Connecting users with data

[Diagram labels: File Storage, Application Server, Web Server, Data Center, Application Servers, Web Servers]

Page 5:

F5’s Strategic Point of Control

[Diagram labels: Users, Resources, Physical, Virtual, Multi-Site DCs, Cloud, Private, Public, and repeated OS / APP stacks]

Security • Network • Application • Data • Access

Management • Integration • Visibility • Automation • Orchestration

Availability • Scale • HA / DR • Bursting • Load-Balancing

Optimization • Network • Application • Storage • Offload

Page 6:

The F5 Application Delivery Framework: Bringing deep application fluency to security

One platform

SSL inspection

Traffic management

DNS security

Access control

Application security

Network firewall

DDoS mitigation

EAL 2+, EAL4+ in process

LTM GTM AFM APM ASM AAM SWG SDN PEM CGN Websafe Mobilesafe

Page 7:

Application Services Portfolio

[Word cloud of services: SSL Inspection, LTE Roaming, Authoritative DNS, Cloud Federation, Cloud Bridging, Acceleration, Mobile Optimization, Mobile App Management, SDN, VDI, Diameter & Routing, Policy Enforcement, Caching, Optimization, SPDY Gateway, CGNAT, Disaster Recovery, Business Continuity, Endpoint Inspection, DNSSEC, App Delivery Firewall, Anti-Fraud, DDoS, Single Sign-On, Access Control, SAML Federation, SSL VPN, Application Optimization, Traffic Shaping and QoS, Global Load Balancing, MDM, Mobile Acceleration, Anti-Phishing, Anti-Malware, VAS Bursting Enrichment, DNS Firewall, Quota Management, Application Traffic Control, Service Chaining, Subscriber Traffic Control, Firewall, Compression, Web Performance Optimization, SSL Intelligence, NfV, VOLTE, Web Access Management, Active Sync Proxy, Programmability, Traffic Management, Secure Web Gateway, Intelligent EPC node selection, Cloud Bursting, DNS Caching & Resolving, Web App Firewall, Global Server Load Balancing, Gi Firewall]


Page 9:

The Evolution of F5

• Security • Mobility/LTE • Domain Name Services

• Hypervisor/Cloud ubiquity • Multi-tenancy, all-active • Identity access management

• Traffic management • Optimization • Acceleration

[Diagram: three numbered stages, 1 to 3]

Page 10:

Mobility

SDDC/Cloud

Advanced threats

Internet of Things

“Software defined” everything

HTTP is the new TCP

Page 11:

Applications Impact on Data Center Architecture

MICRO-ARCHITECTURES

Each service is isolated and requires its own:

• Load balancing

• Authentication / authorization

• Security

• Layer 7 Services

• May be API-based, expanding services required

More applications needing services

API DOMINANCE

Proxies are used in emerging API-centric architectures for:

• API versioning

• Client-based steering

• API Load balancing

• Metering & billing

• API key management

More intelligence needed in services

[Diagram labels: Service A, Service B, Service C, Service D, API v1, API v2]

Page 12:

The Evolution of F5

1. Application Delivery Controller

2. Broadened Application Services

3. Cloud Ready

4. Software Defined Application Services

Page 13:

F5 Synthesis Partner Ecosystem

DevOps

Page 14:

SDDC/Cloud

Page 15:

Software Defined Application Services Elements

High-Performance Services Fabric

Simplified Business Models

Page 16:

High Performance Services Fabric

Page 17:

High-Performance Services Fabric

Network [Physical • Overlay • SDN]

Virtual Edition Chassis Appliance

Data Plane

Programmability

Control Plane Management Plane


Page 19:

Intelligent Services Orchestration

Page 20:

Public Cloud Hybrid Cloud

BIG-IQ

Centralized Management Platform

BIG-IP

BIG-IP

Data Center

Page 21:

Intelligent Services Orchestration

BIG-IQ

• Fabric Connectors

• Module Connectors

• Cloud Connectors

• Orchestration Connectors


Page 23:

Cisco Application Centric Infrastructure (ACI)

Page 24:

AGILITY: Any application, anywhere – Physical and Virtual common application network profile

[Diagram: a Traditional 3-Tier Application (WEB, APP and DB tiers with F/W and ADC functions) and the same WEB, APP and DB workloads spread across HYPERVISOR hosts, both described by an APPLICATION NETWORK PROFILE (SLA, QoS, Security, Load Balancing). Other labels: CONNECTIVITY POLICY, SECURITY POLICIES, QOS, BANDWIDTH RESERVATION, AVAILABILITY, APPLICATION L4-L7 SERVICES, STORAGE AND COMPUTE, Extensible Scripting Model]

Page 25:

Service Graph Definition

Service Graph: “web-application”

• A service graph is an ordered set of functions between a set of terminals

• A service graph can be defined through the GUI, the CLI or the APIC API

• A function has one or more connectors

• Network connectivity, such as a VLAN tag, is assigned to these connectors

• A function within a graph may require one or more parameters

– Parameters can be scoped by an EPG, an application profile or a tenant context

– Parameters can also be assigned at the time of defining a service graph. Parameter values can be locked from further changes

[Diagram labels: Terminals, Connectors, Func: SSL offload, Func: Load Balancing, Func: Firewall, Terminals; functions rendered on the same device]

Firewall params: Permit ip tcp * dest-ip <vip> dest-port 80; Deny ip udp *

SSL params: Ipaddress <vip> port 80

Load-Balancing params: virtual-ip <vip> port 80; Lb-algorithm: round-robin
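
The service graph on this slide, modelled as an added example (not code from the deck, Cisco or F5): it resolves each function's parameters across scopes, refuses to override locked values, and checks that the firewall function permits the VIP and port the load-balancing function serves. The class and field names, the connector names, the function order, the scope precedence (graph, then tenant, application profile, EPG) and the sample address are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical model of the slide's service graph; these are not APIC or BIG-IP objects.
SCOPES = ("graph", "tenant", "app_profile", "epg")  # assumed precedence, low to high
VIP = "192.0.2.10"  # constructed documentation address standing in for <vip>

@dataclass
class Function:
    name: str
    connectors: tuple                 # network attachment points of the function
    params: dict                      # values assigned when the graph is defined
    locked: frozenset = frozenset()   # keys locked from further changes

@dataclass
class ServiceGraph:
    name: str
    functions: list                   # ordered set of functions between the terminals
    overrides: dict = field(default_factory=dict)  # {scope: {function: {key: value}}}

    def resolve(self, func):
        """Effective parameters of one function; ValueError if a locked key is changed."""
        effective = dict(func.params)
        for scope in SCOPES[1:]:
            scoped = self.overrides.get(scope, {}).get(func.name, {})
            for key, value in scoped.items():
                if key in func.locked and value != effective.get(key):
                    raise ValueError(f"{func.name}.{key} is locked; {scope} scope cannot change it")
                effective[key] = value
        return effective

    def findings(self):
        """Problems to flag before the graph is rendered on a device."""
        out, resolved = [], {}
        for func in self.functions:
            if not func.connectors:
                out.append(f"{func.name}: function has no connectors")
            try:
                resolved[func.name] = self.resolve(func)
            except ValueError as exc:
                out.append(str(exc))
        fw, lb = resolved.get("firewall"), resolved.get("load-balancing")
        if fw and lb:
            listener = ("tcp", lb["virtual-ip"], lb["port"])
            if listener not in {tuple(rule) for rule in fw["permit"]}:
                out.append(f"firewall does not permit load-balancer listener {listener}")
        return out

def sample_graph(overrides=None):
    """Constructed graph using the parameter values shown on the slide."""
    both = ("external", "internal")   # assumed connector names
    return ServiceGraph("web-application", [
        Function("firewall", both, {"permit": [("tcp", VIP, 80)], "deny": [("udp", "*", "*")]},
                 locked=frozenset({"permit"})),
        Function("ssl-offload", both, {"ipaddress": VIP, "port": 80}),
        Function("load-balancing", both,
                 {"virtual-ip": VIP, "port": 80, "lb-algorithm": "round-robin"}),
    ], overrides or {})
```

An EPG-scoped change of the load-balancer port, or a tenant-scoped attempt to widen the locked firewall rule, each shows up as a single entry in `findings()`.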

Page 26:

F5 integration with Cisco Application Centric Infrastructure (ACI)

Page 27:

F5 and Cisco ACI Joint Solution Benefits

[Diagram labels: ACI Fabric; F5 DEVICE PACKAGE FOR APIC; F5 Synthesis Fabric; Programmability (iRule / iApp / iControl); Data Plane, Control Plane, Management Plane; Virtual Edition, Appliance, Chassis]

• Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP

• Preserves richness of F5 Synthesis offering through policy abstraction, offering investment protection

• Accelerated application deployments with reliability, security and consistent scalable network and L4-L7 services

• Existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI

• Application agility using a policy-driven application delivery approach to significantly reduce operating costs

• Provisioning workflows are more efficient and faster while maintaining operational best practices across multiple IT teams

Page 28:

Service Automation Through Device Package

[Diagram labels: APIC, APIC – Policy Manager, Configuration Model, Policy Engine, Open Device Package, Configuration Model (XML File), Python Scripts, Script Engine, APIC Script Interface]

• Provider Administrator can upload a Device Package

• APIC provides an extendable policy model through the Device Package

• Device Package contains an XML file defining the Device Configuration Model

• Device scripts translate APIC API callouts to device-specific callouts

Page 29:

Understanding Device Package

APIC requires a Device Package to configure and monitor service devices. A device package manages a class of service devices.

A Device Package is a zip file containing two parts:

Device Specification

• Is an XML file that defines:

– Functions provided by a device, like Load Balancing, Content-Switching, SSL termination etc.

– Parameters required for configuring each function

– Interfaces and network connectivity information for each function

Device Script

• The integration between the APIC and a Device is performed by a Device Script

• APIC events are mapped to function calls defined in the Device Script

[Diagram labels: APIC, XML / REST API, Device Package, Python, iControl, BIG-IP Physical or VE, EPG level L4-L7 config, Service Graph Function Node level L4-L7 config]

Page 30:

APIC Service Graph Config / F5 ADC (LTM) Config

APIC Service Graph Function Node Config Parameters, for example, web pool, will be pushed from APIC to BIG-IP

In this example, BIG-IP populates Pools configuration from APIC. Parameters that are optimized for L4 SLB (similar to iApp) will be pre-configured and automatically populated in BIG-IP

Page 31:

APIC Tenant / F5 ADC (LTM) Partition

A function node identifies a set of network service functions that are required by an application

Tenant is a container for policies, where the primary elements that the tenant contains are: filters, contracts, bridge domains and application profiles that contain EPGs

An ACI tenant will be represented as a partition within BIG-IP

A function node within a service graph will be represented as a Virtual Server within BIG-IP

Page 32:

Use cases

Functions

• Virtual Server

• Layer 4 Server Load balancing

• Layer 4 SLB with SSL offload

• Layer 7 Server Load balancing

• Layer 7 SLB with SSL offload

• Microsoft SharePoint

Parameters under Virtual Server

• Configuring Global and Tenant Self IP addresses

• Configuring Global and Tenant static routes

• Device Counters

• Server Pools

• TCP Optimizations (WAN/LAN/Mobile)

• HTTP optimization

• HTTP Security (Application protocol security)

• TCP connection multiplexing (OneConnect)

• Validators and Creation of tenant OneConnect profiles

• iRules

• Validators and Creation of tenant acceleration profiles

• SNAT Pool management

More than 80% of F5 customers use L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases

Page 33:

Device Package: User Defined (Future)

Cisco APIC and F5 APIs are open, so a user can define their own device package, for example adding other F5 modules such as Access Policy Manager (APM – VPN SSL solution) or Application Security Manager (ASM – WAF solution), and have it incorporated with the F5 Local Traffic Manager (LTM – ADC solution) device package in the same service graph.

[Diagram labels: To Consumer EPG, F5 BIG-IP ASM, F5 BIG-IP LTM, To Provider EPG, User Defined Device Package, F5 Provided Device Package]


Page 35:

Summary

• Cisco and F5 are extending their partnership across the board, from Service Provider and Security to Next-gen Data Centers

• Cisco ACI and F5 solve traditional network service insertion challenges through the automated ACI policy model and the F5 device package

• Application provisioning and configuration are made simple and agile through the ACI policy model, the F5 use-case driven device package approach and open Northbound APIs

• Key benefits of the F5 / ACI model:

– Multi-Tenancy, separate Route-domain/L3 and Multi-Graph Support

– Use Case Focus

– Application level visibility and monitoring
