Date post: 09-Jul-2018

Cisco ACI integration with F5 Big-IP Appliances

Jan Van den Broeck Systems Engineer – Data Center CCIE #18985

[email protected]

Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.

Agenda

§  Cisco and F5 partnership
§  Cisco ACI and F5 Big-IP Integration
§  ACI and F5 Customer Quotes and Competitive Differentiations


Cisco and F5 are now partners

Announcement at Cisco ACI launch in November 2013

Cisco and F5 partnering to provide:

•  Deep technology integrations across L2-L7 network services to accelerate application deployments

•  Simplified data center and cloud rollouts

•  Comprehensive application-centric policy framework and enforcement

•  Intelligent services orchestration

•  High Performance application delivery and secure Fabric

•  Extensible platform supporting future service growth and needs


Challenges with Network Service Insertion

Service insertion in traditional networks (diagram: server, virtual firewall, switch, router, firewall, router, load balancer) requires, step by step:
•  Configure firewall rules as required by the application
•  Configure the network to insert the firewall
•  Configure firewall network parameters
•  Configure the load balancer as required by the application
•  Configure load balancer network parameters
•  Configure the router to steer traffic to/from the load balancer

•  Service insertion takes days
•  Network configuration is time consuming and error prone
•  Difficult to track configuration on services


From today’s model to a Policy Driven Fabric

(Diagram: a Network serving App 1, App 2 and App 3, shown before and after the complexity is removed)

The policy driven fabric model first abstracts network constructs, removing complexity, then drives infrastructure based on application needs.


Policy Driven Fabric

(Diagram: a Network serving App 1, App 2 and App 3, each composed of Web, App and DB tiers)

Rather than looking at the applications as individual network end-points, policy is driven viewing the application as a whole: the grouping of end-points and connectivity policies that makes up an application or service.


Stateless ACI Fabric

(Diagram: a non-blocking, penalty-free overlay. An Application Network Profile chains Outside (Tenant VRF) → Web → App → DB, with QoS and Filter policies between Outside and Web, QoS and Load Balance between Web and App, and QoS and Filter between App and DB. The Application Policy Infrastructure Controller (APIC) pushes the profile to the fabric.)


IP fabric with integrated overlay

(Diagram: ACI spine nodes and ACI leaf nodes, each leaf acting as a VTEP, with an APIC cluster of three APICs as the ACI controller; the encapsulated packet is shown as Payload | IP | VXLAN | VTEP)

•  ACI Fabric provides:
‒  Simplified Architecture
‒  Zero-touch deployment
‒  Integrated overlay – decoupling identity from location, providing any workload anywhere
‒  Auto bind the overlay tunnels
‒  Innovative load balancing: flowlet switching
‒  Fast restoration

•  IP unnumbered 40G fabric
•  Loopback and VTEP IP addresses are allocated from the “infra VRF” through DHCP from the APIC and advertised through IS-IS


(Diagram, two views of the same policy model. APPLICATION view: Web Tier, App Tier, DB Tier, owned by the Application Admin. SECURITY view: External Zone, DMZ, Trusted Zone (DB Tier), owned by the Security Admin, with the Network Admin underneath both. Object hierarchy: Universe → Tenant A / Tenant B → App Profile → EPG.)


Any workload: Virtual / Bare Metal / Container

•  Integrated gateway for VLAN, VXLAN, and NVGRE networks, from virtual to physical to container
•  Normalization for NVGRE, VXLAN, and VLAN networks
•  Customer not restricted by a choice of hypervisor
•  Fabric is ready for ANY workload

(Diagram: ACI Fabric with APIC, operated by the Network Admin and the Application Admin through Application Management; attached workloads – a physical server, VMware ESX, Microsoft Hyper-V, Red Hat KVM and Docker containers – connect over VLAN, VXLAN or NVGRE encapsulation)


ACI: Open APIs with a Large Ecosystem

APIC supports a rich ecosystem built around open northbound and southbound APIs.

(Diagram: Northbound programmability layer – the REST API consumed by automation, enterprise monitoring, systems management and orchestration frameworks; APIC in the middle; Southbound programmability layer – fabric-attached device API, L4-7 orchestration scripting API, OVM and hypervisor management)


•  Elastic service insertion architecture for physical and virtual services
•  Helps enable administrative separation between application tier policy and service definition
•  APIC as central point of network control with policy coordination
•  Automation of service bring-up/tear-down through programmable interface
•  Supports existing operational model when integrated with existing services
•  Service enforcement guaranteed, regardless of endpoint location

(Diagram: “Load Balancing” chain defined. App Tier A (web servers) and App Tier B (app server) are connected through Policy Redirection. The Application Admin owns the application policy; the Service Admin owns the Service Graph (begin → Stage 1 → … → Stage N → end) and the Service Profile, with Providers supplying firewall and load balancer instances.)


•  Service automation requires a vendor device package. It is a zip file containing:
   •  Device specification (XML file)
   •  Device scripts (Python)
•  APIC interfaces with the device using the device Python scripts
•  APIC uses the device configuration model provided in the package to pass the appropriate configuration to the device scripts
•  Device script handlers interface with the device using its REST or CLI interface

Device package device specification (illustrative excerpt as shown on the slide):

   <dev type="f5">
     <service type="slb">
       <param name="vip">
         <dev ident="210.1.1.1" validator="ip" hidden="no" locked="yes">

(Diagram: the APIC node holds the policy element with the device model, the APIC script interface and the script engine that runs the device-specific Python scripts; the scripts reach the service device over its REST/CLI device interface)


Understanding Device Package

A device package is a zip file with two components:

Device Specification
•  XML file that defines:
   •  Functions provided by a device – load balancing, content switching, SSL termination
   •  Parameters required for configuring each use case, e.g. L4 SLB
   •  Interfaces and network connectivity information for each function within the use case

Device Script
•  The integration between the Cisco APIC and a device is performed by a device script (in Python)
•  Cisco APIC programs the BIG-IP by invoking function calls defined in the device package.
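The device specification declares, for each parameter, which validator applies and whether the value is locked or hidden; the device script is what the APIC calls with the resulting configuration. The following Python is an added illustration, not Cisco's or F5's device package code, of how a script handler could check the parameters handed to it against such a specification before anything is pushed to the ADC. The XML is a constructed sample modelled on the slide's illustrative excerpt; its element and attribute names, the validator names (`ip`, `port`, `ip_list`, `nonempty`) and the function names are assumptions, not the real APIC device package schema or script interface.

```python
"""Check controller-supplied parameters against a device-specification style
schema before a device script applies them to the ADC.

Added illustration only: this is not Cisco's or F5's device package code.
The element/attribute names follow the slide's illustrative excerpt; the
validator names and function names are assumptions."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample specification, modelled on the slide's pseudo-XML.
# "validator" names the check to run, "locked" means the value may not be
# changed once set, "hidden" marks values that must not be echoed in messages.
SAMPLE_SPEC = """
<dev type="f5">
  <service type="slb">
    <param name="vip" validator="ip" hidden="no" locked="yes"/>
    <param name="port" validator="port" hidden="no" locked="no"/>
    <param name="pool_members" validator="ip_list" hidden="no" locked="no"/>
    <param name="admin_password" validator="nonempty" hidden="yes" locked="no"/>
  </service>
</dev>
"""


def _is_ip(value):
    """True when value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _is_port(value):
    return value.isdigit() and 1 <= int(value) <= 65535


def _is_ip_list(value):
    parts = [p.strip() for p in value.split(",")]
    return bool(parts) and all(_is_ip(p) for p in parts)


# Hypothetical validator table; the names are assumptions for this example.
VALIDATORS = {
    "ip": _is_ip,
    "port": _is_port,
    "ip_list": _is_ip_list,
    "nonempty": lambda v: len(v) > 0,
}


def load_spec(xml_text):
    """Parse the specification into {param_name: {validator, hidden, locked}}."""
    root = ET.fromstring(xml_text)
    spec = {}
    for param in root.iter("param"):
        spec[param.get("name")] = {
            "validator": param.get("validator"),
            "hidden": param.get("hidden") == "yes",
            "locked": param.get("locked") == "yes",
        }
    return spec


def _display(spec, name, value):
    """Mask hidden parameter values so they never appear in error text."""
    return "<hidden>" if spec[name]["hidden"] else repr(value)


def validate_request(spec, current, requested):
    """Return a list of error strings; an empty list means the request may be applied.

    `current` is the configuration already on the device, `requested` is what the
    controller wants to apply; both are dicts of parameter name -> string value."""
    errors = []
    for name, value in requested.items():
        rule = spec.get(name)
        if rule is None:
            errors.append(f"{name}: not declared in device specification")
            continue
        if rule["locked"] and name in current and current[name] != value:
            errors.append(f"{name}: parameter is locked and cannot be changed")
            continue
        check = VALIDATORS.get(rule["validator"])
        if check is None:
            errors.append(f"{name}: unknown validator {rule['validator']!r}")
        elif not check(str(value)):
            errors.append(f"{name}: value {_display(spec, name, value)} "
                          f"fails validator {rule['validator']!r}")
    return errors


if __name__ == "__main__":
    spec = load_spec(SAMPLE_SPEC)
    good = {"vip": "10.1.1.1", "port": "443", "pool_members": "10.1.2.1, 10.1.2.2"}
    bad = {"vip": "not-an-ip", "bogus": "x", "admin_password": ""}
    print("good request errors:", validate_request(spec, {}, good))
    print("bad request errors:", validate_request(spec, {}, bad))
```

The point of running the checks in the script rather than trusting the controller is that the device package is the last hop before the BIG-IP configuration changes: a malformed or undeclared parameter is rejected here with a message that names the parameter but never reveals a hidden value, and a locked parameter such as the VIP cannot be silently re-pointed by a later request.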


F5 Device Package 1.0.0 Supported Functions at FCS

Functions
•  Virtual Server
   Ø  Layer 4 server load balancing
   Ø  Layer 4 SLB with SSL offload
   Ø  Layer 7 server load balancing
   Ø  Layer 7 SLB with SSL offload
•  Microsoft SharePoint

Parameters under Virtual Server
•  Configuring global and tenant Self IP addresses
•  Configuring global and tenant static routes
•  Device counters
•  Server pools
•  TCP optimizations (WAN/LAN/Mobile)
•  HTTP optimization
•  HTTP security (application protocol security)
•  TCP connection multiplexing (OneConnect)
•  Validators and creation of tenant OneConnect profiles
•  iRules
•  Validators and creation of tenant acceleration profiles
•  SNAT pool management

More than 80% of F5 customers use L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases.


ACI + F5 – Using the Language of Applications in the Network

•  Application agility – anywhere, any time, physical and virtual
•  Rapid deployment of applications with scale and security
•  Application-centricity to visibility and troubleshooting
•  Open source application policies
•  Common operational model through open APIs

(Diagram: the F5 device package for APIC, with BIG-IP physical and/or virtual providing the L4–L7 services layer alongside physical networking, hypervisors and virtual networking, compute, storage, and multi-DC WAN & cloud, serving web, app and DB tiers on hypervisors)


F5 extends APIC multi-tenancy to the application layer

BIG-IP (Physical or Virtual)
•  Single BIG-IP instance supports “TRUE” multi-tenancy with traffic isolation
•  Supports single or multi tenants with single or multi graph scenarios

(Diagram: one BIG-IP serving Tenant (HR) with Apps X, Y and Z, Tenant (SALES) with Apps P, Q and R, and Tenant (Finance) with Apps M, N and O. App X’s L4-L7 services: the WEB graph uses L4 SLB; App P’s and App M’s L4-L7 services: the HTTP graph uses L4 SLB. In each case the service graph is attached to the contract between EPGs.)


Benefits of using F5 Device Package

F5 Synthesis value proposition is preserved in Cisco ACI
•  Cisco ACI allows F5 to bring the value to ACI instead of normalizing across vendors
•  Customer can leverage existing investments
•  F5 has a rich programmability foundation – easier to integrate with Cisco APIC

F5 is seamlessly integrated with Cisco ACI
•  Preserves existing BIG-IP deployment topologies and L2-L3 interoperability – no network redesign
•  No HW upgrades needed on BIG-IP – no net new $$$ spending
•  F5 device package preserves multi-tenancy within APIC – provides true traffic isolation per tenant through the ACI

Flexibility in rolling out L4-L7 services on F5 fabric with APIC
•  F5 iControl/TMSH or iApp config on physical and/or virtual – broad customer environments (future phase)
•  F5 application policy framework aligns seamlessly with the APIC policy framework – the F5 device package uses a use-case model leveraging existing iApp knowledge
•  Accelerated application deployments – provides a true application-centric solution using a profile-based approach

Portfolio of services – combining application delivery and security
•  Extensible to other L4-L7 services to address application requirements – GTM, AAM, AFM, APM, ASM

Deep application performance visibility (future)
•  Extensive application health score data – the device package can integrate application health score data from BIG-IP


F5 BIG-IP Platform Options for Nexus 9K/ACI deployments

(Diagram: “Choose Your Platforms”, Good, Better, Best – throughput tiers 25M, 200M, 1Gbps, 3Gbps, 5Gbps and 10Gbps; the 4000, 5000, 7000, 10000 and 11000 Series appliances; and the VIPRION 2400, 4480 and 4800 chassis)

Physical
F5 physical ADCs – high performance with specialized and dedicated hardware
Physical ADC is best for:
•  Fastest performance
•  Highest scale
•  SSL offload, compression, and accelerated DoS mitigation
•  An all-F5 solution: integrated HW+SW
•  Edge and front door services
•  Purpose-built isolation for application delivery workloads

Hybrid
Physical + virtual = hybrid ADC infrastructure – ultimate flexibility and performance
Hybrid ADC is best for:
•  Transitioning from physical to virtual and from private data center to cloud
•  Cloud bursting
•  Splitting large workloads
•  Tiered levels of service

Virtual
F5 virtual editions – flexible deployment options for virtual environments and the cloud
Virtual ADC is best for:
•  Accelerated deployment
•  Maximizing data center efficiency
•  Private and public cloud deployments
•  Application or tenant-based pods
•  Keeping security close to the app
•  Lab, test, and QA deployments

Unique Application Delivery Architecture: TMOS is the implementation of software on hardware, which includes physical, virtual and hybrid deployments for complete application delivery flexibility.


ACI + F5 – Efficient and Accelerated Application Deployment


F5 + Cisco Nexus 9000/ACI Deployment Scenarios

1.  Nexus 9500 + Nexus 9300 or Nexus 3K standalone designs
    •  Insert F5 10G or 40G – traditional data center deployment model
2.  Cisco ACI – Nexus 9K + APIC
    •  Customer can take full advantage of ACI with the F5 device package

(Diagram: standalone – Nexus 9500 spines and Nexus 9300 leaves with physical/virtual BIG-IP attached; ACI – Nexus 9500 spines and Nexus 9300 leaves with physical and/or virtual BIG-IP attached)


Cisco ACI + F5 Additional Resources

§  APIC integration with F5 device package demo
§  ACI and F5 solution brief, whitepapers and design guides

Thank you.

In Collaboration with

