Cisco ACI and F5 LTM Integration for
accelerated application deployments
Dennis de Leest
Sr. Systems Engineer F5
© F5 Networks, Inc 2
Agenda
• F5 Networks – Who are we and what is BIG-IP?
• F5 Synthesis – Software Defined Application Services (SDAS) Overview
• Cisco Application Centric Infrastructure (ACI) L4-7 Services Insertion
• F5 and Cisco ACI Integration
• Key Takeaways
• Q&A
F5 MISSION
Deliver the most secure, fast, and reliable applications to anyone anywhere at any time.
F5 Networks
Connecting users with data
[Figure: users connected through the data center to web servers, application servers and file storage]
F5’s Strategic Point of Control
[Figure: BIG-IP sits between users and resources (physical, virtual, multi-site DCs, private and public cloud) and provides four groups of services:]
Security: Network, Application, Data, Access
Management: Integration, Visibility, Automation, Orchestration
Availability: Scale, HA / DR, Bursting, Load-Balancing
Optimization: Network, Application, Storage, Offload
The F5 Application Delivery Framework
Bringing deep application fluency to security
One platform: SSL inspection, traffic management, DNS security, access control, application security, network firewall, DDoS mitigation
EAL 2+, EAL4+ in process
Modules: LTM, GTM, AFM, APM, ASM, AAM, SWG, SDN, PEM, CGN, WebSafe, MobileSafe
Application Services Portfolio
[Figure: word cloud of F5 application services, including SSL inspection, LTE roaming, authoritative DNS, cloud federation, cloud bridging, acceleration, mobile optimization, mobile app management, SDN, VDI, Diameter routing and policy enforcement, caching, optimization, SPDY gateway, CGNAT, disaster recovery / business continuity, endpoint inspection, DNSSEC, app delivery firewall, anti-fraud, DDoS, single sign-on, access control, SAML federation, SSL VPN, application optimization, traffic shaping and QoS, global load balancing, MDM, mobile acceleration, anti-phishing, anti-malware, VAS, bursting, enrichment, DNS firewall, quota management, application traffic control, service chaining, subscriber traffic control, firewall, compression, web performance optimization, intelligence, SSL, NFV, VoLTE, web access management, ActiveSync proxy, programmability, traffic management, secure web gateway, intelligent EPC node selection, cloud bursting, DNS caching and resolving, web application firewall, global server load balancing, Gi firewall]
The Evolution of F5
• Security
• Mobility/LTE
• Domain Name Services
• Hypervisor/Cloud ubiquity
• Multi-tenancy, all-active
• Identity access management
• Traffic management
• Optimization
• Acceleration
Impact on Data Center Architecture
Trends: mobility, SDDC/cloud, advanced threats, Internet of Things, “software defined” everything, HTTP is the new TCP, applications
MICRO-ARCHITECTURES
Each service is isolated and requires its own:
• Load balancing
• Authentication / authorization
• Security
• Layer 7 services
• May be API-based, expanding the services required
More applications needing services
API DOMINANCE
Proxies are used in emerging API-centric architectures for:
• API versioning
• Client-based steering
• API load balancing
• Metering & billing
• API key management
More intelligence needed in services
[Figure: services A–D reached through API v1 and API v2 proxies]
The Evolution of F5
1. Application Delivery Controller
2. Broadened Application Services
3. Cloud Ready
4. Software Defined Application Services
F5 Synthesis Partner Ecosystem
[Figure: partner logos grouped under DevOps and SDDC/Cloud]
Software Defined Application Services Elements
• High-Performance Services Fabric
• Simplified Business Models
High-Performance Services Fabric
[Figure: BIG-IP form factors (Virtual Edition, Appliance, Chassis) over the network (physical, overlay, SDN); the fabric exposes a data plane, a control plane and a management plane, with programmability across all three, and Intelligent Services Orchestration sits on top]
[Figure: the BIG-IQ centralized management platform managing BIG-IP instances across the data center, hybrid cloud and public cloud]
Intelligent Services Orchestration
[Figure: BIG-IQ provides Fabric Connectors, Module Connectors, Cloud Connectors and Orchestration Connectors]
Cisco Application Centric Infrastructure (ACI)
AGILITY: Any application, anywhere – physical and virtual – through a common application network profile
The application network profile captures: connectivity policy, security policies, QoS and bandwidth reservation, availability, application L4-L7 services, storage and compute
[Figure: a traditional 3-tier application (WEB, APP and DB tiers with a firewall and ADCs between them) expressed as an application network profile with SLA, QoS, security and load-balancing requirements and deployed across hypervisors through an extensible scripting model]
Service Graph Definition
Service Graph: “web-application”
• A service graph is an ordered set of functions between a set of terminals
• A service graph can be defined through the GUI, the CLI or the APIC API
• A function has one or more connectors
• Network connectivity, such as a VLAN tag, is assigned to these connectors
[Figure: terminals at both ends, with the functions Firewall, SSL offload and Load Balancing joined by connectors; all functions rendered on the same device]
Firewall params: Permit ip tcp * dest-ip <vip> dest-port 80; Deny ip udp *
SSL params: Ipaddress <vip> port 80
Load-Balancing params: virtual-ip <vip> port 80; Lb-algorithm: round-robin
• A function within a graph may require one or more parameters
– Parameters can be scoped by an EPG, an application profile or a tenant context
– Parameters can also be assigned at the time of defining a service graph; parameter values can be locked from further changes
F5 integration with Cisco Application
Centric Infrastructure (ACI)
F5 and Cisco ACI Joint Solution Benefits
[Figure: the ACI fabric alongside the F5 Synthesis fabric (Virtual Edition, Appliance, Chassis; data, control and management planes; programmability through iRules / iApps / iControl), joined by the F5 device package for APIC]
F5 DEVICE PACKAGE FOR APIC
• Automated layer 4-7 application service insertion, policy updates and optimization within the ACI-enabled fabric with BIG-IP
• Preserves the richness of the F5 Synthesis offering through policy abstraction, providing investment protection
• Accelerated application deployments with reliability, security and consistent, scalable network and L4-L7 services
• Existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI
• Application agility using a policy-driven application delivery approach to significantly reduce operating costs
• Provisioning workflows are efficient and faster while maintaining operational best practices across multiple IT teams
Service Automation Through Device Package
[Figure: the provider’s device package (XML configuration model plus Python scripts) is loaded into the APIC, where the policy manager drives the script engine through the APIC script interface]
• A provider administrator can upload a device package; the APIC provides an extendable policy model through the device package
• The device package contains an XML file defining the device configuration model
• The device scripts translate APIC API callouts into device-specific callouts
• The device package format is open
Understanding the Device Package
The APIC requires a device package to configure and monitor service devices. A device package manages a class of service devices.
A device package is a zip file containing two parts:
Device specification
• An XML file that defines:
– Functions provided by a device, like load balancing, content switching, SSL termination, etc.
– Parameters required for configuring each function
– Interfaces and network connectivity information for each function
Device script
• The integration between the APIC and a device is performed by a device script
• APIC events are mapped to function calls defined in the device script
[Figure: the APIC talks XML / REST API to the device package; the package’s Python script uses iControl to push EPG-level and service graph function node-level L4-L7 config to a physical or VE BIG-IP]
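As an added illustration of the two-part package described above (not F5's or Cisco's device package code), the following Python builds a constructed package in memory and audits it before upload: it checks that every function declared in the XML model has a handler defined in the device script, and that no zip entry could escape the extraction directory. The element names in the XML are my own shorthand and do not follow Cisco's device specification schema.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Constructed stand-in for the two-part package.  The element names below
# are my own shorthand, NOT Cisco's device specification schema.
SPEC_XML = b"""<devicePackage name="f5_ltm_example" version="1.0">
  <function name="LoadBalancing" handler="configure_lb">
    <param name="virtual-ip"/><param name="port"/><param name="lb-algorithm"/>
  </function>
  <function name="SSLOffload" handler="configure_ssl">
    <param name="ipaddress"/><param name="port"/>
  </function>
</devicePackage>"""
# Constructed device script with the SSL handler deliberately missing.
SCRIPT_PY = b"def configure_lb(params):\n    return 'lb'\n"

def build_package(spec=SPEC_XML, script=SCRIPT_PY):
    """Assemble the zip (XML model + Python device script) in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("device_specification.xml", spec)
        zf.writestr("device_script.py", script)
    return buf.getvalue()

def audit_package(blob):
    """Return ({function: [params]}, [problems]) so a package can be
    checked before an administrator uploads it to the APIC."""
    problems = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            # Reject entries that could be extracted outside the package dir.
            if name.startswith("/") or ".." in name.split("/"):
                problems.append("unsafe entry %s" % name)
        root = ET.fromstring(zf.read("device_specification.xml"))
        script = zf.read("device_script.py").decode()
    # Only handlers actually defined in the script can be mapped to APIC events.
    defined = set(re.findall(r"^def (\w+)\(", script, re.M))
    functions = {}
    for fn in root.findall("function"):
        functions[fn.get("name")] = [p.get("name") for p in fn.findall("param")]
        if fn.get("handler") not in defined:
            problems.append("no handler %s for %s" % (fn.get("handler"), fn.get("name")))
    return functions, problems
```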
APIC Service Graph Config / F5 ADC (LTM) Config
APIC service graph function node config parameters, for example a web pool, will be pushed from the APIC to BIG-IP.
In this example, BIG-IP populates the pool configuration from the APIC.
Parameters that are optimized for L4 SLB (similar to an iApp) will be pre-configured and automatically populated in BIG-IP.
APIC Tenant / F5 ADC (LTM) Partition
A function node identifies a set of network service functions that are required by an application.
A tenant is a container for policies; the primary elements it contains are filters, contracts, bridge domains and application profiles that contain EPGs.
An ACI tenant will be represented as a partition within BIG-IP.
A function node within a service graph will be represented as a virtual server within BIG-IP.
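The following Python is an added, constructed example (not F5's device package code) of the mapping described on this slide and in the service graph parameter example earlier (virtual-ip, port, Lb-algorithm, pushed pool): the ACI tenant becomes the BIG-IP partition, and the function node becomes a virtual server with its pool. The field names are those of the public iControl REST /mgmt/tm/ltm/pool and /mgmt/tm/ltm/virtual objects; the input format, the validation and the check that no referenced object escapes the tenant's partition are my own assumptions.

```python
import ipaddress
import re

# APIC "Lb-algorithm" value -> LTM loadBalancingMode (subset; my assumption).
LB_MODES = {"round-robin": "round-robin",
            "least-connections": "least-connections-member"}

# Constructed function-node parameters, mirroring the slide's example
# "virtual-ip <vip> port 80 Lb-algorithm: round-robin" plus a pushed pool.
SAMPLE_NODE = {"name": "web_vs", "virtual-ip": "10.1.1.100", "port": "80",
               "lb-algorithm": "round-robin",
               "pool-members": ["10.1.2.11:80", "10.1.2.12:80"],
               "irules": ["/Tenant1/web_irule"]}

def partition_for_tenant(tenant):
    """An ACI tenant is represented as a BIG-IP partition of the same name."""
    if not re.fullmatch(r"[A-Za-z0-9_.-]+", tenant):
        raise ValueError("unsafe tenant name: %r" % tenant)
    return tenant

def check_scope(path, part):
    """Refuse object references that reach outside the tenant's partition."""
    if not path.startswith("/%s/" % part):
        raise ValueError("reference %s escapes partition %s" % (path, part))
    return path

def render_function_node(tenant, node):
    """Render one load-balancing function node as iControl REST bodies for
    an LTM pool and for the virtual server that represents the node."""
    part = partition_for_tenant(tenant)
    vip = ipaddress.IPv4Address(node["virtual-ip"])  # rejects "<vip>" placeholders
    port = int(node["port"])
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    mode = LB_MODES[node.get("lb-algorithm", "round-robin")]
    members = []
    for member in node["pool-members"]:
        ip, mport = member.rsplit(":", 1)
        ipaddress.IPv4Address(ip)  # validate before anything reaches BIG-IP
        int(mport)
        members.append({"name": member, "address": ip})
    pool_name = node["name"] + "_pool"
    pool = {"name": pool_name, "partition": part,
            "loadBalancingMode": mode, "members": members}
    virtual = {"name": node["name"], "partition": part,
               "destination": "/%s/%s:%d" % (part, vip, port),
               "ipProtocol": "tcp", "pool": "/%s/%s" % (part, pool_name),
               "sourceAddressTranslation": {"type": "automap"},
               "rules": [check_scope(r, part) for r in node.get("irules", [])]}
    return pool, virtual
```

The two dictionaries are what a script would POST to /mgmt/tm/ltm/pool and /mgmt/tm/ltm/virtual inside the tenant's partition.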
Use cases
Functions
• Virtual Server
• Layer 4 Server Load balancing
• Layer 4 SLB with SSL offload
• Layer 7 Server Load balancing
• Layer 7 SLB with SSL offload
• Microsoft SharePoint
Parameters under Virtual Server
• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Device Counters
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (One Connect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management
More than 80% of F5 customers use L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases.
Device Package: User Defined (Future)
The Cisco APIC and F5 APIs are open, so a user can define their own device package, for example adding other F5 modules like Access Policy Manager (APM – SSL VPN solution) or Application Security Manager (ASM – WAF solution), and have it incorporated with the F5 Local Traffic Manager (LTM – ADC solution) device package in the same service graph.
[Figure: consumer EPG – F5 BIG-IP ASM (user-defined device package) – F5 BIG-IP LTM (F5-provided device package) – provider EPG]
Reference Material (For Your Reference)
• F5 SDAS and Cisco ACI Solution Brief
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC)
http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
• Automate Application Deployment with F5 Local Traffic Manager and Cisco Application Centric Infrastructure (white paper)
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-732413.pdf
• F5 BIG-IP LTM and Nexus 9000 (solution overview)
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/solution-overview-c22-732522.pdf
• Follow us on Twitter: @CiscoDC (official Cisco channel), @f5Networks (official F5 Networks channel)
• Cisco and F5 are extending their partnership across the board, from Service Provider and Security to next-gen Data Centers
• Cisco ACI and F5 solve traditional network service insertion challenges through the automated ACI policy model and the F5 device package
• Application provisioning and configuration is made simple and agile through the ACI policy model, F5’s use-case driven device package approach and open northbound APIs
• Key benefits of the F5 / ACI model:
– Multi-tenancy, separate route domain/L3 and multi-graph support
– Use case focus
– Application level visibility and monitoring