February, 2015
Agenda
• State of IT
• ACI Overview
• F5 Synthesis Overview
• ACI L4 – L7 Service Insertion Overview
• F5 Device Package Release 1.1.0 Details and Integration with Cisco ACI
• Workload Migration from Traditional Networks to Cisco ACI
• F5 BIG-IQ Integration with Cisco ACI
© F5 Networks, Inc 2
How Are We Doing?
How much IT will you need?
But, need this?
The on-going “IT pain”
• Falling IT Budgets
What Happened?
• Separation of IT areas / buying centers / silos preventing IT from moving at the speed demanded by the business
Apps + Infrastructure
On-Premises + Cloud
IP Addressing
IP Address, VLAN, VRF
Application Specific Connectivity
Enable Connectivity
(The Network)
Network-Centric to application-centric
Two types of language
NETWORK LANGUAGE APPLICATION LANGUAGE
Application Policy Model and Instantiation
[Diagram labels: Client; Application; Storage; Web Tier, App Tier, DB Tier]
Application policy model: Defines the application requirements (application network profile)
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
ACI understands and speaks APPLICATION Needs
[Diagram labels: WEB, APP, DB; Application requirements: WAN, Firewall, ADC from Web, Connect to App, Connect to DB, High Priority; APIC controller policy model; Nexus 9500 and 9300]
Innovations in software, hardware and system design
Price, performance, port density, programmability, power efficiency
Optimized NX-OS, ACI
F5 Synthesis Overview
Impact on Data Center Architecture: Applications
MICRO-ARCHITECTURES
Each service is isolated and requires its own:
• Load balancing
• Authentication / authorization
• Security
• Layer 7 Services
• May be API-based, expanding services required
More applications needing services
API DOMINANCE
Proxies are used in emerging API-centric architecture
• API versioning
• Client-based steering
• API Load balancing
• Metering & billing
• API key management
More intelligence needed in services
High-Performance Services Fabric
F5 and Cisco ACI Integration – Latest Addition
Announcing APIC and BIG-IQ Integration Early Availability
BIG-IQ
F5 Synthesis Fabric
ACI Fabric
Virtual Edition Appliance Chassis
BIG-IP
Customers have choice to leverage Cisco APIC to BIG-IP or through BIG-IQ Integration Models
Choosing F5 BIG-IP for Cisco ACI
Supports 11.4.1 and above, Platform Independent
Good, Better, Best Platforms
1600 series* 2000 series* 4000 series 5000 Series 7000 Series 10000 Series 11000 Series VIPRION 4480 VIPRION 4800
Service Insertion in Traditional Networks
• Configure Network to insert Firewall
• Configure firewall network parameters
• Configure firewall rules as required by the application
• Configure Load Balancer Network Parameters
• Configure Router to steer traffic to/from Load Balancer
• Configure Load Balancer as required by the application
Service insertion takes days
Network configuration is time consuming and error prone
Difficult to track configuration on services
[Diagram labels: Router, FW, Router, LB, Switch, vFW, Server]
APIC L4 – L7 Service Integration
[Diagram: Traditional 3-Tier Application with F/W, ADC, WEB, ADC, APP, DB]
TENANT (HR)
APPLICATION NETWORK PROFILE
• NETWORKING POLICY: CONNECTIVITY FOR THE TENANT L2-L3
• SECURITY POLICY (POLICY DECISION IS DONE HERE): FILTERS, QOS, TRAFFIC STEERING
  Contract – services between the WEB and APP EPG (web graph, HTTP graph)
  Ex: APP is a provider and WEB is the consumer
  Define services within a contract: FW, ADC; in this example ADC defined
• TROUBLESHOOTING POLICY: SPAN, ERSPAN ETC
• MONITORING POLICY: EVENTS, SNMP
• L4-L7 SERVICES POLICY: DEFINE L4-L7 SERVICE POLICY
  Service Graph (Ex: WEB graph utilizes L7 SLB)
  Logical Device Cluster
F5 Device Package: Definition
APIC requires a Device Package to communicate with service devices.
A Device Package is a zip file containing two parts:
• Device Specification (xml): The configuration of the APIC is represented as an object model consisting of a large number of Managed Objects (MOs). A Device type is defined by a tree of MOs with a Meta Device (MDev) at the root.
• DeviceScript (py): The integration between the APIC and a Device is performed by a DeviceScript, which maps APIC events to function calls defined in the Device Script.
[Diagram labels: APIC; North Bound APIs; Configuration through UI or Python API; EPG level L4-L7 config; Service Graph Function Node level L4-L7 config; Device Package (Device Specification, Device Script); iControl / SouthBound; BIG-IP Physical or VE]
Device Specification
<dev type="f5">
<service type="slb">
<param name="vip">
<dev ident="210.1.1.1"
<validator="ip"
<hidden="no">
<locked="yes">
Service Graph: Definition
Abstract graph concept mapping to Service Graph
Functions rendered on the same device
[Diagram: Service Graph “web-application” between EXT (Consumes) and WEB (Provides), with functions Firewall, SSL offload, Load Balancing]
• Service graph is an ordered set of functions between a set of terminals, e.g. Firewall Function, Load balancer Function
• A function has one or more connectors
• Network connectivity like VLAN/VNID tag is assigned to these connectors
• A function within a graph may require one or more parameters
• Parameters can be scoped by an EPG or an application profile or tenant context
• Parameter values can be locked from further changes
F5 Service Insertion
Web Farm provides services to External Users; Policy Contract defines the relationship between Web Farm and Users
Service Graph Insertion at the Policy Contract Subject level
[Diagram labels: Consume, Provide; Application Construct; graph: start, stage 1 ….. stage N, end; inst, inst, …]
F5 Device Package Release 1.1.0 Details and Integration with Cisco ACI
F5 and Cisco ACI Integration Models
F5 ACI Device Package 1.1.0 is now Released!
Supports ACI FCS+3 version 1.0(2m)
• vCMP support (New with 1.1.0)
• Dynamic endpoint attach and detach (New with 1.1.0)
• Supports any BIG-IP LTM physical and virtual form factor running version 11.4.1 and above
• Device package can be downloaded from downloads.f5.com at no cost
• Does not require any new module installation on the BIG-IP
• Can leverage BIG-IQ as device management
• iRules (custom defined) that reside in common partition can be called by APIC
• BIG-IP is licensed and OOB management configured prior to APIC integration
• Supports Active / Standby High Availability model per APIC logical device cluster
F5 Device Package 1.1.0 Supported Functions
Device Package 1.1.0 continues to support the same L4 – L7 service functions as 1.0.0, with additional support of vCMP and dynamic endpoint attach/detach
More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload hence 1st release targets these use cases
F5 Device Package 1.1.0: vCMP Guests Support
vCMP (Virtual Clustered Multiprocessing) is F5's purpose-built hypervisor, which allows multiple virtual ADC instances, called vCMP guests, to reside on the same vCMP host.
In release 1.1.0, in a vCMP HA configuration, both vCMP guests must reside on the same vCMP host.
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
Pool members are considered endpoints in the ACI fabric. Once an endpoint is “attached to” or “detached from” an EPG, APIC sends a notification to BIG-IP to add or remove this pool member.
Enable Attachment Notification
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
BIG-IP partition is equivalent to a single context ACI tenant
F5 supports TRUE Multiple Graph Multiple Tenancy
• Multiple Virtual Servers for different applications in the different BIG-IP partitions/APIC Tenants, sharing the same device
[Diagram labels: Tenant N; APIC partition: apic7890; Route Domain N; BIG-IP EPG; BIG-IP phy link to ACI fabric; No BIG-IP EPG required]
All the above Integration Options support 1-Arm / Inline; Physical / Virtual in HA deployment
Workload Migration from Traditional Networks to Cisco ACI
Migration: Physical Topology
[Diagram labels: Traditional Network; CISCO ACE; ACI Fabric; BIG-IP Platform; F5 DEVICE PACKAGE FOR APIC; WEB (A, B, C)]
Migration: Approach
Clients access Traditional Network
Step 1:
• Bring up BIG-IP in ACI fabric
• Create Application Server
• ACI L4-L7 service insertion with BIG-IP
Expanding workload to ACI fabric
Step 2:
• Add ACI VIP to Traditional Pool
[Diagram labels: Traditional VIP, ACI VIP; WEB (A, B, C); Client, DNS, Traditional Network VIP, ACI VIP, Server (Node), Server (LTM #2 VIP)]
F5 BIG-IQ Integration with Cisco ACI
F5 is Industry Leader in Application Delivery
How can we provide the full set of F5 functionality to an ACI environment that is “application” focused?
F5 has an extensive library of iApps for deploying applications
What are iApps?
Using BIG-IQ to bring iApps to APIC
F5 Device Package Release 1.1.0 Deployment Model
BIG-IQ Integration with Cisco ACI
[Diagram labels: downloads.f5.com; Device Package; BIG-IQ; F5 iApps; F5 Synthesis Fabric; Configuration]
Configuration:
{'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {
  (5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'},
  (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'
• Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone)
http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/BIG-IP-LTM/CiscoVMDCwithF5_BIG-IP_LTM_WhitePaper.pdf
• F5 BIG-IP: Workload Migration from Traditional Networks to Cisco Application Centric Infrastructure
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-733816.pdf
• Follow us on Twitter @f5Networks Official F5 Networks Channel
DevCentral F5 User Community
Over 180,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation
Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs
Key Takeaways
• F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco’s Application Centric Infrastructure
• How Cisco ACI solves network services insertion challenges
• How F5 BIG-IP LTM integrates into Cisco ACI architecture
• Key benefits of BIG-IP / ACI model:
Multi-Tenancy, Multi-Graph Support
Use Case Focus
Automation Ready
Application level visibility and monitoring
• F5 iApps Integration with Cisco ACI using BIG-IQ bringing application requirements to ACI policy
• Date: 18 – 20 March
• Booth: Stand P1
• You can also attend one of our Theatre sessions to learn more:
• Wednesday 18 Mar 11:50 AM - 12:20 PM – Partner Theatre 1
• Thursday 19 Mar 12:20 PM - 12:50 PM – Partner Theatre 2