Post on 09-Jul-2018
Cisco ACI integration with F5 Big-IP Appliances
Jan Van den Broeck, Systems Engineer – Data Center, CCIE #18985
javanden@cisco.com
Cisco Confidential 2 © 2013-2014 Cisco and/or its affiliates. All rights reserved.
Agenda
§ Cisco and F5 partnership
§ Cisco ACI and F5 BIG-IP integration
§ ACI and F5 customer quotes and competitive differentiations
Cisco and F5 are now partners
Announcement at Cisco ACI launch in November 2013
Cisco and F5 partnering to provide:
• Deep technology integrations across L2-L7 network services to accelerate application deployments
• Simplified data center and cloud rollouts
• Comprehensive application-centric policy framework and enforcement
• Intelligent services orchestration
• High-performance application delivery and secure fabric
• Extensible platform supporting future service growth and needs
Service Insertion in Traditional Networks
Steps needed to insert a firewall and a load balancer for one application:
• Configure firewall rules as required by the application
• Configure the network to insert the firewall
• Configure firewall network parameters
• Configure the load balancer as required by the application
• Configure load balancer network parameters
• Configure the router to steer traffic to/from the load balancer
Challenges with network service insertion:
• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services
(Figure: server, virtual firewall, switch, router, firewall, router and load balancer, each configured separately along the traffic path)
From today's model to a Policy Driven Fabric
The policy driven fabric model first abstracts network constructs, removing complexity, then drives the infrastructure based on application needs.
(Figure: in today's model App 1, App 2 and App 3 sit directly on the network with its complexity exposed; in the policy driven fabric that complexity is hidden behind the abstraction)
Policy Driven Fabric
Rather than looking at applications as individual network endpoints, policy is driven by viewing the application as a whole: the grouping of endpoints and connectivity policies that makes up an application or service.
(Figure: App 1, App 2 and App 3 on the network, each decomposed into Web, App and DB tiers)
Stateless ACI Fabric
Non-blocking, penalty-free overlay
(Figure: the Application Policy Infrastructure Controller (APIC) holds an Application Network Profile describing the Outside (tenant VRF), Web, App and DB groups and the QoS, filter and load-balance policies applied on the connections between them)
IP fabric with integrated overlay
(Figure: ACI spine nodes and ACI leaf nodes, a VTEP on every leaf, controlled by an APIC cluster of three APICs; packets cross the fabric as payload / IP / VXLAN between VTEPs)
• ACI Fabric provides:
‒ Simplified architecture
‒ Zero-touch deployment
‒ Integrated overlay – decoupling identity from location, providing any workload anywhere
‒ Auto-bind of the overlay tunnels
‒ Innovative load balancing: flowlet switching
‒ Fast restoration
• Loopback and VTEP IP addresses are allocated from the "infra VRF" through DHCP from the APIC and advertised through IS-IS
• IP unnumbered 40G fabric
Application, security and network views of the same policy
(Figure: the application admin sees the Web tier, App tier and DB tier; the security admin sees an external zone, a DMZ and a trusted zone holding the DB tier; the network admin sees the ACI object hierarchy: Universe → Tenant A, Tenant B → App Profile → EPG)
Any workload: virtual / bare metal / container
• Integrated gateway for VLAN, VXLAN and NVGRE networks, from virtual to physical to container
• Normalization for NVGRE, VXLAN and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for ANY workload
(Figure: the APIC exposes the ACI fabric to the network admin and, through application management, to the application admin; attached workloads are a physical server, VMware ESX, Microsoft Hyper-V, Red Hat KVM and Docker containers, connected over VLAN, VXLAN or NVGRE encapsulation and normalized by the fabric)
ACI: Open APIs with a Large Ecosystem
APIC supports a rich ecosystem built around open northbound and southbound APIs.
• Northbound programmability layer (REST API): automation, enterprise monitoring, systems management, orchestration frameworks
• Southbound programmability layer: fabric-attached device API, L4-7 orchestration scripting API, hypervisor management (OVM)
• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application tier policy and service definition
• APIC as central point of network control with policy coordination
• Automation of service bring-up/tear-down through a programmable interface
• Supports the existing operational model when integrated with existing services
• Service enforcement guaranteed, regardless of endpoint location
(Figure: the application admin defines App Tier A (web servers) and App Tier B (app servers), and policy redirection steers traffic between the tiers through a service graph. The service admin defines the service graph as a chain from begin through Stage 1 … Stage N to end; each stage is rendered onto providers (firewall instances, load balancer instances) according to a service profile. The example shows a "Load Balancing" chain defined.)
Device Package
• Service automation requires a vendor device package. It is a zip file containing:
• Device specification (XML file)
• Device scripts (Python)
• APIC interfaces with the device using the device's Python scripts
• APIC uses the device configuration model provided in the package to pass the appropriate configuration to the device scripts
• Device script handlers interface with the device using its REST or CLI interface
(Figure: on the APIC node, the policy element holds the device model taken from the device specification, sketched as <dev type="f5"> <service type="slb"> <param name="vip" validator="ip" hidden="no" locked="yes"> with a device identity of 210.1.1.1; the script engine runs the device-specific Python scripts through the APIC script interface, and those scripts talk REST/CLI to the service device)
Understanding the Device Package
A device package is a zip file with two components:
Device specification
• XML file that defines:
• Functions provided by a device – load balancing, content switching, SSL termination
• Parameters required for configuring each use case, e.g. L4 SLB
• Interfaces and network connectivity information for each function within the use case
Device script
• The integration between the Cisco APIC and a device is performed by a device script (in Python)
• Cisco APIC programs the BIG-IP by invoking function calls defined in the device package
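The slides describe the device script contract only at the block-diagram level: APIC hands the script the parameters of a service graph function, and the script turns them into device configuration over REST or CLI. The following is an added example, not code from the F5 device package or from Cisco, of the part of that contract a security reviewer cares most about: every parameter is validated (the spirit of the `validator="ip"` attribute in the device specification) before it is interpolated into an object path or command, and every object the script creates is qualified with the tenant's BIG-IP partition so one tenant's graph cannot reference another's objects. The `/mgmt/tm/ltm/pool` and `/mgmt/tm/ltm/virtual` endpoints are the standard iControl REST ones; the parameter names (`vip`, `vip_port`, `pool_name`, `vs_name`, `pool_members`), the tenant-to-partition mapping and the sample values are assumptions made for this example.

```python
"""Added example (not F5 device package code): validate service-graph
parameters and render iControl REST payloads for one L4 SLB function.
Assumptions: one ACI tenant maps to one BIG-IP partition, and the parameter
names below are hypothetical; the real device specification defines its own."""
import base64
import ipaddress
import json
import re
import ssl
import urllib.request

# Object names are interpolated into iControl REST object paths (and, for
# CLI-driven packages, into tmsh commands), so restrict them to a plain token.
_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,63}$")


def validate_ip(value):
    """Counterpart of a validator="ip" parameter: canonical address or ValueError."""
    try:
        return str(ipaddress.ip_address(value))
    except ValueError:
        raise ValueError(f"not an IP address: {value!r}") from None


def validate_port(value):
    port = int(value)  # non-numeric input raises ValueError here
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value!r}")
    return port


def validate_name(value):
    if not isinstance(value, str) or not _NAME_RE.match(value):
        raise ValueError(f"unsafe object name: {value!r}")
    return value


def addr_port(ip, port):
    """BIG-IP writes IPv4 as addr:port but IPv6 as addr.port."""
    return f"{ip}.{port}" if ":" in ip else f"{ip}:{port}"


def build_l4_slb(tenant, params):
    """Return (partition, pool_payload, virtual_payload) for one L4 SLB function.

    Every field that reaches the device passes a validator first, so a bad or
    hostile graph parameter fails here instead of on the BIG-IP.
    """
    partition = validate_name(tenant)  # tenant -> partition (assumption)
    pool_name = validate_name(params["pool_name"])
    vs_name = validate_name(params["vs_name"])
    vip = validate_ip(params["vip"])
    vport = validate_port(params["vip_port"])
    members = [{"name": addr_port(validate_ip(ip), validate_port(port))}
               for ip, port in params["pool_members"]]
    if not members:
        raise ValueError("pool needs at least one member")
    pool = {"name": pool_name, "partition": partition,
            "monitor": "/Common/tcp", "members": members}
    virtual = {
        "name": vs_name,
        "partition": partition,
        # Destination and pool are fully qualified with the tenant partition,
        # which keeps this graph's objects inside the tenant's own namespace.
        "destination": f"/{partition}/{addr_port(vip, vport)}",
        "ipProtocol": "tcp",
        "pool": f"/{partition}/{pool_name}",
        "profiles": [{"name": "/Common/fastL4"}],
        "sourceAddressTranslation": {"type": "automap"},
    }
    return partition, pool, virtual


def push_l4_slb(host, user, password, pool, virtual):
    """POST both objects to iControl REST over verified TLS (network call,
    not exercised offline)."""
    ctx = ssl.create_default_context()  # verify the BIG-IP's certificate
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    for path, body in (("/mgmt/tm/ltm/pool", pool),
                       ("/mgmt/tm/ltm/virtual", virtual)):
        req = urllib.request.Request(
            f"https://{host}{path}", data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json",
                     "Authorization": f"Basic {token}"}, method="POST")
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            resp.read()


if __name__ == "__main__":
    # Constructed sample of what APIC might pass for a web-tier graph.
    sample = {"vip": "10.10.1.100", "vip_port": 80, "vs_name": "web_vs",
              "pool_name": "web_pool",
              "pool_members": [("10.10.1.11", 8080), ("10.10.1.12", 8080)]}
    print(json.dumps(build_l4_slb("HR", sample)[2], indent=2))
```

The point of separating `build_l4_slb` from `push_l4_slb` is that the rendering step can be unit-tested and reviewed without a BIG-IP: a tenant name of `HR/../Common`, a VIP of `10.10.1.300` or a virtual server name containing `;` is rejected before anything is sent.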
F5 Device Package 1.0.0: Supported Functions at FCS
Functions
• Virtual Server
‒ Layer 4 server load balancing
‒ Layer 4 SLB with SSL offload
‒ Layer 7 server load balancing
‒ Layer 7 SLB with SSL offload
• Microsoft SharePoint
Parameters under Virtual Server
• Configuring global and tenant Self IP addresses
• Configuring global and tenant static routes
• Device counters
• Server pools
• TCP optimizations (WAN/LAN/mobile)
• HTTP optimization
• HTTP security (application protocol security)
• TCP connection multiplexing (OneConnect)
• Validators and creation of tenant OneConnect profiles
• iRules
• Validators and creation of tenant acceleration profiles
• SNAT pool management
More than 80% of F5 customers use L4 SLB / L7 SLB / Microsoft SharePoint / SSL offload, hence the first release targets these use cases.
ACI + F5 – Using the Language of Applications in the Network
• Application agility – anywhere, any time, physical and virtual
• Rapid deployment of applications with scale and security
• Application-centricity for visibility and troubleshooting
• Open source application policies
• Common operational model through open APIs
(Figure: the F5 device package for APIC spans physical networking, hypervisors and virtual networking, compute, L4–L7 services, storage, and multi-DC WAN & cloud; BIG-IP, physical and/or virtual, fronts web, app and DB tiers running on hypervisors)
BIG-IP (Physical or Virtual)
• A single BIG-IP instance supports "true" multi-tenancy with traffic isolation
• Supports single or multiple tenants with single or multiple graph scenarios
F5 extends APIC multi-tenancy to the application layer.
(Figure: tenants HR, SALES and Finance, each with its own applications (App X/Y/Z, App P/Q/R, App M/N/O); in each tenant one application attaches L4-L7 services: a WEB or HTTP service graph using L4 SLB, attached to the contract between EPGs)
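The object hierarchy shown earlier (Universe → Tenant → App Profile → EPG) and the "attach service graph to contract between EPGs" step above are easier to reason about as the policy APIC actually stores. The block below is an added example, not Cisco's or F5's code: it builds one tenant's objects as the XML you would POST to `https://<apic>/api/mo/uni.xml`, then answers "can EPG A open a TCP connection to EPG B on this port, and through which service graph?" from that same model. This makes the whitelist semantics explicit: with no contract between two EPGs the fabric forwards nothing, and a contract permits only the consumer-to-provider direction on the filter's ports. The class and attribute names (`fvTenant`, `fvAp`, `fvAEPg`, `fvRsCons`, `fvRsProv`, `vzBrCP`, `vzSubj`, `vzRsSubjFiltAtt`, `vzRsSubjGraphAtt`, `vzFilter`, `vzEntry`) are the standard ACI ones; the tenant, EPG, port and graph names are invented, and the evaluator deliberately ignores contract scope, "apply both directions" settings and intra-EPG isolation, which the real fabric also honours.

```python
"""Added example (not Cisco/F5 code): render an ACI tenant policy as APIC REST
XML and evaluate the whitelist it expresses. Names are constructed samples."""
import xml.etree.ElementTree as ET


def build_tenant(tenant, app, epgs, contracts):
    """contracts: list of (name, consumer_epg, provider_epg, tcp_port, graph_or_None).

    Each contract gets one subject with one TCP filter entry; when a graph name
    is given, the subject also carries the service graph attachment, which is
    the 'attach service graph to contract between EPGs' step from the slides.
    """
    root = ET.Element("fvTenant", name=tenant)
    ap = ET.SubElement(root, "fvAp", name=app)
    epg_nodes = {e: ET.SubElement(ap, "fvAEPg", name=e) for e in epgs}
    for name, consumer, provider, port, graph in contracts:
        filt = ET.SubElement(root, "vzFilter", name=f"{name}-filter")
        ET.SubElement(filt, "vzEntry", name=f"tcp{port}", etherT="ip",
                      prot="tcp", dFromPort=str(port), dToPort=str(port))
        brcp = ET.SubElement(root, "vzBrCP", name=name)
        subj = ET.SubElement(brcp, "vzSubj", name="subj")
        ET.SubElement(subj, "vzRsSubjFiltAtt", tnVzFilterName=filt.get("name"))
        if graph:
            ET.SubElement(subj, "vzRsSubjGraphAtt", tnVnsAbsGraphName=graph)
        ET.SubElement(epg_nodes[consumer], "fvRsCons", tnVzBrCPName=name)
        ET.SubElement(epg_nodes[provider], "fvRsProv", tnVzBrCPName=name)
    return root


def to_xml(root):
    """Body for POST /api/mo/uni.xml (the tenant is created under uni/)."""
    return ET.tostring(root, encoding="unicode")


def allowed(root, src_epg, dst_epg, port):
    """Return (permitted, graph) for a TCP connection initiated by src toward dst.

    ACI is whitelist-based: with no contract the fabric drops the traffic. A
    contract permits the flow only from the consumer side toward the provider
    on the filter's ports. Intra-EPG traffic is permitted by default.
    """
    if src_epg == dst_epg:
        return True, None
    epgs = {e.get("name"): e for e in root.iter("fvAEPg")}
    if src_epg not in epgs or dst_epg not in epgs:
        raise ValueError("unknown EPG")
    consumed = {r.get("tnVzBrCPName") for r in epgs[src_epg].iter("fvRsCons")}
    provided = {r.get("tnVzBrCPName") for r in epgs[dst_epg].iter("fvRsProv")}
    filters = {f.get("name"): f for f in root.iter("vzFilter")}
    for brcp in root.iter("vzBrCP"):
        if brcp.get("name") not in (consumed & provided):
            continue  # not consumed by src and provided by dst: no relation
        for subj in brcp.iter("vzSubj"):
            rel = subj.find("vzRsSubjGraphAtt")
            graph = rel.get("tnVnsAbsGraphName") if rel is not None else None
            for fatt in subj.iter("vzRsSubjFiltAtt"):
                for entry in filters[fatt.get("tnVzFilterName")].iter("vzEntry"):
                    lo, hi = int(entry.get("dFromPort")), int(entry.get("dToPort"))
                    if entry.get("prot") == "tcp" and lo <= port <= hi:
                        return True, graph
    return False, None


if __name__ == "__main__":
    # Constructed sample: tenant HR, app X, three tiers, two contracts, the
    # web-to-app one redirected through an L4 SLB service graph on the BIG-IP.
    t = build_tenant("HR", "AppX", ["Web", "App", "DB"],
                     [("web-to-app", "Web", "App", 8080, "F5-L4-SLB"),
                      ("app-to-db", "App", "DB", 3306, None)])
    print(to_xml(t))
    print(allowed(t, "Web", "App", 8080))  # (True, 'F5-L4-SLB')
    print(allowed(t, "Web", "DB", 3306))   # (False, None)
```

Because the evaluator reads the same document that gets posted, it doubles as a pre-change check in a pipeline: render the tenant, confirm that only the intended EPG pairs and ports are permitted and that the redirect graph is attached where expected, and only then submit it to the APIC.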
Benefits of using the F5 Device Package
F5 Synthesis value proposition is preserved in Cisco ACI
• Cisco ACI allows F5 to bring its value to ACI instead of normalizing across vendors
• Customers can leverage existing investments
• F5 has a rich programmability foundation – easier to integrate with Cisco APIC
F5 is seamlessly integrated with Cisco ACI
• Preserves existing BIG-IP deployment topologies and L2-L3 interoperability – no network redesign
• No hardware upgrades needed on BIG-IP – no net new spending
• The F5 device package preserves multi-tenancy within APIC – provides true traffic isolation per tenant through the ACI
Flexibility in rolling out L4-L7 services on the F5 fabric with APIC
• F5 iControl/TMSH or iApp configuration on physical and/or virtual – broad customer environments (future phase)
• The F5 application policy framework aligns seamlessly with the APIC policy framework – the F5 device package uses a use-case model leveraging existing iApp knowledge
• Accelerated application deployments – provides a true application-centric solution using a profile-based approach
Portfolio of services – combining application delivery and security
• Extensible to other L4-L7 services to address application requirements – GTM, AAM, AFM, APM, ASM
Deep application performance visibility (future)
• Extensive application health score data – the device package can integrate application health score data from BIG-IP
F5 BIG-IP Platform Options for Nexus 9K/ACI deployments
Choose your platforms – good, better, best
(Figure: appliances ordered by performance – 4000 series, 5000 series, 7000 series, 10000 series, 11000 series – and the VIPRION 2400, 4480 and 4800 chassis; throughput tiers of 25M, 200M, 1Gbps, 3Gbps, 5Gbps and 10Gbps)
F5 physical ADCs: high performance with specialized, dedicated hardware. Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression and accelerated DoS mitigation
• An all-F5 solution: integrated HW+SW
• Edge and front-door services
• Purpose-built isolation for application delivery workloads
Physical + virtual = hybrid ADC infrastructure: ultimate flexibility and performance. Hybrid ADC is best for:
• Transitioning from physical to virtual and from private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
F5 virtual editions provide flexible deployment options for virtual environments and the cloud. Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application- or tenant-based pods
• Keeping security close to the app
• Lab, test and QA deployments
Unique application delivery architecture: TMOS is the implementation of software on hardware, covering physical, virtual and hybrid deployments for complete application delivery flexibility.
ACI + F5 – Efficient and Accelerated Application Deployment
F5 + Cisco Nexus 9000/ACI Deployment Scenarios
1. Nexus 9500 + Nexus 9300 or Nexus 3K standalone designs: insert F5 at 10G or 40G – traditional data center deployment model
2. Cisco ACI – Nexus 9K + APIC: customers can take full advantage of ACI with the F5 device package
(Figure: standalone – Nexus 9500 spine with Nexus 9300 leaves and physical/virtual BIG-IP; ACI – Nexus 9500 spine with Nexus 9300 leaves and physical and/or virtual BIG-IP)
Cisco ACI + F5 Additional Resources
§ APIC integration with F5 device package demo
§ ACI and F5 solution brief, whitepapers and design guides