
Cisco ACI integration with F5 Big-IP Appliances

Jan Van den Broeck
Systems Engineer – Data Center
CCIE #18985
javanden@cisco.com
Agenda
• Cisco and F5 partnership
• Cisco ACI and F5 Big-IP Integration
• ACI and F5 Customer Quotes and Competitive Differentiations
© 2013-2014 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
2
Cisco and F5 are now partners
Announcement at Cisco ACI launch in November 2013
Cisco and F5 partnering to provide:
• Deep technology integrations across L2-L7 network services to accelerate application deployments
• Simplified data center and cloud rollouts
• Comprehensive application-centric policy framework and enforcement
• Intelligent services orchestration
• High performance application delivery and secure fabric
• Extensible platform supporting future service growth and needs
Challenges with Network Service Insertion
[Figure: Service insertion in traditional networks. Steps shown: configure network to insert firewall; configure firewall network parameters; configure firewall rules as required by the application; configure load balancer network parameters; configure router to steer traffic to/from load balancer; configure load balancer as required by the application. Devices shown: router, firewall, virtual firewall, load balancer, switch, server.]
• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services
From today's model to a Policy Driven Fabric
The policy driven fabric model first abstracts network constructs, removing complexity, then drives infrastructure based on application needs.
[Figure: App 1, App 2 and App 3 on one side, the network on the other, with the complexity sitting between them.]
Policy Driven Fabric
[Figure: App 1, App 2 and App 3, each composed of Web, App and DB tiers, mapped as whole applications onto the network.]
Rather than looking at the applications as individual network end-points, policy is driven viewing the application as a whole: the grouping of end-points and connectivity policies that makes up an application or service.
Application Network Profile
[Figure: Application network profile linking Outside (Tenant VRF), Web, App and DB end-point groups with QoS, Filter (stateless) and Load Balance policies; the APIC (Application Policy Infrastructure Controller) renders the profile onto the ACI Fabric, a non-blocking, penalty-free overlay.]
IP fabric with integrated overlay
[Figure: ACI spine nodes and ACI leaf nodes (each leaf a VTEP) joined by an IP unnumbered 40G fabric carrying VXLAN-encapsulated IP payload; an APIC cluster acts as the ACI controller.]
Loopback and VTEP IP addresses are allocated from the "infra VRF" through DHCP from APIC and advertised through IS-IS.
• ACI Fabric provides:
  ‒ Simplified architecture
  ‒ Zero-touch deployment
  ‒ Integrated overlay: decoupling identity from location, providing any workload anywhere
  ‒ Auto bind of the overlay tunnels
  ‒ Innovative load balancing: flowlet switching
  ‒ Fast restoration
[Figure: Policy hierarchy. Universe → Tenant A, Tenant B → App Profile, containing Web Tier, App Tier and DB Tier (APPLICATION, owned by the Application Admin); External Zone, DMZ and Trusted Zone EPGs (SECURITY, owned by the Security Admin); the Network Admin owns the underlying network.]
Any workload: Virtual / Bare Metal / Container
[Figure: APIC and ACI Fabric between the Network Admin and the Application Admin; attached workloads: VMware ESX (VLAN, VXLAN), Microsoft Hyper-V (VLAN, NVGRE), Red Hat KVM (VLAN, VXLAN), Docker containers (VLAN, VXLAN) and physical servers (VLAN); application management on top.]
• Integrated gateway for VLAN, VXLAN, and NVGRE networks from virtual to physical to container
• Normalization for NVGRE, VXLAN, and VLAN networks
• Customer not restricted by a choice of hypervisor
• Fabric is ready for ANY workload
ACI: Open APIs with a Large Ecosystem
[Figure: Northbound programmability layer (REST API) used by automation, hypervisor management, enterprise monitoring, systems management and orchestration frameworks, including OVM; southbound programmability layer exposing a fabric-attached device API and an L4-7 orchestration scripting API.]
APIC supports a rich ecosystem built around open northbound and southbound APIs.
• Elastic service insertion architecture for physical and virtual services
• Automation of service bring-up/tear-down through programmable interface
• Service enforcement guaranteed, regardless of endpoint location
• APIC as central point of network control with policy coordination
• Supports existing operational model when integrated with existing services
• Helps enable administrative separation between application tier policy and service definition
[Figure: A "Load Balancing" service graph chain defined from begin to end as Stage 1 … Stage N (Firewall, Load Balancer, each with instances) inside a service profile owned by the Service Admin; the Application Admin's Web and App tiers (App Tier A, App Tier B, web servers) reach the providers through policy redirection.]
Device Package
• Service automation requires a vendor device package. It is a zip file containing:
  • Device specification (XML file)
  • Device scripts (Python)
• APIC interfaces with the device using the device Python scripts
• APIC uses the device configuration model provided in the package to pass appropriate configurations to the device scripts
• Device script handlers interface with the device using its REST or CLI interface
Device specification (schematic fragment from the slide, shown as well-formed XML in the order the slide lists the attributes):
  <dev type="f5" ident="210.1.1.1">
    <service type="slb">
      <param name="vip" validator="ip" hidden="no" locked="yes"/>
    </service>
  </dev>
[Figure: APIC node (policy element, device model, script engine) ↔ APIC script interface ↔ device-specific Python scripts ↔ device interface (REST/CLI) ↔ service device.]
Understanding Device Package
A device package is a zip file with two components:
Device Specification
• XML file that defines:
  • Functions provided by a device: load balancing, content switching, SSL termination
  • Parameters required for configuring each use case, e.g. L4 SLB
  • Interfaces and network connectivity information for each function within the use case
Device Script
• The integration between the Cisco APIC and a device is performed by a device script (in Python)
• Cisco APIC programs the BIG-IP by invoking function calls defined in the device package.
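As an added illustration (not code from this deck, from Cisco APIC or from the F5 device package), the following shows how a controller-side component could consume a specification of this shape before calling the device script: it loads a constructed spec modelled on the slide's fragment, runs every value through the validator the spec names, and refuses tenant attempts to override locked or hidden parameters, so only checked values reach the script that talks to the BIG-IP over REST or CLI. The XML layout, the validator names and the "fixed" rule are assumptions for this example, not the real device-package schema.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed device specification modelled on the slide's fragment; a
# hypothetical illustration, not the real APIC device-package schema.
SPEC_XML = """<dev type="f5">
  <service type="slb">
    <param name="vip" validator="ip" hidden="no" locked="yes">210.1.1.1</param>
    <param name="port" validator="port" hidden="no" locked="no">80</param>
    <param name="snat_pool" validator="name" hidden="yes" locked="no">snat1</param>
  </service>
</dev>"""

def _is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

# The validator named in the spec selects the check applied to each value.
VALIDATORS = {"ip": _is_ip,
              "port": lambda v: v.isdigit() and 0 < int(v) <= 65535,
              "name": lambda v: v.replace("_", "").isalnum()}

def load_spec(xml_text):
    """Return {service_type: {param_name: validator/fixed/default}}."""
    root = ET.fromstring(xml_text)
    return {svc.get("type"): {p.get("name"): {
        "validator": p.get("validator"),
        "fixed": p.get("locked") == "yes" or p.get("hidden") == "yes",
        "default": (p.text or "").strip()}
        for p in svc.findall("param")} for svc in root.findall("service")}

def render_config(spec, service, user_values):
    """Merge tenant-supplied values with the spec; return (config, errors).
    Unknown params and attempts to set locked/hidden ones are errors; every
    value is validated before it could reach the device script."""
    params = spec[service]
    errors = [f"unknown param {n}" for n in user_values if n not in params]
    errors += [f"param {n} is not user-settable"
               for n in user_values if n in params and params[n]["fixed"]]
    config = {}
    for name, meta in params.items():
        value = meta["default"] if meta["fixed"] else user_values.get(name, meta["default"])
        if not VALIDATORS[meta["validator"]](value):
            errors.append(f"param {name}: invalid value {value!r}")
        config[name] = value
    return config, errors
```

A non-empty error list means the configuration is rejected before any device script handler is invoked.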
F5 Device Package 1.0.0 Supported Functions at FCS
Functions
• Virtual Server
  Ø Layer 4 server load balancing
  Ø Layer 4 SLB with SSL offload
  Ø Layer 7 server load balancing
  Ø Layer 7 SLB with SSL offload
• Microsoft SharePoint
Parameters under Virtual Server
• Configuring global and tenant Self IP addresses
• Configuring global and tenant static routes
• Device counters
• Server pools
• TCP optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP security (application protocol security)
• TCP connection multiplexing (OneConnect)
• Validators and creation of tenant OneConnect profiles
• iRules
• Validators and creation of tenant acceleration profiles
• SNAT pool management
More than 80% of F5 customers use L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases.
ACI + F5: Using the Language of Applications in the Network
F5 Device Package for APIC:
• Application agility: anywhere, any time, physical and virtual
• Rapid deployment of applications with scale and security
• Application-centricity to visibility and troubleshooting
• Open source application policies
• Common operational model through open APIs
[Figure: Web, App and DB workloads spread across hypervisors and virtual networking, physical networking, compute, L4–L7 services (BIG-IP, physical and/or virtual), storage, and multi-DC, WAN and cloud.]
F5 extends APIC multi-tenancy to the application layer
[Figure: Tenants HR, SALES and Finance, each with its applications (App X/Y/Z, App P/Q/R, App M/N/O); for each tenant the L4-L7 services are defined as a WEB or HTTP graph using L4 SLB and the service graph is attached to the contract between EPGs; all tenants are served by one BIG-IP (physical or virtual).]
• Single BIG-IP instance supports "TRUE" multi-tenancy with traffic isolation
• Supports single or multiple tenants with single or multiple graph scenarios
Benefits of using F5 Device Package
F5 Synthesis value proposition is preserved in Cisco ACI
• Cisco ACI allows F5 to bring its value to ACI instead of normalizing across vendors
• Customer can leverage existing investments
• F5 has a rich programmability foundation, making it easier to integrate with Cisco APIC
Flexibility in rolling out L4-L7 services on F5 fabric with APIC
• F5 iControl/TMSH or iApp config on physical and/or virtual: broad customer environments (future phase)
• F5 application policy framework aligns seamlessly with the APIC policy framework; the F5 device package uses a use-case model leveraging existing iApp knowledge
• Accelerated application deployments: provides a true application-centric solution using a profile-based approach
F5 is seamlessly integrated with Cisco ACI
• Preserves existing BIG-IP deployment topologies and L2-L3 interoperability: no network redesign
• No HW upgrades needed on BIG-IP: no net new $$$ spending
• F5 device package preserves multi-tenancy within APIC: provides true traffic isolation per tenant through the ACI
Portfolio of services, combining application delivery and security
• Extensible to other L4-L7 services to address application requirements: GTM, AAM, AFM, APM, ASM
Deep application performance visibility (future)
• Extensive application health score data: the device package can integrate application health score data from BIG-IP
F5 BIG-IP Platform Options for Nexus 9K/ACI deployments
Unique application delivery architecture: TMOS is the implementation of software on hardware, which includes physical, virtual and hybrid deployments for complete application delivery flexibility.
[Figure: Good, Better, Best platforms, choose your platforms. Virtual editions: 25M, 200M, 1Gbps, 3Gbps, 5Gbps, 10Gbps. Physical: 4000 series, 5000 series, 7000 series, 10000 series, 11000 series, VIPRION 2400, VIPRION 4480, VIPRION 4800.]
F5 virtual editions: provide flexible deployment options for virtual environments and the cloud.
Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments
F5 physical ADCs: high performance with specialized and dedicated hardware.
Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and accelerated DoS mitigation
• An all-F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery workloads
Hybrid: physical + virtual = hybrid ADC infrastructure, ultimate flexibility and performance.
Hybrid ADC is best for:
• Transitioning from physical to virtual and from private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
ACI + F5 – Efficient and Accelerated Application Deployment
F5 + Cisco Nexus 9000/ACI Deployment Scenarios (physical/virtual)
1. Nexus 9500 + Nexus 9300 or Nexus 3K standalone designs
   • Insert F5 10G or 40: traditional data center deployment model
   [Figure: Nexus 9500 standalone with Nexus 9300 switches and physical and/or virtual BIG-IP.]
2. Cisco ACI: Nexus 9K + APIC
   • Customer can take full advantage of ACI with the F5 device package
   [Figure: ACI fabric of Nexus 9500 spines and Nexus 9300 leaves.]
Cisco ACI + F5 Additional Resources
• APIC integration with F5 device package demo
• ACI and F5 solution brief, whitepapers and design guides
Thank you.
In Collaboration with