The power of Cisco ACI and F5 Synthesis for accelerated application deployments
Roman Borovits
System Engineer DACH
© F5 Networks, Inc 3
Agenda
• Today's challenges for application agility
• F5 Synthesis – Software Defined Application Services (SDAS) Overview
• Cisco Application Centric Infrastructure (ACI) L4-7 Services Insertion
• F5 and Cisco ACI Integration
• Key Takeaways
• Q&A
IT doesn’t matter (Nicholas G. Carr, Harvard Business Review R0305B)
Automation
[Chart: reported benefits of automation to the IT process. Labels: Cost savings, Time savings, Improved SLA delivery to the business. Values: 80%, 62%, 54%.]
80% of enterprises that have implemented process automation have experienced time savings; 69% claim improved productivity.
Source: Redwood Software survey, October 2012
High-Performance Services Fabric
[Diagram labels: Data Plane, Control Plane, Management Plane; Programmability (iRule / iApp / iControl); Chassis, Appliance, Virtual Edition; Network [Physical • Overlay • SDN – NVGRE - SCVMM]; DEVOPS]
F5 Synthesis Drives Shift to Software Defined Data Center
• TRADITIONAL ENVIRONMENT: SILO APPROACH BY APPLICATIONS; COST INEFFICIENCY; NO PROGRAMMABILITY, SCALABILITY
• SOFTWARE-DEFINED DATACENTER: ARCHITECTURE BECAME “FABRIC” WITH HIGH PROGRAMMABILITY AND SCALABILITY; IMPROVE COST EFFICIENCY
F5 and Cisco ACI Joint Solution Benefits
[Diagram labels: ACI Fabric; F5 DEVICE PACKAGE FOR APIC; F5 Synthesis Fabric; Data Plane, Control Plane, Management Plane; Programmability (iRule / iApp / iControl); Virtual Edition, Appliance, Chassis]
• Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP
• Preserves the richness of the F5 Synthesis offering through policy abstraction, offering investment protection
• Accelerated application deployments with reliability, security and consistent, scalable network and L4-L7 services
• Existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI
• Application agility using a policy-driven application delivery approach to significantly reduce operating costs
• Provisioning workflows are more efficient and faster while maintaining operational best practices across multiple IT teams
F5 integration with Cisco Application Centric Infrastructure (ACI)
AGILITY: Any application, anywhere – Physical and Virtual
Common application network profile
[Diagram: APPLICATION NETWORK PROFILE for a Traditional 3-Tier Application (WEB, APP, DB tiers running on hypervisors, with F/W and ADC services and an Extensible Scripting Model). Profile elements: connectivity policy; security policies; QoS; bandwidth reservation; availability; application L4-L7 services; storage and compute. Service attributes: SLA, QoS, Security, Load Balancing.]
Service Graph Definition
• Service graph is an ordered set of functions between a set of terminals
• A Service Graph can be defined through GUI, CLI or through APIC API
• A function has one or more connectors
• Network connectivity like VLAN tag is assigned to these connectors
[Diagram: Service Graph “web-application”. Labels: Terminals, Connectors, Func: SSL offload, Func: Load Balancing, Func: Firewall. Functions rendered on the same device.]
Firewall params: Permit ip tcp * dest-ip <vip> dest-port 80; Deny ip udp *
SSL params: Ipaddress <vip> port 80
Load-Balancing params: virtual-ip <vip> port 80; Lb-algorithm: round-robin
• A function within a graph may require one or more parameters
– Parameters can be scoped by an EPG or an application profile or tenant context
– Parameters could also be assigned at the time of defining a service graph. Parameter values can be locked from further changes
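Because each function in a graph carries its own parameters, the firewall function and the listeners behind it can drift apart when one is edited without the other. The following is an added example, not code from the deck, Cisco or F5: a small consistency check over the three parameter sets shown for the service graph above. The documentation address standing in for `<vip>`, the function names, and the first-match, implicit-deny rule semantics are assumptions.

```python
import re

# Constructed input: the slide's three parameter sets, with <vip> replaced
# by a documentation address (assumption, not a value from the deck).
GRAPH = {
    "Firewall": ["permit ip tcp * dest-ip 192.0.2.10 dest-port 80", "deny ip udp *"],
    "SSL offload": ["ipaddress 192.0.2.10 port 80"],
    "Load Balancing": ["virtual-ip 192.0.2.10 port 80", "lb-algorithm: round-robin"],
}
RULE = re.compile(r"^(permit|deny) ip (tcp|udp) \*(?: dest-ip (\S+) dest-port (\d+))?$")
LISTENER = re.compile(r"^(?:ipaddress|virtual-ip) (\S+) port (\d+)$")

def firewall_rules(lines):
    """Parse firewall params into (action, proto, ip, port); ip/port None means any."""
    rules = []
    for line in lines:
        m = RULE.match(line.strip().lower())
        if not m:
            raise ValueError(f"unparsed firewall param: {line!r}")
        action, proto, ip, port = m.groups()
        rules.append((action, proto, ip, int(port) if port else None))
    return rules

def listeners(graph):
    """(function, ip, port) for every non-firewall function that binds a VIP."""
    hits = ((f, LISTENER.match(l.strip().lower())) for f, ls in graph.items()
            if f != "Firewall" for l in ls)
    return [(f, m.group(1), int(m.group(2))) for f, m in hits if m]

def first_match(rules, proto, ip, port):
    """First matching rule wins; no match means deny (assumed semantics)."""
    for action, r_proto, r_ip, r_port in rules:
        if r_proto == proto and r_ip in (None, ip) and r_port in (None, port):
            return action
    return "deny"

def lint(graph):
    """Report where the firewall function and the downstream listeners disagree."""
    rules = firewall_rules(graph["Firewall"])
    binds = listeners(graph)
    findings = [f"{f}: {ip}:{port}/tcp not permitted by firewall"
                for f, ip, port in binds if first_match(rules, "tcp", ip, port) != "permit"]
    bound = {(ip, port) for _, ip, port in binds}
    findings += [f"firewall permits {ip}:{port}/{proto} but no function listens there"
                 for action, proto, ip, port in rules
                 if action == "permit" and ip and (ip, port) not in bound]
    return findings
```

`lint(GRAPH)` returns an empty list for the parameters as shown; changing only the load balancer's port yields a finding that the new listener is not permitted by the firewall function.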
Service Automation Through Device Package
[Diagram labels: APIC; APIC – Policy Manager; Policy Engine; Configuration Model; Script Engine; APIC Script Interface; Open Device Package; Configuration Model (XML File); Python Scripts]
• Provider Administrator can upload a Device Package
• APIC provides an extendable policy model through the Device Package
• Device Package contains an XML file defining the Device Configuration Model
• Device scripts translate APIC API callouts to device-specific callouts
Understanding Device Package
APIC requires a Device Package to configure and monitor service devices. A device package manages a class of service devices.
A Device Package is a zip file containing two parts:
Device Specification
• Is an XML file that defines
– Functions provided by a device, such as Load Balancing, Content-Switching, SSL termination, etc.
– Parameters required for configuring each function
– Interfaces and network connectivity information for each function
Device Script
• The integration between the APIC and a device is performed by a Device Script
• APIC events are mapped to function calls defined in the Device Script
[Diagram labels: APIC; XML / REST API; Device Package; Python iControl; BIG-IP Physical or VE; EPG level L4-L7 config; Service Graph Function Node level L4-L7 config]
APIC Service Graph Config / F5 ADC (LTM) Config
APIC Service Graph Function Node Config Parameters, for example, web pool, will be pushed from APIC to BIG-IP
In this example, BIG-IP populates Pools configuration from APIC.
Parameters that are optimized for L4 SLB (similar to iApp) will be pre-configured and automatically populated in BIG-IP
A function node identifies a set of network service functions that are required by an application
APIC Tenant / F5 ADC (LTM) Partition
Tenant is a container for policies, where the primary elements that the tenant contains are: filters, contracts, bridge domains and application profiles that contain EPGs
An ACI tenant will be represented as a partition within BIG-IP
A function node within a service graph will be represented as a Virtual Server within BIG-IP
Use cases
Functions
• Virtual Server
• Layer 4 Server Load balancing
• Layer 4 SLB with SSL offload
• Layer 7 Server Load balancing
• Layer 7 SLB with SSL offload
• Microsoft SharePoint
Parameters under Virtual Server
• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Device Counters
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (One Connect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management
More than 80% of F5 customers use L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases.
Device Package: User Defined (Future)
Cisco APIC and F5 APIs are open, so users can define their own device package, for example adding other F5 modules such as Access Policy Manager (APM – VPN SSL solution) or Application Security Manager (ASM – WAF solution), and have it incorporated with the F5 Local Traffic Manager (LTM – ADC solution) device package in the same service graph.
[Diagram labels: To Consumer EPG; F5 BIG-IP ASM; F5 BIG-IP LTM; To Provider EPG; User Defined Device Package; F5 Provided Device Package]
Demo Video
• F5 SDAS and Cisco ACI Solution Brief http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC) http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
• Automate Application Deployment with F5 Local Traffic Manager and Cisco Application Centric Infrastructure http://tools.cisco.com/search/results/display?url=http%3a%2f%2fwww.cisco.com%2fc%2fdam%2fen%2fus%2fsolutions%2fcollateral%2fdata-center-virtualization%2fapplication-centric-infrastructure%2fwhite-paper-c11-732413.pdf&pos=4&query=f5+Cisco+ACI+Integration+white+paper
• F5 BIG-IP LTM and Nexus 9000 http://ri.search.yahoo.com/_ylt=A9mSs2aMnAlUfB0AR04zCQx.;_ylu=X3oDMTE0MmhtMWJtBHNlYwNzcgRwb3MDMQRjb2xvA2lyMgR2dGlkA1ZJUERFMDVfMQ--/RV=2/RE=1409944844/RO=10/RU=http%3a%2f%2fwww.cisco.com%2fc%2fdam%2fen%2fus%2fsolutions%2fcollateral%2fdata-center-virtualization%2fapplication-centric-infrastructure%2fsolution-overview-c22-732522.pdf/RK=0/RS=cT30NyClam50D8fRBZ0JL3pY0iY-
• Follow us on Twitter @CiscoDC -> Official Cisco Channel, @f5Networks Official F5 Networks Channel
Reference Material
For Your Reference
Summary
• Cisco and F5 are extending their partnership across the board, from Service Provider and Security to Next-gen Data Centers
• Cisco ACI and F5 solve traditional network service insertion challenges through the automated ACI policy model and the F5 device package
• Application provisioning and configuration are made simple and agile through the ACI policy model, the F5 use-case-driven device package approach and open Northbound APIs
• Key benefits of the F5 / ACI model:
– Multi-Tenancy, separate Route-domain/L3 and Multi-Graph Support
– Use Case Focus
– Application level visibility and monitoring
“Every morning in Africa, a gazelle wakes up, it knows it must outrun the fastest lion or it will be killed.
Every morning in Africa, a lion wakes up. It knows it must
run faster than the slowest gazelle, or it will starve.
It doesn't matter whether you're the lion or a gazelle-when the sun comes up, you'd better be running.”
- Christopher McDougall