Cisco ACI VMDC
Transcript of Cisco ACI VMDC
-
Unleash the power of Cisco ACI and F5 Synthesis for accelerated application deployments
Paolo Pio, Product Manager @ Cisco
Nicolas Ménant, Solution Architect @ F5
-
F5 Agility 2014, slide 2
Abstract
Cisco's Application Centric Infrastructure (ACI) and F5 Synthesis are focused on efficiently delivering applications by taking a fabric-based approach to networking and services architectures. Cisco ACI is designed to translate application requirements into the services required for successfully deploying applications in a simplified and automated fashion.
In this session, you'll learn how F5 and Cisco technologies integrate and collaborate to enable IT to execute on its strategic mission. Learn how:
Cisco ACI and F5 Synthesis SDAS can accelerate application deployment
Cisco ACI translates application requirements into network services by taking advantage of F5 SDAS architectural components
To assure the performance, security and reliability of applications by taking advantage of application-centric network services
For Your Reference
-
Agenda
F5 Synthesis Software Defined Application Services (SDAS) Overview
Cisco Application Centric Infrastructure (ACI) L4-7 Services Insertion
F5 BIG-IP and Cisco ACI Integration: Topologies; Terminologies; How does F5 BIG-IP integrate with Cisco ACI?; L4 SLB workflow
Key Takeaways
Q&A
-
F5 Synthesis Overview
-
Applications' Impact on Data Center Architecture
MICRO-ARCHITECTURES
Each service is isolated and requires its own: Load balancing; Authentication / authorization; Security; Layer 7 Services. May be API-based, expanding the services required. More applications needing services.
API DOMINANCE
Proxies are used in emerging API-centric architectures for: API versioning; Client-based steering; API Load balancing; Metering & billing; API key management
More intelligence needed in services
[Figure: Service A, Service B, Service C and Service D exposed through API v1 and API v2]
-
Evolution in Application Environment
F5 VISION
Applications without constraints
SDN and Private Cloud
Software Defined Data Centers
Cloud and DevOps
Cloud SLA and control, private network agility
Accelerate time to market
Agile Development
Rapid deployment, network and operations velocity
Speed, customer-driven, and quality of app development
Failed to Address: L4-L7 device sprawl and application awareness
-
High-Performance Services Fabric
Network [Physical Overlay SDN]
Virtual Edition Chassis Appliance
Data Plane
Programmability (iRule / iApp / iControl)
Control Plane Management Plane
-
High-Performance Services Fabric
Simplified Business Models
New licensing models Easy to procure Save by purchasing bundles
f5 Synthesis
-
F5 and Cisco ACI Joint Solution Benefits
F5 DEVICE PACKAGE FOR APIC
Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP. Preserves the richness of the F5 Synthesis offering through policy abstraction.
Accelerated application deployments with reliability, security and consistent, scalable network and L4-L7 services. Existing F5 HW/SW and topologies integrate seamlessly with Cisco ACI.
Application agility using a policy-driven application delivery approach to significantly reduce operating costs. Provisioning workflows are efficient and faster while maintaining operational best practices across multiple teams.
[Figure: ACI Fabric controlled by APIC alongside the F5 Synthesis fabric (Virtual Edition, Chassis, Appliance; Data Plane; Programmability (iRule / iApp / iControl); Control Plane; Management Plane)]
-
Cisco Application Centric Infrastructure (ACI)
-
Application Provisioning in Today's Data Centers
Lacks application agility: requires provisioning across different layers by different organizations
Time to operationalize purchased assets is longer due to inefficient provisioning
Longer time to deploy applications with scale and security
Harder to achieve application elasticity
[Figure: Tenant (HR) with App x, App y, App z and Tenant (Finance) with App p, App q, App r; each application is provisioned separately across Network Connectivity, L4-L7, Compute + VM and Storage]
-
Service Insertion in Traditional Networks
Configure firewall rules as required by the application
Configure network to insert firewall
Configure firewall network parameters
Configure load balancer as required by the application
Configure load balancer network parameters
Configure router to steer traffic to/from load balancer
Traditional Network Service Insertion Challenges
Service insertion takes days
Network configuration is time consuming and error prone
Difficult to track configuration on services
[Figure: traditional traffic path through Server, vFW, Switch, Router, FW, Router and LB]
-
Application Centric Infrastructure: Using the Language of Apps in the Network
Rapid deployment of applications with scale and security
Application-centricity for visibility and troubleshooting
Application agility: anywhere, any time, physical and virtual
Open source application policies
Common operational model through open APIs
[Figure: APIC policy spanning Physical Networking, L4-L7 Services (F5 Device Package for APIC; BIG-IP physical and/or virtual), Multi-DC WAN & Cloud, Compute, Storage, Hypervisors and Virtual Networking]
-
AGILITY: Any application, anywhere, physical and virtual: common application network profile
APPLICATION NETWORK PROFILE: connectivity policy; security policies; QoS / bandwidth reservation; availability; application L4-L7 services; storage and compute
[Figure: a traditional 3-tier application (WEB, APP and DB tiers with F/W and ADC between them) expressed as an Application Network Profile carrying SLA, QoS, Security and Load Balancing policies, with an extensible scripting model, mapped onto hypervisors]
-
Goals of APIC Service Insertion and Automation
Configure and Manage VLAN allocation for service insertion
Configure the network to redirect traffic through service device
Configure network and service function parameters on service device
-
Service Graph Definition
Service Graph: web-application
A service graph is an ordered set of functions between a set of terminals. A service graph can be defined through the GUI, the CLI or the APIC API.
A function has one or more connectors. Network connectivity such as a VLAN tag is assigned to these connectors.
[Figure: service graph with two Terminals, Connectors and three functions (Func: Firewall, Func: SSL offload, Func: Load Balancing) rendered on the same device]
Firewall params: Permit ip tcp * dest-ip dest-port 80; Deny ip udp *
SSL params: ipaddress; port 80
Load-Balancing params: virtual-ip; port 80; lb-algorithm: round-robin
A function within a graph may require one or more parameters. Parameters can be scoped by an EPG, an application profile or a tenant context. Parameters could also be assigned at the time of defining a service graph. Parameter values can be locked from further changes.
-
Application Policy Example
[Figure: EPG-APP (consumes) and EPG-DB (provides) connected by a contract]
dB Contract: MSSQL: Accept; MySQL: Accept; HTTP: Accept, Count
Filter: named collection of L4 port ranges. HTTP = [80, 443]; MSSQL = [1433-1434]; MySQL = [3306, 25565]; DNS = [53, 953, 1337, 5353]
Action: what action or actions to take on the packet: Accept; Service Insert
-
APIC L4-L7 Service Integration
[Figure: Tenant (HR) with an Application Network Profile for a traditional 3-tier application (WEB, APP and DB tiers with F/W and ADC)]
NETWORKING POLICY (connectivity for the tenant, L2-L3)
TROUBLESHOOTING POLICY (SPAN, ERSPAN etc.)
MONITORING POLICY (events, SNMP etc.)
APPLICATION PROFILE (3-tier app): EPGs are defined here. An End Point Group (EPG) is a collection of bare metal servers, VMs and vNICs. Ex: WEB EPG: all web servers (bare metal or VMs) are grouped into this EPG. Ex: APP EPG: all APP servers (bare metal or VMs) are grouped into this EPG.
SECURITY POLICY (policy decision is done here): filters decide which EPG can talk to which other EPG; traffic steering decides which EPGs need services.
SERVICES: contract services between the WEB and APP EPGs (web graph, HTTP graph). A graph can be a single graph or a multi graph. Ex: APP is the provider and WEB is the consumer. Define services within a contract: FW, ADC; in this example the ADC is defined.
L4-L7 SERVICES POLICY (creation of a graph is done here): Service Graph (Ex: WEB graph utilizes L4 SLB); device cluster.
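The policy decision the two preceding slides describe (filters of L4 port ranges attached to a contract, the contract provided by one EPG and consumed by another, and an action such as Accept, Count or Service Insert on a match) can be modelled in a few lines. The following is an added example written for this transcript, not code from the deck, from APIC or from F5; the class names, EPG names and sample contracts are constructed, and the web contract between EPG-WEB and EPG-APP is the ADC service-insertion case from the second slide.

```python
"""Added example, not code from the F5 Agility deck or from APIC: a small model of
the ACI security-policy decision the slides describe, where filters (named L4 port
ranges) sit in contracts, and a contract is provided by one EPG and consumed by
another. Class names, EPG names and the sample contracts are constructed."""
from dataclasses import dataclass

DENY = ("Deny",)


@dataclass(frozen=True)
class Filter:
    """Named collection of L4 port ranges (the 'Filter' box on the slide)."""
    name: str
    protocol: str              # "tcp" or "udp"
    ranges: tuple              # ((low, high), ...) inclusive port ranges

    def matches(self, protocol, port):
        return protocol == self.protocol and any(lo <= port <= hi for lo, hi in self.ranges)


@dataclass(frozen=True)
class Contract:
    """Filters with their actions (Accept, Count, Service Insert), plus the EPGs
    that provide and consume the contract."""
    name: str
    entries: tuple             # ((Filter, (action, ...)), ...)
    provider: str
    consumer: str


def build_sample_policy():
    """Constructed sample: the dB contract between EPG-APP (consumer) and EPG-DB
    (provider) from the slide, plus a web contract whose HTTP traffic between
    EPG-WEB and EPG-APP is steered through the ADC service graph."""
    http = Filter("HTTP", "tcp", ((80, 80), (443, 443)))
    mssql = Filter("MSSQL", "tcp", ((1433, 1434),))
    mysql = Filter("MySQL", "tcp", ((3306, 3306), (25565, 25565)))
    db_contract = Contract(
        "dB",
        ((mssql, ("Accept",)), (mysql, ("Accept",)), (http, ("Accept", "Count"))),
        provider="EPG-DB", consumer="EPG-APP")
    web_contract = Contract(
        "web", ((http, ("Accept", "Service Insert")),),
        provider="EPG-APP", consumer="EPG-WEB")
    return (db_contract, web_contract)


def decide(contracts, src_epg, dst_epg, protocol, port):
    """Return the actions for a flow initiated by src_epg towards dst_epg.

    The fabric is allow-list: a flow with no matching contract entry between that
    consumer/provider pair gets DENY. Only the consumer-to-provider direction is
    modelled here; return traffic handling is out of scope of this sketch."""
    for contract in contracts:
        if contract.consumer != src_epg or contract.provider != dst_epg:
            continue
        for flt, actions in contract.entries:
            if flt.matches(protocol, port):
                return actions
    return DENY


def audit_flows(contracts, flows):
    """Run a batch of observed flows (tuples of src_epg, dst_epg, protocol, port)
    through the policy and return only the ones the fabric would drop, which is
    the list an operator checks first after a contract change."""
    return [flow for flow in flows if decide(contracts, *flow) == DENY]


if __name__ == "__main__":
    policy = build_sample_policy()
    sample_flows = [                          # constructed sample flows
        ("EPG-APP", "EPG-DB", "tcp", 1433),   # MSSQL, permitted
        ("EPG-APP", "EPG-DB", "tcp", 80),     # HTTP, permitted and counted
        ("EPG-WEB", "EPG-DB", "tcp", 3306),   # web tier straight to DB: no contract
        ("EPG-APP", "EPG-DB", "udp", 53),     # no DNS entry in the dB contract
    ]
    for flow in sample_flows:
        print(flow, "->", decide(policy, *flow))
    print("dropped:", audit_flows(policy, sample_flows))
```

The useful property to notice is the default: anything not covered by a filter in a contract between exactly that consumer and provider pair is dropped, so a web server reaching the database tier directly is refused even though the same port is open between APP and DB.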
-
F5 BIG-IP Integration with
Cisco ACI
-
Topology Consistency: Core/Aggregation/Access model, 1 ARM mode + HA pair
[Figure: BIG-IP Active/Standby pair attached to Nexus 7000 / Nexus 5000 / Nexus 2000, and the same pair attached to Nexus 9000 standalone]
Users can transition to Cisco ACI seamlessly from BIG-IP 1 ARM + HA topologies within Nexus 7000 and Nexus 9000 standalone deployments
For Your Reference
-
Topology Consistency: Core/Aggregation/Access model, 2 ARM mode + HA pair
[Figure: BIG-IP Active/Standby pair attached to Nexus 7000 / Nexus 5000 / Nexus 2000, and the same pair attached to Nexus 9000 standalone]
Users can transition to Cisco ACI seamlessly from BIG-IP 2 ARM + HA topologies within Nexus 7000 and Nexus 9000 standalone deployments
For Your Reference
-
Cisco ACI Architecture: BIG-IP 1 ARM and 2 ARM + HA
[Figure: APIC-controlled ACI fabric with a BIG-IP Active/Standby pair in 1 ARM mode + HA (External / Internal on one arm) and in 2 ARM mode + HA (separate External and Internal arms)]
BIG-IP connects to any iLeaf in the ACI topology, independent of iLeaf location
-
Service Automation Through Device Package
[Figure: APIC Policy Manager with Policy Engine and Configuration Model; APIC Script Interface and Script Engine running the Device Package's Python Scripts and Configuration Model (XML file)]
Provider administrator can upload a Device Package
APIC provides an extendable policy model through the Device Package
The Device Package contains an XML file defining the Device Configuration Model
Device scripts translate APIC API callouts to device-specific callouts
Open Device Package
-
Understanding Device Package
APIC requires a Device Package to configure and monitor service devices. A device package manages a class of service devices.
A Device Package is a zip file containing two parts:
Device Specification: an XML file that defines the functions provided by a device (like Load Balancing, Content-Switching, SSL termination etc.), the parameters required for configuring each function, and the interfaces and network connectivity information for each function.
Device Script: the integration between the APIC and a Device is performed by a Device Script. APIC events are mapped to function calls defined in the Device Script.
[Figure: APIC pushes EPG-level and Service Graph function node-level L4-L7 config through the Device Package (XML / REST API); the package's Python scripts use iControl to configure BIG-IP, physical or VE]
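To make the two halves of a device package concrete, and to show the parameter scoping and locking rule from the service graph slide in action, here is an added example written for this transcript; it is not the F5 device package's own code or format. It parses a toy device specification XML (a function with its parameters and connectors), resolves a function node's parameters across the scopes the deck names (tenant, application profile, EPG, then the node itself) while honouring locked values, validates the result against the specification, and emits device-specific callouts. The XML schema, the Locked marker, the callout names and all sample values are constructed.

```python
"""Added example, not the F5 device package's own code or format: a simplified
model of the device script layer the slides describe. It parses a toy device
specification XML, resolves a function node's parameters across the scopes the
deck names, honours locked values, validates against the specification and turns
the result into device-specific callouts. Schema, marker class, callout names and
all sample values are constructed for this illustration."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed toy specification; the real device package XML is different.
DEVICE_SPEC = """<deviceSpec vendor="example" model="toy-adc">
  <function name="LoadBalancing">
    <param name="virtual-ip" type="ip" required="true"/>
    <param name="port" type="port" required="true"/>
    <param name="lb-algorithm" type="enum" values="round-robin,least-connections"/>
    <param name="pool-members" type="list" required="true"/>
    <connector name="external"/>
    <connector name="internal"/>
  </function>
</deviceSpec>"""

SCOPE_ORDER = ("tenant", "app_profile", "epg", "node")   # broad to narrow


class Locked:
    """Marks a value that narrower scopes may not override (the deck's locked parameter)."""
    def __init__(self, value):
        self.value = value


def load_spec(xml_text):
    """Return {function: {param: {type, required, values}}} from the toy XML."""
    spec = {}
    for fn in ET.fromstring(xml_text).findall("function"):
        spec[fn.get("name")] = {
            p.get("name"): {
                "type": p.get("type"),
                "required": p.get("required") == "true",
                "values": tuple(p.get("values").split(",")) if p.get("values") else None,
            }
            for p in fn.findall("param")
        }
    return spec


def resolve_params(scoped):
    """scoped: {scope: {param: value | Locked(value)}}. The narrowest scope wins,
    except that a parameter locked at a broader scope keeps its locked value."""
    resolved, locked = {}, set()
    for scope in SCOPE_ORDER:
        for name, value in scoped.get(scope, {}).items():
            if name in locked:
                continue                     # locked further out: ignore the override
            if isinstance(value, Locked):
                locked.add(name)
                value = value.value
            resolved[name] = value
    return resolved


def _is_ip(value):
    try:
        ipaddress.ip_address(str(value))
        return True
    except ValueError:
        return False


def validate(spec, function, params):
    """Return a list of problems; an empty list means the parameters are acceptable."""
    defs = spec[function]
    errors = [f"missing required parameter {n}" for n, d in defs.items()
              if d["required"] and n not in params]
    for name, value in params.items():
        d = defs.get(name)
        if d is None:
            errors.append(f"unknown parameter {name}")
        elif d["type"] == "port" and not (isinstance(value, int) and 0 < value < 65536):
            errors.append(f"{name} must be a TCP/UDP port")
        elif d["type"] == "ip" and not _is_ip(value):
            errors.append(f"{name} must be an IP address")
        elif d["type"] == "enum" and value not in d["values"]:
            errors.append(f"{name} must be one of {', '.join(d['values'])}")
        elif d["type"] == "list" and not isinstance(value, list):
            errors.append(f"{name} must be a list")
    return errors


def render_callouts(function, params, partition):
    """Translate a validated LoadBalancing node into device-side operations.
    The operation names are placeholders for whatever the device API offers."""
    pool = f"{partition}_{function}_pool"
    return [
        ("create_pool", {"partition": partition, "name": pool,
                         "members": params["pool-members"],
                         "lb_method": params.get("lb-algorithm", "round-robin")}),
        ("create_virtual", {"partition": partition, "name": f"{partition}_{function}_vs",
                            "destination": f"{params['virtual-ip']}:{params['port']}",
                            "pool": pool}),
    ]


def deploy(spec, function, scoped, partition):
    """Resolve, validate and render; on validation failure return the errors and no callouts."""
    params = resolve_params(scoped)
    errors = validate(spec, function, params)
    return errors, ([] if errors else render_callouts(function, params, partition))
```

Validation before rendering is the point: the script layer is the last place where a malformed or out-of-policy parameter pushed from the controller can be refused before it reaches the device, and the lock lets a tenant-wide choice (the load-balancing method here) survive a per-node override.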
-
Device Package: Function Profiles
Function Profiles are XML schema and work very much like iApps; users can define new function profiles, which can then be imported into the service graph
Function Profiles can be: WebProfile, HTTPS, Application-1: click to configure L4-L7 Service Node configurations
-
Device Package: User Defined (Future)
Cisco APIC and F5 APIs are open; users can define their own device package, for example adding other F5 modules like Access Policy Manager (APM) or Application Security Manager (ASM), and have it incorporated with the F5 LTM device package in the same service graph.
[Figure: service graph from the consumer EPG through F5 BIG-IP ASM (user defined device package) and F5 BIG-IP LTM (F5 provided device package) to the provider EPG]
-
Use cases
Functions: Virtual Server; Layer 4 Server Load balancing; Layer 4 SLB with SSL offload; Layer 7 Server Load balancing; Layer 7 SLB with SSL offload; Microsoft SharePoint
Parameters under Virtual Server: configuring global and tenant Self IP addresses; configuring global and tenant static routes; device counters; server pools; TCP optimizations (WAN/LAN/Mobile); HTTP optimization; HTTP security (application protocol security); TCP connection multiplexing (OneConnect); validators and creation of tenant OneConnect profiles; iRules; validators and creation of tenant acceleration profiles; SNAT pool management
More than 80% of F5 customers use L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases
-
Reference Material
F5 SDAS and Cisco ACI Solution Brief: http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
Cisco Application Policy Infrastructure Controller (APIC): http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
F5 BIG-IP LTM and Cisco ACI Integration white paper: Coming Soon!
Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone): Coming Soon!
Follow us on Twitter: @CiscoDC (Official Cisco Channel), @f5Networks (Official F5 Networks Channel)
For Your Reference
-
Key Takeaways
The F5 Software Defined Application Services (SDAS) vision aligns perfectly with Cisco's Application Centric Infrastructure
How Cisco ACI solves network services insertion challenges
F5 BIG-IP automated integration into Cisco APIC
Cisco ACI integration into existing F5 BIG-IP LTM deployments
Key benefits of the BIG-IP / ACI model: multi-tenancy and multi-graph support; use case focus; automation ready; application level visibility and monitoring
-
Tenancy Model
-
Terminology: APIC Tenant / BIG-IP Partition
A function node identifies a set of network service functions that are required by an application
A tenant is a container for policies; the primary elements that the tenant contains are filters, contracts, bridge domains and application profiles that contain EPGs
An ACI tenant will be represented as a partition within BIG-IP
A function node within a service graph will be represented as a Virtual Server within BIG-IP
-
Multiple Graph Single Tenant
Multiple Virtual Servers for different applications in the same BIG-IP partition/APIC Tenant, sharing the same device
Virtual Servers created by APIC inside BIG-IP are prefixed by the APIC partition number; since the routing domain is tied to the partition, F5 demonstrates true multi-tenancy
[Figure: single BIG-IP physical / virtual instance with APIC partition apic1234 and Route Domain A; the Client EPG reaches App EPG 1 through Virtual Server 1 and App EPG 2 through Virtual Server 2]
-
F5 supports TRUE Multiple Graph Multiple Tenancy
Multiple Virtual Servers for different applications in different BIG-IP partitions/APIC Tenants, sharing the same device
Virtual Servers created by APIC inside BIG-IP are prefixed by the APIC partition number; since the routing domain is tied to the partition, F5 demonstrates true multi-tenancy
Scalability is based on BIG-IP: APIC supports 64k tenants, BIG-IP supports 128 partitions
[Figure: single BIG-IP physical / virtual instance hosting Tenant A (APIC partition apic1234, Route Domain A), Tenant B (APIC partition apic2345, Route Domain B) and Tenant N (APIC partition apic7890, Route Domain N); in each tenant a Client EPG reaches App EPG 1 through Virtual Server 1 and App EPG 2 through Virtual Server 2]
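The tenancy mapping on the last three slides (ACI tenant to BIG-IP partition, function node to virtual server, APIC partition prefix on every object, one route domain per partition, and the 128-partition ceiling) is easy to get wrong in tooling, so here is an added example, written for this transcript and not F5's or Cisco's code, that models it. The partition ids apic1234 and apic2345 are taken from the slides; the route domain numbering, the naming pattern, the VIPs and the pool are constructed. The "%<rd>" suffix on addresses is BIG-IP's own route domain notation.

```python
"""Added example, not F5's or Cisco's code: a model of the tenancy mapping on these
slides. Each ACI tenant becomes a BIG-IP partition with its own route domain, every
virtual server that APIC creates carries the APIC partition prefix, and the BIG-IP
partition limit from the deck is enforced. Route domain numbering, naming pattern,
VIPs and pool members are constructed; the %rd address suffix is BIG-IP notation."""

BIGIP_MAX_PARTITIONS = 128      # from the deck: BIG-IP supports 128 partitions


class BigIpTenancy:
    """Tracks partitions, route domains and APIC-created virtual servers on one BIG-IP."""

    def __init__(self):
        self.partitions = {}        # apic partition id -> {"route_domain": int, "virtuals": {}}
        self._next_rd = 1           # route domain 0 is the default; each tenant gets its own

    def ensure_partition(self, apic_partition):
        """Create the partition (and its route domain) for an ACI tenant on first use."""
        if apic_partition not in self.partitions:
            if len(self.partitions) >= BIGIP_MAX_PARTITIONS:
                raise RuntimeError(f"BIG-IP partition limit of {BIGIP_MAX_PARTITIONS} reached")
            self.partitions[apic_partition] = {"route_domain": self._next_rd, "virtuals": {}}
            self._next_rd += 1
        return self.partitions[apic_partition]

    def add_function_node(self, apic_partition, graph, vip, port, members):
        """A service graph function node becomes one virtual server inside the tenant's
        partition; its name and all addresses are scoped to that partition's route domain."""
        part = self.ensure_partition(apic_partition)
        rd = part["route_domain"]
        name = f"{apic_partition}_{graph}_vs"
        if name in part["virtuals"]:
            raise ValueError(f"{name} already exists in partition {apic_partition}")
        part["virtuals"][name] = {
            "destination": f"{vip}%{rd}:{port}",
            "members": [f"{m}%{rd}:{port}" for m in members],
        }
        return name

    def virtual_count(self):
        return sum(len(p["virtuals"]) for p in self.partitions.values())

    def overlapping_destinations(self):
        """Virtual server destinations that collide across the whole device. Because
        the route domain is part of the address, identical IP:port in two tenants do
        not collide; a non-empty result means two tenants share a route domain."""
        seen, dupes = {}, []
        for pname, part in self.partitions.items():
            for vname, vs in part["virtuals"].items():
                dest = vs["destination"]
                if dest in seen:
                    dupes.append((seen[dest], f"{pname}/{vname}"))
                seen[dest] = f"{pname}/{vname}"
        return dupes


def can_host(tenant_count):
    """True if a fresh BIG-IP can hold tenant_count APIC tenants as partitions."""
    dev = BigIpTenancy()
    try:
        for i in range(tenant_count):
            dev.ensure_partition(f"apic{i:05d}")
    except RuntimeError:
        return False
    return True


def build_demo():
    """Constructed multi-tenant / multi-graph layout modelled on the slide: two tenants
    that both use the same 10.10.1.x pool addresses and both run two service graphs."""
    dev = BigIpTenancy()
    pool = ["10.10.1.2", "10.10.1.3", "10.10.1.4"]
    for partition in ("apic1234", "apic2345"):
        dev.add_function_node(partition, "web-graph", "10.10.1.100", 80, pool)
        dev.add_function_node(partition, "app-graph", "10.10.1.101", 8080, pool)
    return dev


if __name__ == "__main__":
    demo = build_demo()
    for pname, part in demo.partitions.items():
        print(pname, "route domain", part["route_domain"], list(part["virtuals"]))
    print("overlaps:", demo.overlapping_destinations(), "| 129 tenants fit:", can_host(129))
```

The overlap check is the tenancy property worth monitoring: two tenants reusing the same RFC 1918 addresses (as the figure shows with the 10.10.1.x pool) stay separate only as long as each partition keeps its own route domain.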
-
Terminology: APIC Service Graph Config / BIG-IP LTM Config
APIC Service Graph Function Node config parameters, for example the web pool, will be pushed from APIC to BIG-IP
In this example, BIG-IP populates the Pools configuration from APIC. Parameters that are optimized for L4 SLB (similar to iApp) will be pre-configured and automatically populated in BIG-IP
-
Mixed Mode Support
Common Partition: the user can define custom iRules under the Common partition and they can be called by APIC
APIC Partition: configuration is pushed and populated by APIC. The user does not modify this partition. APIC will perform L4-L7 service insertion on this partition.
BIG-IP created Partition: the user can continue to use partitions created by BIG-IP; they appear as separate EPGs to APIC. Network functionality will be managed by APIC through the fabric, while L4-L7 will be managed by BIG-IP. The user can continue to use custom iApps and iRules in this scenario.
[Figure: APIC-managed BIG-IP (physical or virtual) with a Client EPG and Server EPG joined by a contract including L4-L7 services, alongside a BIG-IP created partition exposed to APIC as BIG-IP Ext EPG and BIG-IP Int EPG with their own contracts]
-
Monitoring
APIC can provide EPG level atomic counters on the Function Node (F5 BIG-IP)
Users will continue to use BIG-IP for LTM specific monitors as before
-
Bring it all together: Multi-Tenant/Multi-Graph SLB use case
[Figure: Tenant A (client IP 172.16.1.10) and Tenant B (client IP 173.17.1.10) each reach their EPG Web from the Internet and are load balanced to EPG App pool members 10.10.1.2:80, 10.10.1.3:80 and 10.10.1.4:80; the same pool addresses appear in both tenants; flow steps numbered 1 to 4 pass through the BIG-IP function node]
-
Workflow: Multi-Tenant / Multi-Graph L4 SLB use case
Steps to integrate F5 BIG-IP into ACI:
1. Install F5 device package
2. Create logical device cluster
3. Add concrete devices (BIG-IP physical or virtual) to the device cluster
4. Map logical interfaces (external and internal) to physical interfaces
5. Export the device cluster to other tenants (multi-tenancy)
6. Create service graph (1) using F5 BIG-IP as the function node
7. Create service graph (2) using the same BIG-IP as the function node (multi-graph)
8. Assign the service graphs to contracts
* Prior to integrating F5 BIG-IP into ACI, the user should configure tenants (application profiles / networking / security policies) and VM networking (if necessary)