Unleash the power of Cisco ACI and F5 Synthesis for Accelerated Application deployments
Ravi Balakrishnan
Senior Marketing Manager, Cisco Systems
© F5 Networks, Inc Confidential Under NDA only 2
Cisco – F5 Solutions Outline
• Cisco ACI + F5 Integration Overview
• Cisco Nexus 7000 + F5 LTM Design Overview
• Cisco and F5 Areas of Partnership and Integration
• Cisco SourceFire NGIPS + F5 LTM integration
F5 and Cisco are now Partners!
Cisco - Leader in Networking and F5 - Leader in ADC partnering to provide:
• Deep technology integrations across all L2-L7 network services
• Simplified data center and cloud rollouts
• Comprehensive application-centric policy framework and enforcement
• Intelligent services orchestration
• High Performance application delivery and security Fabric
• Extensible platform supporting future service growth and needs
• Accelerated application deployments
Cisco ACI Launch Nov’13
F5 and Cisco Partnership
• Partnering to integrate F5 Synthesis architectural framework into Cisco ACI
  - Sharing a common vision for simplifying networking end to end by taking an application-centric, policy-driven approach
• Joint testing for VMDC2.3 for traditional data center deployments
  - F5 LTM tested with Nexus 7000. ACE customers can migrate to F5 utilizing VMDC2.3 guidance
• Exploring additional opportunities to bring joint solutions to Data Center customers
  - Discussions underway to integrate RISE (Nexus 7000) and vPATH (Nexus 1KV) technologies
• Partnering to integrate F5 LTM with Cisco Sourcefire NGIPS
  - F5 and Cisco Sourcefire enhance security posture and improve operational efficiency
Application Centric Infrastructure (ACI) Vision
Rapid Deployment of Applications onto Networks with Scale, Security and Full Visibility
[Figure labels: ACI; Application Centric Policy Controller; Nexus 9500 and 9300]
The Benefit of Application Centric Policy
• Application Centric Infrastructure (ACI) allows the entire infrastructure to take commands in a business-relevant language.
• Policy = The Business-Relevant Commands that Drive Infrastructure Automation
ACI Process:
“Let my app servers talk to my web servers.”
Existing Process:
1. “Figure out where app lives in physical net”
2. “Trunk VLAN 112 to switch 22.”
3. “Add route….”
4. “Plumb ports 7-12…”
5. “Configure ACL…”
6. “Apply QoS…”
7. Repeat every time app moves or needs more capacity
Application Centric Policy Model
[Figure labels: APIC; application tiers DB, APP, WEB with ADC and F/W; Physical Networking; L4–L7 Services; Multi DC WAN + Cloud; Compute; Storage; Hypervisors and Virtual Networking]
Faster App Availability: Simplified Operational Processes + Automation
[Figure labels: Service Request; Architect; Design; Compute; Storage; Security; Network]
Cisco Confidential 8
[Figure labels: Time; Application Available; APP, WEB and DB tiers with F/W, L/B and ADC]
Policy Automation: Application Policy Language, Common Policy Framework and Platform for All IT Teams
[Figure labels: APIC; Application; Compute; Network; Cloud; Storage; Security; Business Agility]
F5 and Cisco ACI Joint Solution Benefits
[Figure labels: F5 Device Package for APIC; ACI Fabric; F5 Synthesis Fabric (Virtual Edition, Appliance, Chassis); Programmability (iRule / iApp / iControl); Data Plane, Control Plane, Management Plane]
• Automated layer 4-7 application service insertion, policy updates, and optimization within the ACI-enabled fabric with BIG-IP
  - Preserves richness of F5 Synthesis offering through policy abstraction, offering investment protection
• Accelerated application deployments with reliability, security and consistent scalable network and L4-L7 services
  - Existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI
• Application agility using policy driven application delivery approach to significantly reduce operating costs
  - Provisioning workflows are efficient and faster while maintaining operational best practices across multiple IT teams
Application Provisioning in Today’s Data Centers
• Lacks application agility - requires provisioning across different layers by different organizations
• Time to operationalize purchased assets is longer due to inefficient provisioning
• Longer time to deploy Applications with scale and security
• Harder to achieve application elasticity
[Figure: TENANT (HR) and TENANT (FINANCE); each application (App x, App y, App z, App p, App q, App r) has its own stack of Network Connectivity, L4-L7, Compute + VM and Storage]
Service Insertion In Traditional Networks
• Configure firewall rules as required by the application
• Configure Network to insert Firewall
• Configure firewall network parameters
• Configure Load Balancer as required by the application
• Configure Load Balancer Network Parameters
• Configure Router to steer traffic to/from Load Balancer
Challenges with Network Service Insertion
• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services
[Figure labels: Server; vFW; Switch; Router; FW; Router; LB]
Application centric infrastructure: using the language of apps in the network
• Application Agility – Anywhere, Anytime, Physical and Virtual
• Rapid Deployment of Applications with Scale and Security
• Application-centricity to Visibility and Troubleshooting
• Open Source Application Policies
• Common Operational Model through Open APIs
ACI slide Source: Cisco
[Figure labels: F5 Device Package for APIC; WEB, APP and DB endpoints on hypervisors; Physical Networking; Hypervisors and Virtual Networking; Compute; L4–L7 Services; Storage; Multi DC WAN & Cloud; BIG-IP physical and/or virtual; ACI Fabric (non-blocking, penalty-free overlay); App, DB, Web and Outside (Tenant VRF) groups with QoS, Filter and Service policies; Application Policy Infrastructure Controller (APIC)]
• Extend the principle of Cisco UCS® Manager service profiles to the entire fabric
• Network profile: stateless definition of application requirements
  - Application tiers
  - Connectivity policies
  - Layer 4 – 7 services
  - XML/JSON schema
• Fully abstracted from the infrastructure implementation
  - Removes dependencies of the infrastructure
  - Portable across different data center fabrics
## Network Profile: Defines Application Level Metadata (Pseudo Code Example)
<Network-Profile = Production_Web>
    <App-Tier = Web>
        <Connected-To = Application_Client>
            <Connection-Policy = Secure_Firewall_External>
        <Connected-To = Application_Tier>
            <Connection-Policy = Secure_Firewall_Internal & High_Priority>
    . . .
    <App-Tier = DataBase>
        <Connected-To = Storage>
            <Connection-Policy = NFS_TCP & High_BW_Low_Latency>
    . . .
[Figure labels: Application; Web Tier; App Tier; DB Tier; Storage]
The network profile fully describes the application connectivity requirements
• Elastic service insertion architecture for physical and virtual services
• Helps enable administrative separation between application tier policy and service definition
• APIC as central point of network control with policy coordination
• Automation of service bring-up / tear-down through programmable interface
• Supports existing operational model when integrated with existing services
• Service enforcement guaranteed, regardless of endpoint location
• N+1 scale of cluster capable service nodes
[Figure labels: Web Server; App Tier A; App Tier B; App Server; Policy Redirection; Chain “Security 5”; Application Admin; Service Admin; Service Graph (begin, Stage 1 … Stage N, end); Providers (Firewall instances, Load Balancer instances); Service Profile: “Security 5” Chain Defined]
F5 Device Package
Service Automation Through Device Package – ACI + F5 Deployment
Device Package contains
• Configuration Model (XML File)
• Python Scripts
[Figure labels: APIC – Policy Manager; Policy Engine; Configuration Model (XML File); Script Engine; Python Scripts; APIC Script Interface; BIG-IP]
• Provider Administrator can upload a Device Package
• APIC provides extendable policy model through Device Package
• Device Package contains XML file defining Device Configuration Model
• Device scripts translate APIC API callouts to device-specific callouts
• F5 has rich programmability foundation - easier to integrate with Cisco APIC
Understanding Device Package
A Device Package is a zip file containing two parts
Device Specification
• Is an XML file that defines
  - Functions provided by a device – Like Load Balancing, Content-Switching, SSL termination etc
  - Parameters required for configuring each use case ex: L4 SLB
  - Interfaces and Network connectivity information for each function within the use case
Device Script
• The integration between the Cisco APIC and a Device is performed by a Device Script (in Python)
• Cisco APIC programs the BIG-IP by invoking function calls defined in the device package.
F5 Use cases – Target for APIC FCS
Virtual Server
• Function Profiles
• Layer 4 Server Load balancing with SSL Off load
• Layer 7 Server Load balancing with SSL off load
• HTTP SLB
• FTP SLB
• SMTP SLB
• Microsoft SharePoint
Parameters/Folders under each function
• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (One Connect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management
More than 80% of F5 customers use L4 SLB / L7 SLB with SSL offload and MSFT SharePoint; hence the 1st release targets these use cases
Defining Policy Model for an Application in a Tenant - APIC
APPLICATION NETWORK PROFILE
[Figure: Traditional 3-Tier Application in TENANT (HR): WEB, APP and DB tiers with F/W and ADC]
NETWORKING POLICY (CONNECTIVITY FOR THE TENANT L2-L3)
TROUBLESHOOTING POLICY SPAN, ERSPAN ETC
MONITORING POLICY (EVENTS, SNMP ETC)
APPLICATION PROFILE (3 TIER APP) EPGS ARE DEFINED HERE
• End Point Group (EPG) – collection of bare metal servers, VMs, vNIC
  - Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG
  - Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG
SECURITY POLICY (DEPLOYMENT OF A GRAPH IS DONE HERE)
FILTERS – WHICH EPG CAN TALK TO WHICH OTHER EPG
• Contract – services between the WEB and APP EPG (web graph, HTTP graph)
  - Graph can be single graph or multi graph
  - Ex: APP is a provider and WEB is the consumer
  - Define services within a contract: FW, ADC; in this example ADC defined
L4-L7 SERVICES POLICY (CREATION OF A GRAPH IS DONE HERE)
• Service Graph (Ex: WEB graph utilizes L4 SLB)
• Device cluster
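The policy model on this slide, as an added Python sketch that is not Cisco's or F5's code: endpoints are grouped into EPGs, a contract between a consumer EPG and a provider EPG carries filters and a service graph, and a flow is resolved to the L4-L7 services it must traverse. The class names, the deny result for flows with no matching contract, and the sample endpoints are assumptions made for illustration; intra-EPG traffic is not modelled.

```python
# Added example: toy model of the tenant policy above. All names are
# hypothetical; this is not the APIC object model or API.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Filter:
    proto: str
    port: int

@dataclass
class Contract:
    name: str
    consumer: str   # EPG that initiates the flow (WEB in the slide's example)
    provider: str   # EPG that offers the service (APP)
    filters: list
    service_graph: list = field(default_factory=list)  # ordered L4-L7 functions

@dataclass
class Tenant:
    name: str
    epgs: dict      # EPG name -> set of endpoint names (bare metal or VM)
    contracts: list

    def epg_of(self, endpoint):
        # Policy is keyed on group membership, not on where the endpoint sits.
        return next((e for e, m in self.epgs.items() if endpoint in m), None)

    def resolve(self, src, dst, proto, port):
        """Service chain a new src->dst flow must traverse, or None if denied."""
        s, d = self.epg_of(src), self.epg_of(dst)
        if s is None or d is None:
            return None              # endpoint in no EPG: nothing permits it
        for c in self.contracts:
            if (c.consumer, c.provider) == (s, d) and Filter(proto, port) in c.filters:
                return list(c.service_graph)
        return None                  # assumption: no matching contract means deny

# Constructed sample data for tenant HR (not taken from the slides).
HR = Tenant(
    name="HR",
    epgs={"WEB": {"web-vm-1", "web-bm-2"}, "APP": {"app-vm-1"}, "DB": {"db-vm-1"}},
    contracts=[Contract("web-to-app", "WEB", "APP",
                        [Filter("tcp", 8080)], ["ADC: L4 SLB"])],
)

if __name__ == "__main__":
    for flow in [("web-vm-1", "app-vm-1", "tcp", 8080),
                 ("web-vm-1", "db-vm-1", "tcp", 1433)]:
        print(flow, "->", HR.resolve(*flow))
```

Reviewing a tenant's contracts this way makes it easy to spot EPG pairs that are reachable without passing through any service in the graph.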
Where does F5 fit in the Application Policy – Multi Tenants?
BIG-IP (Physical or Virtual)
• Single BIG-IP instance supports “TRUE” Multi Tenancy with Traffic Isolation
• Supports single or multi tenants with single or multi graph scenarios
[Figure: Tenant (HR), Tenant (SALES) and Tenant (Finance), each with three applications (App X, Y, Z; App P, Q, R; App M, N, O) and its own L4-L7 services (WEB graph or HTTP graph using L4 SLB); the service graph is attached to the contract between EPGs]
Benefits of using F5 Device Package
F5 Synthesis value proposition is preserved in Cisco ACI
• Cisco ACI allows F5 to bring the value to ACI instead of normalizing across vendors
F5 is seamlessly integrated with Cisco ACI
• Preserves existing BIG-IP deployment topologies and L2-L3 interoperability – no network redesign
• No HW upgrades needed on BIG-IP - no net new $$$ spending
Flexibility in rolling out L4-L7 services on F5 fabric with APIC
• F5 Application policy framework aligns seamlessly with APIC policy framework
• Accelerated application deployments - Provides true application centric solution using profile based approach
Portfolio of services – combining application delivery and security
• Extensible to other L4-L7 services to address application requirements - GTM, AAM, AFM, APM, ASM
Deep application performance visibility (future)
• Extensive application health score data – Device package can integrate application health score data from BIG-IP
ACI Delivering Business Outcomes
Lower Costs/TCO
• 10-20% Compute and Storage Optimization
• 58% Reduce Network Provisioning
• 21% Reduce Management Costs
• 45% Reduce Power and Cooling Costs
• 25% CAPEX Reduction
[Figure labels: Greater Business Agility; Lower Capital Expenses; Reduced Costs/Complexity; Lower Operating Cost; Resource Optimization]
“Cisco’s open* standards approach makes ACI even stronger. We conducted testing on ACI … it fully delivered everything we expected, and proved to be quite stable and mature.”
Nik Weidenbacher, Principal Engineer, SunGard
“Cisco ACI is an open*, future-proofed data center architecture that can continue to grow as we enhance client services.”
Chuck Crane, Network and Security Architect, Acxiom (Transitioning from AWS to Private Cloud)
“This will enable Telstra to deliver service agility, security and performance that our customers expect from an enterprise grade cloud.”
Erez Yarkoni, Executive Director, Telstra
Source: Cisco IT
* 4/2014 Cisco announced Opflex, a standards-track southbound protocol for integration of ACI with a broad ecosystem of L4-7 Services. Opflex was coauthored by: Microsoft, Citrix, IBM, and Sungard Availability Services