Enabling Application Defined Networking with F5 Synthesis and Cisco Application Centric Infrastructure Dean Houari, Regional Solution Architect, F5 Networks March 2015
F5 and Cisco ACI Joint Solution Benefits Automated L4-L7 application service insertion F5 DEVICE PACKAGE FOR APIC Preserves richness of F5 Synthesis offering. Ease of integration due to rich programmability Accelerated application deployments with scalablel4-l7 services ACI Fabric Existing F5 Physical and Virtual appliances, topologies integrate seamlessly with Cisco ACI Application agility & significant reduction in operating costs Programmability (irules / iapps / icontrol) Data Plane Control Plane Management Plane F5 Synthesis Fabric Maintains operational best practices & offers faster provisioning of workflows Virtual Edition Appliance Chassis F5 Networks, Inc 2
F5 and Cisco ACI Integration Latest Addition Announcing APIC and BIG-IQ Integration Early Availability ACI Fabric BIG-IQ Virtual Edition Appliance Chassis BIG-IP F5 Synthesis Fabric APIC to BIG-IP Integration Model Phase 1 (Shipping) APIC to BIG-IQ Integration Model Phase 2 (Early Availability Jan 15, FCS Q2 CY15) Customers have choice to leverage Cisco APIC to BIG-IP or through BIG-IQ Integration Models F5 Networks, Inc 3
Choosing F5 BIG-IP for Cisco ACI Supports 11.4.1 and above, Platform Independent Good, Better, Best Platforms 25M 200M 1Gbps 3Gbps 5Gbps 10Gbps VIPRION 2200 VIPRION 2400 1600 series* 2000 series* 4000 series 5000 Series 7000 Series 10000 Series 11000 Series VIPRION 4480 VIPRION 4800 Virtual Physical Hybrid F5 virtual editions Provide flexible deployment options for virtual environments and the cloud Virtual ADC is best for: Accelerated deployment Maximizing data center efficiency Private and public cloud deployments Application or tenant-based pods Keeping security close to the app Lab, test, and QA deployments F5 physical ADCs High-performance with specialized and dedicated hardware Physical ADC is best for: Fastest performance Highest scale SSL offload, compression, and DoS mitigation An all F5 solution: integrated HW+SW Edge and front door services Purpose-built isolation for application delivery workloads Physical + virtual = hybrid ADC infrastructure Ultimate flexibility and performance Hybrid ADC is best for: Transitioning from physical to virtual and private data center to cloud Cloud bursting Splitting large workloads Tiered levels of service F5 Networks, Inc 4
ACI L4 L7 Service Insertion Overview
Traditional Network Service Insertion Challenges Router Configure Network to insert Firewall FW Configure firewall network parameters Service insertion takes days vfw Router Switch LB Configure firewall rules as required by the application Configure Load Balancer Network Parameters Configure Router to steer traffic to/from Load Balancer Network configuration is time consuming and error prone Difficult to track configuration on services Server Service Insertion In traditional Networks Configure Load Balancer as required by the application F5 Networks, Inc 6
APIC L4 L7 Service Integration TENANT (HR) Traditional 3-Tier Application F/W ADC WEB WEB WEB WEB ADC APP APP APP APP DB DB DB DB APPLICATION NETWORK PROFILE APPLICATION PROFILE (3 TIER APP) EPGS ARE DEFINED HERE endpoint Group (EPG) collection of bare metal servers, VMs, vnic Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG NETWORKING POLICY CONNECTIVITY FOR THE TENANT L2-L3 SECURITY POLICY (POLICY DECISION IS DONE HERE) FILTERS, QOS, TRAFFIC STEERING Contract services between the WEB and APP EPG (web graph, HTTP graph) Ex: APP is a provider and WEB is the consumer Define services within a contract: FW, ADC in this example ADC defined TROUBLESHOOTING POLICY SPAN, ERSPAN ETC MONITORING POLICY EVENTS, SNMP L4-L7 SERVICES POLICY DEFINE L4-L7 SERVICE POLICY Service Graph (Ex: WEB graph utilizes L7 SLB) Logical Device Cluster F5 Networks, Inc 7
Distributed Management Information Tree (dmit) Objects within APIC are structured in tree-based hierarchy Objects referred to as managed objects (MO) Packages identify the functional area e.g., fabric = physical fabric, ADC= F5 BigIP etc.. Every object has a parent, with exception of top:root (top of tree) Relationships exist between objects using Distinguished Name or DN. F5 Networks, Inc Cisco Public 8
F5 Device Package: Definition APIC requires a Device Package to communicate with service devices. A Device Package is a zip file containing two parts: Device Specification (xml): The configuration of the APIC is represented as an object model consisting of a large number of Managed Objects (MOs). A Device type is defined by a tree of MOs with a Meta Device (MDev) at the root. Configuration through UI or North Bound APIs APIC EPG level L4-L7 config Service Graph Function Node level L4-L7 config DeviceScript (py): The integration between the APIC and a Device is performed by a DeviceScript, which maps APIC events function calls defined in Device Script Python Device Script Device Package icontrol / SouthBound API BIG-IP Physical or VE Device Specification <dev type= f5 > <service type= slb > <param name= vip > <dev ident= 210.1.1.1 <validator= ip <hidden= no > <locked= yes > F5 Networks, Inc 9
Logical Device Cluster / Concrete Device: Definition Logical Interfaces Map to concrete devices interfaces Tenant admin connects concrete Device to the fabric and assigns management IP. Tenant admin registers device with APIC. APIC validates device using device specs from device package Concrete Device Concrete Device Logical Device Cluster Represents service device (physical or virtual), for example an ADC or FW Represents a cluster of 2 devices that operate in active/standby mode for instance FCS : Supporting device clusters with maximum of two concrete device in active-standby mode F5 Networks, Inc 10
Service Graph: Definition Abstract graph concept mapping to Service Graph Consumes Functions rendered on the same device Service Graph: web-application Provides EXT EXT EXT EXT Func: Firewall Func: SSL offload Func: Load Balancing WEB WEB WEB WEB EPG - EXT Terminals Connectors Terminals EPG - WEB Firewall params Permit ip tcp * dest-ip <vip> dest-port 80 Deny ip udp * SSL params Ipaddress <vip> port 80 Load-Balancing params virtual-ip <vip> port 80 Lb-aglorithm: round-robin Service graph is an ordered set of functions between a set of terminals e-g; Firewall Function, Load balancer Function A function has one or more connectors Network connectivity like VLAN/VNID tag is assigned to these connectors A function within a graph may require one or more parameters Parameters can be scoped by an EPG or an application profile or tenant context Parameter values can be locked from further changes F5 Networks, Inc 11
Application Construct F5 Service Insertion Consume Provide Web Farm provide services to External Users; Policy Contract defines relationship between Web Farm and Users EPG EXT Ext Users EPG WEB Web Server Users assign to EPG EXT Web Farm assign to EPG WEB Users accessing the Web Servers start stage 1.. stage N end graph Service Graph Insertion at the Policy Contract Subject level inst inst. inst inst Node Service Graph contains Function Nodes, Virtual Server is a Function Node firewall ADC: Virtual Server Logical Device Cluster Concrete Device Concrete Device F5 BIG-IPs are Concrete Devices belong to a Logical Device Cluster that enables ADC as a Function Node within a Service Graph F5 Networks, Inc 12
Goals of APIC Service Insertion and Automation Configure and Manage VLAN allocation for service insertion Configure the network to redirect traffic through service device Configure network and service function parameters on service device F5 Networks, Inc 13
Topology Consistency Core/Aggregation/Access model with 1 ARM or Inline deployment i For Your Reference Active Standby Active Standby External Internal External Internal Users can transition to Cisco ACI seamlessly from BIG-IP 1-ARM or Inline deployment from traditional network model External/ Internal External/ Internal Blue PO: passing external VLAN Orange PO: passing internal VLAN F5 Networks, Inc 14
Cisco ACI Architecture BIG-IP 1 ARM and Inline + HA BIG-IP connects to any ileaf in ACI topology independent of ileaf location External / Internal External / Internal Internal External Internal External Active Standby Active Standby 1 ARM mode + HA pair Inline mode + HA pair F5 Networks, Inc 15
F5 Device Package Release 1.1.0 Details
F5 and Cisco ACI Integration Models ACI Fabric BIG-IQ Virtual Edition Appliance Chassis BIG-IP F5 Synthesis Fabric APIC to BIG-IP Integration Model APIC to BIG-IQ Integration Model F5 Networks, Inc 17
F5 ACI Device Package 1.1.0 is now Released! Supports ACI FCS+3 version 1.0(2m) vcmp support (New with 1.1.0) Dynamic endpoint attach and detach (New with 1.1.0) Supports any BIG-IP LTM physical and virtual form factor running version 11.4.1 and above Device package can be downloaded from downloads.f5.com at no cost Does not require any new module installation on the BIG-IP Can leverage BIG-IQ as device management irules (custom defined) that reside in common partition can be called by APIC BIG-IP is licensed and OOB management configured prior to APIC integration Supports Active / Standby High Availability model per APIC logical device cluster F5 Networks, Inc 18
F5 Device Package 1.1.0 Supported Functions Device Package 1.1.0 continue to support the same L4 L7 service functions as 1.0.0 with additional support of vcmp and dynamic endpoint attach/detach Functions Virtual Server Layer 4 Server Load balancing Layer 4 SLB with SSL offload Layer 7 Server Load balancing Layer 7 SLB with SSL offload Microsoft SharePoint Parameters under Virtual Server Configuring Global and Tenant Self IP addresses Configuring Global and Tenant static routes Device Counters Server Pools TCP Optimizations (WAN/LAN/Mobile) HTTP optimization HTTP Security (Application protocol security) TCP connection multiplexing (One Connect) Validators and Creation of tenant OneConnect profiles irules Validators and Creation of tenant acceleration profiles SNAT Pool management More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload hence 1st release targets these use cases F5 Networks, Inc 19
F5 Device Package 1.1.0: vcmp Guests Support In release 1.1.0; in vcmp HA configuration, both vcmp guests must reside on the same vcmp host vcmp (Virtual Clustered Multiprocessing) is F5 purposed built hypervisor, allow multiple virtual ADC instances, called vcmp guests, reside on the same vcmp host Using vcmp guests as L4- L7 Devices when creating Logical Device Cluster vcmp guest 1 and 2 mgmt. IP vcmp host mgmt. IP F5 Networks, Inc 20
F5 Device Package 1.1.0: Dynamic endpoint attach/detach Pool members, which are considered as endpoint in ACI fabric, once attached to OR detach from an EPG; APIC will send notification to BIG-IP to add or remove this pool member Internal Connector, which tied to the provider EPG, assign to the WEB servers = pool members in F5 LTM Pool Eable Attachement Notification Under Graph Template, function node ADC has two logical interfaces: external and internal F5 Networks, Inc 21
F5 Device Package 1.1.0: Dynamic endpoint attach/detach Assign provider EPG (Web) to the servers After receiving attach notification from APIC, BIG-IP add members to pool Same for endpoint detach F5 Networks, Inc 22
F5 BIG-IP LTM Integration with Cisco ACI Using Device Package 1.1.0 and ACI 1.0(2m)
Terminology: APIC Tenant Single Context / BIG-IP Partition Tenant is a container for policies (filters, contracts, bridge domains and application profiles) BIG-IP partition is equivalent to a single context ACI tenant A function node identifies a set of network service functions that are required by an application BIG-IP Virtual Server is equivalent to service graph function node F5 Networks, Inc 24
Terminology: APIC Service Graph Config pushed to BIG-IP APIC Service Graph Function Node Config Parameters, for example, webpool, will be pushed from APIC to BIG-IP In this example, BIG-IP populates Pool configuration from APIC. F5 Networks, Inc 25
Device Package Feature: Referencing irules APIC can reference irules that resides in BIG-IP Common partition BIG-IP is responsible for irules management, including creation / modification / validation F5 Networks, Inc 26
Mixed Mode Support Client EPG Contract: Including L4-L7 services Server EPG Client EPG Contract BIG-IP Ext EPG BIG-IP Int EPG Contract Server EPG APIC APIC Partition Configuration pushed and populated by APIC. User does not modify this partition. APIC will perform L4-L7 service insertion on this partition. BIG-IP created Partition: User can continue to use partition created by BIG-IP, they appeared as separate EPG to APIC. Network functionality will be managed by APIC through the Fabric, where L4-L7 will be managed by BIG-IP. User can continue to use custom iapp and irules in this scenario. Common Partition User can define custom irules under Common partition and they can be called by APIC, BIG-IP Physical or Virtual F5 Networks, Inc 27
APIC to BIG-IP Integration Model Leveraging BIG-IQ as device management APIC Manage APIC generated BIG-IP partition Virtual Server provisioning and configuration BIG-IQ Framework Device Package BIG-IP Devices F5 Networks, Inc 28
Monitoring: Device Health Score Device Health Score indicates BIG-IP health base on internal BIG-IP algorithm F5 Networks, Inc 29
Monitoring: Service Health Score Service Health Score indicates virtual server health base on internal / external interfaces state, plus pool availability F5 Networks, Inc 30
Troubleshooting: APIC Faults / Visore / debug.log / LTM log https://<apic>/visore.html APIC Faults /data/devicescript/f5.bigip.1.1.0/logs/debug.log /var/log/* F5 Networks, Inc 31
Automation: REST API APIC is based on a hierarchical object model. EVERYTHING is represented as an object and every object can be manipulated via REST. REST operations: POST, GET, DELETE Support for JSON and XML Format: https://host[:port]/api/{mo class}/{dn classname}.{json/xml}[?options] /api/ Specifies that the message is directed to the API. mo class Specifies whether the target of the operation is a managed object (MO) or an object class. Dn Specifies the distinguished name (DN) of the targeted MO. classname Specifies the name of the targeted class. This name is a concatenation of the package name of the object queried and the name of the class queried in the context of the corresponding package. For example, the class aaa:user results in a classname of aaauser in the URI. json xml Specifies whether the encoding format of the command or response HTML body is JSON or XML. F5 Networks, Inc 32
Workload Migration from Traditional Networks to Cisco ACI
Migration: Physical Topology Traditional Network F5 DEVICE PACKAGE FOR APIC BIG-IP Platform CISCO ACE ACI Fabric VIP Traditional VIP ACI BIG-IP Platform BIG-IP Platform A B C WEB F5 Networks, Inc 34
Migration: Approach Clients access Traditional Network VIP VIP Traditional A WEB B ACI VIP C Step 1: Bring up BIG-IP in ACI fabric Create Application Server ACI L4-L7 service insertion with BIG-IP Expanding workload to ACI fabric VIP Traditional ACI VIP A B ACI C Step 2: VIP WEB Add ACI VIP to Traditional Pool Moving workload from traditional network to ACI VIP Traditional ACI VIP WEB ACI VIP C A B Step 3: Move Servers Completing workload migration to ACI Clients now access ACI VIP VIP Traditional ACI VIP C A WEB B Step 4: Update DNS or GTM Remove ACI VIP From Traditional Pool F5 Networks, Inc 35
F5 BIG-IQ Integration with Cisco ACI
F5 and Cisco ACI Integration Models ACI Fabric BIG-IQ Virtual Edition Appliance Chassis BIG-IP F5 Synthesis Fabric APIC to BIG-IP Integration Model APIC to BIG-IQ Integration Model F5 Networks, Inc 37
F5 is Industry Leader in Application Delivery How can we provide full set of F5 functionality to ACI environment that is application focused? F5 has an extensive library of iapps for deploying applications F5 Networks, Inc 38
What are iapps? An iapps is an application-centric configuration template: User answers a few questions about deploying an application iapps translates answers into a set of configuration options iapps can touch almost all BIG-IP functionality irules, profiles, monitors, security policies, and much more There are many F5-provided iapps: HTTP, Sharepoint, Exchange, VMware View, Users can build their own iapps F5 Networks, Inc 39
Using BIG-IQ to bring iapps to APIC F5 Device Package Release 1.1.0 Deployment Model BIG-IQ Integration with Cisco ACI downloads.f5.com 1 Device Package 2 F5 Configuration Device iapps {'state': 1, 'transaction': 0, 'ackedstate': 0, 'value': {(5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedstate': 0, 'value': '255.255.255.255'}, (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedstate': 0, 'value': '80' 3 BIG-IQ Device Package 3 4a 2 4b 1 F5 Synthesis Fabric ACI Fabric Virtual Edition Appliance Chassis BIG-IP integration with APIC 1 - Download device package from F5 2 - Admin import device package to APIC 3 - APIC sends config to BIG-IP directly BIG-IQ integration with APIC 1 - BIG-IP expose iapps to BIG-IQ 2 - BIG-IQ create custom device package 3 - Admin import BIG-IQ device package to APIC 4a - APIC sends iapp config to BIG-IQ -> BIG-IP 4b - APIC sends Device config to BIG-IP F5 Networks, Inc 40
Deploying Microsoft SharePoint using APIC -> BIG-IQ model Similar to the HTTP deployment, Admin use BIG- IQ to create a new template. Admin can use any F5 Microsoft sharepoint iapps that is available in the BIG-IP More customization available, like SSL offload Deploying this new template is same as HTTP model F5 Networks, Inc 41
Demo: Release 1.1.0 APIC to BIG-IP Installation Workflow
F5 ACI Integration Demo Physical Topology Mgmt 1/19 1/20 External 2.1 Internal 2.2 Mgmt BIG-IP vcmp Host Mgmt VMware- DVS vcmp guest vcmp guest VIP: 10.10.10.10 Client Web Servers F5 Networks, Inc 43
F5 ACI Demo Workflow Import Device Package Create Logical Device Cluster Add Concrete Device Create Service Graph Attach Service Graph to Contract BIG-IP config Step 1: Upload Device package Step 2: Create Device Cluster in Tenant common (for Multi-tenancy) Step 3: Create Two Concrete devices using F5 BIG-IP vcmp guests (High Availability) Step 4: Export the logical device cluster to Tenant SEA Step 5: Create L4-L7 Service Graph Template: Single Node, ADC inline mode for HTTP Step 6: Apply Service Graph Template to EPG, assign to a contract, configure L4-L7 service graph parameters Step 7: Dynamic attach web servers to EPG Web, new pool members are configured in BIG-IP thru APIC Step 8: Send traffic from Client VM to the VIP (Listener) on BIG-IP LTM Step 9: Verify Client is reaching the VIP and BIG-IP load balance between web servers Step 10: Remove one web server from EPG Web Step 11: Verify BIG-IP pool monitor is working, then APIC send detach notification to BIG-IP, removing web server from pool F5 Networks, Inc 44
Reference Material F5 and Cisco ACI Solution Overview http://www.f5.com/pdf/solution-center/cisco-aci-overview.pdf i For Your Reference F5 SDAS and Cisco ACI Solution Brief http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html Cisco Application Policy Infrastructure Controller (APIC) http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controllerapic/index.html F5 BIG-IP LTM and Cisco ACI Integration white paper http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/whitepaper-c11-732413.pdf Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone) http://www.cisco.com/c/dam/en/us/td/docs/solutions/enterprise/data_center/vmdc/big-ip-ltm/ciscovmdcwithf5_big- IP_LTM_WhitePaper.pdf Follow us on Twitter @f5networks Official F5 Networks Channel F5 Networks, Inc 45