Download Presentation Deck - Cisco Connect Toronto 2015

F5 Demystifying Network Service Orchestration and
Insertion in Application Centric and Programmable
Network Architectures
Pier-Luc Charbonneau, CCIE #23414
Field Systems Engineer, F5 Networks
May, 2015
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
High-Performance Services Fabric
(diagram: Programmability (iRules / iApps / iControl) over the Data Plane, Control Plane and Management Plane; Virtual Edition, Appliance and Chassis form factors; Network [Physical • Overlay • SDN])
© F5 Networks, Inc
Understand F5 Components
(diagram: BIG-IP in Virtual Edition, Appliance and Chassis form factors, running the LTM module)
BIG-IP is the name of the platform produced by F5. It provides Application Delivery Controller (ADC) functionality. F5 BIG-IP is offered in virtual, appliance or chassis form factors.
LTM is the Local Traffic Manager, a licensed software module that runs inside an F5 BIG-IP. LTM handles the server load balancing function. In the 1st release, F5 integrates LTM into ACI.
A Virtual Server is the traffic management object on the BIG-IP system that is represented by an IP address and a service. The VIP is configured in the virtual server.
Understand F5 Components
iApps
iApps is a user-customizable framework for deploying applications, providing a flexible way to automate tasks and templatize functionality on F5 gear. An iApp can be F5 verified or customer defined. iApps are based on APL (Application Presentation Language).
iRules
iRules is a highly customizable, Tcl-based scripting language that allows programmatic access to traffic on the wire. You can apply an iRule to an existing virtual server to inspect / analyze / modify / route / manipulate the traffic.
BIG-IQ
BIG-IQ is an intelligent framework for managing application services.
Traditional Network Service Insertion Challenges
(diagram: Service Insertion in traditional Networks – Router, FW, Router, Switch, LB, vFW, Server)
Steps required:
• Configure Network to insert Firewall
• Configure firewall network parameters
• Configure firewall rules as required by the application
• Configure Load Balancer Network Parameters
• Configure Router to steer traffic to/from Load Balancer
• Configure Load Balancer as required by the application
Challenges:
• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services
Impact on Data Center Architecture: Applications
MICRO-ARCHITECTURES
Each service is isolated and requires its own:
• Load balancing
• Authentication / authorization
• Security
• Layer 7 Services
• May be API-based, expanding services required
More applications needing services
API DOMINANCE
Proxies are used in emerging API-centric architectures for:
• API versioning
• Client-based steering
• API Load balancing
• Metering & billing
• API key management
More intelligence needed in services
(diagram: Service A, Service B, Service C and Service D behind API v1 and API v2)
Application Centric Infrastructure (ACI)
Using the Language of Application in the Network
• Application Agility – Any where, Any time, Physical and Virtual
• Rapid Deployment of Applications with Scale and Security
• Application-centricity to Visibility and Troubleshooting
• Open Source Application Policies through Open APIs
• Common Operational Model
(diagram: F5 DEVICE PACKAGE FOR APIC; WEB / APP / DB tiers across PHYSICAL NETWORKING, HYPERVISORS AND VIRTUAL NETWORKING, COMPUTE, L4–L7 SERVICES, STORAGE and MULTI DC WAN & CLOUD; BIG-IP PHYSICAL AND/OR VIRTUAL)
ACI slide Source: Cisco
How does ACI accelerate applications deployment?
Application Centric Infrastructure Building Blocks
(diagram: Traditional 3-Tier Application (WEB / APP / DB) with FW and ADC, Physical + Virtual; APPLICATION NETWORK PROFILE, CONTROLLER POLICY MODEL, NEXUS 9300 AND 9500, F5 BIG-IP; Policy extended to L4-L7)
Building blocks of ACI
• Application: 3 tier application (WEB-APP-DB). This may use ADC, FW services
• Endpoint Group (EPG): Grouping of application Components
• Application Policy model: Define QOS, Security, Network, L4-L7 etc. to be applied to EPG
F5 and Cisco ACI Joint Solution Benefits
• Automated L4-L7 application service insertion
• Accelerated application deployments with scalable L4-L7 services
• Application agility & significant reduction in operating costs
• Preserves richness of F5 Synthesis offering. Ease of integration due to rich programmability
• Existing F5 Physical and Virtual appliances, topologies integrate seamlessly with Cisco ACI
• Maintains operational best practices & offers faster provisioning of workflows
(diagram: F5 DEVICE PACKAGE FOR APIC between the ACI Fabric and the F5 Synthesis Fabric; Programmability (iRules / iApps / iControl), Data Plane, Control Plane, Management Plane; Virtual Edition, Appliance, Chassis)
ACI Service Automation thru Device Package
(diagram: APIC – Policy Manager with Policy Engine and Script Engine; F5 Device Package containing the Configuration Model (XML File) and Python Scripts, connected through the APIC Script Interface; BIG-IP)
Device Package contains:
• Configuration Model (XML File)
• Python Scripts
• APIC provides an extendable policy model through the Device Package
• The Device Package contains an XML file defining the Device Configuration Model
• A Provider Administrator can upload a Device Package
• Device scripts translate APIC API callouts to device-specific callouts
F5 has a rich programmability foundation - easier to integrate with Cisco APIC
APIC L4 – L7 Service Integration
(diagram: Traditional 3-Tier Application with F/W and ADC, WEB / APP / DB tiers, mapped to TENANT (HR) with an ADC in front of the WEB EPG)
APPLICATION NETWORK PROFILE
• APPLICATION PROFILE (3 TIER APP): EPGS ARE DEFINED HERE
  Endpoint Group (EPG) – collection of bare metal servers, VMs, vNICs
  Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG
  Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG
• NETWORKING POLICY: CONNECTIVITY FOR THE TENANT L2-L3
• SECURITY POLICY (POLICY DECISION IS DONE HERE): FILTERS, QOS, TRAFFIC STEERING
  Contract – services between the WEB and APP EPG (web graph, HTTP graph)
  Ex: APP is a provider and WEB is the consumer
  Define services within a contract: FW, ADC; in this example ADC is defined
• TROUBLESHOOTING POLICY: SPAN, ERSPAN ETC
• MONITORING POLICY: EVENTS, SNMP
• L4-L7 SERVICES POLICY: DEFINE L4-L7 SERVICE POLICY
  Service Graph (Ex: WEB graph utilizes L7 SLB)
  Logical Device Cluster
F5 Device Package: Definition
APIC requires a Device Package to communicate with service devices.
A Device Package is a zip file containing two parts:
• Device Specification (xml): The configuration of the APIC is represented as an object model consisting of a large number of Managed Objects (MOs). A Device type is defined by a tree of MOs with a Meta Device (MDev) at the root.
• DeviceScript (py): The integration between the APIC and a Device is performed by a DeviceScript, which maps APIC events to function calls defined in the Device Script.
(diagram: Configuration through UI or North Bound APIs → APIC (EPG level L4-L7 config, Service Graph Function, Node level L4-L7 config) → Device Package (Device Specification, Device Script in Python) → iControl / SouthBound API → BIG-IP, Physical or VE)
Device Specification (sketch from the slide):
<dev type="f5">
  <service type="slb">
    <param name="vip" ident="210.1.1.1" validator="ip" hidden="no" locked="yes"/>
  </service>
</dev>
Logical Device Cluster / Concrete Device: Definition
• Logical Device Cluster: Represents a cluster of 2 devices that operate in active/standby mode, for instance
• Concrete Device: Represents a service device (physical or virtual), for example an ADC or FW
• Logical Interfaces: Map to concrete device interfaces
• The Tenant admin connects the concrete Device to the fabric and assigns a management IP.
• The Tenant admin registers the device with APIC. APIC validates the device using the device specs from the device package.
FCS: Supports device clusters with a maximum of two concrete devices in active-standby mode
Service Graph: Definition
Abstract graph concept mapping to Service Graph Functions rendered on the same device
(diagram: Service Graph "web-application" between EPG - EXT (Consumes) and EPG - WEB (Provides); Terminals and Connectors around Func: Firewall → Func: SSL offload → Func: Load Balancing)
Firewall params:
  Permit ip tcp * dest-ip <vip> dest-port 80
  Deny ip udp *
SSL params:
  Ipaddress <vip> port 80
Load-Balancing params:
  virtual-ip <vip> port 80
  Lb-algorithm: round-robin
• Service graph is an ordered set of functions between a set of terminals, e.g. Firewall Function, Load balancer Function
• A function has one or more connectors
• Network connectivity like VLAN/VNID tag is assigned to these connectors
• A function within a graph may require one or more parameters
• Parameters can be scoped by an EPG or an application profile or tenant context
• Parameter values can be locked from further changes
F5 Service Insertion
(diagram: EPG EXT (Ext Users, Consume) and EPG WEB (Web Servers, Provide) joined by a Policy Contract; Service Graph from start through stage 1 … stage N to end, with Function Node instances such as firewall and ADC: Virtual Server; Logical Device Cluster of Concrete Devices)
• Web Farm provides services to External Users; the Policy Contract defines the relationship between Web Farm and Users
• Service Graph Insertion at the Policy Contract Subject level
• Service Graph contains Function Nodes; a Virtual Server is a Function Node
• F5 BIG-IPs are Concrete Devices belonging to a Logical Device Cluster, which enables ADC as a Function Node within a Service Graph
Application Construct:
• Users assigned to EPG EXT
• Web Farm assigned to EPG WEB
• Users accessing the Web Servers
Goals of APIC Service Insertion and Automation
• Configure and Manage VLAN allocation for service insertion
• Configure the network to redirect traffic through service device
• Configure network and service function parameters on service device
Topology Consistency
Core/Aggregation/Access model with 1 ARM or Inline deployment
(diagram: Active and Standby BIG-IP pairs with separate External and Internal links, or a combined External/Internal link; Blue PO: passing external VLAN; Orange PO: passing internal VLAN)
Users can transition to Cisco ACI seamlessly from a BIG-IP 1ARM or Inline deployment in the traditional network model
For Your Reference
Cisco ACI Architecture
BIG-IP 1 ARM and Inline + HA
(diagram: 1 ARM mode + HA pair – Active and Standby BIG-IP each with a combined External / Internal link; Inline mode + HA pair – Active and Standby BIG-IP each with separate Internal and External links)
BIG-IP connects to any iLeaf in the ACI topology, independent of iLeaf location
F5 and Cisco ACI Integration Models
(diagram: ACI Fabric and F5 Synthesis Fabric, with BIG-IP as Virtual Edition, Appliance or Chassis and BIG-IQ; APIC to BIG-IP Integration Model; APIC to BIG-IQ Integration Model)
F5 Device Package 1.1.0 Supported Functions
Device Package 1.1.0 continues to support the same L4 – L7 service functions as 1.0.0, with additional support for vCMP and dynamic endpoint attach/detach
Functions
• Virtual Server
 Layer 4 Server Load balancing
 Layer 4 SLB with SSL offload
 Layer 7 Server Load balancing
 Layer 7 SLB with SSL offload
• Microsoft SharePoint
Parameters under Virtual Server
• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Device Counters
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (OneConnect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management
More than 80% of F5 customers use L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases
F5 Device Package 1.1.0: vCMP Guests Support
vCMP (Virtual Clustered Multiprocessing) is F5's purpose-built hypervisor, allowing multiple virtual ADC instances, called vCMP guests, to reside on the same vCMP host
In release 1.1.0, in a vCMP HA configuration, both vCMP guests must reside on the same vCMP host
(screenshot: using vCMP guests as L4-L7 Devices when creating a Logical Device Cluster; vCMP guest 1 and 2 mgmt. IP; vCMP host mgmt. IP)
F5 Device Package 1.1.0: vCMP Guests Support
vCMP and HA configuration under Concrete Devices specific configurable parameters
(screenshot: vCMP guest 1 and 2 host name; vCMP guests HA parameters; vCMP host mgmt. IP under device config as well)
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
Pool members are considered endpoints in the ACI fabric; once "attached to" or "detached from" an EPG, APIC will send a notification to BIG-IP to add or remove this pool member
(screenshot: under the Graph Template, function node ADC has two logical interfaces, external and internal; the Internal Connector, which is tied to the provider EPG, is assigned to the WEB servers = pool members in the F5 LTM Pool; Enable Attachment Notification)
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
(screenshot: no need to define pool members when adding configurable parameters to the service graph template; vCMP host mgmt. IP under device config as well; BIG-IP Pool has no pool members)
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
(screenshot: assign provider EPG (Web) to the servers)
After receiving the attach notification from APIC, BIG-IP adds members to the pool. Same for endpoint detach.
F5 Device Package with Cisco APIC
Cisco APIC automates insertion and provisioning of L4-L7 services
• SSL offload
• Server load balancing (SLB) (L4 & L7)
• vCMP support
• Dynamic End point Addition
Services rendered by service appliances perform one or more service functions
• Application delivery controllers (ADCs)
• Physical and Virtual devices
• Firewall (in future)
(diagram: Orchestration Platform Plug-ins – BIG-IQ EM, BIG-IQ Device, BIG-IQ ADC, BIG-IQ Cloud, BIG-IQ Security; BIG-IP modules on TMOS with iRules, iApps, iControl – Local Traffic Manager (LTM), Global Traffic Manager (GTM), Application Acceleration Manager (AAM), Application Security Manager (ASM), Advanced Firewall Manager (AFM), Access Policy Manager (APM), Carrier Grade NAT (CGNAT), Policy Enforcement Manager (PEM))
F5 Device Package foundation lends itself to easily extend integration for services beyond ADC
Terminology: APIC Tenant Single Context / BIG-IP Partition
• A Tenant is a container for policies (filters, contracts, bridge domains and application profiles)
• A BIG-IP partition is equivalent to a single context ACI tenant
• A function node identifies a set of network service functions that are required by an application
• A BIG-IP Virtual Server is equivalent to a service graph function node
Terminology: APIC Service Graph Config pushed to BIG-IP
APIC Service Graph Function Node Config Parameters, for example webPool, will be pushed from APIC to BIG-IP.
In this example, BIG-IP populates the Pool configuration from APIC.
Device Package Feature: Referencing iRules
APIC can reference iRules that reside in the BIG-IP Common partition.
BIG-IP is responsible for iRules management, including creation / modification / validation.
F5 supports TRUE Multiple Graph Multiple Tenancy
• Multiple Virtual Servers for different applications in different BIG-IP partitions/APIC Tenants, sharing the same device
• A partition created by APIC inside BIG-IP is named with the prefix apic, "_" and the tenant-id to represent the partition in F5 (for ex: apic_5437)
• F5 demonstrates true multi-tenancy using different partitions for each tenant in APIC
• Each partition has been assigned an individual route domain for L3 separation
• Virtual Servers created by APIC inside BIG-IP are named with the prefix apic, "_", tenant_id, "_" and graph (for ex: apic_5437_3456)
(diagram: Single BIG-IP physical hosting Tenant A, Tenant B and Tenant N, each with its own APIC partition (apic1234, apic2345, apic7890), Route Domain (A, B, N), Client EPG, App EPG 1 / App EPG 2 and Virtual Server 1 / Virtual Server 2)
Mixed Mode Support
(diagram: APIC Partition – Client EPG → Contract including L4-L7 services → Server EPG; BIG-IP created Partition – Client EPG → Contract → BIG-IP Ext EPG / BIG-IP Int EPG → Contract → Server EPG; BIG-IP Physical or Virtual)
APIC Partition: Configuration is pushed and populated by APIC. The user does not modify this partition. APIC will perform L4-L7 service insertion on this partition.
BIG-IP created Partition: Users can continue to use partitions created by BIG-IP; they appear as separate EPGs to APIC. Network functionality will be managed by APIC through the Fabric, while L4-L7 will be managed by BIG-IP. Users can continue to use custom iApps and iRules in this scenario.
Common Partition: Users can define custom iRules under the Common partition and they can be called by APIC.
F5 BIG-IP + Cisco ACI Integration Options
(diagram: three ACI Fabric topologies)
• Cisco ACI + F5 BIG-IP without service insertion (using EPG): Ext EPG – Contract – BIG-IP EPG – Contract – Web EPG; BIG-IP phy link to ACI fabric; Common or BIG-IP partition
• Cisco ACI + F5 BIG-IP Integration using L4 – L7 service insertion using service graph: Ext EPG – Contract with L4-L7 Service Insertion – Web EPG; BIG-IP phy link to ACI fabric; No BIG-IP EPG required; APIC partition
• Mixed Mode: same BIG-IP connects to ACI fabric with and without L4-L7 service insertion; Common or BIG-IP partition plus APIC partition
All the above Integration Options support 1-Arm / Inline; Physical / Virtual in HA deployment
APIC to BIG-IP Integration Model
Leveraging BIG-IQ as device management
(diagram: APIC with Device Package → BIG-IP Devices, with the BIG-IQ Framework alongside)
• Manage APIC generated BIG-IP partition
• Virtual Server provisioning and configuration
Monitoring: Device Health Score
Device Health Score indicates BIG-IP health based on an internal BIG-IP algorithm
Monitoring: Service Health Score
Service Health Score indicates virtual server health based on internal / external interface state, plus pool availability
Troubleshooting:
APIC Faults / Visore / debug.log / LTM log
• APIC Faults
• Visore: https://<APIC>/visore.html
• debug.log: /data/devicescript/F5.BIGIP.1.1.0/logs/debug.log
• LTM log: /var/log/*
Automation: REST API
• APIC is based on a hierarchical object model. EVERYTHING is represented as an object and every object can be manipulated via REST.
• REST operations: POST, GET, DELETE
• Support for JSON and XML
Format: https://host[:port]/api/{mo|class}/{dn|className}.{json/xml}[?options]
• /api/ —Specifies that the message is directed to the API.
• mo | class —Specifies whether the target of the operation is a managed object (MO) or an object class.
• dn —Specifies the distinguished name (DN) of the targeted MO.
• className —Specifies the name of the targeted class. This name is a concatenation of the package name of the object queried and the name of the class queried in the context of the corresponding package. For example, the class aaa:User results in a className of aaaUser in the URI.
• json | xml —Specifies whether the encoding format of the command or response HTML body is JSON or XML.
Example: Create Logical Device Cluster
All APIC operations can be represented in XML or JSON format.
The APIC REST API accepts HTTPS messages that contain JSON or XML documents.
Users can use any programming language, like python, to automate APIC operations.
REST XML
HTTP Method: POST
Request URL: https://apic1/api/mo/uni.xml
Payload (truncated on the slide):
<vnsLDevVip contextAware="multi-Context"
    devtype="VIRTUAL" dn="uni/tn-SEA/lDevVip-F5ve"
    funcType="GoTo" mode="legacy-Mode" name="F5ve">
  <vnsRsMDevAtt tDn="uni/infra/mDev-F5-BIGIP-1.1.0"/>
  <vnsCCred name="username" value="admin"/>
  <vnsCCredSecret name="password"/>
  <vnsRsALDevToDomP tDn="uni/vmmp-VMware/dom-vcenter"/>
  <vnsCMgmt host="172.31.21.46" name="" port="443"/>
  <vnsCDev devCtxLbl="" name="F5ve_Device_2"
      vcenterName="vcenter" vmName="BIG-IP-VE-2">
REST JSON
HTTP Method: POST
Request URL: https://apic1/api/mo/uni.json
Payload (truncated on the slide):
{
  "totalCount": "1",
  "imdata": [
    {
      "vnsLDevVip": {
        "attributes": {
          "contextAware": "multi-Context",
          "devtype": "VIRTUAL",
          "dn": "uni/tn-SEA/lDevVip-F5ve",
          "funcType": "GoTo",
          "mode": "legacy-Mode",
          "name": "F5ve"
        },
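The URI format from the Automation slide and the vnsLDevVip payload above, worked through as an added Python example; this is not code from the deck, Cisco or F5. It assumes the slide's own sample values (apic1, tenant SEA, device F5ve, 172.31.21.46, the 1.1.0 mDev DN). Two details are assumptions from the APIC object model rather than from the slide: that vnsCCredSecret carries the password in a value attribute, and that a logged-in session presents an APIC-cookie obtained from aaaLogin. The JSON form posts the object itself; the totalCount/imdata envelope on the slide is the shape APIC uses when it returns objects. The password is read from the environment rather than written into the payload, and a redacted copy is what gets logged or stored in change records.

```python
import copy
import json
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Added example for this transcript; not code from the deck, Cisco or F5.
# Host, tenant, device and address values are the slide's sample values or
# constructed placeholders.


def apic_uri(host, target, kind="mo", fmt="json", port=None, **options):
    """Build an APIC REST URI in the format the deck gives:
    https://host[:port]/api/{mo|class}/{dn|className}.{json|xml}[?options]"""
    if kind not in ("mo", "class"):
        raise ValueError("kind must be 'mo' or 'class'")
    if fmt not in ("json", "xml"):
        raise ValueError("fmt must be 'json' or 'xml'")
    if kind == "class":
        # className is package + class with the separator dropped: aaa:User -> aaaUser
        target = target.replace(":", "")
    authority = f"{host}:{port}" if port else host
    uri = f"https://{authority}/api/{kind}/{target}.{fmt}"
    return uri + ("?" + urlencode(options) if options else "")


def ldev_vip_payload(tenant, name, mdev_dn, mgmt_host, username, device_name,
                     vm_name, vmm_domain="vcenter", vcenter_name="vcenter",
                     mgmt_port="443", password=None):
    """Build the vnsLDevVip (Logical Device Cluster) tree shown on the slide.
    The password is only written into the tree when explicitly passed; the
    'value' attribute on vnsCCredSecret is assumed from the APIC object model."""
    root = ET.Element("vnsLDevVip", {
        "contextAware": "multi-Context", "devtype": "VIRTUAL",
        "dn": f"uni/tn-{tenant}/lDevVip-{name}", "funcType": "GoTo",
        "mode": "legacy-Mode", "name": name,
    })
    ET.SubElement(root, "vnsRsMDevAtt", {"tDn": mdev_dn})
    ET.SubElement(root, "vnsCCred", {"name": "username", "value": username})
    secret = ET.SubElement(root, "vnsCCredSecret", {"name": "password"})
    if password is not None:
        secret.set("value", password)
    ET.SubElement(root, "vnsRsALDevToDomP", {"tDn": f"uni/vmmp-VMware/dom-{vmm_domain}"})
    ET.SubElement(root, "vnsCMgmt", {"host": mgmt_host, "name": "", "port": mgmt_port})
    ET.SubElement(root, "vnsCDev", {"devCtxLbl": "", "name": device_name,
                                    "vcenterName": vcenter_name, "vmName": vm_name})
    return root


def to_apic_json(elem):
    """Convert the element tree into the {class: {attributes, children}} JSON
    shape APIC accepts, so the same object can be posted to uni.json."""
    node = {"attributes": dict(elem.attrib)}
    kids = [to_apic_json(child) for child in elem]
    if kids:
        node["children"] = kids
    return {elem.tag: node}


def redacted_copy(root):
    """Copy of the tree with the device password removed, safe to log."""
    clone = copy.deepcopy(root)
    for secret in clone.iter("vnsCCredSecret"):
        secret.attrib.pop("value", None)
    return clone


def post_to_apic(uri, body, apic_cookie, content_type):
    """POST the payload with the APIC-cookie session cookie (assumed to come
    from aaaLogin). TLS verification stays on: the default context only
    accepts an APIC certificate the client trusts."""
    req = urllib.request.Request(
        uri, data=body.encode(), method="POST",
        headers={"Content-Type": content_type, "Cookie": f"APIC-cookie={apic_cookie}"})
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status, resp.read().decode()


if __name__ == "__main__":
    cluster = ldev_vip_payload("SEA", "F5ve", "uni/infra/mDev-F5-BIGIP-1.1.0",
                               "172.31.21.46", "admin", "F5ve_Device_2", "BIG-IP-VE-2",
                               password=os.environ.get("BIGIP_PASSWORD"))
    print(apic_uri("apic1", "uni", fmt="xml"))
    print(ET.tostring(redacted_copy(cluster), encoding="unicode"))
    print(json.dumps(to_apic_json(redacted_copy(cluster)), indent=2))
    # Pushing it for real needs a reachable APIC and a session cookie, e.g.:
    # post_to_apic(apic_uri("apic1", "uni", fmt="xml"),
    #              ET.tostring(cluster, encoding="unicode"),
    #              os.environ["APIC_COOKIE"], "application/xml")
```

apic_uri also takes query options (for example query-target=children on a GET against a tenant DN), which the slide's format reserves with [?options].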
F5 and Cisco ACI Integration Models
(diagram: ACI Fabric and F5 Synthesis Fabric, with BIG-IP as Virtual Edition, Appliance or Chassis and BIG-IQ; APIC to BIG-IP Integration Model; APIC to BIG-IQ Integration Model)
F5 is Industry Leader in Application Delivery
How can we provide the full set of F5 functionality to an ACI environment that is "application" focused?
F5 has an extensive library of iApps for deploying applications
What are iApps?
An iApp is an application-centric configuration template:
• The user answers a few questions about deploying an application
• The iApp translates the answers into a set of configuration options
• iApps can touch almost all BIG-IP functionality
  • iRules, profiles, monitors, security policies, and much more …
• There are many F5-provided iApps:
  • HTTP, SharePoint, Exchange, VMware View, …
• Users can build their own iApps
Using BIG-IQ to bring iApps to APIC
F5 Device Package Release 1.1.0 Deployment Model – BIG-IP integration with APIC
1 - Download device package from F5 (downloads.f5.com)
2 - Admin imports device package to APIC
3 - APIC sends config to BIG-IP directly
BIG-IQ Integration with Cisco ACI – BIG-IQ integration with APIC
1 - BIG-IP exposes iApps to BIG-IQ
2 - BIG-IQ creates custom device package
3 - Admin imports BIG-IQ device package to APIC
4a - APIC sends iApp config to BIG-IQ -> BIG-IP
4b - APIC sends Device config to BIG-IP
(diagram: ACI Fabric; F5 Synthesis Fabric with BIG-IP as Virtual Edition, Appliance or Chassis; BIG-IQ; iApps; Device Package)
F5 Device Config / Configuration (as shown on the slide, truncated):
{'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {
    (5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'},
    (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'
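The configuration the slide shows being handed to the F5 device config is a nested Python dict whose container nodes are keyed by (type, key, name) tuples and whose every node carries state, transaction, ackedState and value. The walker and validators below are an added example, not code from the deck, Cisco or F5; they assume only that dict shape, the sample data is constructed (with one deliberately bad port), and the validator idea follows the validator="ip" attribute the Device Specification slide sketches. A device script that checks parameters this way rejects malformed input before it is turned into iControl calls.

```python
import ipaddress

# Added example for this transcript; not code from the deck, Cisco or F5.
# It assumes only the dict shape visible on the slide: each node carries
# 'state', 'transaction', 'ackedState' and 'value', and container nodes hold
# children keyed by (type, key, name) tuples.

# Constructed sample in the slide's shape; port2 is deliberately out of range.
SAMPLE_CONFIG = {
    'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {
        (5, 'DestinationNetmask', 'Netmask1'): {
            'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'},
        (5, 'DestinationPort', 'port1'): {
            'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'},
        (5, 'DestinationPort', 'port2'): {
            'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '99999'},
    }
}


def flatten_config(node, path=()):
    """Yield (path, value, state) for every leaf parameter; path is the tuple
    of (key, name) pairs from the root down to the leaf."""
    value = node.get('value')
    if isinstance(value, dict):
        for (_type, key, name), child in value.items():
            yield from flatten_config(child, path + ((key, name),))
    else:
        yield path, value, node.get('state')


def is_netmask(text):
    """True for a contiguous IPv4 netmask such as 255.255.255.0."""
    try:
        ipaddress.IPv4Network(f'0.0.0.0/{text}')
        return True
    except ValueError:
        return False


def is_port(text):
    """True for a TCP/UDP port in 1..65535 given as a decimal string."""
    return text.isdigit() and 1 <= int(text) <= 65535


# Validators keyed by parameter key, in the spirit of the validator="ip"
# attribute the deck shows in the device specification.
VALIDATORS = {'DestinationNetmask': is_netmask, 'DestinationPort': is_port}


def validate_config(config):
    """Return [(path, value)] for every leaf that fails its validator."""
    problems = []
    for path, value, _state in flatten_config(config):
        key = path[-1][0]
        check = VALIDATORS.get(key)
        if check is not None and not check(str(value)):
            problems.append((path, value))
    return problems


def leaf_values(config):
    """Map the (key, name) of each leaf to its value, e.g. to build a VIP."""
    return {path[-1]: value for path, value, _ in flatten_config(config)}


if __name__ == '__main__':
    for path, value, state in flatten_config(SAMPLE_CONFIG):
        print(path, value, 'state', state)
    print('problems:', validate_config(SAMPLE_CONFIG))
```

Keys that have no validator pass through untouched, so unknown parameters are not silently dropped; a stricter device script would treat a missing validator as a failure instead.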
Deploying HTTP using APIC -> BIG-IP model
To deploy an L7 SLB service graph, the admin configures "HTTP" under the device config; two parameters can be configured.
The admin can assign one iRule under the Device Config.
Under Function Config, which is the virtual server specific config, the admin can reference the HTTP profile and the iRule specified in the Device Config.
Deploying HTTP using APIC -> BIG-IQ model
The admin uses BIG-IQ Cloud -> Catalog to create a new template based on the iApp "f5.http"
The admin can decide default values for each parameter, as well as whether the parameter is "tenant editable" or not
Based on this new template, BIG-IQ creates an updated device package that has "HTTP-F5" as a device function
The admin updates the device package on APIC; the HTTP-F5 device function is now available in the service graph template, based on the application requirements defined by the admin
The admin can add more iRules by editing the iApp
Deploying Microsoft SharePoint using APIC -> BIG-IP model
The admin creates a service graph template using Microsoft-SharePoint as the device function
The admin must have the iApp "f5.Microsoft_sharepoint_2010_2013.v.1.0.0" already installed in the BIG-IP
The admin can configure the SharePoint virtual server; the parameters available are: FQDN, member and VIP
Deploying Microsoft SharePoint using APIC -> BIG-IQ model
Similar to the HTTP deployment, the admin uses BIG-IQ to create a new template. The admin can use any F5 Microsoft SharePoint iApp that is available in the BIG-IP
More customization is available, like SSL offload
Deploying this new template is the same as in the HTTP model
Reference Material (For Your Reference)
• F5 and Cisco ACI Solution Overview
  http://www.f5.com/pdf/solution-center/cisco-aci-overview.pdf
• F5 SDAS and Cisco ACI Solution Brief
  http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC)
  http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controllerapic/index.html
• F5 BIG-IP LTM and Cisco ACI Integration white paper
  http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/whitepaper-c11-732413.pdf
• Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone)
  http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/BIG-IP-LTM/CiscoVMDCwithF5_BIGIP_LTM_WhitePaper.pdf
• F5 BIG-IP: Workload Migration from Traditional Networks to Cisco Application Centric Infrastructure
  http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guidec07-733816.pdf
• Follow us on Twitter @f5Networks  Official F5 Networks Channel
DevCentral F5 User Community
Over 180,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation
Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs
• Technical Articles
Tools and Frameworks
• iRule Editor
• iControl SDK
• .NET, Java, Python, Powershell, ..
• VMware vSphere Management Plug-in
• Microsoft SCOM Monitoring Pack
Key Takeaways
• F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco's Application Centric Infrastructure
• How Cisco ACI solves network services insertion challenges
• How F5 BIG-IP LTM integrates into Cisco ACI architecture
• Key benefits of BIG-IP / ACI model:
 Multi-Tenancy, Multi-Graph Support
 Use Case Focus
 Automation Ready
 Application level visibility and monitoring
• F5 iApps Integration with Cisco ACI using BIG-IQ bringing application requirements to ACI policy
If I can be of further assistance please contact me:
Pier-Luc Charbonneau ([email protected])
Thank you.