F5

Demystifying Network Service Orchestration and Insertion in Application Centric and Programmable Network Architectures

Pier-Luc Charbonneau, CCIE #23414
Field Systems Engineer, F5 Networks
May, 2015

© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
© F5 Networks, Inc

High-Performance Services Fabric

[Diagram: Programmability (iRules / iApps / iControl); Data Plane, Control Plane and Management Plane; Virtual Edition, Appliance and Chassis; Network (Physical • Overlay • SDN)]

Understand F5 Components

• BIG-IP (Virtual Edition, Appliance, Chassis): BIG-IP is the name of the platform produced by F5. It provides Application Delivery Controller (ADC) functionality. F5 BIG-IP is offered in virtual, appliance or chassis form factor.
• LTM: LTM is the Local Traffic Manager, a licensed software module that runs inside an F5 BIG-IP. LTM handles the server load balancing function. In the 1st release, F5 integrates LTM into ACI.
• Virtual Server: the traffic management object on the BIG-IP system that is represented by an IP address and a service. The VIP is configured in the virtual server.

Understand F5 Components

• iApps: a user-customized framework for deploying applications, providing a flexible way to automate tasks and templatize functionality on F5 gear. An iApp can be F5 verified or customer defined. iApp is based on APL (Application Presentation Language).
• iRules: a highly customized, Tcl-based scripting language that allows programmatic access to traffic on the wire. You can apply an iRule to an existing virtual server to inspect / analyze / modify / route / manipulate the traffic.
• BIG-IQ: an intelligent framework for managing application services.

Traditional Network Service Insertion Challenges

Service insertion in traditional networks [Diagram: Router, FW, Router, LB, Switch, vFW, Server]:
• Configure network to insert firewall
• Configure firewall network parameters
• Configure firewall rules as required by the application
• Configure load balancer network parameters
• Configure router to steer traffic to/from load balancer
• Configure load balancer as required by the application

• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services

Impact on Data Center Architecture: Applications

MICRO-ARCHITECTURES
Each service is isolated and requires its own:
• Load balancing
• Authentication / authorization
• Security
• Layer 7 services
• May be API-based, expanding services required
More applications needing services

API DOMINANCE
Proxies are used in emerging API-centric architectures for:
• API versioning
• Client-based steering
• API load balancing
• Metering & billing
• API key management
More intelligence needed in services

[Diagram: Service A, Service B, Service C, Service D; API v1, API v2]

Application Centric Infrastructure (ACI)
Using the Language of Application in the Network

• Application Agility – Anywhere, Any time, Physical and Virtual
• Rapid Deployment of Applications with Scale and Security
• Application-centricity to Visibility and Troubleshooting
• Open Source Application Policies through Open APIs
• Common Operational Model

[Diagram: F5 Device Package for APIC; ACI fabric connecting physical networking, hypervisors and virtual networking, compute, L4–L7 services, storage, multi DC WAN & cloud; WEB / APP / DB tiers; BIG-IP physical and/or virtual. ACI slide source: Cisco]

How does ACI accelerate applications deployment?

Application Centric Infrastructure Building Blocks

[Diagram: Physical + Virtual; traditional 3-tier application (FW, ADC, WEB, ACC, APP, DB); Application Network Profile; Controller; Policy Model; Nexus 9300 and 9500; F5 BIG-IP; policy extended to L4-L7]

Building blocks of ACI:
• Application: 3 tier application (WEB-APP-DB). This may use ADC, FW services
• End point Group (EPG): Grouping of application components
• Application Policy model: Define QOS, Security, Network, L4-L7 etc. to be applied to EPG

F5 and Cisco ACI Joint Solution Benefits

• Automated L4-L7 application service insertion
• Preserves richness of F5 Synthesis offering. Ease of integration due to rich programmability
• Accelerated application deployments with scalable L4-L7 services
• Existing F5 physical and virtual appliances, topologies integrate seamlessly with Cisco ACI
• Application agility & significant reduction in operating costs
• Maintains operational best practices & offers faster provisioning of workflows

[Diagram: F5 Device Package for APIC between the ACI Fabric and the F5 Synthesis Fabric; Programmability (iRules / iApps / iControl); Data Plane, Control Plane, Management Plane; Virtual Edition, Appliance, Chassis]

ACI Service Automation thru Device Package

[Diagram: F5 Device Package containing Configuration Model (XML file) and Python scripts; APIC Policy Manager with Policy Engine, Configuration Model (XML file), Script Engine, Python scripts and APIC Script Interface; BIG-IP]

• APIC provides an extendable policy model through the Device Package
• Device Package contains an XML file defining the Device Configuration Model
• Provider Administrator can upload a Device Package
• Device scripts translate APIC API callouts to device specific callouts
• F5 has a rich programmability foundation - easier to integrate with Cisco APIC

APIC L4 – L7 Service Integration

[Diagram: traditional 3-tier application (F/W, ADC, WEB, ADC, APP, DB)]

Tenant (HR), Application Network Profile:
• Application profile (3 tier app): EPGs are defined here
• Networking policy: connectivity for the tenant, L2-L3
• Security policy (policy decision is done here): filters, QoS, traffic steering
• Troubleshooting policy: SPAN, ERSPAN etc.
• Monitoring policy: events, SNMP
• L4-L7 services policy: define L4-L7 service policy

Notes:
• Endpoint Group (EPG) – collection of bare metal servers, VMs, vNIC
  Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG
  Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG
• Contract – services between the WEB and APP EPG (web graph, HTTP graph)
  Ex: APP is a provider and WEB is the consumer
• Define services within a contract: FW, ADC; in this example ADC is defined
• Service Graph (Ex: WEB graph utilizes L7 SLB)
• Logical Device Cluster

F5 Device Package: Definition

APIC requires a Device Package to communicate with service devices.

A Device Package is a zip file containing two parts:
• Device Specification (xml): The configuration of the APIC is represented as an object model consisting of a large number of Managed Objects (MOs). A Device type is defined by a tree of MOs with a Meta Device (MDev) at the root.
• DeviceScript (py): The integration between the APIC and a Device is performed by a DeviceScript, which maps APIC events to function calls defined in the Device Script.

[Diagram: configuration through UI or North Bound APIs; EPG level L4-L7 config and Service Graph Function Node level L4-L7 config on APIC; Device Package with Device Script (Python) and Device Specification; iControl / SouthBound API to BIG-IP Physical or VE]

Device Specification excerpt shown on the slide:

  <dev type= “f5”>
  <service type= “slb”>
  <param name= “vip”>
  <dev ident=“210.1.1.1”
  <validator=“ip”
  <hidden=“no”>
  <locked=“yes”>

Logical Device Cluster / Concrete Device: Definition

• Logical Interfaces: map to concrete device interfaces
• Concrete Device: represents a service device (physical or virtual), for example an ADC or FW
• Logical Device Cluster: represents a cluster of 2 devices that operate in active/standby mode, for instance
• Tenant admin connects the concrete device to the fabric and assigns the management IP. Tenant admin registers the device with APIC. APIC validates the device using device specs from the device package
• FCS: supporting device clusters with a maximum of two concrete devices in active-standby mode

Service Graph: Definition

[Diagram: abstract graph concept mapping to a service graph; functions rendered on the same device. Service Graph “web-application” runs between the terminals EPG - EXT (consumes) and EPG - WEB (provides), through connectors and the functions Func: Firewall, Func: SSL offload, Func: Load Balancing]

Function parameters shown in the diagram:
• Firewall params: Permit ip tcp * dest-ip <vip> dest-port 80; Deny ip udp *
• SSL params: Ipaddress <vip> port 80
• Load-Balancing params: virtual-ip <vip> port 80; Lb-algorithm: round-robin

• Service graph is an ordered set of functions between a set of terminals, e.g. Firewall Function, Load balancer Function
• A function has one or more connectors
• Network connectivity like VLAN/VNID tag is assigned to these connectors
• A function within a graph may require one or more parameters
• Parameters can be scoped by an EPG or an application profile or tenant context
• Parameter values can be locked from further changes

F5 Service Insertion

• Web Farm provides services to External Users; the Policy Contract defines the relationship between Web Farm and Users
• EPG EXT (Ext Users) consumes; EPG WEB (Web Server) provides
• Service Graph contains Function Nodes; Virtual Server is a Function Node

[Diagram: service graph from start through stage 1 ... firewall ... stage N to end, with a node instance per stage; ADC: Virtual Server; Logical Device Cluster; Concrete Device]

• Service Graph insertion at the Policy Contract Subject level
• Application construct: users accessing the web servers
• Users are assigned to EPG EXT
• Web Farm is assigned to EPG WEB
• F5 BIG-IPs are Concrete Devices that belong to a Logical Device Cluster, which enables ADC as a Function Node within a Service Graph

Goals of APIC Service Insertion and Automation

• Configure and manage VLAN allocation for service insertion
• Configure the network to redirect traffic through the service device
• Configure network and service function parameters on the service device

Topology Consistency (For Your Reference)

• Core/Aggregation/Access model with 1 ARM or Inline deployment
• Users can transition to Cisco ACI seamlessly from BIG-IP 1 ARM or Inline deployment in the traditional network model

[Diagram: Inline pair (Active: External, Internal; Standby: External, Internal) and 1 ARM pair (Active: External/Internal; Standby: External/Internal). Blue PO: passing external VLAN. Orange PO: passing internal VLAN]

Cisco ACI Architecture
BIG-IP 1 ARM and Inline + HA

• BIG-IP connects to any iLeaf in the ACI topology, independent of iLeaf location

[Diagram: 1 ARM mode + HA pair (Active: External / Internal; Standby: External / Internal) and Inline mode + HA pair (Active: Internal, External; Standby: Internal, External)]

F5 and Cisco ACI Integration Models

[Diagram: ACI Fabric and F5 Synthesis Fabric (BIG-IQ; BIG-IP as Virtual Edition, Appliance, Chassis); APIC to BIG-IP Integration Model; APIC to BIG-IQ Integration Model]

F5 Device Package 1.1.0 Supported Functions

Device Package 1.1.0 continues to support the same L4 – L7 service functions as 1.0.0, with additional support of vCMP and dynamic endpoint attach/detach.

Functions
• Virtual Server
  Layer 4 Server Load balancing
  Layer 4 SLB with SSL offload
  Layer 7 Server Load balancing
  Layer 7 SLB with SSL offload
• Microsoft SharePoint

Parameters under Virtual Server
• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Device Counters
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (One Connect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management

More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases.

F5 Device Package 1.1.0: vCMP Guests Support

• vCMP (Virtual Clustered Multiprocessing) is F5's purpose-built hypervisor; it allows multiple virtual ADC instances, called vCMP guests, to reside on the same vCMP host
• In release 1.1.0, in a vCMP HA configuration, both vCMP guests must reside on the same vCMP host
• vCMP guests are used as L4-L7 Devices when creating a Logical Device Cluster

[Screenshot labels: vCMP guest 1 and 2 mgmt. IP; vCMP host mgmt. IP]

F5 Device Package 1.1.0: vCMP Guests Support

• vCMP and HA configuration are under the Concrete Devices specific configurable parameters

[Screenshot labels: vCMP guest 1 and 2 host name; vCMP guests HA parameters; vCMP host mgmt. IP under device config as well]

F5 Device Package 1.1.0: Dynamic endpoint attach/detach

• Pool members are considered endpoints in the ACI fabric; once one is “attached to” or “detached from” an EPG, APIC will send a notification to BIG-IP to add or remove this pool member
• The Internal Connector, which is tied to the provider EPG, is assigned to the WEB servers = pool members in the F5 LTM Pool
• Enable Attachment Notification
• Under Graph Template, function node ADC has two logical interfaces: external and internal

F5 Device Package 1.1.0: Dynamic endpoint attach/detach

• No need to define pool members when adding configurable parameters to the service graph template
• BIG-IP Pool has no pool members

[Screenshot label: vCMP host mgmt. IP under device config as well]

F5 Device Package 1.1.0: Dynamic endpoint attach/detach

• Assign provider EPG (Web) to the servers

• After receiving the attach notification from APIC, BIG-IP adds members to the pool
• Same for endpoint detach

F5 Device Package with Cisco APIC

Cisco APIC automates insertion and provisioning of L4-L7 services
• SSL offload
• Server load balancing (SLB) (L4 & L7)
• vCMP support
• Dynamic End point Addition

Services rendered by service appliances perform one or more service functions
• Application delivery controllers (ADCs)
• Physical and Virtual devices
• Firewall (in future)

[Diagram: BIG-IQ (BIG-IQ EM, BIG-IQ Device, BIG-IQ ADC, BIG-IQ Cloud, BIG-IQ Security) with Orchestration Platform Plug-ins; BIG-IP Local Traffic Manager (LTM), BIG-IP Global Traffic Manager (GTM), BIG-IP Application Acceleration Manager (AAM), BIG-IP Application Security Manager (ASM), BIG-IP Advanced Firewall Manager (AFM), BIG-IP Access Policy Manager (APM), BIG-IP Carrier Grade NAT (CGNAT), BIG-IP Policy Enforcement Manager (PEM); iRules, iApps, iControl; TMOS]

F5 Device Package foundation lends itself to easily extend integration for services beyond ADC.

Terminology: APIC Tenant Single Context / BIG-IP Partition

• Tenant is a container for policies (filters, contracts, bridge domains and application profiles)
• BIG-IP partition is equivalent to a single context ACI tenant
• A function node identifies a set of network service functions that are required by an application
• BIG-IP Virtual Server is equivalent to a service graph function node

Terminology: APIC Service Graph Config pushed to BIG-IP

• APIC Service Graph Function Node Config Parameters, for example webPool, will be pushed from APIC to BIG-IP
• In this example, BIG-IP populates Pool configuration from APIC

Device Package Feature: Referencing iRules

• APIC can reference iRules that reside in the BIG-IP Common partition
• BIG-IP is responsible for iRules management, including creation / modification / validation

F5 supports TRUE Multiple Graph Multiple Tenancy

• Multiple Virtual Servers for different applications in the different BIG-IP partitions/APIC Tenants, sharing the same device
• A partition created by APIC inside BIG-IP is prefixed by “apic”, “_” and the tenant-id to represent the partition in F5 (for ex: apic_5437)
• F5 demonstrates true multi-tenancy using different partitions for each tenant in APIC
• Each partition has been assigned an individual route domain for L3 separation
• Virtual Servers created by APIC inside BIG-IP are prefixed by “apic”, “_”, tenant_id, “_” and graph (for ex: apic_5437_3456)

[Diagram: single BIG-IP physical shared by Tenant A (Route Domain A, APIC partition: apic1234), Tenant B (Route Domain B, APIC partition: apic2345) and Tenant N (Route Domain N, APIC partition: apic7890), each with a Client EPG, Virtual Server 1 and Virtual Server 2, App EPG 1 and App EPG 2]

Mixed Mode Support

[Diagram: Client EPG, APIC Contract including L4-L7 services, Server EPG; Client EPG, Contract, BIG-IP Ext EPG, BIG-IP Int EPG, Contract, Server EPG]

• APIC Partition: Configuration pushed and populated by APIC. User does not modify this partition. APIC will perform L4-L7 service insertion on this partition.
• BIG-IP created Partition: User can continue to use partitions created by BIG-IP; they appear as a separate EPG to APIC. Network functionality will be managed by APIC through the Fabric, whereas L4-L7 will be managed by BIG-IP.

User can continue to use custom iApps and iRules in this scenario.

• Common Partition: User can define custom iRules under the Common partition and they can be called by APIC

[Diagram label: BIG-IP Physical or Virtual]

F5 BIG-IP + Cisco ACI Integration Options

• Cisco ACI + F5 BIG-IP without service insertion (using EPG): Ext EPG, Contract, BIG-IP EPG, Contract, Web EPG; BIG-IP phy link to ACI fabric; Common or BIG-IP partition
• Cisco ACI + F5 BIG-IP integration using L4 – L7 service insertion using service graph: Ext EPG, Contract with L4-L7 Service Insertion, Web EPG; BIG-IP phy link to ACI fabric; no BIG-IP EPG required; APIC partition
• Mixed Mode: same BIG-IP connects to ACI fabric with and without L4-L7 service insertion; Common or BIG-IP partition plus APIC partition

All the above Integration Options support 1-Arm / Inline; Physical / Virtual in HA deployment.

APIC to BIG-IP Integration Model
Leveraging BIG-IQ as device management

• APIC BIG-IQ Framework
• Manage APIC generated BIG-IP partition
  Virtual Server provisioning and configuration

[Diagram: Device Package; BIG-IP Devices]

Monitoring: Device Health Score

• Device Health Score indicates BIG-IP health based on an internal BIG-IP algorithm

Monitoring: Service Health Score

• Service Health Score indicates virtual server health based on internal / external interface state, plus pool availability

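The partition and virtual server naming rules from the multi-tenancy and mixed-mode slides can be checked mechanically against a device inventory. The following is an added example, not part of the original deck or of any F5 or Cisco tooling; the inventory format, the function names and the assumption that tenant and graph ids are numeric are this example's own.

```python
import re
from collections import defaultdict

# Naming rules stated on the multi-tenancy slide:
#   partition created by APIC:       apic_<tenant-id>          (e.g. apic_5437)
#   virtual server created by APIC:  apic_<tenant-id>_<graph>  (e.g. apic_5437_3456)
# Assumption: both ids are numeric, as in the slide's two examples.
PARTITION_RE = re.compile(r"^apic_(\d+)$")
VSERVER_RE = re.compile(r"^apic_(\d+)_(\d+)$")


def partition_kind(name):
    """Classify a partition as 'apic' (APIC-managed), 'common' or 'user'."""
    if PARTITION_RE.match(name):
        return "apic"
    return "common" if name == "Common" else "user"


def audit(partitions, virtual_servers):
    """Return sorted findings for an inventory; an empty list means consistent.

    partitions:      {partition name: route domain id}  (hypothetical format)
    virtual_servers: full paths of the form "/<partition>/<name>"
    """
    findings = []

    # Each APIC partition gets its own route domain for L3 separation.
    by_route_domain = defaultdict(list)
    for name, route_domain in partitions.items():
        if partition_kind(name) == "apic":
            by_route_domain[route_domain].append(name)
    for route_domain, names in by_route_domain.items():
        if len(names) > 1:
            findings.append(
                f"route domain {route_domain} shared by {', '.join(sorted(names))}")

    for path in virtual_servers:
        pieces = path.strip("/").split("/")
        if len(pieces) != 2 or pieces[0] not in partitions:
            findings.append(f"{path}: not inside a known partition")
            continue
        partition, name = pieces
        vs = VSERVER_RE.match(name)
        if partition_kind(partition) == "apic":
            tenant = PARTITION_RE.match(partition).group(1)
            if vs is None:
                # The APIC partition is populated by APIC only, so any other
                # object in it was created or renamed by hand.
                findings.append(f"{path}: non-APIC object in APIC partition")
            elif vs.group(1) != tenant:
                findings.append(
                    f"{path}: tenant {vs.group(1)} object in tenant {tenant} partition")
        elif vs is not None:
            findings.append(f"{path}: APIC-style name outside an APIC partition")
    return sorted(findings)


# Constructed inventory for illustration (not taken from a real device).
SAMPLE_PARTITIONS = {
    "Common": 0, "apic_5437": 1, "apic_1234": 2, "apic_2345": 2, "legacy_web": 0,
}
SAMPLE_VIRTUAL_SERVERS = [
    "/apic_5437/apic_5437_3456",  # consistent with both naming rules
    "/apic_5437/apic_1234_9001",  # another tenant's object in this partition
    "/apic_1234/manual_vs",       # hand-made object in an APIC partition
    "/legacy_web/vs_http",        # user-managed partition, nothing to flag
    "/legacy_web/apic_2345_77",   # APIC-style name in a user partition
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_PARTITIONS, SAMPLE_VIRTUAL_SERVERS):
        print(finding)
```
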
Troubleshooting: APIC Faults / Visore / debug.log / LTM log

• APIC Faults
• Visore: https://<APIC>/visore.html
• debug.log: /data/devicescript/F5.BIGIP.1.1.0/logs/debug.log
• LTM log: /var/log/*

Automation: REST API

• APIC is based on a hierarchical object model. EVERYTHING is represented as an object and every object can be manipulated via REST.
• REST operations: POST, GET, DELETE
• Support for JSON and XML

Format: https://host[:port]/api/{mo|class}/{dn|className}.{json/xml}[?options]
• /api/ —Specifies that the message is directed to the API.
• mo | class —Specifies whether the target of the operation is a managed object (MO) or an object class.
• dn —Specifies the distinguished name (DN) of the targeted MO.
• className —Specifies the name of the targeted class. This name is a concatenation of the package name of the object queried and the name of the class queried in the context of the corresponding package. For example, the class aaa:User results in a className of aaaUser in the URI.
• json | xml —Specifies whether the encoding format of the command or response HTML body is JSON or XML.

Example: Create Logical Device Cluster

All APIC operations can be represented in XML or JSON format. The APIC REST API accepts HTTPS messages that contain JSON or XML documents.

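The URI format described above can be enforced before a request leaves an automation script or when reviewing what a script sent. This added example (not from the original deck and not Cisco's SDK) builds and parses URIs according to that format and labels each of the three listed REST operations as a read or a change; the function names and the read/change labels are assumptions of this example.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# REST operations listed on the slide; the read/change labels are this example's.
OPERATIONS = {"GET": "read", "POST": "change", "DELETE": "change"}
FORMATS = ("json", "xml")


def class_name(qualified):
    """Concatenate package and class name for the URI: aaa:User -> aaaUser."""
    package, sep, cls = qualified.partition(":")
    if not (sep and package and cls):
        raise ValueError(f"expected package:Class, got {qualified!r}")
    return package + cls


def build_uri(host, kind, target, fmt="json", port=None, options=None):
    """Assemble https://host[:port]/api/{mo|class}/{dn|className}.{json|xml}[?options]."""
    if kind not in ("mo", "class"):
        raise ValueError("kind must be 'mo' or 'class'")
    if fmt not in FORMATS:
        raise ValueError("format must be json or xml")
    if kind == "class" and "/" in target:
        raise ValueError("a class name contains no '/'; use kind='mo' for a DN")
    authority = host if port is None else f"{host}:{port}"
    query = "?" + urlencode(options) if options else ""
    return f"https://{authority}/api/{kind}/{target}.{fmt}{query}"


def parse_uri(uri):
    """Split an APIC REST URI into its parts; raise ValueError if malformed."""
    parts = urlsplit(uri)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("expected https://host[:port]/...")
    if not parts.path.startswith("/api/"):
        raise ValueError("path must start with /api/")
    kind, _, tail = parts.path[len("/api/"):].partition("/")
    if kind not in ("mo", "class"):
        raise ValueError("expected /api/mo/ or /api/class/")
    # A DN may itself contain dots (uni/infra/mDev-F5-BIGIP-1.1.0), so the
    # encoding is whatever follows the LAST dot of the path.
    target, dot, fmt = tail.rpartition(".")
    if not (dot and target) or fmt not in FORMATS:
        raise ValueError("missing or unknown .json/.xml suffix")
    if kind == "class" and "/" in target:
        raise ValueError("a class query takes a class name, not a DN")
    return {
        "host": parts.hostname,
        "port": parts.port,
        "kind": kind,
        "target": target,
        "format": fmt,
        "options": dict(parse_qsl(parts.query)),
    }


def classify(method, uri):
    """Return ('read' | 'change', parsed URI) for one request."""
    method = method.upper()
    if method not in OPERATIONS:
        raise ValueError(f"{method} is not one of POST, GET, DELETE")
    return OPERATIONS[method], parse_uri(uri)


if __name__ == "__main__":
    # The request URL from the "Create Logical Device Cluster" slide.
    print(classify("POST", "https://apic1/api/mo/uni.xml"))
    # A class query built from a package:Class name.
    print(build_uri("apic1", "class", class_name("aaa:User")))
```
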
Users can use any programming language, like Python, to automate APIC operations.

REST XML
HTTP Method: POST
Request URL: https://apic1/api/mo/uni.xml
Payload:

  <vnsLDevVip contextAware="multi-Context" devtype="VIRTUAL" dn="uni/tn-SEA/lDevVip-F5ve" funcType="GoTo" mode="legacy-Mode" name="F5ve">
    <vnsRsMDevAtt tDn="uni/infra/mDev-F5-BIGIP-1.1.0"/>
    <vnsCCred name="username" value="admin"/>
    <vnsCCredSecret name="password"/>
    <vnsRsALDevToDomP tDn="uni/vmmp-VMware/dom-vcenter"/>
    <vnsCMgmt host="172.31.21.46" name="" port="443"/>
    <vnsCDev devCtxLbl="" name="F5ve_Device_2" vcenterName="vcenter" vmName="BIG-IP-VE-2">

REST JSON
HTTP Method: POST
Request URL: https://apic1/api/mo/uni.json
Payload:

  {
    "totalCount": "1",
    "imdata": [
      {
        "vnsLDevVip": {
          "attributes": {
            "contextAware": "multi-Context",
            "devtype": "VIRTUAL",
            "dn": "uni/tn-SEA/lDevVip-F5ve",
            "funcType": "GoTo",
            "mode": "legacy-Mode",
            "name": "F5ve"
          },

F5 and Cisco ACI Integration Models

[Diagram: ACI Fabric and F5 Synthesis Fabric (BIG-IQ; BIG-IP as Virtual Edition, Appliance, Chassis); APIC to BIG-IP Integration Model; APIC to BIG-IQ Integration Model]

F5 is Industry Leader in Application Delivery

• How can we provide the full set of F5 functionality to an ACI environment that is “application” focused?
• F5 has an extensive library of iApps for deploying applications

What are iApps?

An iApp is an application-centric configuration template:
• User answers a few questions about deploying an application
• iApps translates answers into a set of configuration options
• iApps can touch almost all BIG-IP functionality
  • iRules, profiles, monitors, security policies, and much more …
• There are many F5-provided iApps:
  • HTTP, Sharepoint, Exchange, VMware View, …
• Users can build their own iApps

Using BIG-IQ to bring iApps to APIC

F5 Device Package Release 1.1.0 Deployment Model

BIG-IP integration with APIC
1 - Download device package from F5
2 - Admin imports device package to APIC
3 - APIC sends config to BIG-IP directly

[Diagram: downloads.f5.com, Device Package, ACI Fabric; BIG-IQ Device Package, F5 Synthesis Fabric, iApps]

F5 Device Configuration:

  {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {(5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'}, (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'

BIG-IQ Integration with Cisco ACI

BIG-IQ integration with APIC
1 - BIG-IP exposes iApps to BIG-IQ
2 - BIG-IQ creates custom device package
3 - Admin imports BIG-IQ device package to APIC
4a - APIC sends iApp config to BIG-IQ -> BIG-IP
4b - APIC sends Device config to BIG-IP

[Diagram: BIG-IP as Virtual Edition, Appliance, Chassis]

Deploying HTTP using APIC -> BIG-IP model

• To deploy an L7 SLB service graph, the admin configures “HTTP” under device config; two parameters can be configured
• Admin can assign one iRule under the Device Config
• Under Function Config, which is the virtual server specific config, the admin can reference the HTTP profile and the iRule specified in the Device Config

Deploying HTTP using APIC -> BIG-IQ model

• Admin uses BIG-IQ Cloud -> Catalog to create a new template based on the iApp “f5.http”
• Admin can decide default values for each parameter, as well as whether each parameter is “tenant editable” or not
• Based on this new template, BIG-IQ creates an updated device package that has “HTTP-F5” as function device
• Admin updates the device package on APIC; the HTTP-F5 device function is now available in the service graph template, based on the application requirements defined by the admin
• Admin can add more iRules by editing the iApps

Deploying Microsoft SharePoint using APIC -> BIG-IP model

• Admin creates a service graph template using Microsoft-SharePoint as device function
• Admin must have the iApp “f5.Microsoft_sharepoint_2010_2013.v.1.0.0” already installed in the BIG-IP
• Admin can configure the SharePoint virtual server; parameters available are: FQDN, member and VIP

Deploying Microsoft SharePoint using APIC -> BIG-IQ model

• Similar to the HTTP deployment, the admin uses BIG-IQ to create a new template. Admin can use any F5 Microsoft SharePoint iApp that is available in the BIG-IP
• More customization available, like SSL offload
• Deploying this new template is the same as in the HTTP model

Reference Material (For Your Reference)

• F5 and Cisco ACI Solution Overview
  http://www.f5.com/pdf/solution-center/cisco-aci-overview.pdf
• F5 SDAS and Cisco ACI Solution Brief
  http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC)
  http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controllerapic/index.html
• F5 BIG-IP LTM and Cisco ACI Integration white paper
  http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/whitepaper-c11-732413.pdf
• Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone)
  http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/BIG-IP-LTM/CiscoVMDCwithF5_BIGIP_LTM_WhitePaper.pdf
• F5 BIG-IP: Workload Migration from Traditional Networks to Cisco Application Centric Infrastructure
  http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guidec07-733816.pdf
• Follow us on Twitter @f5Networks
• Official F5 Networks Channel

DevCentral F5 User Community

Over 180,000 Members in 191 Countries and Growing!

References
• Wikis
• API/SDK Documentation

Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs
• Technical Articles

Tools and Frameworks
• iRule Editor
• iControl SDK
• .NET, Java, Python, Powershell, ..
• VMware vSphere Management Plug-in
• Microsoft SCOM Monitoring Pack

Key Takeaways

• F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco’s Application Centric Infrastructure
• How Cisco ACI solves network services insertion challenges
• How F5 BIG-IP LTM integrates into Cisco ACI architecture
• Key benefits of BIG-IP / ACI model:
  Multi-Tenancy, Multi-Graph Support
  Use Case Focus
  Automation Ready
  Application level visibility and monitoring
• F5 iApps Integration with Cisco ACI using BIG-IQ, bringing application requirements to ACI policy

If I can be of further assistance please contact me: Pier-Luc Charbonneau ([email protected])

Thank you.