F5 BIG-IP and Cisco ACI Integration
Network Service Orchestration and Insertion
Jeffrey Wong - Solution Architect
F5 Networks
February, 2015
© F5 Networks, Inc 2
Agenda
• State of IT
• ACI Overview
• F5 Synthesis Overview
• ACI L4-L7 Service Insertion Overview
• F5 Device Package Release 1.1.0 Details and Integration with Cisco ACI
• Workload Migration from Traditional Networks to Cisco ACI
• F5 BIG-IQ Integration with Cisco ACI
How Are We Doing?
IT impedes growth, or IT spends too much?
[Figure: two panels, each labelled “Deploy this much? But need this?”]
How much IT will You need ?
What if IT was On-Demand? Would that be “Cloud” ?
The on-going “IT pain”
• High cost, heterogeneous systems
• Redundant functionality
• Lack of agility to innovate
• Slow time to market
• Rising maintenance costs
• Rising regulatory and compliance costs,
multiplied by:
• Heterogeneous systems
• Geographic expansion / local laws
• Falling IT Budgets
What Happened?
• Separation of IT areas / buying centers / silos prevents IT from moving at the speed demanded by the business
• Focus changed from Consolidation to Automation
• Business owners and application developers started to go straight to public cloud to meet agility and demand. Security and data sovereignty concerns arise.
• Operations becomes more relevant. Shift from “what it does / how it works” to “how to use / how to consume it”.
DevOps
What is ACI?
Application Oriented Policy = Operational Simplicity
Introducing: Application Centric Infrastructure (ACI)
Apps + Infrastructure
Physical + Virtual + Containers
Open + Secure
On-Premises + Cloud
Control & Audit Connectivity
(Security – Firewall, ACL, …)
IP Address, VLAN, VRF
Enable Connectivity
(The Network)
Application Requirements
IP Addressing
Application Requirements
Application Specific Connectivity
Dynamic provisioning of
connectivity explicitly defined for
the application
Application Requirements
Redirect and Load Balance Connectivity
IP Address, VLAN, VRF
ACI directly maps the application
connectivity requirements onto the
network and services fabric
Why Networks are Complex
Overloaded Network Constructs
Network-Centric to application-centric
Two types of language
NETWORK LANGUAGE
• VLAN
• IP Address
• Subnets
• Firewalls
• Quality of Service
• Load Balancer
• Access Lists
APPLICATION LANGUAGE
• Application Tier Policy and
Dependencies
• Security Requirements
• Service Level Agreement
• Application Performance
• Compliance
• Geo Dependencies
• Etc.
Application Policy Model and Instantiation
All forwarding in the fabric is managed through the application network profile
• IP addresses are fully portable anywhere within the fabric
• Security and forwarding are fully decoupled from any physical or virtual network attributes
• Devices autonomously update the state of the network based on configured policy requirements
[Figure: Application Client, Web Tier, App Tier, DB Tier and Storage; VMs at 10.2.4.7, 10.9.3.37 and 10.32.3.7; APIC]
Application policy model: Defines the application requirements (application network profile)
Policy instantiation: Each device dynamically instantiates the required changes based on the policies
ACI understands and speaks APPLICATION Needs
DIRECTLY MAP TO ACI NETWORK PROFILES
[Figure: APPLICATION REQUIREMENTS and NETWORK REQUIREMENTS for WEB, APP and DB tiers with F/W and ADC; labels: WAN, Firewall, ADC from Web, Connect to DB, Connect to App, High Priority]
ACI BUILDING BLOCKS
FUTURE PROOF—SOFTWARE UPGRADABLE TO ACI
NEXUS 9500 and 9300
INNOVATIONS IN SOFTWARE, HARDWARE AND SYSTEM DESIGN
PRICE • POWER EFFICIENCY • PROGRAMMABILITY • PORT DENSITY • PERFORMANCE
OPTIMIZED NX-OS
[Figure labels: OPEN RESTFUL APIS; CENTRALIZED POLICY MODEL; OPEN SOURCE; CONTROLLER (APIC); next generation nexus—TRADITIONAL NETWORKS; POLICY MODEL (ACI); 50% SIMPLER CODE BASE; FUTURE PROOF, UPGRADABLE TO ACI; PROGRAMMABILITY AND AUTOMATION; NETWORK VIRTUALIZATION SUPPORT; RESILIENCY: IN SERVICE PATCHING, UPGRADE, FAST RESTART]
F5 Synthesis Overview
Impact on Data Center Architecture: Applications
MICRO-ARCHITECTURES
Each service is isolated and requires its own:
• Load balancing
• Authentication / authorization
• Security
• Layer 7 Services
• May be API-based, expanding services required
API DOMINANCE
Proxies are used in emerging API-centric architecture
• API versioning
• Client-based steering
• API Load balancing
• Metering & billing
• API key management
More applications needing services
Service A Service C
Service B Service D
More intelligence needed in services
API v1
API v2
High-Performance Services Fabric
Network [Physical • Overlay • SDN]
Virtual Edition Chassis Appliance
Data Plane
Programmability (iRules / iApps / iControl)
Control Plane Management Plane
F5 and Cisco ACI Joint Solution Benefits
ACI Fabric
Programmability (iRules / iApps / iControl)
Data Plane Control Plane Management Plane
F5 Synthesis Fabric
Virtual Edition Appliance Chassis
F5 DEVICE PACKAGE FOR APIC
• Preserves richness of F5 Synthesis offering. Ease of integration due to rich programmability
• Existing F5 Physical and Virtual appliances, topologies integrate seamlessly with Cisco ACI
• Maintains operational best practices & offers faster provisioning of workflows
• Automated L4-L7 application service insertion
• Accelerated application deployments with scalable L4-L7 services
• Application agility & significant reduction in operating costs
F5 and Cisco ACI Integration – Latest Addition
Announcing APIC and BIG-IQ Integration Early Availability
Virtual Edition Appliance Chassis
BIG-IQ
APIC to BIG-IP Integration Model Phase 1
(Shipping)
APIC to BIG-IQ Integration Model Phase 2
(Early Availability Now, FCS Q2 CY15)
BIG-IP
Customers have choice to leverage Cisco APIC to BIG-IP or through BIG-IQ Integration Models
ACI Fabric
F5 Synthesis Fabric
Choosing F5 BIG-IP for Cisco ACI
Supports 11.4.1 and above, Platform Independent
Good, Better, Best Platforms
Platforms shown: 1600 series*, 2000 series*, 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series, VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800
Throughput figures shown: 25M, 200M, 1Gbps, 3Gbps, 5Gbps, 10Gbps
Physical: F5 physical ADCs
High-performance with specialized and dedicated hardware
Physical ADC is best for:
• Fastest performance
• Highest scale
• SSL offload, compression, and DoS mitigation
• An all F5 solution: integrated HW+SW
• Edge and front door services
• Purpose-built isolation for application delivery workloads
Hybrid: Physical + virtual = hybrid ADC infrastructure
Ultimate flexibility and performance
Hybrid ADC is best for:
• Transitioning from physical to virtual and private data center to cloud
• Cloud bursting
• Splitting large workloads
• Tiered levels of service
Virtual: F5 virtual editions
Provide flexible deployment options for virtual environments and the cloud
Virtual ADC is best for:
• Accelerated deployment
• Maximizing data center efficiency
• Private and public cloud deployments
• Application or tenant-based pods
• Keeping security close to the app
• Lab, test, and QA deployments
ACI L4-L7 Service Insertion Overview
Traditional Network Service Insertion Challenges
Service Insertion In Traditional Networks
• Configure firewall rules as required by the application
• Configure Network to insert Firewall
• Configure firewall network parameters
• Configure Load Balancer as required by the application
• Configure Load Balancer Network Parameters
• Configure Router to steer traffic to/from Load Balancer
Challenges
• Service insertion takes days
• Network configuration is time consuming and error prone
• Difficult to track configuration on services
[Figure labels: Server, vFW, Switch, Router, FW, Router, LB]
APIC L4 – L7 Service Integration
[Figure: APPLICATION NETWORK PROFILE for a traditional 3-tier application (WEB, APP and DB tiers) with F/W and ADC]
TENANT (HR)
NETWORKING POLICY
CONNECTIVITY FOR THE TENANT L2-L3
TROUBLESHOOTING POLICY
SPAN, ERSPAN ETC
MONITORING POLICY
EVENTS, SNMP
APPLICATION PROFILE (3 TIER APP)
EPGS ARE DEFINED HERE
endpoint Group (EPG) – collection of bare metal servers, VMs, vNIC
Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG
Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG
SECURITY POLICY
(POLICY DECISION IS DONE HERE)
FILTERS, QOS, TRAFFIC STEERING
Contract – services between the WEB and APP EPG (web graph, HTTP graph)
Ex: APP is a provider and WEB is the consumer
Define services within a contract: FW, ADC in this example ADC defined
L4-L7 SERVICES POLICY
DEFINE L4-L7 SERVICE POLICY
Service Graph (Ex: WEB graph utilizes L7 SLB)
Logical Device Cluster
F5 Device Package: Definition
APIC requires a Device Package to communicate with service devices.
A Device Package is a zip file containing two parts:
• Device Specification (xml): The configuration of the APIC is represented as an object model consisting of a large number of Managed Objects (MOs). A device type is defined by a tree of MOs with a Meta Device (MDev) at the root.
• DeviceScript (py): The integration between the APIC and a device is performed by a DeviceScript, which maps APIC events to function calls defined in the DeviceScript.
[Figure: APIC (configuration through UI or North Bound APIs; EPG level L4-L7 config; Service Graph Function Node level L4-L7 config), Device Package (Device Specification, Device Script in Python), iControl / SouthBound API, BIG-IP (Physical or VE)]
Device Specification
<dev type= “f5”>
<service type= “slb”>
<param name= “vip”>
<dev ident=“210.1.1.1”
<validator=“ip”
<hidden=“no”>
<locked=“yes”>
Service Graph: Definition
Abstract graph concept mapping to Service Graph
• A service graph is an ordered set of functions between a set of terminals, e.g. Firewall function, Load Balancer function
• A function has one or more connectors
• Network connectivity such as a VLAN/VNID tag is assigned to these connectors
• A function within a graph may require one or more parameters
• Parameters can be scoped by an EPG, an application profile or a tenant context
• Parameter values can be locked from further changes
Functions rendered on the same device
Service Graph: “web-application”
Func: SSL offload
Func: Load Balancing
Func: Firewall
[Figure: the functions sit between two terminals and are joined by connectors; EPG - EXT consumes, EPG - WEB provides]
Firewall params
Permit ip tcp * dest-ip <vip> dest-port 80
Deny ip udp *
SSL params
Ipaddress <vip> port 80
Load-Balancing params
virtual-ip <vip> port 80
Lb-algorithm: round-robin
F5 Service Insertion
[Figure: Ext Users (EPG EXT) consume and the Web Server (EPG WEB) provides, through an Application Construct; a graph runs from start through stage 1 … stage N to end; function nodes (firewall, ADC: Virtual Server) have instances on Concrete Devices within a Logical Device Cluster]
• Web Farm provides services to External Users; a Policy Contract defines the relationship between Web Farm and Users
• Users are assigned to EPG EXT
• Web Farm is assigned to EPG WEB
• Users accessing the Web Servers
• Service Graph insertion at the Policy Contract Subject level
• Service Graph contains Function Nodes; Virtual Server is a Function Node
• F5 BIG-IPs are Concrete Devices belonging to a Logical Device Cluster that enables ADC as a Function Node within a Service Graph
F5 Device Package Release 1.1.0 Details and Integration with Cisco ACI
F5 and Cisco ACI Integration Models
Virtual Edition Appliance Chassis
BIG-IQ
APIC to BIG-IP Integration Model
APIC to BIG-IQ Integration Model
BIG-IP
ACI Fabric
F5 Synthesis Fabric
F5 ACI Device Package 1.1.0 is now Released!
Supports ACI FCS+3 version 1.0(2m)
• vCMP support (New with 1.1.0)
• Dynamic endpoint attach and detach (New with 1.1.0)
• Supports any BIG-IP LTM physical and virtual form factor running version 11.4.1 and above
• Device package can be downloaded from downloads.f5.com at no cost
• Does not require any new module installation on the BIG-IP
• Can leverage BIG-IQ as device management
• iRules (custom defined) that reside in common partition can be called by APIC
• BIG-IP is licensed and OOB management configured prior to APIC integration
• Supports Active / Standby High Availability model per APIC logical device cluster
F5 Device Package 1.1.0 Supported Functions
Functions
• Virtual Server
  ◦ Layer 4 Server Load balancing
  ◦ Layer 4 SLB with SSL offload
  ◦ Layer 7 Server Load balancing
  ◦ Layer 7 SLB with SSL offload
• Microsoft SharePoint
Parameters under Virtual Server
• Configuring Global and Tenant Self IP addresses
• Configuring Global and Tenant static routes
• Device Counters
• Server Pools
• TCP Optimizations (WAN/LAN/Mobile)
• HTTP optimization
• HTTP Security (Application protocol security)
• TCP connection multiplexing (One Connect)
• Validators and Creation of tenant OneConnect profiles
• iRules
• Validators and Creation of tenant acceleration profiles
• SNAT Pool management
More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload hence 1st release targets these use cases
ce Package 1.1.0 continue to support the same L4 – L7 service functions as 1.0.0 with additional support of vCMP and dynamic endpoint attach/de
F5 Device Package 1.1.0: vCMP Guests Support
vCMP (Virtual Clustered Multiprocessing) is F5's purpose-built hypervisor; it allows multiple virtual ADC instances, called vCMP guests, to reside on the same vCMP host
• In release 1.1.0, in a vCMP HA configuration, both vCMP guests must reside on the same vCMP host
• Using vCMP guests as L4-L7 Devices when creating a Logical Device Cluster
[Screenshot callouts: vCMP guest 1 and 2 mgmt. IP; vCMP host mgmt. IP]
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
Pool members are considered endpoints in the ACI fabric. Once an endpoint is “attached to” OR “detached from” an EPG, APIC sends a notification to BIG-IP to add or remove this pool member
• Enable Attachment Notification
• Internal Connector, which is tied to the provider EPG, is assigned to the WEB servers = pool members in F5 LTM Pool
• Under Graph Template, function node ADC has two logical interfaces: external and internal
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
• BIG-IP Pool has no pool members
• vCMP host mgmt. IP under device config as well
• No need to define pool members when adding configurable parameters to the service graph template
F5 Device Package 1.1.0: Dynamic endpoint attach/detach
• After receiving attach notification from APIC, BIG-IP adds members to pool
• Same for endpoint detach
• Assign provider EPG (Web) to the servers
Terminology: APIC Tenant Single Context / BIG-IP Partition
• A function node identifies a set of network service functions that are required by an application
• Tenant is a container for policies (filters, contracts, bridge domains and application profiles)
• BIG-IP partition is equivalent to a single context ACI tenant
• BIG-IP Virtual Server is equivalent to service graph function node
Device Package Feature: Referencing iRules
• APIC can reference iRules that reside in the BIG-IP Common partition
• BIG-IP is responsible for iRules management, including creation / modification / validation
F5 supports TRUE Multiple Graph Multiple Tenancy
• Multiple Virtual Servers for different applications in different BIG-IP partitions/APIC Tenants, sharing the same device
• A partition created by APIC inside BIG-IP is named with the prefix “apic_” followed by the tenant ID, to represent the tenant in F5 (for example: apic_5437)
• F5 demonstrates true multi-tenancy using different partitions for each tenant in APIC
• Each partition is assigned an individual route domain for L3 separation
• A Virtual Server created by APIC inside BIG-IP is named “apic_”, the tenant ID, “_”, then the graph (for example: apic_5437_3456)
[Figure: a single physical BIG-IP hosting Tenant A (APIC partition apic1234, Route Domain A), Tenant B (APIC partition apic2345, Route Domain B) and Tenant N (APIC partition apic7890, Route Domain N); in each partition a Client EPG, Virtual Server 1 with App EPG 1, and Virtual Server 2 with App EPG 2]
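The naming scheme and the per-partition route domain described on this slide can be checked mechanically against a BIG-IP inventory. The following is an added example, not code from F5 or from the device package: the inventory records, field names, finding codes and function names are constructed for illustration, and numeric tenant and graph IDs are assumed from the slide's own examples.

```python
import re
from collections import defaultdict

# Naming scheme from the slide: partition "apic_<tenant-id>",
# virtual server "apic_<tenant-id>_<graph>". Numeric IDs are an assumption
# based on the slide's examples (apic_5437, apic_5437_3456).
PARTITION_RE = re.compile(r"^apic_(\d+)$")
VSERVER_RE = re.compile(r"^apic_(\d+)_(\d+)$")


def parse_partition(name):
    """Return the tenant ID for an APIC-created partition name, else None."""
    m = PARTITION_RE.match(name)
    return m.group(1) if m else None


def parse_virtual_server(name):
    """Return (tenant_id, graph_id) for an APIC-created virtual server name, else None."""
    m = VSERVER_RE.match(name)
    return (m.group(1), m.group(2)) if m else None


def audit_tenancy(partitions, virtual_servers):
    """Check an inventory against the separation rules stated on the slide.

    partitions:      list of {"name", "route_domain"}   (constructed record shape)
    virtual_servers: list of {"name", "partition"}      (constructed record shape)
    Returns a sorted list of (finding_code, object_name) tuples.
    """
    findings = []
    apic_partitions = {}                 # partition name -> tenant ID
    by_route_domain = defaultdict(list)  # route domain -> APIC partition names

    for p in partitions:
        tenant = parse_partition(p["name"])
        if tenant is None:
            continue  # Common or admin-created partition: not audited here
        apic_partitions[p["name"]] = tenant
        by_route_domain[p["route_domain"]].append(p["name"])

    # Rule: each APIC partition gets an individual route domain (L3 separation).
    for names in by_route_domain.values():
        if len(names) > 1:
            findings.extend(("SHARED_ROUTE_DOMAIN", n) for n in names)

    for vs in virtual_servers:
        parsed = parse_virtual_server(vs["name"])
        if parsed is None:
            # Assumed local policy, not stated on the slide: hand-made objects
            # inside an APIC-owned partition are worth a look.
            if vs["partition"] in apic_partitions:
                findings.append(("UNMANAGED_VS_IN_APIC_PARTITION", vs["name"]))
            continue
        tenant, _graph = parsed
        # Rule: an APIC virtual server lives in the partition of its own tenant.
        if apic_partitions.get(vs["partition"]) != tenant:
            findings.append(("VS_TENANT_MISMATCH", vs["name"]))

    return sorted(findings)


# Constructed sample inventory (not taken from a real device).
PARTITIONS = [
    {"name": "Common", "route_domain": 0},
    {"name": "apic_5437", "route_domain": 1},
    {"name": "apic_6001", "route_domain": 2},
    {"name": "apic_6002", "route_domain": 2},  # shares a route domain
]
VIRTUAL_SERVERS = [
    {"name": "apic_5437_3456", "partition": "apic_5437"},  # consistent
    {"name": "apic_6001_10", "partition": "apic_5437"},    # wrong tenant's partition
    {"name": "legacy_web_vs", "partition": "apic_6002"},   # not APIC-named
    {"name": "legacy_vs", "partition": "Common"},          # out of scope
]

if __name__ == "__main__":
    for code, name in audit_tenancy(PARTITIONS, VIRTUAL_SERVERS):
        print(code, name)
```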
F5 BIG-IP + Cisco ACI Integration Options
• Cisco ACI + F5 BIG-IP without service insertion (using EPG)
• Cisco ACI + F5 BIG-IP Integration using L4 – L7 service insertion using service graph
• Mixed Mode: same BIG-IP connects to ACI fabric with and without L4-L7 service insertion
All the above Integration Options support 1-Arm / Inline; Physical / Virtual in HA deployment
[Figure, without service insertion: Ext EPG, Contract, BIG-IP EPG, Contract, Web EPG; BIG-IP phy link to ACI fabric]
[Figure, with service insertion: Ext EPG, Contract with L4-L7 Service Insertion, Web EPG; BIG-IP phy link to ACI fabric; no BIG-IP EPG required]
[Figure, mixed mode: Contract and Contract with L4-L7 Service Insertion on the same ACI Fabric; labels: APIC partition, Common or BIG-IP partition]
Workload Migration from Traditional Networks to Cisco ACI
Migration: Physical Topology
[Figure: Traditional Network and ACI Fabric; labels: BIG-IP Platform, CISCO ACE, F5 DEVICE PACKAGE FOR APIC, VIP Traditional, VIP ACI, WEB servers A, B, C]
Migration: Approach
Step 1:
• Bring up BIG-IP in ACI fabric
• Create Application Server
• ACI L4-L7 service insertion with BIG-IP
Step 2:
• Add ACI VIP to Traditional Pool
Step 3:
• Move Servers
Step 4:
• Update DNS or GTM
• Remove ACI VIP From Traditional Pool
Stage captions: Clients access Traditional Network VIP; Expanding workload to ACI fabric; Moving workload from traditional network to ACI; Completing workload migration to ACI, clients now access ACI VIP
[Figure: VIP Traditional and ACI VIP with WEB servers A, B, C at each stage]
Migration: Logical Diagram
[Figure, first panel: Wiki.mycorp.com = Traditional VIP; Client, DNS, Traditional Network VIP with a Server Pool of Server (Node) entries and a Server (LTM #2 VIP) entry, ACI VIP with a Server Pool of Server (Node) entries; numbered steps 1 to 5]
[Figure, second panel: Wiki.mycorp.com = ACI VIP; Client, DNS, ACI VIP with a Server Pool of Server (Node) entries; numbered steps 1 to 3]
F5 & Cisco Joint Whitepaper:
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-733816.pdf
F5 BIG-IQ Integration with Cisco ACI
F5 and Cisco ACI Integration Models
Virtual Edition Appliance Chassis
BIG-IQ
APIC to BIG-IP Integration Model
APIC to BIG-IQ Integration Model
BIG-IP
ACI Fabric
F5 Synthesis Fabric
F5 is Industry Leader in Application Delivery
How can we provide the full set of F5 functionality to an ACI environment that is “application” focused?
F5 has an extensive library of iApps for deploying applications
What are iApps?
An iApp is an application-centric configuration template:
• User answers a few questions about deploying an application
• iApps translates answers into a set of configuration options
• iApps can touch almost all BIG-IP functionality
• iRules, profiles, monitors, security policies, and much more …
• There are many F5-provided iApps:
• HTTP, Sharepoint, Exchange, VMware View, …
• Users can build their own iApps
Using BIG-IQ to bring iApps to APIC
F5 Device Package Release 1.1.0 Deployment Model
BIG-IQ Integration with Cisco ACI
BIG-IQ integration with APIC
1 - BIG-IP expose iApps to BIG-IQ
2 - BIG-IQ create custom device package
3 - Admin import BIG-IQ device package to APIC
4a - APIC sends iApp config to BIG-IQ -> BIG-IP
4b - APIC sends Device config to BIG-IP
BIG-IP integration with APIC
1 - Download device package from F5 (downloads.f5.com)
2 - Admin import device package to APIC
3 - APIC sends config to BIG-IP directly
[Figure: ACI Fabric and F5 Synthesis Fabric (Virtual Edition, Appliance, Chassis, BIG-IQ) with Device Packages and the numbered steps above; the F5 Configuration, F5 iApps Config and F5 Device Config boxes each show the same truncated sample:]
{'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {(5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'}, (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'
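The nested parameter structure in the sample above can be walked and checked before any value is pushed to a device. This is an added example, not part of the device package or the original deck: the completed sample dictionaries, the validator table and all function names are constructed, and because the slide does not explain `state`, `transaction`, `ackedState` or the leading `5` in each key, the code leaves them uninterpreted.

```python
import ipaddress


def is_netmask(text):
    """True if text is a dotted-quad IPv4 netmask with contiguous leading ones."""
    try:
        bits = int(ipaddress.IPv4Address(text))
    except (ValueError, TypeError):
        return False
    inverted = bits ^ 0xFFFFFFFF
    # A valid mask inverted is 0b000...0111...1, so inverted & (inverted + 1) == 0.
    return (inverted & (inverted + 1)) == 0


def is_port(text):
    """True if text is a decimal TCP/UDP port in 1..65535."""
    return isinstance(text, str) and text.isdigit() and 1 <= int(text) <= 65535


# Validators keyed by the parameter key seen on the slide (second tuple element).
VALIDATORS = {
    "DestinationNetmask": is_netmask,
    "DestinationPort": is_port,
}


def flatten(node, path=()):
    """Yield (path, leaf_value) for every leaf under a config node.

    A node is a dict whose 'value' is either a leaf or a dict of child nodes
    keyed by (type, key, name) tuples, as in the slide's sample.
    """
    value = node.get("value")
    if isinstance(value, dict):
        for key, child in value.items():
            yield from flatten(child, path + (key,))
    else:
        yield path, value


def validate(config):
    """Return a list of (param_name, problem) for leaves that fail validation.

    Unknown parameter keys are reported rather than silently accepted.
    """
    problems = []
    for path, value in flatten(config):
        if not path:
            problems.append(("<root>", "config has no parameters"))
            continue
        _type, key, name = path[-1]
        check = VALIDATORS.get(key)
        if check is None:
            problems.append((name, "no validator for " + key))
        elif not check(value):
            problems.append((name, "invalid %s: %r" % (key, value)))
    return problems


def leaf(value):
    """Build a node with the bookkeeping fields shown on the slide."""
    return {"state": 1, "transaction": 0, "ackedState": 0, "value": value}


# Constructed completion of the truncated slide sample.
GOOD_CONFIG = leaf({
    (5, "DestinationNetmask", "Netmask1"): leaf("255.255.255.255"),
    (5, "DestinationPort", "port1"): leaf("80"),
})

# Constructed bad input: non-contiguous mask, out-of-range port, unknown key.
BAD_CONFIG = leaf({
    (5, "DestinationNetmask", "Netmask1"): leaf("255.0.255.0"),
    (5, "DestinationPort", "port1"): leaf("70000"),
    (5, "UnknownParam", "x1"): leaf("anything"),
})

if __name__ == "__main__":
    print(validate(GOOD_CONFIG))
    print(validate(BAD_CONFIG))
```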
Reference Material
• F5 and Cisco ACI Solution Overview
http://www.f5.com/pdf/solution-center/cisco-aci-overview.pdf
• F5 SDAS and Cisco ACI Solution Brief
http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html
• Cisco Application Policy Infrastructure Controller (APIC)
http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html
• F5 BIG-IP LTM and Cisco ACI Integration white paper
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-732413.pdf
• Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone)
http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/BIG-IP-LTM/CiscoVMDCwithF5_BIG-IP_LTM_WhitePaper.pdf
• F5 BIG-IP: Workload Migration from Traditional Networks to Cisco Application Centric Infrastructure
http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-733816.pdf
• Follow us on Twitter @f5Networks
• Official F5 Networks Channel
DevCentral F5 User Community
Over 180,000 Members in 191 Countries and Growing!
References
• Wikis
• API/SDK Documentation
Resources
• Sample Code
• Tech Tips
• Forums
• Podcasts
• Blogs
Tools and Frameworks
• iRule Editor
• iControl SDK
• .NET, Java, Python, Powershell, ...
• VMware vSphere Management Plug-in
• Microsoft SCOM Monitoring Pack
Key Takeaways
If I can be of further assistance please contact me:
Jeffrey Wong (j.wong@f5.com)
• F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco’s Application
Centric Infrastructure
• How Cisco ACI solves network services insertion challenges
• How F5 BIG-IP LTM integrates into Cisco ACI architecture
• Key benefits of BIG-IP / ACI model:
  ◦ Multi-Tenancy, Multi-Graph Support
  ◦ Use Case Focus
  ◦ Automation Ready
  ◦ Application level visibility and monitoring
• F5 iApps Integration with Cisco ACI using BIG-IQ bringing application requirements to ACI policy
Visit F5 at Cisco Live 2015 in Melbourne
• Date: 18 – 20 March
• Booth: Stand P1
• You can also attend one of our Theatre sessions to learn more:
• Wednesday 18 Mar 11:50 AM - 12:20 PM – Partner Theatre 1
• Thursday 19 Mar 12:20 PM - 12:50 PM – Partner Theatre 2
Cisco ACI & F5 Integrate to Transform the Data Center
Cisco ACI & F5 Integrate to Transform the Data Center

More Related Content

PDF
게임 서비스에 딱 맞는 AWS 신규 서비스들로 게임 아키텍처 개선하기 - 김병수 솔루션즈 아키텍트, AWS :: AWS Summit Seo...
PPTX
Multicastが出来ないならUnicastすればいいじゃない
PDF
OSC2011 Tokyo/Spring 自宅SAN友の会(前半)
PPTX
Oracle Data Masking and Subsettingのご紹介
PPTX
Oracle Advanced Security Transparent Data Encryptionのご紹介
PDF
Oracle Database統合のベスト・プラクティス
PDF
KafkaとAWS Kinesisの比較
PPTX
CloudNative Days Spring 2021 Online: Apache CamelおよびKeycloakを用いたAPI管理基盤の実現
게임 서비스에 딱 맞는 AWS 신규 서비스들로 게임 아키텍처 개선하기 - 김병수 솔루션즈 아키텍트, AWS :: AWS Summit Seo...
Multicastが出来ないならUnicastすればいいじゃない
OSC2011 Tokyo/Spring 自宅SAN友の会(前半)
Oracle Data Masking and Subsettingのご紹介
Oracle Advanced Security Transparent Data Encryptionのご紹介
Oracle Database統合のベスト・プラクティス
KafkaとAWS Kinesisの比較
CloudNative Days Spring 2021 Online: Apache CamelおよびKeycloakを用いたAPI管理基盤の実現

What's hot (20)

PPTX
サポート エンジニアが語る、Microsoft Azure を支えるインフラの秘密
PPTX
100 G超通信時代の安定した高品質な伝送インフラ構築づくり
PPTX
Designing Scalable SAN using MDS 9396S
PPTX
VMware Advance Troubleshooting Workshop - Day 4
PPTX
HTTP2 最速実装 〜入門編〜
PDF
Internal Architecture of Amazon Aurora (Level 400) - 발표자: 정달영, APAC RDS Speci...
PPTX
차세대 데이터센터 네트워크 전략
PPTX
SteelEye 표준 제안서
PDF
Apache Hadoop HDFSの最新機能の紹介(2018)#dbts2018
PPTX
Kubernetesでの性能解析 ~なんとなく遅いからの脱却~(Kubernetes Meetup Tokyo #33 発表資料)
PPTX
VMware Advance Troubleshooting Workshop - Day 3
PDF
セキュリティ基準、標準、規制 との付き合い方
PPTX
Azureの学習にオススメな動画コンテンツまとめ.pptx
PDF
Amazon DynamoDB Advanced Design Pattern
PPTX
Active directoryと認証・認可
PDF
Well-Architectedな組織を
実現するためのチャレンジ - なぜ、CA W-Aを作ろうと思ったのか - #jawsdays 2019
PDF
Cloud comparison - AWS vs Azure vs Google
PDF
Oracle GoldenGate入門
PPTX
Wi-Fi 6: A New Era of Wireless Networking
PDF
VMware on AWS를 통한 하이브리드 클라우드 구축 적용 - 홍정진, AWS Partner SA/ VMC on AWS
サポート エンジニアが語る、Microsoft Azure を支えるインフラの秘密
100 G超通信時代の安定した高品質な伝送インフラ構築づくり
Designing Scalable SAN using MDS 9396S
VMware Advance Troubleshooting Workshop - Day 4
HTTP2 最速実装 〜入門編〜
Internal Architecture of Amazon Aurora (Level 400) - 발표자: 정달영, APAC RDS Speci...
차세대 데이터센터 네트워크 전략
SteelEye 표준 제안서
Apache Hadoop HDFSの最新機能の紹介(2018)#dbts2018
Kubernetesでの性能解析 ~なんとなく遅いからの脱却~(Kubernetes Meetup Tokyo #33 発表資料)
VMware Advance Troubleshooting Workshop - Day 3
セキュリティ基準、標準、規制 との付き合い方
Azureの学習にオススメな動画コンテンツまとめ.pptx
Amazon DynamoDB Advanced Design Pattern
Active directoryと認証・認可
Well-Architectedな組織を
実現するためのチャレンジ - なぜ、CA W-Aを作ろうと思ったのか - #jawsdays 2019
Cloud comparison - AWS vs Azure vs Google
Oracle GoldenGate入門
Wi-Fi 6: A New Era of Wireless Networking
VMware on AWS를 통한 하이브리드 클라우드 구축 적용 - 홍정진, AWS Partner SA/ VMC on AWS
Ad

Viewers also liked (20)

PDF
Ocs F5 Bigip Bestpractices
PDF
Integration and Interoperation of existing Nexus networks into an ACI Archite...
PPTX
LTM essentials
PDF
F5 beyond load balancer (nov 2009)
PDF
Application Centric Infrastructure (ACI), the policy driven data centre
PPTX
ACI Hands-on Lab
PPTX
F5 Solutions for Service Providers
PPTX
F5 iHealth Presentation 10 22-10
PDF
Accelerating Application Delivery with Cisco and F5
PPTX
BIG-IP Edge Gateway
PDF
Development of a Cisco ACI device package for NGINX as a Load-Balancer
PDF
Application Centric Infrastructure (ACI)
DOC
F5 Link controller Configuration
PPTX
F5 Networks BIG-IP LTM Virtual Edition
PDF
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
PPTX
BIG-IP Policy Enforcement Manager
PDF
F5 DDoS Protection
PPT
BIG IP F5 GTM Presentation
PPTX
So you think you can scale
PPTX
HTTP/2 Changes Everything
Ocs F5 Bigip Bestpractices
Integration and Interoperation of existing Nexus networks into an ACI Archite...
LTM essentials
F5 beyond load balancer (nov 2009)
Application Centric Infrastructure (ACI), the policy driven data centre
ACI Hands-on Lab
F5 Solutions for Service Providers
F5 iHealth Presentation 10 22-10
Accelerating Application Delivery with Cisco and F5
BIG-IP Edge Gateway
Development of a Cisco ACI device package for NGINX as a Load-Balancer
Application Centric Infrastructure (ACI)
F5 Link controller Configuration
F5 Networks BIG-IP LTM Virtual Edition
HTTP by Hand: Exploring HTTP/1.0, 1.1 and 2.0
BIG-IP Policy Enforcement Manager
F5 DDoS Protection
BIG IP F5 GTM Presentation
So you think you can scale
HTTP/2 Changes Everything
Ad

Similar to Cisco ACI & F5 Integrate to Transform the Data Center (20)

PDF
Thinking about SDN and whether it is the right approach for your organization?
PDF
f5_synthesis_cisco_connect.pdf
PDF
VMworld 2013: Moving Beyond Infrastructure: Meeting Demands on App Lifecycle ...
PDF
Deep Dive on F5 BIG-IQ, BIG-IP and Cisco.pdf
PPTX
What are Software Defined Application Services
PDF
F5 Cloud Story
PDF
Cisco and F5 accelerate Application Delivery
PPSX
Virtualization / Cloud / SDN
PDF
Presentation network design and security for your v mware view deployment w...
PPTX
F5 Value For Virtualization
PDF
F5 Synthesis Toronto February 2014 Roadshow
PDF
F5 perspective of nfv+sdn (SDN NFV Day ITB 2016)
PPTX
F5 and HashiCorp Multi-Cloud
PPTX
F5 Meetup presentation automation 2017
PPTX
Spider & F5 Round Table - The Flexible Data Center
PDF
App to Cloud: Patrick Kerpan's DataCenter Dynamics Converged Keynote
PDF
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
PPTX
F5 Infosec Israel 2013 Locking the Door in the Clouds
PDF
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
PDF
Cisco ACI for the Microsoft Cloud Platform
Thinking about SDN and whether it is the right approach for your organization?
f5_synthesis_cisco_connect.pdf
VMworld 2013: Moving Beyond Infrastructure: Meeting Demands on App Lifecycle ...
Deep Dive on F5 BIG-IQ, BIG-IP and Cisco.pdf
What are Software Defined Application Services
F5 Cloud Story
Cisco and F5 accelerate Application Delivery
Virtualization / Cloud / SDN
Presentation network design and security for your v mware view deployment w...
F5 Value For Virtualization
F5 Synthesis Toronto February 2014 Roadshow
F5 perspective of nfv+sdn (SDN NFV Day ITB 2016)
F5 and HashiCorp Multi-Cloud
F5 Meetup presentation automation 2017
Spider & F5 Round Table - The Flexible Data Center
App to Cloud: Patrick Kerpan's DataCenter Dynamics Converged Keynote
Plnog 3: Zbigniew Skurczyński - Wirtualizacja i optymalizacja infrastruktury
F5 Infosec Israel 2013 Locking the Door in the Clouds
Primend Praktiline Konverents - Rakenduse keskne IT infrastruktuur / Cisco Ap...
Cisco ACI for the Microsoft Cloud Platform

Recently uploaded (20)

PDF
cuic standard and advanced reporting.pdf
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
PDF

Cisco ACI & F5 Integrate to Transform the Data Center

  • 1. F5 BIG-IP and Cisco ACI Integration Network Service Orchestration and Insertion Jeffrey Wong - Solution Architect F5 Networks February, 2015
  • 2. © F5 Networks, Inc 2 Agenda • State of IT • ACI Overview • F5 Synthesis Overview • ACI L4 –L7 Service Insertion Overview • F5 Device Package Release 1.1.0 Details and Integration with Cisco ACI • Workload Migration from Traditional Networks to Cisco ACI • F5 BIG-IQ Integration with Cisco ACI
  • 3. How Are We Doing?
  • 4. IT impedes growth, or IT spends too much? Deploy this much, but need this? How much IT will you need? What if IT was on-demand? Would that be “Cloud”?
  • 5. The on-going “IT pain” • High cost, heterogeneous systems • Redundant functionality • Lack of agility to innovate • Slow time to market • Rising maintenance costs • Rising regulatory and compliance costs, multiplied by: • Heterogeneous systems • Geographic expansion / local laws • Falling IT Budgets
  • 7. • Separation of IT areas / buying-centers / silos preventing IT from moving at the speed demanded by the business • Focus changed from Consolidation to Automation • Business owners and Apps Developers started to go straight to public cloud to meet agility and demand. Security and Data Sovereignty arise. • Operations become further relevant. Shift from “what it does / how it works” to “how to use / how to consume it”. DevOps
  • 9. Application Oriented Policy = Operational Simplicity. Introducing: Application Centric Infrastructure (ACI) • Apps + Infrastructure • Physical + Virtual + Containers • Open + Secure • On-Premises + Cloud
  • 10. Why Networks are Complex: Overloaded Network Constructs • Application Requirements • IP Addressing • Enable Connectivity (The Network) • IP Address, VLAN, VRF • Control & Audit Connectivity (Security – Firewall, ACL, …) • Redirect and Load Balance Connectivity • Application Specific Connectivity: dynamic provisioning of connectivity explicitly defined for the application • ACI directly maps the application connectivity requirements onto the network and services fabric
  • 11. © F5 Networks, Inc 11 Network-Centric to application-centric Two types of language NETWORK LANGUAGE • VLAN • IP Address • Subnets • Firewalls • Quality of Service • Load Balancer • Access Lists APPLICATION LANGUAGE • Application Tier Policy and Dependencies • Security Requirements • Service Level Agreement • Application Performance • Compliance • Geo Dependencies • Etc.
  • 12. Application Policy Model and Instantiation. All forwarding in the fabric is managed through the application network profile • IP addresses are fully portable anywhere within the fabric • Security and forwarding are fully decoupled from any physical or virtual network attributes • Devices autonomously update the state of the network based on configured policy requirements • Application policy model: defines the application requirements (application network profile) • Policy instantiation: each device dynamically instantiates the required changes based on the policies [Diagram labels: APIC; Application Client, Web Tier, App Tier, DB Tier, Storage; VMs 10.2.4.7, 10.9.3.37, 10.32.3.7]
  • 13. ACI understands and speaks APPLICATION. Needs directly map to ACI network profiles. [Diagram labels: Application Requirements; Network Requirements; WAN, Firewall, ADC from Web, Connect to App, Connect to DB, High Priority; WEB, APP, DB, F/W, ADC]
  • 14. ACI building blocks • Open RESTful APIs • Centralized policy model • Open source controller • APIC • Next generation Nexus: traditional networks, policy model, ACI • 50% simpler code base • Future proof, upgradable to ACI • Programmability and automation • Network virtualization support • Resiliency: in-service patching, upgrade, fast restart • Future proof: software upgradable to ACI • Nexus 9500 and 9300 • Innovations in software, hardware and system design: price, power efficiency, programmability, port density, performance • Optimized NX-OS
  • 16. © F5 Networks, Inc 16 Impact on Data Center Architecture: Applications MICRO-ARCHITECTURES Each service is isolated and requires its own: • Load balancing • Authentication / authorization • Security • Layer 7 Services • May be API-based, expanding services required API DOMINANCE Proxies are used in emerging API-centric architecture • API versioning • Client-based steering • API Load balancing • Metering & billing • API key management More applications needing services Service A Service C Service B Service D More intelligence needed in services API v1 API v2
  • 17. © F5 Networks, Inc 17 High-Performance Services Fabric Network [Physical • Overlay • SDN] Virtual Edition ChassisAppliance Data Plane Programmability (iRules / iApps / iControl) Control Plane Management Plane
  • 18. F5 and Cisco ACI Joint Solution Benefits. F5 Device Package for APIC • Preserves richness of F5 Synthesis offering. Ease of integration due to rich programmability • Existing F5 Physical and Virtual appliances, topologies integrate seamlessly with Cisco ACI • Maintains operational best practices & offers faster provisioning of workflows • Automated L4-L7 application service insertion • Accelerated application deployments with scalable L4-L7 services • Application agility & significant reduction in operating costs [Diagram labels: ACI Fabric; F5 Synthesis Fabric; Programmability (iRules / iApps / iControl); Data Plane, Control Plane, Management Plane; Virtual Edition, Appliance, Chassis]
  • 19. F5 and Cisco ACI Integration – Latest Addition. Announcing APIC and BIG-IQ Integration Early Availability • APIC to BIG-IP Integration Model: Phase 1 (Shipping) • APIC to BIG-IQ Integration Model: Phase 2 (Early Availability Now, FCS Q2 CY15) • Customers have the choice to leverage the Cisco APIC to BIG-IP or the BIG-IQ Integration Model [Diagram labels: ACI Fabric; F5 Synthesis Fabric; BIG-IQ; BIG-IP; Virtual Edition, Appliance, Chassis]
  • 20. Choosing F5 BIG-IP for Cisco ACI. Supports 11.4.1 and above, Platform Independent. Good, Better, Best Platforms • F5 physical ADCs: high-performance with specialized and dedicated hardware. Physical ADC is best for: fastest performance; highest scale; SSL offload, compression, and DoS mitigation; an all F5 solution (integrated HW+SW); edge and front door services; purpose-built isolation for application delivery workloads • Physical + virtual = hybrid ADC infrastructure: ultimate flexibility and performance. Hybrid ADC is best for: transitioning from physical to virtual and private data center to cloud; cloud bursting; splitting large workloads; tiered levels of service • F5 virtual editions: provide flexible deployment options for virtual environments and the cloud. Virtual ADC is best for: accelerated deployment; maximizing data center efficiency; private and public cloud deployments; application or tenant-based pods; keeping security close to the app; lab, test, and QA deployments [Diagram labels: 1600 series*, 2000 series*, 4000 series, 5000 Series, 7000 Series, 10000 Series, 11000 Series; VIPRION 2200, VIPRION 2400, VIPRION 4480, VIPRION 4800; 25M, 200M, 1Gbps, 3Gbps, 5Gbps, 10Gbps]
  • 21. ACI L4 –L7 Service Insertion Overview
  • 22. © F5 Networks, Inc 22 Traditional Network Service Insertion Challenges Configure firewall rules as required by the application Configure Network to insert Firewall Configure firewall network parameters Configure Load Balancer as required by the application Configure Load Balancer Network Parameters Configure Router to steer traffic to/from Load Balancer Service insertion takes days Network configuration is time consuming and error prone Difficult to track configuration on services Service Insertion In traditional Networks Server vFW Switch Router FW Router LB
  • 23. © F5 Networks, Inc 23 APIC L4 – L7 Service Integration APPLICATION NETWORK PROFILE Traditional 3-Tier Application WEB WEB WEB WEB APP APP APP APP DB DB DB DB F/W ADC ADC TENANT (HR) NETWORKING POLICY CONNECTIVITY FOR THE TENANT L2-L3 TROUBLESHOOTING POLICY SPAN, ERSPAN ETC MONITORING POLICY EVENTS, SNMP APPLICATION PROFILE (3 TIER APP) EPGS ARE DEFINED HERE endpoint Group (EPG) – collection of bare metal servers, VMs, vNIC Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG SECURITY POLICY (POLICY DECISION IS DONE HERE) FILTERS, QOS, TRAFFIC STEERING Contract – services between the WEB and APP EPG (web graph, HTTP graph) Ex: APP is a provider and WEB is the consumer Define services within a contract: FW, ADC in this example ADC defined L4-L7 SERVICES POLICY DEFINE L4-L7 SERVICE POLICY Service Graph (Ex: WEB graph utilizes L7 SLB) Logical Device Cluster
  • 24. F5 Device Package: Definition. APIC requires a Device Package to communicate with service devices. A Device Package is a zip file containing two parts: • Device Specification (xml): The configuration of the APIC is represented as an object model consisting of a large number of Managed Objects (MOs). A Device type is defined by a tree of MOs with a Meta Device (MDev) at the root. • DeviceScript (py): The integration between the APIC and a Device is performed by a DeviceScript, which maps APIC events to function calls defined in the DeviceScript. [Diagram labels: APIC configuration through UI or North Bound APIs; EPG level L4-L7 config; Service Graph Function Node level L4-L7 config; Device Package (Device Specification, Device Script); Python iControl / SouthBound API; BIG-IP Physical or VE] Device Specification fragment as drawn on the slide: <dev type= “f5”> <service type= “slb”> <param name= “vip”> <dev ident=“210.1.1.1” <validator=“ip” <hidden=“no”> <locked=“yes”>
  • 25. Service Graph: Definition. Abstract graph concept mapping to Service Graph • A service graph is an ordered set of functions between a set of terminals, e.g. Firewall Function, Load balancer Function • A function has one or more connectors • Network connectivity like a VLAN/VNID tag is assigned to these connectors • Functions are rendered on the same device • A function within a graph may require one or more parameters • Parameters can be scoped by an EPG, an application profile or a tenant context • Parameter values can be locked from further changes. Example on the slide, Service Graph “web-application” between EPG - EXT (consumes) and EPG - WEB (provides), with terminals and connectors: • Func: Firewall, params: Permit ip tcp * dest-ip <vip> dest-port 80; Deny ip udp * • Func: SSL offload, params: Ipaddress <vip> port 80 • Func: Load Balancing, params: virtual-ip <vip> port 80; Lb-algorithm: round-robin
  • 26. F5 Service Insertion • The Web Farm provides services to External Users; the Policy Contract defines the relationship between the Web Farm and the Users • Users are assigned to EPG EXT • The Web Farm is assigned to EPG WEB • Users access the Web Servers • Service Graph insertion happens at the Policy Contract Subject level • A Service Graph contains Function Nodes; a Virtual Server is a Function Node • F5 BIG-IPs are Concrete Devices that belong to a Logical Device Cluster, which enables ADC as a Function Node within a Service Graph [Diagram labels: Ext Users, EPG EXT (Consume); Web Server, EPG WEB (Provide); Application Construct; graph: start, stage 1 … stage N, end; Node: firewall, ADC: Virtual Server; inst; Concrete Device; Logical Device Cluster]
  • 27. F5 Device Package Release 1.1.0 Details and Integration with Cisco ACI
  • 28. F5 and Cisco ACI Integration Models • APIC to BIG-IP Integration Model • APIC to BIG-IQ Integration Model [Diagram labels: ACI Fabric; F5 Synthesis Fabric; BIG-IQ; BIG-IP; Virtual Edition, Appliance, Chassis]
  • 29. © F5 Networks, Inc 29 F5 ACI Device Package 1.1.0 is now Released! Supports ACI FCS+3 version 1.0(2m) • vCMP support (New with 1.1.0) • Dynamic endpoint attach and detach (New with 1.1.0) • Supports any BIG-IP LTM physical and virtual form factor running version 11.4.1 and above • Device package can be downloaded from downloads.f5.com at no cost • Does not require any new module installation on the BIG-IP • Can leverage BIG-IQ as device management • iRules (custom defined) that reside in common partition can be called by APIC • BIG-IP is licensed and OOB management configured prior to APIC integration • Supports Active / Standby High Availability model per APIC logical device cluster
  • 30. F5 Device Package 1.1.0 Supported Functions • Virtual Server: Layer 4 Server Load balancing; Layer 4 SLB with SSL offload; Layer 7 Server Load balancing; Layer 7 SLB with SSL offload • Microsoft SharePoint Parameters under Virtual Server • Configuring Global and Tenant Self IP addresses • Configuring Global and Tenant static routes • Device Counters • Server Pools • TCP Optimizations (WAN/LAN/Mobile) • HTTP optimization • HTTP Security (Application protocol security) • TCP connection multiplexing (One Connect) • Validators and Creation of tenant OneConnect profiles • iRules • Validators and Creation of tenant acceleration profiles • SNAT Pool management. More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload, hence the 1st release targets these use cases. ce Package 1.1.0 continue to support the same L4 – L7 service functions as 1.0.0 with additional support of vCMP and dynamic endpoint attach/de
  • 31. F5 Device Package 1.1.0: vCMP Guests Support • vCMP (Virtual Clustered Multiprocessing) is F5's purpose-built hypervisor; it allows multiple virtual ADC instances, called vCMP guests, to reside on the same vCMP host • vCMP guests are used as L4-L7 Devices when creating a Logical Device Cluster • In release 1.1.0, in a vCMP HA configuration, both vCMP guests must reside on the same vCMP host [Screenshot labels: vCMP guest 1 and 2 mgmt. IP; vCMP host mgmt. IP]
  • 32. F5 Device Package 1.1.0: Dynamic endpoint attach/detach • Pool members are considered endpoints in the ACI fabric; once an endpoint is “attached to” or “detached from” an EPG, APIC sends a notification to BIG-IP to add or remove this pool member • Enable Attachment Notification • The Internal Connector, which is tied to the provider EPG, is assigned to the WEB servers = pool members in the F5 LTM Pool • Under Graph Template, function node ADC has two logical interfaces: external and internal
  • 33. © F5 Networks, Inc 33 F5 Device Package 1.1.0: Dynamic endpoint attach/detach BIG-IP Pool has no pool members vCMP host mgmt. IP under device config as well No need to define pool members when adding configurable parameters to the service graph template
  • 34. F5 Device Package 1.1.0: Dynamic endpoint attach/detach • Assign the provider EPG (Web) to the servers • After receiving the attach notification from APIC, BIG-IP adds members to the pool • Same for endpoint detach
  • 35. © F5 Networks, Inc 35 Terminology: APIC Tenant Single Context / BIG-IP Partition A function node identifies a set of network service functions that are required by an application Tenant is a container for policies (filters, contracts, bridge domains and application profiles) BIG-IP partition is equivalent to a single context ACI tenant BIG-IP Virtual Server is equivalent to service graph function node
  • 36. Device Package Feature: Referencing iRules • APIC can reference iRules that reside in the BIG-IP Common partition • BIG-IP is responsible for iRules management, including creation / modification / validation
  • 37. F5 supports TRUE Multiple Graph Multiple Tenancy • Multiple Virtual Servers for different applications in different BIG-IP partitions / APIC Tenants, sharing the same device • A partition created by APIC inside BIG-IP is named with the prefix “apic”, “_” and the tenant-id (for ex: apic_5437) • F5 demonstrates true multi-tenancy using a different partition for each tenant in APIC • Each partition is assigned an individual route domain for L3 separation • A Virtual Server created by APIC inside BIG-IP is named with the prefix “apic”, “_”, the tenant_id, “_” and the graph (for ex: apic_5437_3456) [Diagram labels: single BIG-IP physical; Tenant A, Tenant B … Tenant N; APIC partition apic1234 with Route Domain A, apic2345 with Route Domain B, apic7890 with Route Domain N; each with Client EPG, Virtual Server 1, Virtual Server 2, App EPG 1, App EPG 2]
  • 38. © F5 Networks, Inc 38 F5 BIG-IP + Cisco ACI Integration Options Cisco ACI + F5 BIG-IP without service insertion (using EPG) Cisco ACI + F5 BIG-IP Integration using L4 – L7 service insertion using service graph Mixed Mode: same BIG-IP connects to ACI fabric with and without L4-L7 service insertion All the above Integration Options support 1-Arm / Inline; Physical / Virtual in HA deployment Contract Contract Ext EPG Web EPG BIG-IP EPG BIG-IP phy link to ACI fabric ACI Fabric Contract with L4-L7 Service Insertion Ext EPG Web EPG BIG-IP phy link to ACI fabric No BIG-IP EPG required ACI Fabric Contract APIC partition Contract with L4-L7 Service Insertion APIC partition Common or BIG-IP partition ACI Fabric Common or BIG-IP partition
  • 39. Workload Migration from Traditional Networks to Cisco ACI
  • 40. Migration: Physical Topology [Diagram labels: Traditional Network with CISCO ACE, VIP Traditional and servers A, B, C; ACI Fabric with F5 Device Package for APIC, VIP ACI and WEB servers; BIG-IP Platform]
  • 41. Migration: Approach • Step 1: Bring up BIG-IP in ACI fabric; Create Application Server; ACI L4-L7 service insertion with BIG-IP • Step 2: Add ACI VIP to Traditional Pool • Step 3: Move Servers • Step 4: Update DNS or GTM; Remove ACI VIP From Traditional Pool. Stages captioned in the diagram: Clients access Traditional Network VIP; Expanding workload to ACI fabric; Moving workload from traditional network to ACI; Completing workload migration to ACI; Clients now access ACI VIP
  • 42. Migration: Logical Diagram [Diagram labels: Client, DNS, Traditional Network VIP, ACI VIP, Server Pool, Server (Node), Server (LTM #2 VIP), numbered flows 1 to 5; Wiki.mycorp.com = Traditional VIP; Wiki.mycorp.com = ACI VIP] F5 & Cisco Joint Whitepaper: http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-733816.pdf
  • 43. F5 BIG-IQ Integration with Cisco ACI
  • 44. F5 and Cisco ACI Integration Models • APIC to BIG-IP Integration Model • APIC to BIG-IQ Integration Model [Diagram labels: ACI Fabric; F5 Synthesis Fabric; BIG-IQ; BIG-IP; Virtual Edition, Appliance, Chassis]
  • 45. © F5 Networks, Inc 45 F5 is Industry Leader in Application Delivery How can we provide full set of F5 functionality to ACI environment that is “application” focused? F5 has an extensive library of iApps for deploying applications
  • 46. © F5 Networks, Inc 46 What are iApps? An iApps is an application-centric configuration template: • User answers a few questions about deploying an application • iApps translates answers into a set of configuration options • iApps can touch almost all BIG-IP functionality • iRules, profiles, monitors, security policies, and much more … • There are many F5-provided iApps: • HTTP, Sharepoint, Exchange, VMware View, … • Users can build their own iApps
  • 47. Using BIG-IQ to bring iApps to APIC • F5 Device Package Release 1.1.0 deployment model, BIG-IP integration with APIC: 1 - Download device package from F5 (downloads.f5.com); 2 - Admin imports device package to APIC; 3 - APIC sends config to BIG-IP directly • BIG-IQ integration with Cisco ACI, BIG-IQ integration with APIC: 1 - BIG-IP exposes iApps to BIG-IQ; 2 - BIG-IQ creates custom device package; 3 - Admin imports BIG-IQ device package to APIC; 4a - APIC sends iApp config to BIG-IQ -> BIG-IP; 4b - APIC sends Device config to BIG-IP [Diagram labels: ACI Fabric; F5 Synthesis Fabric; BIG-IQ; Device Package; BIG-IQ Device Package; Virtual Edition, Appliance, Chassis] Sample configuration shown on the slide under the labels “F5 Configuration”, “F5 iApps Config” and “F5 Device Config” (the same fragment each time): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {(5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'}, (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'
  • 48. Reference Material (For Your Reference) • F5 and Cisco ACI Solution Overview http://www.f5.com/pdf/solution-center/cisco-aci-overview.pdf • F5 SDAS and Cisco ACI Solution Brief http://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solution-brief-c22-730004.html • Cisco Application Policy Infrastructure Controller (APIC) http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html • F5 BIG-IP LTM and Cisco ACI Integration white paper http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-732413.pdf • Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone) http://www.cisco.com/c/dam/en/us/td/docs/solutions/Enterprise/Data_Center/VMDC/BIG-IP-LTM/CiscoVMDCwithF5_BIG-IP_LTM_WhitePaper.pdf • F5 BIG-IP: Workload Migration from Traditional Networks to Cisco Application Centric Infrastructure http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/guide-c07-733816.pdf • Follow us on Twitter @f5Networks • Official F5 Networks Channel
  • 49. © F5 Networks, Inc 49 DevCentral F5 User Community Over 180,000 Members in 191 Countries and Growing! References • Wikis • API/SDK Documentation Resources • Sample Code • Tech Tips • Forums • Podcasts • Blogs Tools and Frameworks • iRule Editor • iControl SDK • .NET, Java, Python, Powershell, ... • VMware vSphere Management Plug-in • Microsoft SCOM Monitoring Pack
  • 50. Key Takeaways • F5 Software Defined Application Services (SDAS) vision perfectly aligns with Cisco’s Application Centric Infrastructure • How Cisco ACI solves network services insertion challenges • How F5 BIG-IP LTM integrates into Cisco ACI architecture • Key benefits of BIG-IP / ACI model: Multi-Tenancy, Multi-Graph Support; Use Case Focus; Automation Ready; Application level visibility and monitoring • F5 iApps Integration with Cisco ACI using BIG-IQ bringing application requirements to ACI policy. If I can be of further assistance please contact me: Jeffrey Wong (j.wong@f5.com)
  • 51. Visit F5 at Cisco Live 2015 in Melbourne • Date: 18 – 20 March • Booth: Stand P1 • You can also attend one of our Theatre sessions to learn more: • Wednesday 18 Mar 11:50 AM - 12:20 PM – Partner Theatre 1 • Thursday 19 Mar 12:20 PM - 12:50 PM – Partner Theatre 2
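
Slide 37 states the tenant-isolation rules for a shared BIG-IP: one `apic_<tenant-id>` partition per APIC tenant, an individual route domain per partition, and virtual servers named `apic_<tenant-id>_<graph>`. The following audit of those rules is an added example, not code from the deck or from the F5 device package; the inventory layout, the function name and the numeric-ID assumption are hypothetical.

```python
import re
from collections import defaultdict

# Naming rules from slide 37. Assumption: tenant and graph IDs are numeric,
# as in the slide's examples apic_5437 and apic_5437_3456.
PARTITION_RE = re.compile(r"^apic_(?P<tenant>\d+)$")
VSERVER_RE = re.compile(r"^apic_(?P<tenant>\d+)_(?P<graph>\d+)$")

# Constructed sample inventory (hypothetical layout, not BIG-IP API output).
SAMPLE_INVENTORY = {
    "partitions": [
        {"name": "Common", "route_domain": 0},
        {"name": "apic_5437", "route_domain": 1},
        {"name": "apic_6001", "route_domain": 2},
        {"name": "apic_7002", "route_domain": 2},  # shares RD 2 with apic_6001
    ],
    "virtual_servers": [
        {"name": "apic_5437_3456", "partition": "apic_5437"},  # consistent
        {"name": "apic_6001_1200", "partition": "apic_7002"},  # other tenant
        {"name": "apic_9999_0001", "partition": "Common"},     # outside tenant
        {"name": "legacy_vip", "partition": "Common"},         # not APIC-made
    ],
}


def audit_tenancy(inventory):
    """Return a list of findings that break the slide-37 isolation rules.

    Finding shapes:
      ("shared-route-domain", route_domain, (partition, ...))
      ("tenant-mismatch", virtual_server, partition)
    """
    findings = []

    # Rule: each APIC partition has its own route domain (L3 separation).
    by_rd = defaultdict(list)
    for part in inventory["partitions"]:
        by_rd[part["route_domain"]].append(part["name"])
    for rd, names in sorted(by_rd.items()):
        has_apic_partition = any(PARTITION_RE.match(n) for n in names)
        if len(names) > 1 and has_apic_partition:
            findings.append(("shared-route-domain", rd, tuple(sorted(names))))

    # Rule: a virtual server named apic_<tenant>_<graph> must live in the
    # partition apic_<tenant>; anywhere else crosses a tenant boundary.
    for vs in inventory["virtual_servers"]:
        match = VSERVER_RE.match(vs["name"])
        if not match:
            continue  # not created by APIC under the slide's naming scheme
        expected = "apic_" + match.group("tenant")
        if vs["partition"] != expected:
            findings.append(("tenant-mismatch", vs["name"], vs["partition"]))

    return findings


if __name__ == "__main__":
    for finding in audit_tenancy(SAMPLE_INVENTORY):
        print(finding)
```
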

Editor's Notes

  • #10: (This scripted slide is part of the ACI Core “Ease” Message presentation – if seen by itself, the script might not make sense) Cisco introduced Application Centric Infrastructure (ACI) publicly in November 2013 and we started shipping ACI to customers in July 2014. There are a number of key characteristics that form the foundation of ACI that we will cover in more detail in the rest of the presentation. Apps + Infra: ACI is focused on an application's infrastructure needs, not just about forwarding packets. For the first time a network understands that the packets it is forwarding belong to applications and for the first time a network can provide application relevant information about the application's infrastructure behavior/needs. Physical and Virtual: The new DC networks (or fabrics as we started calling them) have changed in that there are now many more virtual workloads that need to be supported. The new way of developing applications also changed the communication needs from north-south to east-west (more on that later). But in the end, physical systems are a very relevant part of a data-center. It is our view that any network must support both virtual as well as physical systems and provide network services to both equally. Secure: ACI is built from the ground up with security and multi-tenancy in mind. Today's DC network has a default policy that allows end points (workloads) to communicate unless there is a specific configuration that forbids it. It is open from a security perspective. ACI fundamentally changes the security level as the default policy is to deny communication between end points (workloads) unless there is a specific policy that allows it. (Note: I’m specifically not mentioning more about security at this stage, there is a specific Security slide coming later). Open: Open is top of mind in many of our customers' conversations with us. Open protocols, open source, open programming interfaces etc… ACI is designed to be open. 
Open with regards to a single API that can be used to talk to ACI. Open with regards to the protocols used inside the ACI fabric, Open with regards to the eco-system and the protocol used to distribute policy (Note: I’m specifically not mentioning OpFlex at this stage yet, just want to set the scene for open, to have a more detailed follow-up conversation later in the presentation) OnPrem and Cloud: Of the 4 points this is the least tangible. Decide if you want to talk about this or not. ACI can be deployed on premises by enterprises and services providers. It is multi-tenant and secure. However we see ACI as the fabric foundation for cloud offerings. Cisco has introduced the Cisco Global Intercloud, an initiative to build the world's largest cloud of clouds, together with our service provider partners. The foundation for that is ACI. OnPrem and Cloud: A significant portion of customers have moved to Converged Stacks, and in the most recent Gartner Magic Quadrant, Cisco is represented in the leaders quadrant twice, with the Vblock and FlexPod offerings. Both of these converged stacks will announce ACI versions of their stacks in the 2H 2014.
  • #18: And finally the Application Services Fabric hosts a catalog of application services. Focused on five major areas: Security, Identity and Access Mgmt, Availability, Mobility, and Performance
  • #52: to meet with F5 technical experts and watch live solution demos