Service Insertion with ACI using F5 iWorkflow
Gert Wolfis, F5 EMEA Cloud SE
October 2016
Agenda
• F5 and Cisco ACI Joint Solution
• Cisco ACI L4 –L7 Service Insertion Overview
• F5 and Cisco ACI Integration Models
• F5 BIG-IP Integrate with Cisco ACI as Unmanaged Device
• F5 iWorkflow and Cisco ACI Integration Update
F5 and Cisco ACI Joint Solution
© F5 Networks, Inc 4
Application Deployment is Difficult: Traditional Network Service Insertion Challenges
• Configure router to steer traffic to/from load balancer
• Configure network to insert firewall
• Configure firewall rules as required by the application
• Configure vFW to protect virtualized app tier
• Configure load balancer as required by the application
• Configure switches for L2 connectivity
Service insertion takes days
Network configuration is time consuming and error prone
Difficult to track configuration on services
[Figure: Service Insertion in Traditional Networks; traffic path User, Router, FW, LB, Router, Switch, vFW]
Building Blocks of ACI: How does ACI accelerate application deployments?
[Figure: Application Centric Infrastructure building blocks: Controller, Policy Model, Nexus 9300 and 9500; an Application Network Profile for a traditional 3-tier application (FW, ADC; WEB, ACC, APP, DB)]
Policy Model Extended to L4-L7
• Application: a 3-tier application (WEB-APP-DB); this may use ADC and FW services
• End Point Group (EPG): grouping of application components
• Policy model: defines QoS, security, network, L4-L7 etc. to be applied to the EPG
What do L4-L7 Services in ACI mean?
Moving ADC parameters from vendor device to ACI is not the solution!
Cisco ACI L4 – L7 Service Insertion Overview
F5 and Cisco ACI Joint Benefits
• Automated L4-L7 application service insertion
[Figure: ACI Fabric (data plane, control plane, management plane) alongside the F5 Synthesis Fabric (Virtual Edition, Appliance, Chassis), with programmability via iRules / iApps / iControl and the F5 Device Package for APIC]
• Preserves richness of the F5 Synthesis offering; ease of integration due to rich programmability
• Existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI
• Maintains operational best practices and offers faster provisioning of workflows
• Accelerated application deployments with scalable L4-L7 services
• Application agility and significant reduction in operating costs
ACI Service Automation through the Device Package
[Figure: the F5 Device Package (configuration model XML file plus Python scripts) sits between the APIC Policy Manager (policy engine, APIC script interface) and the BIG-IP (script engine)]
• A provider administrator can upload a Device Package
• APIC provides an extendable policy model through the Device Package
• The Device Package contains an XML file defining the device configuration model
• Device scripts translate APIC API callouts into device-specific callouts
• F5 has a rich programmability foundation, which makes it easier to integrate with Cisco APIC
F5 Service Insertion
[Figure: external users in EPG EXT consume, web servers in EPG WEB provide; the contract between them carries a service graph (start, stage 1 ... stage N, end) whose function nodes are a firewall and an ADC virtual server; BIG-IPs are concrete devices in a logical device cluster]
• The web farm provides services to external users; the policy contract defines the relationship between the web farm and the users
• Users are assigned to EPG EXT and the web farm is assigned to EPG WEB; users access the web servers
• Service graph insertion happens at the policy contract subject level
• A service graph contains function nodes; the virtual server is a function node
• F5 BIG-IPs are concrete devices belonging to a logical device cluster, which enables the ADC as a function node within a service graph
F5 and Cisco ACI Integration Models
F5 and Cisco ACI Integration Models
[Figure: BIG-IP (Virtual Edition, Appliance, Chassis) attached to the ACI Fabric in four ways; iWorkflow sits between APIC and BIG-IP in Option C]
• Option A1: EPG mode, NOT using a service graph; BIG-IP NOT managed by APIC
• Option A2: Unmanaged mode, USING a service graph; BIG-IP NOT managed by APIC
• Option B: Service insertion using the F5 static device package
• Option C: Service insertion using the F5 iWorkflow dynamic device package (*)
* F5 direction for Cisco ACI L4-L7 service insertion
F5 BIG-IP Integrate with Cisco ACI as Unmanaged Device
EPG / Unmanaged Mode (Options A1 and A2)
• Define connectivity to the ACI Fabric
• No service insertion
• No device package
• BIG-IP device is not provisioned/managed through APIC
Difference between EPG and Unmanaged Mode
EPG Mode (Option A1):
• No service graph representation
• Manual binding of VLANs, binding contracts to EPGs
• Manual configuration to steer traffic: one application tier -> chain of L4-L7 service devices -> another application tier
• Two contracts (EPG, C1, EPG, C2, EPG)
Unmanaged Mode (Option A2):
• Service graph representation
• Automatic binding of VLANs and contracts
• Automatically steers traffic: one application tier -> chain of L4-L7 service devices -> another application tier
• One contract carrying the service graph (EPG, contract with service graph, EPG)
Why Choose Option A (EPG / Unmanaged)?
• ACI deployment in phases, L4-L7 integration at a later time
• Attach F5 BIG-IP as you do today, continue with the existing model
• No feature parity
• ACI goes into production tomorrow, and L4-L7 was only thought of today
What am I missing out on by not using ACI service insertion?
• L4-L7 automation and orchestration: agility and consistency
• Automatic service chaining and VLAN management
• Dynamic endpoint attach and detach
• End-to-end L2-L7 application requirements built into ACI policy
• Not taking full advantage of the SDN programmability potential
• Business as usual: highly complex and error prone
F5 iWorkflow and Cisco ACI Integration Update
Differences: Option B and Option C
Option B, F5 static device package:
• Obtained from http://downloads.f5.com
• Fixed set of BIG-IP parameters configurable
• Does not support adding more feature functionality on BIG-IP than present in the basic load balancing device package
• Not based on iApps templates
• LTM module support
Option C, F5 dynamic device package:
• Generated from F5 iWorkflow
• Customized set of BIG-IP parameters configurable
• Through iApps there is support to add as many features to the BIG-IP as the iApps can support
• Based on iApps templates
• LTM/ASM/AFM/APM modules can be supported
F5 iWorkflow 2.0.0 with Cisco ACI Dynamic Device Package for ACI L4-L7 Service Insertion
• True alignment with the Cisco ACI vision, where application requirements are built into ACI L4-L7 service functions
• Using F5 iWorkflow and iApps technologies, administrators can customize the L4-L7 parameters exposed into ACI
• ACI L4-L7 service insertion benefits: dynamic VLAN management, automatic traffic redirection, dynamic endpoint attach/detach
• Highly programmable solution that focuses on workflow automation and orchestration
iWorkflow iApps
iApps Automated Deployments
What are iApps?
An iApp is an application-centric configuration template:
• The user answers a few questions about deploying an application
• The iApp translates the answers into a set of configuration options
• iApps can touch almost all BIG-IP functionality
  • iRules, profiles, monitors, security policies, and much more
• There are many F5-provided iApps
  • HTTP, SharePoint, Exchange, VMware View, ...
• Users can build their own iApps
Object-Based Networking versus SDAS: Application-Based Networking
[Figure: on the left, a flat inventory of BIG-IP objects (virtual servers, pools, monitors, profiles, policies, iRules): email/vpn/intra/.com/www virtual servers and pools, HTTP/SSL/ftp profiles, OWA/HTTP/Oracle/POP3 monitors and iRules such as OWA Accel, SSO, intra access, HTTP Redirect, OWA Append, Weak Encrypt Redirect, Content Type Redirect and HTTP Throttle; on the right, the same objects grouped per application (Exchange, Oracle, www.example.com, www.intranet.com)]
iWorkflow creates a catalog of iApp Templates
[Figure: per-application templates (Oracle, www.example.com, www.intranet.com, Exchange), each bundling its profiles, virtual server, pool, monitor and iRules, auto-generated by iWorkflow for private or public cloud data centers]
iWorkflow creates a catalog of iApp Templates (2)
• An Easy Button: use F5-developed iApps to rapidly deploy popular applications with verified and supported configurations.
• Standards Enforcement: iApps with strict updates enforce standards, reducing training and operational risk.
• App Orchestration: standardize your unique application deployments using iApps, iControl and iWorkflow.
• A Single View App: manage all application components in one place.
• An App Lifecycle Tool: unlike other template/wizard strategies, iApps are fully re-entrant and can manage the full lifecycle of the application.
iApps provide different values depending on application and organization.
iWorkflow in Practice
Deploy F5 iWorkflow Dynamic Device Package in ACI
[Figure: ACI Fabric, BIG-IP (Virtual Edition, Appliance, Chassis) in the F5 Synthesis Fabric, iWorkflow and the dynamic device package]
1. Import the iApps template into BIG-IP
2. BIG-IP exposes the iApps to iWorkflow during device discovery by iWorkflow
3. In the iWorkflow Cloud Catalog, the admin creates an application template based on the iApps
4. iWorkflow creates a custom device package based on the catalog
5. The admin imports the BIG-IQ device package into APIC
6. When the graph is deployed, APIC sends the iApps config to iWorkflow, and iWorkflow deploys the iApps virtual server on BIG-IP
F5 iApps config as sent by APIC (the slide shows the payload cut off after the second parameter; the braces are closed here so the fragment parses):
```python
{'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {
    (5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'},
    (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'},
}}
```
F5 iWorkflow Device Package Supported Features
Operational
• Supports any BIG-IP physical and virtual form factor running
• Does not require any new module installation on the BIG-IP
• BIG-IP is licensed and out-of-band management is configured prior to APIC integration
• Supports the BIG-IP Active/Standby high availability model per APIC logical device cluster
Features
• Chassis Manager: vCMP (Virtualized Clustered Multiprocessing) HA
  • Prerequisite: vCMP guests already deployed
  • Allows the user to specify a unique vCMP host for each vCMP guest
  • vCMP guests: Active/Standby
• Supports dynamic endpoint attach and detach notifications
• True multi-tenancy
  • Tenant + VRF on ACI => Partition + Route Domain on BIG-IP
  • Service Graph on ACI => Virtual Server on the BIG-IP
• Device package dynamically generated by iWorkflow
• Device Manager: F5 iWorkflow HA
  • Prerequisite: iWorkflow already in HA (Active/Active/Active)
  • Allows the user to specify 3 iWorkflows through APIC
• Supports iWorkflow validated workflows using iApps
iWorkflow HA: Device Manager Workflow
1. Create Device Manager Type
2. Create Device Manager
3. Associate the Device Manager to the cluster inside the LDev Cluster
Deploy F5 Virtual Server using iApps in ACI using iWorkflow: a True Application-Centric Approach Aligned with the Cisco ACI Vision
• F5 iWorkflow can templatize the F5 virtual server configuration using iApps, based on application-specific requirements
• The F5 virtual server template is shown in ACI as an L4-L7 service function; only tenant-editable parameters are exposed in ACI
• A full-featured F5 virtual server is deployed in BIG-IP through ACI by iWorkflow, based on application-specific requirements
• F5 iWorkflow focuses on workflow automation in application deployment
[Figure: template parameters classified as F5 Default, Custom Default and Tenant Editable, flowing from iWorkflow through Cisco ACI to F5 BIG-IP]
• Multiple virtual servers for different applications in different BIG-IP partitions/APIC tenants, sharing the same device
• The partition created by APIC inside BIG-IP is named with the prefix "apic_" followed by the tenant id, i.e. apic_<tenant-id> (for example apic_5437)
• F5 demonstrates true multi-tenancy using a different partition for each tenant in APIC
• Each partition is assigned an individual route domain for L3 separation
• Virtual servers created by APIC inside BIG-IP are named apic_<tenant-id>_<graph> (for example apic_5437_3456)
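As an added example (not F5's or Cisco's code), the Python below sketches what a device-manager-side script might do with a payload shaped like the iApps config fragment shown earlier, together with the apic_<tenant-id> / apic_<tenant-id>_<graph> naming convention just described: flatten the parameters, derive the BIG-IP object names, and reject out-of-range tenant-editable values before anything is pushed to the BIG-IP. Reading the tuple keys as (type, class, instance) and the validation rules are assumptions; only the naming convention and the sample values come from the slides.

```python
import ipaddress

# Constructed sample in the shape of the APIC -> iWorkflow config fragment on the
# slide. Reading the keys as (type, class, instance) tuples is an assumption;
# each record holds state/transaction/ackedState plus a 'value' that is either
# a leaf string or a nested dict of further records.
SAMPLE_CONFIG = {
    'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {
        (5, 'DestinationNetmask', 'Netmask1'): {
            'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'},
        (5, 'DestinationPort', 'port1'): {
            'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'},
    },
}

def flatten_params(node, prefix=()):
    """Walk nested 'value' records; return {'Class/instance[/...]': leaf value}."""
    value = node.get('value')
    if not isinstance(value, dict):
        return {'/'.join(prefix): value}
    flat = {}
    for (_type, cls, inst), child in value.items():
        flat.update(flatten_params(child, prefix + (cls, inst)))
    return flat

def bigip_names(tenant_id, graph_id):
    """Partition and virtual-server names APIC creates on BIG-IP (slide convention)."""
    partition = 'apic_%s' % tenant_id
    return partition, '%s_%s' % (partition, graph_id)

def validate_params(params):
    """Sanity-check tenant-editable values before they reach BIG-IP.
    Rules are assumed for this example: a valid IPv4 netmask, a port in 1..65535.
    Returns a list of problems; an empty list means the payload is acceptable."""
    problems = []
    for path, val in params.items():
        cls = path.split('/')[-2]  # class name precedes the instance name
        if cls == 'DestinationNetmask':
            try:
                ipaddress.IPv4Network('0.0.0.0/%s' % val)
            except ValueError:
                problems.append('%s: not a valid IPv4 netmask' % path)
        elif cls == 'DestinationPort':
            if not (str(val).isdigit() and 1 <= int(val) <= 65535):
                problems.append('%s: port out of range' % path)
    return problems
```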
F5 supports TRUE Multiple Graph Multiple Tenancy
[Figure: a single physical BIG-IP hosting Tenant A (APIC partition apic1234, Route Domain A), Tenant B (APIC partition apic2345, Route Domain B) and Tenant N (APIC partition apic7890, Route Domain N); in each tenant a Client EPG reaches App EPG 1 through Virtual Server 1 and App EPG 2 through Virtual Server 2]
F5 iWorkflow Software Compatibility Matrix
https://support.f5.com/kb/en-us/solutions/public/k/11/sol11198324.html
F5 iWorkflow 2.0.1
F5 BIG-IP release compatibility:
• 12.1.1: Supported
• 12.0.0: Supported
• 11.6.0 HF6: Supported
• 11.5.4 HF1: Supported
• 11.5.3 HF2: Supported
Cisco APIC release compatibility:
• 1.2(3h): Supported