Service Insertion With ACI Using F5 - Cisco

Transcription

Service Insertion with ACI using F5 iWorkflow
Gert Wolfis, F5 EMEA Cloud SE
October 2016

Agenda
- F5 and Cisco ACI Joint Solution
- Cisco ACI L4-L7 Service Insertion Overview
- F5 and Cisco ACI Integration Models
- F5 BIG-IP Integrate with Cisco ACI as Unmanaged Device
- F5 iWorkflow and Cisco ACI Integration Update

F5 and Cisco ACI Joint Solution

Application Deployment is Difficult: Traditional Network Service Insertion Challenges
Service insertion in traditional networks (diagram: User, Router, FW, Router, LB, Switch, vFW):
- Configure the network to insert a firewall
- Configure firewall rules as required by the application
- Configure the router to steer traffic to/from the load balancer
- Configure the load balancer as required by the application
- Configure switches for L2 connectivity
- Configure the vFW to protect the virtualized application tier
Result: service insertion takes days, network configuration is time consuming and error prone, and it is difficult to track the configuration on the service devices.
F5 Networks, Inc

How does ACI accelerate Application Deployments?
Building blocks of ACI (diagram: Application Network Profile, Controller, Policy Model, Nexus 9300 and 9500, F5 BIG-IP as Virtual Edition, Appliance and Chassis; the policy model is extended to L4-L7):
- Application: a 3-tier application (WEB-APP-DB); this may use ADC and FW services
- End Point Group (EPG): grouping of application components
- Policy model: defines QoS, security, network, L4-L7 etc. to be applied to an EPG

What do L4-L7 Services in ACI mean?
Moving ADC parameters from the vendor device to ACI is not the solution!

Cisco ACI L4-L7 Service Insertion Overview

F5 and Cisco ACI Joint Benefits
- Automated L4-L7 application service insertion (F5 Device Package for APIC)
- Accelerated application deployments with scalable L4-L7 services
- Preserves the richness of the F5 Synthesis offering; ease of integration due to rich programmability (iRules / iApps / iControl)
- Existing F5 physical and virtual appliances and topologies integrate seamlessly with Cisco ACI
- Maintains operational best practices and offers faster provisioning of workflows
- Application agility and significant reduction in operating costs
(Diagram: ACI Fabric and F5 Synthesis Fabric (Virtual Edition, Appliance, Chassis) across the data plane, control plane and management plane.)

ACI Service Automation through the Device Package
The F5 Device Package contains:
- a configuration model (XML file)
- Python scripts
On the APIC side: policy manager, policy engine and script engine; the APIC script interface invokes the package's Python scripts.
- APIC provides an extendable policy model through the device package
- The device package contains an XML file defining the device configuration model
- A provider administrator can upload a device package
- The device scripts translate APIC API callouts into device-specific callouts to the BIG-IP
- F5 has a rich programmability foundation, which makes it easier to integrate with Cisco APIC

F5 Service Insertion
- The web farm provides services to external users; a policy contract defines the relationship between the web farm and the users
- Users are assigned to EPG EXT (consumer); the web farm is assigned to EPG WEB (provider); the users access the web servers
- The service graph is inserted at the policy contract subject level
- A service graph contains function nodes (stage 1 ... stage N, for example a firewall); the virtual server is a function node (ADC: Virtual Server)
- F5 BIG-IPs are concrete devices that belong to a logical device cluster, which enables the ADC as a function node within a service graph

F5 and Cisco ACI Integration Models

F5 and Cisco ACI Integration Models
(Diagram: ACI Fabric with BIG-IP Virtual Edition, Appliance and Chassis, and iWorkflow.)
- Option A1: EPG mode, NOT using a service graph (BIG-IP not managed by APIC)
- Option A2: Unmanaged mode, USING a service graph (BIG-IP not managed by APIC)
- Option B: Service insertion using the F5 static device package
- Option C: Service insertion using the F5 iWorkflow dynamic device package (* F5 direction for Cisco ACI L4-L7 service insertion)

F5 BIG-IP Integrate with Cisco ACI as Unmanaged Device

F5 and Cisco ACI Integration Models: EPG / Unmanaged Mode (Options A1 and A2)
- Option A1: EPG mode, NOT using a service graph
- Option A2: Unmanaged mode, USING a service graph
In both options the BIG-IP is not managed by APIC: you define the connectivity to the ACI fabric, there is no service insertion and no device package, and the BIG-IP device is not provisioned or managed through APIC.
(For comparison: Option B is service insertion using the F5 static device package; Option C is service insertion using the F5 iWorkflow dynamic device package.)

Difference between EPG and Unmanaged Mode
EPG Mode (Option A1):
- No service graph representation
- Manual binding of VLANs and manual binding of contracts to EPGs
- Manual configuration to steer traffic from one application tier, through a chain of L4-L7 service devices, to another application tier
- Two contracts: EPG -C1- EPG -C2- EPG
Unmanaged Mode (Option A2):
- Service graph representation
- Automatic binding of VLANs and contracts
- Traffic is steered automatically from one application tier, through a chain of L4-L7 service devices, to another application tier
- One contract with the service graph attached: EPG - contract + service graph - EPG

Why Choose Option A (EPG / Unmanaged)?
- ACI deployment in phases, L4-L7 integration at a later time
- Attach F5 BIG-IP as you do today and continue with the existing model
- No feature parity
- ACI goes into production tomorrow, you just thought of L4-L7 today
What am I missing out on by not using ACI service insertion?
- L4-L7 automation and orchestration: agility and consistency
- Automatic service chaining and VLAN management
- Dynamic endpoint attach and detach
- End-to-end L2-L7 application requirements built into ACI policy
- Not taking full advantage of the SDN programmability potential
- Business as usual: highly complex and error prone

F5 iWorkflow and Cisco ACI Integration Update


Differences: Option B and Option C
Option B, F5 static device package:
- Obtained from http://downloads.f5.com
- Fixed set of BIG-IP parameters configurable
- Does not support adding more feature functionality on the BIG-IP than is present in the basic load balancing device package
- Not based on iApps templates
- LTM module support
Option C, F5 dynamic device package:
- Generated from F5 iWorkflow
- Customized set of BIG-IP parameters configurable
- Through the iApps there is support to add as many features to the BIG-IP as the iApps can support
- Based on iApps templates
- LTM/ASM/AFM/APM modules can be supported

F5 iWorkflow 2.0.0 with Cisco ACI: Dynamic Device Package for ACI L4-L7 Service Insertion
- True alignment with the Cisco ACI vision, where application requirements are built into ACI L4-L7 service functions
- Using F5 iWorkflow and iApps technologies, administrators can customize the L4-L7 parameters exposed into ACI
- ACI L4-L7 service insertion benefits: dynamic VLAN management, automatic traffic redirection, dynamic endpoint attach/detach
- Highly programmable solution that focuses on workflow automation and orchestration

iApps Automated Deployments

What are iApps?
An iApp is an application-centric configuration template:
- The user answers a few questions about deploying an application
- The iApp translates the answers into a set of configuration options
- iApps can touch almost all BIG-IP functionality: iRules, profiles, monitors, security policies, and much more
- There are many F5-provided iApps: HTTP, SharePoint, Exchange, VMware View, ...
- Users can build their own iApps

SDAS: Application Based Networking
(Diagram: object-based BIG-IP configuration for WWW.EXAMPLE.COM and WWW.INTRANET.COM, made of virtual servers (email VS, vpn VS, intra VS, .com VS, www VS), pools (email pool, vpn pool, intra pool), monitors (OWA, HTTP 1, Oracle, POP3), profiles (ftp, HTTP 1, HTTP 2, SSL 1, SSL 2), policies and iRules (OWA accel, HTTP redirect, SSO, OWA append, intra access, weak-encryption redirect, content-type redirect, HTTP throttle).)

iWorkflow creates a catalog of iApp Templates
(Diagram: iWorkflow catalog entries for Oracle, Exchange, WWW.EXAMPLE.COM and WWW.INTRANET.COM, deployed to private or public cloud and data centers; the virtual servers, pools, monitors, profiles and iRules (vpn VS, .com VS, intra VS, vpn pool, www pool, intra pool, Oracle monitor, HTTP monitor 1, HTTP profiles 1 and 2, SSL profile 2, ftp profile, weak-encryption redirect, content-type redirect, intra access, HTTP throttle) are auto generated.)

iWorkflow creates a catalog of iApp Templates (2)

iApps provide different values depending on the application and organization
- An App Lifecycle Tool: unlike other template/wizard strategies, iApps are fully re-entrant and can manage the full lifecycle of the application
- A Single View App: manage all application components in one place
- App Orchestration: standardize your unique application deployments using iApps, iControl and iWorkflow
- An Easy Button: use F5-developed iApps to rapidly deploy popular applications with verified and supported configurations
- Standards Enforcement: iApps with strict updates enforce standards, reducing training and operational risk

iWorkflow in Practice

Deploy F5 iWorkflow Dynamic Device Package in ACI
1. Import the iApps template into BIG-IP
2. BIG-IP exposes the iApps to iWorkflow during device discovery by iWorkflow
3. In the iWorkflow Cloud Catalog, the admin creates an application template based on the iApps
4. iWorkflow creates a custom device package based on the catalog
5. The admin imports the device package (labelled "BIG-IQ device package" on the slide) into APIC
6. When the graph is deployed, APIC sends the iApps config to iWorkflow, and iWorkflow deploys the iApps virtual server on BIG-IP
(Diagram: ACI Fabric, F5 iApps config, Dynamic Device Package, F5 Synthesis Fabric with Virtual Edition, Appliance and Chassis.)
Excerpt of the configuration dictionary APIC hands to the device package, cut off on the slide:
{'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {(5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'}, (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'

F5 iWorkflow Device Package Supported Features
Operational features:
- Supports any BIG-IP physical and virtual form factor
- Does not require any new module installation on the BIG-IP
- BIG-IP is licensed and out-of-band management is configured prior to APIC integration
- Supports the BIG-IP Active/Standby high availability model per APIC logical device cluster
- Supports dynamic endpoint attach and detach notifications
- Device package dynamically generated by iWorkflow
- Supports iWorkflow validated workflows using iApps
Chassis Manager, vCMP (Virtualized Clustered Multiprocessing) HA:
- Prerequisite: vCMP guests already deployed
- Allows the user to specify a unique vCMP host for each vCMP guest
- vCMP guests in Active/Standby
True multi-tenancy:
- Tenant VRF on ACI maps to a partition and route domain on BIG-IP
- Service graph on ACI maps to a virtual server on the BIG-IP
Device Manager, F5 iWorkflow HA:
- Prerequisite: iWorkflow already in HA (Active/Active/Active)
- Allows the user to specify 3 iWorkflows through APIC

iWorkflow HA: Device Manager Workflow
1. Create Device Manager Type
2. Create Device Manager
3. Associate the Device Manager to the cluster inside the LDevCluster (logical device cluster)

Deploy F5 Virtual Server using iApps in ACI using iWorkflow
True application-centric approach, aligned with the Cisco ACI vision:
- F5 iWorkflow can templatize the F5 virtual server configuration using iApps, based on application-specific requirements (parameter classes: F5 Default, Custom Default, Tenant Editable)
- The F5 virtual server template is shown in ACI as an L4-L7 service function; only Tenant Editable parameters are exposed in ACI
- A full-feature F5 virtual server is deployed in BIG-IP through ACI by iWorkflow, based on the application-specific requirements
F5 iWorkflow focuses on workflow automation in application deployment.

F5 supports TRUE Multiple Graph Multiple Tenancy
- Multiple virtual servers for different applications in different BIG-IP partitions / APIC tenants, sharing the same device
- The partition created by APIC inside BIG-IP is prefixed by "apic" followed by the tenant id, to represent the partition in F5 (for example: apic5437)
- F5 demonstrates true multi-tenancy using different partitions for each tenant in APIC
- Each partition has been assigned an individual route domain for L3 separation
- Virtual servers created by APIC inside BIG-IP are prefixed by "apic", the tenant id and the graph id (for example: apic 5437 3456, separators lost in transcription)
(Diagram: a single physical BIG-IP hosting APIC partitions apic1234 (Route Domain A), apic2345 (Route Domain B) and apic7890 (Route Domain N) for Tenant A, Tenant B and Tenant N; each partition holds Virtual Server 1 and Virtual Server 2 serving the Client EPG, App EPG 1 and App EPG 2.)
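The following is an added example in Python, not F5 or Cisco code, tying the two technical slides together: it walks a configuration dictionary of the shape shown on the "Deploy F5 iWorkflow Dynamic Device Package" slide (tuple keys of id, parameter key and instance name; per-entry state, transaction, ackedState and value) and renders tmsh-style BIG-IP commands that follow the partition, route-domain and virtual-server naming described on this slide. Everything not on the slides is an assumption and is marked as such in the code: the meaning of the state values (0 unchanged, 1 create, 2 modify, 3 destroy, the Cisco device-script convention; the slide only shows state 1), the underscore separator in generated names, the parameter key DestinationIPAddress and the wrapping (0, 'Function', 'Virtual') entry in the constructed sample, and the route-domain id, which the caller supplies because the slide only says each partition gets its own.

```python
"""Added example, not F5 or Cisco code: translate an APIC device-package
configuration dictionary into tmsh-style BIG-IP commands using the
apic<tenant-id> partition / apic<tenant-id>_<graph-id> virtual server naming.
Assumptions are marked ASSUMED in the comments."""
import ipaddress

# ASSUMED: state flag values follow the Cisco device-script convention.
# The slide excerpt only shows 'state': 1 (create).
STATE_UNCHANGED, STATE_CREATE, STATE_MODIFY, STATE_DESTROY = 0, 1, 2, 3
# ASSUMED: separator in generated object names; the slide shows "apic 5437 3456"
# with the separators lost in transcription.
SEP = "_"


def partition_name(tenant_id):
    """Partition APIC creates inside BIG-IP: 'apic' + tenant id (slide: apic5437)."""
    return f"apic{tenant_id}"


def virtual_server_name(tenant_id, graph_id):
    """Virtual server APIC creates: 'apic' + tenant id + graph id."""
    return f"apic{tenant_id}{SEP}{graph_id}"


def flatten(cfg, path=()):
    """Yield (path, state, value) for every leaf parameter.

    Keys are (id, key, instance) tuples; each entry is a dict with 'state',
    'transaction', 'ackedState' and 'value', where 'value' is either a scalar
    or a nested dict of the same shape (one nesting level per function/folder)."""
    for (_ident, key, inst), entry in cfg.items():
        node = path + ((key, inst),)
        value = entry.get("value")
        if isinstance(value, dict):
            yield from flatten(value, node)
        else:
            yield node, entry.get("state", STATE_UNCHANGED), value


def collect_params(cfg):
    """Split leaves into parameters to render and keys flagged for destruction."""
    params, destroyed = {}, set()
    for node, state, value in flatten(cfg):
        key = node[-1][0]
        if state == STATE_DESTROY:
            destroyed.add(key)
        elif state in (STATE_UNCHANGED, STATE_CREATE, STATE_MODIFY):
            params[key] = value
        else:
            raise ValueError(f"unknown state {state!r} for parameter {key}")
    return params, destroyed


def render_tmsh(cfg, tenant_id, graph_id, route_domain):
    """Return tmsh commands for one virtual server inside its tenant partition.

    ASSUMED: the key 'DestinationIPAddress' (the slide shows only
    DestinationNetmask and DestinationPort) and the caller-supplied route domain."""
    params, destroyed = collect_params(cfg)
    for required in ("DestinationIPAddress", "DestinationNetmask", "DestinationPort"):
        if required in destroyed:
            raise ValueError(f"{required} flagged for destruction; refusing a half-deleted virtual server")
        if required not in params:
            raise ValueError(f"{required} missing from APIC configuration")
    addr = ipaddress.ip_address(params["DestinationIPAddress"])
    if addr.version != 4:
        raise ValueError("only IPv4 destinations are handled in this example")
    # Validates the mask: a non-contiguous netmask raises NetmaskValueError here.
    ipaddress.IPv4Network((str(addr), params["DestinationNetmask"]), strict=False)
    port = int(params["DestinationPort"])
    if not 1 <= port <= 65535:
        raise ValueError(f"port {port} out of range")

    part = partition_name(tenant_id)
    vs = virtual_server_name(tenant_id, graph_id)
    cmds = [f"create auth partition {part}"]
    rd_suffix = ""
    if route_domain:  # route domain 0 is the BIG-IP default and needs no %rd suffix
        cmds.append(f"create net route-domain /{part}/{part}{SEP}rd id {route_domain}")
        rd_suffix = f"%{route_domain}"
    cmds.append(
        f"create ltm virtual /{part}/{vs} destination {addr}{rd_suffix}:{port} "
        f"mask {params['DestinationNetmask']} ip-protocol tcp"
    )
    return cmds


def leaf(value, state=STATE_CREATE):
    """Build one entry in the shape the slide excerpt shows."""
    return {"state": state, "transaction": 0, "ackedState": 0, "value": value}


# CONSTRUCTED sample modelled on the slide excerpt; the wrapping
# (0, 'Function', 'Virtual') entry and the IP address leaf are ASSUMED.
SAMPLE_CFG = {
    (0, "Function", "Virtual"): leaf({
        (5, "DestinationIPAddress", "IP1"): leaf("10.1.1.10"),
        (5, "DestinationNetmask", "Netmask1"): leaf("255.255.255.255"),
        (5, "DestinationPort", "port1"): leaf("80"),
    }),
}

if __name__ == "__main__":
    for line in render_tmsh(SAMPLE_CFG, 5437, 3456, 1):
        print(line)
```

The destroy check matters in practice: APIC sends the same dictionary shape on graph removal with the state flags changed, and a script that ignores the flag would happily re-create a virtual server that the tenant just deleted. The destination is written with the %rd suffix so that two tenants can reuse the same VIP address in their own route domains, which is the L3 separation the slide describes.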

F5 iWorkflow Software Compatibility (see ...blic/k/11/sol11198324.html)
F5 iWorkflow 2.0.1 with F5 BIG-IP:
- 11.6.0 HF6: Supported
- 11.5.4 HF1: Supported
- 11.5.3 HF2: Supported
Cisco APIC release compatibility:
- 1.2(3h): Supported
