Unleash the power of

Cisco ACI and F5

Synthesis for accelerated
application deployments
Paolo Pio Product Manager @ Cisco
Nicolas Mnant Solution Architect @ F5

Abstract
Ciscos Application Centric Infrastructure (ACI) and F5 Synthesis are focused on efficiently delivering
applications by taking a fabric-based approach to networking and services architectures. Cisco ACI is
designed to translate application requirements into services required for successfully deploying
applications in a simplified and automated fashion.
In this session, youll learn how F5 and Cisco technologies integrate and collaborate to enable IT to
execute on its strategic mission. Learn how:
Cisco ACI and F5 Synthesis SDAS can accelerate application deployment
Cisco ACI translates application requirements into network services by taking advantage of F5 SDAS
architectural components
Assure the performance, security and reliability of applications by taking advantage of applicationcentric network services
For Your
Reference

F5 Agility 2014

Agenda
F5 Synthesis Software Defined Application Services (SDAS) Overview
Cisco Application Centric Infrastructure (ACI) L4-7 Services Insertion
F5 BIG-IP and Cisco ACI Integration

Topologies
Terminologies
How does F5 BIG-IP integrate with Cisco ACI?
L4 SLB workflow

Key Takeaways
Q&A

F5 Agility 2014

F5 Synthesis
Overview

Applications
Impact on Data Center Architecture
MICRO-ARCHITECTURES

API DOMINANCE

Each service is isolated and requires

its own:

Proxies are used in emerging

API-centric architectures for:

Load balancing
Authentication / authorization
Security
Layer 7 Services
May be API-based, expanding
services required
More applications needing services

Service A

Service C

Service B

Service D

API versioning
Client-based steering
API Load balancing
Metering & billing
API key management
More intelligence needed in services

API v1

API v2

Evolution in Application Environment

F5 VISION
Agile
Development

Cloud and
DevOps

SDN and
Private Cloud

Speed, customerdriven, and quality of

app development

Accelerate time
to market

Software Defined
Data Centers

Applications
without constraints
Failed to Address:

Rapid deployment
network and operations
velocity

F5 Agility 2014

Cloud SLA and control

private network agility

L47 device sprawl and

application awareness

High-Performance Services Fabric

Programmability (iRule / iApp / iControl)

Data Plane

Virtual Edition

Network
F5 Agility 2014

Control Plane

Appliance

Management Plane

Chassis

[Physical Overlay SDN]

7

f5 Synthesis
High-Performance Services
Fabric

Simplified
Business Models
New licensing models
Easy to procure
Save by purchasing bundles

F5 Agility 2014

F5 and Cisco ACI Joint Solution Benefits

Automated layer 4-7 application service
insertion, policy updates, and optimization
within the ACI-enabled fabric with BIG-IP
Preserves richness of F5 Synthesis offering
through policy abstraction

F5 DEVICE PACKAGE
FOR APIC

APIC

Accelerated application deployments with

reliability, security and consistent scalable
network and L4-L7 services - Existing F5
HW/SW, topologies integrate seamlessly with
Cisco ACI

ACI Fabric

Programmability (iRule / iApp / iControl)

Management Plane
Control Plane
Data Plane
F5 SYNTHESIS FABRIC

Virtual Edition

F5 Agility 2014

Appliance

Chassis

Application agility using policy driven application

delivery approach to significantly reduce
operating costs - provisioning workflows is
efficient and faster while maintaining
operational best practices across multiple
teams
9

Cisco Application Centric

Infrastructure (ACI)

Application Provisioning in Todays Data Centers

App x

App y

App z

TENANT (HR)

TENANT (FINANCE)

L4-L7

L4-L7

NETWORK CONNECTIVITY
COMPUTE + VM

NETWORK CONNECTIVITY
COMPUTE + VM

STORAGE

STORAGE

L4-L7

L4-L7

NETWORK CONNECTIVITY

App q

COMPUTE + VM

STORAGE

STORAGE

L4-L7

L4-L7

NETWORK CONNECTIVITY
COMPUTE + VM

App r

Time to operationalize
purchased assets is longer
due to inefficient provisioning

NETWORK CONNECTIVITY

COMPUTE + VM

STORAGE

F5 Agility 2014

App p

Lacks application agility requires provisioning across

different layers by different
organizations

NETWORK CONNECTIVITY
COMPUTE + VM
STORAGE

Longer time to deploy

Applications with scale
and security
Harder to achieve
application elasticity
11

Traditional Network Service Insertion

Challenges
Router

Configure Network to
insert Firewall

FW

Configure firewall
network parameters
Configure firewall rules as
required by the application

Router
LB

Configure Load Balancer

Network Parameters

Switch

Configure Router to steer

traffic to/from Load Balancer

vFW

Server

Service Insertion In traditional Networks

Configure Load Balancer as

required by the application

Service insertion
takes days
Network configuration
is time consuming
and error prone
Difficult to track
configuration on
services

Application Centric Infrastructure

Using the Language of Apps in the Network
F5 Device package
for APIC

Application Agility Any where, Any

time, Physical and Virtual
Rapid Deployment of Applications
with Scale and Security
Application-centricity to Visibility
and Troubleshooting
Open Source Application Policies

Physical
Networking

Hypervisors
and Virtual
Networking

Compute

L4L7
Services

Storage

Multi DC
WAN & Cloud

BIG-IP
Physical and or Virtual

Common Operational Model

through Open APIs

AGILITY: Any application, anywhere Physical and Virtual

common application network profile

Traditional
3-Tier
Application

F/W
ADC

WEB

APP

ADC

WEB WEB WEB

APP APP APP

DB
DB

DB

DB

SLA
Extensible Scripting Model
QoS

APPLICATION
NETWORK PROFILE

CONNECTIVITY
POLICY

DB

QOS
BANDWIDTH
RESERVATION
AVAILABILITY

Security
SECURITY
POLICIES

Load
Balancing
APPLICATION
NETWORK PROFILE

HYPERVISOR

WEB

WEB

HYPERVISOR

WEB

HYPERVISOR

APP

14

WEB APP WEB

DB

APPLICATION
L4-L7
SERVICES

DB

STORAGE AND
COMPUTE

Goals of APIC Service Insertion and Automation

Configure and Manage VLAN allocation for service insertion

Configure the network to redirect traffic through service device

Configure network and service function parameters on service device

F5 Agility 2014

15

Service Graph Definition

Functions rendered on the same device

Service Graph: web-application

Func:
Firewall
Terminals
Firewall params
Permit ip tcp * dest-ip <vip> dest-port 80
Deny ip udp *

Func:
SSL offload
Connectors

A Service Graph can be defined through GUI,

CLI or through APIC API

A function has one or more connectors

Network connectivity like VLAN tag is assigned
to these connectors
16

F5 Agility 2014

Terminals

SSL params
Ipaddress <vip> port 80

Service graph is an ordered set of functions between

a set of terminals

Func:
Load Balancing

Load-Balancing params
virtual-ip <vip> port 80
Lb-aglorithm: round-robin

A function within a graph may require one or more

parameters
Parameters can be scoped by an EPG or an application
profile or tenant context
Parameters could also be assigned at the time of defining
a service graph. Parameter values can be locked from
further changes

16

Application Policy Example

dB Contract
APP
APP APP APP

EPG - APP

Consumes

MSSQL: Accept
MySQL: Accept
HTTP: Accept, Count

Provides

DB
DB

DB

DB

EPG - DB

Contract

Filter

Named collection of L4 port ranges

HTTP = [80, 443]
MSSQL = [1433-1434]
MySQL = [3306, 25565]
DNS = [53, 953, 1337, 5353]

17

F5 Agility 2014

Action

What action or actions to take on packet

Accept
Service Insert

17

APIC L4 L7 Service Integration

TENANT (HR)

Traditional
3-Tier
Application

F/W
ADC

WEB

ADC

WEB WEB WEB

APP
APP

APP

APP

DB
DB

DB

DB

APPLICATION
NETWORK PROFILE

APPLICATION PROFILE (3 TIER APP)

EPGS ARE DEFINED HERE

End Point Group (EPG) collection of bare metal servers, VMs, vNIC
Ex: WEB EPG - all web servers (bare metal or VMs) are grouped into this EPG
Ex: APP EPG - all APP servers (bare metal or VMs) are grouped into this EPG

NETWORKING POLICY

(CONNECTIVITY FOR THE TENANT L2-L3)

SECURITY POLICY

(POLICY DECISION IS DONE HERE)

FILTERS WHICH EPG CAN TALK TO WHICH OTHER EPG
TRAFFIC STEERING WHICH EPGS NEEDS SERVICE
SERVICES

Contract services between the WEB and APP EPG (web graph, HTTP graph)
Graph can be single graph or muti graph
Ex: APP is a provider and WEB is the consumer
Define services within a contract: FW, ADC in this example ADC defined

TROUBLESHOOTING POLICY
SPAN, ERSPAN ETC

MONITORING POLICY
(EVENTS, SNMP ETC)

L4-L7 SERVICES POLICY

(CREATION OF A GRAPH IS DONE HERE)

F5 Agility 2014

Service Graph (Ex: WEB graph utilizes L4 SLB)

Device cluster

18

F5 BIG-IP
Integration with
Cisco ACI

Topology Consistency
Core/Aggregation/Access model 1 ARM mode + HA pair

For Your
Reference

Users can transition to

Cisco ACI seamlessly
from BIG-IP 1 ARM +
HA topologies within
Nexus 7000 and Nexus
9000 standalone
deployment
Standby

Active
Active

Standby

Nexus 7000 / Nexus 5000 / Nexus 2000

Nexus 9000 Standalone

Topology Consistency
Core/Aggregation/Access model 2 ARM mode + HA pair

Active

Standby

Standby

Active

Users can transition to

Cisco ACI seamlessly
from BIG-IP 2 ARM +
HA topologies within
Nexus 7000 and Nexus
9000 standalone
deployment

Nexus 7000 / Nexus 5000 / Nexus 2000

For Your
Reference

Nexus 9000 Standalone

Cisco ACI Architecture

BIG-IP 1 ARM and 2 ARM + HA
APIC

External /
Internal

Active

1 ARM mode + HA pair

BIG-IP connects to any iLeaf in ACI

topology independent of iLeaf
location

External /
Internal

Standby

APIC

External

Internal

Active

External

Standby

2 ARM mode + HA pair

Internal

Service Automation Through Device Package

Open DevicePackage

APIC

Configuration Model (XML File)

Policy
Engine

APIC provides extendable policy model through

Device Package

Python Scripts

APIC Policy Manager

Configuration Model

Device Package contains XML file defining Device

Configuration Model
Provider Administrator can upload a Device Package

Script Engine
APIC Script Interface
Python Scripts
APIC Script Interface

F5 Agility 2014

Device scripts translates APIC API callouts to device

specific callouts

23

Understanding Device Package

APIC requires a Device Package to configure and monitor a service devices. A device
package manages a class of service devices
A Device Package is a zip file containing two parts
Device Specification

Device Script

Is an XML file that defines

The integration between the APIC and a Device is

performed by a Device Script

Functions provided by a device Like Load Balancing,

Content-Switching, SSL termination etc
Parameters required for configuring each function
Interfaces and Network connectivity information for each
function
EPG level L4-L7 config
XML / REST
API

24

F5 Agility 2014

APIC

Service Graph
Function Node level
L4-L7 config

APIC events are mapped to function calls defined

in Device Script

iControl

Python
Device
Package

BIG-IP
Physical or
VE

24

Device Package: Function Profiles

Function Profiles are XML schema and function very much like iApp, user
can define new function profiles where it can be imported to the service graph
Function Profiles can be:

Click to configure L4L7 Service Node

Configurations

WebProfile
HTTPS
Application-1

Device Package: User Defined (Future)

Cisco APIC and F5 APIs are open, user can defined its own device package,
for example, adding other F5 modules like Access Policy Manager (APM) or
Application Security Manager (ASM), and have it incorporated with F5 LTM
device package in the same service graph.
User Defined
Device Package

To Consumer
EPG

F5 Agility 2014

F5 BIG-IP
ASM

F5 Provided
Device Package

F5 BIG-IP
LTM

To Provider
EPG

26

Use cases
Functions
Virtual Server
Layer 4 Server Load balancing

Layer 4 SLB with SSL offload

Layer 7 Server Load balancing

Layer 7 SLB with SSL offload

Microsoft SharePoint

Parameters under Virtual Server

Configuring Global and Tenant Self IP addresses
Configuring Global and Tenant static routes
Device Counters
Server Pools
TCP Optimizations (WAN/LAN/Mobile)
HTTP optimization
HTTP Security (Application protocol security)
TCP connection multiplexing (One Connect)
Validators and Creation of tenant OneConnect
profiles
iRules
Validators and Creation of tenant acceleration
profiles
SNAT Pool management

More than 80% of F5 customers use the L4 SLB / L7 SLB / MSFT SharePoint / SSL offload hence 1st release targets these use cases

27

F5 Agility 2014

27

Reference Material

For Your
Reference

F5 SDAS and Cisco ACI Solution Briefhttp://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/unified-fabric/solutionbrief-c22-730004.html

Cisco Application Policy Infrastructure Controller (APIC)
http://www.cisco.com/c/en/us/products/cloud-systems-management/application-policy-infrastructure-controller-apic/index.html

F5 BIG-IP LTM and Cisco ACI Integration white paper Coming Soon !

Cisco Validated Design (CVD) on F5 BIG-IP LTM and Nexus 9000 (Standalone) Coming Soon !

Follow us on Twitter @CiscoDC -> Official Cisco Channel, @f5Networks Official F5 Networks Channel

28

F5 Agility 2014

28

Key Takeaways
F5 Software Defined Application Services (SDAS) vision perfectly aligns
with Ciscos Application Centric Infrastructure
How Cisco ACI solves network services insertion challenges
F5 BIG-IP automated integration into Cisco APIC
Cisco ACI integration into existing F5 BIG-IP LTM deployments
Key benefits of BIG-IP / ACI model:

F5 Agility 2014

Multi-Tenancy, Multi-Graph Support

Use Case Focus
Automation Ready
Application level visibility and monitoring
29

30

Tenancy Model

31

Terminology: APIC Tenant / BIG-IP Partition

Tenant is a container for
policies, where the primary
elements that the tenant
contains are: filters, contracts,
bridge domains and application
profiles that contain EPGs
An ACI tenant will be
represented as a partition
within BIG-IP

A function node identifies a set of

network service functions that are
required by an application
A function node within a service
graph will be represented as a
Virtual Server within BIG-IP

F5 Agility 2014

32

Multiple Graph
Single Tenant
Multiple Virtual Servers for
different applications in the
same BIG-IP partition/APIC
Tenant, sharing the same
device

APIC partition:
apic1234
Route Domain A

Virtual Server 1

App EPG
1

Virtual Server 2

App EPG
2

Client EPG

Single BIG-IP
physical / virtual
instance

Virtual Servers created by APIC

inside BIG-IP is prefixed by the
APIC and partition number,
Since routing domain tied to
partition, F5 demonstrate true
multi-tenancy

F5 Agility 2014

33

F5 supports TRUE
Multiple Graph
Multiple Tenancy
Multiple Virtual Servers for
different applications in the
different BIG-IP
partitions/APIC Tenants,
sharing the same device

Tenant N

Route Domain N

Tenant B

Client EPG

Tenant A
Client EPG

Virtual Servers created by

APIC inside BIG-IP is prefixed
by the APIC partition number,
Since routing domain tied to
partition, F5 demonstrate true
multi-tenancy
Scalability is based on BIG-IP
APIC : 64k tenants
BIG-IP : 128 partitions
F5 Agility 2014

APIC partition:
apic7890

App
EPG 1

Virtual
APIC partition:
Server 1
apic2345
Route Domain B

VirtualVirtual
APIC partition:
Server
2
apic1234
Server
1

App App
2
EPG EPG
1

Route Domain A

Virtual
Virtual
Server
2
Server
1

App App
EPG 1
EPG 2

Client EPG

Virtual
Server 2

App
EPG 2

Single BIG-IP physical /

virtual instance
34

Terminology: APIC Service Graph Config / BIG-IP LTM Config

APIC Service Graph Function Node Config

Parameters, for example, web pool, will be
pushed from APIC to BIG-IP
In this example, BIG-IP populates Pools
configuration from APIC.
Parameters that are optimized for L4 SLB
(similar to iApp) will be pre-configured and
automatically populated in BIG-IP

F5 Agility 2014

35

Mixed Mode Support

Client
EPG

APIC

Contract:
Including L4-L7
services

Server
EPG

Client
EPG

Contract

BIG-IP
Ext
EPG

BIG-IP
Int
EPG

Contract

Server
EPG

APIC Partition

BIG-IP created Partition:

Configuration pushed and populated

by APIC. User does not modify this
partition. APIC will perform L4-L7
service insertion on this partition.

User can continue to use partition created by BIG-IP, they

appeared as separate EPG to APIC. Network functionality will
be managed by APIC through the Fabric, where L4-L7 will be
managed by BIG-IP. User can continue to use custom iApp and
iRules in this scenario.

Common Partition
User can define custom iRules under Common partition and they can be called by APIC,

BIG-IP Physical or Virtual

F5 Agility 2014

36

Monitoring
APIC can provide EPG level
atomic counters on the Function
Node (F5 BIG-IP)

User will continue to use

BIG-IP to monitor LTM
specific monitors as before

F5 Agility 2014

37

Bring it all together: Multi-Tenant/Multi-Graph SLB use case

4 4

Internet

Internet
EPG
Web

EPG
App

EPG
Web

EPG
App

2
3
Client IP
172.16.1.10

38

F5 Agility 2014

Tenant A
10.10.1.2:80 10.10.1.2
10.10.1.3:80 10.10.1.3
10.10.1.4:80 10.10.1.4

3
Tenant B
10.10.1.2:80 10.10.1.2
10.10.1.3:80 10.10.1.3
10.10.1.4:80 10.10.1.4

Client IP
173.17.1.10

38

Workflow: Multi-Tenant / Multi-Graph L4 SLB use case

Steps to integrate F5 BIG-IP into ACI:
1. Install F5 device package
2. Create logical device cluster
3. Add concrete devices (BIG-IP physical or virtual) to device cluster
4. Map logical interfaces (external and internal) to physical interfaces
5. Export device cluster to other tenants (multi-tenancy)
6. Create service graph (1) using F5 BIG-IP as function node
7. Create service graph (2) using the same BIG-IP as function node (multi-graph)
8. Assign service graph to contracts
* Prior to integrate F5 BIG-IP into ACI, user should configure tenants (application profiles / networking / security policies) and
VM Networking (if necessary)