Service Manager Mode

Transcript of Service Manager Mode

Page 1: Service Manager Mode
Page 2: Service Manager Mode
Page 3: Service Manager Mode
Page 4: Service Manager Mode

4 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

ACI Solution Overview

Page 5: Service Manager Mode

Customer Acceptance Continues $2.2B Run Rate for Cisco SDN Solutions

13,700+ 50+ 7,200+ Nexus 9K and Nexus 3K

Customers Globally Ecosystem Partners

ACI-Ready Customers

NEW ECOSYSTEM

Page 6: Service Manager Mode

* Cisco Global IT Impact Survey

Applications Are Changing

Type Consumption Delivery

78% The network is even more critical to delivering applications than a year ago*

Big Data, Distributed

Apps, Mobile

Cloud–public, Private, Hybrid

Anywhere, Anytime, Any

Device

Page 7: Service Manager Mode

Insieme Networks Vision

Page 8: Service Manager Mode

Foundation of ACI or Nexus 9000

SW Overlay Apps

Hypervisor and/or Container

Bare Metal

Orchestration/Automation

ACI

Page 9: Service Manager Mode

Automation and Programmability

Centralized Provisioning and Visibility

Simplification / Abstraction

App Agility

ACI

Page 10: Service Manager Mode

Different Teams–Different Languages

Application Language: Security – SLA – Dependency – Performance – Compliance – Tenants – Geo-dependency

Network Language: VLAN – IP Addressing – Subnet – Firewalls – QoS – ACL – Load Balancer

Page 11: Service Manager Mode

Service Profile

Network Policy

Storage Policy

Compute Policy

SIM Cards and Application Profiles

SIM Card: Identity for a Phone

Service Profile: Identity for Compute

Application Profile: Identity for the Network

Page 12: Service Manager Mode

Policy-Driven Integrated Infrastructure Answers Customers’ Request

1. Modernize Infrastructure: Open and Programmable
2. Automate and Simplify
3. Build Your Hybrid Cloud
4. Choose any Other Cloud
5. Move Data and Workloads Securely
6. Self-Service Portal (IT as a Service)
7. Extend Policy Model
8. Policy Everywhere
9. Security Everywhere
10. Analytics Everywhere

Diagram labels: Network / L4-7, Compute, Storage, Security; Data Center; POLICY; Private Cloud Stack; Integrated Infrastructure; Managed, Public, Private

Page 13: Service Manager Mode

Hybrid Cloud Orchestration

Page 14: Service Manager Mode

CliQr CloudCenter: Any App, Any Cloud, One Platform

Private Clouds

Datacenters

Public Clouds

Model

Manage

Deploy

Profile

NFS

Page 15: Service Manager Mode

Working Together: End-to-End Orchestration

Business (ITSM): Prime Service Catalog, ServiceNow, Custom

Development (DevOps): CliQr, Jenkins

Application-Centric Lifecycle Management

Model Benchmark Deploy Manage

Application Profiles

UCS Director ACI

Nexus Switching Storage UCS

Datacenter Private Cloud Public Cloud Profile Profile

Hyper-V

Page 16: Service Manager Mode

Cisco Tetration Analytics™

Page 17: Service Manager Mode

Tetration: Real-Time Analytics

Long-term Forensics and Auditing

Application Dependency Mapping

Automated Whitelist Policy Generation

Policy Compliance and Auditability

Policy Simulation and Impact Assessment

Forensics (example: flow search and flow anomaly)

Real-time analytics: <= 10 Minute Actionable Insight

Pervasive Sensors: Network and Host

NX-OS

Page 18: Service Manager Mode

Automate the Migration to ACI or CliQr

App Level Policy Enforcement / Visibility

Self-documenting Network

Real-time Change Notification

Real Time

Data Network Policy

App Policy Tetration

Page 19: Service Manager Mode

Insieme Networks Vision

Page 20: Service Manager Mode

ACI L4-L7 Integration

Page 21: Service Manager Mode

•  Freedom to decide the best solution for the data center

•  Promote openness with Open APIs and Integrations

•  Provide multiple ACI operational modes for different use cases:

•  Service Policy Mode (managed mode): full integration with device package

•  Network Policy Mode (unmanaged mode): no device package

•  Service Manager Mode (partially managed mode/hybrid mode): integration with device package and the presence of a service device controller

ACI L4-7 Services & Flexibility

Page 22: Service Manager Mode

L4-L7 Service Automation – Support for All Devices

Any Device and Cluster Manager Support

L4-7 Services

ACI Services Graph

L4-7 Service Automation

Full L4-L7 Centralized Service Automation (With Device Package)

Large Ecosystem and Investment Protection

L4- L7 Device Package

Service Policy Mode

No Device Package

Service Cluster Manager

Centralized Network Automation (With NO Device Package)

Support for L4-L7 Cluster Managers

Network Policy Mode

Full L4-L7 Automation with Operational Flexibility

(With Device Package)

Large Ecosystem and Investment Protection

L4- L7 Device Package

Service Cluster Manager

Service Manager Mode

Page 23: Service Manager Mode

•  L4-L7 services managed through APIC & service device controller

•  Full L2-L3 network configuration and automation of service devices through APIC

•  Nuanced L4-L7 feature configuration through a specialized service device controller

•  Different flavors of device package and deployments:

•  Allows DP developer to customize & manage subset of L4-L7 features through APIC

•  Allows you to preserve your administrative boundaries

•  Allows L4-7 analytics by native manager

•  Enhances security features/devices, WAF, IPS, IDS, etc...

•  Target Customers: Customers who want to automate the network and maintain customization of service device policies without depending on potential DP limitation

Value Proposition for Service Manager Mode

Page 24: Service Manager Mode
Page 25: Service Manager Mode

Traditional Network Service Insertion Challenges

Configure Router to steer traffic to/from Load Balancer

Configure Network to insert Firewall

Configure firewall rules as required by the application

Configure vFW to protect Virtualized App Tier

Configure Load Balancer as required by the application

Configure Switches for L2 connectivity

Service insertion takes days

Network configuration is time consuming and error prone

Difficult to track configuration on services

Service Insertion In traditional Networks

vFW

LB

FW

Router

Router

Switch

User

Page 26: Service Manager Mode

F5 BIG-IP

Virtual Edition Appliance Chassis

Building blocks of ACI

Application Centric Infrastructure Building Blocks

CONTROLLER POLICY MODEL NEXUS 9300 AND 9500

APPLICATION NETWORK PROFILE

Traditional 3-Tier Application

FW ADC WEB ACC APP DB

Policy Model Extended to L4-L7

•  Application → 3 tier application (WEB-APP-DB) → This may use ADC, FW services

•  End point Group (EPG) → Grouping of application Components

•  Policy model → Define QOS, Security, Network, L4-L7 etc. to be applied to EPG

Page 27: Service Manager Mode

Moving ADC parameters from vendor device to ACI is not the solution!

Page 28: Service Manager Mode

Dynamic Device Package for ACI L4-L7 Service Insertion

•  True alignment in Cisco ACI vision, where application requirements are built into ACI L4-L7 service functions

•  Using F5 iWorkflow and iApps technologies, administrators can customize L4-L7 parameters exposed into ACI

•  ACI L4-L7 service insertion benefits: dynamic VLAN management, automatic traffic redirection, dynamic endpoints attach/detach

•  Highly programmable solution that focuses on workflow automation and orchestration

iWorkflow iApps

Page 29: Service Manager Mode
Page 30: Service Manager Mode

ACI Fabric BIG-IP

EPG mode – NOT using service graph

OPTION A1

Virtual Edition Appliance Chassis

BIG-IP

Service Insertion using F5 Static device package

OPTION B

Unmanaged mode – USING service graph

OPTION A2

BIG-IP NOT managed by APIC

Service Insertion using F5 iWorkflow Dynamic device package

OPTION C

iWorkflow

*-F5 direction for Cisco ACI L4-L7 Service Insertion

Page 31: Service Manager Mode
Page 32: Service Manager Mode

ACI Fabric BIG-IP

EPG mode – NOT using service graph

OPTION A1

Virtual Edition Appliance Chassis

BIG-IP

Service Insertion using F5 Static device package

OPTION B

Unmanaged mode – USING service graph

OPTION A2

BIG-IP NOT managed by APIC

Service Insertion using F5 iWorkflow Dynamic device package

OPTION C

iWorkflow

EPG/Unmanaged Mode (Option A1 and A2)

•  Define connectivity to ACI Fabric

•  No Service Insertion

•  No device package

•  BIG-IP device is not provisioned/managed through APIC

Page 33: Service Manager Mode

What am I missing out on by not using ACI service insertion?

•  ACI deployment in phases, L4-L7 integration at later time

•  Attach F5 BIG-IP as you do today, continue with existing model

•  No feature parity

•  ACI goes into production tomorrow, just thought of L4-L7 today

•  L4-L7 Automation and Orchestration: agility and consistency

•  Automatic service chaining and VLAN management

•  Dynamic endpoints attach and detach

•  End-to-end L2-L7 application requirements built into ACI policy

•  Not taking full advantage of SDN programmability potential

•  Business as usual: highly complex and error prone

Page 34: Service Manager Mode
Page 35: Service Manager Mode

© F5 Networks, Inc 35

vCMP HA – Chassis Manager iWorkflow HA – Device Manager

vCMP Host 1 vCMP Host 2

HA between vCMP Guests

vCMP Guests vCMP Guests

Active Standby

Active Active

iWorkflow iWorkflow iWorkflow

Active

MGMT

Page 36: Service Manager Mode

ATTACH NOTIFY

EPG (APIC)

BIG-IP Pool ADDED

Device Package

ATTACH MEMBER

ACI

End Point Group (EPG)

End Point – Belongs to an EPG

BIG-IP

Pool

Node – Member of Pool

Same process followed for deleting an endpoint from the EPG -> Detach notification

EndPoint

Page 37: Service Manager Mode

TRUE

Client EPG

App EPG 1 Virtual

Server 1

APIC partition: apic7890

Route Domain N

Virtual Server 2

App EPG 2

Tenant N

Client EPG

App EPG 1 Virtual

Server 1

APIC partition: apic2345

Route Domain B

Virtual Server 2

App EPG 2 App EPG 1

Virtual Server 1

APIC partition: apic1234

Route Domain A

Virtual Server 2 App EPG 2

Tenant B

Tenant A

Single BIG-IP physical

Client EPG

Page 38: Service Manager Mode

ACI Fabric Virtual Edition Appliance Chassis

Dynamic Device Package

1.  Import iApps template into BIG-IP

2.  BIG-IP exposes iApps to iWorkflow during device discovery by iWorkflow

3.  In iWorkflow Cloud Catalog, Admin creates application template based on iApps

4.  iWorkflow creates custom device package based on Catalog

5.  Admin imports BIG-IQ device package to APIC

6.  When graph is deployed, APIC sends iApps config to iWorkflow, iWorkflow deploys iApps virtual server on BIG-IP

F5 Synthesis Fabric

Dynamic Device Package

F5 iApps Config

{'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {(5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'}, (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'

Page 39: Service Manager Mode

True Application Centric Approach aligned with Cisco ACI Vision

F5 iWorkflow can templatize F5 Virtual Server configuration using iApps, based on application-specific requirements

F5 Virtual Server Template is shown in ACI as L4-L7 Service Function; only Tenant Editable parameters are exposed in ACI

Full-featured F5 Virtual Server is deployed on BIG-IP through ACI by iWorkflow, based on application-specific requirements

Custom Default

Tenant Editable

F5 Default

F5 iWorkflow focuses on Workflow Automation in Application Deployment

iWorkflow Cisco ACI F5 BIG-IP

Page 40: Service Manager Mode

Configure customized catalog

•  Virtual Server address: Tenant editable ‘True’

•  Virtual server port: 443

•  Client SSL certificates

The iApp will create two virtual servers

•  VS1 listening on port 80: http profile and redirect iRule("_sys_https_redirect") assigned

•  VS2 listening on port 443: http profile, client SSL offload profile, pool assigned

•  Request to port 80 will be redirected to port 443

Deploy a graph using APIC

•  Only tenant editable parameters visible in APIC (Virtual Server address and SSL certs – no Port)
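The tenant-editable boundary described on this slide, as an added example that is not part of the original deck and is not F5 or Cisco code: a check that walks a configuration dictionary in the shape of the slide 38 fragment and flags any parameter the catalog does not let a tenant set. The catalog contents, the sample values and the key names `DestinationIPAddress` and `ClientSSLCertificate` are assumptions.

```python
# Added example; key names not quoted on slide 38 are hypothetical.
# Catalog modelled on slide 40: address and client SSL certificate are tenant
# editable, the port is fixed at 443 by the catalog owner.
CATALOG = {
    "DestinationIPAddress": {"tenant_editable": True},   # hypothetical key name
    "ClientSSLCertificate": {"tenant_editable": True},   # hypothetical key name
    "DestinationPort": {"tenant_editable": False, "default": "443"},
}

def leaf(value):
    """Wrap a value in the per-node envelope seen in the slide 38 fragment."""
    return {"state": 1, "transaction": 0, "ackedState": 0, "value": value}

# Constructed sample in the slide 38 shape: tuple keys, each node enveloped.
SAMPLE = leaf({
    (5, "DestinationIPAddress", "addr1"): leaf("192.0.2.10"),
    (5, "DestinationPort", "port1"): leaf("80"),
})

def iter_params(node):
    """Yield (key, instance_name, value) for every non-dict leaf, at any depth."""
    children = node.get("value")
    if not isinstance(children, dict):
        return
    for ident, child in children.items():
        if isinstance(child.get("value"), dict):
            yield from iter_params(child)          # nested container
        else:
            yield ident[1], ident[-1], child.get("value")

def check_tenant_config(config, catalog=CATALOG):
    """Return (resolved, violations): catalog defaults plus accepted tenant
    values, and every parameter the tenant was not allowed to send."""
    resolved = {k: r["default"] for k, r in catalog.items() if "default" in r}
    violations = []
    for key, name, value in iter_params(config):
        rule = catalog.get(key)
        if rule is None:
            violations.append((key, name, "not in catalog"))
        elif not rule["tenant_editable"]:
            violations.append((key, name, "fixed by catalog"))
        else:
            resolved[key] = value
    return resolved, violations

if __name__ == "__main__":
    print(check_tenant_config(SAMPLE))
```

A non-empty violations list means the pushed configuration tried to set something outside the tenant-editable subset, which is the condition to reject or alert on before the configuration reaches the service device.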

Page 41: Service Manager Mode

Check out the demo video on the F5 Cisco Alliance YouTube Channel: https://www.youtube.com/channel/UCMVCViZleXSquHTQkqwg04Q

Page 42: Service Manager Mode