Service Manager Mode
Transcript of Service Manager Mode
4 © 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
ACI Solution Overview
Customer Acceptance Continues: $2.2B Run Rate for Cisco SDN Solutions
13,700+ Nexus 9K and Nexus 3K customers globally; 50+ ecosystem partners (new ecosystem); 7,200+ ACI-ready customers
Applications Are Changing
Type: Big Data, Distributed Apps, Mobile
Consumption: Cloud (public, private, hybrid)
Delivery: Anywhere, Anytime, Any Device
78%: The network is even more critical to delivering applications than a year ago*
* Cisco Global IT Impact Survey
Insieme Networks Vision
Foundation of ACI or Nexus 9000 (figure: Orchestration/Automation; SW Overlay; Apps; Hypervisor and/or Container; Bare Metal; ACI)
ACI: Automation and Programmability; Centralized Provisioning and Visibility; Simplification / Abstraction; App Agility
Different Teams–Different Languages
Application Language: Security – SLA – Dependency – Performance – Compliance – Tenants – Geo-dependency
Network Language: VLAN – IP Addressing – Subnet – Firewalls – QoS – ACL – Load Balancer
SIM Cards and Application Profiles
SIM Card: identity for a phone
Service Profile (Network Policy, Storage Policy, Compute Policy): identity for compute
Application Profile: identity for the network
Policy-Driven Integrated Infrastructure Answers Customers' Request
1. Modernize Infrastructure: Open and Programmable (Data Center: Network / L4-7, Compute, Storage, Security)
2. Automate and Simplify (Policy)
3. Build Your Hybrid Cloud (Private Cloud Stack, Integrated Infrastructure)
4. Choose any Other Cloud (Managed, Public, Private)
5. Move Data and Workloads Securely
6. Self-Service Portal (IT as a Service)
7. Extend Policy Model
8. Policy Everywhere
9. Security Everywhere
10. Analytics Everywhere
Hybrid Cloud Orchestration
CliQr CloudCenter: Any App, Any Cloud, One Platform (figure: Model, Deploy and Manage an application Profile across Datacenters, Private Clouds and Public Clouds; NFS)
Working Together: End-to-End Orchestration (figure)
Business (ITSM): Prime Service Catalog, ServiceNow; Custom Development (DevOps): CliQr, Jenkins
Application-Centric Lifecycle Management: Model, Benchmark, Deploy, Manage (Application Profiles)
UCS Director, ACI; Nexus Switching, Storage, UCS; Hyper-V
Datacenter, Private Cloud, Public Cloud (Profile)
Cisco Tetration Analytics™
Tetration: Real-Time Analytics
• Long-term Forensics and Auditing
• Application Dependency Mapping
• Automated Whitelist Policy Generation
• Policy Compliance and Auditability
• Policy Simulation and Impact Assessment
• Forensics (example: flow search and flow anomaly)
• Real-time analytics: <= 10 Minute Actionable Insight
• Pervasive Sensors: Network and Host (NX-OS)
Figure: Automate the Migration to ACI or CliQr; App Level Policy Enforcement / Visibility; Self-documenting Network; Real-time Change Notification (Real Time Data, Network Policy, App Policy, Tetration)
Insieme Networks Vision
ACI L4-L7 Integration
§ Freedom to decide the best solution for the data center
§ Promote openness with Open APIs and Integrations
§ Provide multiple ACI operational modes for different use cases:
§ Service Policy Mode (managed mode): full integration with device package
§ Network Policy Mode (unmanaged mode): no device package
§ Service Manager Mode (partially managed mode/hybrid mode): integration with device package and the presence of a service device controller
ACI L4-7 Services & Flexibility
L4-L7 Service Automation – Support for All Devices, Any Device and Cluster Manager Support
Service Policy Mode: L4-L7 Device Package; Full L4-L7 Centralized Service Automation (With Device Package); Large Ecosystem and Investment Protection
Network Policy Mode: No Device Package; Service Cluster Manager; Centralized Network Automation (With NO Device Package); Support for L4-L7 Cluster Managers
Service Manager Mode: L4-L7 Device Package; Service Cluster Manager; Full L4-L7 Automation with Operational Flexibility (With Device Package); Large Ecosystem and Investment Protection
(Figure labels: L4-7 Services, ACI Services Graph, L4-7 Service Automation)
Value Proposition for Service Manager Mode
• L4-L7 services managed through APIC & service device controller
• Full L2-L3 network configuration and automation of service devices through APIC
• Nuanced L4-L7 feature configuration through a specialized service device controller
• Different flavors of device package and deployments:
  • Allows the DP developer to customize & manage a subset of L4-L7 features through APIC
  • Allows you to preserve your administrative boundaries
  • Allows L4-7 analytics by the native manager
  • Enhances security features/devices: WAF, IPS, IDS, etc.
• Target customers: customers who want to automate the network and maintain customization of service device policies without depending on potential DP limitations
Traditional Network Service Insertion Challenges
• Configure Router to steer traffic to/from Load Balancer
• Configure Network to insert Firewall
• Configure firewall rules as required by the application
• Configure vFW to protect Virtualized App Tier
• Configure Load Balancer as required by the application
• Configure Switches for L2 connectivity
Service insertion takes days; network configuration is time consuming and error prone; it is difficult to track configuration on services.
Service Insertion in Traditional Networks (figure: User, Router, Switch, FW, LB, vFW, Router; F5 BIG-IP Virtual Edition, Appliance, Chassis)
Building Blocks of ACI
Application Centric Infrastructure Building Blocks: Controller; Policy Model; Nexus 9300 and 9500; Application Network Profile
Traditional 3-Tier Application (figure): FW, ADC, WEB, ACC, APP, DB
Policy Model Extended to L4-L7
• Application -> 3-tier application (WEB-APP-DB) -> this may use ADC, FW services
• End Point Group (EPG) -> grouping of application components
• Policy model -> define QoS, Security, Network, L4-L7 etc. to be applied to the EPG
Moving ADC parameters from vendor device to ACI is not the solution!
Dynamic Device Package for ACI L4-L7 Service Insertion
• True alignment with the Cisco ACI vision, where application requirements are built into ACI L4-L7 service functions
• Using F5 iWorkflow and iApps technologies, administrators can customize the L4-L7 parameters exposed into ACI
• ACI L4-L7 service insertion benefits: dynamic VLAN management, automatic traffic redirection, dynamic endpoint attach/detach
• Highly programmable solution that focuses on workflow automation and orchestration
Figure: BIG-IP integration options with the ACI Fabric (iWorkflow, iApps; BIG-IP Virtual Edition, Appliance, Chassis)
Option A1: EPG mode – NOT using service graph; BIG-IP NOT managed by APIC
Option A2: Unmanaged mode – USING service graph; BIG-IP NOT managed by APIC
Option B: Service insertion using F5 static device package
Option C: Service insertion using F5 iWorkflow dynamic device package*
* F5 direction for Cisco ACI L4-L7 Service Insertion
EPG/Unmanaged Mode (Option A1 and A2)
• Define connectivity to ACI Fabric
• No service insertion
• No device package
• BIG-IP device is not provisioned/managed through APIC
• ACI deployment in phases, L4-L7 integration at a later time
• Attach F5 BIG-IP as you do today, continue with the existing model
• No feature parity
• ACI goes into production tomorrow, just thought of L4-L7 today
What am I missing out on by not using ACI service insertion?
• L4-L7 automation and orchestration: agility and consistency
• Automatic service chaining and VLAN management
• Dynamic endpoint attach and detach
• End-to-end L2-L7 application requirements built into ACI policy
• Not taking full advantage of SDN programmability potential
• Business as usual: highly complex and error prone
© F5 Networks, Inc 35
vCMP HA – Chassis Manager; iWorkflow HA – Device Manager (figure: vCMP Host 1 and vCMP Host 2 with HA between vCMP Guests, Active/Standby and Active/Active; three iWorkflow instances, Active; MGMT)
Endpoint attach flow (figure): in ACI an End Point belongs to an End Point Group (EPG); on BIG-IP a Node is a member of a Pool. When an endpoint attaches to the EPG, APIC sends ATTACH NOTIFY to the Device Package, which issues ATTACH MEMBER to BIG-IP, and the node is added to the BIG-IP Pool. The same process is followed for deleting an endpoint from the EPG (detach notification).
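The attach/detach flow above, as an added Python simulation that is not part of the Cisco/F5 deck: a stream of APIC endpoint notifications is replayed against an in-memory BIG-IP pool state, with duplicate attaches and unknown detaches handled. The tenant-to-partition mapping, pool naming and IP addresses are assumptions.

```python
# Added example, not from the Cisco/F5 deck: a simulation of the attach/detach
# notification flow the slide describes. APIC notifies the device package that
# an endpoint joined or left an EPG; the device package adds or removes the
# matching node in the BIG-IP pool for that EPG. The tenant-to-partition
# mapping, pool naming and all addresses below are constructed assumptions.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EndpointEvent:
    action: str  # 'attach' or 'detach', as on the slide
    tenant: str  # APIC tenant; each tenant gets its own BIG-IP partition
    epg: str     # EPG the endpoint belongs to
    ip: str      # endpoint address that becomes the pool node


@dataclass
class BigIpState:
    # partition name -> pool name -> set of node addresses
    partitions: dict = field(default_factory=dict)

    def pool(self, partition: str, pool_name: str) -> set:
        return self.partitions.setdefault(partition, {}).setdefault(pool_name, set())


def partition_for(tenant: str) -> str:
    """Hypothetical mapping of an APIC tenant to a BIG-IP partition."""
    return f"apic_{tenant}"


def apply_event(state: BigIpState, ev: EndpointEvent) -> str:
    """Apply one APIC notification; return 'added', 'removed' or 'noop'.
    Duplicate attaches and detaches of unknown nodes are ignored, so
    replaying a notification stream is idempotent."""
    members = state.pool(partition_for(ev.tenant), f"pool_{ev.epg}")
    if ev.action == "attach":
        if ev.ip in members:
            return "noop"
        members.add(ev.ip)
        return "added"
    if ev.action == "detach":
        if ev.ip not in members:
            return "noop"
        members.remove(ev.ip)
        return "removed"
    raise ValueError(f"unknown action {ev.action!r}")


def replay(events) -> tuple:
    """Replay a notification stream; return (final state, per-event outcomes)."""
    state = BigIpState()
    return state, [apply_event(state, ev) for ev in events]
```

Because tenants map to separate partitions, two tenants using the same EPG name end up with separate pools, which is the isolation the multi-tenant slide below relies on.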
Multi-tenant deployment on a single physical BIG-IP (figure): each ACI tenant maps to its own APIC partition and route domain on the BIG-IP, and each App EPG maps to a virtual server.
Tenant A: APIC partition apic1234, Route Domain A; Client EPG; App EPG 1 -> Virtual Server 1; App EPG 2 -> Virtual Server 2
Tenant B: APIC partition apic2345, Route Domain B; Client EPG; App EPG 1 -> Virtual Server 1; App EPG 2 -> Virtual Server 2
Tenant N: APIC partition apic7890, Route Domain N; Client EPG; App EPG 1 -> Virtual Server 1; App EPG 2 -> Virtual Server 2
(ACI Fabric; Dynamic Device Package; BIG-IP Virtual Edition, Appliance, Chassis)
Dynamic Device Package workflow:
1. Import the iApps template into BIG-IP
2. BIG-IP exposes iApps to iWorkflow during device discovery by iWorkflow
3. In the iWorkflow Cloud Catalog, the admin creates an application template based on iApps
4. iWorkflow creates a custom device package based on the Catalog
5. The admin imports the BIG-IQ device package to APIC
6. When the graph is deployed, APIC sends the iApps config to iWorkflow, and iWorkflow deploys the iApps virtual server on BIG-IP
F5 Synthesis Fabric; Dynamic Device Package
F5 iApps Config (excerpt as shown on the slide, truncated):
{'state': 1, 'transaction': 0, 'ackedState': 0, 'value': {(5, 'DestinationNetmask', 'Netmask1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '255.255.255.255'}, (5, 'DestinationPort', 'port1'): {'state': 1, 'transaction': 0, 'ackedState': 0, 'value': '80'
True Application Centric Approach Aligned with the Cisco ACI Vision
• F5 iWorkflow can templatize the F5 Virtual Server configuration using iApps, based on application-specific requirements
• The F5 Virtual Server template is shown in ACI as an L4-L7 service function; only tenant-editable parameters are exposed in ACI
• A full-feature F5 Virtual Server is deployed in BIG-IP through ACI by iWorkflow, based on application-specific requirements
(Figure: parameter classes Custom Default, Tenant Editable, F5 Default)
F5 iWorkflow Focuses on Workflow Automation in Application Deployment
iWorkflow: configure a customized catalog
• Virtual Server address: Tenant editable 'True'
• Virtual server port: 443
• Client SSL certificates
F5 BIG-IP: the iApp will create two virtual servers
• VS1 listening on port 80: http profile and redirect iRule ("_sys_https_redirect") assigned
• VS2 listening on port 443: http profile, client SSL offload profile, pool assigned
• Requests to port 80 will be redirected to port 443
Cisco ACI: deploy a graph using APIC
• Only tenant editable parameters are visible in APIC (Virtual Server address and SSL certs – no Port)
Check out the demo video on the F5 Cisco Alliance YouTube Channel: https://www.youtube.com/channel/UCMVCViZleXSquHTQkqwg04Q