Since the FCS of F5 device package for Cisco APIC last month, we have seen a lot of interest and excitement from customers and the field alike, to understand how the combined open ecosystem value between Cisco ACI and F5 BIG-IP gets enabled. One of the critical components from F5 for this solution is F5 device package, which serves abstracting the L4-L7 service device in a way to allow the Cisco APIC to automate and provision a network service that attaches to the ACI fabric.

As described in a previous article Accelerate and automate your application deployments with Cisco ACI and F5, traditional network service insertion imposes challenges with L4-L7 service device configuration, which is time-consuming, error prone and very difficult to track and how F5 and Cisco ACI addresses those challenges through service automation.

The concept of Service graph

In addition to network service device configuration, deployments come with the need for subjecting traffic to flow through a sequence of L4-L7 service instances depending on the policies configured. In other words, there is also a need for representing this sequence or chain of L4-L7 service functions for easier service provisioning.

Cisco APIC provides the user with the ability to define a service graph with a chain of service functions such as Web application Firewall (WAF), Load balancer or network firewall including the sequence with which the service functions need to be applied. The graph defines these functions based on a user-defined policy for a particular application. One or more service appliances might be needed to render the services required by the service graph.

Device Package

Cisco APIC offers a centralized touch point for configuration management and automation of L4-L7 services, while the F5 device package makes that possible so APIC can interface with the service appliances (Physical or virtual) using southbound APIs. For example, in order to allow configuration of L4-L7 services on BIG-IP by Cisco APIC, the F5 device package would need to contain the XML schema of the F5 device model which defines parameters such as software version, SSL termination, Layer 4 SLB, network connectivity details, etc. It also includes a python script that maps APIC events to function calls for F5 BIG-IP LTM.

Nuts and bolts of a Device Package

The F5 device package – which is engineered to define, configure and monitor BIG-IP - allows customers to add, modify, remove, and monitor any F5 BIG-IP LTM services using Cisco APIC.

A device package is a zip file containing two important files:

• Device Specification
• Device Script

Device Specification

The Device specification is an XML file that provides a hierarchical description of the device, including the configuration of each function, and is mapped to a set of managed objects on the APIC. The Device specification defines the following:

• Model: Model of the device - (BIG-IP LTM)
• Vendor: Vendor of the device - (F5)
• Version: Software version of the device - (1.0.1)
• Functions provided by a device, such as L4-7 load balancing, Microsoft Sharepoint, and SSL termination
• Device configuration parameters
• Interfaces and network connectivity information for each function
• Configuration parameters for each function

Device Script

The Device script, written in Python, manages communication between the APIC and the F5 device. It defines the mapping between Cisco APIC events and the function calls representing F5 device interactions, and converts a generic API to F5 device-specific calls. This is where the device script written in Python comes into picture. When a tenant admin uploads a device package to APIC, the APIC creates a hierarchy of managed objects representing the device and validates the device script.

Device Package integration workflow with Cisco APIC

In order to manage BIG-IP LTM service node through APIC, the tenant administrator must explicitly register the BIG-IP LTM. Device registration occurs when admin adds a new device to the network; the registration process informs the APIC of the device type, management, interfaces, and credentials so that the APIC can add the device to the fabric.

Fig.1 shows the high level workflow

Figure 1 – Device Package integration Workflow

• The tenant admin uploads the F5 device package to Cisco APIC using northbound APIs or the APIC user interface.
• The package upload operation installs the F5 device package in the Cisco APIC repository or managed object data model
• Tenant admin must also define the out-of-band management connectivity of BIG-IP LTM along with credentials.
• If the network needs traffic steering through F5 BIG-IP, the tenant administrator configures the service graph under the Layer 4-7 profile for tenant and adds service functions predefined in the F5 device package using device modification and service modification python function calls.
• The device package sends iControl calls (southbound integration) to configure required service graph parameters on F5 BIG-IP LTM using management connectivity established prior to uploading the device package

F5 BIG-IP LTM Device Package Version 1.0.1

Below is a list of key functionalities and attributes of the F5 BIG-IP LTM device package version 1.0.1

• Supports any BIG-IP LTM physical and virtual form factor running version 11.4.1 and above.
• Does not require any new module installation on the F5 BIG-IP LTM
• BIG-IQ integration with BIG-IP can co-exist with APIC – BIG-IP integration
• iRules (both F5 verified and custom defined) that resides in common partition can be referenced by Cisco APIC
• BIG-IP is licensed and OOB management configured prior to APIC integration
• Supports Active / Standby High Availability model
• Supports Multi-tenancy where every APIC tenant is represented by separate BIG-IP partition prefixed with “apic_paritition_number”
• L3/VRF separation through route domains in each BIG-IP partition
• Virtual server configuration (including but not limited to) pools, Self IPs, interfaces, VLANs, VIPs, algorithms etc are configured through Cisco APIC using service graph
• BIG-IP LTM-VE is integrated through Virtual infrastructure where vNIC placement is automated through Cisco APIC

The F5 Device Package for Cisco Application Policy Infrastructure Controller ™ (APIC) is now available. To download at no cost, please go to https://downloads.f5.com/esd/productlines.jsp

Further Resources:

F5 and Cisco ACI Solution Blog on Dev central https://devcentral.f5.com/s/articles/accelerate-and-automate-your-application-deployments-with-cisco...

Cisco Alliance page - https://f5.com/partners/product-technology-alliances/cisco

Cisco page on DevCentral - https://devcentral.f5.com/s/cisco

Cisco Blog on Device Package – http://blogs.cisco.com/datacenter/f5-device-package-for-cisco-apic-goes-fcs/

Technical Solution White paper -http://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric...

Device Package integration demo - https://www.youtube.com/watch?v=5Nw2vtid7Zs