Post on 09-Mar-2015
© 2009 Cisco. Confidential. 1
Yann Bouillon
DC Technical Marketing Engineer
Virtual Switching with Nexus 1000V
© 2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2
Server Virtualization Issues
1. vMotion moves VMs across physical ports—the network policy must follow vMotion
2. Must view or apply network/security policy to locally switched traffic
3. Need to maintain segregation of duties while ensuring non-disruptive operations
[Diagram: one PortGroup shared by the Server Admin, the Network Admin and the Security Admin]
Cisco Nexus 1000V
[Diagram: vSphere host running the Nexus 1000V with four VMs]
Industry’s most advanced software switch for VMware vSphere
Built on Cisco NX-OS
Compatible with all switches
Compatible with all servers on the VMware Hardware Compatibility List
Winner of VMworld Best in Show 2008 and Cisco Most Innovative Product of 2009
Nexus 1000V Architecture
[Diagram: VSM-1 and VSM-2, communicating with the VEMs in L2 or L3 mode, control VEM-1, VEM-2 … VEM-N on ESX hosts; shown beside a modular switch in which Supervisor-1 and Supervisor-2 control Linecard-1, Linecard-2 … Linecard-N over a backplane; the VSMs run as virtual appliances on a Nexus 1010 (VSM-A1 … VSM-A4, VSM-B1 … VSM-B4)]
VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
• 200+ vEth ports per VEM
• 64 VEMs per 1000V
• 2K vEths per 1000V
• Multiple 1000Vs can be created per vCenter
Embedding Intelligence for Virtual Services: vPath – Virtual Service Datapath
[Diagram: VEM-1 and VEM-2 on ESX hosts, each carrying vPath, connected in L2 or L3 mode to VSM-1 … VSM-4, vWAAS and VSG hosted on a Nexus 1010 virtual appliance]
vPath: Virtual Service Datapath
VSG: Virtual Security Gateway for 1000V
vWAAS: Virtual WAAS
Nexus 1010 – hosting platform for services
[Diagram: VEM-1 and VEM-2 with vPath on ESX hosts, connected in L2 or L3 mode to the Nexus 1010 virtual appliance hosting NAM, VSG*, vWAAS and VSM-1 … VSM-4]
*VSG on 1010 target: 2Q CY11
Why 1000V? Nexus 1000V Differentiators
Feature & operational consistency: NX-OS across physical and virtual networks (Nexus 7K/5K/2K/1KV); Cisco CLI experience; standards based, IEEE 802.1Q
Advanced NX-OS switching features: Security, QoS, Monitoring, Management, …
Non-disruptive administration: Network team manages the virtual network and creates port profiles; Server team assigns port profiles to VMs
Intelligent integration with virtual services (vPath): Transparent insertion (topology agnostic); Efficient deployment – no need to deploy on every host; Dynamic policy-based operation; Performance acceleration
[Diagram: vSphere host with four VMs attached to a Nexus 1000V VEM, controlled by the Nexus 1000V VSM]
Cisco Nexus 1000V: Policy-Based VM Connectivity
[Diagram: the Nexus 1000V VSM and vCenter push Port Profiles (WEB Apps, HR, DB, DMZ) to the Nexus 1000V VEMs on two vSphere hosts and their VMs]
VM Connection Policy
• Defined by network Admin
• Applied in Virtual Center
• Linked to VM UUID
Faster VM Deployment
Cisco VN-Link: Virtual Network Link – Policy-Based VM Connectivity; Mobility of Network & Security Properties; Non-Disruptive Operational Model
Cisco Nexus 1000V: Mobility of Network & Security Properties
[Diagram: a VM moving between two vSphere hosts, each running a Nexus 1000V VEM, under the same Nexus 1000V VSM and vCenter]
Property Mobility
• VMotion for the network
• Ensures VM security
• Maintains connection state
VMs Need to Move
• VMotion
• DRS
• SW Upgrade/Patch
• Hardware Failure
Richer Network Services
Cisco VN-Link: Virtual Network Link – Policy-Based VM Connectivity; Mobility of Network & Security Properties; Non-Disruptive Operational Model
Cisco Nexus 1000V: Non-Disruptive Operational Model
[Diagram: Nexus 1000V VSM and vCenter managing Nexus 1000V VEMs on two vSphere hosts and their VMs]
Network Admin Benefits
• Unifies network mgmt and ops
• Improves operational security
• Enhances VM network features
• Ensures policy persistence
• Enables VM-level visibility
VI Admin Benefits
• Maintains existing VM mgmt
• Reduces deployment time
• Improves scalability
• Reduces operational workload
• Enables VM-level visibility
Increased Operational Efficiency
Cisco VN-Link: Virtual Network Link – Policy-Based VM Connectivity; Mobility of Network & Security Properties; Non-Disruptive Operational Model
Advanced Features of the Nexus 1000V
Switching: L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX); IGMP Snooping, QoS Marking (COS & DSCP), Class-based WFQ
Security: Policy Mobility, Private VLANs w/ local PVLAN Enforcement; Access Control Lists (L2–4 w/ Redirect), Port Security; Dynamic ARP Inspection, IP Source Guard, DHCP Snooping
Provisioning: Automated vSwitch Config, Port Profiles, Virtual Center Integration; Optimized NIC Teaming with Virtual Port Channel – Host Mode
Visibility: VMotion Tracking, NetFlow v.9 w/ NDE, CDP v.2; VM-Level Interface Statistics; SPAN & ERSPAN (policy-based)
Management: Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks; Cisco CLI, RADIUS, TACACS, Syslog, SNMP (v.1, 2, 3); Hitless upgrade, SW Installer
Network Services: Virtual Services Datapath (vPath) support for traffic steering & fast-path off-load [leveraged by Virtual Security Gateway (VSG) and vWAAS]
Nexus 1000V in Cisco Validated Solutions
Cisco’s network-centric virtualized data center is best positioned to enable the journey to the networked cloud
Vblocks – Imagine: 30 racks reduced down to 3 racks; provisioning applications in hours instead of weeks
Secure Multi-tenancy – Imagine: securely sharing servers between multiple users/groups without having to add another server
Flexpod – Imagine: predesigned, validated, flexible infrastructure that can grow and scale to meet cloud computing requirements
Virtual Desktop – Imagine: over 4000 desktops in a single rack! Savings up to 60+% per PC per year; significant savings in operations
[Diagram: each of the four solutions built on the Nexus 1000V]
Flexible Deployment Options
All servers on VMware Compatibility List
All switches, including all Cisco switches
1G & 10G NICs
Collaborative Deployment Model: Deploying the Nexus 1000V
1. VMW vCenter & Cisco Nexus 1000V relationship established
2. Network Admin configures Nexus 1000V to support new ESX hosts
3. Server Admin plugs new ESX host into network & adds host to Cisco switch in vCenter
4. Repeat step three to add another host and extend the switch configuration
[Diagram: Nexus 1000V VSM and vCenter with two vSphere hosts each running a Nexus 1000V VEM, steps 1 to 4 marked]
Enabling Policy: Policy Based VM Connectivity
1. Nexus 1000V automatically enables port groups in VMware vCenter
2. Server Admin uses vCenter to assign vnic policy from available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on
Defined Policies: WEB Apps, HR, DB, DMZ
Example, WEB Apps: PVLAN 108, Isolated; Security Policy = Port 80 and 443; Rate Limit = 100 Mbps; QoS Priority = Medium; Remote Port Mirror = Yes
[Diagram: Nexus 1000V VSM, vCenter and a vSphere host running the VEM with four VMs, steps 1 to 3 marked]
Port Profile: Network Admin View
n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
Supported commands include: Port management, VLAN, PVLAN, Port-channel, ACL, Netflow, Port Security, QoS
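As an added example (not from the deck), a Python audit that parses show port-profile output in the format shown above and flags enabled profiles with assigned vEths whose effective attributes carry neither a port ACL nor port security. The sample embeds the slide's WebProfile and a DMZProfile constructed for the example; the audit reads the evaluated attributes because those include anything inherited from a parent profile.

```python
# Constructed sample: the slide's WebProfile output plus a DMZProfile (invented here) that carries a port ACL.
SAMPLE = """\
port-profile WebProfile
  status: enabled
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
port-profile DMZProfile
  status: enabled
  config attributes:
    switchport access vlan 108
    ip port access-group deny-vm-traffic-to-ftp-server in
  assigned interfaces:
    Veth11
"""
SECTION = {"config attributes:": "config", "evaluated config attributes:": "evaluated", "assigned interfaces:": "interfaces"}
def parse_port_profiles(text):
    """Parse 'show port-profile' output into {name: {status, config, evaluated, interfaces}}."""
    profiles, cur, sect = {}, None, None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("port-profile "):
            cur = profiles.setdefault(line.split(None, 1)[1], {"status": "", "config": [], "evaluated": [], "interfaces": []})
            sect = None
        elif line in SECTION:
            sect = SECTION[line]
        elif ":" in line:                      # profile-level "key: value" line (status, port-group, ...)
            key, _, value = line.partition(":")
            sect = None
            if key == "status": cur["status"] = value.strip()
        elif sect:
            cur[sect].append(line)             # attribute or interface line under the current section
    return profiles

def audit(profiles):
    """Enabled profiles with assigned vEths whose effective config has neither a port ACL nor port security."""
    findings = []
    for name, p in profiles.items():
        effective = p["evaluated"] or p["config"]   # evaluated attributes include inherited ones
        guarded = any(a.startswith(("ip port access-group", "switchport port-security")) for a in effective)
        if p["status"] == "enabled" and p["interfaces"] and not guarded:
            findings.append((name, p["interfaces"]))
    return findings
```

Run against the sample, audit() reports WebProfile (Veth10) and stays silent on DMZProfile, whose ACL counts as a guard.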
Nexus 1010: VSM on an Appliance
[Diagram: VSM on a Virtual Machine (one Nexus 1000V VSM on a vSphere server beside the VEM and VMs) versus VSM on a Cisco Nexus 1010 appliance hosting four VSMs, with the vSphere servers running only the VEM]
Feature Comparison
VSM on Virtual Machine: Nexus 1000V features and scalability; VEM running on vSphere 4 Enterprise Plus; NX-OS high availability of VSM
VSM on Nexus 1010: Nexus 1000V features and scalability; VEM running on vSphere 4 Enterprise Plus; NX-OS high availability of VSM; installation like a standard Cisco switch; Network Team manages the switch hardware
NAM Virtual Blade on Nexus 1010: Optimize Application Performance and Network Resources
Application Performance Monitoring
Traffic Analysis and Reporting: Applications, Host, Conversations, VLAN, QoS, etc.; per-application, per-user traffic analysis
View VM-level Interface Statistics
Packet Capture and Decodes
Historical Reporting and Trending
[Diagram: ERSPAN and NetFlow from the Nexus 1000V VEM on vSphere, under the Nexus 1000V VSM and vCenter, to the NAM Virtual Blade on Nexus 1010]
New in Nexus 1000V Version 4.2(1)SV1(4)
Cisco vPath
Class-Based Weighted Fair Queuing
LACP Offload to VEM
Network State Tracking
Policy Based ERSPAN
Restricting Port Profile Visibility in vCenter Server
Increased Scalability
Other Features
Cisco vPath
Integrated into the Virtual Ethernet Module, with intelligent traffic steering, decision caching and performance acceleration
Integrated policy with Port Profile and Security Profile
Supports Virtual Service Nodes for virtual network services: Virtual Security Gateway, Virtual WAAS
[Diagram: vPath inside the Nexus 1000V VEM]
Class-Based Weighted Fair Queuing on Nexus 1000V
Provide bandwidth guarantee for up to 64 total queues on uplinks
User defined queues
8 predefined traffic classes for VMware and N1KV protocol traffic
Queuing configured via MQC
[Diagram: example uplink bandwidth shares of 20%, 30%, 15%, 5%, 15% and 15% across the queues vMotion, VM_Platinum, VM_Gold, Default, ESX_Mgmt and N1K_Control/N1K_Packet, fed by VM and VMK NIC traffic]
Class-Based Weighted Fair Queuing on Nexus 1000V
Configure up to 56 custom queuing classes of VM, vApp data and other traffic
Each queue can have a queue limit (# of packets)
Queuing is done per physical uplink outbound
8 predefined protocol classes: vMotion, FT-Logging, iSCSI, NFS, ESX Management, N1K Control, N1K Packet, N1K Management
LACP Offload to VEM
LACP is traditionally a control plane protocol run on the supervisor of a switch (the VSM on N1KV)
When the VSM is down or disconnected, the VEM operates in headless mode, without the ability to perform LACP control plane operations
LACP cannot be run on a single link between a VEM and the upstream network
LACP Offload solves this problem by offloading all LACP operations to the VEM
Makes the data plane more robust and helps in FCoE deployments where the VSM is behind the VEM
[Diagram: Nexus 1000V VSM (control plane) above the Nexus 1000V VEM (data plane), with LACP PDUs handled at the VEM]
Network State Tracking
Detect upstream Layer 2 network connectivity failure
Automatically fail over to surviving connections for vPC Host Mode port channel
Makes use of Network Tracking packet to probe interfaces on other Sub-Groups
[Diagram: VMs behind uplinks in Sub-Group 0 and Sub-Group 1 toward the data center network, probes exchanged between MAC A and MAC B]
Increase DMZ Visibility with ERSPAN
ERSPAN allows VM traffic to be mirrored to a traffic analyzer
Mirrored traffic can traverse a Layer 3 network
Visibility through centralized L4-7 services: Firewall, Intrusion Detection System
[Diagram: port mirroring from the VMs to the intrusion detection system and firewall]
Policy Based ERSPAN
ERSPAN all interfaces with the same policy
Troubleshoot applications in the cloud
[Diagram: VMs across the Nexus 1000V Distributed Virtual Switch mirrored to an intrusion detection system]
Restricting Port Profile Visibility in vCenter Server
Based on vCenter Server users and user groups, Port Profiles can be configured to restrict access
Prevents server administrators from seeing a large list of Port Groups
Restricts access to sensitive Port Profiles to only privileged administrators
Must define access on vCenter
Must enable the new feature on the VSM: feature port-profile-role
Configure and assign visibility. Example:
  port-profile-role adminUser
    description adminOnly
    user jsmith
  port-profile allaccess2
    assign port-profile-role adminUser
Increased Scalability
64 VEMs per VSM
2048 Active VLANs per VSM
2048 vEths per VSM
2048 Port-Profiles per VSM
4K MAC Addresses per VLAN
16K MAC Address Table per VEM
Other Features
Updated Installer: installs L2 or L3 communications between VSM and VEM; configures active/standby VSM for HA
Access Control List on the VSM management interface
Ephemeral Port Binding: Port ID is set and released upon VM power on/off; supports virtual desktop deployments
Hardware iSCSI Multipathing: leverages NIC-based iSCSI multipathing
Virtualizing the DMZ: Mapping the Roles and Responsibilities
Separation of duties for virtualization, security, and network administrators
Implement existing policies and procedures
Identical tools for physical network: Minimize miscommunication
(Illustrated by the show port-profile name WebProfile output shown earlier under Port Profile: Network Admin View)
DMZ with Virtual and Physical Servers: Maintaining Isolation and Protection with Private VLAN
[Diagram: two vSphere hosts with Nexus 1000V VEMs under one Nexus 1000V VSM, their VMs placed in a Private VLAN community]
Identical tools for physical and virtual machine network: Minimize miscommunication
Less time for accurate configuration where mistakes are costly
Virtualize the DMZ
Restrict production VM access to sensitive parts of data center
Segregate Traffic To/From Web Server
Protect Management Traffic
Protect Servers
Access Control List
[Diagram: vSphere host with the VMKernel, an FTP VM and a WWW VM, the access control list applied in the Nexus 1000V]
  dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
  dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
  dcvsm(config-acl)# permit ip any any
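An added example, not part of the deck: a small Python evaluator for NX-OS ACEs in the form used above, which makes the match direction explicit. In NX-OS syntax the eq after the source address tests the source port, so the slide's entry matches packets sourced from 10.10.10.10 port 21 (the FTP server's own control-channel replies), while the constructed second list puts the port test on the destination and matches client connections toward port 21; which form fits depends on the interface and direction the ACL is attached to. The client address 192.0.2.50 and the port keyword table are constructed for the example.

```python
import ipaddress

PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "https": 443}   # NX-OS port keywords used in this example

def _take_endpoint(tokens):
    """Consume 'any' | 'host A.B.C.D' | 'A.B.C.D/len', then an optional 'eq PORT', from the token list."""
    word = tokens.pop(0)
    if word == "any":
        net = ipaddress.ip_network("0.0.0.0/0")
    elif word == "host":
        net = ipaddress.ip_network(tokens.pop(0) + "/32")
    else:
        net = ipaddress.ip_network(word, strict=False)
    port = None
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        port = PORT_NAMES.get(name) or int(name)
    return net, port

def parse_ace(line):
    """Parse one NX-OS ACE of the form '{permit|deny} {ip|tcp|udp} SRC [eq P] DST [eq P]'."""
    tokens = line.split()
    action, proto, rest = tokens[0], tokens[1], tokens[2:]
    src, sport = _take_endpoint(rest)      # an 'eq' after the source address tests the SOURCE port
    dst, dport = _take_endpoint(rest)      # an 'eq' after the destination address tests the DESTINATION port
    return {"action": action, "proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}

def evaluate(acl, proto, src, sport, dst, dport):
    """First-match evaluation of a flow against an ACE list; an NX-OS ACL ends with an implicit deny."""
    for ace in acl:
        if ace["proto"] not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ace["src"] or ipaddress.ip_address(dst) not in ace["dst"]:
            continue
        if ace["sport"] not in (None, sport) or ace["dport"] not in (None, dport):
            continue
        return ace["action"]
    return "deny"

# The ACL from the slide, as its two ACEs.
DENY_VM_TRAFFIC_TO_FTP_SERVER = [parse_ace("deny tcp host 10.10.10.10 eq ftp any"),
                                 parse_ace("permit ip any any")]
# Constructed variant with the port test on the destination side.
DENY_TO_FTP_PORT = [parse_ace("deny tcp any host 10.10.10.10 eq ftp"),
                    parse_ace("permit ip any any")]

if __name__ == "__main__":
    # Server-sourced control-channel packet (10.10.10.10:21 -> client) vs. client SYN toward the server's port 21
    print(evaluate(DENY_VM_TRAFFIC_TO_FTP_SERVER, "tcp", "10.10.10.10", 21, "192.0.2.50", 40000))  # deny
    print(evaluate(DENY_VM_TRAFFIC_TO_FTP_SERVER, "tcp", "192.0.2.50", 40000, "10.10.10.10", 21))  # permit
```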
Increase DMZ Visibility with NetFlow
NetFlow allows network statistics to be exported
Anomaly detection across virtual and physical servers
Distributed network application monitoring for both physical and virtual applications
Network planning: assists with growth and scaling of the data center
[Diagram: network statistics exported from the VMs on a vSphere host to a network analysis system]
Recommendations for Securing Virtualized DMZ*
1. Consistent security in physical and virtual environment
2. Secure the hypervisor using VMware recommendations
3. Limit VMs with different security affinities on same server
4. Limit connectivity of the Service Console and VMKernel
5. Secure VM-to-VM traffic flows
6. Use monitoring tools to increase visibility of VM traffic
7. Document virtual and physical network connections
8. Clear separation of roles and responsibilities
9. Enforce clearly defined change management controls
10. Perform ongoing auditing and monitoring
Nexus 1000V Secures Virtualized DMZ
*http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/dmz_virtualization_vsphere4_nexus1000V.pdf
Summary
Version 4.2(1)SV1(4) provides updated Nexus 1000V capabilities
Virtualized network services with Cisco vPath
Numerous features preparing for cloud deployment
Enhanced scalability and stability
Are you ready for the cloud?