Cisco Data Center 3.0 Update: Virtual Experience Infrastructure

Transcript of session BRKVIR-2002_c1 (49 slides)
© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public

Cloud Computing: Definition and Components

Working definition: IT resources and services that are abstracted from the underlying infrastructure and provided "on demand" and "at scale" in a multitenant and elastic environment.

Gartner's definition: "A style of computing where massively scalable IT-enabled capabilities are delivered 'as a service' to multiple external customers using Internet technologies." (Source: Gartner, "Defining and Describing an Emerging Phenomenon," June 2008.)

Anywhere, Anyone, Any Service

Cloud Computing Model in a Data Center

[Diagram: two approaches side by side.]

Build point solutions (left): separate silos for applications, servers, network and storage, each on its own Ethernet, FC or IP fabric, manually provisioned as project-based vertical solutions.

Build infrastructure offering (right): a virtualized shared resource pool (Cisco UCS, Cisco Nexus, storage) under a virtualization-aware network, provisioned by automation, delivering applications as an IT service; a holistic solution leading to the IT-as-a-Service model.

5 Key Differentiators Improve TCO: 1. Unified Management

• Fewer points of management
• Coordinated, consistent policy control
• Less hardware and software to buy and support

[Diagram: a single domain of management spanning compute, network and storage under UCS Manager (A), versus a legacy stack in which additional central management servers (A1-1/A1-2, A2-1/A2-2, B1, B2, C, D) each cover only part of the system.]

5 Key Differentiators Improve TCO: 2. Service Profiles and Dynamic Provisioning

• Unified management domain: automatic discovery, dynamic provisioning
• Building block for the dynamic data center
• Simplifies management of infrastructure for ESX clusters and datacenters
• One-click configuration of LAN, SAN and firmware parameters
• Same hardware dynamically deployed as different servers; faster deployment and redeployment
• Exposed through an XML API as well as traditional APIs

Example service profile (the profile carries the server's identity, so the network, firmware, OS and application settings follow it to whichever blade it is associated with):

  Service Profile: HR-App1
  Network: HR-VLAN
  Network QoS: High
  MAC: 08:00:69:02:01:FC
  WWN: 5080020000075740
  BIOS: Version 1.03
  Boot Order: SAN, LAN

5 Key Differentiators Improve TCO: 2. Service Profiles and Dynamic Provisioning (continued)

• Buy fewer spares

[Diagram: two blade inventories for the same three workloads (web servers, Oracle RAC, VMware).]

Without service profiles (18 servers total): silos are individually provisioned for peak demand and for failures, so each silo carries its own HA spare and burst-capacity blades; spare idle servers require application-specific hardware and firmware image configurations.

With service profiles (14 servers total): abstracted resources are configured and provisioned as needed, so a single pool of hot-spare and burst-capacity blades serves every silo, and availability and burst capacity are delivered with fewer spares.

5 Key Differentiators Improve TCO: 3. Extended Memory Technology

• Fewer CPUs and servers needed
• Allows use of lower-cost memory components
• 70%-80% lower mainstream memory costs
• Unmatched high-end capacity
• Industry-standard DDR3

Memory cost per server, Cisco vs. competitors (DDR3 10600 memory pricing as of 9/29/09; capacity-to-price pairing reconstructed from the slide's bar chart):

  Capacity   Cisco      Competitors
  48 GB      $2,760     $2,808
  96 GB      $5,760     $20,310
  144 GB     $8,240     $30,510
  192 GB     $10,992    $40,620
  384 GB     $60,720    Not available

5 Key Differentiators Improve TCO: 4. Unified Fabric and Fabric Extenders

• Fewer adapters and switches needed
• Lower CAPEX, power and administration costs; fewer maintenance and support contracts

[Diagram: legacy blade system vs. UCS.]

  Component         Legacy                                    UCS
  Servers           FC HBA plus 10GbE adapter per server      Single CNA
  Chassis           2 management modules,                     2 fabric extenders
                    2-8 chassis fabric switches
  Rack and row      Separate FC and Ethernet fabrics;         2 fabric interconnects;
                    greater number of TOR and/or EOR          fewer EOR ports required
                    switch ports required

5 Key Differentiators Improve TCO: 5. VN-Link Virtual Interface Card

• Increased system performance and I/O flexibility yield higher consolidation ratios
• Fewer adapters and switches needed

[Diagram: the VIC is a PCIe x16 adapter with 10GbE/FCoE uplinks that presents up to 128 user-definable virtual interfaces (Eth 0, FC 1, QP 2, FC 3, ... Eth 127).]

UCS TCO inputs:
• Higher server consolidation ratios
  – When combined with larger-memory servers, to support larger quantities of virtual machines per physical server
  – Positive impact on overall server system performance via pass-through switching (hypervisor bypass) enacted in hardware rather than in software
  – More difficult to quantify
• VN-Link
  – Supports service profiles and dynamic provisioning; contributes to the assumption of a lower system administration burden for UCS
  – More difficult to quantify

What Does It All Have to Do with Virtual Machines?

[Diagram: a Palo (VIC) adapter with virtual ports uplinked to IOM 1 and IOM 2, and VM1 through VM4 each attached to its own virtual port.]

• VIC ports are tagged/untagged just like FEX ports
• They appear as virtual ports on the top-level bridge (the 6100 fabric interconnect)
• The VNTag part is nothing new; now connect each Palo port to a virtual machine and the result is VN-Link: VM-specific ports on the 6100

Virtual eXperience Infrastructure (VXI)

Virtualization Experience Infrastructure: New Business and Technical Architecture Approach

[Diagram: layered architecture.]

Business imperatives: total cost of ownership, data security, business agility and continuity.

Platforms (virtualized end-to-end system): desktop virtualization services; switching, security, application networking and storage; virtualized collaborative workspace and virtualized data center; partner ecosystem.

User experience: rich media, performance acceleration, security, mobility, policy, location awareness, high availability, energy efficiency.

Building blocks (Cisco and ecosystem partners): virtualization-aware network, end points, unified computing, unified communications, location, video streaming and applications, with management and policy spanning all layers.

Design Validation and Best-Practices Sharing: Committed to Your Success

• Best-practices design zone
• Application certification
• Operational best practices
• Cisco IT shared experiences
• More...

http://www.cisco.com/go/vdi
http://www.cisco.com/go/dcdesignzone
http://www.cisco.com/go/optimizemyapp

Cisco Desktop Virtualization Solution

[Diagram: clients across the WAN to a virtualized data center built on the Cisco Data Center Business Advantage Framework, with partner solution elements (VDI broker, desktop OS, applications, data).]

• Unified network services: Cisco WAAS (WAN optimization), Cisco ACE (application delivery), Cisco ASA (security)
• Unified computing: Cisco UCS platform
• Unified fabric: Cisco Nexus, Cisco MDS 9000 family (storage)

• 60% greater density of virtual desktops per server blade
• 1/3 the cost of networking infrastructure
• UCS service profiles
• Bandwidth optimization and rich-media acceleration
• Over 20% savings per seat* vs. competitors

VDI Overview: Business Drivers

• Capital expenditures (CAPEX)
  – Lengthened desktop hardware refresh cycles
  – Reduced desktop hardware capital expenses
  – Reduced desktop software licenses
• Operational expenditures (OPEX)
  – Reduced desktop software maintenance and operational expenses
  – Lower desktop power consumption
  – Self-service desktop fault resolution
• Capabilities
  – Disaster recovery (DR)
  – Improved desktop and data security/protection
  – Improved user mobility
• Externalization
  – Increased numbers of contractor, outsourcer or partner desktops to support

VDI Overview: Virtual Desktop Models

[Diagram: delivery models arranged on a spectrum from server-hosted to client-hosted computing; in every case the endpoint exchanges display data with whatever runs the desktop.]

Server hosted computing:
• Terminal Services: a presentation server runs one OS with many application sessions; only display data reaches the endpoint
• Remote virtual desktop: a hypervisor in the data center hosts one OS and its applications per desktop; only display data reaches the endpoint

Client hosted computing:
• Virtual desktop streaming: the OS and applications are streamed from a server and execute on the endpoint
• Application streaming: applications are streamed from a server into the OS running on the endpoint
• Synchronized desktop: a guest OS and guest applications run on a hypervisor above the endpoint's main OS and are kept synchronized with the server

VDI Technology: Remote Virtual Desktop Architecture

[Diagram: the endpoint desktop reaches the enterprise data center across a WAN-accelerated link; each data-center service is labelled with the protocol it speaks.]

Data-center services: connection broker, virtual desktop, presentation server, call control, media services, content delivery (ACNS/CDS), web application, file, print, Windows directory, storage.

Protocols in play: ICA/RDP for the virtual desktop session and RDP for the presentation server; SIP/SCCP/MGCP for call control and SIP/MGCP for media services; RTSP and HTTP for content delivery; HTTP(S) for the connection broker and web applications; CIFS/SMB for file; IPP for print; NFS, iSCSI and FC for storage.

VDI Server Compute: Unified Computing System UCS 5108

• Blade
  – Two Intel Xeon 5500 series 2.93 GHz quad-core processors
  – Two optional SAS hard drives (73 GB, 15K RPM, SFF, hot-plug)
  – Hot-pluggable blades and hard disk drive support
  – Half width: up to 96 GB RAM and one dual-port 10Gb CNA
  – Full width: up to 384 GB RAM and two dual-port 10GE CNAs (future)
• Chassis
  – 8 half-width blades or 4 full-width blades
  – 2 fabric extenders
  – Up to 8 (2x4) 10 Gb converged I/O uplinks
• Fabric interconnect
  – Deployed in pairs
  – 6120: up to 20 access ports
  – 6140: up to 40 access ports
  – Fixed and modular uplink ports

[Diagram: a compute chassis enclosure holding half-slot and full-slot x86 compute nodes, each with adapters into the two fabric extenders, which uplink to the pair of fabric interconnects; LAN, SAN and management traffic all pass through the interconnects, under the "California" (UCS) Manager.]

VDI Server Compute: UCS Virtual Desktop Density (Half-Width Blade)

[Diagram: four chassis of slots 1-8 behind a pair of fabric interconnects, connected through the fabric extenders.]

  Uplinks   Desktops per    Desktops per       UCS-6120       UCS-6120         UCS-6140       UCS-6140
  per FEX   96 GB B200      8-blade chassis    max chassis    desktops/system  max chassis    desktops/system
  1         160             1,280              20             25,600           40             51,200
  2         160             1,280              10             12,800           20             25,600
  4         160             1,280              5              6,400            10             12,800

Each chassis consumes one access port per FEX uplink on each fabric interconnect, so the number of chassis a system supports is the interconnect's access-port count divided by the uplinks per FEX.

VDI Server Compute: CPU Capacity Planning

• Average % Processor Time of 5% on a 2 GHz core
• Requires 100 MHz per desktop
• 100 desktops require 10 GHz of processing
• Add 10% to 25% overhead for virtualization, the display protocol and a buffer for spikes
• 100 desktops achieved on ~4 cores delivering 12 GHz
• ESX 3.5 limits apply

VDI Server Compute: Memory Capacity Planning

• VMware ESX Transparent Page Sharing shares a master copy of memory pages among virtual machines
• Windows XP desktops commonly need 256 MB RAM
• Memory optimizations yield 175 MB per desktop
• 100 desktops require 17.5 GB minimum and ~25 GB at peak
• Recommend provisioning 512 MB desktops

  Application/OS         Optimized memory use
  Windows XP             125 MB
  Microsoft Word         15 MB
  Microsoft Excel        15 MB
  Microsoft PowerPoint   10 MB
  Microsoft Outlook      10 MB
  Total                  175 MB

VDI Server Compute: ESX 3.5 and vSphere 4 Planning

  Capacity                                        ESX 3.5 limits             vSphere 4 limits
  Number of virtual CPUs per host                 192                        512
  Number of VMs per host                          170                        320
  Virtual CPUs per core for this workload         20*                        20*
  Size of RAM per server                          256 GB                     1 TB
  Number of VMs managed per vCenter Server        2,000                      3,000 (64-bit)
  Number of hosts per vCenter Server              200                        300 (64-bit)
  NAS (NFS) datastores per cluster                8 / 32 (default/advanced)  8 / 64 (default/advanced)
  VMFS datastores per server (FC/iSCSI)           256                        256
  VMs per VMFS datastore                          32                         64
  Hosts per HA/DRS cluster                        32                         32
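The sizing rules of the CPU and memory planning slides, the per-host rows of the table above and the UCS desktop-density table can be combined into one calculation. The following planner is an added example, not Cisco's sizing tool: the per-desktop figures and host limits are taken from the slides, while the blade definition (a half-width B200 with two quad-core 2.93 GHz Xeon 5500s and 96 GB, per the UCS 5108 slide) and the one-vCPU-per-desktop assumption are ours. It shows which constraint actually caps a blade at the 160 desktops the density table uses.

```python
"""VDI capacity planner built from the sizing rules on the preceding slides.

Added example, not Cisco's tooling: per-desktop figures and host limits come from
the slides; the blade definition and the one-vCPU-per-desktop assumption are ours.
"""
import math
from dataclasses import dataclass

# Per-desktop sizing from the CPU and memory planning slides.
MHZ_PER_DESKTOP = 100                      # 5% average utilisation of a 2 GHz core
OVERHEAD_MIN, OVERHEAD_MAX = 0.10, 0.25    # virtualization, display protocol, spike buffer
OPTIMIZED_MB_PER_DESKTOP = 175             # Windows XP plus Office after memory optimizations
PROVISIONED_MB_PER_DESKTOP = 512           # recommended VM memory allocation

# Per-host rows of the ESX 3.5 / vSphere 4 planning table.
HOST_LIMITS = {
    "ESX 3.5":   {"vcpus": 192, "vms": 170, "vcpus_per_core": 20, "ram_gb": 256},
    "vSphere 4": {"vcpus": 512, "vms": 320, "vcpus_per_core": 20, "ram_gb": 1024},
}


@dataclass(frozen=True)
class Blade:
    name: str
    cores: int
    core_ghz: float
    ram_gb: int


# Assumed blade: the half-width B200 of the UCS 5108 slide.
B200_96GB = Blade("B200, 2 x quad-core 2.93 GHz, 96 GB", cores=8, core_ghz=2.93, ram_gb=96)


def cpu_ghz_required(desktops, overhead=OVERHEAD_MAX):
    """Aggregate GHz for `desktops` at 100 MHz each, plus the planning overhead."""
    if not OVERHEAD_MIN <= overhead <= OVERHEAD_MAX:
        raise ValueError("overhead must be within the slide's 10%-25% planning range")
    return desktops * MHZ_PER_DESKTOP / 1000.0 * (1.0 + overhead)


def cores_required(desktops, core_ghz, overhead=OVERHEAD_MAX):
    """Whole cores needed to deliver that GHz budget (rounded to kill float noise)."""
    return math.ceil(round(cpu_ghz_required(desktops, overhead) / core_ghz, 9))


def memory_gb_required(desktops, per_desktop_mb=PROVISIONED_MB_PER_DESKTOP):
    """Host RAM in GiB; the slide's 17.5 GB for 100 optimized desktops counts 1000 MB per GB."""
    return desktops * per_desktop_mb / 1024.0


def desktops_per_blade(blade, platform, overhead=OVERHEAD_MAX):
    """Largest desktop count the blade sustains, and which constraint binds."""
    lim = HOST_LIMITS[platform]
    if blade.ram_gb > lim["ram_gb"]:
        raise ValueError(f"{blade.name} exceeds the {platform} RAM-per-server limit")
    caps = {
        "cpu":  int(blade.cores * blade.core_ghz * 1000 / (MHZ_PER_DESKTOP * (1 + overhead))),
        "ram":  blade.ram_gb * 1024 // PROVISIONED_MB_PER_DESKTOP,
        "vms":  lim["vms"],
        "vcpu": min(lim["vcpus"], lim["vcpus_per_core"] * blade.cores),  # one vCPU per desktop
    }
    binding = min(caps, key=caps.get)
    return {"desktops": caps[binding], "binding": binding, **caps}


def system_density(uplinks_per_fex, fi_access_ports, desktops_per_blade_count=160, blades_per_chassis=8):
    """Chassis and desktops behind one fabric-interconnect pair: every chassis consumes
    `uplinks_per_fex` access ports on each interconnect (UCS 6120: 20 ports, 6140: 40)."""
    chassis = fi_access_ports // uplinks_per_fex
    per_chassis = desktops_per_blade_count * blades_per_chassis
    return {"chassis": chassis, "desktops_per_chassis": per_chassis, "desktops": chassis * per_chassis}


if __name__ == "__main__":
    print(cpu_ghz_required(100, 0.20), "GHz on", cores_required(100, 3.0, 0.20), "cores")
    print(desktops_per_blade(B200_96GB, "ESX 3.5"))
    for uplinks in (1, 2, 4):
        print(uplinks, system_density(uplinks, 20), system_density(uplinks, 40))
```

With these inputs the B200 is not limited by raw CPU (187 desktops) or by the 96 GB at 512 MB each (192), nor by the 170-VM host limit, but by the 20 vCPUs-per-core guidance times 8 cores, which gives exactly the 160 desktops per blade of the density table; on vSphere 4 the same constraint still binds.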

VXI Compute Bundles: Compute Infrastructure Package

1. VXI Base Compute Bundle: 300+ hosted VM-based desktops
   • Expandable in 100-desktop increments to 700+ hosted VM-based desktops through additional à la carte desktop nodes in the remaining chassis slots
2. VXI Scale Compute Bundle: 400+ hosted VM-based desktops

Notes:
• Cisco will provide design guidelines for a number of different storage architectures
• SI/channel partners will be bundling specific vendors' solutions (software, etc.) into the solution offering

VXI Base Compute Bundle (Entry-Level)

Support for 300+ hosted VM-based desktops, scaling to 700+, or application virtualization (Windows 7 32-bit).

High-level BOM includes:
• Dual UCS 6120 fabric interconnects
• Two UCS 5100 series chassis
• Two management nodes: B200 M2 with 48 GB
• Three desktop blades: B250 M2 with 192 GB

Additional B250 M2 desktop blades can be added à la carte to the four remaining slots; each individual blade can support over 100 VMs (Windows 7 32-bit).

[Diagram: chassis populated with 2 x B200 M2 (48 GB) and 3 x B250 M2 (192 GB).]

VXI Scale Compute Bundle

Adds capacity for an additional 400+ hosted VM-based desktops / ## application virtualization.

Includes:
• 1 chassis
• 4 x B250 M2 with 192 GB of memory and Xeon 5670 hex-core processors
• Virtual Interface Card
• 2 redundant FEX modules
• 3 power supplies (N+1)

[Diagram: one chassis with 4 x B250 M2 w/ 192 GB.]

Sample Deployment: VXI Base Compute Bundle + 2 VXI Scale Compute Bundles

Support for up to 1,500+ hosted VM-based desktops.

• Base bundle: 2 x B200 M2 (48 GB) management nodes and 3 x B250 M2 (192 GB) desktop blades, plus 4 x B250 M2 filling the remaining slots
• 2 scale bundles: 8 x B250 M2 (192 GB), adding 800 VM desktops / ## application virtualization

[Diagram: four chassis holding 2 x B200 M2 w/48 and 15 x B250 M2 w/192 in total.]

VDI Server Network: LAN-Only and Converged I/O

The POD concept: separate from application environments; modular physical, network and compute infrastructure; predictable and repeatable scalability; campus security best practices.

[Diagram: PODs hanging off a core/aggregation/access/virtual-access LAN fabric. The UCS fabric interconnects attach to the LAN access layer; with converged I/O they also attach to SAN edge fabrics A and B, which lead to the storage arrays.]

Virtual desktop with NAS:
• Single fabric
• Fabric interconnect: 10GE attached, end-host mode
• Interconnect connectivity point: the L3/L2 boundary in all cases; Nexus 7000 and Catalyst 6500

Virtual desktop with converged I/O:
• Dual fabrics
• Fabric interconnect: 4G FC attached, NPV mode
• Interconnect connectivity point: SAN core, or SAN edge for more scalability

VDI Server Network: Client Campus Security

• Port Security prevents CAM-table flooding and DHCP starvation attacks and mitigates spanning-tree loops
• DHCP Snooping prevents rogue DHCP server attacks
• Dynamic ARP Inspection prevents ARP spoofing (man-in-the-middle) attacks
• IP Source Guard prevents IP/MAC spoofing and a wide variety of TCP/UDP splicing and DoS attacks

[Diagram: the attack each feature stops. An attacker floods 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc.) until the switch acts like a hub; a rogue DHCP server answers "Use this IP address!" ahead of the real server; and an ARP man-in-the-middle sits between a client and the email server, capturing "Your email password is 'joecisco'!".]
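To make the four checks concrete, here is a small simulation of what an access switch does with each frame once the four features are on. It is an added example, not Cisco code and not IOS configuration: the port names, MAC and IP addresses and the frame sequence are constructed, and the logic is a deliberately minimal model of the real features (port security here err-disables on the first excess MAC, DHCP snooping builds its binding table from DISCOVER/ACK pairs only, DAI and IPSG check nothing beyond that table).

```python
"""Minimal model of Port Security, DHCP Snooping, Dynamic ARP Inspection and IP Source Guard.

Added example, not Cisco code: port names, addresses and the frame sequence are constructed
so the slide's four attack cases can be traced through the switch's decisions.
"""
from dataclasses import dataclass, field


@dataclass
class Port:
    trusted: bool = False        # DHCP-snooping trust; only the uplink towards the DHCP server
    max_macs: int = 1            # port-security maximum secure addresses
    macs: set = field(default_factory=set)
    err_disabled: bool = False


@dataclass(frozen=True)
class Frame:
    port: str
    src_mac: str
    kind: str                    # "dhcp", "arp" or "ip"
    op: str = ""                 # DHCP message type: "discover", "offer", "ack"
    mac: str = ""                # DHCP client hardware address / ARP sender MAC
    ip: str = ""                 # DHCP yiaddr / ARP sender IP / IP source address


class AccessSwitch:
    def __init__(self, ports):
        self.ports = ports
        self.pending = {}        # client MAC -> port, from DISCOVERs seen on untrusted ports
        self.bindings = {}       # (MAC, IP) -> port: the DHCP snooping binding table

    def receive(self, f):
        p = self.ports[f.port]
        if p.err_disabled:
            return "drop: port err-disabled"
        # Port Security: learn source MACs, err-disable once the limit is exceeded (CAM flooding).
        if f.src_mac not in p.macs:
            if len(p.macs) >= p.max_macs:
                p.err_disabled = True
                return "drop: port-security violation, port err-disabled"
            p.macs.add(f.src_mac)
        if f.kind == "dhcp":
            return self._dhcp_snooping(f, p)
        if p.trusted:
            return "permit: trusted port"
        return self._dai(f) if f.kind == "arp" else self._ipsg(f)

    def _dhcp_snooping(self, f, p):
        if f.op == "discover":
            self.pending[f.src_mac] = f.port
            return "permit: client DHCP relayed"
        if not p.trusted:                                  # rogue DHCP server on an access port
            return "drop: DHCP snooping, server reply on untrusted port"
        if f.op == "ack" and f.mac in self.pending:        # real lease: record the binding
            self.bindings[(f.mac, f.ip)] = self.pending.pop(f.mac)
        return "permit: DHCP server reply"

    def _dai(self, f):
        # Dynamic ARP Inspection: ARP sender MAC/IP must be a binding learned on this port.
        if self.bindings.get((f.mac, f.ip)) == f.port:
            return "permit: ARP matches binding"
        return "drop: DAI, ARP sender not in binding table"

    def _ipsg(self, f):
        # IP Source Guard: source MAC/IP of ordinary traffic must match a binding on this port.
        if self.bindings.get((f.src_mac, f.ip)) == f.port:
            return "permit: IP source matches binding"
        return "drop: IPSG, IP/MAC not bound to this port"


def run_scenario():
    """Constructed frame sequence: a legitimate lease, then the slide's attacks."""
    sw = AccessSwitch({
        "Gi1/1": Port(max_macs=1),                           # legitimate client
        "Gi1/2": Port(max_macs=3),                           # attacker
        "Gi1/24": Port(trusted=True, max_macs=64),           # uplink towards the DHCP server
    })
    client, server, evil = "00:0e:00:aa:aa:aa", "00:0e:00:ff:ff:01", "00:0e:00:bb:bb:bb"
    frames = [
        Frame("Gi1/1", client, "dhcp", op="discover"),
        Frame("Gi1/24", server, "dhcp", op="ack", mac=client, ip="10.1.1.50"),
        Frame("Gi1/1", client, "arp", mac=client, ip="10.1.1.50"),
        Frame("Gi1/2", evil, "dhcp", op="offer", mac=client, ip="10.1.1.66"),   # rogue DHCP server
        Frame("Gi1/2", evil, "arp", mac=evil, ip="10.1.1.1"),                  # claims the gateway IP
        Frame("Gi1/2", evil, "ip", ip="10.1.1.50"),                            # spoofs the client's IP
    ]
    # CAM flooding: new bogus source MACs until port security trips.
    frames += [Frame("Gi1/2", f"00:0e:00:bb:bb:{n:02x}", "ip", ip="10.1.1.99") for n in range(4)]
    return [sw.receive(f) for f in frames]


if __name__ == "__main__":
    for verdict in run_scenario():
        print(verdict)
```

The order of checks matters in practice as it does here: the binding table only exists because the client's DISCOVER went out on an untrusted port and the ACK came back on the trusted uplink, so DAI and IPSG can only protect hosts that obtained their address through DHCP; statically addressed hosts need static bindings.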

Security and Automation: Cisco Software Switch for the VMware Platform, Nexus 1000V

[Diagram: ESX hosts each running VM #1 through VM #4 over a Nexus 1000V virtual Ethernet module, NICs into the LAN, the Nexus 1000V operated as one switch.]

• Policy-based VM connectivity
• Mobility of network and security properties
• Non-disruptive operational model
• Virtualizing the network domain: virtualize at network scale, in the on-premise data center

Nexus 1000V: 100+ customers worldwide in the first 90 days.

Policy-Based VM Connectivity: Enabling Policy

1. Nexus 1000V automatically enables port groups in Virtual Center
2. The server admin uses Virtual Center to assign a vNIC policy from the available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

[Diagram: Virtual Center and the Nexus 1000V VSM above an ESX host (Server 1) running VM #1 through VM #4 on the Nexus 1000V VEM.]

Available port groups: WEB Apps, HR, DB, Compliance. For example, WEB Apps:
• PVLAN 108, isolated
• Security policy = ports 80 and 443
• Rate limit = 100 Mbps
• QoS priority = medium
• Remote port mirror = yes

Mobility of Security and Network Properties: Following Your VMs Around

1. Virtual Center kicks off a VMotion (manual or DRS) and notifies Nexus 1000V
   – VMotion notification: current: VM1 on Server 1; new: VM1 on Server 2
2. During VM replication, Nexus 1000V copies the VM port state to the new host
   – Network persistence: VM port configuration and state, VM monitoring statistics

Mobile properties include:
• Port policy
• Interface state and counters
• Flow statistics
• Remote port mirror session

[Diagram: Virtual Center and the Nexus 1000V VSM over Server 1 (VM #1-#4) and Server 2 (VM #5-#8), both in the same Nexus 1000V DVS, with VM #1 being copied to Server 2.]

Mobility of Security and Network Properties: Following Your VMs Around (continued)

3. Once the VMotion completes, the port on the new ESX host is brought up and the VM's MAC address is announced to the network
   – Network update: an ARP for VM1 is sent to the network; flows to VM1's MAC are redirected to Server 2

[Diagram: the same two servers after the move, VM #1 now running on Server 2.]

VN-Link: Complementary Models for Evolving Requirements

Cisco Nexus 1000V (software based):
[Diagram: an ESX server with VM #1 through VM #4 on the Nexus 1000V, NICs into the LAN.]
• Policy-based VM connectivity
• Non-disruptive operational model
• Mobility of network and security properties

UCS VIC (hardware based):
[Diagram: a UCS ("California") blade with VM #1 through VM #4 on ESX; the UCS VIC acts as a pass-through switch into the UCS ("California") fabric switch.]

Virtual Security Gateway (VSG)

Virtual Firewall: What Problem Is Being Solved

[Diagram: four VMs (App/OS) on one host exchanging VM-to-VM traffic that never leaves the host.]

• Control inter-VM traffic: address the new blind spot
• Enable dynamic provisioning: mobility-transparent enforcement
• VLAN-agnostic operation: policy based
• Administrative segregation: server, network and security roles

Virtual Security Gateway (VSG) System Architecture

[Diagram: VMware vCenter and the Nexus 1000V VSM feed the VN-Management Center (policy, VN service profiles, port profiles and their interactions, VM attributes). A VN-Service Agent on each ESX host's VEM (vPath) steers packets to the VSG virtual service nodes (VSN) according to the port-profile to VN-service-profile binding.]

• Attribute-based policies: network and VM attributes (from vCenter and custom)
• Multi-tenant-aware policy composition, authoring and dynamic provisioning
• Performance driven: distributed enforcement

Distributed VSG Architecture: Highly Scalable

[Diagram: VMs grouped into Zones 1 through 3 across several hosts; each host's VEM carries vPath (flow lookup and service lookup) and steers first packets to a VSG that can run on any host.]

• A VSG (VM) instance can be on any host
• Does NOT require a VSG per host
• The host's compute resources stay devoted to VMs
• No VLAN stitching
• Fast path (vPath) in every host's Nexus 1000V switch
• Highly scalable
• VM mobility is supported by design
• High-availability (active-standby) deployment

Trusted Zones

[Diagram: Tenant A with HR, Finance, QA, Dev and VDI zones, all enforced by one VSG.]

Zoning classification:
• Based upon network attributes
• Based upon custom attributes: tag the VM through the port-profile/vn-service-profile
• Based upon VM attributes

Security support:
• Interior security: zone-to-zone and within-zone
• Exterior security: external-to-zone

Virtual machines can belong to multiple zones.

Example: 3-Tier Server Zones

[Diagram: policy "Content Hosting". Web clients reach the web servers in web-zone; the application servers sit in application-zone and the database servers in database-zone.]

Intent:
• Permit only port 80 (HTTP) to the web servers
• Permit only port 22 (SSH) to the application servers
• Only permit web servers access to application servers
• Only permit application servers access to database servers
• Block all external access to database servers

• The Beta 1 release has CLI only
• Beta 2 and FCS will be through the GUI tool, VN-MC

Example: 3-Tier Server Zones, Defining Zones

Each zone is defined by a condition on a custom VM attribute:

  zone web-zone
    condition 1 vm.custom.app-type eq web

  zone application-zone
    condition 1 vm.custom.app-type eq application

  zone database-zone
    condition 1 vm.custom.app-type eq database

Example: 3-Tier Server Zones, Creating Rules

Permit only port 80 (HTTP) to the web servers:

  rule web-http-rule
    condition 1 dst.zone.name eq web-zone
    condition 2 dst.net.port eq 80
    action 1 permit

Permit only port 22 (SSH) to the application servers:

  rule application-ssh-rule
    condition 1 dst.zone.name eq application-zone
    condition 2 dst.net.port eq 22
    action 1 permit

The default is "deny". That default is what blocks all external access to the database servers: no rule permits traffic into database-zone from anywhere but application-zone. Note that neither rule above constrains the source zone, so as written port 22 into application-zone is permitted from any source, external clients included; a src.zone.name condition would be needed to restrict SSH to a management or web zone.

Example: 3-Tier Server Zones, Creating Rules (continued)

Permit bi-directional traffic between web and application servers:

  rule web-to-application-rule
    condition 1 src.zone.name eq web-zone
    condition 2 dst.zone.name eq application-zone
    action 1 permit

  rule application-to-web-rule
    condition 1 src.zone.name eq application-zone
    condition 2 dst.zone.name eq web-zone
    action 1 permit

Permit bi-directional traffic between application and database servers:

  rule application-to-database-rule
    condition 1 src.zone.name eq application-zone
    condition 2 dst.zone.name eq database-zone
    action 1 permit

  rule database-to-application-rule
    condition 1 src.zone.name eq database-zone
    condition 2 dst.zone.name eq application-zone
    action 1 permit

Example: 3-Tier Server Zones, Defining Policy

The policy binds the rules together and orders them; rules are evaluated by order number, and traffic that matches none of them falls to the default deny:

  policy content-host-policy
    rule web-http-rule order 10
    rule application-ssh-rule order 20
    rule web-to-application-rule order 30
    rule application-to-web-rule order 40
    rule application-to-database-rule order 50
    rule database-to-application-rule order 60

VSG VM-to-VM Traffic Flow: 1st Packet

• For the first packet within a network session the traffic redirection scheme differs between cases, but the packet flow is similar
• Traffic redirection is based on the port-profile-to-VSG binding and a flow-entry lookup in the Service Data Path (SDP)
• Processing of Internet-to-VM and inter-VM traffic is normalized: different firewall policies are applied to this traffic strictly on the basis of the source/destination attributes defined in the policy

[Diagram: web server and app server VMs on the Nexus 1000V DVS; the first packet of a flow takes six steps through the Service Data Path, out to the VSG for policy evaluation and back.]

VSG VM-to-VM Traffic Flow: 2nd and Subsequent Packets

• After the VSG has evaluated policy against the first packet of a network session, a flow-entry cache is established in the SDP, which offloads processing of the rest of the packets to the SDP
• The flow lookup in the SDP identifies the current state of the flow, so the SDP processes subsequent packets based on the actions stored in the flow entry

[Diagram: the same VMs; subsequent packets take four steps within the Service Data Path and never reach the VSG.]
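The zone, rule and policy definitions of the 3-tier example and the first-packet/flow-cache behaviour of the two slides above, as one runnable model. This is an added example, not VSG or Nexus 1000V code: the attribute names, the three zones, the six rules and their order numbers are transcribed from the slides; the VM inventory, the IP addresses, the external client address 203.0.113.5 and the (source IP, destination IP, destination port) flow key are constructed for the example, and zone membership is reduced to the single custom attribute the slides use.

```python
"""Model of VSG zone/rule/policy evaluation and the vPath flow cache.

Added example, not Cisco's VSG or Nexus 1000V code.  Zones, rules, attribute names
and the policy order are transcribed from the 3-tier slides; the VM inventory, IP
addresses and the flow-key shape are constructed for the example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    attrs: dict = field(default_factory=dict)   # VM attributes as VSG learns them from vCenter


# "Defining Zones": membership by the custom vm.custom.app-type attribute.
ZONES = {
    "web-zone":         {"vm.custom.app-type": "web"},
    "application-zone": {"vm.custom.app-type": "application"},
    "database-zone":    {"vm.custom.app-type": "database"},
}


def zones_of(vm):
    """Every zone whose conditions the VM satisfies (a VM may belong to several)."""
    return {z for z, cond in ZONES.items()
            if all(vm.attrs.get(k) == v for k, v in cond.items())}


# "Creating Rules": conditions are (attribute, value) pairs, all of which must match.
RULES = {
    "web-http-rule":                ([("dst.zone.name", "web-zone"), ("dst.net.port", 80)], "permit"),
    "application-ssh-rule":         ([("dst.zone.name", "application-zone"), ("dst.net.port", 22)], "permit"),
    "web-to-application-rule":      ([("src.zone.name", "web-zone"), ("dst.zone.name", "application-zone")], "permit"),
    "application-to-web-rule":      ([("src.zone.name", "application-zone"), ("dst.zone.name", "web-zone")], "permit"),
    "application-to-database-rule": ([("src.zone.name", "application-zone"), ("dst.zone.name", "database-zone")], "permit"),
    "database-to-application-rule": ([("src.zone.name", "database-zone"), ("dst.zone.name", "application-zone")], "permit"),
}

# "Defining Policy": rules tried in order-number sequence; no match falls to the default deny.
CONTENT_HOST_POLICY = [
    (10, "web-http-rule"), (20, "application-ssh-rule"),
    (30, "web-to-application-rule"), (40, "application-to-web-rule"),
    (50, "application-to-database-rule"), (60, "database-to-application-rule"),
]


def packet_attrs(src, dst, dst_port):
    """Attributes VSG evaluates for a packet; an external host (src=None) has no zone."""
    return {
        "src.zone.name": zones_of(src) if src else set(),
        "dst.zone.name": zones_of(dst),
        "dst.net.port": dst_port,
    }


def _matches(cond, attrs):
    attr, wanted = cond
    value = attrs[attr]
    return wanted in value if isinstance(value, set) else value == wanted


def evaluate(policy, attrs):
    """Return (action, rule name); the first matching rule decides."""
    for _, name in sorted(policy):
        conditions, action = RULES[name]
        if all(_matches(c, attrs) for c in conditions):
            return action, name
    return "deny", "default"


class VPath:
    """Per-host fast path in the Nexus 1000V VEM: the first packet of a flow goes to the
    VSG, the verdict is cached in the flow table, and later packets are handled locally."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = {}            # (src ip, dst ip, dst port) -> (action, rule)
        self.vsg_lookups = 0

    def forward(self, src, dst, dst_port, src_ip=None):
        key = (src.ip if src else src_ip, dst.ip, dst_port)
        if key not in self.flows:                          # 1st packet: policy evaluation at the VSG
            self.vsg_lookups += 1
            self.flows[key] = evaluate(self.policy, packet_attrs(src, dst, dst_port))
        return self.flows[key]                             # 2nd and later: flow-table hit


# Constructed inventory for the example.
WEB = VM("web1", "10.1.1.10", {"vm.custom.app-type": "web"})
APP = VM("app1", "10.1.2.10", {"vm.custom.app-type": "application"})
DB = VM("db1", "10.1.3.10", {"vm.custom.app-type": "database"})
CLIENT_IP = "203.0.113.5"                                  # external web client, no zone


def demo():
    vp = VPath(CONTENT_HOST_POLICY)
    results = {
        "client->web:80":  vp.forward(None, WEB, 80, src_ip=CLIENT_IP),
        "client->db:1521": vp.forward(None, DB, 1521, src_ip=CLIENT_IP),
        "web->app:8080":   vp.forward(WEB, APP, 8080),
        "app->db:1521":    vp.forward(APP, DB, 1521),
        "web->db:1521":    vp.forward(WEB, DB, 1521),
        "client->app:22":  vp.forward(None, APP, 22, src_ip=CLIENT_IP),
    }
    vp.forward(None, WEB, 80, src_ip=CLIENT_IP)            # repeat packet: served from the cache
    return results, vp.vsg_lookups


if __name__ == "__main__":
    verdicts, lookups = demo()
    for flow, (action, rule) in verdicts.items():
        print(f"{flow:16} {action:6} ({rule})")
    print("VSG lookups:", lookups)
```

Running demo() shows the default deny doing the work for database-zone (the external client to db:1521 and web-zone to database-zone are both denied with no rule matched) and also what the intent list glosses over: application-ssh-rule carries no source condition, so SSH into application-zone is permitted from the external client too. The repeated client-to-web packet is answered from the vPath flow table, which is why vsg_lookups stays at six for seven forwarded packets.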

Virtual Network Manager Center (VN-MC): Policy-Based, Programmatic Management Architecture

[Diagram: VN-MC with its policy repository at the centre; an XML API northbound to a cloud service portal, 3rd-party orchestrators and Cisco management tools, and southbound to vCenter, the Nexus 1000V VSM and the VSG virtual service nodes.]

• Policy-driven provisioning
• Stateless configuration model
• Role-based administration
• Natively API driven (XML API) for interaction with external management stations
• Consistent management across traditional services and VSGs

VN-MC Zone Configuration

[Screenshot: the VN-MC zone configuration screen, showing the definition of a custom attribute defined for a zone.]

Q & A