Cisco - Global Home Page - Nexus 1000V in Context of SDN · Neutron Service • Core + Extension...

Nexus 1000V in Context of SDN

Martin Divis, CSE, [email protected]

Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public

Why Cisco Nexus 1000V Losing the Edge Host Host Host Host

The rest of the network…

vSwitch vSwitch vSwitch vSwitch Server Admin manages

virtual switching !

Unsupervised VM to VM communication VMs on the wrong VLANs

Server Admin

Network Admin No Network visibility or control No policy and vlan control


Why Cisco Nexus 1000V Finding it back ! Host Host Host Host

Server Admin freed from managing network

Nexus 1000V Distributed virtual switch

Server Admin

Network Admin Virtual switching managed by Network Admin Full network policy control, visibility


Hypervisor Hypervisor Hypervisor

VEM-N VEM-1 VEM-2

Modular Switch

… Linecard-N

Supervisor-1

Supervisor-2

Linecard-1

Linecard-2

Bac

k P

lane

Cisco Nexus 1000V Overview

VSM: Virtual Supervisor Module VEM: Virtual Ethernet Module

VSM1

VSM2

Virtual Appliance Network Admin

Server Admin


Why Not Configure Virtual Ports?

6

§ Too many ports, and they move too fast § Network admin needs sanity § Server admin needs freedom

–  To deploy and move virtual machines –  To deploy and move physical hosts

switch # int gi1/0/35 switchport mode access switchport access vlan 23 etc…




Source: http://images.webmagic.com/klov.com/screens/S/wSpace_Invaders.png


Cisco Nexus 1000V Architecture

Virtual Service Data Path (vPath)

•  Service chaining (traffic steering)

•  Fast-path offload

•  VXLAN aware

Virtual Extensible LAN (VXLAN)

Scaling LAN segments DC-wide VM Mobility

•  LAN segment across Layer 3

•  Works with existing network infrastructure

•  16 million segments

Embedding intelligence for virtual services

Nexus 1000V vPath VXLAN

Hypervisor ESX, Hyper-V

Nexus 1000V vPath VXLAN

Hypervisor KVM, Xen

* To be released in CY13

Ethernet/IP Network Fabric

Cisco vWAAS N1KV VSM ASA 1000V Cisco VSG Citrix VPX* CSR1000V Imperva WAF*

Virtual Appliance


vPath – Service Chaining

§  Service Path defines the service chain – an ordered list of service profiles (e.g. security profile, edge profile, slb profile etc.)

§  Traffic Selector rules are used to configure Service Table in vPath

§  An endpoint VM is associated with Service Path via Port-Profile Binding

Nexus 1000V vPath

123


VxLAN Deep Dive – Overlays Why Overlays?

Flexible Overlay Virtual Network •  Mobility

•  Track end-point attach at edges •  Scale

•  Reduce core state •  Distribute and partition state to

network edge •  Flexibility/Programmability

•  Reduced number of touch points

Robust Underlay/Fabric •  High Capacity Resilient Fabric •  Intelligent Packet Handling •  Programmable & Manageable


Ethernet Header Payload FCS

Outer IP

Outer UDP VXLAN Outer

Ethernet Inner

Ethernet Payload New FCS

Segment ID

1

Reserved Reserved Flags

Rsvd Rsvd

8 Bytes

1 Byte Outer UDP Destination Port = VXLAN (originally 8472, recently updated to 4789) Outer UDP Source Port = Hash of Inner Frame Headers (optional)

VxLAN Deep Dive – Overview Virtual eXtensible LAN (VXLAN)

•  Virtual eXtensible LAN (VXLAN) is a Layer 2 overlay scheme over a Layer 3 network. •  A 24-bit VXLAN Segment ID or VXLAN Network Identifier (VNI) is included in the

encapsulation to provide up to 16M VXLAN segments for traffic isolation/segmentation, in contrast to the 4K segments achievable with VLANs. •  Each of these segments represents a unique Layer 2 broadcast domain, and can be

administered in such a way that it can uniquely identify a given tenant’s address space or subnet…


VxLAN Deep Dive – Overview VTEP – Handling of Multi-Destination Traffic

•  Since a control/signaling protocol has not been defined, emulation of Multi-Destination traffic (Broadcast, Multicast, Unknown Unicast) is handled through the VXLAN IP underlay through the use of segment control multicast groups…

VTEP-1

End System A MAC-A IP-A

VTEP-2

End System B MAC-B IP-B

Mcast Group

IP Network VTEP 1 IP-1

VTEP 2 IP-2

VTEP-3

End System End System

VTEP 3 IP-3

Note: VxLAN 1.1 added control/signaling mechanism via centralized agent, in case of Nexus1000V, it is VSM

VTEP – implemented in software or hardware. Required for VxLAN gateway.


VxLAN implementations today

§ Nexus 1000V (L2) – network virtualization in server virtualization context –  vCenter, Hyper-V, KVM, OpenStack

§ Nexus 3100 (L2), 5600 (L2, L3), 9000 (L2, L3) - gateway § Cisco ASR 1000(L2, L3), 9000 (L2, L3) - gateway §  VMware vShield & DVS (L2) §  VMware NSX (L2, L3)

–  alternatively can use STT –  can use limited number of switch models for HW gateway (L2)

§ Many other chipset & HW vendors (L2)

12


REST API

HTTP Programmability

Open RPC API – Extensible to support REST

{ "1": { "url": "/api/vlan/1", "properties": { "id": 1, "state": "active", "name": "default", "shutdown": false } }, "5": { "url": "/api/vlan/5", "properties": { "id": 5, "state": "active", "name": "dbs", "shutdown": false } } }

HTTP GET http://192.168.133.131/api/vlan


Nexus 1000v REST API Services

§  VLAN, VXLAN §  Port-Profiles §  Virtual Service Nodes, vPath §  Span Ports § User access § Hypervisor dependent operations, mostly read only

–  License –  Connectivity –  vNIC, uplinks, port-profiles –  Inventory

14


Warning, warning, warning

§ Nexus 1000v available for: –  vSphere –  Hyper-V –  KVM

§  And while features and CLI is almost the same for all platforms... ...REST API is totaly different

15


OpenStack Neutron Architecture

Neutron Server

REST API

Neutron Core plugins

ML2

Cis

co (N

exus

, N

1Kv)

OV

S

Mor

e ve

ndor

pl

ugin

s

Neutron Service plugins

•  Core + Extension REST API’s

•  Message Queue for communicating with Neutron Agents

•  Core and Service Plugins

•  Different vendor core plugins

•  Different network technology support

•  ML2 plugin with Type and Mechanism Drivers

•  Service plugins with backend drivers

Core API Network Port Subnet

Resource and Attribute Extension API ProviderNetwork PortBinding Router Quotas SecurityGroups AgentScheduler LBaaS FWaaS VPNaaS ….

DHCP Agent

L3 Agent

Message Queue

IPTables on Network

Node

L2 Agent OVS on Compute

Node

Load

Bal

ance

r

Fire

wal

l

VP

N

HA

Pro

xy

IPTa

bles

Ope

nSw

an

L3 S

ervi

ces

Futu

res

Type Drivers Mechanism Drivers

VLA

N

GR

E

VX

LAN

Cis

co N

exus

OV

S

Ope

nDay

Ligh

t

AP

IC

Southbound interfaces

Mor

e ve

ndor

dr

iver

s

16


VMs on Compute Node

N1Kv VEM

Compute Nodes

Neutron Cisco Nexus1000v Plugin (KVM) Neutron N1Kv specific API extensions usage – neutron network-‐profile-‐create PROFILE_NAME vlan -‐-‐segment_range 400-‐499 neutron net-‐create NETWORK_NAME -‐-‐n1kv:profile_id PROFILE_ID neutron policy-‐profile-‐list neutron port-‐create NETWORK_NAME -‐-‐n1kv:profile_id PROFILE_ID

17

Neutron Server

Neutron Core plugin (Cisco)

Cisco N1Kv Plugin

N1Kv VSM

Benefits:

§  Network Profiles – VLAN, VXLAN (multicast/unicast), Trunk

§  Policy Profiles – ACLs, QoS

§  VXLAN Gateway Service VM

Network Profile (admin)

REST API

Nova Policy Profile defined in VSM (periodic polling)

Policy Profile

Network Profile:Network Segment Pool Policy Profile:Port Profile,

VM VM

Prosíme, ohodnoťte tuto přednášku

•  Děkujeme

Cisco - Global Home Page - Nexus 1000V in Context of SDN · Neutron Service • Core + Extension...

Documents

Transcript of Cisco - Global Home Page - Nexus 1000V in Context of SDN · Neutron Service • Core + Extension...