Date posted: 16-Jul-2015
Category: Technology
Uploaded by: soumen-chatterjee
Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 1
Cisco Virtualized Network Services: Ready for Your Cloud
Soumen Chatterjee, Product Manager, Data Center Group

Virtual Appliance Nexus 1010

[Figure: Nexus 1010 virtual appliance hosting vWAAS, VSG, VSM and NAM; VSG and VSM are deployed as primary/secondary pairs with L3 connectivity to the VEMs]

Glossary:
• VSM: Virtual Supervisor Module
• VEM: Virtual Ethernet Module
• vPath: Virtual Service Data-path
• VXLAN: Scalable Segmentation
• VSG: Virtual Security Gateway
• vWAAS: Virtual WAAS
• ASA 1000V: Tenant-edge security

Virtual Service Blades:
• Virtual Supervisor Module (VSM)
• Network Analysis Module (NAM)
• Virtual Security Gateway (VSG)
• Data Center Network Manager (DCNM)

[Figure: VEM-1 on VMware ESX, VEM-2 on Win Server 2012 and VEM-3 on an open source hypervisor, each running vPath and VXLAN, with an ASA 1000V at the tenant edge]

VXLAN
• 16M address space for LAN segments
• Network Virtualization (MAC-over-UDP)

vPath
• Service Binding (Traffic Steering)
• Fast-Path Offload
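The VXLAN bullets above (MAC-over-UDP, 16M segments) come down to one 8-byte header in front of the original Ethernet frame. The encoder/decoder below is an added example written for this page, not code from the slides or from Cisco; the header layout follows RFC 7348, and the `allowed_vnis` check in `decapsulate` is an assumed receiver-side policy (VXLAN itself carries no authentication, so a tunnel endpoint should only deliver frames for segments it has actually been provisioned for). The MAC addresses and payload in `round_trip` are constructed sample data.

```python
"""Minimal VXLAN (MAC-over-UDP) encoder/decoder.

Added example for this page; it is not Cisco's code. The header layout
follows RFC 7348: an 8-byte VXLAN header (flags with the I bit set, three
reserved bytes, a 24-bit VNI, one reserved byte) carried over UDP, followed
by the original Ethernet frame. The 24-bit VNI is what yields the "16M"
segments quoted on the slide.
"""
import struct
from typing import Optional, Set, Tuple

VXLAN_UDP_PORT = 4789                      # IANA-assigned UDP port for VXLAN
VNI_MAX = (1 << 24) - 1                    # 24-bit VNI: 16,777,216 segments
FLAG_VNI_VALID = 0x08                      # "I" flag: the VNI field is valid
HEADER_FMT = "!B3sI"                       # flags, 3 reserved bytes, (VNI << 8) | reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes
ETH_HEADER_LEN = 14                        # dst MAC + src MAC + EtherType


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, data: bytes) -> bytes:
    """Build a bare Ethernet II frame (no FCS) from colon-separated MAC strings."""
    return _mac_bytes(dst_mac) + _mac_bytes(src_mac) + struct.pack("!H", ethertype) + data


def parse_ethernet(frame: bytes) -> Tuple[str, str, int, bytes]:
    """Split an Ethernet II frame into (dst_mac, src_mac, ethertype, payload)."""
    if len(frame) < ETH_HEADER_LEN:
        raise ValueError("Ethernet frame shorter than its header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return _mac_str(frame[0:6]), _mac_str(frame[6:12]), ethertype, frame[ETH_HEADER_LEN:]


def encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend a VXLAN header carrying `vni` to an Ethernet frame.

    The outer UDP/IP headers (UDP dst port VXLAN_UDP_PORT) are left to the caller.
    """
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    if len(inner_frame) < ETH_HEADER_LEN:
        raise ValueError("inner Ethernet frame shorter than its header")
    # The VNI occupies the top 24 bits of the last 32-bit word; the low byte is reserved (0).
    header = struct.pack(HEADER_FMT, FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)
    return header + inner_frame


def decapsulate(payload: bytes, allowed_vnis: Optional[Set[int]] = None) -> Tuple[int, bytes]:
    """Strip the VXLAN header and return (vni, inner_frame).

    `allowed_vnis` is an assumed receiver-side policy, not part of the protocol:
    a tunnel endpoint should only hand an inner frame to a segment it has been
    provisioned for, because the header itself is unauthenticated.
    """
    if len(payload) < HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("truncated VXLAN packet")
    flags, _reserved, vni_word = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; header is not valid")
    vni = vni_word >> 8
    if allowed_vnis is not None and vni not in allowed_vnis:
        raise PermissionError(f"VNI {vni} is not provisioned on this endpoint")
    return vni, payload[HEADER_LEN:]


def round_trip(vni: int, allowed_vnis: Set[int]) -> Tuple[int, str, str, int]:
    """Encapsulate a constructed frame, decode it again and report what came back."""
    # Constructed sample frame: ARP EtherType with a dummy 28-byte body.
    frame = ethernet_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", 0x0806, b"\x00" * 28)
    vni_out, inner = decapsulate(encapsulate(vni, frame), allowed_vnis)
    dst, src, ethertype, _body = parse_ethernet(inner)
    return vni_out, dst, src, ethertype


if __name__ == "__main__":
    print(round_trip(0x123456, {0x123456}))
```

Running the block prints the decoded VNI and the inner frame's MAC addresses and EtherType; passing a VNI that is not in the endpoint's allow-list makes `decapsulate` raise instead of delivering the frame, which is the behaviour you want from a VTEP that receives traffic for a segment it does not serve.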

Virtual Security Gateway and ASA 1000V

[Figure: Virtual Security Gateway (zone based segmentation of VMs) and ASA 1000V (external / multi-tenant edge deployment) running on the hypervisor with Nexus 1000V and vPath, managed by the Virtual Network Mgmt Ctr (VNMC)]

Virtual Security Gateway (VSG) with the Virtual Network Management Center (VNMC)
• Context aware Security: VM context aware rules
• Zone based Controls: establish zones of trust
• Dynamic, Agile: policies follow vMotion
• Best-in-class Architecture: efficient, fast, scale-out SW (with vPath intelligence)
• Non-Disruptive Operations: security team manages security
• Policy Based Administration: central mgmt, scalable deployment, multi-tenancy
• Designed for Automation: XML API, security profiles

Virtual Security Gateway for Nexus 1000V: Context-based, Virtualization-aware, Multi-tenant Workload Segmentation for Data Centers and Clouds

[Figure: VMs on several hosts attached to the Nexus 1000V Distributed Virtual Switch; vPath steers traffic to the VSG (active), with a VSG (stand-by) for high availability; VNMC with Log/Audit]

• Secure Segmentation (VLAN agnostic)
• Efficient Deployment (secure multiple hosts)
• Transparent Insertion (topology agnostic)
• High Availability
• Dynamic policy-based provisioning
• Mobility aware (policies follow vMotion)

VNMC: Virtual Network Management Center

Secure zoning of 3-Tier Application Workload

[Figure: Tenant_A and Tenant_B, each with Web Servers, App Servers and DB servers; an ASA Firewall provides inter-tenant edge control (VLAN based) and a VSG provides secure zoning within each tenant]

Zone policy within a tenant:
• Port 80 (HTTP) and 443 (HTTPS) of Web Servers open
• Only Port 22 (SSH) of App Servers open
• All other traffic denied
• Only permit Web Servers access to App servers via HTTP/HTTPS
• Only permit App servers access to DB servers

VSG rule structure

Rule (ACE: Access Control Entry) = Source Condition + Destination Condition + Action

A Condition pairs an Attribute Type with an Operator. Attribute Type is one of:
• Network
• VM
• User Defined
• vZone

Operators:
• eq, neq, gt, lt, range, Not-in-range, Prefix
• member, Not-member, Contains

VM Attributes: Instance Name, Guest OS full name, Guest OS Host name, Parent App Name, Cluster Name, Hypervisor Name, Resource-pool, Port Profile Name, Zone Name

Network Attributes: IP Address, Network Port
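To make the rule structure concrete, and to show how it expresses the 3-tier zoning policy from the previous slide, here is an added example policy evaluator written for this page (not Cisco's code and not the VSG implementation). The attribute names, operator names and the five zone rules are taken from the slides; the data model, first-match evaluation with a default deny, the vZone definitions, the "prefix" semantics (IP-in-prefix for addresses, string prefix otherwise) and the sample VMs are assumptions of this example.

```python
"""Attribute-driven, zone-based policy evaluation modelled on the VSG rule
structure on this page: a rule is a source condition plus a destination
condition plus an action, and conditions test VM attributes or network
attributes with the listed operators.

Added example, not Cisco's code. Data model, evaluation order, vZone
definitions and sample VMs are assumptions of this example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

PERMIT, DENY = "permit", "deny"


def _prefix(value: Any, arg: Any) -> bool:
    """'prefix' (assumed semantics): IP-in-prefix for addresses, string prefix otherwise."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(arg, strict=False)
    except ValueError:
        return str(value).startswith(str(arg))


OPERATORS = {
    "eq": lambda v, a: v == a,
    "neq": lambda v, a: v != a,
    "gt": lambda v, a: v > a,
    "lt": lambda v, a: v < a,
    "range": lambda v, a: a[0] <= v <= a[1],
    "not-in-range": lambda v, a: not (a[0] <= v <= a[1]),
    "prefix": _prefix,
    "member": lambda v, a: v in a,
    "not-member": lambda v, a: v not in a,
    "contains": lambda v, a: str(a) in str(v),
}


@dataclass(frozen=True)
class Condition:
    attribute: str   # VM attribute (instance_name, port_profile_name, zone_name, ...) or network attribute (ip_address, network_port)
    operator: str
    value: Any

    def matches(self, ctx: Dict[str, Any]) -> bool:
        if self.attribute not in ctx:
            return False          # unknown attribute never matches: fail closed
        return OPERATORS[self.operator](ctx[self.attribute], self.value)


@dataclass(frozen=True)
class Rule:
    source: Tuple[Condition, ...]        # empty tuple = any source
    destination: Tuple[Condition, ...]   # empty tuple = any destination
    action: str


def resolve_zone(vm_attrs: Dict[str, Any], zones: Dict[str, Tuple[Condition, ...]]) -> Dict[str, Any]:
    """Derive zone_name from the vZone definitions (first matching zone wins)."""
    ctx = dict(vm_attrs)
    for name, conds in zones.items():
        if all(c.matches(ctx) for c in conds):
            ctx["zone_name"] = name
            break
    return ctx


def evaluate(rules: List[Rule], src: Dict[str, Any], dst: Dict[str, Any],
             zones: Dict[str, Tuple[Condition, ...]]) -> str:
    """First-match evaluation; anything no rule permits is denied."""
    s, d = resolve_zone(src, zones), resolve_zone(dst, zones)
    for rule in rules:
        if all(c.matches(s) for c in rule.source) and all(c.matches(d) for c in rule.destination):
            return rule.action
    return DENY   # "All other traffic denied"


# Assumed vZone definitions: zones are derived from VM attributes, not from VLANs or IPs,
# so a VM keeps its zone (and its policy) when it moves to another hypervisor.
ZONES = {
    "web": (Condition("port_profile_name", "eq", "tenantA-web"),),
    "app": (Condition("port_profile_name", "eq", "tenantA-app"),),
    "db": (Condition("instance_name", "prefix", "db-"),),
}

# The five statements from the 3-tier zoning slide, in first-match order.
THREE_TIER_POLICY = [
    Rule((), (Condition("zone_name", "eq", "web"), Condition("network_port", "member", (80, 443))), PERMIT),
    Rule((), (Condition("zone_name", "eq", "app"), Condition("network_port", "eq", 22)), PERMIT),
    Rule((Condition("zone_name", "eq", "web"),),
         (Condition("zone_name", "eq", "app"), Condition("network_port", "member", (80, 443))), PERMIT),
    Rule((Condition("zone_name", "eq", "app"),), (Condition("zone_name", "eq", "db"),), PERMIT),
]

# Constructed sample endpoints (VM context is what a hypervisor-aware enforcement point sees).
WEB1 = {"instance_name": "web-01", "port_profile_name": "tenantA-web", "hypervisor_name": "esx-1", "ip_address": "10.1.1.10"}
APP1 = {"instance_name": "app-01", "port_profile_name": "tenantA-app", "hypervisor_name": "esx-2", "ip_address": "10.1.2.10"}
DB1 = {"instance_name": "db-01", "port_profile_name": "tenantA-db", "hypervisor_name": "esx-3", "ip_address": "10.1.3.10"}
INTERNET = {"ip_address": "203.0.113.7"}   # external client: no VM attributes at all


def flow(src: Dict[str, Any], dst: Dict[str, Any], dst_port: int) -> str:
    """Decide one flow: destination context is the VM plus the destination port."""
    return evaluate(THREE_TIER_POLICY, src, {**dst, "network_port": dst_port}, ZONES)


if __name__ == "__main__":
    for name, s, d, p in [("internet->web:443", INTERNET, WEB1, 443), ("web->db:3306", WEB1, DB1, 3306),
                          ("app->db:3306", APP1, DB1, 3306)]:
        print(name, flow(s, d, p))
```

Two things worth noticing when you run it: an external client reaches the web tier on 443 but gets nothing from the DB tier, and `APP1` with `hypervisor_name` changed to another host gets the same verdict, because zone membership is derived from VM attributes rather than from the host or the VLAN.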

Data center security layers

[Figure: layered data center (Core, Aggregation, Services, Storage Access, Virtual Access, UCS) with controls placed per layer: data security (authenticate & access control), Virtual Firewall, Real-time Monitoring, Firewall Rules; ACLs, Port Security, VN Tag, Netflow, ERSPAN, QoS, CoPP, DHCP snooping]

Security Management
• Visibility
• Event correlation, syslog, centralized authentication
• Forensics
• Anomaly detection
• Compliance

Infrastructure Security
• Infrastructure Security features are enabled to protect the device, the traffic plane and the control plane
• 802.1ae and vPC provide internal/external separation

Services
• IPS/IDS provide traffic analysis and forensics
• Network Analysis provides traffic monitoring and data analysis
• Server load balancing masks servers and applications

Services (firewall)
• Initial filter for DC ingress and egress traffic; Virtual Context used to split policies for server-to-server filtering
• Additional firewall services for server farm specific protection

Tenant zone model

[Figure: traffic from the Public/Shared VRF passes through an ASA Context (per tenant) into the Private (Tenant VRF); inside the tenant, Nexus 1000V vPath steers traffic to the VSG, the control point for the Protected VRF. Zone labels: Public Zone (DMZ); Protected FE Zone 1, Zone 2, Zone 3; Sub-Zone W, X, Y, Z; Less Trusted Zones; Front-end Zones; Back-end Zones; Front-end Tenant Perimeter; Back-end Tenant Perimeter; Back-end Management Perimeter]

• Virtual ASA provides a consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• Solution provides:
  • Increased flexibility and operational efficiency via vPath (Nexus 1000V)
  • Dynamic, context-aware, multi-tenant management via VNMC

[Figure: Tenant A and Tenant B, each a VDC of vApps on vSphere with Nexus 1000V and vPath, protected by VSGs and an ASA 1000V per tenant; Virtual Network Management Center (VNMC) alongside VMware vCenter]

ASA 1000V features
• IPSec VPN (Site-to-Site)
• NAT
• DHCP
• Default Gateway
• Static Routing
• Stateful Inspection
• IP Audit
• Built using ASA technology
• Support for VXLAN
• Multi-tenant management via VNMC
• Inter-operability with VSG via Service Chaining

Cloud-ready WAN Optimization: Virtual WAAS on Nexus 1000V with vPath

[Figure: Virtual WAAS "Appliances" on UCS / x86 servers running the ESX/ESXi hypervisor with Nexus 1000V and vPath]

FEATURES
• Allows Agile, Elastic, & Multi Tenant Deployment
• Supports DRE Cache in SAN
• Policy-based Provisioning w/ Nexus 1000V
• Extends WAAS Solution Portfolio

BUSINESS BENEFITS
• Business Agility with on-demand orchestration
• Lower operational cost, reduced migration risk
• Fault-tolerance with VM mobility awareness

vWAAS deployment options

[Figure: WAN or Internet connected through Nexus 2K/5K to UCS compute, both virtualized servers (VMware ESXi with Nexus 1000V and vPath) and physical servers; WCCP redirection for the stand-alone mode, vPath redirection for the integrated mode]

1. Stand-alone
• Traditional WAN Edge Deployment at Branch and DC
• Gradual migration from Physical to Virtual
• Multi-tenancy support

2. vPath-integrated
• Re-direction using vPath @VM level
• Elastic provisioning
• Multi-tenancy support

Nexus 1000V
• Distributed switch
• NX-OS consistency

VSG
• VM-level controls
• Zone-based FW

ASA 1000V
• Edge firewall, VPN
• Protocol Inspection

vWAAS
• WAN optimization
• Application traffic

CSR 1000V (Cloud Router)
• WAN L3 gateway
• Routing and VPN

Multi-Hypervisor

[Figure: Physical Infrastructure (WAN Router, Switches, Servers) alongside the Virtualized/Cloud Data Center, where Tenant A's Zone A and Zone B sit behind an ASA 1000V on Nexus 1000V with vPath, VSG, vWAAS and VXLAN]

CSR 1000V: can be deployed by Enterprises or Cloud Providers

[Figure: Enterprise A and Enterprise B branches (ISR) and DC (ASR) connect over MPLS and the Internet to the Cloud Provider's Data Center, where a CSR 1000V and an ASA 1000V front each tenant (Tenant A, Tenant B) across the Physical Infrastructure (WAN Router, Switches, Servers) and the Virtual Infrastructure]

Enterprise Use Cases
• Secure VPN Gateway
• L3 Extension
• Tenant Firewall

Cloud Provider Use Cases
• Secure VPN Gateway
• MPLS Extension
• Tenant Firewall