Simplify, scale, and extend cloud networking with cisco nexus 1000 v

Simplify, Scale, and Extend Cloud Networking with

Cisco Nexus 1000V

Han Yang, Cisco Systems, Inc

PHC6409

#PHC6409

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Agenda

Unified Fabric Integrating Physical and Virtual Networking

Introduction to Cisco Virtual Machine Networking

Simplify, Scale, and Extend VXLAN

Virtualized Network Services with Cisco vPath

Secure Hybrid Cloud with Nexus 1000V InterCloud

Physical and Virtual Infrastructure Orchestration

Summary


Architect Design Where

Can We

Put It?

Procure Install Configure Secure Is It

Ready?

Manual

From Weeks to Automated

Self-Service Provisioning

• Faster application deployment is being demanded

• Deploying applications requires acquiring and configuring physical and

virtual infrastructures

• Need Network Agility with best in class network service and SLA


VIRTUAL

PHYSICAL CLOUD

Consistency, Reduce Risk, Rapid Deployment

Consistent Nexus Experience

Intra-tenant

Security

Inter-tenant

Security

Application

Acceleration

Routing and

Gateways

Web-app

Firewall

Load

Balancer


CLOUD NETWORK SERVICES

WAN

Router Switches

Servers

ASA 1000V

Cloud Firewall

PHYSICAL INFRASTRUCTURE

Cisco Virtual

Security

Gateway

vWAAS

Multi-Hypervisor (VMware, Microsoft, KVM* Xen*)

Nexus 1000V vPath Enhanced VXLAN

Nexus 1000V

• Distributed switch

• NX-OS consistency

VSG

• VM-level controls

• Zone- based FW

ASA 1000V

• Edge firewall, VPN

• Protocol Inspection

vWAAS

• WAN optimization

• Application traffic

CSR 1000V (Cloud Router)

• WAN L3 gateway

• Routing and VPN

Ecosystem Services

• Citrix NetScaler VPX virtual ADC

• Imperva Web App. Firewall

Cloud

Services

Router

1000V

Imperva

SecureSphere

WAF Citrix

NetScaler

1000V

Network

Analysis

Module

(vNAM)

Full Portfolio of Best in Class Virtualized Network Service

*KVM in beta, Xen prototype


Across Hypervisors and Orchestration Tools

Physical Network

vSphere Hyper-V XenServer

Unified Fabric (Nexus 2000 – 7000)

UCS Computing Platform

Hypervisor KVM

vCloud Director/ Automation

Center

System Center

Citrix CloudPlatform

Cloud Portal

and Orchestration

Storage Platform

CIAC/ OpenStack/

Partners

Virtual Network

Infrastructure

L4-7

L2-3

vPath

Nexus 1000V

Cloud Network Services WAAS NAM ASA 1000V NetScaler Partners VSG


Nexus 1010/1110 Virtual Appliance

vWAAS VSG VSM

NAM VSG

Primary

Secondary

VSM

VSM: Virtual Supervisor Module

VEM: Virtual Ethernet Module

vPath: Virtual Service Data-path

VXLAN: Scalable Segmentation

VSG: Virtual Security Gateway

vWAAS: Virtual WAAS

ASA 1000V: Tenant-edge security

Virtual Service Blades Virtual Supervisor Module (VSM)

Network Analysis Module (NAM)

Virtual Security Gateway (VSG)

Data Center Network Manager (DCNM)

VEM-2

Win Server 2012

vPath VXLAN

ASA 1000V

NAM VSG VSM

L3 C

on

nec

tivit

y

VEM-3

Open Source Hyp

vPath VXLAN

VEM-1

VMware ESX

vPath VXLAN


Nexus 1000V Advanced Edition Nexus 1000V Essential Edition

Freemium Pricing Model Offers Flexibility for Customers to Deploy Cisco Virtual Data Center

No-Cost Version $695 per CPU MSRP

The world’s most advanced

virtual switch

• Full Layer-2 Feature Set

• Security, QoS Policies

• VXLAN virtual overlays

• Full monitoring and management

capabilities

• vPath enabled Virtual Services

Adds Cisco value-add features for

DC and Cloud

• All Feature of Essential Edition

• VSG firewall bundled (previously

sold separately)

• VXLAN to VLAN Gateway

• Support for Cisco TrustSec SGA

policies

• Platform for other Cisco DC

Extensions in the Future


N1KV Release 2.x N1KV Release 1.X

Free Upgrade to Advanced Edition

N1KV Licenses

Bought and Deployed

N1KV—Advanced Edition:

No Cost

Use Existing Licenses

VSG License*:

No Cost

Existing Cisco TAC Support

Contract Will Include Cisco

VSG Support

*Contact Cisco Representative

for Free VSG licenses

Free

Upgrade to

Release 2.x

Advanced

+

Cisco Confidential 10 © 2013 Cisco and/or its affiliates. All rights reserved.


VM VM VM VM VM

Add More Pods to Scale

VM VM

Utilize All Links in

Port Channel with UDP

Logical Network Spanning

Across Layer 3


• Ethernet in IP overlay network

Entire L2 frame encapsulated in UDP

50 bytes of overhead

• Include 24 bit VXLAN Identifier

16 M logical networks

Mapped into local bridge domains

• VXLAN can cross Layer 3

• Tunnel between VEMs

VMs do NOT see VXLAN ID

• IP multicast used for L2 broadcast/multicast, unknown unicast

• Technology submitted to IETF for standardization

With VMware, Citrix, Red Hat, and others

UDP Port 4789 assigned to VXLAN

Outer

MAC

DA

Outer

MAC

SA

Outer

802.1Q

Outer

IP DA

Outer

IP SA

Outer

UDP

VXLAN

ID (24

bits)

Inner

MAC

DA

Inner

MAC

SA

Optional

Inner

802.1Q

Original

Ethernet

Payload

CRC

VXLAN Encapsulation

Ethernet Frame


VEM 1 VEM 2

Forwarding mechanisms similar to Layer 2 bridge: Flood & Learn

VEM learns VM’s Source (MAC, Host VXLAN IP) tuple

Broadcast, Multicast, and Unknown Unicast Traffic

VM broadcast & unknown unicast traffic are sent as multicast

Unicast Traffic

Unicast packets are encapsulated and sent directly (not via multicast) to destination host VXLAN IP (Destination VEM)

VM VM VM VM


No Multicast Needed

SHIPPING

VM VM VM VM VM VM

Broadcast / unknown

unicast

VEM performs replication and encapsulation


Unknown Unicast Flood Prevented

SHIPPING

VEM IP / MAC Table

5000 [a.a.a]

VXLAN IP/MAC

VEM IP / MAC Table

5000

VXLAN IP/MAC

VSM IP / MAC Table

5000

VXLAN IP/MAC

Nexus® 1000V VSM

Data Center

Network

10.10.10.10

VM 1

[a.a.a]

VM 2

[b.b.b]

VM 3

[c.c.c]

VM 4

[d.d.d]

20.20.20.20

[b.b.b]

[c.c.c]

[d.d.d]

[a.a.a]

[b.b.b]

[c.c.c]

[d.d.d]

[a.a.a]

[b.b.b]

[c.c.c]

[d.d.d]

VSM learns VXLAN / MAC

VSM distributes

VXLAN / MAC

VM (M)

Send unicast to MAC X

Malicious VM in

VXLAN 5000

MAC X not found in table.

Packet Dropped.


VSM IP / MAC Table

5000 [192.1.1.1, a.a.a]

VXLAN IP/MAC

[192.1.1.1, b.b.b]

[192.1.1.1, c.c.c]

PREVIEW

No ARP Broadcast

VEM IP / MAC Table

5000 [192.1.1.1, a.a.a]

VXLAN IP/MAC

Data Center

Network

10.10.10.10

VM 1

[192.1.1.1, a.a.a]

20.20.20.20

In this mode VEM learns

VXLAN / IP / MAC

[192.1.1.1, b.b.b]

[192.1.1.1, c.c.c]

VEM IP / MAC Table

5000 [192.1.1.1, a.a.a]

VXLAN IP/MAC

[192.1.1.1, b.b.b]

[192.1.1.1, c.c.c]

VM 2

[192.1.1.1, b.b.b]

VM 3

[192.1.1.1, c.c.c]

VSM distributes

VXLAN / MAC

VM 3 ARP request for 192.1.1.1

192.1.1.1 found in

VXLAN 5000 VEM ARP reply with

VM1’s MAC a.a.a

Nexus® 1000V VSM

VSM learns

VXLAN / IP / MAC


VXLAN

(multicast

mode)

Enhanced

VXLAN

(unicast mode)

Enhanced

VXLAN

MAC

Distribution

Enhanced

VXLAN

ARP

Termination

Broadcast /

Multicast

Multicast

Encapsulation

Replication

plus

Unicast Encap

Replication

plus

Unicast Encap

Replication

plus

Unicast Encap

Unknown

Unicast

Multicast

Encapsulation

Replication

plus

Unicast Encap

Drop Drop

Known Unicast Unicast

Encapsulation Unicast Encap Unicast Encap Unicast Encap

ARP Multicast

Encapsulation

Replication

plus

Unicast Encap

Replication

plus

Unicast Encap

VEM ARP

Reply

VXLAN Mode

Packet


VM Data Center

Network

Physical Firewall

Bare Metal Servers

Router

Gateway

Gateway

Gateway

Overlay: Instant Provisioning

• Overlay needs gateway to access physical network

• Physical network to support overlay traffic pattern

Overlay

WAN


VXLAN to

VLAN

Gateway

VXLAN to

VLAN

Gateway

Hosted on local hypervisor as virtual machine connected to Virtual Ethernet Module

Managed as a module from VSM

Active/Standby VXLAN Gateway

Integrated with OpenStack

Scale: 4 VXLAN Gateway per VSM 2k Active VXLAN 2k Active VLAN

SHIPPING


L2 Domain C L2 Domain B L2 Domain A

LAYER 3

Web

VM

VXLAN

Gateway VXLAN

Gateway

VXLAN

Gateway VXLAN

Gateway Bare Metal

DB Server

VXLAN 5500

ASA

5500

VLAN 100

VLAN 200

L2 Domain A L2 Domain B L2 Domain C



Nexus 1000V (Dist. Virtual Switch)

VSG (Zone-based FW)

ASA 1000V (Cloud FW)

vWAAS (WAN Optimization)

CSR 1000V (Cloud Router)

vNAM (Network Analytics)

Partner Services

• Distributed switch • NX-OS

consistency

• VM-level controls • Zone-based FW

• Edge firewall, VPN

• Protocol Inspection

• WAN optimization • Application traffic

• WAN L3 gateway • Routing and VPN

• App Visibility (L2-L7)

• Overlay Intelligence (OTV, VXLAN, FP**)

• Citrix NetScaler 1000V virtual ADC

• Imperva Web App. FW

Nexus 1000V

vPath

Any Hypervisor

VM VM VM

• A complete Layer 4 through 7 virtual service portfolio

• Best-in-class service insertion technology with vPath

• Built for all major hypervisor platforms

Cisco Cloud Network Services (CNS)

Citrix

NetScaler

1000V

Prime virtual

NAM

Imperva

SecureSphere

WAF

Virtual

Security

Gateway

ASA

1000V

Virtual

WAAS

CloudServices

Router 1000V


10G and

SSL Ready

VSM = Virtual Supervisor Module

DCNM = Data Center Mgt. Center * 2H CY13

Nexus 1000V

vPath

Any Hypervisor

VM VM VM

• Dedicated Cloud Services appliance

• Flexible, on-demand allocation of resources

• Allows policy management by network teams


Citrix

NetScaler

1000V

Prime virtual

NAM

Imperva

SecureSphere

WAF

Virtual

Security

Gateway

Nexus 1110 Cloud Services Platform

VSM VSM DCNM*


VSM = Virtual Supervisor Module

DCNM = Data Center Mgt. Center * 2H CY13

Nexus 1000V

vPath

Any Hypervisor

VM VM VM

• Citrix Best-in-Class virtual application delivery

controller (vADC)

• Sold and supported by Cisco (Q3)

• Integrated with Nexus 1100, vPath


Citrix

NetScaler

1000V

Prime virtual

NAM

Imperva

SecureSphere

WAF

Virtual

Security

Gateway

Nexus 1110 Cloud Services Platform

VSM VSM DCNM*

Citrix

NetScaler

1000V


Virtualized/Cloud Data Center

Application Services

Nexus 1000V

VSG

Tenant-A

Tenant-B

Tenant-C

Application Services

INSTRUMENTATION FLEXIBILITY Increased Agility

ANALYTICS Optimized Network Resources

PROGRAMMABILITY Enhanced Operational Efficiency

AWARENESS Improved Application Performance

Maintain Consistency Across Physical and Virtual Environments

OS

APP

Virtual

NAM OS

APP

OS

APP

OS

APP

OS

APP

Virtual Network Analysis Module (vNAM)— Track Workload Performance and Resource Usage


• Stops Web attacks that lead to compromise and downtime

• Easy to deploy and manage via N1110

Integrated with Cisco Cloud Services Portfolio

SecureSphere WAF

on Cisco Nexus 1110

HTTP

HTTPS

SQL Injection

XSS

Site Scraping

Web Fraud

Web Servers

Most Widely Deployed WAF in the World

Firewall Internet Hacker

and Bots


Intelligent Policy-based Traffic Steering Through Multiple Network Services

DB Tier

VM

VM VM

Web Tier

OS

OS OS

APP

APP APP

Client Initiates Flow to Web Server (VIP as Server IP)

Client › LB-VIP 1

1

NS1000V load balance web request, selects Web Server 1 (Client › S1) 2

2

Based on policy, vPath redirect traffic to service chain, starting with zone-based firewall, VSG

3

3

Traffic returns to Virtual Ethernet Module ready for next network service 4

4

WAF inspects packets for web attacks; prevents attack and generate alerts

5

5

vPath Forwards packet to Web Server VM 6

6

Cisco

vPath

7

8

Cisco

vPath

Policy-Based Service Chaining Through Multiple Network Services Database tier security policy 7 Sent to database 8


• Service chaining with vPath and non-vPath network services

• Virtual and physical network services

• Any network service can now be distributed, not just firewalls

• Submitted to IETF for standardization*

• Supporting Multiple hypervisors

Any Hypervisor

VM

vPath

vPath

Virtualized Network Service

Non vPath

Virtualized Network Service

vPath

Physical Network Service

Non vPath

Physical Network Service

Nexus 1000V

vPath

*http://tools.ietf.org/html/draft-quinn-nsh-00

http://tools.ietf.org/html/draft-quinn-nsh-00









Enterprise

Use Cases

• Secure

multipoint VPN

Gateway

• L3 Extension

• VXLAN

Gateway

Cloud Provider

Use Cases

• Secure VPN

Gateway

• MPLS Extension

Enterprise A

DC

ASR Branch

ISR

Servers

Virtual Infrastructure

Cloud Provider’s Data Center

Can be Deployed by Enterprises or Cloud Providers

Tenant A

Tenant B

CSR

1000V

CSR

1000V

Physical Infrastructure

Switches WAN

Router

Internet

MPLS

Branch

ISR

Enterprise B



Complex Use,

Lack of Visibility

and Flexibility

Security: Workload Security,

Connection Security

Transparent

Migration Between

On-Prem and

Cloud

Reinventing It –

New Techniques

for Every Cloud

VM

VM

Enterprise Data Center Public Cloud

Hybrid Cloud

VPC

VM

VM


Program

Unique

APIs

Convert

Image Format

Reconfigure

Application

Insert Custom

Tools

Recreate

Services

Validate

Operations Onboard

New Monitoring

Use Cloud

Provisioning

Identify New

Security

Translate

Policies

Enterprise Apps and Network Services—on the Public Cloud

Enterprise Cloud

VM VM VM VM

Provider Cloud

Nexus 1000V InterCloud

VM VM VM VM L2 Services

Routing

Optimization

Firewalls IDS

ENTERPRISE VISIBILITY

ENTERPRISE CONTROL

ENTERPRISE SECURITY

PROVIDER RESOURCES

PROVIDER EASE OF BUSINESS

PROVIDER VALUE

Centralized

VM Migration and

Management


Enterprise Apps and Network Services—on the Public Cloud

Program

Unique

APIs

Convert

Image Format

Reconfigure

Application

Insert Custom

Tools

Recreate

Services

Validate

Operations Onboard

New Monitoring

Use Cloud

Provisioning

Identify New

Security

Translate

Policies

Enterprise Cloud

VM VM VM VM

Provider Cloud

Nexus 1000V InterCloud

VM VM VM VM L2 Services

Routing

Optimization

Firewalls IDS Centralized

VM Migration and

Management

• All data in motion is cryptographically isolated and encrypted:

Enterprise to Cloud and VM to VM within Cloud

• Enterprise owns the keys


Private

Cloud

Policy manager

Resource manager

Service registry

VM Manager

Cloud Provider Manager

Cisco Prime Network Services Controller

(Management Layer)

(Integration via Northbound API)

(Workloads moved via InterCloud)

Cisco Intelligent Automation for Cloud

Cisco Cloud Portal

Orchestrator manages

workflow across multiple

cloud environments

User requests cloud

services via end-user portal

Cisco Process Orchestrator

InterCloud + Cisco Intelligent Automation for Cloud

Nexus 1000V (Platform Layer) VM

VM

VM N1KV switching

firewall, routing

crypto secure

Tenant B



Bundled Functions are Modular and

Simplified for Scale and Automation

Virtual

Fabrics

Optimized

Network

Fabric

Management

Workload

Automation

Innovative Building Blocks


Virtual

Machines

N1K

Auto-config Triggers

VDP

DHCP/ARP-ND

Data Packet Driven

Programmatic

Orchestration Stack

Network and Services

Orchestration

Compute and Storage

Orchestration

Cisco Prime DCNM

Physical

Machines


Cisco Prime DCNM

Configuration

Profiles

OpenStack

vCloud Director

Cisco N1kV DVS

1

a

a

2

b

Create Tenant

Network Communicate

Tenant Network

to Fabric

New VM gets

created in Red

Network Instantiates

Red network

Tenant

Network

a b 2 1

Vrf x

Interface

bdi

b

Network

Services

Security Storage

(Future)

Compute

(Future)

Network

Infra

stru

ctu

re E

lem

en

ts

UNIFIED API - UNIFIED INFORMATION MODEL (RESTFUL XML/JSON API)

Open APIs, Open Source, Open Standards

COMMON POLICY DRIVEN OPERATIONAL MODEL

Hypervisor Network Services

ASA

Network Management, Automation, Orchestration

Efficiency Scale Optimization Telemetry Application

Awareness

Nexus 1000V Fits within Application Centric Infrastructure



Blade Server Managers Storage APIs Network API/CLI SCVMM vCenter RM

Physical Infrastructure Virtual Infrastructure

API to Cisco UCSM

Enterprise Systems Integration

LDAP, CMDB,

Metering DB • Single, unified product

built from the ground up

• Modular architecture

• Extensibility through APIs

• Deployed as an on-

premise virtual

appliance(s)

Cloupia Network Services

Agent

Virtual

Infrastructure

Management

Provides: • Policy-driven

• Self-service infrastructure

• Lifecycle management Cisco Cloupia

Multi-tenant Infrastructure Management Platform

Mobile

Platform

IT Admins IT Operations End Users

Cloupia Provides Unified, Centralized Management of Physical and Virtualization Infrastructure in Private and Hybrid Clouds

VMware Hyper-V KVM

Other

Providers

Savvis VPDC,

Terremark

Amazon, Entel,

Rackspace

Self Service Catalog

Admin Console

Dashboard

Cisco UCS Cisco Nexus


VM VM VM VM

Nexus 1000V VEM

VMware

Nexus 1000V VSM

VM VM VM VM

Nexus 1000V VEM

VMware

SSH

• Install BareMetal ESXi

• Download and Install VEM using

Cloupia Script

• Configure/Un-Configure Port-Profiles,

VLAN, ACL, VXLAN vCenter Server

Server

UCS Director Integrated Multi-tenant Cloud Platform

CNSA

Server


• Single-click

provisioning

• Intelligent resource

allocation

• Automated,

controlled delivery

End-to-End Operations and Provisioning

Result: Improved time to market

Minutes


Accelerating Application Deployment Requires Physical, Virtual, and Cloud Infrastructure Automation

Cisco Provides Consistent Layer 2-7 Networking for Physical,

Virtual, and Cloud Deployments: Design Once, Run Everywhere

vPath 3 for Standardized Service Chaining for

Virtual and Physical Network Services

Orchestration Tool of Your Choice: vCD, SCVMM,

OpenStack, CloudStack, UCS Director, and More

Supports Multiple Hypervisors: vSphere, Hyper-V, KVM

Single Network for Physical, Virtual, and Cloud—

Consistent Operational Model and Troubleshooting, especially with ACI

Thank you.

46

Other VMware Activities Related to This Session

HOL:

HOL-PRT-1305

Cisco - Enhanced VXLAN Networking in vCloud Director

Group Discussions:

PHC1001-GD

vCHS Networking with Greg Herzog

PHC6409

THANK YOU

Simplify, Scale, and Extend Cloud Networking with

Cisco Nexus 1000V

Han Yang, Cisco Systems, Inc

PHC6409

#PHC6409

Date post:	15-May-2015
Category:	Technology
Upload:	cisco-data-center-sdn
View:	1,847 times
Download:	5 times