ASBIS: Virtualization Aware Networking - Cisco Nexus 1000V
  • Bullet 1: vMotion moves VMs across physical ports, so the network policy must follow. From a network perspective, one would like a security policy that is attached to the virtual machine and moves with it. Unfortunately, today's tools only allow network policy to be attached to the physical server. In fact, VMware has a tool called DRS (Distributed Resource Scheduler) that automatically migrates VMs depending on CPU and memory load, so a VM can change hosts at any time of day, and network administrators still need to know what the VMs are doing. What they really need is a mobile security policy attached to the VM.
    Bullet 2: Impossible to view or apply network policy to locally switched traffic. The second issue with server virtualization is the virtual switch inside the hypervisor that switches packets between virtual machines. It is actually fairly difficult to see which VM is talking to which other VM inside the server. Customers are demanding troubleshooting and debugging capabilities inside the server.
    Bullet 3: Need collaboration between network and server admin. Ownership of the virtual switch is muddled. Today, server admins manage the virtual switch, and they need constant communication with their network administrator to configure it. On one hand, server admins want their network team to configure the virtual network. On the other hand, network admins are demanding network tools to configure the virtual switch, and they want visibility down to the virtual machine.
    Nexus 1000V overcomes these three server virtualization issues and accelerates data center virtualization.
  • How will the Nexus 1000V allow me to virtualize 30% more of my data center?... Mileage may vary; 30% is conservative. Many customers are seeking to virtualize in excess of 60% of their data center. Operational readiness assessments across a variety of VMware customers have shown that network hurdles are among the most difficult challenges in virtualizing more servers. That is where the Nexus 1000V comes in: it increases the rate of server virtualization and lets companies realize the benefits of more server virtualization right away.
    Virtualize 30% more applications:
    DMZ applications can be virtualized with the help of private VLAN isolation and security policy enforcement with ACLs.
    Regulatory applications can be virtualized with NetFlow, ERSPAN and port statistics that persist after vMotion.
    Tier-1 applications can be virtualized with increased visibility and I/O optimization with LACP and vPC host mode.
    How will the Nexus 1000V allow me to spend 30% less time maintaining my virtual network?...
  • How will the Nexus 1000V allow me to spend 30% less time maintaining my virtual network?... Example: in a 3-server cluster a typical change request takes 30 minutes per server, or 1.5 hours in total. With the 1000V the same change takes 1 hour for all 3 servers. That is a reduction of one third in the hours needed to manage the virtual network (the study rounds this to 30%), and the saving grows with the cluster, because the change is made once per switch domain rather than once per host. Let's try it out for ourselves:
    With a distributed switch, network change requests take 1 hour per domain rather than 30 minutes per server (for 3 servers that is 30% fewer hours per year).
    With Nexus 1000V, regulatory and organizational audits take 20 minutes per server rather than 1 hour.
    With Nexus 1000V, the server admin can offload network configuration to the network admin; this division of labor increases productivity.
  • Accelerate and simplify deployment of new ESX hosts. The network admin provisions physical switch trunks and ESX host PNICs in a uniform and consistent way, taking care of both sides of the physical connection. The virtualization admin 1) plugs in a new ESX host, 2) assigns the PNICs to the Cisco vNetwork Distributed Switch in vCenter, 3) the ESX PNIC configuration (including vMotion and Console) is automatically assigned and enabled, and 4) the ESX host is ready for VMs. Ensure proper connectivity and networking safeguards are in place: the virtualization admin uses the existing workflow (vCenter and Port Groups) to assign VNIC policy, and the network admin is responsible for ensuring that Port Groups provide the proper VLAN access and data center network security policy. Cisco Nexus 1000V extends VM networking to include IP/port security rules, multi-host PVLAN, flow statistics and quality of service.
  • VM workflow doesn't change: the virtualization administrator continues to use vCenter for VM creation, maintenance and monitoring. ESX vSwitch configuration and management responsibility is offloaded: the vSwitch and Port Groups are now provisioned along with the physical network infrastructure, ensuring consistency; the virtualization administrator subscribes VMs to the available Port Groups and the vSwitch is dynamically provisioned. Equip data center operations teams to respond to application issues: by extending the data center network operations model and troubleshooting toolkit down to the virtualization infrastructure, customers can use their physical-world tools and diagnostic procedures for VM-based applications, one consistent model for the whole data center.
  • 1000V overcomes the network hurdles to virtualizing tier-1, regulatory and DMZ applications. 1000V makes ESX deployment faster, "one and done". 1000V offloads network workflow to the network admin. The three largest hurdles to server virtualization (once the low-hanging fruit has been virtualized) are highly secure DMZ applications, high-risk regulatory applications and high-uptime Tier-1 applications. These applications are hard to virtualize without the 1000V's VM-level visibility and port-profile security.
  • 1000V overcomes the hurdles to virtualizing DMZ, high-bandwidth and highly secure applications. 1000V standardizes the workflow for virtual and physical networks. 1000V gives visibility into VM traffic.
  • -- slide 4 -- [Nexus: An Unmatched Rate of Innovation] Soni and Rajiv, I think we would all clearly agree that not only has Cisco delivered a number of high-impact announcements in the last year, there has been major technology innovation in these announcements. In quick review: we first introduced the Cisco Nexus 7000 in January at Cisco Live in Barcelona. This device formed the basis of a new product category, the data center class switch, that fundamentally reinvented and elevated what a switch must do in a core data center role. At the same time, we introduced NX-OS, a unified OS for the data center that drew on the legacy of all we had learned with IOS and SAN-OS and combined them. At our partner conference in April, with the introduction of the Nexus 5000, we delivered both Data Center Ethernet (lossless 10 Gb transport for this next-generation data center) and FCoE, which provides the unified transport of both LAN and FC. There was also the very important news about a series of ecosystem partners and their announcements, so crucial to making this effort a success. Finally, at the recent VMworld we revolutionized virtual machine networking with the introduction of the Nexus 1000V; our theme there was the virtual-machine-aware network, storage and unified fabric, given that the virtual machine is the new data center atomic unit.
  • The NAM Virtual Blade on the Nexus 1010 appliance is the first step of a multi-phased NAM product strategy to address virtualization challenges. It differentiates the Nexus 1000V through an integrated solution for performance monitoring and operational manageability.
  • Can I evaluate the Nexus 1000V?... Yes, for 60 days. Special promotion: $795 for a bundled upgrade of both vSphere and Nexus 1000V. Want to learn more about the Nexus 1000V?...
  • Transcript

    • 1. Nexus 1000V Switch, Nexus 1010 Appliance. Martin Vozár, [email_address], Consultant
    • 2.
      • Cisco Nexus 1000V
    • 3. Server Virtualization Issues 1: vMotion Moves VMs Across Physical Ports, and the Network Policy Should Follow
    • 4. Server Virtualization Issues 2: Impossible to View or Apply Network Policy to Locally Switched Traffic
    • 5. Server Virtualization Issues 3: Need Shared Nomenclature Between Network Admin and Server Admin (diagram: VMware vCenter on the server side, Switch Supervisor Interface on the network side)
    • 6. Key Findings of the 1000V ROI Study: Virtualize 30% More Apps with 1000V; Spend 30% Fewer Hours Running the vNetwork with 1000V
    • 7. Virtualize 30% More Applications
      • Virtualize general compute with a consistent policy workflow from physical to virtual
      • Virtualize DMZ’s with VLAN isolation, and security policy enforcement with ACL
      • Virtualize PCI, SOX, HIPAA applications with Netflow, ERSPAN, and port statistics
      • Virtualize Tier-1 applications with LACP, vPC host mode
      • Virtualize VDI with DHCP Snooping, Port Security, Dynamic ARP Inspection
      (diagram: port profiles DMZ and High Density applied to a set of VMs)
    • 8. Spend 30% Fewer Hours per Year on the vNetwork: Fewer Hours "Keeping the Lights On" Means More Hours "Innovating"
    • 9. Cisco Nexus 1000V
      • Industry’s most advanced software switch for VMware vSphere
      • Built on Cisco NX-OS
      • Compatible with all switches
      • Compatible with all servers on the VMware Hardware Compatibility List
      • Winner of VMWorld Best in Show 2008 and Cisco Most Innovative Product of 2009
      (diagram: 1000V VEM inside the vSphere server carrying the VMs, 1000V VSM, physical switches)
    • 10. Policy-Based VM Connectivity; Mobility of Network and Security Properties; Non-Disruptive Operational Model (diagram: one Nexus 1000V VSM managing the Nexus 1000V VEM in each of two vSphere servers behind the physical switches, with VMware vCenter)
    • 11. Policy-Based VM Connectivity (diagram: the Nexus 1000V VSM publishes port profiles WEB Apps, HR, DB and DMZ to the Nexus 1000V VEM on each vSphere server; VMware vCenter applies them to VMs)
      • VM Connection Policy
      • Defined in the network
      • Applied in Virtual Center
      • Linked to VM UUID
    • 12. Mobility of Network and Security Properties (diagram: a VM moving between two vSphere servers, each with a Nexus 1000V VEM, under one Nexus 1000V VSM and VMware vCenter)
      • VMs Need to Move
      • VMotion
      • DRS
      • SW Upgrade/Patch
      • Hardware Failure
      • Property Mobility
      • VMotion for the network
      • Ensures VM security
      • Maintains connection state
    • 13. Non-Disruptive Operational Model (diagram: Nexus 1000V VSM and the VEMs on two vSphere servers, physical switches, VMware vCenter)
      • VI Admin Benefits
      • Maintains existing VM mgmt
      • Reduces deployment time
      • Improves scalability
      • Reduces operational workload
      • Enables VM-level visibility
      • Network Admin Benefits
      • Unifies network mgmt and ops
      • Improves operational security
      • Enhances VM network features
      • Ensures policy persistence
      • Enables VM-level visibility
    • 14. Nexus 1000V Architecture (diagram: Nexus 1000V VEM in each vSphere server, Nexus 1000V VSM, physical switches, VMware vCenter)
      • Installation
      • ESX and ESXi
      • VUM and Manual Installation
      • VEM is installed/upgraded like any ESX patch
    • 15. Benefits for the Server Admin
      • Offloads setup and daily vSwitch tasks to the network team
      • Provides a common nomenclature for network and server teams to discuss network policy – the port profile
      “1000V has a lot more functionality than our own virtual switch” – Steve Herrod, VMware CTO
    • 16. Port Profile: Server Admin View
    • 17. Benefits for the Network Admin
      • Enables visibility and troubleshooting of VM traffic
      • Standardizes workflow for virtual and physical networks
      • Overcomes the hurdles to virtualizing high-bandwidth, highly secure applications (e.g. DMZ, regulatory, tier-1)
      (diagram: before 1000V vs. after 1000V) “1000V overcomes the biggest network hurdles to virtualization” – Ed Bugnion, Cisco CTO
    • 18. Port Profile: Network Admin View
      • Support Commands Include:
      • Port management
      • VLAN
      • PVLAN
      • Port-channel
      • ACL
      • Netflow
      • Port Security
      • QoS
    • 19. Features of the Nexus 1000V Switching
      • L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX)
      • IGMP Snooping, QoS Marking (COS & DSCP)
      Security
      • Policy Mobility, Private VLANs w/ local PVLAN Enforcement
      • Access Control Lists (L2–4 w/ Redirect), Port Security
      Provisioning
      • Automated vSwitch Config, Port Profiles, Virtual Center Integration
      • Optimized NIC Teaming with Virtual Port Channel – Host Mode
      Visibility
      • ERSPAN, NetFlow v.9 w/ NDE, CDP v.2
      • VM-Level Interface Statistics
      Management
      • Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks
      • Cisco CLI, RADIUS, TACACS+, Syslog, SNMP (v1, v2, v3)
      VDI
      • DHCP Snooping, Dynamic ARP Inspection, Port Security
      • Virtual Service Domains
    • 20. Cisco Integrated Security Features
      • Secure Virtual Desktops Like Campus Networks
      Feature                | Capability                                                        | Prevents
      Port Security          | Restricts the MAC addresses allowed on a port                     | Rogue VM spoofing a MAC address
      IP Source Guard        | Maps IP address to MAC address                                    | IP/MAC spoofing
      DHCP Snooping          | Monitors DHCP transactions                                        | Rogue DHCP server
      Dynamic ARP Inspection | Monitors ARP transactions (ARP maps IP address to MAC); used in VMotion | ARP attacks
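The four safeguards in this table only make sense together: DHCP snooping builds the MAC/IP/port binding table, and IP Source Guard, Dynamic ARP Inspection and Port Security enforce against it. As an added example (not from the slides and not Cisco's code), the Python below models that interaction on a single VLAN: a legitimate VM obtains a lease through a trusted uplink, and a second VM then tries to act as a DHCP server, poison ARP, spoof the first VM's MAC and source the first VM's IP. Port names, MAC and IP addresses and the traffic sequence are constructed for illustration.

```python
"""Model of DHCP snooping, Dynamic ARP Inspection (DAI), IP Source Guard (IPSG)
and Port Security as they interact on one virtual switch.  Constructed example;
not Nexus 1000V code."""
from dataclasses import dataclass, field


@dataclass
class Binding:
    mac: str
    ip: str
    port: str
    vlan: int


@dataclass
class VSwitch:
    trusted: set                      # uplink ports where a real DHCP server may answer
    max_macs: int = 1                 # port-security maximum MACs per VM port
    bindings: dict = field(default_factory=dict)   # client MAC -> Binding (the snooping table)
    pending: dict = field(default_factory=dict)    # client MAC -> (port, vlan) awaiting an ACK
    macs: dict = field(default_factory=dict)       # port -> set of MACs learned on it
    log: list = field(default_factory=list)        # one line per dropped frame

    def _drop(self, why):
        self.log.append(why)
        return False

    def port_security(self, port, src_mac):
        """Restrict the MACs a VM port may source (stops a rogue VM spoofing a MAC)."""
        if port in self.trusted:
            return True
        seen = self.macs.setdefault(port, set())
        if src_mac not in seen and len(seen) >= self.max_macs:
            return self._drop(f"port-security {port}: {src_mac} exceeds maximum {self.max_macs}")
        seen.add(src_mac)
        return True

    def dhcp(self, port, vlan, src_mac, msg, client_mac, yiaddr=None):
        """DHCP snooping: remember which port a client asked on, accept server
        messages only from trusted ports, and turn a completed ACK into a binding."""
        if not self.port_security(port, src_mac):
            return False
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[client_mac] = (port, vlan)
            return True
        if port not in self.trusted:              # OFFER/ACK sourced by a VM port
            return self._drop(f"dhcp-snooping {port}: rogue DHCP server {src_mac}")
        if msg == "ACK" and client_mac in self.pending:
            cport, cvlan = self.pending.pop(client_mac)
            self.bindings[client_mac] = Binding(client_mac, yiaddr, cport, cvlan)
        return True

    def arp(self, port, vlan, src_mac, sender_mac, sender_ip):
        """DAI: the sender MAC/IP inside the ARP body must match a binding learned
        on this very port and VLAN, and must agree with the frame's source MAC."""
        if not self.port_security(port, src_mac):
            return False
        if port in self.trusted:
            return True
        b = self.bindings.get(sender_mac)
        if b is None or (b.ip, b.port, b.vlan) != (sender_ip, port, vlan) or sender_mac != src_mac:
            return self._drop(f"arp-inspection {port}: {sender_mac}/{sender_ip} has no valid binding")
        return True

    def ip(self, port, vlan, src_mac, src_ip):
        """IPSG: an IP packet's source MAC/IP must match the binding on its port."""
        if not self.port_security(port, src_mac):
            return False
        if port in self.trusted:
            return True
        b = self.bindings.get(src_mac)
        if b is None or (b.ip, b.port, b.vlan) != (src_ip, port, vlan):
            return self._drop(f"ip-source-guard {port}: {src_mac}/{src_ip} not bound")
        return True


def demo():
    """Constructed traffic: a legitimate VM on Veth1, a rogue VM on Veth2 and a real
    DHCP server behind trusted uplink Eth3/1, all in VLAN 100."""
    sw = VSwitch(trusted={"Eth3/1"})
    good, rogue, server = "00:50:56:00:00:01", "00:50:56:00:00:02", "00:1b:21:aa:bb:cc"
    r = {}
    r["discover"] = sw.dhcp("Veth1", 100, good, "DISCOVER", good)
    r["offer"] = sw.dhcp("Eth3/1", 100, server, "OFFER", good, "10.0.100.11")
    r["ack"] = sw.dhcp("Eth3/1", 100, server, "ACK", good, "10.0.100.11")
    r["rogue_offer"] = sw.dhcp("Veth2", 100, rogue, "OFFER", good, "10.0.100.99")  # rogue server
    r["good_arp"] = sw.arp("Veth1", 100, good, good, "10.0.100.11")
    r["rogue_arp_claim"] = sw.arp("Veth2", 100, rogue, rogue, "10.0.100.11")   # ARP poisoning
    r["rogue_arp_spoof"] = sw.arp("Veth2", 100, good, good, "10.0.100.11")     # MAC spoof
    r["rogue_ip"] = sw.ip("Veth2", 100, rogue, "10.0.100.11")                  # IP spoof
    r["good_ip"] = sw.ip("Veth1", 100, good, "10.0.100.11")
    r["bindings"] = {m: (b.ip, b.port) for m, b in sw.bindings.items()}
    r["log"] = list(sw.log)
    return r


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The MAC spoof attempt never reaches DAI: port security already knows Veth2 as the rogue VM's port and refuses a second MAC, which is why the slide lists Port Security first. Real implementations also age bindings out with the DHCP lease and let the administrator add static bindings for VMs with fixed addresses; this model omits both.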
    • 21. Nexus Switch Family
      Products: Cisco Nexus 7000, Cisco Nexus 5000, Cisco Nexus 1000V, Cisco Nexus 1010, Cisco Nexus 2000 (diagram places them in core, access and server roles)
      Technology:
      • NX-OS: Unified OS for the data center
      • Unified Fabric: Lossless 10Gb transport for the next-generation DC
      • Fibre Channel over Ethernet (FCoE): Unified transport for LAN and FC
      • VN-Link: Virtual Machine Aware Network
      • RAB, DAL: High performance for HPC environments
      • 10GbE: Enhanced speed for growing demand
    • 22.
      • Cisco Nexus 1010
    • 23. What Is the Nexus 1010?
      • Allows network administrators to manage the Nexus 1000V Virtual Supervisor Module (VSM) as a standard Cisco switch, with all 1000V features
      • Physical appliance for virtual network services (VSM, NAM, etc.)
      • Supported by CiscoWorks LAN Management Solution (LMS)
      • The Nexus 1010 is a networking appliance to host four Nexus 1000V virtual supervisor modules (VSM)
      • Available April/May 2010
    • 24. Architecture Comparison
      VSM on Virtual Machine: one 1000V VSM runs as a VM on a vSphere server, alongside the Nexus 1000V VEM and the workload VMs, behind the physical switches.
      VSM on Nexus 1010: up to four 1000V VSMs run on the Cisco Nexus 1010 appliance; the vSphere servers carry only the VEM and the workload VMs.
    • 25. Benefits for Both Teams
      Server Admin: Offload VSM install/management to the network team; the VSM doesn't need VMware ESX licensing
      Network Admin: Install the VSM like a standard Cisco switch; prepare for VM sprawl with ample scalability (256 hosts per Nexus 1010 appliance)
    • 26. Feature Comparison
      VSM on Virtual Machine: Nexus 1000V features and scalability; VEM running on vSphere 4 Enterprise Plus; NX-OS high availability of the VSM; 64 hosts per VSM; pure software deployment
      VSM on Nexus 1010: Nexus 1000V features and scalability; VEM running on vSphere 4 Enterprise Plus; NX-OS high availability of the VSM; 64 hosts per VSM, 4 VSMs, 256 hosts in total; installation like a standard Cisco switch; network team manages the switch hardware; dedicated services appliance (NAM, etc.)
    • 27. Benefits of Cisco NAM on Nexus 1010
      • VM-level Interface Statistics (e.g. which VM uses most bandwidth?)
      • Application Response Time Analysis
      • Integrated with the 1010 for ease of deployment
      • Monitoring of VMs uninterrupted by vMotion operations
      (diagram: NetFlow and ERSPAN feeds from the Nexus 1000V into the NAM)
    • 28.
      • Comparison to vSwitch
    • 29. Switch Feature Comparison 1
      Columns: ESX 3.5 Standard vSwitch | ESX 4.0 vNetwork Standard Switch (U1) | ESX 4.0 vNetwork Distributed Switch (U1) | Cisco Nexus 1000V (U1)
      Switching Features
      Layer 2 Forwarding                       | Yes | Yes | Yes | Yes
      IEEE 802.1Q VLAN Tagging                 | Yes | Yes | Yes | Yes
      Multicast Support (IGMP v2 and v3)       | Yes | Yes | Yes | Yes
      IGMPv3 Snooping                          | -   | -   | -   | Yes
      VMware VMotion Support                   | Yes | Yes | Yes | Yes
      Network VMware VMotion (Network Policy)  | -   | -   | Yes | Yes
      Upstream Switch Connectivity
      Virtual MAC Pinning                      | Yes | Yes | Yes | Yes
      EtherChannel                             | Yes | Yes | Yes | Yes
      Virtual Port Channels                    | -   | -   | -   | Yes
      Link Aggregation Control Protocol (LACP) | -   | -   | -   | Yes
      Load Balancing Algorithms
      Virtual Switchport ID                    | Yes | Yes | Yes | Yes
      Source MAC                               | Yes | Yes | Yes | Yes
      Source and Destination IP                | Yes | Yes | Yes | Yes
      Source and Destination MAC               | -   | -   | -   | Yes
      Source and Destination Port IP           | -   | -   | -   | Yes
      Additional Hashing Options               | -   | -   | -   | Yes
    • 30. Switch Feature Comparison 2
      Columns: ESX 3.5 Standard vSwitch | ESX 4.0 vNetwork Standard Switch (U1) | ESX 4.0 vNetwork Distributed Switch (U1) | Cisco Nexus 1000V (U1)
      Traffic Management Features
      Tx Rate Limiting (from virtual machine)  | Yes | Yes | Yes | Yes
      Rx Rate Limiting (from virtual machine)  | -   | -   | Yes | Yes
      iSCSI Multipathing                       | -   | Yes | Yes | Yes
      QoS marking: Differentiated Services Code Point (DSCP) | - | - | - | Yes
      QoS marking: Type of Service             | -   | -   | -   | Yes
      QoS marking: Class of Service            | -   | -   | -   | Yes
      Security Features
      Port Security                            | Yes | Yes | Yes | Yes
      VMware VMSafe compatible                 | Yes | Yes | Yes | Yes
      Private VLANs (PVLANs)                   | -   | -   | Yes | Yes
      Local PVLAN enforcement                  | -   | -   | -   | Yes
      Access Control Lists (ACL)               | -   | -   | -   | Yes
      DHCP Snooping                            | -   | -   | -   | Yes
      IP Source Guard                          | -   | -   | -   | Yes
      Dynamic ARP Inspection                   | -   | -   | -   | Yes
      Virtual Service Domain                   | -   | -   | -   | Yes
    • 31. Switch Feature Comparison 3
      Columns: ESX 3.5 Standard vSwitch | ESX 4.0 vNetwork Standard Switch (U1) | ESX 4.0 vNetwork Distributed Switch (U1) | Cisco Nexus 1000V (U1)
      Management Features
      VMware vCenter Support                   | Yes | Yes | Yes | Yes
      Third Party Accessible APIs              | Yes | Yes | Yes | Yes
      Network Policy Groups                    | Yes | Yes | Yes | Yes
      VMware port mirroring (promiscuous)      | Yes | Yes | Yes | -
      Multi-Tier Policy Groups (inheritance)   | -   | -   | -   | Yes
      SPAN                                     | -   | -   | -   | Yes
      ERSPAN                                   | -   | -   | -   | Yes
      Netflow v9                               | -   | -   | -   | Yes
      SNMP v3 Read/Write                       | -   | -   | -   | Yes
      CDP v1/v2                                | Yes | Yes | Yes | Yes
      Syslog                                   | **  | **  | **  | Yes
      Packet Capture & Analysis                | -   | -   | -   | Yes
      Radius/TACACS+                           | -   | -   | -   | Yes
      Configuration and management console and interface | VI Client | VI Client | VI Client to VMware vCenter Server | VMware vCenter and Cisco CLI
      IPv6 for Management                      | Yes | Yes | Yes | Yes
      NX-OS XML API                            | -   | -   | -   | Yes
      ** Virtual switch network syslog information is exported and included with VMware ESX Server events.
    • 32.
      • More Info…
    • 33. More info…
      • http://www.cisco.com/go/1000vcommunity
    • 34. Evaluate
      • No-charge Evaluation www.cisco.com/go/1000veval
    • 35. Thank you for your attention. Martin Vozár, [email_address]