Deploying Services in a Virtualized Environment (2012 San Diego)


Server virtualization is changing the way data centers are designed and deployed. This session discusses the impact of server virtualization on deploying services such as firewalls, load balancing, and WAN and application optimization. We discuss the concept of vPath and how vPath enforces services. The session introduces the Nexus 1000V Virtual Security Gateway (VSG), which provides enhanced security for the virtualized environment, and covers the technical architecture and feature capabilities of VSG and how to design it into the virtualized environment. Closely related sessions: BRKVIR-2012: Inside the Nexus 1000V Virtual Switch; BRKVIR-3013: Deploying and Troubleshooting the Nexus 1000v virtual switch.

Cisco Live 365: https://www.ciscolive365.com/connect/sessionDetail.ww?SESSION_ID=4477

Published in Technology , Business

Transcript

  • 1. Deploying Services in a Virtualized Environment (session BRKVIR-2011). BRKVIR-2011 © 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
  • 2. Agenda
    • Virtualization/Cloud Trends
    • Requirements for Virtualized Services
    • Virtual Networking & Services – architecture
      ‒ Nexus 1000V for Virtualized Services
    • Implementing Virtualized Services
      ‒ Virtual Security Gateway (VSG)
      ‒ ASA 1000V
      ‒ Virtual WAAS (vWAAS)
      ‒ Network Analysis Module (NAM)
      ‒ Virtual Application Control Engine (vACE)
      ‒ Virtual Services for VM Mobility
      ‒ Virtual Services on VXLAN
    • Reference Solutions, Resources & Wrap-Up
  • 3. Cisco’s Approach: Physical → Virtual → Cloud Journey
    • Physical workload: one app per server; static; manual provisioning
    • Virtual workload: many apps per server; mobile; dynamic provisioning
    • Cloud workload: multi-tenant per server; elastic; automated scaling
    • Consistency: policy, features, security, management
    • Products shown: Nexus 7K/5K/3K/2K; Nexus 1000V, VM-FEX; WAAS, ASA, NAM, ACE; Virtual WAAS, VSG*, ASA 1000V**, vACE** (* virtual only; ** announced)
    • Diagram: hypervisor hosting VDC-1 and VDC-2
  • 4. Virtual Services in a Data Centre POD
    • Aggregation (Nexus 7000 vPC; C6K network services): typical L3/L2 boundary; physical network services
    • Unified Access (Nexus 5000, Nexus 7000 vPC, Nexus 2000; Unified Compute System Fabric Interconnect A/B): non-blocking paths to servers & IP storage devices
    • Virtual Access (Nexus 1000V): virtual switches; virtual services with horizontal scaling
    • Diagram: VMs hosted across Rack 1 … Rack x
  • 5. Virtual Services’ Requirements
  • 6. Server Virtualization Issues
    1. vMotion moves VMs across physical ports; the network policy must follow vMotion
    2. Must view or apply network/security policy to locally switched traffic
    3. Need to maintain separation of duties while ensuring non-disruptive operations
    • Diagram labels: Port Group; Server Admin, Security Admin, Network Admin
  • 7. Network Services Options for Virtualized/Cloud DC
    • Dedicated Service Nodes: redirect VM traffic via VLANs to external (physical) firewall (VLANs, virtual contexts)
    • Virtual Service Nodes (VSN), the subject of this session: apply hypervisor-based virtual network services
    • Diagram: Web, App and Database servers on a hypervisor under each option
  • 8. Virtual Services Options
    • Stand-alone VSN
      ‒ Can be deployed with any virtual switch
      ‒ Example: vWAAS
    • N1KV vPath integrated VSN
      ‒ Integrates with N1KV port profile and virtual service datapath (vPath)
      ‒ Example: vWAAS, VSG, ASA 1000V
    • VSN: Virtual Service Node
    • Diagram: VSNs and VMs on hypervisors, with and without Nexus 1000V vPath; server(s) for virtual services
  • 9. Virtual Services – Architectural Approach
    • Requirement: Virtualisation awareness (dynamic policy-based provisioning; support VM mobility, e.g. vMotion)
      Solution: virtual (SW) form-factor; integration with VM mgmt tools (e.g. vCenter, SC-VMM in future); policies bound to vNIC/VM; integration with N1KV (vPath*)
    • Requirement: Multi-tenant / scale-out deployment
      Solution: virtual service: multi-instance deployment; management: multi-tenant; N1KV vPath: multi-tenant
    • Requirement: Separation of duties (non-disruptive to server team; efficient deployment; performance optimisation)
      Solution: profile-based provisioning for services; integration with N1KV port profile; optional hosting on Nexus 1010 HW appliance; integration with N1KV vPath
    • Requirement: Broad mobility diameter (DC-wide, DC-to-DC, DC-to-Cloud)
      Solution: DC-wide: VXLAN**; DC-to-DC: OTV**
    • *vPath: Virtual Service Datapath; **VXLAN: Virtual Extensible LAN; **OTV: Overlay Transport Virtualisation
  • 10. Virtual Networking Architecture for Virtual Services
  • 11. Nexus 1000V Architecture: Respects DC Operational Model for PV
    • Modular switch: Supervisor-1 (active), Supervisor-2 (standby), back plane, Linecard-1, Linecard-2 … Linecard-N
    • Nexus 1000V: VSM-1 (active) and VSM-2 (standby) virtual appliances as the NX-OS control plane (network admin); VEM-1, VEM-2 … VEM-N in the hypervisors as the NX-OS data plane (server admin)
    • VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module
    • Hypervisors: vSphere (shipping); Win8/Hyper-V (announced)
  • 12. Embedding Intelligence in Virtual Network: vPath (Virtual Services Data Path)
    • Virtual appliances with N1KV: VSM; VSG (Virtual Security Gateway); vWAAS (Virtual WAAS); ASA 1000V (Virtual ASA, announced)
    • vPath (Virtual Service Datapath): service binding; fast-path offload; VXLAN aware*
    • VXLAN* (Virtual Extensible LAN): LAN segment over L3 (MAC-over-UDP); 16M LAN segments; submitted to IETF with VMware, Citrix, RedHat, …
    • Diagram: VEM-1 and VEM-2, each with vPath and VXLAN, on hypervisors
    • Hypervisors: vSphere (shipping); Win8/Hyper-V (announced)
    • *N1KV Release 1.5.1 (now shipping)
  • 13. Nexus 1010 / 1010-X: Hosting Platform for Virtual Services
    • NX-OS based physical (server) appliance
    • Access to VM mgmt tools NOT required
    • Network team deploys & manages it
    • Up to 10 virtual blades on Nexus 1010-X
    • Diagram: primary and secondary Nexus 1010 / 1010-X, each hosting VSM, NAM, VSG and DCNM, with L3 connectivity to VEM-1 and VEM-2 (vPath, VXLAN) and to the ASA 1000V, vWAAS, VSG and VSM virtual appliances
    • Hypervisors: vSphere (shipping); Win8/Hyper-V (announced)
  • 14. Operational Segregation Example
    • Network admins (Nexus 1000V VSM, Nexus OS CLI): create or update port-profiles
    • Server admins (vCenter* interface): install hypervisor on hosts with N1KV VEM; create VM and assign port profiles to VM
    • No hand-off required between Server and Network Admins for Virtualized environment
    • *SCVMM for Win8/Hyper-V
  • 15. Port Profile Configuration
    Support commands include: port management, VLAN, PVLAN, Port-Channel, ACL, Netflow, port security, QoS

      n1000v# show port-profile name WebProfile
      port-profile WebServers
        description:
        status: enabled
        capability uplink: no
        system vlans:
        port-group: WebServers
        config attributes:
          switchport mode access
          switchport access vlan 110
          no shutdown
        evaluated config attributes:
          switchport mode access
          switchport access vlan 110
          no shutdown
        assigned interfaces:
          Veth10
  • 16. Port Groups: VI Admin View
  • 17. Cisco Nexus 1000V: Faster VM Deployment
    • Cisco Virtual Machine Networking: Policy-Based VM Connectivity; Mobility of Network and Security Properties; Non-Disruptive Operational Model
    • VM connection policy: defined in the network; applied in Virtual Centre; linked to VM UUID
    • Diagram: port profile with defined policies (WEB Apps, HR, DB, DMZ) applied to VMs on two Nexus 1000V VEMs; vCenter; Nexus 1000V VSM
  • 18. Cisco Nexus 1000V: Richer Network Services
    • Cisco Virtual Machine Networking: Policy-Based VM Connectivity; Mobility of Network and Security Properties; Non-Disruptive Operational Model
    • VMs need to move: VMotion; DRS; SW upgrade/patch; hardware failure
    • N1KV property mobility: VMotion for the network; ensures VM security; maintains connection state
    • Diagram: VMs on two Nexus 1000V VEMs; vCenter; Nexus 1000V VSM
  • 19. Advanced Features of the Nexus 1000V
    • Switching: VLAN/VXLAN, IGMP Snooping, QoS Marking (COS & DSCP), Class-based WFQ
    • Security: Policy Mobility, Private VLANs, Access Control Lists, Port Security, Dynamic ARP inspection, IP Source Guard, DHCP Snooping
    • Network Services: vPath technology to support services, e.g. VSG, vWAAS
    • Provisioning: Automated vSwitch Config, Port Profiles, Virtual Centre Integration
    • Visibility: vMotion, NetFlow v.9 w/ NDE, CDP v.2, VM-Level Interface Statistics, SPAN & ERSPAN (policy-based)
    • Management: Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3)
    • IPv6 Support: As a Layer-2 switch, Nexus 1000V supports forwarding of IPv6 packets as well as Layer-2 features such as PVLAN and Port Security. Also, the management interface can be assigned an IPv6 address.
  • 20. Nexus 1000V Interoperability with VMware
    VMware product: Nexus 1000V support
    • vSphere 4: Yes
    • vSphere 5 (with stateless ESX): Yes (Release 1.4a & above)
    • VMware View 5: Yes
    • VMware vCloud Director: Yes; port-group backed pools
    • VMware vCloud Director 1.5: Yes (Release 1.5.1a*); port-group backed pools, VLAN-backed pools, network-isolation backed pools (via VXLAN)
  • 21. Implementing Virtual Network Services
    ‒ Virtual Security Gateway (VSG)
    ‒ ASA 1000V
    ‒ Virtual WAAS (vWAAS)
    ‒ NAM on Nexus 1010
    ‒ vACE
  • 22. Defence in Depth Security Model
    • Virtual Security, VSG (and ASA 1000V*): policy applied to VM zones; dynamic, scale-out operation; VM context based controls
    • Internal Security, ASA-SM and ASA 55xx: segment internal network; policy applied to VLANs; application protocol inspection; virtual contexts
    • Internet Edge, ASA 55xx: filter external traffic; extensive app protocol support; VPN access, threat mitigation
    • *Announced
  • 23. Use Case – Secure Multi-tenancy: Secure zoning of 3-Tier Application Workload
    • Only permit Web servers access to App servers via HTTP/HTTPS
    • Only permit App servers access to DB servers
    • Port 80 (HTTP) and 443 (HTTPS) of Web servers open
    • Only Port 22 (SSH) of App servers open
    • All other traffic denied
    • Diagram: Tenant_A and Tenant_B, each with Web, App and DB servers
  • 24. Use Case – Secure Multi-tenancy: Secure zoning of 3-Tier Application Workload
    • Only permit Web servers access to App servers via HTTP/HTTPS
    • Only permit App servers access to DB servers
    • Port 80 (HTTP) and 443 (HTTPS) of Web servers open
    • Only Port 22 (SSH) of App servers open
    • All other traffic denied
    • VSG for secure zoning (one per tenant)
    • ASA firewall for inter-tenant edge control (VLAN based)
    • Diagram: Tenant_A and Tenant_B, each with Web, App and DB servers
  • 25. Use Case – Secure Multi-tenancy: Secure zoning of 3-Tier Application Workload
    • Only permit Web servers access to App servers via HTTP/HTTPS
    • Only permit App servers access to DB servers
    • Port 80 (HTTP) and 443 (HTTPS) of Web servers open
    • Only Port 22 (SSH) of App servers open
    • All other traffic denied
    • VSG for secure zoning (one per tenant)
    • ASA firewall for inter-tenant edge control (VLAN based)
    • Benefits: tenant isolation via VLANs; broader mobility diameter for VMs
    • Diagram: Tenant_A and Tenant_B, each with Web, App and DB servers
  • 26. Introducing Virtual Security Gateway
    Virtual Security Gateway (VSG):
    • Context aware security: VM context aware rules
    • Zone based controls: establish zones of trust
    • Dynamic, agile: policies follow vMotion
    • Best-in-class architecture: efficient, fast, scale-out SW (with Nexus 1000V vPath)
    Virtual Network Management Centre (VNMC):
    • Non-disruptive operations: security team manages security
    • Policy based administration: central mgmt, scalable deployment, multi-tenancy
    • Designed for automation: XML API, security profiles
    IPv6 Support: VSG/VNMC support IPv4 packets in Phase 1. Security rules based on Ethertype can be deployed to permit or deny IPv6 packets.
  • 27. Virtual Security Gateway: Logical deployment like physical appliances
    • Secure segmentation (VLAN agnostic)
    • Efficient deployment (secure multiple hosts)
    • Dynamic policy-based provisioning
    • Transparent insertion (topology agnostic)
    • High availability
    • Mobility aware (policies follow vMotion)
    • Diagram: VNMC, VSG and VMs attached to the Nexus 1000V distributed virtual switch with vPath; log/audit
  • 28. Virtual Security Gateway: Intelligent Traffic Steering with vPath
    • Diagram steps: (1) initial packet flow; (2) flow access control (policy evaluation) at the VSG; (3) decision caching in the Nexus 1000V vPath distributed virtual switch
    • Diagram labels: VNMC, VSG, VMs, log/audit
  • 29. Virtual Security Gateway: Performance Acceleration with vPath
    • Decision offloaded to Nexus 1000V (policy enforcement)
    • Remaining packets from flow
    • Diagram labels: VNMC, VSG, VMs, Nexus 1000V vPath distributed virtual switch, log/audit
  • 30. Decoupled Deployment across Applications & Virtual Services
    • No need to deploy virtual services on every host
    • Decouple service from compute resources
    • Easy to scale out with dedicated hosting of services
    • Simpler to deploy with multiple operations teams (server, network, security, etc.)
    • Diagram: VSGs for Tenant A and Tenant B; Web, App, QA and Dev zones of VMs on vPath hosts; data center network; Nexus 1000V VSM; Cisco Virtual Network Management Center server; VMware vCenter server
  • 31. Apply Security at Multiple Levels
    • Enables multi-tenant scale-out deployment
    • Deployment granularity depending on use case
      ‒ Tenant, VDC, vApp
    • Multi-instance deployment provides horizontal scale-out
    • Diagram: Virtual Network Management Centre (VNMC); Tenant A and Tenant B with VDC and vApp; vPath, Nexus 1000V, hypervisor
  • 32. VSG Policy: Rule (ACE) Construct
    • Rule: source condition, destination condition, action
    • Condition: attribute type, operator
    • Attribute types: Network, VM, User Defined (vZone)
    • VM attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name
    • Network attributes: IP Address, Network Port
    • Operators: eq, neq, gt, lt, range, Not-in-range, Prefix
    • Operators: member, Not-member, Contains
  • 33. VSG Policy Provisioning Logical Flow
    • vCenter: port group
    • VNMC: define zones using VM/network attributes; create rules based on zones/network conditions; define policy; put policy set in the security profile; assign tenant VSG; assign security profile to tenant VSG
    • VSM: create port profile; bind the security profile to port profile
    • Diagram label: Security Profile Protection
  • 34. Port Profile to Security Profile Binding
    1. Create Security Profile for Tenant A in VNMC
    2. Bind the Security Profile with the Port-Profile for Tenant A
    3. VMs connect to the network with firewall enabled
    • Panels: VNMC – Tenant Policy Management; vCenter – VM Properties; Nexus 1000V
  • 35. Use case 1: Carecore National: Secure Zoning using VM attribute
    • Server groups shown: Database Servers, Dev Servers, Exchange Servers, QA Servers, Training Servers, R&D Servers
    • If vm-name contains “TRNG”, that VM belongs to TRNG zone

      Source      Destination  Protocol  Action
      Zone=TRNG   Zone=TRNG    Any       Permit
      Any         Zone=TRNG    Any       Permit
      Zone=TRNG   Any          Any       Drop
  • 36. Use Case 2: Securing VDI with Cisco VSG
    • Persistent virtual workspace for the doctor
    • Flexible workspace for Doctor’s assistant
    • Maintain compliance while supporting IT consumerization
    • Leverage VM context (e.g. VM-name) to create VSG security policies
    • Reference Architecture: 1000V and VSG in VXI Reference Architecture
    • Diagram: server zones (Healthcare Portal, Records, Database, Application); HVD zones (IT Admin, Assistant, Doctor, Guest); Virtual Security Gateway (VSG); ASA; network; Cisco AnyConnect clients (Guest, IT Admin, Doctor)
  • 37. Use Case 3: Securing a 3-tier Application Infrastructure
    • Permit only port 80 (HTTP) of Web servers
    • Permit only port 22 (SSH) to application servers
    • Block all external access to database servers
    • Only permit Web servers access to application servers
    • Only permit application servers access to database servers
    • Diagram: web client; Web-Zone, Application-Zone and Database-Zone with their servers
  • 38. VSG Release 1.3: What’s New?
    1. Virtual Appliance VSG (New): L2 Mode, L3 Mode
    2. VMware product support for VSG & VNMC: vSphere 4: Yes; vSphere 5 (New): Yes
    3. Protect VMs on VXLAN (see details in the “VM Mobility” section)
    • Diagram: VEM-1 and VEM-2 with vPath on hypervisors
  • 39. ASA 1000V Cloud Firewall
  • 40. Cisco Virtual Security Products
    • Virtual Security Gateway: zone based intra-tenant segmentation of VMs
    • ASA 1000V: external / multi-tenant edge deployment
  • 41. Securing Multi-tenant Cloud With Virtual ASA and VSG
    • Proven Cisco Security…Virtualized
      ‒ Physical – virtual consistency
    • Collaborative Security Model
      ‒ VSG for intra-tenant secure zones
      ‒ Virtual ASA for tenant edge controls
      ‒ vApp Context-based controls
    • Seamless Integration
      ‒ With Nexus 1000V & vPath
    • Scales with Cloud Demand
      ‒ Multi-instance deployment for horizontal scale-out deployment
    • Diagram: Virtual Network Management Centre (VNMC); Tenant A and Tenant B, each with VDC, vApp, VSGs and an ASA 1000V; vPath, Nexus 1000V, hypervisor
  • 42. Policies Enforcement with the ASA 1000V
    1. Security Policy is attached to the Port-Profile
    2. No vPath encapsulation for VM to VM communication in the same subnet
    3. You can have different Port-Profile with different Security Profile for the same Subnet
    • Diagram: Port Profile 1 and Port Profile 2; Security Profiles SP 1 to SP 4; Inside and Outside of the edge firewall
  • 43. Integration with vPath: Outbound Access (For Your Reference)
    1. Nexus 1000V [vPath] receives packet to be sent to the outside, looks up the security profile binding, and attaches vPath tag.
    2. This tag contains the service profile ID for the source VM.
    3. ASA 1000V creates forward and reverse flows for the packet and applies policy corresponding to the security profile specified in the packet.
    4. ASA 1000V ‘routes’ the packet to the outside without a tag.
    5. Reply packet comes from the outside without any vPath tag.
    6. ASA 1000V looks up the flow table, adds a vPath tag with the Service profile ID cached in flow table.
    7. vPath receives the packet, removes the tag and forwards it to the VM.
    • Diagram: VMs on vPath, Nexus 1000V, hypervisor
  • 44. vPath as Data Plane: Inbound Access (For Your Reference)
    1. Packet from the outside hits ASA 1000V, which performs NAT translation to get the internal VM IP address.
    2. ASA 1000V consults the VM IP address to service profile binding database received from VNMC.
    3. ASA 1000V creates forward and reverse flows for this packet, adds a vPath tag with Service profile ID, and forwards packet to the destination VM.
    4. The VM responds with a packet which reaches vPath.
    5. vPath adds vPath tag (same as previous) and forwards to ASA.
    6. ASA 1000V receives the packet, matches it to the flow created previously, applies NAT and forwards it to the outside without the vPath tag.
    • Diagram: VMs on vPath, Nexus 1000V, hypervisor
  • 45. DMZ Use Cases
  • 46. ASA 1000V DMZ use case
    • Two ASA 1000V approach
      ‒ Two edge firewalls, one for inside subnet and other for DMZ subnet
      ‒ No enforcement within Inside and DMZ VLAN
    • ASA 1000V and VSG approach
      ‒ Inside Security Profile and DMZ Security Profile addressing the security requirements for both zones
      ‒ Shared VLAN for both DMZ and Inside
    • Diagram: Tenant A with PP-Inside (VLAN 200) and PP-DMZ (VLAN 400); Tenant B with PP-Inside (VLAN 200) and PP-DMZ (VLAN 200)
    • PP: Port-Profile; SP: Security Profile
  • 47. ASA 1000V 1.0: Features and Capabilities
    • Features: NAT; IPSec VPN (Site-to-Site); Default Gateway; DHCP; Static Routing; Stateful Protocol; IP Audit
    • Capabilities: role based separation; consistent ASA feature set; intelligent traffic steering via vPath; strategic partnership with VMware
    • Not just an ASA – Part of a solution which benefits from vPath
  • 48. vCD Technology Integration Roadmap
    • Diagram: VMW cloud orchestration (vCloud Director, vShield Manager) over three stacks: VMW Network Stack; VMW – Cisco Network Stack (N1KV v1.5.1a*); Cisco Network & Security Stack (future)
    • Components shown: Network Services Mgr (Cisco Net Abstraction); vShield Edge (Security) in two stacks; Virtual ASA (Security); vSwitch; Nexus 1000V in two stacks; vSphere; Cisco Unified Computing System
    • Continue future innovations across virtual/hypervisor and physical security
  • 49. Virtual WAAS
  • 50. Cisco vWAAS Accelerates Cloud Deployment
    • Accelerate cloud-bursting, workload mobility, virtualized deployment
    • Key requirements: elastic provisioning; workload mobility awareness; scale-out WAAS; multi-tenancy
    • Cisco vWAAS benefits: policy based “on-demand” orchestration lowers OpEx; application based optimisation; elastic, multi-tenancy
    • Diagram: branch office; private cloud (Enterprise A); virtual private cloud (Enterprise A, Enterprise B)
  • 51. Cisco vWAAS Provides Flexible Cloud Deployment Options
    1. Private Cloud
      • Traditional WAN edge deployment at branch and DC (WCCP)
      • Gradual migration from physical to virtual
      • Multi-tenancy support
    2. Private Cloud, Virtual Private Cloud & Public Cloud
      • Re-direction using vPath at VM level
      • Elastic provisioning
      • Multi-tenancy support
    • Diagram: WAN or Internet; VMware ESXi servers on UCS/x86 servers; Nexus 1000V vPath; UCS compute/physical servers and UCS compute/virtualized servers
  • 52. vWAAS – Policy Based configuration in N1000V
    • Feature
      1. Optimisation based on the port-profile policy configured in Nexus 1000V
      2. Policy gets propagated to vCenter automatically
    • Benefit
      1. Provide on-demand service orchestration in the cloud without network disruption
    • Diagram: Web, App and DB server VMs, vWAAS and vCM on two VMware ESXi servers with Nexus 1000V vPath; Optimise, Non Opt and vWAAS port-profiles; Nexus 1000V VSM; vCenter Server
  • 53. vWAAS – Application based interception
    • Network admin view (Nexus 1000V VSM): port-profile; vPath interception
    • Server admin view (vSphere client): port-group; attach Opt-port-profile to server VMs
  • 54. vWAAS – VM mobility awareness
    • Feature
      1. vPath is aware of movement of a VM from one host to another.
      2. Traffic interception continues to work as-is without any disruption or changes required.
    • Benefit
      1. No disruption in WAN optimisation service if a VM moves from one host to another.
      2. Supports VMware resource scheduling (DRS) and provides high availability.
    • Diagram: Web, App and DB server VMs, vWAAS and vCM on two VMware ESXi servers with Nexus 1000V vPath; Optimise, Non Opt and vWAAS port-profiles; Nexus 1000V VSM; vCenter Server
  • 55. vWAAS – Architected for Elastic Workloads
    • Feature
      1. Automatic application of vWAAS service when a new ‘Web Server’ VM gets provisioned
      2. vWAAS services associated with ‘Web server’ VMs using Nexus 1000V policies
    • Benefit
      1. Elastic vWAAS deployment
      2. Scale-out virtual Web Server farm by provisioning additional VMs while applying WAN optimisation
    • Diagram: Web and App server VMs and vWAAS on two VMware ESXi servers with Nexus 1000V vPath; a new Web-Server virtual machine (VM) is added
  • 56. vWAAS – Optimised performance with vPath
    • Feature
      1. vWAAS sends “offload” to vPath for non-interesting traffic (inter-server traffic or no-peer traffic)
      2. vPath provides automatic bypass of this traffic
    • Benefit
      1. High scale with automatic application or port-profile based traffic filtering
    • Diagram: Branch 1 (w/ WAAS, router integrated WAAS): optimised, vPath redirection; Branch 2 (w/o WAAS): non-optimised, automatic bypass; WAN; Web server and vWAAS on a VMware ESXi server with Nexus 1000V vPath
  • 57. Cisco vACE on vPath
  • 58. vACE Optimized Virtual Application Delivery
    • Challenge: Deploying virtualized app delivery services is complex and inefficient
    • Overview:
      ‒ vPath offers per-flow handling of traffic through the virtual switch
      ‒ ACE can leverage business policy to signal to vPath which flows require SLB
      ‒ In one-armed mode, non-SLB traffic will not be processed by ACE
    • Benefits:
      ‒ Reduced complexity since identification of SLB vs. non-SLB flows is handled in real-time automatically
      ‒ CAPEX reduction due to fewer virtual devices and resources required to support application delivery
      ‒ Lower OPEX driven by configuration simplification and device reduction
    • Diagram captions: One Arm Design: Client IP Preserved; One Arm Design: Client Server Traffic Bypasses ACE
  • 59. vACE Insertion with vPath
    • Packet from Client to VIP. Router routes to vACE on Client VLAN.
    • Diagram: Server VM 1, Server VM 2 and Server VM 3, each on vPath / Nexus 1000V / ESX hypervisor; Real Server VLAN; Client/VIP VLAN; Client
    © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  • 60. vACE Insertion with vPath
    1. vACE1 does LB decision and encaps packet with vPath header
    2. vACE1 instructs vPath to create a flow entry for reverse traffic coming from server
    • Diagram: Server VM 1, Server VM 2 and Server VM 3, each on vPath / Nexus 1000V / ESX hypervisor; vPath data; Real Server VLAN; Client/VIP VLAN; Client
  • 61. vACE Insertion with vPath
    1. vPath creates a forward flow (Client to Server2 – decap and send to Server2) and reverse flow (Server to Client – redirect to vACE)
    2. No NAT/PBR required to force the traffic back to ACE
    • Diagram: Server VM 1, Server VM 2 and Server VM 3, each on vPath / Nexus 1000V / ESX hypervisor; Real Server VLAN; Client/VIP VLAN; Client
  • 62. vACE – vPath Summary
    • vACE can dynamically insert flow entry in vPath to redirect return packets to itself (no need of PBR/NAT for redirecting return traffic)
    • No need to make vACE a default gateway to avoid NAT
    • vACE service chaining will come 1HCY2013
    • Diagram: vPath, Nexus 1000V, hypervisor
  • 63. vPath 2.0 Service Chaining
  • 64. VSG and ASA Service Chaining
    • Example 1: Outside Client trying to access a VM protected by both VSG and ASA
    • Diagram labels (steps 1 to 3 marked): Initial Packet Flow; ASA inline Enforcement; VSG; Nexus 1000V vPath distributed virtual switch; Inside; Outside; vPath Encap links; Traffic Path
  • 65. VSG and ASA Service Chaining
    • Example 1: Outside Client trying to access a VM protected by both VSG and ASA
    • Step 4: VSG policy decision downloaded to VEM
    • Diagram labels (steps 4 and 5 marked): VSG; Nexus 1000V vPath distributed virtual switch; Inside; Outside; ASA; vPath Encap links
  • 66. VSG and ASA Service Chaining
      Example 1: Outside client trying to access a VM protected by both VSG and ASA
      ‒ Policy offloaded to VEM
      [Diagram: traffic flow after the first packet; ASA 1000V inline enforcement between inside and outside; VMs and VSG on the Nexus 1000V distributed virtual switch with vPath; vPath encap links]
  • 67. VSG and ASA Service Chaining
      Example 2: VM1 to VM2 communication on the same subnet
      ‒ ASA is not in the path for same-subnet VM to VM communication
      [Diagram: VM 1, VM 2 and VSG on the Nexus 1000V distributed virtual switch with vPath; ASA between inside and outside; callouts 1 and 2; vPath encap links]
  • 68. VSG and ASA Service Chaining
      Example 2: VM1 to VM2 communication on the same subnet
      [Diagram: VM 1, VM 2 and VSG on the Nexus 1000V distributed virtual switch with vPath; ASA between inside and outside; callouts 3 and 4; vPath encap links]
  • 69. VSG and ASA Service Chaining
      Example 2: VM to VM communication on the same subnet
      ‒ vPath enforces at the VEM level; policy is offloaded from VSG to VEM
      [Diagram: VM 1, VM 2 and VSG on the Nexus 1000V distributed virtual switch with vPath; ASA between inside and outside; vPath encap links]
  • 70. Service Chaining Example: Chain VSG and ASA 1000V for a tenant
      ! Define the service nodes on the Nexus 1000V
      vservice node ASA1 type asa
        ip address 172.31.2.11
        adjacency l2 vlan 3770
      vservice node VSG1 type vsg
        ip address 10.10.11.202
        adjacency l3
      ! Chain the service nodes (order is inside to outside)
      vservice path chain-VSG-ASA
        node VSG1 profile sp-web order 10
        node ASA1 profile sp-edge order 20
      ! Enable the service chain per port-profile
      port-profile type vethernet Tenant-1
        org root/Tenant-1
        vservice path chain-VSG-ASA
  • 71. Cisco Prime NAM for Nexus 1010
  • 72. The Challenge: Server virtualization creates a demand for VM-level visibility
      [Diagram: boundary of network visibility]
  • 73. Cisco Prime NAM for Nexus 1010
      Extends visibility into the virtual machine (VM) network
      [Diagram: VMs on Nexus 1000V VEMs (vSphere servers); the boundary of network visibility moves into the VEM; NetFlow and ERSPAN feed Cisco Prime NAM for Nexus 1010; Release 5.1(2)]
  • 74. Enable NAM as a Network Service on N1KV (For Your Reference)
      ! NetFlow configuration
      flow exporter exporter1
        destination 172.23.180.38
        transport udp 3000
        source mgmt0
        dscp 63
        version 9
        …..
      ! ERSPAN configuration
      monitor session 1 type erspan-source
        source vlan 16,173 both
        destination ip 172.23.180.38
        erspan-id 100
        mtu 1500
        header-type 3
      [Diagram: NAM receiver for NetFlow and ERSPAN traffic]
  • 75. Virtual Services & VM Mobility
      ‒ DC wide
      ‒ DC to DC
  • 76. DC-wide VM Mobility – Multiple Options
      ‒ Bigger UCS domain → broader mobility within UCS domain
      ‒ FabricPath/Trill → DC-wide VM mobility with N7K/N5K
      ‒ Nexus 1000V & VXLAN w/ OTV (this session)
  • 77. VM Mobility across DCs
      Maintain network & security policies during vMotion
      Nexus 1000V VSM Pair & VSG Pair (or VSG/VSG hosted on Nexus 1010s)
      [Diagram: VSM (active), vCenter (active), VSG (active), VSM (standby) and VSG (standby) across Data Centre #1 and Data Centre #2; Layer 2 extension (OTV); stretched vSphere cluster of Nexus 1000V VEMs with vPath; virtualized workload mobility; replicated vCenter SQL/Oracle database]
      ‒ Migrate virtual workloads seamlessly across Data Centres
      ‒ Maintain transparency to network & security policies (via N1KV & VSG)
  • 78. Deploying Services on VXLAN
  • 79. Why VXLANs? Pain points in scaling cloud networking
      Use of server virtualization and cloud computing is stressing the network infrastructure in several ways:
      ‒ Server virtualization increases demands on switch MAC address tables
      ‒ Multi-tenancy and vApps are driving the need for more than 4K VLANs
      ‒ Static VLAN trunk provisioning doesn’t work well for cloud computing and VM mobility
      ‒ Limited reach of VLANs using STP constrains use of compute resources
  • 80. Multi-Tenancy and vApps Drive the Need for Many L2 Segments
      ‒ Both MAC and IP addresses could overlap between two tenants, or even within the same tenant in different vApps.
        ‒ Each overlapping address space needs a separate segment
      ‒ VLANs use 12 bit IDs = 4K
      ‒ VXLANs use 24 bit IDs = 16M
  • 81. Virtual Extensible Local Area Network (VXLAN)
      Supported in Nexus 1000V Release 1.5
      ‒ Tunnel between VEMs
        ‒ VMs do NOT see VXLAN ID
      ‒ IP multicast used for L2 broadcast/multicast, unknown unicast
      ‒ Technology submitted to IETF for standardisation
        ‒ With VMware, Citrix, Red Hat and others
      ‒ Ethernet in IP overlay network
        ‒ Entire L2 frame encapsulated in UDP
        ‒ 50 bytes of overhead
      ‒ Include 24 bit VXLAN Identifier
        ‒ 16 M logical networks
        ‒ Mapped into local bridge domains
      ‒ VXLAN can cross Layer 3
      Frame layout:
        VXLAN encapsulation: Outer MAC DA | Outer MAC SA | Outer 802.1Q | Outer IP DA | Outer IP SA | Outer UDP | VXLAN ID (24 bits)
        Original Ethernet frame: Inner MAC DA | Inner MAC SA | Optional Inner 802.1Q | Original Ethernet Payload | CRC
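The encapsulation on slides 80 and 81, as an added example that is not part of the original deck: a Python sketch that wraps an inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers and recovers the 24-bit segment ID again, which is what a capture analyst needs to tell overlapping tenant addresses apart. The 8-byte VXLAN header layout and UDP port 4789 follow RFC 7348 and are assumptions here (the slides give neither); all addresses and the inner frame are constructed sample values.

```python
import struct

VXLAN_I_FLAG = 0x08                      # "VNI valid" flag (RFC 7348, assumed)
ETH, IPV4, UDP, VXLAN = 14, 20, 8, 8     # untagged outer headers: 50 bytes in total
VLAN_IDS, VXLAN_IDS = 2 ** 12, 2 ** 24   # 4K VLANs versus 16M VXLAN segments


def encapsulate(inner: bytes, vni: int, dport: int = 4789) -> bytes:
    """Wrap an inner Ethernet frame in constructed outer Ethernet/IPv4/UDP/VXLAN headers."""
    if not 0 <= vni < VXLAN_IDS:
        raise ValueError("segment ID must fit in 24 bits")
    vxlan = struct.pack("!II", VXLAN_I_FLAG << 24, vni << 8)
    udp_len = UDP + VXLAN + len(inner)
    udp = struct.pack("!HHHH", 49152, dport, udp_len, 0)
    # Sample only: the IPv4 header checksum is left at 0 and the addresses are constructed.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4 + udp_len, 0, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes.fromhex("020000000002") + bytes.fromhex("020000000001") + b"\x08\x00"
    return eth + ip + udp + vxlan + inner


def decapsulate(packet: bytes) -> tuple:
    """Return (vni, inner_frame), rejecting anything that is not VXLAN in untagged IPv4/UDP."""
    if len(packet) < ETH + IPV4 + UDP + VXLAN:
        raise ValueError("too short to carry VXLAN")
    if packet[12:14] != b"\x08\x00" or packet[ETH] >> 4 != 4:
        raise ValueError("outer frame is not untagged IPv4")
    ihl = (packet[ETH] & 0x0F) * 4       # IPv4 options would move the UDP header
    if ihl < IPV4 or packet[ETH + 9] != 17:
        raise ValueError("outer packet is not UDP")
    off = ETH + ihl + UDP
    if len(packet) < off + VXLAN:
        raise ValueError("truncated VXLAN header")
    flags, vni_word = struct.unpack("!II", packet[off:off + VXLAN])
    if not (flags >> 24) & VXLAN_I_FLAG:
        raise ValueError("VNI-valid flag is not set")
    return vni_word >> 8, packet[off + VXLAN:]


if __name__ == "__main__":
    # Constructed 60-byte inner frame: dst MAC, src MAC, IPv4 EtherType, zero padding.
    frame = bytes.fromhex("0200000000aa0200000000bb0800") + bytes(46)
    packet = encapsulate(frame, 5500)    # VXLAN 5500, the segment used on slide 83
    vni, inner = decapsulate(packet)
    print(vni, len(packet) - len(inner))
```

An outer 802.1Q tag adds 4 bytes to the 50-byte figure, and the parser above deliberately rejects tagged outer frames instead of guessing at the offset.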
  • 82. Scalable Pod Deployment with VXLAN within a Data Centre
      [Diagram: logical network spanning across Layer 3; VMs in multiple pods; add more pods to scale]
  • 83. Logical Topology with VSG and ASA 1000V
      VSG and workload and inside interface of ASA 1000V on the same L2 segment (VXLAN 5500)
      [Diagram: VSG and VMs on VXLAN 5500; VLAN 55]
  • 84. ASA 1000V and VSG Service Chaining on VXLAN
      [Diagram: ASA 1000V, VSG and VM on separate Nexus 1000V hypervisors (ESX) with vPath; VXLAN-encapsulated vPath data between them; callouts 1-4]
      ‒ Security Profile ID for VSG
      ‒ Decision returned to the Client vPath
  • 85. ASA 1000V and VSG Service Chaining on VXLAN
      [Diagram: ASA 1000V, VSG and VM on separate Nexus 1000V hypervisors (ESX) with vPath; policy offloaded; VXLAN-encapsulated vPath data between them; callouts 5 and 6]
      ‒ Security Profile ID for VSG
      ‒ Decision returned to the Client vPath
  • 86. ASA 1000V and VSG Service Chaining on VXLAN
      [Diagram: ASA 1000V, VSG and VM on separate Nexus 1000V hypervisors (ESX) with vPath; VXLAN-encapsulated vPath data between them; Client; callouts 7-10]
      ‒ Edge Security Profile ID for ASA
  • 87. Configuration Example (For Your Reference)
      Applying Service on both VLAN and VXLAN backed Port-Profiles

      vlan 10
      ! Port-Profile VLAN Backed
      port-profile type vethernet TenantA
        switchport access vlan 10
        org root/abc
        vn-service ip-address 10.10.10.137 vlan 20 security-profile secure-abc
        no shutdown
        state enabled

      ! Bridge Domain
      bridge-domain vxlan_5005
        segment id 5005
        group 225.1.1.5
      ! Port-Profile VXLAN Backed
      port-profile type vethernet TenantA
        switchport access bridge-domain vxlan_5005
        org root/abc
        vn-service ip-address 10.10.10.137 vlan 20 security-profile secure-abc
        no shutdown
        state enabled
  • 88. Summary
      ‒ Nexus 1000V vPath makes the virtual service possible
      ‒ VSG and ASA 1000V are different firewalls but they complement each other
      ‒ Services can be enabled on a per-tenant basis
      ‒ vPath is designed to scale out for multi-tenant environments
      ‒ Services can be deployed on VXLANs as well as VLANs
  • 89. Related Sessions (For Your Reference)
      Other N1KV related sessions which you may be interested to attend:
      ‒ BRKVIR-2011 Deploying Services in a Virtualized Environment
      ‒ BRKVIR-2014 Architecting Scalable Clouds using VXLAN and Nexus 1000V
      ‒ BRKVIR-2017 The Nexus 1000V on Microsoft Hyper-V: Expanding the Virtual Edge
      ‒ BRKVIR-3013 Deploying and Troubleshooting the Nexus 1000v virtual switch
  • 90. Wrap-Up
      ‒ Solutions
      ‒ Webcasts
      ‒ Resources
      ‒ CloudLab (on-line remote lab)
      ‒ Related Sessions & Cisco Live hands-on labs
      ‒ Session Evaluation
  • 91. Reference Solutions
      Columns: Solution | Nexus 1000V | Nexus 1010 | Virtual Security Gateway | Virtual WAAS | NAM (N1010)
      ‒ Vblock: ✓, ✓, ✓
      ‒ FlexPOD: ✓, ✓
      ‒ Virtual Desktop: ✓, Implicit support, ✓, *, Implicit support
      ‒ Virtual Multi-tenant DC (VMDC): ✓, Implicit support, ✓, Implicit support
      ‒ DC-to-DC vMotion: ✓, Implicit support, ✓, ✓, Implicit support
      ‒ PCI 2.0: ✓, Implicit support, ✓, Implicit support
      ‒ Hosted Collaboration: ✓, Implicit support, Implicit support
      *Based on default Citrix configuration
  • 92. Reference Solutions (For Your Reference)
      ‒ Vblock with Nexus 1000V; Vblock with VSG and vWAAS
      ‒ FlexPOD with Nexus 1000V and Nexus 1010
      ‒ Virtual Multi-tenant Data Centre with Nexus 1000V and VSG
      ‒ Virtual Desktop
        ‒ 1000V and VMware View
        ‒ 1000V and Citrix XenDesktop
        ‒ 1000V and VSG in VXI Reference Architecture
      ‒ Virtual Workload Mobility (aka Long-distance vMotion)
        ‒ Cisco, VMware and EMC (with 1000V and VSG)
        ‒ Cisco, VMware and NetApp (with 1000V and VSG)
      ‒ PCI 2.0 with Nexus 1000V and VSG
  • 93. Cisco Cloud Lab: Hands On Training & Demos (For Your Reference)
      ‒ Hands-on labs available for Nexus 1000V and VSG in Cloud Lab: https://cloudlab.cisco.com
      ‒ Open to all Cisco employees
      ‒ Customers/Partners require sponsorship from account team for access via CCO LoginID
      ‒ Extended duration lab licenses for 1000V and VSG are available upon request
      ‒ Just added: VXLAN Basic Introduction
  • 94. Resources (For Your Reference)
      ‒ CCO Links
        ‒ 1000V: www.cisco.com/go/1000v
        ‒ 1010: www.cisco.com/go/1010
        ‒ VSG: www.cisco.com/go/vsg
        ‒ VNMC: www.cisco.com/go/vnmc
        ‒ vWAAS: www.cisco.com/go/waas
      ‒ Deployment Guides
        ‒ Nexus 1000V Deployment Guide
        ‒ Nexus 1000V on UCS – Best Practices
        ‒ Nexus 1010 Deployment Guide
        ‒ VSG Deployment Guide
      ‒ White papers:
        ‒ Nexus 1000V and vCloud Director
        ‒ N1K on UCS Best Practices
        ‒ Nexus 1000V QoS White paper (draft)
        ‒ VSG and vCloud Director (draft)
        ‒ vWAAS Technical Overview
        ‒ vWAAS for Cloud-ready WAN Optimization
      ‒ Nexus 1000V Community
  • 95. Additional Links (For Your Reference)
      ‒ N1K Download and 60-day Eval: www.cisco.com/go/1000vdownload
      ‒ N1K Product Page: www.cisco.com/go/1000v
      ‒ N1K Community: www.cisco.com/go/1000vcommunity
      ‒ N1K Twitter: www.twitter.com/official_1000V
      ‒ N1K Webinars: www.tinyurl.com/1000v-webinar
      ‒ N1K Case Studies: www.tinyurl.com/n1k-casestudy
      ‒ N1K Whitepapers: www.tinyurl.com/n1k-whitepaper
      ‒ N1K Deployment Guide: www.tinyurl.com/N1k-Deploy-Guide
      ‒ VXI Reference Implementation: www.tinyurl.com/vxiconfigguide
      ‒ N1K on UCS Best Practices: www.tinyurl.com/N1k-On-UCS-Deploy-Guide
  • 96. Concluding Remarks
      ‒ Virtual services need to be deployed with an architectural mind-set
        ‒ Virtual Data Centre, Private Cloud, Public Cloud
      ‒ Network intelligence for virtual services is critical for:
        ‒ Simplified deployment
        ‒ Optimized performance
        ‒ Virtualization-aware operation
      ‒ Separation of duties and operational non-disruptiveness need to be maintained
      Cisco virtual services with Nexus 1000V/vPath provide an extensible architecture and an excellent platform for building out Virtualized DC and private/public clouds
  • 97. Q&A
  • 98. Complete Your Online Session Evaluation
      ‒ Give us your feedback and you could win fabulous prizes. Winners announced daily.
      ‒ Receive 20 Passport points for each session evaluation you complete.
      ‒ Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
      ‒ Don’t forget to activate your Cisco Live Virtual account for access to all session material, communities, and on-demand and live activities throughout the year. Activate your account at the Cisco booth in the World of Solutions or visit www.ciscolive.com.
  • 99. Final Thoughts
      ‒ Get hands-on experience with the Walk-in Labs located in World of Solutions, booth 1042
      ‒ Come see demos of many key solutions and products in the main Cisco booth 2924
      ‒ Visit www.ciscoLive365.com after the event for updated PDFs, on-demand session videos, networking, and more!
      ‒ Follow Cisco Live! using social media:
        ‒ Facebook: https://www.facebook.com/ciscoliveus
        ‒ Twitter: https://twitter.com/#!/CiscoLive
        ‒ LinkedIn Group: http://linkd.in/CiscoLI