Enhanced VXLAN in Nexus 1000V

Enhanced VXLAN in Nexus 1000V: theater presentation from VMworld 2013.


Transcript

  • 1. Enhanced VXLAN in Nexus 1000V. Han Yang, Senior Product Manager. August 2013. Co-sponsored by Intel®. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential.
  • 2. Manual workflow: Architect → Design → Where can we put it? → Procure → Install → Configure → Secure → Is it ready?
    • Faster application deployment is being demanded
    • Deploying applications requires acquiring and configuring physical and virtual infrastructures
    • Need network agility with best-in-class network service and SLA
  • 3. Consistency, reduce risk, rapid deployment: a consistent Nexus experience across virtual, physical and cloud, with services for intra-tenant security, inter-tenant security, application acceleration, routing and gateways, web-app firewall and load balancer.
  • 4. Cloud Network Services: a full portfolio of best-in-class virtualized network services on top of the physical infrastructure (WAN, router, switches, servers). Multi-hypervisor: VMware, Microsoft, KVM*, Xen* (*KVM in beta, Xen prototype).
    • Nexus 1000V: distributed switch; NX-OS consistency; vPath; Enhanced VXLAN
    • VSG (Cisco Virtual Security Gateway): VM-level controls; zone-based firewall
    • ASA 1000V Cloud Firewall: edge firewall, VPN; protocol inspection
    • vWAAS: WAN optimization; application traffic
    • CSR 1000V (Cloud Services Router): WAN L3 gateway; routing and VPN
    • Network Analysis Module (vNAM)
    • Ecosystem services: Citrix NetScaler VPX virtual ADC (Citrix NetScaler 1000V); Imperva SecureSphere Web Application Firewall
  • 5. Architecture. The Nexus 1010/1110 virtual appliance hosts the virtual service blades: Virtual Supervisor Module (VSM, primary and secondary), Network Analysis Module (NAM), Virtual Security Gateway (VSG), vWAAS and Data Center Network Manager (DCNM). A VEM with vPath and VXLAN runs on each hypervisor: VEM-1 on VMware ESX, VEM-2 on Windows Server 2012, VEM-3 on an open-source hypervisor. The VSM reaches the VEMs over L3 connectivity, and ASA 1000V, NAM, VSG and VSM can also run as virtual machines on the hosts.
    • VSM: Virtual Supervisor Module
    • VEM: Virtual Ethernet Module
    • vPath: Virtual Service Data-path
    • VXLAN: Scalable Segmentation
    • VSG: Virtual Security Gateway
    • vWAAS: Virtual WAAS
    • ASA 1000V: Tenant-edge security
  • 6. Freemium pricing model offers flexibility for customers to deploy the Cisco virtual data center.
    • Nexus 1000V Essential Edition (no-cost version), the world's most advanced virtual switch: full Layer-2 feature set; security and QoS policies; VXLAN virtual overlays; full monitoring and management capabilities; vPath-enabled virtual services
    • Nexus 1000V Advanced Edition ($695 per CPU MSRP) adds Cisco value-add features for DC and cloud: all features of Essential Edition; VSG firewall bundled (previously sold separately); support for Cisco TrustSec SGA policies; platform for other Cisco DC extensions in the future
  • 8. Logical network spanning across Layer 3: VMs in different pods share one logical network; add more pods to scale; utilize all links in the port channel with UDP.
  • 9. VXLAN encapsulation
    • Ethernet in IP overlay network: the entire L2 frame is encapsulated in UDP, with 50 bytes of overhead
    • Includes a 24-bit VXLAN identifier: 16M logical networks, mapped into local bridge domains
    • VXLAN can cross Layer 3: tunnel between VEMs; VMs do NOT see the VXLAN ID
    • IP multicast is used for L2 broadcast/multicast and unknown unicast
    • Technology submitted to IETF for standardization with VMware, Citrix, Red Hat and others; UDP port 4789 assigned to VXLAN
    • Encapsulated frame layout: Outer MAC DA | Outer MAC SA | Outer 802.1Q | Outer IP DA | Outer IP SA | Outer UDP | VXLAN ID (24 bits) | Inner MAC DA | Inner MAC SA | Optional Inner 802.1Q | Original Ethernet Payload | CRC
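The encapsulation this slide describes, worked through as an added example (not code from the deck or from Cisco): an inner Ethernet frame is wrapped in the outer MAC, IP, UDP and VXLAN headers and parsed back out, with checks on the UDP port 4789, the VXLAN "I" flag and the 24-bit VNI range. Every MAC, IP and payload is a constructed sample value; the outer 802.1Q tag is left off and the inner FCS is not carried, which is why the overhead comes to exactly the 50 bytes the slide quotes (14 outer Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN).

```python
"""VXLAN encapsulation and decapsulation, worked through in Python.

Added example, not code from the deck or from Cisco. It wraps an inner
Ethernet frame in the outer headers the slide lists (outer MAC, outer IP,
outer UDP, VXLAN header) and parses it back out, checking the two figures
the slide quotes: 50 bytes of overhead and a 24-bit VXLAN identifier.
Every address and payload below is a constructed sample value.
"""
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (slide 9)
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
# 14 (outer Ethernet, untagged) + 20 (IPv4) + 8 (UDP) + 8 (VXLAN) = the 50 bytes on the slide
VXLAN_OVERHEAD_BYTES = 14 + 20 + 8 + 8


def mac(text):
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text):
    return bytes(int(octet) for octet in text.split("."))


def ipv4_checksum(header):
    """Ones-complement sum over 16-bit words, as the IPv4 header checksum requires."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(inner_frame, vni, outer_src_mac, outer_dst_mac,
                      outer_src_ip, outer_dst_ip, src_port=49152):
    """Build outer Ethernet + IPv4 + UDP + VXLAN around an inner L2 frame (no inner FCS)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags (1), reserved (3), VNI (3), reserved (1)
    vxlan_hdr = struct.pack("!B3sI", VXLAN_FLAG_I, b"\x00" * 3, vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                         IPPROTO_UDP, 0, outer_src_ip, outer_dst_ip)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = outer_dst_mac + outer_src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def vxlan_decapsulate(packet):
    """Strip the outer headers; return (vni, inner_frame, outer_src_ip). Rejects non-VXLAN input."""
    if len(packet) < 14 or struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer transport is not UDP")
    outer_src_ip = packet[14 + 12:14 + 16]
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    vx_off = udp_off + 8
    flags, _, vni_field = struct.unpack("!B3sI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    inner = packet[vx_off + 8:udp_off + udp_len]
    return vni_field >> 8, inner, outer_src_ip


def sample_roundtrip(vni=5000):
    """Encapsulate a constructed inner frame between two VEM hosts and parse it back."""
    inner = (mac("00:0c:29:aa:bb:02") + mac("00:0c:29:aa:bb:01")
             + struct.pack("!H", ETHERTYPE_IPV4) + b"constructed inner payload")
    packet = vxlan_encapsulate(inner, vni,
                               outer_src_mac=mac("00:50:56:00:00:10"),
                               outer_dst_mac=mac("00:50:56:00:00:20"),
                               outer_src_ip=ipv4("10.10.10.10"),
                               outer_dst_ip=ipv4("20.20.20.20"))
    got_vni, got_inner, src = vxlan_decapsulate(packet)
    return got_vni, got_inner == inner, ".".join(str(b) for b in src), len(packet) - len(inner)


if __name__ == "__main__":
    print(sample_roundtrip())  # (5000, True, '10.10.10.10', 50)
```

The decapsulation side is the part worth keeping in mind for the later slides: a VEM only trusts the VNI it finds in the outer header, so the VM never sees the VXLAN ID, and anything arriving on port 4789 without the I flag set is rejected rather than guessed at.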
  • 10. Forwarding mechanisms similar to a Layer 2 bridge: flood and learn
    • The VEM learns each VM's source (MAC, host VXLAN IP) tuple
    • Broadcast, multicast and unknown unicast traffic: VM broadcast and unknown unicast traffic are sent as multicast
    • Unicast traffic: unicast packets are encapsulated and sent directly (not via multicast) to the destination host VXLAN IP (the destination VEM)
  • 11. Enhanced VXLAN (shipping): no multicast needed. For broadcast / unknown unicast, the VEM performs replication and encapsulation.
  • 12. Enhanced VXLAN MAC distribution (shipping): unknown unicast flood prevented
    • The VSM learns VXLAN / MAC and distributes VXLAN / MAC to every VEM's IP / MAC table
    • Example: VXLAN 5000 with VM 1 [a.a.a] and VM 2 [b.b.b] on host 10.10.10.10, VM 3 [c.c.c] and VM 4 [d.d.d] on host 20.20.20.20; the VSM table and each VEM table hold [a.a.a] [b.b.b] [c.c.c] [d.d.d] for VXLAN 5000
    • A malicious VM (M) in VXLAN 5000 sends unicast to MAC X: MAC X is not found in the table, so the packet is dropped
  • 13. Enhanced VXLAN ARP termination (preview): no ARP broadcast
    • In this mode the VEM learns VXLAN / IP / MAC; the VSM learns VXLAN / IP / MAC and distributes it to every VEM's IP / MAC table
    • Example: VXLAN 5000 with VM 1 [192.1.1.1,a.a.a], VM 2 [192.1.1.1,b.b.b], VM 3 [192.1.1.1,c.c.c] across hosts 10.10.10.10 and 20.20.20.20
    • VM 3 sends an ARP request for 192.1.1.1: 192.1.1.1 is found in VXLAN 5000, and the VEM sends the ARP reply with VM 1's MAC a.a.a
  • 14. VXLAN mode vs. packet type
    Packet                 | VXLAN (multicast mode)  | Enhanced VXLAN (unicast mode)  | Enhanced VXLAN MAC Distribution | Enhanced VXLAN ARP Termination
    Broadcast / Multicast  | Multicast Encapsulation | Replication plus Unicast Encap | Replication plus Unicast Encap  | Replication plus Unicast Encap
    Unknown Unicast        | Multicast Encapsulation | Replication plus Unicast Encap | Drop                            | Drop
    Known Unicast          | Unicast Encapsulation   | Unicast Encap                  | Unicast Encap                   | Unicast Encap
    ARP                    | Multicast Encapsulation | Replication plus Unicast Encap | Replication plus Unicast Encap  | VEM ARP Reply
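The forwarding behaviour of slides 10 to 14, modelled as an added example (not code from the deck or from Cisco): a `Vsm` object plays the supervisor that learns VXLAN/MAC (and, for ARP termination, VXLAN/IP/MAC) entries and pushes them to every VEM, and a `Vem` object applies the rules from the table above to a frame sent by a local VM. It replays the two scenarios on slides 12 and 13 in each of the four modes, so the security-relevant difference is visible: a VM probing an unlearned MAC is flooded to every host in multicast and unicast mode but dropped once MAC distribution is on. The multicast group address, the unknown MAC "X" and the choice to flood an ARP request whose target IP is not in the table are constructed assumptions; the host IPs and placeholder MACs are the deck's own.

```python
"""Forwarding decisions of the four Nexus 1000V VXLAN modes listed on slide 14.

Added example, not code from the deck or from Cisco. A Vsm object plays the
Virtual Supervisor Module that learns VXLAN/MAC (and, for ARP termination,
VXLAN/IP/MAC) entries and pushes them to every VEM; a Vem object applies the
per-mode rules from the table to a frame sent by a local VM. The multicast
group address, the unknown MAC "X" and the choice to flood an ARP request
whose target IP is not in the table are constructed assumptions.
"""
from enum import Enum


class Mode(Enum):
    MULTICAST = "VXLAN (multicast mode)"
    UNICAST = "Enhanced VXLAN (unicast mode)"
    MAC_DISTRIBUTION = "Enhanced VXLAN MAC distribution"
    ARP_TERMINATION = "Enhanced VXLAN ARP termination"


BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


def is_group_mac(address):
    """True for broadcast/multicast (I/G bit set); placeholders like 'a.a.a' count as unicast."""
    try:
        return bool(int(address.split(":")[0], 16) & 1)
    except ValueError:
        return False


class Vsm:
    """Learns VXLAN -> {MAC: host VXLAN IP} and VXLAN -> {IP: MAC}, distributes to all VEMs."""

    def __init__(self):
        self.mac_table, self.ip_table, self.vems = {}, {}, []

    def register(self, vem):
        self.vems.append(vem)

    def learn(self, vni, vm_mac, host_ip, vm_ip=None):
        self.mac_table.setdefault(vni, {})[vm_mac] = host_ip
        if vm_ip is not None:
            self.ip_table.setdefault(vni, {})[vm_ip] = vm_mac
        for vem in self.vems:  # VSM distributes VXLAN / MAC (and IP) to every VEM
            vem.mac_table = {v: dict(t) for v, t in self.mac_table.items()}
            vem.ip_table = {v: dict(t) for v, t in self.ip_table.items()}


class Vem:
    def __init__(self, host_ip, mode, peer_host_ips, mcast_group):
        self.host_ip, self.mode = host_ip, mode
        self.peers, self.mcast_group = sorted(peer_host_ips), mcast_group
        self.mac_table, self.ip_table = {}, {}

    def flood(self):
        """Multicast mode uses the group; every Enhanced mode replicates to each peer VEM."""
        if self.mode is Mode.MULTICAST:
            return ("multicast-encap", self.mcast_group)
        return ("replicate-unicast-encap", list(self.peers))

    def forward(self, vni, dst_mac, arp_target_ip=None):
        """Decide what happens to one frame from a local VM; returns (action, detail)."""
        if arp_target_ip is not None:  # ARP request
            if self.mode is Mode.ARP_TERMINATION:
                target_mac = self.ip_table.get(vni, {}).get(arp_target_ip)
                if target_mac is not None:
                    return ("vem-arp-reply", target_mac)
            return self.flood()  # unknown target: flood (assumption, not stated on the slide)
        if is_group_mac(dst_mac):
            return self.flood()
        host_ip = self.mac_table.get(vni, {}).get(dst_mac)
        if host_ip == self.host_ip:
            return ("local-deliver", dst_mac)
        if host_ip is not None:
            return ("unicast-encap", host_ip)
        if self.mode in (Mode.MAC_DISTRIBUTION, Mode.ARP_TERMINATION):
            return ("drop", "unknown unicast: MAC not in distributed table")
        return self.flood()


def build_fabric(mode, mcast_group="239.1.1.1"):
    """Two hosts in VXLAN 5000 as on slides 12 and 13 (the deck's placeholder MACs/IPs)."""
    vsm = Vsm()
    host_ips = {"10.10.10.10", "20.20.20.20"}
    vems = {ip: Vem(ip, mode, host_ips - {ip}, mcast_group) for ip in host_ips}
    for vem in vems.values():
        vsm.register(vem)
    vsm.learn(5000, "a.a.a", "10.10.10.10", vm_ip="192.1.1.1")
    vsm.learn(5000, "b.b.b", "10.10.10.10")
    vsm.learn(5000, "c.c.c", "20.20.20.20")
    vsm.learn(5000, "d.d.d", "20.20.20.20")
    return vems


def scan_unknown_mac(mode):
    """Slide 12: a VM on 20.20.20.20 sends unicast to MAC X that no VEM has learned."""
    return build_fabric(mode)["20.20.20.20"].forward(5000, "X")


def arp_for_vm1(mode):
    """Slide 13: VM 3 on 20.20.20.20 ARPs for 192.1.1.1."""
    return build_fabric(mode)["20.20.20.20"].forward(5000, BROADCAST_MAC, arp_target_ip="192.1.1.1")


def known_unicast_to_vm1(mode):
    return build_fabric(mode)["20.20.20.20"].forward(5000, "a.a.a")


if __name__ == "__main__":
    for mode in Mode:
        print(mode.value, "|", scan_unknown_mac(mode), "|", arp_for_vm1(mode))
```

Running the module prints one line per mode; the row for MAC distribution shows the unknown-MAC probe ending in a drop on the sending VEM, which is the "unknown unicast flood prevented" claim of slide 12, and the ARP termination row shows the ARP request answered locally by the VEM with a.a.a, as on slide 13, so neither packet ever reaches the other host.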
  • 15. Summary
    • Shipping: Nexus 1000V with Enhanced VXLAN, simplifying and scaling VXLAN
    • IP multicast is no longer required to deploy VXLAN
    • Cisco invented VXLAN and continues to enhance VXLAN
    • Cisco continues to drive VXLAN standardization at IETF, even with Enhanced VXLAN
  • 16. Visit Cisco Booth 1005. In collaboration with Intel®.
    • Twitter: @ciscoDC, #ciscovmw
    • Facebook: http://www.facebook.com/CiscoDC
    • Youtube: http://www.youtubecisco.com/datacenter
    • Cisco DCC Blog: http://blogs.cisco.com/datacenter
    • Slideshare: http://slideshare.com/CiscoDataCenter
    • Community: https://communities.cisco.com/community/technology/datacenter
    • Pinterest: http://pinterest.com/ciscosystems/data-center
    • LinkedIn: http://www.linkedin.com, search for the "Cisco Data Center" group
    • Google+: http://goo.gl/irm4b
    Intel, the Intel logo, Xeon and Xeon inside are trademarks of Intel Corporation in the U.S. and other countries.
  • 18. Overlay: instant provisioning. The overlay spans VMs across the data center network, but reaching the physical firewall, bare-metal servers, router and WAN goes through gateways.
    • The overlay needs a gateway to access the physical network
    • The physical network has to support the overlay traffic pattern
  • 19. VXLAN to VLAN Gateway
    • Hosted on the local hypervisor as a virtual machine connected to the Virtual Ethernet Module
    • Managed as a module from the VSM
    • Active/standby VXLAN gateway
    • Integrated with OpenStack
    • Scale: 4 VXLAN gateways per VSM, 2k active VXLANs, 2k active VLANs
  • 20. Example: L2 Domains A, B and C over a Layer 3 network. VXLAN gateways connect a Web VM on VXLAN 5500 to VLAN 100 and VLAN 200, reaching an ASA 5500 and a bare-metal DB server.