Cisco Virtualized Network Services: Ready for your Cloud

Slide 1: Cisco Virtualized Network Services: Ready for Your Cloud
Soumen Chatterjee, Product Manager, Data Center Group
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Slide 2: Virtual Appliance
The Nexus 1010 hosts Virtual Service Blades: VSM (primary), VSM (secondary), NAM and VSG, with L3 connectivity to VEM-1, VEM-2 and VEM-3, each running vPath and VXLAN on VMware ESX, Win Server 2012 or an open source hypervisor.
• vPath: Service Binding (Traffic Steering); Fast-Path Offload
• VXLAN: 16M address space for LAN segments; Network Virtualization (MAC-over-UDP)
Glossary: VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module; vPath: Virtual Service Data-path; VXLAN: Scalable Segmentation; NAM: Network Analysis Module; VSG: Virtual Security Gateway; vWAAS: Virtual WAAS; DCNM: Data Center Network Manager; ASA 1000V: Tenant-edge security

Slide 3: Virtual Security Gateway and ASA 1000V
• Virtual Security Gateway: zone based segmentation of VMs
• ASA 1000V: external / multi-tenant edge deployment
Both are inserted through vPath on the Nexus 1000V in the hypervisor and managed by the Virtual Network Mgmt Ctr (VNMC).

Slide 4: Virtual Security Gateway (VSG) and Virtual Network Management Center (VNMC)
VSG:
• Context aware Security: VM context aware rules
• Zone based Controls: establish zones of trust
• Dynamic, Agile: policies follow vMotion
• Best-in-class SW Architecture: efficient, fast, scale-out (with vPath intelligence)
VNMC:
• Non-Disruptive Operations: security team manages security
• Policy Based Administration: central mgmt, scalable deployment, multi-tenancy
• Designed for Automation: XML API, security profiles

Slide 5: Virtual Security Gateway for Nexus 1000V
Context-based, virtualization-aware, multi-tenant workload segmentation for data centers and clouds. VMs sit on the Nexus 1000V Distributed Virtual Switch with vPath; a VSG (active) and a VSG (stand-by) are managed by VNMC.
• Secure Segmentation (VLAN agnostic)
• Efficient Deployment (secure multiple hosts)
• Dynamic policy-based provisioning
• Transparent Insertion (topology agnostic)
• Mobility aware (policies follow vMotion)
• High Availability
• Log/Audit
VNMC: Virtual Network Management Center

Slide 6: Secure zoning of 3-Tier Application Workload
Tenant_A and Tenant_B each contain a Web zone (Web Server), an App zone (App Server) and a DB zone (DB server), with a VSG for secure zoning in each tenant.
• Only permit Web Servers access to App servers via HTTP/HTTPS
• Only permit App servers access to DB servers
• Port 80 (HTTP) and 443 (HTTPS) of Web Servers open
• Only Port 22 (SSH) of App Servers open
• All other traffic denied
• ASA Firewall for inter-tenant edge control (VLAN based)

Slide 7: Rule structure
A rule consists of a Source Condition, a Destination Condition and an Action.
• Condition attribute types: Network, VM, User Defined, vZone
• Network attributes: IP Address, Network Port
• VM attributes: Instance Name, Guest OS full name, Guest OS Host name, Parent App Name, Cluster Name, Hypervisor Name, Resource-pool, Port Profile Name, Zone Name
• Operators: eq, neq, gt, lt, range, Not-in-range, Prefix, member, Not-member, Contains
ACE: Access Control Entry

Slide 8: Data center security layers (Core, Aggregation, Access, Virtual Access, Storage, UCS)
Security Management:
• Visibility
• Event correlation, syslog, centralized authentication
• Forensics
• Anomaly detection
• Compliance
Infrastructure Security:
• Infrastructure Security features are enabled to protect device, traffic plane and control plane
• 802.1ae and vPC provide internal/external separation
• ACLs, Port Security, VN Tag, Netflow, ERSPAN, QoS, CoPP, DHCP snooping
Services:
• Initial filter for DC ingress and egress traffic
• Virtual Context used to split policies for server-to-server filtering
• Additional firewall services for server farm specific protection
• IPS/IDS provide traffic analysis and forensics
• Network Analysis provides traffic monitoring and data analysis
• Server load balancing masks servers and applications
Data security: Virtual Firewall, authenticate and access control, Real-time Monitoring, Firewall Rules

Slide 9: Private and Public/Shared zones
• Front-end Tenant Perimeter: Less Trusted Zones (Tenant VRF), ASA Context (per tenant), Protected VRF (control point)
• Back-end Tenant Perimeter: Nexus 1000v vPath with VSG, Sub-Zones W, X, Y and Z
• Back-end Management Perimeter
• Front-end Zones: Public Zone (DMZ), Protected FE Zone 1, Zone 2, Zone 3; Back-end Zones

Slide 10: (diagram only, no slide text)

Slide 11: Virtual Network Management Center (VNMC) with VMware vCenter
Tenant A and Tenant B each have a VDC with vApps protected by VSG and ASA 1000V, inserted via vPath on the Nexus 1000V under vSphere.
• Virtual ASA provides consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• Solution provides: increased flexibility and operational efficiency via vPath (Nexus 1000V); dynamic, context-aware, multi-tenant management via VNMC

Slide 12: ASA 1000V, built using ASA technology
• IPSec VPN (Site-to-Site)
• NAT
• DHCP
• Default Gateway
• Static Routing
• Stateful Inspection
• IP Audit
• Inter-operability with VSG via Service Chaining
• Support for VXLAN
• Multi-tenant management via VNMC

Slide 13: (diagram only, no slide text)

Slide 14: Cloud-ready WAN Optimization
Virtual WAAS "Appliances" run on an ESX/ESXi hypervisor with Nexus 1000 vPath on UCS/x86 servers (Virtual WAAS on Nexus 1000V with vPath).
Features:
• Allows agile, elastic and multi-tenant deployment
• Supports DRE Cache in SAN
• Policy-based provisioning w/ Nexus 1000V
• Extends WAAS solution portfolio
Business benefits:
• Business agility with on-demand orchestration
• Lower operational cost, reduced migration risk
• Fault-tolerance with VM mobility awareness

Slide 15: vWAAS deployment models
1. Stand-alone (WCCP redirection from Nexus 2K/5K to a VMware ESXi server on UCS/x86):
• Traditional WAN edge deployment at branch and DC
• Gradual migration from physical to virtual
• Multi-tenancy support
2. vPath-integrated (Nexus 1000V vPath on VMware ESXi servers; UCS compute/physical servers and UCS compute/virtualized servers):
• Re-direction using vPath at VM level
• Elastic provisioning
• Multi-tenancy support

Slide 16: Tenant A virtualized/cloud data center
Zone A and Zone B are served by ASA 1000V, VSG and vWAAS over vPath and VXLAN on the Nexus 1000V, on top of the physical infrastructure (WAN, router, switches, servers) and multiple hypervisors.
• Nexus 1000V: distributed switch; NX-OS consistency
• VSG: VM-level controls; zone-based FW
• ASA 1000V: edge firewall, VPN; protocol inspection
• vWAAS: WAN optimization; application traffic
• CSR 1000V (Cloud Router): WAN L3 gateway; routing and VPN

Slide 17: (diagram only, no slide text)

Slide 18: Can be deployed by Enterprises or Cloud Providers
Enterprise A's DC connects via ASR and MPLS to its branch ISR and to the cloud provider's data center; Enterprise B's branch ISR connects over the Internet. The cloud provider's data center hosts Tenant A and Tenant B on virtual infrastructure (CSR 1000V, ASA 1000V) over physical infrastructure (WAN, router, switches, servers).
Enterprise use cases (CSR 1000V, ASA 1000V):
• Secure VPN Gateway
• L3 Extension
• Tenant Firewall
Cloud provider use cases:
• Secure VPN Gateway
• MPLS Extension
• Tenant Firewall

Slide 19: Thank you.
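The rule model on slide 7 (source and destination conditions over network, VM and zone attributes, combined with an operator and an action) and the 3-tier zoning on slide 6 can be illustrated with a small policy evaluator. This is an added example, not Cisco's VSG code: the attribute names are taken from slide 7, while the operator semantics, the dictionary rule format and the port values for the App to DB rule are assumptions made here.

```python
# Added example: first-match evaluator for VSG-style zone rules (assumed
# format, not Cisco's implementation). Attribute names follow slide 7.
from typing import Any, Callable

# Operators listed on slide 7; the semantics below are assumptions.
OPS: dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda a, b: a == b,
    "neq": lambda a, b: a != b,
    "gt": lambda a, b: a > b,
    "lt": lambda a, b: a < b,
    "range": lambda a, b: b[0] <= a <= b[1],
    "not-in-range": lambda a, b: not (b[0] <= a <= b[1]),
    "prefix": lambda a, b: str(a).startswith(b),
    "contains": lambda a, b: b in str(a),
    "member": lambda a, b: a in b,
    "not-member": lambda a, b: a not in b,
}

# A rule: {attribute: (operator, value)} for source and destination, plus an action.
Rule = tuple[dict, dict, str]


def matches(conds: dict, attrs: dict) -> bool:
    """Every condition must hold; a missing attribute never matches."""
    return all(name in attrs and OPS[op](attrs[name], val)
               for name, (op, val) in conds.items())


def evaluate(rules: list[Rule], src: dict, dst: dict) -> str:
    """First matching rule wins; unmatched flows are denied (slide 6)."""
    for src_cond, dst_cond, action in rules:
        if matches(src_cond, src) and matches(dst_cond, dst):
            return action
    return "deny"


# Tenant_A zoning from slide 6, expressed with slide-7 attributes (constructed).
TENANT_A: list[Rule] = [
    # Web servers may reach App servers only over HTTP/HTTPS.
    ({"Zone Name": ("eq", "Web")},
     {"Zone Name": ("eq", "App"), "Network Port": ("member", {80, 443})}, "permit"),
    # App servers may reach DB servers; the DB port is an assumed value.
    ({"Zone Name": ("eq", "App")},
     {"Zone Name": ("eq", "DB"), "Network Port": ("eq", 3306)}, "permit"),
    # Anything else in the tenant is denied by the default at the end of evaluate().
]
```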