Simplify, scale, and extend cloud networking with cisco nexus 1000 v

Simplify, Scale, and Extend Cloud Networking with Cisco Nexus 1000V: speaking session from VMworld 2013 (slide transcript)


  1. Simplify, Scale, and Extend Cloud Networking with Cisco Nexus 1000V. Han Yang, Cisco Systems, Inc. Session PHC6409 (#PHC6409)
  2. Agenda
     • Unified Fabric: Integrating Physical and Virtual Networking
     • Introduction to Cisco Virtual Machine Networking
     • Simplify, Scale, and Extend VXLAN
     • Virtualized Network Services with Cisco vPath
     • Secure Hybrid Cloud with Nexus 1000V InterCloud
     • Physical and Virtual Infrastructure Orchestration
     • Summary
     © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
  3. From Weeks of Manual Provisioning to Automated Self-Service Provisioning
     Diagram: the manual path Architect, Design ("Where can we put it?"), Procure, Install, Configure, Secure ("Is it ready?") takes weeks.
     • Faster application deployment is being demanded
     • Deploying applications requires acquiring and configuring physical and virtual infrastructures
     • Need network agility with best-in-class network services and SLAs
  4. Consistent Nexus Experience Across Virtual, Physical, and Cloud: Consistency, Reduced Risk, Rapid Deployment
     Services delivered the same way in each environment: intra-tenant security, inter-tenant security, application acceleration, routing and gateways, web-app firewall, load balancer.
  5. Full Portfolio of Best-in-Class Virtualized Network Services
     Cloud Network Services run on top of the physical infrastructure (WAN router, switches, servers):
     • Nexus 1000V: distributed switch, NX-OS consistency; multi-hypervisor (VMware, Microsoft, KVM*, Xen*); vPath; Enhanced VXLAN
     • Cisco Virtual Security Gateway (VSG): VM-level controls, zone-based firewall
     • ASA 1000V Cloud Firewall: edge firewall, VPN, protocol inspection
     • vWAAS: WAN optimization, application traffic
     • CSR 1000V (Cloud Services Router): WAN L3 gateway, routing and VPN
     • Network Analysis Module (vNAM)
     • Ecosystem services: Citrix NetScaler VPX / NetScaler 1000V virtual ADC; Imperva SecureSphere Web Application Firewall
     *KVM in beta, Xen prototype
  6. Across Hypervisors and Orchestration Tools
     Layered diagram, top to bottom:
     • Cloud portal and orchestration: vCloud Director / vCloud Automation Center, System Center, Citrix CloudPlatform, CIAC / OpenStack / partners
     • Hypervisor: vSphere, Hyper-V, XenServer, KVM
     • Virtual network infrastructure: L2-3 Nexus 1000V; L4-7 Cloud Network Services over vPath (VSG, ASA 1000V, WAAS, NAM, NetScaler, partners)
     • Physical network: Unified Fabric (Nexus 2000 to 7000), UCS computing platform, storage platform
  7. Nexus 1010/1110 Virtual Appliance
     Virtual service blades hosted on the appliance: Virtual Supervisor Module (VSM, primary and secondary), Network Analysis Module (NAM), Virtual Security Gateway (VSG), Data Center Network Manager (DCNM), vWAAS.
     Diagram: VEM-1 (VMware ESX), VEM-2 (Windows Server 2012) and VEM-3 (open-source hypervisor) each run vPath and VXLAN and reach the VSM over L3 connectivity; ASA 1000V sits at the tenant edge.
     Glossary: VSM, Virtual Supervisor Module; VEM, Virtual Ethernet Module; vPath, virtual service data path; VXLAN, scalable segmentation; VSG, Virtual Security Gateway; vWAAS, virtual WAAS; ASA 1000V, tenant-edge security.
  8. Freemium Pricing Model Offers Flexibility for Customers to Deploy a Cisco Virtual Data Center
     Nexus 1000V Essential Edition (no-cost version), "the world's most advanced virtual switch":
     • Full Layer-2 feature set
     • Security, QoS policies
     • VXLAN virtual overlays
     • Full monitoring and management capabilities
     • vPath-enabled virtual services
     Nexus 1000V Advanced Edition ($695 per CPU MSRP) adds Cisco value-add features for DC and cloud:
     • All features of Essential Edition
     • VSG firewall bundled (previously sold separately)
     • VXLAN to VLAN gateway
     • Support for Cisco TrustSec SGA policies
     • Platform for other Cisco DC extensions in the future
  9. Free Upgrade to Release 2.x Advanced Edition
     Customers with N1KV Release 1.x licenses bought and deployed get N1KV Release 2.x Advanced Edition at no cost (use existing licenses) and the VSG license* at no cost; an existing Cisco TAC support contract will include Cisco VSG support.
     *Contact a Cisco representative for free VSG licenses
  11. VXLAN: Logical Network Spanning Across Layer 3
     • Add more pods to scale
     • Utilize all links in a port channel with UDP (the outer UDP header gives the physical network a field to hash flows across links)
  12. VXLAN Encapsulation
     • Ethernet-in-IP overlay network: the entire L2 frame is encapsulated in UDP, with 50 bytes of overhead
     • Includes a 24-bit VXLAN identifier: 16 M logical networks, mapped into local bridge domains
     • VXLAN can cross Layer 3: the tunnel runs between VEMs; VMs do NOT see the VXLAN ID
     • IP multicast is used for L2 broadcast/multicast and unknown unicast
     • Technology submitted to the IETF for standardization with VMware, Citrix, Red Hat, and others; UDP port 4789 is assigned to VXLAN
     Frame layout: Outer MAC DA | Outer MAC SA | Outer 802.1Q | Outer IP DA | Outer IP SA | Outer UDP | VXLAN ID (24 bits) | Inner MAC DA | Inner MAC SA | Optional Inner 802.1Q | Original Ethernet Payload | CRC
  13. VXLAN Forwarding: Flood and Learn
     Forwarding mechanisms are similar to a Layer 2 bridge:
     • The VEM learns each VM's source (MAC, host VXLAN IP) tuple
     • Broadcast, multicast, and unknown unicast traffic: VM broadcast and unknown unicast traffic are sent as multicast
     • Unicast traffic: unicast packets are encapsulated and sent directly (not via multicast) to the destination host's VXLAN IP (the destination VEM)
  14. Enhanced VXLAN: No Multicast Needed (SHIPPING)
     For broadcast and unknown unicast, the sending VEM performs head-end replication and unicast encapsulation to each remote VEM, so the physical network needs no IP multicast.
  15. Enhanced VXLAN MAC Distribution: Unknown Unicast Flood Prevented (SHIPPING)
     Diagram: two VEMs (VXLAN IPs 10.10.10.10 and 20.20.20.20) across the data center network host VM 1 [a.a.a], VM 2 [b.b.b], VM 3 [c.c.c] and VM 4 [d.d.d] in VXLAN 5000, with the Nexus 1000V VSM in the control path.
     • The VSM learns VXLAN / MAC from each VEM
     • The VSM distributes the VXLAN / MAC table to every VEM, so each VEM's IP/MAC table for VXLAN 5000 holds [a.a.a], [b.b.b], [c.c.c], [d.d.d]
     • A malicious VM (M) in VXLAN 5000 sends unicast to MAC X: MAC X is not found in the table, so the packet is dropped rather than flooded to every VEM
  16. Enhanced VXLAN ARP Termination: No ARP Broadcast (PREVIEW)
     In this mode the VEM learns VXLAN / IP / MAC; the VSM learns and distributes the VXLAN / IP / MAC table, so each VEM's table for VXLAN 5000 holds [192.1.1.1, a.a.a], [192.1.1.1, b.b.b], [192.1.1.1, c.c.c] (as labelled on the slide).
     Diagram: VM 3 sends an ARP request for 192.1.1.1; the local VEM finds 192.1.1.1 in VXLAN 5000 and replies with VM 1's MAC a.a.a, so no ARP broadcast crosses the overlay.
  17. VXLAN Modes: Packet Handling
     Packet type           | VXLAN (multicast mode)  | Enhanced VXLAN (unicast mode)  | Enhanced VXLAN MAC Distribution | Enhanced VXLAN ARP Termination
     ----------------------+-------------------------+--------------------------------+---------------------------------+-------------------------------
     Broadcast / Multicast | Multicast encapsulation | Replication plus unicast encap | Replication plus unicast encap  | Replication plus unicast encap
     Unknown unicast       | Multicast encapsulation | Replication plus unicast encap | Drop                            | Drop
     Known unicast         | Unicast encapsulation   | Unicast encap                  | Unicast encap                   | Unicast encap
     ARP                   | Multicast encapsulation | Replication plus unicast encap | Replication plus unicast encap  | VEM ARP reply
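The table condenses slides 13 to 17 into four forwarding behaviours. The following Python model, added here as an illustration and not code from the presentation or from Cisco, walks a frame through a VEM in each mode so the differences (multicast group versus head-end replication, and the drop that MAC distribution gives unknown unicast, which is exactly what stops the "malicious VM" on slide 15 from flooding the overlay) can be exercised. The VTEP addresses, the VM MACs and IPs, VNI 5000 and the VNI-to-group mapping are constructed sample data, and the VSM is modelled as shared dictionaries the VEMs publish to; the real VSM/VEM control protocol is not reproduced.

```python
"""
Added example, not from the presentation: a toy model of the VEM forwarding
decision in the four VXLAN modes of the table above. VTEP IPs, VM MACs/IPs and
VNI 5000 are constructed sample data; the VSM is modelled as shared dictionaries
the VEMs publish to, not the real VSM/VEM control protocol.
"""
from dataclasses import dataclass
from typing import Optional

MULTICAST = "vxlan-multicast"           # VXLAN (multicast mode)
UNICAST = "enhanced-unicast"            # Enhanced VXLAN (unicast mode)
MAC_DISTRIBUTION = "mac-distribution"   # Enhanced VXLAN MAC distribution
ARP_TERMINATION = "arp-termination"     # Enhanced VXLAN ARP termination
BROADCAST = "ff:ff:ff:ff:ff:ff"
VM1, VM2 = "00:00:00:00:0a:aa", "00:00:00:00:0b:bb"   # stand-ins for the slide's [a.a.a], [b.b.b]


def is_bum(dst_mac: str) -> bool:
    """Broadcast or multicast destination: the group bit of the first octet is set."""
    return int(dst_mac.split(":")[0], 16) & 1 == 1


def group_for(vni: int) -> str:
    """Constructed VNI -> IP multicast group mapping used in multicast mode."""
    return "239.1.%d.%d" % ((vni >> 8) & 0xFF, vni & 0xFF)


@dataclass
class Frame:
    vni: int
    src_mac: str
    dst_mac: str
    arp_target_ip: Optional[str] = None   # set only on ARP requests


class Vsm:
    """Control plane: tables the VEMs publish and the VSM pushes back to every VEM."""
    def __init__(self):
        self.vems = []
        self.mac_table = {}   # (vni, mac) -> vtep ip
        self.ip_table = {}    # (vni, ip)  -> mac


class Vem:
    def __init__(self, vtep_ip: str, mode: str, vsm: Vsm):
        self.vtep_ip, self.mode, self.vsm = vtep_ip, mode, vsm
        self.local = {}     # mac -> vni of VMs on this host
        self.learned = {}   # (vni, mac) -> remote vtep, filled only by flood-and-learn
        vsm.vems.append(self)

    def attach_vm(self, vni: int, mac: str, ip: Optional[str] = None):
        self.local[mac] = vni
        if self.mode in (MAC_DISTRIBUTION, ARP_TERMINATION):
            self.vsm.mac_table[(vni, mac)] = self.vtep_ip   # VSM learns VXLAN/MAC
        if self.mode == ARP_TERMINATION and ip:
            self.vsm.ip_table[(vni, ip)] = mac              # VSM learns VXLAN/IP/MAC

    def remote_members(self, vni: int):
        return sorted(v.vtep_ip for v in self.vsm.vems
                      if v is not self and vni in v.local.values())

    def lookup(self, vni: int, mac: str) -> Optional[str]:
        if self.local.get(mac) == vni:
            return self.vtep_ip
        if self.mode in (MULTICAST, UNICAST):
            return self.learned.get((vni, mac))    # only what the data plane has seen
        return self.vsm.mac_table.get((vni, mac))  # VSM-distributed table

    def receive(self, frame: Frame, from_vtep: str):
        """Flood-and-learn: bind the source MAC to the sending VTEP, as a bridge binds MACs to ports."""
        if self.mode in (MULTICAST, UNICAST):
            self.learned[(frame.vni, frame.src_mac)] = from_vtep

    def forward(self, frame: Frame):
        """Decide what happens to a frame from a local VM; returns (action, destinations)."""
        vni, remote = frame.vni, self.remote_members(frame.vni)
        if frame.arp_target_ip is not None and self.mode == ARP_TERMINATION:
            mac = self.vsm.ip_table.get((vni, frame.arp_target_ip))
            if mac is not None:
                return "vem-arp-reply", [mac]   # answered on the host; nothing crosses the overlay
            # unknown target IP: assumed here to fall through to the broadcast path below
        if is_bum(frame.dst_mac):
            if self.mode == MULTICAST:
                action, dests = "multicast-encap", [group_for(vni)]
            else:
                action, dests = "replicate-unicast-encap", remote   # head-end replication
        else:
            dst_vtep = self.lookup(vni, frame.dst_mac)
            if dst_vtep == self.vtep_ip:
                return "local-deliver", []
            if dst_vtep is not None:
                action, dests = "unicast-encap", [dst_vtep]
            elif self.mode == MULTICAST:
                action, dests = "multicast-encap", [group_for(vni)]
            elif self.mode == UNICAST:
                action, dests = "replicate-unicast-encap", remote
            else:
                return "drop", []   # MAC distribution / ARP termination: unknown unicast never floods
        targets = remote if action == "multicast-encap" else dests
        for v in self.vsm.vems:          # deliver so flood-and-learn VEMs can learn the source tuple
            if v.vtep_ip in targets:
                v.receive(frame, self.vtep_ip)
        return action, dests


def two_host_overlay(mode: str):
    """Constructed topology from the slides: two VEMs and two VMs in VXLAN 5000."""
    vsm = Vsm()
    vem1, vem2 = Vem("10.10.10.10", mode, vsm), Vem("20.20.20.20", mode, vsm)
    vem1.attach_vm(5000, VM1, "192.1.1.1")
    vem2.attach_vm(5000, VM2, "192.1.1.2")
    return vem1, vem2


if __name__ == "__main__":
    for mode in (MULTICAST, UNICAST, MAC_DISTRIBUTION, ARP_TERMINATION):
        v1, _ = two_host_overlay(mode)
        print(mode, "unknown MAC ->", v1.forward(Frame(5000, VM1, "00:00:00:00:0e:ee")))
```

Run it in each mode and compare the results against the table row by row: in multicast and unicast mode a frame to an unknown MAC leaves the host (to the group or to every remote VEM) and the receiving VEM learns the sender, whereas in MAC distribution mode the same frame is dropped because the VSM-distributed table is the only source of truth. That is the property that makes the flood-prevention claim on slide 15 a security control and not just an optimization.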
  18. Overlay: Instant Provisioning
     • The overlay needs a gateway to reach the physical network (physical firewall, bare-metal servers, router, WAN)
     • The physical network must support the overlay traffic pattern
  19. VXLAN to VLAN Gateway (SHIPPING)
     • Hosted on the local hypervisor as a virtual machine connected to the Virtual Ethernet Module
     • Managed as a module from the VSM
     • Active/standby VXLAN gateway
     • Integrated with OpenStack
     • Scale: 4 VXLAN gateways per VSM; 2k active VXLANs; 2k active VLANs
  20. VXLAN to VLAN Gateway: Example Topology
     Diagram: a Web VM in VXLAN 5500 reaches, through VXLAN gateways, an ASA 5500 on VLAN 100 and a bare-metal DB server on VLAN 200; L2 domains A, B and C are stitched across the Layer 3 network.
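The encapsulation on slide 12 and the gateway on slides 19 and 20 are both just header manipulation, so they can be shown end to end with nothing but the standard library. The block below is an added example, not code from the presentation or a Cisco product: it builds the outer Ethernet/IPv4/UDP/VXLAN headers around an inner frame, parses them back, and translates the frame onto an 802.1Q VLAN the way the gateway slide shows VXLAN 5500 meeting VLAN 100. The MACs, VTEP addresses, the VNI-to-VLAN mapping and the source-port derivation (a hash of the inner headers, which is what gives the port channel on slide 11 something to balance on) are constructed assumptions. One caveat a practitioner should carry away: the VXLAN header itself carries no authentication, so a VTEP that accepts UDP/4789 from arbitrary sources will place a forged frame into whichever VNI the header names; the gateway here therefore refuses any VNI it has no mapping for, and real deployments restrict which addresses may send VXLAN to a VTEP.

```python
"""
Added example, not from the presentation: build, parse and gateway-translate
VXLAN frames with struct only. MACs, VTEP IPs and the VNI 5500 -> VLAN 100
mapping are constructed sample values; an untagged outer frame is assumed.
"""
import struct
import zlib

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_UDP = 17


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def ip(s: str) -> bytes:
    return bytes(int(o) for o in s.split("."))


def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_frame(dst: str, src: str, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """The inner frame as the VM emits it, optionally with an 802.1Q tag."""
    tag = b"" if vlan is None else struct.pack("!HH", ETHERTYPE_8021Q, vlan & 0x0FFF)
    return mac(dst) + mac(src) + tag + struct.pack("!H", ethertype) + payload


def vxlan_encap(inner: bytes, vni: int, src_vtep: str, dst_vtep: str, src_mac: str, dst_mac: str) -> bytes:
    """Outer Ethernet (14) + IPv4 (20) + UDP (8) + VXLAN (8) = 50 bytes around the inner frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    # Source port from a hash of the inner MAC header so ECMP/port-channel hashing spreads flows
    src_port = 49152 + (zlib.crc32(inner[:14]) & 0x3FFF)
    vxlan_hdr = struct.pack("!B3xI", 0x08, vni << 8)   # flags (I bit), reserved, VNI, reserved
    udp_len = 8 + len(vxlan_hdr) + len(inner)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)   # zero UDP checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                         IPPROTO_UDP, 0, ip(src_vtep), ip(dst_vtep))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    outer_eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return outer_eth + ip_hdr + udp_hdr + vxlan_hdr + inner


def vxlan_decap(packet: bytes):
    """Return (vni, src_vtep, dst_vtep, inner_frame); raise ValueError on anything else."""
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not untagged IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14 + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    src_vtep = ".".join(str(b) for b in packet[26:30])
    dst_vtep = ".".join(str(b) for b in packet[30:34])
    udp_off = 14 + ihl
    if struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN: wrong UDP destination port")
    vx = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", packet[vx:vx + 8])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set; receiver must drop")
    return vni_field >> 8, src_vtep, dst_vtep, packet[vx + 8:]


def vxlan_to_vlan_gateway(packet: bytes, vni_to_vlan: dict) -> bytes:
    """Decapsulate and re-emit the inner frame as an 802.1Q-tagged frame on the mapped VLAN."""
    vni, _, _, inner = vxlan_decap(packet)
    if vni not in vni_to_vlan:
        raise ValueError("no VLAN mapping for VNI %d; dropped" % vni)
    dst, src, ethertype, payload = inner[:6], inner[6:12], inner[12:14], inner[14:]
    if ethertype == b"\x81\x00":           # inner tag present: the gateway owns the VLAN, strip it
        ethertype, payload = inner[16:18], inner[18:]
    return dst + src + struct.pack("!HH", ETHERTYPE_8021Q, vni_to_vlan[vni] & 0x0FFF) + ethertype + payload


def gateway_accepts(packet: bytes, vni_to_vlan: dict) -> bool:
    try:
        vxlan_to_vlan_gateway(packet, vni_to_vlan)
        return True
    except ValueError:
        return False


def overhead_bytes(inner: bytes, packet: bytes) -> int:
    return len(packet) - len(inner)


if __name__ == "__main__":
    inner = ethernet_frame("00:50:56:00:00:02", "00:50:56:00:00:01", ETHERTYPE_IPV4, b"\x00" * 40)
    pkt = vxlan_encap(inner, 5500, "10.10.10.10", "20.20.20.20", "00:11:22:33:44:55", "66:77:88:99:aa:bb")
    print("overhead", overhead_bytes(inner, pkt), "decap", vxlan_decap(pkt)[:3])
    print("on VLAN", vxlan_to_vlan_gateway(pkt, {5500: 100})[:18].hex())
```

Note what the parser checks and what it cannot: it validates the outer ethertype, the UDP port and the VXLAN I flag, which is all the protocol offers, so the only thing standing between a spoofed VNI and a VLAN is the gateway's mapping table and whatever filtering the physical network applies to the VTEP addresses.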
  22. Cisco Cloud Network Services (CNS)
     Nexus 1000V with vPath on any hypervisor, carrying:
     • Nexus 1000V (distributed virtual switch): distributed switch, NX-OS consistency
     • VSG (zone-based firewall): VM-level controls, zone-based firewall
     • ASA 1000V (cloud firewall): edge firewall, VPN, protocol inspection
     • vWAAS (WAN optimization): WAN optimization, application traffic
     • CSR 1000V (cloud router): WAN L3 gateway, routing and VPN
     • vNAM (network analytics): application visibility (L2-L7), overlay intelligence (OTV, VXLAN, FP**)
     • Partner services: Citrix NetScaler 1000V virtual ADC, Imperva SecureSphere Web Application Firewall
     • A complete Layer 4 through 7 virtual service portfolio
     • Best-in-class service insertion technology with vPath
     • Built for all major hypervisor platforms
  23. Nexus 1110 Cloud Services Platform (10G and SSL ready)
     Hosts the VSM pair, DCNM* and the Cloud Network Services (Citrix NetScaler 1000V, Prime virtual NAM, Imperva SecureSphere WAF, Virtual Security Gateway) alongside Nexus 1000V with vPath on any hypervisor.
     • Dedicated cloud services appliance
     • Flexible, on-demand allocation of resources
     • Allows policy management by network teams
     VSM = Virtual Supervisor Module; DCNM = Data Center Network Manager; * 2H CY13
  24. Citrix NetScaler 1000V
     • Citrix best-in-class virtual application delivery controller (vADC)
     • Sold and supported by Cisco (Q3)
     • Integrated with Nexus 1100 and vPath
     VSM = Virtual Supervisor Module; DCNM = Data Center Network Manager; * 2H CY13
  25. Virtual Network Analysis Module (vNAM): Track Workload Performance and Resource Usage
     In the virtualized/cloud data center the virtual NAM sits beside Nexus 1000V, VSG and the application services of tenants A, B and C, and maintains consistency across physical and virtual environments.
     • Instrumentation and flexibility: increased agility
     • Analytics: optimized network resources
     • Programmability: enhanced operational efficiency
     • Awareness: improved application performance
  26. Imperva SecureSphere WAF on Cisco Nexus 1110
     Diagram: Internet (hackers and bots) -> firewall -> SecureSphere WAF -> web servers, inspecting HTTP and HTTPS for SQL injection, XSS, site scraping and web fraud.
     • Stops web attacks that lead to compromise and downtime
     • Easy to deploy and manage via the N1110; integrated with the Cisco Cloud Services portfolio
     • Presented as the most widely deployed WAF in the world (vendor claim on the slide)
  27. Cisco vPath Policy-Based Service Chaining Through Multiple Network Services
     Intelligent policy-based traffic steering through multiple network services, from the client to the web tier VMs and on to the DB tier:
     1) Client initiates a flow to the web server (the VIP is the server IP): Client -> LB-VIP
     2) NetScaler 1000V load-balances the web request and selects Web Server 1 (Client -> S1)
     3) Based on policy, vPath redirects the traffic to the service chain, starting with the zone-based firewall, VSG
     4) Traffic returns to the Virtual Ethernet Module, ready for the next network service
     5) The WAF inspects packets for web attacks, prevents the attack and generates alerts
     6) vPath forwards the packet to the web server VM
     7) Database tier security policy is applied
     8) Sent to the database
  28. vPath 3: Service Chaining
     • Service chaining with vPath and non-vPath network services
     • Virtual and physical network services
     • Any network service can now be distributed, not just firewalls
     • Submitted to the IETF for standardization*
     • Supporting multiple hypervisors
     Diagram: Nexus 1000V with vPath on any hypervisor steering a VM's traffic through vPath and non-vPath virtualized services and through vPath and non-vPath physical services.
     *http://tools.ietf.org/html/draft-quinn-nsh-00
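The eight steps on slide 27 are easier to reason about as a policy lookup plus an ordered walk, so here is an added example in Python that models them; it is not code from the presentation, from vPath or from any of the products named. A port profile binds an ordered list of services, each service inspects the packet and returns a verdict, and the chain stops at the first drop so the VM behind the profile never sees the packet. The zone rules, the two WAF signatures, the round-robin server pool and the sample requests are all constructed; the real VSG policy language, NetScaler's scheduling and Imperva's signatures are not reproduced.

```python
"""
Added example, not from the presentation: a toy model of vPath policy-based
service chaining for the web and database tiers on slide 27. Zone rules, WAF
signatures, the server pool and the requests are constructed sample data.
"""
import itertools
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class Packet:
    src_zone: str
    dst_zone: str
    dst_port: int
    payload: str = ""
    path: List[str] = field(default_factory=list)    # services that handled the packet, in order
    alerts: List[str] = field(default_factory=list)  # WAF findings


# Zone-based policy (constructed): permit only these (src zone, dst zone, port) triples.
ZONE_RULES = {("client", "web", 80), ("client", "web", 443), ("web", "db", 3306)}


def vsg_zone_firewall(pkt: Packet) -> str:
    """VSG stand-in: default deny, permit only on an explicit zone rule."""
    return "permit" if (pkt.src_zone, pkt.dst_zone, pkt.dst_port) in ZONE_RULES else "drop"


# Constructed signatures for two of the attack classes listed on the WAF slide.
WAF_SIGNATURES = {
    "sql-injection": re.compile(r"(?i)(\bunion\b.+\bselect\b|'\s*or\s+'?1'?\s*=\s*'?1|;\s*drop\s+table)"),
    "xss": re.compile(r"(?i)<\s*script\b|javascript:"),
}


def waf(pkt: Packet) -> str:
    """WAF stand-in: block the request and raise an alert on the first matching signature."""
    for name, pattern in WAF_SIGNATURES.items():
        if pattern.search(pkt.payload):
            pkt.alerts.append(name)
            return "drop"
    return "permit"


# Port profile -> ordered service chain: the policy vPath steers by.
SERVICE_CHAINS = {
    "web-tier": [("vsg", vsg_zone_firewall), ("waf", waf)],
    "db-tier": [("vsg", vsg_zone_firewall)],
}


def vpath_steer(port_profile: str, pkt: Packet) -> str:
    """Steps 3-6: redirect to each service in turn, back to the VEM after each; deliver only if all permit."""
    for name, service in SERVICE_CHAINS[port_profile]:
        pkt.path.append(name)
        if service(pkt) == "drop":
            return "drop"                 # chain short-circuits; the VM never sees the packet
    pkt.path.append(port_profile)         # forwarded to the VM behind the port profile
    return "permit"


WEB_POOL = itertools.cycle(["web-1", "web-2"])   # NetScaler 1000V stand-in: round-robin real servers


def handle_client_request(http_request: str, dst_port: int = 80) -> dict:
    """Steps 1-8 of the slide: VIP, server selection, web-tier chain, then the database-tier chain."""
    server = next(WEB_POOL)                                        # step 2
    web_pkt = Packet("client", "web", dst_port, http_request)
    if vpath_steer("web-tier", web_pkt) == "drop":
        return {"server": server, "verdict": "drop", "path": web_pkt.path, "alerts": web_pkt.alerts}
    db_pkt = Packet("web", "db", 3306, "SELECT ... (constructed query from the web VM)")
    verdict = vpath_steer("db-tier", db_pkt)                       # steps 7-8
    return {"server": server, "verdict": verdict, "path": web_pkt.path + db_pkt.path, "alerts": []}


if __name__ == "__main__":
    for req in ("GET /catalog?id=42 HTTP/1.1", "GET /catalog?id=42' OR '1'='1 HTTP/1.1"):
        print(req, "->", handle_client_request(req))
```

The order of the chain is itself a policy decision: putting the zone firewall before the WAF means a request to a port no rule permits is dropped without ever being pattern-matched, and the recorded path shows exactly which service made the decision, which is what an analyst wants when correlating a WAF alert with the flow that triggered it.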
  29. CSR 1000V: Can Be Deployed by Enterprises or Cloud Providers
     Enterprise use cases: secure multipoint VPN gateway; L3 extension; VXLAN gateway
     Cloud provider use cases: secure VPN gateway; MPLS extension
     Diagram: Enterprise A's data center (ASR) and branch (ISR), and Enterprise B's branch (ISR), connect over the Internet and MPLS to CSR 1000V instances in the cloud provider's data center, one per tenant (Tenant A, Tenant B), in front of the provider's virtual infrastructure and physical infrastructure (WAN router, switches, servers).
  31. Hybrid Cloud Challenges
     Diagram: VMs in the enterprise data center and in a public cloud VPC forming one hybrid cloud.
     • Complex use, lack of visibility and flexibility
     • Security: workload security and connection security
     • Transparent migration between on-premises and cloud
     • Reinventing it: new techniques for every cloud
  32. Nexus 1000V InterCloud: Enterprise Apps and Network Services on the Public Cloud
     Without it, moving a workload to a provider cloud means: program unique APIs, convert the image format, reconfigure the application, insert custom tools, recreate services, validate operations, onboard new monitoring, use the cloud's provisioning, identify new security, translate policies.
     With Nexus 1000V InterCloud: centralized VM migration and management, with L2 services, routing, optimization, firewalls and IDS extended from the enterprise cloud to the provider cloud. Enterprise side: visibility, control, security. Provider side: resources, ease of business, value.
  33. Nexus 1000V InterCloud (continued)
     • All data in motion is cryptographically isolated and encrypted: enterprise to cloud, and VM to VM within the cloud
     • The enterprise owns the keys
  34. InterCloud + Cisco Intelligent Automation for Cloud
     • The user requests cloud services via the end-user portal (Cisco Cloud Portal)
     • Cisco Process Orchestrator manages the workflow across multiple cloud environments
     • Cisco Prime Network Services Controller (management layer, integrated via the northbound API): policy manager, resource manager, service registry, VM manager, cloud provider manager
     • Nexus 1000V (platform layer): N1KV switching, firewall, routing, cryptographically secured transport; workloads are moved from the private cloud to the cloud provider (Tenant B) via InterCloud
  36. Innovative Building Blocks
     Bundled functions are modular and simplified for scale and automation: virtual fabrics, optimized network fabric management, workload automation.
  37. Programmatic Orchestration Stack
     Auto-configuration triggers: N1K for virtual machines; VDP; DHCP / ARP-ND data-packet-driven triggers for physical machines.
     Stack: network and services orchestration; compute and storage orchestration; Cisco Prime DCNM.
  38. Automated Tenant Network Instantiation
     Components: Cisco Prime DCNM configuration profiles; OpenStack or vCloud Director; Cisco N1kV DVS.
     1) Create the tenant network
     2) Communicate the tenant network to the fabric
     a) A new VM gets created in the red network
     b) The fabric instantiates the red network (VRF x, interface BDI b)
  39. Nexus 1000V Fits within Application Centric Infrastructure
     Unified API and unified information model (RESTful XML/JSON API); open APIs, open source, open standards; common policy-driven operational model.
     Elements: network infrastructure, network services (hypervisor network services, ASA), security, storage (future), compute (future). Network management, automation and orchestration aim at efficiency, scale, optimization, telemetry and application awareness.
  41. Cisco Cloupia: Multi-tenant Infrastructure Management Platform
     Cloupia provides unified, centralized management of physical and virtualization infrastructure in private and hybrid clouds.
     • Single, unified product built from the ground up
     • Modular architecture
     • Extensibility through APIs
     • Deployed as on-premises virtual appliance(s)
     Virtual infrastructure management provides: policy-driven, self-service infrastructure; lifecycle management.
     Integrations: physical infrastructure (blade server managers, storage APIs, network API/CLI, API to Cisco UCSM; Cisco UCS, Cisco Nexus); virtual infrastructure (vCenter, SCVMM, RM; VMware, Hyper-V, KVM); other providers (Savvis VPDC, Terremark, Amazon, Entel, Rackspace); enterprise systems (LDAP, CMDB, metering DB); Cloupia Network Services Agent.
     Interfaces: self-service catalog, admin console, dashboard and mobile platform for IT admins, IT operations and end users.
  42. UCS Director: Integrated Multi-tenant Cloud Platform
     Diagram: UCS Director drives vCenter Server, which manages the Nexus 1000V VSM and the Nexus 1000V VEMs on the VMware hosts; the CNSA server reaches the hosts over SSH.
     • Install bare-metal ESXi
     • Download and install the VEM using a Cloupia script
     • Configure/unconfigure port profiles, VLAN, ACL, VXLAN
  43. End-to-End Operations and Provisioning in Minutes
     • Single-click provisioning
     • Intelligent resource allocation
     • Automated, controlled delivery
     Result: improved time to market.
  44. Summary
     • Accelerating application deployment requires physical, virtual, and cloud infrastructure automation
     • Cisco provides consistent Layer 2-7 networking for physical, virtual, and cloud deployments: design once, run everywhere
     • vPath 3 for standardized service chaining for virtual and physical network services
     • Orchestration tool of your choice: vCD, SCVMM, OpenStack, CloudStack, UCS Director, and more
     • Supports multiple hypervisors: vSphere, Hyper-V, KVM
     • Single network for physical, virtual, and cloud: consistent operational model and troubleshooting, especially with ACI
  45. Thank you.
  46. Other VMware Activities Related to This Session
     • HOL: HOL-PRT-1305 Cisco - Enhanced VXLAN Networking in vCloud Director
     • Group Discussions: PHC1001-GD vCHS Networking with Greg Herzog