This document discusses the Cisco Nexus 1000V virtual switch, which provides virtual machine-level network visibility and policy enforcement within VMware vSphere environments. The Nexus 1000V replaces the hypervisor virtual switch with Cisco's modular software switch. It extends the network to each virtual machine and allows consistent network and security policies to follow VMs during live migration. The Nexus 1000V integrates tightly with VMware vCenter and leverages Cisco's NX-OS operating system, providing familiar CLI management of the virtual switch.

1. Cisco Nexus 1000V:
Technical Preview
Paul Fazzone
Product Manager
pf

2. Transparency in the Eye of the Beholder
With virtualization,
VMs have a
transparent view of
their resources…

3. Transparency in the Eye of the Beholder
…but its difficult to
correlate network and
storage back to virtual
machines

4. Transparency in the Eye of the Beholder
Scaling globally depends
on maintaining
transparency while also
providing operational
consistency

5. Networking Challenges to Scaling Server Virtualization
Security and Policy Operations and Organizational
Enforcement Management Structure
Applied at physical Lack of VM visibility, Muddled ownership
server—not the accountability, and as server admin
individual VM consistency must configure
virtual network
Impossible to enforce Inefficient
policy for VMs in management model Organizational
motion and inability to redundancy creates
effectively compliance
troubleshoot challenges

6. Why the Network is Changing…
Desire for VM-level access-layer policy & monitoring
Virtualization is driving higher link utilization
More demanding role of network (i.e. DRS, vMotion)
Current approaches lead to inconsistent network policies

7. Cisco Virtual Network Link – VN-Link
Virtual Network Link (VN-Link) is about:
– VM-level network granularity
– Mobility of network and security properties
(follow the VM)
VNIC
– Policy-based configuration of VM interfaces VNIC
Hypervisor
(Port Profiles)
– Non-disruptive operational model
VN-Link refers to a literal link
VN-Link with Nexus 1000V VETH VETH
– Replaces Hypervisor switch with Cisco modular
switch (software)

8. VN-Link Brings VM Level Granularity
Problems:
VMotion
 VMotion may move VMs across
physical ports—policy must follow
 Impossible to view or apply policy to
locally switched traffic
 Cannot correlate traffic on physical
links—from multiple VMs
VLAN
101
VN-Link:
Extends network to the VM
Consistent services
Coordinated, coherent management

9. VN-Link With the Cisco Nexus 1000V
Cisco Nexus 1000V
Software Based
Server
 Industry’s first 3rd-party vNetwork VM VM VM VM
#1 #2 #3 #4
Distributed switch for ESX
 Built on Cisco NX-OS
Nexus 1000V
 Compatible with all switching platforms VMW ESX
 Maintain vCenter provisioning model NIC NIC
unmodified for server administration;
allow network administration of Nexus Nexus
1000V
1000V via familiar Cisco NX-OS CLI
LAN
Policy-Based Mobility of Network Non-Disruptive
VM Connectivity & Security Properties Operational Model

10. vNetwork – 3rd Party Virtual Switches
 Enterprise networking vendors can
provide their own implementations
CURRENT
of the virtual switch leveraging the
vSwitch
vSwitch vSwitch vNetwork switch API interfaces
 Enables support for 3rd party
networking capabilities, including
monitoring and management of the
virtual network
vNetwork
vNetwork Distributed Switch Third Party Switch Products
vNetwork Platform vNetwork Platform

11. VI Virtual Networking - 3rd Party Virtual Switch Style
Host1 Host2 Host3 Host4
W2003EE-32-A W2003EE-32-B W2003EE-32-A2 W2003EE-32-B2 W2003EE-32-A3 W2003EE-32-B3 W2003EE-32-A4 W2003EE-32-B4
Single
Distributed
Port
Group
3rd Party Distributed vSwitch Machine Network
Virtual Single
Distributed
vNetwork Platform Switch
3rd Party Distributed
Switch Spanning
Host1, Host2,
Host3, Host4

12. Cisco Nexus 1000V Architecture
Server 1 Server 2 Server 3
VM VM VM VM VM VM VM VM VM VM VM VM
#1 #2 #3 #4 #5 #6 #7 #8 #9 #10 #11 #12
VEM
VMware vSwitch VEM
VMware vSwitch VMware vSwitch
VEM
VMW ESX VMW ESX VMW ESX
Virtual Supervisor Module (VSM)
 Virtual or Physical appliance running
Virtual Ethernet Module (VEM)
Cisco OS (supports HA)
 Enables advanced networking
Cisco Nexus 1000V Installation:&
 Performs management, monitoring,
capability on the hypervisor vCenter
 configuration
ESX & ESXi
 Provides each VM with dedicated
 Tight integrationInstallation
“switch Manual with VMware
 VUM & port” Nexus 1000V
vCenter
 VEM is installed/upgraded like an
 Collection of VEMs = 1 Distributed
ESX patch
Switch
VSM

13. VSM to vCenter Communication
Nexus 1000V
vCenter VSM
Two-way API between the VSM and vCenter
Certificate (Cisco self signed or customer supplied) ensures secure
communications
Connection is setup on the VSM
n1000v# show svs connections
connection vc:
ip address: 10.95.5.227
protocol: vmware-vim https
datacenter name: Nexus1K-RC1
DVS uuid: 58 ae 0f 50 c4 f9 af 4d-47 df c7 a8 f5 72 f5 64
config status: Enabled
operational status: Connected

14. Deploying the Cisco Nexus 1000V
Collaborative Deployment Model
1. VMW vCenter & Cisco
Nexus 1000V Server 1
relationship established
2. Network Admin
configures Nexus 1000V
Nexus 1000V—VEM
to support new ESX
hosts VMW ESX
3. Server Admin plugs new
ESX host into network & 3.
adds host to Cisco 2.
switch in vCenter
Nexus 1000V
vCenter 1. VSM

15. Deploying the Cisco Nexus 1000V
Collaborative Deployment Model
1. VMW vCenter & Cisco
Nexus 1000V Server N Server 1
relationship established
2. Network Admin
configures Nexus 1000V
to support new ESX Nexus 1000V—VEM Nexus 1000V 1000V—VEM
Nexus
hosts VMW ESX VMW ESX
3. Server Admin plugs new
ESX host into network &
adds host to Cisco
4.
switch in vCenter
Nexus 1000V
4. Repeat step three to
add another host and
extend the switch
vCenter
configuration VSM

16. Cisco Nexus 1000V Architecture – Network View
nexus1000v01# show module
Mod Ports Module-Type Model Status
--- ----- -------------------------------- ------------------ ------------
1 1 Virtual Supervisor Module Nexus1000V active * VSM
3 48 Virtual Ethernet Module ok
4 48 Virtual Ethernet Module ok
VEM
Mod Sw Hw World-Wide-Name(s) (WWN)
--- -------------- ------ --------------------------------------------------
1 4.1(1a)S1(0.14 0.0 --
3 NA 0.0 --
4 NA 0.0 --
Mod MAC-Address(es) Serial-Num
--- -------------------------------------- ----------
1 00-19-07-6c-5a-a8 to 00-19-07-6c-62-a8 NA
3 02-00-0c-00-07-00 to 02-00-0c-00-07-80 NA
4 02-00-0c-00-08-00 to 02-00-0c-00-08-80 NA
Mod Server-IP Server-UUID Server-Name
--- --------------- ------------------------------------ --------------------
ESX
1 192.168.32.31
3 192.168.32.101 48c8d12a-1e15-00db-5efe-001e0bcae426 esx01a.cisco.com Details
4 192.168.32.102 48c8da10-e70b-aa66-3089-001e0bcab2e4 esx02b.cisco.com

17. vNetwork Distributed Switch – VI Admin View

18. Cisco Nexus 1000V - Faster VM Deployment
Virtualizing the Network Domain
Policy-Based Mobility of Network Non-Disruptive
VM Connectivity & Security Properties Operational Model
Server Server
VM VM VM VM VM VM VM VM
#1 #2 #3 #4 #5 #6 #7 #8
Cisco Nexus 1000V
Defined Policies VMW ESX VMW ESX
WEB Apps
HR
VM Connection Policy
 Defined in the network
DB
 Applied in vCenter
Compliance  Linked to VM UUID
vCenter

19. Policy Based VM Connectivity
Enabling Policy
1. Nexus 1000V automatically
enables port groups in vCenter Server 1
2. Server Admin uses vCenter to VM VM VM VM
#1 #2 #3 #4
assign vnic policy from available
port groups
3. Nexus 1000V automatically 2. Nexus 1000V - VEM
enables VM connectivity at VM VMW ESX
power-on
3.
WEB Apps:
 PVLAN 108, Isolated 1. Nexus 1000V
 Security Policy = Port 80 and 443 Available Port Groups
 Rate Limit = 100 Mbps
WEB Apps HR
 QoS Priority = Medium vCenter
 Remote Port Mirror = Yes DB Compliance VSM

20. Policy Definition with NX-OS Port Profiles
Port Profiles (aka Port Groups) defined in the Nexus 1000V VSM
Port profiles are pushed to vCenter via API
Upon connection/reconnection with vCenter the VSM re-verifies the
correct port profile configuration exists within vCenter
Port profile ‘state’ and ‘type’ must be set for propagation to occur
– N1K-CP(config-port-prof) state enable
– N1K-CP(config-port-prof) vmware port-group
(optional name)

21. Port Profile – Network View
n1000v-RC# show port-profile
port-profile web-server-dmz-2
description: Web Server – DMZ-2
status: enabled
capability uplink: no
system vlans: none
port-group: Web Server – DMZ-2
max-ports: 32 Port Group
inherit: Name
config attibutes:
switchport mode access
switchport acess vlan 5
ip port access-group web-secure in ACL
ip flow monitor output
no shutdown
evaluated config attibutes:
switchport mode access
switchport acess vlan 5
ip port access-group web-secure in
ip flow monitor output
no shutdown
assigned interfaces:
Vethernet10 Interfaces

22. Port Groups - VI Admin View
Consistent Workflow: VI admin
selects Port Groups when
configuring a VM in VMware
Virtual Infrastructure Client

23. Policy Based VM Connectivity
Virtualization Admin Benefits
Accelerate & Simplify deployment of new ESX hosts
– Network Admin provisions physical switch trunks & ESX host PNICs in a
uniform and consistent way (takes care of both sides of physical connection)
– Virtualization Admin 1) plugs in a new ESX host, 2) assigns PNICs to Cisco
vNetwork Distributed Switch in vCenter, 3) ESX PNIC configuration (including
vMotion & Console) automatically assigned and enabled, 4) ESX host ready
for VMs
Ensure proper connectivity & networking safeguards are in place
– Virtualization Admin leverages existing workflow (vCenter & Port Groups) to
assign VNIC policy.
– Network Admin responsible for ensuring Port Groups provide proper VLAN
access & DC network security policy
– Cisco Nexus 1000V extends VM networking to include IP/Port security rules,
multi-host PVLAN, Flow Statistics, Quality of Service.

24. Cisco Nexus 1000V
Richer Network Services
Virtualizing the Network Domain
Policy-Based Mobility of Network Non-Disruptive
VM Connectivity & Security Properties Operational Model
Server
VM VM VM VM
VM VM VM VM VM #1 VM#2 VM #3 VM #4
#1 #2 #3 #4 #5 #6 #7 #8
Cisco Nexus 1000V
VMW ESX VMW ESX
VMs Need to Move
 VMotion VN-Link Property Mobility
 DRS  VMotion for the network
 SW Upgrade/Patch  Ensures VM security
 Hardware Failure  Maintains connection state
vCenter

25. Mobility of Security & Network Properties
Following Your VMs Around
1. vCenter kicks off a Server 1 Server 2
VMotion (manual/DRS) VM VM VM VM VM VM VM VM
and notifies Nexus #1 #2 #3 #4 #5 #6 #7 #8
1000V
2. During VM replication, Nexus
Nexus 1000V—VEM 1000V
Nexus 1000 -—VEM
Nexus 1000V copies VM VMW ESX VMW ESX
port state to new host
Mobile Properties Include: 2.
 Port policy 1.
 Interface state and
counters Nexus 1000V
 Flow statistics Network Persistence
VMotion Notification

 Current: VM1 onstate 1
VM port config, Server
 Remote port mirror vCenter  New: VM1 on Server 2
 VM monitoring statistics
session VSM

26. Mobility of Security & Network Properties
Following Your VMs Around
1. vCenter kicks off a Server 1 Server 2
VMotion VM VM VM VM VMVM VM VM VM
(manual/DRS) & #1 #2 #3 #4 #1
#5 #6 #7 #8
notifies Nexus 1000V
2. During VM replication, Nexus
Nexus 1000V—VEM 1000V
Nexus 1000 -—VEM
Nexus 1000V copies VMW ESX VMW ESX
VM port state to new
host
3. Once VMotion 3.
completes, port on
new ESX host is
brought up & VM’s Nexus 1000V
MAC address is Network Update
 ARP for VM1 sent
announced to the to network
vCenter
network  Flows to VM1 MAC
redirected to Server 2 VSM

27. Mobility of Network & Security Properties
Virtualization Admin Benefits
Prevent ESX host/network config discrepancies from impacting
VMotion
– VMotion domains can be configured once and the vSwitch parameters across
the cluster will always be consistent with the physical network
Gain consistent visibility into VM-level I/O
– Virtual applications can be diagnosed using the same tools and method NOCs
currently use in the physical environment. 1 consistent operations model
provides faster MTTR of virtual applications
Secure I/O to VMs located in the DMZ
– The use of IP/Port security rules (also know as Access Control Lists) can lock
down traffic to/from a particular VM. For instance, a Web server in a DMZ can
have traffic limited only to Port 80 to support a Web Server. This rule set is
applied to the VM VNIC and moves with the VM during VMotion

28. Cisco Nexus 1000V
Increase Operational Efficiency
Virtualizing the Network Domain
Policy-Based Mobility of Network Non-Disruptive
VM Connectivity & Security Properties Operational Model
Server Server
VM VM VM VM VM VM VM VM
#1 #2 #3 #4 #5 #6 #7 #8
Cisco Nexus 1000V
Server Benefits VMW ESX
Network Benefits
VMW ESX
 Unifies network mgmt and ops
 Maintains existing VM mgmt
 Reduces deployment time  Improves operational security
 Improves scalability  Enhances VM network features
 Reduces operational workload  Ensures policy persistence
 Enables VM-level visibility  Enables VM-level visibility
vCenter

29. Non-Disruptive Operational Model
Virtualization Admin Benefits
VM workflow doesn’t change
– Virtualization administrator continues to leverage vCenter for VM creation,
maintenance, monitoring
ESX vSwitch configuration & management responsibility offloaded
– vSwitch and Port Groups now provisioned along with the physical network
infrastructure ensuring consistency, virtualization administrator subscribes
VMs to available Port Groups and vSwitch is dynamically provisioned
Equip Data Center operations teams to respond to applications
issues
– By extending the data center network operations model and troubleshooting
toolkit down to the virtualization infrastructure, customers can leverage
physical world tools and diagnostic procedures for their VM-based
applications – 1 consistent model for the whole data center

30. Increase Operational Efficiency
What stays the same? What gets better?

31. Key Features of the Cisco Nexus 1000V
 L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting
Switch  IGMP Snooping, QoS Marking/Classification
 Policy Mobility, PVLAN, ACL (L2–4 w/ Redirect), Port Security
Secure  Cisco Security Toolkit, TrustSec
 Automated vSwitch Config, Port Profiles, vCenter Integration
Provision  Virtual Port Channel – Host Mode
 Historical vMotion Tracking, ERSPAN, NetFlow v.9 w/ NDE, CDP v.2
View  VM-Level Interface Statistics, Wireshark
 vCenter VM Provisioning, Cisco Network Provisioning
Manage  Cisco CLI, XML API, SNMP (r/w)

32. Cisco Nexus 1000V
Three New Features that Make a Difference
Encapsulated Remote NetFlow v.9 Private VLANs
SPAN (ERSPAN) with Data Export (PVLANs)
 Mirror VM interface  View flow-based stats  Great for mixed use
traffic to a remote sniffer for individual VMs ESX clusters
 Identify root cause for  Captures multi-tiered  Segment VMs w/o
connectivity issues app traffic inside a burning IP addresses
 No host-based sniffer single ESX host
 Supports isolated,
virtual appliance to  Export aggregate stats community and
maintain to dedicated collector promiscuous trunk ports
 Follows your VM with  Follows your VM with  Follows your VM with
VMotion or DRS VMotion or DRS VMotion or DRS

33. Nexus 1000V Deployment Scenarios
Pick Your Flavor
Rack Optimized
1. Works with all servers on Servers
the VMW Hardware Blade Servers
Compatibility List
2. Requires next version of
VMW ESX or ESXi
(1H 2009)
3. Works with ANY
upstream switch (Blade,
Top or Rack, Modular)
4. Works at any speed
(1G or 10G) Nexus 1000V
5. Nexus 1000V VSM can
be deployed as a VM or a
physical appliance
VSM
vCenter

34. Olivier Parcollet
Direction des Systèmes
d'information
SETAO

35. SETAO Background
Responsible for urban transportation for metropolitan
area of Orleans
100,000 riders each day
24km MAN Metropolitan Area Network
High availability is critical

36. SETAO Design
Primary Data
Center VMotion
19 km
Backup Data
Center
DCI
VSS
SRM

37. Evaluation of Nexus 1000V beta
NX-OS consistent with rest of IOS-based network
– Provides visibility to each VM
Great for troubleshooting
– Tools to monitor and diagnose individual VM traffic
– Example: Use Cisco Discovery Protocol to isolate configuration errors
in physical network that cause VMotion problems
Very good integration with Virtual Center
– Example: Port Profiles automatically become Port Groups
Conclusion: Will deploy Nexus 1000V in production
– Already tested the migration in SEATO’s complex environment

38. Accelerate Server Virtualization
Enable, Simplify, Scale
Security and Policy Operation & Organizational
Enforcement Management Structure
Simplify Enable flexible
Enable VM-level management and collaboration with
security and policy troubleshooting with individual team
VM-level visibility autonomy
Scale the use of Scale with Simplify and
VMotion and DRS automated server & maintain existing
network VM mgmt model
provisioning

39. More Information…
VMWorld Europe 2009 Events
– TP34 – Designing the Next Generation Data Center – Ed Bugnion
– Nexus 1000V Demonstration – Cisco Booth
– VMware Nexus 1000V Hands-On LAB
On the Web
– http://www.cisco.com/go/1000v

41. Thank you for coming.
Rate your session and
watch for the highest scores!