Cisco Data Center 3.0 Update (transcript of Cisco slide deck BRKVIR-2002)
© 2009 Cisco Systems, Inc. All rights reserved. Cisco PublicBRKVIR-2002_c1 1
Cisco Data Center 3.0 Update: Virtual Experience Infrastructure
Cloud Computing: Definition and Components

IT resources and services that are abstracted from the underlying infrastructure and provided “on demand” and “at scale” in a multitenant and elastic environment.

A style of computing where massively scalable IT-enabled capabilities are delivered “as a service” to multiple external customers using Internet technologies.
Source: Gartner “Defining and Describing an Emerging Phenomenon,” June 2008.

Anywhere, Anyone, Any Service
Cloud Computing Model in a Data Center

Figure: moving from building point solutions to building an infrastructure offering. Left (point solutions): one silo per application, each with its own applications, servers, network and storage (Ethernet, FC, IP), manually provisioned as project-based vertical solutions. Right (infrastructure offering): a virtualization-aware network with automation, applications delivered as an IT service, and a holistic solution built on a virtualized shared resource pool of storage, Cisco UCS and Cisco Nexus.

IT as a Service Model …
5 Key Differentiators Improve TCO
1. Unified Management

• Fewer adapters and switches needed
• Lower CAPEX, power and administration costs; fewer maintenance and support contracts
• Fewer points of management
• Coordinated, consistent policy control
• Less HW and SW to buy and support

Figure: UCS Manager (A) provides a single domain of management across storage, compute and network, where the legacy approach needs additional central management servers (A1-1, A1-2, A2-1, A2-2, B1, B2, C, D).
5 Key Differentiators Improve TCO
2. Service Profiles & Dynamic Provisioning

• Unified management domain
  • Automatic discovery
  • Dynamic provisioning
• Building block for the dynamic data center
• Simplify management of infrastructure for ESX clusters and datacenters
• One-click configuration of LAN, SAN and firmware parameters
• Same HW dynamically deployed as different servers
• Faster deployment and redeployment

Figure: a service profile is applied to a blade through the XML API (versus traditional APIs) and covers the OS, application, firmware and network layers. Example service profile:
  Service Profile: HR-App1
  Network: HR-VLAN
  Network QoS: High
  MAC: 08:00:69:02:01:FC-E
  WWN: 5080020000075740-3B
  BIOS: Version 1.03
  Boot Order: SAN, LAN
5 Key Differentiators Improve TCO
2. Service Profiles & Dynamic Provisioning

• Buy fewer spares

Figure: the same three workloads (Web Servers, Oracle RAC, VMware) on blades, with and without service profiles. Without service profiles, each silo carries its own hot spare and burst-capacity spare next to the blades in normal use (eight web-server blades, five Oracle RAC blades, five VMware blades): total servers 18. With service profiles, one shared HA spare and shared burst capacity serve all three silos (four, three and three blades in normal use plus four shared spare/burst blades): total servers 14.

Without Service Profiles:
• Silos individually provisioned for peak demand and failures
• Spare idle servers require application-specific HW and firmware image configurations

With Service Profiles:
• Abstracted resources configured and provisioned as needed
• Availability and burst capacity delivered with fewer spares
5 Key Differentiators Improve TCO
3. Extended Memory Technology

• Fewer CPUs and servers needed
• Allows use of lower-cost memory components
• 70%-80% lower mainstream memory costs
• Unmatched high-end capacity
• Industry-standard DDR3

Memory cost per server, Cisco versus competitors (NOTE: DDR3 10600 memory pricing as of 9/29/09):

  Capacity   Cisco      Competitors
  48GB       $2,760     $2,808
  96GB       $5,760     $30,510
  144GB      $8,240     $40,620
  192GB      $10,992    $60,720
  384GB      $20,310    Not Available
5 Key Differentiators Improve TCO
4. Unified Fabric and Fabric Extenders

• Fewer adapters and switches needed
• Lower CAPEX, power and administration costs; fewer maintenance and support contracts

UCS versus legacy, layer by layer:
  Servers: a single CNA, versus an FC HBA plus a 10GbE adapter
  Chassis: 2 fabric extenders, versus 2 management modules plus 2-8 chassis fabric switches
  Rack and row: 2 fabric interconnects with fewer EOR ports required, versus separate FC and Ethernet fabrics with a greater number of TOR and/or EOR switch ports required
5 Key Differentiators Decrease TCO
5. VN-Link – Virtual Interface Card

• Increased system performance and I/O flexibility yields higher consolidation ratios
• Fewer adapters and switches needed

Figure: a PCIe x16 card with 10GbE/FCoE uplinks exposing user-definable vNICs (Eth 0, FC 1, QP 2, FC 3, … Eth 127).

UCS TCO inputs:
• Higher server consolidation ratios:
  • When combined with larger-memory servers, to support larger quantities of virtual machines per physical server
  • Positive impact on overall server system performance via pass-through switching (hypervisor bypass) enacted in hardware vs. software
  • More difficult to quantify
• VN-Link:
  • Supports service profiles and dynamic provisioning; contributes to assumptions for a lower system administration burden for UCS
  • More difficult to quantify
What does it all have to do with Virtual Machines?

Figure: VM1-VM4 on a blade, each attached to its own Palo (virtual interface card) port, with uplinks to IOM 1 and IOM 2.
• Ports tagged/untagged just like FEX ports
• Appear as virtual ports on the top-level bridge (6100)
• VNTag part: nothing
• Now connect each Palo port to a virtual machine
• Now: VN-Link! (VM-specific ports on the 6100)
Virtual eXperience Infrastructure
Virtualization Experience Infrastructure: New Business and Technical Architecture Approach

Figure: the VXI architecture.
  Business imperatives: total cost of ownership, data security, business agility and continuity.
  Platforms: desktop virtualization services on a virtualized end-to-end system (switching, security, application networking, storage) with a partner ecosystem.
  Pillars: virtualized collaborative workspace, virtualized data center, virtualization-aware network, end points.
  User experience: rich media, performance acceleration, security, mobility, policy, location awareness, high availability, energy efficiency.
  Components (Cisco and ecosystem partners): unified computing, unified communications, location, video streaming, management and policy, applications.
Design Validation and Best-Practices Sharing: Committed to Your Success

http://www.cisco.com/go/vdi
http://www.cisco.com/go/dcdesignzone
http://www.cisco.com/go/optimizemyapp

• Best-practices design zone
• Application certification
• Operational best practices
• Cisco® IT shared experiences
• More…
Cisco Desktop Virtualization Solution

Figure (Cisco Data Center Business Advantage Framework): clients reach the virtualized data center across the WAN; unified network services (Cisco WAAS, Cisco ACE, Cisco ASA) sit in front of the VDI broker; unified computing (the Cisco UCS platform hosting the desktop O/S, apps and data) connects over the unified fabric (Cisco Nexus, Cisco MDS 9000 family) to storage; partner solution elements complete the stack.

• 60% greater density of virtual desktops per server blade
• 1/3 cost of networking infrastructure
• UCS service profiles
• Bandwidth optimization and rich media acceleration
• Over 20% savings per seat* vs. competitors
VDI Overview: Business Drivers

• Capital Expenditures (CAPEX)
  Lengthened desktop hardware refresh cycles
  Reduced desktop hardware capital expenses
  Reduced desktop software licenses
• Operational Expenditures (OPEX)
  Reduced desktop software maintenance and operational expenses
  Lower desktop power consumption
  Self-service desktop fault resolution
• Capabilities
  Disaster Recovery (DR)
  Improved desktop and data security/protection
  Improved user mobility
• Externalization
  Increased numbers of contractor, outsourcer or partner desktops to support
VDI Overview: Virtual Desktop Models

Figure: four virtual desktop models (Terminal Services, Application Streaming, Virtual Desktop Streaming, Remote Virtual Desktop) arranged on a spectrum from server-hosted computing to client-hosted computing. Building blocks shown: a presentation server sending display data to the desktop, an application server streaming apps to the desktop OS, a hypervisor running a guest OS and guest apps next to the main OS, and a synchronized desktop.
VDI Technology: Remote Virtual Desktop Architecture

Figure: the desktop reaches the enterprise data center through WAN acceleration. Data center components: connection broker, virtual desktop, presentation server, call control, media services, content delivery (ACNS/CDS), web application, file services, Windows directory, print, and storage. Protocols shown: ICA/RDP, RDP, HTTP(S), HTTP, RTSP, SIP/SCCP/MGCP, SIP/MGCP, SMB, CIFS, IPP, NFS, iSCSI, FC.
VDI Server Compute: Unified Computing System UCS 5108

• Blade
  Two Intel Xeon 5500 series 2.93 GHz quad-core processors
  Two optional SAS hard drives
  Hot-pluggable blades and hard disk drive support
  ½ width: up to 96 GB RAM and one dual-port 10Gb/CNA
  Full width: up to 384 GB and two dual-port 10GE/CNAs (future)
  Two 73 GB SAS 15K RPM SFF HDD, hot plug
• Chassis
  8 ½-width blades or 4 full-width blades
  2 fabric extenders
  Up to 8 (2x4) 10 Gb converged I/O uplinks
• Fabric Interconnect
  Deployed in pairs
  6120: up to 20 access ports
  6140: up to 40 access ports
  Fixed and modular uplink ports

Figure: the compute chassis enclosure holds half-slot and full-slot x86 compute nodes with their adapters and two fabric extenders; a pair of fabric interconnects (LAN, SAN, MGMT) is managed by the California Manager.
VDI Server Compute: UCS Virtual Desktop Density (1/2 Blade)

  Uplinks   Desktops per       Desktops per      UCS-6120 max     UCS-6120 desktops   UCS-6140 max     UCS-6140 desktops
  per FEX   96 GB B200 blade   8-blade chassis   no. of chassis   per system          no. of chassis   per system
  1         160                1280              20               25,600              40               51,200
  2         160                1280              10               12,800              20               25,600
  4         160                1280              5                6,400               10               12,800

Figure: fabric interconnects above fabric extenders and unified compute chassis of 8 slots each.
VDI Server Compute: CPU Capacity Planning

• % Processor Time averages 5% on a 2 GHz core
• Requires 100 MHz per desktop
• 100 desktops require 10 GHz of processing
• Add 10% to 25% overhead for virtualization, display protocol, and buffer for spikes
• 100 desktops achieved on ~4 cores to achieve 12 GHz
• ESX 3.5 limits apply
VDI Server Compute: Memory Capacity Planning

• VMware ESX Transparent Page Sharing shares a master copy of memory pages among virtual machines
• WinXP desktops commonly need 254 MB RAM
• Memory optimizations yield 175 MB per desktop
• 100 desktops require 17.5 GB minimum and ~25 GB peak
• Recommend provisioning 512 MB desktops

  Application/OS          Optimized memory use
  Windows XP              125 MB
  Microsoft Word          15 MB
  Microsoft Excel         15 MB
  Microsoft PowerPoint    10 MB
  Microsoft Outlook       10 MB
  Total                   175 MB
VDI Server Compute: ESX 3.5 and vSphere 4 Planning

  Capacity                                             ESX 3.5 limits                vSphere 4 limits
  Number of virtual CPUs per host                      192                           512
  Number of VMs per host                               170                           320
  CPUs per core for workload                           20*                           20*
  Size of RAM per server                               256 GB                        1 TB
  Number of VMs managed per vCenter Server instance    2000                          3000 (64-bit)
  Number of hosts per vCenter server                   200                           300 (64-bit)
  Number of NAS datastores per cluster (NFS)           8 / 32 (Default / Advanced)   8 / 64 (Default / Advanced)
  Number of VMFS datastores per server (FC/iSCSI)      256                           256
  VMs per VMFS datastore                               32                            64
  Hosts per HA/DRS cluster                             32                            32
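The CPU, memory and limits slides above are three steps of one sizing exercise. The following is an added example, not part of the Cisco deck: it applies the per-desktop figures from the slides (5% of a 2 GHz core, 10-25% overhead, 175 MB optimized, ~250 MB peak, 512 MB provisioned) and then checks the result against the VMs-per-host and RAM-per-host limits in the table. The blade profile is an assumption modelled on the UCS 5108 slide (two quad-core 2.93 GHz Xeon 5500s, 96 GB); memory is counted in decimal GB because that is how the slides count it.

```python
# Added example (not from the Cisco deck): a sizing helper that applies the
# per-desktop CPU and memory figures from the capacity-planning slides and
# checks the result against the per-host limits table.
from dataclasses import dataclass
from math import ceil

# Subset of the "ESX 3.5 and vSphere 4 Planning" table used for host sizing.
HOST_LIMITS = {
    "ESX 3.5":   {"vms_per_host": 170, "vcpus_per_host": 192, "ram_per_host_gb": 256},
    "vSphere 4": {"vms_per_host": 320, "vcpus_per_host": 512, "ram_per_host_gb": 1024},
}


@dataclass(frozen=True)
class Blade:
    name: str
    cores: int        # physical cores per blade
    core_ghz: float   # clock per core
    ram_gb: int       # installed memory, decimal GB as the slides count it


# Assumed profile: two quad-core 2.93 GHz Xeon 5500s and 96 GB (UCS 5108 slide).
B200_96GB = Blade("B200 96GB", cores=8, core_ghz=2.93, ram_gb=96)


def cpu_ghz_needed(desktops, avg_cpu_pct=5.0, ref_core_ghz=2.0, overhead=0.20):
    """GHz a pool of desktops needs: each desktop averages avg_cpu_pct of a
    ref_core_ghz core (the slide's 5% of 2 GHz = 100 MHz), plus 10-25%
    overhead for virtualization, the display protocol and a spike buffer."""
    per_desktop_ghz = ref_core_ghz * avg_cpu_pct / 100.0
    return desktops * per_desktop_ghz * (1.0 + overhead)


def cores_needed(desktops, blade=B200_96GB, **cpu_kw):
    """Whole cores of the given blade needed to supply cpu_ghz_needed()."""
    return ceil(cpu_ghz_needed(desktops, **cpu_kw) / blade.core_ghz)


def memory_gb(desktops, per_desktop_mb):
    """Decimal GB for a pool at a given per-desktop footprint
    (175 MB optimized minimum, ~250 MB peak, 512 MB provisioned on the slides)."""
    return desktops * per_desktop_mb / 1000.0


def desktops_per_host(blade=B200_96GB, platform="ESX 3.5", peak_mb=250, **cpu_kw):
    """Largest desktop count one host supports: bounded by CPU, by memory at
    the peak footprint, and by the hypervisor's VMs-per-host limit."""
    limits = HOST_LIMITS[platform]
    ghz_per_desktop = cpu_ghz_needed(1, **cpu_kw)
    by_cpu = int(blade.cores * blade.core_ghz / ghz_per_desktop)
    usable_ram_gb = min(blade.ram_gb, limits["ram_per_host_gb"])
    by_ram = int(usable_ram_gb * 1000.0 / peak_mb)
    return min(by_cpu, by_ram, limits["vms_per_host"])


def hosts_needed(desktops, blade=B200_96GB, platform="ESX 3.5", **kw):
    """Hosts for a pool, rounding up."""
    return ceil(desktops / desktops_per_host(blade, platform, **kw))


def plan(desktops, blade=B200_96GB, platform="ESX 3.5"):
    """Summary that can be sanity-checked against the slides' own numbers."""
    return {
        "cpu_ghz": cpu_ghz_needed(desktops),
        "cores": cores_needed(desktops, blade),
        "ram_min_gb": memory_gb(desktops, 175),
        "ram_peak_gb": memory_gb(desktops, 250),
        "ram_provisioned_gb": memory_gb(desktops, 512),
        "desktops_per_host": desktops_per_host(blade, platform),
        "hosts": hosts_needed(desktops, blade, platform),
    }


if __name__ == "__main__":
    for n in (100, 1500):
        print(n, plan(n))
```

With the assumed blade, the binding constraint on ESX 3.5 is the 170 VMs-per-host limit rather than CPU or memory, which is the point of the "ESX 3.5 limits apply" bullet: the per-desktop arithmetic alone would overcommit a host.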
VXI Compute Bundles

Compute Infrastructure Package
1. VXI Base Compute Bundle: 300+ hosted VM-based desktops
   • Expandable in 100-desktop increments to 700+ hosted VM-based desktops through additional à la carte desktop nodes in the remaining chassis slots
2. VXI Scale Compute Bundle: 400+ hosted VM-based desktops

Notes:
• Cisco will provide design guidelines for a number of different storage architectures
• SI / channel partners will be bundling specific vendors' solutions (software, etc.) into the solution offering
VXI Base Compute Bundle (Entry-Level)
Support for 300+ hosted VM-based desktops, scale to 700+ / app virtualization (Win 7 32-bit)

High-level BOM includes:
• Dual UCS 6120 fabric interconnects
• Two UCS 5100 series chassis
• Two management nodes: B200 M2 w/ 48 GB
• Three desktop blades: B250 M2 w/ 192 GB

Figure: one chassis populated with two B200 M2 (48 GB) and three B250 M2 (192 GB) blades. Additional B250 M2 desktop blades can be added à la carte to the four remaining slots; each individual blade can support 100+ VMs (Win 7 32-bit).
VXI Scale Compute Bundle
Adds capacity for an additional 400+ hosted VM-based desktops / ## app virtualization

Includes:
• 1 chassis
• 4 x B250 M2 with 192 GB of memory
• Xeon 5670 hex-core processor
• Virtual Interface Card
• 2 redundant FEX modules
• 3 power supplies (N+1)
Sample Deployment: VXI Base Compute Bundle + 2 VXI Scale Compute Bundles
Support for up to 1,500+ hosted VM-based desktops

Figure: the base bundle (two B200 M2 w/ 48 GB, three B250 M2 w/ 192 GB) plus four à la carte B250 M2 blades, plus two scale bundles (eight B250 M2 w/ 192 GB) that add 800 VM desktops / ## app virts.
VDI Server Network: LAN only and Converged I/O

The POD concept:
• Separate from application environments
• Modular physical, network and compute infrastructure
• Predictable and repeatable scalability
• Campus security best practices

Figure: several PODs hang off a POD core. LAN fabric: core, aggregation, access and virtual access, with LAN access into the Unified Computing System over Fabric A and Fabric B. SAN fabric: storage arrays behind SAN Edge A and SAN Edge B.

Virtual desktop with NAS:
• Single fabric
• Fabric interconnect: 10GE attached, end-host mode
• Interconnect connectivity point: L3/L2 boundary in all cases; Nexus 7000 and Catalyst 6500

Virtual desktop with converged I/O:
• Dual fabrics
• Fabric interconnect: 4G FC attached, NPV mode
• Interconnect connectivity point: SAN core, or SAN edge for more scalability
VDI Server Network: Client Campus Security

• Port Security prevents CAM attacks and DHCP starvation attacks and mitigates spanning-tree loops
• DHCP Snooping prevents rogue DHCP server attacks
• Dynamic ARP Inspection prevents current ARP attacks
• IP Source Guard prevents IP/MAC spoofing and a wide variety of TCP/UDP splicing and DoS attacks

Figure: the four features stacked on the access switch (Port Security, DHCP Snooping, Dynamic ARP Inspection, IP Source Guard) against the attacks they stop: a host sourcing 132,000 bogus MACs (00:0e:00:aa:aa:aa, 00:0e:00:bb:bb:bb, 00:0e:00:aa:aa:cc, 00:0e:00:bb:bb:dd, etc.) so that the switch acts like a hub; a rogue DHCP server answering “Use this IP address!”; and a man in the middle between a client and the email server (“Your email passwd is ‘joecisco’!”).
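To make the relationship between the four features concrete, here is an added example, not Cisco code and not from the deck: a software model of one access switch that applies the same checks in the order a real switch would (Port Security on the source MAC, then DHCP Snooping, DAI or IP Source Guard depending on the frame type) to constructed sample traffic. Port names, MAC addresses and IP addresses are made up for the example, and feature behaviour is reduced to the checks relevant to the attacks the slide names; the DHCP snooping binding table is the piece that DAI and IP Source Guard both depend on.

```python
# Added example (not Cisco code): a software model of the four access-layer
# protections on this slide, run over constructed sample traffic.
from collections import defaultdict


class AccessSwitch:
    """One access switch with Port Security, DHCP Snooping, Dynamic ARP
    Inspection (DAI) and IP Source Guard (ISG) enabled on every port."""

    def __init__(self, trusted_ports=(), max_macs_per_port=2):
        self.trusted = set(trusted_ports)      # uplinks allowed to carry DHCP server replies
        self.max_macs = max_macs_per_port      # Port Security: secure MACs allowed per port
        self.macs_on_port = defaultdict(set)
        self.bindings = {}                     # DHCP snooping table: (port, mac) -> ip
        self.drops = defaultdict(list)         # feature -> reasons, as an operator's log

    def _drop(self, feature, reason):
        self.drops[feature].append(reason)
        return False

    def _port_security(self, port, mac):
        """A port may learn at most max_macs source MACs; frames from further
        MACs are dropped, so one host cannot fill the CAM table and make the
        switch behave like a hub."""
        learned = self.macs_on_port[port]
        if mac not in learned and len(learned) >= self.max_macs:
            return self._drop("port-security", f"{port}: {mac} exceeds {self.max_macs} secure MACs")
        learned.add(mac)
        return True

    def dhcp_server_message(self, port, server_mac, client_port, client_mac, client_ip):
        """DHCP Snooping: OFFER/ACK is accepted only from a trusted port;
        an accepted ACK records the client's lease in the binding table."""
        if not self._port_security(port, server_mac):
            return False
        if port not in self.trusted:
            return self._drop("dhcp-snooping", f"{port}: DHCP server message on untrusted port")
        self.bindings[(client_port, client_mac)] = client_ip
        return True

    def arp(self, port, src_mac, sender_mac, sender_ip):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must match a
        snooping binding, which stops poisoned replies for the gateway."""
        if not self._port_security(port, src_mac):
            return False
        if port in self.trusted:
            return True
        if self.bindings.get((port, sender_mac)) != sender_ip:
            return self._drop("dai", f"{port}: ARP {sender_ip} is-at {sender_mac} has no binding")
        return True

    def ip_packet(self, port, src_mac, src_ip):
        """ISG: IP traffic on untrusted ports must use the source IP bound to
        that port and MAC, which stops IP/MAC spoofing."""
        if not self._port_security(port, src_mac):
            return False
        if port in self.trusted:
            return True
        if self.bindings.get((port, src_mac)) != src_ip:
            return self._drop("ip-source-guard", f"{port}: {src_ip} from {src_mac} not in binding table")
        return True


def run_scenario():
    """Constructed traffic that exercises each protection once; returns the verdicts."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/24"}, max_macs_per_port=2)
    r = {}
    # A real lease: the DHCP server's ACK arrives on the trusted uplink.
    r["lease"] = sw.dhcp_server_message("Gi1/0/24", "00:0e:00:dd:dd:01", "Gi1/0/1", "00:0e:00:aa:aa:aa", "10.10.1.11")
    # A rogue server answering from an access port ("Use this IP address!").
    r["rogue_dhcp"] = sw.dhcp_server_message("Gi1/0/5", "00:0e:00:bb:bb:bb", "Gi1/0/1", "00:0e:00:aa:aa:aa", "10.10.1.11")
    # The leased host's own ARP, then a host on another port claiming the gateway's address.
    r["arp_ok"] = sw.arp("Gi1/0/1", "00:0e:00:aa:aa:aa", "00:0e:00:aa:aa:aa", "10.10.1.11")
    r["arp_spoof"] = sw.arp("Gi1/0/5", "00:0e:00:bb:bb:bb", "00:0e:00:bb:bb:bb", "10.10.1.1")
    # IP traffic with the bound address, then with a forged source address.
    r["ip_ok"] = sw.ip_packet("Gi1/0/1", "00:0e:00:aa:aa:aa", "10.10.1.11")
    r["ip_spoof"] = sw.ip_packet("Gi1/0/1", "00:0e:00:aa:aa:aa", "10.10.1.99")
    # Bogus source MACs from one port: the first two are learned (and then fail
    # ISG for lacking a binding); the rest never get past Port Security.
    r["flood"] = [sw.ip_packet("Gi1/0/7", f"00:0e:00:cc:cc:{i:02x}", "10.10.1.50") for i in range(4)]
    r["drops"] = {feature: len(reasons) for feature, reasons in sw.drops.items()}
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

The ordering matters for the operator reading the log: a frame that survives Port Security can still be dropped by a later check, so a MAC-flooding host with no lease shows up under both port-security and ip-source-guard counters, while a rogue DHCP server or an ARP spoof is attributed to exactly one feature.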
Security and Automation: Cisco software switch for the VMware platform - Nexus 1000V

Figure: three VMware ESX servers, each hosting VM #1-#4 on its own Nexus 1000V and connected through its NICs to the LAN. Nexus 1000V: 100+ customers worldwide in the first 90 days.

Virtualize at network scale (on-premise data center):
• Policy-based VM connectivity
• Non-disruptive operational model
• Mobility of network and security properties
• Virtualizing the network domain
Policy Based VM Connectivity: Enabling Policy

1. Nexus 1000V automatically enables port groups in Virtual Center
2. The server admin uses Virtual Center to assign the vNIC policy from the available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

Figure: Virtual Center, the Nexus 1000V VSM, and Server 1 (VMware ESX with the Nexus 1000V VEM hosting VM #1-#4). Available port groups: WEB Apps, HR, DB, Compliance. Example port group WEB Apps:
• PVLAN 108, isolated
• Security policy = port 80 & 443
• Rate limit = 100 Mbps
• QoS priority = medium
• Remote port mirror = yes
Mobility of Security & Network Properties: Following your VMs around

1. Virtual Center kicks off a VMotion (manual/DRS) and notifies Nexus 1000V
   VMotion notification. Current: VM1 on Server 1. New: VM1 on Server 2.
2. During VM replication, Nexus 1000V copies the VM port state to the new host
   Network persistence: VM port config and state; VM monitoring statistics.
   Mobile properties include:
   • Port policy
   • Interface state & counters
   • Flow statistics
   • Remote port mirror session
3. Once VMotion completes, the port on the new ESX host is brought up and the VM’s MAC address is announced to the network
   Network update: ARP for VM1 sent to the network; flows to the VM1 MAC redirected to Server 2.

Figure: Virtual Center and the Nexus 1000V VSM above Server 1 (VM #1-#4) and Server 2 (VM #5-#8), both VMware ESX hosts whose Nexus 1000V VEMs form one Nexus 1000V DVS; VM #1 moves from Server 1 to Server 2.
VN-Link: Complementary Models for Evolving Requirements

Figure: the two VN-Link models side by side. Left, Cisco Nexus 1000V (software based): a VMware ESX server with VM #1-#4 on a Nexus 1000V, connected through its NICs to the LAN. Right, UCS VIC (hardware based): a California blade with VM #1-#4 on a UCS VIC, pass-through switched to the California switch. Both deliver:
• Policy-based VM connectivity
• Non-disruptive operational model
• Mobility of network and security properties
Virtual Security Gateway
Virtual Firewall: What Problem is Being Solved

Figure: four VMs (app on OS) on one host exchanging VM-to-VM traffic that never leaves the host.

• Control inter-VM traffic: address a new blind spot
• Enable dynamic provisioning: mobility-transparent enforcement
• VLAN-agnostic operation: policy based
• Administrative segregation: server • network • security
Virtual Security Gateway (VSG) System Architecture

Figure: VMware vCenter supplies VM attributes to the VN-Management Center, which holds policy and VN service profiles and interacts with the Nexus 1000V VSM through port profiles (port profile to VN service profile binding). A VN-Service Agent on each ESX host's VEM steers packets through vPath to the VSG virtual service nodes (VSNs).

• Attribute-based policies: network and VM attributes (from vCenter and custom)
• Multi-tenant-aware policy composition, authoring and dynamic provisioning
• Performance driven: distributed enforcement
Distributed VSG Architecture: Highly Scalable

Figure: one VSG serving VMs in Zone 1, Zone 2 and Zone 3 spread across several ESX hosts; each host's VEM carries vPath with flow lookup and service lookup.

• A VSG (VM) instance can be on any host
• Does NOT require a VSG per host
• The host’s compute resources are devoted to VMs
• No VLAN stitching
• Fast-path (vPath) in every host’s Nexus 1000V switch
• Highly scalable
• VM mobility is supported by design
• High availability (active-standby) deployment
Trusted Zones

Figure: one VSG for Tenant A enforcing the HR, Finance, QA, Dev and VDI zones.

Zoning classification:
• Based upon network attributes
• Based upon custom attributes: tag the VM through the port-profile/vn-service-profile
• Based upon VM attributes

Security support:
• Interior security: zone-to-zone and within-zone
• Exterior security: external-to-zone

Virtual machine(s) can belong in multiple zones
Example: 3-tier Server Zones

Policy – Content Hosting. Figure: a web client outside the data center reaches the web servers in the web-zone; application servers sit in the application-zone and DB servers in the database-zone. Policy annotations:
• Permit only port 80 (HTTP) of web servers
• Permit only port 22 (SSH) to application servers
• Only permit web servers access to application servers
• Only permit application servers access to database servers
• Block all external access to database servers

• Beta 1 release has CLI only
• Beta 2 and FCS will be through the GUI tool → VN-MC
Example: 3-tier Server Zones: Defining Zones

  zone web-zone
    condition 1 vm.custom.app-type eq web

  zone application-zone
    condition 1 vm.custom.app-type eq application

  zone database-zone
    condition 1 vm.custom.app-type eq database
Example: 3-tier Server Zones: Creating Rules

Permit only port 80 (HTTP) of web servers:
  rule web-http-rule
    condition 1 dst.zone.name eq web-zone
    condition 2 dst.net.port eq 80
    action 1 permit

Permit only port 22 (SSH) to application servers:
  rule application-ssh-rule
    condition 1 dst.zone.name eq application-zone
    condition 2 dst.net.port eq 22
    action 1 permit

Block all external access to database servers: the default is set to “Deny”.
Example: 3-tier Server Zones: Creating Rules

Permit bi-directional traffic between web and application servers:
  rule web-to-application-rule
    condition 1 src.zone.name eq web-zone
    condition 2 dst.zone.name eq application-zone
    action 1 permit

  rule application-to-web-rule
    condition 1 src.zone.name eq application-zone
    condition 2 dst.zone.name eq web-zone
    action 1 permit

Permit bi-directional traffic between application and database servers:
  rule application-to-database-rule
    condition 1 src.zone.name eq application-zone
    condition 2 dst.zone.name eq database-zone
    action 1 permit

  rule database-to-application-rule
    condition 1 src.zone.name eq database-zone
    condition 2 dst.zone.name eq application-zone
    action 1 permit
Example: 3-tier Server Zones: Defining Policy

  policy content-host-policy
    rule web-http-rule order 10
    rule application-ssh-rule order 20
    rule web-to-application-rule order 30
    rule application-to-web-rule order 40
    rule application-to-database-rule order 50
    rule database-to-application-rule order 60
VSG VM-to-VM Traffic Flow: 1st packet

• For the 1st packet within a network session, the packet flow is similar for the different traffic types, although the traffic redirection scheme differs
• Traffic redirection is based on the port-profile-to-VSG binding and a flow-entry lookup in the Service Data Path (SDP)
• Processing of Internet → VM and inter-VM traffic is normalized; different firewall policies are applied to this traffic strictly based on the source/destination attributes defined in the policy

Figure: web servers (VM #1-#4) and app servers (VM #5-#8) on a Nexus 1000 DVS; the first packet of a session is redirected through the Service Data Path to the VSG (steps 1-6) before delivery.
VSG VM-to-VM Traffic Flow: 2nd and subsequent packets

• After the VSG has done the policy evaluation against the first packet of a network session, a flow-entry cache is established in the SDP, which offloads processing of the rest of the packets to the SDP
• The flow lookup done in the SDP identifies the current state of the flow, so the SDP can process the subsequent packets based on the actions stored in the flow entry

Figure: the same web and app servers on the Nexus 1000 DVS; subsequent packets are handled within the Service Data Path (steps 1-4) without reaching the VSG.
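The zone, rule and policy definitions on the "3-tier Server Zones" slides and the first-packet / cached-flow split on the two traffic-flow slides fit together in one small evaluator. The following is an added example, not Cisco VSG code: it encodes the deck's own zone conditions, rules and content-host-policy order, evaluates a flow's source/destination attributes with first-match-wins and an implicit deny, and caches the verdict per session the way the Service Data Path description does. The VM inventory and the flows (including the external "web-client" endpoint) are constructed; treating zone membership as a set (the deck says a VM can belong to several zones) and keying the flow cache on (source, destination, destination port) are modelling choices, not VSG internals.

```python
# Added example (not Cisco VSG code): an evaluator for the zone/rule/policy
# definitions from the 3-tier example, with the SDP's first-packet evaluation
# and flow-entry cache. Inventory and flows are constructed for the example.

# "Defining Zones": zone name -> (attribute, value) the VM must carry
ZONES = {
    "web-zone": ("vm.custom.app-type", "web"),
    "application-zone": ("vm.custom.app-type", "application"),
    "database-zone": ("vm.custom.app-type", "database"),
}

# "Creating Rules": rule name -> (conditions that must all match, action)
RULES = {
    "web-http-rule": ([("dst.zone.name", "web-zone"), ("dst.net.port", 80)], "permit"),
    "application-ssh-rule": ([("dst.zone.name", "application-zone"), ("dst.net.port", 22)], "permit"),
    "web-to-application-rule": ([("src.zone.name", "web-zone"), ("dst.zone.name", "application-zone")], "permit"),
    "application-to-web-rule": ([("src.zone.name", "application-zone"), ("dst.zone.name", "web-zone")], "permit"),
    "application-to-database-rule": ([("src.zone.name", "application-zone"), ("dst.zone.name", "database-zone")], "permit"),
    "database-to-application-rule": ([("src.zone.name", "database-zone"), ("dst.zone.name", "application-zone")], "permit"),
}

# "Defining Policy": content-host-policy as (rule name, order)
CONTENT_HOST_POLICY = [
    ("web-http-rule", 10), ("application-ssh-rule", 20),
    ("web-to-application-rule", 30), ("application-to-web-rule", 40),
    ("application-to-database-rule", 50), ("database-to-application-rule", 60),
]

# Constructed inventory: custom attributes as tagged through the port-profile /
# vn-service-profile. Endpoints not listed here (an external web client, say)
# carry no attributes and therefore belong to no zone.
VMS = {
    "web-01": {"vm.custom.app-type": "web"},
    "app-01": {"vm.custom.app-type": "application"},
    "db-01": {"vm.custom.app-type": "database"},
}


def zones_of(endpoint):
    """All zones whose condition the endpoint's attributes satisfy (may be several)."""
    attrs = VMS.get(endpoint, {})
    return {zone for zone, (attr, value) in ZONES.items() if attrs.get(attr) == value}


def flow_attributes(src, dst, dst_port):
    """The source/destination attributes a rule condition can test for one flow."""
    return {"src.zone.name": zones_of(src), "dst.zone.name": zones_of(dst), "dst.net.port": dst_port}


def condition_matches(attrs, attr, value):
    actual = attrs.get(attr)
    return value in actual if isinstance(actual, set) else actual == value


def evaluate_policy(policy, attrs):
    """First rule (lowest order) whose conditions all match decides;
    no match falls through to the default deny from the slides."""
    for name, _order in sorted(policy, key=lambda entry: entry[1]):
        conditions, action = RULES[name]
        if all(condition_matches(attrs, attr, value) for attr, value in conditions):
            return action, name
    return "deny", "default"


class ServiceDataPath:
    """vPath/SDP model: send the first packet of a session to the VSG for
    evaluation, then answer the rest of the session from the flow-entry cache."""

    def __init__(self, policy):
        self.policy = policy
        self.flow_cache = {}
        self.vsg_evaluations = 0

    def packet(self, src, dst, dst_port):
        key = (src, dst, dst_port)
        if key not in self.flow_cache:  # 1st packet: redirect to the VSG
            self.vsg_evaluations += 1
            self.flow_cache[key] = evaluate_policy(self.policy, flow_attributes(src, dst, dst_port))
        return self.flow_cache[key]     # 2nd and subsequent packets: cached action


if __name__ == "__main__":
    sdp = ServiceDataPath(CONTENT_HOST_POLICY)
    for flow in [("web-client", "web-01", 80), ("web-client", "db-01", 1521),
                 ("web-01", "app-01", 8080), ("web-01", "db-01", 1521), ("app-01", "db-01", 1521)]:
        print(flow, sdp.packet(*flow))
    print("VSG evaluations:", sdp.vsg_evaluations)
```

Two things worth checking against the slides with this model: the "block all external access to database servers" requirement is never written as a rule, it is the default deny doing the work, and because the zone-to-zone rules carry no port condition, any port between web and application servers is open once the zone pair matches, which is exactly what "bi-directional traffic" on the slide means.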
Virtual Network Manager Center (VN-MC): Policy-based, Programmatic Management Architecture

Figure: VN-MC, with its policy repository, exposes an XML API to a cloud service portal, a 3rd-party orchestrator and Cisco management tools, and drives vCenter, the Nexus 1000V VSM and the VSG virtual service nodes (VSNs).

• Policy-driven provisioning
• Stateless configuration model
• Role-based administration
• Natively API-driven for interaction with external management stations
• Consistent management across traditional services and VSGs
VN-MC Zone Configuration
Definition for custom attribute defined for a zone