Shape Your Business For the Future: Powering ... Security Management Tools Operational Readiness...

Posted: 16-Aug-2020

  • © 2012 Cisco and/or its affiliates. All rights reserved. (Slide 1)

    Shape Your Business For the Future: Powering Transformation With Cisco

    Building a Secure Virtualized Cloud Infrastructure

    Amy Chan, Systems Development Unit, Cisco Systems, 15 May 2012

  • Slide 2

    Agenda

    Building a Secure Virtualized Cloud Infrastructure

    Case Study: Cisco CITEIS Data Center Virtualization Transformation

  • Slide 3

    Cisco Validated Design Process: Innovation and Quality Through System Level Design and Validation

    System Development Fundamentals

    System Development Guidelines: Planning, Design, End-To-End Validation, Documentation

    Validation levels, from unit test up to the customer: Unit, Feature, Integration, System, Customer

    www.cisco.com/go/designzone

  • Slide 4

    VMDC – Cloud Blueprint for the Unified Data Center: Foundation for Cloud Applications and Services

    Figure: VMDC, the Unified Data Center reference architecture, underpins IaaS, PaaS, SaaS and more, across the private, virtual private (vPrivate), public, hybrid and community deployment models.

    Goals: Simplify Operations, Maximize ROI, Accelerate Time to Deployment

  • Slide 5

    Building a Secure Virtualized Cloud Infrastructure: Key Considerations

    • Service Orchestration: dynamic application and reuse of resources; automated service orchestration and fulfillment; integration with network containers; rapid self-service IT
    • High Availability: carrier-class availability; platform, network, hardware and software resiliency; minimize the probability and duration of incidents; focus on your business, not fighting fires
    • Differentiated Service Support: design logical models around use cases; a services-oriented framework that combines compute, storage and network; resources are applied and tuned to meet needs
    • Modularity: pod-based design; scalability framework for manageable increments; predictable physical and cost characteristics; streamlined turn-up of new services
    • Secure Multi-tenancy: shared physical infrastructure with tenant-specific resources; use cases comply with business policies

  • Slide 6

    Example: IaaS Cloud Services Solution Architecture, an End-to-End Systems Approach

    Figure: the end-to-end IaaS stack, layer by layer, with the products validated at each layer (many App/OS pairs, one per virtual machine, are shown in the original diagram)

    • Application Software: Cisco and third-party applications (App/OS per virtual machine)
    • Virtual Machine and Virtual Access: VMware vSphere 4 / ESXi 4, Nexus 1000V, VSG
    • Compute: UCS B-Series and C-Series rack servers in an integrated compute stack
    • Storage & SAN: MDS SAN switches (VMDC 1.X), consolidated storage arrays (EMC, NetApp etc.)
    • Access: Nexus 5000, Nexus 2000 (N2k)
    • Services: Catalyst 6500 VSS (as services chassis), ASA appliance firewall and VPN, ACE
    • Core/Aggregation: Nexus 7000
    • Peering, Backbone and WAN/IP-NGN: 7600, CRS, ASR 9000, ASR 1000; L2 and L3 MPLS, Internet, firewall and remote VPN
    • Link types: 10G Ethernet, 10G FCoE, 4G FC, 1G Ethernet (VM to vSwitch, vSwitch to hardware, application to hardware/VM)
    • Tenants shown: Subscriber "A" Applications 1 and 2; Subscriber "B" Applications 1, 2 and 3; connectivity to the Internet and to partners

  • Slide 7

    Journey to IT Delivered As a Service: Technology Adoption

    Phases, each bringing increased agility, efficiency and simplicity and increased cloud readiness: Consolidate Assets, Virtualize the Environment, Automate Service Delivery, Standardize Operations

    Adoption steps along the journey:
    • High Availability Networking
    • Optimize the WAN
    • Unify Networks
    • Deploy Unified Computing
    • VM to Network Link
    • Deploy Multi-Tenancy
    • Deploy Integrated Compute and Storage
    • Business Continuance, VM Mobility
    • Self-Service Provisioning
    • Automated Provisioning
    • Secure the Data Center
    • Cloud Bursting

  • Slide 8

    The Challenge: Predictably grow my Data Center

    The Solution: Point of Delivery (PoD)

    Figure: a PoD made up of integrated compute stacks (compute, storage, network), service appliances and a Data Center Services Node

    Point of Delivery (PoD): architectural consistency through a modular approach

    • Modular, tiered construct consisting of groupings of integrated compute stacks plus storage and networking infrastructure
    • A single PoD can be deployed and operated by itself or connected together with other PoDs to achieve scale
    • VMDC validates 2 styles of PoDs: Compact and Large

    Benefits
    • Simplified capacity planning
    • Ease of new technology adoption
    • Consistent and efficient operation

  • Slide 9

    The Challenge: Predictably scale my Data Center

    The Solution: PoD replication

    Benefits
    • Optimize CAPEX savings while maintaining SLAs
    • Predictable performance and scale based on building blocks
    • Effective way to add separate application environments

    Figure: two PoDs, each with integrated compute stacks (compute, storage, network), service appliances and a Data Center Services Node

    Key Factors to Consider

    • L2 Scale: virtual machine density, vNICs per VM, MAC address capacity, cluster scale, ARP table size, VLAN scale, port capacity, logical failure domains, L2 control plane
    • L3 Scale: BGP peering, HSRP interfaces, VRF instances, routing tables and convergence, services
    • Resource Oversubscription: network, compute and storage oversubscription; bandwidth per VM

  • Slide 10

    The Challenge: Securely separate my tenants

    The Solution: Tenant container service abstraction and right sizing

    Benefits
    • End-to-end secure separation across the data center
    • Overlapping IP addresses are allowed
    • Automation tools to simplify deployment

    Figure: WAN edge, core and aggregation layers (L3, one VRF per tenant), Layer 2 trunks down to the access layer, an HSRP/L3 gateway per tenant, and three tenant containers, each with Web, App and Database tiers

    • Built upon traditional infrastructure security
    • Defense in depth per tenant (front end ASA, back end VSG)
    • VRF-lite implemented at the core and aggregation layers provides per-tenant isolation at L3
    • Separate, dedicated per-tenant routing and forwarding tables ensure that no inter-tenant (server to server) traffic within the data center is allowed unless explicitly configured
    • VLAN IDs and the 802.1Q tag provide isolation and identification of tenant traffic across the L2 domain
    • Compute separation (vNICs, VLANs, port profiles)
    • Storage separation (cluster file system management, VSAN and FC zoning, LUN masking, vFilers)
    • Application tier (network-centric, logical and physical segmentation with L2/L3 firewalling and security zoning)
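    The separation model above rests on two configuration invariants: every tenant VLAN interface is bound to that tenant's VRF, and nothing crosses VRFs unless it is explicitly configured. The audit below is an added example, not code from the Cisco deck or from any Cisco tool. It parses a constructed IOS-style configuration fragment (written for this example, with two planted defects) and reports each violation. It assumes a naming convention in which the interface description begins with the tenant name (TENANT-A, TENANT-B); adapt TENANT_RE to your own convention.

```python
"""Audit VRF-lite tenant separation in an IOS-style configuration.

Added example, not from the Cisco deck. Checks: every tenant SVI is bound to
its tenant's VRF, overlapping subnets are fine only across VRFs, and any
path between VRFs or to the global table is an explicit, reviewable route.
"""
import ipaddress
import re

# Constructed sample (assumed naming rule: description starts with the tenant).
# Tenants A and B both use 10.1.1.0/24, which VRF-lite permits. Two defects are
# planted: Vlan103 lacks 'vrf forwarding'; a TENANT-B route exits a TENANT-A SVI.
SAMPLE_CONFIG = """\
vrf definition TENANT-A
vrf definition TENANT-B
!
interface Vlan101
 description TENANT-A web
 vrf forwarding TENANT-A
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
!
interface Vlan102
 description TENANT-A app
 vrf forwarding TENANT-A
 ip address 10.1.2.2 255.255.255.0
!
interface Vlan103
 description TENANT-A db
 ip address 10.1.3.2 255.255.255.0
!
interface Vlan201
 description TENANT-B web
 vrf forwarding TENANT-B
 ip address 10.1.1.2 255.255.255.0
 standby 1 ip 10.1.1.1
!
ip route vrf TENANT-B 10.1.2.0 255.255.255.0 Vlan102 10.1.2.2
ip route vrf TENANT-A 0.0.0.0 0.0.0.0 192.0.2.1 global
"""

TENANT_RE = re.compile(r"^(TENANT-[A-Z0-9]+)")  # hypothetical naming convention


def parse_config(text):
    """Return (vrf names, {interface: attrs}, static route token lists)."""
    vrfs, interfaces, routes, current = set(), {}, [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            current = None  # any top-level command ends an interface block
        if line.startswith("vrf definition "):
            vrfs.add(line.split()[2])
        elif line.startswith("interface "):
            current = line.split()[1]
            interfaces[current] = {"vrf": None, "description": "", "subnet": None}
        elif line.startswith("ip route vrf "):
            routes.append(line.split())
        elif current is not None:
            f = line.split()
            if f[:2] == ["vrf", "forwarding"]:
                interfaces[current]["vrf"] = f[2]
            elif f[:1] == ["description"]:
                interfaces[current]["description"] = " ".join(f[1:])
            elif f[:2] == ["ip", "address"]:
                interfaces[current]["subnet"] = ipaddress.ip_network(
                    f"{f[2]}/{f[3]}", strict=False)
    return vrfs, interfaces, routes


def audit_isolation(text):
    """Return (severity, message) findings; an empty list means no leaks found."""
    vrfs, interfaces, routes = parse_config(text)
    findings, seen = [], {}  # seen: (vrf, subnet) -> interface
    for name, i in interfaces.items():
        m = TENANT_RE.match(i["description"])
        tenant = m.group(1) if m else None
        if tenant and i["vrf"] is None:
            findings.append(("HIGH", f"{name} ({tenant}) sits in the global routing table"))
        elif tenant and i["vrf"] != tenant:
            findings.append(("HIGH", f"{name} ({tenant}) is bound to VRF {i['vrf']}"))
        if i["vrf"] and i["vrf"] not in vrfs:
            findings.append(("HIGH", f"{name} references undefined VRF {i['vrf']}"))
        if i["subnet"] is not None:
            key = (i["vrf"], i["subnet"])
            if key in seen:  # same subnet twice inside one VRF is a real conflict
                findings.append(("MEDIUM", f"{name} duplicates {i['subnet']} "
                                 f"of {seen[key]} in VRF {i['vrf']}"))
            seen[key] = name
    for r in routes:
        # tokens: ip route vrf <VRF> <prefix> <mask> <egress> [next-hop] [global]
        vrf, prefix, egress = r[3], f"{r[4]}/{r[5]}", r[6]
        if "global" in r[7:]:
            findings.append(("MEDIUM", f"VRF {vrf}: {prefix} leaks to the global table (explicit)"))
        if egress in interfaces and interfaces[egress]["vrf"] != vrf:
            findings.append(("HIGH", f"VRF {vrf}: {prefix} exits {egress}, which belongs to "
                             f"VRF {interfaces[egress]['vrf']} (explicit inter-tenant path)"))
    return findings
```

    Run audit_isolation over a saved running-config. On the sample, the two planted defects come back as HIGH findings and the default route with the global keyword as MEDIUM, while the 10.1.1.0/24 reused by tenants A and B raises nothing because the two subnets live in different VRFs. Anything the audit reports is, by the slide's own rule, an explicitly configured exception and should be matched against a change record.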

  • Slide 11