Brkvir 2011

Deploying Services in a Virtualised Environment
BRKVIR-2011
BRKVIR-2011
2013 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Agenda
Virtualisation/Cloud Trends Requirements for Virtualised Services
Virtual Networking & Services architecture

Nexus 1000V for Virtualised Services
Implementing Virtualised Services

Virtual Security Gateway (VSG) ASA 1000V Virtual WAAS (vWAAS) Network Analysis Module (NAM)
3rd Party Services on vPath

Virtual Services for VM Mobility Virtual Services on VXLAN
Reference Solutions, Resources & Wrap-Up

BRKVIR-2011 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Ciscos Approach
Physical Virtual Cloud Journey
PHYSICAL WORKLOAD
One app per Server Static Manual provisioning
VIRTUAL WORKLOAD
Many apps per Server Mobile Dynamic provisioning
CLOUD WORKLOAD
Multi-tenant per Server Elastic Automated Scaling
HYPERVISOR
VDC-1 VDC-2
CONSISTENCY: Policy, Features, Security, Management
Nexus 7K/5K/3K/2K WAAS, ASA, NAM, ACE

BRKVIR-2011
Nexus 1000V, VM-FEX Virtual WAAS, VSG*, ASA 1000V, 3rd Party Appliance
* Virtual only
2013 Cisco and/or its affiliates. All rights reserved. Cisco Public 4
Virtual Services in a Data Centre POD

L3 L2
Network Services NEXUS 5000
C6K
NEXUS 7000 - VPC

C6K
Network Services
Aggregation Typical L3/L2 boundary. Physical network services
L2
NEXUS 7000 - VPC

A B
Unified Compute System Fabric Interconnect
Unified Access Non-blocking paths to servers & IP storage devices
L2
NEXUS 2000
VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM
VM VM VM VM
VM VM VM VM
NEXUS 1000v
VM VM VM VM VM VM VM VM VM
VM VM VM
VM VM VM
VM VM VM
VM VM VM
VM VM VM
VM VM VM VM
Rack 1 Rack 2 Rack 3

BRKVIR-2011
VM VM VM VM VM VM
Virtual Access Virtual switches Virtual services with horizontal scaling
Rack 1
Rack x
Cisco Public 5
Virtual Services Requirements
Server Virtualisation Issues

1. vMotion moves VMs across physical portsthe network policy must follow vMotion 2. Must view or apply network/security policy to locally switched traffic 3. Need to maintain separation of duties while ensuring nondisruptive operations
Port Group
Server Admin Security Admin

BRKVIR-2011
Network Admin
Network Services Options for Virtualised/Cloud DC

Redirect VM traffic via VLANs to external (physical) firewall
Web Server App Server Database Server
Apply hypervisor-based virtual network services

Web Server App Server Database Server
Hypervisor
Hypervisor
VLANs Virtual Contexts This Session
VSN VSN
Virtual Service Nodes
Cisco Public 8
Dedicated Service Nodes

BRKVIR-2011 2013 Cisco and/or its affiliates. All rights reserved.
Virtual Services Options

Stand-alone VSN Can be deployed with any virtual switch Example: vWAAS
VM VM VM VM VM VM VSN VSN 1 1 VSN VSN 2 2 VSN 1 VSN 2 VM VM VSN 1 VSN 2 VM VM
Hypervisor
Hypervisor
N1KV vPath integrated VSN

Integrates with N1KV port profile and virtual service datapath (vPath) Example: vWAAS, VSG, ASA 1000V
VSN: Virtual Service Node
vPath Nexus 1000V
Hypervisor
Hypervisor
Hypervisor
Server(s) for Virtual Services
Cisco Public
Virtual Services Architectural Approach

Requirement Requirement Virtualisation Awareness Dynamic policy-based provisioning Support VM mobility (e.g. vMotion) Solution Solution Virtual (SW) form-factor Integration with VM mgmt tools (e.g. vCenter, SC-VMM in future) Policies bound to vNIC/VM Integration with N1KV (vPath*) (vPath) Virtual service: multi-instance deployment Management: Multi-tenant N1KV vPath: Multi-tenant Profile-based provisioning for services Integration with N1KV port profile Optional hosting on Nexus 1010 HW appliance Integration with N1KV vPath DC-wide: VXLAN** DC-to-DC: OTV**
*vPath: Virtual Service Datapath **VXLAN: Virtual Extensible LAN **OTV: Overlay Transport Virtualisation
Multi-tenant / Scale-out deployment
Separation of Duties Non-disruptive to server team Efficient deployment Performance optimisation Broad mobility diameter DC-wide, DC-to-DC, DC-to-Cloud
Virtual Networking
Architecture for Virtual Services
Nexus 1000V Architecture

Respects DC Operational Model for PV
Virtual Appliance
Network Admin
VSM-1 (active)
VSM-2 (standby)
NX-OS Control Plane
Back Plane
Supervisor-1 (Active) Supervisor-2 (StandBy) Linecard-1 Linecard-2
Linecard-N
NX-OS Data Plane

VEM-1 VEM-2
Modular Switch
VSM: Virtual Supervisor Module VEM: Virtual Ethernet Module
BRKVIR-2011
VEM-N
Hypervisor Server Admin
Hypervisor
Hypervisor
Hypervisors: vSphere (shipping); Win8/Hyper-V (announced)

Cisco Public 12
Embedding Intelligence in Virtual Network

vPath: Virtual Services Data Path
Virtual Appliance ASA1000V VSG
Virtual Security Gateway
vWAAS
VSG
N1KV VSM
vWAAS
Virtual WAAS
ASA 1000V
Virtual ASA (announced)
VXLAN*
Virtual Extensible LAN
LAN segment over L3 (MacVEM-1
vPath VXLAN
vPath
Virtual Service Datapath
Service Binding Fast-Path Offload
VEM-2
vPath VXLAN
over-UDP)
16M LAN segments Submitted to IETF with
Hypervisor
Hypervisor
VMware, Citrix, RedHat,
VXLAN aware*
Nexus 1010 / 1010-X

Hosting Platform for Virtual Services
Virtual Appliance
ASA 1000V vWAAS VSG VSM
Primary
VSM
Nexus 1110 / 1110-X

VSM NAM VSG
DCNM
Secondary
NAM
VSG
DCNM
Nexus 1010 / 1010-X L3 Connectivity

NX-OS based physical (server) appliance Access to VM mgmt tools NOT required Network team deploys & manages it Up to 10 virtual blades on Nexus 1010-X
VEM-1
vPath VXLAN
VEM-2
vPath
VXLAN
Hypervisors: vSphere (shipping); Win8/Hyper-V (announced)

BRKVIR-2011
Hypervisor
Hypervisor
Cisco Public 14
Operational Segregation
Example: vCenter*
vCenter* Nexus1000v VSM
Network Admins
Nexus OS CLI
Server Admins
vCenter* Interface
Create or Update port-profiles
Install hypervisor on hosts with N1KV VEM Create VM and assign Port profiles to VM
*SCVMM for Win8/Hyper-V

BRKVIR-2011
No hand-off required between Server and Network Admins for Virtualised environment
Port Profile Configuration

n1000v# show port-profile name WebProfile port-profile WebServers description: status: enabled capability uplink: no system vlans: port-group: WebServers config attributes: switchport mode access switchport access vlan 110 no shutdown evaluated config attributes: switchport mode access switchport access vlan 110 no shutdown assigned interfaces: Veth10
Support Commands Include:
Port management VLAN PVLAN Port-Channel ACL
Netflow
Port security QoS
BRKVIR-2011
Cisco Public
16
Port Groups: VI Admin View
BRKVIR-2011
Cisco Public
17
Cisco Nexus 1000V

Faster VM Deployment
Cisco Virtual Machine Networking
Policy-Based VM Connectivity Port Profile Defined Policies
WEB Apps
HR DB DMZ
Nexus 1000V VEM Nexus 1000V VEM
Mobility of Network and Security Properties

VM VM VM VM VM
Non-Disruptive Operational Model

VM VM VM
VM Connection Policy
Defined in the network Applied in Virtual Centre Linked to VM UUID
vCenter
Nexus 1000V VSM
BRKVIR-2011
Cisco Public
18
Cisco Nexus 1000V

Richer Network Services
Cisco Virtual Machine Networking
Policy-Based VM Connectivity Mobility of Network and Security Properties
VM VM VM VM
Nexus 1000V VEM
Non-Disruptive Operational Model

VM VM VM VM VM VM VM VM
Nexus 1000V VEM
VMs Need to Move VMotion DRS SW upgrade/patch Hardware failure
N1KV Property Mobility

VMotion for the network Ensures VM security Maintains connection state
vCenter
Nexus 1000V VSM
BRKVIR-2011
Cisco Public
19
Advanced Features of the Nexus 1000V

Switching Security
VLAN/VXLAN, IGMP Snooping, QoS Marking (COS & DSCP), Class-based WFQ
Policy Mobility, Private VLANS, Access Control Lists , Port Security, Dynamic ARP inspection, IP Source Guard, DHCP Snooping
vPath technology to support services e.g. VSG, vWAAS Automated vSwitch Config, Port Profiles, Virtual Centre Integration vMotion, NetFlow v.9 w/ NDE, CDP v.2, VM-Level Interface Statistics, SPAN & ERSPAN (policy-based) Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3
Network Services
Provisioning Visibility Management
BRKVIR-2011
IPv6 Support: As a Layer-2 switch, Nexus 1000V supports forwarding of IPv6 packets as well as Layer-2 features such as PVLAN and Port Security. Also, management interface can be assigned an IPv6 address.
Nexus 1000V Interoperability with VMware

VMware Product vSphere 4 vSphere 5
(with stateless ESX)
Nexus 1000V support R R

(Release 1.4a & above)
VMware View 5 VMware vCloud Director

Port-group backed pools
R R R
(Release 2.1)
VMware vCloud Director 5.1

Port-group backed pools VLAN-backed pools Network-isolation backed pools (via VXLAN)
BRKVIR-2011
Cisco Public
21
Implementing Virtual Network Services

- Virtual Security Gateway (VSG) - ASA 1000V - Virtual WAAS (vWAAS) - NAM on Nexus 1110 - 3rd Party Services
Defence in Depth Security Model

Virtual Security
Policy applied to VM zones Dynamic, scale-out operation VM context based controls Segment internal network Policy applied to VLANs Application protocol inspection Virtual Contexts
VSG (and ASA 1000V*)
ASA-SM
Internal Security
ASA 55xx
Internet Edge
ASA 55xx
Filter external traffic Extensive app protocol support VPN access, Threat mitigation
BRKVIR-2011
Cisco Public
*Announced
24
Use Case Secure Multi-tenancy

Secure zoning of 3-Tier Application Workload
Tenant_A
Only Permit Web Servers access to App servers via HTTP/HTTPS Only Permit App servers access to DB servers
Tenant_B
Web Web Server Server
App App Server Server
DB DB server server
DB DB server server
Port 80 (HTTP) and 443 (HTTPS) of Web Servers open

BRKVIR-2011
Only Port 22 (SSH) of App Servers open
All other traffic denied
Cisco Public
25

Tenant_A
Only Permit Web Servers access to App servers via HTTP/HTTPS Only Permit App servers access to DB servers
Tenant_B
VSG for secure zoning VSG for secure zoning
DB DB server server
DB DB server server

BRKVIR-2011
ASA Firewall for Inter-tenant Edge Control (VLAN based)

Cisco Public 26

Tenant_A
Only Permit Web Servers access to App servers via HTTP/HTTPS
Tenant_B
VSG for Only Permit App servers access to DB secure zoning servers VSG for secure zoning
Benefits
Tenant isolation via VLANs DB DB

server server
Broader Mobility Diameter for VMs
DB DB server server

BRKVIR-2011
ASA Firewall for Inter-tenant Edge Control (VLAN based)

Cisco Public 27
Introducing Virtual Security Gateway

Context aware Security
VM context aware rules Establish zones of trust Policies follow vMotion Efficient, Fast, Scale-out SW
(with Nexus 1000V vPath)
Virtual Security Gateway (VSG)
Zone based Controls Dynamic, Agile Best-in-class Architecture Non-Disruptive Operations Policy Based Administration Designed for Automation
Virtual Network Management Centre (VNMC)
Security team manages security

Central mgmt, scalable deployment, multi-tenancy
XML API, security profiles
IPv6 Support: VSG/VNMC support IPv4 packets in Phase 1. Security rules based on Ethertype can be deployed to permit or deny IPv6 packets.

Logical deployment like physical appliances
VNMC
VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM
Nexus 1000V
Distributed Virtual Switch
vPath
VSG
Secure Segmentation (VLAN agnostic) Transparent Insertion (topology agnostic)

BRKVIR-2011
Efficient Deployment (secure multiple hosts) High Availability

Dynamic policy-based provisioning Mobility aware (policies follow vMotion)

Cisco Public
Log/Audit
29

Intelligent Traffic Steering with vPath
VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM
VNMC
Nexus 1000V
vPath
Decision Caching
VSG
3
1 Initial Packet Flow

2 Flow Access Control
(policy evaluation)
Cisco Public
Log/Audit
30

Performance Acceleration with vPath
VM VM VM
VNMC
VM VM VM VM
VM VM VM
VM VM
VM VM VM
VM VM
VM VM
Nexus 1000V
vPath
Decision offloaded to Nexus 1000V (policy enforcement)
VSG
Remaining packets from flow

BRKVIR-2011 2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
Log/Audit
31
Decoupled Deployment Across Applications & Virtual Services

VSGs VSGs
Tenant A
Web Zone App Zone QA Zone
Tenant B
Dev Zone
VM
VM
VM
VM
VM
VM
VM
VM
vPath
vPath
vPath
No Need to deploy Virtual Services on every host Decouple Service from Compute Resources Easy to scale out with dedicated hosting of Services Simpler to deploy with multiple 1000V
VSM
BRKVIR-2011
Data Center operations Network teams (server,
network, security, etc.)

Cisco Virtual Network Management VMWare vCenter Center ServerServer
Cisco Public 32
Apply Security at Multiple Levels

Enables multi-tenant scale-out deployment
Deployment granularity depending on use case
Tenant, VDC, vApp
VDC

Tenant A vApp Tenant B
Multi-instance deployment provides horizontal scale-out
vApp
vPath Nexus 1000V
Hypervisor
VSG Policy: Rule (ACE) Construct

Rule
Source Condition
Network VM
Destination Condition
Attribute Type
Action
Condition
User Defined vZone
VM Attributes Instance Name
Network Attributes IP Address Network Port
Operator eq neq gt lt range
Operator member Not-member Contains
Guest OS full name

Zone Name Parent App Name Port Profile Name Cluster Name
Not-in-range
Prefix
Hypervisor Name
VSG Policy Provisioning Logical Flow

vCenter
Using VM/Network Attributes

VNMC
PortGroup
Create Rules based on Zones/Network Conditions Put Policy Set in the Security Profile
Define Zones
Define Policy
VSM
Port Profile Protection
Create Security Profile
Bind the Security Profile to Port Profile Assign Security Profile to Tenant VSG
Assign Tenant VSG
35
Port Profile to Security Profile Binding

VNMC Tenant Policy Management
1. Create Security Profile for Tenant A in VNMC
vCenter VM Properties
2. Bind the Security Profile with the PortProfile for Tenant A
3. VMs connect to the Network with Firewall enabled
Nexus 1000V
Use Case 1: Carecore National Secure Zoning Using VM Attribute

VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM
Database Servers
Dev Servers
Exchange Servers
VM VM VM VM VM VM VM VM VM VM
QA Servers
Training Servers
If vm-name contains TRNG ,Servers that VM belongs to TRNG zone R&D

Source Zone=TRNG Any Zone=TRNG Destination Zone=TRNG Zone=TRNG Any Protocol Any Any Any Action Permit Permit Drop
BRKVIR-2011
Cisco Public
37
Use Case 2 Securing VDI with Cisco VSG

Persistent virtual workspace for the doctor
Server Zones
Healthcare Portal Records Database Application
Flexible workspace for Doctors assistant

Maintain compliance while supporting IT consumerisation
Virtual Security Gateway (VSG)
IT Admin
Assistant
Doctor
Guest
HVD Zones
ASA Network
Doctor Guest
Leverage VM context (eg VM-name) to create VSG security policies

Reference Architecture:
iT Admin
Cisco AnyConnect
1000V and VSG in VXI Reference Architecture

Use Case 3
Securing a 3-tier Application Infrastructure
Web Client
Permit Only Port 80(HTTP) of Web Servers Permit Only Port 22 (SSH) to Application Servers Block All External Access to Database Servers
Web-Zone Web Server Web Server
Application-Zone App Server App Server
Database-Zone DB Server DB Server
Only Permit Web Servers Access to Application Servers
Only Permit Application Servers Access to Database Servers
BRKVIR-2011
Cisco Public
39
VSG Release 1.3: Whats New?

1
Virtual Appliance VSG
New
L2 Mode
L3 Mode
2
VEM-2
vPath
VEM-1
vPath
VMware Product vSphere 4 vSphere 5

New
VSG & VNMC support R R
Hypervisor
Hypervisor
Protect VMs on VXLAN (see details in the VM Mobility section)

ASA 1000V
Cloud Firewall
Cisco Virtual Security Products

Zone based intra-tenant segmentation of VMs
ASA 1000V
External / multi-tenant edge deployment
BRKVIR-2011
Cisco Public
42
Securing Multi-tenant Cloud

With Virtual ASA and VSG
Proven Cisco SecurityVirtualised
Physical virtual consistency

Tenant A
VDC
Collaborative Security Model
Tenant B
VDC
VSG for intra-tenant secure zones

Virtual ASA for tenant edge controls Context-based controls
ASA 1000V ASA 1000V
VSG VSG
vApp VSG vApp VSG
Seamless Integration With Nexus 1000V & vPath
vPath Hypervisor
Nexus 1000V
Scales with Cloud Demand
Multi-instance deployment for horizontal scale-out deployment

Policies Enforcement with the ASA 1000V

1. Security Policy is attached to the Port-Profile 2. No vPath encapsulation for VM to VM communication in the same subnet 3. You can have different Port-Profile with different Security Profile for the same Subnet
Port Profile 1 SP- 1
Security Profile - SP 1 Inside

SP 2 Port Profile 2
Security Profile - SP 2 Security Profile - SP 3 Security Profile- SP 4
Outside
Edge Firewall
BRKVIR-2011
Integration with vPath: Outbound Access

1. 2.
VM VM VM VM
Nexus 1000V [vPath] receives packet to be sent to the outside, looks up the security profile binding, and attaches vPath tag. This tag contains the service profile ID for the source VM ASA 1000V creates forward and reverse flows for the packet and applies policy corresponding to the security profile specified in the packet ASA 1000V routes the packet to the outside without a tag Reply packet comes from the outside without any vPath tag ASA 1000V looks up the flow table, adds a vPath tag with the Service profile ID cached in flow table vPath receives the packet, removes the tag and forwards it to the VM
3.
4. 5. vPath
Nexus 1000V
6. 7.
Hypervisor
For Your Reference

vPath as Data Plane: Inbound Access

1.
Packet from the outside hits ASA 1000V, which performs NAT translation to get the internal VM IP address. ASA 1000V consults the VM IP address to service profile binding database received from VNMC, ASA 1000V creates forward and reverse flows for this packet, adds a vPath tag with Service profile ID, and forwards packet to the destination VM The VM responds with a packet which reaches vPath vPath adds vPath tag (same as previous) and forwards to ASA ASA 1000V receives the packet, matches it to the flow created previously, applied NAT and forwards it to the outside without the vPath tag
2.
VM
VM
VM
VM
3.
4.
vPath
5.
Nexus 1000V
Hypervisor
6.
For Your Reference

DMZ Use Cases
ASA 1000V DMZ Use Case

Two ASA 1000V Approach Two Edge Firewalls one for inside subnet and other for DMZ subnet No enforcement within Inside and DMZ VLAN
Tenant A
PP-Inside (VLAN 200) PP-DMZ (VLAN 400) PP-Inside (VLAN 200)
ASA 1000V and VSG Approach Inside Security Profile and DMZ Security Profile addressing the security requirements for both Zones Shared VLAN for both DMZ and Inside
Tenant B
PP-DMZ (VLAN 200)
Inside
DMZ PP- Port-Profile SP- Security Profile
Inside
DMZ
BRKVIR-2011
Cisco Public
ASA 1000V 1.0: Features and Capabilities

NAT IPSec VPN (Site-to-Site)
Default Gateway DHCP Static Routing Stateful Protocol IP Audit
Role based separation
Consistent ASA feature set Intelligent traffic steering via vPath
Strategic Partnership with VMWare
Not just an ASA Part of a solution which benefits from vPath

Cisco Public
vCD Technology Integration Roadmap

VMW Cloud Orchestration
vCloud Director vShield Manager
VMW Network Stack
VMW Cisco Network Stack (N1KV v1.5.1a*)

vShield Edge (Security) Nexus 1000V
Cisco Network & Security Stack (future)

Network Services Mgr (Cisco Net Abstraction) Virtual ASA (Security) Nexus 1000V
vShield Edge (Security) vSwitch
vSphere
Cisco Unified Computing System
Continue future innovations across virtual/hypervisor and physical security

Virtual WAAS
Cisco vWAAS Accelerates Cloud Deployment

Accelerate cloud-bursting, workload mobility, virtualised deployment
Virtual Private Cloud
Enterprise B Enterprise A
Private Cloud
Enterprise A
Cisco vWAAS Benefits
Key Requirements
Elastic provisioning Workload mobility Awareness Scale-out Multi-tenancy
BRKVIR-2011
Branch Office
WAAS
Policy based on-demand orchestration lowers OpEx Application based optimisation Elastic, Multi-tenancy
Cisco Public 52
Cisco vWAAS Provides Flexible Cloud Private Cloud 1 Deployment Options Traditional WAN Edge Deployment at Branch and
WAN or Internet
DC
VMware ESXi Server
Gradual migration from Physical to Virtual
UCS /x86 Server WCCP

VMware ESXi
Multi-tenancy support
Private Cloud, Virtual Private Cloud, & Public Cloud

Re-direction using vPath @VM level

Elastic provisioning Multi-tenancy support
vPATH
vPath Nexus 1000V VMware ESXi Server
Nexus 1000V vPATH VMware ESXi Server
UCS Compute/ Physical servers

BRKVIR-2011
UCS Compute/ Virtualised Servers
UCS /x86 Server

vWAAS Policy Based configuration in N1000V

Feature
1. Optimisation based on the port-profile policy
Benefit
1.
configured in Nexus 1000V
Provide on-demand service orchestration in the cloud without network disruption
2. Policy gets propagated to vCenter automatically

Web Server DB Server Web Server App Server
vWAAS
vCM
vPATH Nexus 1000V VMware ESXi Server
Nexus 1000V
vPATH
VMware ESXi Server
Optimise Port-Profile
Non Opt Port-Profile vWAAS Port-Profile
BRKVIR-2011
Nexus 1000v VSM

vCenter Server Cisco Public
54
vWAAS Application Based Interception

Port-Profile
Network Admin view
vPATH interception
Port-group
Nexus 1000v VSM
Server Admin view
vSphere client
Attach Opt-port-profile to server VMs
BRKVIR-2011
Cisco Public
55
vWAAS VM Mobility Awareness

Feature
1. vPATH aware of movement of VM from one host to another. 2. Traffic interception continue to work as-is without any disruption or changes required.
Web Server DB Server Web Server
Benefit
1. 2.
No disruption in WAN optimisation service if VM moves from one host to another. Support VMware resources scheduling (DRS) and provides High availability
Web Server App Server
vWAAS
vCM
Nexus 1000V
vPATH
Nexus 1000V
vPATH
VMware ESXi Server
VMware ESXi Server
Optimise Port-Profile
Nexus 1000v VSM
Non Opt Port-Profile

vCenter Server
Cisco Public
vWAAS Port-Profile
56
vWAAS Architected for Elastic Workloads

Feature
1. 2.
Benefit
1.
2.
Automatic application of vWAAS service when a new Web Server VM gets provisioned vWAAS services associated with Web server VMs using Nexus 1000V policies.
Elastic vWAAS deployment

Scale-out Virtual Web Server farm by provisioning additional VMs while applying WAN optimisation
Web Server 1
vWAAS
Web Server 1
App Server
vWAAS
Web Server 2
App Server
Add New WebServer Virtual Machine (VM)
NEW
BRKVIR-2011
Cisco Public
57
vWAAS Optimised Performance with vPath

Feature
1. vWAAS send offload to vPATH for non-
Benefit
1.
intresting traffic (inter-server traffic or nopeer traffic) 2. vPATH provide automatic bypass of these traffic
Router Integrated WAAS
High scale with automatic application or portprofile based traffic filtering
vWAAS
Web Server
Branch 1 (w/ WAAS)
WAN

Optimised vPath Redirection
Branch 2 (w/o WAAS)
Non-Optimised Automatic bypass

58
BRKVIR-2011
Cisco Public
rd 3
Party Service on vPath
Imperva Web Application Firewall (WAF)

3rd Party Service leveraging vPath for Policy based Service Insertion
Imperva SecureSphere WAF protects from Web-borne threats like SQL injection or fraud that can lead to a costly Website breach. Available as a virtual appliance and integrates with the Cisco Nexus 1000V Series vPath Architecture
Technical Attack Protection
Business Logic Attack Protection Fraud Prevention


VM VM Web VM VM Web VM VM Web VM Web VM Web VM Web VM
VM VM VM
VM VM
VM VM
VM VM
Nexus 1000V
vPath
WAF
Web http and https traffic will always be redirected to WAF Appliance
Imperva Application Defense Center

62

VM VM Web VM VM Web VM VM Web VM Web VM Web VM Web VM
VM VM VM
VM VM
VM VM
VM VM
Nexus 1000V
vPath
WAF
Non-Interesting Traffic is offloaded to vPath to go directly to the servers

Imperva Application Defense Center

63
vPath 2.0 Service Chaining
VSG and ASA Service Chainig Example 1:

Outside Client trying to access a VM protected by both VSG and ASA
VM VM VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
VM
3 2
VSG
Inside Outside
Nexus 1000V
vPath
ASA
ASA inline Enforcement

1
Initial Packet Flow
vPath Encap links Traffic Path

Cisco Confidential 65
VSG and ASA Service Chaining Example 1:

VM VM VM 4. VSG Policy decision downloaded to VEM VM
VM
VM
VM
VM
VM
4
VSG
Nexus 1000V
vPath
Inside Outside
ASA
vPath Encap links
Cisco Confidential
66

VM VM VM Policy offloaded to VEM VM VM VM VM VM VM
VSG
Nexus 1000V
vPath
Inside Outside
Inline Enforcement
ASA 1000V
Traffic flow after first packet vPath Encap links

Cisco Confidential
67

VM1 to VM2 communication on the same subnet
VM VM VM
VM
VM
VM
VM
VM
VM 2
VSG
VM VM 1 VM VM VM VM VM VM
Nexus 1000V
vPath
Inside
ASA ASA not in the path for the same Subnet VM to VM communication
vPath Encap links
Outside
Cisco Confidential
68

VM1 to VM2 communication on the same subnet
VM VM VM
VM
VM
VM
VM
VM
VM 2
VM
VM 1
VM
VM
VM
VM
VM
VM
4 3
VSG
Nexus 1000V
vPath
Inside Outside
ASA
vPath Encap links
Cisco Confidential
69

VM to VM communication on the same subnet
VM VM VM
VM
VM
VM
VM
VM
VM 2
VM
VM 1
VM
VM
VM
VM
VM
VM
VSG
Inside Outside
Nexus 1000V
vPath
ASA vPath enforcing at VEM level and Policy offloaded from VSG to VEM
vPath Encap links
Cisco Confidential
70
Service Channing Example

Chain VSG and ASA 1000V for a tenant
vservice node ASA1 type asa

ip address 172.31.2.11
adjacency l2 vlan 3770
vservice node VSG1 type vsg

ip address 10.10.11.202 adjacency l3
Defining the Service Node on Nexus 1000V
vservice path chain-VSG-ASA

node VSG1 profile sp-web order 10 node ASA1 profile sp-edge order 20
Chain the Service Nodes Order is inside to outside Enable the Service Chain Per Port-Profile
Cisco Public 71
port-profile type vethernet Tenant-1

org root/Tenant-1
BRKVIR-2011
vservice path chain-VSG-ASA 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Prime NAM for Nexus 1010
The Challenge: Server Virtualisation Creates a Demand for VM-level Visibility

Boundary of network visibility
BRKVIR-2011
Cisco Public
73

Extends Visibility into Virtual Machine (VM) Network
VM
Nexus 1000V VEM
VM
VM
VM
Boundary of network visibility
vSphere
Server Server
Server
Release 5.1(2)
NetFlow ERSPAN
Enable NAM as a Network Service on N1KV

Netflow Configuration flow exporter exporter1 destination 172.23.180.38 transport udp 3000 source mgmt0 ERSPAN Configuration monitor session 1 type erspan-source source vlan 16,173 both destination ip 172.23.180.38 erspan-id 100
For Your Reference
dscp 63
version 9 ..
mtu 1500
header-type 3
NAM Receiver for Netflow and ERSPAN Traffic

Virtual Services & VM Mobility

- DC wide - DC to DC
DC-wide VM Mobility Multiple Options

Bigger UCS domain broader mobility within UCS domain
FabricPath/Trill DC-wide VM mobility with N7K/N5K Nexus 1000V & VXLAN w/ OTV
This Session
BRKVIR-2011
Cisco Public
77
VM Mobility across DCs

Maintain network & security policies during vMotion
Nexus 1000V VSM Pair & VSG Pair (or VSG/VSG hosted on Nexus 1010s)
Data Centre #1
VSM (Active) vCenter (Active) VSG (Active) VSM (Standby) VSG (Standby)
Data Centre #2
Layer 2 Extension (OTV)
vSphere Nexus 1000V VEM vSphere Nexus 1000V VEM
vSphere Nexus 1000V VEM
vPath
vSphere Nexus 1000V VEM
Virtualised Workload Mobility
vPath
Stretched Cluster
vPath
vPath
vCenter SQL/Oracle Database
Replicated vCenter SQL/Oracle Database
Migrate virtual workloads seamlessly across Data Centres Maintain transparency to network & security policies (via N1KV & VSG)
Deploying Services on VXLAN
Why VXLANs?
Pain points in scaling cloud networking
Use of server virtualisation and cloud computing is stressing the network infrastructure in several ways:
Server Virtualisation increases demands on switch MAC address tables Multi-tenancy and vApps driving the need for more than 4K VLANs Static VLAN trunk provisioning doesnt work well for Cloud Computing and VM mobility Limited reach of VLANs using STP constrains use of compute resources
BRKVIR-2011
Cisco Public
80
Multi-Tenancy and vApps Drive the Need for Many L2 Segments

Both MAC and IP addresses could overlap between two tenants, or even within the same tenant in different vApps.
Each overlapping address space needs a separate segment
VLANs use 12 bit IDs = 4K
VXLANs use 24 bit IDs = 16M
BRKVIR-2011
Cisco Public
81
Virtual Extensible Local Area Network (VXLAN)

Supported in Nexus 1000V Release 1.5
Tunnel between VEMs VMs do NOT see VXLAN ID IP multicast used for L2 broadcast/multicast, unknown unicast Technology submitted to IETF for standardsation
With VMware, Citrix, Red Hat and Others
Ethernet in IP overlay network

Entire L2 frame encapsulated in UDP 50 bytes of overhead Include 24 bit VXLAN Identifier 16 M logical networks
Mapped into local bridge domains
VXLAN can cross Layer 3

Outer MAC DA Outer MAC SA Inner MAC DA InnerM AC SA Optional Inner 802.1Q Original Ethernet Payload
Outer 802.1Q
Outer IP DA
Outer IP SA
Outer UDP
VXLAN ID (24 bits)
CRC
VXLAN Encapsulation
Original Ethernet Frame

Cisco Public 82
Scalable Pod Deployment with VXLAN within Logical Nework Spanning a Data Centre Across Layer 3
VM VM VM VM VM VM VM
Add More Pods to Scale

Logical Topology with VSG and ASA 1000V

VSG and workload and inside interface of ASA 1000V on the same L2 segment (VXLAN 5500) VSG VM VM
VXLAN 5500
VLAN 55
BRKVIR-2011
Cisco Public
84
ASA 1000V and VSG Service Chaining on VXLAN

ASA 1000V VM
Data
VSG
vPath Data
Nexus 1000V
vPath Nexus 1000V
Nexus 1000V
Hypervisor
Hypervisor
ESX
Hypervisor
2
VXLAN vPath Data
VXLAN vPath Data
vPath
Client
Security Profile ID for VSG Decision returned to the vPath


ASA 1000V VM Policy off Loaded VSG
Nexus 1000V
vPath Nexus 1000V
Nexus 1000V
Hypervisor
Hypervisor
ESX
Hypervisor
6
VXLAN vPath Data
VXLAN vPath Data
vPath
Client
Security Profile ID for VSG Decision returned to the vPath


ASA 1000V
10 Data
VSG
9
VM
vPath Data
Nexus 1000V
vPath Nexus 1000V
Nexus 1000V
Hypervisor VXLAN
Hypervisor
VXLAN vPath Data
ESX
Hypervisor
vPath Data
Data
Client
vPath
Edge Security Profile ID for ASA

Configuration Example
Applying Service on both VLAN and VXLAN backed Port-Profiles vlan 10 bridge-domain vxlan_5005 segment id 5005 group 225.1.1.5 ! Port-Profile VXLAN Backed
For Your Reference
Bridge Domain
! Port-Profile VLAN Backed port-profile type vethernet TenantA switchport access vlan 10 org root/abc vn-service ip-address 10.10.10.137 vlan 20 security-profile secure-abc
port-profile type vethernet TenantA switchport access bridge-domain vxlan_5005 org root/abc vn-service ip-address 10.10.10.137 vlan 20 security-profile secure-abc
no shutdown
state enabled
BRKVIR-2011
no shutdown
state enabled
Summary
Nexus 1000V vPath makes the Virtual Service Possible
VSG and ASA 1000V are different firewalls but they compliment each other
Services can be enabled on a per tenant basis vPath is designed to scale out for Multi-tenant Environment Services can be deployed on VXLANs as well as VLANs
BRKVIR-2011
Cisco Public
89
Related Sessions
Other N1KV Related Session which you may be interested to attend
For Your Reference
BRKVIR-2011 Environment
BRKVIR-2014 VXLAN and BRKVIR-2017 V: Expanding BRKVIR-3013 Nexus 1000v
Deploying Services in a Virtualised

Architecting Scalable Clouds using Nexus 1000V The Nexus 1000V on Microsoft Hyperthe Virtual Edge Deploying and Troubleshooting the virtual switch
BRKVIR-2011
Cisco Public
90
Wrap-Up
- Solutions - Webcasts - Resources - CloudLab (on-line remote lab) - Related Sessions & Cisco Live hands-on labs - Session Evaluation
Reference Solutions
Solution Nexus 1000V Implicit Support Implicit support Implicit support Implicit support Implicit support
*Based on default Citrix configuration
Nexus 1010
Virtual WAAS *
NAM (N1010)
Vblock FlexPOD Virtual Desktop Virtual Multi-tenant DC (VMDC) DC-to-DC vMotion PCI 2.0 Hosted Collaboration
Implicit Support Implicit support
Implicit support Implicit support Implicit support
Reference Solutions
Vblock with Nexus 1000V; Vblock with VSG and vWAAS FlexPOD with Nexus 1000V and Nexus 1010 Virtual Multi-tenant Data Centre with Nexus 1000V and VSG Virtual Desktop
For Your Reference
1000V and VMware View
1000V and Citrix XenDesktop

1000V and VSG in VXI Reference Architecture
Virtual Workload Mobility (aka Long-distance vMotion)
Cisco, VMware and EMC (with 1000V and VSG)

Cisco, VMware and NetApp (with 1000V and VSG)
PCI 2.0 with Nexus 1000V and VSG
Cisco Cloud Lab Hands On Training & Demos

https://cloudlab.cisco.com
Open to all Cisco employees Customers/Partners require
For Your Reference
Hands on labs available for Nexus 1000V and VSG in Cloud Lab
sponsorship from account team

for access via CCO LoginID
BRKVIR-2011
Cisco Public
94
Resources
CCO Links 1000V: www.cisco.com/go/1000v 1010: www.cisco.com/go/1010 VSG: www.cisco.com/go/vsg VNMC: www.cisco.com/go/vnmc vWAAS: www.cisco.com/go/waas Deployment Guides Nexus 1000V Deployment Guide Nexus 1000V on UCS Best Practices Nexus 1010 Deployment Guide VSG Deployment Guide White papers: Nexus 1000V and vCloud Director N1K on UCS Best Practices Nexus 1000V QoS White paper (draft) VSG and vCloud Director (draft) vWAAS Technical Overview vWAAS for Cloud-ready WAN Optimization Nexus 1000V Community
2013 Cisco and/or its affiliates. All rights reserved. Cisco Public
For Your Reference
BRKVIR-2011
95
Additional Links
N1K Download and 60-day Eval: www.cisco.com/go/1000vdownload N1K Product Page: www.cisco.com/go/1000v N1K Community: www.cisco.com/go/1000vcommunity N1K Twitter www.twitter.com/official_1000V N1K Webinars: www.tinyurl.com/1000v-webinar
For Your Reference
N1K Case Studies: www.tinyurl.com/n1k-casestudy

N1K Whitepapers www.tinyurl.com/n1k-whitepaper N1K Deployment Guide: www.tinyurl.com/N1k-Deploy-Guide VXI Reference Implementation: www.tinyurl.com/vxiconfigguide N1K on UCS Best Practices: www.tinyurl.com/N1k-On-UCS-Deploy-Guide
BRKVIR-2011
Cisco Public
96
Q&A
Complete Your Online Session Evaluation

Give us your feedback and receive a Cisco Live 2013 Polo Shirt!
Complete your Overall Event Survey and 5 Session Evaluations. Directly from your mobile device on the Cisco Live Mobile App By visiting the Cisco Live Mobile Site www.ciscoliveaustralia.com/mobile Visit any Cisco Live Internet Station located throughout the venue Polo Shirts can be collected in the World of Solutions on Friday 8 March 12:00pm-2:00pm
Dont forget to activate your Cisco Live 365 account for access to all session material, communities, and on-demand and live activities throughout the year. Log into your Cisco Live portal and click the "Enter Cisco Live 365" button. www.ciscoliveaustralia.com/portal/login.ww
Cisco Public 99
BRKVIR-2011
BRKVIR-2011
Cisco Public

Brkvir 2011

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Brkvir 2011

Uploaded by

Copyright:

Available Formats

Deploying Services in a Virtualised Environment

2013 Cisco and/or its affiliates. All rights reserved.

Virtual Networking & Services architecture

Implementing Virtualised Services

3rd Party Services on vPath

Reference Solutions, Resources & Wrap-Up

CONSISTENCY: Policy, Features, Security, Management

Nexus 7K/5K/3K/2K WAAS, ASA, NAM, ACE

Virtual Services in a Data Centre POD

NEXUS 7000 - VPC

Aggregation Typical L3/L2 boundary. Physical network services

NEXUS 7000 - VPC

Unified Compute System Fabric Interconnect

Unified Access Non-blocking paths to servers & IP storage devices

Rack 1 Rack 2 Rack 3

Virtual Access Virtual switches Virtual services with horizontal scaling

2013 Cisco and/or its affiliates. All rights reserved.

Virtual Services Requirements

Server Virtualisation Issues

Server Admin Security Admin

Network Services Options for Virtualised/Cloud DC

Apply hypervisor-based virtual network services

VLANs Virtual Contexts This Session

Dedicated Service Nodes

Virtual Services Options

N1KV vPath integrated VSN

vPath Nexus 1000V

Virtual Services Architectural Approach

Multi-tenant / Scale-out deployment

Nexus 1000V Architecture

NX-OS Control Plane

Supervisor-1 (Active) Supervisor-2 (StandBy) Linecard-1 Linecard-2

NX-OS Data Plane

Hypervisor Server Admin

Hypervisors: vSphere (shipping); Win8/Hyper-V (announced)

2013 Cisco and/or its affiliates. All rights reserved.

Embedding Intelligence in Virtual Network

VMware, Citrix, RedHat,

Nexus 1010 / 1010-X

Nexus 1110 / 1110-X

Nexus 1010 / 1010-X L3 Connectivity

Hypervisors: vSphere (shipping); Win8/Hyper-V (announced)

Create or Update port-profiles

*SCVMM for Win8/Hyper-V

Port Profile Configuration

Support Commands Include:

Port management VLAN PVLAN Port-Channel ACL

2013 Cisco and/or its affiliates. All rights reserved.

Port Groups: VI Admin View

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Nexus 1000V

Mobility of Network and Security Properties

Non-Disruptive Operational Model

Nexus 1000V VSM

2013 Cisco and/or its affiliates. All rights reserved.

Cisco Nexus 1000V

Non-Disruptive Operational Model

VMs Need to Move VMotion DRS SW upgrade/patch Hardware failure

N1KV Property Mobility

Nexus 1000V VSM

2013 Cisco and/or its affiliates. All rights reserved.

Advanced Features of the Nexus 1000V

Nexus 1000V Interoperability with VMware