Cisco Virtual Networking Solution: Nexus 1000v and Virtual Services

Abhishek Mande, Engineer
[email protected]

2014. 6. 26.



Page 2: Agenda

§ Application requirements in virtualized DC
§ The Anatomy of Nexus 1000V
§ Virtual Services with vPath
§ Prime NSC
§ vPath Service Chaining
§ Summary

Page 3: Server Virtualization Issues

1. vMotion moves VMs across physical ports—the network policy must follow vMotion

2. Must view or apply network/security policy to locally switched traffic

3. Need to maintain separation of duties while ensuring non-disruptive operations

Diagram: one port group shared by the Server Admin, Network Admin and Security Admin roles.

Page 4: Application Requirements for Network Services

§ Current-generation network capabilities are driven by the physical network topology. For example, if the firewall is plugged into the Internet connection and the load balancer into the firewall, traffic must always flow in that order.

§ Application-driven requirements that change that relationship (load balancing first, then firewall) cannot be supported without physically changing the layout of the network.

Diagram: Core Router/Switch → Firewall → Load Balancer → Proxy Server → Application.

Page 5: Virtual Services – Architectural Approach

Requirement: Virtualisation Awareness
•  Dynamic policy-based provisioning
•  Support VM mobility (e.g. vMotion)
Solution:
•  Virtual (SW) form-factor
•  Integration with VM mgmt tools (e.g. vCenter, SC-VMM in future)
•  Policies bound to vNIC/VM
•  Integration with N1KV (vPath*)

Requirement: Multi-tenant / Scale-out deployment
Solution:
•  Virtual service: multi-instance deployment
•  Management: Multi-tenant
•  N1KV vPath: Multi-tenant

Requirement: Separation of Duties
•  Non-disruptive to server team
Solution:
•  Profile-based provisioning for services
•  Integration with N1KV port profile
•  Optional hosting on Nexus 1010 HW appliance

Requirement: Efficient deployment, performance optimisation
Solution:
•  Integration with N1KV vPath

Requirement: Broad mobility diameter
•  DC-wide, DC-to-DC, DC-to-Cloud
Solution:
•  DC-wide: VXLAN**
•  DC-to-DC: OTV**

*vPath: Virtual Service Datapath
**VXLAN: Virtual Extensible LAN; OTV: Overlay Transport Virtualisation

Page 6: Network Services Options for Virtualized/Cloud DC

Diagram: two ways to attach network services to Web, App and Database server VMs.
•  Dedicated Service Nodes (virtual contexts, VLANs): redirect VM traffic via VLANs to an external (physical) firewall.
•  Virtual Service Nodes (VSN) in the hypervisor: apply hypervisor-based virtual network services. This session covers the second option.

Page 7: The Anatomy of Nexus 1000V

Page 8: Nexus 1000V - Consistent Cloud Networking: Multi-Hypervisor and Multi-Orchestration Strategy

Diagram: layered stack.
•  Cloud Portal and Orchestration: vCloud Director/Automation Center, System Center, Citrix CloudPlatform, CIAC/OpenStack/Partners
•  Virtual Network Infrastructure: Nexus 1000V (L2-3, vPath) and Cloud Network Services (L4-7): vWAAS, NAM, ASA 1000V, NetScaler 1000V, VSG, Partners
•  Hypervisors: vSphere, Hyper-V, XenServer, KVM
•  Physical Network: Unified Fabric (Nexus), UCS Computing Platform, Storage Platform

Page 9: Cisco Nexus 1000V - Policy-Based VM Connectivity

Diagram: vCenter and the Nexus 1000V VSM distribute port profiles / defined policies (WEB, Apps, HR, DB, DMZ) to the Nexus 1000V VEMs that host the VMs.

VM Connection Policy
•  Defined in the network
•  Applied in Virtual Centre
•  Linked to VM UUID

Three themes of Cisco Virtual Machine Networking: Policy-Based VM Connectivity; Mobility of Network and Security Properties; Non-Disruptive Operational Model.

Page 10: Cisco Nexus 1000V - Mobility of Network and Security Properties

VMs Need to Move
•  VMotion
•  DRS
•  SW upgrade/patch
•  Hardware failure

Property Mobility
•  VMotion for the network
•  Ensures VM security
•  Maintains connection state

Diagram: VMs moving between Nexus 1000V VEMs while vCenter and the Nexus 1000V VSM keep the policy attached.

Page 11: Nexus 1000V Architecture Respects DC Operational Model for P→V

Diagram: the Nexus 1000V is laid out like a modular switch.
•  Modular switch: Supervisor-1 (Active), Supervisor-2 (StandBy), Linecard-1, Linecard-2 … Linecard-N, connected by a backplane.
•  Nexus 1000V: VSM-1 (active) and VSM-2 (standby) run as virtual appliances and form the NX-OS control plane, owned by the Network Admin; VEM-1, VEM-2 … VEM-N run inside the hypervisors and form the NX-OS data plane, on hosts owned by the Server Admin.

VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module

Page 12: Port-Profile Configuration

n1000v# show port-profile name WebProfile
port-profile WebServers
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebServers
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10

Supported commands include:
•  Port management
•  VLAN
•  PVLAN
•  Port-Channel
•  ACL
•  Netflow
•  Port security
•  QoS
•  vService

Page 13: Port Groups: VI Admin View

Page 14: Nexus 1000V Architecture - vPath: service insertion in the hypervisor

Diagram: the same modular-switch analogy as Page 11 (VSM-1 active / VSM-2 standby as the NX-OS control plane, VEM-1 … VEM-N in the hypervisors as the NX-OS data plane), with a vPath component added inside each VEM.

Page 15: vPath – Policy Based Service Enablement

Diagram: Cloud Network Services (CNS) attached to Nexus 1000V vPath on any hypervisor.

vPath is the Nexus 1000V data-plane component:

1.  Distributed service insertion architecture, with an intelligent traffic intercept and redirection mechanism
2.  Topology-agnostic service insertion model
3.  Service chaining across multiple virtual services
4.  Performance acceleration with vPath, e.g. VSG flow offload
5.  Efficient and scalable architecture
6.  VM policy mobility with VM mobility

Evolve the network for the next wave of application requirements.

Page 16: Virtual Services

Page 17: Cisco Virtual Networking and Cloud Network Services

Diagram: Physical Infrastructure (WAN router, switches, servers) under a Multi-Hypervisor layer (VMware, Microsoft, KVM*, Xen*) running Nexus 1000V with vPath and Enhanced VXLAN, which hosts the Cloud Network Services: Cisco Virtual Security Gateway, Imperva SecureSphere WAF, vWAAS, Cloud Services Router 1000V, ASA 1000V Cloud Firewall, Citrix NetScaler 1000V and the Network Analysis Module (vNAM).

Full portfolio of best-in-class virtualized network services:

Nexus 1000V
•  Distributed switch
•  NX-OS consistency

VSG
•  Distributed
•  Zone-based FW

ASA 1000V
•  Edge firewall, VPN
•  Protocol inspection

vWAAS
•  WAN optimization
•  Application traffic

CSR 1000V (Cloud Router)
•  WAN L3 gateway
•  Routing and VPN

Ecosystem Services
•  Citrix NetScaler VPX virtual ADC
•  Imperva Web App. Firewall

*KVM in beta, Xen prototype

Page 18: Cisco Cloud Services Platform

Diagram: the Nexus 1110 Cloud Services Platform hosting VSM, VSM and DCNM*, alongside the Cisco Cloud Network Services (CNS): Citrix NetScaler 1000V, Prime virtual NAM, Imperva SecureSphere WAF and Virtual Security Gateway, all attached to Nexus 1000V vPath on any hypervisor. 10G and SSL ready.

•  Dedicated Cloud Services appliance
•  Flexible, on-demand allocation of resources
•  Allows policy management by network teams

VSM = Virtual Supervisor Module; DCNM = Data Center Mgt. Center; * 2H CY13

Page 19: Virtual Security Gateway

Page 20: Cisco Virtual Security Gateway - Distributed, Zone-Based Firewall

•  Context-aware security: VM context-aware rules
•  Zone-based controls: establish zones of trust
•  Dynamic, agile: policies follow vMotion
•  Best-in-class architecture: efficient, fast, scale-out SW (with vPath intelligence)

Diagram: Virtual Security Gateway (VSG) managed by Prime NSC.

Page 21: Virtual Security Gateway - Intelligent Traffic Steering with vPath (initial packet)

Diagram: VMs on a Nexus 1000V Distributed Virtual Switch with vPath, a VSG, and PNSC receiving log/audit data. Steps annotated for the initial packet of a flow:
1.  Initial packet flow (intercepted by vPath)
2.  Flow access control (policy evaluation) in the VSG
3.  Decision caching
VSG sends log/audit data to PNSC.

Page 22: Virtual Security Gateway - Intelligent Traffic Steering with vPath (remaining packets)

Diagram: the same topology; for the remaining packets of the flow the decision is offloaded to the Nexus 1000V (policy enforcement in vPath) without revisiting the VSG; VSG sends log/audit data to VNMC.

Page 23: Decoupled Deployment Across Applications and Virtual Services

Diagram: virtualized infrastructure with Cisco Nexus® 1000V deployment; VMs spread across five VEMs, with a single Cisco VSG serving them.

•  No need to deploy virtual services on every host
•  Plan CPU capacity independently across application workloads and virtual services
•  Solution is simpler to deploy with multiple operations teams (server, network, and security)

Page 24: Deployment in Multitenant Environment

Diagram: three vSphere hosts, each running a Cisco Nexus 1000V VEM with vPath, connected to the Data Center Network; VMware vCenter Server, the Nexus 1000V VSM and the Cisco Prime Network Service Controller manage them. Tenant A has an active VSG (Web Zone, App Zone) and Tenant B an active VSG (Dev Zone, QA Zone), each with a standby VSG.

Page 25: Policy Rule Construct

•  Cisco VSG supports policies based on network attributes and virtual machine (VM) attributes

Rule = Source Condition + Destination Condition + Action

Condition:
•  Attribute type: Network, VM, Custom
•  VM attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name
•  Network attributes: IP Address, Network Port
•  Operators: eq, neq, gt, lt, range, not-in-range, prefix, member, not-member, contains
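As an added example (not Cisco code, and not the VSG's real implementation), the following Python models the rule construct on this slide together with the vPath flow offload drawn on pages 21-22: conditions over VM and network attributes with the listed operators, first-match evaluation by a "VSG", and a per-flow decision cache so only the first packet of a flow is evaluated. The inventory, rules, flows and the implicit-deny default are constructed assumptions.

```python
"""Added example, not Cisco code: a toy model of the VSG policy-rule construct
(source and destination conditions over VM and network attributes, with the
operators eq, neq, gt, lt, range, not-in-range, prefix, member, not-member and
contains) combined with the vPath flow offload of pages 21-22: the first packet
of a flow is evaluated against the rule set, the verdict is cached per flow, and
the remaining packets are enforced from the cache. All data below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Any, Dict, List, Tuple

# One function per operator named on the slide: (attribute value, operand) -> bool
OPERATORS = {
    "eq": lambda v, o: v == o,
    "neq": lambda v, o: v != o,
    "gt": lambda v, o: v > o,
    "lt": lambda v, o: v < o,
    "range": lambda v, o: o[0] <= v <= o[1],
    "not-in-range": lambda v, o: not (o[0] <= v <= o[1]),
    "prefix": lambda v, o: ipaddress.ip_address(v) in ipaddress.ip_network(o),
    "member": lambda v, o: v in o,
    "not-member": lambda v, o: v not in o,
    "contains": lambda v, o: o in v,
}

@dataclass
class Condition:
    attr: str        # VM attribute (zone, guest_os, port_profile ...) or network attribute (ip, port)
    op: str          # key of OPERATORS
    operand: Any

    def matches(self, endpoint: Dict[str, Any]) -> bool:
        if self.attr not in endpoint:
            return False                      # an absent attribute never satisfies a condition
        return OPERATORS[self.op](endpoint[self.attr], self.operand)

@dataclass
class Rule:
    name: str
    src: List[Condition]
    dst: List[Condition]
    action: str                               # "permit" or "drop"

    def matches(self, src: Dict[str, Any], dst: Dict[str, Any]) -> bool:
        return all(c.matches(src) for c in self.src) and all(c.matches(dst) for c in self.dst)

def evaluate(rules: List[Rule], src: Dict[str, Any], dst: Dict[str, Any]) -> Tuple[str, str]:
    """First-match evaluation: the step the VSG performs on the initial packet of a flow."""
    for rule in rules:
        if rule.matches(src, dst):
            return rule.action, rule.name
    return "drop", "implicit-default"          # constructed default: deny what no rule permits

class VPathFlowCache:
    """Per-VEM vPath: sends the first packet of a flow to the 'VSG', then enforces from cache."""
    def __init__(self, rules: List[Rule], inventory: Dict[str, Dict[str, Any]]):
        self.rules = rules
        self.inventory = inventory            # VM IP -> VM attributes (what the VSG learns from vCenter)
        self.cache: Dict[Tuple, str] = {}
        self.vsg_evaluations = 0              # how many packets actually reached the VSG

    def endpoint(self, ip: str, port: int) -> Dict[str, Any]:
        attrs = dict(self.inventory.get(ip, {}))   # unknown IPs carry network attributes only
        attrs.update({"ip": ip, "port": port})
        return attrs

    def handle(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int, proto: str = "tcp"):
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        if key in self.cache:
            return self.cache[key], "cache"   # remaining packets: decision offloaded to vPath
        self.vsg_evaluations += 1
        action, _ = evaluate(self.rules, self.endpoint(src_ip, src_port), self.endpoint(dst_ip, dst_port))
        self.cache[key] = action              # decision caching
        return action, "vsg"

# Constructed inventory: three VMs carrying the kinds of VM attributes the slide lists.
INVENTORY = {
    "10.0.1.10": {"zone": "web", "guest_os": "Ubuntu Linux (64-bit)", "port_profile": "WebServers"},
    "10.0.2.20": {"zone": "app", "guest_os": "Ubuntu Linux (64-bit)", "port_profile": "AppServers"},
    "10.0.3.30": {"zone": "db", "guest_os": "Red Hat Enterprise Linux 6 (64-bit)", "port_profile": "DBServers"},
}

# Constructed rules exercising several of the slide's operators.
RULES = [
    Rule("client-to-web", [Condition("ip", "prefix", "172.50.0.0/16")],
         [Condition("zone", "eq", "web"), Condition("port", "eq", 80)], "permit"),
    Rule("web-to-app", [Condition("port_profile", "contains", "Web")],
         [Condition("zone", "eq", "app"), Condition("port", "range", (8080, 8090))], "permit"),
    Rule("app-to-db", [Condition("zone", "member", ["app"])],
         [Condition("zone", "eq", "db"), Condition("guest_os", "contains", "Red Hat"),
          Condition("port", "eq", 3306)], "permit"),
    Rule("no-web-to-db", [Condition("zone", "eq", "web")], [Condition("zone", "eq", "db")], "drop"),
]

def run_sample() -> Dict[str, Any]:
    """Drives a few constructed flows through one vPath instance and returns the verdicts."""
    vpath = VPathFlowCache(RULES, INVENTORY)
    out = {
        "client_web_first": vpath.handle("172.50.20.10", 40001, "10.0.1.10", 80),   # evaluated by VSG
        "client_web_second": vpath.handle("172.50.20.10", 40001, "10.0.1.10", 80),  # same flow: cache hit
        "web_app": vpath.handle("10.0.1.10", 50000, "10.0.2.20", 8080),
        "app_db": vpath.handle("10.0.2.20", 50001, "10.0.3.30", 3306),
        "web_db": vpath.handle("10.0.1.10", 50002, "10.0.3.30", 3306),
        "unknown_src": vpath.handle("10.0.9.9", 1, "10.0.3.30", 22),               # no VM attributes
    }
    out["vsg_evaluations"] = vpath.vsg_evaluations
    return out
```

Running `run_sample()` shows six distinct flows but only five VSG evaluations: the second client packet is answered from the vPath cache, which is the offload the slides describe. Note the design choice that a missing attribute never satisfies a condition: a source the VSG has no VM attributes for cannot accidentally match a rule written in terms of zone or port profile and falls through to the default.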

Page 26: Citrix NetScaler 1000V

Page 27: Citrix NetScaler 1000V

•  Citrix best-in-class virtual application delivery controller (vADC)
•  Sold and supported by Cisco (Q3)
•  Integrated with Nexus 1100, vPath
•  NetScaler 1000V = VPX – (Cloud Bridge, Cloud Connect, SSL VPN)

Diagram: the same Cloud Services Platform picture as Page 18 (Nexus 1110 with VSM, VSM, DCNM*; CNS: Citrix NetScaler 1000V, Prime virtual NAM, Imperva SecureSphere WAF, Virtual Security Gateway; Nexus 1000V vPath on any hypervisor), with Citrix NetScaler 1000V highlighted.

VSM = Virtual Supervisor Module; DCNM = Data Center Mgt. Center; * 2H CY13

Page 28: SLB: With and Without vPath

Without vPath
§  Source NAT (SNAT) - client/source obscured
§  Policy Based Routing (PBR) - complex
§  Inline ADCs – performance bottleneck
§  Selective traffic – optimal implementation

Page 29: SLB - why vPath?

Without vPath
§  Source NAT (SNAT) - client/source obscured
§  Policy Based Routing (PBR) - complex
§  Inline ADCs – performance bottleneck
§  Selective traffic – optimal implementation

With vPath
•  Preserve source IP with vPath; vPath redirects server-return traffic to the SLB
•  Easy deployment – topology agnostic
•  Service chaining
•  Optimal use of performance
•  Enable new east-west flow use cases

Page 30: NetScaler 1000V without vPath - East-West / Distributed Services (step 1)

Diagram: Web Tier, App Tier and DB Tier with Virtual Services; Client IP 172.50.20.10.

1.  The Web Server initiates a connection to the App Server with LB services enabled, so the destination IP is the VIP (packet: DST IP 192.168.20.10, Src IP 192.168.20.100).

Page 31: NetScaler 1000V without vPath - East-West / Distributed Services (step 2)

2.  The VIP selects the App Server as the destination and sends the packet with the destination IP of the App Server and the source IP of its SNIP (packet: DST IP 192.168.30.10, Src IP 192.168.20.200).

Page 32: NetScaler 1000V without vPath - East-West / Distributed Services (step 3)

3.  The distributed firewall policy for the App Server receives the packet but lacks visibility of the source information needed for policy evaluation: the firewall needs to know the Source/Client IP, so the policy fails.

Page 33: NetScaler 1000V with vPath - Enabling the East-West flow use case for SLB (step 3)

Diagram: Web Tier, App Tier and DB Tier, each host running Cisco vPath; Client IP 172.50.20.10.

3.  The distributed firewall enabled for the App Server receives the packet with full visibility of the source information for policy evaluation: the firewall sees both source and destination.

Page 34: NetScaler 1000V with vPath - Enabling the East-West flow use case for SLB (step 4)

4.  The packet is forwarded to the App Server after policy evaluation.

-  East-West services and application servers are ready to deliver best-in-class services.
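The packet walk of pages 30-34, as an added Python example that is not Cisco or Citrix code. It uses the addresses shown on the slides (Web server 192.168.20.100, VIP 192.168.20.10, SNIP 192.168.20.200, App server 192.168.30.10); the zone table, the firewall rule and the load balancer's session table are constructed assumptions. It also covers the intermediate case the deck implies but does not draw: preserving the source address without the vPath redirect of server-return traffic lets the App server's reply bypass the SLB.

```python
"""Added example, not Cisco or Citrix code: a toy packet walk for the east-west
SLB case on pages 30-34. Without vPath the load balancer source-NATs the Web
server's request to its SNIP, so the distributed firewall in front of the App
server cannot see the Web server's address and its zone rule fails. With vPath
the source is preserved and the App server's return traffic is steered back to
the SLB, which restores the VIP as the reply source."""
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

# Addresses as shown on pages 30-31.
WEB_SERVER = "192.168.20.100"
VIP = "192.168.20.10"          # NetScaler virtual IP the Web server connects to
SNIP = "192.168.20.200"        # NetScaler subnet IP used as the SNAT source
APP_SERVER = "192.168.30.10"

# Constructed zone table for the distributed (VSG-style) firewall at the App tier.
ZONE = {WEB_SERVER: "web", APP_SERVER: "app"}

def app_firewall_permits(pkt: Packet) -> bool:
    """Constructed rule: only the web zone may open connections into the app zone."""
    return ZONE.get(pkt.src) == "web" and ZONE.get(pkt.dst) == "app"

class LoadBalancer:
    """Minimal SLB: one VIP, one backend, optional SNAT, and a session table for un-translation."""
    def __init__(self, preserve_source: bool):
        self.preserve_source = preserve_source
        self.backend = APP_SERVER
        self.sessions = {}     # (backend, client address the backend sees) -> VIP

    def forward(self, pkt: Packet) -> Packet:
        assert pkt.dst == VIP
        src = pkt.src if self.preserve_source else SNIP
        self.sessions[(self.backend, src)] = pkt.dst
        return Packet(src=src, dst=self.backend)

    def reverse(self, reply: Packet) -> Packet:
        """Rewrite a backend reply so the client sees it coming from the VIP."""
        vip = self.sessions[(reply.src, reply.dst)]
        return Packet(src=vip, dst=reply.dst)

def walk(mode: str) -> Tuple[Packet, bool, Optional[Packet]]:
    """mode: 'snat' (no vPath), 'preserve-no-redirect', or 'vpath'.
    Returns (packet seen by the App firewall, firewall verdict, reply as it reaches the Web server)."""
    lb = LoadBalancer(preserve_source=(mode != "snat"))
    fwd = lb.forward(Packet(src=WEB_SERVER, dst=VIP))   # steps 1-2: Web -> VIP, SLB picks the App server
    if not app_firewall_permits(fwd):                     # step 3: distributed firewall at App
        return fwd, False, None
    reply = Packet(src=APP_SERVER, dst=fwd.src)           # App answers whichever source it saw
    if mode == "vpath":
        reply = lb.reverse(reply)   # vPath steers server-return traffic to the SLB; SLB restores the VIP
    return fwd, True, reply

def reply_is_consistent(reply: Optional[Packet]) -> bool:
    """The Web server only has a session with the VIP; a reply from any other address is orphaned."""
    return reply is not None and reply.src == VIP and reply.dst == WEB_SERVER
```

`walk("snat")` stops at the firewall with the SNIP as source, `walk("preserve-no-redirect")` passes the firewall but returns a reply sourced from the App server that the Web server has no session for, and only `walk("vpath")` both passes the firewall and delivers a reply sourced from the VIP. That is the reason the slides pair source preservation with the redirect of server-return traffic rather than offering either alone.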

Page 35: Deployment Network Topologies - One-Arm

§  One-armed topologies have several benefits
   –  Simple: one physical interface and no risk of bridge loops
   –  Can make use of Link Aggregation to satisfy bandwidth requirements
   –  SLB does not have to be the default gateway for application VMs
   –  Very few failure modes, easing HA failure analysis

Logical topology: Web VMs and the NetScaler 1000V attached to vPath through a single vPath interface.

Page 36: vPath Service-Chaining and why it is important

Page 37: vPath Service Chaining Benefits - Intelligent policy-based traffic steering through multiple network services

•  Decouples network services from the underlying network topology with vPath overlays
•  Dynamic service chains enabled per VM port
•  Programmability
•  Transparent service insertion
•  Multi-tenancy
•  VXLAN

Diagram: a Client reaches Web VM Tenant #1 (Policy 1) and Web VM Tenant #2 (Policy 2) through Virtual Services A, B and C; Cisco Nexus 1000V with vPath embedded holds Policy 1 and Policy 2, defined per tenant.

Expanded vPath ecosystem: VSG, ASA 1000V, vWAAS, and NetScaler 1000V

Pages 38–46: Services Chaining with vPath - Intelligent Policy-based Traffic Steering Through Multiple Network Services

Diagram (built up over nine slides): a Web Tier and a DB Tier of VMs (OS/APP), each host running Cisco vPath. Packet walk:
1.  Client initiates a flow to the Web Server (VIP as server IP): Client › LB-VIP
2.  NS1000V load-balances the web request and selects Web Server 1 (Client › S1)
3.  Based on policy, vPath redirects the traffic to the service chain, starting with the zone-based firewall, VSG
4.  Traffic returns to the Virtual Ethernet Module, ready for the next network service
5.  WAF inspects packets for web attacks; it prevents the attack and generates alerts
6.  vPath forwards the packet to the Web Server VM
7.  Web to DB Tier connection
8.  Web to DB Tier connection: Database tier security policy
9.  Apply VSG policy and forward the packet to the database
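The chaining behaviour of pages 37-46, as an added Python example that is not Cisco code: a VM port is bound to a tenant policy naming an ordered chain, vPath hands the packet to each service in turn and takes it back between services, a drop by any service ends the chain, and the binding moves with the VM. The service behaviours (a zone table for the VSG, two pattern signatures for the WAF, a round-robin VIP for the NS1000V), the policy names and all packets are constructed stand-ins.

```python
"""Added example, not Cisco code: a toy model of vPath service chaining as drawn
on pages 37-46. Each VM port is bound to a tenant policy that names an ordered
list of services; vPath hands the packet to each service in turn, the packet
comes back to the VEM between services, and the chain follows the VM to another
host because it is keyed by the VM rather than the host. Every input is constructed."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

@dataclass
class Packet:
    src_zone: str
    dst: str                                        # VIP or real server name
    payload: str = ""
    trace: List[str] = field(default_factory=list)  # services visited, in order

Verdict = Tuple[bool, Optional[str]]                # (forward the packet?, alert text)
Service = Callable[[Packet], Verdict]

def vsg_zone_firewall(allowed: Dict[str, Set[str]]) -> Service:
    """Zone-based firewall: permit only (source zone -> destination) pairs in the table."""
    def service(pkt: Packet) -> Verdict:
        ok = pkt.dst in allowed.get(pkt.src_zone, set())
        return ok, None if ok else f"VSG dropped {pkt.src_zone} -> {pkt.dst}"
    return service

# Constructed WAF signatures: a script tag and a classic tautology in the request.
WAF_SIGNATURES = [re.compile(r"<script", re.I), re.compile(r"'\s*or\s+1\s*=\s*1", re.I)]

def waf(pkt: Packet) -> Verdict:
    """Web application firewall: block requests matching a signature and raise an alert."""
    for sig in WAF_SIGNATURES:
        if sig.search(pkt.payload):
            return False, f"WAF blocked request matching {sig.pattern!r}"
    return True, None

def load_balancer(vip: str, pool: List[str]) -> Service:
    """Round-robin VIP -> real server selection; rewrites pkt.dst in place."""
    state = {"next": 0}
    def service(pkt: Packet) -> Verdict:
        if pkt.dst == vip:
            pkt.dst = pool[state["next"] % len(pool)]
            state["next"] += 1
        return True, None
    return service

class VPath:
    """One vPath instance per VEM: VM port -> policy name -> ordered service chain."""
    def __init__(self, policies: Dict[str, List[Tuple[str, Service]]]):
        self.policies = policies
        self.port_policy: Dict[str, str] = {}
        self.alerts: List[str] = []

    def bind(self, vm: str, policy: str) -> None:
        self.port_policy[vm] = policy

    def process(self, vm: str, pkt: Packet) -> bool:
        """Run the VM's chain in order; stop at the first service that drops the packet."""
        for name, fn in self.policies[self.port_policy[vm]]:
            pkt.trace.append(name)                   # packet returns to the VEM after each service
            forward, alert = fn(pkt)
            if alert:
                self.alerts.append(f"{vm}: {alert}")
            if not forward:
                return False
        return True

def migrate(vm: str, src: VPath, dst: VPath) -> None:
    """vMotion: the port binding moves with the VM, so its chain follows it to the new host."""
    dst.bind(vm, src.port_policy.pop(vm))

# Constructed policies in the order drawn on pages 38-46: SLB, then VSG, then WAF.
POLICIES = {
    "policy-1": [("NS1000V", load_balancer("vip-web", ["web-1", "web-2"])),
                 ("VSG", vsg_zone_firewall({"client": {"web-1", "web-2"}, "web": {"db-1"}})),
                 ("WAF", waf)],
    "policy-2": [("VSG", vsg_zone_firewall({"client": {"web-t2"}}))],
}

def run_sample() -> Dict[str, object]:
    """Two hosts sharing the VSM-distributed policies; tenant 1 and tenant 2 VMs on host A."""
    host_a, host_b = VPath(POLICIES), VPath(POLICIES)
    host_a.bind("web-vm-1", "policy-1")
    host_a.bind("web-vm-2", "policy-2")
    out = {}
    p = Packet("client", "vip-web", "GET /index.html")
    out["legit"] = (host_a.process("web-vm-1", p), p.trace)
    p = Packet("client", "vip-web", "GET /?q=<script>alert(1)</script>")
    out["xss"] = (host_a.process("web-vm-1", p), p.trace)          # stopped by the WAF
    p = Packet("db", "vip-web", "GET /")
    out["cross_zone"] = (host_a.process("web-vm-1", p), p.trace)   # stopped by the VSG
    p = Packet("client", "web-t2", "GET /")
    out["tenant2"] = (host_a.process("web-vm-2", p), p.trace)      # shorter chain, same switch
    migrate("web-vm-1", host_a, host_b)
    p = Packet("client", "vip-web", "GET /index.html")
    out["after_move"] = (host_b.process("web-vm-1", p), p.trace)   # same chain on the new host
    out["alerts"] = host_a.alerts
    return out
```

The trace recorded on each packet is the order in which services saw it, which is what a defender checks when validating that a chain is wired as the policy says: a packet that should have reached the WAF but whose trace ends at the VSG was dropped earlier, and two tenants on the same switch get different traces because their VM ports are bound to different policies.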

Page 47: vPath 3.0

•  Service chaining with vPath and non-vPath network services
•  Virtual and physical network services
•  Any network service can now be distributed, not just firewalls
•  Submitted to IETF for standardization*
•  Supporting multiple hypervisors

Diagram: a VM on any hypervisor behind Nexus 1000V vPath, chained through a vPath virtualized network service, a non-vPath virtualized network service, a vPath physical network service and a non-vPath physical network service.

*http://tools.ietf.org/html/draft-quinn-nsh-00

Page 48: Service-Chaining Use-cases

Page 49: Enterprise: Multi-Tier Applications

§  Intelligent service chaining
§  Network topology agnostic
§  Flat network: VMs are on the same VLAN 100 segment, yet each has a different set of services enabled
§  Service chain stays attached to the VM on VM mobility

Diagram: three VMs on VLAN 100 behind vPath, each with a different chain: the Web VM gets WAN Optimization + Edge Firewall + NAT + Load Balancer + Web Application Firewall + Zone-based Firewall; a second VM gets Load Balancer + Zone-based Firewall; a third gets only the VSG Zone-based Firewall.

Page 50: 3-Tier Server Zone

Diagram: Tenant-A with a Web-Zone (two Web Servers), an App-Zone and a Database-Zone (DB Server), reached by a Client through ASA and VSG; IPs shown: 192.168.1.1, 192.168.1.2, 192.168.1.203.

NetScaler 1000V – Server Load Balancer
•  NS1000V: Web Server LB

ASA 1000V - Edge Security Profile
•  ASA: Permit only port 80 (HTTP) to Web Servers
•  ASA: Block all external access to Database Servers
•  ASA1000v: NAT VIP 10.10.25.100

VSG - Compute Security Profile
•  VSG: Only permit Web Servers access to Database Servers
•  VSG: Only permit Client access to Web Server and deny access to DB server

Pages 51–52: Cloud Provider's Data Center Multi-Tenancy

Diagram: Physical Infrastructure (WAN router, switches, servers) connected to the Internet, DC, Branch and MPLS; Virtual Infrastructure with a CSR1kV, NS1KV and VSG per tenant (Tenant A for Enterprise A, Tenant B for Enterprise B).

Cloud Provider Multi-Tenancy Use Cases
•  Secure VPN Gateway
•  MPLS Extension
•  Tenant SLB
•  East-West Firewall

Server Load-Balancer and East-West Firewall offered as a Service by the CSP.

Page 53: Prime Network Service Controller - Simple Yet Powerful Virtual Network Services Management

•  Custom created to manage virtualization-specific workflows
•  Centralized manager for all virtual services
•  Multi-tenant
•  XML API for third-party integration
•  Role-based access controls
•  Integrates with Cisco Nexus® 1000V, VMware vCenter, SCVMM
•  Dynamic provisioning

Page 54: Summary - Cisco Provides Consistent Layer 2-7 Networking for Physical, Virtual, and Cloud Deployments: Design Once, Run Everywhere

•  vPath 3 for standardized service chaining for virtual and physical network services
•  Orchestration tool of your choice: SCVMM, OpenStack, UCS Director and more
•  Hypervisor agnostic
•  Single network for physical, virtual, and cloud
•  Consistent operational model and troubleshooting, especially with ACI