
Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management


Evolution of Virtual Networking to Applications and Clouds

BRKSPG-2466

Balaji Sivasubramanian, Director, Product Management

@balajisiva

© 2015 Cisco and/or its affiliates. All rights reserved. BRKSPG-2466 Cisco Public

Agenda

• Introduction

• Market Trends

• Phase 1: Core Virtual Networking

• Phase 2: Application Virtual Networking

• Phase 3: Cloud Virtual Networking

• Conclusion


Virtual Networking 101 – Why Is It Needed?

1. 70% of workloads are virtualized today

2. vMotion moves VMs across physical ports—the network policy must follow vMotion in a timely fashion

3. Must view or apply network/security policy to locally switched traffic

4. May need to maintain segregation of duties while ensuring non-disruptive operations

[Figure labels: Port Policy; Server Admin; Network Admin; Security Admin]


Market Trends


Industry/Market Trends Affecting Virtual Networking

• Multi-Hypervisor, Container, Opensource
• Increasing Physical/Virtual Integration in Networking
• L4-7 Market in Transition with Virtual Services
• New Markets (SP) for Virtual Networking
• Increasing Adoption of Public and Private Clouds
• Hybrid Cloud gaining Momentum

Virtual Networking is Key Component of Data Center and Cloud

Virtualization is Increasing

• 80% of physical servers are still bare-metal
• At least 70% of workloads virtualized

[Chart: % of Virtualized Workload by year: 2005 9%, 2006 14%, 2007 22%, 2008 33%, 2009 42%, 2010 51%, 2011 58%, 2012 65%, 2013 67%, 2014 70%]

* Gartner x86 virtualization report 2014

Virtualization is Evolving

• Multi-hypervisor adoption is increasing: 42% of customers run multiple hypervisors
• Increased traction of containers: Docker, LXC, etc.

[Figure labels: vSphere; Hyper-V; KVM/XEN]

Containers Gaining Market Traction

Containers (e.g. Docker) are hitting a pivotal transition point in the virtualization of workloads. Key advantages of containers:

• Ability to run applications with a much smaller footprint (compared to a VM)
• Faster creation (< 1 sec) and lighter footprint for mobility
• Ease of development and test
• Lower cost (1 EC2 instance can hold a lot of containers)

Growth of containers will result in slower growth of VM-based virtualization.

Increased density of containers also calls for new products that support container networking and management for the private/hybrid/public cloud stack.

[Figure: Virtual Machine vs. Docker Container]

Major Impact on Virtual Networking from Open Source Projects

• OVS is gaining features and contributions from many vendors: caching (2.0) to improve performance, SPAN, RSPAN, NetFlow, sFlow, VXLAN, OpFlex, L3, Hyper-V support, etc.
• OpenStack networking continues to evolve with Neutron: ease of automation, L4-L7 services, VLAN/VXLAN, security groups, etc.

Network Consumption is Evolving

From box-by-box configuration to policy-based, automated, controller-based networking

• Minimal Automation
• SW Overlay with HW GW: virtual overlay over standalone hardware; needs HW gateways for bare-metal servers
• ACI: physical + virtual fully integrated solution

Managing virtual resources is an important element of this transition

Network Functions Virtualization in Enterprise/SP

• Traditional Data Center / Managed Service: network appliance (box) per function on vendor-provided hardware. Slow innovation and slow to deploy.
• Services with NFV: virtualized network functions easily orchestrated on any server. Fast scale up/scale down and also available in aaS offering.

[Figure axis label: CPU, GB, bps]

Service Provider NFV Use Cases by ETSI

ETSI formalized NFV use cases, each followed by its potentially virtualized functions:

• Network Functions Virtualization Infrastructure as a Service: vNAT, vFW, vLB, vRR, vVPN, vRouter
• Virtual Network Function as a Service (VNFaaS): vCPE, vPE
• Virtual Network Platform as a Service (VNPaaS): vPrivateCloud
• VNF Forwarding Graphs: VPE-F,
• Virtualization of Mobile Core Networks and IMS: vEPC (vS/P-GW, vMME, vPCRF, vSGSN, vGGSN, vGiLan); vIMS (vP/S/I-CSCF, vMGCF, vAS)
• Virtualization of Mobile Base Station: vMAC, vRLC, vPDCP, vRRC, vCOMP, vBBU
• Virtualization of the Home Environment: vBNG, vRGW, vSTB
• Virtualization of CDNs: vCDN,
• Fixed Access Network Functions Virtualization: vOLT, vDSLAM, vONU, vONT, vMDU, vDPU

Source: http://www.etsi.org/deliver/etsi_gs/NFV/001_099/001/01.01.01_60/gs_NFV001v010101p.pdf

IT Evolving To Support Cloud Centric Models

• Increasing XaaS, Private Cloud and Public Cloud adoption
• IT enabling self-service, automated infrastructure

[Figure labels: Cisco InterCloud; Hybrid; Vblock; FlexPod; DC/Private Cloud; Public Clouds; Cloud Management; XaaS]

Open Choice in Virtual Networking in Hypervisors

• Virtual networking in hypervisors is becoming a key component of all data center and cloud deployments
• Open choice in virtual networking in hypervisors is key to having choice in solutions

Requirements on hypervisors:

• Native vSwitch that supports industry-standard protocols like OpenFlow, OpFlex, OMI, etc.

AND/OR

• Support for 3rd-party vSwitches to allow for other integrated solutions

Choice in Virtual Networking - Key for Open Choice in Solutions

Hypervisor: native vSwitches; 3rd-party vSwitches

• vSphere: Standard vSwitch, DVS; 3rd party: Cisco Nexus 1000V and Cisco Application Virtual Switch, IBM 5000v, HP
• Hyper-V: Native vSwitch; 3rd party: Cisco Nexus 1000V, NEC
• KVM: Linux Bridge / OVS; 3rd party: Cisco Nexus 1000V, OVS
• Xen: OVS; 3rd party: OVS

Choice in 3rd Party Switches

• Open source: OVS project with multiple contributions from different vendors and individuals
• Enterprise Grade Vendor Switch – Brings integrated solutions from other vendors to provide choice


Phase 1 – Core Virtual Networking

Genesis of Cisco Virtual Switching

[Figure labels: Virtual; Physical; Cloud; Consistent Nexus Experience; Intra-tenant Security; Inter-tenant Security; Application Acceleration; Routing and Gateways; Web-app Firewall; Load Balancer]

Cisco Nexus 1000V – Only Multi-Hypervisor Solution
Seamless Interaction Across Physical and Virtual Workloads & Services

• Only Multi-Hypervisor solution
• Distributed Zone Firewall
• Enterprise grade networking features
• Large scale – 250 servers/12000 VMs per controller
• L4-L7 Services service chaining
• VXLAN based network virtualization

10000 + Customers

[Figure labels: Nexus 1000V; vPath; VXLAN; 802.1Q; L3; Physical Fabric; Physical Workloads; Physical Service Nodes; ASA 55xx; Zone FW; FW; WAN Op]

Nexus 1000V Architecture for Reference

• VSM: Virtual Supervisor Module
• VEM: Virtual Ethernet Module

[Figure labels: VSM; VEM-1, VEM-2 ... VEM-N; Server 1, Server 2, Server 3; Any Hypervisor (ESX, Hyper-V, KVM); Network Admin; Cloud/Server Admin; SCVMM, OpenStack, VC]

Cisco Nexus 1000V Features
Consistent NX-OS Features across physical & virtual

Features and description:

• Switching: IPv4/IPv6, L2 Switching, L3 planned, 802.1Q Tagging, VLAN, VXLAN, Rate Limiting (TX), IGMP Snooping, QoS Marking (COS & DSCP), Class-based WFQ
• Security: Policy Mobility, Private VLANs w/ local PVLAN Enforcement, Access Control Lists, Distributed Port Security, Cisco TrustSec 2.0, Dynamic ARP inspection, IP Source Guard, DHCP Snooping, BPDU Guard, Storm Control
• Network Services: Virtual Services Datapath (vPath) support for traffic steering & fast-path off-load [leveraged by Virtual Security Gateway (VSG), vWAAS, ASA1000V]
• Provisioning: Port Profiles, Integration with virtualization & cloud mgmt. tools, Optimized NIC Teaming with Virtual Port Channel – Host Mode
• Management: Integrated Provisioning with VM Mgmt station, Cisco LMS, DCNM, Cisco CLI, Radius, TACACS, Syslog, SNMP (v.1, 2, 3), Hitless upgrade, Virtual Switch Update Manager
• Visibility: VM Migration Tracking, Distributed NetFlow v.9 w/ NDE, CDP v.2, VM-Level Interface Statistics, SPAN & ERSPAN (policy-based)

Nexus 1000V Scalable to Support Large Deployments

Feature and details:

• Number of servers/hosts per switch: 250 hosts/servers
• Number of ports per switch: 10,000 ports per switch
• Number of vEth ports per server/host: 1000 ports per host/server
• Active VLANs per switch: 4094 VLANs
• Active VXLANs per switch: 6000 VXLANs
• Number of port profiles per switch: 6000 port profiles
• Domain IDs: 1 to 1023
• VXLAN G/W pairs: 8 pairs per switch
• VXLAN G/W pair per server/host: associated to one G/W pair
• Number of VXLAN mappings per G/W: 512 mappings

Scaling VXLAN – Extending VXLAN across Nexus 1000V

• Segments can extend across multiple VSMs
• VSMs distribute the information among them using BGP
• VSM and VEMs will continue to exchange information using AIPC, as in single-VSM mode

[Figure: Nexus 1000V Cluster 1 (VSM; VEM 1, VEM 2, VEM 3 with VTEPs vt1, vt2, vt3) holds the membership list "Segment Green: VTEPs vt1, vt3". Nexus 1000V Cluster 2 (VSM; VEM 1, VEM 2 with VTEPs vt4, vt5) holds the membership list "Segment Green: VTEPs vt4, vt5". Membership list with BGP: "Segment Green: VTEPs vt1, vt3, vt4, vt5".]

Cisco TrustSec – Simple & Effective Security
SGT Tagging and Enforcement

• N1KV: assigns SGT based on static port-profile assignments
• N1KV: uses SG ACL to enforce tags set by N1KV or ToR
• TOR filters traffic based on SG-ACLs

[Figure labels: Finance Application VMs on two servers, each with a hypervisor and a Nexus 1000V VEM; Nexus 1000V VSM; ISE; PAC]

Virtual Security Gateway
Stateful Distributed Virtual Firewall

Virtual Security Gateway (VSG):

• Context aware Security: VM context aware rules
• Zone based Controls: establish zones of trust
• Dynamic, Agile: policies follow vMotion
• Best-in-class Architecture: efficient, fast, scale-out SW (with vPath intelligence)
• Non-Disruptive Operations: security team manages security
• Policy Based Administration: central mgmt, scalable deployment, multi-tenancy
• Designed for Automation: XML API, security profiles

VSG has been available in the market for over 4 years. Now these features are gaining popularity as micro-segmentation and distributed firewall.

Virtual Security Gateway
Intelligent Traffic Steering with vPath

[Figure: VMs on the Nexus 1000V Distributed Virtual Switch with vPath; VSG; PNSC; Log/Audit. Labelled steps (numbered 1 to 4 on the slide): Initial Packet Flow; Flow Access Control (policy evaluation); Decision Caching]

Virtual Security Gateway
Distributed Firewall - Performance Acceleration

[Figure: VMs on the Nexus 1000V Distributed Virtual Switch with vPath; VSG; PNSC; Log/Audit. Label: Remaining packets from flow, ACL offloaded to Nexus 1000V (policy enforcement)]

VSG Policy: Rule Construct

• Rule (ACE: Access Control Entry): Source Condition, Destination Condition, Action
• Condition: Attribute Type, Operator
• Attribute Type: Network, VM, User Defined, vZone
• Operator: eq, neq, gt, lt, range, Not-in-range, Prefix
• Operator: member, Not-member, Contains
• VM Attributes: Instance Name, Guest OS full name, Guest OS Host name, Parent App Name, Cluster Name, Hypervisor Name, Resource-pool, Port Profile Name, Zone Name
• Network Attributes: IP Address, Network Port
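A small model of the rule construct above combined with the first-packet policy evaluation and decision caching shown on the two vPath slides, as an added example (not Cisco code and not part of the original deck). The operator semantics, first-match rule order, default drop, attribute names, sample VMs and the cache flush on policy change are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass

# Operator names come from the slide; the semantics below are assumptions.
OPERATORS = {
    "eq": lambda v, a: v == a,
    "neq": lambda v, a: v != a,
    "gt": lambda v, a: v > a,
    "lt": lambda v, a: v < a,
    "range": lambda v, a: a[0] <= v <= a[1],
    "not-in-range": lambda v, a: not (a[0] <= v <= a[1]),
    "prefix": lambda v, a: ipaddress.ip_address(v) in ipaddress.ip_network(a),
    "member": lambda v, a: v in a,
    "not-member": lambda v, a: v not in a,
    "contains": lambda v, a: a in v,
}

@dataclass
class Condition:
    attribute: str   # e.g. "zone", "vm_name", "ip", "port" (hypothetical names)
    operator: str
    argument: object

    def matches(self, endpoint):
        # An endpoint lacking the attribute never satisfies the condition.
        return (self.attribute in endpoint
                and OPERATORS[self.operator](endpoint[self.attribute], self.argument))

@dataclass
class Rule:
    name: str
    source: list        # conditions on the sending endpoint
    destination: list   # conditions on the receiving endpoint
    action: str         # "permit" or "drop"

    def matches(self, src, dst):
        return (all(c.matches(src) for c in self.source)
                and all(c.matches(dst) for c in self.destination))

class PolicyEngine:  # slow path: stands in for policy evaluation at the firewall
    def __init__(self, rules, default="drop"):
        self.rules, self.default, self.evaluations = rules, default, 0

    def evaluate(self, src, dst):
        self.evaluations += 1
        # First matching rule wins; if nothing matches, the default (drop) applies.
        return next((r.action for r in self.rules if r.matches(src, dst)), self.default)

class FastPath:  # fast path: stands in for the switch enforcing cached decisions
    def __init__(self, engine, inventory):
        self.engine, self.inventory, self.cache = engine, inventory, {}

    def _endpoint(self, ip, port):
        return {**self.inventory.get(ip, {}), "ip": ip, "port": port}

    def handle(self, pkt):
        key = (pkt["src_ip"], pkt["src_port"], pkt["dst_ip"], pkt["dst_port"], pkt["proto"])
        if key in self.cache:            # remaining packets of a known flow
            return self.cache[key], "cached"
        decision = self.engine.evaluate(self._endpoint(pkt["src_ip"], pkt["src_port"]),
                                        self._endpoint(pkt["dst_ip"], pkt["dst_port"]))
        self.cache[key] = decision       # initial packet: evaluate once, then cache
        return decision, "evaluated"

    def policy_changed(self, rules):
        # Cached decisions reflect the old policy, so flush them with the update.
        self.engine.rules = rules
        self.cache.clear()

# Constructed sample inventory and policy (not from the deck).
INVENTORY = {
    "10.0.1.10": {"vm_name": "web-01", "zone": "web"},
    "10.0.2.20": {"vm_name": "app-01", "zone": "app"},
    "10.0.3.30": {"vm_name": "db-01", "zone": "db"},
}
RULES = [
    Rule("web-to-app", [Condition("zone", "eq", "web")],
         [Condition("zone", "eq", "app"), Condition("port", "eq", 8080)], "permit"),
    Rule("app-to-db", [Condition("zone", "member", ("app",))],
         [Condition("ip", "prefix", "10.0.3.0/24"),
          Condition("port", "range", (3306, 3307))], "permit"),
]

def packet(src_ip, dst_ip, dst_port, src_port=40000, proto="tcp"):
    return dict(src_ip=src_ip, src_port=src_port, dst_ip=dst_ip, dst_port=dst_port, proto=proto)

def demo():
    fp = FastPath(PolicyEngine(list(RULES)), INVENTORY)
    web_app = packet("10.0.1.10", "10.0.2.20", 8080)
    results = [fp.handle(web_app), fp.handle(web_app),
               fp.handle(packet("10.0.2.20", "10.0.3.30", 3306)),
               fp.handle(packet("10.0.1.10", "10.0.3.30", 3306))]
    fp.policy_changed(RULES[1:])         # withdraw the web-to-app rule
    results.append(fp.handle(web_app))   # re-evaluated, not served from the cache
    return results, fp.engine.evaluations

if __name__ == "__main__":
    print(demo())
```

The last call in demo() is the case to watch: without the flush in policy_changed, the withdrawn web-to-app rule would keep permitting the cached flow.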

Use Cases for Nexus 1000V

• Virtual Data Center: Managing Policies for VMs
• Secure Container - Cloud: Secure Multi-Tenancy
• Virtual Services Hosting: Ease of Deployment
• Multi-DC: DC to DC Live Migration
• VDI: Secure VDI
• OpenStack: Self-Service Cloud

Easy Life Cycle Management of Nexus 1000V/AVS
Cisco Virtual Switch Update Manager

• Install & Migrate: easily install the Nexus 1000V & Cisco AVS using vCenter; smoothly migrate vSwitch/VDS to N1KV
• Upgrade & Monitor: upgrade the Nexus 1000V and AVS (multiple hosts allowed); easily monitor your virtual network
• Configure*: configure and manage Nexus 1000V features and port-profiles

* future

Uncontrolled Virtual Application Sprawl

• Reduced Efficiency in DC: reduced efficiency due to uncontrolled VM sprawl
• Long delay to onboard a new developer / customer
• Developers leveraging Public Cloud due to delays

From VM Sprawl to Secured Containers

[Figure labels: Uncontrolled Virtual Application Sprawl; Enterprise Apps; Transactional Apps; Collaborative Apps; SME]

Challenge: Weeks to Identify Resources, Configure Network and Security Devices per Container

Complex and Manual

1. Long onboarding time
2. Operational challenges across teams and domains

[Figure: repeated "Procure / License, Install, Provision, Ready?" cycles for Enterprise Apps, Transactional Apps and Collaborative Apps]

Evolving Ease of Use - Rapidly Deploy Containers using VACS

Key Values:

1. Simple to design and deploy containers
2. Consistent Automated Deployments w/ Operational Simplicity
3. Best in Class Virtual Services w/ Unified Licensing

[Figure labels: VACS for Enterprise Apps; VACS for Transactional Apps; VACS for Collaborative Apps]

VACS Built on Proven Technology

• Virtual Fabric – Nexus 1000V, Platform for Distributed FW
• Zone Based FW – Virtual Security Gateway
• Edge FW – CSR 1000V
• Routing – CSR 1000V
• Automated Provisioning and Orchestration – UCS Director

Enforced by Best in Class Services. Built on flagship Cisco NXOS & IOS SW. Unified Licensing, per-server based.

[Figure label: Enterprise Apps]


“Out of the Box” Compliant VACS Containers

“Out of the Box” VACS Containers:

1. 3-Tier App Container

2. 3-Tier App Container w/ Ext Access

3. Custom Container

Note: The customer does not provision N1KV, VSG or CSR. The VACS backend takes care of the details.

Evolving Cisco Solution for OpenStack

Solution Highlights

• Enterprise-grade virtual network virtualization solution (using VXLAN)
• Enhanced security, visibility and troubleshooting for networking
• Consistent networking between physical and virtual workloads
• Integrated in OpenStack Juno release - Ubuntu 14.0.4 and RHEL 7.0/RHOS 6.0
• Automated Installation via Juju/Charm on Canonical and StayPuft on RHAT

[Figure labels: Neutron; Tenant 1, Tenant 2 ... Tenant n; KVM; Virtual Networks (VXLANs); VXLAN Gateway; Physical Networks (VLANs); Bare-metal servers; Physical Firewalls]

Tight Integration with Horizon - Simplified Operational Model

1. Create policy-profiles
2. Policy-profiles are synced to Controller. Controller in turn uses Neutron API to create networks & subnets on VSM.
3. Create tenants, networks, subnets & VMs

[Figure labels (steps are numbered 1 to 4 on the slide): Network Mgmt; Cloud Mgmt; Horizon; OpenStack Controller (Nova Service, Neutron Service, Other Services); Nexus 1000V VSM; Nexus 1000V VEM; Server; VMs]


Simple one-click install via Juju/Charm of Nexus 1000V solution

Nexus 1000V Openstack Solution on Ubuntu

Phase 2: Application Virtual Networking

New Application Demands on Infrastructure
Cloud and Big Data Are Driving a Paradigm Shift

• Dynamic Instantiation and Removal
• Increasingly Virtualized/Containerized
• Infrastructure Independent
• Scale-Out/Multi-Node
• Multi-Cloud Models
• Application-Awareness for Agile Deployment and Placement
• Physical/Virtual/Cloud Integration and Visibility
• Dynamic Shared Resource Pool
• Increasing Performance 1/10/40/100G and Scale
• Secure and Multi-Tenant Aware

[Figure labels: Distributed; Virtualized; Bare-metal; Cloud]

Application Language Barriers

• Developers: Application Tiers, Provider / Consumer Relationships
• Infrastructure Teams: VLANs, Subnets, Protocols, Ports

Developer and infrastructure teams must translate between disparate languages.

What is an Application to the Network?

It is more than just a VM or server. It is the collection of all the application's end points, plus the application's L2 – L7 network policies, plus the relationship between these end points and their policies.

[Figure labels: External Network; Web Tier End Points; App Tier End Points; DB Tier End Points; QoS, Service and Filter repeated three times]

Remember UCS & Stateless Computing?

Service Profile

Network
– Uplinks
– LAN settings
  • VLAN
  • QoS
  • etc…
– Firmware
  • Revisions

Storage
– Optional Disk usage
– SAN settings
  • LUNs
  • Persistent Binding
– SAN settings
  • vSAN
– Firmware
  • Revisions

Server
– Identity (UUID)
– Adapters
  • Number
  • Type: FC, Ethernet
  • Identity
  • Characteristics
– Firmware
  • Revisions
  • Configuration settings

Stateless Networking

Application Network Profile

Contracts define “what” an EPG exposes to other app tiers and “how”: TCP ports, protocols, redirects, etc.

There is a stateless filtering implicitly provided by the ACI fabric between EPGs that may be able to eliminate the need for some firewalls within the datacenter.

[Figure labels: EPG Web, EPG App, EPG DB, each marked C]

Cisco Nexus 1000V and Application Virtual Switch

Nexus 1000V

• Only virtual networking and services solution across multiple hypervisors
• Single point of management for virtual networking via VSM with integration to cloud management platforms (Cisco UCS Director, OpenStack, SCVMM, vCD, etc.)
• L4-L7 integrated via vPath: Firewall, Load Balancer, L3 services, WAN optimization, Network Monitoring
• Distributed zone firewall (Virtual Security Gateway)
• Licensing: licensed per CPU socket for advanced edition

Application Virtual Switch

• Purpose-built ACI virtual leaf with OpFlex integration
• Single point of management with APIC Controller
• APIC specifies network policy for virtual and physical networks and does L4-L7 integration
• AVS does local switching
• License is part of the APIC

AVS for Application Centric Infrastructure
Intelligent Application Policy Enforcement – Consistent Across Physical and Virtual Workloads

Consistent policy enforcement for virtual and physical workloads

[Figure labels: APIC; Web VM; App VM; DB Tier]

AVS Architecture and Components

• AVS has two major components
  • AVS-DVS (Distributed Virtual Switch) on vCenter
  • AVS .VIB bits on ESXi host
• OpFlex Agent runs on AVS ESXi host
• Increased control plane scale through APIC cluster and Leaf Node

[Figure labels: VMware vCenter; Hypervisor Manager; AVS DVS; Spine, Spine; Leaf, Leaf, Leaf; two ESXi hosts, each with VMs and an OpFlex Agent]

Application Virtual Switch with OpFlex in ACI Fabric

• AVS: first virtual leaf to implement OpFlex. OVS is next
• Network policy communicated from APIC to AVS through N9k using OpFlex
• Increased control plane scale through APIC Cluster and Leaf Node
• APIC communicates with vCenter Server for Port Group creation

[Figure labels: vCenter; Hypervisor Manager; two hosts with VMs, each running AVS; OpFlex links]

Page 50: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

AVS Makes Existing Switching Network ACI Enabled

Supports a Full Layer 2 Network (Nexus 7k/6k/5k/3k/2k/FI) between Nexus 9k and AVS: Investment Protection

VDS (VMware Distributed Switch) can only support a single L2 switch between N9k and VDS

Due to lack of OpFlex support

N2K with N5K/N6K/N7K/N9K considered one L2 switch

Layer 2 network is required to support OpFlex bootstrapping in this phase

[Diagram labels: L2 Network, OpFlex links, three groups of VMs]

Page 51: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Cisco ACI Hypervisor Integration – Cisco AVS

1. Cisco APIC and VMware vCenter Initial Handshake

2. Create AVS-DVS

3. Attach Hypervisor to AVS

4. Learn location of ESX Host through OpFlex

5. Create Application Policy

6. Automatically Map EPG To Port Groups

7. Create Port Groups

8. VI/Server Admin: Instantiate VMs, Assign to Port Groups

9. Push Policy

[Diagram labels: APIC Admin; APIC; Application Network Profile with EPG WEB, EPG APP, EPG DB, F/W and L/B; ACI Fabric; vCenter Server; two hypervisors running Cisco AVS, each with an OpFlex Agent; WEB, APP and DB port groups with Web, App and DB VMs]

Page 52: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Virtual Leaf Switching Modes

• No Local Switching (NS) Mode: All traffic sent to physical Leaf for switching

• Local Switching (LS) Mode: Intra-EPG traffic switched on the same host

• Full Switching (FS) Mode: Inter-EPG traffic locally switched on same server

[Diagram: three hypervisor panels, each with VMs in EPG App and EPG Web. No Local Switching: Punt to Leaf for all traffic. Local Switching: Punt to Leaf for Inter-EPG traffic. Full Switching Mode: Full Policy Enforcement; Future]
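The three modes above decide which VM-to-VM flows ever reach the physical leaf, which matters for where that traffic can be observed or policed. The sketch below is an added example, not code from the presentation or from Cisco: the VM inventory and flows are constructed, the function names are hypothetical, and it assumes that traffic between different hosts always leaves the host and that Full Switching also covers intra-EPG traffic.

```python
from enum import Enum


class Mode(Enum):
    NS = "no-local-switching"
    LS = "local-switching"
    FS = "full-switching"


# Constructed inventory (not from the slides): VM name -> (host, EPG).
VMS = {
    "web1": ("esx1", "Web"),
    "web2": ("esx1", "Web"),
    "app1": ("esx1", "App"),
    "app2": ("esx2", "App"),
}

# Constructed flows: (source VM, destination VM).
FLOWS = [("web1", "web2"), ("web1", "app1"), ("web1", "app2")]


def switched_at(mode, src, dst, vms=VMS):
    """Return 'avs' if the flow is switched on the host, else 'leaf'."""
    (src_host, src_epg), (dst_host, dst_epg) = vms[src], vms[dst]
    if src_host != dst_host:
        return "leaf"  # assumption: cross-host traffic always leaves the host
    if mode is Mode.NS:
        return "leaf"  # NS: all traffic sent to the physical leaf
    if mode is Mode.LS:
        # LS: intra-EPG stays on the host, inter-EPG is punted to the leaf
        return "avs" if src_epg == dst_epg else "leaf"
    return "avs"  # FS: inter-EPG (and, assumed, intra-EPG) switched locally


def invisible_to_leaf(mode, flows, vms=VMS):
    """Flows that never cross the physical leaf in the given mode."""
    return [f for f in flows if switched_at(mode, *f, vms=vms) == "avs"]


if __name__ == "__main__":
    for mode in Mode:
        print(mode.name, invisible_to_leaf(mode, FLOWS))
```

Flows returned by `invisible_to_leaf` are the ones for which any inspection or enforcement has to happen on the virtual switch itself.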

Page 53: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Benefits of Application Virtual Switch – Extending Policy to the Virtual Edge

Policy Enforcement and Forwarding for intra and Inter-EPG Traffic

End to End Visibility and Application Performance Management

[Diagram labels: APIC Policy Controller, ACI Leaf (Nexus 9000), AVS instances]

Page 54: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Phase 3: Cloud Virtual Networking

Page 55: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Cisco’s Hybrid Cloud Approach

Cisco Intercloud Fabric

Open

No Vendor Lock-In

Any Hypervisor to Any Provider

Heterogeneous Infrastructure

End-to-End Security

Unified Workload Management and Governance

Workload Mobility Across Clouds

Choice

[Diagram labels: Enterprise, Expanding Cloud Provider Ecosystem]

Page 56: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Cisco Intercloud Fabric: Solution Overview

[Diagram labels: DC/Private Cloud; End User and IT Admin Portals; Intercloud Fabric for Business; vSphere, Hyper-V*, KVM*, Xen*; Secure Fabric Extender Network, Compute, and Storage; Provider Clouds; EC2 APIs; Azure APIs; Intercloud Fabric for Providers; Intercloud Ecosystem; Cisco Powered Services and Cloud Providers]

* Available in subsequent releases

Page 57: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Cisco Intercloud Fabric Solution Details

[Diagram labels: DC/Private Cloud; Provider Cloud; Intercloud Fabric Secure Extender (Secure Network Extension); Intercloud Fabric for Business; Intercloud Fabric for Providers; Intercloud Fabric Director; Intercloud Extender; Intercloud Switch; Intercloud Fabric Services; VM Manager; End User and IT Admin Portal; Workload and Fabric Management; IT Admins; End Users; VMs]

Page 58: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Hybrid Cloud Requirements for Virtual Networking

Extend VLAN/VXLAN with TLS Tunnel

Inter-VM firewalling and routing

Enterprise IP Address or Provider IP Address

[Diagram labels: Intercloud Fabric for Business; Intercloud Secure Extender; Provider Cloud; Intercloud Fabric Director; Intercloud Extender; Intercloud Switch; Intercloud Fabric Services; VMs]

Page 59: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Intercloud Fabric Architecture Vision

Cisco Intercloud Fabric Architecture is Modularized to Achieve the Elasticity Needed to Support Evolving Cloud Environments

• ICF Extended Services + External Partners (storage, load balancing, etc.)

• ICF Core Services: Security; Management and Visibility; Automation; Networking; VM Portability

• ICF Core Infrastructure: ICFD; PNSC; ICFPP; Secure Communications

• Private Cloud: Enterprise

• Public Cloud: Provider

Page 60: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Virtual Networking part of ICF Core Services

ICF Core Services

Fundamental Service Functions and Capabilities Integrated Natively to ICF and its Operation

• Networking: Switching, routing and other advanced network-based capabilities

• Security: VM to VM and App-to-App security controls

• VM Portability: VM format conversion and mobility

• Management and Visibility: Private and hybrid cloud monitoring capabilities

• Automation and APIs: VM lifecycle capabilities, automated operations and Programmatic APIs

Page 61: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Core Services: Network Extension

[Diagram labels: Intercloud Fabric for Business; Intercloud Secure Extender; Intercloud Fabric Director; DC/Private Cloud; Provider Cloud; Enterprise Virtual Switch; Provider Network Switch; Intercloud Extender; Intercloud Switch; Application VMs with IC Driver; Enterprise VM access port; Tunnel Port; Trunk Port; Enterprise Ports; packet layout "Outer MAC/IP/UDP Tunnel L2X Data"; step markers 1, 2, 3]

Page 62: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Core Services: Firewalling/Zoning

Intercloud Fabric VSG: Protects VMs in Provider Cloud

Enterprise VSG: Protects VMs in Private Cloud

Single Security Policy for Private and Provider Clouds

[Diagram labels: DC/Private Cloud; Provider Cloud; Intercloud Fabric Secure Extender (Secure Network Extension); Intercloud Fabric for Business; Intercloud Fabric Director; Intercloud Extender; Intercloud Switch; IT Admins; Test VMs; Web VM]

Page 63: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Core Services: Routing Across Hybrid Cloud

Enterprise VPN Access to Public cloud VMs

Direct access to public cloud VMs through NAT

Inter-VLAN communication through ICF Routing

[Diagram labels: DC/Private Cloud; Provider Cloud; Intercloud Fabric for Business; Intercloud Fabric Director; Intercloud Fabric Secure Extender; Intercloud Extender; Intercloud Switch; Intercloud Fabric CSR; Default Gateway for VLAN A & B; VLAN A; VLAN B; VLAN App; VLAN Web; VMs; Provider Gateway; Remote/Branch Office ISR; VPN; Mobile Workers; address labels 192.168.x.x, 10.x.x.x, 54.x.x.x]

Page 64: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Core Services: Establishing Trust

1. IT Admin configures an icfCloud

2. Generate SSH key pair

3. SSH public key passed as part of creating VM along with SSH username

4. SSH public key downloaded as part of VM startup and made as authorized key for SSH user

[Diagram labels: DC/Private Cloud; Provider Cloud; Intercloud Fabric Secure Extender (Secure Network Extension); Intercloud Fabric for Business; Intercloud Fabric Director; Intercloud Extender; Intercloud Switch; IT Admins; Web VM; HTTP/HTTPS]

Page 65: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Core Services: Establishing Secure Communications

1. Select encryption algorithm and hash for an icfCloud

2. S2S Tunnel Profile: Control Channel PSK

3. S2S and Access Tunnel Profile: Control Channel PSK, Data Tunnel Encryption Key, Data Tunnel Hash Key

4. Control Channel PSK

Encryption algorithm – AES-128-GCM, AES-128-CBC, AES-256-GCM (Suite B), AES-256-CBC

Hashing algorithm – SHA-1, SHA-256, SHA-384

[Diagram labels: DC/Private Cloud; Provider Cloud; Intercloud Fabric Secure Extender (Secure Network Extension); Intercloud Fabric for Business; Intercloud Fabric Director; Intercloud Extender; Intercloud Switch; IT Admins; Web VM; HTTPS/XML API; SCP]

Page 66: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Cisco Intercloud Fabric Value Proposition: Secure Workload Mobility via Cisco Virtual Networking

Consistency: Security/Networking as an extension of Private Cloud

Control: Unified workload management across clouds

Choice: Freedom to place workloads across heterogeneous Clouds

Compliance: Policy-based deployment/governance in cloud

[Diagram labels: DC/Private Cloud; Cisco Intercloud Fabric; Provider Cloud; Fixed Workloads; Variable Workloads]

Page 67: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Summary

• Virtual networking is becoming a critical component of every Enterprise and SP deployment

• Virtual networking has evolved from simple networking to application- and cloud-aware networking

• Movement of workloads from the VM to the container form factor will make true workload agility to the cloud easier, leading to increased cloud adoption in the market

• Containers will require additional scale and innovation in virtual networking and will be the next phase of our data center and cloud networking

Page 68: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Complete Your Online Session Evaluation

• Please complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt.

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Page 69: Evolution of Virtual Networking to Applications and Clouds · Evolution of Virtual Networking to Applications and Clouds BRKSPG-2466 Balaji Sivasubramanian, Director, Product Management

Call to Action

• Visit the World of Solutions for

– Cisco Campus

– Walk in Labs

– Technical Solution Clinics

• Meet the Engineer

• Lunch time Table Topics

• DevNet zone related labs and sessions

• Recommended Reading: for reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2015
