HOL-PRT-1305

Table of Contents

Lab Overview
    HOL-PRT-1305 - Abstract
    Overview of Cisco Nexus 1000V series Enhanced-VXLAN
    vCloud Director Networking and Cisco Nexus 1000V
    Solution Architecture
Verify Cisco Nexus 1000V and vCloud Director Integration
    Verify Cisco Nexus 1000V in vCloud Director
Create organization networks leveraging Enhanced VXLAN in Cisco Nexus 1000V
    Create Organization vDC internal network leveraging Enhanced VXLAN
    Verify Enhanced VXLAN capability on Nexus 1000V
    Deploy Web vApp for SilverGroup
Port-Mirroring using ERSPAN on Cisco Nexus 1000V
    Configure and verify ERSPAN on the Cisco Nexus 1000V
Configure QOS for Enhanced VXLAN network on Cisco Nexus 1000V
    Configure and verify QOS for Enhanced VXLAN network traffic
Congratulations !!
    Conclusion


Lab Overview


HOL-PRT-1305 - Abstract

Traditionally VXLAN required Multicast support in your network, which made it a bit complex to deploy. With Enhanced VXLAN now supported with the Cisco Nexus 1000V, you can achieve segmentation at scale for your cloud with a simplified deployment process. Enhanced VXLAN does not require Multicast, is purely Unicast based and is a highly scalable solution. Network isolation techniques such as IEEE 802.1Q VLAN provide 4096 LAN segments through a 12-bit VLAN identifier and may not provide enough segments for large cloud deployments. VXLAN uses a 24-bit LAN segment identifier to provide segmentation at cloud scale.

Goal

In this lab the participant will take on the role of the IT administrator who is providing infrastructure services to different business units by leveraging the Cisco Nexus 1000V distributed switch using Enhanced VXLAN based network isolation. The IT administrator will configure network SPAN on the Nexus 1000V for visibility into network traffic and apply QOS policies for Enhanced VXLAN traffic.

This content is intended to provide the participant an interactive and hands-on experience with configuring VXLAN on the Cisco Nexus 1000V and configuring and using VXLAN backed network pools in vCloud Director. Finally, the participant will experience the network level visibility and control provided when the Cisco Nexus 1000V is used to select network classes in vCloud Director.

Target Audience

This lab is appropriate for cloud IT administrators who want to learn more about Cisco Nexus 1000V and Enhanced-VXLAN.

Lab Scenario

The IT department at the Umbrella IT Corporation is providing cloud services for internal departments in their organization. The Silver Group has requested that the IT department host their web application. The IT administrator will create an organization representing the Silver Group in vCloud Director and will use Enhanced VXLAN to provide network isolation. The web application is deployed as a vApp in this organization. Since the Silver Group Web vApp is leveraging Nexus 1000V, the IT admin can enable port-mirroring and QOS to troubleshoot any network issues or provide application QOS on Enhanced VXLAN traffic in the vApp.


Overview of Cisco Nexus 1000V series Enhanced-VXLAN

VXLAN is a Layer-2 network isolation technology that uses a 24-bit segment identifier to scale beyond the 4K limitation of VLANs. VXLAN creates LAN segments by using an overlay approach with MAC-in-IP encapsulation. The Virtual Ethernet Module (VEM) encapsulates the original Layer-2 frame leaving the Virtual Machine.

While VXLANs have enabled a whole new level of scalability for virtual networks, one of the challenges in deploying VXLAN is its use of IP Multicast to implement the L2 over L3 network capability. VXLAN is a MAC-in-IP encapsulation protocol in a UDP frame. The Nexus 1000V virtual switch that acts as the VXLAN termination takes the L2 packet from the VM, wraps it in an L3 IP header, and sends it out over UDP. But the challenge is that there's no way to determine which IP address should be used for the destination host (VXLAN termination point) at which the desired MAC address can be found. VXLAN traditionally resorts to IP Multicast (e.g., flooding and dynamic MAC-learning) to determine which IP address the packet should be sent to given only the destination MAC address. This leads to a lot of extra set-up, excessive network traffic, and some dependence on the physical network to be an IP Multicast enabled core.

Now Cisco has introduced Enhanced-VXLAN technology.

VXLAN Encapsulated Frame Format

Each VEM is assigned an IP address, which is used as the source IP address when encapsulating MAC frames to be sent on the network. This is accomplished by creating vmknics on each VEM. You can have multiple vmknics per VEM that are used as sources for this encapsulated traffic. The encapsulation carries a VXLAN identifier, which is used to scope the MAC address of the payload frame.

VEM VMKNIC Interface with VXLAN Capability

The connected VXLAN is specified within the port-profile configuration of the vNIC and is applied when the VM connects. VXLAN frames are originated and terminated on the VXLAN tunnel end points, called VTEPs, and the VM is unaware of the encapsulation.
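The encapsulation and the segment-scoped MAC lookup described above, as an added Python example that is not part of the lab guide or of Cisco's code. The 8-byte header layout follows RFC 7348; the function names, port names and MAC addresses are constructed for illustration, and the check against the segment pool (10000 to 10100, the range used in this lab) is an assumption about how a receiving VTEP could reject unprovisioned segments.

```python
import struct

VXLAN_HEADER_LEN = 8
FLAG_VNI_VALID = 0x08                   # "I" bit of the flags byte (RFC 7348)
VLAN_SEGMENTS = 1 << 12                 # 12-bit VLAN ID: 4096 segments
VXLAN_SEGMENTS = 1 << 24                # 24-bit segment ID: 16,777,216 segments
LAB_SEGMENT_POOL = range(10000, 10101)  # 10000 to 10100, the pool used in this lab


def mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' to 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ethernet_frame(dst, src, payload=b"constructed payload"):
    """Build a minimal inner Ethernet frame (constructed sample data)."""
    return mac(dst) + mac(src) + struct.pack("!H", 0x0800) + payload


def vxlan_encap(vni, inner_frame):
    """Prepend the VXLAN header; the outer IP/UDP headers are left to the VTEP."""
    if not 0 <= vni < VXLAN_SEGMENTS:
        raise ValueError("segment ID does not fit in 24 bits")
    # Word 0: flags byte + 24 reserved bits. Word 1: 24-bit VNI + 8 reserved bits.
    header = struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)
    return header + inner_frame


def vxlan_decap(udp_payload, allowed=LAB_SEGMENT_POOL):
    """Validate the header and return (vni, inner_frame)."""
    if len(udp_payload) < VXLAN_HEADER_LEN + 14:
        raise ValueError("too short for a VXLAN header plus an Ethernet header")
    word0, word1 = struct.unpack("!II", udp_payload[:VXLAN_HEADER_LEN])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag is not set")
    vni = word1 >> 8
    if vni not in allowed:  # assumption: drop segments this VTEP does not serve
        raise ValueError(f"segment {vni} is not provisioned on this VTEP")
    return vni, udp_payload[VXLAN_HEADER_LEN:]


class SegmentMacTable:
    """MAC table keyed by (segment ID, MAC): the segment ID scopes the MAC."""

    def __init__(self):
        self._ports = {}

    def learn(self, vni, mac_text, port):
        self._ports[(vni, mac(mac_text))] = port

    def lookup(self, vni, dst_mac):
        return self._ports.get((vni, dst_mac))


def deliver(table, udp_payload):
    """Terminate the tunnel and pick the local port for the inner destination."""
    vni, frame = vxlan_decap(udp_payload)
    return table.lookup(vni, frame[0:6])


def demo():
    """The same MAC in two segments resolves to two different ports."""
    table = SegmentMacTable()
    vm = "00:50:56:00:00:0a"            # constructed address
    table.learn(10000, vm, "port-web")  # hypothetical port names
    table.learn(10001, vm, "port-test")
    frame = ethernet_frame(dst=vm, src="00:50:56:00:00:0b")
    return [deliver(table, vxlan_encap(vni, frame)) for vni in (10000, 10001)]


if __name__ == "__main__":
    print(VLAN_SEGMENTS, VXLAN_SEGMENTS, demo())
```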


In Enhanced VXLAN mode, instead of flooding to a multicast destination, the VEM performs ingress replication of packets and sends them to the other VEMs. Each VEM holds the membership information of the other VEMs and their associated VTEPs for a given VXLAN segment.

When a VM joins a VXLAN segment, a VEM will publish its VTEP and segment membership information to the VSM. Each VEM will publish its own information to the VSM. The VSM will then build a database of all VTEPs for each VXLAN segment and distribute this to all VEMs. This information is dynamically updated on all the VEMs, and each VEM uses this membership list for flooding instead of using Multicast.

The VSM, in addition, maintains a complete MAC forwarding table for all hosts and distributes it to all the VEMs. This enhances security by dropping unknown unicast packets and eliminates traditional flood-and-learn forwarding methods. It allows control-plane based forwarding and also eliminates the unknown unicast scenarios that lead to security gaps.
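The publish, distribute and forward behaviour described above, modelled as an added Python example; it is not code from the lab guide or from the Nexus 1000V. The class and method names, VTEP addresses and MAC addresses are constructed for illustration, and the model keeps only what the text states: per-segment VTEP membership, a VSM-distributed MAC table, ingress replication for flooded traffic and a drop for unknown unicast.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


def is_flooded(dst_mac):
    """Broadcast and multicast MACs have the low bit of the first octet set."""
    return int(dst_mac.split(":")[0], 16) & 1 == 1


class Vsm:
    """Control plane: collects what VEMs publish and pushes it to every VEM."""

    def __init__(self):
        self.vteps = {}   # segment ID -> set of VTEP IPs with members in it
        self.macs = {}    # (segment ID, MAC) -> VTEP IP behind which the MAC lives
        self.vems = []

    def register(self, vem):
        self.vems.append(vem)

    def publish(self, vtep_ip, vni, mac):
        self.vteps.setdefault(vni, set()).add(vtep_ip)
        self.macs[(vni, mac)] = vtep_ip
        self._distribute()

    def _distribute(self):
        # Every VEM receives its own copy of both tables.
        for vem in self.vems:
            vem.vteps = {vni: set(ips) for vni, ips in self.vteps.items()}
            vem.macs = dict(self.macs)


class Vem:
    """Data plane on one host: forwards only from the tables the VSM sent."""

    def __init__(self, vtep_ip, vsm):
        self.vtep_ip = vtep_ip
        self.vsm = vsm
        self.vteps = {}
        self.macs = {}
        vsm.register(self)

    def vm_join(self, vni, mac):
        self.vsm.publish(self.vtep_ip, vni, mac)

    def forward(self, vni, dst_mac):
        """Return (action, destination VTEP IPs) for a frame sent by a local VM."""
        if is_flooded(dst_mac):
            # Ingress replication: one unicast copy per remote VTEP in the segment.
            peers = sorted(self.vteps.get(vni, set()) - {self.vtep_ip})
            return ("replicate", peers)
        owner = self.macs.get((vni, dst_mac))
        if owner is None:
            # Unknown unicast is dropped rather than flooded.
            return ("drop", [])
        if owner == self.vtep_ip:
            return ("local", [])
        return ("unicast", [owner])


def build_lab():
    """Three hosts, two segments (constructed addresses)."""
    vsm = Vsm()
    a = Vem("192.0.2.11", vsm)
    b = Vem("192.0.2.12", vsm)
    c = Vem("192.0.2.13", vsm)
    a.vm_join(10000, "00:50:56:00:00:01")
    b.vm_join(10000, "00:50:56:00:00:02")
    c.vm_join(10001, "00:50:56:00:00:03")
    a.vm_join(10001, "00:50:56:00:00:04")
    return a, b, c


if __name__ == "__main__":
    a, b, c = build_lab()
    for vni, dst in [(10000, BROADCAST),
                     (10000, "00:50:56:00:00:02"),
                     (10000, "00:50:56:00:00:03"),   # exists only in segment 10001
                     (10000, "00:50:56:00:00:99")]:  # never published
        print(vni, dst, a.forward(vni, dst))
```

A MAC that exists only in segment 10001 is dropped when addressed from segment 10000, and the host with no member in segment 10000 receives no copy of that segment's broadcasts.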


vCloud Director Networking and Cisco Nexus 1000V

VMware vCloud Director provides three classes of networks. The network class defines the boundaries and respective service levels for each function within a given cloud's network architecture.

External Networks

External networks provide transport between organizations or to networks outside of a single-tenant network, such as the Internet. External networks are managed by the vCloud Director administrator and are not directly visible to a tenant organization. This network type is also sometimes called a provider or data center network.

Organization Networks

A network allocated to a single organization or tenant and backed by the managed allocation of network resources for that organization. A single organization may have many types of organization networks.

Organization networks provide network segments within a single tenant, and allow connectivity between vApps assigned to the same organization network. vApps that are on different organization networks, even within the same tenant organization, are not in the same broadcast domain.

The resources to create the isolation are managed by the vCloud administrator and are provided to organizations as a managed allocation. The organization administrator has the ability to create isolated networks as needed.

Internal Network

Like an organization network, a vApp network is a segment that is created for the particular application stack within the organization's network to enable multi-tier applications to communicate with each other and, at the same time, to isolate the intra-vApp traffic from other applications within the organization.

It is important to understand the relationship between the virtual networking constructs, features of the Cisco Nexus 1000V, and the classes of networks defined and implemented in a vCloud Director environment. Most often a network class (organization and vApp, specifically) is described as being backed by an allocation of isolated networks. In other words, in order for an organization administrator to create an isolated vApp network, the administrator must have a free isolation resource to consume and to use in order to provide that isolated network for the vApp.

vCloud Director employs three different networks to create managed pools of isolation that can be allocated between and within tenant organizations. All three classes of networks can be supported using the virtual networking features of the Cisco Nexus 1000V Series. The network pool type used to provision organization networks is:

vCloud Network Isolation-backed

A vCloud Network Isolation-backed (VCNI) network pool provides isolated Layer-2 networks for multiple tenants of a cloud without consuming the VLAN IDs. This isolation-backed network pool does not require pre-existing VLAN IDs in vSphere. It uses port-groups that are dynamically created. A Cloud isolated network spans hosts, provides traffic isolation from other networks, and is the best source for vApp networks.

When leveraging Cisco Nexus 1000V Series Switches to provide a network pool that is backed by vCloud Network Isolation, the underlying Layer 2 isolation technology is Enhanced-VXLAN.


Solution Architecture

Key components of the solution to integrate Cisco Nexus 1000V with VMware vCloud Director

• VMware vCloud Director and vCNS Manager Communication
• Cisco Nexus 1000V VSM and vCNS Manager Communication
• VMware vCNS Manager and vCenter Communication
• vCenter and Cisco Nexus 1000V VSM Communication

vCloud Director and vCNS Manager Communications

vCloud Director provides network services to the Cloud via VMware vCNS Manager. vCNS Manager interacts with Cisco Nexus 1000V VSM to make the 1000V available to vCloud Director to build any type of network when building a tenant cloud. Each vCloud Director cell requires access to a vCNS Manager host, which in turn provides network services to the cloud. You must have a unique instance of vCNS Manager for each vCenter server you add to vCloud Director.

Cisco Nexus 1000V VSM and vCNS Manager Communications

vCloud Director interacts with the Cisco Nexus 1000V using vCNS Manager. Cisco Nexus 1000V VSM implements a REpresentational State Transfer (REST) API that allows the user to create all types of networks supported by vCloud Director.

This allows the user to design and implement networks in vCloud Director which then get created on the Cisco Nexus 1000V Series Switch.

VMware VCNS Manager needs the following information to manage the VSM.

a) VSM connectivity details

b) Number of VXLANs that can be consumed by vCloud Director

c) Multicast Group address associated with Network Pool in vCNS manager. This is ignored and not used by Nexus 1000V for Enhanced-VXLAN Networks.

VCNS Manager and vCenter Communications

This communication will occur when an organization routed network is required for an organization. vCNS Manager will instantiate a VCNS Edge appliance dynamically to provide Network Address Translation (NAT) and IP gateway service for an organization network.

vCenter and Cisco Nexus 1000V VSM Communications

vCenter provides centralized control and visibility to VMware vSphere virtual infrastructure and is tightly integrated with the Cisco Nexus 1000V. This integration enables the network administrator and the server administrator to collaborate efficiently. While the networking policies can be enforced in the virtual access layer just as in the physical network, Cisco Nexus 1000V helps maintain separation of duties for the network and server teams.


Verify Cisco Nexus 1000V and vCloud Director Integration


Verify Cisco Nexus 1000V in vCloud Director

In this lesson you'll review and learn Enhanced VXLAN configuration on Nexus 1000V and how Nexus 1000V registers with vCNS Manager as an external switch provider. In addition you'll verify the configuration of the network policy for an organization in vCloud Director. The configuration will be verified through the Nexus 1000V CLI.


Open a PuTTY connection to the Nexus 1000V VSM

Note: Refer to the "HOL-PRT-1305 Key-In help" text file on your Control Center Desktop to find or copy/paste login details and commands used in this lab guide.

Click on Start -> PuTTY; this will open the PuTTY client. Alternatively, double-click the PuTTY icon on the Desktop.

Login to Nexus 1000V VSM console

Scroll down the list of saved sessions and select the Nexus 1000V VSM host, vsm.corp.local. Click on the Open button to open the session. The login credentials are:

User name: admin


Password: Cisco123


Verify Features on Nexus 1000V

VXLAN functionality on the Cisco Nexus 1000V is enabled by configuring the feature segmentation. The integration with vCNS Manager is enabled by configuring the network-segmentation feature.

These features have already been enabled while preparing this lab. The "show feature" command output shows that both of these features have been enabled.

On the Nexus 1000V console, run the command:

show feature


View the capability vxlan Port-Profile

To view the port-profile configured to carry VXLAN traffic, run the command:

show run port-profile vmk-vxlan

The port-profile configured for VXLAN traffic will have capability vxlan configured on it. This port-profile is attached to a vmkernel interface on each ESXi host which will serve as the source of VXLAN traffic. We will verify this in the next step.


VXLAN Port-Profile

Deploying VXLAN requires the creation of a VMkernel interface on each ESXi host that will be sending VXLAN traffic. In this lab we have two ESXi hosts; a VMkernel interface has been created for each host and configured to use the vmk-vxlan port-group. To see the VMkernel interfaces that are attached to the vmk-vxlan port-profile, run the following command:

show port-profile name vmk-vxlan

Here we see that Vethernet3 and Vethernet4 are attached to the vmk-vxlan port-profile.

Network Policy for vCloud Director Organization Network

Nexus 1000V provides an easy way to define and apply a network policy at an organization level in vCloud Director. In the output below, the policy SilverGroup-Policy is tied to the organization in vCloud Director that is representing SilverGroup by means of the organization ID. Any internal networks that are created for this organization will have this network policy applied to them by default. The network-segment policy is also configured to import a port-profile that can be configured with QoS policies or ACLs that will be applied on an organization-wide level.


To view the network-segment policy that is tied to Silver Group, enter the following command:

show run network-segment policy SilverGroup-Policy

Subsequent lessons in the lab will illustrate the network-segment policy being automatically applied to a new organization network, and QoS configuration on the SilverGroup-Profile being applied to VXLAN traffic.

Integrating Nexus 1000V with vCNS Manager

Nexus 1000V Network Segmentation Manager (NSM) integrates with vCNS Manager to provision a pool of network segments that are backed by VXLAN. The configuration includes registering the Nexus 1000V NSM and configuring the range of multicast addresses and associated VXLAN segment identifiers. In this lesson we will log in to the VCNS Manager web interface and verify the VSM and vCenter status.


Login to the vCNS Manager Web Interface

Double-click the desktop shortcut called vCNS Manager and accept the security certificate error if prompted, to proceed to the login screen for VCNS Manager.

Use the following login credentials:

User name: admin

Password: default


Verify Nexus 1000V is successfully registered

Navigate to Settings & Reports -> Configuration -> Networking. You'll see Nexus 1000V registered as an External Switch Provider.


Verify Network Pool Configuration

Navigate to Datacenters -> Datacenter-Site A -> Network Virtualization -> Preparation -> Segment ID. The network pool configuration will show the multicast addresses and VXLAN segments in the pool. In this lab we have configured VXLAN segments from 10000 to 10100. Please ignore the Multicast group values here, as these are ignored by the Nexus 1000V switch for Enhanced VXLAN networks.

DataCenter-Site-A and Cluster-Site-B are pre-provisioned for you in this lab. Network segments created here will be consumed by VMs in this Datacenter.


Nexus 1000V networking in vCloud Director

The next step is to verify that the VXLAN backed network pools are available to use in vCloud Director. This is verified by logging into vCloud Director using the Umbrella IT administrator's credentials. Double-click on the vCloud Director shortcut on your Desktop and log in to vCloud Director.

vCloud Login: administrator

Password: VMware1!


Verify Network Pool provider VSM

Navigate to Manage & Monitor -> Cloud Resources -> Network Pools. You will see a network pool called SilverGroup-vDC-VXLAN; this network pool is backed by VXLAN on the Nexus 1000V.

In the Network Pools pane, SilverGroup-vDC-VXLAN shows that the vDS providing the network is the Nexus 1000V, as indicated by the switch name VSM.


Create organization networks leveraging Enhanced VXLAN in Cisco Nexus 1000V


Create Organization vDC internal network leveraging Enhanced VXLAN

The previous chapters introduced the basic configuration to deploy a VXLAN backed organization network in vCloud Director. Silver Group Organization vDC has one internal network created for it to host their web application. They have now made a request to Umbrella IT for a new network segment for their test environment. The actions in this lab chapter are performed by the Umbrella IT administrator through the vCloud Director system portal that was accessed in the previous chapter. In this lesson we will create a new internal network for Silver Group using the Nexus 1000V Enhanced VXLAN network pool.

Viewing SilverGroup Organization vDC Properties

Double-click on the vCloud Director shortcut on your Desktop and log in to vCloud Director.

vCloud User name: administrator

Password: VMware1!


SilverGroup Organization vDC Properties

Once logged into the vCloud Director administrator GUI: Select System -> Manage & Monitor -> Organization vDCs -> Click on the SilverGroup link.


Organization Networks Configuration

Navigate to Org VDC Networks in SilverGroup vDC Top Menu

Here you will see that Silver Group already has two networks configured for it. These networks are created as part of the lab preparation and are consumed by SilverGroup vApp VMs. The organization has been set up with one external network, which is a Direct Network, and one Internal isolated network, which is using the VXLAN Network Pool.

We now want to add another internal network to Silver Group to support the new vApp requirements. Click on the + button to add an organization network.


Configure a new Internal Network for SilverGroup

Select Create an isolated network within this virtual datacenter in Network Type. Then click Next.


Configure organization network details

This screen allows the administrator to define the network mask, default gateway and range of IP addresses that can be used by VMs on the network. Enter values as shown in the screen and click on the Next button to proceed.

Enter Values as shown here:

Gateway address: 192.168.10.1

Network mask: 255.255.255.0

Static IP Pool: 192.168.10.10-192.168.10.100

Name Organization vDC Network

This is the last step in the creation of the internal network. Provide the name SilverGroup_Test_Net_1 and an optional description, and click on the Next button.

Then click Finish on the next screen.


Verify Org Network creation

The network status for SilverGroup-Test-net-1 will show Creating for a few seconds while the network is created and the associated port-profiles are created on Nexus 1000V. Once the network has been created successfully it will show up with a green check mark against it. In case you do not see a green check mark for the newly created network, hit the Refresh button in vCD.

This network can now be utilized for the test vApps that the Silver Group wants to deploy; however, this lab will not cover creating and deploying a new vApp.

For the rest of the lab we will be using the previously created SilverGroup_Web1 internal network for the SilverGroup-Web-vApp.

Verify Nexus 1000V Port-Profile created for new organization vDC network

The creation of a new organization network will result in a port-profile being created on the Nexus 1000V VSM through the vCloud Director interface to the vCNS Manager. This new port-profile will inherit the port-profile SilverGroup-Profile that was imported into the network-segment policy SilverGroup-Policy tied to this organization.

To verify the new network on the Nexus 1000V, log in to the Nexus 1000V console:

1. Double click on Putty icon on desktop and open session to vsm.corp.local


Nexus 1000V console login credentials:

User: admin

Password: Cisco123

2. To view the newly created port-profile, run this command from the Nexus 1000V console:

show port-profile brief

The port-profile is auto-generated and it may not exactly match the output above. However, it will contain the name of the test network created, SilverGroup_Test_Net1.

Verify SilverGroup-Profile for new organization network

To view the details of the port-profile configuration, copy the name of the port-profile from the previous command and provide it as input to:

show run port-profile <Test-profile-name>

The output of this command shows the port-profile inheriting the SilverGroup port-profile, which will be used to configure network policies for this organization network.


Note: The port-profile name might be different in your specific setup.

Deploying Web vApp for Silver Group

The Silver Group has created a web application to run on the SilverGroup_Web1 network.

In this exercise you'll deploy the Web-vApp and verify that it is running successfully. The steps in this lesson are carried out by the Silver Group administrators (admin) through an organization-specific portal provided to them by Umbrella IT.


Logging into vCloud Director

Double-click the SilverGroup vCloud IE shortcut icon on your desktop to open the vCloud Director Web GUI.


SilverGroup Admin Login

Use the SilverGroup administrator (admin) credentials to log in to the SilverGroup Cloud Portal.

User name : admin

Password: VMware1!


Managing the Cloud for the SilverGroup

Select the My Cloud tab to view the vApps and VMs for an organization. To explore the vApp that has been created, click Open as indicated in the screenshot.

Verify SilverGroup-Web-vApp VM's Networking details

The vApp deployed for Silver Group consists of a web server and a client. The IP addresses on the VMs have been configured to use static addresses, and they are on the SilverGroup_Web1 network.


Verify Enhanced VXLAN capability on Nexus 1000V

Verify the multicast-less (i.e. Enhanced VXLAN) configuration for logical networks in the Nexus 1000V.

The show bridge-domain command verifies that the segmentation mode is unicast-only. The Group-IP in the command output is ignored in the Nexus 1000V.

Verify Bridge-Domain Segment Mode Unicast-Only

Segmentation mode unicast-only can be specified either at the global level or for a specific bridge domain. In the above example there are 2 bridge domains dynamically created in the Nexus 1000V by VCNS Manager. The 2nd bridge domain, with Segment ID 10002, is consumed by 3 virtual ethernet ports, i.e. it is consumed by the SilverGroup Web vApp VMs pre-provisioned for this lab.

Verify VM's associated with VXLAN segments

The show bridge-domain brief command on the Nexus 1000V console shows all vEthernet interfaces for a particular bridge-domain network, which is dynamically created by VCNS Manager when you create an Org network in vCloud Director. The show interface virtual command displays the VMs associated with vEth ports.


Verify VXLAN VTEPs

As we've learned in previous lab lessons, every VEM has a VMkernel interface with the capability-vxlan port-profile attached. This VMkernel interface is a tunnel endpoint (VTEP) for the VXLAN segment. In this output, there are 2 VEMs, Module 3 and 4, with one VTEP each, assigned IP addresses of 192.168.10.96 & 192.168.10.98.


Deploy Web vApp for SilverGroup

Silver Group has created a web application to run on the SilverGroup_Web1 network. In this exercise we will deploy the vApp and verify that it is running successfully. The steps in this lesson are carried out by Silver Group administrators through an organization-specific portal provided to them by Umbrella IT.

Start SilverGroup-Web-vApp

To open the vApp, navigate to My Cloud -> vApps -> SilverGroup-Web-vApp. Select Start if the vApp is in the Stopped state.

Note: Continue to use the open vCloud Director browser session. If you've closed your browser session, please follow previous Step # 26.


SilverGroup vApp Client access

Select SilverGroup-Web-vApp and click on the icon for the Client VM. This will open the VMRC console for the VM.


Login to Client VM

Log in to the Client VM with credentials:

User: vmware

Password : VMware1!


Open Web Server in Browser

Double-click the "Cisco Systems" IE shortcut on the Client desktop. The web home page has been set up to access the web server at 192.168.1.1. This vApp has been deployed successfully if the web page for Silver Group is visible.

The VMRC console session for the Client can be left open since it will be used in the next two exercises.


Port-Mirroring using ERSPAN on Cisco Nexus 1000V

Configure and verify ERSPAN on the Cisco Nexus 1000V

After a few days in production the web vApp deployed by Silver Group is showing a performance degradation. They have opened a trouble ticket with Umbrella IT to troubleshoot the issue. The Umbrella IT administrator can enable ERSPAN on the Nexus 1000V to gain visibility into the vApp traffic. The ERSPAN session will mirror traffic on VXLAN to a VM on the network that is running a network analyzer.

In this lesson, you'll act as an Umbrella IT administrator to enable ERSPAN for Web vApp traffic monitoring with Nexus 1000V.


Open PuTTY Session to Nexus 1000V

On the Control Center Desktop, double-click the PuTTY icon to open the PuTTY client. Select Nexus 1000V VSM - vsm.corp.local and click Open to open the console for the Nexus 1000V.

Log in to the Nexus 1000V VSM console using credentials:

User: admin

Password: Cisco123

Note: If you have kept the PuTTY session open after the last exercise involving the Nexus 1000V VSM, skip the steps of connecting to the Nexus 1000V VSM again.


Identify virtual interface (vEthernet) Interface for ERSPAN session

Before creating the ERSPAN session, identify the vEthernet port that will be used as the source of the span traffic. In this example we will be enabling ERSPAN for the traffic going to/from the Client VM. Issue the command from the Nexus 1000V console:

show interface virtual

In the example output above, the Client VM is on Veth6. This may be different in your setup as the assignment of VMs to Vethernet interfaces is dynamic. Note the Vethernet number specific to your lab; it will be used in the next step.

Setting up ERSPAN on Nexus 1000V

The monitor session we will configure in this exercise will mirror both Tx and Rx traffic from the Client_vApp VM. The VM running the network analyzer has an IP address of 192.168.110.134.

Enter the following commands to configure the ERSPAN session on the Nexus 1000V. NOTE: Make sure to use the Vethernet port identified in the previous step.

config t

monitor session 1 type erspan-source

description MonitorClient

source interface Vethernet 6 both

destination ip 192.168.110.134


erspan-id 999

no shut

end
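Because an ERSPAN session copies a VM's traffic to another host, it is useful to review which sessions are enabled and where they send traffic. The following Python check is an added example, not part of the lab: it parses running-config style text for erspan-source sessions and lists enabled ones whose destination is not an approved analyzer. Assumptions: the input is indented the way the switch displays its running configuration, a session stays shut until "no shut" appears, sessions 2 and 3 in the sample are hypothetical, and the function names are hypothetical.

```python
# Constructed sample in running-config layout: session 1 is the one configured in
# this lab; sessions 2 and 3 and their destination are hypothetical.
SAMPLE_CONFIG = """\
monitor session 1 type erspan-source
  description MonitorClient
  source interface Vethernet 6 both
  destination ip 192.168.110.134
  erspan-id 999
  no shut
monitor session 2 type erspan-source
  description Hypothetical
  source interface Vethernet 9 rx
  destination ip 198.51.100.20
  erspan-id 500
  no shut
monitor session 3 type erspan-source
  description Disabled
  source interface Vethernet 7 both
  destination ip 198.51.100.20
  erspan-id 501
"""


def parse_sessions(config):
    """Collect ERSPAN source sessions from indented running-config text."""
    sessions, cur = [], None
    for raw in config.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["monitor", "session"] and words[-1] == "erspan-source":
            # Assumption: a session is shut until "no shut" is seen.
            cur = {"id": int(words[2]), "sources": [], "destination": None,
                   "erspan_id": None, "enabled": False}
            sessions.append(cur)
        elif not raw[0].isspace():
            cur = None                      # any other top-level line ends the block
        elif cur is None:
            continue
        elif words[:2] == ["source", "interface"]:
            has_dir = words[-1] in ("rx", "tx", "both")
            name = " ".join(words[2:-1] if has_dir else words[2:])
            cur["sources"].append((name, words[-1] if has_dir else "both"))
        elif words[:2] == ["destination", "ip"] and len(words) > 2:
            cur["destination"] = words[2]
        elif words[0] == "erspan-id" and len(words) > 1:
            cur["erspan_id"] = int(words[1])
        elif words in (["no", "shut"], ["no", "shutdown"]):
            cur["enabled"] = True
        elif words[0] in ("shut", "shutdown"):
            cur["enabled"] = False
    return sessions


def unapproved_mirrors(sessions, approved_collectors):
    """Enabled sessions that mirror traffic to a destination outside the approved set."""
    return [(s["id"], s["destination"], s["sources"]) for s in sessions
            if s["enabled"] and s["destination"] not in approved_collectors]
```

With the lab's analyzer (192.168.110.134) as the only approved destination, only the hypothetical session 2 is reported; session 3 is ignored because it is not enabled.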


Analyzing Network Traffic

Double-click the "Wireshark VM" icon on your desktop to open an RDP session to the Windows sniffer Wireshark VM. Login credentials are:

User: vmware

Password: VMware1!

The ERSPAN traffic is mirrored to the Windows7-Wireshark virtual machine at 192.168.110.134. In this exercise we will first set up the traffic analyzer (Wireshark) and then start an HTTP request from the client. We will then verify that the packets are being captured in Wireshark.


Setup Wireshark to capture traffic

Double-click on Wireshark shortcut on desktop to open Wireshark application.

Configure Wireshark to match traffic

Select a pre-configured filter from the drop-down filter menu. The IP address for the Client is 192.168.1.1. After selecting the filter, click on Apply.

Note: If no pre-configured filter is displayed, please enter the following in the filter field:

ip.addr==192.168.1.1


Set Capture Interface

Select the interface "Local Area Connection 2" and click on Start to start the capture.


Access Web Page from Client VM

On the Client VM, access the web page by double-clicking the "Cisco Systems" IE icon on the desktop.


View captured traffic

Navigate to the Wireshark VM RDP session and view the traffic that is captured by Wireshark. The IP addresses correspond to those of the Client (192.168.1.2) and the web server (192.168.1.1). Stop the capture by clicking the "Stop the running live capture" button so that no packets are captured until the next exercise.


Configure QOS for Enhanced VXLAN network on Cisco Nexus 1000V

Configure and verify QOS for Enhanced VXLAN network traffic

Setup QOS for SilverGroup Web vApp Traffic

After analyzing the traffic capture logs it was determined that the performance of the vApp could be improved by applying a QoS policy that will provide dedicated bandwidth to the vApp. QoS will be configured on the Nexus 1000V to provide platinum service to the vApp network.

Quality of Service (QoS) lets you classify network traffic so that it can be policed and prioritized in a way that prevents congestion. Traffic is processed based on the classification and the policies attached to the traffic class. The Cisco Nexus 1000V offers all the QoS features that can be found on other hardware switches in the Nexus product line. In addition, QoS can be applied at the port-profile level, as shown in this example, or at the virtual ethernet interface level. This allows both organization-wide policy application and policies that are fine-tuned to specific traffic types like VM, vMotion or management traffic.

Configuring the QoS policies will be done through the PuTTY session that is opened to the Nexus 1000V VSM.


Open PuTTY Session to Nexus 1000V

On the Control Center Desktop, double-click the PuTTY icon to open the PuTTY client. Select Nexus 1000V VSM - vsm.corp.local and click Open to open the console for the Nexus 1000V.

Log in to the Nexus 1000V VSM console using credentials:

User: admin

Password: Cisco123

Note: If you have kept the PuTTY session open after the last exercise involving the Nexus 1000V VSM, skip the steps of connecting to the Nexus 1000V VSM again.

Traffic classification

Execute the following commands on the Nexus 1000V CLI to configure an access-list that matches all traffic:

config t

ip access-list QOS

permit ip any any

exit

Configuring class-map for traffic

Create a class-map called SilverGroup_Class to classify packets that match the QoS access-group configured in the previous step.

Execute the following commands to configure a class-map:

config t

class-map type qos match-all SilverGroup_Class

match access-group name QOS

exit


Creating QOS Policy for the traffic class

The policy defined for SilverGroup_Class marks matching traffic with a DSCP value of cs7. Assigning cs7 ("class selector 7") marks this traffic for a higher priority.

To configure a policy-map for the SilverGroup_Class enter the following commands:

config t

policy-map type qos SilverGroup_QOS_Policy

class SilverGroup_Class

set dscp cs7

end

Apply QOS policy to organization vApp

As described earlier, the SilverGroup-Profile port-profile is inherited by all organization networks that are created for Silver Group. Applying the QoS policy on this port-profile will result in the policy being applied to all virtual ethernet interfaces for the organization, including the Client and WebServer traffic.

Enter the following commands to configure the QoS policy on the SilverGroup port-profile consumed by the SilverGroup-Web-vApp VMs:

config t

port-profile type vethernet SilverGroup-Profile

service-policy type qos input SilverGroup_QOS_Policy

service-policy type qos output SilverGroup_QOS_Policy

exit


Verify that the configuration was applied using the command:

show run port-profile SilverGroup-Profile


Verify QOS settings on vApp traffic

Navigate back to the Wireshark application that is running in the RDP session for the Windows-Sniffer VM. Start a new capture and click on Continue without Saving to continue without saving the old capture file.


Access Web Page from Client VM

Hit browser Refresh or close any existing browser windows on the Client VM. Repeat the steps to open the IE shortcut to Cisco Systems on the desktop. This will access the web page from the web server and should generate traffic towards the traffic analyzer.


Verify QOS with Wireshark packet capture

1. Stop the capture if it is still running from previous steps.

2. Set the filter in the drop-down to ip.addr==192.168.1.1

3. Start the capture.

4. Select a packet with a source of 192.168.1.1. The outer encapsulation is the IP encapsulation for ERSPAN, and the inner packet contains the payload we want to analyze.

5. Expand the inner Internet Protocol field and verify the Class Selector (DSCP) value is 7.

This confirms that the QoS settings have been applied on the packet.
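The check in steps 4 and 5 can also be done programmatically. The following Python code is an added example, not part of the lab: it walks a mirrored packet from the outer IP header through GRE and the ERSPAN header to the inner IP header and reports the ERSPAN session ID and the inner DSCP. Assumptions: ERSPAN Type II framing (GRE protocol 0x88BE), a sample packet constructed from this lab's addresses with a placeholder outer source of 192.0.2.10, and hypothetical function names.

```python
import socket
import struct

GRE_ERSPAN_II = 0x88BE  # GRE protocol type carrying ERSPAN Type II


def ipv4(src, dst, proto, payload_len, dscp=0):
    """Minimal 20-byte IPv4 header for the constructed sample (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + payload_len, 0, 0,
                       64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_sample(session_id=999, inner_dscp=56, collector="192.168.110.134"):
    """Constructed packet: a web server -> client frame mirrored to the analyzer."""
    inner = bytes(12) + struct.pack("!H", 0x0800)          # zeroed MACs, IPv4
    inner += ipv4("192.168.1.1", "192.168.1.2", 6, 0, inner_dscp)
    gre = struct.pack("!HHI", 0x1000, GRE_ERSPAN_II, 1)    # S bit set, sequence 1
    erspan = struct.pack("!HHI", 1 << 12, session_id & 0x3FF, 0)
    payload = gre + erspan + inner
    # 192.0.2.10 is a placeholder: the lab does not state the ERSPAN source IP.
    return ipv4("192.0.2.10", collector, 47, len(payload)) + payload


def parse_erspan(pkt):
    """Return ERSPAN session ID and inner IPv4 details, or raise ValueError."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 47:
        raise ValueError("outer packet is not IPv4/GRE")
    outer_dst = socket.inet_ntoa(pkt[16:20])
    off = (pkt[0] & 0x0F) * 4
    if len(pkt) < off + 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack_from("!HH", pkt, off)
    if proto != GRE_ERSPAN_II:
        raise ValueError("GRE payload is not ERSPAN Type II")
    off += 4
    for bit in (0x8000, 0x2000, 0x1000):    # optional checksum, key, sequence
        if flags & bit:
            off += 4
    if len(pkt) < off + 8 + 14 + 20:
        raise ValueError("truncated ERSPAN header or inner frame")
    ver_vlan, cos_session = struct.unpack_from("!HH", pkt, off)
    if ver_vlan >> 12 != 1:
        raise ValueError("unexpected ERSPAN version")
    off += 8                                # start of the mirrored Ethernet frame
    (ethertype,) = struct.unpack_from("!H", pkt, off + 12)
    off += 14
    if ethertype == 0x8100:                 # skip a single 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", pkt, off + 2)
        off += 4
    if len(pkt) < off + 20 or ethertype != 0x0800 or pkt[off] >> 4 != 4:
        raise ValueError("inner frame is not a complete IPv4 packet")
    dscp = pkt[off + 1] >> 2
    return {
        "outer_dst": outer_dst,
        "session_id": cos_session & 0x3FF,
        "inner_src": socket.inet_ntoa(pkt[off + 12:off + 16]),
        "inner_dst": socket.inet_ntoa(pkt[off + 16:off + 20]),
        "dscp": dscp,
        # Class selector codepoints have the low three DSCP bits clear (cs7 = 56).
        "class_selector": dscp >> 3 if dscp & 0x07 == 0 else None,
    }
```

For the constructed packet, the session ID matches the erspan-id 999 configured earlier, and the inner DSCP of 56 corresponds to class selector 7.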


Congratulations !!


Conclusion

Congratulations! You have successfully integrated the Nexus 1000V using Enhanced VXLAN with vCloud Director, deployed a vApp and explored troubleshooting with ERSPAN and advanced features like QoS on the Nexus 1000V.

In this lab you've gained hands-on experience deploying Enhanced VXLAN networks for VMs in a vCloud Director environment with Cisco Nexus 1000V. Cisco Nexus 1000V is a feature-rich distributed virtual switch for Multi-Hypervisor, Multi-Services and Multi-Cloud environments. Cisco Nexus 1000V provides you a consistent Networking and Services experience across physical and network environments, as well as across multi-hypervisor environments. To get more information about Nexus 1000V, please visit: www.cisco.com/go/nexus1000v or stop by the Cisco Data Center (Nexus 1000V) Booth.

Thank You!!!


Conclusion

Thank you for participating in the VMware Hands-on Labs. Be sure to visit http://hol.vmware.com/ to continue your lab experience online.

Lab SKU: HOL-PRT-1305

Version: 20141126-105854
