© 2011 VCE Company LLC, All rights reserved. VBLOCK SOLUTION FOR TRUSTED MULTI-TENANCY: TECHNICAL OVERVIEW August 2011

Vce Trusted Multi Tenancy White Paper


VBLOCK™ SOLUTION FOR TRUSTED MULTI-TENANCY: TECHNICAL OVERVIEW

August 2011


Table of Contents

Executive Summary ..... 6
  Goal of This Document ..... 6
  Audience ..... 6
Introduction ..... 7
  Service Models ..... 7
  The Trusted Multi-Tenancy Elements ..... 8
    Secure Separation ..... 9
    Service Assurance ..... 9
    Security and Compliance ..... 10
    Availability and Data Protection ..... 10
    Tenant Management and Control ..... 11
    Service Provider Management and Control ..... 12
Overview of the TMT Model ..... 13
Technology Overview ..... 14
  About the Vblock platform ..... 14
  Management and Orchestration ..... 14
    Vblock Advanced Management Pod (AMP) ..... 14
    EMC Ionix™ Unified Infrastructure Manager (UIM) ..... 15
  Security Technologies ..... 16
    RSA enVision ..... 19
    RSA SecurID ..... 20
    RSA Authentication Manager ..... 20
    RSA Data Loss Prevention ..... 21
    RSA Data Loss Prevention Network ..... 21
    RSA Data Protection Manager ..... 21
    Cisco Virtual Security Gateway ..... 21
    VMware vShield ..... 23
    VMware vShield Zones ..... 25
    VMware vShield App ..... 26
    Cisco Adaptive Security Appliance ..... 26
    Cisco Intrusion Prevention System ..... 27
    Cisco Secure Access Control Server ..... 27
  Storage Technologies ..... 28
    EMC Symmetrix® V-MAX™ ..... 29
    EMC Symmetrix Management Console ..... 30
    Symmetrix Priority Controls ..... 31
    EMC Symmetrix Performance Analyzer ..... 31
    EMC Fully Automated Storage Tiering (FAST) ..... 31
    EMC Symmetrix Optimizer ..... 32
    EMC PowerPath®/VE ..... 33
    EMC Unified Storage ..... 34
    EMC Unisphere® Management Suite ..... 35
    EMC Unisphere Quality of Service Manager ..... 36
    EMC VPLEX™ ..... 37
    EMC Ionix Storage Configuration Advisor ..... 38
    EMC Ionix ControlCenter ..... 38
    EMC Virtual Storage Integrator ..... 39
    EMC Networker ..... 40
    EMC Data Domain® ..... 41
    EMC Avamar® ..... 42
    EMC Replication Manager ..... 43
    EMC RecoverPoint ..... 43
    EMC RecoverPoint Storage Adapter for SRM ..... 44
    EMC Data Protection Advisor ..... 45
  Compute Technologies ..... 46
    Cisco Unified Computing System ..... 47
    VMware vSphere™ ..... 50
    VMware vSphere High Availability ..... 51
    VMware vSphere Fault Tolerance ..... 51
    VMware vSphere Distributed Resource Scheduler ..... 52
    VMware vSphere Resource Pools ..... 53
    VMware vMotion™ ..... 54
    VMware vCenter Server ..... 54
    VMware vCloud™ Director ..... 56
    VMware vCloud Request Manager ..... 57
    VMware vCenter Configuration Manager ..... 58
    VMware vCenter Site Recovery Manager ..... 59
    VMware vCenter Capacity IQ ..... 60
    VMware vCenter Chargeback ..... 61
  Network Technologies ..... 62
    Nexus 1000V Series ..... 63
    Nexus 5000 Series ..... 65
    Cisco Virtual PortChannels ..... 66
    Nexus 7000 Series ..... 66
    Cisco Overlay Transport Virtualization ..... 67
    Cisco MDS ..... 68
    Cisco Data Center Network Manager ..... 70
    VLAN Separation ..... 71
    Virtual Routing and Forwarding ..... 71
    Hot Standby Router Protocol ..... 72
    MAC Address Learning ..... 72
    EtherChannel ..... 72
Conclusion ..... 73
Further Reading ..... 75


Executive Summary

VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, represents an unprecedented level of collaboration in development, services and partner enablement by four established market and technology leaders. VCE accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock™ Infrastructure Platforms, delivers the industry's first completely integrated IT offering that combines best-of-breed virtualization, networking, computing, storage, security, and management technologies with end-to-end vendor accountability. VCE's prepackaged solutions cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating and managing IT infrastructure.

VCE provides the fastest, most efficient and effective path to pervasive virtualization and cloud computing, available to customers through a large and growing network of value added resellers, system integrators and service provider partners. To date, more than 100 leading partners in 29 countries are actively selling Vblock platforms to a growing, diverse global customer base. VCE continues to innovate with the goal of providing market-leading simplicity, flexibility and efficiency. For more information, go to www.vce.com.

This document outlines the six foundational elements of the Trusted Multi-Tenancy (TMT) model and details its features, products and underlying design principles.

Goal of This Document

This document provides a technical overview of the TMT solution, which enables an organization to successfully create and deploy a secure and dynamic data center infrastructure. The TMT solution comprises six foundational elements that are standard Vblock platform components, together with additional products offered by RSA®, Cisco, EMC, and VMware. These six elements address the unique requirements of the Infrastructure as a Service (IaaS) provision model, which is the focus of this paper. In this document, the terms “Tenant” and “Consumer” refer to the consumers of the services provided by a service provider.

Audience

The target audience for this document is highly technical, and it includes technical consultants, professional services personnel, IT managers, infrastructure architects, partner engineers, sales engineers, and consumers who wish to deploy a TMT environment consisting of leading technologies from RSA, Cisco, EMC, and VMware.


Introduction

The concept of multi-tenancy is found in virtually every definition of cloud computing. In its simplest form, multi-tenancy is an architectural model that optimizes resource sharing while providing sufficient levels of isolation to the tenants and Quality of Service (QoS) throughout the shared environment.

While most in the industry understand the basics of providing a secure multi-tenant environment using VMware products, increases in compliance and security requirements are driving providers and tenants to require more than just isolation as a prerequisite for doing business. The TMT model used with the Vblock platform directly addresses this need, integrating high quality security, encryption, and compliance reporting elements into the stack.

Large and small companies are taking advantage of the economic and environmental benefits of cloud computing. However, to take full advantage of cloud computing’s many benefits, service providers must be able to support multiple tenants within the same physical infrastructure without tenant awareness of any co-resident. The separation between tenants must be comprehensive, complete, and provide mechanisms for management, reporting, and alerting.

TMT recognizes and incorporates the need for dynamic resource allocation and secure component isolation throughout the Vblock platform and goes beyond traditional secure multi-tenant designs in the following ways:

• The Vblock platform is a preconfigured and integrated product, which, combined with the six foundational elements, produces the TMT solution.
• TMT has a greater scope of security, which includes control and compliance through the integration of RSA products such as RSA enVision®, RSA SecurID®, and RSA Data Protection Manager.
• TMT includes EMC Ionix Unified Infrastructure Manager (UIM), which provides complete orchestration and provisioning.
• TMT provides simplified management by distinguishing between the needs of the tenants and the service provider.

Finally, service providers faced with increasingly constrained operational expense budgets are demanding greater operational efficiency from their infrastructure. The TMT model used with the Vblock platform directly addresses this issue with the only pre-integrated single pane of glass management platform in the industry – the Ionix Unified Infrastructure Manager (UIM) – and the only single-call support model that supports all of the included components.

Service Models

In cloud computing, the meaning of a multi-tenant architecture has broadened because of new service delivery models that take advantage of virtualization and remote access. The Cloud Security Alliance defines the following three basic service delivery models:

• Software as a Service (SaaS) – This model allows the tenant to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client device such as a web browser. The tenant does not manage or control the underlying cloud infrastructure – including network, servers, operating systems, storage, and application capabilities – with the possible exception of limited user-specific application configuration settings.
• Platform as a Service (PaaS) – This model allows the tenant to deploy tenant-created or acquired applications onto the cloud infrastructure using programming languages and tools supported by the provider. The tenant does not manage or control the underlying cloud infrastructure – including network, servers, operating systems, and storage – but has control over the deployed applications and possibly application hosting environment configurations.
• Infrastructure as a Service (IaaS) – This model allows the tenant to provision processing, storage, networks, and other fundamental computing resources whereby the tenant is able to deploy and run arbitrary software, which can include operating systems and applications. The tenant does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (for example, host firewalls).

Although multi-tenancy requirements are similar for all types of services, this paper addresses the unique requirements of the IaaS delivery model.

The Trusted Multi-Tenancy Elements

Isolation and service assurance are the primary concerns of the Trusted Multi-Tenancy model (Figure 1). The “trusted” portion of the model relates to the visibility and control offered to the tenants to verify the environment. To support these fundamental requirements, the TMT model on the Vblock platform is built on six foundational elements:

• Secure Separation
• Service Assurance
• Security and Compliance
• Availability and Data Protection
• Tenant Management and Control
• Service Provider Management and Control

Figure 1. Six elements of the Vblock platform Trusted Multi-Tenancy


Secure Separation

The first element is Secure Separation. Secure separation refers to the effective segmentation and isolation of tenants and their assets within the multi-tenant environment. Without secure separation, Trusted Multi-Tenancy cannot occur.

Tenant Concerns

Adequate secure separation ensures that the resources of existing tenants remain untouched and that the integrity of the applications, workloads, and data remains uncompromised when the service provider provisions new tenants. Each tenant may have access to different amounts of network, compute, and storage resources in the converged stack. The tenant sees only those resources allocated to them.

Provider Challenges

From the standpoint of the service provider, secure separation requires the systematic deployment of various security control mechanisms throughout the infrastructure to ensure the confidentiality, integrity, and availability of tenant data, services, and applications. The logical segmentation and isolation of tenant assets and information are essential for providing confidentiality in a multi-tenant environment. In fact, ensuring the privacy and security of each tenant becomes a key design requirement in the decision to adopt cloud services. Table 1 describes secure separation methods.

Table 1. Secure separation methods

Infrastructure Layer | Mechanisms
Network layer | Various methods, including zoning and virtual local area networks (VLANs), can enforce network separation. Internet Protocol Security (IPsec) also provides application-independent network encryption at the IP layer for additional security.
Compute layer | Within the computing infrastructure of the Vblock platform, multi-tenancy concerns at multiple levels must be addressed, beginning with the Intel® central processing unit (CPU), through the Cisco Unified Computing System™ (UCS) server infrastructure, and within the VMware vSphere Hypervisor.
Storage layer | Features of EMC’s multi-tenancy offerings can be combined with standard security methods such as storage area network (SAN) zoning and Ethernet VLANs to segregate, control, and manage storage resources among the infrastructure’s tenants. EMC’s multi-tenancy offerings include the following: data at rest encryption; secure transmission of data; and bandwidth, cache, CPU, and disk drive isolation.
Application layer | A specially written multi-tenant application or multiple, separate instances of the same application can provide multi-tenancy at this level.
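The mechanisms in Table 1 only separate tenants if the allocation records behind them never overlap, and the "trusted" part of the model means a tenant should see nothing beyond its own allocation. The following Python is an added example, not code from the VCE paper or any VCE product: it audits a constructed per-tenant inventory (VLANs, vSphere resource pools, SAN zones, LUNs) for resources held by more than one tenant, treats a provider-declared shared set as expected, and checks that what a tenant observes stays inside its allocation. The tenant names, resource names and the provider_shared convention are assumptions.

```python
# Added example (not from the VCE paper): a secure-separation audit across the
# layers listed in Table 1. All tenants and resource names below are constructed.
from collections import defaultdict
from dataclasses import dataclass, field

LAYERS = ("network/vlan", "compute/resource_pool", "storage/san_zone", "storage/lun")


@dataclass
class Tenant:
    """One tenant's allocation in the converged stack, keyed by layer."""
    name: str
    vlans: set = field(default_factory=set)           # network layer: VLAN IDs
    resource_pools: set = field(default_factory=set)  # compute layer: vSphere resource pools
    san_zones: set = field(default_factory=set)       # storage layer: SAN zone names
    luns: set = field(default_factory=set)            # storage layer: LUNs presented to the tenant

    def allocation(self) -> dict:
        """Map each layer label to the set of resources this tenant holds there."""
        return {
            "network/vlan": self.vlans,
            "compute/resource_pool": self.resource_pools,
            "storage/san_zone": self.san_zones,
            "storage/lun": self.luns,
        }


@dataclass(frozen=True)
class Finding:
    layer: str
    resource: str
    tenants: tuple  # names of every tenant holding the resource, sorted


def audit_separation(tenants, provider_shared=None):
    """Return a Finding for each resource held by more than one tenant.

    provider_shared maps a layer label to resources the provider deliberately
    shares (for example a backup VLAN); those are not reported. Assumption:
    anything else held by two tenants breaks secure separation.
    """
    provider_shared = provider_shared or {}
    owners = defaultdict(lambda: defaultdict(set))  # layer -> resource -> tenant names
    for t in tenants:
        for layer, resources in t.allocation().items():
            for res in resources:
                owners[layer][res].add(t.name)
    findings = []
    for layer in LAYERS:
        allowed = provider_shared.get(layer, set())
        for res in sorted(owners[layer], key=str):
            names = owners[layer][res]
            if len(names) > 1 and res not in allowed:
                findings.append(Finding(layer, str(res), tuple(sorted(names))))
    return findings


def out_of_scope_view(tenant, observed):
    """Resources a tenant can see that were never allocated to it.

    observed maps a layer label to what the tenant's own tooling reports
    (VLAN IDs on its port groups, LUNs visible to its hosts, ...). A non-empty
    result means the tenant has visibility beyond its allocation.
    """
    allocation = tenant.allocation()
    leaks = {}
    for layer, seen in observed.items():
        extra = set(seen) - allocation.get(layer, set())
        if extra:
            leaks[layer] = extra
    return leaks


# Constructed inventory: VLAN 101 and LUN lun-0a are wrongly presented to both
# tenants; VLAN 999 is a provider-shared backup VLAN and is expected.
SAMPLE_TENANTS = [
    Tenant("acme", vlans={100, 101, 999}, resource_pools={"rp-acme"},
           san_zones={"z-acme"}, luns={"lun-0a", "lun-1a"}),
    Tenant("globex", vlans={101, 200, 999}, resource_pools={"rp-globex"},
           san_zones={"z-globex"}, luns={"lun-0a", "lun-0b"}),
]
PROVIDER_SHARED = {"network/vlan": {999}}

if __name__ == "__main__":
    for f in audit_separation(SAMPLE_TENANTS, PROVIDER_SHARED):
        print(f"{f.layer}: {f.resource} shared by {', '.join(f.tenants)}")
    # What acme's hosts report seeing on the network (constructed observation)
    print(out_of_scope_view(SAMPLE_TENANTS[0], {"network/vlan": {100, 101, 200, 999}}))
```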

Service Assurance

Service Assurance plays a vital role in providing tenants with consistent, enforceable, and reliable service levels. Unlike physical resources, virtual resources are highly scalable and easy to allocate and reallocate on demand. In a multi-tenant virtualized environment, the service provider prioritizes virtual resources to accommodate the growth and changing business needs of tenants. Service level agreements (SLAs) define the level of service agreed to by tenants and the service provider. Service assurance plays an important role in ensuring tenants receive the agreed upon level of service.

Various methods are available to deliver consistent SLAs across the network, compute, and storage components of the Vblock platform, including QoS in the Cisco Unified Computing System™ and Cisco Nexus® platforms, EMC Symmetrix® Quality of Service tools, EMC Unisphere® Quality of Service Manager (UQM), and VMware Distributed Resource Scheduler (DRS). Without the correct mix of service assurance features and capabilities, maintaining uptime, throughput, quality of service, and availability SLAs can be difficult.

Tenant Concerns

• Infrastructure support for evolving, growing and unpredictable workloads
• SLA compliance measuring and reporting

Provider Challenges

• Deliver consistent, stable, predictable service
• Support and track tenant SLAs
• Build a predictable cost model while delivering higher value services

Security and Compliance

The third element – Security and Compliance – ensures the confidentiality, integrity, and availability of each tenant’s environment at every layer of the TMT stack using technologies like identity management and access control, encryption and key management, firewalls, malware protection, and intrusion prevention. This is a primary concern for both service provider and tenant.

The TMT solution must ensure that all activities performed in the provisioning, configuration, and management of the multi-tenant environment, as well as day-to-day activities and events for individual tenants, are verified and continuously monitored. It is also important that all operational events are recorded and that these records are available as evidence during audits.

As regulatory compliance expands, the private cloud environment will become increasingly subject to security and compliance standards, such as PCI DSS, HIPAA and SOX (GLBA). With the proper tools, achieving and demonstrating compliance is not only possible, but it can often become easier than in a non-virtual environment.

Tenant Concerns

• Answer internal Audit and Governance Boards
• Receive and rely on audit records from the service provider regarding security posture, as well as actions and events occurring in their space

Provider Challenges

• Meet archive and report requirements defined in standards such as PCI DSS and HIPAA
• Address the tenant’s concerns about the confidentiality, integrity, and availability of their data and resources

Availability and Data Protection

Resources and data must be available for use by the tenant. High availability means that resources such as network bandwidth, memory, CPU, or data storage are always online and available to users when needed. Redundant systems, configurations, and architecture can minimize or eliminate points of failure that adversely affect availability to the tenant.

Data protection is a key ingredient in a resilient architecture. Cloud computing imposes a resource tradeoff between high performance and the requirements of increasingly robust security, and data classification is an essential tool for balancing that equation. Enterprises need to know what data is important and where it is located as prerequisites to making performance cost-benefit decisions, as well as ensuring focus on the most critical areas for data loss prevention procedures.

Tenant Concerns

• Assurance that data and resources will be available when needed and protected at all times
• Confidence that data and resources are protected against intrusion and attack without regard to the status of other tenants in the environment

Provider Challenges

• Ensure that resources needed by tenants are available for use
• Provide a secured environment by means of threat detection and mitigation, including the monitoring of and response to intrusions and attacks against the TMT environment and its tenants
• Provide tenant isolation and secure separation to ensure that other tenants in the TMT environment will stay up and available for use, even if one tenant is the target of a Denial-of-Service attack

Tenant Management and Control

The fifth element is Tenant Management and Control. In every cloud services model there are elements of control that

the service provider will delegate to the tenant. Reasons for delegation of control include convenience, new revenue

opportunities, security, compliance, or tenant requirement. In all cases, the goal of the TMT model is to allow for and

simplify the management, visibility and reporting of this delegation.

Tenants should have control over relevant portions of their service. Specifically, tenants should be able to provision

allocated resources, manage the state of all virtualized objects, view change management status for all parts of their

infrastructure, add and remove administrative contacts, and request more services as needed. In addition, tenants

taking advantage of data protection or data backup services should be able to manage this capability on their own,

including setting schedules and backup types, initiating jobs, and running reports.

This tenant-in-control model allows tenants to dynamically change the environment to suit their workloads as

resource requirements change.

Tenant Concerns

Accountability for all data inside the multi-tenant environment at all times

Proof of compliance with corporate policies, and relevant laws

Isolation of their services, or some subset of their services, on demand – with a service provider guarantee

thereof


Provider Challenges

Providing different tenants different levels of control; thus, the ability to delegate tenant control at a granular

level

Reporting on and auditing changes made by the provider and the tenant

Service Provider Management and Control

The sixth element in the TMT model on the Vblock platform is Service Provider Management and Control. One goal of

Trusted Multi-Tenancy is to simplify management of resources at every level of the infrastructure and to provide the

functionality to provision, monitor, troubleshoot, and charge back the resources used by tenants. Management of

multi-tenant environments comes with challenges, from reporting and alerting to capacity management and tenant

control delegation. The Vblock platform helps address these challenges by providing scalable, integrated management

solutions inherent to the infrastructure and a rich, fully developed API stack for adding additional service provider

value.

Providers of infrastructure services in a multi-tenant environment require comprehensive control and complete

visibility of the shared infrastructure in order to provide the availability, data protection, security, and service levels

expected by tenants. The ability to control, manage, and monitor resources at all levels of the infrastructure requires a

dynamic, efficient, and flexible design that allows the service provider to access, provision, and then release computing

resources from a shared pool – quickly, easily, and with minimal effort.


Overview of the TMT Model

The TMT model (Figure 2) on the Vblock platform uses a layered approach with security controls, isolation

mechanisms, and monitoring controls embedded in the network, compute, and storage layers of the service stack. This

layered approach provides secure access to the cloud, guarantees resources to tenants, and provides abstraction to the

physical elements. Virtualization at different layers allows the infrastructure to provide logical isolation without

dedicating physical resources to each tenant.

Figure 2. The Vblock platform Trusted Multi-Tenancy model


Technology Overview

The following sections describe the key components of the Vblock platform and the other security, storage, compute,

and network software and applications that work in conjunction with the Vblock platform to create a Trusted Multi-

Tenant environment.

About the Vblock platform

With the Vblock platform, VCE delivers the industry’s first completely integrated IT offering that combines high quality

networking, computing, storage, virtualization, security, and management technologies with end-to-end vendor

accountability. The Vblock platform provides pre-engineered, production ready, fully tested virtualized infrastructure

components, including excellent private cloud offerings from RSA, Cisco, EMC, and VMware. The Vblock platform is

available in different sizes and configurations to meet dynamic and extensible workload needs. Enabled by the leading

players in IT product delivery, each with industry leading, enterprise level credibility, the Vblock platform provides

consumers several benefits through its integrated hardware and software stacks including:

Fewer unplanned outages and reduced planned downtimes for maintenance activities

Reduced complexity due to preconfigured and centralized IT resources and resulting standardized IT services

Predictable performance and operational characteristics

Tested and validated solutions

Unified support and end-to-end vendor accountability

Graceful scaling of the Vblock platform environment by adding capacity to the Vblock platform or adding

more Vblock platforms

Virtualized efficiency with predictable scaling for a given footprint

Management and Orchestration

Table 2 lists the standard management and orchestration components on each of the Vblock platforms.

Table 2. Management and orchestration components

Component | TMT on Vblock 300 | TMT on Vblock 700

Vblock platform Advanced Management Pod (AMP)

EMC Ionix™ Unified Infrastructure Manager (UIM)

The Advanced Management Pod (AMP) is an optional component in the Vblock platform but is recommended as a best

practice, inasmuch as it provides the capability to manage the Vblock platform. The AMP will normally consume 6U of

rack space. The AMP consists of:

Two Cisco UCS C200 M1 Servers

Cisco 2921 Integrated Services Router


Cisco 4948 Switch

Cisco UCS C200 M1 Servers provide (N+1) redundancy to support mission critical applications for Vblock platform

management. The logical servers in the AMP provide separate and independent services to both the AMP environment

and the production TMT environment. The servers are preconfigured with the following necessary tools to manage

the Vblock platform:

Cisco UCS Manager

Cisco Nexus 1000V Supervisor

EMC Ionix UIM

EMC Symmetrix Management Console or Unisphere

EMC PowerPath/VE Server

VMware vCenter Server and VMware Update Manager

Active Directory, DNS, and Database services dedicated to support all management applications – this function

may be standalone or be integrated into an existing customer environment.

The Cisco 2921 Integrated Services Router and the Cisco 4948 Switch enable monitoring and managing Vblock

platform health, performance, and capacity.

With these tools, the AMP provides the following benefits:

Fault isolation for management

Eliminates resource overhead on the Vblock platform

A clear demarcation point for remote operations

EMC Ionix™ Unified Infrastructure Manager (UIM)

EMC Ionix UIM provides simplified management for the Vblock platform in a TMT environment by combining

provisioning as well as configuration, change, and compliance management.

Key Features

Manage the Vblock platform as a single entity

Integrate with enterprise management platforms

Consolidate views into all the Vblock platform components, including network, compute, and storage

Achieve system wide compliance through policy based management

Easily deploy hardware and software, VMware vSphere and infrastructure provisioning, and disaster recovery

infrastructure

With UIM, management of the individual components in the Vblock platform can be combined into a single entity to

reduce operational costs and ease the transition from physical to virtual to private cloud infrastructure. Centralizing


provisioning, change, and compliance management across the Vblock platform reduces operating costs, ensures

consistency, improves operational efficiency, and speeds deployment of new services. With EMC Ionix UIM taking care

of the Vblock platform, the management transition from a physical to virtual to private cloud infrastructure is easier.

Compared to building and integrating pieces individually, the advantages provided by UIM’s integrated management

solution become obvious. Although some tools integrate basic health and performance data from the network,

compute, and storage domains, the operationally critical areas of configuration, change, and compliance management

remain separate or do not exist. This type of disjointed, distributed management can result in:

Higher ongoing operational costs and reduced ongoing operational efficiency

Slower service deployments

Inconsistent management across the Vblock platform

Inability to automatically ensure configurations for accuracy and compliance

Inability to simultaneously and easily restore multiple elements to a compliant state

Less overall flexibility in supporting the IT needs of the business

Security Technologies

Table 3 lists the standard and optional security components and features of the Vblock platform. The table maps each

component and feature to the TMT elements that it addresses.

Table 3. Security and Compliance components

Columns (TMT elements addressed): Secure Separation | Service Assurance | Security and Compliance | Availability |

Tenant Mgmt & Control | Service Provider Mgmt & Control. The per-component marks in these columns are not

reproduced here.

Component

RSA Solution for Cloud Security and Compliance

RSA enVision

RSA SecurID

RSA SecurID Authentication Manager

RSA Data Loss Prevention

RSA DLP Network

RSA Data Protection Manager

Cisco Virtual Security Gateway

VMware vShield

VMware vShield Zones

VMware vShield App

Cisco Adaptive Security Appliance (ASA)

Cisco Intrusion Prevention System

Cisco Secure Access Control Server

RSA Solution for Cloud Security and Compliance

Built on the RSA® Archer eGRC Suite, the RSA Solution for Cloud Security and Compliance enables end user

organizations and service providers to orchestrate and visualize the security of their VMware virtualization

infrastructure and physical infrastructure from a single console (Figure 3). The solution offers a solid foundation that

enables organizations to address security of VMware environments systematically so they can confidently continue

their migration to virtualization and cloud computing models.

Figure 3. System overview

Secure Separation

The RSA Archer eGRC Platform is a multi-tenant software platform, supporting the configuration of separate instances

in provider-hosted environments. These individual instances support data segmentation, as well as discrete user

experiences and branding. Individual instances store data in physically separate databases while using a common

hardware environment and a single deployment of RSA Archer application code. Users identify their instance as part


of a manual login process, although instance identification can be automated through DNS or single sign-on

configuration.

Security and Compliance

Rationalizing the complexity of compliance requirements across both physical and virtual environments – especially in

today’s evolving regulatory landscape – is a challenge for security and compliance teams. The RSA Archer eGRC Suite

for enterprise governance, risk, and compliance answers this challenge with a comprehensive library of policies,

control standards, procedures, and assessments mapped to current global regulations and industry guidelines.

More than 130 control procedures in the library, written specifically against the VMware vSphere 4.0 Security

Hardening Guide, are mapped to security policies and authoritative sources such as PCI, COBIT, NIST, HIPAA and

NERC. In addition, the library includes thousands of other control procedures for operating systems, databases,

network devices, and other infrastructure assets, which are mapped to the same laws, regulations, and industry

standards – thereby forming the basis of a complete technology controls approach.

Using automated workflow within the RSA Archer eGRC Platform, a project manager can distribute security policies

and control procedures to appropriate administrators for both physical and virtual infrastructure (Figure 4). For

example, VMware vSphere configuration steps are sent to the VMware administrator, storage configuration steps are

sent to the storage administrator, security configuration steps are sent to the security administrator, and so forth.

Figure 4. Distribution and tracking control procedures

RSA’s solution includes new software that substantially automates the assessment of whether VMware security

controls have been implemented correctly. The results of these automated configuration checks are fed directly into

the RSA Archer eGRC Platform, which also captures the results of configuration checks for physical assets through

prebuilt integration with commercially available scan technologies.


As a result, the Platform serves as a point of consolidation for continuous controls monitoring across the physical and

virtual infrastructure. While a significant number of the VMware control procedures are tested automatically, the

remainder must be tested manually because their status cannot be directly inferred from the environment. For these

control procedures, project managers can issue manual assessments from the RSA Archer eGRC Platform, using a

preloaded bank of questions mapped to control procedures and regulatory requirements. Project managers can create

new questionnaires within minutes and issue them to appropriate users based on asset ownership.

Issue Remediation

Configuring the physical and virtual infrastructure according to best practice security guidelines and regulatory

requirements is critical. However, the security and compliance process does not stop there. Organizations also require

the ability to monitor incorrect configurations, policy violations, and control failures across their infrastructure and to

respond swiftly with appropriate remediation steps.

RSA’s solution also enables security operations teams to manage policy violations and control failures. The RSA Archer

eGRC Platform integrates with RSA enVision log management to collect and correlate security and compliance events

from a variety of sources, including the RSA Data Loss Prevention suite, VMware vShield, and VMware Cloud Director,

among others.

RSA SecurBook for Cloud Security and Compliance

The RSA SecurBook for Cloud Security and Compliance is a simple solution guide that provides detailed instructions

for deploying and administering RSA’s solution in a virtualized environment. Designed to help organizations reduce

implementation time and total cost of ownership, the RSA SecurBook offers guidance in the following areas:

Solution architecture for managing VMware security and compliance

Solution deployment and configuration guides

Operational guidance for effectively using the solution

Troubleshooting guidance

Tenant and Service Provider Management and Control

The multi-tenant reporting capabilities of the RSA Archer eGRC Platform give each tenant a comprehensive, real-time

view of the enterprise governance, risk, and compliance (eGRC) program. Tenants can take advantage of prebuilt

reports to monitor activities and trends and generate ad hoc reports to access the information needed to make

decisions, address issues, and complete tasks. The cloud provider can build customizable dashboards tailored by

tenant or audience, so users get exactly the information they need depending on their roles and responsibilities.

RSA enVision

The RSA enVision 3-in-1 platform offers an effective security and information event management (SIEM) and log

management solution, capable of collecting and analyzing large amounts of data in real time – from any event source

and in computing environments of any size. RSA enVision is easily scalable, eliminating the need for filtering and

deploying agents.

Security and Compliance

RSA enVision is a 3-in-1 solution designed to:


Simplify compliance – Complete accounting of network activity, comprehensive reporting with built-in and

customized reporting capabilities, and retention and maintenance of complete log records help ease the

burden of compliance. Preconfigured reporting content for all major regulations and frameworks (for

example, PCI DSS, HIPAA, FISMA, and ISO) is included.

Enhance security – Real-time notification of high risk events, a streamlined incident handling process, and

reporting on the most vulnerable assets directly enhance security operations. This is SIEM in action – not just

log collection, but actionable intelligence.

Optimize IT and network operations – Determine network availability and status, identify network issues

and faulty equipment, and gain visibility into specific behavioral aspects of users in order to optimize the

performance of your network.

RSA enVision includes preconfigured integration with all of the Vblock platform infrastructure components,

including the Cisco UCS and Nexus components; EMC storage; and VMware vSphere, vCenter, vShield, and vCloud™

Director. In addition, RSA enVision has preconfigured integration and support for more than 235 other (and counting)

of the most common IT components, including network gear, security systems, operating systems, databases, and

applications.

Tenant and Service Provider Management and Control

The baselining, trending, and reporting capabilities of RSA enVision give tenants and cloud administrators a long-term

graphical overview of performance and security events, improving their overall management and control of cloud

resources. The RSA enVision platform collects the event logs generated by IP devices within the cloud infrastructure,

permanently archives copies of the data, processes the logs in real time, and generates alerts when it observes

suspicious patterns of behavior. Administrators can interrogate the full volume of stored data through intuitive

dashboards, and advanced analytical software that turns complex and unstructured raw data into structured

information.

RSA SecurID

RSA SecurID two-factor authentication is based on something you know (a password or PIN) and something you

possess (an authenticator) – providing a more reliable level of user authentication than reusable passwords. RSA

SecurID automatically changes user passwords every 60 seconds.

The RSA SecurID solution is regarded as a more secure alternative to authentication systems based on reusable

passwords. In addition, the RSA SecurID solution is easier to use than challenge-and-response systems that require

multiple steps to generate a valid access code. The RSA SecurID two-factor authentication solution is a fundamental

piece in support of security and compliance.
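As an added illustration (not RSA's SecurID algorithm or Authentication Manager code), the following Python models the two-factor check described above: a PIN the user knows plus a tokencode from an authenticator the user holds, rolling every 60 seconds and verified server-side with a clock-drift window, a replay guard and a lockout. The tokencode derivation is a TOTP-style HMAC construction standing in for the proprietary one, and the user names, PINs and seeds are constructed sample values.

```python
# Added illustration, not RSA's SecurID algorithm or Authentication Manager
# code: a PIN (something you know) plus a 60-second tokencode (something you
# possess). The tokencode is an HMAC-SHA256, TOTP-style stand-in so the
# window, replay and lockout handling can be exercised offline.
from __future__ import annotations

import hashlib
import hmac
import secrets
import struct

TOKEN_STEP_SECONDS = 60   # a new tokencode every 60 seconds, as the text states
TOKEN_DIGITS = 6
DRIFT_WINDOW = 1          # also accept the previous and next code (clock drift)


def tokencode(seed: bytes, unix_time: int) -> str:
    """Code the authenticator shows at the given time (constructed scheme)."""
    counter = unix_time // TOKEN_STEP_SECONDS
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** TOKEN_DIGITS:0{TOKEN_DIGITS}d}"


def _hash_pin(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class AuthenticationService:
    """Server-side verifier: stores PIN hashes and token seeds, tolerates
    clock drift, refuses replayed tokencodes and locks after repeated failures."""

    def __init__(self, max_failures: int = 3):
        self.max_failures = max_failures
        self._users: dict[str, dict] = {}

    def enroll(self, user: str, pin: str, seed: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[user] = {
            "salt": salt,
            "pin_hash": _hash_pin(pin, salt),
            "seed": seed,
            "last_counter": -1,   # newest time step already accepted (replay guard)
            "failures": 0,
        }

    def verify(self, user: str, passcode: str, unix_time: int) -> tuple[bool, str]:
        """passcode is the PIN followed by the tokencode, as a user types it."""
        rec = self._users.get(user)
        if rec is None:
            return False, "unknown user"
        if rec["failures"] >= self.max_failures:
            return False, "locked"
        pin, code = passcode[:-TOKEN_DIGITS], passcode[-TOKEN_DIGITS:]
        # Check PIN and tokencode unconditionally so a wrong PIN does not
        # return faster than a wrong tokencode.
        pin_ok = hmac.compare_digest(_hash_pin(pin, rec["salt"]), rec["pin_hash"])
        now_counter = unix_time // TOKEN_STEP_SECONDS
        matched = None
        for counter in range(now_counter - DRIFT_WINDOW, now_counter + DRIFT_WINDOW + 1):
            expected = tokencode(rec["seed"], counter * TOKEN_STEP_SECONDS)
            if hmac.compare_digest(expected, code):
                matched = counter
        if not pin_ok or matched is None:
            rec["failures"] += 1
            return False, "bad passcode"
        if matched <= rec["last_counter"]:
            # A tokencode captured from one login must not open a second one.
            rec["failures"] += 1
            return False, "replayed tokencode"
        rec["last_counter"] = matched
        rec["failures"] = 0
        return True, "ok"
```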

RSA Authentication Manager

RSA Authentication Manager is the management component of the RSA SecurID solution used to verify authentication

requests and centrally administer authentication policies for enterprise networks. RSA Authentication Manager is

interoperable with many network, remote access, VPN, Internet, wireless, and application solutions.

Secure Separation

RSA Authentication Manager supports logical partitioning whereby a provider can define and enforce separate

authentication policies by assigning each tenant a Security Domain.


RSA Data Loss Prevention

The RSA Data Loss Prevention (DLP) suite provides a policy-based approach to securing data in data centers, networks

and end points, enabling organizations to discover and classify their sensitive data, educate end users, ensure data is

handled appropriately, and report on risk reduction and progress towards policy objectives. The RSA DLP Suite

reduces the total cost of ownership with high scalability, automated data protection services, and the most extensive

data policy and classification library available in the industry. The RSA DLP suite improves security by protecting the

tenant’s confidential data, such as intellectual property, product roadmaps, and company financials; and it facilitates

compliance by securing customer records and other sensitive data as required by regulations and standards.

RSA Data Loss Prevention Network

RSA Data Loss Prevention (DLP) Network identifies and enforces policies for sensitive data transmitted through

corporate e-mail (SMTP), webmail, instant messaging, FTP, web based tools (HTTP or HTTPS), and generic TCP/IP

protocols.

Key Features

Depth of policy and classification library increases ROI by eliminating the need to fine tune policies and

helping organizations realize the value of their DLP deployment more quickly.

Comprehensive support for numerous protocols dramatically reduces risk exposure.

Retention of end user actions logs helps administrators simplify the compliance process.

Numerous automatic and manual remediation options allow organizations to customize policy responses

based on varying levels of risk.

RSA DLP Network provides deep visibility into network policy violations by sender, recipient and content

type.

Secure Separation

RSA DLP Network virtual appliances can be deployed for each tenant. Each virtual DLP appliance enforces the policies

defined for that specific tenant.

RSA Data Protection Manager

RSA Data Protection Manager is an enterprise encryption key management system designed to manage encryption

keys at the application, database, and storage layers. RSA Data Protection Manager lowers the total cost of ownership

associated with encryption by giving administrators fine grained control over the vaulting and management of keys

from a single, central console. The RSA SafeProxy™ architecture employs a unique combination of tokenization,

advanced encryption, and public-key technologies to protect sensitive data with a layered approach to security. RSA

Data Protection Manager’s combination of application encryption and tokenization increases security and facilitates

compliance.

Cisco Virtual Security Gateway

Cisco Virtual Security Gateway (VSG) for Nexus 1000V Series switches is a virtual firewall appliance that provides

trusted access to virtualized data centers. VSG facilitates multi-tenancy by allowing tenants with varied security

profiles to share a common compute infrastructure.


In a multi-tenant environment, deployment of VSG can occur at several levels of the virtualized infrastructure (Figure 5).

Deployment options include:

Using VSG as a tenant edge firewall

Placing VSG in each virtual center within a tenant

Deploying VSG within each virtual application

Secure Separation

VSG provides secure segmentation of the virtual machines in the virtualized data center using granular, zone based

control and monitoring with context-aware security policies (based on virtual machine identities, custom attributes,

and 5-tuple network parameters).

Key benefits include the following:

Controls are applied across organizational zones, lines of business, and multi-tenant environments.

Security policies are organized into security profiles (templates).

Context-based access logs are generated with activity details at the network and virtual machine levels.

Non-disruptive administration through administrative segregation across security and server teams.

Security and Compliance

With VMs organized into distinct trust zones, configurable security policies control and monitor traffic between zones.

In this way, the VSG can effectively control traffic between trust zones, as well as between trust zones and external

zones.


Figure 5. Cisco Virtual Security Gateway (VSG)

VMware vShield

The VMware vShield family of security solutions (Table 4) provides virtualization-aware protection for virtual data

centers and cloud environments. VMware vShield products strengthen application and data security, enable TMT,

improve visibility and control, and accelerate IT compliance efforts across the organization. Figure 6 illustrates the

interaction between vShield components.

Table 4. VMware vShield family

vShield Zones: Basic access control list (ACL) capability built into vSphere. Supports applications belonging to

different trust levels on the same virtual data center.

vShield App: Enhanced version that provides firewalling capability between virtual machines by placing a firewall filter

on every virtual network adapter. Allows for the easy application of firewall policies based upon logical Security

Groups, which are associated with resource pools, folders, containers, and other vSphere groupings from the vCenter

inventory.

vShield Edge: Virtualizes data center perimeters and offers firewall, VPN, web load balancer, NAT, and DHCP services.

Isolates the virtual machines in a port group from the external network. Connects isolated, tenant stub networks to

the shared (uplink) networks and provides common perimeter security services such as DHCP, VPN, and NAT.

vShield Endpoint: Enables offloading of antivirus and other anti-malware processing to dedicated security-hardened

virtual machines delivered by VMware partners.

Figure 6. VMware vShield family

Secure Separation

Two components of the VMware vShield suite that enable service providers to protect and isolate VMs belonging to

different tenants are vShield App and vShield Edge. Table 5 describes these components.

Table 5. VMware vShield isolation mechanisms

vShield App: Implements an IP-based, stateful firewall and application layer gateway for a broad range of protocols

including Oracle, FTP, Sun Remote Procedure Call (RPC), Linux RPC, and Microsoft RPC. Places a firewall filter on

every virtual network adapter to provide firewalling capability between VMs. Operates transparently and does not

require network changes or modifications of IP addresses. Firewall rules are defined using various object types,

including data center, cluster, resource pools, vApp, port group, and VLAN.

vShield Edge: Secures the edge of a virtual data center with firewall, VPN, and NAT services (Figure 7). Creates logical

security perimeters around virtual data centers (vDCs) to support multi-tenancy environments. Other common

deployments for vShield Edge include DMZs and extranets. Compatible with port groups on the vNetwork Standard

Switch (vSwitch), vNetwork Distributed Switch (vDS), and the Nexus 1000v.

Figure 7. VMware vShield Edge

Service Provider Management and Control

VMware vShield Manager is the management interface for all vShield products. Integrated with VMware vCenter and

deployed in its own virtual machine, vShield Manager leverages vSphere resources. The user interface offers

configuration and data viewing options for all vShield products. Tight integration with vCenter allows display of all

underlying vSphere resource pools within vShield Manager.

Service providers can use the VMware vShield Manager unified dashboard overview to manage and deploy policies for

the entire vCenter environment, leveraging their existing virtual infrastructure containers as organizational zones

across physical hosts, virtual switches, and networks. The inventory panel offers multiple view options, each

displaying different perspectives of the underlying vSphere resource pool and vCenter inventory.

VMware vShield Zones

VMware vShield Zones is a firewall deployed as a hypervisor-level Loadable Kernel Module (LKM) security virtual

appliance that provides visibility and enforcement of network activity within a VMware vSphere deployment to

comply with corporate security policies and industry regulations such as PCI or Sarbanes-Oxley.


VMware vShield App

VMware vShield App is a more feature-rich version of vShield Zones and is highly recommended for multi-tenant

environments; the capabilities it adds are listed under Key Features below. Service providers can use vShield Manager to deploy distributed

vShield App LKMs on each vSphere host, providing visibility and control of virtual network traffic across virtual server

environments. The distributed vShield App LKMs are administered by vShield Manager, which integrates seamlessly

with the service provider’s vCenter deployment to present policies and events in the context of the existing virtual

machines, networks, host, and clusters used to service their customer deployments.

Key Features

Central management of logical zone boundaries and segmentation

Extensive visibility through flow monitoring to help define and refine firewall rules, detect botnets, and secure

business processes

Simplified policy management through Security Groups, which allow administrators to define business-

relevant groupings of any virtual machines by their virtual NICs

Secure Separation

The hypervisor-level firewall in VMware vShield ensures that proper segmentation and trust zones are enforced for all

application deployments.

Security and Compliance

VMware vShield App integrates into VMware vCenter and leverages virtual inventory information – such as vNICs,

port groups, clusters, and VLANs – to simplify firewall rule management and trust zone provisioning. Leveraging

various VMware logical containers reduces the number of rules required to secure a multi-tenant environment and

therefore reduces the operational burden that accompanies the isolation and segmentation of tenants. This method of

creating security policies closely links with VMware virtual machine objects, and therefore follows the VMs during

vMotion™. Using vShield App within Distributed Resource Scheduler (DRS) clusters ensures secure compute load

balancing operations without performance compromise, as the security policy follows the virtual machine.
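As an added example (not Cisco's or VMware's code), here is a small zone-based policy evaluator in Python covering the VSG and vShield App behaviour described above: rules key on VM identity and zone attributes plus 5-tuple fields rather than on addresses, tenant isolation is enforced ahead of any tenant rule, every decision yields a VM-level log record, and moving a VM to another host leaves its policy unchanged. The tenants, VMs, addresses and rules are constructed sample data.

```python
# Added illustration, not Cisco's or VMware's code: zone-based policy keyed on
# VM identity (tenant, zone) plus 5-tuple fields, with tenant isolation enforced
# before any tenant rule and a VM-level log record for every decision.
# All tenants, VMs, addresses and rules below are constructed sample data.
from __future__ import annotations

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class VM:
    name: str
    tenant: str
    zone: str    # custom attribute such as "web", "app" or "db"
    ip: str
    host: str    # hypervisor host; changes on vMotion, must not change policy


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str | None = None   # a None field matches anything
    dst_zone: str | None = None
    proto: str | None = None
    dst_port: int | None = None
    action: str = "drop"

    def matches(self, src: VM, dst: VM, flow: Flow) -> bool:
        return ((self.src_zone is None or self.src_zone == src.zone)
                and (self.dst_zone is None or self.dst_zone == dst.zone)
                and (self.proto is None or self.proto == flow.proto)
                and (self.dst_port is None or self.dst_port == flow.dst_port))


class ZoneFirewall:
    """Per-tenant security profiles (ordered rule lists) with implicit deny."""

    def __init__(self, vms: list[VM], profiles: dict[str, list[Rule]]):
        self._by_name = {vm.name: vm for vm in vms}
        self._by_ip = {vm.ip: vm for vm in vms}
        self._profiles = profiles
        self.log: list[dict] = []

    def vmotion(self, vm_name: str, new_host: str) -> None:
        # Move a VM to another host; identity, zone and rules stay untouched.
        vm = replace(self._by_name[vm_name], host=new_host)
        self._by_name[vm_name] = vm
        self._by_ip[vm.ip] = vm

    def evaluate(self, flow: Flow) -> dict:
        src, dst = self._by_ip.get(flow.src_ip), self._by_ip.get(flow.dst_ip)
        if src is None or dst is None:
            return self._record(flow, src, dst, "drop", "unknown-endpoint")
        if src.tenant != dst.tenant:
            # Provider-level isolation: no tenant profile can permit this flow.
            return self._record(flow, src, dst, "drop", "tenant-isolation")
        for rule in self._profiles.get(src.tenant, []):
            if rule.matches(src, dst, flow):
                return self._record(flow, src, dst, rule.action, rule.name)
        return self._record(flow, src, dst, "drop", "implicit-deny")

    def _record(self, flow, src, dst, action, reason) -> dict:
        # Context-based access log: VM names, zones and host, not just addresses.
        entry = {"action": action, "reason": reason,
                 "tenant": src.tenant if src else None,
                 "src_vm": src.name if src else None, "src_host": src.host if src else None,
                 "src_zone": src.zone if src else None,
                 "dst_vm": dst.name if dst else None, "dst_zone": dst.zone if dst else None,
                 "flow": (flow.src_ip, flow.dst_ip, flow.proto, flow.src_port, flow.dst_port)}
        self.log.append(entry)
        return entry


# Constructed sample inventory: two tenants sharing the same compute hosts.
SAMPLE_VMS = [
    VM("acme-web1", "acme", "web", "10.1.1.10", "esx01"),
    VM("acme-app1", "acme", "app", "10.1.2.10", "esx02"),
    VM("acme-db1", "acme", "db", "10.1.3.10", "esx02"),
    VM("globex-db9", "globex", "db", "10.9.3.10", "esx01"),
]
SAMPLE_PROFILES = {"acme": [
    Rule("web-to-app", src_zone="web", dst_zone="app", proto="tcp", dst_port=8080, action="permit"),
    Rule("app-to-db", src_zone="app", dst_zone="db", proto="tcp", dst_port=1521, action="permit"),
]}


def build_sample_firewall() -> ZoneFirewall:
    return ZoneFirewall(SAMPLE_VMS, SAMPLE_PROFILES)
```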

Cisco Adaptive Security Appliance

The Cisco Adaptive Security Appliance (ASA) is a purpose-built security appliance that combines firewall, Virtual Private Network (VPN), and optional content security and intrusion prevention to distribute network security across the data center. A single Cisco ASA appliance can be partitioned into multiple virtual firewalls, known as security contexts. Each security context acts as a separate firewall with its own security policy, interfaces, and configuration, although some features are not available in multiple-context mode, such as IPsec and SSL VPN, dynamic routing protocols, multicast, and threat detection.

Secure Separation

In a multi-tenant environment, the service provider may assign one or more security contexts to each tenant to provide separation at the network level. Each tenant's context sees only the interfaces (typically VLAN subinterfaces) allocated to it, and its configuration is stored and managed separately from the other contexts.
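The configuration below is an added example written for this page; it is not taken from the VCE paper or from Cisco documentation. It shows the multiple-context layout the paragraph describes on an ASA of the 8.x generation: one context per tenant, each with its own VLAN subinterface pair and its own configuration file, plus a resource class that caps the share of the shared connection table any single context may consume. Context names, interface and VLAN numbers, file names and the 10% and 500/s limits are constructed placeholders.

```cisco
! Added example (not from the VCE paper): ASA multiple-context mode,
! entered in the system execution space. Names and numbers are placeholders.
mode multiple
!
! Physical interfaces and per-tenant VLAN subinterfaces live in the system
! space; contexts only ever see the subinterfaces allocated to them.
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/0.102
 vlan 102
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.201
 vlan 201
interface GigabitEthernet0/1.202
 vlan 202
!
! Resource class: bounds what one tenant can take from the shared
! connection table so a busy (or attacked) tenant cannot starve the rest.
class tenant-std
 limit-resource conns 10%
 limit-resource rate conns 500
 limit-resource hosts 10%
!
! Admin context: management only, no tenant data-plane interfaces.
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context tenantA
 description Tenant A, dedicated outside/inside VLAN pair
 member tenant-std
 allocate-interface GigabitEthernet0/0.101 outside
 allocate-interface GigabitEthernet0/1.201 inside
 config-url disk0:/tenantA.cfg
!
context tenantB
 description Tenant B, dedicated outside/inside VLAN pair
 member tenant-std
 allocate-interface GigabitEthernet0/0.102 outside
 allocate-interface GigabitEthernet0/1.202 inside
 config-url disk0:/tenantB.cfg
```

Two points a practitioner should check after building this. First, a context that is not a member of any class falls into the default class, which places no limit on connections, so the resource class is what actually keeps tenants from affecting one another's availability; `show resource usage` in the system execution space shows per-context consumption against the limits. Second, the tenant-specific policy (ACLs, NAT, inspection) is written inside each context after `changeto context tenantA`, and because the VPN and dynamic-routing features named above are unavailable in this mode, any tenant VPN termination has to be placed on a separate single-context device.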

Security and Compliance

The ASA provides threat defense and secure communications services to stop attacks before they affect business continuity.


Cisco Intrusion Prevention System

Cisco Intrusion Prevention System (IPS) appliances provide protection against well-known and emerging threats to help secure confidential data and meet increasing compliance mandates. Cisco IPS identifies, classifies, and stops malicious traffic, including worms, spyware, adware, network viruses, and application abuse, before it affects business continuity. Cisco Anomaly Detection stops zero-day attacks before signature updates are available.

Cisco IPS collaborates with other key network components for end-to-end, network-wide protection. Cisco IPS may participate in Cisco Global Correlation, where the visibility and controls of the IPS are enhanced with threat information shared by the Cisco SensorBase network. Available as a dedicated appliance, Cisco IPS is also integrated into Cisco firewall, switch, and router platforms for deployment flexibility.

Key Features

- Protection against well-known and zero-day attacks
- Protects against more than virus outbreaks, including attacks targeted at a company's information
- Helps prevent severe loss due to disruptions, theft, or defacement caused by compromised servers
- Stops worm and virus outbreaks at the network level, before they reach the desktop
- Identifies, classifies, and stops malicious traffic, including worms, spyware, adware, viruses, and application abuse
- Delivers high-performance, intelligent threat detection and protection over a range of deployment options

Secure Separation

IPS virtual sensors allow a physical sensor appliance or module to be logically partitioned into multiple virtual sensors. Each virtual sensor maintains its own configuration indicating the data streams to be inspected and the policies to be enforced. By steering each tenant's traffic to its own virtual sensor, the cloud provider can define and enforce separate sets of signature and event-action policies tailored to the requirements of each tenant.

Security and Compliance

Cisco IPS sensors protect the data center by detecting, classifying, and blocking network-based threats by means of attack signatures associated with worms, viruses, and various application abuse scenarios. This process occurs on a per-connection basis, allowing legitimate traffic to flow unobstructed.

Cisco Secure Access Control Server

Cisco Secure Access Control Server (ACS) is a highly scalable, high-performance access policy system that centralizes authentication, user access, and administrator access policy and reduces the administrative and management burden. Cisco ACS supports authentication, authorization, and accounting (AAA) protocols such as TACACS+ and RADIUS, as well as directory databases such as LDAP and Active Directory.

Key Features

- A comprehensive, identity-based access policy system for Cisco networks
- Central management of access policies for both network access and device administration
- Support for a wide range of access scenarios, including wireless LAN, 802.1X wired, and remote access

Security and Compliance

ACS enforces the access control policy for network and service devices within the secure multi-tenant data center, so that administrator logins, command authorization, and accounting for the Vblock network components are decided centrally rather than on each device.
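As an added example (not from the VCE paper), the IOS configuration below shows the device side of what this section describes: a switch or router handing administrator login, enable access, command authorization and accounting to ACS over TACACS+, with the local user database used only when no ACS server can be reached. The server addresses, the shared secret and the break-glass account name are placeholders.

```cisco
! Added example (not from the VCE paper): IOS device-administration AAA
! against Cisco ACS over TACACS+. Addresses and secrets are placeholders.
aaa new-model
!
tacacs-server host 10.10.0.5 key AcsSharedSecret
tacacs-server host 10.10.0.6 key AcsSharedSecret
aaa group server tacacs+ ACS
 server 10.10.0.5
 server 10.10.0.6
!
! Authenticate and authorize through ACS. The trailing "local" / "enable"
! method is consulted only if every ACS server fails to answer, never when
! ACS answers with a rejection.
aaa authentication login default group ACS local
aaa authentication enable default group ACS enable
aaa authorization exec default group ACS local
aaa authorization commands 15 default group ACS local
aaa accounting exec default start-stop group ACS
aaa accounting commands 15 default start-stop group ACS
!
! Break-glass account, usable only while both ACS servers are unreachable.
username breakglass privilege 15 secret REPLACE-ME
!
line vty 0 4
 transport input ssh
 login authentication default
 authorization exec default
 authorization commands 15 default
 accounting commands 15 default
```

The ordering of methods matters: IOS moves to the next method in a list only on an error (no server responded), not on a failure (ACS denied the user), so the local account cannot be used to sidestep ACS policy while ACS is reachable. `show tacacs` on the device confirms that the servers are being contacted, and the ACS accounting log should show every privileged command issued from the device's management session.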

Storage Technologies

Table 6 lists the standard and optional storage components and features of the Vblock platform. The table maps each component or feature to the TMT elements it addresses.

Table 6. Storage components and features

TMT element columns: Secure Separation | Service Assurance | Security and Compliance | Availability | Tenant Mgmt & Control | Service Provider Mgmt & Control

Components:
- EMC Symmetrix V-MAX
- EMC Symmetrix Management Console (SMC)
- Symmetrix Priority Controls
- EMC Symmetrix Performance Analyzer
- EMC Fully Automated Storage Tiering (FAST)
- EMC Symmetrix Optimizer
- EMC PowerPath/VE
- EMC Unified Storage
- EMC Unisphere Management Suite
- EMC Unisphere Quality of Service Manager (UQM)
- EMC VPLEX
- EMC Ionix Storage Configuration Advisor (SCA)
- EMC Ionix ControlCenter
- EMC Virtual Storage Integrator (VSI) Plugin
- EMC NetWorker
- EMC Data Domain
- EMC Avamar
- EMC Replication Manager
- EMC RecoverPoint
- EMC RecoverPoint Storage Adapter for SRM
- EMC Data Protection Advisor (DPA)

EMC Symmetrix V-MAX

EMC Symmetrix V-MAX with Enginuity provides high-end storage for the virtual data center. V-MAX is designed for high availability, with 100 percent fault tolerance for all physical components. Enginuity, the operating environment for Symmetrix V-MAX, manages data integrity through continuous checking of all data and hardware, from host, to memory, to disk drive, and back again. This includes trend analysis and early detection as well as automatic failover and escalation when a problem does occur.

Secure Separation

Symmetrix V-MAX arrays provide multiple methods of separating storage resources, which include:

- Mapping and masking by means of Auto-provisioning Groups gives the storage administrator the ability to logically group hosts into host groups, each of which has access only to the volumes assigned to that host group. Two tenants may share the same array, but their views of its storage assets are completely independent.
- Storage formatting methods (I-VTOC) ensure that when space is reused to provision a new volume, host B cannot read any lingering data left by host A.
- Symmetrix Access Control (SymACL) offers host authorization. Each host's unique ID (WWID) is used to assign certain management rights, so two hosts with management responsibilities see and manage entirely different resources.
- User authorization assigns different privilege levels to each user on a host, so that a host can be used for both management and read/write access, depending on the user. The available roles are users (no management privileges), auditors, monitors (read-only), storage administrators, and security administrators.
- User authorization enhancements for VMware allow vCenter administrators to log on to the Symmetrix Management Console (SMC) from wherever they are. Based on their user ID, administrators can access a subset of storage resources that other tenant administrators cannot access. As with SymACL, individual resources can be assigned to different tenants, whereas ordinary user authentication only decides which level of administration privilege each user has. User authorization enhancements were introduced to better support the EMC Symmetrix VSI plugin for vCenter.

Service Assurance

Cache partitioning dedicates memory allocation to a storage tier for predictable performance. Dynamic cache partitioning segregates the memory resources of a V-MAX array into many partitions for different applications. Partitions can expand and contract according to policy in order to maximize performance while isolating workloads from one another.

Availability and Data Protection

V-MAX also provides the following availability features:

- Incremental scaling of both capacity and back-end performance.
- Online upgrades.
- Completely redundant critical components, including V-MAX directors, virtual matrix data paths, power supplies, standby power supplies, and all back-end Fibre Channel components.
- The Enginuity operating system manages all operations, from monitoring and optimizing the internal data flow, ensuring the fastest response to user requests for information, to replicating and protecting data.
- Cache integrity checks, including error checking and correction (ECC), protect service providers from errors in cache/memory. Global memory mirroring protects the system from memory component failures. Power-vault drives destage memory to disk during an unexpected power failure.

Symmetrix systems provide a range of RAID protection options in order to meet different performance, availability, and cost requirements. RAID protection options are configured at the physical drive level. Symmetrix systems support varying levels of protection, including RAID 1, RAID 10, RAID 5 (3+1 and 7+1), and RAID 6 (6+2 and 14+2). RAID 6 protection tolerates the failure of two drives per RAID group, which makes it well suited to large SATA drives, whose long rebuild times leave a RAID 5 group exposed to a second failure. Different levels of RAID protection can be configured for different datasets within a Symmetrix V-MAX system.

EMC Symmetrix Management Console

Service Provider Management and Control

The EMC Symmetrix Management Console (SMC) is a web-based interface that service providers can use to discover, monitor, configure, and control Symmetrix arrays. SMC enables initial system discovery and configuration, including device creation and configuration, along with basic device masking and support for managing local and remote replication activities.

Service providers can use SMC to accelerate routine processes, reduce manual errors, and gain flexibility when managing their Symmetrix storage systems. SMC can also provision priority controls.

SMC includes password-based authentication and access controls that restrict user actions according to their assigned roles.


Symmetrix Priority Controls

Service Provider Management and Control

EMC Symmetrix Priority Controls help service providers manage multiple application workloads by setting priority levels for device groups, giving higher-priority applications faster response times than lower-priority applications during periods of disk contention, on a per-LUN basis. Priority controls provide predictable performance across multiple storage tiers in the same system.

EMC Symmetrix Performance Analyzer

Service Provider Management and Control

EMC Symmetrix Performance Analyzer is an automated monitoring, diagnostics, and trending tool launched through the Symmetrix Management Console to assist with real-time troubleshooting and diagnostics, as well as long-term planning decisions such as system upgrades and consolidation. Customizable dashboards (Figure 8) provide analysis of key performance indicators (KPIs) at the application level in order to assess performance and utilization trends for both logical and physical resources.

Figure 8. EMC Symmetrix Performance Analyzer dashboard

EMC Fully Automated Storage Tiering (FAST)

EMC Fully Automated Storage Tiering (FAST) represents the next generation of storage tiering (Figure 9). FAST automates the movement and placement of data across storage resources as needed. FAST enables continuous optimization of applications by reducing the trade-off between capacity and performance, lowering cost while delivering higher service levels.


Service Assurance

FAST lowers overall storage costs and simplifies management while allowing different applications to meet different service level requirements on distinct pools of storage within the same Symmetrix V-MAX. FAST technology automates the dynamic allocation and relocation of data across tiers for a given FAST policy, based on changing application performance requirements. FAST helps to maximize the benefits of preconfigured tiered storage by balancing cost and performance requirements to put the right data on the right tier at the right time.

Availability and Data Protection

FAST LUN Migrator monitors workloads and moves heavily used data to higher-performing Enterprise Flash drives and less frequently accessed data to higher-capacity drives (SATA). FAST does this dynamically and non-disruptively, without affecting business continuity and availability.

FAST VP monitors thin VP LUN utilization and moves the busiest thin extents to appropriate pools located on various drive technologies. It also moves underutilized thin extents to pools located on high-capacity drives. Because the unit of analysis and movement is the thin extent, this sub-LUN optimization is precise and efficient.

Figure 9. EMC Fully Automated Storage Tiering (FAST)

EMC Symmetrix Optimizer

Service Assurance

EMC Symmetrix Optimizer improves array performance by continuously monitoring access patterns and migrating devices (Symmetrix logical volumes) to achieve balance across the drives within a physical disk group, and thereby reduce the risk of hot spots. Based on user-defined parameters, this automated process is transparent to end users, hosts, and applications in the environment.

EMC PowerPath/VE

EMC PowerPath/VE delivers PowerPath multipathing features (Figure 10) to VMware vSphere environments, removing the administrative overhead associated with load balancing and failover.

Availability

PowerPath/VE automates optimal server, storage, and path utilization in a dynamic virtual environment, eliminating the need to load balance hundreds or thousands of virtual machines and I/O-intensive applications manually. PowerPath/VE provides high performance by intelligently scheduling application I/O across all available paths while also providing automated path failure detection, failover, and failback.

Key Features

- Standardized path management unifies management across heterogeneous physical and virtual environments.
- Optimized utilization leverages all channels to provide optimal, predictable, and consistent information access.
- Dynamic load balancing constantly adjusts I/O path usage and responds to changes in I/O loads from virtual machines.
- Automatic I/O path failure detection keeps the virtual environment and applications running in the event of failure.
- Simplified management eliminates the need to monitor and rebalance the dynamic environment.

Figure 10. EMC PowerPath/VE multipathing

EMC Unified Storage

The EMC Unified Storage system is a highly available architecture capable of five-nines availability. The Unified Storage arrays from EMC achieve this by eliminating single points of failure throughout the physical storage stack with technologies such as dual-ported drives, hot spares, redundant back-end loops, redundant front-end and back-end ports, dual storage processors, redundant fans and power supplies, and battery backup for the cache.

Secure Separation

EMC Unified Storage systems provide various methods for ensuring the secure isolation of tenant data and resources in the converged Vblock infrastructure (Table 7).

Table 7. Storage secure separation methods

Method and description:

RAID Groups
RAID groups (RGs) are logical containers of 2 to 16 drives with the same RAID level. Drives within an RG can be logically partitioned into logical unit numbers (LUNs) so that multiple discrete datasets can reside on the same RG. RGs allow separation of tenant workloads onto dedicated disks when very high performance and low latency are the primary concerns. LUNs built on an RG dedicated to a tenant have their own discrete resources, which are not shared with other RGs or disks, and which allow predictable performance and resource control for the tenant.

Pools
Pools are logical containers of between two and many drives that share the same RAID level and allow for advanced array features such as thin provisioning, compression, and Fully Automated Storage Tiering (FAST). A pool can contain up to the maximum number of drives available in an array, which allows workloads to be spread over hundreds of disks. Pools can have mixed drive types, so that a pool could be composed of a mix of EFD, FC, and SATA. These pools can dynamically move data between the different tiers, based on performance needs, by utilizing FAST. Thin provisioning allows efficient use of space in the pool by allocating only the blocks actually consumed by the host. Pools allow for flexible consumption of storage while maintaining separation of data and resources between pools. Pools can be associated with tenants to provide a single resource that offers high performance, efficient capacity utilization, and simplified storage management.

VSAN
A virtual storage area network (VSAN) is a collection of ports from hosts, switches, and storage arrays that forms a virtual SAN fabric. VSANs create self-contained fabrics capable of using distinct security policies, zones, memberships, and name services. This segments SAN traffic in order to ensure communication only between devices authorized to communicate. VSANs allow shared SAN resources to be segmented securely among tenants.

Virtual Data Mover
Virtual Data Mover (VDM) is a software feature of the EMC Celerra X-Blade that enables the grouping of file systems and CIFS servers into virtual containers. Each VDM contains all the data necessary to support one or more CIFS servers and their file systems. A VDM can be loaded and unloaded, moved from Data Mover to Data Mover, or replicated to a remote Data Mover as an autonomous unit. The servers, their file systems, and configuration data are available in one virtual container. VDMs allow tenants to share Data Mover resources while maintaining data and namespace separation.

Service Assurance

EMC Unisphere Quality of Service Manager (QoS Manager) enables dynamic allocation of Unified Storage resources to meet service level requirements for critical applications. QoS Manager also provides performance data charts, which allow performance analysis and trending.

Security and Compliance

EMC Unified Storage systems can be securely managed in cloud environments with role-based access control (RBAC) and Lightweight Directory Access Protocol (LDAP) integration. User accounts can be mapped to specific roles within Unisphere to give fine-grained control of storage system features based on group membership.

Availability and Data Protection

The Unified Storage arrays promote high availability through logical constructs such as RAID, proactive hot sparing, rebuild avoidance, cache mirroring, and error bit correction. Clouds built on EMC Unified Storage benefit from highly available midrange storage, providing reliable access to tenant data.

EMC Unisphere Management Suite

EMC Unisphere provides a simple, integrated experience for managing EMC Unified Storage through both a storage and a VMware lens. It is designed to provide simplicity, flexibility, and automation, which are key requirements for private clouds.


Key Features

- Web-based management interface to discover, monitor, and configure EMC Unified Storage
- Self-service support ecosystem to gain quick access to real-time online support tools
- Task-based navigation and controls to provide an intuitive, context-based approach to configuring storage, creating replicas, and monitoring the environment
- Automatic event notification to proactively manage critical status changes
- Customizable dashboard views and reporting

Service Provider Management and Control

Unisphere includes a self-service support ecosystem that is accessible with one click, and task-based navigation and controls for context-based management. It provides customizable dashboard views and reporting capabilities that present users with storage management information.

EMC Unisphere Quality of Service Manager

Service Assurance

EMC Unisphere Quality of Service Manager (QoS Manager) enables dynamic allocation of storage resources to meet service level requirements for critical applications (Figure 11). Prioritizing applications and setting specific performance targets with QoS Manager determines the desired application service levels. QoS Manager monitors storage system performance on an application-by-application basis, providing a logical view of application performance on the storage system.

QoS Manager provides performance data charts that allow performance analysis and trending. In addition to displaying real-time data, performance data can be archived for offline trending and data analysis. Two standalone client tools retrieve performance archives from the storage system and export data to other file formats.


Figure 11. EMC Unisphere QoS Manager

EMC VPLEX

EMC VPLEX is the next-generation solution for information mobility and access within, across, and between data centers. In combination with VMware vMotion, VPLEX enables distribution of applications and their data across multiple hosts over synchronous distances (Figure 12). With virtual storage and virtual machines working together over distance, the infrastructure can provide load balancing, real-time remote data access, and improved application protection.

Availability and Data Protection

EMC VPLEX allows users to concurrently access a single copy of the data at different geographical locations, enabling transparent migration of running virtual machines between data centers. This allows transparent load sharing between multiple sites while providing the flexibility to migrate workloads between sites in anticipation of planned events. Furthermore, if an unplanned event causes a service disruption at one of the data centers, the surviving site can restart the failed services with minimal effort, minimizing the recovery time objective (RTO).


Figure 12. EMC VPLEX with vMotion

EMC Ionix Storage Configuration Advisor

Enterprises want to minimize operational costs within the data center by reducing the time spent planning and validating changes to the storage environment and resolving configuration issues. They also want to eliminate downtime associated with human error and improve the maturity of their change and configuration management processes.

Service Provider Management and Control

EMC Ionix Storage Configuration Advisor is storage resource management (SRM) software that addresses storage compliance and change management challenges in the following ways:

- Performs near real-time discovery, change tracking, and best-practice validation of the SAN environment
- Helps improve the efficiency of change processes by automating discovery and configuration validation
- Helps improve service levels by ensuring compliance with configuration best practices
- Helps improve operational planning and control by providing reports, dashboards, and trending analysis

EMC Ionix ControlCenter

The EMC Ionix ControlCenter family of storage resource management and device management software enables automation of common tasks such as reporting, planning, and provisioning through a single, consistent, information-centered approach. ControlCenter applications enable comprehensive tiered storage infrastructure management, which facilitates implementation of an information lifecycle management (ILM) strategy.


Key Features

- View SAN topology health and performance
- Correlate and display the relationships of the SAN infrastructure across physical and virtual resources
- Simulate SAN changes in a safe environment
- Automate provisioning based on business requirements
- Monitoring and reporting
- View topology from server through storage to support planning and troubleshooting

Service Assurance

The Ionix portfolio of products is particularly valuable in detecting and responding to configuration changes at both the physical and virtual level, so that a potential compromise of secure separation (for example, a zoning or masking change that exposes one tenant's devices to another tenant's hosts) can be detected and remedied promptly.

Service Provider Management and Control

Ionix ControlCenter applications enable comprehensive management of the tiered storage infrastructure, which facilitates implementation of an information lifecycle management (ILM) strategy.

EMC Virtual Storage Integrator

Service Provider Management and Control

EMC Virtual Storage Integrator (VSI) is a free VMware vCenter plugin that brings storage management capabilities to the virtual infrastructure administrator through the standard VMware vSphere Client interface (Figure 7).

EMC Virtual Storage Integrator (VSI) for vSphere Client provides the following Storage Viewer (SV) and Storage Pool Management (SPM) functionality:

- SV functionality extends the vSphere Client to facilitate the discovery and identification of EMC Symmetrix and Unified Storage devices allocated to VMware vSphere hosts and virtual machines.
- SPM functionality simplifies the provisioning of Symmetrix V-MAX virtually pooled storage for data centers, vSphere servers, clusters, and resource pools. VSI for vSphere Client presents the underlying storage details to the virtual data center administrator, merging the data of several different storage mapping tools into a few seamless vSphere Client views.

VSI resolves the underlying storage of Virtual Machine File System (VMFS) and Network File System (NFS) datastores and virtual disks, as well as raw device mappings (RDMs). In addition, VSI presents lists of host-accessible storage arrays and devices in the virtual data center.

VSI brings critical information about EMC storage arrays into a single pane of glass in the vCenter client. This gives the vCenter administrator visibility into the storage cloud from within the vCenter interface, showing how storage resources are utilized in the vSphere infrastructure and how those resources map to vSphere constructs. VSI also allows storage and vCenter administrators to provision resources from a V-MAX and quickly import them into vCenter with little overhead.


Table 8. Summary of EMC Virtual Storage Integrator features

Storage Viewer
- Discover and identify EMC Celerra, CLARiiON, VPLEX, and Symmetrix arrays
- Present granular details of the storage allocated to the virtual infrastructure from each array

Unified Storage Management
- Automatically provision VMFS datastores, including all underlying CLARiiON functions, on vSphere hosts or automatically across vSphere clusters
- Extend and reconfigure VMFS and block storage
- Leverage EMC SnapView for mass datastore-level VM replication
- Automatically provision NFS datastores, including all underlying Celerra functions, on vSphere hosts or automatically across vSphere clusters
- Extend and reconfigure NFS datastores and underlying Celerra file systems
- Quickly and efficiently create snapshots and clones of virtual machines and datastores
- Leverage the Celerra's capability for production NFS datastore-level and VM-level real-time compression and decompression
- Mass replicate individual VMs

Storage Pool Management
- Create pools of virtually provisioned storage and provide them to VMware teams to use, while protecting other workloads from any impact and enabling VMware teams to self-provision the storage allocated to them
- Allocate storage to specific VMware Infrastructure objects or share it across the entire cluster
- Extend and reconfigure VMFS and block storage

Path Management
- Discover and configure path management topologies and functions as provided by either EMC PowerPath or VMware Native Multipathing (NMP)
- Report information such as the number of available paths to a data device and the load balancing policy associated with the device, along with the ability to modify the load balancing policy

EMC NetWorker

Increased user demands are driving the need for higher availability of applications and data, and consequently backup administrators face ever-decreasing nightly windows in which to back up and protect the enterprise's digital assets.

Key Features

- Heterogeneous platform and application support simplifies management of UNIX, Microsoft Windows, Linux, NetWare, OpenVMS, and Macintosh systems, and hot backup of major applications.
- Deduplication accelerates backups, reduces bandwidth, and stores more data longer by eliminating duplicate data with EMC Avamar and EMC Data Domain products.
- Centralized backup and recovery ensures reliable backups and provides control across local area network (LAN), wide area network (WAN), and SAN environments.
- Disaster recovery and granular restore ensure business continuity and improve productivity with flexible recovery options.
- Backup to disk enables fast backups and reliable recoveries by leveraging arrays, EMC Data Domain products, and snapshots.

Availability

EMC NetWorker helps protect applications and data by simplifying and centralizing backup and recovery operations. NetWorker backup software provides a common platform that supports a wide range of data protection options across physical and virtual environments. The versatility of NetWorker makes it suitable for a range of environments, from large data centers to remote offices.

EMC Data Domain

Data recovery options must align with application and business requirements to yield the highest availability. Creating a full backup to tape is no longer economical, nor does it provide the highest availability when compared to next-generation solutions. By identifying and removing redundant, variable-length data sequences before they are stored to disk, EMC Data Domain deduplication storage systems dramatically reduce the amount of disk storage needed to store backup and archive data generated by backup applications such as EMC NetWorker. Data Domain systems provide a storage footprint that is 10 to 30 times smaller, on average, than the original dataset. Figure 13 illustrates the Data Domain deduplication process.

Key Features

- Network-efficient replication reduces or eliminates tape, using minimal network bandwidth for disk- and network-optimized data protection.
- Flexible replication topologies replicate data from multiple sites for additional deduplication benefits and disaster recovery options.
- Data Invulnerability Architecture ensures data is stored and recoverable, with continuous write verification, fault detection, and self-healing.

Availability

Storing only unique data on disk means that data can be replicated more cost effectively over existing networks to

remote sites for disaster recovery or consolidated tape operations. Data on disk is available online and on site longer,

and restores are faster and more reliable.

Figure 13. EMC Data Domain

EMC Avamar®

EMC Avamar® is a source-based deduplication software appliance that leverages the VMware vStorage API for Data Protection to provide advanced backup functionality, including agentless client backup. Avamar can also leverage VMware Changed Block Tracking (CBT) to further reduce the operational backup load on the virtual infrastructure. EMC Avamar backup and recovery products use patented global data deduplication technologies to identify redundant data at the source, minimizing backup data before it is sent over the LAN/WAN.

Key Features

- Global source-based deduplication reduces daily backup data up to 500x, backup times up to 10x, and total storage up to 50x.
- Centralized management manages multisite backup control operations from a single location through an intuitive, web-based interface.
- Fast, single-step recovery recovers data (whole backups, files, or directories) immediately, without restoring the last full and incremental backups.
- VMware Infrastructure backups reduce resource utilization on highly consolidated host servers and support guest- and image-level backups.
- EMC NetWorker client integration blends deduplication capabilities with traditional backup and recovery using a common management interface and backup window.

Availability

Increased user demands are driving the need for higher application and data availability, and consequently backup administrators are facing decreasing nightly time windows in which to back up and protect the enterprise’s digital assets. In larger environments where backup needs cannot be met, assets may go unprotected and companies incur greater risk that their data may be lost in a disaster. Avamar is ideal for protecting data in remote offices, VMware environments, LAN/NAS servers, and desktop/laptop systems.

Unlike traditional backup methods, Avamar identifies redundant subfile, variable-length data segments at the source (client) before data is transferred across the network and stored to disk. As a result, Avamar reduces the required daily network bandwidth by up to 500x, enabling fast, daily full backups using existing physical and virtual infrastructure. Avamar also provides simple, one-step recovery, eliminating the need to restore the last good full and subsequent incremental backups to reach the desired recovery point. Lastly, data recoverability is automatically verified daily, so there are no surprises when recovery is needed.
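The variable-length segmentation that both Data Domain (at the target) and Avamar (at the source) rely on, as an added example that is not part of the paper or of either EMC product: a toy content-defined chunker with a content-addressed store that verifies each segment on read. The window size, chunk bounds, boundary mask and sample backups are constructed values.

```python
"""Toy model of variable-length deduplication (added example, not EMC code).

Segment boundaries are chosen from the content itself, so an insertion shifts only
the segment it lands in and the rest still deduplicate. Each unique segment is
stored once under its SHA-256 digest and re-verified on read, a stand-in for the
write verification the paper attributes to the Data Invulnerability Architecture.
Window, chunk sizes, mask and sample data are constructed values."""
import hashlib
import random
from typing import Dict, List, Tuple

WINDOW = 16            # bytes hashed to decide whether a boundary falls here
MIN_CHUNK = 64         # never cut a segment shorter than this
MAX_CHUNK = 512        # always cut here even if no boundary was found
BOUNDARY_MASK = 0x7F   # on average one boundary every 128 bytes


def window_fingerprint(window: bytes) -> int:
    """Polynomial fingerprint of the trailing window (toy stand-in for a Rabin hash)."""
    h = 0
    for b in window:
        h = (h * 257 + b) & 0xFFFFFFFF
    return h


def chunk(data: bytes) -> List[bytes]:
    """Split data into variable-length segments at content-defined boundaries."""
    chunks: List[bytes] = []
    start = 0
    for i in range(len(data)):
        length = i - start + 1
        boundary = False
        if length >= MIN_CHUNK and i + 1 >= WINDOW:
            boundary = (window_fingerprint(data[i + 1 - WINDOW:i + 1]) & BOUNDARY_MASK) == 0
        if boundary or length >= MAX_CHUNK or i == len(data) - 1:
            chunks.append(data[start:i + 1])
            start = i + 1
    return chunks


class DedupStore:
    """Content-addressed segment store: a segment is written once, referenced many times."""

    def __init__(self) -> None:
        self.segments: Dict[str, bytes] = {}
        self.logical_bytes = 0    # what the backup client logically sent
        self.physical_bytes = 0   # what actually reached disk

    def backup(self, data: bytes) -> List[str]:
        """Store one backup image; return its recipe (ordered segment digests)."""
        recipe: List[str] = []
        for seg in chunk(data):
            digest = hashlib.sha256(seg).hexdigest()
            self.logical_bytes += len(seg)
            if digest not in self.segments:   # new content: write it
                self.segments[digest] = seg
                self.physical_bytes += len(seg)
            recipe.append(digest)
        return recipe

    def restore(self, recipe: List[str]) -> bytes:
        """Rebuild an image from its recipe, verifying each segment before use."""
        out = bytearray()
        for digest in recipe:
            seg = self.segments[digest]
            if hashlib.sha256(seg).hexdigest() != digest:
                raise IOError(f"segment {digest[:12]} failed verification on read")
            out += seg
        return bytes(out)

    def reduction_ratio(self) -> float:
        """Logical bytes protected per physical byte stored (2.0 means 2:1)."""
        return self.logical_bytes / self.physical_bytes if self.physical_bytes else 0.0


def demo() -> Tuple[float, bool]:
    """Two nightly 'full' backups of a 40 KB file that grew by one inserted record."""
    rng = random.Random(2011)   # constructed sample data, seeded so the result repeats
    day1 = bytes(rng.getrandbits(8) for _ in range(40_000))
    day2 = day1[:20_000] + b"one inserted audit record\n" + day1[20_000:]
    store = DedupStore()
    recipe1 = store.backup(day1)
    recipe2 = store.backup(day2)
    intact = store.restore(recipe1) == day1 and store.restore(recipe2) == day2
    return store.reduction_ratio(), intact


if __name__ == "__main__":
    ratio, intact = demo()
    print(f"reduction {ratio:.2f}:1, restores verified: {intact}")
```

The second night costs only the one segment the insertion touched, so the ratio lands just under 2:1; a fixed-size chunker would have re-stored everything after the insertion point.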

EMC Replication Manager

EMC Replication Manager (Figure 14) manages EMC point-in-time replication technologies through a centralized management console. Replication Manager coordinates the entire data replication process – from discovery and configuration to the management of multiple application-consistent, disk-based replicas.

Key Features

- Automates the discovery of storage arrays, applications, replication technologies, and hosts in the environment
- Creates and manages application-consistent replicas for backup acceleration, instant restore, and data repurposing with little or no impact on production
- Streamlines operations through a common user interface for simplified replica management
- Saves valuable time by automating scheduling, mounting, dismounting, and expiration of EMC replicas

Availability

With EMC Replication Manager, you can create and manage application-consistent replicas for backup acceleration, instant restore, and repurposing – such as development, testing, business intelligence, and training, with little or no impact to production. Streamlined operations, automation, and simple management make data protection dramatically easier to accomplish.

Figure 14. EMC Replication Manager

EMC RecoverPoint

Remote replication is the key to protecting user data from site failures. EMC RecoverPoint is enabling software for remote replication between EMC unified storage systems. EMC RecoverPoint provides continuous data protection and any-point-in-time recovery of logical drives on EMC storage arrays. A splitter residing in the storage fabric or in the storage array writes to the production logical drive and the RecoverPoint Appliance (RPA) simultaneously. The RPA logs writes and, depending on the configuration, maintains local and remote replicas of the production logical drives. RecoverPoint’s advanced capabilities include policy-based management, application integration, and bandwidth reduction.

Key Features

- Continuous data protection employing on-demand local recovery to any point in time, regardless of array type
- Continuous remote replication using bi-directional, heterogeneous block-level replication across any distance
- Concurrent local and remote data protection to protect and replicate data in many local and remote-site combinations for operational and disaster recovery
- Policy-based management leveraging service-level policies that optimize storage and Internet protocol (IP) wide area network (WAN) resources
- Bandwidth reduction enhancing network utilization with unique bandwidth reduction and compression technologies
- Block-level journaling of data changes enabling full read/write access to any point-in-time image
- Data protection using RecoverPoint to protect against data corruption with flexible protection and recovery options
- VMware infrastructure integration simplifying VMware replication management with vCenter Server and Site Recovery Manager integration

Availability

EMC RecoverPoint provides continuous data protection and remote replication for on-demand protection and recovery to any point in time.

EMC RecoverPoint Storage Adapter for SRM

EMC RecoverPoint Storage Replication Adapter (SRA) for VMware Site Recovery Manager (SRM) is a software package that allows SRM to implement disaster recovery for vSphere virtual machines using RecoverPoint systems. The adapter facilitates SRM functions – such as failover and replication, and failover testing – using the RecoverPoint system as the replication engine.

Key Features

- Accelerates recovery for the virtual environment through automation
- Ensures reliable recovery by enabling non-disruptive testing
- Simplifies recovery by eliminating complex manual recovery steps and centralizing recovery plan management

EMC Data Protection Advisor

Data protection is a key ingredient in a resilient architecture. In addition, cloud computing imposes a resource tradeoff between high performance and the requirements of increasingly robust security. Data classification is an essential tool for balancing that equation. Enterprises need to know what data is important and where it is located as prerequisites to making performance cost-benefit decisions, as well as to ensuring focus on the most critical areas for data loss prevention procedures.

Service Provider Management and Control

EMC Data Protection Advisor (DPA) (Figure 15) allows service providers to make the right decisions faster, which saves them time and money and improves their data protection. Collecting information from across the infrastructure, it automates manual tasks, enables faster problem solving, and simplifies the management of service levels – all while significantly reducing the time involved with audit, compliance, and other reporting requirements.

EMC Data Protection Advisor for Backup lets users find problems affecting recovery through a powerful analysis engine, perform capacity planning, and anticipate issues with trend analysis to find failures, resource utilization, and slow performance. Users can also prove compliance with recoverability and service level reporting for all backups.

Availability

EMC Data Protection Advisor for Replication provides monitoring, alerting, troubleshooting, and reporting of replicated application data.

Key Features

- Single console provides a single point of management with consolidated access to all operational information across replication and backup environments.
- Real-time alerts help identify potential data protection problems before they escalate.
- Easy-to-use troubleshooting provides fast resolution, reduced effort, and improved protection.
- Broad backup support provides unified monitoring, analysis, and reporting across all backup infrastructures for complete visibility.
- Replication support provides increased insight into replication operations for Symmetrix, CLARiiON, and RecoverPoint technologies.
- VMware integration allows users to view configuration, status, performance, and utilization data for growing VMware environments.

Figure 15. EMC Data Protection Advisor

Compute Technologies

Table 9 lists the standard and optional compute components and features of the Vblock platform. The table maps each component and feature to the TMT elements that it addresses.

Table 9. Compute components and features

Columns (TMT elements): Secure Separation | Service Assurance | Security and Compliance | Availability | Tenant Mgmt & Control | Service Provider Mgmt & Control

Components (rows):
- Cisco Unified Computing System (UCS)
- VMware vSphere
- VMware vSphere High Availability (HA)
- VMware vSphere Fault Tolerance (FT)
- VMware vSphere Distributed Resource Scheduler (DRS)
- VMware vSphere Resource Pools
- VMware vMotion
- VMware vCenter Server
- VMware vCenter Configuration Manager
- VMware vCenter Site Recovery Manager (SRM)
- VMware vCenter Capacity IQ
- VMware vCenter Chargeback
- VMware vCloud Director
- VMware vCloud Request Manager

Cisco Unified Computing System

The Cisco Unified Computing System (UCS) is a next-generation data center platform that unites network, compute, storage, and virtualization into a cohesive system designed to reduce total cost of ownership (TCO) and increase business agility. The system integrates a low-latency, lossless 10 Gigabit Ethernet unified network fabric with enterprise-class, x86-architecture servers. The system is an integrated, scalable, multi-chassis platform in which all resources participate in a unified management domain. Whether it has only one server or many servers with thousands of virtual machines, the Cisco UCS is managed as a single system, thereby decoupling scale from complexity. The Cisco UCS accelerates the delivery of new services simply, reliably, and securely through end-to-end provisioning and migration support for both virtualized and non-virtualized systems.

Cisco UCS Manager provides unified, centralized, embedded management of all software and hardware components of the Cisco UCS across multiple chassis and thousands of VMs. The entire UCS is managed as a single logical entity through an intuitive GUI, a command-line interface (CLI), or an XML API. UCS Manager delivers greater agility and scale for server operations while reducing complexity and risk. It provides flexible role- and policy-based management using service profiles and templates, and it facilitates processes based on IT Infrastructure Library (ITIL) concepts. Through its simplified, ecosystem-friendly approach, UCS Manager helps reduce management and administration expenses, which are among the largest costs in most IT budgets.

Key Features

- Centralized management interface that integrates the entire set of Cisco UCS components
- Role-based administration that builds on existing skills and best practices and supports collaboration across disciplines
- Policy-based management that shifts IT’s focus from maintenance to strategic initiatives
- Auto-discovery of added or changed system components
- Service profiles for fast, consistent, compliant, and accurate configuration
- Service profile templates that help ensure consistent policies within the system for a given service or application
- Physical and virtual machine flexibility through just-in-time provisioning
- High-availability configuration when two fabric interconnects are used
- Scalability across multiple chassis per manager instance
- XML API to facilitate integration with third-party systems management tools

Secure Separation

The TMT model allows partitioning of the physical resources of the UCS and sharing of those resources across tenant organizations. Each server provisioned in a UCS has a service profile that defines the server and its storage and networking characteristics. Service profiles allow service providers to treat server resources as raw computing capacity, which they can allocate and reallocate among application workloads.

In a multi-tenant environment, the service provider can define service profiles that give access to specific server resources, and then assign them to specific tenants. For example, the service provider may define a service profile that gives access to any server in a predefined pool of server resources with specific processor, memory, or other administrator-defined characteristics. The service provider can then assign one or more service profiles to each tenant, which ensures that each tenant receives access to the appropriate UCS resources and policies. Service profiles are particularly useful when deployed in conjunction with UCS role-based access control (RBAC). RBAC provides granular administrative access control to the UCS system resources based on administrative roles, tenant organization, and locale.

Service Assurance

System classes in the UCS specify the bandwidth allocated for types of traffic across the entire system. Each system class reserves a specific segment of the bandwidth for a specific type of traffic. This provides a level of traffic management, even in an oversubscribed system. Using QoS policies, the UCS assigns a system class to the outgoing traffic. The UCS matches a QoS policy to the Class of Service (CoS) value marked by the Nexus 1000V Series switch for each virtual machine (VM), and the associated mapping to the relative bandwidth reservations takes place. The CoS marking is handled at the Nexus 1000V level, so associating a vNIC policy to a service profile is not necessary; the UCS only has to police the bandwidth reservations. The UCS enforces the CoS value by controlling the amount of available bandwidth for a given CoS when the traffic on a given segment approaches saturation (10GbE). The user-defined weight integer translates automatically into a percentage to allow easy computation of the relative bandwidth. All the properties of these system classes can be assigned custom settings and policies.
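How the weight integers become relative percentages, and how those reservations bound each class once a 10GbE segment saturates, as an added example that is not part of the paper or of Cisco's software. The class names, CoS values, weights and demand figures are constructed; the allocation loop is a generic weighted fair share used here to illustrate the behaviour the paragraph describes, not UCS's own scheduler.

```python
"""Added example (not Cisco code): UCS system-class weights as relative bandwidth
reservations, and how they bound each class once a 10GbE segment saturates.
Class names, CoS values, weights and the demand figures are constructed."""
from dataclasses import dataclass
from typing import Dict, Iterable

LINK_GBPS = 10.0   # one 10GbE segment, the saturation point the paper refers to


@dataclass(frozen=True)
class SystemClass:
    name: str
    cos: int      # CoS value the Nexus 1000V marks on a VM's frames
    weight: int   # user-defined integer; the percentage is derived from it


# Constructed example: one class per tenant tier plus best effort (CoS 0).
CLASSES = (
    SystemClass("tenant-gold", cos=5, weight=5),
    SystemClass("tenant-silver", cos=3, weight=3),
    SystemClass("tenant-bronze", cos=1, weight=1),
    SystemClass("best-effort", cos=0, weight=1),
)


def bandwidth_percentages(classes: Iterable[SystemClass] = CLASSES) -> Dict[str, float]:
    """Weight integer -> percentage of the segment reserved for the class."""
    classes = tuple(classes)
    total = sum(c.weight for c in classes)
    return {c.name: 100.0 * c.weight / total for c in classes}


def class_for_cos(cos: int, classes: Iterable[SystemClass] = CLASSES) -> SystemClass:
    """QoS-policy match: the marked CoS selects the system class; unknown marks fall to CoS 0."""
    by_cos = {c.cos: c for c in classes}
    return by_cos.get(cos, by_cos[0])


def allocate(demand_gbps: Dict[str, float],
             classes: Iterable[SystemClass] = CLASSES) -> Dict[str, float]:
    """Gbit/s each class actually gets on the segment.

    Below saturation every class is served in full. At saturation each class is
    guaranteed its weighted share of the link, and bandwidth a class leaves unused
    is handed to the classes still wanting more, again by weight. A tenant flooding
    the segment can therefore soak up slack but never another class's reservation."""
    classes = tuple(classes)
    if sum(demand_gbps.values()) <= LINK_GBPS:
        return dict(demand_gbps)
    weight = {c.name: c.weight for c in classes}
    got = {c.name: 0.0 for c in classes}
    active = {n for n in weight if demand_gbps.get(n, 0.0) > 0.0}
    remaining = LINK_GBPS
    while active and remaining > 1e-9:
        wsum = sum(weight[n] for n in active)
        satisfied = set()
        for n in active:
            share = remaining * weight[n] / wsum
            need = demand_gbps[n] - got[n]
            if need <= share:        # fits inside its share; the leftover is redistributed
                got[n] += need
                satisfied.add(n)
            else:
                got[n] += share
        remaining = LINK_GBPS - sum(got.values())
        if not satisfied:            # every active class used its whole share: link is full
            break
        active -= satisfied
    return got


def demo() -> Dict[str, float]:
    """Bronze tenant floods the segment while the others stay within their shares."""
    return allocate({"tenant-gold": 5.0, "tenant-silver": 3.0,
                     "tenant-bronze": 20.0, "best-effort": 1.0})
```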

Security and Compliance

Cisco UCS allows organizations to make the most of their cloud infrastructure by consolidating and sharing network, compute, and storage resources. Although consolidation facilitates the centralization and standardization of certain security controls, the use of a shared infrastructure may amplify the effects of security incidents such as unauthorized administrative access, privilege escalation, and denial of service, to name a few. The Cisco UCS Manager incorporates a set of features that help ensure the secure access, administration, and monitoring of Cisco UCS resources. These features include:

- Administrative access to the Cisco UCS is authenticated against a local database, by using a remote protocol such as LDAP, RADIUS, or TACACS+, or by using a combination of local database and remote protocols.
- Role-based access control (RBAC) provides granular administrative access control to the UCS system resources based on administrative roles, tenant organization, and locale.
- HTTPS provides authenticated and encrypted access to the Cisco UCS Manager GUI. HTTPS uses components of the Public Key Infrastructure (PKI), such as digital certificates, to establish secure communications between the client’s browser and Cisco UCS Manager.
- SSH provides authenticated and encrypted access to the Cisco UCS Manager CLI.
- Cisco UCS Manager supports SNMPv3 for authenticated and encrypted event reporting and system monitoring, which is helpful for auditing and accountability.
- Syslog provides system logging for auditing and accountability.

Service Provider Management and Control

Role-based access control (RBAC) is a security mechanism that can greatly lower the cost and complexity of Vblock security administration. RBAC simplifies security administration by using roles, hierarchies, and constraints to organize privileges. Cisco UCS Manager offers flexible RBAC to define the roles and privileges for different administrators within the Cisco UCS environment (Figure 16).

A role contains one or more system privileges, where each privilege defines an administrative right to a certain object or type of object in the system. By assigning a user a role, the user inherits the capabilities of the privileges defined in that role. For example, for a server role, responsibilities may include provisioning blades, and privileges may include creating, modifying, and deleting service profiles.

Roles and privileges in the system can easily be modified and new roles quickly created. Administrators can focus on defining the policies needed to provision compute infrastructure and network connectivity and collaborate on strategic architectural issues, while implementation of basic server configuration can be automated. UCS Manager supports multi-tenant service providers and enterprise data centers serving internal clients as separate business entities. The system supports logical partitioning and allocation of resources to different tenants to administer as their own.

UCS Manager supports the creation of local users in the UCSM database as well as the integration of name services such as LDAP, RADIUS, and TACACS+ for remote users. When a user logs in, UCS Manager authenticates the user against the appropriate back-end name service and assigns privileges to the user based on his or her roles.
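The role, privilege and locale model described in the Secure Separation and Service Provider Management and Control passages above, as an added example that is not part of the paper or of Cisco UCS Manager: a user holds the union of its roles' privileges and may exercise them only inside the organization subtrees its locales name, with each decision logged for accountability. The role names, privilege names and organization tree are constructed, and denying a user with no locale is a fail-closed choice of this model.

```python
"""Added example (not Cisco UCS Manager code): a model of the RBAC the paper
describes. A role is a set of privileges, a locale scopes a user to a tenant
organization and everything beneath it, and a user holds the union of the
privileges of all assigned roles, exercisable only inside its locales. Role names,
privilege names and the organization tree are constructed; treating a user with no
locale as having no object access is a fail-closed choice of this model."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Set

# Constructed privilege sets; the names only loosely echo UCS service-profile rights.
ROLES: Dict[str, FrozenSet[str]] = {
    "server-admin": frozenset({"ls-server-create", "ls-server-modify",
                               "ls-server-delete", "ls-server-read"}),
    "read-only": frozenset({"ls-server-read"}),
    "aaa-admin": frozenset({"aaa-user-manage"}),
}

# Constructed organization tree, child -> parent; "root" is the UCS root organization.
ORG_PARENT: Dict[str, str] = {
    "tenant-a": "root",
    "tenant-a/web": "tenant-a",
    "tenant-b": "root",
}


def org_chain(org: str) -> List[str]:
    """The organization itself followed by each ancestor up to root."""
    chain = [org]
    while chain[-1] in ORG_PARENT:
        chain.append(ORG_PARENT[chain[-1]])
    return chain


@dataclass
class User:
    name: str
    roles: Set[str] = field(default_factory=set)
    locales: Set[str] = field(default_factory=set)   # org subtrees the user may administer

    def privileges(self) -> Set[str]:
        """Union of the privileges of every assigned role; unknown roles grant nothing."""
        granted: Set[str] = set()
        for role in self.roles:
            granted |= ROLES.get(role, frozenset())
        return granted

    def in_scope(self, org: str) -> bool:
        """A locale covers its organization and all descendants; no locale, no scope."""
        return any(ancestor in self.locales for ancestor in org_chain(org))


def authorize(user: User, privilege: str, org: str) -> bool:
    """Both tests must pass: the right (from roles) and the scope (from locales)."""
    return privilege in user.privileges() and user.in_scope(org)


def audited_authorize(user: User, privilege: str, org: str, log: List[str]) -> bool:
    """Same decision, with a syslog-style record of every attempt for accountability."""
    allowed = authorize(user, privilege, org)
    log.append(f"ucsm-rbac user={user.name} priv={privilege} org={org} "
               f"result={'PERMIT' if allowed else 'DENY'}")
    return allowed


def demo() -> Dict[str, bool]:
    """Constructed users exercising rights inside and outside their locales."""
    alice = User("alice", roles={"server-admin"}, locales={"tenant-a"})
    bob = User("bob", roles={"read-only"}, locales={"root"})
    carol = User("carol", roles={"server-admin"})            # no locale assigned
    log: List[str] = []
    return {
        "alice creates in her sub-org": audited_authorize(alice, "ls-server-create", "tenant-a/web", log),
        "alice creates in another tenant": audited_authorize(alice, "ls-server-create", "tenant-b", log),
        "bob reads anywhere": audited_authorize(bob, "ls-server-read", "tenant-b", log),
        "bob deletes": audited_authorize(bob, "ls-server-delete", "tenant-b", log),
        "carol without locale": audited_authorize(carol, "ls-server-delete", "tenant-a", log),
    }
```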

Figure 16. Example of Role-Based Access Control (RBAC)

Availability and Data Protection

UCS Manager runs on a UCS 6100 Series fabric interconnect, which provides uniform access to both networks and storage. The UCS High Availability (HA) architecture becomes active when two fabric interconnects in a cluster are joined as peers. In this case, an instance of UCS Manager runs on each fabric interconnect. The two instances communicate over dual cluster links between the fabric interconnects. UCS Manager uses an active/standby architecture, in which the active instance is primary and the standby instance is subordinate. The primary instance, which maintains the main configuration database, handles all communication with the external world. The main configuration database is stored on the primary instance and replicated on the subordinate instance. The primary instance sends updates to the subordinate instance when configuration changes occur. A single management address is assigned to the clustered fabric interconnects to provide a single management point, regardless of which fabric interconnect is active at any given time.

VMware vSphere™

VMware vSphere is a complete, scalable, and powerful virtualization platform, delivering the infrastructure and application services that organizations need to transform their information technology and deliver IT as a service. VMware vSphere is a host operating system that runs directly on the Cisco UCS infrastructure and fully virtualizes the underlying hardware, allowing multiple virtual machine (VM) guest operating systems to share the UCS physical resources.

Developed as a purpose-built full virtualization platform using secure engineering, VMware vSphere has an optimized, low footprint that minimizes attack surface area and vulnerabilities. VMware vSphere and VMware vCenter Server have Common Criteria certification at Evaluation Assurance Level 4 (EAL4+) under the Common Criteria Evaluation and Certification Scheme (CCS).

Key Features

- Ability to segment tenant assets and resource shares logically through management interfaces such as VMware vCenter Server, VMware vShield Manager, and VMware vCloud Director
- Resource management capabilities such as shares and limits to control the server resources that a VM consumes, ensuring a single VM does not take resources needed by other VMs
- Port group isolation feature used in conjunction with vShield App to create a secure, isolated network without using VLANs or PVLANs
- Role-based access control (RBAC) to enhance security and flexibility. Administrators can use VMware vCenter Server to create custom roles that restrict access to virtual machines, resource pools, and servers. Users can then be assigned to these custom roles.

Secure Separation

VMware vSphere can provide secure separation through two primary mechanisms – the inherent security of its own internal software architecture, and the capabilities it provides to logically segment tenant assets and resource shares through its management interfaces, such as VMware vCenter, VMware vShield Manager, and vCloud Director.

To provide secure separation, VMware vSphere must be able to make every guest OS believe and operate as if it is the sole owner of the hardware platform, making all other operating systems invisible to it during normal operations. Further, the hypervisor must gracefully handle all hardware and software faults on the system in order to maintain this separation in all circumstances.

Service Assurance

Ensuring end-user Quality of Service for multi-tier applications is increasingly difficult on a conventional infrastructure. IT has to implement a patchwork of availability solutions and support unpredictable loads on a static infrastructure. VMware vSphere enables administrators to ensure end-user QoS by automatically providing the right levels of application availability and scalability using built-in Application Services. VMware vSphere also allows dynamic tuning of application availability and scalability levels as business requirements evolve, which facilitates meeting Quality of Service requirements cost effectively.

VMware vSphere High Availability

VMware vSphere High Availability (HA) provides uniform, cost-effective failover protection against hardware and operating system failures within the virtualized IT environment to minimize downtime from server and operating system failures.

Key Features

- Automates monitoring of VM availability and detects operating system failures within VMs
- Automatically restarts failed VMs
- Automates the optimal placement of VMs restarted after server failure (requires VMware vSphere DRS)
- Supports up to 32 nodes in a cluster for high application availability and has the same limits for VMs per host, hosts per cluster, and VMs per cluster as vSphere
- Continuously and intelligently monitors capacity utilization and reserves spare capacity for restarting VMs
- Identifies abnormal configuration settings detected within HA clusters
- Reports relevant health status and potential error conditions and suggested remediation steps

Service Assurance

The vSphere HA feature reduces downtime due to software error and hardware failure and thus enables service providers to offer strong uptime as an SLA.

Availability and Data Protection

VMware HA provides automated restart within minutes for all applications in the event of hardware or operating system failures. When enabled, VMware HA continuously monitors the virtual environment to detect failures. In case of failure, VMware vSphere restarts the affected VM on another physical host automatically. Because HA functionality resides in VMware vSphere, it does not require complex configuration.

VMware vSphere Fault Tolerance

The VMware Fault Tolerance (FT) feature is a component of VMware vSphere that provides continuous availability to applications, preventing downtime and data loss in the event of server failures.

Key Features

- Automatically detects server failures and triggers instantaneous, seamless, stateful failover, resulting in zero-downtime, zero-data-loss continuous availability
- Automatically triggers the creation of a new secondary VM after failover, to ensure continuous protection to the application
- Works with all major block-level and file-level access protocols
- Works with all operating systems supported with VMware vSphere
- Works with existing VMware DRS and VMware HA clusters

Service Assurance

The FT feature provides continuous availability to applications, preventing downtime and data loss in the event of server failures. It also provides operational continuity and high levels of uptime in cloud environments – simply and at a low cost.

Availability and Data Protection

Downtime associated with critical enterprise applications can be very expensive and disruptive to businesses. Traditional solutions that address this problem through hardware redundancy or clustering are complex and expensive. While VMware HA addresses server failures by automatically restarting VMs on alternate servers, FT eliminates downtime due to hardware failures – at a low cost and across all applications – regardless of operating system.

With the FT feature enabled, a hardware failure has no effect on the VM. Two synchronized instances of the VM run on separate physical hosts: a primary VM and a shadow VM. If the primary VM’s host fails, the shadow VM seamlessly and instantly takes over. Eliminating a major source of downtime with the FT feature allows service providers to offer tenants stronger uptime SLAs.

VMware vSphere Distributed Resource Scheduler

VMware Distributed Resource Scheduler (DRS) dynamically balances computing capacity across a collection of hardware resources aggregated into logical resource pools.

Key Features

- Resources prioritized to the highest-value applications in order to align resources with business goals
- Hardware utilization automatically and continuously optimized to respond to changing conditions
- Dedicated resources provided to business units with cost benefits from higher hardware utilization through resource pooling

Service Assurance

Distributed Resource Scheduler continuously monitors utilization across resource pools and intelligently allocates available resources among the VMs based on predefined rules that reflect business needs and changing priorities. When a VM experiences an increased load, Distributed Resource Scheduler automatically allocates additional resources by redistributing VMs among the physical servers in the resource pool. In this way, Distributed Resource Scheduler provides guaranteed autonomy and service levels to tenants to fulfill QoS SLAs.

Availability and Data Protection

Distributed Resource Scheduler continuously monitors the distribution and usage of CPU and memory resources for all hosts and VMs in a cluster. Distributed Resource Scheduler compares these metrics to an ideal resource utilization given the attributes of the cluster’s resource pools and VMs, the current demand, and the imbalance target. It then performs or recommends VM migrations accordingly.

VMware vSphere Resource Pools

Resource pools allow delegation of control over the resources of a host (or a cluster), and the benefits are evident when they are used to compartmentalize all resources in a cluster. A resource pool represents a set of physical resources; for example, a single host, a subset of a host’s resources, or resources spanning multiple hosts.

Key Features

- Flexible hierarchical organization – the ability to add, remove, or reorganize resource pools or change allocations as needed.
- Isolation between pools and sharing within pools.
- Access control and delegation.
- Separation of resources from hardware – if using clusters enabled for Distributed Resource Scheduler, the resources of all hosts are always assigned to the cluster. That means administrators can perform resource management independently of the actual hosts that contribute to the resources.

Secure Separation

Service provider administrators can make a pool of resources available to a tenant-level administrator. Allocation changes to one tenant resource pool will not affect other tenant resource pools.

Service Assurance

A resource pool is configured with a set of CPU (in MHz) and memory (in MB) resources. These resources are specified in absolute terms with a resource reservation and a resource limit, along with a shares setting. The shares ensure graceful degradation during resource contention.

To achieve service assurance for compute resources (CPU and memory), built-in resource pool attributes can be set based on the tenant’s SLA. When a service provider administrator makes a resource pool available to a tenant-level administrator, that administrator can then perform all VM creation and management tasks within the boundaries of the resources to which the resource pool is entitled by the current shares, reservation, and limit settings. The following resource pool settings provide governance for compute resources for each tenant in the environment:

- Reservation (set aside a specified amount of CPU and memory resources) – Affects guaranteed CPU or memory allocation for the tenant’s resource pool. A nonzero reservation is subtracted from the unreserved resources of the parent (host or resource pool). The resources are considered reserved, regardless of whether virtual machines are associated with the resource pool.

- Limit (maximum amount of CPU and memory resources consumable by the tenant) – Defines the maximum amount of CPU resource, memory resource, or both that a given tenant can utilize.
- Shares (dictates preferential treatment to tenants with higher share value under resource contention) – Set to high, normal, or low on a per-tenant resource pool level. Under transient (non-steady-state) conditions with CPU resource contention, memory resource contention, or both, tenants with high shares or a larger number of shares configured have resource consumption priority.
- Expandable Reservation (if enabled, the tenant resource pool can utilize additional available CPU and memory resources from the parent resource pool) – Indicates whether expandable reservations are considered during admission control. With this option enabled for a tenant, if the tenant powers on a VM in their respective resource pool and the reservations of the VMs combined are larger than the reservation of the resource pool, the resource pool can use resources from its parent or ancestors.
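The admission-control behaviour of Reservation, Limit and Expandable Reservation described above, as an added example that is not part of the paper or of VMware's software: a small Python model in which a VM is admitted only if its reservation can be guaranteed, borrowing from ancestor pools solely when the pool is expandable. Pool names and MHz figures are constructed; Shares act at run time under contention rather than at admission and are not modelled here.

```python
"""Added example (not VMware code): a model of the resource-pool governance the
paper lists. Admission control admits a VM only if its reservation fits the pool's
unreserved capacity, borrowing from parent pools solely when Expandable Reservation
is enabled, and the pool's limit caps what its VMs may reserve in total. Pool names
and MHz figures are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ResourcePool:
    name: str
    reservation_mhz: int                    # guaranteed CPU, taken from the parent's unreserved
    limit_mhz: Optional[int] = None         # None = unlimited
    expandable: bool = False                # may borrow from ancestors during admission control
    parent: Optional["ResourcePool"] = None
    children: List["ResourcePool"] = field(default_factory=list)
    vm_reservations_mhz: Dict[str, int] = field(default_factory=dict)
    borrowed_mhz: int = 0                   # capacity granted by ancestors beyond the reservation

    def __post_init__(self) -> None:
        if self.parent is not None:
            self.parent.children.append(self)

    def committed_mhz(self) -> int:
        """Capacity this pool has promised: its VMs plus each child's reservation and loans."""
        return (sum(self.vm_reservations_mhz.values())
                + sum(c.reservation_mhz + c.borrowed_mhz for c in self.children))

    def unreserved_mhz(self) -> int:
        return self.reservation_mhz + self.borrowed_mhz - self.committed_mhz()


def borrow(pool: ResourcePool, deficit_mhz: int) -> bool:
    """Expandable reservation: cover the deficit from the parent, which may expand in turn."""
    parent = pool.parent
    if not pool.expandable or parent is None:
        return False
    available = parent.unreserved_mhz()
    if available < deficit_mhz and not borrow(parent, deficit_mhz - available):
        return False
    pool.borrowed_mhz += deficit_mhz         # the parent's committed capacity grows by the same amount
    return True


def power_on(pool: ResourcePool, vm: str, reservation_mhz: int) -> bool:
    """Admission control for powering on a VM with the given CPU reservation."""
    if vm in pool.vm_reservations_mhz:
        raise ValueError(f"{vm} is already powered on in {pool.name}")
    planned = sum(pool.vm_reservations_mhz.values()) + reservation_mhz
    if pool.limit_mhz is not None and planned > pool.limit_mhz:
        return False                         # the tenant's limit caps total consumption
    deficit = reservation_mhz - pool.unreserved_mhz()
    if deficit > 0 and not borrow(pool, deficit):
        return False                         # reservation cannot be guaranteed: refuse power-on
    pool.vm_reservations_mhz[vm] = reservation_mhz
    return True


def demo() -> Dict[str, bool]:
    """Two tenants under one cluster pool; only tenant A's pool may expand."""
    cluster = ResourcePool("cluster", reservation_mhz=20_000)
    tenant_a = ResourcePool("tenant-a", reservation_mhz=4_000, limit_mhz=8_000,
                            expandable=True, parent=cluster)
    tenant_b = ResourcePool("tenant-b", reservation_mhz=4_000, parent=cluster)
    return {
        "b-vm1 3000 within reservation": power_on(tenant_b, "b-vm1", 3_000),
        "b-vm2 2000 exceeds non-expandable pool": power_on(tenant_b, "b-vm2", 2_000),
        "a-vm1 3000 within reservation": power_on(tenant_a, "a-vm1", 3_000),
        "a-vm2 3000 borrows 2000 from cluster": power_on(tenant_a, "a-vm2", 3_000),
        "a-vm3 3000 would exceed limit": power_on(tenant_a, "a-vm3", 3_000),
        "a-vm3 2000 fits limit, borrows again": power_on(tenant_a, "a-vm3", 2_000),
    }
```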

VMware vMotion™

VMware vMotion™ enables the live migration of running virtual machines from one physical server to another with zero downtime, continuous service availability, and complete transaction integrity. VMware vMotion is a key enabling technology for creating the dynamic, automated, and self-optimizing data center.

Key Features

- Perform hardware maintenance without scheduled downtime
- Proactively move virtual machines away from failing or underperforming servers
- Automatically optimize and allocate entire pools of resources for optimal hardware utilization and alignment with business priorities

Availability and Data Protection

Migration of a virtual machine with VMware vMotion preserves the precise execution state, the network identity, and the active network connections – resulting in zero downtime and no disruption to users.

In combination with VPLEX, VMware vMotion enables effective distribution of applications and their data across multiple hosts over synchronous distances. With virtual storage and virtual machines working together over distance, the infrastructure can provide load balancing, real-time remote data access, and improved application protection.

VMware vCenter Server

VMware vCenter Server is a simple and efficient way to manage VMware vSphere. It provides unified management of all the hosts and VMs in your data center from a single console, with aggregate performance monitoring of clusters, hosts, and VMs. VMware vCenter Server gives administrators deep insight into the status and configuration of clusters, hosts, VMs, storage, the guest OS, and other critical components of a virtual infrastructure.

Key Features

- Centralized control and visibility at every level of the virtual infrastructure
- Proactive management of VMware vSphere
- Scalable and extensible management platform with a broad partner ecosystem
- Dynamic allocation of resources using VMware vSphere DRS
- Storage maps and reports that convey storage usage, connectivity, and configuration
- Customizable topology views that provide visibility into the storage infrastructure and assist in diagnosis and troubleshooting of storage issues
- Improved alerts and notifications that support new entities, metrics, and events, such as data store- and VM-specific alarms

Secure Separation

The vCenter Server and vSphere hosts determine the user access level based on the permissions assigned to the user. The combination of user name, password, and permissions is the mechanism by which vCenter Server and vSphere hosts authenticate a user for access and authorize the user to perform activities. The servers and hosts maintain lists of authorized users and the permissions assigned to each user. Privileges define basic individual rights that are required to perform actions and read properties. vSphere and vCenter Server use sets of privileges, or roles, to control which users or groups can access particular vSphere objects. You can define different access levels for each tenant object and restrict access using these access levels.

Service Assurance

One of the most important features of vCenter Server is the ability to use VMware vSphere to create resource pools to easily manage network, compute, and storage capacity, with the lowest total cost per application workload. In addition, VMware vSphere Distributed Resource Scheduler (DRS) continuously monitors utilization across resource pools and intelligently allocates available resources among virtual machines according to business needs to deliver high service levels.

Availability

VMware vCenter plays a key role in availability by enabling High Availability, Fault Tolerance, Site Recovery Manager, and vMotion to work successfully.

Security and Compliance

Robust permission mechanisms and integration with Microsoft® Active Directory® guarantee authorized access to the tenant environment and its virtual machines. Responsibilities can be delegated to tenant administrators.

Tenant Management and Control

One key management task in the TMT environment is determining who can use VMware vCenter and what tasks those users are authorized to perform. VMware vCenter has built-in, role-based access control for tenant access authorization. In vCenter, a role is a predefined set of privileges paired with a user or group. That pairing is associated with a VMware vSphere inventory object. Key concepts in this system are:

- Privilege – Ability to perform a specific action or read a specific property. Examples include powering on a virtual machine and creating an alarm.
- Role – A collection of privileges. Roles provide a way to aggregate all the individual privileges that are required to perform a higher-level task, such as administering a virtual machine.
- Object – An entity upon which actions are performed. VMware vCenter objects are data centers, folders, resource pools, clusters, hosts, and VMs.

For example, suppose a TMT environment has two tenants (A and B) and two resource pools (1 and 2). If the Virtual Machine User role for resource pool 1 is assigned to tenant A, tenant A can power on virtual machines in resource pool 1 but does not have view/operational access to resource pool 2 or any other resource pools.
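Tenant A's position in that example can be checked mechanically. The following Python model of the privilege/role/object scheme is an added illustration, not VMware code; privilege names follow vSphere's dotted naming, but the role contents are abridged, and the inventory, the two tenants, and the extra "auditor" principal are constructed.

```python
"""Added model of vCenter-style role-based access control: privileges are
grouped into roles, a role is paired with a principal on an inventory object,
and that permission can propagate down the inventory tree. Illustration only
(not VMware code). Privilege names follow vSphere's dotted naming, but the
role contents are abridged and the inventory and principals are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional


@dataclass
class InventoryObject:
    name: str
    kind: str                                   # data center, cluster, resource pool, VM, ...
    parent: Optional["InventoryObject"] = None


@dataclass(frozen=True)
class Role:
    name: str
    privileges: FrozenSet[str]


@dataclass(frozen=True)
class Permission:
    principal: str
    role: Role
    propagate: bool                             # also applies to children of the object


# Abridged privilege sets (the real sample roles carry more privileges).
NO_ACCESS = Role("No Access", frozenset())
READ_ONLY = Role("Read-only", frozenset({"System.Anonymous", "System.View", "System.Read"}))
VM_USER = Role("Virtual Machine User", frozenset({
    "System.Anonymous", "System.View", "System.Read",
    "VirtualMachine.Interact.PowerOn", "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.ConsoleInteract",
}))


class Authorizer:
    def __init__(self) -> None:
        # object name -> principal -> permission (one permission per principal per object)
        self._perms: Dict[str, Dict[str, Permission]] = {}

    def grant(self, principal: str, role: Role, obj: InventoryObject, propagate: bool = True) -> None:
        self._perms.setdefault(obj.name, {})[principal] = Permission(principal, role, propagate)

    def effective_permission(self, principal: str, obj: InventoryObject) -> Optional[Permission]:
        """Walk from the object toward the root. The nearest permission for the
        principal wins; one inherited from an ancestor counts only if it propagates."""
        node, inherited = obj, False
        while node is not None:
            perm = self._perms.get(node.name, {}).get(principal)
            if perm is not None and (not inherited or perm.propagate):
                return perm
            node, inherited = node.parent, True
        return None

    def has_privilege(self, principal: str, obj: InventoryObject, privilege: str) -> bool:
        perm = self.effective_permission(principal, obj)
        return perm is not None and privilege in perm.role.privileges

    def can_see(self, principal: str, obj: InventoryObject) -> bool:
        """An object is visible to a principal only with System.View on it."""
        return self.has_privilege(principal, obj, "System.View")


def build_tmt_inventory():
    """Constructed TMT layout: one cluster, two resource pools, two tenants."""
    dc = InventoryObject("dc1", "data center")
    cluster = InventoryObject("cluster1", "cluster", dc)
    rp1 = InventoryObject("resource-pool-1", "resource pool", cluster)
    rp2 = InventoryObject("resource-pool-2", "resource pool", cluster)
    vm_a1 = InventoryObject("vm-a1", "VM", rp1)
    vm_a2 = InventoryObject("vm-a2", "VM", rp1)
    vm_b1 = InventoryObject("vm-b1", "VM", rp2)
    auth = Authorizer()
    auth.grant("tenant-a", VM_USER, rp1)                        # propagates to vm-a1 and vm-a2 ...
    auth.grant("tenant-a", NO_ACCESS, vm_a2, propagate=False)   # ... except where a nearer permission overrides
    auth.grant("tenant-b", VM_USER, rp2)
    auth.grant("auditor", READ_ONLY, cluster, propagate=False)  # the cluster object only, not its children
    objs = (dc, cluster, rp1, rp2, vm_a1, vm_a2, vm_b1)
    return auth, {o.name: o for o in objs}


def tenant_checks() -> Dict[str, bool]:
    auth, inv = build_tmt_inventory()
    power_on = "VirtualMachine.Interact.PowerOn"
    return {
        "a_power_on_vm_a1": auth.has_privilege("tenant-a", inv["vm-a1"], power_on),
        "a_power_on_vm_a2": auth.has_privilege("tenant-a", inv["vm-a2"], power_on),
        "a_sees_rp1": auth.can_see("tenant-a", inv["resource-pool-1"]),
        "a_sees_rp2": auth.can_see("tenant-a", inv["resource-pool-2"]),
        "a_power_on_vm_b1": auth.has_privilege("tenant-a", inv["vm-b1"], power_on),
        "a_sees_cluster": auth.can_see("tenant-a", inv["cluster1"]),
        "b_sees_rp2": auth.can_see("tenant-b", inv["resource-pool-2"]),
        "auditor_sees_cluster": auth.can_see("auditor", inv["cluster1"]),
        "auditor_sees_rp1": auth.can_see("auditor", inv["resource-pool-1"]),
    }


if __name__ == "__main__":
    for check, result in tenant_checks().items():
        print(f"{check}: {result}")
```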

Service Provider Management and Control

VMware vCenter Server simplifies resource planning for both cloud and tenant environments by displaying detailed CPU and memory allocation at the individual resource pool and virtual machine levels. A cloud owner can use information provided at the cluster level to get an overview of the CPU and memory resources allocated to infrastructure virtual machines and individual tenants. A tenant owner can use information provided at the resource pool level to get an overview of the CPU and memory resources allocated to the virtual machines and VMware vApps.

Performance charts in vCenter Server provide a single view of all performance metrics at both the data center and individual resource pool level. Information such as CPU, memory, disk, and network can be seen without navigating through multiple charts. Performance charts include aggregated charts that show high-level summaries of resource distribution, which helps administrators identify top tenants. Thumbnail views of virtual machines, hosts, resource pools, clusters, and data stores allow easy navigation to individual charts.

VMware vCloud™ Director

VMware vCloud™ Director gives customers the ability to build secure private clouds that dramatically increase data center efficiency and business agility (Table 10). Coupled with industry-leading VMware vSphere, VMware vCloud Director delivers cloud computing for existing data centers by pooling virtual infrastructure resources and delivering them to users as catalog-based services.

Secure Separation

With VMware vCloud Director, administrators can group users into organizations that can represent any policy group, such as a business unit, division, or subsidiary company. Each group has isolated virtual resources, independent LDAP authentication, specific policy controls, and unique catalogs. These features enable a multi-tenant environment with multiple organizations sharing the same infrastructure. Visibility and resource control are restricted to each Organization virtual data center (vDC).

The vCloud Director software provides three different models for allocating resources to an Organization vDC. The allocation model for an Organization vDC determines the QoS of the allocated resources, as well as the cost of those resources (Figure 17).

Table 10. Resource allocation methods in vCloud Director

- Allocation Pool – Only a percentage of allocated resources are committed to an Organization vDC. The service provider can specify the percentage. This model does not have resource QoS, which means over-commitment of resources is possible.
- Pay-As-You-Go – Allocated resources are committed only when users create vApps in the Organization vDC. The service provider can specify the maximum amount of CPU and memory resources to commit to the Organization vDC.
- Reservation Pool – All allocated resources are committed to the Organization vDC.


Tenant Management and Control

The vCloud Director self-service portal provides direct access to individual tenant catalogs and virtual data centers. Tenants consume resources as a catalog-based service through a web portal and programmatic interfaces.

Service Provider Management and Control

By standardizing processes, increasing automation, and delivering IT as a service, it is possible to achieve additional savings beyond virtualization, while significantly reducing required hands-on maintenance. Standardizing service offerings can simplify IT management tasks such as troubleshooting, patching, and change management. Administrative maintenance can be eliminated and provisioning can be automated through policy-based workflows that allow authorized users to deploy preconfigured services when they need them.

Figure 17. VMware vCloud Director

VMware vCloud Request Manager

VMware vCloud Request Manager provides compliance and control in VMware vCloud Director-based private clouds by adding sophisticated approval workflows to provisioning requests and automatically tracking software license usage. Requests initiated through the vCloud Request Manager portal drive predefined workflow processes, including approvals, updates to software license inventories, cloud provisioning actions, and email notifications. The actual provisioning of cloud infrastructure takes place through vCloud Director, driven by the vCloud API. A single instance of vCloud Request Manager can support multiple private clouds, and even public clouds, thereby delivering a unified experience.


Key Features

- Intuitive, self-service portal
- Intelligent private cloud workflow automation
- Software license management
- Automated tracking of software licenses
- Automated approval and email notifications

Tenant Management and Control

VMware vCloud Request Manager provides a request portal and workflow engine that communicates with VMware vCloud Director through the VMware vCloud API. Tenants of cloud resources (cloud consumers) can create their own organizations and provision new vApps using the web portal to initiate requests. They receive email notifications of the results of these requests and email approvals that require their action.

Service Provider Management and Control

VMware vCloud Request Manager comes preconfigured with provisioning workflows and email templates, providing enhanced compliance and control for private clouds with minimal configuration. This not only helps service providers deploy private clouds quickly, but also eliminates the cost and risk associated with custom software development. Key benefits include the following:

- Avoids virtual machine sprawl by enforcing business policies and procedures
- Maximizes efficiency and service delivery by automating provisioning processes
- Simplifies the experience for consumers of cloud-based services

VMware vCenter Configuration Manager

VMware vCenter Configuration Manager (formerly EMC Ionix Server Configuration Manager) automates configuration management across physical and virtual servers, workstations, and desktops. It discovers and collects configuration data, detects changes, and identifies policy violations for more than 80,000 configuration settings.

Security and Compliance

Configuration Manager enforces compliance with security best practices and hardening guidelines, as well as compliance with security and regulatory mandates such as SOX, HIPAA, and PCI. Using Configuration Manager increases IT efficiency and lowers costs by eliminating the effort and expense of using multiple tools for managing change, provisioning, patches, configurations, remediation, and compliance.

Service Provider Management and Control

Configuration Manager automates configuration management across virtual and physical servers and desktops, increasing efficiency by eliminating manual, error-prone, time-consuming work while providing powerful enterprise control and visibility of the virtualized data center.


VMware vCenter Site Recovery Manager

Organizations find it increasingly difficult to provide disaster recovery solutions that meet their needs. VMware vCenter Site Recovery Manager (SRM) helps organizations address the challenges of traditional disaster recovery so that they can meet their recovery objectives. SRM delivers centralized management of recovery plans and automates the recovery process. It integrates tightly with vSphere, vCenter Server, RecoverPoint (by means of the EMC RecoverPoint Storage Adapter for SRM), and storage replication from leading storage vendors (Figure 18).

Key Features

- Ensures recovery time objectives are met by automating the recovery process
- Eliminates common causes of failure during recovery and makes it possible to thoroughly and easily test recovery plans
- Simplifies and centralizes the process of creating, updating, and managing recovery plans
- Improves the reliability of recovery plans by simplifying recovery and testing
- Improves compliance with disaster recovery documentation and testing requirements

Service Assurance

With SRM, service providers can deliver a truly service-oriented and comprehensive disaster recovery methodology with a rapid, reliable, and predictable recovery process, taking risk and worry out of disaster recovery.

Availability

Site Recovery Manager makes it possible to automate recovery plan execution, eliminating many of the slow and unreliable manual processes common in traditional disaster recovery. At the same time, Site Recovery Manager ensures that the recovery process is executed as intended. It enables organizations to take the risk and worry out of disaster recovery, as well as expand availability and protection to all of their important systems and applications.


Figure 18. VMware vCenter Site Recovery Manager

VMware vCenter CapacityIQ

VMware virtualization enables a shared, dynamic environment with pools of resources and capacity that can dynamically shrink and expand. This constantly changing environment provides an opportunity for better, more effective capacity management. Users need a purpose-built tool that enables automated, continuous capacity intelligence to empower informed decision-making.

Key Features

- Dashboard with at-a-glance charts and graphs
- Detailed reports with recommendations
- Interactive what-if modeling scenarios

Service Assurance

VMware vCenter CapacityIQ ensures that infrastructure capacity is used in the most efficient and cost-effective manner. CapacityIQ provides complete visibility into past, present, and future capacity states – including what capacity is available, what is being used, what is needed, and when capacity will run out.

Tenant and Service Provider Management and Control

VMware vCenter CapacityIQ enables IT administrators to analyze, forecast, and plan the capacity needs of their virtual data center or desktop environments.


VMware vCenter Chargeback

VMware vCenter Chargeback is an end-to-end cost reporting solution for virtual environments that enables accurate cost measurement, analysis, and reporting of virtual machines using VMware vSphere. Virtual machine resource consumption data is collected from VMware vCenter Server, ensuring the most complete and accurate tabulation of resource costs. Integration with VMware vCloud Director and VMware vShield also enables automated chargeback for private cloud environments (Figure 19).

Key Features

- Maps IT cost to business units, cost centers, or external consumers, thereby enabling a better understanding of how much resources cost and what can be done to optimize resource utilization
- Supports policy-driven accountability for self-service environments so that business owners can pay as they go for cloud resources
- Supports allocation-based costing, utilization-based costing, or a combination of both to fit an organization's unique costing policies
- Supports base costs, fixed costs, one-time costs, multiple rate factors, and overage fees to model true costs
- Meters resources managed in VMware vCloud Director, including network traffic, public IP addresses, and other services such as DHCP, NAT, and firewalling

Tenant Management and Control

The detailed reports generated for tenants by vCenter Chargeback facilitate decision-making and planning.

Service Provider Management and Control

With vCenter Chargeback, service providers can see the actual cost of the cloud infrastructure required to support business services. Cost models can be customized to different tenants' processes and policies.


Figure 19. Chargeback model

Network Technologies

Table 11 lists the standard and optional components and features that provide networking capabilities for the Vblock platform. Table 11 maps each component or feature to the TMT elements it addresses.

Table 11. Network components (columns: Secure Separation, Service Assurance, Security and Compliance, Availability, Tenant Mgmt & Control, Service Provider Mgmt & Control)

- Nexus 1000V Series
- Nexus 5000 Series
- Cisco Virtual PortChannels (vPC)
- Nexus 7000 Series
- Cisco Overlay Transport Virtualization (OTV)
- Cisco Data Center Services Node (DSN)
- Cisco MDS
- Cisco Data Center Network Manager (DCNM)
- Cisco Fabric Manager
- VLAN Separation
- Virtual Routing and Forwarding
- Hot Standby Router Protocol
- MAC Address Learning
- EtherChannel

Nexus 1000V Series

The Nexus 1000V is a software switch embedded in the software kernel of VMware vSphere. The Nexus 1000V provides virtual machine–level network visibility, isolation, and security for VMware server virtualization.

With the Nexus 1000V Series, virtual servers can leverage the same network configuration, security policy, diagnostic tools, and operational models as their physical server counterparts attached to dedicated physical network ports. Virtualization administrators can access predefined network policies that follow mobile virtual machines to ensure proper connectivity, saving valuable resources for virtual machine administration.

Key Features

- Policy-based virtual machine connectivity
- Mobile virtual machine security and network policy
- Non-disruptive operational model

Secure Separation

The Nexus 1000V software-based switch provides several methods for enforcing network separation in a multi-tenant environment (Table 12). These methods include port profiles, virtual service domains (VSDs), and access control lists (ACLs). Figure 20 illustrates the virtual service domain (VSD).

Table 12. Nexus 1000V Secure Separation Methods

- Port profile – Network segmentation based on interface-level parameters such as VLANs and ACLs. Port profiles are the primary mechanism for defining and applying network policy to the Nexus 1000V switch interfaces. A port profile defines a collection of interface-level attributes that make up a complete network policy for VMs. In addition to supported attributes, a port profile can include a VLAN and an ACL, both useful for network segregation. With port profiles, the provider can define and enforce distinct VM policies per tenant, or different policies based on the VM type or class.
- Virtual service domain (VSD) – Allows the provider to group interfaces into distinct security groups and enforce control policies for traffic flowing among them. Simplifies the integration of security services provided by a service virtual machine (SVM) such as VMware vShield or the Cisco Virtual Security Gateway (VSG). Groups interfaces into Inside, Outside, and Member groups – each defined by a port profile. Forces traffic travelling into or out of the VSD through the SVM unless the traffic both originates and terminates within the same VSD. In that case, the traffic is considered to belong to the same security group, so it is not routed through the SVM.
- Access control list (ACL) – A variety of ACLs is supported by the Nexus 1000V, including standard and extended Layer 2, Layer 3, and Layer 4 ACLs, and port-based ACLs (PACLs). ACLs are used to identify applications and classify traffic within or among several tenants and to enforce granular policies for network separation between tenants.

Figure 20. Virtual Service Domains
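The three mechanisms in Table 12 compose into one forwarding decision per frame. The following Python model is an added illustration of that decision logic, not Cisco code; the port profiles, VLAN IDs, ACL rules, interfaces, and VSD names are constructed.

```python
"""Added model of the three Nexus 1000V separation mechanisms in Table 12:
port-profile VLAN segmentation, ingress port ACLs, and virtual service domains
(VSDs) that force traffic crossing a domain boundary through a service VM
(SVM). Decision logic only, not Cisco code; profile names, VLAN IDs, ACL
rules, and interfaces are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class AclRule:
    action: str                       # "permit" or "deny"
    protocol: str                     # "tcp", "udp", or "ip" (matches any protocol)
    dst_port: Optional[int] = None    # None matches any destination port


@dataclass(frozen=True)
class PortProfile:
    name: str
    vlan: int
    acl: Optional[tuple] = None       # ingress PACL as a tuple of AclRule; None = no ACL applied
    vsd: Optional[str] = None         # VSD whose member port profile this is, if any


@dataclass(frozen=True)
class VEth:
    name: str
    profile: PortProfile


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: Optional[int] = None


def acl_permits(acl: Optional[tuple], pkt: Packet) -> bool:
    """First matching rule wins; an applied ACL with no match denies (implicit deny)."""
    if acl is None:
        return True
    for rule in acl:
        if rule.protocol not in ("ip", pkt.protocol):
            continue
        if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
            continue
        return rule.action == "permit"
    return False


def forward(src: VEth, dst: VEth, pkt: Packet) -> str:
    """Decide what the switch does with a frame from src to dst, applying the
    Table 12 mechanisms in order: VLAN, then ingress ACL, then VSD steering."""
    sp, dp = src.profile, dst.profile
    if sp.vlan != dp.vlan:
        return "drop: VLANs differ (port-profile segmentation)"
    if not acl_permits(sp.acl, pkt):
        return f"drop: ingress ACL on {sp.name}"
    if sp.vsd is not None and sp.vsd == dp.vsd:
        # Same security group: the SVM is bypassed.
        return f"forward: same VSD {sp.vsd}, bypasses SVM"
    crossed = [d for d in (sp.vsd, dp.vsd) if d is not None]
    if crossed:
        # Leaving or entering a VSD (or both): the SVM of each crossed domain sees the frame.
        return "forward: via SVM of " + " and ".join(crossed)
    return "forward: no VSD involved"


def build_interfaces() -> Dict[str, VEth]:
    """Constructed scenario: tenant A's web and DB tiers share VLAN 101 and VSD
    vsd-a; an edge VM sits on the same VLAN outside the VSD and may only
    originate HTTP(S); tenant B is on VLAN 202 in its own VSD."""
    edge_acl = (AclRule("permit", "tcp", 443), AclRule("permit", "tcp", 80))  # implicit deny follows
    a_web = PortProfile("tenant-a-web", vlan=101, vsd="vsd-a")
    a_db = PortProfile("tenant-a-db", vlan=101, vsd="vsd-a")
    a_edge = PortProfile("tenant-a-edge", vlan=101, acl=edge_acl)
    b_web = PortProfile("tenant-b-web", vlan=202, vsd="vsd-b")
    return {
        "a-web": VEth("veth1", a_web),
        "a-db": VEth("veth2", a_db),
        "a-edge": VEth("veth3", a_edge),
        "b-web": VEth("veth4", b_web),
    }


def decisions() -> Dict[str, str]:
    v = build_interfaces()
    https, ssh, mysql = Packet("tcp", 443), Packet("tcp", 22), Packet("tcp", 3306)
    return {
        "a_web_to_a_db_mysql": forward(v["a-web"], v["a-db"], mysql),
        "a_edge_to_a_web_https": forward(v["a-edge"], v["a-web"], https),
        "a_edge_to_a_web_ssh": forward(v["a-edge"], v["a-web"], ssh),
        "a_web_to_b_web_https": forward(v["a-web"], v["b-web"], https),
    }


if __name__ == "__main__":
    for flow, verdict in decisions().items():
        print(f"{flow}: {verdict}")
```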

Service Assurance

Service providers can use the QoS capabilities of Nexus switches to provide prioritized processing to particular network communication in order to deliver a guaranteed level of bandwidth or performance. Service providers can leverage Cisco QoS to keep the network resources consumed by one tenant from adversely affecting other tenants sharing the same network infrastructure. The service provider can also grant a higher network service priority to those tenants who pay a premium for enhanced performance or bandwidth beyond the baseline service level. Cisco QoS also allows service providers to control the distribution of their shared network infrastructure capacity in order to maximize efficient resource utilization while complying with tenants' SLAs.

Security and Compliance

In addition to using port profiles, VSDs, and ACLs to provide network security, the Nexus switches also support the following security features:

- Private VLANs
- Dynamic Address Resolution Protocol (ARP) inspection
- Dynamic Host Configuration Protocol (DHCP) snooping
- IP source guard

Availability

The Nexus 1000V Series Virtual Supervisor Module (VSM) controls multiple Virtual Ethernet Modules (VEMs) as one logical modular switch. The VEM takes configuration information from the VSM and provides advanced networking functions – QoS, security features, and monitoring. Nexus 1000V switches support redundant VSMs – one active and one passive – configured under separate UCS blade servers. These synchronized, redundant VSMs enable rapid, stateful failover and ensure an always-available virtual machine network.

Nexus 5000 Series

Nexus 5000 Series switches are data center class, high-performance, standards-based Ethernet and Fibre Channel over Ethernet (FCoE) switches that enable the consolidation of LAN, SAN, and cluster network environments onto a single Unified Fabric.

Secure Separation

Nexus 5000 Series switches provide several methods for enforcing network separation in a multi-tenant environment. These methods include port profiles, virtual service domains (VSDs), and access control lists (ACLs).

Service Assurance

Nexus 5000 Series switches provide QoS capabilities such as traffic prioritization and egress bandwidth allocation. The default QoS configuration on the switch provides lossless service for Fibre Channel (FC) and Fibre Channel over Ethernet (FCoE) traffic and best-effort service for Ethernet. FCoE converges Fibre Channel and Ethernet into one Unified Fabric, providing a simplified architecture for both network and storage traffic. Configuration of additional classes of service for Ethernet traffic is possible. The Nexus 5000 provides a Unified Fabric by consolidating LAN, SAN, and server cluster networks, which results in lower power consumption, simplified cabling, reduced cost, and increased performance.

Availability and Data Protection

Redundant Nexus 5000 switches provide connectivity to both SAN and LAN. Virtual PortChannels (vPCs) that span separate chassis allow highly reliable scaling of Layer 2 and add a flexible and resilient network design.

Service Provider Management and Control

Nexus 5000 Series switches provide many management features to help provision and manage the device, including:

- CLI-based console to provide detailed out-of-band management
- vPC configuration synchronization
- SSHv2
- Telnet
- Authentication, authorization, and accounting (AAA)
- AAA with RBAC


Integration of Cisco Data Center Network Manager (DCNM) and Cisco Fabric Manager provides overall uptime and reliability of the cloud infrastructure and improves business continuity.

The Smart Call Home feature continuously monitors hardware and software components to provide email notification of critical system events. A versatile range of message formats is available for optimal compatibility with pager services, standard email, and XML-based automated parsing applications. This feature offers alert grouping capabilities and customizable destination profiles. For example, it can be used to directly page a network support engineer, send an email message to a NOC, and employ Cisco Auto-Notify services to directly generate a case with the Cisco Technical Assistance Center (TAC). This feature is a step toward autonomous system operation, enabling networking devices to inform IT when a problem occurs and helping ensure that the problem is acted on quickly, thereby reducing time to resolution and increasing system uptime.

Cisco Virtual PortChannels

A virtual PortChannel (vPC) allows links that are physically connected to two different Nexus 5000 Series or Nexus 7000 F-Series devices to appear as a single PortChannel to a third device. The third device can be a Nexus 2000 Series Fabric Extender or a switch, server, or any other networking device.

Availability

A vPC can provide Layer 2 multipathing, which increases bandwidth by enabling multiple parallel paths between nodes and load-balancing traffic where alternative paths exist for redundancy. The vPC links enhance system availability and rapid recovery in the event of a link failure.

Nexus 7000 Series

Nexus 7000 Series switches are a modular switching system designed for use in the data center. Nexus 7000 switches deliver the scalability, continuous systems operation, and transport flexibility required for 10-Gbps Ethernet networks today. In addition, the system architecture is capable of supporting future 40-Gbps Ethernet, 100-Gbps Ethernet, and unified input/output modules.

Secure Separation

Cisco Nexus 7000 Series switches can be segmented into virtual devices based on business needs. Nexus 7000 virtual device contexts (VDCs) and the VLAN feature deliver true segmentation of network traffic, context-level fault isolation, and management through the creation of independent hardware and software partitions. Tenants can administer and maintain their own configurations independently.

Service Assurance

The Nexus 7000 implements buffering, queuing, and scheduling in both the ingress and the egress directions. Queuing and bandwidth control are the two most common methods used by Nexus 7000 switches to provide steady-state performance.

Queuing is the ordering and scheduling of packets for delivery based on classification criteria. The ability to specify which types of packets receive preferential delivery treatment means better response time for important applications when oversubscription occurs.

Bandwidth control is the allocation of bandwidth to a queue based on the class of traffic utilizing it. Assigning bandwidth prevents certain classes of traffic from over-utilizing bandwidth. Other queues, therefore, have a fair chance of serving the needs of the rest of the classes. Queuing and bandwidth control go hand in hand, since queuing determines the ordering of packets, while bandwidth control determines the number of packets (amount of data) sent through in each queue.

Security and Compliance

Nexus 7000 Series switches address the infrastructure security needs for next-generation data centers by supporting:

- Cisco TrustSec, which improves compliance, strengthens security, and increases operational efficiency. It is available as an appliance-based overlay solution, and as an integrated 802.1X infrastructure-based service that extends access enforcement throughout the network.
- Integrated security features that protect the data center network and devices from denial-of-service (DoS) attacks and network host spoofing or data and voice traffic snooping.
- Port access control lists (PACLs), router ACLs (RACLs), VLAN ACLs (VACLs), and role-based access control (RBAC) for securing privileges and providing flexibility in protecting information.
- Control Plane Protection with enhanced hardware-based policing.

Availability

Nexus 7000 switches support core and aggregation layers in the network with redundant connectivity. They also provide lossless, non-disruptive upgrades for no-downtime service through any single point of failure in the system hardware, and a modular operating system.

In addition to security and flexibility, virtual device contexts (VDCs) on the Nexus 7000 network switch allow efficient management in a multi-tenant design. Service providers can configure and deploy multiple VDCs on each physical switch. Each VDC runs as a discrete entity with its own configuration, network administrator, and set of running processes. With Nexus VDC technology, multi-tenant service providers can extend logical partitioning of tenant environments into the network device layer.

Cisco Overlay Transport Virtualization

Cisco Overlay Transport Virtualization (OTV) on the Nexus 7000 significantly simplifies extending Layer 2 applications across distributed data centers. OTV solves many of the challenges that have made it difficult to shift large workloads between facilities, potentially opening new frontiers in disaster recovery and data center consolidation. For example, OTV facilitates deployment of Data Center Interconnect (DCI) between sites without changing or reconfiguring your existing network design.

Key Features

- Extends Layer 2 LANs over any network using IP-encapsulated MAC routing
- Works over any network that supports IP
- Designed to scale across multiple data centers
- Simplifies configuration and operation
- Increases resiliency by preserving existing Layer 3 failure boundaries
- Maximizes available bandwidth by using equal-cost multipathing and optimal multicast replication


Availability

Cisco OTV allows deployment of virtual computing resources and clusters across geographically distributed data centers, delivering transparent workload mobility, business resiliency, and superior computing resource efficiencies. VMware vMotion can leverage OTV to move data center workloads easily and cost effectively across long distances, providing tenants with resource flexibility and workload portability that span geographically dispersed data centers.

Cisco Data Center Services Node

The Cisco Data Center Service Node (DSN) complements the Nexus 7000 Series switches in the data center. Cisco DSN is the platform of choice to host specific integrated network services relevant in a given data center. Examples of network services include the Cisco Firewall Services Module (FWSM), Cisco Intrusion Detection System (IDSM-2), and the Cisco ACE Application Control Engine Module. The service node-based solution offers proven enterprise products enabling providers to use a common architecture and easily integrate the solution with existing network infrastructure. Deploying a consistent architecture using a common platform can reduce connectivity costs significantly and increase network performance, manageability, and flexibility.

Availability

Cisco DSN uses a dual-homed approach for data path connectivity to redundant aggregation-layer switches. This approach decouples the service modules from dependence on a specific aggregation switch.

Because the Cisco DSN is self-contained, it provides operational flexibility for the system maintenance that may be required for the aggregation-layer switches or the Cisco DSN. From a high-availability perspective, if one of the aggregation switches or Cisco DSNs fails, traffic can continue to flow through the other aggregation switch to the active Cisco DSN without the need for any failover event in the service modules themselves.

Cisco MDS

Vblock 2, enabled by the Cisco MDS 9000 Series Multilayer SAN Switch, contains cost-effective, highly scalable and configurable, easy-to-install Fibre Channel fabrics that provide exceptional flexibility while maintaining consistent feature sets and management capabilities. The Cisco MDS 9000 Series helps build highly available, scalable storage networks with advanced security and unified management.

Secure Separation

The Cisco MDS 9000 Family facilitates secure separation at the network layer with virtual Storage Area Networks (VSANs) and zoning.

VSANs help achieve higher security and greater stability in Fibre Channel fabrics. VSANs provide isolation among devices that are physically connected to the same fabric. With VSANs, multiple logical SANs can be created over a common physical infrastructure. VSANs provide the following features:

Traffic isolation – Traffic is contained within VSAN boundaries and devices reside only in one VSAN, ensuring absolute separation between tenants.
Scalability – VSANs are overlaid on top of a single physical fabric. The ability to create several logical VSAN layers increases the scalability of the SAN.


The zoning service within a Fibre Channel fabric provides security between devices sharing the same fabric. The primary goal is to prevent certain devices from accessing other devices within the fabric. This allows the service provider to segregate devices based on access to a particular storage device (target).

Note: UIM currently only supports 1 VSAN per switch.
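The two controls described above can be checked mechanically. The following added example (not VCE or Cisco code; the WWNs, VSAN numbers and zone names are constructed) models a two-tenant fabric and evaluates whether an initiator may reach a target, requiring both membership in the same VSAN and a shared zone within it.

```python
"""Model of VSAN membership (a device resides in exactly one VSAN) and zoning
(access only between members of a common zone inside that VSAN). Added
example, not VCE or Cisco code; WWNs, VSAN numbers and zone names are constructed."""
from dataclasses import dataclass, field


@dataclass
class Vsan:
    vsan_id: int
    members: set = field(default_factory=set)   # pWWNs of N_ports in this VSAN
    zones: dict = field(default_factory=dict)   # zone name -> set of pWWNs


class Fabric:
    def __init__(self) -> None:
        self.vsans: dict = {}

    def add_vsan(self, vsan_id: int) -> Vsan:
        self.vsans[vsan_id] = Vsan(vsan_id)
        return self.vsans[vsan_id]

    def assign(self, wwn: str, vsan_id: int) -> None:
        # A port resides in exactly one VSAN, so a conflicting assignment is refused.
        current = self.vsan_of(wwn)
        if current is not None and current != vsan_id:
            raise ValueError(f"{wwn} already resides in VSAN {current}")
        self.vsans[vsan_id].members.add(wwn)

    def add_zone(self, vsan_id: int, zone: str, wwns: set) -> None:
        # Zones are scoped to one VSAN; a zone cannot reach across a VSAN boundary.
        missing = set(wwns) - self.vsans[vsan_id].members
        if missing:
            raise ValueError(f"not members of VSAN {vsan_id}: {sorted(missing)}")
        self.vsans[vsan_id].zones[zone] = set(wwns)

    def vsan_of(self, wwn: str):
        for v in self.vsans.values():
            if wwn in v.members:
                return v.vsan_id
        return None

    def can_access(self, initiator: str, target: str) -> tuple:
        """Return (allowed, reason); both controls must permit the path."""
        vi, vt = self.vsan_of(initiator), self.vsan_of(target)
        if vi is None or vt is None:
            return False, "unknown device"
        if vi != vt:
            return False, f"VSAN boundary: initiator in {vi}, target in {vt}"
        shared = [z for z, m in self.vsans[vi].zones.items()
                  if initiator in m and target in m]
        if not shared:
            return False, f"no common zone in VSAN {vi} (default zone denies)"
        return True, f"permitted by zone {shared[0]} in VSAN {vi}"


def build_demo_fabric() -> Fabric:
    # Constructed two-tenant fabric: tenant A in VSAN 10, tenant B in VSAN 20.
    f = Fabric()
    f.add_vsan(10)
    f.add_vsan(20)
    f.assign("20:00:00:25:b5:0a:00:01", 10)  # tenant A host HBA
    f.assign("50:06:01:60:3b:a0:00:01", 10)  # tenant A storage port
    f.assign("50:06:01:60:3b:a0:00:02", 10)  # VSAN 10 storage port not zoned to the host
    f.assign("20:00:00:25:b5:0b:00:01", 20)  # tenant B host HBA
    f.assign("50:06:01:60:3b:a0:00:03", 20)  # tenant B storage port
    f.add_zone(10, "zA_host1_array1", {"20:00:00:25:b5:0a:00:01", "50:06:01:60:3b:a0:00:01"})
    f.add_zone(20, "zB_host1_array1", {"20:00:00:25:b5:0b:00:01", "50:06:01:60:3b:a0:00:03"})
    return f
```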

Service Assurance

The QoS feature in the NX-OS software in the Cisco MDS 9000 Family of switches allows traffic to be classified into four distinct levels for service differentiation. Application of QoS helps to ensure that Fibre Channel data traffic for latency-sensitive applications receives higher priority than throughput-intensive applications such as data warehousing.

Zone-based QoS is included in the Cisco MDS 9000 Family Enterprise Package and complements the standard QoS data-traffic classification by VSAN ID, N-port worldwide name (WWN), and Fibre Channel identifier (FC-ID). Zone-based QoS helps simplify configuration and administration by using the familiar zoning concept. QoS can also be configured per VSAN or be policy or class based.

Security and Compliance

The Cisco MDS 9000 Family Enterprise Package includes many enhanced network security features:

Switch-switch and host-switch authentication – Fibre Channel Security Protocol (FC-SP) capabilities in Cisco MDS 9000 NX-OS provide switch-switch and host-switch authentication. This feature helps eliminate disruptions that can occur because of unauthorized devices connecting to a large enterprise fabric.

LUN Zoning – Cisco MDS SAN-OS hardware-enforced LUN Zoning ensures LUNs (Logical Unit Numbers) are accessible only by specific hosts. LUN Zoning provides a single point of control for managing secure access to LUNs across heterogeneous storage subsystems.

Diffie-Hellman Challenge Handshake Authentication Protocol (DH-CHAP) is used to perform authentication locally in the Cisco MDS 9000 Family switch or remotely through RADIUS or TACACS+. If authentication fails, a switch or host cannot join the fabric.

Port security locks down the mapping of an entity to a switch port. The entity can be a host, target, or switch and is identified by its WWN. This feature helps ensure that SAN security is not compromised by connection of unauthorized devices to a switch port.

VSAN-based access control allows customers to define roles in which the scope of the roles is limited to certain VSANs. For example, a Service Provider administrator role can be set up to allow configuration of all platform-specific capabilities, and Tenant VSAN-administrator roles can be set up to allow configuration and management of only specific VSANs. VSAN-based access control reduces SAN disruptions by localizing the effects of user errors to the VSANs for which the user has administrative privileges.

IP Security (IPsec) is available for FCIP and SCSI over IP (iSCSI) over Gigabit Ethernet ports on the Cisco MDS 9000 14/2-Port MSM and MDS 9216i. The proven IETF standard IPsec capabilities offer secure authentication, data encryption for privacy, and data integrity. Internet Key Exchange version 1 (IKEv1) and IKEv2 protocols are used to set up the security associations for IPsec dynamically using pre-shared keys for remote-side authentication.


Digital certificates are issued by a trusted third party and are used as electronic passports to prove the identity of certificate owners. After the trusted third party has verified the owner's identity, the certificate binds the owner's public key to the identity data it contains. On the Cisco MDS 9000 Family platform, digital certificates apply to IKE as well as to Secure Shell (SSH).

Fabric binding for open systems helps ensure that Inter-Switch Links (ISLs) are enabled only between switches that have been authorized in the fabric binding configuration. This feature helps prevent unauthorized switches from joining the fabric or disrupting current fabric operations.
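Port security and fabric binding from the list above both act when a device or switch logs in to the fabric. This added example (not VCE or Cisco code; switch names, port names, WWNs and the log format are constructed) models that admission decision for host logins and ISL bring-up; the "learning" state, a port whose WWN binding has been recorded but not yet enforced, is a simplification assumed here to show why such ports deserve monitoring.

```python
"""Login-time admission model for two SAN controls: port security (a switch
port accepts only the WWN bound to it) and fabric binding (an ISL comes up
only towards an authorized switch). Added example, not VCE or Cisco code;
all names, WWNs and the log-line format are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginEvent:
    switch: str
    port: str
    kind: str   # "FLOGI" for a host/target N_port, "ELP" for a switch-to-switch ISL
    wwn: str


class AdmissionPolicy:
    def __init__(self, port_bindings, authorized_switches, learning_ports=()):
        self.port_bindings = dict(port_bindings)          # (switch, port) -> bound WWN
        self.authorized_switches = set(authorized_switches)  # fabric binding list (sWWNs)
        self.learning_ports = set(learning_ports)         # bindings recorded, not enforced

    def decide(self, ev: LoginEvent) -> tuple:
        """Return (verdict, log line). Verdicts: ACCEPT, REJECT, LEARN."""
        key = (ev.switch, ev.port)
        # Fabric binding is evaluated first for ISLs: an unknown switch never joins.
        if ev.kind == "ELP" and ev.wwn not in self.authorized_switches:
            return "REJECT", self._log(ev, "REJECT", "fabric binding: switch not authorized")
        # A port still learning does not enforce; flag it so the SOC can see the gap.
        if key in self.learning_ports:
            return "LEARN", self._log(ev, "LEARN", "port security learning, not enforced")
        bound = self.port_bindings.get(key)
        if bound is None:
            return "REJECT", self._log(ev, "REJECT", "port security: no binding for port")
        if bound != ev.wwn:
            return "REJECT", self._log(ev, "REJECT", f"port security: port bound to {bound}")
        return "ACCEPT", self._log(ev, "ACCEPT", "binding matched")

    @staticmethod
    def _log(ev: LoginEvent, verdict: str, reason: str) -> str:
        return (f"switch={ev.switch} port={ev.port} type={ev.kind} wwn={ev.wwn} "
                f"verdict={verdict} reason={reason}")


def run_demo() -> list:
    # Constructed policy for one switch, "mds-a", with an ISL to switch "mds-b".
    policy = AdmissionPolicy(
        port_bindings={("mds-a", "fc1/1"): "20:00:00:25:b5:0a:00:01",   # tenant host
                       ("mds-a", "fc1/2"): "50:06:01:60:3b:a0:00:01",   # storage port
                       ("mds-a", "fc2/1"): "20:00:00:0d:ec:00:00:02"},  # ISL to mds-b
        authorized_switches={"20:00:00:0d:ec:00:00:02"},
        learning_ports={("mds-a", "fc1/3")},
    )
    events = [  # constructed login events
        LoginEvent("mds-a", "fc1/1", "FLOGI", "20:00:00:25:b5:0a:00:01"),  # bound host
        LoginEvent("mds-a", "fc1/2", "FLOGI", "20:00:00:25:b5:0b:00:09"),  # wrong WWN
        LoginEvent("mds-a", "fc1/3", "FLOGI", "20:00:00:25:b5:0c:00:01"),  # learning port
        LoginEvent("mds-a", "fc2/1", "ELP", "20:00:00:0d:ec:00:00:02"),    # authorized ISL
        LoginEvent("mds-a", "fc2/2", "ELP", "20:00:00:0d:ec:00:00:99"),    # unknown switch
    ]
    return [policy.decide(e) for e in events]
```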

Availability and Data Protection

The Cisco MDS 9000 Family Series PortChannel can be configured to bundle physical links from any ports on any Cisco MDS 9000 Family Fibre Channel Switching Module logically with no restrictions. This feature allows customers to deploy highly available solutions with great flexibility. If a port, ASIC, or even module fails, the stability of the network will not be affected because the logical PortChannel may have reduced overall bandwidth but will still be active.

Several VSANs created on the same physical SAN ensure redundancy. If one VSAN fails, redundant protection (to another VSAN in the same physical SAN) is configured using a backup path between the host and the device. In addition, replication of fabric services on a per-VSAN basis provides increased scalability and availability.

Service Provider Management and Control

Cisco device and fabric management software, combined with leading SAN management and storage resource management software, provides all the features needed to rapidly install, configure, manage, and troubleshoot the Cisco MDS 9000 Family and Cisco Nexus 5000 SAN features.

Cisco Data Center Network Manager

Cisco Data Center Network Manager (DCNM) provides an effective tool to manage the data center infrastructure and actively monitor the SAN and LAN.

Service Provider Management and Control

With DCNM, many features of Cisco NX-OS – including Ethernet switching, physical ports and port channels, and ACLs – can be configured and monitored.

Cisco Fabric Manager

Cisco Fabric Manager is the management tool for storage networking across all Cisco SAN and Unified Fabrics. It provides comprehensive visibility for improved management and control of Cisco storage and helps reduce overall total cost of ownership (TCO) and complexity through unified discovery of all Cisco Data Center 3.0 devices and through task automation and detailed reporting. Cisco Fabric Manager provides centralized storage network management services, performance monitoring, federated reporting, troubleshooting tools, discovery, and configuration automation.

Service Provider Management and Control

Visibility and control in the Cisco storage network enables service providers and IT departments to optimize for the QoS levels required to meet service-level agreements (SLAs) for internal and external consumers.


VLAN Separation

Secure Separation

A virtual LAN (VLAN) is a logical grouping of switch ports and host ports into a logical LAN, regardless of the actual physical LAN. As such, the VLAN is a mechanism that allows for the segregation of network traffic. In multi-tenant environments, assigning a different group of VLANs to each tenant separates tenant traffic. At the same time, VLANs can separate control and management traffic from user data traffic. The TMT architecture supports VLANs in all the Vblock components. In every multi-tenant environment, the effective degree of separation derives directly from the lowest common denominator of segmentation and isolation; therefore, enforcement at every layer of the service stack must ensure secure separation. Achieving Trusted Multi-Tenancy may require the use of one or more methods at each infrastructure layer. Figure 21 illustrates VLAN separation.

Figure 21. VLAN separation

Virtual Routing and Forwarding

Virtual routing and forwarding (VRF) is a technology included in IP (Internet Protocol) network routers that allows multiple instances of a routing table to exist in a router and to work simultaneously (Figure 22).

Secure Separation

VRF allows provider administrators to split a physical link into multiple virtual links completely isolated from each other and to create multiple redundant paths. Typically, redundant pairs of VRF instances provide Layer 3 services for their associated tenant VLAN segments.

Security and Compliance

Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication.

Service Provider Management and Control

Service providers often use VRF to create separate virtual private networks (VPNs) for tenants; the technology is also known as VPN routing and forwarding.
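To make the VRF separation above concrete, here is an added example (not VCE or Cisco code; VRF names, prefixes, next hops and interface names are constructed) in which two tenant VRFs carry overlapping 10.0.0.0/24 routes and every lookup is scoped to the VRF of the ingress interface, so a packet arriving on tenant B's sub-interface can never match a tenant A route.

```python
"""Per-VRF longest-prefix-match model: each tenant VRF owns its own routing
table, so overlapping tenant address space never collides and a lookup is
always confined to the VRF bound to the ingress interface. Added example,
not VCE or Cisco code; all prefixes, next hops and interface names are constructed."""
import ipaddress
from typing import Optional


class Vrf:
    def __init__(self, name: str) -> None:
        self.name = name
        self.routes: list = []   # (IPv4Network, next-hop label)

    def add_route(self, prefix: str, next_hop: str) -> None:
        self.routes.append((ipaddress.ip_network(prefix), next_hop))

    def lookup(self, dst: str) -> Optional[str]:
        """Longest-prefix match within this VRF only; None means no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best[1] if best else None


class VrfRouter:
    def __init__(self) -> None:
        self.vrfs: dict = {}
        self.iface_vrf: dict = {}   # interface or sub-interface -> VRF name

    def add_vrf(self, name: str) -> Vrf:
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def bind_interface(self, iface: str, vrf: str) -> None:
        self.iface_vrf[iface] = vrf

    def forward(self, ingress_iface: str, dst: str) -> Optional[str]:
        """Forward using only the table of the ingress interface's VRF."""
        vrf = self.vrfs[self.iface_vrf[ingress_iface]]
        return vrf.lookup(dst)


def build_demo_router() -> VrfRouter:
    # Constructed two-tenant configuration; both tenants use the same RFC 1918 space.
    r = VrfRouter()
    a = r.add_vrf("tenant-a")
    b = r.add_vrf("tenant-b")
    a.add_route("10.0.0.0/24", "vlan101")        # tenant A web tier
    a.add_route("10.0.1.0/24", "vlan102")        # tenant A app tier
    a.add_route("0.0.0.0/0", "tenant-a-edge")    # tenant A default route
    b.add_route("10.0.0.0/24", "vlan201")        # tenant B, same prefix as tenant A
    b.add_route("10.0.0.128/25", "vlan202")      # more specific route inside it
    r.bind_interface("Ethernet1/1.101", "tenant-a")
    r.bind_interface("Ethernet1/1.201", "tenant-b")
    return r
```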


Figure 22. Virtual routing and forwarding

Hot Standby Router Protocol

Availability

The Hot Standby Router Protocol (HSRP) supports non-disruptive failover of IP traffic to help ensure networking service availability. In particular, the protocol protects against the failure of the first-hop router when the source host cannot learn the IP address of the first-hop router dynamically. Using HSRP, a set of routers can work in concert to present the illusion of a single virtual router to the hosts on the LAN. This set is known as an HSRP group or a standby group. A single router elected from the group is responsible for forwarding the packets that hosts send to the virtual router. This router is known as the active router. Another router is elected as the standby router. In the event that the active router fails, the standby assumes the packet forwarding duties of the active router.

MAC Address Learning

Availability

MAC address learning is a service in which the source MAC address of each received packet is stored so that future packets destined for that address can be forwarded only to the bridge interface on which that address is located. Packets destined for unrecognized addresses are forwarded out every bridge interface. This scheme helps minimize traffic on the attached LANs. The IEEE 802.1 standard defines MAC address learning.

EtherChannel

Availability

EtherChannel provides incremental trunk speeds between Fast Ethernet, Gigabit Ethernet, and 10 Gigabit Ethernet, which allows load sharing of traffic among the links in the channel as well as redundancy in the event that one or more links in the channel fail.


Conclusion

Cloud computing offers many economic and environmental advantages to service providers. The ability to deliver infrastructure services to multiple internal or external consumers is a core component of cloud computing. With shared virtual converged infrastructure and best-of-class network, compute, storage, virtualization, and security technologies from Cisco, EMC, and VMware, the Vblock platform presents new opportunities for service providers to deliver secure dedicated services to multiple tenants. Vblock Trusted Multi-Tenancy (TMT) enables service providers to address the key concerns of tenants in the multi-tenant environment – confidentiality, security, compliance, service levels, availability, data protection, and management control.

Vblock TMT uses a layered approach with security controls, isolation mechanisms, and monitoring controls embedded in the network, compute, and storage layers of the converged infrastructure. This layered approach provides secure access to the cloud, guarantees resources to tenants, and provides abstraction of the physical elements. Virtualization at different layers allows the infrastructure to provide logical isolation without dedicating physical resources to each tenant.

Effective, efficient coordination and management of the Vblock components and processes across the infrastructure are critical to delivering Infrastructure as a Service. Standard management tools at each layer allow views into that layer's configurations, resources, and usage. The optional Vblock Advanced Management Pod (AMP) is preconfigured with EMC Ionix Unified Infrastructure Manager (UIM), Nimsoft Monitoring Solution (NMS), and other tools necessary to manage and monitor the entire Vblock converged infrastructure. VMware vCenter Server provides unified management of all the hosts and VMs in the Vblock platform. In addition, a variety of component-specific management tools and interfaces enable granular visibility into each system element.

The confidentiality and security of tenant data is a fundamental requirement of a multi-tenant environment. A variety of products from RSA, VMware, and Cisco provide proven protection against well-known and emerging threats to help secure confidential data and meet ever-increasing compliance mandates. Most notably, the RSA Solution for Cloud Security and Compliance offers a foundation that enables organizations to effectively address the security of VMware environments.

As shown in this paper, the following six foundational elements form the basis of the TMT model:

Secure Separation – Ensures the resources of existing tenants remain untouched and uncompromised when new tenants are provisioned. Vblock TMT provides secure separation methods at every layer of the shared converged infrastructure to safeguard the security and privacy of each tenant.

Service Assurance – Provides tenants with consistent and reliable service levels that accommodate their growth and changing business needs. Various methods are available in the TMT model to deliver consistent service level agreements (SLAs) and ensure quality of service across the network, compute, and storage components of the Vblock platform.

Security and Compliance – Maintains the confidentiality, integrity, and availability of each tenant's environment. Vblock TMT provides security at every layer of the shared infrastructure using technologies such as identity management and access control, encryption and key management, firewalls, malware protection, and intrusion prevention.

Availability and Data Protection – Ensures that resources such as network bandwidth, memory, CPU, or data storage are always online and available to tenants when needed. Vblock TMT provides a secured environment by using threat detection and mitigation, including the monitoring of and response to intrusions and attacks against the TMT environment and its tenants.


Tenant Management and Control – Allows tenants to change the environment to suit their workloads as resource requirements change.

Service Management and Control – Simplifies management of resources at every level of the infrastructure and provides the functionality to provision, monitor, troubleshoot, and charge for the resources used by tenants. The Vblock platform helps address these challenges by providing scalable, integrated management solutions inherent to the infrastructure and a rich, fully developed API stack for adding additional service provider value.

VCE is extensively involved in designing, testing, and validating Vblock TMT with innovative technologies, platforms, and solutions at the network, compute, storage, and virtualization layers. Service providers can use these tested solutions to deploy TMT public and private clouds. By using these solutions as a reference guide, they can create a Trusted Multi-Tenant infrastructure that is secure, flexible, highly functional, and interoperable to generate revenue by providing value-added services.


Further Reading

The RSA Solution for Cloud Security and Compliance

http://www.rsa.com/solutions/technology/secure/sb/11065_CLDINF_SB_0810.pdf


Copyright © 2011 VCE Company, LLC. All rights reserved. Vblock and the VCE logo are registered trademarks or trademarks of VCE Company, LLC. and/or its affiliates in the United States or other countries. All other trademarks used herein are the property of their respective owners.

Copyright © 2011 Harris Corporation. All rights reserved. Harris, the Harris logo, and Harris Corporation are registered trademarks or trademarks of Harris Corporation and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Harris Corporation and any other company.

Harris Corporation | 1025 West NASA Boulevard, Melbourne, Florida 32919-0001 USA | 321-727-9207 or 800-442-7747 | www.harris.com

Microsoft, Active Directory, and Windows are registered trademarks of Microsoft Corporation in the United States and/or other countries.


ABOUT VCE

VCE, the Virtual Computing Environment Company formed by Cisco and EMC with investments from VMware and Intel, accelerates the adoption of converged infrastructure and cloud-based computing models that dramatically reduce the cost of IT while improving time to market for our customers. VCE, through the Vblock platform, delivers the industry's first completely integrated IT offering with end-to-end vendor accountability. VCE's prepackaged solutions are available through an extensive partner network, and cover horizontal applications, vertical industry offerings, and application development environments, allowing customers to focus on business innovation instead of integrating, validating and managing IT infrastructure.

For more information, go to www.vce.com.