Nexus 1000V in Context of SDN
Martin Divis, CSE, [email protected]
Cisco and/or its affiliates. All rights reserved. Presentation_ID Cisco Public
Why Cisco Nexus 1000V: Losing the Edge
Hosts, each with its own vSwitch, connect to the rest of the network…
§ Server Admin manages virtual switching!
§ Unsupervised VM to VM communication
§ VMs on the wrong VLANs
§ Network Admin: no network visibility or control, no policy and VLAN control
Why Cisco Nexus 1000V: Finding it back!
Hosts run the Nexus 1000V distributed virtual switch.
§ Server Admin freed from managing the network
§ Virtual switching managed by the Network Admin: full network policy control and visibility
Cisco Nexus 1000V Overview
VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module
The Nexus 1000V is built like a modular switch: the redundant VSM pair (VSM1, VSM2), which runs as a virtual appliance and is operated by the Network Admin, plays the role of Supervisor-1/Supervisor-2; the VEM on each hypervisor (VEM-1, VEM-2, … VEM-N), on hosts that stay in the Server Admin's domain, plays the role of Linecard-1, Linecard-2, … Linecard-N; the network between VSM and VEMs takes the place of the backplane.
Why Not Configure Virtual Ports?
§ Too many ports, and they move too fast
§ Network admin needs sanity
§ Server admin needs freedom
– To deploy and move virtual machines
– To deploy and move physical hosts
The same per-port configuration repeated for every port:
switch # int gi1/0/35
  switchport mode access
  switchport access vlan 23
  etc…
switch # int gi1/0/47
  switchport mode access
  switchport access vlan 23
  etc…
switch # int gi1/0/21
  switchport mode access
  switchport access vlan 23
  etc…
switch # int gi1/0/17
  switchport mode access
  switchport access vlan 23
  etc…
(Slide image: Space Invaders screenshot. Source: http://images.webmagic.com/klov.com/screens/S/wSpace_Invaders.png)
Cisco Nexus 1000V Architecture
Embedding intelligence for virtual services: Nexus 1000V with vPath and VXLAN runs on each hypervisor (ESX, Hyper-V; KVM, Xen) on top of the Ethernet/IP network fabric.
Virtual Service Data Path (vPath)
• Service chaining (traffic steering)
• Fast-path offload
• VXLAN aware
Virtual Extensible LAN (VXLAN): scaling LAN segments DC-wide, VM mobility
• LAN segment across Layer 3
• Works with existing network infrastructure
• 16 million segments
Virtual appliances: Cisco vWAAS, N1KV VSM, ASA 1000V, Cisco VSG, Citrix VPX*, CSR1000V, Imperva WAF*
* To be released in CY13
vPath – Service Chaining
§ A Service Path defines the service chain: an ordered list of service profiles (e.g. security profile, edge profile, SLB profile, etc.)
§ Traffic Selector rules are used to configure the Service Table in vPath
§ An endpoint VM is associated with a Service Path via Port-Profile Binding
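The three objects on this slide (ordered service path, traffic selectors filling the service table, port-profile binding) plus the fast-path offload from the architecture slide, as an added example model written for this page; it is not Nexus 1000V code and does not reproduce its CLI. Service node names, port-profile names, addresses and the "steer everything when no selector matches" default are assumptions of the model.

```python
"""vPath service-chain lookup model (added example, not Cisco code).

Service profiles are grouped into an ordered service path; traffic
selector rules fill the service table for that path; a VM gets a path
through its port-profile binding. Once a service node reports that a
flow needs no further inspection, the flow is offloaded to the fast path.
All names and addresses below are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str            # "tcp", "udp", "icmp"
    dst_port: int = 0


@dataclass(frozen=True)
class ServiceProfile:
    node: str             # service node applying it, e.g. a VSG instance (assumed name)
    profile: str          # e.g. "security profile", "edge profile", "slb profile"


def _in_net(ip: str, net: Optional[str]) -> bool:
    return net is None or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass
class TrafficSelector:
    """One service-table rule; a field left None matches anything."""
    src: Optional[str] = None       # CIDR
    dst: Optional[str] = None       # CIDR
    proto: Optional[str] = None
    dst_port: Optional[int] = None
    steer: bool = True              # False: matching flows bypass the chain

    def matches(self, f: Flow) -> bool:
        return (_in_net(f.src_ip, self.src) and _in_net(f.dst_ip, self.dst)
                and self.proto in (None, f.proto)
                and self.dst_port in (None, f.dst_port))


class VPath:
    def __init__(self) -> None:
        self.paths: Dict[str, List[ServiceProfile]] = {}       # path -> ordered profiles
        self.service_table: Dict[str, List[TrafficSelector]] = {}
        self.bindings: Dict[str, str] = {}                     # port-profile -> path
        self.offloaded: Set[Flow] = set()                      # flows on the fast path

    def add_service_path(self, name: str, profiles: List[ServiceProfile]) -> None:
        self.paths[name] = list(profiles)
        self.service_table.setdefault(name, [])

    def add_selector(self, path: str, rule: TrafficSelector) -> None:
        self.service_table[path].append(rule)

    def bind_port_profile(self, port_profile: str, path: str) -> None:
        self.bindings[port_profile] = path

    def offload(self, flow: Flow) -> None:
        """Called when a service node decides the rest of the flow needs no service."""
        self.offloaded.add(flow)

    def steer(self, port_profile: str, flow: Flow) -> List[str]:
        """Ordered service nodes this flow visits; [] means forward directly."""
        path = self.bindings.get(port_profile)
        if path is None or flow in self.offloaded:
            return []
        for rule in self.service_table[path]:
            if rule.matches(flow):          # first matching selector wins
                break
        else:
            rule = TrafficSelector()        # no rule matched: steer (model assumption)
        if not rule.steer:
            return []
        return [p.node for p in self.paths[path]]
```

The selector list is evaluated in configuration order, so a bypass rule for east-west management traffic has to precede a broad steer rule or it never fires; the `offloaded` set is keyed on the full flow tuple so a new connection from the same VM is inspected again.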
VXLAN Deep Dive – Overlays: Why Overlays?
Flexible Overlay Virtual Network
• Mobility: track end-point attach at the edges
• Scale: reduce core state; distribute and partition state to the network edge
• Flexibility/Programmability: reduced number of touch points
Robust Underlay/Fabric
• High capacity resilient fabric
• Intelligent packet handling
• Programmable and manageable
VXLAN frame format
Original frame: Ethernet Header | Payload | FCS
Encapsulated frame: Outer Ethernet | Outer IP | Outer UDP | VXLAN (8 bytes) | Inner Ethernet | Payload | New FCS
VXLAN header (8 bytes): Flags (1 byte) | Reserved (3 bytes) | Segment ID (3 bytes) | Reserved (1 byte)
Outer UDP Destination Port = VXLAN (originally 8472, recently updated to 4789)
Outer UDP Source Port = Hash of Inner Frame Headers (optional)
VXLAN Deep Dive – Overview: Virtual eXtensible LAN (VXLAN)
• Virtual eXtensible LAN (VXLAN) is a Layer 2 overlay scheme over a Layer 3 network.
• A 24-bit VXLAN Segment ID or VXLAN Network Identifier (VNI) is included in the encapsulation to provide up to 16M VXLAN segments for traffic isolation/segmentation, in contrast to the 4K segments achievable with VLANs.
• Each of these segments represents a unique Layer 2 broadcast domain, and can be administered in such a way that it uniquely identifies a given tenant's address space or subnet…
VXLAN Deep Dive – Overview: VTEP – Handling of Multi-Destination Traffic
• Since a control/signaling protocol has not been defined, emulation of multi-destination traffic (broadcast, multicast, unknown unicast) is handled through the VXLAN IP underlay through the use of segment control multicast groups…
(Diagram: VTEP-1 at IP-1 with End System A (MAC-A, IP-A), VTEP-2 at IP-2 with End System B (MAC-B, IP-B) and VTEP-3 at IP-3 with further end systems, all attached to the IP network and joined to the segment's Mcast Group.)
Note: VXLAN 1.1 added a control/signaling mechanism via a centralized agent; in the case of the Nexus 1000V this agent is the VSM.
VTEP: implemented in software or hardware. Required for a VXLAN gateway.
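The frame format and the VTEP flooding rule from the two slides above, as an added example written for this page (not Cisco code and not from the slides): it builds and parses the outer Ethernet/IPv4/UDP/VXLAN encapsulation and models a VTEP that sends known inner MACs unicast to the VTEP it learned them from and floods broadcast, multicast and unknown unicast to the segment's multicast group. MAC addresses, VTEP IPs, the VNI, the group address and the "next hop" MAC used in place of ARP are constructed values.

```python
"""VXLAN encapsulation and VTEP forwarding model (added example, not Cisco code).

Builds the outer Ethernet/IPv4/UDP/VXLAN headers around an inner frame,
parses them back, and models the VTEP decision: known inner destination
MAC -> unicast to the learned VTEP; broadcast/multicast/unknown unicast ->
the segment's multicast group. All addresses below are constructed.
"""
import socket
import struct
import zlib
from typing import Dict, Tuple

VXLAN_PORT = 4789        # IANA-assigned; early implementations used 8472
VXLAN_FLAG_I = 0x08      # "I" bit: the VNI field is valid (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_mcast_mac(group: str) -> bytes:
    """IPv4 multicast group -> 01:00:5e MAC built from the group's low 23 bits."""
    low = struct.unpack("!I", socket.inet_aton(group))[0] & 0x7FFFFF
    return b"\x01\x00\x5e" + low.to_bytes(3, "big")


def ip_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must be 24-bit")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", hdr[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    return word1 >> 8        # reserved bits are ignored on receipt


def encapsulate(inner: bytes, vni: int, src_ip: str, dst_ip: str,
                src_mac: str, dst_mac: bytes) -> bytes:
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner)
    # source port hashed from the inner headers gives the underlay ECMP entropy
    src_port = 49152 + zlib.crc32(inner[:34]) % 16384
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)  # UDP checksum 0
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = dst_mac + mac_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vx + inner


def decapsulate(pkt: bytes) -> Tuple[str, str, int, bytes]:
    """Return (outer src IP, outer dst IP, VNI, inner frame); raise if malformed."""
    if len(pkt) < 64 or struct.unpack("!H", pkt[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame of VXLAN size")
    if pkt[23] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    udp_off = 14 + (pkt[14] & 0x0F) * 4
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", pkt[udp_off:udp_off + 8])
    if dst_port != VXLAN_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vni = parse_vxlan_header(pkt[udp_off + 8:udp_off + 16])
    return (socket.inet_ntoa(pkt[26:30]), socket.inet_ntoa(pkt[30:34]), vni,
            pkt[udp_off + 16:udp_off + udp_len])


class Vtep:
    """A tunnel endpoint with a per-segment learned inner-MAC -> VTEP table."""

    def __init__(self, ip: str, mac: str, groups: Dict[int, str], next_hop_mac: str):
        self.ip, self.mac, self.groups = ip, mac, groups   # groups: VNI -> mcast group
        self.next_hop = mac_bytes(next_hop_mac)            # outer MAC for unicast (stand-in for ARP)
        self.learned: Dict[Tuple[int, bytes], str] = {}

    def send(self, inner: bytes, vni: int) -> bytes:
        dst = inner[:6]
        remote = self.learned.get((vni, dst))
        if dst[0] & 1 or remote is None:
            # group bit set (broadcast/multicast) or unknown unicast: flood via the group
            group = self.groups[vni]
            return encapsulate(inner, vni, self.ip, group, self.mac, ipv4_mcast_mac(group))
        return encapsulate(inner, vni, self.ip, remote, self.mac, self.next_hop)

    def receive(self, pkt: bytes) -> Tuple[int, bytes]:
        src_ip, _, vni, inner = decapsulate(pkt)
        self.learned[(vni, inner[6:12])] = src_ip      # learn inner src MAC -> remote VTEP
        return vni, inner
```

Two points worth noticing when reading captures: the VNI is carried in cleartext with no authentication, so anything that can inject UDP/4789 into the underlay can inject frames into a segment unless the underlay filters it; and the learning in `receive` trusts the outer source IP, which is why a VTEP should only accept VXLAN from known peers.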
VXLAN implementations today
§ Nexus 1000V (L2) – network virtualization in the server virtualization context – vCenter, Hyper-V, KVM, OpenStack
§ Nexus 3100 (L2), 5600 (L2, L3), 9000 (L2, L3) – gateway
§ Cisco ASR 1000 (L2, L3), 9000 (L2, L3) – gateway
§ VMware vShield & DVS (L2)
§ VMware NSX (L2, L3)
– alternatively can use STT
– can use a limited number of switch models for a HW gateway (L2)
§ Many other chipset & HW vendors (L2)
REST API
HTTP Programmability: Open RPC API – extensible to support REST
HTTP GET http://192.168.133.131/api/vlan
{
  "1": {
    "url": "/api/vlan/1",
    "properties": { "id": 1, "state": "active", "name": "default", "shutdown": false }
  },
  "5": {
    "url": "/api/vlan/5",
    "properties": { "id": 5, "state": "active", "name": "dbs", "shutdown": false }
  }
}
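A client for the /api/vlan listing shown above, as an added example written for this page rather than Cisco code: it parses the response into VLAN records and reports active VLANs that are not on the network team's approved list (the "VMs on the wrong VLANs" problem from the opening slides). The transport function assumes HTTP Basic authentication with VSM credentials and uses HTTPS with certificate verification; the slide only shows a plain http URL, so both the auth scheme and the TLS setup are assumptions. The embedded sample body is the JSON from the slide.

```python
"""Nexus 1000V REST API: list VLANs and audit them against an allow-list.

Added example, not from the slides or from Cisco. parse_vlan_listing()
handles the JSON shape shown for GET /api/vlan; unexpected_vlans() is the
policy check; fetch_vlan_listing() assumes HTTP Basic auth over HTTPS with
a verified certificate (assumption: the slide shows plain http).
"""
import base64
import json
import ssl
import urllib.request
from typing import Dict, List, Optional, Set

# Sample body copied from the slide's GET /api/vlan response.
SAMPLE_BODY = """{ "1": { "url": "/api/vlan/1", "properties": { "id": 1,
"state": "active", "name": "default", "shutdown": false } }, "5": { "url":
"/api/vlan/5", "properties": { "id": 5, "state": "active", "name": "dbs",
"shutdown": false } } }"""


def parse_vlan_listing(body: str) -> List[Dict]:
    """Turn the keyed JSON object into a list of VLAN records sorted by id."""
    doc = json.loads(body)
    vlans = []
    for key, entry in doc.items():
        props = entry["properties"]
        vlan_id = int(props["id"])
        if int(key) != vlan_id:        # the key and the id should agree; distrust otherwise
            raise ValueError("listing key %s does not match id %d" % (key, vlan_id))
        vlans.append({"id": vlan_id, "name": props["name"], "state": props["state"],
                      "shutdown": bool(props["shutdown"]), "url": entry["url"]})
    return sorted(vlans, key=lambda v: v["id"])


def unexpected_vlans(vlans: List[Dict], approved: Set[int]) -> List[int]:
    """Ids of active, non-shutdown VLANs that are not on the approved list."""
    return [v["id"] for v in vlans
            if v["id"] not in approved and v["state"] == "active" and not v["shutdown"]]


def fetch_vlan_listing(host: str, user: str, password: str,
                       cafile: Optional[str] = None, timeout: int = 10) -> str:
    """GET https://<host>/api/vlan with Basic auth (assumed scheme) over verified TLS."""
    token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
    req = urllib.request.Request("https://%s/api/vlan" % host, headers={
        "Authorization": "Basic " + token, "Accept": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)   # cafile: the VSM's CA, if private
    with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
        return resp.read().decode("utf-8")


def audit(host: str, user: str, password: str, approved: Set[int]) -> List[int]:
    return unexpected_vlans(parse_vlan_listing(fetch_vlan_listing(host, user, password)), approved)
```

Run `audit("192.168.133.131", user, password, {1, 5})` against a VSM; an empty list means every active VLAN on the virtual switch is one the network team approved. Keep the credentials out of the script and give the read-only user only the access the listing needs.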
Nexus 1000v REST API Services
§ VLAN, VXLAN
§ Port-Profiles
§ Virtual Service Nodes, vPath
§ SPAN Ports
§ User access
§ Hypervisor dependent operations, mostly read only
– License
– Connectivity
– vNIC, uplinks, port-profiles
– Inventory
Warning, warning, warning
§ Nexus 1000v is available for:
– vSphere
– Hyper-V
– KVM
§ And while the features and CLI are almost the same for all platforms... ...the REST API is totally different
OpenStack Neutron Architecture
Neutron Server
• REST API: Core API (Network, Port, Subnet) and Resource and Attribute Extension API (ProviderNetwork, PortBinding, Router, Quotas, SecurityGroups, AgentScheduler, LBaaS, FWaaS, VPNaaS, …)
• Neutron core plugins: ML2, Cisco (Nexus, N1Kv), OVS, more vendor plugins
• ML2 Type Drivers: VLAN, GRE, VXLAN
• ML2 Mechanism Drivers (southbound interfaces): Cisco Nexus, OVS, OpenDaylight, APIC, more vendor drivers
• Neutron service plugins with backend drivers: Load Balancer (HAProxy), Firewall (IPTables), VPN (OpenSwan), L3 Services, Futures
• Agents, reached over the Message Queue: DHCP Agent and L3 Agent (IPTables on the Network Node), L2 Agent (OVS on the Compute Node)
Summary
• Core + Extension REST APIs
• Message Queue for communicating with Neutron Agents
• Core and Service Plugins
• Different vendor core plugins
• Different network technology support
• ML2 plugin with Type and Mechanism Drivers
• Service plugins with backend drivers
Neutron Cisco Nexus1000v Plugin (KVM)
Components: the Neutron Server with the Cisco N1Kv core plugin; the N1Kv VSM, reached by the plugin over its REST API; the Compute Nodes, each running the N1Kv VEM with the VMs; Nova, which boots the VMs.
Neutron N1Kv specific API extensions usage:
neutron network-profile-create PROFILE_NAME vlan --segment_range 400-499
neutron net-create NETWORK_NAME --n1kv:profile_id PROFILE_ID
neutron policy-profile-list
neutron port-create NETWORK_NAME --n1kv:profile_id PROFILE_ID
Benefits:
§ Network Profiles – VLAN, VXLAN (multicast/unicast), Trunk
§ Policy Profiles – ACLs, QoS
§ VXLAN Gateway Service VM
Object mapping:
• Network Profile (created by the admin in Neutron) : Network Segment Pool on the VSM
• Policy Profile (defined in the VSM, picked up by the plugin through periodic polling) : Port Profile on the VSM
Please rate this talk
• Thank you