Cisco Virtualized Network Services: Ready for Your Cloud

Soumen Chatterjee, Product Manager, Data Center Group

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Virtual Appliance Nexus 1010

Diagram: a Nexus 1010 hosting virtual appliances (vWAAS, VSG, VSM, NAM) as virtual service blades, with a primary and a secondary VSM and L3 connectivity to VEMs running on VMware ESX, Windows Server 2012 and an open-source hypervisor; each VEM carries vPath and VXLAN, and an ASA 1000V sits at the tenant edge.

Glossary
• VSM: Virtual Supervisor Module
• VEM: Virtual Ethernet Module
• vPath: Virtual Service Data-path
• VXLAN: Scalable Segmentation
• VSG: Virtual Security Gateway
• vWAAS: Virtual WAAS
• ASA 1000V: Tenant-edge security

Virtual Service Blades
• Virtual Supervisor Module (VSM)
• Network Analysis Module (NAM)
• Virtual Security Gateway (VSG)
• Data Center Network Manager (DCNM)

VXLAN
• 16M address space for LAN segments
• Network Virtualization (MAC-over-UDP)

vPath
• Service Binding (Traffic Steering)
• Fast-Path Offload

Diagram: the Virtual Security Gateway (zone-based segmentation of VMs) and the ASA 1000V (external / multi-tenant edge deployment) are both inserted through vPath on the Nexus 1000V running in the hypervisor, and both are managed by the Virtual Network Management Center (VNMC).

Virtual Security Gateway (VSG) with the Virtual Network Management Center (VNMC)
• Context-aware Security: VM context aware rules
• Zone-based Controls: establish zones of trust
• Dynamic, Agile: policies follow vMotion
• Best-in-class Architecture: efficient, fast, scale-out software (with vPath intelligence)
• Non-Disruptive Operations: security team manages security
• Policy-Based Administration: central management, scalable deployment, multi-tenancy
• Designed for Automation: XML API, security profiles

Virtual Security Gateway for Nexus 1000V: context-based, virtualization-aware, multi-tenant workload segmentation for data centers and clouds

Diagram: a Nexus 1000V distributed virtual switch with vPath on every host, VMs spread across multiple hosts, an active and a stand-by VSG, VNMC management and a log/audit feed.
• Secure Segmentation (VLAN agnostic)
• Efficient Deployment (secure multiple hosts)
• Transparent Insertion (topology agnostic)
• High Availability (active / stand-by VSG)
• Dynamic policy-based provisioning
• Mobility aware (policies follow vMotion)

VNMC: Virtual Network Management Center

Secure zoning of 3-Tier Application Workload

Diagram: Tenant_A and Tenant_B each run web servers, app servers and DB servers; an ASA firewall provides inter-tenant edge control (VLAN based), while VSG provides secure zoning inside each tenant.

Zone policy
• Port 80 (HTTP) and 443 (HTTPS) of web servers open
• Only port 22 (SSH) of app servers open
• Only permit web servers access to app servers via HTTP/HTTPS
• Only permit app servers access to DB servers
• All other traffic denied

Rule structure: Source Condition, Destination Condition, Action

Condition operators
• eq, neq, gt, lt, range, not-in-range, prefix
• member, not-member, contains

Condition attribute types: Network, VM, User Defined, vZone

VM Attributes
• Instance Name
• Guest OS full name
• Guest OS Host name
• Parent App Name
• Cluster Name
• Hypervisor Name
• Resource-pool
• Port Profile Name
• Zone Name

Network Attributes
• IP Address
• Network Port

ACE: Access Control Entry
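As an added illustration (not Cisco's code and not the VNMC rule syntax), the Python below models the rule structure on this slide (source condition, destination condition, action; the listed operators; VM and network attributes) and encodes the 3-tier zoning policy from the previous slide with first-match evaluation and an implicit final deny. Zone names, attribute keys and the IP-prefix semantics given to "prefix" are assumptions.

```python
"""Toy evaluator for attribute-based zone rules (constructed example)."""
import ipaddress
from dataclasses import dataclass

# Operators as listed on the slide; "prefix" is treated here as an IP-prefix
# match (assumption: the slide names the operator but not its semantics).
OPERATORS = {
    "eq": lambda a, v: a == v,
    "neq": lambda a, v: a != v,
    "gt": lambda a, v: a > v,
    "lt": lambda a, v: a < v,
    "range": lambda a, v: v[0] <= a <= v[1],
    "not-in-range": lambda a, v: not (v[0] <= a <= v[1]),
    "member": lambda a, v: a in v,
    "not-member": lambda a, v: a not in v,
    "contains": lambda a, v: v in a,
    "prefix": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v),
}

@dataclass
class Rule:
    name: str
    src: list      # [(attribute, operator, value), ...]; all must match
    dst: list
    action: str    # "permit" or "deny"

def matches(conds, attrs):
    """Every condition must hold; a missing attribute never matches."""
    return all(a in attrs and OPERATORS[op](attrs[a], v) for a, op, v in conds)

def evaluate(rules, src, dst):
    """First matching rule wins; nothing matching means deny (the slide's
    'all other traffic denied')."""
    for r in rules:
        if matches(r.src, src) and matches(r.dst, dst):
            return r.action, r.name
    return "deny", "implicit-deny"

# The 3-tier policy; zone names "web", "app", "db" are our own labels.
THREE_TIER = [
    Rule("web-ingress", [], [("zone", "eq", "web"), ("port", "member", {80, 443})], "permit"),
    Rule("web-to-app", [("zone", "eq", "web")],
         [("zone", "eq", "app"), ("port", "member", {80, 443})], "permit"),
    Rule("app-ssh", [], [("zone", "eq", "app"), ("port", "eq", 22)], "permit"),
    Rule("app-to-db", [("zone", "eq", "app")], [("zone", "eq", "db")], "permit"),
]

if __name__ == "__main__":
    web = {"zone": "web", "ip": "10.1.1.10", "guest_os": "Windows Server 2012"}
    db = {"zone": "db", "ip": "10.1.3.10", "port": 1433}
    print(evaluate(THREE_TIER, web, db))  # a web server may not reach the DB tier
```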

Data center security layers (diagram: Core, Aggregation, Services, Access, Storage, Virtual Access, UCS)

Security Management
• Visibility
• Event correlation, syslog, centralized authentication
• Forensics
• Anomaly detection
• Compliance

Infrastructure Security
• Infrastructure security features are enabled to protect the device, traffic plane and control plane
• 802.1AE and vPC provide internal/external separation

Services
• IPS/IDS provide traffic analysis and forensics
• Network Analysis provides traffic monitoring and data analysis
• Server load balancing masks servers and applications

Services
• Initial filter for DC ingress and egress traffic; Virtual Context used to split policies for server-to-server filtering
• Additional firewall services for server farm specific protection

Per-layer controls: data security (authenticate and access control); Virtual Firewall; Real-time Monitoring; Firewall Rules; ACLs, Port Security, VN-Tag, NetFlow, ERSPAN, QoS, CoPP, DHCP snooping

Tenant zone model (diagram): traffic enters from the Public/Shared VRF through a per-tenant ASA context into a Protected VRF (the control point) in front of the Nexus 1000V with VSG and vPath. Zones shown: Public Zone (DMZ), Protected FE Zone, Zone 1, Zone 2, Zone 3, with Sub-Zones W, X, Y and Z, and Private (Tenant VRF). Zone groupings: Less Trusted Zones, Front-end Zones, Back-end Zones. Perimeters: Front-end Tenant Perimeter, Back-end Tenant Perimeter, Back-end Management Perimeter.


• Virtual ASA provides a consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• Solution provides:
  Increased flexibility and operational efficiency via vPath (Nexus 1000V)
  Dynamic, context-aware, multi-tenant management via VNMC

Diagram: Tenant A and Tenant B, each a VDC with vApps on vSphere; the Nexus 1000V with vPath steers traffic to per-tenant VSG and ASA 1000V instances, all managed by the Virtual Network Management Center (VNMC) alongside VMware vCenter.

ASA 1000V features
• IPsec VPN (Site-to-Site)
• NAT
• DHCP
• Default Gateway
• Static Routing
• Stateful Inspection
• IP Audit
• Built using ASA technology
• Support for VXLAN
• Multi-tenant management via VNMC
• Inter-operability with VSG via Service Chaining


Cloud-ready WAN Optimization: Virtual WAAS on Nexus 1000V with vPath

Diagram: Virtual WAAS "appliances" on an ESX/ESXi hypervisor with Nexus 1000V, running on UCS/x86 servers and inserted via vPath.

FEATURES
• Allows agile, elastic and multi-tenant deployment
• Supports DRE cache in SAN
• Policy-based provisioning with Nexus 1000V
• Extends WAAS solution portfolio

BUSINESS BENEFITS
• Business agility with on-demand orchestration
• Lower operational cost, reduced migration risk
• Fault-tolerance with VM mobility awareness

vWAAS deployment modes (diagram: WAN or Internet, Nexus 2K/5K, UCS compute on virtualized and physical servers, VMware ESXi servers with Nexus 1000V and vPath; WCCP is shown on the physical-server path)

1. Stand-alone
• Traditional WAN edge deployment at branch and DC
• Gradual migration from physical to virtual
• Multi-tenancy support

2. vPath-integrated
• Redirection using vPath at VM level
• Elastic provisioning
• Multi-tenancy support

Virtualized/Cloud Data Center components (diagram: physical infrastructure of WAN router, switches and servers; Tenant A with Zone A and Zone B on a multi-hypervisor Nexus 1000V with vPath and VXLAN)

Nexus 1000V
• Distributed switch
• NX-OS consistency

VSG
• VM-level controls
• Zone-based FW

ASA 1000V
• Edge firewall, VPN
• Protocol Inspection

vWAAS
• WAN optimization
• Application traffic

CSR 1000V (Cloud Router)
• WAN L3 gateway
• Routing and VPN


CSR 1000V deployment (diagram: Enterprise A and Enterprise B, each with branch ISRs and a DC ASR, connect over MPLS and the Internet to the cloud provider's data center, where Tenant A and Tenant B each have a CSR 1000V and an ASA 1000V in front of their virtual infrastructure on the shared physical infrastructure of WAN router, switches and servers)

Can be deployed by Enterprises or Cloud Providers

Enterprise Use Cases
• Secure VPN Gateway
• L3 Extension
• Tenant Firewall

Cloud Provider Use Cases
• Secure VPN Gateway
• MPLS Extension
• Tenant Firewall

Thank you.