
Enhanced VXLAN in Nexus 1000V


DESCRIPTION

Enhanced VXLAN in Nexus 1000V presentation from VMworld 2013.


Page 1: Enhanced vxlan in nexus 1000v

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Enhanced VXLAN in Nexus 1000V

Han Yang, Senior Product Manager

October, 2013

Co-Sponsored by Intel®

Page 2: Enhanced vxlan in nexus 1000v

© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2

Accelerate Application Deployment

[Figure: manual deployment workflow: Architect, Design ("Where can we put it?"), Procure, Install, Configure, Secure ("Is it ready?")]

• Faster application deployment is being demanded

• Deploying applications requires acquiring and configuring physical and virtual infrastructures

• Network agility is needed, with best-in-class network services and SLAs

Page 3: Enhanced vxlan in nexus 1000v


Build Once, Run Anywhere

Consistency, Reduce Risk, Rapid Deployment

[Figure: a consistent Nexus experience across virtual, physical and cloud, with intra-tenant security, inter-tenant security, application acceleration, routing and gateways, web-app firewall and load balancer]

Page 4: Enhanced vxlan in nexus 1000v


Cisco Virtual Networking and Cloud Network Services

[Figure: a single network spanning the physical infrastructure (WAN router, switches, servers) and the cloud network services (Nexus 1000V with vPath and Enhanced VXLAN, ASA 1000V cloud firewall, Cisco Virtual Security Gateway, vWAAS, Cloud Services Router 1000V, Imperva SecureSphere WAF, Citrix NetScaler 1000V, Network Analysis Module (vNAM)), integrated with the network fabric]

Multi-Hypervisor (VMware, Microsoft, KVM*, Xen*)

Nexus 1000V

• Distributed switch

• NX-OS consistency

VSG

• VM-level controls

• Zone-based FW

ASA 1000V

• Edge firewall, VPN

• Protocol inspection

vWAAS

• WAN optimization

• Application traffic

CSR 1000V (Cloud Router)

• WAN L3 gateway

• Routing and VPN

Ecosystem Services

• Citrix NetScaler VPX virtual ADC

• Imperva Web App. Firewall

Full Portfolio of Best-in-Class Virtualized Network Services

*KVM in beta, Xen prototype

Page 5: Enhanced vxlan in nexus 1000v


Cisco Nexus 1000 Portfolio

[Figure: a Nexus 1010/1110 virtual appliance hosting virtual service blades (primary and secondary VSM, NAM, VSG, vWAAS); VEM-1 on VMware ESX, VEM-2 on Windows Server 2012 and VEM-3 on an open-source hypervisor, each running vPath and VXLAN and joined by L3 connectivity; an ASA 1000V alongside]

VSM: Virtual Supervisor Module

VEM: Virtual Ethernet Module

vPath: Virtual Service Data-path

VXLAN: Scalable Segmentation

VSG: Virtual Security Gateway

vWAAS: Virtual WAAS

ASA 1000V: Tenant-edge security

Virtual Service Blades: Virtual Supervisor Module (VSM), Network Analysis Module (NAM), Virtual Security Gateway (VSG), Data Center Network Manager (DCNM)

Page 6: Enhanced vxlan in nexus 1000v


New Nexus 1000V Freemium Go-to-Market Model

Freemium pricing model offers flexibility for customers to deploy the Cisco Virtual Data Center

Nexus 1000V Essential Edition (no-cost version)

The world's most advanced virtual switch

• Full Layer-2 feature set

• Security, QoS policies

• VXLAN virtual overlays

• Full monitoring and management capabilities

• vPath-enabled virtual services

Nexus 1000V Advanced Edition ($695 per CPU MSRP)

Adds Cisco value-add features for DC and Cloud

• All features of Essential Edition

• VSG firewall bundled (previously sold separately)

• Support for Cisco TrustSec SGA policies

• Platform for other Cisco DC extensions in the future

Page 7: Enhanced vxlan in nexus 1000v


Enhanced VXLAN

Page 8: Enhanced vxlan in nexus 1000v


Scalable Pod Deployment with VXLAN within a Data Center

[Figure: pods of VMs joined by one logical network that spans across Layer 3]

• Add more pods to scale

• Utilize all links in the port channel with UDP

• Logical network spanning across Layer 3

Page 9: Enhanced vxlan in nexus 1000v


Virtual Extensible Local Area Network (VXLAN)

• Ethernet-in-IP overlay network: the entire L2 frame is encapsulated in UDP, with 50 bytes of overhead

• Includes a 24-bit VXLAN identifier: 16 M logical networks, mapped into local bridge domains

• VXLAN can cross Layer 3

• Tunnel between VEMs; VMs do NOT see the VXLAN ID

• IP multicast used for L2 broadcast/multicast and unknown unicast

• Technology submitted to the IETF for standardization, with VMware, Citrix, Red Hat, and others; UDP port 4789 assigned to VXLAN

VXLAN Encapsulation (fields as drawn on the slide):

Outer MAC DA | Outer MAC SA | Outer 802.1Q | Outer IP DA | Outer IP SA | Outer UDP | VXLAN ID (24 bits) | Inner MAC DA | Inner MAC SA | Optional Inner 802.1Q | Original Ethernet Payload | CRC

The fields from Inner MAC DA onward are the original Ethernet frame; the fields before them are the VXLAN encapsulation.
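As an added example (not Cisco's or the Nexus 1000V's code), the following Python builds the encapsulation shown above around an inner Ethernet frame and parses it back, checking the outer IPv4 header, the UDP destination port 4789, the VXLAN 'I' flag and the 50-byte overhead. The function names, sample MACs, IPs and payload are constructed for this illustration; the optional outer 802.1Q tag is omitted and the FCS is left to the NIC.

```python
# Added example (not Cisco/Nexus 1000V code): build and parse the VXLAN
# encapsulation laid out on the slide above. Function names, the sample
# MACs/IPs and the payload are constructed for this illustration.
import socket
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (from the slide)
VXLAN_FLAG_VNI_VALID = 0x08  # 'I' bit: the 24-bit VNI field is valid
ETHERTYPE_IPV4 = b"\x08\x00"
IPPROTO_UDP = 17
# Outer Ethernet (14) + IPv4 (20) + UDP (8) + VXLAN (8) = the slide's 50 bytes
VXLAN_OVERHEAD = 14 + 20 + 8 + 8


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(":", ""))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)


def encapsulate(vni, inner_frame, outer_src_mac, outer_dst_mac,
                outer_src_ip, outer_dst_ip, src_port=49152):
    """Wrap an inner Ethernet frame (without FCS) in Ethernet/IPv4/UDP/VXLAN.
    The outer 802.1Q tag shown on the slide is optional and omitted here."""
    vxlan = vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    # UDP checksum 0 = not computed, which IPv4 permits for VXLAN
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                     64, IPPROTO_UDP, 0,
                     socket.inet_aton(outer_src_ip), socket.inet_aton(outer_dst_ip))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    eth = mac_bytes(outer_dst_mac) + mac_bytes(outer_src_mac) + ETHERTYPE_IPV4
    return eth + ip + udp + vxlan + inner_frame


def decapsulate(packet: bytes):
    """Validate the outer headers and return (vni, inner_frame, outer_src_ip).
    outer_src_ip is the sending VTEP's address, the 'host VXLAN IP' a VEM
    learns together with the inner source MAC. Raises ValueError on bad input."""
    if len(packet) < VXLAN_OVERHEAD:
        raise ValueError("shorter than the 50-byte VXLAN overhead")
    if packet[12:14] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    if packet[14] >> 4 != 4 or ihl < 20 or ip_checksum(packet[14:14 + ihl]) != 0:
        raise ValueError("bad outer IPv4 header")
    if packet[23] != IPPROTO_UDP:
        raise ValueError("outer IP payload is not UDP")
    udp_off = 14 + ihl
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    if udp_len < 16 or udp_off + udp_len > len(packet):
        raise ValueError("UDP length does not match packet")
    vx_off = udp_off + 8
    flags_word, vni_word = struct.unpack("!II", packet[vx_off:vx_off + 8])
    if not (flags_word >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN 'I' flag not set")
    inner = packet[vx_off + 8:udp_off + udp_len]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame truncated")
    return vni_word >> 8, inner, socket.inet_ntoa(packet[26:30])


# Constructed sample: a VM behind VTEP 10.10.10.10 sending to a VM behind 20.20.20.20
INNER = (mac_bytes("aa:aa:aa:aa:aa:aa") + mac_bytes("bb:bb:bb:bb:bb:bb")
         + ETHERTYPE_IPV4 + b"constructed payload")
PACKET = encapsulate(5000, INNER, "00:11:22:33:44:55", "66:77:88:99:aa:bb",
                     "10.10.10.10", "20.20.20.20")

if __name__ == "__main__":
    vni, inner, vtep = decapsulate(PACKET)
    print(vni, vtep, len(PACKET) - len(inner))  # 5000 10.10.10.10 50
```

The parser rejects anything that is not IPv4/UDP to port 4789 with a valid 'I' flag before it trusts the VNI, which is the check a VTEP or a monitoring tap should make before mapping a received frame into a bridge domain.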

Page 10: Enhanced vxlan in nexus 1000v


VXLAN Forwarding Basics

[Figure: VMs on VEM 1 and VEM 2 exchanging encapsulated traffic]

Forwarding mechanisms are similar to a Layer 2 bridge: flood and learn. The VEM learns each VM's source (MAC, host VXLAN IP) tuple.

Broadcast, Multicast, and Unknown Unicast Traffic: VM broadcast and unknown unicast traffic are sent as multicast.

Unicast Traffic: Unicast packets are encapsulated and sent directly (not via multicast) to the destination host VXLAN IP (the destination VEM).

Page 11: Enhanced vxlan in nexus 1000v


Broadcast and Unknown Unicast in Enhanced VXLAN

No Multicast Needed (SHIPPING)

[Figure: VMs spread across several VEMs; a broadcast / unknown unicast frame is replicated by the sending VEM to each remote VEM]

The VEM performs replication and encapsulation.

Page 12: Enhanced vxlan in nexus 1000v


VXLAN MAC Distribution

Unknown Unicast Flood Prevented (SHIPPING)

[Figure: two VEMs in VXLAN 5000 across the data center network: 10.10.10.10 hosting VM1 [a.a.a] and VM2 [b.b.b], and 20.20.20.20 hosting VM3 [c.c.c] and VM4 [d.d.d]; each VEM IP/MAC table and the Nexus 1000V VSM IP/MAC table hold VXLAN 5000 entries [a.a.a], [b.b.b], [c.c.c], [d.d.d]]

VSM learns VXLAN / MAC

VSM distributes VXLAN / MAC

A malicious VM (M) in VXLAN 5000 sends unicast to MAC X: MAC X is not found in the table, so the packet is dropped.

Page 13: Enhanced vxlan in nexus 1000v


VXLAN ARP Termination

No ARP Broadcast (PREVIEW)

In this mode the VEM learns VXLAN / IP / MAC

[Figure: VEMs 10.10.10.10 and 20.20.20.20 in VXLAN 5000 hosting VM1 [a.a.a], VM2 [b.b.b] and VM3 [c.c.c]; the VEM IP/MAC tables and the Nexus 1000V VSM IP/MAC table hold VXLAN / IP / MAC entries, e.g. 5000 [192.1.1.1, a.a.a] for VM1]

VSM learns VXLAN / IP / MAC

VSM distributes VXLAN / MAC

VM3 sends an ARP request for 192.1.1.1; 192.1.1.1 is found in VXLAN 5000; the VEM replies with VM1's MAC a.a.a.

Page 14: Enhanced vxlan in nexus 1000v


Enhanced VXLAN: VEM action by VXLAN mode and packet type

Packet                | VXLAN (multicast mode)  | Enhanced VXLAN (unicast mode)  | Enhanced VXLAN MAC Distribution | Enhanced VXLAN ARP Termination
Broadcast / Multicast | Multicast encapsulation | Replication plus unicast encap | Replication plus unicast encap  | Replication plus unicast encap
Unknown Unicast       | Multicast encapsulation | Replication plus unicast encap | Drop                            | Drop
Known Unicast         | Unicast encapsulation   | Unicast encap                  | Unicast encap                   | Unicast encap
ARP                   | Multicast encapsulation | Replication plus unicast encap | Replication plus unicast encap  | VEM ARP reply
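The following Python is an added model (not Nexus 1000V code) of the forwarding decisions in the table above, covering both the flood-and-learn behaviour described under "VXLAN Forwarding Basics" and the VSM-distributed tables of the MAC distribution and ARP termination slides. Class and function names, the multicast group 239.1.1.1, the VM IPs other than VM1's 192.1.1.1, and the choice to flood an ARP request whose target is not in the table are assumptions made for this illustration; the slide's placeholder MACs a.a.a to d.d.d are kept as labels.

```python
# Added example (not Nexus 1000V code): model of the VEM forwarding decisions
# in the mode table. Names, the multicast group, VM IPs other than 192.1.1.1
# and the unknown-ARP fall-back are constructed assumptions.
from dataclasses import dataclass, field
from enum import Enum

BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


class Mode(Enum):
    MULTICAST = "VXLAN (multicast mode)"
    UNICAST = "Enhanced VXLAN (unicast mode)"
    MAC_DISTRIBUTION = "Enhanced VXLAN MAC Distribution"
    ARP_TERMINATION = "Enhanced VXLAN ARP Termination"


@dataclass
class Vem:
    ip: str                                          # host VXLAN IP (VTEP address)
    local_vms: dict = field(default_factory=dict)    # vni -> {mac: vm_ip}
    table: dict = field(default_factory=dict)        # vni -> {mac: (vem_ip, vm_ip)}

    def learn(self, vni, mac, vem_ip, vm_ip=None):
        self.table.setdefault(vni, {})[mac] = (vem_ip, vm_ip)


@dataclass
class Fabric:
    mode: Mode
    vems: list
    mcast_group: dict = field(default_factory=dict)  # vni -> group (multicast mode only)
    vsm_table: dict = field(default_factory=dict)    # vni -> {mac: (vem_ip, vm_ip)}

    def members(self, vni, exclude):
        """Remote VEMs with a VM in this VXLAN: the head-end replication list."""
        return [v.ip for v in self.vems if v is not exclude and vni in v.local_vms]

    def flood_and_learn(self, receiver, vni, src_mac, src_vem_ip):
        """Multicast and unicast modes: a VEM learns (MAC, host VXLAN IP)
        from received traffic, as a Layer 2 bridge learns source addresses."""
        receiver.learn(vni, src_mac, src_vem_ip)

    def vsm_distribute(self):
        """MAC distribution / ARP termination: the VSM collects every VEM's local
        VMs (with IPs in ARP termination mode) and pushes the table to all VEMs."""
        with_ip = self.mode is Mode.ARP_TERMINATION
        for vem in self.vems:
            for vni, vms in vem.local_vms.items():
                for mac, vm_ip in vms.items():
                    self.vsm_table.setdefault(vni, {})[mac] = (vem.ip, vm_ip if with_ip else None)
        for vem in self.vems:
            for vni, entries in self.vsm_table.items():
                for mac, entry in entries.items():
                    vem.learn(vni, mac, *entry)

    def decide(self, vem, vni, dst_mac, arp_target_ip=None):
        """Action the VEM takes for a frame from one of its own VMs:
        ('multicast', group), ('replicate-unicast', [vem_ips]),
        ('unicast', vem_ip), ('drop', None) or ('vem-arp-reply', mac)."""
        flood = (("multicast", self.mcast_group[vni]) if self.mode is Mode.MULTICAST
                 else ("replicate-unicast", self.members(vni, vem)))
        if arp_target_ip is not None:                      # ARP row
            if self.mode is Mode.ARP_TERMINATION:
                for mac, (_, vm_ip) in vem.table.get(vni, {}).items():
                    if vm_ip == arp_target_ip:
                        return ("vem-arp-reply", mac)
                # assumption: a target IP the table does not know is still flooded
            return flood
        if dst_mac == BROADCAST_MAC:                       # broadcast / multicast row
            return flood
        entry = vem.table.get(vni, {}).get(dst_mac)
        if entry is not None:                              # known unicast row
            return ("unicast", entry[0])
        if self.mode in (Mode.MAC_DISTRIBUTION, Mode.ARP_TERMINATION):
            return ("drop", None)                          # unknown unicast row
        return flood


def build_fabric(mode):
    """Constructed topology from the MAC distribution slide: VEM 10.10.10.10
    hosts VM1/VM2, VEM 20.20.20.20 hosts VM3/VM4, all in VXLAN 5000."""
    vem1 = Vem("10.10.10.10", {5000: {"a.a.a": "192.1.1.1", "b.b.b": "192.1.1.2"}})
    vem2 = Vem("20.20.20.20", {5000: {"c.c.c": "192.1.1.3", "d.d.d": "192.1.1.4"}})
    fabric = Fabric(mode, [vem1, vem2], {5000: "239.1.1.1"})
    if mode in (Mode.MAC_DISTRIBUTION, Mode.ARP_TERMINATION):
        fabric.vsm_distribute()
    return fabric, vem1, vem2


if __name__ == "__main__":
    for mode in Mode:
        fabric, vem1, vem2 = build_fabric(mode)
        # the "malicious VM sends unicast to MAC X" case from the slide
        print(mode.value, "->", fabric.decide(vem1, 5000, "x.x.x"))
```

Running it prints the unknown-unicast outcome per mode: multicast encapsulation, head-end replication to 20.20.20.20, and a drop in the two VSM-distributed modes. The drop is the property a defender cares about: with the VSM as the source of truth for VXLAN/MAC bindings, a VM probing for unknown MACs no longer causes traffic to be flooded to every VEM in the segment.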

Page 15: Enhanced vxlan in nexus 1000v


Summary

• Shipping Nexus 1000V with Enhanced VXLAN: simplifying and scaling VXLAN

• IP multicast is no longer required to deploy VXLAN

• Cisco invented VXLAN and continues to enhance VXLAN

• Cisco continues to drive VXLAN standardization at the IETF, even with Enhanced VXLAN

Page 16: Enhanced vxlan in nexus 1000v


Visit Cisco Booth D209

• Twitter: @ciscoDC, #vmworld

• Facebook: http://www.facebook.com/CiscoDC

• Youtube: http://www.youtubecisco.com/datacenter

• Cisco DCC Blog: http://blogs.cisco.com/datacenter

• Slideshare: http://slideshare.com/CiscoDataCenter

• Community: https://communities.cisco.com/community/technology/datacenter

• Pinterest: http://pinterest.com/ciscosystems/data-center

• LinkedIn: http://www.linkedin.com, search for the "Cisco Data Center" group

• Google+: http://goo.gl/irm4b

• In Collaboration with Intel®

• Intel, the Intel logo, Xeon and Xeon inside are trademarks of Intel Corporation in the U.S. and other countries.


Page 18: Enhanced vxlan in nexus 1000v


Virtual Overlay Network

[Figure: VMs on an overlay reach the data center network, a physical firewall, bare-metal servers, a router and the WAN through gateways]

Overlay: Instant Provisioning

• The overlay needs a gateway to access the physical network

• The physical network has to support the overlay traffic pattern

Page 19: Enhanced vxlan in nexus 1000v


VXLAN to VLAN Gateway

[Figure: VXLAN to VLAN gateway]

• Hosted on the local hypervisor as a virtual machine connected to a Virtual Ethernet Module

• Managed as a module from the VSM

• Active/Standby VXLAN gateway

• Integrated with OpenStack

• Scale: 4 VXLAN gateways per VSM, 2k active VXLANs, 2k active VLANs

Page 20: Enhanced vxlan in nexus 1000v


VXLAN to VLAN Gateway

[Figure: three L2 domains (A, B, C) connected across Layer 3; a web VM on VXLAN 5500 reaches a bare-metal DB server and an ASA 5500 on VLAN 100 and VLAN 200 through VXLAN gateways]