Enhanced VXLAN in Nexus 1000V presentation from VMworld 2013.
© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Enhanced VXLAN in Nexus 1000V
Han Yang, Senior Product Manager
October, 2013
Co-Sponsored by Intel®
Accelerate Application Deployment
(Diagram: manual process: Architect, Design, "Where Can We Put It?", Procure, Install, Configure, Secure, "Is It Ready?")
• Faster application deployment is being demanded
• Deploying applications requires acquiring and configuring physical and virtual infrastructure
• Need network agility with best-in-class network services and SLAs
Build Once, Run Anywhere: Consistency, Reduce Risk, Rapid Deployment
(Diagram: Virtual, Physical, Cloud)
• Consistent Nexus Experience
• Intra-tenant Security
• Inter-tenant Security
• Application Acceleration
• Routing and Gateways
• Web-app Firewall
• Load Balancer
Cisco Virtual Networking and Cloud Network Services
Full Portfolio of Best in Class Virtualized Network Services
(Diagram: a single network spanning physical infrastructure (WAN router, switches, servers) and cloud network services (Nexus 1000V with vPath and Enhanced VXLAN, Cisco Virtual Security Gateway, ASA 1000V Cloud Firewall, vWAAS, Cloud Services Router 1000V, Imperva SecureSphere WAF, Citrix NetScaler 1000V, Network Analysis Module (vNAM)), with integration with the network fabric and multi-hypervisor support (VMware, Microsoft, KVM*, Xen*))
Nexus 1000V
• Distributed switch
• NX-OS consistency
VSG
• VM-level controls
• Zone-based FW
ASA 1000V
• Edge firewall, VPN
• Protocol inspection
vWAAS
• WAN optimization
• Application traffic
CSR 1000V (Cloud Router)
• WAN L3 gateway
• Routing and VPN
Ecosystem Services
• Citrix NetScaler VPX virtual ADC
• Imperva Web App. Firewall
*KVM in beta, Xen prototype
Cisco Nexus 1000 Portfolio
VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
vPath: Virtual Service Data-path
VXLAN: Scalable Segmentation
VSG: Virtual Security Gateway
vWAAS: Virtual WAAS
ASA 1000V: Tenant-edge security
(Diagram: Nexus 1010/1110 Virtual Appliance hosting Virtual Service Blades: Virtual Supervisor Module (VSM, primary and secondary), Network Analysis Module (NAM), Virtual Security Gateway (VSG), vWAAS, Data Center Network Manager (DCNM); ASA 1000V; VEM-1 on VMware ESX, VEM-2 on Windows Server 2012 and VEM-3 on an open-source hypervisor, each running vPath and VXLAN and joined by L3 connectivity)
New Nexus 1000V Freemium Go-to-Market Model
Freemium Pricing Model Offers Flexibility for Customers to Deploy Cisco Virtual Data Center
Nexus 1000V Essential Edition: No-Cost Version
The world’s most advanced virtual switch
• Full Layer-2 Feature Set
• Security, QoS Policies
• VXLAN virtual overlays
• Full monitoring and management capabilities
• vPath-enabled Virtual Services
Nexus 1000V Advanced Edition: $695 per CPU MSRP
Adds Cisco value-add features for DC and Cloud
• All features of Essential Edition
• VSG firewall bundled (previously sold separately)
• Support for Cisco TrustSec SGA policies
• Platform for other Cisco DC Extensions in the Future
Enhanced VXLAN
Scalable Pod Deployment with VXLAN within a Data Center
(Diagram: pods of VMs connected across a Layer 3 network)
• Logical network spanning across Layer 3
• Utilize all links in port channel with UDP
• Add more pods to scale
Virtual Extensible Local Area Network (VXLAN)
• Ethernet in IP overlay network: entire L2 frame encapsulated in UDP, 50 bytes of overhead
• Includes 24-bit VXLAN Identifier: 16 M logical networks, mapped into local bridge domains
• VXLAN can cross Layer 3
• Tunnel between VEMs; VMs do NOT see VXLAN ID
• IP multicast used for L2 broadcast/multicast, unknown unicast
• Technology submitted to IETF for standardization with VMware, Citrix, Red Hat, and others; UDP Port 4789 assigned to VXLAN
VXLAN Encapsulation (outer headers added by the VEM): Outer MAC DA | Outer MAC SA | Outer 802.1Q | Outer IP DA | Outer IP SA | Outer UDP | VXLAN ID (24 bits)
Ethernet Frame (carried unchanged inside): Inner MAC DA | Inner MAC SA | Optional Inner 802.1Q | Original Ethernet Payload | CRC
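As an added illustration of the encapsulation above (not code from the Cisco deck), this Python builds one VXLAN packet for VXLAN 5000 between the two VEM addresses used on the later slides and parses it back, checking the 50-byte overhead and the 24-bit VNI. The outer MACs, the inner frame and the 49152 source port are constructed placeholders.

```python
import struct

VXLAN_UDP_PORT = 4789   # IANA-assigned UDP port from the slide
VXLAN_FLAG_I = 0x08     # VXLAN header "I" flag: the VNI field is valid
VXLAN_OVERHEAD = 50     # outer Ethernet 14 + IPv4 20 + UDP 8 + VXLAN 8 (no outer 802.1Q tag)

def _mac(text):                       # "00:11:22:33:44:55" -> 6 bytes
    return bytes.fromhex(text.replace(":", ""))

def _ipv4_checksum(header):           # one's-complement sum over 16-bit words
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def vxlan_encapsulate(inner_frame, vni, src_mac, dst_mac, src_ip, dst_ip, src_port=49152):
    """Wrap a complete L2 frame the way a VEM does before sending it to the destination VEM."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VXLAN ID must fit in 24 bits")
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)      # flags/reserved, VNI/reserved
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum allowed on IPv4
    ip_fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                            bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    ip_hdr = ip_fields[:10] + struct.pack("!H", _ipv4_checksum(ip_fields)) + ip_fields[12:]
    return _mac(dst_mac) + _mac(src_mac) + b"\x08\x00" + ip_hdr + udp_hdr + vxlan_hdr + inner_frame

def vxlan_decapsulate(packet):
    """Return (vni, inner_frame); reject anything that is not Ethernet/IPv4/UDP-4789/VXLAN."""
    if len(packet) < VXLAN_OVERHEAD or packet[12:14] != b"\x08\x00" or packet[14] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    if packet[23] != 17:                                 # IPv4 protocol field
        raise ValueError("not UDP")
    udp = 14 + (packet[14] & 0x0F) * 4                   # honour IHL
    if struct.unpack("!H", packet[udp + 2:udp + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    flags_word, vni_word = struct.unpack("!II", packet[udp + 8:udp + 16])
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VNI-valid flag not set")
    return vni_word >> 8, packet[udp + 16:]

# Constructed sample: a 42-byte ARP request frame from VM "a" to the broadcast MAC (payload zeroed).
INNER_FRAME = _mac("ff:ff:ff:ff:ff:ff") + _mac("0a:0a:0a:00:00:01") + b"\x08\x06" + bytes(28)

def demo():
    # Encapsulate across the slides' VEMs 10.10.10.10 -> 20.20.20.20 in VXLAN 5000 and parse it back.
    pkt = vxlan_encapsulate(INNER_FRAME, 5000, "00:50:56:aa:00:01", "00:50:56:bb:00:02",
                            "10.10.10.10", "20.20.20.20")
    vni, inner = vxlan_decapsulate(pkt)
    return len(pkt) - len(INNER_FRAME), vni, inner == INNER_FRAME   # -> (50, 5000, True)
```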
VXLAN Forwarding Basics
(Diagram: VMs on VEM 1 and VEM 2)
• Forwarding mechanisms similar to a Layer 2 bridge: flood and learn
• VEM learns VM’s source (MAC, host VXLAN IP) tuple
Broadcast, Multicast, and Unknown Unicast Traffic
• VM broadcast and unknown unicast traffic are sent as multicast
Unicast Traffic
• Unicast packets are encapsulated and sent directly (not via multicast) to the destination host VXLAN IP (destination VEM)
Broadcast and Unknown Unicast in Enhanced VXLAN
No Multicast Needed (SHIPPING)
(Diagram: VMs spread across several VEMs)
• Broadcast / unknown unicast: VEM performs replication and encapsulation
VXLAN MAC Distribution
Unknown Unicast Flood Prevented (SHIPPING)
• VSM learns VXLAN / MAC
• VSM distributes VXLAN / MAC
(Diagram: Nexus® 1000V VSM over the data center network; the VEM at 10.10.10.10 hosts VM1 [a.a.a] and VM2 [b.b.b], the VEM at 20.20.20.20 hosts VM3 [c.c.c] and VM4 [d.d.d]; the VSM IP / MAC table and both VEM IP / MAC tables list VXLAN 5000 with [a.a.a], [b.b.b], [c.c.c], [d.d.d])
• Malicious VM (M) in VXLAN 5000 sends unicast to MAC X: MAC X not found in table. Packet dropped.
VXLAN ARP Termination
No ARP Broadcast (PREVIEW)
• In this mode VEM learns VXLAN / IP / MAC
• VSM learns VXLAN / IP / MAC
• VSM distributes VXLAN / MAC
(Diagram: Nexus® 1000V VSM over the data center network; the VEMs at 10.10.10.10 and 20.20.20.20 host VM1 [192.1.1.1, a.a.a], VM2 [192.1.1.1, b.b.b] and VM3 [192.1.1.1, c.c.c]; the VSM IP / MAC table and both VEM IP / MAC tables list VXLAN 5000 with [192.1.1.1, a.a.a], [192.1.1.1, b.b.b], [192.1.1.1, c.c.c])
• VM3 ARP request for 192.1.1.1: 192.1.1.1 found in VXLAN 5000, VEM ARP reply with VM1’s MAC a.a.a
Enhanced VXLAN
Packet type (rows) by VXLAN mode (columns):

Packet                | VXLAN (multicast mode)  | Enhanced VXLAN (unicast mode)  | Enhanced VXLAN MAC Distribution | Enhanced VXLAN ARP Termination
Broadcast / Multicast | Multicast Encapsulation | Replication plus Unicast Encap | Replication plus Unicast Encap  | Replication plus Unicast Encap
Unknown Unicast       | Multicast Encapsulation | Replication plus Unicast Encap | Drop                            | Drop
Known Unicast         | Unicast Encapsulation   | Unicast Encap                  | Unicast Encap                   | Unicast Encap
ARP                   | Multicast Encapsulation | Replication plus Unicast Encap | Replication plus Unicast Encap  | VEM ARP Reply
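The table above and the four forwarding slides before it (flood and learn, unicast-mode replication, MAC distribution, ARP termination), replayed as an added Python model that is not Cisco code: each VEM decides per mode what happens to broadcast, unknown unicast, known unicast and ARP traffic, and a VSM distribution step fills the VEM tables. The MAC values, the VEM peer lists and the fallback for an ARP target the VSM never distributed are assumptions.

```python
from dataclasses import dataclass, field
from enum import Enum

class Mode(Enum):
    MULTICAST, UNICAST, MAC_DIST, ARP_TERM = range(4)   # the four columns of the table above

BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Vem:
    mode: Mode
    peers: list                                     # IPs of the other VEMs in the segment (replication targets)
    mac_table: dict = field(default_factory=dict)   # vni -> {vm_mac: hosting VEM IP}
    ip_table: dict = field(default_factory=dict)    # vni -> {vm_ip: vm_mac}, used in ARP termination mode

    def forward(self, vni, dst_mac, arp_target_ip=None):
        """Action for one frame sent by a local VM, row by row from the table above."""
        if arp_target_ip and self.mode is Mode.ARP_TERM:
            vm_mac = self.ip_table.get(vni, {}).get(arp_target_ip)
            if vm_mac:                              # VEM answers the ARP itself: nothing hits the wire
                return ("vem-arp-reply", vm_mac)
            # Assumption (not on the slide): an IP the VSM never distributed is flooded like any broadcast.
        if dst_mac == BROADCAST or int(dst_mac[:2], 16) & 1:   # broadcast or multicast MAC
            return self._flood(vni)
        vem_ip = self.mac_table.get(vni, {}).get(dst_mac)
        if vem_ip:                                  # known unicast: one tunnel to the destination VEM
            return ("unicast-encap", vem_ip)
        if self.mode in (Mode.MAC_DIST, Mode.ARP_TERM):
            return ("drop", None)                   # MAC never distributed by the VSM: flood prevented
        return self._flood(vni)                     # flood-and-learn modes flood unknown unicast

    def _flood(self, vni):
        if self.mode is Mode.MULTICAST:
            return ("multicast-encap", vni)         # one copy to the segment's IP multicast group
        return ("replicate-unicast-encap", list(self.peers))   # one unicast copy per peer VEM

def vsm_distribute(vems, vni, vm_mac, vem_ip, vm_ip=None):
    # VSM learns a (VXLAN, MAC[, IP]) binding from the hosting VEM and pushes it to every VEM.
    for vem in vems:
        vem.mac_table.setdefault(vni, {})[vm_mac] = vem_ip
        if vm_ip:
            vem.ip_table.setdefault(vni, {})[vm_ip] = vm_mac

def demo(mode):
    # Replay the slides: VEMs 10.10.10.10 and 20.20.20.20, VXLAN 5000, a frame to unknown MAC X, an ARP.
    vem_a, vem_b = Vem(mode, ["20.20.20.20"]), Vem(mode, ["10.10.10.10"])
    # Constructed MACs stand in for a.a.a / c.c.c; flood-and-learn modes would learn these from traffic.
    vsm_distribute([vem_a, vem_b], 5000, "0a:0a:0a:00:00:01", "10.10.10.10", vm_ip="192.1.1.1")  # VM1
    vsm_distribute([vem_a, vem_b], 5000, "0c:0c:0c:00:00:03", "20.20.20.20")                     # VM3
    return {"known": vem_a.forward(5000, "0c:0c:0c:00:00:03"),
            "unknown_x": vem_a.forward(5000, "ee:ee:ee:00:00:ff"),          # malicious VM -> MAC X
            "arp": vem_b.forward(5000, BROADCAST, arp_target_ip="192.1.1.1")}
```

Running `demo` with each `Mode` reproduces the table column by column; the unknown-MAC case is the one that changes from a flood to a drop once MAC distribution is on.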
Summary
• Shipping Nexus 1000V with Enhanced VXLAN: Simplifying and Scaling VXLAN
• IP multicast is no longer required to deploy VXLAN
• Cisco invented VXLAN and continues to enhance VXLAN
• Cisco continues to drive VXLAN standardization at IETF, even with Enhanced VXLAN
Visit Cisco Booth D209
• Twitter: @ciscoDC, #vmworld
• Facebook: http://www.facebook.com/CiscoDC
• Youtube: http://www.youtubecisco.com/datacenter
• Cisco DCC Blog: http://blogs.cisco.com/datacenter
• Slideshare: http://slideshare.com/CiscoDataCenter
• Community: https://communities.cisco.com/community/technology/datacenter
• Pinterest: http://pinterest.com/ciscosystems/data-center
• LinkedIn: http://www.linkedin.com search “Cisco Data Center” group
• Google +: http://goo.gl/irm4b
• In Collaboration with Intel®
• Intel, the Intel logo, Xeon and Xeon inside are trademarks of Intel Corporation in the U.S. and other countries.
Virtual Overlay Network
(Diagram: VMs on an overlay spanning the data center network and WAN, reaching a physical firewall, bare metal servers and a router through gateways)
Overlay: Instant Provisioning
• Overlay needs gateway to access physical network
• Physical network to support overlay traffic pattern
VXLAN to VLAN Gateway
(Diagram: VXLAN to VLAN Gateway)
• Hosted on the local hypervisor as a virtual machine connected to a Virtual Ethernet Module
• Managed as a module from VSM
• Active/Standby VXLAN Gateway
• Integrated with OpenStack
• Scale: 4 VXLAN Gateways per VSM, 2k active VXLANs, 2k active VLANs
VXLAN to VLAN Gateway
(Diagram: a Layer 3 network connecting L2 Domain A, L2 Domain B and L2 Domain C; VXLAN Gateways bridge a Web VM on VXLAN 5500 to VLAN 100 and VLAN 200, where a bare metal DB server and an ASA 5500 sit)