Advanced Data Center Virtualization (BRKDCT-3831)

© 2008 Cisco Systems, Inc. All rights reserved. Cisco Public

Upload: jeffgrantinct

Post on 29-Mar-2015


Before We Get Started

Intermediate level session focused on data center virtualization technologies and solutions, including both front-end and back-end networks as well as server virtualization

Prerequisites: being familiar with the basic LAN and SAN design models as well as server virtualization technologies

Other recommended sessions

BRKDCT-2866: Data Center Architecture Strategy and Planning

BRKDCT-2840: Data Center Networking: Taking Risk Away from Layer 2 Interconnects

BRKDCT-1898: FCoE: The First 30 Feet of FC


Agenda

Data Center Virtualization Overview
Front-End Data Center Virtualization
  Core Layer
    VDC
  Aggregation Layer
    VSS
    Server Load Balancing
    Security Services
  Access Layer
Server Virtualization
Back-End Virtualization
  SAN
  HBA
  Unified IO (FCoE)
  Storage
End-to-End Management
  VFrame Data Center

[Figure: Front-End Virtualization (VLAN, VRF, VPNs, VDC, VSS), Virtual Network Services (virtual firewall, SLB and SSL contexts), Virtual Machines, and Back-End virtualization (vHBA, CNA, VSANs, FCoE, Virtual SANs/Unified IO, Virtual Storage)]


Virtualization—Definition (Well, One of Them)

Virtualization Is the Pooling and Abstraction of Resources and Services in a Way That Masks the Physical Nature and Boundaries of Those Resources and Services from Their Users


What Is Network Virtualization?

Virtualization: One to many

One network supports many virtual networks

Data Center Front-End Network/LAN

[Figure: one physical data center front-end network/LAN carrying three virtual networks: Outsourced IT Department, Merged New Company, Segregated Department (Regulatory Compliance)]

What Is Network Virtualization?

Virtualization: Many to one

One network consolidates many physical networks

[Figure: a single Data Center Network consolidating the Out-of-Band Management Network, Backup Network, Guest/Partner Network and Security Network]


“Network Virtualization” in the Data Center: One Term, Many Contexts

Virtual connectivity services
  IP/MPLS, L3 VPN, VRFs
  L2 VPNs, VFIs, PW

Virtualized front-end
  VLANs, PVLANs, VRF lite, VDC
  Virtual intelligent services (Firewall, SLB, SSL, L4–7, etc.)

Compute virtualization
  Clustering, GRID, virtualization software (hypervisor-based)

Virtualized storage
  Virtual HBAs, CNAs
  Virtual SANs (VSANs)
  Network-hosted storage virtualization software

[Figure: Consolidated Data Center with Front-End Network, Service Modules, Servers, Storage Area Network and Storage]


Virtualized Data Center Infrastructure

[Figure: data center topology.
 DC Core: Nexus 7000 10GbE Core; IP+MPLS WAN Agg Router (WAN)
 DC Aggregation: Nexus 7000 10GbE Agg; Cisco Catalyst 6500 DC Services; Cisco Catalyst 6500 10GbE VSS Agg DC Services
 DC Access: CBS 3100 Blade; Cisco Catalyst 49xx Rack; Cisco Catalyst 6500 End-of-Row; Nexus 7000 End-of-Row; Nexus 5000 Rack; CBS 3100 and MDS 9124e Blade
 Server access: 1GbE; 10GbE and 4Gb FC; 10GbE and 4/8Gb FC; 10Gb FCoE
 Storage: SAN A/B MDS 9500 Storage Core; MDS 9500 Storage
 Link types: Gigabit Ethernet, 10 Gigabit Ethernet, 10 Gigabit DCE, 10 Gigabit FCoE/DCE, 4/8Gb Fiber Channel]


VRF Overview: What Is a VRF (Virtual Routing and Forwarding)?

Typically all route processes and static routes are populating one routing table

All interfaces are part of the global routing table

router eigrp 1
 network 10.1.1.0 0.0.0.255
!
router ospf 1
 network 10.2.1.0 0.0.0.255 area 0
!
router bgp 65000
 neighbor 192.168.1.1 remote-as 65000
!
ip route 0.0.0.0 0.0.0.0 140.75.138.114

Global Routing Table


VRF Overview: What Is a VRF (Virtual Routing and Forwarding)?

VRFs allow dividing up your routing table into multiple virtual tables

Routing protocol extensions allow binding a process/address family to a VRF

Interfaces are bound to a VRF using ip vrf forwarding <vrf-name>

router eigrp 1
 network 10.1.1.0 0.0.0.255
!
router ospf 1 vrf orange
 network 10.2.1.0 0.0.0.255 area 0
!
router bgp 65000
 address-family ipv4 vrf blue
 …
!
ip route vrf green 0.0.0.0 0.0.0.0 …

Global Routing Table


VRF Overview: Route Targets

Import/export routes to/from MP-BGP updates

Globally significant—creates the VPN

Allows hub and spoke connectivity (central services)

[Figure: VRFs labelled with route targets. Red: Any-to-Any, every VRF exports 3:3 and imports 3:3. Blue: Hub-and-Spoke, two VRFs export 2:2 and import 1:1 while the third imports 2:2 and exports 1:1.]


Shared Services Extranet VPN: Multiple-Box Extranet Implementation

Central services routes imported into both VRF red and blue (1:1)
Central VRF imports routes for blue and red subnets (3:3, 2:2)

No routes exchanged between blue/red
No transitivity: imported routes are not “reexported”

Blue and red remain isolated

[Figure: the edge VRFs export 3:3 or 2:2 and import 1:1; the central shared-services VRF imports 3:3 and 2:2 and exports 1:1. Shared Services: Bidirectional Communication Between All VRFs and Central Services VRF]
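The import/export rules on this slide can be checked mechanically. The model below is an added example, not part of the presentation: the route-target values are the slide's, while the VRF names, the prefixes and which colour uses 2:2 or 3:3 are assumptions.

```python
"""Route-target import/export between VRFs, modelled on the extranet slide.

Added illustration: RT values come from the slide; VRF names, prefixes and
the colour-to-RT mapping are assumptions.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Vrf:
    name: str
    exports: frozenset   # RTs attached to routes this VRF originates
    imports: frozenset   # RTs this VRF accepts from MP-BGP updates
    prefixes: tuple      # locally originated prefixes (constructed)


def rts(*values):
    return frozenset(values)


EXTRANET = (
    Vrf("central", rts("1:1"), rts("2:2", "3:3"), ("10.1.0.0/16",)),
    Vrf("blue", rts("2:2"), rts("1:1"), ("10.2.0.0/16",)),
    Vrf("red", rts("3:3"), rts("1:1"), ("10.3.0.0/16",)),
)


def build_tables(vrfs, transitive=False):
    """Return {vrf: {prefix: originating vrf}} after RT-based import.

    transitive=False is the behaviour the slide describes: a VRF exports
    only the routes it originates. transitive=True re-exports imported
    routes too, to show what the no-transitivity rule prevents.
    """
    tables = {v.name: {p: v.name for p in v.prefixes} for v in vrfs}
    changed = True
    while changed:
        changed = False
        for src in vrfs:
            if transitive:
                exported = dict(tables[src.name])
            else:
                exported = {p: src.name for p in src.prefixes}
            for dst in vrfs:
                if dst is src or not (src.exports & dst.imports):
                    continue
                for prefix, origin in exported.items():
                    if prefix not in tables[dst.name]:
                        tables[dst.name][prefix] = origin
                        changed = True
    return tables


def leaks(tables, isolated_pairs):
    """List (origin, leaked_into, prefix) for VRF pairs that must stay apart."""
    found = []
    for a, b in isolated_pairs:
        for holder, other in ((a, b), (b, a)):
            for prefix, origin in sorted(tables[holder].items()):
                if origin == other:
                    found.append((other, holder, prefix))
    return found


def with_extra_import(vrfs, name, rt):
    """Copy of vrfs in which VRF `name` also imports `rt` (a misconfiguration)."""
    return tuple(replace(v, imports=v.imports | {rt}) if v.name == name else v
                 for v in vrfs)


if __name__ == "__main__":
    pairs = [("red", "blue")]
    print("as on the slide:", leaks(build_tables(EXTRANET), pairs))
    print("if re-exported :", leaks(build_tables(EXTRANET, transitive=True), pairs))
    bad = with_extra_import(EXTRANET, "red", "2:2")
    print("red imports 2:2:", leaks(build_tables(bad), pairs))
```

Running the same `leaks` check against the import/export lists taken from a real configuration flags any VRF pair whose isolation depends on a route target that has been imported by mistake.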


Data Center as a Shared Service on an Extranet VRF

[Figure: Shared Services (DNS, CAC) in the data center reached through the DC Core by the Red VRF and Blue VRF; Red VPN and Blue VPN extend across the Virtualized Campus/MAN and the WAN/Branch; an Internet Module connects to ISP1 and ISP2. Legend: L3 interface without VRF enabled; .1Q with VRF-enabled VLANs; L3 interface with VRF enabled.]


Virtual Device Contexts at Nexus 7000: VDC Architecture

Virtual Device Contexts Provide Virtualization at the Device Level, Allowing Multiple Instances of the Device to Operate on the Same Physical Switch at the Same Time

[Figure: Nexus 7000 physical switch with a shared Kernel and Infrastructure layer; VDC1 through VDCn each run their own Protocol Stack (IPv4/IPv6/L2), L2 Protocols (VLAN Mgr, UDLD, LACP, CTS, IGMP, 802.1x), L3 Protocols (OSPF, BGP, EIGRP, PIM, GLBP, HSRP, VRRP, SNMP) and RIB]


Virtual Device Contexts: Properties of the VDC

Each VDC treated as standalone device with limited resources
Each VDC uniquely identified by ID or name
Each VDC has unique MAC address assigned to identify VDC
Shared processor, shared linecards, and dedicated interfaces
Per VDC role-based management allows per VDC admin configuration and management
Software fault isolation for protocol processes within the VDC

The Hardware Is Shared Across the VDCs but from the User, Configuration and Management Perspective, the VDC Should Appear as a Standalone Device


Virtual Device Contexts: VDC Fault Domain

[Figure: a physical switch with a shared Kernel and Infrastructure layer; VDC A and VDC B each have their own protocol stack and their own instances of Process ABC, Process DEF … Process XYZ, and each VDC is drawn as a separate Fault Domain]

Process “DEF” in VDC B Crashes

Process DEF in VDC A Is Not Affected and Will Continue to Run Unimpeded

A VDC Builds a Fault Domain Around All Running Processes Within That VDC—Should a Fault Occur in a Running Process, It Is Truly Isolated from Other Running Processes and They Will Not Be Impacted


Virtual Device Contexts: VDC Configuration

A VDC Is Created in the Following Manner—This Example Creates a VDC Called CiscoLive 2008

switch# conf t
switch(config)# vdc CiscoLive2008
switch(config-vdc)# show vdc

vdc_id  vdc_name       state   mac
------  --------       -----   ----------
1       switch         active  00:18:ba:d8:4c:3d
2       CiscoLive2008  active  00:18:ba:d8:4c:3e

switch(config-vdc)# show vdc detail
vdc id: 1
vdc name: switch
vdc state: active
vdc mac address: 00:18:ba:d8:4c:3d
vdc ha policy: RESET

vdc id: 2
vdc name: CiscoLive2008
vdc state: active
vdc mac address: 00:18:ba:d8:4c:3e
vdc ha policy: BRINGDOWN


Virtual Device Contexts: VDC Resource Assignment

The Default Resource Allocation Can Be Changed from the CLI—An Example Follows…

This Example Shows How the Minimum Number of VLANs Allocated to the CiscoLive 2008 VDC Is Changed from 16 to 32…

switch(config)# vdc CiscoLive2008
switch(config-vdc)# limit-resource vlan minimum 32 maximum 4094
switch(config-vdc)# show run | begin vdc
<snip>
vdc CiscoLive2008 id 2
  template default
  hap bringdown
  limit-resource vlan minimum 32 maximum 4094
  limit-resource span-ssn minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 256
  limit-resource glbp_group minimum 0 maximum 4096

<snip>


Virtual Device Contexts: Resource Templates

Resource Templates Are Another Option for Assigning a Resource Allocation to Each VDC—An Example of This Is Shown Below…

switch(config)# vdc resource template N7Kswitch
switch(config-vdc-template)# limit-resource vlan minimum 32 maximum 256
switch(config-vdc-template)# limit-resource vrf minimum 32 maximum 64
switch(config-vdc-template)# exit
switch(config)# vdc CiscoLive2008 template N7Kswitch
switch(config-vdc)# show vdc resource template
template ::N7Kswitch
--------

Resource      Min    Max
----------    -----  -----
vrf           32     64
vlan          32     256

template ::default
--------

Resource      Min    Max
----------    -----  -----
glbp_group    0      4096
port-channel  0      256
span-ssn      0      2
vlan          16     4094
vrf           16     8192

switch(config-vdc)#


Virtual Device Contexts: VDC and Interface Allocation

[Figure: a 32-port 10GE module with groups of ports assigned to VDC A, VDC B and VDC C]

Ports Are Assigned on a per VDC Basis and Cannot Be Shared Across VDCs

Once a Port Has Been Assigned to a VDC, All Subsequent Configuration Is Done from Within That VDC…

Virtual Device Contexts: VDC Resource Utilization (Layer 2)

[Figure: Linecard 1, Linecard 2 and Linecard 3, each with its own MAC table, joined by the Switch Fabric; ports 1/1 to 1/4, 2/1 to 2/4 and 3/1 to 3/4 are divided among VDC 10, VDC 20 and VDC 30. MAC Address A appears in two of the MAC tables and is crossed out (X) on the third.]

MAC “A” Is Propagated to Linecard 2 and 3 but Only Linecard 2 Installs MAC Due to Local Port Being In VDC 10

Layer 2 Learning with Multiple Active VDCs Also Has an Impact on Resource Utilization—MAC Addresses Learnt in a VDC Are Only Propagated to Other Linecards When That Linecard Has a Port in That VDC


Virtual Device Contexts: VDC Resource Utilization (Layer 3)

When Only the Default VDC Is Active, the FIB and ACL TCAM on Each Linecard Is Primed with Forwarding Prefixes and Policies Associated with That Default VDC as Shown Below

[Figure: Linecards 1 through 8, each with a FIB TCAM and an ACL TCAM; the capacities shown on each linecard are 128K and 64K]


Virtual Device Contexts: VDC Resource Utilization (Layer 3)

When Physical Port Resources Are Split Between Multiple VDCs, Then Only Linecards That Have Ports Associated with a Given VDC Have Local TCAMs Primed with FIB and Policy Information

Let’s See How This Setup Impacts TCAM Resource Allocation on the Same Chassis Assuming the Following Breakup Shown Below

VDC Number  Number of Routes  Number of ACEs  Allocated Linecards
10          100K              50K             Linecard 1 and 2
20          10K               10K             Linecard 1, 2, 3, 5
30          90K               40K             Linecard 3 and 5


Virtual Device Contexts: VDC Resource Utilization (Layer 3)

[Figure: Linecards 1 through 8, each with a FIB TCAM and an ACL TCAM (capacities shown: 128K and 64K), marked with the VDCs that occupy them: VDC 10, VDC 20, VDC 30]

FIB and ACL TCAM Resources Are More Effectively Utilized


Common Data Center challenges

Traditional Data Center Designs Are Requiring Ever Increasing Layer 2 Adjacencies Between Server Nodes Due to Prevalence of Virtualization Technology. However, They Are Pushing the Limits of Layer 2 Networks, Placing More Burden on Loop-Detection Protocols Such as Spanning Tree…

L2/L3 Core

L2 Distribution

L2 Access

Dual-Homed Servers to Single Switch, Single Active Uplink per VLAN (PVST), L2 Reconvergence

Single Active Uplink per VLAN (PVST), L2 Reconvergence, Excessive BPDUs

FHRP, HSRP, VRRP

Spanning Tree

Policy Management


Virtual Switch System at Data Center

A Virtual Switch-Enabled Data Center Allows for Maximum Scalability so Bandwidth Can Be Added When Required, but Still Providing a Larger Layer 2 Hierarchical Architecture Free of Reliance on Spanning Tree…

L2/L3 Core

L2 Distribution

L2 Access

Dual-Homed Servers, Single Active Uplink per VLAN (PVST), Fast L2 Convergence

Dual Active Uplinks, Fast L2 Convergence, Minimized L2 Control Plane, Scalable

Single Router Node, Fast L2 Convergence, Scalable Architecture


Introduction to Virtual Switch: Concepts

Virtual Switch System Is a New Technology Breakthrough for the Cisco Catalyst 6500 Family


Virtual Switch Architecture: Forwarding Operation

Virtual Switch Domain

Control Plane: Switch 1 Active, Switch 2 Hot Standby

Data Plane: Switch 1 Active, Switch 2 Active

In Virtual Switch Mode, While Only One Control Plane Is Active, Both Data Planes (Switch Fabrics) Are Active, and as Such, Each Can Actively Participate in the Forwarding of Data


Virtual Switch Architecture: Virtual Switch Link

The Distance of VSL Link Is Limited Only by the Chosen 10 Gigabit Ethernet Optics. VSLs Can Carry Regular Data Traffic in Addition to the Control Plane Communication.

The Virtual Switch Link Is a Special Link Joining Each Physical Switch Together—It Extends the Out of Band Channel Allowing the Active Control Plane to Manage the Hardware in the Second Chassis


EtherChannel Concepts: Multichassis EtherChannel (MEC)

[Figure: Regular EtherChannel on Single Chassis beside Multichassis EtherChannel Across Two VSL-Enabled Chassis (Virtual Switch)]

LACP, PAGP, or ON EtherChannel Modes Are Supported…

Prior to Virtual Switch, EtherChannels Were Restricted to Reside Within the Same Physical Switch. In a Virtual Switch Environment, the Two Physical Switches Form a Single Logical Network Entity—Therefore EtherChannels Can Now Also Be Extended Across the Two Physical Chassis


EtherChannel Concepts: EtherChannel Hash for MEC

Blue Traffic Destined for the Server Will Result in Link A1 in the MEC Link Bundle Being Chosen as the Destination Path…

Orange Traffic Destined for the Server Will Result in Link B2 in the MEC Link Bundle Being Chosen as the Destination Path…

[Figure: a Server attached to the virtual switch by a MEC whose members include Link A1 and Link B2]

Deciding on Which Link of a Multichassis EtherChannel to Use in a Virtual Switch Is Skewed in Favor Towards Local Links in the Bundle—This Is Done to Avoid Overloading the Virtual Switch Link (VSL) with Unnecessary Traffic Loads


MEC—Layer 3 Packet Flow

[Figure: hosts A and B attach to Switch 1 (Port 1) and Switch 2 (Port 2); Po1 and Po2 connect the switches over uplinks U1 to U5 to the Virtual Switch formed by Core 1 (C1) and Core 2 (C2), which are joined by the VSL]

Po1 and Po2 Are Layer 3 MECs

Po1 Members—U1, U3
Po2 Members—U2, U4, U5

Switch 1 Forwards an IP Packet Through Po1. Virtual Switch Learns the IP Route Through Po2.

MEC—Layer 3 Packet Flow

Core1 Receives the Packet Through U1 Based on the RBH Chosen on Switch 1.

Core1 Does an IP Lookup and Selects the Port-Channel Po2.

MEC—Layer 3 Packet Flow

Lookup for Po2 Selects the Member U2 for All the RBH Values.

Packet Exits via U2.

MEC—Layer 3 Packet Flow

Let's SHUTDOWN the Port U2, Turning MEC into a Regular Port-Channel with Members U4 and U5.

Lookup for Po2 on Core 1 Selects the VSL Port-Channel as Exit Point.

MEC—Layer 3 Packet Flow

Lookup for Po2 on Core 2 Selects U4 (or) U5 as Exit Point Based Upon the RBH Value for the Flow.

MEC—Layer 3 Packet Flow

Now, “no shut” U2 and Shut Down U1. Po2 Is a MEC Again. Traffic Enters Core2 Through U3. Lookup for Po2 on Core 2 Selects U4 (or) U5 as Exit Point Based Upon the RBH Value for the Flow.

MEC—Layer 2 Packet Flow

[Figure: hosts A and B attach to Switch 1 (Port 1) and Switch 2 (Port 2); Po1 and Po2 connect the switches over uplinks U1 to U4 to the Virtual Switch formed by Core 1 (C1) and Core 2 (C2), which are joined by the VSL. MAC table entry shown: A port1]

1st) A Transmits Packet to B.
2nd) Switch 1 Forwards Packets Out of Po1.
3rd) Core1 Receives the Packet. Core1 Learns A Is on Port 1.

MEC—Layer 2 Packet Flow

4th) Core1 Performs Lookup on B
Core1 Floods Packet Due to Miss
Flood Index Selects Port 2 and VSL
MEC LTL Index Selects U2

MEC—Layer 2 Packet Flow

5th) S2 Receives Packet from U2
S2 Transmits Packet Out Port2 to B

MEC—Layer 2 Packet Flow

C2 Receives Packet from VSL
C2 Learns A Is on Port 1
C2 Performs Lookup for B
C2 Floods Due to Miss
Flood Excludes U4 Since It Is a Multichassis Bundle and Packet Came from VSL

MEC—Layer 2 Packet Flow

1st) B Transmits a Packet to A.
2nd) Virtual Switch Receives the Packet Through U4.
3rd) C2 Receives the Packet. C2 Learns B Is on Port 2.

[Figure: MAC table entries shown: A port1 on one core; A port1 and B port2 on the other]

MEC—Layer 2 Packet Flow

4th) C2 Performs Lookup for A and Selects Port1
Port1 LTL Index Selects U3
C2 Transmits the Packet

5th) S1 Receives the Packet and Transmits It to A on Port 1

Hardware Requirements: VSL Hardware Requirements

The Virtual Switch Link Requires Special Hardware as Noted Below…

Hardware Requirements: Other Hardware Considerations

12.2 (33) SXH

Virtual Switch System at Data Center: Benefits


Aggregation Services Design Options

[Figure: the virtualized data center infrastructure topology (DC Core, DC Aggregation, DC Access, WAN, SAN A/B storage core), marking two options for aggregation services: One-Arm Service Switches and Embedded Service Modules]


ACE Virtual Partitioning: System Separation for Server Load Balancing and SSL

Traditional Device
  Single configuration file
  Single routing table
  Limited RBAC
  Limited resource allocation

Cisco Application Infrastructure Control: One Physical Device, Multiple Virtual Systems (Dedicated Control and Data Path)
  Distinct context configuration files
  Separate routing tables
  RBAC with contexts, roles, domains
  Management and data resource control
  Independent application rule sets
  Global administration and monitoring

[Figure: a traditional device shown as 100% beside a partitioned device split 25%, 25%, 20%, 15%, 15%]


ACE Virtual Partitions: Resource Control

Guaranteed Rates
  Bandwidth
  Data connections/sec
  Management connections/sec
  SSL bandwidth
  Syslogs/sec

Guaranteed Memory
  Access lists
  Regular expressions
  # Data connections
  # Management connections
  # SSL connections
  # Xlates
  # Sticky entries

Guaranteed resource levels for each context with support for oversubscription


Firewall Service Module (FWSM): Virtual Firewalls

e.g., three customers, three security contexts—scales up to 250

VLANs can be shared if needed (VLAN 10 on the right-hand side example)

Each context has its own policies (NAT, access-lists, fixups, etc.)

FWSM supports routed (Layer 3) or transparent (Layer 2) virtual firewalls at the same time

[Figure: two Cisco Catalyst 6500 examples, each with Core/Internet, the MSFC and an FWSM running three virtual firewalls (VFW) for customers A, B and C. Left: VLANs 10, 20, 30 and VLANs 11, 21, 31. Right: VLAN 10 shared by all three contexts, with VLANs 11, 21, 31.]


FWSM—Virtual Firewall Resource Limiter

In system mode, classes can be defined

Individual contexts are then mapped to classes

Within a class, limits can be applied to specific resources such as: (use “show resource types” for up-to-date list)

Rate Limited
  Conns    CPS
  Fixups   Fixups/sec
  Syslogs  Syslogs/sec

Absolute Limits
  Conns    Connections
  Hosts    Hosts
  IPSec    IPSec Mgmt Tunnels
  SSH      SSH Sessions
  Telnet   Telnet Sessions
  Xlates
  MAC-entries
  ALL

Limits specified as integer or %; 0 means no limit

Resources can be oversubscribed: e.g., class assigns max 10% of resources, but 50 contexts are mapped to it


Data Center Virtualized Services: Combination Example

[Figure: four business units (BU-1 to BU-4) connected through stacked layers: “Front-End” VRFs (MSFC), Firewall Module Contexts, ACE Module Contexts, “Back-End” VRFs (MSFC) and Server Side VLANs, with numbered paths 1 to 4 and per-layer VLAN labels. Legend: vX = VLAN X; BU = Business Unit.]


Virtualized Services Example: Modules and VLANs Association

svclc multiple-vlan-interfaces
firewall multiple-vlan-interfaces

svclc vlan-group 1 1201-1210
svclc vlan-group 2 1301-1310
svclc vlan-group 3 1401-1410

firewall module 7 vlan-group 1,2
svclc module 4 vlan-group 2,3

ACE/Admin# show vlans
Vlans configured on SUP for this module
vlan1301-1310 vlan1401-1410
ACE/Admin#

FWSM# show vlan
1201-1210, 1301-1310
FWSM#

cse-6509a# show module 7
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  7     6 Firewall Module                        WS-SVC-FWM-1       SAD0930052K

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  7 0014.a90c.987a to 0014.a90c.9881   3.0    7.2(1)       3.2(0)67     Ok

Mod  Online Diag Status
---- -------------------
  7  Pass

cse-6509a#
cse-6509a# show module 4
Mod Ports Card Type                              Model              Serial No.
--- ----- -------------------------------------- ------------------ -----------
  4     1 Application Control Engine Module      ACE10-6500-K9      SAD102905V2

Mod MAC addresses                      Hw     Fw           Sw           Status
--- ---------------------------------- ------ ------------ ------------ -------
  4 000a.b870.e43a to 000a.b870.e441   1.1    8.6(0.252-En 3.0(0)A1(4a) Ok

Mod  Online Diag Status
---- -------------------
  4  Pass

cse-6509a#

[Figure: MSFC, FWSM and ACE with vlan-group1, vlan-group2 and vlan-group3]


Virtualized Services Example: Modules and VLANs Association (Cont.)

svclc multiple-vlan-interfaces
firewall multiple-vlan-interfaces

svclc vlan-group 1 1201-1210
svclc vlan-group 2 1301-1310
svclc vlan-group 3 1401-1410

firewall module 7 vlan-group 1,2
svclc module 4 vlan-group 2,3

FWSM#
admin-context admin
!
context admin
  allocate-interface Vlan1210
  allocate-interface Vlan1310
  config-url disk:/admin.cfg
!
context INTERNET
  allocate-interface Vlan1201
  allocate-interface Vlan1301
  allocate-interface Vlan1302
  config-url disk:/INTERNET.cfg
!
context INTRANET
  allocate-interface Vlan1205
  allocate-interface Vlan1305
  config-url disk:/INTRANET.cfg

ACE/Admin#
context INTERNET1
  description *** INTERNET (WEB TIER)
  allocate-interface vlan 1301
  allocate-interface vlan 1401
!
context INTERNET2
  description *** INTERNET (APPLICATION TIER)
  allocate-interface vlan 1302
  allocate-interface vlan 1402
!
context INTRANET
  description *** INTRANET
  allocate-interface vlan 1305
  allocate-interface vlan 1405

ACE/INTERNET1# show run | i vlan
Generating configuration....
interface vlan 1301
interface vlan 1401

ACE/INTERNET2# show run | i vlan
Generating configuration....
interface vlan 1302
interface vlan 1402

ACE/INTRANET# show run | i vlan
Generating configuration....
interface vlan 1305
interface vlan 1405

FWSM/admin# show run | i Vlan
interface Vlan1210
interface Vlan1310

FWSM/INTERNET# show run | i Vlan
interface Vlan1201
interface Vlan1301
interface Vlan1302

FWSM/INTRANET# show run | i Vlan
interface Vlan1205
interface Vlan1305
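An added example, not part of the original presentation: a Python check that cross-references the supervisor's vlan-group assignments with the per-context allocate-interface lines from the two slides above. It reports VLANs a context uses that were never delivered to its module, VLANs allocated to more than one context on a module, and which FWSM context hands traffic to which ACE context. The function names and finding labels are hypothetical; the configuration text is copied from the slides.

```python
import re
from collections import defaultdict

# Configuration lines as shown on the slides (sample input for this example).
SUP_CONFIG = """\
svclc vlan-group 1 1201-1210
svclc vlan-group 2 1301-1310
svclc vlan-group 3 1401-1410
firewall module 7 vlan-group 1,2
svclc module 4 vlan-group 2,3
"""
FWSM_CONFIG = """\
admin-context admin
context admin
  allocate-interface Vlan1210
  allocate-interface Vlan1310
  config-url disk:/admin.cfg
context INTERNET
  allocate-interface Vlan1201
  allocate-interface Vlan1301
  allocate-interface Vlan1302
context INTRANET
  allocate-interface Vlan1205
  allocate-interface Vlan1305
"""
ACE_CONFIG = """\
context INTERNET1
  allocate-interface vlan 1301
  allocate-interface vlan 1401
context INTERNET2
  allocate-interface vlan 1302
  allocate-interface vlan 1402
context INTRANET
  allocate-interface vlan 1305
  allocate-interface vlan 1405
"""


def expand(spec):
    """Turn '1201-1210,1301' into the set of integers it names."""
    values = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values


def module_vlans(sup_config):
    """Map module number -> VLANs the supervisor delivers to that module."""
    lines = sup_config.splitlines()
    groups = {}
    for line in lines:
        m = re.match(r"\s*svclc vlan-group (\d+) (\S+)", line)
        if m:
            groups[int(m.group(1))] = expand(m.group(2))
    modules = defaultdict(set)
    for line in lines:
        m = re.match(r"\s*(?:firewall|svclc) module (\d+) vlan-group (\S+)", line)
        if m:
            for group in expand(m.group(2)):
                modules[int(m.group(1))] |= groups.get(group, set())
    return dict(modules)


def context_vlans(module_config):
    """Map context name -> VLANs allocated to it (FWSM or ACE syntax)."""
    contexts, current = {}, None
    for line in module_config.splitlines():
        m = re.match(r"\s*context (\S+)", line)   # 'admin-context' does not match
        if m:
            current = contexts.setdefault(m.group(1), set())
            continue
        m = re.match(r"\s*allocate-interface [Vv]lan\s*(\d+)", line)
        if m and current is not None:
            current.add(int(m.group(1)))
    return contexts


def audit(delivered, contexts):
    """Return (label, vlan, context) findings for one module."""
    findings, owners = [], defaultdict(list)
    for ctx, vlans in contexts.items():
        findings += [("not-delivered", v, ctx) for v in sorted(vlans - delivered)]
        for v in vlans:
            owners[v].append(ctx)
    for v, ctxs in sorted(owners.items()):
        if len(ctxs) > 1:                          # shared VLAN: review intent
            findings.append(("shared", v, ",".join(sorted(ctxs))))
    return findings


def handoffs(fw_contexts, ace_contexts):
    """Map VLAN -> [(FWSM context, ACE context)] pairs joined by that VLAN."""
    links = {}
    for fw, fw_vlans in fw_contexts.items():
        for ace, ace_vlans in ace_contexts.items():
            for v in sorted(fw_vlans & ace_vlans):
                links.setdefault(v, []).append((fw, ace))
    return links


if __name__ == "__main__":
    delivered = module_vlans(SUP_CONFIG)
    fw, ace = context_vlans(FWSM_CONFIG), context_vlans(ACE_CONFIG)
    print("FWSM findings:", audit(delivered[7], fw))
    print("ACE findings:", audit(delivered[4], ace))
    for vlan, pairs in sorted(handoffs(fw, ace).items()):
        print(f"VLAN {vlan}: {pairs}")
```

On the slide configuration both modules audit clean, and VLANs 1301, 1302 and 1305 are the only hand-off points between firewall and ACE contexts.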


Virtualized Services: Cisco ACE and FWSM Virtualized

[Figure: Cisco ACE and Cisco FWSM in front of ESX servers hosting virtual machines (Bank Apps, Microsoft, Oracle, Microsoft Outlook) and an online bank application (SSL offloading required). Callouts: App Has Capacity Available; Ideal Isolation.]


Increasing HA in the Data Center: Common NIC Teaming Configurations

AFT (Adapter Fault Tolerance)
  Eth0: Active, Eth1: Standby
  On failover, Src MAC Eth1 = Src MAC Eth0 and IP Address Eth1 = IP Address Eth0

SFT (Switch Fault Tolerance)
  Eth0: Active, Eth1: Standby
  On failover, Src MAC Eth1 = Src MAC Eth0 and IP Address Eth1 = IP Address Eth0

ALB (Adaptive Load Balancing)
  Eth0: Active, Eth1-X: Active
  One port receives, all ports transmit
  Incorporates fault tolerance
  One IP address and multiple MAC addresses

[Figure: three teamed servers, each with IP 10.2.1.14 and default gateway 10.2.1.1 (HSRP); heartbeats run between the teamed NICs; MAC addresses shown are 0007.e910.ce0f and 0007.e910.ce0e.]

Note: NIC manufacturer drivers are changing and may operate differently. Also, server operating systems have started integrating NIC teaming drivers, which may operate differently.

Note: You can bundle multiple links to generate higher throughput between servers and clients.


Virtual Switch System Deployment Scenario at Data Center Access Layer


Enhanced Ethernet: PFC and DCBCXP

Priority Flow Control
  Enables lossless fabrics for each class of service
  PAUSE sent per virtual lane when buffers limit exceeded

Data Center Bridging Capability eXchange Protocol
  Handshaking negotiation for:
    CoS BW management
    Priority Flow Control (PFC)
    Congestion management (BCN/QCN)
    Application (user_priority usage)
    Logical link down

[Figure: transmit queues and receive buffers on either side of an Ethernet link divided into eight virtual lanes (One to Eight), with a STOP/PAUSE signal on one lane; device labels: NuovaSwitch, Nexus 5000]


Nexus 5000 Ethernet Host Virtualizer

Eliminates need for spanning tree protocol on uplink bridge ports

Reduces CPU load on upstream switches

Allows multiple active uplinks from Nexus 5000 switch to network

Doubles effective bandwidth vs. STP

Prevents loops by pinning a MAC address to only one port

Completely transparent to next hop switch

[Figure: Nexus 5000 running Ethernet Host Virtualizer with active-active uplinks to the LAN; MAC A and MAC B are each pinned to one uplink]


Pinning

Border interface

Server interface


Server Virtualization Scenarios

Hardware-based virtualization

Software-based virtualization
  Hosted (application virtualization)
  Hypervisor
    Full virtualization (binary translation)
    Para-virtualization (OS assisted)
    Hardware-assisted virtualization (Intel VT-x/AMD-V)

[Figure: hosted model (apps on guest OSes, running on virtualization software on a host operating system on x86 hardware) beside hypervisor model (management partition and guest OSes with apps, running on a hypervisor on x86 hardware)]


Software-Based Virtualization (Examples)

Full Virtualization (hypervisor)
  Examples
    VMware ESX server
    Microsoft Hyper-V
    Xen (with AMD-SVM or Intel VM-T)
    Virtual Iron (hardware-assisted)

Para-Virtualization (hypervisor)
  Examples
    Xen (with traditional hardware)
    Oracle VM server

Application Virtualization
  Examples
    VMware server
    VMware workstation


VMware ESX Architecture in a Nutshell

[Figure: ESX Server host. Virtual machines (App. on OS) and the console OS run on the VM virtualization layer over the physical hardware (CPU, memory); the host attaches to the production network, the management network and the VM kernel network.]


VMware Networking Components

Per ESX Server Configuration

[Figure: VMs (VM_LUN_0005, VM_LUN_0007) attach through vNICs to virtual ports on a vSwitch (vSwitch0); vmnic0 and vmnic1 are the uplinks (VMNICS = Uplinks)]


VMware Networking Components (Cont.)


vSwitch Overview

Software implementation of an Ethernet switch

How is it like a switch:
  MAC addr forwarding
  VLAN segmentation

How is it different:
  No need to learn MAC addresses: it knows the address of the connecting vNICs
  No participation in spanning tree

[Figure: ESX server with VM1, VM2, the service console and the VMkernel NIC attached through virtual NICs to vSwitch A and vSwitch B, which uplink through physical NICs to physical switches. Callouts: no loop in ESX without a bridging VM; no trunk between vSwitches.]


vSwitch Forwarding Characteristics

Forwarding based on MAC address (no learning): traffic that doesn’t match a VM MAC is sent out to a vmnic

VM-to-VM traffic stays local

vSwitches tag traffic with an 802.1q VLAN ID

vSwitches are 802.1q-capable

vSwitches can create EtherChannels


VMware Best Practices: VST is Preferred


Meaning of NIC Teaming in VMware

[Figure: ESX Server host with vNICs attached to vSwitches whose uplinks are the ESX server NIC cards vmnic0 to vmnic3. Callouts: NIC Teaming (twice); This Is Not NIC Teaming.]


Meaning of NIC Teaming in VMware (2)

This is NOT Teaming

Teaming is Configured at The vmnic Level


Virtual Storage Area Network Deployment

Consolidation of SAN islands
  Increased utilization of fabric ports with just-in-time provisioning

Deployment of large fabrics
  Dividing a large fabric in smaller VSANs
  Disruptive events isolated per VSAN
  RBAC for administrative tasks
  Zoning is independent per VSAN

Advanced traffic management
  Defining the paths for each VSAN
  VSANs may share the same EISL
  Cost effective on WAN links

Resilient SAN extension

Standard solution (ANSI T11 FC-FS-2 section 10)

[Figure: SAN islands for Department A, Department B and Department C beside Virtual SANs (VSANs) for the same three departments]


VSAN Advantages for Consolidation

Overlay Isolated Virtual Fabrics (VSANs) on Same Physical Infrastructure

Attribute                             SAN Islands   Consolidated SANs
Number of SAN Switches                More          Fewer
Share Disk/Tape                       No            Yes
Share DR Facilities                   No            Yes
SAN Management                        Complex       Simple
Support Virtualization and Mobility   Very hard     Easy

[Figure: separate OLTP, E-Mail and Backup SAN islands beside one physical infrastructure carrying an OLTP VSAN, an E-Mail VSAN and a Backup VSAN]


VSAN Technology

The Virtual SANs Feature Consists of Two Primary Functions

Hardware-based isolation of tagged traffic belonging to different VSANs

Create independent instance of fiber channel services for each newly created VSAN; services include:

[Figure: two Cisco MDS 9000 Family switches with the VSAN service, each running separate Fibre Channel services for the Blue VSAN and the Red VSAN. Callouts: VSAN header is added at ingress point indicating membership; no special support required by end nodes; Trunking E_Port (TE_Port) on each switch; Enhanced ISL (EISL) trunk carries tagged traffic from multiple VSANs; VSAN header is removed at egress point.]


Inter VSAN Routing

Similar to L3 interconnection between VLANs

Allows sharing of centralized storage services such as tape libraries and disks across VSANs, without merging separate fabrics (VSANs)

Network address translation allows interconnection of VSANs without a predefined addressing schema

[Figure: Engineering (VSAN_1), Marketing (VSAN_2) and HR (VSAN_3), each with VSAN-specific disk, reach tape in VSAN_4 through IVR]


N-Port ID Virtualization (NPIV)

Mechanism to assign multiple N_Port_IDs to a single N_Port

Allows all the access control, zoning, and port security (PSM) to be implemented at the application level

Multiple N_Port_IDs are allocated in the same VSAN

[Figure: an application server running E-Mail, Web and File Services connects to one F_Port on the FC switch; Email I/O uses N_Port_ID 1, Web I/O uses N_Port_ID 2 and File Services I/O uses N_Port_ID 3]


NPIV Usage Examples

‘Intelligent Pass-Thru’
  [Figure: FC hosts attach to an NPV edge switch, whose NP_Port connects to an F_Port]

Virtual Machine Aggregation
  [Figure: virtual machines share an NPIV-enabled HBA connected to an F_Port]


NPIV Configuration Example

NPIV Is Enabled Switchwide with the Command:

npiv enable

Notice that an F-port supports multiple logins


Virtual Servers Share a Physical HBA

A zone includes the physical HBA and the storage array

Access control is delegated to the storage array’s “LUN masking and mapping”; it is based on the physical HBA pWWN and is the same for all VMs

The hypervisor is in charge of the mapping; errors may be disastrous

[Figure: virtual servers on a hypervisor share one physical HBA (pWWN-P) and a single login on a single point-to-point connection to the MDS9000; the zone and the FC name server contain pWWN-P; the storage array performs LUN mapping and masking]


Virtual Server Using NPIV and Storage Device Mapping

Virtual HBAs can be zoned individually

“LUN masking and mapping” is based on the virtual HBA pWWN of each VM

Very safe with respect to configuration errors

Only supports RDM

Available in ESX 3.5

[Figure: each virtual server has its own mapping and virtual HBA (pWWN-1 to pWWN-4) on top of the physical HBA (pWWN-P); multiple logins share a single point-to-point connection to the MDS9000; the FC name server lists pWWN-P, pWWN-1, pWWN-2, pWWN-3 and pWWN-4; the storage array maps storage to pWWN-1, pWWN-2, pWWN-3 and pWWN-4]


N-Port Virtualization (NPV): An Overview

NPV Device Uses the Same Domain(s) as the NPV-Core Switch(es)

Solves the Domain-id Explosion Problem

Can Have Multiple Uplinks, on Different VSANs (Port Channel and Trunking in a Later Release)

Up to 100 NPV Switches

NPV-Core Switch (MDS or Third-Party Switch with NPIV Support)

Server Port (F) (No FL Ports)

[Figure: blade servers 1 to n (initiators) attach to server F-ports on an NPV device (Cisco MDS in a blade chassis, MDS 9124, MDS 9134); its NP-ports connect to F-ports on the NPV-core switch, which reaches the FC target. Labels: VSAN 5, VSAN 10, VSAN 15; FC IDs 10.1.1, 10.5.2, 10.5.7, 20.2.1, 20.5.1]


Domain ID Scalability: NPV Solves the Issue

Eliminates Domain ID for MDS FC switch in blade enclosures (HBA model)

Server ports automatically assigned to NP ports (load balancing algorithm)

Need to configure the same VSAN between NP ports and core F-ports

When F-trunking becomes available, the limitation of a single VSAN per link will go away

[Figure: Server 1 to Server N (N-ports) in a blade chassis attach to F-ports on FC blade switch 1 and FC blade switch 2, whose NP ports connect to F-ports on an NPIV-enabled switch (e.g., MDS switch) in the SAN fabric]


VMware Support: Nested NPIV FLOGI/FDISC Login Process

When an NP port comes up on an NPV edge switch, it first performs FLOGI and PLOGI into the core to register with the FC name server

An end device connected to the NPV edge switch sends FLOGI, but the NPV switch converts the FLOGI to an FDISC command, creating a virtual PWWN for the end device and allowing it to log in through the physical NP port

NPIV-capable devices connected to the NPV switch continue the FDISC login process for all virtual PWWNs, which go through the same NP port as the physical end device

[Figure: FC hosts attach to F ports on the NPV edge switch, whose NP ports connect to F ports on the NPV-core switch; the FC name server (FCNS) lists pWWN1, pWWN2, pWWN3 and pWWN4]


FlexAttach

FlexAttach (based on WWN NAT)
  Each blade switch F-Port assigned a virtual WWN
  Blade switch performs NAT operations on real WWN of attached server

Benefits
  No SAN reconfiguration required when new blade server attaches to blade switch port
  Provides flexibility for server administrator, by eliminating need for coordinating change management with networking team
  Reduces downtime when replacing failed blade servers

[Figure: a blade server chassis (Blade 1 to Blade N, plus a new blade) attaches through an NPV blade switch with FlexAttach to the SAN and storage. Callouts: Flexibility for Adds, Moves, and Changes; No Blade Switch Config Change; No Switch Zoning Change; No Array Configuration Change.]


FlexAttach: Since SANOS 3.2(2)

Creation of virtual PWWN on NPV switch F-port
Zone vPWWN to storage
LUN masking is done on vPWWN
Can swap blade server or replace physical HBA
  No need for zoning modification
  No LUN masking change required
Automatic link to new PWWN
  No manual relinking to new PWWN is needed

[Figure: FlexAttach point (virtual PWWN). Before: Server 1 with PWWN 1 on FC1/1, presented as vPWWN1. After: Server 1 with PWWN 2 on FC1/1, still presented as vPWWN1.]


VMotion and Virtual HBAs: VM Migration with Emulex HBA

Dynamic migration relocates VMs to available resources
  By operator
  Automatic load balancing
  HA and DR

Enhanced VMotion in ESX 3.5
  Tear down initial virtual port
  Reregisters same address on another server

Enhanced VMotion preserves access configuration
  Zoning
  LUN masking
  VSAN selective routing
  Fabric QoS priority level

[Figure: Server 1 (hypervisor with VMs A, B, C and NPIV HBAs) is out of resources; selected apps and their FC access move to Server 2 (hypervisor with VMs D, E, B and NPIV HBAs) across the VSANs]


Validated Solution from Cisco, Emulex, and VMware

Cisco MDS directors and switches with NPIV (SAN OS 3.0 and later)

Emulex 4G HBAs

VMware ESX 3.5

Jointly tested and validated by three companies


Unified I/O (FCoE): Fewer HBA/NICs per Server

[Figure: a server with separate FC HBAs to the SAN (FC) and NICs to the LAN (Ethernet), beside a server whose CNAs carry both SAN (FCoE) and LAN (Ethernet) traffic]

CNA = Converged Network Adapter


Fiber Channel over Ethernet: How It Works

Direct mapping of fiber channel over Ethernet

Leverages standards-based extensions to Ethernet to provide reliable I/O delivery
  Priority flow control
  Data Center Bridging Capability eXchange Protocol (DCBCXP)

[Figure: (a) Protocol Layers: the FC stack (FC-0 to FC-4) beside the FCoE stack (FC-2, FC-3 and FC-4 over the FCoE mapping, MAC and PHY). (b) Frame Encapsulation: the FC frame (SOF, frame contents, CRC, EOF) is carried as the Ethernet payload between the Ethernet header and the Ethernet FCS. A 10GE lossless Ethernet link carries FCoE traffic and other networking traffic.]


FCoE Enablers

10 Gbps Ethernet

Lossless Ethernet
  Matches the lossless behavior guaranteed in FC by B2B credits

Ethernet jumbo frames
  Max FC frame payload = 2112 bytes

[Figure: FCoE frame layout: Ethernet header, FCoE header, FC header, FC payload, CRC, EOF, FCS. Callouts: Normal Ethernet Frame, Ethertype = FCoE; Control Information: Version, Ordered Sets (SOF, EOF); Same as a Physical FC Frame.]
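An added example, not part of the original presentation: a Python sketch that builds and parses the encapsulation pictured above and shows why a full 2112-byte FC payload does not fit a standard 1500-byte Ethernet payload. It assumes the FC-BB-5 layout (EtherType 0x8906, 14-byte FCoE header ending in the SOF code, EOF code plus 3 reserved bytes as trailer) and the SOF/EOF code values of RFC 3643; priority 3, the MAC addresses and the function names are assumptions for illustration, and the FC CRC is treated as opaque bytes supplied by the caller.

```python
import struct

FCOE_ETHERTYPE = 0x8906                      # EtherType assigned to FCoE
DOT1Q_ETHERTYPE = 0x8100
SOF_CODES = {"SOFi3": 0x2E, "SOFn3": 0x36}   # class 3 start-of-frame codes
EOF_CODES = {"EOFn": 0x41, "EOFt": 0x42}     # normal / terminating end-of-frame
FC_HEADER_LEN, FC_CRC_LEN = 24, 4
FCOE_HEADER_LEN, FCOE_TRAILER_LEN = 14, 4
MAX_FC_PAYLOAD = 2112                        # figure quoted on the slide
STANDARD_ETH_PAYLOAD = 1500
ETH_FCS_LEN = 4                              # appended by the MAC, not built here


def encapsulate(dst_mac, src_mac, fc_frame, sof="SOFi3", eof="EOFt",
                vlan=None, priority=3):
    """Wrap an FC frame (header + payload + CRC) in an FCoE Ethernet frame."""
    payload_len = len(fc_frame) - FC_HEADER_LEN - FC_CRC_LEN
    if payload_len < 0:
        raise ValueError("FC frame shorter than header + CRC")
    if payload_len > MAX_FC_PAYLOAD:
        raise ValueError("FC payload exceeds 2112 bytes")
    if payload_len % 4:
        raise ValueError("FC payload must be a multiple of 4 bytes")
    header = dst_mac + src_mac
    if vlan is not None:                     # 802.1Q tag carries the PFC priority
        header += struct.pack("!HH", DOT1Q_ETHERTYPE, (priority << 13) | vlan)
    header += struct.pack("!H", FCOE_ETHERTYPE)
    fcoe_header = bytes(13) + bytes([SOF_CODES[sof]])   # version 0, reserved, SOF
    trailer = bytes([EOF_CODES[eof]]) + bytes(3)        # EOF, reserved
    return header + fcoe_header + fc_frame + trailer


def decapsulate(frame):
    """Parse an FCoE frame (without Ethernet FCS) back into its parts."""
    offset = 12
    (ethertype,) = struct.unpack_from("!H", frame, offset)
    vlan = priority = None
    if ethertype == DOT1Q_ETHERTYPE:
        tci, ethertype = struct.unpack_from("!HH", frame, offset + 2)
        vlan, priority = tci & 0x0FFF, tci >> 13
        offset += 4
    offset += 2
    if ethertype != FCOE_ETHERTYPE:
        raise ValueError("not an FCoE frame")
    if frame[offset] >> 4 != 0:
        raise ValueError("unsupported FCoE version")
    sof_names = {code: name for name, code in SOF_CODES.items()}
    eof_names = {code: name for name, code in EOF_CODES.items()}
    sof_code = frame[offset + FCOE_HEADER_LEN - 1]
    eof_code = frame[-FCOE_TRAILER_LEN]
    return {
        "vlan": vlan,
        "priority": priority,
        "sof": sof_names.get(sof_code, hex(sof_code)),
        "eof": eof_names.get(eof_code, hex(eof_code)),
        "fc_frame": frame[offset + FCOE_HEADER_LEN:-FCOE_TRAILER_LEN],
    }


def mtu_required(fc_payload_len):
    """Ethernet payload size needed to carry an FC payload of this length."""
    return (FCOE_HEADER_LEN + FC_HEADER_LEN + fc_payload_len
            + FC_CRC_LEN + FCOE_TRAILER_LEN)


def wire_size(frame):
    """Frame length on the wire once the MAC appends the Ethernet FCS."""
    return len(frame) + ETH_FCS_LEN


if __name__ == "__main__":
    # Constructed sample: zeroed FC header, full-size payload, placeholder CRC.
    dst, src = bytes.fromhex("0efc00010203"), bytes.fromhex("0efc00aabbcc")
    fc = bytes(FC_HEADER_LEN) + b"\xa5" * MAX_FC_PAYLOAD + bytes(FC_CRC_LEN)
    frame = encapsulate(dst, src, fc, vlan=100)
    print("Ethernet payload needed:", mtu_required(MAX_FC_PAYLOAD))
    print("Fits standard MTU:", mtu_required(MAX_FC_PAYLOAD) <= STANDARD_ETH_PAYLOAD)
    print("Tagged frame on the wire:", wire_size(frame), "bytes")
    print("Parsed:", {k: v for k, v in decapsulate(frame).items() if k != "fc_frame"})
```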


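Encapsulation Technologies

[Figure: protocol stacks below Operating System/Applications and the SCSI Layer:
  iSCSI over TCP/IP over Ethernet
  FCP over FCIP over TCP/IP over Ethernet
  FCP over iFCP over TCP/IP over Ethernet
  FCP over FCoE over Ethernet
  FCP over FC
  SRP over IB
Speeds: FC 1, 2, 4, (8), 10 Gbps; Ethernet 1, 10 . . . Gbps; IB 10, 20 Gbps]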


Encapsulation Technologies

[Figure: FCoE stack: OS/Applications, SCSI Layer, FCP, FCoE, E. Ethernet (1, 10 . . . Gbps)]

FCP layer is untouched

Allows same management tools for fiber channel

Allows same fiber channel drivers

Allows same multipathing software

Simplifies certifications

Evolution rather than revolution


Unified I/O Use Case

Today

[Figure: LAN, SAN A, SAN B and management networks; legend: FCoE, Ethernet, FC]


Unified I/O Use Case

Unified I/O
  Reduction of server adapters
  Fewer cables
  Simplification of access layer and cabling
  Gateway-free implementation: fits in installed base of existing LAN and SAN
  L2 multipathing, access to distribution
  Lower TCO
  Investment protection (LANs and SANs)
  Consistent operational model
  One set of ToR switches

[Figure: unified I/O links to an FCoE switch, which connects to the LAN, SAN A, SAN B and management; legend: FCoE, Ethernet, FC]


CNA: I/O Consolidation Adapter

Off the shelf NIC and HBA ASICs from: Qlogic, Emulex

Dual 10 GbE/FCoE ports

Support for native drivers and utilities

Customer certified stacks

Replaces multiple adapters per server

Consolidates 10 GbE and FC on a single interface

Minimum disruption in existing customer environments

[Figure: CNA block diagram: 10 GbE/FCoE ports, a designed multiplexer and FCoE offload protocol engine, FC and 10 GbE ASICs, and the PCIe bus]


FCoE Software Stack

Supported on Intel Oplin 10 GbE Adapters

Software upgrade turns a 10 GbE adapter into an FCoE adapter

Software implementation
  Initiator and target mode
  FCP, FC class 3
  Fully supports Ethernet pause frames (per priority pause)

Supported OS
  Linux: Red Hat and SLES
  Windows

“Free” access to the SAN

[Figure: FCoE software stack (software) on top of an L2 Ethernet NIC (hardware)]

Website: www.Open-FCoE.org
Announcement is: http://lkml.org/lkml/2007/11/27/227


CNAs: View from Operating System

Standard drivers

Same management

Operating system sees:
  2 x 10 Gigabit Ethernet adapter
  2 x 4 Gbps fiber channel HBAs


IO Consolidation: Connecting LAN and SAN on a Single Physical Link

virtual-ethernet interface (veth)
  Paired with host’s Ethernet device
  Configuration point for all Ethernet features

virtual-fc interface (vfc)
  Paired with host’s HBA device
  Configuration point for all fiber channel features

virtual-interface-group (vig)
  Logical representation of a switch port
  Consists of one veth and one vfc
  Configured online or offline
  Bound to physical switch port for deployment

EtherChannel post FCS

[Figure: on the host, SCSI (host0) and IP (eth0) are multiplexed onto one Ethernet link; on the switch, a mux feeds the vig, where the veth leads to Ethernet forwarding (LAN) and the vfc leads to Fiber Channel forwarding (SAN A, SAN B)]


IO Consolidation: Interface Configuration

Create virtual-interface-group and bind to physical interface
switch(config)# interface vig 20
switch(config-if)# bind Ethernet 1/1

Configure virtual-ethernet and virtual-fc
switch(config-if)# interface veth 20/1
switch(config-if)# interface vfc 20/1

[Figure: vig20 (veth20/1, vfc20/1) on Eth1/1; vig30 (veth30/1, vfc30/1) on Eth1/33]


SAN-Based Storage (Block) Virtualization

A SCSI operation from the host is mapped to one or more SCSI operations on the SAN-attached storage

This mapping function is enabled by a network resource

Centralized management

Highly scalable

Works across heterogeneous arrays

Example: LUN concatenation

[Figure: virtualization (volume management) presents a 9 GB virtual volume to production, built from 4 GB and 5 GB LUNs in the storage pool]


Block Level Virtualization Is Enhanced by VSANs

Volume management functionality is provided by the intelligent storage network

The volume management functionality
  Exposes a virtual target to the host to provide storage capacity
  Accesses the storage by means of a virtual initiator

The architecture relies heavily on the VSAN underlying infrastructure to provide the desired level of isolation

High performance is achieved by processing the SCSI control path in software and using application-specific hardware to process the SCSI data path


Distributed Storage Virtualization on VSANs

Front-end VSANs

Virtual targets

Virtual volumes

Virtual initiators

Back-end VSAN

Zoning connects real initiator and virtual target or virtual initiator and real storage

[Diagram: Host-1 and Virtual Target 1 in front-end VSAN 10; Host-3 and Virtual Target 2 in front-end VSAN 20; Virtual Volume 1 and Virtual Volume 2 in the fabric; virtual initiators and the storage arrays in back-end VSAN 50; zones connect each pairing]
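One way to audit a zone set against the isolation model on this slide, as an added example that is not part of the original deck. It is a simplified model rather than switch configuration syntax; the role names, the array and virtual initiator names, and the zone set itself are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Port:
    name: str
    vsan: int
    role: str  # host | virtual_target | virtual_initiator | storage


# Role pairings the slide allows a zone to connect.
ALLOWED = {frozenset({"host", "virtual_target"}),
           frozenset({"virtual_initiator", "storage"})}


def audit_zones(ports, zones):
    """Return (zone, finding) pairs for zones that break the isolation model."""
    by_name = {p.name: p for p in ports}
    findings = []
    for zone, (vsan, members) in zones.items():
        known = [by_name[m] for m in members if m in by_name]
        for m in members:
            if m not in by_name:
                findings.append((zone, f"unknown member {m}"))
        for p in known:
            if p.vsan != vsan:   # member belongs to a different VSAN
                findings.append(
                    (zone, f"{p.name} is in VSAN {p.vsan}, zone is in VSAN {vsan}"))
        roles = frozenset(p.role for p in known)
        if roles not in ALLOWED:  # e.g. a host zoned straight to an array
            findings.append((zone, "disallowed roles: " + "+".join(sorted(roles))))
    return findings


# Ports as labelled on the slide; array and initiator names are constructed.
PORTS = [
    Port("Host-1", 10, "host"), Port("VirtualTarget1", 10, "virtual_target"),
    Port("Host-3", 20, "host"), Port("VirtualTarget2", 20, "virtual_target"),
    Port("VirtualInitiator-A", 50, "virtual_initiator"),
    Port("VirtualInitiator-B", 50, "virtual_initiator"),
    Port("Array-A", 50, "storage"), Port("Array-B", 50, "storage"),
]
# Constructed zone set: three valid zones and two misconfigurations.
ZONES = {
    "z_host1": (10, ["Host-1", "VirtualTarget1"]),
    "z_host3": (20, ["Host-3", "VirtualTarget2"]),
    "z_backend": (50, ["VirtualInitiator-A", "VirtualInitiator-B",
                       "Array-A", "Array-B"]),
    "z_bypass": (50, ["Host-1", "Array-A"]),
    "z_cross": (10, ["Host-1", "VirtualTarget2"]),
}

if __name__ == "__main__":
    for zone, finding in audit_zones(PORTS, ZONES):
        print(zone, "-", finding)
```

The two flagged zones are the cases the design is meant to exclude: a host zoned directly to back-end storage, and a host zoned to a virtual target that lives in another front-end VSAN.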


Sample Use: Seamless Data Mobility

Works across heterogeneous arrays

Nondisruptive to application host

Can be utilized for “end-of-lease” storage migration

Movement of data from one tier class to another tier

[Diagram: Virtualization, Mobility; data moving between Tier 1 and Tier 2 storage]


Agenda

Data Center Virtualization Overview

Front-End Data Center Virtualization

Core Layer: VDC

Aggregation Layer: VSS, Server Load Balancing, Security Services

Access Layer

Server Virtualization

Back-End Virtualization

SAN, HBA, Unified IO (FCoE), Storage

End-to-End Management: VFrame Data Center

[Diagram: front-end virtualization (VDC, VSS, VLAN, VRF, VPNs; virtual network services with virtual firewall, SLB and SSL contexts; virtual machines) and back-end virtualization (vHBA, VSANs, FCoE, CNA; virtual SANs/Unified IO; virtual storage)]


Cisco VFrame Data Center: Network-Driven Service Orchestration

Coordinated Provisioning and Reuse of Physical and Virtualized Compute, Storage, and Network Resources

Operational cost savings

Faster and simpler service orchestration

Robust virtualization scale-out

[Diagram: VFrame Data Center orchestrating a compute pool (hypervisor, VMs), a storage pool (FC) and a network pool]


Adopting VFrame DC Today

Addressing Today’s Challenges While Building SOI Foundation

1. Categorize physical resources into service views

2. Ensure design consistency with standardized infrastructure templates

3. Automate physical provisioning for server virtualization environments

4. Reduce break-fix server support costs with rapid recovery from shared pool

5. Recover failed service with rapid local disaster recovery

6. Provide policy-based dynamic capacity on-demand for applications

[Diagram: traditional silos compared with VFrame DC, where policies drive a storage service view (SAN, NAS), a server service view and a network service view supporting Application Service 1; callouts: Slow Application Performance, Application Degradation or Failure, Rapidly Configure New Application Environment]


Design to Operate Workflow for SOI

Logical, Structured for Ease of Use

[Diagram: workflow stages Discover Resources, Design Service Template, Deploy Service Networks, Operate Policies, across LANs, SAN Infrastructure, Server I/O, Boot OS/Application, L4–L7 and Firewall]

Switch Port Config, VLANs, DHCP, Trunks, SVIs

Zones, VSANs, LUNs, NFS Volumes

Image Mgmt, Remote Boot, VM Mappings

VIPs, LB Policies

Firewall Selection, Firewall Chaining, Firewall Rules

Automated Failover

Policy-Based Resource Optimization

Service Maintenance

Management Integration thru API


Data Center Virtualization via the Network

Service Orchestration

End-to-End Service Provisioning

[Diagram: client, servers and storage connected through LAN, SAN, App Delivery and Security services]


Q and A


Recommended Reading

Continue your Cisco Live learning experience with further reading from Cisco Press

Check the Recommended Reading flyer for suggested books

Available Onsite at the Cisco Company Store


Complete Your Online Session Evaluation

Give us your feedback and you could win fabulous prizes. Winners announced daily.

Receive 20 Passport points for each session evaluation you complete.

Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.

Don’t forget to activate your Cisco Live virtual account for access to all session material on-demand and return for our live virtual event in October 2008.

Go to the Collaboration Zone in World of Solutions or visit www.cisco-live.com.
