Cisco Virtualization Experience Infrastructure Architecture Overview

November 15, 2010

What You Will Learn

Enterprise IT departments are being pressured to control costs, improve manageability, enhance security, and accelerate the deployment of new capabilities, while providing a consistent user experience across a wide range of endpoints. Desktop virtualization (DV) has become a popular solution for addressing these needs. With hosted DV, end user desktop images (operating system, applications, and associated data) are hosted as virtual machines on data center servers. Users can access hosted virtual desktops from many locations through DV appliances, smart phones, tablet computers, laptop and desktop computers, and other clients.

To facilitate the deployment of DV solutions, Cisco has developed the Cisco® Virtualization Experience Infrastructure (VXI) system, an end-to-end architecture for virtualization. Cisco VXI integrates and extends proven Cisco architectures for data centers, borderless networks, and collaboration to provide a comprehensive system for deploying virtualization across the enterprise. Cisco VXI offers a superior collaboration and rich media experience with best-in-class return-on-investment (ROI), by delivering a fully integrated, open, and validated desktop virtualization system.

The Cisco VXI system architecture comprises three fundamental building blocks – the Virtualized Data Center, the Virtualization-Aware Network, and the Virtualized Workplace (Figure 1). The Virtualized Data Center is based on Cisco’s Data Center Business Advantage architecture, which creates data centers that are efficient, agile, and transformative. The Data Center Business Advantage architecture delivers faster service creation, higher efficiency and profitability through simplicity, innovative IT models, and open platforms that preserve customer choice.

Americas Headquarters:

Copyright © 2010 Cisco Systems, Inc. All rights reserved

Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Figure 1 Cisco VXI System Architecture

The Virtualization-Aware Network is based on the Cisco Borderless Networks architecture, which reduces operational complexity and provides services needed to connect anyone, anywhere, on any device. The Virtualized Collaborative Workplace builds on the Cisco Collaboration architecture to extend the reach of the virtual desktop to a wide range of end points, while supporting critical collaboration capabilities such as conferencing and messaging.

This document describes the building blocks and services of the Cisco VXI architecture. Enterprises evaluating desktop virtualization can use this reference architecture to identify the critical products and technologies needed to deploy a successful DV system. This reference architecture is a companion to the Cisco Validated Design (CVD) Guide for Cisco VXI, and provides a foundation for understanding the best practices and design techniques described in that document. The information contained in these documents is derived from extensive end-to-end testing of the Cisco VXI system. The Cisco VXI architecture provides enterprises with a template that facilitates deployment, reduces risk, and accelerates adoption.

Cisco VXI Virtualized Data Center

Data centers have long since evolved from cost centers into critical assets for achieving strategic business goals. The data center takes on even greater importance for enterprises considering desktop virtualization, as these systems rely heavily on the efficient centralization of processing, applications, and data. The optimum data center provides a robust, scalable, integrated, and manageable environment for hosting desktop virtualization, while improving manageability and cost-control. The primary building blocks of the Virtualized Data Center include (1) compute, (2) fabric interconnect and switching, and (3) storage.

[Figure 1 labels: Cisco VXI End-to-End System. Virtualized Collaborative Workplace: Virtualization Endpoints (Cisco Zero Client, Thin Clients, Cius Business Tablets, Ecosystem Thin Clients). Virtualization Aware Network: Branch (Cisco ISR Router, Cisco WAAS), Cisco WAN, Cisco WAAS, Cisco ACE. Virtualized Data Center: Data Center Network (Cisco Nexus, Cisco Catalyst Switch), Connection Broker, Hypervisor hosting Operating System, Apps, and Desktop Virtualization Software, Storage.]

Figure 2 Cisco VXI Virtualized Data Center Building Block

Compute

The compute block provides the processing resources needed to host virtual desktops and applications. In the Cisco VXI architecture, the Cisco Unified Computing System™ (UCS) delivers a high-performance computing resource built especially for virtualized environments. The Cisco UCS extended memory architecture provides enhanced scalability and VM density per server blade, and service profiles enable rapid server provisioning, easy resource pooling, and policy management. The Cisco Unified Computing System supports converged network adapters (CNAs) that accommodate both network-attached storage (NAS) and Fibre Channel–based SANs.

In the Cisco VXI system, each Cisco UCS server supports a hypervisor, which allows virtualized desktops and servers to run as independent virtual machines. Hypervisors facilitate the creation, deployment, and operation of virtual machines, helping ensure that all virtual machines receive a fair share of CPU, memory and I/O resources. The Cisco VXI architecture supports industry-leading hypervisors from ecosystem partners. These hypervisors provide tools for increasing virtual machine density, resource sharing, and migration. The hypervisor also manages storage access for virtual machines.

The Cisco Nexus® 1000V Series Virtual Ethernet Module (VEM) can be deployed alongside the ESXi hypervisor to provide Ethernet switching, traffic isolation, and policy insertion within the virtualized environment. Virtual switching enables virtual machines to communicate directly within the virtualized environment, without being switched through the physical switching infrastructure. The virtual switch also allows policies to be applied directly within the virtualized environment. Multiple VEMs can be deployed as a single virtual distributed switch (VDS), enabling movement of virtual machines across the boundaries of physical servers while remaining in the same Layer 2 and 3 contexts. Since virtual switches are not bound to a physical server, multiple blades can be linked by the same virtual switch.

[Figure 2 labels: Cisco Unified Computing System; Hypervisor; Connection Broker; Desktop Virtualization Software; Operating System; App App App.]

Fabric Interconnect and Switching

The fabric interconnect building block supports networking and storage data flows to and from the compute building block, as well as traffic between server blades. The Cisco UCS 6100 Series Fabric Interconnect terminates Fibre Channel over Ethernet (FCoE) traffic flows from the Cisco UCS blade chassis. Ethernet traffic is separated and forwarded to Network-Attached Storage, and Fibre Channel traffic is forwarded to the appropriate SAN. The fabric interconnect also hosts Cisco UCS Manager, which manages compute and switch fabric resources. The high-speed Cisco Nexus Ethernet switches provide a tightly coupled switching infrastructure for desktop virtualization. These switches are generally installed as redundant pairs to increase availability.

Storage

External storage is used to aggregate the file systems of multiple virtual desktops. In a DV environment, information previously stored on the user’s local PC is instead stored in a shared array in the data center. Each shared array is divided into partitions. These partitions can be shared among servers; however, most organizations isolate virtual machines from other virtualized payloads to enhance security and balance the traffic load.

Cisco VXI supports NAS and SAN-based solutions provided by ecosystem partners. For either storage type, the hypervisor maps incoming storage data to a local storage pool. Virtual desktops can access this pool as if accessing a local hard drive. IP-based storage traffic, originating as Small Computer System Interface over IP (iSCSI) or Network File System (NFS) traffic, is switched as Ethernet traffic to the storage array through Cisco Nexus switches. This traffic terminates on the fabric interconnect, where it is encapsulated into FCoE and forwarded to the Cisco UCS servers. Fibre Channel–based storage traffic originates on a Fibre Channel storage array attached to a Cisco MDS 9000 Family Fibre Channel switch. The Cisco MDS 9000 Family switches allow multiple arrays to talk to multiple hosts (servers) in much the same manner as an Ethernet switch. The Cisco MDS 9000 Family switches connect to Fibre Channel links on the fabric interconnect, which encapsulates traffic into FCoE and passes it to the Cisco UCS servers.

Figure 3 Cisco VXI Virtualized Data Center Detail

Cisco VXI Virtualization-Aware Network

The network plays a critical role in desktop virtualization, as end users connect back to the virtualized data center to access applications and information that formerly resided locally on their laptop computers. The additional transit time across a WAN has the potential to degrade delay-sensitive traffic, such as collaborative video, so it is essential that IT departments carefully plan their network strategies. The network also may need to cope with specialized display protocols used by desktop virtualization solutions.

The network architecture for Cisco VXI is based on Cisco's best practices for deploying campus, WAN, and data center network infrastructures. The network infrastructure can be categorized into three main functions: security, optimization, and availability. Together these functions enable the display protocol to flow over the network. This section discusses the components and features needed for the data center, WAN, campus, branch-office, and teleworker places in the network.

[Figure 3 labels: Data Center. Compute: Virtual Application machine pools (WWW; Email, web services; Directory Service; Unified Communications Manager) and Desktop Virtualization machine pools (User Hosted Virtual Desktops), each on a Hypervisor with a Virtual switch. Fabric Interconnect & switching: Ethernet Switching, Fibre Channel Switch, Fabric Interconnect. Storage: Storage array. Flows: Network and storage traffic, IP storage & network traffic, FC storage traffic, Network traffic.]

Figure 4 Cisco VXI Virtualization-Aware Network

Data Center Network

The Cisco VXI architecture distinguishes between the compute, storage, and unified fabric functions located in the data center and the head-end networking functions that are also collocated there. These head-end functions include VPN aggregation, performance acceleration, and load balancing. For example, the Cisco Wide Area Application Engine (WAE) devices with Cisco Wide Area Application Services (WAAS) are at the network edge in both the data center and branch office. This arrangement enables Cisco WAAS to accelerate delivery while routing all traffic through a secure VPN tunnel set up by the Cisco Adaptive Security Appliance (ASA) or a Cisco router running Cisco IOS® Software.

The connection broker is a critical component of many desktop virtualization systems. Connection brokers authenticate and redirect end-user client requests to the appropriate virtual desktops. Connection brokers also provision new virtual desktops on demand and relay user credentials to the hosted desktop. The broker typically interacts with Microsoft Active Directory to authenticate users and apply user-specific policies. These devices also maintain the state of the connection in case of drops or disconnects and can optionally power down or delete the remote desktop. Connection brokers are typically deployed in pairs for resilience, and load balancers such as Cisco ACE can be deployed at the front end to monitor health and maintain responsiveness.

WAN

Cisco VXI is designed to deliver a high-quality user experience across a wide range of WAN architectures. Many of the display protocols used with desktop virtualization are not optimized for wide-area networking and may not perform well in high-latency or bandwidth-constrained environments. At the same time, desktop virtualization users tend to be highly mobile, and they increasingly demand access across the WAN to their virtual desktops. To improve the performance of virtual desktop traffic across a WAN, Cisco VXI provides several optimization and QoS features.

Cisco WAAS technology can improve application response time by reducing bandwidth consumption, thereby increasing application performance. This has the dual benefit of improving the user experience while allowing more users to be served by a given WAN link. Cisco WAAS capabilities rely on transport flow optimization (TFO), data-redundancy elimination (DRE), and Lempel-Ziv (LZ) compression technologies, which combine to increase bandwidth consumption efficiency. Cisco WAAS is discussed in more detail in the Services section of this document.

[Figure 4 labels: Virtualization Aware Network. Branch Office: ISR Router, Cisco ACNS and WAAS. Cisco WAN. Data Center Network: WAAS, Cisco ACE, Cisco Nexus, Connection Broker.]
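The paragraph above names two of the mechanisms that make repeated display-protocol content cheap to carry over a WAN: data-redundancy elimination (DRE), which replaces chunks already held in a cache at both ends of the link with a short signature, and Lempel-Ziv compression applied to whatever is left. The following is an added illustration written for this page, not Cisco WAAS code or any description of its internals; the fixed 256-byte chunking, the 32-byte digest as chunk signature, the wire format, and the constructed "screen region" payloads are all assumptions made for the example.

```python
"""Added example (not Cisco WAAS code): a toy model of data-redundancy
elimination (DRE) followed by Lempel-Ziv (LZ) compression, run over constructed
screen-update payloads so the effect of a shared chunk cache on both ends of a
WAN link can be measured."""
import hashlib
import zlib

CHUNK_SIZE = 256  # assumption: fixed-size chunks; production DRE uses content-defined boundaries


class DreEndpoint:
    """One side of the optimized WAN link. The branch and data center sides
    hold mirror-image caches keyed by chunk digest."""

    def __init__(self):
        self.cache = {}  # sha256 digest -> chunk bytes

    def encode(self, payload: bytes) -> list:
        """Replace every chunk already known to the peer with its 32-byte digest."""
        tokens = []
        for offset in range(0, len(payload), CHUNK_SIZE):
            chunk = payload[offset:offset + CHUNK_SIZE]
            digest = hashlib.sha256(chunk).digest()
            if digest in self.cache:
                tokens.append(("ref", digest))
            else:
                self.cache[digest] = chunk       # the peer learns it from the raw token
                tokens.append(("raw", chunk))
        return tokens

    def decode(self, tokens: list) -> bytes:
        """Rebuild the payload, learning new chunks as they arrive."""
        parts = []
        for kind, value in tokens:
            if kind == "ref":
                parts.append(self.cache[value])
            else:
                self.cache[hashlib.sha256(value).digest()] = value
                parts.append(value)
        return b"".join(parts)


def serialize(tokens: list) -> bytes:
    """Assumed wire format: 'R' + digest for references, 'D' + 2-byte length + data for raw chunks."""
    out = bytearray()
    for kind, value in tokens:
        if kind == "ref":
            out += b"R" + value
        else:
            out += b"D" + len(value).to_bytes(2, "big") + value
    return bytes(out)


def wan_bytes(tokens: list) -> int:
    """Bytes actually sent: DRE output followed by LZ (zlib/DEFLATE) compression."""
    return len(zlib.compress(serialize(tokens), 9))


def simulate(frames: list) -> list:
    """Send each frame branch -> data center; return (original_bytes, wan_bytes) per frame.
    Raises if the receiver cannot reconstruct a frame exactly."""
    sender, receiver = DreEndpoint(), DreEndpoint()
    report = []
    for frame in frames:
        tokens = sender.encode(frame)
        if receiver.decode(tokens) != frame:
            raise ValueError("DRE reconstruction mismatch")
        report.append((len(frame), wan_bytes(tokens)))
    return report


# Constructed sample: an incompressible 2 KB "screen region" sent three times,
# unchanged the second time and with a 64-byte region redrawn the third time.
BASE_FRAME = b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(64))
REDRAWN_FRAME = BASE_FRAME[:512] + bytes(64) + BASE_FRAME[576:]
SAMPLE_FRAMES = [BASE_FRAME, BASE_FRAME, REDRAWN_FRAME]

if __name__ == "__main__":
    for n, (orig, sent) in enumerate(simulate(SAMPLE_FRAMES), 1):
        print(f"frame {n}: {orig} bytes -> {sent} bytes on the WAN")
```

The first frame costs slightly more than its own size (every chunk is new and the digests do not compress); the unchanged second frame shrinks to eight references, and the third frame sends only the one chunk that actually changed. That asymmetry is the whole point of placing a cache at both the branch and the data center edge.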

Because some display protocols are proprietary or encrypted, application traffic can be difficult to differentiate. Cisco switches in Cisco VXI can be configured to mark traffic with Differentiated Services Code Point (DSCP) values. These DSCP markings can then be used by Cisco networking devices to direct traffic to the proper queues, based on priority.

Campus Network

The campus network connects the end users and devices in the corporate network with the data center, WAN, and Internet. In addition to the high-speed connectivity service, the campus network, with its direct interaction with end users and devices, provides a rich set of services, such as Power over Ethernet (PoE), secure access control, and traffic monitoring and management. The Cisco Enterprise Campus 3.0 architecture provides an overview of the campus network architecture and includes descriptions of design considerations, topologies, technologies, configuration design guidelines, and other factors relevant to the design of a highly available, full-service campus switching fabric. As with the WAN, the opaqueness of display protocols can be a challenge for traditional campus networks. A Cisco VXI campus network can use Cisco Catalyst® switches to provide security and availability functions. This capability allows some desktop virtualization traffic types to be characterized and secured based on log-in characteristics.

Branch-Office Network

A remote branch office is an enterprise-controlled environment. Cisco VXI branch offices typically deploy a Cisco branch-office router to enable services such as Cisco WAAS, IP telephony gateways, Cisco Unified Survivable Remote Site Telephony (SRST), and others that enhance desktop virtualization. The primary challenge in the delivery of hosted virtual desktops to branch offices is making sure that the WAN provides adequate performance to meet end-user experience expectations. When hosted virtual desktops are delivered over the WAN, the end user has to cope with limited WAN bandwidth, latency, and packet loss.

In a branch office, the Cisco WAE appliance is connected to the local router, typically a Cisco Integrated Services Router (ISR). The branch-office Cisco WAAS deployment, together with the data center Cisco WAAS deployment, offers a WAN optimization service through the use of intelligent caching, compression, and protocol optimization. When end users access the virtual desktops through the connection broker, Cisco WAAS compresses the response and then efficiently passes it across the WAN at high speed and with little bandwidth use. Commonly used information is cached at both the Cisco WAAS solution in the branch office and in the data center, which significantly reduces the burden on the servers and the WAN.

Teleworkers

Teleworkers can be either fixed or mobile. A fixed teleworker uses a solution such as Cisco Virtual Office, which provides secure, rich network services to workers outside the traditional corporate office, including executives, contractors, and home workers. Cisco Virtual Office delivers extensible data, voice, video, and applications to create a complete office environment. The Cisco VXI architecture supports the use of virtualized endpoints, with users accessing virtual desktops through VPN tunnels. Cisco Unified Personal Communicator can be installed in the virtual desktop and can control the user’s desktop IP phone. Cisco VXI also supports mobile teleworkers connecting to their virtual desktops securely from any endpoint running Cisco AnyConnect™ Secure Mobility Client.

Figure 5 Cisco VXI Virtualization-Aware Network Detail

Cisco VXI Virtualized Workplace

Desktop virtualization enables highly mobile end users to access corporate data and applications from a wide range of thin, thick, and zero clients. The endpoint can be chosen from an ever-expanding list of devices, including smart phones, tablet computing platforms, and laptop and desktop computers, spanning a multitude of operating systems. With Cisco VXI, the enterprise can now offer a consistent user experience across multiple devices. Employees can access their desktop environments from different endpoints during the day: a desktop computer while working from headquarters, a thin-client endpoint when visiting a remote branch office, a mobile smart phone while traveling, and a tablet when moving about the enterprise. Even if working from home, an employee can be provided with the means to attach to the enterprise through the use of a personal computer and a VPN client.

[Figure 5 labels: Data Center (Cisco ASA, Cisco WAE, Connection Broker, Cisco WAAS Central Manager, Cisco ACE, Hosted Virtual Desktop); Campus; Branch office (Cisco ASA, Cisco WAE); Teleworker (VPN); VPN tunnel.]

Figure 6 Cisco VXI Virtualized Workplace Building Block

Endpoint devices can be characterized as zero clients, thin clients, or thick clients. Zero clients are relatively simple, limited-function devices with operating systems that are not exposed to the end user. These devices rely heavily on the capabilities in their hosted virtual desktops. The embedded OS makes the zero-client endpoint inherently more secure than other options. Task workers are the primary users of these devices.

Thin-client devices are more feature rich than zero clients and are usually customizable. Thin-client devices offer more capability and greater flexibility. Thin-client endpoints are usually customized by system administrators and then locked down. Thin clients are most often used by power users who need, in addition to basic access, features such as streaming video.

Thick-client devices are desktop or laptop computers running a standard OS, but with thin-client-type software installed as an application. Thick-client devices allow users to work offline and are often the choice of mobile users.

Cisco VXI is designed to provide the greatest possible flexibility in terms of endpoint selection. Cisco VXI is ecosystem based, with an open and technology-agnostic approach to client selection.

Cisco VXI Rich Media

In enterprises today, rich media is critical for business productivity. Rich media incorporates everything from content-rich web pages with embedded video content to collaboration and social web applications. The type of content could include Adobe Flash media, audio, video on demand (VoD), voice over IP (VoIP), application streaming, and more. However, in a desktop virtualization environment, rich media can consume considerable processor, memory, storage, and network resources. While high-performance, scalable computing capabilities and effective storage technologies can help ease the pressure, transporting rich media across the network has remained a challenge for many organizations.

The Cisco VXI architecture incorporates a wide range of tools and techniques for efficiently handling rich media. The most powerful of these tools is Cisco WAAS, which employs advanced compression techniques to conserve bandwidth and optimize traffic flows.

[Figure 6 labels: Virtualized Collaborative Workplace. Virtualization Endpoints: Cisco Zero Client, Thin Clients, Cius Business Tablets, Ecosystem Thin Clients.]

Cisco VXI also uses network-based QoS features to differentiate rich media streams. While display protocols may obscure traffic from the network to varying degrees, enterprises can use the DSCP marking capabilities in Cisco network infrastructure products, along with Cisco IOS Software queuing techniques, to provide preferential treatment for rich media traffic. Moreover, Cisco VXI can easily adapt to new products and technologies that may provide even greater granularity and control over virtual desktop traffic. For example, Cisco WAAS and related Cisco rich media services can be combined with emerging technologies such as HDX and Multimedia Redirection (MMR) to optimize delivery of rich media in the display protocol.
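Both the WAN section and the paragraph above rely on the same mechanism: an access device writes a Differentiated Services Code Point into the IPv4 header, and every downstream Cisco device reads that six-bit field to choose a queue, without needing to understand the display protocol itself. The block below is an added example for this page, not Cisco IOS code; it constructs its own IPv4 headers, performs the marking (including the header-checksum rewrite a real device must do), and decodes the mark into the standard per-hop-behaviour names. The queue names and the mapping from DSCP class to queue are assumptions for the example, not a Cisco recommendation.

```python
"""Added example (not Cisco code): DSCP marking and classification of IPv4
headers. Packets are constructed here, not captured; the queue policy is an
assumption made for the example."""
import socket
import struct


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, dscp: int = 0, ecn: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options, no payload) with a valid checksum."""
    tos = (dscp << 2) | (ecn & 0x3)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def mark_dscp(packet: bytes, dscp: int) -> bytes:
    """What a marking switch does: rewrite the 6 DSCP bits, keep the 2 ECN bits,
    and recompute the header checksum so downstream devices do not discard the packet."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is a 6-bit field")
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x3)
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def dscp_name(dscp: int) -> str:
    """Per-hop-behaviour name for a DSCP value (RFC 2474 class selectors,
    RFC 2597 assured forwarding, RFC 3246 expedited forwarding)."""
    if dscp == 0:
        return "BE"
    if dscp == 46:
        return "EF"
    cls, drop = dscp >> 3, (dscp >> 1) & 0x3
    if 1 <= cls <= 4 and 1 <= drop <= 3 and dscp & 1 == 0:
        return f"AF{cls}{drop}"
    if dscp & 0x7 == 0:
        return f"CS{cls}"
    return f"DSCP{dscp}"


def queue_for(name: str) -> str:
    """Assumed queue policy for this example; a real deployment sets this per site."""
    if name == "EF":
        return "priority"        # voice bearer traffic
    if name.startswith("AF4"):
        return "video"           # interactive video / rich media
    if name.startswith("AF3"):
        return "display"         # virtual desktop display protocol
    if name.startswith("CS"):
        return "control"         # signalling and network control
    return "default"


def classify(packet: bytes) -> dict:
    """Read the mark from an IPv4 header and decide the egress queue."""
    if packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    dscp, ecn = packet[1] >> 2, packet[1] & 0x3
    name = dscp_name(dscp)
    return {"dscp": dscp, "ecn": ecn, "name": name, "queue": queue_for(name),
            "checksum_ok": ipv4_checksum(packet[:ihl]) == 0}


if __name__ == "__main__":
    pkt = build_ipv4("10.1.10.20", "10.200.0.15", 17)   # constructed, unmarked UDP header
    print(classify(pkt))
    print(classify(mark_dscp(pkt, 34)))                  # AF41, treated as video
```

The check that matters operationally is `checksum_ok`: a device that rewrites the ToS byte without recomputing the header checksum produces packets that the next hop silently drops, which looks like a QoS problem but is not one.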

Figure 7 Cisco WAAS for Rich Media

Cisco VXI enables end users to make and receive voice or video calls through their virtualized desktops running Cisco Unified Personal Communicator. Cisco Unified Personal Communicator, in effect, becomes the controller for the user’s local IP desk phone. In this scenario, the control traffic flows from the end user to the virtual desktop, but the actual media traffic flows directly from phone to phone. IP phones in branch offices can communicate with each other, without needing to run the voice and video traffic through the virtual desktop. This separation of control and media planes also allows the network to apply QoS functions, call admission control, and path optimization for the media traffic.

Cisco VXI Security

Desktop virtualization is inherently more secure, as data and applications actually reside in the data center rather than on the end-user device. Desktop virtualization thus provides protection against data leakage and data loss due to theft or damage. However, desktop virtualization also introduces several security challenges that potentially extend from the data center to the end user.

[Figure 7 labels: Video Source; Virtualized Data Center; Data Center Cisco WAE; Edge Router; WAN Optimization; Branch Router; Branch Office Cisco WAE; Branch Office; "End users see pixelization as media is rendered from the data center"; "End users experience no pixelization".]

In the data center, enterprises now have to contend with controlling access to, and between, the virtual resources that reside on physical servers. Virtual desktop addresses, for example, can be dynamic and require the same level of surveillance as a desktop device outside the data center's infrastructure. The Cisco VXI architecture employs an intelligent Layer 2 virtual switch, such as the Cisco Nexus 1000V Switch (Figure 8), within the virtual machine group. This switch helps ensure that security policies follow each virtual machine throughout its lifecycle, and it provides the same protections for virtual machines as a physical switch provides for physical devices. Similarly, security boundaries must be respected and enforced within the virtual machine group. By routing traffic from the Cisco Nexus 1000V to the data center aggregation layer, enterprises can create a firewall security checkpoint that enforces policies based on IP addresses and access control lists. At the data center aggregation layer, Cisco Nexus switches and Cisco ASA security devices can be deployed to make appropriate routing and access decisions based on common security policies.

Figure 8 Cisco Nexus 1000V Virtual Switch

Throughout the rest of the network, the primary objectives are to authenticate users and to protect data traveling between the data center and the end user. For client authentication, IEEE 802.1X is the preferred solution, but MAC authentication bypass (MAB) can also be used. Beyond the authentication of the device as a network entity, devices should be monitored for continued authenticity as close to their access point as possible. This is accomplished with network-based port security measures such as Dynamic Host Configuration Protocol (DHCP) snooping, dynamic Address Resolution Protocol (ARP) inspection, and IP source guard.
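The three access-layer features named above share one data structure: the binding table that DHCP snooping builds by watching leases, which dynamic ARP inspection and IP source guard then consult on every ARP or IP packet from an untrusted port. The following added example, written for this page and not Cisco IOS code, models that relationship on a constructed event trace so the decision logic is visible; the port names, MAC and IP addresses, and the simplification that a binding is created from a REQUEST/ACK pair are assumptions made for the example.

```python
"""Added example (not Cisco IOS code): a model of DHCP snooping, dynamic ARP
inspection (DAI) and IP source guard on an access switch, run over constructed
events. Port names, MAC addresses and IP addresses are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: which host may use which IP on which port."""
    mac: str
    ip: str
    vlan: int
    port: str


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # uplinks toward the legitimate DHCP server
        self.pending = {}                   # (vlan, mac) -> client port awaiting an ACK
        self.bindings = {}                  # (vlan, mac) -> Binding

    def dhcp(self, port, vlan, msg, client_mac, yiaddr=None):
        """DHCP snooping: only trusted ports may source server messages;
        an ACK seen there creates a binding for the client port that asked."""
        if msg in ("OFFER", "ACK") and port not in self.trusted:
            return ("DROP", f"DHCP {msg} sourced from untrusted port {port}")
        if msg in ("DISCOVER", "REQUEST"):
            self.pending[(vlan, client_mac)] = port
            return ("PERMIT", f"client DHCP {msg} on {port}")
        if msg == "ACK":
            client_port = self.pending.pop((vlan, client_mac), None)
            if client_port is None:
                return ("PERMIT", "ACK for a client this switch did not see request; no binding created")
            self.bindings[(vlan, client_mac)] = Binding(client_mac, yiaddr, vlan, client_port)
            return ("LEARN", f"binding {client_mac} -> {yiaddr} on {client_port}")
        return ("PERMIT", f"DHCP {msg} on trusted port {port}")

    def _matches_binding(self, port, vlan, mac, ip):
        b = self.bindings.get((vlan, mac))
        return b is not None and b.ip == ip and b.port == port

    def arp(self, port, vlan, sender_mac, sender_ip):
        """Dynamic ARP inspection: ARP from untrusted ports must match a binding."""
        if port in self.trusted or self._matches_binding(port, vlan, sender_mac, sender_ip):
            return ("PERMIT", f"ARP {sender_mac}/{sender_ip} on {port}")
        return ("DROP", f"ARP {sender_mac} claims {sender_ip} on {port}: no matching binding")

    def ip(self, port, vlan, src_mac, src_ip):
        """IP source guard: forwarded IP packets must carry the leased source address."""
        if port in self.trusted or self._matches_binding(port, vlan, src_mac, src_ip):
            return ("PERMIT", f"IP {src_ip} on {port}")
        return ("DROP", f"IP source {src_ip} from {src_mac} on {port}: not its lease")


def run(events):
    """Feed constructed events to a switch with one trusted uplink; return verdicts."""
    sw = AccessSwitch(trusted_ports={"Gi1/0/48"})
    return [getattr(sw, kind)(*args) for kind, *args in events]


# Constructed event trace. Gi1/0/5 and Gi1/0/6 are untrusted access ports.
SAMPLE_EVENTS = [
    ("dhcp", "Gi1/0/5", 10, "REQUEST", "00:11:22:33:44:01"),
    ("dhcp", "Gi1/0/48", 10, "ACK", "00:11:22:33:44:01", "10.1.10.20"),
    ("arp", "Gi1/0/5", 10, "00:11:22:33:44:01", "10.1.10.20"),             # matches its lease
    ("arp", "Gi1/0/6", 10, "00:11:22:33:44:02", "10.1.10.1"),              # gateway address, no lease
    ("dhcp", "Gi1/0/6", 10, "OFFER", "00:11:22:33:44:01", "10.1.10.200"),  # server message on access port
    ("ip", "Gi1/0/5", 10, "00:11:22:33:44:01", "10.1.10.99"),              # address other than its lease
    ("ip", "Gi1/0/5", 10, "00:11:22:33:44:01", "10.1.10.20"),
]

if __name__ == "__main__":
    for (kind, *_), (action, why) in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{kind:5} {action:6} {why}")
```

The model also shows why the page says these measures belong as close to the access port as possible: every verdict depends on knowing which physical port a frame arrived on, information that is gone once the traffic has been routed.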

Branch offices belong to the corporate security domain, but are separated from it by WAN links. To protect data traveling between branch-office and corporate locations, Cisco VXI uses IP Security (IPsec) encryption between data center and branch-office routers. These tunnels can be deployed by using certificates or preshared keys to authenticate the tunnel endpoints. This approach encrypts the Cisco VXI data between the two locations to reduce the likelihood that data will be compromised in transit. The branch office likewise should employ the proper authentication measures and use network-based infrastructures like those mentioned here.

Teleworkers can use Cisco’s award-winning VPN technology to connect to the enterprise network across the Internet. The mobile teleworker typically uses Cisco AnyConnect VPN Client 2.5 to connect with a VPN security appliance (like the Cisco ASA) at the network edge, where the user will be authenticated. The user’s virtual desktop data will be fully protected as it traverses the Internet in an encrypted VPN tunnel. This technology can also be deployed for traffic traversing a managed WAN.

[Figure 8 labels: Server; Hypervisor; VM VM VM VM; Cisco Nexus 1000V VEM; Cisco Nexus 1000V VSM; Physical switches.]

Cisco VXI Performance Acceleration

Cisco VXI includes a number of performance-enhancing technologies and features. In the data center, Cisco Extended Memory Technology increases user density (50 percent more virtual machines) and improves application performance by up to 43 percent. The Cisco Application Control Engine (ACE) supports SSL offload on behalf of connection brokers to reduce their processor load by up to 50 percent. Cisco Unified Fabric provides a cohesive, scalable, and intelligent data center infrastructure that supports the storage throughput and I/O operations per second (IOPS) necessary for high application responsiveness during peak demand periods.

Cisco WAAS, also a critical component of Cisco VXI Rich Media Services, accelerates the delivery of virtual desktops to remote users, increases the number of users that can be effectively supported over the WAN, lowers IT costs, and improves the overall user experience. Cisco WAAS optimizes desktop virtualization display protocols by mitigating latency and reducing bandwidth requirements. The solution employs advanced compression and DRE to dramatically reduce the number of redundant packets traversing the network, which conserves bandwidth while improving application performance. Cisco WAAS supports transport flow optimization (TFO) for improved throughput and reliability, and application-specific accelerators for a broad range of application protocols.

A special use case for Cisco WAAS involves remote users sending requests to a local printer. In a desktop virtualization environment, the print request may be initiated locally, but it is actually processed in the data center in which the virtual desktops and print servers are located. The print job delivered to the user’s local printer travels outside the display protocol as it crosses the network (Figure 9). Cisco WAAS can optimize this traffic to reduce the effect of print jobs on network operations.

Figure 9 Cisco WAAS Printing Optimization

Cisco VXI High AvailabilityToday’s network is more strategic than ever. Maintaining application uptime and availability has become essential for IT departments. Nearly all mission-critical applications require transparent failover if parts of the system become unresponsive. Therefore, resilient network design should be considered throughout the network. Network resiliency can be achieved by designing with redundancy technologies, redundant devices, and redundant links.

Server uptime is also important in helping prevent lost productivity and helping ensure that users can access their virtual desktops without any interruptions. Desktop virtualization systems must be able to detect failures of a connection broker or virtual desktop and dynamically mitigate these failures. Cisco VXI high-availability services use load-balancing technology to enhance the availability and scalability of desktop virtualization environments. Load balancers such as the Cisco ACE can help ensure that connections are distributed evenly across connection brokers, with failed or inaccessible servers automatically excluded.

Cisco ACE is typically deployed in pairs at the aggregation layer in data center networks, where it monitors the health of connection brokers and processes client requests and server responses. Cisco ACE also provides session persistence on behalf of client IP addresses. Cisco ACE can be deployed either as a standalone appliance (Cisco ACE 4710) or as a network module in a device such as the Cisco Catalyst 6500 Series Switches. After the connection broker has assigned a virtual desktop to an end user, subsequent display protocol traffic bypasses the Cisco ACE. Another important Cisco ACE capability, from a Cisco VXI perspective, is that the device can be partitioned into multiple logical devices. Cisco ACE virtualization enables IT administrators to create separate, individual load-balancing contexts for different DV solutions.

Cisco ACE can be used to load balance connection brokers deployed in direct or tunneled modes. In direct mode, the broker is only used to set up a connection between a user and a virtual desktop agent. Once the connection is established, subsequent traffic flows directly between the endpoint and the virtual desktop. In tunneled mode, all traffic flows through the connection broker. Tunneled mode can provide enhanced security, but also increases processor overhead. Figure 10 shows the Cisco ACE deployed in a direct mode environment. Traffic from the client to the connection broker is load-balanced by Cisco ACE, while display traffic from the client to the virtual desktop does not flow through the broker and is therefore not load-balanced.
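The broker load-balancing behavior described in the two paragraphs above (even distribution across healthy brokers, automatic exclusion of brokers that fail their health probe, session persistence keyed on the client IP address, and display traffic that bypasses the load balancer in direct mode) is modeled below as an added example. It is not Cisco ACE code or configuration; the broker names, client addresses, and the virtual IP are constructed for the demonstration.

```python
"""Connection-broker load balancing with health checks and client-IP persistence.

Added example, not Cisco ACE code or configuration. Broker names, client
addresses and the virtual IP used with it are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Broker:
    name: str
    healthy: bool = True
    connections: int = 0  # requests handled; drives least-connections balancing


@dataclass
class BrokerLoadBalancer:
    brokers: list
    # Client IP -> broker name: session persistence keyed on the client address.
    sticky: dict = field(default_factory=dict)

    def healthy_brokers(self):
        return [b for b in self.brokers if b.healthy]

    def set_health(self, name, healthy):
        """Record a health-probe result. A broker that goes down is dropped from
        the pool and its persistence entries are cleared, so affected clients
        are re-balanced instead of being sent to a server that cannot answer."""
        for b in self.brokers:
            if b.name == name:
                b.healthy = healthy
        if not healthy:
            self.sticky = {ip: n for ip, n in self.sticky.items() if n != name}

    def pick(self, client_ip):
        """Choose the broker that handles this client's broker request."""
        pool = self.healthy_brokers()
        if not pool:
            raise RuntimeError("no healthy connection brokers")
        by_name = {b.name: b for b in pool}
        broker = by_name.get(self.sticky.get(client_ip))
        if broker is None:
            # New client, or its previous broker is down: least connections,
            # which spreads a burst of logons evenly across the pool.
            broker = min(pool, key=lambda b: b.connections)
        broker.connections += 1
        self.sticky[client_ip] = broker.name
        return broker.name


def session_flows(mode, client_ip, broker_vip, broker_name, desktop_ip):
    """Flows one session produces, as (src, dst, purpose) tuples.

    Only the broker request goes to the load balancer's virtual IP. In direct
    mode the display flow runs client-to-desktop and never touches the load
    balancer or the broker, so it is not load-balanced; in tunneled mode it
    runs through the broker that was chosen for the client."""
    flows = [(client_ip, broker_vip, "broker request")]
    if mode == "direct":
        flows.append((client_ip, desktop_ip, "display protocol"))
    elif mode == "tunneled":
        flows.append((client_ip, broker_name, "display protocol (via broker)"))
    else:
        raise ValueError("mode must be 'direct' or 'tunneled'")
    return flows


if __name__ == "__main__":
    lb = BrokerLoadBalancer([Broker("cb1"), Broker("cb2"), Broker("cb3")])
    for ip in ("10.1.1.10", "10.1.1.11", "10.1.1.12"):
        print(ip, "->", lb.pick(ip))
    lb.set_health("cb1", False)  # probe to cb1 failed
    print("after cb1 down, 10.1.1.10 ->", lb.pick("10.1.1.10"))
    print(session_flows("direct", "10.1.1.10", "192.0.2.10", "cb2", "10.2.0.5"))
```

The flow listing is the part a network engineer uses when sizing the load balancer and writing firewall and QoS rules: in direct mode the display traffic, which is the bulk of the bandwidth, never reaches the balancer, so capacity planning for it belongs on the client-to-desktop path.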

Figure 10 Cisco ACE Load Balancing

Cisco VXI Energy Efficiency

Cisco VXI increases energy efficiency in desktop virtualization environments. The Cisco Unified Computing System, for example, supports a greater virtual machine density per blade than other solutions, resulting in less power consumed and lower cooling costs per virtual machine. The unified fabric deployed in the data center enables a dramatic reduction in network adapters, blade-server switches, and cabling, which improves performance and reduces the number of devices that have to be powered and cooled. Cisco networking products now support cost-effective PoE, and Cisco EnergyWise services are implemented across Cisco’s routing and switching portfolio. Cisco EnergyWise services provide measurement, monitoring, and control of energy use by network and network-attached IT devices. Collectively, these services enable organizations to significantly reduce energy consumption and environmental impact.

Cisco VXI Location Awareness

Many enterprises need to restrict user access to corporate resources on the basis of factors such as location or time of day. A financial trading firm, for example, may want to allow access to email and basic applications to any employee, anywhere, but to allow access to customer trading accounts only when an employee is on premises. Cisco VXI provides the services needed to tailor access according to location. The Cisco Secure Access Control System (ACS), for example, can apply rule-based policies to control user access based on identity or on other factors such as time of day, location, or access type. The Cisco Mobility Services Engine (MSE) platform supports context-aware networking and provides the capability to track wired and wireless network devices. Cisco VXI enables organizations to extend access to more users in more places, while maintaining compliance with corporate policy.

Cisco VXI Mobility

Cisco recognized long ago that networks needed to accommodate mobile users, and Cisco has delivered a wide range of mobility products and technologies, including wireless network infrastructure, mobile routers, Cisco IOS Mobile IP, intelligent roaming, and an adaptive wireless intrusion prevention system (IPS). The Cisco AnyConnect VPN Client enables PCs to establish VPN connections with the corporate network. More recently, Cisco CleanAir Technology delivered silicon-level intelligence to create a self-healing, self-optimizing wireless infrastructure that reduces the effect of radio-frequency (RF) interference. Cisco provides many tools for extending enterprise networks to support employees on the move.

Cisco VXI Policy

Policy services can encompass a wide range of capabilities, but in the context of desktop virtualization they refer primarily to QoS functions for traffic handling. QoS functions are critical to providing users with the high-quality experience to which they are accustomed. As previously noted, however, QoS in a virtualized environment presents challenges. Display protocols can be proprietary and encrypted, making their contents opaque to the network. Another complication is that a single desktop virtualization session may transport data for multiple applications at the same time, with no effective way to prioritize one application’s traffic over another. In the near term, satisfactory results can be achieved by configuring the Cisco network to perform hardware-based DSCP marking and forwarding traffic on the basis of these values.
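The marking approach described above, classifying on what the network can see of an encrypted display protocol and applying a DSCP value in hardware, is illustrated below as an added example. It is not a Cisco IOS or NX-OS configuration; the port numbers, the class-to-DSCP mapping, and the sample packets are assumptions for the demonstration. The example also makes the stated limitation concrete: two packets from the same session carry the same mark whatever application generated them, because the classifier has only header fields to work with.

```python
"""Header-based DSCP marking for desktop-virtualization traffic.

Added example, not a Cisco device configuration. The classifier uses only IP
protocol and destination port, which is all the network sees of an encrypted,
proprietary display protocol. Port numbers and the class map are assumptions.
"""
from dataclasses import dataclass

# Standard DSCP code points (RFC 2474, RFC 2597, RFC 3246).
DSCP = {"CS0": 0, "AF21": 18, "AF31": 26, "AF41": 34, "EF": 46}


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str      # "tcp" or "udp"
    dst_port: int
    inner_app: str  # the application inside the session; invisible on the wire


# Ordered class map, first match wins. Ports are assumed values for this demo;
# set them to whatever the deployed display protocol and voice stack use.
CLASS_MAP = [
    ("voice-media", lambda p: p.proto == "udp" and 16384 <= p.dst_port <= 32767, "EF"),
    ("display-protocol", lambda p: p.proto == "tcp" and p.dst_port in {3389, 1494, 4172}, "AF41"),
    ("print-job", lambda p: p.proto == "tcp" and p.dst_port in {9100, 515}, "AF21"),
]
DEFAULT_CLASS = ("best-effort", "CS0")


def classify(packet):
    """Return (class_name, dscp_name) using header fields only."""
    for name, match, dscp in CLASS_MAP:
        if match(packet):
            return name, dscp
    return DEFAULT_CLASS


def tos_byte(dscp_value):
    """DSCP occupies the upper six bits of the IPv4 TOS / IPv6 Traffic Class
    byte; the low two bits are ECN and are left clear here."""
    if not 0 <= dscp_value <= 63:
        raise ValueError("DSCP must be in 0..63")
    return dscp_value << 2


def mark(packet):
    """Classify a packet and compute the marking the forwarding hardware writes."""
    cls, dscp_name = classify(packet)
    return {"class": cls, "dscp": dscp_name, "tos": tos_byte(DSCP[dscp_name])}


if __name__ == "__main__":
    # Constructed packets from one session: same 5-tuple, different inner apps.
    for app in ("video player", "spreadsheet"):
        print(app, mark(Packet("10.1.1.10", "10.2.0.5", "tcp", 3389, app)))
    print("print job", mark(Packet("10.1.1.10", "10.1.1.50", "tcp", 9100, "spooler")))
```

Because the display protocol is a single flow, the only lever left to the network is the per-flow class; prioritizing, say, voice inside the session requires the voice media to leave the session on its own flow, which the separate voice-media class above anticipates.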

Managing the Cisco VXI Environment

An end-to-end Cisco VXI deployment requires a comprehensive management architecture that provides the ability to provision, monitor, and troubleshoot the service for a large number of users on a continuous basis. The task of managing a desktop virtualization system can be a challenge given the number of hardware and software components in the overall system (for example, data center, campus, branch office, and Internet). These components provide services (for example, desktop virtualization, network, storage, computing, security, load-balancing, WAN acceleration, and unified communications services) to both end users (local and remote) and administrators. The administrators are expected to manage different technologies and services (for example, to perform network, storage, database, and desktop administration). Main features of the Cisco VXI management architecture include:

• Operations management - the process of monitoring the status of every element and its components and performing diagnostic testing. It includes the use of Simple Network Management Protocol (SNMP), syslog, and XML-based monitoring of elements as well as the use of HTTP-based interfaces to manage devices. It also includes endpoint and virtual desktop inventory and hardware and software asset management.

• Service management - the process of monitoring and troubleshooting the status and quality of experience (QoE) of user sessions. It includes the use of packet capture and monitoring tools such as Cisco Network Analysis Module (NAM), NetFlow, and Wireshark to monitor a session. It also enables the desktop virtualization administrator to remotely access the endpoints and virtual desktops to observe performance and collect data (bandwidth and latency measurements). It includes the ability to measure computing, memory, storage, and network resource utilization in real time to identify bottlenecks or causes of service degradation. Session detail records for a virtual desktop session can help administrators diagnose any connection failures or quality problems.

• Service statistics management - the process of collecting quality and resource use measurements and generating reports that can be used for operations, infrastructure optimization, and capacity planning. Measurements can include session volume, service availability, session quality, session detail records, resource utilization, and capacity across the system. The reports can be used for billing purposes and to manage service levels.

• Provisioning management - the process of provisioning end users, virtual desktops, and endpoints using batch provisioning tools and templates. It can involve vendor-provided APIs (for instance, XML) that can be used for scripting, automation, and self-service provisioning. It includes software image and application management on endpoints and virtual desktops.
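The service statistics management item above (collecting session volume, availability, and quality measurements from session detail records and turning them into reports) is worked through below as an added example. It is not a Cisco management tool; the record layout and the sample records are constructed for the demonstration, and the latency and availability targets are assumed values.

```python
"""Service statistics from session detail records (SDRs).

Added example, not a Cisco management tool. The SDR layout, the sample records
and the quality targets are constructed for the demo.
"""
import csv
import io
import math
from collections import defaultdict

# Constructed SDRs: one line per virtual desktop session attempt.
SAMPLE_SDRS = """\
session_id,user,site,broker,result,connect_ms,avg_rtt_ms,peak_kbps
s001,alice,hq,cb1,connected,820,35,1200
s002,bob,hq,cb2,connected,910,40,980
s003,carol,branch,cb1,connected,1450,120,640
s004,dave,branch,cb2,failed,0,0,0
s005,erin,branch,cb1,connected,1380,135,700
s006,frank,hq,cb1,connected,790,30,1100
"""


def parse_sdrs(text):
    """Read CSV session detail records and convert the numeric columns."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        for key in ("connect_ms", "avg_rtt_ms", "peak_kbps"):
            row[key] = int(row[key])
        records.append(row)
    return records


def percentile(values, p):
    """Nearest-rank percentile; None for an empty list."""
    if not values:
        return None
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def summarize(records):
    """Per-site session volume, availability and quality figures."""
    by_site = defaultdict(list)
    for r in records:
        by_site[r["site"]].append(r)
    report = {}
    for site, rows in sorted(by_site.items()):
        connected = [r for r in rows if r["result"] == "connected"]
        report[site] = {
            "sessions": len(rows),
            "failed": len(rows) - len(connected),
            # Availability here is the share of session attempts that connected.
            "availability_pct": round(100 * len(connected) / len(rows), 1),
            "p95_rtt_ms": percentile([r["avg_rtt_ms"] for r in connected], 95),
            "mean_connect_ms": (round(sum(r["connect_ms"] for r in connected) / len(connected))
                                if connected else None),
        }
    return report


def degraded_sites(report, rtt_threshold_ms=100, min_availability_pct=99.0):
    """Sites breaching the (assumed) latency or availability target, for
    bottleneck hunting and capacity planning."""
    return sorted(
        site for site, s in report.items()
        if (s["p95_rtt_ms"] is not None and s["p95_rtt_ms"] > rtt_threshold_ms)
        or s["availability_pct"] < min_availability_pct
    )


if __name__ == "__main__":
    report = summarize(parse_sdrs(SAMPLE_SDRS))
    for site, stats in report.items():
        print(site, stats)
    print("degraded:", degraded_sites(report))
```

Keeping the failed attempts in the same record stream as the successful sessions is what makes the availability figure meaningful; a report built only from established sessions would show the branch site as healthy apart from its latency.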

Conclusion

Cisco VXI is a fully integrated, open, and validated desktop virtualization system that delivers a superior collaboration and rich media experience and best-in-class ROI. Cisco VXI facilitates rapid deployment of desktops and improves control and security by improving visibility at the virtual machine level. Its modular, ecosystem-based architecture preserves customer flexibility and helps ensure long-term alignment with the industry. With Cisco VXI, customers can deploy a solution that enables agile and efficient service provisioning, provides personalized and pervasive user interactions, and creates a more open environment while increasing IT control.

For More Information

Cisco Virtual Experience Infrastructure Validated Design

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VXI/CVD/VXI_DG.html

CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.

All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)
