March 22: Virtual Switching with N1K


Upload: anatoly-gavrilov, posted 09-Mar-2015

© 2009 Cisco. Confidential. 1

Yann Bouillon

DC Technical Marketing Engineer

Virtual Switching with Nexus 1000V


Server Virtualization Issues

1. vMotion moves VMs across physical ports—the network policy must follow vMotion

2. Must view or apply network/security policy to locally switched traffic

3. Need to maintain segregation of duties while ensuring non-disruptive operations

[Diagram: a PortGroup on the Nexus 1000V shared between the Server Admin, Network Admin and Security Admin roles]

Cisco Nexus 1000V

[Diagram: Nexus 1000V running under vSphere, switching for the VMs]

Industry’s most advanced software switch for VMware vSphere

Built on Cisco NX-OS

Compatible with all switches

Compatible with all servers on the VMware Hardware Compatibility List

Winner of VMworld Best in Show 2008 and Cisco Most Innovative Product of 2009

Nexus 1000V Architecture

[Diagram: a Modular Switch (Supervisor-1, Supervisor-2, Linecard-1, Linecard-2, Linecard-N, backplane) set beside the Nexus 1000V: VSM-1 and VSM-2 hosted as a Virtual Appliance or on a Nexus 1010 (also labelled VSM-A1, VSM-A4, VSM-B1, VSM-B4), VEM-1, VEM-2 and VEM-N on the ESX hosts, with the VSM-to-VEM connection in L2 mode or L3 mode]

VSM: Virtual Supervisor Module

VEM: Virtual Ethernet Module

• 200+ vEth ports per VEM
• 64 VEMs per 1000V
• 2K vEths per 1000V
• Multiple 1000Vs can be created per vCenter

Embedding Intelligence for Virtual Services: vPath – Virtual Service Datapath

[Diagram: two ESX hosts running VEM-1 and VEM-2, each with vPath, connected in L2 mode or L3 mode to a Nexus 1010 Virtual Appliance hosting vWAAS, VSG and VSM-1 … VSM-4]

vPath: Virtual Service Datapath

VSG: Virtual Security Gateway for 1000V

vWAAS: Virtual WAAS

Nexus 1010 – hosting platform for services

[Diagram: two ESX hosts running VEM-1 and VEM-2 with vPath, in L2 mode or L3 mode, and a Nexus 1010 Virtual Appliance hosting NAM, VSG, vWAAS and VSM-1 … VSM-4]

vPath: Virtual Service Datapath

VSG: Virtual Security Gateway for 1000V

vWAAS: Virtual WAAS

*VSG on 1010 target: 2Q CY11

Why 1000V? Nexus 1000V Differentiators

Feature & operational consistency
• NX-OS across physical and virtual networks (Nexus 7K/5K/2K/1KV)
• Cisco CLI experience
• Standards based, IEEE 802.1Q
• Advanced NX-OS switching features: Security, QoS, Monitoring, Management, …

Non-disruptive administration
• Network team manages virtual network, creates port profiles
• Server team assigns port profiles to VMs

Intelligent integration with virtual services (vPath)
• Transparent insertion (topology agnostic)
• Efficient deployment – no need to deploy on every host
• Dynamic policy-based operation
• Performance acceleration

[Diagram: Nexus 1000V VSM and VEM under vSphere, switching for the VMs]

Cisco Nexus 1000V

[Diagram: Nexus 1000V VSM with vCenter; two vSphere hosts each running a Nexus 1000V VEM with VMs attached]

Port Profiles: WEB Apps, HR, DB, DMZ

VM Connection Policy
• Defined by network Admin
• Applied in Virtual Center
• Linked to VM UUID

Faster VM Deployment

Cisco VN-Link: Virtual Network Link (Policy-Based VM Connectivity; Mobility of Network & Security Properties; Non-Disruptive Operational Model)

Cisco Nexus 1000V

[Diagram: Nexus 1000V VSM with vCenter; two vSphere hosts each running a Nexus 1000V VEM, with a VM moving between them]

Property Mobility
• VMotion for the network
• Ensures VM security
• Maintains connection state

VMs Need to Move
• VMotion
• DRS
• SW Upgrade/Patch
• Hardware Failure

Richer Network Services

Cisco VN-Link: Virtual Network Link (Policy-Based VM Connectivity; Mobility of Network & Security Properties; Non-Disruptive Operational Model)

Cisco Nexus 1000V

[Diagram: Nexus 1000V VSM with vCenter; two vSphere hosts each running a Nexus 1000V VEM with VMs attached]

Network Admin Benefits
• Unifies network mgmt and ops
• Improves operational security
• Enhances VM network features
• Ensures policy persistence
• Enables VM-level visibility

VI Admin Benefits
• Maintains existing VM mgmt
• Reduces deployment time
• Improves scalability
• Reduces operational workload
• Enables VM-level visibility

Increased Operational Efficiency

Cisco VN-Link: Virtual Network Link (Policy-Based VM Connectivity; Mobility of Network & Security Properties; Non-Disruptive Operational Model)

Advanced Features of the Nexus 1000V

Switching: L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX); IGMP Snooping, QoS Marking (COS & DSCP), Class-based WFQ

Security: Policy Mobility, Private VLANs w/ local PVLAN Enforcement; Access Control Lists (L2–4 w/ Redirect), Port Security; Dynamic ARP inspection, IP Source Guard, DHCP Snooping

Provisioning: Automated vSwitch Config, Port Profiles, Virtual Center Integration; Optimized NIC Teaming with Virtual Port Channel – Host Mode

Visibility: VMotion Tracking, NetFlow v.9 w/ NDE, CDP v.2; VM-Level Interface Statistics; SPAN & ERSPAN (policy-based)

Management: Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks; Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3); Hitless upgrade, SW Installer

Network Services: Virtual Services Datapath (vPath) support for traffic steering & fast-path off-load [leveraged by Virtual Security Gateway (VSG) and vWAAS]

Nexus 1000V in Cisco Validated Solutions

Cisco’s network-centric virtualized data center is best positioned to enable the journey to the networked cloud

Vblocks. Imagine: 30 racks reduced down to 3 racks; provisioning applications in hours instead of weeks

Secure Multi-tenancy. Imagine: securely sharing servers between multiple users/groups without having to add another server

Flexpod. Imagine: predesigned, validated, flexible infrastructure that can grow and scale to meet cloud computing requirements

Virtual Desktop. Imagine: over 4000 desktops in a single rack! Savings up to 60+% per PC per year; significant savings in operations

Installing Nexus 1000V


Flexible Deployment Options

All servers on VMware Compatibility List

All switches, including all Cisco switches

1G & 10G NICs

Collaborative Deployment Model: Deploying the Nexus 1000V

1. VMW vCenter & Cisco Nexus 1000V relationship established
2. Network Admin configures Nexus 1000V to support new ESX hosts
3. Server Admin plugs new ESX host into network & adds host to Cisco switch in vCenter

[Diagram: step 1 between the Nexus 1000V VSM and vCenter, step 2 on the VSM, step 3 on the vSphere host carrying the Nexus 1000V VEM]

4. Repeat step three to add another host and extend the switch configuration

[Diagram: a second vSphere host with its own Nexus 1000V VEM added to the Nexus 1000V VSM through vCenter]

Enabling Policy: Policy Based VM Connectivity

1. Nexus 1000V automatically enables port groups in VMware vCenter
2. Server Admin uses vCenter to assign vnic policy from available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

Defined Policies: WEB Apps, HR, DB, DMZ

WEB Apps: PVLAN 108, Isolated
Security Policy = Port 80 and 443
Rate Limit = 100 Mbps
QoS Priority = Medium
Remote Port Mirror = Yes

[Diagram: the Nexus 1000V VSM publishes the defined policies to vCenter (1); the server admin assigns them (2); the Nexus 1000V VEM on the vSphere host connects the VMs (3)]

Port Profile: Network Admin View

n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10

Supported commands include: port management, VLAN, PVLAN, port-channel, ACL, NetFlow, port security, QoS
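An added example, not Cisco's code and not part of the deck: a Python script that parses the `show port-profile name WebProfile` output above into a structure and audits it the way a network admin reviewing a VM-facing profile would. The sample text is the slide's own output; the audit rules (profile enabled, no uplink capability, access mode on the expected VLAN, evaluated config identical to the configured attributes, only vEth interfaces assigned) are this example's assumptions, not a Cisco recommendation.

```python
"""Parse and audit `show port-profile name <profile>` output from a Nexus 1000V VSM.

Added example, not Cisco code. The sample output is the one shown on the slide;
the audit expectations are assumptions chosen for illustration.
"""
import re

# Constructed sample: the slide's `show port-profile name WebProfile` output.
SAMPLE_OUTPUT = """\
n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
"""

# Fields printed as "key: value" on one line.
SCALAR_FIELDS = {"description", "status", "capability uplink", "system vlans", "port-group"}
# Fields whose value is the block of indented lines that follows them.
LIST_FIELDS = {"config attributes", "evaluated config attributes", "assigned interfaces"}


def parse_port_profile(text):
    """Return a dict for the profile in `text`.

    Scalar fields map to their string value ('' when blank); list fields map to
    the lines nested under them. Anything before `port-profile <name>` (the CLI
    prompt and command echo) is ignored.
    """
    profile = {"name": None}
    for field in LIST_FIELDS:
        profile[field] = []
    current_list = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^port-profile (\S+)$", line)
        if m:
            profile["name"] = m.group(1)
            continue
        if profile["name"] is None:
            continue  # still in the prompt/command echo
        key, sep, value = line.partition(":")
        key = key.strip()
        if sep and key in LIST_FIELDS:
            current_list = profile[key]
            continue
        if sep and key in SCALAR_FIELDS:
            current_list = None
            profile[key] = value.strip()
            continue
        if current_list is not None:
            current_list.append(line)  # a config line or an interface name
    return profile


def audit_profile(profile, expected_vlan, veth_prefix="Veth"):
    """Return a list of findings; empty means the profile matches expectations.

    The expectations are this example's assumptions for a VM-facing profile.
    """
    findings = []
    if profile.get("status") != "enabled":
        findings.append("profile is not enabled")
    if profile.get("capability uplink") != "no":
        findings.append("VM-facing profile must not have uplink capability")
    attrs = profile["config attributes"]
    if "switchport mode access" not in attrs:
        findings.append("profile is not in access mode")
    if f"switchport access vlan {expected_vlan}" not in attrs:
        findings.append(f"access VLAN is not {expected_vlan}")
    if profile["evaluated config attributes"] != attrs:
        findings.append("evaluated config differs from configured attributes")
    for iface in profile["assigned interfaces"]:
        if not iface.startswith(veth_prefix):
            findings.append(f"unexpected interface {iface}")
    return findings


if __name__ == "__main__":
    parsed = parse_port_profile(SAMPLE_OUTPUT)
    print(parsed["name"], parsed["assigned interfaces"])
    print("findings:", audit_profile(parsed, expected_vlan=110))
```

The parser keys on the field names the VSM prints, so the same routine can be pointed at a saved `show port-profile` capture for every profile and the audit run as a periodic check that the evaluated configuration still matches what the network team intended.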

Port Profile: Server Admin View

Server and Access Virtualization Business Unit

Cisco Nexus 1010

Nexus 1010: VSM on an Appliance

[Diagram: VSM on Virtual Machine (a vSphere server running the VMs, the 1000V VEM and one 1000V VSM) compared with VSM on Nexus 1010 (a Cisco Nexus 1010 hosting four 1000V VSMs, the vSphere servers running only the VMs and the 1000V VEM)]

Feature Comparison

VSM on Virtual Machine:
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of VSM

VSM on Nexus 1010:
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of VSM
• Installation like a standard Cisco switch
• Network Team manages the switch hardware

NAM Virtual Blade on Nexus 1010: Optimize Application Performance and Network Resources

Application Performance Monitoring

Traffic Analysis and Reporting
• Applications, Host, Conversations, VLAN, QoS, etc.
• Per-application, per-user traffic analysis
• View VM-level Interface Statistics

Packet Capture and Decodes

Historical Reporting and Trending

[Diagram: the NAM Virtual Blade on the Nexus 1010 receives ERSPAN and NetFlow from the Nexus 1000V VEM on the vSphere host; the Nexus 1000V VSM and vCenter are shown alongside]

Cisco Nexus 1000V: Version 4.2(1)SV1(4) Update

New in Nexus 1000V

Cisco vPath

Class-Based Weighted Fair Queuing

LACP Offload to VEM

Network State Tracking

Policy Based ERSPAN

Restricting Port Profile Visibility in vCenter Server

Increased Scalability

Other Features

Version 4.2(1)SV1(4)

Cisco vPath

Integrated into Virtual Ethernet Module with:
• Intelligent Traffic Steering
• Decision Caching
• Performance Acceleration

Integrated policy with Port Profile and Security Profile

Supports Virtual Service Nodes for Virtual Network Services:
• Virtual Security Gateway
• Virtual WAAS

[Diagram: vPath inside the Nexus 1000V VEM]

Class-Based Weighted Fair Queuing on Nexus 1000V

Provide bandwidth guarantee for up to 64 total queues on uplinks
• User defined Queues
• 8 Predefined traffic classes for VMware and N1KV protocol traffic

Queuing configured via MQC

[Chart: example uplink bandwidth allocation across the classes vMotion, VM_Platinum, VM_Gold, Default, ESX_Mgmt and N1K_Control/N1K_Packet, with shares of 20%, 30%, 15%, 5%, 15% and 15% as extracted; traffic enters from the VMs and the VMK NIC]

Class-Based Weighted Fair Queuing on Nexus 1000V (continued)

Configure up to 56 custom queuing classes of VM, vApp data and other traffic

Each queue can have a queue limit (# of packets)

Queuing is done per physical uplink outbound

8 predefined protocol classes: vMotion, FT-Logging, iSCSI, NFS, ESX Management, N1K Control, N1K Packet, N1K Management
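An added example for the two CBWFQ slides above, not Cisco code and not the VEM's scheduler: a Python script that checks a queuing policy against the limits the slides state (64 queues per uplink, 8 predefined protocol classes, up to 56 user-defined classes, an optional packet-count queue limit, guarantees that cannot exceed 100%) and then models what a "bandwidth guarantee" means on a loaded uplink with a weighted-fair-sharing calculation: each class is guaranteed its percentage, and whatever an idle class leaves unused is shared among the busy classes in proportion to their weights. The class names, percentages, offered loads and the 10 Gbps link are constructed for the example.

```python
"""Validate a Nexus 1000V CBWFQ uplink policy and show what its guarantees mean
under load.

Added example, not Cisco code. The limits come from the slides; the sharing
model is a simplified weighted fair queuing calculation, not the VEM scheduler.
"""

PREDEFINED_CLASSES = {
    "vMotion", "FT-Logging", "iSCSI", "NFS",
    "ESX Management", "N1K Control", "N1K Packet", "N1K Management",
}
MAX_QUEUES = 64
MAX_USER_QUEUES = MAX_QUEUES - len(PREDEFINED_CLASSES)  # 56 user-defined classes

# Constructed policy: class name -> bandwidth percent and optional queue limit (packets).
POLICY = {
    "vMotion":        {"bandwidth": 20, "queue_limit": None},
    "VM_Platinum":    {"bandwidth": 30, "queue_limit": 2000},
    "VM_Gold":        {"bandwidth": 15, "queue_limit": 1000},
    "Default":        {"bandwidth": 5,  "queue_limit": 500},
    "ESX Management": {"bandwidth": 15, "queue_limit": None},
    "N1K Control":    {"bandwidth": 15, "queue_limit": None},
}


def validate_policy(policy):
    """Return the problems found in `policy`; an empty list means it can be applied."""
    problems = []
    if len(policy) > MAX_QUEUES:
        problems.append(f"{len(policy)} queues exceed the limit of {MAX_QUEUES}")
    user_classes = [name for name in policy if name not in PREDEFINED_CLASSES]
    if len(user_classes) > MAX_USER_QUEUES:
        problems.append(f"{len(user_classes)} user-defined queues exceed the limit of {MAX_USER_QUEUES}")
    total = 0
    for name, spec in policy.items():
        bw = spec.get("bandwidth", 0)
        if not 0 <= bw <= 100:
            problems.append(f"{name}: bandwidth {bw}% is out of range")
        total += bw
        limit = spec.get("queue_limit")
        if limit is not None and limit <= 0:
            problems.append(f"{name}: queue limit must be a positive packet count")
    if total > 100:
        problems.append(f"bandwidth guarantees add up to {total}%, more than the uplink")
    return problems


def allocate(policy, demand_mbps, link_mbps):
    """Share `link_mbps` among the classes in `demand_mbps` (class -> offered load).

    Each round hands every still-unsatisfied class a weight-proportional slice of
    what is left; a class needing less than its slice takes only what it needs
    and drops out, and the remainder is shared again. Every class therefore gets
    at least min(demand, guarantee) and busy classes borrow idle bandwidth.
    Classes in `demand_mbps` must exist in `policy`.
    """
    alloc = {name: 0.0 for name in demand_mbps}
    remaining = float(link_mbps)
    active = {name for name, load in demand_mbps.items() if load > 0}
    while active and remaining > 1e-9:
        weight_sum = sum(policy[name]["bandwidth"] for name in active)
        if weight_sum == 0:
            break
        satisfied, spent = set(), 0.0
        for name in active:
            share = remaining * policy[name]["bandwidth"] / weight_sum
            need = demand_mbps[name] - alloc[name]
            given = min(share, need)
            alloc[name] += given
            spent += given
            if given >= need - 1e-9:
                satisfied.add(name)
        remaining -= spent
        active -= satisfied
        if not satisfied:
            break  # every active class used its whole slice: the link is full
    return alloc


if __name__ == "__main__":
    print("policy problems:", validate_policy(POLICY))
    demand = {"vMotion": 5000, "VM_Platinum": 4000, "VM_Gold": 4000,
              "Default": 100, "ESX Management": 0, "N1K Control": 50}
    for name, mbps in allocate(POLICY, demand, 10000).items():
        print(f"{name:15s} {mbps:8.1f} Mbps")
```

With the constructed demand, VM_Platinum gets its full 4000 Mbps (above its 30% guarantee of 3000) because ESX Management is idle and Default and N1K Control need little; vMotion and VM_Gold then split the rest 20:15, so a guarantee is a floor under contention, not a cap.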

LACP Offload to VEM

LACP is traditionally a control plane protocol run on the supervisor of a switch (the VSM on N1KV)

When the VSM is down or disconnected, the VEM operates in headless mode, without the ability to perform LACP control plane operations

LACP cannot be run on a single link between a VEM and the upstream network

LACP Offload solves this problem by offloading all LACP operations to the VEM

Makes the data plane more robust and helps in FCoE deployments where the VSM is behind the VEM

[Diagram: LACP PDUs handled in the Data Plane on the Nexus 1000V VEM rather than in the Control Plane on the Nexus 1000V VSM]

Network State Tracking

Detect upstream Layer 2 network connectivity failure

Automatically fail over to surviving connections for vPC Host Mode port channel

Makes use of Network Tracking packet to probe interfaces on other Sub-Groups

[Diagram: VMs on a host whose uplinks are split into Sub-Group 0 (MAC A) and Sub-Group 1 (MAC B) toward the Data Center Network]

Increase DMZ Visibility with ERSPAN

ERSPAN allows VM traffic to be mirrored to a traffic analyzer

Mirrored traffic can traverse a Layer 3 network

Visibility through centralized L4-7 services: Firewall, Intrusion Detection System

[Diagram: Port Mirroring from the VMs to an Intrusion Detection system and a Firewall]

Policy Based ERSPAN

ERSPAN all interfaces with same policy

Troubleshoot applications in the cloud

[Diagram: a Nexus 1000V Distributed Virtual Switch spanning many VMs, with the traffic of one policy mirrored to an Intrusion Detection system]

Restricting Port Profile Visibility in vCenter Server

Based on vCenter Server users and user groups, Port Profiles can be configured to restrict access
• Prevent server administrators from having to work through a large list of Port Groups
• Restrict access to sensitive Port Profiles to only privileged administrators

Must define access on vCenter

Must enable new feature on VSM: feature port-profile-role

Configure and assign visibility, example:

port-profile-role adminUser
  description adminOnly
  user jsmith
port-profile allaccess2
  assign port-profile-role adminUser
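An added example, not Cisco code and not from the deck: a Python script that reads port-profile-role configuration in the form shown above and works out which port profiles a given vCenter user would see. Two behaviours are assumptions of this example rather than statements from the slide: a profile with no role assigned stays visible to every user, and a user sees a restricted profile only when listed in one of its assigned roles. The second role (`secUser`), its user `ajones`, and the profiles `dmz-web` and `web-apps` are constructed; `adminUser`, `jsmith` and `allaccess2` are the slide's.

```python
"""Resolve port-profile visibility per vCenter user from port-profile-role config.

Added example, not Cisco code. Visibility rules are assumptions (see the lead-in).
"""

# Constructed configuration built around the slide's example.
SAMPLE_CONFIG = """\
feature port-profile-role
port-profile-role adminUser
  description adminOnly
  user jsmith
port-profile-role secUser
  description securityTeam
  user ajones
  user jsmith
port-profile allaccess2
  assign port-profile-role adminUser
port-profile dmz-web
  assign port-profile-role secUser
port-profile web-apps
"""


def parse_config(text):
    """Return (feature_enabled, roles, profiles).

    roles maps role name -> set of users; profiles maps profile name -> set of
    roles assigned to it (an empty set means the profile is unrestricted).
    """
    roles, profiles = {}, {}
    feature_enabled = False
    context = None  # ("role", name) or ("profile", name) for the current block
    for raw in text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:2] == ["feature", "port-profile-role"]:
            feature_enabled = True
        elif words[0] == "port-profile-role":
            context = ("role", words[1])
            roles.setdefault(words[1], set())
        elif words[0] == "port-profile":
            context = ("profile", words[1])
            profiles.setdefault(words[1], set())
        elif context and context[0] == "role" and words[0] == "user":
            roles[context[1]].add(words[1])
        elif context and context[0] == "profile" and words[:2] == ["assign", "port-profile-role"]:
            profiles[context[1]].add(words[2])
        # other lines (description, etc.) carry no visibility information
    return feature_enabled, roles, profiles


def visible_profiles(user, feature_enabled, roles, profiles):
    """Sorted names of the profiles `user` sees in vCenter.

    With the feature disabled every profile is visible (assumption); otherwise a
    profile is visible when unrestricted or when `user` belongs to an assigned role.
    """
    if not feature_enabled:
        return sorted(profiles)
    visible = []
    for name, assigned_roles in profiles.items():
        if not assigned_roles or any(user in roles.get(r, set()) for r in assigned_roles):
            visible.append(name)
    return sorted(visible)


if __name__ == "__main__":
    enabled, roles, profiles = parse_config(SAMPLE_CONFIG)
    for who in ("jsmith", "ajones", "someone-else"):
        print(who, "->", visible_profiles(who, enabled, roles, profiles))
```

Run against a saved VSM configuration, the resolver gives a quick answer to the review question "who can attach a VM to the DMZ profile?", which is the access decision this feature is meant to narrow.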

Increased Scalability

64 VEMs per VSM
2048 Active VLANs per VSM
2048 vEths per VSM
2048 Port-Profiles per VSM
4K Mac Addresses per VLAN
16K Mac Address Table per VEM

(On the slide, red italics indicate the limits that were increased)

Other Features

Updated Installer
• Installs L2 or L3 communications between VSM and VEM
• Configures active/standby VSM for HA

Access Control List on the VSM management interface

Ephemeral Port Binding
• Port ID is set and released upon VM power on/off
• Supports virtual desktop deployments

Hardware iSCSI Multipathing
• Leverages NIC-based iSCSI multipathing

VIRTUALIZING THE DMZ

Virtualizing the DMZ: Mapping the Roles and Responsibilities

Separation of duties for virtualization, security, and network administrators

Implement existing policies and procedures

Identical tools for physical network: Minimize miscommunication


DMZ with Virtual and Physical Servers: Maintaining Isolation and Protection with Private VLAN

[Diagram: Nexus 1000V VSM with two vSphere hosts running Nexus 1000V VEMs; the VMs are placed in a Private VLAN Community]

Identical tools for physical and virtual machine network: Minimize miscommunication

Less time for accurate configuration where mistakes are costly

Virtualize the DMZ

Restrict production VM access to sensitive parts of data center
• Segregate Traffic To/From Web Server
• Protect Management Traffic
• Protect Servers

Access Control List:

dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
dcvsm(config-acl)# permit ip any any

[Diagram: a vSphere host with VMKernel, FTP and WWW servers and a VM]
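An added example, not Cisco code and not from the deck: a Python first-match evaluator for the access list above, to show exactly which flows the entries affect before the list is applied. It models only the extended-ACL syntax the slide uses (`permit`/`deny`, `ip`/`tcp`/`udp`, `any` or `host A.B.C.D`, an `eq` port qualifier), with the Cisco rule that an `eq` placed after the source address matches the source port and one placed after the destination matches the destination port, and the implicit deny at the end of every list. The point it makes for a reviewer: the first entry as typed matches TCP packets sourced from 10.10.10.10 with source port 21, while a VM opening a connection to port 21 on 10.10.10.10 falls through to `permit ip any any`; if the intent is to stop VMs reaching an FTP server, the port qualifier belongs after the destination. The address 10.10.20.5 and the flows evaluated are constructed.

```python
"""First-match evaluation of the slide's VSM IP access list.

Added example, not Cisco code. Models only the syntax subset used on the slide.
"""

PORT_NAMES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "www": 80}  # small table for the example

# The ACL exactly as typed on the slide, prompts included.
ACL_TEXT = """\
dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
dcvsm(config-acl)# permit ip any any
"""


def _port(token):
    """Numeric port for `token`, given as a number or a name from PORT_NAMES."""
    return int(token) if token.isdigit() else PORT_NAMES[token]


def _address(tokens, i):
    """Parse `any` or `host X` at tokens[i]; return (address or None for any, next index)."""
    if tokens[i] == "any":
        return None, i + 1
    if tokens[i] == "host":
        return tokens[i + 1], i + 2
    raise ValueError(f"unsupported address form: {tokens[i]}")


def parse_acl(text):
    """Turn the typed ACL lines into an ordered list of rule dicts."""
    rules = []
    for raw in text.splitlines():
        # Drop the "dcvsm(config-acl)#" prompt if present.
        line = raw.split("#", 1)[1].strip() if "#" in raw else raw.strip()
        if not line or line.startswith("ip access-list"):
            continue  # the list header carries no match criteria
        t = line.split()
        action, proto = t[0], t[1]
        src, i = _address(t, 2)
        sport = None
        if i < len(t) and t[i] == "eq":      # eq after the source: source port
            sport, i = _port(t[i + 1]), i + 2
        dst, i = _address(t, i)
        dport = None
        if i < len(t) and t[i] == "eq":      # eq after the destination: destination port
            dport, i = _port(t[i + 1]), i + 2
        rules.append({"action": action, "proto": proto,
                      "src": src, "sport": sport, "dst": dst, "dport": dport})
    return rules


def evaluate(rules, proto, src, sport, dst, dport):
    """Return 'permit' or 'deny' for one packet; the first matching entry wins."""
    for r in rules:
        if r["proto"] != "ip" and r["proto"] != proto:
            continue
        if r["src"] is not None and r["src"] != src:
            continue
        if r["sport"] is not None and r["sport"] != sport:
            continue
        if r["dst"] is not None and r["dst"] != dst:
            continue
        if r["dport"] is not None and r["dport"] != dport:
            continue
        return r["action"]
    return "deny"  # implicit deny at the end of every ACL


if __name__ == "__main__":
    rules = parse_acl(ACL_TEXT)
    # Constructed flows: replies from 10.10.10.10's FTP control port, and a VM connecting to it.
    print(evaluate(rules, "tcp", "10.10.10.10", 21, "10.10.20.5", 40000))  # deny
    print(evaluate(rules, "tcp", "10.10.20.5", 40000, "10.10.10.10", 21))  # permit
```

Running a candidate list through an evaluator like this with the handful of flows it is supposed to block and allow is a cheap check to do before the list is bound to a port profile, where a mistake in operand order silently permits the traffic it was written to stop.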


Increase DMZ Visibility with NetFlow

NetFlow allows network statistics to be exported

Anomaly detection: across virtual to physical servers

Distributed network application monitoring: both physical and virtual applications

Network planning: assist with growth and scaling of the data center

[Diagram: Network Statistics exported from the VMs on vSphere to a Network Analysis system]

Recommendations for Securing Virtualized DMZ*

1. Consistent security in physical and virtual environment
2. Secure the hypervisor using VMware recommendations
3. Limit VMs with different security affinities on the same server
4. Limit connectivity to Service Console and VMKernel
5. Secure VM-to-VM traffic flows
6. Use monitoring tools to increase visibility of VM traffic
7. Document virtual and physical network connections
8. Clear separation of roles and responsibilities
9. Enforce clearly defined change management controls
10. Perform ongoing auditing and monitoring

Nexus 1000V Secures Virtualized DMZ

*http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/dmz_virtualization_vsphere4_nexus1000V.pdf

Summary

Version 4.2(1)SV1(4) provides updated Nexus 1000V capabilities
• Virtualized network services with Cisco vPath
• Numerous features preparing cloud deployment
• Enhanced scalability and stability

Are you ready for the cloud?