volume3 ucs v

Upload: magui-de-los-angeles

Post on 03-Apr-2018


  • 7/28/2019 Volume3 UCS V

    1/107

    UCS and Virtualization: Vol 3

    Lesson 1: Examining UCS and

    Lesson 2: Cisco's Virtual Secu

    Gateway


    Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

    Cisco Technical Documentation Style Guide

    © 1992-2009 Cisco Systems, Inc. All rights reserved.


    Lesson 1

    UCS and Virtual Desktop Solutions

    Overview

    This lesson is designed to introduce you to virtual desktop solutions. Students will examine the services, components, and infrastructures required to support a virtual desktop infrastructure.

    Objectives

    The specific objectives of this lesson are to enable you to perform the following tasks:

    Examine Virtual Desktop Infrastructure Business Case

    Describe VDI Work Loads and Sizing Factors

    Explain Components of a VDI Solution

    Examine VDI design using UCS


    1-1 UCS-Virtualization Cisco Systems, Inc.

    Contents

    Examine Virtual Desktop Infrastructure Business Case
        Define What VDI Is
        Describe What is Desktop Virtualization
        Describe the 5 Goals of Desktop Virtualization - User Experience
        Describe the 5 Goals of Desktop Virtualization - Network Latency Tolerance
        Describe the 5 Goals of Desktop Virtualization - Effective Provisioning
        Describe the 5 Goals of Desktop Virtualization - Scalability
        Describe the 5 Goals of Desktop Virtualization - Agility and Availability
        Describe What Makes Up a Desktop
        Summarize Typical Desktop Deployments
        Describe the Desktop Virtualization Business Case
        Explain 5 Key Challenges of the Current Desktop Model
        Explain How VDI Can Solve the 5 Key Challenges
        Describe Why Now is a Prime Time for VDI

    Describe VDI Work Loads and Sizing Factors
        Describe VDI Use Cases by User Type
        Explain User Categorization for VDI Work Loads
        Summarize Desktop Delivery Methods
        Describe VDI Testing Workloads

    Explain Components of a VDI Solution
        Define Components of a VDI Solution
        Describe Platform Virtualization
        Compare Hypervisor Offerings
        Describe Application Virtualization
        Describe Data and Profile Management
        Describe Access Protocols
        Examine ICA vs. PCoIP
        Define the Sessions Broker
        Define Static and Dynamic Architectures
        Explain Server Infrastructure
        Summarize UCS/Software/Storage Compatibility

    Examine VDI Design Using UCS
        Describe Suggested Architecture for VDI on UCS
        Examine UCS Scalable Architecture
        Summarize Logical Configuration
        Compare Competitor Suggested Architecture
        Summarize UCS VDI Configuration
        Describe VDI Test Setup
        Summarize Factors Influencing Scalability
        Describe Software Stack Description - Infrastructure Hosts
        Describe Windows 7 Desktop Configuration
        Explain Scalability Results of VDI on UCS
        Examine Login VSI Response Time Graphs
        Examine Memory Utilization for 1760 Desktop Test
        Examine Network Utilization Graph
        Compare Cisco UCS Solution for Desktop Virtualization
        Explain Why UCS and Networking is Best for VDI
        Summarize Advantages of UCS for VDI


    Examine Virtual Desktop Infrastructure Business Case

    Upon completion students will learn:

    Define What is VDI

    Describe What is Desktop Virtualization

    Describe the 5 Goals of desktop virtualization

    Describe what makes up a desktop

    Summarize typical desktop deployment

    Describe the desktop virtualization business case

    Explain 5 Key challenges of the current desktop model

    Explain How VDI Can Solve the 5 Key Challenges

    Describe Why Now is a Prime Time for VDI

    2008 Nuova, Inc. All rights reserved. ICNX5 v1.02



    Define What VDI Is

    The acronym VDI suggests many different ideas about what it means. For starters, VDI denotes an architecture, neither a single product nor even a single vendor. This means that integration and collaboration between the vendors who supply the hardware, software, and network infrastructures is expected, and it is seen in the myriad of ecosystem partner relationships springing up around VDI.

    VDI in general can be described as a replacement or augmentation of your existing desktop, delivered as a service through the use of virtualization. It should also be characterized as an excellent solution for some use cases and not so good for others. Careful assessment of the needs of your users, the consumers of this service, is essential for designing and implementing VDI solutions.

    2008 Cisco Systems Inc. All rights reserved. Course Title Module Name 3

    Define What is VDI

    VDI is an architecture

    VDI is NOT a single product
        o Multiple Components
        o Multiple Vendors

    VDI is a replacement or augmentation of the desktop using virtualization

    Best suited to specific use cases


    Describe What is Desktop Virtualization

    Basically, desktop virtualization means providing a typical worker's desktop to them regardless of location or device. The desktop they are using exists on a host in the data center. Endpoints then access these virtual desktops over the network, either internally or through a VPN as necessary. The desktop resumes precisely as it was left the last time. The user also expects that all functionality, data, and performance will be identical to their physical desktop computer.


    Describe What is Desktop Virtualization

    Separate the physical endpoint from the logical desktop

    Host the logical desktop in a data center

    Allow endpoints to access the logical desktop over the network

    Endpoints may include a variety of device types; end user continues where he/she last left off

    Figure label: Virtualized desktop hosted in DC


    Describe the 5 Goals of Desktop Virtualization - User Experience

    When implementing a VDI solution there are 5 key goals that you will be attempting to achieve. The first, and likely the most important, is the user experience. If the virtual desktop does not perform the same as or better than their original desktop, users will likely not want to use this new model of operation. Key factors important to users in a VDI solution:

    Faster boot times

    Better Mobility

    Same functionality

    Use of traditional peripherals

    Fast and better response from support.


    Describe the 5 Goals of Desktop Virtualization - User Experience

    Figure labels: Virtual Desktops; Virtual Desktop Consumers

    Keys to User Experience

    Instant On - Boot Faster

    Mobility - Desktop available through any device

    Functionality - Full functioning Desktop that is personalized

    Peripherals - USB, Network, Printing, Scanning, etc.

    Support - Performance, service level compliance, faster time to resolved problems


    Describe the 5 Goals of Desktop Virtualization - Network Latency Tolerance

    Another of the goals is tolerance of network latency. As indicated in the previous slide, users wish to use the desktop from any device, but also from anywhere. This means that they will likely be connecting through any number of connection types:

    Hotel Internet

    Satellite

    Wireless and 3/4G

    Intranet

    Each of these connection types has different network bandwidth and latency. VDI solutions have to accommodate this by using protocols that make the communication between the virtual desktop and the connecting client's display as efficient as possible. Factor in that your consumers will also want to run multimedia applications or content such as Flash.


    Describe the 5 Goals of Desktop Virtualization - Network Latency Tolerance

    Figure labels: Virtual Desktop Consumers; Internet


    Describe the 5 Goals of Desktop Virtualization - Effective Provisioning

    Provisioning in a traditional model (physical desktops) takes days to weeks. In addition, for each type of device that is supported you must have a support procedure, trained support staff, and lots of storage for backups and images.

    With VDI the goal is to streamline provisioning by creating the desktop virtually. A desktop can then be provisioned from an image in a matter of minutes. Mass deployment can be done using tools on your storage or even from the hypervisor platform. Support for a desktop can also be done centrally, including rollbacks to snapshots of desktop VMs.


    Describe the 5 Goals of Desktop Virtualization - Effective Provisioning

    Figure labels: Support Staff; Users; Individual Desktops; Support Staff; Virtual Desktops; Individual Desktop Support; Virtual Desktop Support


    Describe the 5 Goals of Desktop Virtualization - Scalability

    A VDI infrastructure needs to be scalable as well. That is, what is the impact on your design when you need to go from, say, 500 desktops to 2000? Keep in mind this may require adding new physical equipment, modifying networks, and installing hosts. As you can imagine, the more complex your setup, the harder it is to scale. An assessment of the current infrastructure is also needed, as it may be impacted too as your solution grows.


    Describe the 5 Goals of Desktop Virtualization - Scalability


    Describe the 5 Goals of Desktop Virtualization - Agility and Availability

    Finally, VDI needs to offer both users and IT departments the ability to be agile and flexible. This means different things to each of these groups. For users it is reflected in the choice of device, mobility, and functionality. For IT departments it is about flexibility of software, hardware, and storage. You can also include integration into current management and DR systems.


    Describe the 5 Goals of Desktop Virtualization - Agility and Availability

    User Flexibility
        Same environment regardless of device
        Same usage of peripherals regardless of device
        Same personalization regardless of device
        Same desktop regardless of where they are

    IT Department
        Should be able to use any Hypervisor
        Multiple types of virtual storage
        Support every major OS
        Should be able to serve up same applications as a physical desktop


    Describe What Makes Up a Desktop

    In desktop virtualization what we are essentially doing is abstracting what we call the

    "desktop" from the physical piece of hardware. That abstraction includes:

    Operating System

    Applications - Not required but can be abstracted

    User Data - Can be local to their client device or on the network in a network drive

    Personalization - Specific application, data resources, and persistent desktops


    Describe What Makes up a Desktop


    Summarize Typical Desktop Deployments

    To begin to build the business case for VDI, you need a basic understanding of how desktops are deployed today. Traditional deployments go through a life cycle, as shown on the slide. This process typically takes weeks to deploy. In addition, each device has to be backed up, monitored, and updated, all of which requires a complex set of processes and technology. Finally, you also need a procedure and system for retiring old desktops and implementing new ones. This represents a huge cost that is measured in dollars per desktop. For example, it likely costs thousands of dollars per user today to use this model. VDI can likely take this into the 10s to 100s of dollars.


    Summarize Typical Desktop Deployments

    Life cycle stages (figure labels): Procure, Monitor, Image, Secure, Deploy, Maintain, Backup, Retire

    Slow to Deploy

    Complex to secure

    Costly to Maintain


    Describe the Desktop Virtualization Business Case

    Also keep in mind that during the life of a deployed physical desktop you will face a number of different challenges at the various layers. For example, application updates can be challenging not only for the network but also for the automation. Operating system changes can break compatibility, leaving IT departments scrambling to distribute fixes. Finally, the user device presents problems ranging from security exposure due to loss to the ability to support different worker types across different devices.


    Describe the Desktop Virtualization Business Case

    Challenges

    Managing Updates
    Licensing Compliance
    Security and Policy compliance
    New Applications

    Driver Compatibility
    Integration
    Patching
    Upgrading
    New Installs

    Performance
    Life Cycle Management
    Security
    Mobility
    Supportability


    Explain 5 Key Challenges of the Current Desktop Model

    The 5 key challenges of the current desktop model are:

    Hardware Costs - Multiple devices to purchase, updates can break systems

    Compliance and Data Security - Loss prevention for devices, enforcing compliance with your security policies

    IT Productivity - Different support model for each device, disparate management software needed to manage it all

    Growth - Provisioning takes days to weeks

    Resiliency - Backing up users' desktops and data, the time it takes to recover from a loss


    Explain 5 Key Challenges of the Current Desktop Model

    Challenges and their descriptions:

    Hardware Costs
        Updates may require changes in hardware
        Updates can break a system because of compatibility

    Compliance and Data Security
        Lost devices can contain sensitive/secure data
        Compliance must be checked on each device

    IT Productivity
        Each device type requires different support models
        Different tools to manage and orchestrate

    Growth
        Provisioning new Desktops can take days
        Refresh Cycles

    Resilience
        Restoring lost desktops
        Backing up data


    Explain How VDI Can Solve the 5 Key Challenges

    VDI answers these challenges in the following ways:

    Hardware - While you can have almost any type of device, the desktop support is centralized in the data center.

    Compliance/security - Desktops and user data can be contained in the network storage; lost devices contain only personal information.

    IT Productivity - Provision hundreds and thousands of desktops at a time; this can also be done with applications.

    Growth - Desktops can be made ready in minutes.

    Resilience - Data and desktops are centrally stored; snapshots can give complete rollback capability.


    Explain How VDI Can Solve the 5 Key Challenges

    Challenges and their descriptions:

    Hardware Costs
        Desktop is virtualized on a server / HW compatibility is removed
        Freedom of device to access desktop

    Compliance and Data Security
        vDesktops have no physical storage
        Lost or stolen devices do not have desktop data

    IT Productivity
        Desktop updates can be done to hundreds at a time
        Application updates can be done by the hundreds at a time

    Growth
        New Desktops can be ready in minutes
        New applications can be streamed

    Resilience
        Centralized storage of desktops can easily be fit into DR plan
        Centralized backing up of data


    Describe Why Now is a Prime Time for VDI

    You can see the full list on the slide, but any of these can be a reason for this move. Primary among these are the movement to ITaaS (IT as a Service) to reduce costs and the need for many companies to migrate to Windows 7.


    Describe Why Now is a Prime Time for VDI

    1. Lower TCO by 50%

    2. Migration to Windows 7

    3. Technology is ripe, ready for prime time

    4. User adoption is on the rise

    5. Broad Partner ecosystem support

    6. Top 10 initiatives planned by CIOs for 2010

    7. Secure data access, increased security and control

    8. Desktops as Managed Service

    9. Simplified and Automated Desktop Provisioning

    10. SLA for Users

    Desktop Virtualization is at tipping point


    Describe VDI Work Loads and Sizing Factors

    Upon completion students will learn the following:

    Describe VDI Use Cases by User Type

    Explain User Categorization for VDI Work Loads

    Summarize Desktop Delivery Methods

    Describe VDI Testing Workloads



    Describe VDI Use Cases by User Type

    When designing a VDI solution, make sure you assess what types of users will be consuming it. This is critical for all sides of the design, from the number of network links to the type of storage you choose to use.

    Users can be broken down into the following categories:

    Task Workers - Typically a small number; they require a simple desktop with little customization and a very limited set of applications.

    Knowledge Workers - Typically the bulk of the work force; they expect a fully customizable desktop and a media-rich experience.

    Power Users - For example, a design engineer who may need a virtual desktop blade in order to run resource-hungry applications like CAD. This is a small segment of users.

    Mobile Users - The fastest growing group these days. They are like the knowledge worker, but their connectivity limits what can be provided to them in terms of applications.


    Describe VDI Use Cases by User Type

    User types (figure labels): Task Workers, Power Users, Mobile Users, Knowledge Workers

    Pooled Desktops - PVS (Limited Customizable)
        Ease of management (e.g. patch)
        Lower storage requirement
        Limited user flexibility

    Assigned Desktops (Fully Customizable)
        More freedom for users
        More storage requirement
        Patch management more difficult


    Explain User Categorization for VDI Work Loads

    When you break down the types of workers, you can see how knowledge workers can make up the largest number of VDI consumers. By designing for the correct type of consumer, the solution should be able to achieve its ROI goals. This breakdown is also helpful in testing a solution: software that tests a solution's performance and robustness can simulate the type of activities that any of these types of workers perform.


    Explain User Categorization for VDI Work Loads

    Guest Workers
        rich PC experience, instant resets, standard app set
        university computer lab, training center

    Office Workers
        rich PC experience, personal, diverse apps and users
        finance, operations, marketing, administration

    Remote Workers
        secured access and control, location and device flexibility, diverse apps and users
        offshore workers, outsourcers, contractors, branch offices, teleworkers

    Mobile Workers
        offline access, secure, diverse apps and users
        sales, executives, field service

    Task Workers
        simple, locked down, few apps
        factory worker, retail clerk, bank teller, credit card call center

    Other figure labels: Requirements; Knowledge Worker


    Summarize Desktop Delivery Methods

    Desktops can be delivered in a hosted model similar to Terminal Services from Microsoft. Most people are familiar with this form of delivery, in which a single instance of Windows Server allows for multiple custom desktops. While this works well and has been in use for quite some time, it has a flaw: it lacks the resiliency that the hypervisor provides to a virtual machine based architecture.

    Applications can also be delivered to the end user in a number of ways, from installing them on the virtual desktop itself to streaming them from a server to the user's virtual desktop or client device.


    Summarize Desktop Delivery Methods

    Figure labels: Terminal Services; VDI

    Worker types: Office Workers, Remote Workers, Mobile Workers, Task Workers, Guest Workers

    Hosted VM-based Desktops
    Hosted Blade PC Desktops
    Hosted Shared Desktops
    Local Streamed Desktops
    Local VM-based Desktops
    Virtual Apps
    Installed Desktops

    Figure labels: Server Side Compute; Client Side Compute

  • 7/28/2019 Volume3 UCS V

    24/107

    1-21 UCS-Virtualization Cisco Systems, Inc.

    Describe VDI Testing Workloads

    When testing your VDI deployment, you will typically perform the tasks seen above at scale. This means slowly ratcheting up the number of desktops performing these tasks to see how many are supported before performance begins to degrade. The expectation is that applications used on the virtual desktop will respond in 1 to less than 2 seconds. That seems short, but it is indeed the user's expectation.

    Describe VDI Testing Workloads

    Knowledge Worker: simultaneous use of MS Office, IE, PDF

    Typical Work Load Tasks:
    Browse and compose Outlook messages
    Open and interact with multiple instances of Internet Explorer
    Open and interact with multiple instances of Word
    Open, review, print PDF
    Open and interact with multiple large Excel sheets
    Open and interact with multiple PowerPoint presentations
    Perform zipping (file compression) operations using 7-Zip

    Explain Components of a VDI Solution

    In this final section students will learn:

    Define Components of a VDI Solution

    Describe Platform Virtualization

    Summarize Application Virtualization

    Define Data and Profile Management

    Describe Access Protocols

    Define the Sessions Broker

    Describe Static vs. Dynamic

    Explain Server Infrastructure

    2008 Nuova, Inc. All rights reserved. ICNX5 v1.021


    Define Components of a VDI Solution

    Here is a general diagram depicting the components of a VDI deployment. A VDI

    deployment consists of:

    Clients

    Session Broker

    Virtualization hosts (ESX, XenServer, Hyper-V)

    Desktop VMs

    Infrastructure VMs

    Back end network storage


    Describe Platform Virtualization

    At the heart of VDI is the virtualization platform, which hosts both the desktop VMs and the infrastructure VMs. These hosts can be clustered to provide a highly available platform. Your choice of VDI software determines which hypervisor you will use: some VDI products work with all hypervisors, while others work only with the hypervisor from the same company. You will also want to examine which features a hypervisor provides, such as business continuity features.

    Describe Platform Virtualization

    Host both infrastructure VMs and desktop VMs
    Physical hosts can be clustered to take advantage of HA and other features
    When choosing the hypervisor consider:
    Management
    HA features
    OS support
    VM requirements

    Compare Hypervisor Offerings

    In comparing Hypervisors there are a number of categories you need to examine:

    Business Continuity

    Storage Integration

    Back-up

    Networking support

    Platform support (Cores)

    Virtual Machine limitations

    Operating system support

    For example, if you wish to provide desktops using Solaris, then your only option is VMware.

    Compare Hypervisor Offerings - Cont

    Feature: vSphere 4, Hyper-V, XenServer 5

    OS System Support

    Windows NT
    Windows 2000 1 CPU (No x64)
    Windows 2003 2 CPU
    Windows 2008 4 CPU
    RedHat Linux
    SuSE Linux SLES10 SP1/2, 1 CPU
    Mandrake Linux
    Ubuntu Linux
    SUN Solaris
    FreeBSD
    Netware

    Describe Application Virtualization

    Like desktops, applications can be virtualized. When this is done, the application is distributed across the network in much the same way as the desktop is. In fact, you could look at the desktop as the first application streamed to your client. Applications can also be made to run in a web interface or even pushed down onto the client where required.

    Describe Application Virtualization

    Normal application deployment is slow
    By deploying applications virtually they can be added in minutes to seconds
    Apps can be streamed or run from desktop

    Describe Data and Profile Management

    To meet the needs of your consumers, you must also be able to customize the virtual desktop to the type of worker, their data resource needs, and the applications that are usable. Group and user profiles, together with policies, make this easy to implement and enforce.

    Describe Data and Profile Management

    Clients can access a different desktop VM each time
    By using profiles, personality and data can be maintained
    Storage of data can be redirected to a network location
    Profiles stored on network, applied as needed
    Allow for security policy enforcement and customized storage access

    Describe Access Protocols

    Key to user performance is the type of protocol used to connect a client to their virtual desktop. Each vendor has its own protocol:

    Citrix - ICA-HDX
    VMware - PCoIP
    MS - RDP

    Which you use depends on which vendor is supplying the VDI software.

    Describe Access Protocols

    Used to access the virtualized desktops
    Should support Fat and Thin clients
    Vendor specific
    Citrix: ICA
    VMware: PCoIP
    MS: RDP
    Web Portals for easy access from anywhere

    Examine ICA vs. PCoIP

    This comparison is somewhat odd, as the protocol will likely not be the major deciding factor in which vendor you choose. However, there is a lot of FUD and misunderstanding about which is better to use. Ultimately they both work well; the above table lists a number of points that distinguish them. In general, ICA is more tolerant of network latency, and VMware is best at providing the richest VD experience.

    Examine ICA vs. PCoIP

    Category                                     ICA                    PCoIP
    User Experience                              Lossy Compression      Lossless Compression
    Bandwidth Constraints                        Better Performance     Good Performance
    Handling Flash Content                       Flash Redirection      Flash Remoting
    Resource Consumption / Scalability (host)    Less Host Resources    More Host Resources

    Define the Sessions Broker

    Every VDI architecture has a server that brokers sessions to virtual desktops. The broker will:

    Authenticate a user
    Coordinate attaching them to a desktop - or
    Initiate the provisioning process for a new one
    Register new desktops as they are created

    This server can be a bare-metal installed system or a VM in the VDI infrastructure. Putting it into the VDI infrastructure allows it to be protected by the hypervisor's HA features. It also allows you to scale it out into a farm through VM cloning.

    Define the Sessions Broker

    Coordinates connection to your desktop
    Directs users to new VM desktops
    Redirects clients to previous desktops
    Responsible for connection distribution and management

    Define Static and Dynamic Architectures

    Virtual desktops can be assigned or pooled, sometimes known as static or dynamic. In a static deployment you are assigned a virtual desktop machine, which is the same one you use every time you connect. In a dynamic architecture you are assigned to a virtual machine desktop, and through the use of profiles and policies it is modified to be your desktop when you connect. The two can be used separately or together. For example, a typical knowledge worker will want his desktop VM to persist and be the same one he left, exactly as he left it. A good use of pooled desktops is a university computer lab, where students log in and get a desktop with their specific applications on it.

    Define Static and Dynamic Architectures

    Can use both architectures
    Static - maps the user to the same VM each connection
    Dynamic - creates the VM each time a user connects
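The broker duties listed in the Sessions Broker section (authenticate, attach or provision, register) and the static versus dynamic assignment described here can be modeled in a short program. This is an added example, not code from the course or from any VDI product; the class and method names, the in-memory user table, the passwords and the profile names are all constructed assumptions.

```python
import hashlib
import hmac
import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class DesktopVM:
    name: str
    owner: Optional[str] = None            # set only for static (assigned) desktops
    in_use_by: Optional[str] = None        # user currently attached, if any
    applied_profile: Optional[str] = None  # profile applied to a pooled desktop


class SessionBroker:
    """Toy broker: authenticate, attach to a desktop or provision one, register it."""

    def __init__(self, users, profiles, static_users):
        self._users = users                  # username -> (salt, PBKDF2 digest)
        self._profiles = profiles            # username -> profile name
        self._static_users = set(static_users)
        self._desktops = {}
        self._seq = itertools.count(1)
        self.audit = []                      # every decision is recorded

    @staticmethod
    def hash_password(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _authenticate(self, user, password):
        record = self._users.get(user)
        if record is None:
            return False
        salt, expected = record
        # Constant-time comparison of the derived key.
        return hmac.compare_digest(self.hash_password(password, salt), expected)

    def register(self, vm):
        self._desktops[vm.name] = vm
        self.audit.append(("register", vm.name))

    def _provision(self, owner=None):
        vm = DesktopVM(name=f"desktop-{next(self._seq):03d}", owner=owner)
        self.register(vm)
        return vm

    def connect(self, user, password):
        if not self._authenticate(user, password):
            self.audit.append(("deny", user))
            raise PermissionError("authentication failed")
        if user in self._static_users:
            # Static: always the same VM, left exactly as the user left it.
            vm = next((d for d in self._desktops.values() if d.owner == user), None)
            if vm is None:
                vm = self._provision(owner=user)
        else:
            # Dynamic: any free pooled VM, personalised through the user's profile.
            vm = next((d for d in self._desktops.values()
                       if d.owner is None and d.in_use_by is None), None)
            if vm is None:
                vm = self._provision()
            vm.applied_profile = self._profiles.get(user, "default")
        vm.in_use_by = user
        self.audit.append(("attach", user, vm.name))
        return vm

    def disconnect(self, user):
        for vm in self._desktops.values():
            if vm.in_use_by == user:
                vm.in_use_by = None
                if vm.owner is None:
                    # Pooled desktop: drop personalisation before the next user gets it.
                    vm.applied_profile = None
                self.audit.append(("detach", user, vm.name))


def build_demo_broker():
    """Constructed sample data: one static knowledge worker, two pooled lab students."""
    salt = b"constructed-salt"
    users = {
        "kworker": (salt, SessionBroker.hash_password("constructed-pw-1", salt)),
        "student1": (salt, SessionBroker.hash_password("constructed-pw-2", salt)),
        "student2": (salt, SessionBroker.hash_password("constructed-pw-3", salt)),
    }
    profiles = {"student1": "lab-chemistry", "student2": "lab-physics"}
    return SessionBroker(users, profiles, static_users={"kworker"})


if __name__ == "__main__":
    broker = build_demo_broker()
    print(broker.connect("kworker", "constructed-pw-1"))
    print(broker.connect("student1", "constructed-pw-2"))
    print(broker.audit)
```

The audit list records denied logins as well as attach and detach events, which is the record a defender would review when investigating who reached which desktop.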


    Explain Server Infrastructure

    Infrastructure servers are the VMs that run the VDI software, including the broker, provisioner, and licenser, as well as any used for communications grooming. They can also be the servers that supply AD, DHCP, DNS, and other essential services. Some VDI products recommend that these be dedicated machines; however, they can benefit hugely from protection and scaling if you put them in VMs as part of the overall solution.

    Explain Server Infrastructure

    Provide Specific Services to the VDI solution:
    Applications Server (Farms)
    Management Servers, i.e. Virtual Center
    Communication Grooming
    Dynamic Provisioning Server
    Application Profiler

    Other Servers Essential to VDI:
    Domain Controller
    DNS
    RDP Licensing server
    DHCP

    Summarize UCS/Software/Storage Compatibility

    This chart depicts the eco partner relationship to Cisco and the UCS in terms of VDI

    solutions. Each of these will have a Cisco validated design (CVD) that can be referenced.

    Summarize UCS/Software/Storage Compatibility

    UCS

    Hypervisor       Desktop          Storage
    VMware           View 4.5         EMC/NETAPP
    VMware           XenDesktop 4     EMC/NETAPP
    Hyper-V          Microsoft VDI    EMC/NETAPP
    Hyper-V          XenDesktop 4     EMC/NETAPP
    XenServer 5.6    XenDesktop 4     EMC/NETAPP

    Examine VDI design using UCS

    Upon completion of this section you will:

    Describe Suggested Architecture for VDI on UCS

    Examine UCS Scalable Architecture

    Summarize Logical Configuration

    Compare Competitor Suggested Architecture

    Summarize UCS VDI Configuration

    Summarize Advantages of UCS for VDI


    Describe Suggested Architecture for VDI on UCS

    The UCS is ideal for VDI deployments. In the picture above we see a UCS with 2 fabric interconnects. Beneath them are the chassis that contain blades for virtual desktops and blades for the infrastructure servers. Networking is provided northbound from the fabric interconnects to a Nexus 5K or some other access layer switching. The Nexus 5K and the UCS use 10GbE, so speed and performance are exceptional. The FIs also connect to 2 separate MDS to provide access to the FC LUNs used for booting. By doing this, the hosts can have mobile service profiles within the UCS. The unified storage provides FC LUNs for booting hosts and NFS storage for VM disks.

    Describe Suggested Architecture for VDI on UCS

    [Figure labels: LAN; Nexus 5000 Access; UCS Fabric Interconnect; MDS 9xxx; NetAPP/EMC; UCS Chassis and Blades]

    Examine UCS Scalable Architecture

    The UCS architecture currently scales up to 12 chassis, and shortly up to 20 chassis, as a single UCS domain. The interesting thing about this architecture is that as we add chassis we have to do nothing at all to the underlying infrastructure, providing near-linear scaling. This also means rapid deployment: just connect more chassis to the fabric interconnect and deploy servers from the SP templates. All you then need to do is add more storage and increase the XenDesktop infrastructure to handle more desktops.


    Summarize Logical Configuration

    This is the logical diagram of how this would be linked:

    Each chassis has 1-4 uplinks per IOM. The fewer uplinks the fewer chassis, but network performance is essential for large deployments.
    The first chassis has 2 B200 blades for the infrastructure VMs
    All other blades are B250 to host the desktops
    Links are port channeled from the FI to the Nexus 5K
    5Ks are port channeled together with 4 links
    5Ks provide network links to the storage for NFS access
    FC is split out at the FI and handled by two separate fabrics, each with its own MDS. The storage is best handled by an array that can provide multi-protocol support.


    Compare Competitor Suggested Architecture

    Compare this to an HP suggested deployment. Notice the following:

    If you were to scale, how many switching elements would have to be managed?
    How difficult is it to add additional server arrays?
    How many pieces of bolt-on software will be required?

    And this is all before adding in the VDI software. The picture, while neat looking, demonstrates how the simplicity of the UCS provides a much better platform for VDI.

    Compare Competitor Suggested Architecture

    Consider this from our competition: what's your first reaction to this?

    Source: Scalability of XenDesktop 4 on Microsoft Windows Server 2008 R2 Hyper-V paper

    Summarize UCS VDI Configuration

    This slide summarizes how the infrastructure and virtual desktops will be distributed in the solution. The first chassis houses 2 B200 blades for infrastructure servers. The other 3 slots hold B250 blades for the virtual desktops. As you scale, you simply add more chassis packed with B250s.

    Summarize UCS VDI Configuration

    [Figure labels: four groups of VMs labeled Windows 7 Desktops; VDI Mgr; Session Broker; Profile Mgmt; Management Services; Profile Srv; LIC; AD/DNS/DHCP]

    Legend:
    AD - Active Directory
    DDC - Desktop Delivery Controller
    PVS - Provisioning Server
    DMC - Desktop Master Controller
    LIC - Licensing server

    Describe VDI Test Setup

    [Figure labels: Win7 Desktops (VMs); vSphere; XenDesktop Infrastructure; NetApp Storage; LAN; OS; VSI Launchers; Cisco UCS; Nexus 5000 Access; UCS Fabric Interconnect; MDS 9xxx; Load Generator; Workload - LoginVSI Pro 2.1; Knowledge worker workload; System under test]

    In the Cisco validated designs for VDI, our testing was done in the following fashion:

    The first chassis was used to house the infrastructure servers and workload generators
    2 x B200, 48 GB RAM, running VMware ESX and hosting the infrastructure VMs
    3 x B250 running the Login VSI virtual desktop benchmarking tool
    Benchmarking blades generate workload for the desktop VMs
    1-4 UCS chassis, each containing up to 4 B250 blades, to host the desktop VMs

    Testing includes:
    Booting
    Login
    Use of Exchange and other Office programs
    Use of other common business programs (Acrobat, zip)


    The testing was done with a single chassis, 2 chassis, and 3 chassis to determine the

    scaling per blade as the infrastructure grew. The test was monitored for some key

    performance values to ensure user usability even under load.


    Summarize Factors Influencing Scalability

    End user experience: App response (); Desktop Response
    Workload definition: Knowledge; Mobile; Power
    Hardware platform: B250-M2 with 192 GB; B230 with 192 GB
    Hypervisor choice: vSphere + XenDesktop; XenServer + XenDesktop; VMware View and vSphere
    Desktop OS configuration: Windows 7 with 1, 1.5, 2 GB RAM; Windows XP
    No system degradation: Ballooning; Thrashing
    Backend Storage: IOPS are very heavy

    [Figure labels: vmware; View; Xendesktop; xenserver; Inf-Srv; Windows - XP; Windows - 7]

    In order to determine the scalability of the solution as designed, we needed to achieve specific performance goals. The following factors influence scalability in this deployment:

    End user experience - Users expect applications to respond in less than 2 seconds at worst.
    Workload definition - Task based vs. knowledge worker. All our tests reflect the knowledge worker, as 80% of VDI consumers are typically knowledge workers.
    Hardware platform - We used B250 M2 for the processors. We needed only 192 GB RAM as we became CPU bound before memory. How would B230 help with this?
    Hypervisor - This moderately impacts the results in terms of performance and number of supportable desktops. With View you have no choice, but with XenDesktop you do.
    Desktop OS configuration - A desktop OS should be optimized for desktop virtualization, but customers typically do not do this. This impacts how many resources are needed per desktop.
    System degradation - Ballooning and thrashing can occur as you scale; when they do, you have reached the limit of your design.
    Backend storage - Expect to see heavy IOPS. These are offset by the storage capabilities mentioned earlier.

    Describe Software Stack Description Infrastructure Hosts

    Cisco UCS 1.3(1j)

    This describes the build out of the infrastructure hosts, and desktop host blades and OS:

    The desktop hosts are:

    B250 M2 2 x 6 core with 192 GB RAM

    Blades run either ESX4.01 or ESXi 4.01

    Infrastructure hosts are:

    B200 2x4 core with 48 GB RAM

    Blades run ESX 4.01

    Describe Windows 7 desktop configuration

    The above picture describes how the desktop VMs are configured:

    1 vCPU

    1.5 GB RAM - This is average for W7 desktops

    OS - Windows 7 Enterprise - This is 32 bit; 64 bit would require more memory resources.

    Other software includes:

    vmware tools

    Microsoft Office2001

    IE 8.0

    Adobe Reader 9

    Adobe Flash 9

    Explain Scalability Results of VDI on UCS

    Based on the build stated in the previous slides, you can see the scalability results for 1-16 blades (1-4 chassis). Below are the highlights:

    1 B250 can handle a load of 110 VM desktops
    8 B250 can handle 880 VM desktops - linear scaling, no infrastructure changes
    16 B250 can handle 1760 VM desktops - linear scaling, no infrastructure changes

    This comes out to 9.16 VMs per CPU core, which is a great density. If these were Windows XP desktops the numbers would be considerably larger, as XP uses fewer resources. The key here is that we went from 1 desktop to nearly 2000, all without having to add additional switching and management endpoints.

    Examine LoginVSI Response time graphs

    vSphere results described in the next few slides

    [Figure: 1760 Desktop Sessions on vSphere, below 2000 ms: 99.9%. Y axis: response time/ms (0 to 3500); X axis: active sessions; series: Average Response_Time, Max Response_Time, Min Response_Time]

    This graph depicts the response time of the VMs as the number of desktops scales. While there are spikes, notice that the response time shows near-flat growth up through 1760 VMs. 99.9% of the time the response is under 2 seconds.

    Examine Memory Utilization for 1760 desktop test

    The non-Kernel memory is almost 96% utilized (192*94%) by 110 Windows 7 desktops each of 1.5 G

    In this graph you can see the memory utilization for a single blade running 110 desktop

    VMs. As depicted it is about 96% utilized. Provided we had more CPU resource the

    B250 could handle more VMs for future growth.

    Examine Network Utilization Graph

    vmnic0/vmnic2 were A/A NICs, average 100 Mb/s and peak 300 Mb/s
    Per chassis seen around 800-900 Mb/s

    This shows the network traffic and how easily the UCS handles it. Average was 100 Mb/s

    with spikes up to 300.

    Compare Cisco UCS Solution for Desktop Virtualization

    Single Server Performance of XenDesktop

    Server                 Hypervisor        Processor               Memory    # of desktops
    Dell PowerEdge R710    Hyper-V           [email protected] GHz     72 GB     67
    HP 460C G6             Hyper-V           [email protected] GHz     48 GB     44
    Cisco UCS B250-M2      vSphere 4.0 U2    5680 @3.33 GHz          192 GB    110
    Cisco UCS B250-M2      XenServer 5.6     5680 @3.33 GHz          192 GB    110

    Performance results and competitive comparison

    Up to 40% more desktops compared to competition

    Single server scale testing comparison:
    Same workload: LoginVSI 2.1 medium workload (knowledge worker)
    Windows 7 32-bit, 1.5 GB desktops
    Large memory clearly a differentiator for Windows 7 desktops

    Source: Based on publicly available documents from Citrix/Dell/Microsoft

    Source: Based on work done by Citrix Consulting, Windows 7 VM is 1 GB

    When compared to our competitors, you can see that for the physical space used we are able to pack more desktop VMs per blade. This is a testament to our large memory density and the M81KR card. The M81KR card gives us more than 2 virtual NICs to work with, allowing us to neatly separate traffic within the blade.

    Explain Why UCS and Networking is best for VDI

    Using a Provisioning Server based design requires a fast/low-latency network
    Cisco UCS provides 10GbE as well as QoS in service profile
    Competitors require multiple layers and switches to accomplish this (complexity)
    Key value: UCS is best in class Compute/Network and storage for VDI Deployments

    Basically, no other competitor offers anything similar to our linear scaling design. The UCS offers the following advantages:

    Configure once, scale a lot - Because we can configure the UCS through the use of the service profile, new hypervisor hosts can be deployed quickly without adding to your management headache.
    As part of a service profile you can use policies to control behavior like QoS for your desktop VMs
    As you scale there is little to no change to the infrastructure other than adding chassis and blades


    Summarize Advantages of UCS for VDI

    This chart summarizes the advantages of the UCS in VDI. Take a moment to review.

    Summarize Advantages of UCS for VDI
    Unique benefits due to key UCS technologies

    UCS Service Profiles
    UCS Manager constructs (pools, templates and policies) allow rapid server provisioning
    Various user types can be mapped to specific server pools based on user profiles
    Various policies, like boot from SAN, make provisioning the OS simpler
    UCSM allows QoS policies to be set right from the server adapter

    UCS Extended Memory
    Windows 7 has a large memory footprint; scaling Win 7 requires large memory
    UCS extended memory technology makes high bandwidth (1333MHz) memory access possible even with four times more DIMM slots on a two socket architecture
    Larger memory footprint desktops make B250-M2 ideal for VDI deployment

    Virtual Interface Card (Palo)
    Cisco VIC simplifies network management in the hypervisor
    Using VN-Link in hardware, the number of network management points can be reduced by an order of magnitude
    Provides low latency and high bandwidth for applications

    Unified Fabric (FCoE)
    Unified Fabric with high I/O bandwidth helps in scaling data intensive workloads
    Wire once infrastructure for bandwidth and not for connectivity
    Eliminates multiple adapters, cables and switches to scale the infrastructure, reduces power in the Data Center

    UCS is an ideal platform for Desktop Virtualization

    Lesson 2

    Virtual Security Gateway

    Overview

    This lesson introduces the motivation, concepts, and basic functionality of the Cisco Virtual Security Gateway (VSG).

    Objectives

    The specific objectives of this lesson are to familiarize you with the following product

    features and functionalities:

    Virtual Security Gateway (VSG) Overview

    VSG Architecture

    VSG Packet Flow

    vPath Summary

    VSG Policy Model

    Virtual Network Management Center (VNMC)

    Deployment Scenario

    High Availability

    Use Case Example

    Licensing

    Summary


    Contents

    VIRTUAL SECURITY GATEWAY OVERVIEW
    OVERVIEW
    OBJECTIVES
    OVERVIEW OF CISCO VIRTUAL SECURITY GATEWAY
    WHAT PROBLEM IS BEING SOLVED WITH VIRTUAL SECURITY GATEWAY
    MANAGING VIRTUAL FIREWALLS WITH THE VSG AND VNMC
    VSG DEPLOYMENT REQUIREMENTS
    MULTI-TENANT DEPLOYMENT
    APPLICATION TIERED DEPLOYMENT
    THE BIG PICTURE
    VSG ARCHITECTURE COMMUNICATIONS
    LOGICAL DEPLOYMENT LIKE PHYSICAL SERVERS
    INTELLIGENT TRAFFIC STEERING WITH VPATH
    VSG PERFORMANCE ACCELERATION WITH VPATH
    VPATH SUMMARY
    VSG POLICY MODEL
    VSG POLICY MODEL
    ATTRIBUTES
    ATTRIBUTES (CONTINUED)
    VIRTUAL NETWORK MANAGEMENT CENTER (VNMC)
    NON DISRUPTIVE ADMINISTRATION
    VNMC: MULTI-TENANT ORG STRUCTURE
    VNMC: MULTI-TENANT MANAGEMENT
    VNMC: ADMINISTRATIVE ROLES
    DEPLOYMENT IN A MULTITENANT ENVIRONMENT
    DEPLOYMENT IN A MULTITENANT ENVIRONMENT
    DEPLOYMENT OF VSGS ON A DEDICATED HOST.
    DEPLOYMENT OF VSGS ON A DEDICATED HOST.
    VSG/VNMC DEPLOYMENT STEPS
    VSG SOLUTION HIGH AVAILABILITY
    VSG USE CASES
    EXAMPLE: 3-TIER SERVER ZONES
    VSG POLICY PROVISIONING LOGICAL FLOW
    SECURITY POLICY FLOW - DEFINE ZONES
    SECURITY POLICY FLOW - DEFINE ZONES
    SECURITY POLICY FLOW - DEFINE POLICY
    SECURITY POLICY FLOW - RULES WITHIN POLICY
    SECURITY POLICY FLOW - CONDITIONS WITHIN RULES
    SECURITY POLICY FLOW - ASSIGN POLICIES TO POLICY SET
    SECURITY PROFILE
    ASSIGN VSG TO THE SECURITY PROFILE
    PORT PROFILE TO SECURITY PROFILE BINDING
    VCENTER: VM ATTACH TO A PORTGROUP (PORTPROFILE)

  • 7/28/2019 Volume3 UCS V

    58/107

    Virtual Security Gateway Overview 2-2

    VSGLICENSING MODEL.............................................................................................................................. 2-49SUMMARY................................................................................................................................................ 2-51

    OVERVIEW OF CISCO VIRTUAL SECURITY GATEWAY
    WHAT PROBLEM IS BEING SOLVED WITH VIRTUAL SECURITY GATEWAY
    MANAGING VIRTUAL FIREWALLS WITH THE VSG AND VNMC
    VSG DEPLOYMENT REQUIREMENTS
    MULTI-TENANT DEPLOYMENT
    APPLICATION TIERED DEPLOYMENT
    THE BIG PICTURE
    VSG ARCHITECTURE COMMUNICATIONS
    LOGICAL DEPLOYMENT LIKE PHYSICAL SERVERS
    INTELLIGENT TRAFFIC STEERING WITH VPATH
    VSG PERFORMANCE ACCELERATION WITH VPATH
    VPATH SUMMARY
    VSG POLICY MODEL
    ATTRIBUTES
    ATTRIBUTES (CONTINUED)
    VIRTUAL NETWORK MANAGEMENT CENTER (VNMC)
    NON DISRUPTIVE ADMINISTRATION
    VNMC: MULTI-TENANT ORG STRUCTURE
    VNMC: MULTI-TENANT MANAGEMENT
    VNMC: ADMINISTRATIVE ROLES
    DEPLOYMENT IN A MULTITENANT ENVIRONMENT
    DEPLOYMENT OF VSGS ON A DEDICATED HOST
    VSG/VNMC DEPLOYMENT STEPS
    VSG SOLUTION HIGH AVAILABILITY
    VSG USE CASES
    EXAMPLE: 3-TIER SERVER ZONES
    VSG POLICY PROVISIONING LOGICAL FLOW
    SECURITY POLICY FLOW - DEFINE ZONES
    SECURITY POLICY FLOW - DEFINE POLICY
    SECURITY POLICY FLOW - RULES WITHIN POLICY
    SECURITY POLICY FLOW - CONDITIONS WITHIN RULES
    SECURITY POLICY FLOW - ASSIGN POLICIES TO POLICY SET
    SECURITY PROFILE
    ASSIGN VSG TO THE SECURITY PROFILE
    PORT PROFILE TO SECURITY PROFILE BINDING
    VCENTER: VM ATTACH TO A PORTGROUP (PORTPROFILE)
    VSG LICENSING MODEL
        Licensing Details
    SUMMARY


    Overview of Cisco Virtual Security Gateway

    Upon completion of this section you will:

    Virtual Security Gateway (VSG) Overview
    VSG Architecture
    VSG Packet Flow
    vPath Summary
    VSG Policy Model
    Virtual Network Management Center (VNMC)
    Deployment Scenario
    High Availability
    Use Case Example
    Licensing
    Summary

    This section discusses the challenges server, network and security administrators face in virtualized environments and how the Virtual Security Gateway (VSG) addresses a subset of those challenges.

    [Slide: VSG: What Problem is Being Solved. Diagram of VMs (App/OS) exchanging VM-to-VM traffic. Slide text: Control inter-VM traffic; Address new security challenges; Enable Dynamic Provisioning; Mobility Transparent Enforcement; VLAN-agnostic Operation; Policy based; Administrative Segregation; Server, Network, Security.]

    What problem is being solved with Virtual Security Gateway

    Using the Virtual Security Gateway (VSG) allows inter-VM access to be controlled, and newly instantiated VMs are secured immediately upon creation. Security policy travels with the VM, as network policy does with the Nexus 1000V.

    Security is separate from network segregation.

    The administration of virtual environments by IT groups is preserved, with tasks separated along the traditional IT groups of Server, Network and Security administrators.

    [Slide: Virtual Security Gateway, Virtual Firewall for Nexus 1000V. Components shown: Virtual Network Management Center (VNMC), Virtual Security Gateway (VSG).]

    Context aware Security: VM context aware rules
    Zone based Controls: Establish zones of trust
    Dynamic, Agile: Policies follow vMotion
    Best-in-class Architecture: Efficient, Fast, Scale-out SW
    Non-Disruptive Operations: Security team manages security
    Policy Based Administration: Central mgmt, scalable deployment, multi-tenancy
    Designed for Automation: XML API, security profiles

    Managing Virtual Firewalls with the VSG and VNMC

    VSG / VNMC provides a framework in which security administrators define security policy that network or server administrators can use as new, similar virtual machines are created. Security policies defined in VNMC are used in security profiles, which network administrators bind to port profiles.

    Port profiles separate network and server administration. When a new virtual machine is provisioned, the server administrator selects the appropriate port profile (port group) for use by the VM.

    Firewall services can be based on concepts of zoning, vDCs or vApps as well as tenants.

    Security policies are mobile and provide for scaling in larger or growing virtual environments.

    The security team's activities are non-disruptive to other IT activities.

    A published XML API schema is supplied with VNMC for the automation of repetitive tasks.

    VSG Deployment Requirements

    VMWare vSphere 4.0+ and Virtual Center
    Nexus 1000V Series switch (1.4 or later)
    One (or more) active VSGs per tenant
    Virtual Network Management Center (VNMC)

    Note: Licensing is based on the same lines as Nexus 1000V (per CPU Socket)

    *VMWare with Enterprise + license

    [Slide: Multi-tenant Deployment. Deployment granularity depending on use case: Tenant, VDC, vApp. Multi-instance deployment provides scale-out. Diagram labels: Tenant A, Tenant B, VDC-1, VDC-2, vApp, vSphere, Nexus 1000V, vPath, Virtual Network Management Center.]

    Multi-tenant Deployment

    VNMC can be used to define Tenants, VDCs and vApps for the application of various firewall services. This granularity can meet most expected use cases. The tenant model follows, or is analogous to, the org model used by Cisco UCS for administration, and users of the VSM via the CLI will recognize the org definitions starting at the root org. Visibility is restricted to the scope of the tenant, unlike the current implementation of UCS.

    VSG uses a two-component model for deployment. The first is the Policy Decision Point (PDP) and the second is the Policy Enforcement Point (PEP). The PDP (VSG) resides as a VM and is deployed as a virtual services node (VSN-Generic) (Cisco-VSB, Virtual Services Blade), or the VSG can be deployed on the Nexus 1010.

    The Policy Enforcement Point (PEP) is deployed as part of the VEM used by the Nexus 1000V. A component of the VEM (vPath) provides additional services to be discussed in a subsequent topic.

    [Slide: Application Tiered Deployment, 3-tier Server Zones. Tenant A; Policy Content Hosting. Diagram: Web Client; Web-zone (Web Servers); Application zone (App Servers); Database zone (DB servers). Rules shown on the slide:]

    Permit Only Port 80 (HTTP) of Web Servers
    Permit Only Port 22 (SSH) to application servers
    Only Permit Web servers access to Application servers
    Only Permit Application servers access to Database servers
    Block all external access to database servers

    Application Tiered Deployment

    In this example we have a deployment needing North/South security as well as East/West security. Inbound and outbound traffic can be controlled by constructing rules that limit access to inbound and outbound ports. East/West traffic can be controlled by constructing zones, together with rules that limit the contact these zones have with one another.

    Rules are constructed to allow or deny access. Numerous rules can be aggregated into policies, and policies further into policy sets.
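
    The zone rules from the 3-tier slide, modelled as an added Python example (not VSG or VNMC configuration syntax, and not part of the Cisco material): rules are grouped into policies and a policy set and evaluated first-match. The VM names, IP addresses, zone prefixes, the any-port application-to-database rule and the final default drop are assumptions of the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory: VM name -> IP, standing in for the VM-to-IP binding.
VM_TO_IP = {"web-01": "10.0.1.10", "app-01": "10.0.2.10", "db-01": "10.0.3.10"}

# Zones are defined on a VM attribute (here the VM name prefix), not on a VLAN
# or subnet. The zone names and prefixes are assumptions of this example.
ZONE_BY_PREFIX = {"web-": "web-zone", "app-": "app-zone", "db-": "db-zone"}
EXTERNAL = "external"  # any address that is not a known VM


def zone_of(ip: str) -> str:
    """Map an IP address to its zone through the VM it belongs to."""
    for vm_name, vm_ip in VM_TO_IP.items():
        if vm_ip == ip:
            for prefix, zone in ZONE_BY_PREFIX.items():
                if vm_name.startswith(prefix):
                    return zone
    return EXTERNAL


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: Optional[str]  # None matches any source zone
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "permit" or "drop"

    def matches(self, src_zone: str, dst_zone: str, dst_port: int) -> bool:
        return (self.src_zone in (None, src_zone)
                and self.dst_zone == dst_zone
                and self.dst_port in (None, dst_port))


# Rules are grouped into policies, and policies into one ordered policy set.
WEB_POLICY = [Rule("web-http-only", None, "web-zone", 80, "permit")]
APP_POLICY = [Rule("web-to-app-ssh", "web-zone", "app-zone", 22, "permit")]
DB_POLICY = [
    Rule("block-external-db", EXTERNAL, "db-zone", None, "drop"),
    # The slide names no port for application-to-database traffic, so this
    # example permits any port (an assumption).
    Rule("app-to-db", "app-zone", "db-zone", None, "permit"),
]
POLICY_SET: List[List[Rule]] = [WEB_POLICY, APP_POLICY, DB_POLICY]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Return (action, rule name) for the first matching rule in the set."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for policy in POLICY_SET:
        for rule in policy:
            if rule.matches(src_zone, dst_zone, dst_port):
                return rule.action, rule.name
    # Assumption of this model: traffic that no rule matches is dropped.
    return "drop", "default-drop"


if __name__ == "__main__":
    client = "198.51.100.7"  # constructed external client address
    for flow in [(client, "10.0.1.10", 80), (client, "10.0.1.10", 22),
                 ("10.0.1.10", "10.0.2.10", 22), ("10.0.1.10", "10.0.3.10", 3306),
                 ("10.0.2.10", "10.0.3.10", 3306), (client, "10.0.3.10", 3306)]:
        print(flow, "->", evaluate(*flow))
```

    Because zone membership is derived from the VM name rather than from an address range, a newly added VM whose name starts with `web-` is covered by the web-zone rules as soon as its VM-to-IP binding is known.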

    VSG System Architecture

    [Slide: VSG System Architecture. Diagram labels: VMWare vCenter, VSM, Virtual Network Management Center (VNMC), VSN, VSG, ESX Servers, Nexus 1000V, vPath. Labelled flows: Security Profiles, Port Profiles, Interactions, VM Attributes, VM-to-IP Binding, Packets.]

    The Big Picture

    The VSG/VNMC software architecture consists of the VSG (which can run redundantly, i.e. with a secondary), the virtual supervisor module VSM (which can run redundantly or standalone), VMware Virtual Center, and one or more instances of a virtual Ethernet module (one per ESX server).

    [Slide: VSG System Architecture - Communication. Diagram labels: VMWare vCenter, VSM, Virtual Network Management Center (VNMC), VSN, VSG, ESX Servers, Nexus 1000V, vPath. Link labels: SOAP/HTTPS, API, XML/HTTPS, Encrypted Channel. Labelled flows: Security Profiles, Port Profiles, Interactions, VM Attributes, Packets.]

    VSG Architecture Communications

    VMWare vCenter communicates using a certificate-based exchange over HTTPS. As the slide above shows, HTTPS is used for VSM and VSG communications with the VNMC. VNMC gets visibility into vCenter VM attributes for use in the security policy.

    VSG and VNMC communicate over secure Layer 3 (SSL) with a pre-shared key
    VNMC publishes device and security policies to tenant VSGs
    VNMC and VSM communicate over secure Layer 3 (SSL) with a pre-shared key
    VSM provides VM-to-IP mapping to VNMC
    VEMs communicate with the VSG over a Layer 2 service VLAN
    vPath redirects the data traffic over the service VLAN
    The policy result is sent to vPath (VEM) by the VSG and cached for the flow duration

    Note: SOAP, originally defined as Simple Object Access Protocol, is a protocol specification for exchanging structured information in the implementation of Web Services in computer networks. It relies on Extensible Markup Language (XML) for its message format, and usually relies on other Application Layer protocols, most notably Remote Procedure Call (RPC) and Hypertext Transfer Protocol (HTTP).


    Encrypted communication between the VSM and the VEMs (Nexus 1000V) is over the control VLAN, and communication between the VSG and the vPath component of the VEMs is over a service VLAN.

    These VLANs will need to be defined on a UCS system in addition to the management and packet VLANs.

    [Slide: Virtual Security Gateway, Logical deployment like physical appliances. Diagram labels: Nexus 1000V Distributed Virtual Switch, VMs, vPath, VNMC, Log/Audit, VSG. Callouts: Secure Segmentation (VLAN agnostic); Efficient Deployment (secure multiple hosts); Transparent Insertion (topology agnostic); High Availability; Dynamic policy-based provisioning; Mobility aware (policies follow vMotion).]

    Logical deployment like physical servers

    Each VSG is deployed as a VSB (virtual services blade) and resides outside of the areas needing licensing for deployment. This reduces the licensing requirement to those nodes that need service security. Licensing requirements based on CPU socket would see their need for licensing reduced on nodes that are used as dedicated service nodes.

    Logging can be offloaded to syslog servers for event recording of allow/deny events as they occur.

    VEMS( using vPath tech