Cisco Nexus 1000V for Microsoft Hyper-V: Expanding the ...d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKVIR-2017.pdf · Cisco Nexus 1000V for Microsoft Hyper-V: Expanding the Virtual

Cisco Nexus 1000V for Microsoft Hyper-V: Expanding the Virtual Edge BRKVIR-2017

Appaji Malla

Sr. Product Manager

Cisco Cloud Networking Services Division

© 2014 Cisco and/or its affiliates. All rights reserved. BRKVIR-2017 Cisco Public

VSM VSM

Agenda

Cisco’s Virtual Networking Vision

Cisco Nexus 1000V Portfolio Overview

Cisco Nexus 1000V for Hyper-V

Cisco Nexus 1000V for KVM

Resources

Cisco Nexus 1000V

Cloud Network Services

vPath

VSG ASA1000V vWAAS NAM CSR NetScaler

1000V

3


Legal Disclaimer

Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis.

This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.

4


VSM VSM

Agenda





Resources

Cisco Nexus 1000V


vPath


1000V

5


Physical Virtual Cloud Journey Consistency reduces operational risk and complexity

PHYSICAL

WORKLOAD

VIRTUAL

WORKLOAD

CLOUD

WORKLOAD

• One app per Server

• Static

• Manual provisioning

• Many apps per Server

• Mobile

• Dynamic provisioning

• Multi-tenant per Server

• Elastic

• Automated Scaling

HYPERVISOR VDC-1 VDC-2

CONSISTENCY: Policy, Features, Security, Management, Separation of Duties

Nexus 1000V, VM-FEX

vWAAS, VSG, ASA 1000V, vNAM*

Nexus 7K/5K/3K/2K

WAAS, ASA, NAM

Cloud Services Router (CSR 1000V) ASR, ISR

Switching

Routing

Services ** 1H CY 2013 6


Cisco Virtual Networking Vision Any workload, any hypervisor, any cloud

Multi-Hypervisor

Multi-Services

Multi-Cloud

Nexus 1000V

7


Cloud technology stacks Multi-Hypervisor and Multi-Orchestration Strategy

Physical Network

vSphere Hyper-V Open Source

(Xen, KVM)

Nexus 2K-7K + ASR 9K (Edge)

UCS Computing Platform

Hypervisor vSphere, Hyper-V,

KVM

vCloud

Director/

DynamicOps

System

Center

Open

Source

Cloud Portal

and Orchestration

Storage Platform

CIAC/UCSD

OpenStack/

Partners

Virtual Network

Infrastructure

Nexus 1000V

Cloud Networking Services

vPath VXLAN

8


Tenant A

Cisco Cloud Networking Services Hypervisor agnostic multi-services platform

Nexus 1000V

Nexus 1000V

• Distributed switch

• NX-OS consistency

8000+ Customers

VSG

• VM-level controls

• Zone-based FW

Shipping

ASA 1000V

• Edge firewall, VPN

• Protocol Inspection

Shipping

vWAAS

• WAN optimization

• App, traffic

Shipping

CSR 1000V (Cloud Router)

• WAN L3 gateway

• Routing and VPN

Shipping

ASA

1000V

Cloud

Firewall

Cisco

Virtual

Security

Gateway

(VSG)

vWAAS

Citrix

NetScaler

VPX

Imperva

SecureSphere

WAF Cloud

Services

Router

1000V

Zone A

Zone B

vPath VXLAN

Multi-Hypervisor (VMware, Microsoft*, RedHat*, Citrix*)

Ecosystem Services

• Citrix NetScaler VPX virtual ADC

• Imperva Web App. Firewall

Shipping

Physical Infrastructure (Compute, Network, Storage)

9


Cisco Nexus1000V InterCloud Securely Extend Enterprise Environment into Provider Cloud

Nexus 1000V InterCloud

Enterprise-Grade Crypto and Firewalling within & across clouds Secure

Simple Transparent Application Migration; Centralized Management

Flexible Choice of Provider Clouds and Hypervisors

Private

Hosted

Utility

Public

Community Managed

Nexus Switching

IOS Routing

Network Services

10


VSM VSM

Agenda



– Recent Nexus 1000V Promotions

– Nexus 1000V Architectural Overview

– Cisco Virtual Services Architecture



Resources

Cisco Nexus 1000V


vPath


1000V

11


Cisco Nexus 1000V is available in two editions Essential & Advanced Editions

12

Essential ($0) Advanced ($695/cpu)

VLANs, ACL, QoS

vPath

VXLAN

LACP

Multicast

Netflow, ERSPAN

Management

vTracker

vCenter Plugin

Virtual Security Gateway

Cisco TrustSec SXP Support

DHCP Snooping

IP Source Guard

Dynamic ARP Inspection


Easy to get started on Cisco Nexus 1000V

Download Software

from cisco.com

Install Nexus 1000V

Using new Installer App

Create Port Profiles

& Start Using N1KV

Essential Edition – No licensing or procurement needed

Download Software

from cisco.com

Install Nexus 1000V

Using new Installer App

Change Switch mode to Advanced*

& Start Using N1KV

Advanced Edition – Get a 60-day free trial when you use essential

13


Cisco Nexus 1000V Promo Overview

Base Package (40% price

reduction included)

• Nexus 1110-X Hosting Appliance

• 64 Universal Advanced Licenses

• Nexus 1000V License for ANY hypervisor. Migration allowed.

• VSG licenses included

Optional Package

(40% price reduction included)

• Additional 64 Universal Licenses

• Nexus 1000V License for ANY hypervisor. Migration allowed.

• VSG licenses included

Nexus 5K & 6K customers can get N1KV at 40% price-reduction

14


Cisco Nexus 1000V Promo Overview 2 PIDs: N5K-FEX-N1K-PROMO & N6K-FEX-N1K-PROMO

N6K-FEX-N1K-PROMO

N6001P-6FEX-1G

N6001P-4FEX-10G

N6001P-6FEX-10G

N6001P-4FEX-10GT

N6001P-6FEX-10GT

N6004EF-12FEX-1G

N6004EF-8FEX-10G

N6004EF-8FEX-10GT

Base Package:

N1110-X+64 licenses Optional Package:

Add. 64-licenses N6001P-8FEX-1G

N5K-FEX-N1K-PROMO

Optional Package:

Add. 64-licenses

N5548UP-4N2248TF Base Package:

N1110-X+64 licenses

N5548UPL3-2N2248TF

N6001P-4FEX-1G N6001P-2FEX-10G

N6004EF-4FEX-1G

N6004EF-6FEX-1G

N6004EF-8FEX-1G

N6004EF-4FEX-10G

N6004EF-6FEX-10G

N6004EF-4FEX-10GT

N6004EF-6FEX-10GT

N5548UPM-4FEX

N5596UPM-6FEX

N5596UP-6N2248TF

N5596UPMM-12N2248T

N5548UPM-6N2248TP

N5596UPM-8N2248TP

N5548UPM-6N2248TR

N5596UP-4N2232PF

N5596UP-4FEX

N5596UPMM-8FEX

N5596UPM-8N2248TF

N5548UP-4N2248TP

N5596UP-6N2248TP

N5548UP-4N2248TR

N5596UP-6N2248TR

15


Other promotional bundles with Nexus 1000V Up to 30% discount when you buy N1KV with UCS or ASA 1000V

N1KV/UCS Promo Description List Price

N1K-VSG-UCS-BUN Nexus 1000V Advanced Edition with the purchase of UCS B/C series

configurable SKUs (not available with fixed SmartPlay Bundles) $495/cpu

N1KV/ASA1000V Description List Price

L-N1K-ASA1K-01-PR 1 Promo N1KV Advanced licenses & ASA1000V $2,495/cpu

L-N1K-ASA1K-04-PR 4 Promo N1KV Advanced licenses & ASA1000V incremental licenses $9,945/cpu

L-N1K-ASA1K-16-PR 16 Promo N1KV Advanced licenses & , ASA1000V incremental licenses $39,445/cpu

L-N1K-ASA1K-32-PR 32 Promo N1KV Advanced licenses & ASA1000V incremental licenses $78,645/cpu

16


VSM VSM

Agenda








Resources

Cisco Nexus 1000V


vPath


1000V

17


Server Virtualization Issues Policy Mobility, Lack of VM Traffic Visibility, Operational Complexity

1. VM Migration moves VMs across physical ports—the network policy must follow this VM Motion (across racks, PODS, DCs)

2. Must view or apply network/security policy to locally switched traffic

3. Need to maintain segregation of duties while ensuring non-disruptive operations

Port Group

Server Admin

Network Admin

Security

Admin

18


Overlay Technology

Support

Operational Complexity

Managing

networks across

physical & virtual

environments

Choice of Hypervisors

Different types of

workloads require

different

hypervisors

Cloud Use-cases

Security concerns,

and hybrid cloud

use-cases

Resource Utilization

VM Mobility within

the DC, across DCs

and across clouds.

Customer Issues in virtualized environments

Complex Workloads

Requirement for

a secure virtual

environment with

rich network

services

Diverse Virtualization Requirements for DataCenter Customers

Multi-services support

Multi-hypervisor Support

Consistent Operational

Model

Multi-cloud support

19


Fast Changing DC environments Require platform-agnostic design & future-proof architectures

• Any Service, Any hypervisor, any cloud • Built on highly reliable NX-OS platform • Validated designs for new use-cases

Cisco Nexus 1000V

Reduced Risk Reduced Time to deploy Investment Protection

Fast Changing Technology Cycles

• Emerging choices for hypervisors & cloudstacks

• Pressure to reduce risk, TTM & protect investment

• New virtualization use-cases

Future-proof Architectures

• Consistency across hypervisors & cloudstacks

• Evolutionary approach to operational processes

• Proven, tested foundation

20


Hypervisor Hypervisor Hypervisor

VEM-N VEM-1 VEM-2

Modular Switch

… Linecard-N

Supervisor-1

Supervisor-2

Linecard-1

Linecard-2

Ba

ck P

lan

e

Cisco Nexus 1000V Overview Architecture consistent with other modular switches

VSM: Virtual Supervisor Module

VEM: Virtual Ethernet Module

VSM1

VSM2

Virtual Appliance Network

Admin

Server

Admin 21


Virtual Appliance Physical Appliance: Nexus 1100

VSM

VEM-1 VEM-2 vPath vPath

Hypervisor Hypervisor

vPath • Service Binding

(Traffic Steering)

• Fast-Path Offload

• VXLAN-Aware

Cisco Nexus 1000V Overview Integrated Switching & Services

VXLAN VXLAN VXLAN* • 16mil. L2 segments

• Mobility across DC

• Friendly to services

Scale-out architecture for cloud

Built for multi-tenancy

Hosting platform for N1KV VMs

Simplifies network operations

vWAAS VSG ASA1000V NS1000V

NAM VSG

Primary VSM NS1000V

NAM VSG

Secondary VSM NS1000V

22


Cisco Nexus 1000V Overview

Dedicated NX-OS appliance for hosting virtual services

– Two form factors: 1110-S, 1110-X

– Up to 10 virtual services can be hosted on the 1110-X platform

Simplifies lifecycle management of virtual services

– Network/security team can deploy, upgrade, manage

Virtual services currently supported

– Nexus 1000V virtual supervisor modules (VSMs), Network Analysis Module (NAM)

– Virtual Security Gateway (VSG), Data Center Network Manager (DCNM)

– Citrix NetScaler 1000V*, Imperva WAF**

Cloud Services Platform aka Cisco Nexus 1100

23


Uniform Management Interface across hypervisors

NTP

TACACS+

RADIUS

Netflow

SPAN & ERSPAN

NX-OS CLI

SNMP Support

NetConf/XML

CDP

Syslog

vm-network-definition (id, vlan, ip-pool) – for network segments

logical-network-definition (name, id, connected-ports) – fabric n/w

virtual-port-profile (type, id, maxports, switch-id) – for vEth

uplink-port-profile (state, type, id, maxports, switch-id) – for PNIC

ip-address-pool (name, dhcp-server, range etc.) – for ip-pools

Cisco Nexus 1000V

REST-APIs for manageability

24


Strong Management Ecosystem

Cisco Prime Infra. Cisco Prime DCNM Cisco PNSC Cisco UCSD & CIAC

• NX-OS CLI, SNMP, NetConf/XML, REST*

• CDP, NTP, Telnet/SSH

• Syslog, ACL- Logging, TACACS+, RADIUS

• Netflow, SPAN, ERSPAN, REST-ful APIs

Consistent management

interfaces across physical & virtual

Your existing Mgmt tools

work well with Nexus 1000V

*Available in H2CY13

Cisco NMS Support

Systems Management Vendors

Other ISVs

Virtualization Vendors

25


Proven Architecture for virtualization use-cases

Nexus 1000V

Portfolio

Vblock (Converged

Virtualization Infrastructure)

Virtual Desktop Infrastructure (User Identity & Security)

DC to DC VM Migration (Disaster Recovery)

Private & Public Cloud Deployments

(Multi-tenancy & Scalability)

PCI

(Security & Compliance)

Hosted Collaboration (Quality of Service &

Availabiity)

26

http://www.vce.com/pdf/solutions/vce-vblock-infrastructure-reference-architecture.pdf

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VXI/configuration/VXI_Config_Guide.pdf


http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DCI/4.0/EMC/dciEmc.html




http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VMDC/2.1/design_guide/archOver.html



http://www.cisco.com/en/US/docs/solutions/Verticals/PCI_Retail/PCI_Retail_DIG.html

http://sdu.cisco.com/publications/viewdoc.php?docid=6279

http://sdu.cisco.com/publications/viewdoc.php?docid=6279


For Server Admins

For Network Admins

Cisco Nexus 1000V Overview Simplified Operations for network & server admins

Consistent feature-set across physical & virtual

• Consistent feature-set, operational model & consistent mgmt tools

• Reduces operational complexity

Visibility into VM-to-VM Traffic

• SPAN, ERSPAN, Netflow, VM-level Traffic Statistics

• Simplifies troubleshooting and allows better network design

Cisco Validated Design Guides

• Well-tested, well-documented designs for new use-cases

• Reduces risk, and time-to-deploy new technologies

Future-proofs application architecture

• Consistent feature-set across any hypervisor, and any cloud

• Flexibility to choose any hypervisor platform

Simplifies operational processes

• Integration with VM-mgmt tools, Simplified installation process, visibility into VM network

• Reduced operational burden on server admins

Improves app security, mobility & availability

• Additional NX-OS security features, strong services port-folio, VXLAN & DCI etc.

• Fewer security, availability & utilization issues

27


VSM VSM

Agenda








Resources

Cisco Nexus 1000V


vPath


1000V

28


New Services Requirements in Data Center

Traditional Data Center Virtual/Cloud Data Center

FW WAN Opt

• Application-specific services

• Form factors:

Appliance

Switch module

• Virtual appliance form factor

• Dynamic instantiation/provisioning

• Service transparent to VM mobility

• Support scale-out

• Large scale multitenant operation

Virtual Service Node (VSN)

ADC/ SLB

APP

OS

Hypervisor

VDC-1

VDC-2

29


Hypervisor

Traditional Service Nodes

Virtual Contexts

VLANs

Redirect VM traffic via VLANs to external (physical) firewall

App Server

Database Server

Web Server

App Server

Database Server

Web Server

VSN

VSN

Apply hypervisor-based virtual network services

Hypervisor

Virtual Service Nodes

Services deployment in Virtualized DC

30


Nexus 1000V

Distributed Virtual Switch

VM VM VM

VM VM

VM

VM VM VM

VM

VM

VM VM VM

VM VM VM VM

VM

vPath

Log/Audit Initial Packet

Flow

Virtual Service

Node (VSN)

1 Flow Access Control

(policy evaluation)

2

Decision

Caching 3

4

Intelligent Traffic Steering with vPath

31


Nexus 1000V


VM VM VM

VM VM

VM

VM VM VM

VM

VM

VM VM VM

VM VM VM VM

VM

vPath

Remaining packets

from flow

ACL offloaded to

Nexus 1000V

(policy enforcement)

Log/Audit

Virtual Service

Node (VSN)

Performance Acceleration with vPath

32


Service chaining with vPath

Cisco Nexus 1000V


VM VM VM

VM VM

VM

VM VM VM

VM

VM

VM VM VM

VM VM VM VM

Cisco vPath

VSN1

VSN2

1 2

3

4 5

33


Nexus 1000V


VM VM VM

VM VM

VM

VM VM VM

VM

VM

VM VM VM

VM VM VM VM

VM

vPath

ACL offloaded to

Nexus 1000V

(policy enforcement)

Multi-tenancy with vPath

Tenant1 VSN

Tenant2 VSN

Tenant1 Client Tenant2 Client

Tenant1 VMs Tenant2 VMs

34


Extending

firewalling & other

network services

to VM to VM

traffic on VXLAN

Nexus 1000V

Distributed Virtual Switch vPath

vPath Extends services to VMs on VXLANs

VM VM VM VM

VSN1

VXLAN 101

VXLAN 5001

VSN2

35


Without vPath With vPath

• Complex deployment- per

host service nodes

• Capacity planning made

difficult

• No Fast path acceleration

• Manual service chaining

• Services tightly coupled with

network topology

• Distributed Service Insertion

• Better capacity planning (service

at tenant-level)

• Application based dynamic

service chains

• Non-disruptive operations

• Fast-Path acceleration

• Decouple Network and Services

vPath Benefits

36


VSM VSM

Agenda




– Nexus 1000V/Hyper-V architecture Overview

– Design Consistency across hypervisors

– SCVMM Networking Concepts

– Nexus 1000V Integration with SCVMM

– Deploying Nexus 1000V for Hyper-V

– Demo


Resources Cisco Nexus 1000V


vPath


1000V

37


Hyper-V: Comparison with ESX Terminology

VMware ESX Microsoft Hyper-V

Virtual Distributed Switch (VDS) Logical Switch

Port Group Virtual Port Profiles + VM networks

vmknic Host VNIC

Folder/Data Center Host Group

vMotion Live Migration

Distributed Resource Scheduling (DRS) Dynamic Optimization

Distributed Power Mgmt (DPM) Power Management

vCenter, vCloud Director SCVMM, SCO

Site Recovery Manager Hyper-V Replica

Virtual Machine Disk (VMDK) Virtual Hard Disk (VHDX)

38


Hyper-V Extensible Switch Architecture

Extensions process all network traffic including VM-to-VM traffic

Forwarding Extensions can capture and Filter Traffic as well

Nexus 1000V will work with other 3rd party Capture and Filtering Extensions as well

Live Migration and NIC Offloads continue to work even when the extensions are present

39


System Center Virtual Machine Manager

40

Manages Hyper-V Virtualization environment

Similar in function to VMware vCenter Server

– But includes some functionality similar to VMware vCloud Director

What SCVMM Manages

– Hyper-V hosts

– Virtual Machines

– Logical Switches

– Logical Networks and Network Sites

– VM Networks and Subnets

– IP Addressing

– Port Profiles and Classifications


SCVMM Management of Switch Extensions

Virtualization

Root Partition

3rd Party components

SCVMM

Service

SCVMM

Vendor network mgmt

console

Policy

database

Vendor

SCVMM

Plugin

VM VM VM

41


Cisco Nexus 1000V for Hyper-V Award Winning Networking Platform for Hyper-V

Nexus

1000V VSM

Extensible vSwitch

Nexus 1000V VEM

VM VM VM VM

VNICs

Advanced NX-OS feature-set

Innovative Services architecture (vPath)

Consistent operational model

SCVMM Integration PNICs

42


System Center Virtual Machine Manager

Cisco

Nexus

1000V

VEM

Cisco

Nexus

1000V

VEM

Cisco

Nexus

1000V

VEM

VM VM VM VM VM VM VM VM VM VM VM VM

Cisco Nexus 1000V VSM

Virtual Supervisor Module (VSM)

• Performs management, monitoring, and configuration

• Tight integration with management platforms

Virtual Ethernet Module (VEM)

• Enables advanced networking capability on the hypervisor

• Provides each virtual machine with dedicated “switch port”

• Collection of VEMs : 1 virtual switch

WS 2012 Hyper-V WS 2012 Hyper-V WS 2012 Hyper-V

Server Server Server

Cisco Nexus 1000V for Hyper-V A simple Deployment Scenario

43


Switching L2 Switching, 802.1Q Tagging, VLAN, Rate Limiting (TX)

IGMP Snooping, QoS Marking (COS & DSCP)

Security Policy Mobility, Private VLANs w/ local PVLAN Enforcement

Access Control Lists, Port Security, Cisco TrustSec Support*

Dynamic ARP inspection*, IP Source Guard*, DHCP Snooping*

Provisioning Port Profiles, Integration with virtualization & cloud mgmt. tools

Optimized NIC Teaming with Virtual Port Channel – Host Mode

Visibility VM Migration Tracking, NetFlow v.9 w/ NDE, CDP v.2

VM-Level Interface Statistics, SPAN & ERSPAN (policy-based)

Network Services Virtual Services Datapath (vPath) support for traffic steering & fast-path off-load

[leveraged by Virtual Security Gateway (VSG)* and other services]

Cisco Nexus 1000V for Hyper-V Features

Management Integrated Provisioning with SCVMM, Cisco LMS, Cisco DCNM, Cisco VNMC

Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3)

Hitless upgrade, SW Installer

* Available only with Advanced Edition 44


VSM VSM

Agenda









– Demo




vPath


1000V

45


VM VM VM VM

Nexus

1000V

VEM

VM VM VM VM

Nexus

1000V

VEM Nexus 1000V

VSM

WS 2012 Hyper-V Nexus 1000V

VSM

VMware vSphere

VMware vCenter

SCVMM

Cisco Nexus 1000V for Hyper-V Consistent Architecture across hypervisors

46


vPath and Cloud Network Services Consistent Services Infrastructure across Hypervisors

VMware

vCenter

Cisco

PNSC

Cisco

Nexus

1000V

Virtual Machine

Attributes

Po

rt

Pro

file

s

VSNs vPath

MSFT

SCVM

M

Cisco

PNSC

Cisco

Nexus

1000V

Virtual Machine

Attributes

Po

rt

Pro

file

s

VSNs vPath

47


Nexus 1110

VMware ESX VMware ESX

VSM VSG*

WS 2012 Hyper-V WS 2012 Hyper-V

VSM NAM VSG

Existing Nexus 1010 virtual blades support EITHER hypervisor environment

VEM-2 vPath VXLAN

VEM-1 vPath VXLAN

VEM-2 vPath VXLAN?

VEM-1 vPath VXLAN?

Cloud Services Appliance – Nexus 1110 Consistent Hosting Platform across Hypervisors

48


VSM VSM

Agenda









– Demo




vPath


1000V

49


Microsoft SCVMM Networking Concepts

Logical Networks

Network Sites

VM Networks

Port Classifications

Logical Switch

Multiple user-defined constructs

50


Host5

VM VM VM

Host6

VM VM VM

Host3

VM VM VM

Host4

VM VM VM

Host1

VM VM VM

Host2

VM VM VM

Logical Network

Microsoft SCVMM Networking Concepts Logical Networks & Network Sites

51

Network Site2

San Jose Seattle

Network Site3 Network Site1

Logical Network = { Network Sites }; Network Sites = {(Hosts, VLAN/IP-Subnets) }


Microsoft SCVMM Networking Concepts Logical Networks & Network Sites

52


Microsoft SCVMM Networking Concepts VMs are bound to VM Networks

53


Microsoft SCVMM Networking Concepts Port-Classifications

Extensible vSwitch

VM VM VM VM

VNICs

Bundling of profiles

from each extension

is port-classification

PNICs

Port-Classification = {Forwarding Profile, Filtering Profile, Capture Profile} per VNIC

54



Switch Template created on SCVMM - allows consistent configuration on all HyperV Hosts where Logical Switch is instantiated

Logical Switch = {Switch extensions, Uplink Profiles, Port-classifications}

Logical Switch

55

Extensible vSwitch

VM VM VM VM

VNICs

PNICs

Choose the port-classifications allowed by this logical switch

Choose the extensions supported by this logical switch

Choose the uplink profiles (VLANs and network policies to be applied to this logical switch



Choose network

– VM Network

– VM Subnet is tied to the Network (1:1)

Choose IP address type

– Can be dynamic (DHCP) or statically assigned

– Choose IP pool for static IPs

Choose Port Profile Classification

– Policy (QoS, Security, Monitoring)

– A Classification refers to a Port Profile

Associating VM VNICs to VM Networks & Port-classifications

Network Profile

Policy Profile

56


Logical Network ‘DMZ’

Microsoft SCVMM Networking Concepts Putting everything together

57

Network-site ‘DMZ_POD1’

DMZ_Pod1_Subnet1

DMZ_Pod1_Subnet2

DMZ_Pod1_Subnet3

Network-site ‘DMZ_POD2’

DMZ_Podz2_Subnet4

DMZ_Pod2_Subnet5

DMZ_Pod2_Subnet6

Clients VM VM VM

IP-Pool1

IP-Pool2

IP-Pool3

IP-Pool4

IP-Pool5

IP-Pool6

Guests VM VM

Servers

VM VM


VSM VSM

Agenda









– Demo




vPath


1000V

58


Cisco Nexus 1000V Terminology

SCVMM Terminology Cisco Nexus 1000V Terminology

Logical Networks Logical Networks

Network Sites Network Segment Pools

VM Networks Network Segments

IP-Pools IP-Pools & IP-Pool Templates

Port-Classifications Port-profiles

59


nsm logical network DMZ

# nsm network segment pool DMZ_POD1

# member-of logical network DMZ

# nsm network segment DMZ_POD1_SUBNET1

member-of network segment pool DMZ_POD1

switchport mode access

switchport access vlan 20

ip pool import template DMZ_POD1_Pool1











Cisco Nexus 1000V for Hyper-V Defining “Network sites” and “VM Networks”

Network Site “DMZ_POD1”

VM Network DMZ_POD1_SUBNET1



Logical network “DMZ”

60


Current N1KV/ESX Version N1KV/Hyper-V Version

Network Segments and Port Profiles Splitting the port-profile into “Network Connectivity” and “Policy”

# port-profile db-client

ip port access-group dbclient in

no shut

state enabled

# port-profile db-server

ip port access-group dbserver in

no shut

state enabled

#nsm network segment db-network



Data Base Clients Data Base Servers

Data Base Network (VLAN 10)

VM VM VM VM

# port-profile db-client



ip port access-group dbclient in

no shut

state enabled

# port-profile db-server



ip port access-group dbserver in

no shut

state enabled 61


Cisco Nexus 1000V for Hyper-V Operational Model with SCVMM

Networks & policies

synced to SCVMM

Adds hosts to N1KV

Connects VMs (VNICs) to

VM Networks

Nexus

1000V

VEM

Server

Nexus 1000V

VSM

WS 2012 Hyper-V

SCVMM

Network

Admin

Create networks and

policies (logical

networks, network

sites, VMnetworks)

SCVMM manages the placement and

live-migration of the VMs based on the

constraints between VM networks and

the network sites.

VM VM VM VM

Server

Admin

1

2

3

4

5

62


Cisco Nexus 1000V PowerShell Cmdlets Available from http://developer.cisco.com/web/n1k/hyperv

Open a connection to VSM from PowerShell using the credentials

Identify the required

PowerShell CmdLets

Run the Cmdlet directly from

the PowerShell Prompt

Parse the response for the required information

PowerShell CmdLet: <Action>-N1k<Object>

Action Verbs

Create an object* New

Read an object Get

Update an object Set

Delete an object Remove

*Objects can be Logical Networks, VM networks, Port-profiles, IP-Pools, Port-profiles etc.

Write/Update Operations are only supported on limited set of objects

Examples

Create a Logical Network* New-N1kLogicalNetwork()

Read port-profile info Get-N1kPortProfile()

Update an IP-Pool Set-N1kPoolTemplate()

Remove network segment Remove-N1kNetworkSegment()

63

http://developer.cisco.com/web/n1k/hyperv


Cisco Nexus 1000V for Hyper-V Accessing N1KV with PowerShell CmdLets

Set-N1kIpPoolTemplate

Set-N1kLogicalNetwork

Set-N1kNetworkSegment

Set-N1kNetworkSegmentPool

Get-N1kPortProfile

Get-N1kUplinkPortProfile

Get-N1kUplinkPorts

Get-N1kVirtualPortProfile

Get-N1kVirtualPorts

Get-N1kVsemSystemInfo

New-N1kIpPoolTemplate

New-N1kLogicalNetwork

New-N1kNetworkSegment

New-N1kNetworkSegmentPool

New-N1kVMNetwork

Remove-N1kIpPoolTemplate

Remove-N1kLogicalNetwork

Remove-N1kNetworkSegment

Remove-N1kNetworkSegmentPool

Remove-N1kVMNetwork

64


Security Profiles Device Profiles VM attributes

Port Profiles Interactions

VM/Network Attributes

Packets (Slow-Path)

VM-to-IP Binding

Packets (Fast-Path)

Cisco Virtual Security Gateway System Architecture

Hyper-V Servers

Nexus 1000V VEM vPath

Microsoft

SCVMM

VSM VSM VSN

VSG

Packets (Fast-Path)

Cisco Prime Network Services

Controller (PNSC)

65


Cisco Virtual Security Gateway Defining Security Policies

Security Profile

Policy Set

Policy 2

Rule 1

Rule 2

Rule N

Policy N

Rule 1

Rule 2

Rule N

Policy 1

Rule 2

Rule N

Rule 1

Rule is analogous to an Access Control Entry; Policy is analogous to an ACL

66



Xian SCOM Plugin for Nexus 1000V

Monitors

– Availability (ICMP and SNMP)

– TCP Connections

– Uptime

– Traffic, total, error etc.

– Bandwidth

SCOM Management Plugin from Jalasoft

67


VSM VSM

Agenda









– Demo




vPath


1000V

68


Cisco Nexus 1000V Installation

Prerequisites

• WS2012 or later

• SCVMM 2012 SP1 UR2 v. 3.1.6020.0 or later

• Windows Active Directory Service

• Enable Hyper-V Cmdlets in PowerShell on Hyper-V hosts (with VEM)

System Requirements

• Hardware Requirements: none other than those imposed by Hyper-V role

• VSM VM Requirements: 4GB hard disk, 4GB RAM, 4 NICs

VSM Configuration

• Need VSM IP-address

• VSM Domain ID (1 to 1023)

• Layer 3 connectivity between VSM and the VEMs

• TCP Port 80 open between SCVMM and VSM

Prerequisites & System Requirements

69

http://technet.microsoft.com/en-us/library/hh846767.aspx








Virtual Supervisor Module ISO (n1000vh-dk9.5.2.1.SM1.5.1.iso)

Virtual Ethernet Module MSI package (Nexus1000V-VEM-5.2.1.SM1.5.1.msi)

Cisco VSEM Provider MSI package (Nexus1000V-VSEMProvider-5.2.1.SM1.5.1.msi)

Cisco SCVMM VM Template (Cisco Nexus1000V VSM Template)

Installation Package Contents

70


Cisco Nexus 1000V Installation Simple 4-step deployment process

Download Nexus 1000V image

• Go to http://www.cisco.com/go/1000v/hyper-v

• Click on the Download link

Install N1KV Components into

SCVMM

• Install Cisco Nexus 1000V VSEM Provider MSI

• Install Cisco VSM Template File

• Copy VEM to SCVMM Switch Extension Location

• Copy VSM ISO to SCVMM Library

Install and Configure VSM

• Create Microsoft switch for VSM Connectivity

• Install VSM VM using SCVMM VM template

• Configure VSM

Configure SCVMM Fabric

• Add N1KV Switch Extension manager to SCVMM

• Create Logical Switch

• Create VM Networks

71


Cisco Nexus 1000V Installation Virtual Switch Extension Manager (VSEM) & Logical Switch

VSEM Port-classifications –

defines network policy

for virtual machine

interfaces

Logical Switch

Uplink Profiles –

defines VLANs and

network policy to be

applied to the server

uplink

72



Choose network

– VM Network

– VM Subnet is tied to the Network (1:1)

Choose IP address type

– Can be dynamic (DHCP) or statically assigned

– Choose IP pool for static IPs

Choose Port Profile Classification

– Policy (QoS, Security, Monitoring)

– A Classification refers to a Port Profile

Associate VM VNICs to VM Networks & Port-classifications

73


Publishing Logical Networks Nexus 1000V VSM publishes Logical Networks to SCVMM

74


Add a host (VEM) to Nexus 1000V Configure Logical switch & Uplink on one or more Physical adapters

75

Select Fabric tab

Select the host

Right-Click for Properties

Select Virtual Switches

For each uplink, select N1KV as the logical switch & the uplink port-profile


Add a Veth to a host (N1KV VEM) Configure Logical switch & Uplink on one or more Physical adapters

76

Select “VM & Services” tab

Select the host

Select the VM

Right-Click for Properties

Select Hardware Configuration

Select Network Adapters

Select VM Network and Logical Switch


VSM VSM

Agenda


Cisco Nexus 1000V Portfolio Update







– Demo




vPath


1000V

77


Win 2012 Hyper-V

Win 2012 Hyper-V

NAM

Demo Topology

Nexus 1000V VSM

Nexus

1000V

VEM

Nexus

1000V

VEM

Configure the port-profiles so that web-server access is restricted: • Employee can access • Contractor is restricted

NAM (or any other monitoring tool) can be configured to analyze the VM-to-VM traffic using ERSPAN on N1KV.

Contractor Employee Web

Server

78

© 2014 Cisco and/or its affiliates. All rights reserved. BRKVIR-2017 Cisco Public 79


VSM VSM

Agenda









– Demo

– What is new with v1.5.2?




vPath


1000V

80


What is new with N1KV/Hyper-V v1.5.2?

Support for Windows Server 2012 R2

Additional PowerShell Commands

Multi-hypervisor Licensing

VSG/PNSC support for VM and Custom attributes

R2 support, VSG with VM-attributes, multi-hypervisor licensing

81


What is new with N1KV/Hyper-V v1.5.2?

CRUD Operations for User-creation

– To Create/Read/Update/Delete VSM user account information

– Get-User, New-User, Set-User, Remove-User

Managing SPAN & ERSPAN sessions

– To Create/Read/Update/Delete SPAN/ERSPAN session information

– Get-Session, New-Session, Set-Session, Remove-Session

CRUD operations for port-profiles

– To Create/Update/Delete port-profiles

– New-PortProfile, Set-PortProfile, Remove-PortProfile

New REST-APIs & PowerShell Commands

82


What is new with N1KV/Hyper-V v1.5.2? Multi-hypervisor Licensing

Before v1.5.2

• Separate Advanced Licenses for each hypervisor version

• Licenses for one hypervisor won’t work on other hypervisors

After v1.5.2

• Existing N1KV Licenses can be used for N1KV/Hyper-V

• If you already bought N1KV/Hyper-V, we will issue new universal licenses

83


Condition

What is new with N1KV/Hyper-V v1.5.2? Virtual Security Gateway with support for VM & Custom attributes

VM Attributes

VM Name

Guest OS name

Port Profile Name

VM DNS Name

Network Attributes

IP Address

Network Port

Operator

eq

neq

gt

lt

range

Not-in-range

Prefix

Operator

member

Not-member

Contains

And (Global Level)

Or (Global Level)

Source

Condition

Destination

Condition Action

Rule

Attribute Type

Network

VM

User Defined

vZone

Condition Match

Criteria

Match All (And)

Match Any (Or)

84


Virtual Security Gateway use-case Secure zoning using VM attributes

Source Destination Protocol Action

Zone=TRNG Zone=TRNG Any Permit

Any Zone=TRNG Any Permit

Zone=TRNG Any Any Drop

If vm-name contains “TRNG”, that VM belongs to TRNG zone

Database Servers

VM VM VM VM VM VM VM VM VM VM

Training Servers


Dev Servers


Exchange Servers


R&D Servers


QA Servers


85


VSM VSM

Agenda





Resources

Cisco Nexus 1000V


vPath


1000V

86


Cisco Nexus 1000V for KVM Integration with KVM & OpenStack

Nexus

1000V

VEM

Server

Nexus 1000V

VSM

OpenStack Controller

Nova Service

Network

Admin

VM VM VM VM

Cloud

Admin

Horizon Service

Neutron Service

Other Services

87



Expand Cisco Nexus 1000V support to KVM

Tight Integration with OpenStack – Neutron Service Integration

– Deployment Integration

– REST-APIs

VXLAN Support – Without IP multicast

– Ease VXLAN deployment

Highly Scalable Platform

88



Nexus 1000V

REST API

KVM

Tenant 1

Virtual Services

vWAAS

VSG ASA 1KV

Tenant 3

ASA 55xx

Physical Workloads

Physical

(VLAN)

Network

VXLAN – VLAN Gateway

Virtual Workloads

Tenant 2

Nexus 1000V Neutron Plug-in

OpenStack

89


Neutron Architecture

Clients Neutron Service Backend Networks

Physical and Virtual

91


Basic Neutron Abstractions & APIs

• Create, Delete, Update

• List, Show

Networks


• List, Show

Subnets


• List, Show

Ports

Neutron

92

What is new with N1KV/ESX?

93


Cisco Nexus 1000V for VMware vSphere?

Increased Scale

• 128 hosts

• 300 ports per host

• 4000+ ports per VSM

Simplified VXLAN Deployment

• No IP-multicast requirement

• VSM distributes relevant VXLAN info to all VEMs

• Flooding avoidance through MAC distribution

• Head-end replication to reduce broadcast traffic

VXLAN Gateway

• Seamless integration with Physical network (VXLAN to VLAN bridging)

• Hosted as a VM on any ESX host

• Support for hi-availability (active/standby)

What is new in v2.2?

94


Citrix NetScaler 1000V in Cloud Services Portfolio

VSM = Virtual Supervisor Module

DCNM = Data Center Mgt. Center

Nexus 1000V

vPath

Any Hypervisor

VM VM VM

• Citrix Best-in-Class virtual application delivery

controller (vADC)

• Sold and supported by Cisco

• Integrated with Nexus 1110/1010, vPath

Cisco Cloud Network Services (CNS) Citrix

NetScaler

1000V

Prime virtual

NAM

Imperva

SecureSphere

WAF

Virtual

Security

Gateway

Nexus 1110 Cloud Services Platform

VSM VSM DCNM*

Citrix

NetScaler

1000V

100


Hypervisor

App Tier Virtual Services DB Tier

VM

VM

VM

VM

VM

VM

Data vPath Cisco vPath

Hypervisor

Cisco vPath

• With vPath there is no Source NAT required on SLB to receive return traffic. NetScaler 1000V

dynamically inserts flow entry in vPath

• Supports Use Source IP without Application changes

Citrix NetScaler 1000V with vPath

VM

VM

VM

VM

VM

VM

1

2

3

4 5

6

101


VSM VSM

Agenda





Summary & Resources

– Reference Solutions

– Webinars

– Deployment Guides, Cheat Sheets

Cisco Nexus 1000V


vPath


1000V

102


Converged Infrastructure

Virtual Desktop

DC to DC VM Migration

DC-wide Mobility

Secure Multi-tenancy

Private & Public Clouds

Validated Designs VMware vSphere

WS 2012 Hyper-V

KVM & others

VSG, ASA1000V

vWAAS, CSR

Ecosystem Partners

vCloud Director

SCVMM, Openstack

InterCloud

Cisco Virtual Networking Solution Summary

Powered by Nexus 1000V

Multi-Cloud

Multi-Service

Multi Hypervisor

Reduced time to deploy

Reduced Risk

Investment Protection

Consistent Feature-set

Consistent Network Services

Consistent Operational Model 103


Reference Solutions With Nexus 1000V, Nexus 1010, VSG & vWAAS

vBlock with Nexus 1000V; Vblock with VSG and vWAAS

FlexPOD with Nexus 1000V and Nexus 1010

Virtual Multi-tenant Data Center with Nexus 1000V

Virtual Desktop

– 1000V and VMware View

– 1000V and Citrix XenDesktop

– 1000V and VSG in VXI Reference Architecture

Virtual Workload Mobility (aka DC-to-DC vMotion)

– Cisco, VMware and EMC (with 1000V and VSG)

– Cisco, VMware and NetApp (with 1000V and VSG)

PCI 2.0 with Nexus 1000V and VSG

104



http://www.vce.com/pdf/solutions/vce-cloud-service-assurance.pdf







http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/Virtualization/flexpod_vmware.html

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VMDC/1.1/design.pdf



http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/vmware/cisco_VMwareView.html

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/Virtualization/ucs_xd_vsphere_ntap.pdf

http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/Virtualization/ucs_xd_vsphere_ntap.pdf
















http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DCI/4.0/Netapp/dciNetapp.html

















Additional N1KV/Hyper-V Resources

Cisco Nexus 1000V for Microsoft Hyper-V: http://www.cisco.com/go/1000v/hyper-v

Cisco Virtual Security Gateway: http://www.cisco.com/go/vsg

Cisco Nexus 1000V Portfolio: http://www.cisco.com/go/1000v

N1KV PowerShell: http://developer.cisco.com/web/n1k/hyperv

N1KV Community Site: http://www.cisco.com/go/1000vcommunity

Cisco-Microsoft Partnership: http://www.cisco.com/go/microsoft

105

http://www.cisco.com/go/1000v/hyper-v




http://www.cisco.com/go/vsg

http://www.cisco.com/go/nexus1000v

http://www.cisco.com/go/nexus1000v

http://developer.cisco.com/web/n1k/hyperv

http://www.cisco.com/go/1000vcommunity

http://www.cisco.com/go/microsoft


Additional Nexus 1000V Portfolio Resources

CCO Links

– 1000V: www.cisco.com/go/1000v

– 1010: www.cisco.com/go/1010

– VSG: www.cisco.com/go/vsg

– VNMC: www.cisco.com/go/vnmc

– vWAAS: www.cisco.com/go/waas

– NAM on 1010: www.cisco.com/go/nam

White papers:

– Nexus 1000V and vCloud Director

– N1K on UCS Best Practices

– Nexus 1000V QoS White paper (draft)

– VSG and vCloud Director (draft)

– vWAAS Technical Overview, vWAAS for Cloud-ready WAN Optimization

Cheat Sheets

– Nexus 1010 Configuration Cheat Sheet v.2.0 – https://communities.cisco.com/docs/DOC-28188

– Nexus 1000V with UCS Configuration Cheat Sheet v.1.1

– https://communities.cisco.com/docs/DOC-28187

– More on the way

Deployment Guides

– Nexus 1000V Deployment Guide

– Nexus 1000V on UCS – Best Practices

– Nexus 1010 Deployment Guide

– VSG Deployment Guide

My Cisco Community: www.cisco.com/go/1000vcommunity

106

http://www.cisco.com/go/1000v

http://www.cisco.com/go/1010

http://www.cisco.com/go/vsg

http://www.cisco.com/go/vnmc

http://www.cisco.com/go/waas

http://www.cisco.com/go/nam

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-650440.pdf




http://www.tinyurl.com/N1k-On-UCS-Deploy-Guide






https://communities.cisco.com/docs/DOC-28419





https://communities.cisco.com/servlet/JiveServlet/downloadBody/25337-102-1-42993/VSG_VCD_0.3.pdf






http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps11231/technical_overview_c17-620098.html



http://www.cisco.com/en/US/prod/collateral/contnetw/ps5680/ps11231/solution_overview_c22-620028.html












http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/guide_c07-556626.html

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/guide_c07-556626.html

http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.html







http://www.cisco.com/en/US/prod/collateral/modules/ps2706/ps11208/deployment_guide_c07-647435_ps9902_Products_White_Paper.html





Cisco Cloud Lab Hands On Training & Demos

Hands on labs available for Nexus 1000V and VSG in Cloud Lab

https://cloudlab.cisco.com

Open to all Cisco employees

Customers/Partners require sponsorship from account team for access via CCO LoginID

Extended duration lab licenses for 1000V and VSG are available upon request

107

https://cloudlab.cisco.com/


Additional Nexus 1000V Public Links

N1K Download and 60-day Eval: www.cisco.com/go/1000vdownload

N1K Product Page: www.cisco.com/go/1000v

N1K Community: www.cisco.com/go/1000vcommunity

N1K Twitter www.twitter.com/official_1000V

N1K Webinars: www.cisco.com/go/1000vcommunity

N1K Case Studies: www.tinyurl.com/n1k-casestudy

N1K Whitepapers www.tinyurl.com/n1k-whitepaper

N1K Deployment Guide: www.tinyurl.com/N1k-Deploy-Guide

VXI Reference Implementation: www.tinyurl.com/vxiconfigguide

N1K on UCS Best Practices: www.tinyurl.com/N1k-On-UCS-Deploy-Guide

108

http://www.cisco.com/go/1000vdownload

http://www.cisco.com/go/1000v


http://www.twitter.com/official_1000V


http://www.tinyurl.com/n1k-casestudy



http://www.tinyurl.com/n1k-whitepaper



http://www.tinyurl.com/N1k-Deploy-Guide





http://www.tinyurl.com/vxiconfigguide











Call to Action…

Visit the World of Solutions:-

Cisco Campus

Walk-in Labs

Technical Solutions Clinics

Meet the Engineer

Lunch Time Table Topics, held in the main Catering Hall

Recommended Reading: For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014

109

http://www.pearson-books.com/CLMilan2014




Complete your online session evaluation

Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt

Complete Your Online Session Evaluation

110

IP Pools in SCVMM


Microsoft SCVMM Networking Concepts IP Pools – Who does IP Address Management?

113

Who decides on IP address ranges?

– Network admin

– SCVMM admin

Who allocates IP Addresses?

– DHCP Server as part of network infrastructure

– SCVMM as part of VM creation and replication


Microsoft SCVMM Networking Concepts IP Pools - Address Ranges Chosen and Allocated by an external DHCP Server

114

#nsm ip pool template name my-dhcp-pool

description “Pool for DHCP segments”

dhcp

#nsm network segment mydhcpnet1

ip-pool my-dhcp-pool

#nsm network segment mydhcpnet2

ip-pool my-dhcp-pool

Clients Servers

DHCP

Server

mydhcpnet1


IP Pools Created for SCVMM by Nexus 1000V IP Ranges Chosen by Nwk Admin, Individual IP Addresses allocated by SCVMM

115

# nsm ip pool template DMZ_POD1_Pool1

Ip address 10.10.11.2 10.10.11.254

subnet-mask 255.255.255.0

gateway 10.10.11.1

dns-servers 192.168.1.2

#nsm network segment DMZ_POD1_SUBNET1



IP Pools Created and Allocated by SCVMM IP Address Ranges Chosen and Allocated by Server Admin

116

# network-segment mysubnet1

# <no reference to ip-pool>

Documents

Cisco Nexus 1000V for Microsoft Hyper-V: Expanding the ...d2zmdbbm9feqrf.cloudfront.net/2014/eur/pdf/BRKVIR-2017.pdf · Cisco Nexus 1000V for Microsoft Hyper-V: Expanding the Virtual