The Power When You Need It EffectThe Power When You Need ... · VN-Link With the Cisco Nexus 1000V Cisco Nexus 1000V Software Based V V V V Industry’s first 3rd-party vNetwork Distributed

The Power When You Need It EffectThe Power When You Need It EffectVirtualization Aware Networking

Cloud Computing

Nexus 1000V Overview & Design

Cloud Computing

Maciej BocianMaciej [email protected] Sales Manager

Data Center and Virtualization Central Europe

© 2009 Cisco Systems, Inc. All rights reserved.Presentation_ID 1

Data Center and Virtualization, Central Europe

CCIE#7785

Agenda

1. vSphere vNetwork Distributed Switch2 Ci Vi t l N t k Li k T h l2. Cisco Virtual Network Link Technology

3. Cisco Nexus 1000VA hit tArchitecture

Deployment

InstallationInstallation

Difference to the vSwitch

2

© 2008 Cisco Systems, Inc. All rights reserved.Presentation_ID

The Story Today—Networking with VI3.5Separation of Network and

Server provisioning and management systems

Virtual Center managing & provisioning ESX hosts and vSwitches

vSwitch vSwitch vSwitch

Physical network managed and provisioning separately

Net ork isibilit ends at

Virtual Center

Network visibility ends at physical switch port

Different interfaces and toolstoolsIOS or IOS-like cli for

physical network

Network Management

3


VC GUI and esxcfg cli for vSwitches

vSphere vNetwork Distributed Switch (VDS)Unified network virtualization management

vCenter provides abstracted, vSwitch

CU

R vSwitch vSwitch

Simplifies network

p ,resource-centric view of networking

vSwitchRR

ENT

vSwitch

Simplifies network management

Moves away from host-level network configuration (cluster level)(cluster level)Statistics and policies follow the VM simplifying debugging and

VDS

vNetwork Distributed Switch

troubleshootingBuilds foundation for networking resource pools (view the network as a

S

4


(view the network as a clustered resource)

vNetwork Distributed Switch & Cisco Nexus 1000V

vSwitch vSwitch vSwitch

Enterprise networking vendors can provide proprietary networking interfaces to monitor, control and manage virtual networksvSwitchC

UR

RE

vSwitch manage virtual networks

First offering: Cisco Nexus 1000V

Virtual machines retain policies, QoS as they move around theN

T QoS as they move around the datacenter

V

vNetwork Distributed Switch Cisco Nexus 1000V

VDS

5


Agenda

1. vSphere vNetwork Distributed Switch

2 Cisco Virt al Net ork Link Technolog2. Cisco Virtual Network Link Technology3. Cisco Nexus 1000V

Architecture

Deployment



6


VN-Link With the Cisco Nexus 1000V

Cisco Nexus 1000VCisco Nexus 1000VSoftware Based VV VV VV VV Industry’s first 3rd-party vNetwork

Distributed Switch for VMware vSphere

VVMM

VVMM

VVMM

VVMM

NexusNexus

Built on Cisco NX-OS Compatible with all switching

platformsvSphere

NexusNexus1000V1000V

Maintain vCenter provisioning model unmodified for server administration; allow network administration of virtual network via familiar Cisco NX OS CLI

Nexus 1000VNexus 1000V

network via familiar Cisco NX-OS CLI

PolicyPolicy--Based Based VM C ti itVM C ti it

PolicyPolicy--Based Based VM C ti itVM C ti it

Mobility of Network & Mobility of Network & S itS it PP titi

Mobility of Network & Mobility of Network & S itS it PP titi

NonNon--DisruptiveDisruptiveO ti l M d lO ti l M d l

NonNon--DisruptiveDisruptiveO ti l M d lO ti l M d l

7


VM ConnectivityVM ConnectivityVM ConnectivityVM Connectivity Security Security PPropertiesropertiesSecurity Security PPropertiesroperties Operational ModelOperational ModelOperational ModelOperational Model

Agenda


2 Cisco Virtual Network Link Technology2. Cisco Virtual Network Link Technology

3. Cisco Nexus 1000V

ArchitectureDeployment

Installation


8


Cisco Nexus 1000V ComponentsCisco Nexus 1000V ComponentsCisco VSMs

Virtual Ethernet Module(VEM)R l V ’ i t l it h

vCenter Server

Virtual Supervisor Module(VSM)CLI i f i h N 1000V Replaces Vmware’s virtual switch

Enables advanced switching capability on the hypervisor

Provides each VM with dedicated “switch ports”

CLI interface into the Nexus 1000V Leverages NX-OS 4.04a Controls multiple VEMs as a single

network device

Cisco VEM Cisco VEM Cisco VEM

9


VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM7 VM9 VM10 VM11 VM12

Cisco Nexus 1000V ‘Virtual Chassis’Cisco Nexus 1000V Virtual Chassispod5-vsm# show moduleMod Ports Module-Type Model Status--- ----- -------------------------------- ------------------ ------------1 0 Virtual Supervisor Module Nexus1000V active *1 0 Virtual Supervisor Module Nexus1000V active 2 0 Virtual Supervisor Module Nexus1000V ha-standby3 248 Virtual Ethernet Module NA ok

Cisco VSMs

Cisco VEM Cisco VEM

10


VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8

Single Chassis ManagementUpstream-Switch#show cdp neighborCapability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge

S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone

Device ID Local Intrfce Holdtme Capability Platform Port ID

N1KV-Rack10 Eth 1/8 136 S Nexus 1000V Eth2/2N1KV-Rack10 Eth 2/10 136 S Nexus 1000V Eth3/2

A single switch from control plane and management plane perspective

Protocols such as CDP and SNMP t i l it h

Cisco VSMs

operate as a single switch

Cisco VEM Cisco VEM

11


Virtual Supervisor Modules OptionsVirtual Supervisor Modules Options VSM-PA

VSM Virtual Appliance VSM - Physical Appliance 2HCY09VSM - Virtual Appliance ESX Virtual Appliance Supports 64 VEMs Installable via ISO or OVA file

y pp Cisco Branded Physical Server Hosts 4 VSM Virtual Appliance Deployed in pairs for redundancy


VM4 VM VM6 VM8 VM9 VM10VSM VA

12


VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM8 VM9 VM10 VM11VSM-VA

Cisco Nexus 1000V ScalabilityCisco Nexus 1000V Scalability

A single Nexus 1000V supports: A single Nexus 1000V supports:2 Virtual Supervisor modules (HA)64 Virtual Ethernet modules512 Acti e VLANs

Nexus 1000V

512 Active VLANs2048 Ports (Eth + Veth)256 Port Channels

A single Virtual Ethernet module supports:

Cisco VEM216 Ports Veths32 Physical NICs8 Port Channels

13


Cisco Nexus 1000V DomainCisco Nexus 1000V Domain Each VSM is assigned a unique ‘Domain ID’

Domain ID ensures that VEMs do not respond to commands from non-pparticipating VSMs.

Each packet between VSM and VEM is tagged with the appropriate Domain ID

Domain range from 1-4095

Active VSM Other VSM

DID 15 CMD DID 25 CMD

Cisco VEM DID 15 Cisco VEM DID 15 Cisco VEM DID 15

DID 25 CMD

14


Distributed Data PlaneDistributed Data Plane Each Virtual Ethernet Module forwards packets independent of

each other.No address learning/synchronization across VEMsNo address learning/synchronization across VEMsNo concept of Crossbar/Fabric between the VEMs

Virtual Supervisor Module is NOT in the data pathNo concept of forwarding from an ingress linecard to an egress linecard (another server)No Etherchannel across VEMs

Cisco VSMs

Cisco VEMCisco VEMCisco VEM

15


Cisco Nexus 1000V Switch InterfacesCisco Nexus 1000V Switch Interfaces

Ethernet Port (eth)1 per physical NIC interface1 per physical NIC interfaceSpecific to each modulevmnic0 = ethx/1Up to 32 per host

Po1

Up to 32 per host

Port Channel (po)Aggregation of Eth ports

Eth3/1 Eth3/2

Veth2Veth1

Virtual Ethernet Port (veth)

gg g pUp to 8 Port Channels per host

VM1 VM2

1 per VNIC (including SC and VMK)Notation is Veth(port number). No module number is assigned to enable consistent naming when moved

16


consistent naming when moved216 per host

Cisco Nexus 1000V vEth InterfaceCisco Nexus 1000V vEth Interface

Virtual Ethernet Port

vEths are assigned sequentially

VM vNICs are statically bound to a vEthAssignment persistent through rebootsAssignment persistent through reboots

May change if the vNIC is reassigned to another port profile

vEths will move between modules when a VM is moved (HA, Vmotion, etc…)

Default virtual ‘speed’ is Gigabit as negotiated with the guest OS

By default performance is un-gated (i.e 1Gb vNIC can run faster than y p g (1Gb)

2048 vEths supported system wide

17


Loop Prevention without STPLoop Prevention without STP


Eth4/1 Eth4/2 XCisco VEM Cisco VEM Cisco VEM

X

VM1 VM2 VM3 VM4 VM5 VM6 VM7 VM7 VM9 VM10 VM11 VM12

BPDU are dropped No Switching From Physical NIC to NIC

Local MAC Address Packets Dropped on

18


Ingress (L2)

MAC LearningMAC Learning

Each VEM learns independentl andindependently and maintains a separate MAC table

VM MAC t ti ll VM MACs are statically mapped

Other vEths are learned this way (vmknics and vswifs)

Cisco VEM

Eth4/1

Cisco VEM

Eth3/1

way (vmknics and vswifs)

No aging while the interface is up

Devices external to theVM3 VM4VM1 VM2

Devices external to the VEM are learned dynamically

VEM 3 MAC Table

VM1 Veth12 StaticVM2 Veth23 StaticVM3 Eth3/1 DynamicVM4 Eth3/1 Dynamic

VEM 4 MAC Table

VM1 Eth4/1 DynamicVM2 Eth4/1 DynamicVM3 Veth8 StaticVM4 Veth7 Static

19


VM4 Eth3/1 Dynamic VM4 Veth7 Static

Port ChannelsPort Channels

1. Standard Cisco Port ChannelsChannelsBehaves like EtherChannel

2. Link Aggregation Control Protocol (LACP) Support

3. 17 hashing algorithms available Po1 Po2

Selected either system wide or per module

Default is source MACCisco VEM

4. Automated creation using Port Profiles

VM1 VM2 VM3 VM4

20


What is a Port-Profile?What is a Port Profile?

1 A port profile is a container used to define a common set of1. A port-profile is a container used to define a common set of configuration commands for multiple interfaces

2. Define once and apply many times

3. Simplifies management by storing interface configuration

4. Key to collaborative management of virtual networking resources

5. Why is it not like a template or SmartPort macro? Port-profiles are ‘live’ policies

Editing an enabled profile will cause config changes to propagate toEditing an enabled profile will cause config changes to propagate to all interfaces using that profile (unlike a static one-time macro)

21


Port Profile ConfigurationPort Profile Configuration

n1000v# show port-profile name WebProfileport-profile WebProfiledescription:status: enabledcapability uplink: no

Support Commands Include:

P t t

Support Commands Include:

P t tcapability uplink: nosystem vlans:port-group: WebProfileconfig attributes:switchport mode accessit h t l 110

Port management VLAN PVLAN Port-channel

Port management VLAN PVLAN Port-channelswitchport access vlan 110

no shutdownevaluated config attributes:switchport mode accessswitchport access vlan 110

Port-channel ACL Netflow Port Security

Port-channel ACL Netflow Port Securityp

no shutdownassigned interfaces:Veth10

y QoS

y QoS

22


Port Profile Policy DistributionPort Profile Policy Distribution

n1000v(config)# port-profile WebServersn1000v(config-port-prof)# switchport mode accessn1000v(config-port-prof)# switchport access vlan 100n1000v(config-port-prof)# no shutg p p

Cisco VSM

PP

23


vCenter Server

Overriding Port Profile Configuration

1. Administrators can interact with individual switchports, overriding a port profile

Overriding Port Profile Configuration

a port profile

2. Use to isolating problems with one or two interfaces without changing the port-profile and affecting other ports

3. Manual configuration always takes precedence over a port profile configuration

1000 ( fi )# i t th t 2

4. The ‘no’ command can remove the override and restore the

n1000v(config)# int vethernet 2n1000v(config-if)# switchport access vlan 250

profile’s config by doing:

n1000v(config)# int vethernet 2n1000v(config-if)# no switchport access vlan

24


n1000v(config if)# no switchport access vlan

Port Profile InheritancePort Profile Inheritance Profile inheritance allows the construction of profile hierarchies

‘Parent’ profiles pass configuration to ‘child’ profiles Parent profiles pass configuration to child profiles

Only the child profiles need to be visible within VC

Updates to the parent filter to the child

Child profiles can be updated independently

n1000v(config)# port-profile Webn1000v(config-port-prof)# switchport mode accessn1000v(config-port-prof)# switchport access vlan 100n1000v(config-port-prof)# no shut

n1000v(config)# port-profile Web-Goldn1000v(config-port-prof)# inherit port-profile Web

n1000v(config)# port-profile Web-Silvern1000v(config-port-prof)# inherit port-profile Webn1000v(config port prof)# inherit port profile Web

n1000v(config-port-prof)# service-policy output Goldn1000v(config-port-prof)# vmware port-group Web-Gold

n1000v(config port prof)# inherit port profile Webn1000v(config-port-prof)# service-policy output Silvern1000v(config-port-prof)# vmware port-group Web-Silver

Effective Port Profile – Web-Gold Effective Port Profile – Web-Silver

25


Access PortVLAN 100Gold QoS Policy

Access PortVLAN 100Silver QoS Policy

Uplink Port ProfilesUplink Port Profiles Special profiles that define physical NIC

properties

Usually configured as a trunk

Defined by adding ‘capability uplink’ to a port profile

Uplink profiles cannot be applied to vEths

Non-uplink profiles cannot be applied to NIC

Cisco VEM

NICs

Only selectable in vCenter when adding a host or additional NICs

VM1 VM2 VM3 VM4

n1000v(config)# port-profile DataUplinkn1000v(config-port-prof)# switchport mode trunkn1000v(config-port-prof)# switchport trunk allowed vlan 10-15n1000v(config-port-prof)# system vlan 51, 52n1000v(config-port-prof)# channel-group mode auto sub-group cdpn1000v(config port prof)# capability uplink

26


VM1 VM2 VM3 VM4n1000v(config-port-prof)# capability uplinkn1000v(config-port-prof)# no shut

Cisco Nexus 1000V Architecture

NexusNexus NexusNexusNexus

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

vSphere

NexusNexus1000V1000VVEMVEM

vSphere vSphere

Nexus1000V VEM


Nexus 1000V VSM

Virtual Supervisor Module (VSM)Virtual Supervisor Module (VSM) Virtual or Physical appliance running Virtual or Physical appliance running

Cisco NXOS (supports HA)Cisco NXOS (supports HA) Performs management, monitoring, & Performs management, monitoring, &

fi tifi ti

Virtual Supervisor Module (VSM)Virtual Supervisor Module (VSM) Virtual or Physical appliance running Virtual or Physical appliance running

Cisco NXOS (supports HA)Cisco NXOS (supports HA) Performs management, monitoring, & Performs management, monitoring, &

fi tifi ti

Virtual Ethernet Module (VEM)Virtual Ethernet Module (VEM) Enables advanced networking Enables advanced networking

capability on the hypervisorcapability on the hypervisor

Virtual Ethernet Module (VEM)Virtual Ethernet Module (VEM) Enables advanced networking Enables advanced networking

capability on the hypervisorcapability on the hypervisorCisco Nexus 1000V InstallationCisco Nexus 1000V InstallationCisco Nexus 1000V InstallationCisco Nexus 1000V Installation

vCentervCenter

configurationconfiguration Tight integration with VMware vCenterTight integration with VMware vCenter

configurationconfiguration Tight integration with VMware vCenterTight integration with VMware vCenter

capability on the hypervisorcapability on the hypervisor Provides each VM with dedicated Provides each VM with dedicated

“switch port”“switch port” Collection of VEMs = 1 vNetwork Collection of VEMs = 1 vNetwork

Distributed SwitchDistributed Switch

capability on the hypervisorcapability on the hypervisor Provides each VM with dedicated Provides each VM with dedicated

“switch port”“switch port” Collection of VEMs = 1 vNetwork Collection of VEMs = 1 vNetwork

Distributed SwitchDistributed Switch

Cisco Nexus 1000V InstallationCisco Nexus 1000V Installation ESX & ESXiESX & ESXi VUM & Manual InstallationVUM & Manual Installation VEM is installed/upgraded like an ESX VEM is installed/upgraded like an ESX

patchpatch

Cisco Nexus 1000V InstallationCisco Nexus 1000V Installation ESX & ESXiESX & ESXi VUM & Manual InstallationVUM & Manual Installation VEM is installed/upgraded like an ESX VEM is installed/upgraded like an ESX

patchpatch

27


pppp

Scaling Server Virtualization with Nexus 1000V

1. Offload VM networking to network teamAbstracts network configuration from virtualization

tteamNetwork administrator to provide consistent

network configuration to VM

2 Optimi e band idth to ser er / greater2. Optimize bandwidth to server w/ greater availabilityDual connectivity to non-clustered switchesQuality of Service for VMotion Service Console

Po2SG0 SG1

Po1SG0 SG1

Quality of Service for VMotion, Service Console, and VM traffic

3. Enable virtual machines to be basic building blocks of data center

Cisco VEMC P

Consistent network operational model for physical and virtual infrastructure

Easier regulatory compliance VM Data

VMKSC

28


Cisco Nexus 1000V – Faster VM Deployment

PolicyPolicy--Based Based PolicyPolicy--Based Based Mobility of Network & Mobility of Network & Mobility of Network & Mobility of Network & NonNon--DisruptiveDisruptiveNonNon--DisruptiveDisruptive

Cisco VNCisco VN--Link: Virtual Network LinkLink: Virtual Network LinkCisco VNCisco VN--Link: Virtual Network LinkLink: Virtual Network Link

Defined PoliciesDefined PoliciesDefined PoliciesDefined Policies

VM ConnectivityVM ConnectivityVM ConnectivityVM Connectivity Security PropertiesSecurity PropertiesSecurity PropertiesSecurity Properties Operational ModelOperational ModelOperational ModelOperational ModelVVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

S h


S h


Defined PoliciesDefined PoliciesWEB AppsWEB AppsHRHRDBDB

Defined PoliciesDefined PoliciesWEB AppsWEB AppsHRHRDBDB vSphere vSphereDMZDMZDMZDMZ

VM Connection PolicyVM Connection PolicyVM Connection PolicyVM Connection Policy

Nexus 1000V VSMC tC t

yy•• Defined in the networkDefined in the network•• Applied in Virtual CenterApplied in Virtual Center•• Linked to VM UUIDLinked to VM UUID

yy•• Defined in the networkDefined in the network•• Applied in Virtual CenterApplied in Virtual Center•• Linked to VM UUIDLinked to VM UUID

29


Nexus 1000V VSMvCentervCenter

Cisco Nexus 1000V – Richer Network Services



VMs Need to MoveVMs Need to MoveVMs Need to MoveVMs Need to Move


VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

S h


S h


VMs Need to MoveVMs Need to Move•• VMotionVMotion•• DRSDRS•• SW Upgrade/PatchSW Upgrade/Patch

H d F ilH d F il

VMs Need to MoveVMs Need to Move•• VMotionVMotion•• DRSDRS•• SW Upgrade/PatchSW Upgrade/Patch

H d F ilH d F il vSphere vSphere

VNVN--Link Property MobilityLink Property MobilityVNVN--Link Property MobilityLink Property Mobility

•• Hardware FailureHardware Failure•• Hardware FailureHardware Failure

Nexus 1000V VSM

p y yp y y•• VMotion for the networkVMotion for the network•• Ensures VM securityEnsures VM security•• Maintains connection stateMaintains connection state

p y yp y y•• VMotion for the networkVMotion for the network•• Ensures VM securityEnsures VM security•• Maintains connection stateMaintains connection state

C tC t

30



Cisco Nexus 1000V - Increased Operational Efficiency



VI Ad i B fitVI Ad i B fitVI Ad i B fitVI Ad i B fit


VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

S h


S h


VI Admin BenefitsVI Admin Benefits•• Maintains existing VM mgmtMaintains existing VM mgmt•• Reduces deployment timeReduces deployment time•• Improves scalabilityImproves scalability•• Reduces operational workloadReduces operational workload

VI Admin BenefitsVI Admin Benefits•• Maintains existing VM mgmtMaintains existing VM mgmt•• Reduces deployment timeReduces deployment time•• Improves scalabilityImproves scalability•• Reduces operational workloadReduces operational workload

vSphere vSphere

Network Admin BenefitsNetwork Admin Benefits•• Unifies network mgmt and opsUnifies network mgmt and opsNetwork Admin BenefitsNetwork Admin Benefits•• Unifies network mgmt and opsUnifies network mgmt and ops

•• Enables VMEnables VM--level visibilitylevel visibility•• Enables VMEnables VM--level visibilitylevel visibility

Nexus 1000V VSMC tC t

Unifies network mgmt and opsUnifies network mgmt and ops•• Improves operational securityImproves operational security•• Enhances VM network Enhances VM network

featuresfeatures•• Ensures policy persistenceEnsures policy persistence•• Enables VMEnables VM--level visibilitylevel visibility

Unifies network mgmt and opsUnifies network mgmt and ops•• Improves operational securityImproves operational security•• Enhances VM network Enhances VM network

featuresfeatures•• Ensures policy persistenceEnsures policy persistence•• Enables VMEnables VM--level visibilitylevel visibility

31


Nexus 1000V VSMvCentervCenterEnables VMEnables VM level visibilitylevel visibilityEnables VMEnables VM level visibilitylevel visibility

Agenda



3. Cisco Nexus 1000VArchitectureArchitecture

DeploymentInstallation


32


Key Features of the Nexus 1000V

Switching L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX)

IGMP Snooping, QoS Marking (COS & DSCP)

Security Policy Mobility, Private VLANs w/ local PVLAN Enforcement

Access Control Lists (L2–4 w/ Redirect), Port Security

Provisioning Automated vSwitch Config, Port Profiles, Virtual Center Integration

Optimized NIC Teaming with Virtual Port Channel – Host Mode

Visibility VMotion Tracking, ERSPAN, NetFlow v.9 w/ NDE, CDP v.2

VM-Level Interface Statisticsy

Management Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks

Cisco CLI Radius TACACs Syslog SNMP (v 1 2 3)

33


Management Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3)

Deploying the Cisco Nexus 1000VCollaborative Deployment ModelCollaborative Deployment Model


1. VMW vCenter & Cisco Nexus 1000V relationship established

3. vSphere

2. 2. Network Admin

configures Nexus 1000V to support new ESX hosts

3. Server Admin plugs new ESX host into network & adds host to Cisco switch in


1.

Cisco switch in vCenter

34


Deploying the Cisco Nexus 1000VCollaborative Deployment ModelCollaborative Deployment Model

1 VMW vCenter & Cisco1. VMW vCenter & Cisco Nexus 1000V relationship established

2. Network Admin fi N


NexusNexus1000V1000VVEMVEMconfigures Nexus

1000V to support new ESX hosts

3. Server Admin plugs new

vSphere

VEMVEM

vSphere

VEMVEM

ESX host into network & adds host to Cisco switch in vCenter

4 Repeat step three to add4. Repeat step three to add another host and extend the switch configuration Nexus 1000V VSMvCentervCenter

4.

35


Policy Based VM ConnectivityEnabling PolicyEnabling Policy

1. Nexus 1000V automatically enables port groups in

VVMM

VVMM

VVMM

VVMMenables port groups in

VMware vCenter

2. Server Admin uses vCenter to assign vnic policy from


3. MM MM MM MM

available port groups

3. Nexus 1000V automatically enables VM connectivity at VM power-on

vSphere

VEMVEM

1. 2.

po e o

Defined PoliciesDefined PoliciesWEB AWEB ADefined PoliciesDefined PoliciesWEB AWEB A

WEB Apps:WEB Apps:PVLAN 108, IsolatedPVLAN 108, Isolated

WEB Apps:WEB Apps:PVLAN 108, IsolatedPVLAN 108, Isolated


WEB AppsWEB AppsHRHRDBDBDMZDMZ

WEB AppsWEB AppsHRHRDBDBDMZDMZ

,,Security Policy = Port 80 and 443 Security Policy = Port 80 and 443 Rate Limit = 100 MbpsRate Limit = 100 MbpsQoS Priority = MediumQoS Priority = MediumRemote Port Mirror = YesRemote Port Mirror = Yes

,,Security Policy = Port 80 and 443 Security Policy = Port 80 and 443 Rate Limit = 100 MbpsRate Limit = 100 MbpsQoS Priority = MediumQoS Priority = MediumRemote Port Mirror = YesRemote Port Mirror = Yes

36


Policy Based VM Connectivity

What can a policy do? What can a policy do? VVMM

VVMM

VVMM

VVMM

vSphere


Policy definition supports:Policy definition supports:•• VLAN, PVLAN settingsVLAN, PVLAN settings•• ACL Port Security ACLACL Port Security ACL vSphere•• ACL, Port Security, ACL ACL, Port Security, ACL

RedirectRedirect•• Cisco Trust Sec (SGT)Cisco Trust Sec (SGT)•• NetFlowNetFlow CollectionCollection•• NetFlowNetFlow CollectionCollection•• Rate LimitingRate Limiting•• QoSQoS Marking (COS/DSCP) Marking (COS/DSCP)

R t P t MiR t P t Mi


•• Remote Port Mirror Remote Port Mirror (ERSPAN)(ERSPAN)

37


Mobility of Security & Network PropertiesMobility of Security & Network PropertiesFollowing your Following your VMsVMs aroundaround1 vCenter kicks off a

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM1. vCenter kicks off a

Vmotion (manual/DRS) and notifies Nexus 1000V NexusNexus

1000V1000VVEMVEM


MM MM MM MM MM MM MM MM

2. During VM replication, Nexus 1000V copies VM port state to new host

vSphere

VEMVEM

vSphere

VEMVEM

1 2

Mobile PropertiesMobile PropertiesMobile PropertiesMobile Properties

1. 2.


Mobile Properties Mobile Properties Include:Include:

Port policyPort policyInterface state and countersInterface state and counters

Mobile Properties Mobile Properties Include:Include:

Port policyPort policyInterface state and countersInterface state and counters VMotion Notification

Current: VM1 on Server 1Network Persistence VM port config, state

38


Flow statisticsFlow statisticsRemote port mirror sessionRemote port mirror sessionFlow statisticsFlow statisticsRemote port mirror sessionRemote port mirror session

New: VM1 on Server 2p g,

VM monitoring statistics

Mobility of Security & Network Propertiesy y pFollowing your Following your VMsVMs aroundaround

1. vCenter kicks off a VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMM

VVMMVmotion (manual/DRS)

and notifies Nexus 1000V

2 During VM replicationNexusNexus1000V1000VVEMVEM


MM MM MM MM MM MM MMMM

2. During VM replication, Nexus 1000V copies VM port state to new host

vSphere

VEMVEM

vSphere

VEMVEM

33. Once VMotion completes, port on new ESX host is brought up & VM’s MAC address

3.

is announced to the network Nexus 1000V VSMvCentervCenter

Network Update ARP for VM1 sent

to network Flows to VM1 MAC

39


redirected to Server 2

Increase Operational EfficiencyWhat stays the same? What gets better?What stays the same? What gets better?

Task Virtualization or Server Admin

Network Admin

What stays the same? What gets better?What stays the same? What gets better?

vSwitch Config Automated Same as physical networkPort Group Config Automated Policy BasedPort Group Unchanged -Assignment (Virtual Center based)Add new ESX host Automated

(assign NIC & go)Unchanged

NIC Teaming Config Automated EtherChannel OptimizedNIC Teaming Config Automated EtherChannel OptimizedVM Creation Unchanged Policy BasedSecurity Policy Based ACL, PVLAN, IP Redirect,

Port Security TrustSecPort Security, TrustSecVisibility VM Specific VM SpecificManagement Tools Unchanged

(Virtual Center)Cisco CLI, XMP API,

SNMP, DCNM

40


( ) ,

Cisco Nexus 1000V – VM SecurityVVMM

VVMM

VVMM

VVMM

II PP CC

VVMM

VVMM

VVMM

VVMM

CC II

VVMM

VVMM

VVMM

VVMM

vSphere vSphere vSphere

II PP CC CC II

Cisco Cisco TrustSecTrustSec

P i t VLANP i t VLAN

Security FeaturesSecurity Features•• Access Control ListAccess Control List•• Port SecurityPort Security

•• Admission control: 802.1XAdmission control: 802.1X•• HopHop--byby--hop crypto: 802.1AEhop crypto: 802.1AE•• Security Group TagSecurity Group Tag

SGACL Destination GroupPrivate VLANPrivate VLAN•• Promiscuous portPromiscuous port•• Isolated portIsolated port•• Community portCommunity port

yy•• DHCP SnoopingDHCP Snooping•• IP Source GuardIP Source Guard•• Dynamic ARP InspectionDynamic ARP Inspection

Matrix

Sour

ce

Gro

up - ++

41


S G + -

Nexus 1000V Deployment ScenariosNexus 1000V Deployment ScenariosPick your flavorPick your flavor

Rack Optimized1. All types of servers

2. 1G & 10G NICs

3 Any type of physical switch

Blade Serversp

Servers

3. Any type of physical switch (Cisco & other vendors)

4. Requires External Management ApplianceManagement Appliance (VSM) which can be a virtual or physical appliance

5. Requires VMware vSphere q p4.0 Enterprise Plus License

6. Network stats, interface state, flow stats maintained Nexus 1000V VSMvCentervCenter

42


in VEM, exposed through VSM


Agenda




Deployment

InstallationInstallationDifference to the vSwitch

43


Cisco Nexus 1000V Installation OverviewCisco Nexus 1000V Installation Overview

1 Installing the Cisco Nexus 1000V is a five step process involving1. Installing the Cisco Nexus 1000V is a five step process involving the server and network administrators

1) Install the primary and secondary VSMs2) D fi li k d VM t fil2) Define uplink and VM port profiles3) Connect the primary VSM and VC4) Install the VEM (manually or using VUM)5) Adding the ESX host to the Nexus 1000V

2. Repeat steps 4 and 5 for each additional ESX host

44


Creating the VSM VM using ISOCreating the VSM VM using ISO

1 Create VM1. Create VMType: Other 64 bit Linux

1 Processor

2 GB RAM2 GB RAM

3 vNICs (e1000 Driver)

Minimum 3GB SCSI Hard Disk with LSI Logic adapter (default)adapter (default)

2. Reserve 2GB RAM for the VM

3. Configure VM network adaptersadapters

4. Attach ISO to VM and power on

45


Creating the VSM VM using OVACreating the VSM VM using OVA

1 From VC File menu select “Deploy OVF Template ”1. From VC File menu, select Deploy OVF Template…OVA deployment automated the VSM VM configuration Configuration is limited to mapping portgroups to proper networks

2. CPU and RAM still need to be reserved for the VM

46


VSM Dedicated ResourcesVSM Dedicated Resources

1 Each VSM requires dedicated1. Each VSM requires dedicated resources (not shared)

2. Set the RAM reservation to 2GB3. Set CPU reservation to 1Ghz

47


VSM Setup WizardVSM Setup Wizard

1 Automatically runs when the VSM VM is started for the first time1. Automatically runs when the VSM VM is started for the first time

2. Minimum configuration suggested:Switch name

Out-of-band management configuration

Default gateway

Telnet/SSH service

Domain parameters (domain ID, control/packet VLAN)

3 Secondary VSM will reboot and gather configuration from the3. Secondary VSM will reboot and gather configuration from the Primary VSM

48


Registering Nexus 1000V Plug-inRegistering Nexus 1000V Plug in1. Plug-in enables VC to communicate with the VSM and contains the security certificate2 Download http://<VSM-IP>/cisco nexus1000V extension xml2. Download http://<VSM IP>/cisco_nexus1000V_extension.xml3. In VC client, go to Plug-ins menu and select “Manage plug-ins…”

4. Right-click under “Available Plug-ins” and select “New Plug-in”

49


Connecting the VSM to the VCConnecting the VSM to the VC

1. Nexus 1000V Plug-in must be registered first!1. Nexus 1000V Plug in must be registered first!2. Configure the connection on the VSM

n1000V(config)# svs connection vc1000V( fi )# t l in1000V(config-svs-conn)# protocol vmware-vimn1000V(config-svs-conn)# remote ip address 172.28.15.111n1000V(config-svs-conn)# vmware dvs datacenter-name WestDCn1000V(config-svs-conn)# connect

The connection name (‘vc’ in the example) is arbitraryProtocol specifies the type of server to connect to (only VMware is supported)Remote IP address is the VC IP addressDatacenter name is the name of the datacenter that will contain the Nexus 1000VDatacenter name is the name of the datacenter that will contain the Nexus 1000V

Datacenter must be present on VC before connectingConnect command initiates the connection with the VC and creates the Nexus 1000V

in VC

50


Connecting the VSM to the VC (cont.)Connecting the VSM to the VC (cont.)

1 Resulting output on VC after issuing connect command1. Resulting output on VC after issuing connect command

51


Adding an Uplink Port ProfileAdding an Uplink Port Profile1. In order to insert a module into the VSM (i.e. add a host to the vDS

on VC), you must configure an uplink port-profile for a host to use

n1000V(config)# port-profile SystemUplinksn1000V(config-port-prof)# capability uplinkn1000V(config-port-prof)# switchport mode trunkn1000V(config-port-prof)# switchport trunk allowed vlan 51-52n1000V(config-port-prof)# system vlan 51, 52n1000V(config-port-prof)# vmware port-group SystemUplinksn1000V(config-port-prof)# no shutdownn1000V(config port prof)# state enabledn1000V(config-port-prof)# state enabled

2. The third parameter of the “vmware port-group” command is optionalU d t if th th t i di l d i th VCUsed to specify the name that is displayed in the VCIf left blank, the port-profile name will be used

52


Adding an Uplink Port Profile (cont.)Adding an Uplink Port Profile (cont.)1. Resulting output on VC after issuing port-profile command

53


Manual VEM InstallationManual VEM Installation

1 The host VEM VIB file must be installed before performing the “Add1. The host VEM .VIB file must be installed before performing the Add Host” operation on VC

2. Steps to install VEM bits on hostC th VEM k t th ESX h t i (SCP th h VC)Copy the VEM package onto the ESX host using (SCP or through VC)SSH into the host and run esxupdate

# esxupdate -b ./cross_cisco-vem-v100-4.0.4.1.0.42-0.4.2-release.vib --nosigcheck update

cross cisco-vem-v100-4 0 4 1 ######################################## [100%]cross_cisco vem v100 4.0.4.1.. ######################################## [100%]

Unpacking cross_cisco-vem-v1.. ######################################## [100%]

Installing cisco-vem-v100-esx ######################################## [100%]

Running [/usr/sbin/vmkmod-install.sh]...

okok.

#

After esxupdate completes, the “Add Host” operation can be performed on the VC

54


Automated Installation with VUMAutomated Installation with VUM

1 What is VUM?1. What is VUM?VMware Update Manager

Used for patching/updating software on ESXUses ‘esxupdate’ on application on ESX host to do the installation and

management of software modules

2. Starting the installationgSimply click “Add Host”, and VUM will take care of loading the VEM

onto the hostThe host pulls the packages from the VUM repository. The VSM web serverThe host pulls the packages from the VUM repository. The VSM web server

is only used to populate the VUM repository

55


Adding a Host to the Nexus 1000V1. Right click on the Cisco Nexus 1000V and select ‘Add Host’

56


Verifying the Installation1. The ‘show module’ command on the VSM will display the VEM if the installation is completed

successfullypod5-vsm# show moduleMod Ports Module-Type Model Status--- ----- -------------------------------- ------------------ ------------1 0 Virtual Supervisor Module Nexus1000V active *2 0 Virtual Supervisor Module Nexus1000V ha-standby3 248 Virtual Ethernet Module NA ok

Mod Sw Hw--- --------------- ------1 4.0(4)SV1(0.42) 0.02 4.0(4)SV1(0.42) 0.03 4.0(4)SV1(0.42) 0.4

Mod MAC-Address(es) Serial-NumMod MAC Address(es) Serial Num--- -------------------------------------- ----------1 00-19-07-6c-5a-a8 to 00-19-07-6c-62-a8 NA2 00-19-07-6c-5a-a8 to 00-19-07-6c-62-a8 NA3 02-00-0c-00-03-00 to -2-00-0c-00-03-80 NA

Mod Server-IP Server-UUID Server-Name--- --------------- ------------------------------------ --------------------1 10.95.5.159 NA NA2 10.95.5.159 NA NA3 10 95 5 151 41483531 3141 5553 4537 31324e353646 ph 2 dc pod5 h 1

57


3 10.95.5.151 41483531-3141-5553-4537-31324e353646 phx2-dc-pod5-hv1

Migrating to the Cisco Nexus 1000V Migration Wizard enables simple migration from the vSwitch to the

Cisco Nexus 1000V

58


Agenda




Deployment



59


Keep your process consistentNetwork Administrator view Server Administrator view

N1k-VSM# sh port-profile name Ubuntu-VM

port-profile Ubuntu-VM

description:

status: enabled

capability uplink: nop y p

capability l3control: no

system vlans: none

port-group: Ubuntu-VM

max-ports: 32

i h itinherit:

config attributes:

switchport mode access

switchport access vlan 95

no shutdown

assigned interfaces:

Vethernet2

Vethernet4

60


Keep your process consistentFew of the Datacenter are completely virtualized

Using Nexus 1000V keeps all the process consistent and give Using Nexus 1000V keeps all the process consistent and give you the same visibility for VMs and Server

Troubleshoot your network as before using tools you knowTroubleshoot your network as before using tools you know

Make your regulatory compliance much easier because of the simpler process

Cisco VEM

ERSPANNetflowCounters

61


VM1 VM2 VM3 VM4 CDP PVLAN

virtual Port Channel Host Mode

Allows a single PC to span multiple upstream switches using ‘subgroups’switches using subgroups

Forms up to two subgroups based on Cisco Discovery Protocol (CDP)

Subgroups can be manually defined outside of a Port

Po1 SG1SG0

Subgroups can be manually defined outside of a Port Profile

Does not require EtherChannel upstream when using source hashing

Cisco VEMEtherChannel is recommended upstream

Required when connecting to multiple switches

VM1 VM2 VM3 VM4

(only supports two upstream switches when using flow based hashing)

62


Cisco Nexus 1000V3 new features that make a difference3 new features that make a difference

Private VLANsNetflow v.9 with Data Encapsulated

• Great for mixed use ESX clusters

(PVLANs)• View flow based stats

for individual VMs

Export

• Mirror VM interface traffic to a remote sniffer

Remote SPAN (ERSPAN)

• Segment VMs w/o burning IP addresses

• Supports isolated, community and

• Captures multi-tiered app traffic inside a single ESX host

• Export aggregate stats

• Identify root cause for connectivity issues

• No host based sniffer virtual appliance to y

promiscuous trunk ports

• Follows your VM w/ VMotion or DRS

to dedicated collector for DC-wide VM view


virtual appliance to maintain


63


VMotion or DRS

VMW vSwitch & the Cisco Nexus 1000VFeature ESX 3.5: Standard

vSwitchESX 4.0: vNetwork Standard Switch

ESX 4.0: vNetwork Distributed

SwitchCisco Nexus 1000V

Switching Features

Layer 2 Forwarding Yes Yes Yes Yes

IEEE 802.1Q VLAN Tagging Yes Yes Yes Yes

Multicast Support Yes Yes Yes Yes

IGMP Snooping v3 - - - Yes

VMotion Support Yes Yes Yes Yes

Network Policy VMotion - - Yes Yes

Upstream Switch Connectivity

EtherChannel Yes Yes Yes Yes

Asyncronous Port Channels - - - YesAsyncronous Port Channels - - - Yes

Link Aggregation Control Protocol (LACP) - - - Yes

Load Balancing Algorithms

Virtual Switchport ID Yes Yes Yes Yes

Source MAC Yes Yes Yes YesSource MAC Yes Yes Yes Yes

Source-Destination IP Yes Yes Yes Yes

Source-Destination MAC - - - Yes

Source-Destination-Port IP - - - Yes

Additional Hashing Options - - - Yes

64


Additional Hashing Options Yes

VMW vSwitch & the Cisco Nexus 1000VFeature

ESX 3.5: Standard vSwitch

ESX 4.0: vNetwork

Standard Switch

ESX 4.0: vNetwork

Distributed Switch

Cisco Nexus 1000V

Traffic Management Features

T R t Li iti Y Y Y YTx Rate Limiting Yes Yes Yes Yes

Rx Rate Limiting - - Yes Yes

Quality of Service Marking

DSCP - - - Yes

T f S i YType of Service - - - Yes

Class of Service - - - Yes

Security Features

Port Security Yes Yes Yes Yesy

VMSafe Compatible Yes Yes Yes Yes

Private VLANs - - Yes Yes

PVLAN Promiscuous Trunk Support - - - Yes

Access Control Lists - - - Yes

DHCP Snooping - - - Yes

IP Source Guard - - - Yes

Dynamic ARP Inspection - - - Yes

65


VMW vSwitch & the Cisco Nexus 1000V

FeatureESX 3.5: Standard vSwitch

ESX 4.0: vNetwork

Standard Switch

ESX 4.0: vNetwork

Distributed Switch

Cisco Nexus 1000V

Management FeaturesgVMware vCenter Support Yes Yes Yes Yes

Third Party Accessible APIs Yes Yes Yes Yes

Network Policy Groups Yes Yes Yes Yes

Multi-Tier Policy Groups - - - Yes

SPAN - - - Yes

ERSPAN - - - Yes

Netflow v5 * * * Yes

Netflow v9 - - - Yes

SNMP v3 Read/Write - - - Yes

CDP v1/v2 Yes Yes Yes Yes

Syslog ** ** ** Yes

Packet Capture & Analysis - - - Yes

Radius/TACACS+ - - - Yes

* Experimental Support** Network Syslog information is compiled and exported with other non network related vCenter events

66


** Network Syslog information is compiled and exported with other, non-network related, vCenter events.

Accelerate Server VirtualizationBenefits of the Nexus 1000VBenefits of the Nexus 1000V

O ti &O ti &O ti &O ti & O i ti lO i ti lO i ti lO i ti l

EnableEnable VMVM--levellevelEnableEnable VMVM--levellevel

Security & Policy Security & Policy EnforcementEnforcement

Security & Policy Security & Policy EnforcementEnforcement

Simplify Simplify t dt d

Simplify Simplify t dt d

Operations & Operations & ManagementManagementOperations & Operations & ManagementManagement

Enable Enable flexible flexible Enable Enable flexible flexible

Organizational Organizational StructureStructure

Organizational Organizational StructureStructure

Enable Enable VMVM level level security and policysecurity and policy

Scale Scale the use of the use of VM ti d DRSVM ti d DRS

Enable Enable VMVM level level security and policysecurity and policy

Scale Scale the use of the use of VM ti d DRSVM ti d DRS

management and management and troubleshooting troubleshooting with with VMVM--level level visibilityvisibility

management and management and troubleshooting troubleshooting with with VMVM--level level visibilityvisibility

collaboration with collaboration with individual team individual team autonomyautonomy

collaboration with collaboration with individual team individual team autonomyautonomy

VMotion and DRSVMotion and DRSVMotion and DRSVMotion and DRSScale Scale with with automated server & automated server & network network

Scale Scale with with automated server & automated server & network network

Simplify Simplify and and maintain existing maintain existing VMVM mgmt modelmgmt model

Simplify Simplify and and maintain existing maintain existing VMVM mgmt modelmgmt model

67


provisioningprovisioningprovisioningprovisioning

68


Documents

The Power When You Need It EffectThe Power When You Need ... · VN-Link With the Cisco Nexus 1000V Cisco Nexus 1000V Software Based V V V V Industry’s first 3rd-party vNetwork Distributed