Virtualization in Data Centers

Tomáš Michaeli

Consultant, Data Centers

[email protected]

© 2009 Cisco Systems, Inc. All rights reserved. Cisco Confidential



Presentation goals

Understand the impact of server virtualization on the network infrastructure

Show the value of Cisco Nexus 1000V

Understand the methods of integrating Nexus 1000V into Cisco infrastructures

Virtualization in the SAN

Unified I/O in a virtual environment


Virtualization in Today’s Environment

Virtualization Solutions to Date May Only Address Part of the Problem.

Virtualization is Increasing OPEX, Complexity, and Risk.

[Diagram: cost layers of the environment. Platforms: virtualization, compute, network. Site cost: HVAC, power, dwelling. Platform cost: storage, network, software, server. Organization cost: complexity, VM administrator, coordination. Labels: high costs, high complexity, high touch.]


x86 Server Virtualization Overview

VMware ESXi

XEN Enterprise

Microsoft Hyper-V

Linux kernel virtualization

Hypervisor OS – provides an abstraction layer between virtual servers and physical server resources

Virtual network inside the server – virtual servers are interconnected via a virtual switch running within the virtualization layer.

Virtual servers can now be brought online without the need to install new server hardware.

Rapid expansion of computing to support greater workloads


ESX Server NIC teaming compromise

NIC Teaming offers 4 different Load Balancing schemes

Load Balancing – HA or load balancing compromise

Are you ready for compromise?

[Diagram: two ESX hosts, each with a vSwitch and two VMs (App/OS)]


VMotion and vSwitch security problem

[Diagram: ESX VMotion; VMs .11, .12 and .13; one flow marked X]

Permit .11 <-> .12
Deny .11 <-> .13
Deny .12 <-> .13

VMotion enables

Workload mobility & Disaster Recovery, migrations

VM balancing between servers

VMs can move between ESX cluster members with the same configuration

Port-groups, VLANs, Rate-Limiting, Port Security, ERSPAN, ACL, QoS

Inconsistent security policy enforcement and visibility

Policies applied at the server port or VLAN cannot be consistently applied


Cisco Virtual Network Link – VN-Link: Virtualizing the Network Domain

Virtual machine aware network and storage services

Abstract physical and logical infrastructure

Virtual machines are the new data center building block


VN-Link Brings VM Level Granularity

Problems:

• VMotion may move VMs across physical ports—policy must follow

• Impossible to view or apply policy to locally switched traffic

• Cannot correlate traffic on physical links—from multiple VMs

VN-Link:

• Extends network to the VM

• Consistent services

• Coordinated, coherent management

[Diagram labels: VMotion, VLAN 101]
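A small model of the problems and the VN-Link answer listed above, added here as an example that is not part of the original slides: it audits the permit/deny policy from the VMotion slide against ACLs bound to physical switch ports and against policy bound to the VM itself. The 10.0.0.x addresses, the host names esx-a/esx-b/esx-c and all function names are assumptions made for the illustration.

```python
"""Policy placement vs. VM mobility: physical-port ACLs vs. VM-bound profiles."""
from itertools import combinations

# Constructed addresses: the slide shows only the last octets .11, .12, .13.
VM11, VM12, VM13 = "10.0.0.11", "10.0.0.12", "10.0.0.13"
VMS = [VM11, VM12, VM13]

# Intended policy from the slide: permit .11 <-> .12, deny the other pairs.
PERMITTED = {frozenset({VM11, VM12})}
DENIED = {frozenset({VM11, VM13}), frozenset({VM12, VM13})}

# Model 1: the deny rules sit on the upstream switch port facing the host
# where .13 ran when the ACL was written (hypothetical host name esx-b).
PORT_ACLS = {"esx-b": DENIED}

# Model 2: each VM carries a profile holding the deny rules that concern it,
# enforced at its virtual switch port on whichever host it runs.
PROFILES = {vm: {pair for pair in DENIED if vm in pair} for vm in VMS}

# Constructed placements: before VMotion and after two possible moves of .13.
PLACEMENTS = {
    "initial": {VM11: "esx-a", VM12: "esx-a", VM13: "esx-b"},
    "moved to another host": {VM11: "esx-a", VM12: "esx-a", VM13: "esx-c"},
    "moved next to its peers": {VM11: "esx-a", VM12: "esx-a", VM13: "esx-a"},
}


def port_acl_forwards(a, b, placement):
    """True if a <-> b is forwarded when ACLs live on physical switch ports."""
    host_a, host_b = placement[a], placement[b]
    if host_a == host_b:
        # Locally switched in the hypervisor: the frame never crosses a
        # physical port, so no ACL is evaluated and nothing is logged.
        return True
    pair = frozenset({a, b})
    return not any(pair in PORT_ACLS.get(h, set()) for h in (host_a, host_b))


def profile_forwards(a, b, placement):
    """True if a <-> b is forwarded when policy is bound to the VM.

    The placement argument is accepted but unused: the result does not
    depend on where the VMs run, which is the point of the model.
    """
    pair = frozenset({a, b})
    return pair not in PROFILES[a] and pair not in PROFILES[b]


def violations(forwards, placement):
    """Pairs that can talk although the intended policy does not permit it."""
    return [(a, b) for a, b in combinations(VMS, 2)
            if forwards(a, b, placement)
            and frozenset({a, b}) not in PERMITTED]


def audit():
    """Run both enforcement models over every placement."""
    return {name: {"port_acl": violations(port_acl_forwards, p),
                   "vm_profile": violations(profile_forwards, p)}
            for name, p in PLACEMENTS.items()}


if __name__ == "__main__":
    for name, result in audit().items():
        print(f"{name}: {result}")
```

The port-bound ACL holds only for the initial placement; either move of .13 leaves both denied pairs reachable, while the VM-bound profile reports no violations in any placement.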


Cisco Nexus 1000V Components

Virtual Ethernet Module (VEM)

Replaces existing vSwitch

Enables advanced switching capability on the hypervisor

Provides each VM with dedicated “switch ports”

Virtual Supervisor Module (VSM)

CLI interface into the Nexus 1000V

Leverages NX-OS 4.01

Controls multiple VEMs as a single network device

[Diagram: three VMW ESX servers (Server 1 with VM #1 to #4, Server 2 with VM #5 to #8, Server 3 with VM #9 to #12), each running a Nexus 1000V VEM, with the Nexus 1000V VSM and Virtual Center]


Port Profiles Propagation

1. Nexus 1000V VSM automatically enables port groups in vCenter via API

2. Server Admin uses Virtual Center to assign vnic policy from available port groups

3. Nexus 1000V automatically enables VM connectivity at VM power-on

[Diagram: Nexus 1000V VSM, Virtual Center, and VMW ESX Server 1 running a Nexus 1000V VEM with VM #1 to #4; the numbers 1 to 3 mark the steps above]

Available Port Groups: WEB Apps, HR, DB, Compliance

WEB Apps:

PVLAN 108, Isolated

Security Policy = Port 80 and 443

Rate Limit = 100 Mbps

QoS Priority = Medium

Remote Port Mirror = Yes


What do Port Profiles Include?

Policy definition supports:

VLAN, PVLAN settings

ACL, Port Security, ACL Redirect

Cisco TrustSec (SGT)

NetFlow Collection

Rate Limiting

QoS Marking (COS/DSCP)

Remote Port Mirror (ERSPAN)

[Diagram: Virtual Center, Nexus 1000V VSM, and a VMW ESX server running a Nexus 1000V VEM with VM #1 to #4]


Cisco Nexus 1000V: Faster VM Deployment

Cisco VN-Link—Virtual Network Link

• Policy-Based VM Connectivity

• Mobility of Network & Security Properties

• Non-Disruptive Operational Model

VM Connection Policy

Defined in the network

Applied in Virtual Center

Linked to VM UUID

Defined Policies: WEB Apps, HR, DB, Compliance

[Diagram: two VMW ESX servers hosting VM #1 to #8 on one Cisco Nexus 1000V, with Virtual Center]


Cisco Nexus 1000V: Richer Network Services

VN-Link: Virtualizing the Network Domain

• Policy-Based VM Connectivity

• Mobility of Network & Security Properties

• Non-Disruptive Operational Model

VMs Need to Move

VMotion

DRS

SW Upgrade/Patch

Hardware Failure

VN-Link Property Mobility

VMotion for the network

Ensures VM security

Maintains connection state

[Diagram: two VMW ESX servers hosting VM #1 to #8 on one Cisco Nexus 1000V, with Virtual Center]


Cisco Nexus 1000V: Increase Operational Efficiency

VN-Link: Virtualizing the Network Domain

• Policy-Based VM Connectivity

• Mobility of Network & Security Properties

• Non-Disruptive Operational Model

Network Benefits

Unifies network mgmt and ops

Improves operational security

Enhances VM network features

Ensures policy persistence

Enables VM-level visibility

Server Benefits

Maintains existing VM mgmt

Reduces deployment time

Improves scalability

Reduces operational workload

Enables VM-level visibility

[Diagram: two VMW ESX servers hosting VM #1 to #8 on one Cisco Nexus 1000V, with Virtual Center]


Security Function Comparisons

Security Function | VMware | Cisco
Segmentation | Port Groups (VLAN, PVLAN-single host only), no promiscuous | VLAN/PVLAN, QoS (Marking),
Access Control | | VACLs, PACLs, Port Security, Rate Limiting
Anti-Spoofing | Anti-spoofing (MAC) | CISF (DHCP Snooping, IP Source Guard, Dynamic ARP Inspection)
Visibility | IPFIX lite Netflow v5 | Netflow v5, v9, ERSPAN,


ESX Server NIC Teaming and VSS/vPC

VSS leverages the best of the MAC Pinning and IP Hash load-balancing

VSS/vPC

Increased availability, no single point of failure

Better load sharing

One VM can use more than 1G of traffic

Can do concurrent VMotion over different links

With Nexus 1000V we can choose from 16 different LB scenarios

[Diagram: VMware ESX host with vSwitch/VEM and three VMs (App/OS)]


Nexus 1000V vPC Host Mode

N1k-VSM#sh cdp neighbors
Device ID    Local Intrfce    Platform     Port ID
N1k-VSM      Eth 3/1          WS-4900-1    Gig 1/1
N1k-VSM      Eth 3/2          WS-4900-1    Gig 1/2
N1k-VSM      Eth 3/3          WS-4900-2    Gig 1/1
N1k-VSM      Eth 3/4          WS-4900-2    Gig 1/2

The Nexus 1000V detects the upstream switch using CDP and builds a port-channel bundling all the links to the same switch (max 2 groups)

“channel-group auto mode on subgroup cdp”

No need for VSS/vPC

[Diagram: VMware ESX host running Nexus 1000V with three VMs (App/OS), managed by the Virtual Supervisor Module (VSM)]


Security and Nexus 1000V

NetFlow, ERSPAN, Rate-Limiting, ACL, PVLAN are now configured on the Nexus 1000V

VLAN, PVLAN, ACL, port security

CTS, ERSPAN

NetFlow v5/v9

Rate Limiting, QoS Marking (COS/DSCP)

[Diagram: two hosts, each running Nexus 1000V with two VMs (App/OS)]


Intra VM Inspection with Firewall – PVLAN

Nexus 1000v Makes this possible

Segmentation between Servers on the same VLAN

Server-to-Server traffic is required to be inspected by Firewall

VMs assigned “Isolated Port” port profile

Switchport segmentation via PVLAN assigned to Port-Profile

FWSM acts as “promiscuous-port”

Firewall Policies control Server-to-Server traffic w/ logging

[Diagram: two Nexus 1000v hosts connected to an FWSM or ASA]


Intra VM Inspection with IDS – ERSPAN

Nexus 1000v Makes this possible

Take a Copy of Traffic from Servers and Switch to Appliance

IDS appliances analyze Server traffic and log activity

ERSPAN

Set Port-Profile w/ Switch port SPAN session

IP SPAN traffic to 6500

SPAN to connected 4200-IPS

Export Netflow Records to MARS appliance

[Diagram: two Nexus 1000v hosts sending traffic copies to IPS and MARS]


Cisco Virtual Network Link – VN-Link: Virtualizing the Network Domain

Two Complementary Models to Address Evolving Customer Requirements

• Policy-Based VM Connectivity

• Mobility of Network & Security Properties

• Non-Disruptive Operational Model

Cisco Nexus 1000V (Software Based)

• Cisco switch for VMW ESX

• Compatible with any switching platform

• Leverages Virtual Center for server admin; Cisco CLI for network admin

Nexus 5000 with VN-Link (Hardware Based)

• Scalable, hardware based, high performance solution

• Standards driven approach to delivering hardware based VM networking

• Combines VM & physical network operations into 1 managed node

[Diagram: VMW ESX server with VM #1 to #4 attached through an initiator to a Nexus 5000; VMW ESX server with VM #1 to #4 running Nexus 1000V and attached through two NICs to the LAN]


Virtual Machine Deployments

Low Density Servers

• Small number of VMs (2-12) per host

• Low to High utilization per VM

• Mixed traffic N/S/E/W

Medium Density Servers

• Increases number of server VMs (40-60)

• Low utilization per VM

• Mixed traffic N/S/E/W

Virtual Desktop (VDI)

• High number of VMs (100+) per host

• Low utilization per VM

• Traffic is almost always North/South

[Diagram: Network Interface Virtualization (VMW ESX server with VM #1 to #4, initiator, Nexus 5000) and Software Switching (VMW ESX server with VM #1 to #4, Nexus 1000V, two NICs to the LAN)]


Storage Virtualization


© 2009 Cisco Systems, Inc. All rights reserved. Cisco Public BRKDCT-1870

SAN Consolidation & Higher Performance

SAN consolidation for operational efficiency

Cabling, power, space, cooling savings

Management simplification

Maintenance and licensing costs reduction

Upgrade SAN for higher performance

Applications demanding higher performance

Blade Server and Virtual Machine for server consolidation

Higher speed Inter Switch Links (ISLs)

High-end storage


MDS 9000 8G Fibre Channel Modules: Tiered Connectivity Options

4/44-Port 8-Gbps Host-Optimized Module (4 x 8G ports, 44 x 4G ports)

48-Port 8-Gbps FC Module

24-Port 8-Gbps FC Module

Inter Switch Links

High End Storage

High Performance Servers

Highly Virtualized Servers

Standard Servers

Best Price/Port Option

Predictable, high performance, non-blocking architecture

Up to 528 8G Fibre Channel ports


SAN Consolidation – 2G/4G to 8G Migration

8:1 and 3:1 consolidation by migrating to 8G!

MDS 9506 to MDS 9513 (MDS 2G to MDS 8G): 8x MDS 9506 with 16-Port 2G Modules, 1x MDS 9513 with 48-Port 8G Modules

MDS 9509 to MDS 9513 (MDS 4G to MDS 8G): 3x MDS 9509 with 24-Port 4G Modules, 1x MDS 9513 with 48-Port 8G Modules

Elimination of ISLs enables even more consolidation


Multi-layer SAN Virtualization (Cisco MDS)

Virtual SAN (VSANs), Blade Switch Virtualization, Link Virtualization, Storage Virtualization, Port Virtualization, FlexAttach

Partitioning of a SAN into multiple SANs (virtual SANs) for enabling fabric and storage consolidation

Enables server mobility, reducing need for SAN and server teams to coordinate changes

Enables granular (secure) zoning and QoS for SAN-attached VMs using RDM with N-Port ID Virtualization (NPIV)

Enables large-scale blade server deployments, simplifies management, and multi-vendor SAN connectivity

Enables multiple applications to share SANs without compromising performance (traffic management)

Enables tiered storage services, online data migration, and heterogeneous copy services

[Diagram labels: DB VSAN, Tape VSAN, DR VSAN, Email VSAN; virtual HBAs; blade servers; blade switch transparent to server I/Os; servers connect to SAN core sharing same connection (link); SAN core and edge; server admin and SAN admin]


VM-Optimized Storage Services

Flex Attach: Autonomy and flexibility for server additions, moves, and changes.

NPIV / NPV technologies avoid the need for reconfiguration with server changes.

F-Port Port Channeling and Trunking extends VSAN benefits and increases resilience.

[Diagram labels: Sales, R & D, Finance]


N-Port ID Virtualization (NPIV)

Mechanism to assign multiple N_Port_IDs to a single N_Port

Allows all the access control, zoning, and port security (PSM) to be implemented at the application level

Multiple N_Port_IDs are allocated in the same VSAN

On all MDS and Nexus 5000

[Diagram: application server connected to an FC switch; Email I/O uses N_Port_ID 1, Web I/O uses N_Port_ID 2, File Services I/O uses N_Port_ID 3]


NPV (N-Port Virtualizer)

NPV makes the FC switch’s uplink connections act as server HBA connections, instead of acting like an Inter-Switch Link (ISL)

Utilizes NPIV type functionality to allow multiple server logins from other switch ports (non-uplink) to use uplink ports

MDS 9134, MDS 9124, Blade FC, Nexus 5000

Compatible with any SAN vendor

[Diagram: NPV switch with an NP port, behaving as an HBA, connected to an F port on an FC switch from any vendor]


NPIV Usage Examples

[Diagram: two examples. Virtual Machine Aggregation: an NPIV enabled HBA attached to an F_Port. ‘Intelligent Pass-thru’: an NPV edge switch whose NP_Port attaches to an F_Port.]


VM Storage Zoning via NPIV

Multiple Logins on a Single Point-to-Point Connection

VMs share pHBA

VMs use NPIV and RDM, vHBA can be zoned individually

The virtual HBA and the related disk are zoned together

There are as many virtual zones as virtual servers

[Diagram: virtual servers with pWWN-1 to pWWN-4 above the hypervisor and hardware (pWWN-P), each mapped through a zone on the MDS9000 to the 4 LUNs mapped on the disk array]


Enhanced Blade Switch Resiliency

F-Port Port Channel

Bundle multiple ports into 1 logical link

Any port, any module

High-Availability (HA)

Failure of a cable, port, or line card is transparent to blade servers

Traffic Management

Higher aggregate bandwidth

Hardware-based load balancing

F-Port Trunking

Partition F-Port to carry traffic for multiple VSANs

Extend VSAN benefits to blade servers

Separate management domains

Separate fault isolation domains

Differentiated services: QoS, Security

[Diagram, F-Port Port Channel: blade system (Blade 1, Blade 2, Blade N) in NPV mode, N-Port to F-Port port channel to the core director, SAN, storage]

[Diagram, F-Port Trunking: blade system (Blade 1, Blade 2, Blade N) in NPV mode, N-Port to F-Port trunk carrying VSAN 1, VSAN 2 and VSAN 3 to the core director, SAN, storage]


VMware ESX Storage Mapping Options

VMFS (VM File System): clustered file system (Local/iSCSI/FC)

RDM (Raw Device Mapping): (iSCSI/FC)

Notes:

• Both support VMotion

• VMFS is much more widely deployed than RDM

• RDM from ESX 3.5, performance concerns regarding VMFS


Unified I/O and Virtualization

??? Demo


I/O Consolidation – in the Host

VMware puts enormous interface demand on the servers

ESX v4 minimum of 4 x 1GbE, 2 x HBA, 1 x Mgmt

Less power consumption, fewer cables, better cooling

[Diagram: separate FC HBAs (FC traffic), NICs (Ethernet traffic) and HCAs (IPC traffic) replaced by CNAs; all traffic goes over 10GE]


4/23/2009 Nuova Systems Inc., Company Confidential - NDA Required

FC over Ethernet (FCoE)

Mapping of FC Frames over Ethernet

Enables FC to Run on a Lossless Ethernet Network

FCoE Benefits

Fewer Cables

Both block I/O & Ethernet traffic co-exist on same cable

Fewer adapters needed

Overall less power

Interoperates with existing SANs

Management of SANs remains constant

No Gateway

[Diagram: Fibre Channel traffic carried over Ethernet]


Gateway-less FCoE

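[Diagram: with iSCSI, the iSCSI initiator reaches the FC target through a stateful iSCSI gateway between Ethernet and the FC fabric, with an iSCSI session on one side and an FCP session on the other; with FCoE, the FCoE initiator reaches it through a stateless FCoE mapper (encaps/decaps) carrying one FCP session]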

Stateful gateway issues:

Single point of failure

Limited scalability


FCoE Benefits – cable, adapter reduction

16 Servers | Enet | FC | Total
Adapters | 16 | 16 | 32
Switches | 2 | 2 | 4
Cables | 36 | 36 | 72
Mgmt Pts | 2 | 2 | 4

16 Servers | Enet | FC | Total
Adapters | 16 | 0 | 16
Switches | 2 | 0 | 2
Cables | 36 | 4 | 40
Mgmt Pts | 2 | 0 | 2

Nearly HALF the Cables

[Diagram: the two layouts behind the tables, each with LAN, SAN A and SAN B]


Today’s End of Row Deployment

[Diagram: rows of server racks and blade servers with separate Ethernet and FC connections]


Fabric Extender – Benefits of EoR and ToR

[Diagram: rows of server racks and blade servers; copper in racks, fiber between racks; Nexus 5000 as the central point of management]


Nexus Fabric Extender

High density server aggregation switch that:

Physically resides on the top of each rack but

Logically acts like an end of row access switch

Combines benefits of both ToR and EoR architectures

Introduces a new “remote line-card” design paradigm

Reduces management devices

Ensures feature consistency

Reduces cable runs, power consumption

Nexus 2148T Fabric Extender: 48x 1GE downlink ports, 4x 10GE uplink ports


Business Benefits Fabric Extender

• Simplified operational model

• Reduced management points

• Significant cabling reduction

• Software Feature and image consistency

• Lower TCO

• Common architecture enables 1GE to 10GE migration

• Future-proofing for Unified Fabric migration

• NX-OS (software modularity, high availability etc.)


ToR/EoR Nexus Deployment

[Diagram: racks Rack-1 to Rack-12, each with a FEX and 4x10G uplinks to a Nexus 5020 acting as the central point of management; access layer (servers), aggregation layer with VSS/vPC at the L2/L3 boundary, and core layer]
