Table of Contents HOL-PRT-1305

Transcription

1 Table of Contents Lab Overview Abstract... 3 Overview of Cisco Nexus 1000V series Enhanced-VXLAN... 5 vcloud Director Networking and Cisco Nexus 1000V... 7 Solution Architecture... 9 Verify Cisco Nexus 1000V and vcloud Director Integration Verify Cisco Nexus 1000V in vcloud Director Create organization networks leveraging Enhanced VXLAN in Cisco Nexus 1000V Create Organization vdc internal network leveraging Enhanced VXLAN Verify Enhanced VXLAN capability on Nexus 1000V Deploy Web vapp for SilverGroup Port-Mirroring using ERSPAN on Cisco Nexus 1000V Configure and verify ERSPAN on the Cisco Nexus 1000V Configure QOS for Enhanced VXLAN network on Cisco Nexus 1000V Configure and verify QOS for Enhanced VXLAN network traffic Congratulations!! Conclusion Page 1

2 Lab Overview Page 2

3 - Abstract Traditionally VXLAN required Multicast support in your network which made it a bit complex to deploy. With Enhanced VXLAN now supported with the Cisco Nexus 1000V, you could achieve segmentation at scale for your cloud with a simplified deployment process. Enhanced VXLAN does not require Multicast, is purely Unicast based and is a highly scalable solution. Network isolation techniques such as IEEE 802.1Q VLAN provide 4096 LAN segments through a 12-bit VLAN identifier and may not provide enough segments for large cloud deployments. VXLAN uses a 24-bit LAN segment identifier to provide segmentation at cloud scale. Goal In this lab the participant will take on the role of the IT administrator who is providing infrastructure services to different business units by leveraging the Cisco Nexus 1000V distributed switch using Enhanced VXLAN based network isolation. The IT administrator will configure network SPAN on the Nexus 1000V for visibility into network traffic and apply QOS policies for Enhanced VXLAN traffic. This content is intended to provide the participant an interactive and hands-on experience with configuring VXLAN on the Cisco Nexus 1000V and configuring and using a VXLAN backed network pools in vcloud Director. Finally, the participant will experience the network level visibility and control provided when the Cisco Nexus 1000V is used to select network classes in vcloud Director. Target Audience This lab is appropriate for cloud IT administrators who want to learn more about Cisco Nexus 1000V and Enhanced-VXLAN Lab Scenario The IT department at the Umbrella IT Corporation is providing cloud services for internal departments in their organization. The Silver Group has requested that the IT department host their web application. The IT administrator will create an organization representing the Silver Group in vcloud Director and will use Enhanced VXLAN to provide network isolation, the web application is deployed as a vapp in this organization. Since the Silver Group Web vapp is leveraging Nexus 1000V, the IT admin can enable port-mirroring and QOS to troubleshoot any network issues or provide application QOS on Enhanced VXLAN traffic in the vapp. Page 3

4 Page 4

5 Overview of Cisco Nexus 1000V series Enhanced-VXLAN VXLAN is a Layer-2 network isolation technology that uses a 24-bit segment identifier to scale beyond the 4K limitation of VLANs. VXLAN creates LAN segments by using an overlay approach with MAC-in-IP encapsulation. The Virtual Ethernet Module (VEM) encapsulates the original Layer-2 frame leaving the Virtual Machine. While VXLANs have enabled a whole new level of scalability for virtual networks, one of the challenges in deploying VXLAN is its use of IP Multicast to implement the L2 over L3 network capability. VXLAN is a MAC-in-IP encapsulation protocol in a UDP frame. The Nexus 1000V virtual switch that acts as the VXLAN termination takes the L2 packet from the VM, wraps it in a L3 IP header, and sends it out over UDP. But the challenge is that there s no way to determine which IP address should be used for the destination host (VXLAN termination point) at which the desired MAC address can be found. VXLAN traditionally resort to IP Multicast (e.g., flooding and dynamic MAC-learning) to determine which IP address the packet should be sent to given only the destination MAC address. This leads to a lot of extra set-up, excessive network traffic, and some dependence on the physical network to be an IP Multicast enabled core. Now Cisco has introduced Enhanced-VXLAN technology. VXLAN Encapsulated Frame Format Each VEM is assigned an IP address, which is used as the source IP address when encapsulating MAC frames to be sent on the network. This is accomplished by creating vmknics on each VEM. You can have multiple vmknics per VEM that are used as sources for this encapsulated traffic. The encapsulation carries a VXLAN identifier, which is used to scope the MAC address of the payload frame. VEM VMKNIC Interface with VXLAN Capability The connected VXLAN is specified within the port-profile configuration of the vnic and is applied when the VM connects. VXLAN frames are originated and terminated on the VXLAN tunnel end points called VTEPs and VM is unaware of the encapsulation. Page 5

6 In Enhanced VXLAN mode, instead of flooding to multicast destination, VEM will perform ingress replication of packets and send it over to other VEMs. Each VEM has intelligence of membership information of other VEMs and associated VTEPs for a given VXLAN segment. When a VM joins a VXLAN segment a VEM will publish its VTEP and segment membership information to VSM. Each VEM will publish its own information to VSM. VSM will then build a database of all VTEPs for each VXLAN segment and distribute this to all VEMs. This information is dynamically updated on all the VEMs and each VEM uses this membership list for flooding instead of using Multicast. VSM, in addition, maintains a complete MAC forwarding table for all hosts and distributes it to all the VEMs to enhance security by dropping unknown unicast packets, and eliminates traditional flood and learn forwarding methods. This allows control-plane based forwarding and also eliminates unknown unicast scenarios leading to security gaps. Page 6

7 vcloud Director Networking and Cisco Nexus 1000V VMware vcloud Director provides three classes of networks. The network class defines the boundaries and respective service levels for each function within a given cloud s network architecture. External Networks External networks provide transport between organizations or to networks outside of a single-tenant network, such as the Internet. External networks are managed by the vcloud Director administrator and are not directly visible to a tenant organization. This network type is also sometimes called a provider or data center network. Organization Networks A network allocated to a single organization or tenant and backed by the managed allocation of network resources for that organization. A single organization may have many types of organization networks. Organization networks provide network segments within a single tenant, and allow connectivity between vapps assigned to the same organization network. vapps that are on different organization networks, even within the same tenant organization, are not in the same broadcast domain. The resources to create the isolation are managed by the vcloud administrator and are provided to organizations as a managed allocation. The organization administrator has the ability to create isolated networks as needed. Internal Network Like an organization network, a vapp network is a segment that is created for the particular application stack within the organization s network to enable multi-tier applications to communicate with each other, and at the same time, to isolate the intra-vapp traffic from other applications within the organization. It is important to understand the relationship between the virtual networking constructs, features of the Cisco Nexus 1000V, and the classes of networks defined and implemented in a vcloud Director environment. Most often a network class (organization and vapp, specifically) is described as being backed by an allocation of isolated Page 7

8 networks. In other words, in order for an organization administrator to create an isolated vapp network, the administrator must have a free isolation resource to consume and to use in order to provide that isolated network for the vapp. vcloud Director employs three different networks to create managed pools of isolation that can be allocated between and within tenant organizations. All three classes of networks can be supported using the virtual networking features of the Cisco Nexus 1000V Series. The network pool type used to provision organization network is of type: vcloud Network Isolationbacked A vcloud Network Isolation-backed (VCNI) network pool provides isolated Layer-2 networks for multiple tenants of a cloud without consuming the VLAN IDs. This isolationbacked network pool does not require pre-existing VLAN IDs in vsphere. It uses portgroups that are dynamically created. A Cloud isolated network spans hosts, provides traffic isolation from other networks, and is the best source for vapp networks. When leveraging Cisco Nexus 1000V Series Switches to provide a network pool that is backed by vcloud Network Isolation, the underlying layer, Layer 2 isolation technology is Enhanced-VXLAN. Page 8

9 Solution Architecture Key components of the solution to integrate Cisco Nexus 1000V with VMware vcloud Director VMware vcloud Director and vcns Manager Communication Cisco Nexus 1000V VSM and vcns Manager Communication VMware vcns Manager and vcenter Communication vcenter and Cisco Nexus 1000V VSM Communication vcloud Director and vcns Manager Communications vcloud Director provides network services to the Cloud via VMware vcns Manager. vcns Manager interacts with Cisco Nexus 1000V VSM to make the 1000V available to vcloud Director to build any type of network when building a tenant cloud. Each vcloud Director cell requires access to a vcns Manager host, which in turn provides network services to the cloud. You must have a unique instance of vcns Manager for each vcenter server you add to vcloud Director. NexusCisco Nexus 1000V VSM and vcns Manager Communications vcloud Director interacts with the Cisco Nexus 1000V using vcns Manager. Cisco Nexus 1000V VSM implements a REpresentational State Transfer (REST) API that allows the user to create all types of networks supported by vcloud Director. This allows the user to design and implement networks in vcloud Director which then get created on the Cisco Nexus 1000V Series Switch. VMware VCNS Manager needs the following information to manage the VSM. a) VSM connectivity details b) Number of VXLANs which that can be consumed by vcloud Director c) Multicast Group address associated with Network Pool in vcns manager. This is ignored and not used by Nexus 1000V for Enhanced-VXLAN Networks VCNS Manager and vcenter Communications This communication will occur when an organization routed network is required for an organization. vcns Manager will instantiate a VCNS Edge appliance dynamically to Page 9

10 provide Network Address Translation (NAT), and IP Gateway gateway service for an organization network. vcenter and Cisco Nexus 1000V VSM Communications vcenter provides centralized control and visibility to VMware vsphere virtual infrastructure and is tightly integrated with the Cisco Nexus 1000V. This integration enables the network administrator and the server administrator to collaborate efficiently. While the networking policies can be enforced in the virtual access layer just like as in the physical network, Cisco Nexus 1000V helps maintain separation of duties for the network and server teams.. Page 10

11 Verify Cisco Nexus 1000V and vcloud Director Integration Page 11

12 Verify Cisco Nexus 1000V in vcloud Director In this lesson you'll review and learn Enhanced VXLAN configuration on Nexus 1000V and how Nexus 1000V registers with vcns Manager as an external switch provider. In addition you'll verify the configuration of the network policy for an organization in vcloud Director. The configuration will be verified through the Nexus 1000V CLI. Page 12

13 Open a PuTTY connection to the Nexus 1000V VSM Note: Refer to " Key-In help" text file on your Control Center Desktop to find or Copy/Paste Login details and Commands used in this lab guide. Click on Start -> PuTTY, this will open up the PuTTY client. Or alternately double click on Putty icon on Desktop. Login to Nexus 1000V VSM console Scroll down the list of saved sessions and select the host, Nexus 1000V VSM host, vsm.corp.local from the saved sessions. Click on the Open button to open the session. The login credentials are: User name: admin Page 13

14 Password: Cisco123 Page 14

15 Verify Features on Nexus 1000V VXLAN functionality on the Ciso Nexus 1000V is enabled by configuring the feature segmentation.theintegration with vcns Manager is enabled by configuring the network-segmentation feature. These features have already been enabled while preparing this lab. The "show feature" command output shows that both of these features have been enabled. On the Nexus 1000V console, run the command: show feature Page 15

16 View the capability vxlan Port-Profile To view the port-profile configured to carry VXLAN traffic, run the command: show run port-profile vmk-vxlan The port-profile configured for VXLAN traffic will have capability vxlan configured on it. This port-profile is attached to a vmkernel interface on each ESXi host which will serve as the source of VXLAN traffic. We will verify this in the next step. Page 16

17 VXLAN Port-Profile Deploying VXLAN requires the creation of a VMkernel interface on each ESXi host that will be sending VXLAN traffic. In this lab we have two ESXi hosts, a VMkernel interface has been created for each host and configured to use the vmk-vxlan port-group. To see the VMkernel interfaces that are attached to the the vmk-vxlan port-profile, run the following command: show port-profile name vmk-vxlan Here we see that Vethernet3 and Vethernet4 are attached to the vmk-vxlan portprofile. Network Policy for vcloud Director Organization Network Nexus 1000V provides an easy way to define and apply a network policy at an organization level in vcloud Director. In the output below, the policy SilverGroup- Policy is tied to the organization in vcloud Director that is representing SilverGroup by means of the organization ID. Any internal networks that are created for this organization will have this network policy applied to them by default. The networksegment policy is also configured to import a port-profile that can be configured with QoS policies or ACLs that will be applied on an organization-wide level. Page 17

18 To view the network-segment policy that is tied to Silver Group enter the following command: show run network-segment policy SilverGroup-Policy Subsequent lessons in the lab will illustrate the network-segment policy being automatically applied to a new organization network, and QoS configuration on the SilverGroup-Profile being applied to VXLAN traffic. Integrating Nexus 1000V with vcns Manager Nexus 1000V Network Segmentation Manager (NSM) integrates with vcns Manager to provision a pool of network segments that are backed by VXLAN. The configuration includes registering the Nexus 1000V NSM and configuring the range of multicast addresses and associated VXLAN segment identifiers. In this lesson we will log in to the VCNS Manager web interface and verify the VSM and vcenter status. Page 18

19 Login to the vcns Manager Web Interface Double-click the desktop shortcut called vcns Manager and accept the security certificate error if prompt, to proceed to the login screen for VCNS Manager. Use the following login credentials: User name: admin Password: default Page 19

20 Verify Nexus 1000V is successfully registered Navigate to Settings & Reports -> Configuration -> Networking. You'll see Nexus 1000V registered as a External Switch Provider. Page 20

21 Verify Network Pool Configuration Navigate to Datacenters->Datacenter-Site A-> Network Virtualization- >Preparation->SegmentID. The network pool configuration will show the multicast addresses and VXLAN segments in to pool. In this lab we have configured VXLAN segments from to Please ignore Multicast group values here, as these are ignored by the Nexus 1000V switch for Enhanced VXLAN networks. DataCenter-Site-A and Cluster-Site-B is pre-provisioned for you in this lab. Network segments created here will be consumed by VM's in this Datacenter. Page 21

22 Nexus 1000V networking in vcloud Director Next step is to verify that the VXLAN backed network pools are available to use in vcloud Director. This is verified by logging into vcloud Director using the Umbrella IT administrator's credentials. Double-click on vcloud Director shortcut on your Desktop and login to vcloud Director. vcloud Login: administrator Password: VMware1! Page 22

23 Verify Network Pool provider VSM Navigate to Manage & Monitor > Cloud Resources> Network Pools. You will see a network pool called SilverGroup-vDC-VXLAN, this network pool is backed by VXLAN on the Nexus 1000V In Network Pools Pane, SilverGroup-vDC-VXLAN shows - vds providing the network is the Nexus 1000V as indicated by the switch name VSM. Page 23

24 Create organization networks leveraging Enhanced VXLAN in Cisco Nexus 1000V Page 24

25 Create Organization vdc internal network leveraging Enhanced VXLAN The previous chapters introduced the basic configuration to deploy a VXLAN backed organization network in vcloud Director. Silver Group Organization vdc has one internal network created for it to host their web application. They have now made a request to Umbrella IT for a new network segment for their test environment. The actions in this lab chapter are performed by the Umbrella IT administrator through the vcloud Director system portal that was accessed in the previous chapter. In this lesson we will create a new internal network for Silver Group using Nexus 1000V Enhanced VXLAN network pool. Viewing SilverGroup Organization vdc Properties Double-click on the vcloud Director shortcut on your Desktop and login to vcloud Director. vcloud User name: administrator Password: VMware1! Page 25

26 SilverGroup Organization vdc Properties Once logged into the vcloud Director administrator GUI: Select System -> Manage & Monitor -> Organization vdcs -> Click on SilverGroup link Page 26

27 Organization Networks Configuration Navigate to Org VDC Networks in SilverGroup vdc Top Menu Here you will see that Silver Group already has two networks configured for it. These networks are created as part of the lab preparation and are consumed by SilverGroup vapp VMs. The organization has been set up with one external network, which is a Direct Network and one Internal isolated network, which is using the VXLAN Network Pool. We now want to add another internal network to Silver Group to support the new vapp requirements. Click on the + button to add an organization network. Page 27

28 Configure a new Internal Network for SilverGroup Select Create an isolated network within this virtual datacenter in Network Type. Then Click Next Page 28

29 Configure organization network details This screen allows the administrator to define network mask, default gateway and range of IP addresses that can be used by VMs on the network. Enter values as shown in the screen and click on the Next button to proceed. Enter Values as shown here: Gateway address: Network mask: Static IP Pool: Name Organization vdc Network This is the last step in the creation of the internal network, provide a name SilverGroup_Test_Net_1 and an optional description and click on the Next button. Then Click Finish on next Screen Page 29

30 Page 30

31 Verify Org Network creation The network status for SilverGroup-Test-net-1 will show Creating for a few seconds while the network is created and the associated port-profiles created on Nexus 1000V. Once the network has been created successfully it will show up with a green check mark against it. In case you do not see green check mark for the newly created network, hit the Refresh button in vcd. This network can now be utilized for the test vapps that the Silver Group wants to deploy, however this lab will not cover creating and deploying a new vapp. For the rest of the lab we will be using the previously created SilverGroup_Web1 internal network for the SilverGroup-Web-vApp. Verify Nexus 1000V Port-Profile created for new organization vdc network The creation of a new organization network will result in a port-profile being created on the Nexus 1000V VSM through the vcloud Director interface to the vcns Manager. This new port-profile will inherit the port-profile SilverGroup-Profile that was imported into the network-segment policy SilverGroup-Policy tied to this organization. To verify the new network on the Nexus 1000V, login to the Nexus 1000V console : 1. Double click on Putty icon on desktop and open session to vsm.corp.local Page 31

32 Nexus 1000V console login credentials: User: admin Password: Cisco To view the newly created port-profile, From Nexus 1000V console, run this command : show port-profile brief The port-profile is auto-generated and it may not exactly match the output above. However, it will contain the name of the test network created SilverGroup_Test_Net1. Verify SilverGroup-Profile for new organization network To view the details of the port-profile configuration, copy the name of the port-profile from the previous command and provide it as input to: show run port-profile <Test-profile-name> The output of this command shows the port-profile inheriting SilverGroup port-profile which will be used to configure network policies for this organization network. Page 32

33 Note: The port-profile name might be different in your specific setup. Deploying Web vapp for Silver Group The Silver Group has created a web application to run on the SilverGroup_Web1 network. In this exercise you'll deploy the Web-vApp and verify that it is running successfully. The steps in this lesson are carried out by the Silver Group administrators (admin) through a organization-specific portal provided to them by Umbrella IT. Page 33

34 Logging into vcloud Director Double Click on SilverGroup vcloud IE Shortcut icon on your Desktop to Open the vcloud Director Web GUI. Page 34

35 SilverGroup Admin Login Use SilverGroup administrators (admin) credentials to login to SilverGroup Cloud Portal. User name : admin Password: VMware1! Page 35

36 Managing the Cloud for the SilverGroup Select the My Cloud tab to view the vapps and VMs for an organization. To explore the vapp that has been created, click Open as indicated in Screenshot. Verify SilverGroup-Web-vApp VM's Networking details The vapp deployed for Silver Group consists of a web server and a client. The IP addresses on the VMs have been configured to use static addresses, and they are on the SilverGroup_Web1 network. Page 36

37 Verify Enhanced VXLAN capability on Nexus 1000V Verify Multicast-less, i.e Enhanced VXLAN configuration for logical networks in Nexus 1000V. Show bridge-domain verifies segmentation mode is unicast-only. Group-IP in the command output is ignored in Nexus 1000V. Verify Bridge-Domain Segment Mode Unicast-Only Segmentation Mode Unicast-Only can either be specified at Global level or for specific Bridge Domain. In the above example you see there are 2 Bridge Domains dynamically created in Nexus 1000V by VCNS Manager. 2nd Bridge Domain with Segment ID is consumed by 3 virtual ethernet ports, i.e its consumed by SilverGroup Web vapp VM's pre-provisioned for this lab. Verify VM's associated with VXLAN segments Show bridge-domain brief command on Nexus 1000V console shows all vethernet interfaces for a particular bridge-domain network, which is dynamically created by VCNS Page 37

38 manager, when create Org network in vcloud Director. Show interface virtual displays VM's associated with veth ports. Page 38

39 Verify VXLAN VTEPs As we've learned in previous Lab lessons, every VEM has a VMkernel interface with capability-vxlan port-profile attached. This vmkernel interface is a tunnel endpoint (VTEP) for for VXLAN segment. In this output, there are 2 VEM's, Module 3 and 4 with one VTEP each assigned IP address of & Page 39

40 Deploy Web vapp for SilverGroup Silver Group has created a web application to run on the SilverGroup_Web1 network. In this exercise we will deploy the vapp and verify that it is running successfully. The steps in this lesson are carried out by Silver Group administrators through a organizationspecific portal provided to them byumbrella IT. Start SilverGroup-Web-vApp To Open the vapp, Navigate to My Cloud -> vapps -> SilverGroup-Web-vApp. Select Start, if vapp is in Stopped State. Note: Continue to use vcloud Director open browser session. If you've closed your browser session, please follow previous Step # 26. Page 40

41 SilverGroup vapp Client access Select SilverGroup-Web-vApp and click on the icon for Client VM. This will open VMRC console for the VM. Page 41

42 Login to Client VM Login to Client VM with credentials: User: vmware Password : VMware1! Page 42

43 Open Web Server in Browser Double Click "Cisco Systems" IE Shortcut on Client desktop. The web home page has been set up to access the web server at This vapp has been deployed successfully if the web page for Silver Group is visible. The VMRC console session for the Client can be left open since it will be used in the next two exercises Page 43

44 Port-Mirroring using ERSPAN on Cisco Nexus 1000V Page 44

45 Configure and verify ERSPAN on the Cisco Nexus 1000V After a few days in production the web vapp deployed by Silver Group is showing a performance degradation. They have opened a trouble ticket with Umbrella IT to troubleshoot the issue. The Umbrella IT administrator can enable ERSPAN on the Nexus 1000V to gain visibility into the vapp traffic. The ERSPAN session will mirror traffic on VXLAN to a VM on the network that is running a network analyzer. In this lesson, you'll act as an Umbrella IT administrator to enable ERSPAN for Web vapp traffic monitoring with Nexus 1000V. Page 45

46 Open PuTTY Session to Nexus 1000V On the Control Center Desktop, double-click on the PuTTY icon, this will open up the PuTTY client. Select Nexus 1000V VSM - vsm.corp.local and click Open to open console for Nexus 1000V. Login to Nexus 1000V VSM console using credentials: User: admin Password: Cisco123 Note: If you have kept the PuTTY session open after the last exercise involving the Nexus 1000V VSM, skip the steps of connecting to the Nexus 1000V VSM again. Page 46

47 Page 47

48 Identify virtual interface (vethernet) Interface for ERSPAN session Before creating the ERSPAN session, identify the vethernet port that will be used as the source of the span traffic. In this example we will be enabling ERSPAN for the traffic going to/from the Client VM. Issue the command from Nexus 1000V console: show interface virtual In the example output above, the Client VM is on Veth6. This may be different in your setup as the assignment of VM to Vethernet interfaces is dynamic. Note the Vethernet number specific to your lab, it will be used in the next step. Setting up ERSPAN on Nexus 1000V The monitor session we will configure in this exercise will mirror both Tx and Rx traffic from the Client_vApp VM. The VM running the network analyzer has an IP address of Enter the following commands to configure the ERSPAN session on the Nexus 1000V. NOTE: Make sure to use the Vethernet port identified in the previous step. config t monitor session 1 type erspan-source description MonitorClient source interface Vethernet 6 both destination ip Page 48

49 erspan-id 999 no shut end Page 49

50 Analyzing Network Traffic Double Click on "Wireshark VM " Icon on your desktop to open an RDP session to Windows sniffer Wireshark VM. Login credentials are: User: vmware Password: VMware1! The ERSPAN traffic is mirrored to the Windows7-Wireshark virtual machine at In this exercise we will first set up the traffic analyzer (Wireshark) and then start a HTTP request from the client. We will then verify that the packets are being captured in Wireshark. Page 50

51 Setup Wireshark to capture traffic Double-click on Wireshark shortcut on desktop to open Wireshark application. Configure Wireshark to match traffic Select a pre-configured filter from the drop-down filter menu. The IP address for the Client is After selecting the filter click on Apply. Note If no pre-configured filter is displayed, please enter following in the filter field: ip.addr== Page 51

52 Page 52

53 Set Capture Interface Select the interface "Local Area Connection 2" and Click on Start to start the capture Page 53

54 Access Web Page from Client VM On Client VM, access the web page with a double click on "Cisco Systems IE icon" on desktop. Page 54

55 View captured traffic Navigate to the Wireshark VM RDP session and the traffic that is captured by Wireshark. The IP addresses correspond to that of the Client( ) and the web server( ). Stop the capture by clicking on the Stop the running live capture button to stop capturing packets till the next exercise. Page 55

56 Configure QOS for Enhanced VXLAN network on Cisco Nexus 1000V Page 56

57 Configure and verify QOS for Enhanced VXLAN network traffic Setup QOS for SilverGroup Web vapp Traffic After analyzing the traffic capture logs it was determined that the performance of the vapp could be improved by applying a QoS policy that will provide dedicated bandwith to the vapp. QoS will be configured on the Nexus 1000V to provide platinum service to the vapp network. Quality of Service (QoS) lets you classify network traffic so that it can be policed and prioritized in a way that prevents congestion. Traffic is processed based on the classification and the policies attached to the traffic class. The Cisco Nexus 1000V offers all the QoS features that can be found on other hardware switches in the Nexus product line. In addition the QoS can be applied on a port-profile level, as shown in this example or on a virtual ethernet interface level. This allows both a organization-wide policy application as well as a policies that are fine-tuned to specific traffic types like VM, vmotion or management traffic. Configuring the QoS policies will be done through the PuTTY session that is opened to the Nexus 1000VVSM. Page 57

58 Open PuTTY Session to Nexus 1000V On the Control Center Desktop, double-click on the PuTTY icon, this will open up the PuTTY client. Select Nexus 1000V VSM - vsm.corp.local and click Open to open console for Nexus 1000V. Login to Nexus 1000V VSM console using credentials: User: admin Password: Cisco123 Note: If you have kept the PuTTY session open after the last exercise involving the Nexus 1000V VSM, skip the steps of connecting to the Nexus 1000V VSM again. Traffic classification Execute the following commands on the Nexus 1000V CLI to configure an access-list that matches all traffic: Page 58

59 config t ip access-list QOS permit ip any any exit Configuring class-map for traffic Create a class-map called SilverGroup_Class to classify packets that match the QoS access-group configured in the previous step. Execute the following commands to configure a class-map: config t class-map type qos match-all SilverGroup_Class match access-group name QOS exit Page 59

60 Creating QOS Policy for the traffic class The policy defined for the SilverGroup_Class is marked with a DSCP value of cs7. Assigning cs7: "class selector 7 " value marks this traffic for a higher priority. To configure a policy-map for the SilverGroup_Class enter the following commands: config t policy-map type qos SilverGroup_QOS_Policy class SilverGroup_Class set dscp cs7 end Apply QOS policy to organization vapp As described earlier the SilverGroup-Profile port-profile is inherited by all organization networks that are created for Silver Group. Applying the QoS policy on this port-profile will result in the policy being applied to all virtual ethernet interfaces for the organization, including the Client and WebServer traffic. Enter the following commands to configure the QoS policy on thesilvergroup port-profile consumed by SilverGroup-Web-vApp VM's: config t port-profile type vethernet SIlverGroup-Profile service-policy type qos input SilverGroup_QOS_Policy service-policy type qos output SilverGroup_QOS_Policy exit Page 60

61 Verify configuration applied using command: show run port-profile SilverGroup-Profile Page 61

62 Verify QOS settings on vapp traffic Navigate back to the Wireshark application that is running in the RDP session for the Windows-Sniffer VM. Start a new capture and click on Continue without Saving to continue without saving the old capture file. Page 62

63 Access Web Page from Client VM Hit Browser Refresh or Close any existing browser windows on the Client VM. Repeat the steps to open the IE shortcut to Cisco Systems on the desktop. This will access the web page from the web server and should generate traffic towards the traffic analyzer. Page 63

64 Verify QOS with Wireshark packet capture 1. Stop Capture if running from previous steps. 2. Select filter in drop-down to ip.addr== Start Capture 4. Select a packet with a source of The outer encapsulation is the IP encapsulation for ERSPAN, and the inner packet contains the payload we want to analyze. 5. Expand the inner Internet Protocol field and verify the Class Selector (DSCP) value is 7. This confirms that the QoS settings have been applied on the packet. Page 64

65 Congratulations!! Page 65

66 Conclusion Congratulations! You have successfully integrated the Nexus 1000V using Enhanced VXLAN with vcloud Director, deployed a vapp and explored troubleshooting with ERSPAN and advanced features like QoS on the Nexus 1000V. In this Lab you've gained hands on experience deploying Enhanced VXLAN networks for VMs in a vcloud Director environment with Cisco Nexus1000V. Cisco Nexus 1000V is a feature rich distributed virtual switch for Multi-Hypervisor, Multi-Services and Multi- Cloud environments. Cisco Nexus 1000V provides you consistent Networking and Services experience across physical and network environments, as well as across multihypervisor environments. To get more information about Nexus 1000V, please visit : or stop by Cisco Data Center (Nexus 1000V) Booth. Thank You!!! Page 66

67 Conclusion Thank you for participating in the VMware Hands-on Labs. Be sure to visit to continue your lab experience online. Lab SKU: Version: Page 67