Nexus 1000V in the Context of SDN
Martin Divis, CSE, mdivis@cisco.com
Why Cisco Nexus 1000V: Losing the Edge
The Server Admin manages virtual switching: each host runs its own vswitch, and the Network Admin only controls the rest of the network. Consequences:
- Unsupervised VM-to-VM communication
- VMs on the wrong VLANs
- No network visibility or control
- No policy and VLAN control
Why Cisco Nexus 1000V: Finding It Back
The Server Admin is freed from managing the network. The Nexus 1000V distributed virtual switch spans the hosts, so virtual switching is managed by the Network Admin, with full network policy control and visibility.
Cisco Nexus 1000V Overview
The Nexus 1000V is a modular switch built as a virtual appliance, owned by the Network Admin; the Server Admin owns the hypervisors.
- VSM (Virtual Supervisor Module): VSM1 and VSM2 play the role of Supervisor-1 and Supervisor-2
- VEM (Virtual Ethernet Module): VEM-1 ... VEM-N play the role of Linecard-1 ... Linecard-N, one VEM per hypervisor
- The network between them acts as the back plane
Why Not Configure Virtual Ports?
Too many ports, and they move too fast.
- The Network Admin needs sanity
- The Server Admin needs freedom to deploy and move virtual machines and to deploy and move physical hosts
Per-port configuration does not scale:
    switch# int gi1/0/35
    switchport mode access
    switchport access vlan 23
    etc
    switch# int gi1/0/47
    switchport mode access
    switchport access vlan 23
    etc
    switch# int gi1/0/21
    switchport mode access
    switchport access vlan 23
    etc
    switch# int gi1/0/17
    switchport mode access
    switchport access vlan 23
    etc etc
Image source: http://images.webmagic.com/klov.com/screens/s/wspace_invaders.png
Cisco Nexus 1000V Architecture
Virtual appliances: ASA 1000V, N1KV VSM, Cisco VSG, Cisco vWAAS, CSR1000V, Citrix VPX*, Imperva WAF* (* to be released in CY13)
Virtual Service Data Path (vpath), embedding intelligence for virtual services:
- Service chaining (traffic steering)
- Fast-path offload
- VXLAN aware
Virtual Extensible LAN (VXLAN), scaling LAN segments:
- DC-wide VM mobility
- LAN segment across Layer 3
- Works with existing network infrastructure
- 16 million segments
Nexus 1000V with vpath and VXLAN runs on the hypervisor (ESX, Hyper-V, KVM, Xen) over an Ethernet/IP network fabric.
vpath Service Chaining
- A Service Path defines the service chain: an ordered list of service profiles (e.g. security profile, edge profile, SLB profile, etc.), numbered 1, 2, 3 in the figure
- Traffic Selector rules are used to configure the Service Table in vpath
- An endpoint VM is associated with a Service Path via Port-Profile binding
VXLAN Deep Dive: Overlays
Why overlays?
Robust underlay/fabric:
- High capacity
- Resilient fabric
- Intelligent packet handling
- Programmable and manageable
Flexible overlay virtual network:
- Mobility: track end-point attach at the edges
- Scale: reduce core state; distribute and partition state to the network edge
- Flexibility/programmability: reduced number of touch points
VXLAN Deep Dive: Overview
Virtual Extensible LAN (VXLAN) is a Layer 2 overlay scheme over a Layer 3 network. A 24-bit VXLAN Segment ID or VXLAN Network Identifier (VNI) is included in the encapsulation to provide up to 16M VXLAN segments for traffic isolation/segmentation, in contrast to the 4K segments achievable with VLANs. Each of these segments represents a unique Layer 2 broadcast domain and can be administered in such a way that it uniquely identifies a given tenant's address space or subnet.
Original frame: Ethernet Header | Payload | FCS
Encapsulated frame: Outer Ethernet | Outer IP | Outer UDP | VXLAN | Inner Ethernet | Payload | New FCS
VXLAN header (8 bytes): Flags (1 byte) | Reserved (3 bytes) | Segment ID (3 bytes) | Reserved (1 byte)
- Outer UDP destination port = VXLAN (originally 8472, recently updated to 4789)
- Outer UDP source port = hash of the inner frame headers (optional)
VXLAN Deep Dive: VTEP Handling of Multi-Destination Traffic
Since a control/signaling protocol has not been defined, emulation of multi-destination traffic (broadcast, multicast, unknown unicast) is handled through the VXLAN IP underlay, using one control multicast group per segment.
The VTEP is implemented in software or hardware and is required for a VXLAN gateway.
Note: VXLAN 1.1 added a control/signaling mechanism via a centralized agent; in the case of the Nexus 1000V, it is the VSM.
Diagram: End System A (MAC-A, IP-A) behind VTEP-1 (IP-1), End System B (MAC-B, IP-B) behind VTEP-2 (IP-2), and a third end system behind VTEP-3 (IP-3), joined across the IP network by the multicast group.
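As an added example, not taken from the slides, the Python below models the encapsulation from the two slides above: the 8-byte VXLAN header with its VNI-valid flag, the outer UDP ports (destination 4789, source hashed from the inner headers), and a software VTEP that sends broadcast, multicast and unknown-unicast frames to the segment's multicast group while known unicast goes to the learned remote VTEP. The MAC addresses, VTEP IPs and multicast group are constructed values.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789     # IANA-assigned destination port (8472 was the original value)
FLAG_VNI_VALID = 0x08     # "I" flag: the 24-bit VNI field carries a valid segment ID
BROADCAST_MAC = b"\xff" * 6

def build_vxlan_header(vni):
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8)

def parse_vxlan_header(data):
    """Return (vni, inner_frame); reject a truncated header or a clear VNI-valid flag."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    flags, last_word = struct.unpack("!B3xI", data[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return last_word >> 8, data[8:]

def outer_source_port(inner_frame):
    """Outer UDP source port = hash of the inner Ethernet header, so ECMP spreads flows."""
    return 49152 + zlib.crc32(inner_frame[:14]) % 16384

class Vtep:
    """Software VTEP: per-VNI MAC table plus one multicast group per segment for BUM traffic."""
    def __init__(self, ip, segment_groups):
        self.ip, self.segment_groups, self.mac_table = ip, segment_groups, {}

    def learn(self, vni, mac, remote_vtep_ip):
        self.mac_table[(vni, mac)] = remote_vtep_ip   # from data-plane learning or the VSM

    def encapsulate(self, vni, inner_frame):
        """Return (outer_dst_ip, outer_src_port, outer_dst_port, vxlan_header + inner_frame)."""
        if vni not in self.segment_groups:
            raise ValueError("no multicast group configured for VNI %d" % vni)
        dst_mac = inner_frame[:6]
        # Broadcast, multicast (group bit set) and unknown unicast go to the segment's group.
        is_bum = (dst_mac == BROADCAST_MAC or bool(dst_mac[0] & 1)
                  or (vni, dst_mac) not in self.mac_table)
        outer_dst = self.segment_groups[vni] if is_bum else self.mac_table[(vni, dst_mac)]
        return outer_dst, outer_source_port(inner_frame), VXLAN_UDP_PORT, build_vxlan_header(vni) + inner_frame

# Constructed sample values for a stand-alone run (not from the slides).
MAC_A = bytes.fromhex("020000000001")
MAC_B = bytes.fromhex("020000000002")
SEGMENT_GROUPS = {5000: "239.1.1.1"}

def ethernet_frame(dst, src, payload=b"demo"):
    return dst + src + b"\x08\x00" + payload     # dst | src | EtherType IPv4 | payload
```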
VXLAN Implementations Today
- Nexus 1000V (L2): network virtualization in the server virtualization context (vCenter, Hyper-V, KVM, OpenStack)
- Nexus 3100 (L2), 5600 (L2, L3), 9000 (L2, L3): gateway
- Cisco ASR 1000 (L2, L3), 9000 (L2, L3): gateway
- VMware vShield and DVS (L2)
- VMware NSX (L2, L3): alternatively can use STT; can use a limited number of switch models for a HW gateway (L2)
- Many other chipset and HW vendors (L2)
REST API: HTTP Programmability
Open RPC API, extensible to support REST.
    HTTP GET http://192.168.133.131/api/vlan
    {
      "1": {
        "url": "/api/vlan/1",
        "properties": {
          "id": 1,
          "state": "active",
          "name": "default",
          "shutdown": false
        }
      },
      "5": {
        "url": "/api/vlan/5",
        "properties": {
          "id": 5,
          "state": "active",
          "name": "dbs",
          "shutdown": false
        }
      }
    }
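As an added example, not from the slides or from Cisco, the Python below consumes a response in the shape of the GET /api/vlan reply above and compares it with an approved VLAN inventory, which turns the "VMs on the wrong VLANs" problem from the opening slide into a check a Network Admin can run. The response text and the approved inventory are constructed sample data; only the JSON layout comes from the slide.

```python
import json
import re

# Constructed response in the shape of GET /api/vlan shown on the slide (sample values).
SAMPLE_VLAN_RESPONSE = """{
  "1":  {"url": "/api/vlan/1",  "properties": {"id": 1,  "state": "active", "name": "default", "shutdown": false}},
  "5":  {"url": "/api/vlan/5",  "properties": {"id": 5,  "state": "active", "name": "dbs",     "shutdown": false}},
  "23": {"url": "/api/vlan/23", "properties": {"id": 23, "state": "active", "name": "lab-tmp", "shutdown": false}}
}"""

URL_PATTERN = re.compile(r"^/api/vlan/(\d+)$")
REQUIRED = ("id", "state", "name", "shutdown")

def parse_vlan_response(text):
    """Return {vlan_id: properties}; reject entries whose key, url and id disagree."""
    vlans = {}
    for key, entry in json.loads(text).items():
        props = entry["properties"]
        if any(field not in props for field in REQUIRED):
            raise ValueError("VLAN entry %s lacks a required property" % key)
        match = URL_PATTERN.match(entry["url"])
        if not match or int(key) != props["id"] or int(match.group(1)) != props["id"]:
            raise ValueError("inconsistent key/url/id for VLAN entry %s" % key)
        vlans[props["id"]] = props
    return vlans

def audit_vlans(vlans, approved):
    """Compare the switch's VLAN table with the approved inventory {id: name}."""
    findings = []
    for vid, props in sorted(vlans.items()):
        live = props["state"] == "active" and not props["shutdown"]
        if vid not in approved and live:
            findings.append("VLAN %d (%s) is live but not in the approved inventory" % (vid, props["name"]))
        elif vid in approved and props["name"] != approved[vid]:
            findings.append("VLAN %d is named %r, inventory says %r" % (vid, props["name"], approved[vid]))
    for vid in sorted(set(approved) - set(vlans)):
        findings.append("approved VLAN %d is missing from the switch" % vid)
    return findings
```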
Nexus 1000V REST API Services
- VLAN, VXLAN
- Port-Profiles
- Virtual Service Nodes, vpath
- SPAN ports
- User access
- Hypervisor-dependent operations, mostly read only: license, connectivity (vNIC, uplinks, port-profiles), inventory
Warning, warning, warning
Nexus 1000V is available for vSphere, Hyper-V and KVM, and while the features and CLI are almost the same for all platforms... the REST API is totally different.
OpenStack Neutron Architecture
- Neutron Server exposes the Core REST API (Network, Port, Subnet) and the Resource and Attribute Extension API (ProviderNetwork, PortBinding, Router, Quotas, SecurityGroups, AgentScheduler, LBaaS, FWaaS, VPNaaS, ...)
- Neutron Core plugins: Cisco (Nexus, N1Kv), OVS, ML2, more vendor plugins
- ML2 plugin with Type Drivers (VLAN, GRE, VXLAN) and Mechanism Drivers (Cisco Nexus, OVS, OpenDaylight, APIC, more vendor drivers) as southbound interfaces
- Neutron Service plugins with backend drivers: Load Balancer (HAProxy), Firewall (IPTables), VPN (OpenSwan), L3 services, futures
- Message Queue for communicating with the Neutron Agents: DHCP Agent and L3 Agent (IPTables on the Network Node), L2 Agent (OVS on the Compute Node)
Summary: Core + Extension REST APIs; Message Queue to the Neutron Agents; Core and Service Plugins; different vendor core plugins; different network technology support; ML2 plugin with Type and Mechanism Drivers; Service plugins with backend drivers.
Neutron Cisco Nexus 1000V Plugin (KVM)
The Neutron Server runs the Cisco N1Kv core plugin, which talks to the N1Kv VSM over its REST API; Nova VMs on the Compute Nodes attach to the N1Kv VEM. Neutron objects map onto VSM objects:
- Network Profile -> Network Segment Pool
- Policy Profile -> Port Profile
Network Profiles: VLAN, VXLAN (multicast/unicast), Trunk
Policy Profiles: ACLs, QoS
VXLAN Gateway Service VM
Usage of the Neutron N1Kv-specific API extensions:
    neutron network-profile-create PROFILE_NAME vlan --segment_range 400-499      (Network Profile, admin)
    neutron net-create NETWORK_NAME --n1kv:profile_id PROFILE_ID
    neutron policy-profile-list      (Policy Profile defined in the VSM, picked up by periodic polling)
    neutron port-create NETWORK_NAME --n1kv:profile_id PROFILE_ID      (Policy Profile)
Benefits:
Please rate this talk. Thank you.