Cisco Virtual Networking Solution: Nexus 1000V and Virtual Services. Abhishek Mande, Engineer, mailme@cisco.com
Agenda: Application requirements in virtualized DC; The Anatomy of Nexus 1000V; Virtual Services with Prime NSC; Service Chaining; Summary
Server Virtualization Issues (diagram: one port group, shared by the server admin, the security admin and the network admin)
1. vMotion moves VMs across physical ports; the network policy must follow vMotion.
2. Must be able to view or apply network/security policy to locally switched traffic.
3. Need to maintain separation of duties (server, security and network admins) while ensuring non-disruptive operations.
Application Requirements for Network Services. Current-generation network capabilities are driven by the physical network topology. For example, if the firewall is plugged into the Internet connection and the load balancer is plugged into the firewall, traffic must always flow in that order. Application-driven requirements that change the relationship (load balancing first, then the firewall) cannot be supported without physically changing the layout of the network. (Diagram: application proxy server, core router/switch, load balancer, firewall.)
Virtual Services Architectural Approach (requirement: solution)
- Virtualization awareness (dynamic policy-based provisioning; support for VM mobility, e.g. vMotion): virtual (SW) form factor; integration with VM management tools (e.g. vCenter, SC-VMM in future); policies bound to vNIC/VM; integration with N1KV (vPath*)
- Multi-tenant / scale-out deployment: virtual service with multi-instance deployment; multi-tenant management; multi-tenant N1KV
- Separation of duties (non-disruptive to the server team; efficient deployment): profile-based provisioning for services; integration with the N1KV port profile; optional hosting on the Nexus 1010 HW appliance
- Performance optimization: integration with N1KV (vPath*)
- Broad mobility diameter (DC-wide, DC-to-DC, DC-to-Cloud): DC-wide via VXLAN**; DC-to-DC via OTV**
*vPath: Virtual Service Datapath. **VXLAN: Virtual Extensible LAN; OTV: Overlay Transport Virtualization.
Network Services Options for Virtualized/Cloud DC. Option 1: redirect VM traffic via VLANs to an external (physical) firewall (dedicated service nodes using virtual contexts). Option 2: apply hypervisor-based virtual network services (virtual service nodes, VSNs, running on the hypervisor next to the web, app and database server VMs). This session covers option 2.
The Anatomy of Nexus 1000V
Nexus 1000V: Consistent Cloud Networking, a multi-hypervisor and multi-orchestration strategy (diagram layers, top to bottom):
- Cloud portal and orchestration: vCloud Director / Automation Center, System Center, Citrix CloudPlatform, CIAC / OpenStack / partners
- L4-7 Cloud Network Services: vWAAS, ASA 1000V, VSG, NAM, NetScaler 1000V, partners
- L2-3 virtual network infrastructure: Nexus 1000V
- Hypervisor: vSphere, Hyper-V, XenServer, KVM
- Computing platform (UCS) and storage platform
- Physical network: Unified Fabric (Nexus)
Cisco Nexus 1000V: Cisco Virtual Machine Networking. Three properties: policy-based VM connectivity; mobility of network and security properties; non-disruptive operational model. Port profiles (e.g. WEB, Apps, HR, DB, DMZ) carry the defined policies. The VM connection policy is defined in the network (Nexus 1000V VSM), applied in Virtual Center (vCenter) and linked to the VM UUID; VMs attach through the Nexus 1000V VEM on each host.
Cisco Nexus 1000V: Cisco Virtual Machine Networking. VMs need to move (VMotion, DRS, SW upgrade/patch, hardware failure). Property mobility is VMotion for the network: it ensures VM security and maintains connection state as a VM moves between Nexus 1000V VEMs, preserving policy-based VM connectivity, mobility of network and security properties, and a non-disruptive operational model.
Nexus 1000V Architecture respects the DC operational model for P to V (physical to virtual). The Nexus 1000V virtual appliance mirrors a modular switch: VSM-1 (active) and VSM-2 (standby) form the NX-OS control plane, like Supervisor-1 (active) and Supervisor-2 (standby); the VEMs (VEM-1 ... VEM-N, one per hypervisor host) form the NX-OS data plane, like Linecard-1 ... Linecard-N behind the backplane. The network admin owns the VSM; the server admin owns the hypervisors. VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module.
Port-Profile Configuration (show output as on the slide; the profile name in the command is aligned with the profile shown):

    n1000v# show port-profile name WebServers
    port-profile WebServers
      description:
      status: enabled
      capability uplink: no
      system vlans:
      port-group: WebServers
      config attributes:
        switchport mode access
        switchport access vlan 110
        no shutdown
      evaluated config attributes:
        switchport mode access
        switchport access vlan 110
        no shutdown
      assigned interfaces:
        Veth10

Supported commands include: port management, VLAN, PVLAN, port-channel, ACL, NetFlow, port security, QoS, vservice.
Port Groups: VI Admin View (vCenter screenshot)
Nexus 1000V Architecture: service insertion in the hypervisor. Same model as the modular switch (VSM-1 active and VSM-2 standby as the NX-OS control plane, like the active and standby supervisors; VEM-1 ... VEM-N on the hypervisors as the NX-OS data plane, like the linecards behind the backplane), with network services inserted at the VEM. The network admin owns the VSM; the server admin owns the hypervisors. VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module.
vPath: Policy-Based Service Enablement. vPath is the Nexus 1000V dataplane component that provides:
1. A distributed service insertion architecture, with an intelligent traffic intercept and redirection mechanism
2. A topology-agnostic service insertion model
3. Service chaining across multiple virtual services
4. Performance acceleration, e.g. VSG flow offload
5. An efficient and scalable architecture
6. VM policy mobility with VM mobility
Nexus 1000V on any hypervisor with Cloud Network Services (CNS): evolve the network for the next wave of application requirements.
Virtual Services
Cisco Virtual Networking and Cloud Network Services: a full portfolio of best-in-class virtualized network services on top of the physical infrastructure (WAN router, switches, servers).
- Nexus 1000V: distributed switch, NX-OS consistency, enhanced VXLAN, multi-hypervisor (VMware, Microsoft, KVM*, Xen*; *KVM in beta, Xen prototype)
- Cloud Services Router 1000V (CSR): cloud router, WAN L3 gateway, routing and VPN
- Cisco Virtual Security Gateway (VSG): distributed zone-based firewall
- ASA 1000V Cloud Firewall: edge firewall, VPN, protocol inspection
- vWAAS: WAN optimization for application traffic
- Network Analysis Module (vNAM)
- Citrix NetScaler 1000V: NetScaler VPX virtual ADC (ecosystem)
- Imperva SecureSphere WAF: web application firewall (ecosystem)
Cisco Cloud Services Platform (Nexus 1110): a dedicated cloud services appliance with flexible, on-demand allocation of resources that allows policy management by network teams. It hosts the Nexus 1000V VSMs and the Cisco Cloud Network Services (CNS): Virtual Security Gateway, Citrix NetScaler 1000V, Prime virtual NAM, Imperva SecureSphere WAF and DCNM* (*2H CY13); 10G and SSL ready. VSM = Virtual Supervisor Module; DCNM = Data Center Mgt. Center.
Virtual Security Gateway
Cisco Virtual Security Gateway (VSG): a distributed, zone-based firewall managed by Prime NSC. Context aware: VM context-aware rules. Security zone-based controls: establish zones of trust. Dynamic and agile: policies follow vMotion. Best-in-class architecture: efficient, fast, scale-out software (with vPath intelligence).
Virtual Security Gateway: Intelligent Traffic Steering with vPath (VSG managed by PNSC; VMs attached to the Nexus 1000V distributed virtual switch).
1. Initial packet flow: the first packet of a new flow is redirected from the Nexus 1000V to the VSG.
2. Flow access control: the VSG evaluates policy.
3. Log/audit.
4. Decision caching: the verdict is cached in the Nexus 1000V.
Virtual Security Gateway: Intelligent Traffic Steering with vPath (VSG managed by VNMC, the earlier name of Prime NSC; VMs attached to the Nexus 1000V distributed virtual switch).
5. Remaining packets from the flow: the decision is offloaded to the Nexus 1000V (policy enforcement), with log/audit kept on the VSG.
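The five steps above, as an added example that is not Cisco's or the Nexus 1000V's own code: a toy model of vPath flow offload in which the VEM sends only the first packet of each new flow to the VSG, caches the verdict by 5-tuple, and enforces it on the rest of the flow locally. The zones, rule, packets and the fail-open/fail-closed choice for an unreachable VSG are all constructed here (the class and function names are assumptions, not product APIs).

```python
"""Toy model of vPath flow offload: first packet to the VSG, verdict cached at the VEM."""
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")

# Constructed VM-to-zone mapping (a real VSG learns this from vCenter/PNSC).
ZONES = {"192.168.20.100": "web", "192.168.30.10": "app"}


class VSG:
    """Policy decision point: evaluates the first packet of a flow and logs the verdict."""

    def __init__(self):
        self.rules = [("web", "app", 8080, "permit")]  # anything else is denied
        self.reachable = True
        self.evaluations = 0
        self.audit_log = []

    def evaluate(self, pkt):
        self.evaluations += 1
        src_zone = ZONES.get(pkt.src, "unknown")
        dst_zone = ZONES.get(pkt.dst, "unknown")
        verdict = "deny"
        for s, d, port, action in self.rules:
            if (s, d, port) == (src_zone, dst_zone, pkt.dport):
                verdict = action
                break
        self.audit_log.append((pkt, src_zone, dst_zone, verdict))  # step 3: log/audit
        return verdict


class VEM:
    """Policy enforcement point with a per-flow decision cache (the offload)."""

    def __init__(self, vsg, fail_mode="close"):
        self.vsg = vsg
        self.fail_mode = fail_mode  # verdict for NEW flows while the VSG is unreachable
        self.flow_cache = {}
        self.cache_hits = 0

    def forward(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.flow_cache:          # steps 4-5: cached decision, no VSG round trip
            self.cache_hits += 1
            return self.flow_cache[key]
        if not self.vsg.reachable:          # no decision point available: fail closed or open
            return "deny" if self.fail_mode == "close" else "permit"
        verdict = self.vsg.evaluate(pkt)    # steps 1-2: first packet goes to the VSG
        self.flow_cache[key] = verdict
        return verdict

    def flush(self):
        """Drop cached verdicts so the VSG re-evaluates flows after a policy change."""
        self.flow_cache.clear()


def run_demo():
    """Ten packets of one web->app flow plus one packet from an unknown host."""
    vsg = VSG()
    vem = VEM(vsg)
    flow = Packet("192.168.20.100", "192.168.30.10", "tcp", 8080)
    verdicts = [vem.forward(flow) for _ in range(10)]
    stray = vem.forward(Packet("10.9.9.9", "192.168.30.10", "tcp", 8080))
    return {"verdicts": verdicts, "stray": stray,
            "vsg_evaluations": vsg.evaluations, "cache_hits": vem.cache_hits,
            "audit_entries": len(vsg.audit_log)}


if __name__ == "__main__":
    print(run_demo())
```

Two points the model makes visible: the VSG sees (and logs) one packet per flow, so its audit trail is per flow rather than per packet, and a cached verdict outlives the policy that produced it until the cache is flushed or the flow ends, which is why a policy change should be checked against long-lived flows as well as new ones.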
Decoupled Deployment Across Applications and Virtual Services: the Cisco VSG runs on its own host while the application VMs run on a virtualized infrastructure with a Cisco Nexus 1000V VEM on every host. No need to deploy virtual services on every host; plan CPU capacity independently across application workloads and virtual services; the solution is simpler to deploy with multiple operations teams (server, network and security).
Deployment in a Multitenant Environment: each tenant has an active VSG and a standby VSG (the active VSG for Tenant A protects its Web Zone and App Zone; the active VSG for Tenant B protects its QA Zone and Dev Zone), serving VMs spread across several vSphere hosts, each running a Cisco Nexus 1000V VEM. Management plane over the data center network: Cisco Nexus 1000V VSM, Cisco Prime Network Service Controller and VMware vCenter.
Policy Rule Construct: Cisco VSG supports policies based on network attributes and virtual machine (VM) attributes. A rule consists of a source condition, a destination condition and an action; each condition is an attribute, an operator and a value. Attribute types: network attributes (IP address, network port); VM attributes (instance name, guest OS full name, zone name, parent app name, port profile name, cluster name, hypervisor name); custom VM attributes. Operators: eq, neq, gt, lt, range, not-in-range, prefix, member, not-member, contains.
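The rule construct above, as an added example that is not Cisco's or the VSG's own code: a small evaluator in which a rule is a source condition list, a destination condition list and an action, every condition being an (attribute, operator, value) triple over the network and VM attributes named on the slide, with all ten operators implemented. The VM inventory, addresses and rules are constructed; the attribute keys are assumed spellings of the slide's attribute names, and a condition on an attribute the endpoint does not have never matches.

```python
"""Evaluator for VSG-style rules: source condition + destination condition -> action."""
import ipaddress

# Constructed VM inventory keyed by IP (a real VSG learns VM attributes from vCenter/PNSC).
VM_INVENTORY = {
    "10.1.10.5": {"instance_name": "web-01", "zone_name": "web",
                  "port_profile_name": "WebServers",
                  "guest_os_full_name": "Ubuntu Linux (64-bit)"},
    "10.1.20.5": {"instance_name": "db-01", "zone_name": "db",
                  "port_profile_name": "DBServers",
                  "guest_os_full_name": "Windows Server 2012 (64-bit)"},
}


def attributes_for(ip, port):
    """Network attributes come from the packet; VM attributes from the inventory, if any."""
    attrs = {"ip_address": ip, "network_port": port}
    attrs.update(VM_INVENTORY.get(ip, {}))
    return attrs


# The slide's operators. Value shapes: range/not-in-range take (low, high); prefix takes
# a CIDR string; member/not-member take a set; contains does a substring test.
OPERATORS = {
    "eq": lambda v, a: v == a,
    "neq": lambda v, a: v != a,
    "gt": lambda v, a: v > a,
    "lt": lambda v, a: v < a,
    "range": lambda v, a: a[0] <= v <= a[1],
    "not-in-range": lambda v, a: not (a[0] <= v <= a[1]),
    "prefix": lambda v, a: ipaddress.ip_address(v) in ipaddress.ip_network(a),
    "member": lambda v, a: v in a,
    "not-member": lambda v, a: v not in a,
    "contains": lambda v, a: a in v,
}


def condition_matches(conditions, attrs):
    """Every triple must hold; an attribute missing from the endpoint never matches."""
    for attr, op, value in conditions:
        if attr not in attrs or not OPERATORS[op](attrs[attr], value):
            return False
    return True


def evaluate(rules, src_ip, src_port, dst_ip, dst_port, default="deny"):
    """First matching rule wins; nothing matching falls to the default action."""
    src = attributes_for(src_ip, src_port)
    dst = attributes_for(dst_ip, dst_port)
    for rule in rules:
        if condition_matches(rule["src"], src) and condition_matches(rule["dst"], dst):
            return rule["action"], rule["name"]
    return default, "implicit-deny"


# Constructed rule set: web VMs (Linux guests, ephemeral source port) may reach the DB on
# 3306; outside clients may reach the WebServers port profile on 80/443 but never the DB zone.
RULES = [
    {"name": "web-to-db",
     "src": [("zone_name", "eq", "web"), ("guest_os_full_name", "contains", "Linux"),
             ("network_port", "not-in-range", (0, 1023))],
     "dst": [("zone_name", "eq", "db"), ("network_port", "eq", 3306)],
     "action": "permit"},
    {"name": "clients-to-web",
     "src": [("ip_address", "prefix", "172.16.0.0/12")],
     "dst": [("port_profile_name", "member", {"WebServers"}),
             ("network_port", "member", {80, 443})],
     "action": "permit"},
    {"name": "block-db-from-outside",
     "src": [("ip_address", "prefix", "172.16.0.0/12")],
     "dst": [("zone_name", "eq", "db")],
     "action": "drop"},
]

if __name__ == "__main__":
    print(evaluate(RULES, "10.1.10.5", 50000, "10.1.20.5", 3306))
```

Rule order matters, as it does on a real firewall: the explicit drop for outside-to-DB traffic is only reached because the permit rules above it fail to match, and anything no rule covers lands on the implicit deny.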
Citrix NetScaler 1000V
Citrix NetScaler 1000V: Citrix's best-in-class virtual application delivery controller (vADC), sold and supported by Cisco (Q3) and integrated with the Nexus 1100 Cloud Services Platform alongside the other Cisco Cloud Network Services (Nexus 1000V VSMs, Virtual Security Gateway, Prime virtual NAM, Imperva SecureSphere WAF and DCNM* in 2H CY13). NetScaler 1000V = VPX (Cloud Bridge, Cloud Connect, SSL VPN). VSM = Virtual Supervisor Module; DCNM = Data Center Mgt. Center.
SLB with and without vPath: why? Without vPath: source NAT (SNAT) obscures the client/source; policy-based routing (PBR) is complex; inline ADCs are a performance bottleneck. With vPath: the source IP is preserved (vPath redirects the server-return traffic to the SLB); easy deployment; topology agnostic; service chaining; selective traffic for optimal use of performance; enables new east-west flow use cases.
NetScaler 1000V without vPath: East-West / Distributed Services. Client IP 172.50.20.10; Web tier, App tier, DB tier. Step 1: the web server initiates a connection to the App server with LB services enabled, so the destination IP is now the VIP (DST IP: 192.168.20.10, Src IP: 192.168.20.100).
NetScaler 1000V without vPath: East-West / Distributed Services. Step 2: the VIP selects an App server as the destination and sends the packet with the destination IP of the App server and the source IP of its SNIP (DST IP: 192.168.30.10, Src IP: 192.168.20.200).
NetScaler 1000V without vPath: East-West / Distributed Services. Step 3: the distributed firewall policy for the App server receives the packet but lacks visibility of the source information for policy evaluation. Policy fails! The firewall needs to know the source/client IP for policy evaluation.
NetScaler 1000V with vPath: enabling the east-west flow use case for SLB. Client IP 172.50.20.10; Web tier, App tier, DB tier. Step 3: the distributed firewall enabled for the App server receives the packet and has full visibility of the source information for policy evaluation. Step 5: the firewall has visibility of both source and destination for policy evaluation.
NetScaler 1000V with vPath: enabling the east-west flow use case for SLB. Step 4: the packet is forwarded to the App server after policy evaluation. Step 5: the firewall has visibility of both source and destination for policy evaluation. East-west services and application servers are ready to deliver best-in-class services.
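The two cases in steps 1 to 5, as an added example that is not Cisco's or NetScaler's own code: a model of the east-west path using the slide's addresses (web server 192.168.20.100 to VIP 192.168.20.10, App server 192.168.30.10, SNIP 192.168.20.200), in which a zone-based firewall on the App server's port has to attribute the packet's source to a VM. Without vPath the ADC source-NATs to its SNIP, which is not a VM, so the policy cannot be evaluated; with vPath the original source is kept. The zone mapping, rule and function names are constructed.

```python
"""Why source-IP preservation matters to a distributed firewall behind an ADC."""

# Addresses from the slides; the zone mapping is constructed.
WEB_SERVER = "192.168.20.100"
VIP = "192.168.20.10"          # load-balanced address the web server connects to
APP_SERVER = "192.168.30.10"   # real server the ADC selects
SNIP = "192.168.20.200"        # ADC subnet IP used as the source when it SNATs
VM_ZONE = {WEB_SERVER: "web", APP_SERVER: "app"}   # VMs known to the firewall; SNIP is not one


def load_balance(pkt, snat):
    """ADC: replace the VIP with a real server; with SNAT also rewrite the source."""
    out = dict(pkt, dst=APP_SERVER)
    if snat:
        out["src"] = SNIP
    return out


def firewall_policy(pkt):
    """Distributed firewall on the App server's port: permit web zone -> app zone on 8080."""
    src_zone = VM_ZONE.get(pkt["src"])
    dst_zone = VM_ZONE.get(pkt["dst"])
    if src_zone is None:
        return "deny", "source not attributable to a VM or zone"
    if (src_zone, dst_zone, pkt["dport"]) == ("web", "app", 8080):
        return "permit", "web->app:8080"
    return "deny", "no matching rule"


def east_west_request(with_vpath):
    """Step 1 packet through the ADC (step 2) to the firewall (step 3)."""
    pkt = {"src": WEB_SERVER, "dst": VIP, "dport": 8080}
    pkt = load_balance(pkt, snat=not with_vpath)  # vPath lets the ADC skip SNAT
    return pkt["src"], firewall_policy(pkt)


if __name__ == "__main__":
    print("without vPath:", east_west_request(with_vpath=False))
    print("with vPath:   ", east_west_request(with_vpath=True))
```

The point to take from the failing case is that it fails closed: a source the firewall cannot attribute gets no rule match, so the load balancer silently breaks a policy that is correct on paper. Preserving the source only works if the return traffic from the App server is steered back through the SLB, which is the redirection vPath provides.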
Deployment Network Topologies: One-Arm. One-armed topologies have several benefits: simple, one physical interface and no risk of bridge loops; can make use of link aggregation to satisfy bandwidth requirements; the SLB does not have to be the default gateway for the application VMs; very few failure modes, easing HA failure analysis. (Logical topology: the NetScaler 1000V hangs off the web segment by a single interface.)
Service-Chaining and why it is important
Service Chaining Benefits: intelligent policy-based traffic steering through multiple network services; decouples network services from the underlying network topology with overlays (VXLAN); dynamic service chains enabled per VM port; programmability; transparent service insertion; multi-tenancy. (Diagram: a client reaches Web VM tenant #1 (policy 1) and Web VM tenant #2 (policy 2) through virtual services A, B and C; policy 1 and policy 2 are defined per tenant and embedded in the Cisco Nexus 1000V.) Expanded ecosystem: VSG, ASA 1000V, vWAAS and NetScaler 1000V.
Services Chaining with Intelligent Policy-based Traffic Steering Through Multiple Network Services (animated diagram: client, LB VIP, web tier VMs, DB tier; steps 1 to 9):
1. The client initiates a flow to the web server, using the LB VIP as the server IP.
2. NS1000V load-balances the web request and selects Web Server 1 (client to S1).
3. Based on policy, traffic is redirected to the service chain, starting with the zone-based firewall, VSG.
4. Traffic returns to the Virtual Ethernet Module, ready for the next network service.
5. The WAF inspects packets for web attacks, prevents the attack and generates alerts.
6. The packet is forwarded to the web server VM.
7. Web-to-DB tier connection.
8. Web-to-DB tier connection: database tier security policy.
9. The VSG policy is applied and the packet is forwarded to the database.
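Steps 1 to 9 above, as an added example that is not Cisco's or the Nexus 1000V's own code: a toy service chain run by a VEM-like dispatcher. Each service takes a packet and returns it with a verdict; the dispatcher hands the packet back to itself between services (step 4) and stops at the first drop. Chains are bound per port profile, so two tenants' VMs on the same segment get different chains. The addresses, pool, zones, WAF check and all function names are constructed, and the WAF check is deliberately a single simple rule.

```python
"""Per-port service chain: load balancer -> zone firewall -> WAF, with early drop."""

VIP = "10.0.1.10"                          # constructed LB VIP
WEB_POOL = ["10.0.1.11", "10.0.1.12"]      # constructed web servers behind the VIP
ZONE = {"10.0.1.11": "web", "10.0.1.12": "web",
        "10.0.2.20": "db", "203.0.113.7": "client"}   # constructed zone membership


def ns1000v(pkt, state):
    """Load balancer (step 2): pick a web server for flows to the VIP, round robin."""
    if pkt["dst"] == VIP:
        idx = state["rr"] = (state.get("rr", -1) + 1) % len(WEB_POOL)
        pkt = dict(pkt, dst=WEB_POOL[idx])
    return pkt, "permit"


def vsg(pkt, state):
    """Zone-based firewall (steps 3 and 8-9): permit client->web:80 and web->db:5432 only."""
    triple = (ZONE.get(pkt["src"]), ZONE.get(pkt["dst"]), pkt["dport"])
    allowed = {("client", "web", 80), ("web", "db", 5432)}
    return pkt, ("permit" if triple in allowed else "drop")


def waf(pkt, state):
    """Web application firewall (step 5): one constructed check, a '..' path segment."""
    if ".." in pkt.get("http_path", ""):
        state.setdefault("alerts", []).append(("waf", pkt["src"], pkt["http_path"]))
        return pkt, "drop"
    return pkt, "permit"


# Chains bound to port profiles; order is the order services are visited.
CHAINS = {
    "tenant1-web": [ns1000v, vsg, waf],   # policy 1: full chain
    "tenant2-web": [vsg],                 # policy 2: firewall only
}


def vem_dispatch(port_profile, pkt, state):
    """Run the chain bound to the port; the packet returns to the VEM after each node."""
    trace = []
    for service in CHAINS[port_profile]:
        pkt, verdict = service(pkt, state)
        trace.append((service.__name__, verdict))
        if verdict == "drop":
            return pkt, "drop", trace          # later services never see a dropped packet
    return pkt, "permit", trace                # step 6: delivered to the VM


if __name__ == "__main__":
    st = {}
    req = {"src": "203.0.113.7", "dst": VIP, "dport": 80, "http_path": "/index.html"}
    print(vem_dispatch("tenant1-web", req, st))
```

The trace returned for each packet is what an operator wants when debugging a chain: which node made the decision, and whether the packet ever reached the services later in the chain. The same dispatcher serves the web-to-DB leg (steps 7 to 9) because the load balancer simply passes packets that are not addressed to the VIP.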
vPath 3.0 (Nexus 1000V on any hypervisor): service chaining with vPath and non-vPath network services; virtual and physical network services (virtualized and non-virtualized, physical and non-physical service nodes); any network service can now be distributed, not just firewalls; submitted to the IETF for standardization* (*http://tools.ietf.org/html/draft-quinn-nsh-00); supports multiple hypervisors.
Service-Chaining Use-cases
Enterprise: Multi-Tier Applications. Intelligent service chaining, network topology agnostic. Flat network: the VMs are all on the same VLAN 100 segment, yet each has a different set of services enabled: the web VM gets WAN optimization + edge firewall + NAT + load balancer + web application firewall + zone-based firewall; the next VM gets load balancer + zone-based firewall; the last gets only the zone-based firewall (VSG). The service chain stays attached to the VM on VM mobility.
3-Tier Server Zone: NetScaler 1000V server load balancer, ASA 1000V edge security profile, VSG compute security profile. Tenant-A zones: Web-Zone, App-Zone, Database-Zone (diagram: client, web servers, app server and DB server; addresses shown 192.168.1.1, 192.168.1.2 and 192.168.1.203). Policies: ASA: permit only port 80 (HTTP) to web servers; ASA 1000V: NAT VIP 10.10.25.100; NS1000V: web server LB; ASA: block all external access to database servers; VSG: only permit web servers access to database servers; VSG: only permit client access to the web server and deny access to the DB server.
Cloud Provider's Data Center Multi-Tenancy. Physical infrastructure: Internet, WAN router, switches, servers, with MPLS from the Enterprise A and Enterprise B branches into the DC. Virtual infrastructure: per tenant (Tenant A, Tenant B) a CSR1kV, a VSG and an NS1KV. Cloud provider multi-tenancy use cases: secure VPN gateway, MPLS extension, tenant SLB, east-west firewall.
Cloud Provider's Data Center Multi-Tenancy: server load balancer and east-west firewall offered as a service by the CSP. Physical infrastructure: Internet, WAN router, switches, servers, with MPLS from the Enterprise A and Enterprise B branches into the DC. Virtual infrastructure: per tenant (Tenant A, Tenant B) a CSR1kV, a VSG and an NS1KV. Cloud provider multi-tenancy use cases: secure VPN gateway, tenant SLB, east-west firewall.
Prime Network Service Controller: simple yet powerful virtual network services management. Centralized manager for all virtual services; multi-tenant; XML API for third-party integration; role-based access controls; integrates with Cisco Nexus 1000V, VMware vCenter and SCVMM; dynamic provisioning; custom-created to manage virtualization-specific workflows.
Summary. Cisco provides consistent Layer 2-7 networking for physical, virtual and cloud deployments: design once, run everywhere; hypervisor agnostic; a single network for physical, virtual and cloud; a consistent operational model and troubleshooting, especially with ACI; vPath 3 for standardized service chaining for virtual and physical network services; the orchestration tool of your choice: SCVMM, OpenStack, UCS Director and more.