
Virtual Switching with Nexus 1000V

Yann Bouillon
DC Technical Marketing Engineer

2009 Cisco. Confidential.

Server Virtualization Issues

1. vMotion moves VMs across physical ports: the network policy must follow vMotion
2. Must view or apply network/security policy to locally switched traffic
3. Need to maintain segregation of duties while ensuring non-disruptive operations

[Figure: a port group spanning physical ports; Server Admin, Network Admin and Security Admin roles]

2006 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Nexus 1000V

Cisco Nexus 1000V: the industry's most advanced software switch for VMware vSphere
- Built on Cisco NX-OS
- Compatible with all switches
- Compatible with all servers on the VMware Hardware Compatibility List
- Winner of VMworld Best in Show 2008 and Cisco Most Innovative Product of 2009

[Figure: four VMs attached to the Nexus 1000V running on vSphere]

Nexus 1000V Architecture

The Nexus 1000V behaves like a modular switch: the VSM is the supervisor and each VEM is a line card.
- VSM: Virtual Supervisor Module, deployed as a virtual appliance or on the Nexus 1010 (Supervisor-1/VSM-1 and Supervisor-2/VSM-2)
- VEM: Virtual Ethernet Module, one per ESX host (Linecard-1/VEM-1 to Linecard-N/VEM-N)
- VSM-to-VEM communication runs in L2 or L3 mode
- 200+ vEth ports per VEM
- 64 VEMs per 1000V
- 2K vEths per 1000V
- Multiple 1000Vs can be created per vCenter

[Figure: modular-switch analogy; VSMs hosted on a virtual appliance or Nexus 1010 in L2 or L3 mode, VEMs on ESX hosts]

Embedding Intelligence for Virtual Services

- vPath: Virtual Service Datapath, embedded in each VEM
- VSG: Virtual Security Gateway for 1000V
- vWAAS: Virtual WAAS
- Virtual service nodes and the VSM run as virtual appliances or on the Nexus 1010

[Figure: VSM-1 to VSM-4 hosted on a virtual appliance or Nexus 1010, connected to the VEMs in L2 or L3 mode; VEM-1 and VEM-2 on ESX hosts each carry vPath]

Nexus 1010 hosting platform for services

The Nexus 1010 appliance hosts the VSMs together with service virtual blades such as the NAM and the VSG*, as an alternative to running them as virtual appliances.
- vPath: Virtual Service Datapath
- VSG: Virtual Security Gateway for 1000V
- vWAAS: Virtual WAAS

*VSG on 1010 target: 2Q CY11

[Figure: VSM-1 to VSM-4, NAM and VSG on the Nexus 1010, connected to the VEMs in L2 or L3 mode; VEM-1 and VEM-2 with vPath on ESX hosts]

Why 1000V?

Nexus 1000V Differentiators

Feature & operational consistency
- NX-OS across physical and virtual networks (Nexus 7K/5K/2K/1KV)
- Cisco CLI experience
- Standards based, IEEE 802.1Q

Advanced NX-OS switching features
- Security, QoS, Monitoring, Management

Non-disruptive administration
- Network team manages virtual network, creates port profiles
- Server team assigns port profiles to VMs

Intelligent integration with virtual services (vPath)
- Transparent insertion (topology agnostic)
- Efficient deployment: no need to deploy on every host
- Dynamic policy-based operation
- Performance acceleration

[Figure: VMs on a vSphere host with the Nexus 1000V VEM, managed by the Nexus 1000V VSM]

Cisco Nexus 1000V: Faster VM Deployment

Cisco VN-Link: Virtual Network Link
- Policy-Based VM Connectivity
- Mobility of Network & Security Properties
- Non-Disruptive Operational Model

VM Port Profiles: WEB Apps, HR, DB, DMZ

VM Connection Policy
- Defined by network Admin
- Applied in Virtual Center
- Linked to VM UUID

[Figure: VMs on two vSphere hosts, each with a Nexus 1000V VEM, attached to port profiles; vCenter and the Nexus 1000V VSM alongside]

Cisco Nexus 1000V: Richer Network Services

Cisco VN-Link: Virtual Network Link
- Policy-Based VM Connectivity
- Mobility of Network & Security Properties
- Non-Disruptive Operational Model

VMs Need to Move
- VMotion
- DRS
- SW Upgrade/Patch
- Hardware Failure

Property Mobility
- VMotion for the network
- Ensures VM security
- Maintains connection state

[Figure: VMs moving between two vSphere hosts with Nexus 1000V VEMs; vCenter and the Nexus 1000V VSM alongside]

Cisco Nexus 1000V: Increased Operational Efficiency

Cisco VN-Link: Virtual Network Link
- Policy-Based VM Connectivity
- Mobility of Network & Security Properties
- Non-Disruptive Operational Model

VI Admin Benefits
- Maintains existing VM mgmt
- Reduces deployment time
- Improves scalability
- Reduces operational workload
- Enables VM-level visibility

Network Admin Benefits
- Unifies network mgmt and ops
- Improves operational security
- Enhances VM network features
- Ensures policy persistence
- Enables VM-level visibility

[Figure: VMs on two vSphere hosts with Nexus 1000V VEMs; vCenter and the Nexus 1000V VSM alongside]

Advanced Features of the Nexus 1000V

Switching
- L2 Switching, 802.1Q Tagging, VLAN Segmentation, Rate Limiting (TX)
- IGMP Snooping, QoS Marking (COS & DSCP), Class-based WFQ

Security
- Policy Mobility, Private VLANs w/ local PVLAN Enforcement
- Access Control Lists (L2-4 w/ Redirect), Port Security
- Dynamic ARP inspection, IP Source Guard, DHCP Snooping

Network Services
- Virtual Services Datapath (vPath) support for traffic steering & fast-path off-load [leveraged by Virtual Security Gateway (VSG) and vWAAS]

Provisioning
- Automated vSwitch Config, Port Profiles, Virtual Center Integration
- Optimized NIC Teaming with Virtual Port Channel Host Mode

Visibility
- VMotion Tracking, NetFlow v.9 w/ NDE, CDP v.2
- VM-Level Interface Statistics
- SPAN & ERSPAN (policy-based)

Management
- Virtual Center VM Provisioning, Cisco Network Provisioning, CiscoWorks
- Cisco CLI, Radius, TACACs, Syslog, SNMP (v.1, 2, 3)
- Hitless upgrade, SW Installer

Nexus 1000V in Cisco Validated Solutions

Cisco's network-centric virtualized data center is best positioned to enable the journey to the networked cloud. The 1000V is part of each of these solutions:

Vblocks
- Imagine: 30 racks reduced down to 3 racks; provisioning applications in hours instead of weeks

Secure Multi-tenancy
- Imagine: securely sharing servers between multiple users/groups without having to add another server

Flexpod
- Imagine: predesigned, validated, flexible infrastructure that can grow and scale to meet cloud computing requirements

Virtual Desktop
- Imagine: over 4000 desktops in a single rack! Savings up to 60+% per PC per year; significant savings in operations

Installing Nexus 1000V

Flexible Deployment Options
- All servers on VMware Compatibility List
- All switches, including all Cisco switches
- 1G & 10G NICs

Deploying the Nexus 1000V

Collaborative Deployment Model
1. VMW vCenter & Cisco Nexus 1000V relationship established
2. Network Admin configures Nexus 1000V to support new ESX hosts
3. Server Admin plugs new ESX host into network & adds host to Cisco switch in vCenter
4. Repeat step three to add another host and extend the switch configuration

[Figure: the four steps shown across vCenter, the Nexus 1000V VSM and vSphere hosts with Nexus 1000V VEMs]

Policy Based VM Connectivity

Enabling Policy
1. Nexus 1000V automatically enables port groups in VMware vCenter
2. Server Admin uses vCenter to assign vnic policy from available port groups
3. Nexus 1000V automatically enables VM connectivity at VM power-on

Defined Policies: WEB Apps, HR, DB, DMZ. For example, WEB Apps:
- PVLAN 108, Isolated
- Security Policy = Port 80 and 443
- Rate Limit = 100 Mbps
- QoS Priority = Medium
- Remote Port Mirror = Yes

[Figure: VMs on a vSphere host with the Nexus 1000V VEM; policies defined on the Nexus 1000V VSM and assigned through vCenter]

Port Profile: Network Admin View

  n1000v# show port-profile name WebProfile
  port-profile WebProfile
    description:
    status: enabled
    capability uplink: no
    system vlans:
    port-group: WebProfile
    config attributes:
      switchport mode access
      switchport access vlan 110
      no shutdown
    evaluated config attributes:
      switchport mode access
      switchport access vlan 110
      no shutdown
    assigned interfaces:
      Veth10

Supported commands include: port management, VLAN, PVLAN, port-channel, ACL, NetFlow, port security, QoS
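The configuration that produces a port profile like the one shown above, as an added NX-OS example written for this page rather than configuration taken from the slide. The vEthernet profile reproduces the show output (access VLAN 110, port group WebProfile). The uplink profile is included to show the two fields that are empty in that output, capability uplink and system vlans; its name DataUplink, VLAN 120 for the ESX management VMkernel interface and the channel-group settings are assumptions.

```cisco
! Added example: vEthernet (VM-facing) port profile matching the show output above
port-profile type vethernet WebProfile
  vmware port-group
  switchport mode access
  switchport access vlan 110
  no shutdown
  state enabled

! Added example: uplink (physical NIC-facing) port profile; name, VLANs and
! channel-group settings are assumptions. Because it is "type ethernet" its show
! output reports "capability uplink: yes", and "system vlans: 120".
! A system VLAN keeps forwarding even while the VEM has no VSM connection
! (headless mode), so the host's management VLAN stays reachable. The vEthernet
! profile that carries the management vmknic must list the same system vlan.
port-profile type ethernet DataUplink
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 110,120
  channel-group auto mode on sub-group cdp
  no shutdown
  system vlan 120
  state enabled

! Verification from the VSM
! show port-profile name WebProfile    (config vs. evaluated attributes, assigned Veths)
! show port-profile name DataUplink
! show interface virtual               (which VM and host sit behind each Veth)
```

The check to make after every change is that "config attributes" and "evaluated config attributes" agree in the show output: the evaluated set is what the VEMs actually enforce, and a profile whose evaluated set differs (for example because an inherited parent profile changed) is the usual cause of a VM landing on the wrong VLAN.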

Port Profile: Server Admin View

[Figure: the server administrator's view of the port profile as a port group in vCenter; screenshot not reproduced]

Server and Access Virtualization Business Unit

Cisco Nexus 1010

Nexus 1010: VSM on an Appliance

- VSM on Virtual Machine: one 1000V VSM runs as a VM on a vSphere server, alongside the workload VMs switched by the 1000V VEM
- VSM on Nexus 1010: up to four 1000V VSMs run on the dedicated Cisco Nexus 1010 appliance, leaving the vSphere servers to the workload VMs

[Figure: left, a server running the 1000V VSM as a VM next to other VMs; right, the Cisco Nexus 1010 hosting four VSMs for servers that only run the 1000V VEM]

Feature Comparison

VSM on Virtual Machine
- NX-OS high availability of VSM
- VEM running on vSphere 4 Enterprise Plus
- Nexus 1000V features and scalability

VSM on Nexus 1010
- Network Team manages the switch hardware
- Installation like a standard Cisco switch
- NX-OS high availability of VSM
- VEM running on vSphere 4 Enterprise Plus
- Nexus 1000V features and scalability

NAM Virtual Blade on Nexus 1010

Optimize Application Performance and Network Resources
- Application Performance Monitoring
- Traffic Analysis and Reporting: applications, host, conversations, VLAN, QoS, etc.; per-application, per-user traffic analysis
- View VM-level Interface Statistics
- Packet Capture and Decodes
- Historical Reporting and Trending

[Figure: the Nexus 1000V VEM on vSphere feeds ERSPAN and NetFlow to the NAM Virtual Blade on the Nexus 1010; vCenter and the Nexus 1000V VSM alongside]

Cisco Nexus 1000V: Version 4.2(1)SV1(4) Update

New in Nexus 1000V, Version 4.2(1)SV1(4)
- Cisco vPath
- Class-Based Weighted Fair Queuing
- LACP Offload to VEM
- Network State Tracking
- Policy Based ERSPAN
- Restricting Port Profile Visibility in vCenter Server
- Increased Scalability
- Other Features

Cisco vPath

For Virtual Network Services, integrated into the Virtual Ethernet Module with:
- Intelligent Traffic Steering
- Decision Caching
- Performance Acceleration
- Integrated policy with Port Profile and Security Profile

Supports Virtual Service Nodes
- Virtual Security Gateway
- Virtual WAAS

[Figure: vPath inside the Nexus 1000V VEM]

Class-Based Weighted Fair Queuing on Nexus 1000V

- Provide bandwidth guarantee for up to 64 total queues on uplinks
- User defined queues (e.g. VM_Platinum, VM_Gold)
- 8 predefined traffic classes for VMware and N1KV protocol traffic
- Queuing configured via MQC
- Configure up to 56 custom queuing classes of VM, vApp data and other traffic
- Each queue can have a queue limit (# of packets)
- Queuing is done per physical uplink outbound
- 8 predefined protocol classes: vMotion, FT-Logging, iSCSI, NFS, ESX Management, N1K Control, N1K Packet, N1K Management

[Figure: VMs, a VMK NIC and vMotion sharing an uplink; the example allocation shows queues vMotion, VM_Platinum, VM_Gold, Default, ESX_Mgmt and N1K_Control/N1K_Packet with shares of 15%, 20%, 15%, 5%, 15% and 30% (the mapping of shares to queues is not recoverable from the extracted slide)]
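How the queuing described above is expressed in MQC on the VSM, as an added example that is not configuration from the slide. The class names, the percentages, the uplink profile name DataUplink and the use of CoS 5 to identify "platinum" VMs are assumptions; the predefined protocol classes are selected with "match protocol", the user-defined class with "match cos".

```cisco
! Added example: CBWFQ on a Nexus 1000V uplink via MQC (names and values assumed)

! Predefined protocol classes are matched by protocol keyword
class-map type queuing match-any q-vmotion
  match protocol vmw_vmotion
! Keep VSM-to-VEM control and packet traffic in their own guaranteed queue:
! starving it during congestion is what pushes a VEM into headless mode
class-map type queuing match-any q-n1k-control
  match protocol n1k_control
  match protocol n1k_packet
! User-defined class for platinum VMs, identified by the CoS their vEth profile sets
class-map type queuing match-any q-vm-platinum
  match cos 5

! Outbound queuing policy: guaranteed shares that only bite under congestion;
! keep the total at or below 100 percent, unused share is redistributed by WFQ
policy-map type queuing uplink-cbwfq
  class type queuing q-vmotion
    bandwidth percent 15
  class type queuing q-n1k-control
    bandwidth percent 10
  class type queuing q-vm-platinum
    bandwidth percent 20
  class type queuing class-default
    bandwidth percent 5

! Queuing is applied per physical uplink, outbound, so it lives on the ethernet profile
port-profile type ethernet DataUplink
  service-policy type queuing output uplink-cbwfq

! Marking policy so traffic from platinum VMs lands in q-vm-platinum;
! applied inbound on the VM-facing profile (traffic entering the VEM from the VM)
policy-map type qos mark-platinum
  class class-default
    set cos 5
port-profile type vethernet VM-Platinum
  service-policy type qos input mark-platinum

! Verification
! show policy-map type queuing uplink-cbwfq
! show policy-map interface ethernet 3/1    (per-class counters; module/port assumed)
```

The design point is that marking happens on the vEthernet side, where the switch knows which VM sent the frame, and queuing happens on the uplink side, where the contention actually occurs; a VM cannot promote itself into the platinum queue because the CoS value is set by the profile, not trusted from the guest.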

LACP Offload to VEM

- LACP is traditionally a control plane protocol run on the supervisor of a switch (the VSM on N1KV)
- When the VSM is down or disconnected, the VEM operates in headless mode, without the ability to perform LACP control plane operations
- LACP cannot be run on a single link between a VEM and the upstream network
- LACP Offload solves this problem by offloading all LACP operations to the VEM
- Makes the data plane more robust and helps in FCoE deployments where the VSM is behind the VEM

[Figure: LACP PDUs handled in the Nexus 1000V VEM data plane instead of the Nexus 1000V VSM control plane]

Network State Tracking

- Detect upstream Layer 2 network connectivity failure
- Automatically fail over to surviving connections for vPC Host Mode port channel
- Makes use of Network Tracking packet to probe interfaces on other SubGroups

[Figure: VMs behind a VEM whose uplinks MAC A (Sub-Group 0) and MAC B (Sub-Group 1) connect to the Data Center Network]

Increase DMZ Visibility with ERSPAN

Port Mirroring
- ERSPAN allows VM traffic to be mirrored to a traffic analyzer
- Mirrored traffic can traverse a Layer 3 Network
- Visibility through centralized L4-7 services (Firewall, Intrusion Detection System)

[Figure: VM traffic mirrored across the network to a Firewall and an Intrusion Detection System]

Policy Based ERSPAN

- ERSPAN all interfaces with the same policy
- Troubleshoot applications in the cloud

[Figure: many VMs on the Nexus 1000V Distributed Virtual Switch, all mirrored to an Intrusion Detection system by one policy]

Restricting Port Profile Visibility in vCenter Server

- Based on vCenter Server users and user groups, Port Profiles can be configured to restrict access
- Keeps server administrators from having to work through a large list of Port Groups
- Restricts access to sensitive Port Profiles to only privileged administrators
- Must define access on vCenter

Must enable the new feature on the VSM:

  feature port-profile-role

Configure and assign visibility, for example:

  port-profile-role adminUser
    description adminOnly
    user jsmith
  port-profile allaccess2
    assign port-profile-role adminUser

Increased Scalability

- 64 VEMs per VSM
- 2048 Active VLANs per VSM
- 2048 vEths per VSM
- 2048 Port-Profiles per VSM
- 4K MAC Addresses per VLAN
- 16K MAC Address Table per VEM

Red italicized entries on the original slide indicate increased scalability (formatting not preserved in this text)

Other Features

Updated Installer
- Installs L2 or L3 communications between VSM and VEM
- Configures active/standby VSM for HA

Access Control List on the VSM management interface

Ephemeral Port Binding
- Port ID is set and released upon VM power on/off
- Supports virtual desktop deployments

Hardware iSCSI Multipathing
- Leverages NIC based iSCSI multipathing

VIRTUALIZING THE DMZ

Virtualizing the DMZ

Mapping the Roles and Responsibilities
- Separation of duties for virtualization, security, and network administrators
- Implement existing policies and procedures
- Identical tools for physical network: minimize miscommunication

[Figure: the "show port-profile name WebProfile" output reproduced earlier under Port Profile: Network Admin View]

DMZ with Virtual and Physical Servers

Maintaining Isolation and Protection with Private VLAN
- Identical tools for physical and virtual machine network: minimize miscommunication
- Less time for accurate configuration where mistakes are costly

[Figure: VMs on two vSphere hosts with Nexus 1000V VEMs and physical servers placed in one Private VLAN Community, managed from the Nexus 1000V VSM]
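A Private VLAN layout for the DMZ described above, as an added example that is not configuration from the slides. It uses the "PVLAN 108, Isolated" setting from the WEB Apps policy earlier in the deck and the Private VLAN Community shown here; the primary VLAN 100, community VLAN 109, the profile names and the uplink name are assumptions.

```cisco
! Added example: isolated and community Private VLANs on the Nexus 1000V
! (VLAN numbers other than 108, profile and uplink names are assumed)
feature private-vlan

! Primary VLAN 100 is what the physical firewall/default gateway sees;
! the secondaries are only meaningful inside the 1000V
vlan 100
  private-vlan primary
  private-vlan association 108,109
! Isolated: web VMs reach the promiscuous uplink only, never each other
vlan 108
  private-vlan isolated
! Community: app-tier VMs in this secondary may talk among themselves
vlan 109
  private-vlan community

! VM-facing host profiles: each VM is bound to a secondary VLAN,
! the primary is never exposed to the guest
port-profile type vethernet DMZ-Web-Isolated
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 100 108
  no shutdown
  state enabled

port-profile type vethernet DMZ-App-Community
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 100 109
  no shutdown
  state enabled

! Uplink as a promiscuous PVLAN trunk: the VEM maps the secondaries onto the
! primary before frames leave the host, so isolation is enforced locally and the
! upstream switch only needs to carry VLAN 100; it does not need PVLAN support
port-profile type ethernet DMZ-Uplink
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan trunk allowed vlan 100,108,109
  switchport private-vlan mapping trunk 100 108,109
  channel-group auto mode on sub-group cdp
  no shutdown
  state enabled

! Verification
! show vlan private-vlan
! show port-profile name DMZ-Web-Isolated
```

Two things to check after deploying this: that a web VM cannot reach a neighbouring web VM on the same host (local enforcement in the VEM), and that it still reaches the gateway on the primary VLAN through the uplink. If the physical DMZ servers must share the same isolation, the upstream switch needs the matching PVLAN configuration on its own ports; the promiscuous trunk only removes that requirement for traffic entering and leaving the VEM.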

Virtualize the DMZ

Access Control List
- Restrict production VM access to sensitive parts of the data center
- Segregate traffic to/from the web server
- Protect management traffic (VMKernel)
- Protect servers (e.g. FTP, WWW)

  dcvsm(config)# ip access-list deny-vm-traffic-to-ftp-server
  dcvsm(config-acl)# deny tcp host 10.10.10.10 eq ftp any
  dcvsm(config-acl)# permit ip any any

[Figure: VMKernel, VM, FTP and WWW ports on a vSphere host, with the ACL protecting management traffic and servers]
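Applying an ACL of this kind to a port profile, as an added example that is not configuration from the slide. The ACL name prod-vm-to-dmz, the profile name Production-VMs, the FTP server address 10.10.10.10 (reused from the slide) and the management subnet 10.20.0.0/24 are assumptions; the point of the example is the direction keyword, which is the detail most often got wrong when moving ACLs from physical ports to vEthernet ports.

```cisco
! Added example: a VSM ACL attached to a VM-facing port profile (names and addresses assumed)
! On a vEthernet port, "in" is traffic entering the VEM from the VM, so an inbound ACL on
! the production VM profile filters what the VM can initiate before the packet leaves the host.
ip access-list prod-vm-to-dmz
  ! production VMs may not open FTP control connections to the DMZ FTP server
  deny tcp any host 10.10.10.10 eq ftp
  ! production VMs may not reach SSH on the management subnet (VMkernel/service console side)
  deny tcp any 10.20.0.0/24 eq 22
  ! everything else is allowed; without this line the implicit deny drops all other traffic
  permit ip any any

port-profile type vethernet Production-VMs
  vmware port-group
  switchport mode access
  switchport access vlan 110
  ip port access-group prod-vm-to-dmz in
  no shutdown
  state enabled

! Verification
! show ip access-lists prod-vm-to-dmz
! show running-config port-profile Production-VMs
```

Because the profile is the unit of policy, every VM that the server administrator attaches to Production-VMs inherits the ACL, and the ACL follows the VM through vMotion; that is what "Policy Mobility" in the feature list means in practice, and it is also why a change to the ACL should be treated as a change to every VM in the profile.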

Increase DMZ Visibility with ERSPAN

Port Mirroring
- ERSPAN allows VM traffic to be mirrored to a traffic analyzer
- Mirrored traffic can traverse a Layer 3 Network
- Visibility through centralized L4-7 services (Firewall, Intrusion Detection System)

[Figure: VM traffic mirrored across the network to a Firewall and an Intrusion Detection System]

Increase DMZ Visibility with NetFlow

Network Statistics
- NetFlow allows network statistics to be exported
- Anomaly detection across virtual to physical servers
- Distributed network application monitoring, for both physical and virtual applications
- Network planning: assist with growth and scaling of the data center
- Network Analysis

[Figure: VMs on a vSphere host exporting NetFlow records to a network analysis system]
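The two visibility features from this slide and from the Policy Based ERSPAN slide earlier, configured on the VSM, as an added example that is not configuration from the deck. The collector addresses 192.0.2.50 and 192.0.2.60, the session, record, exporter and monitor names and the ERSPAN ID are assumptions; the ESX host also needs a VMkernel interface from which the VEM sends the encapsulated copies, which is not shown here.

```cisco
! Added example: policy-based ERSPAN plus NetFlow v9 export from the VEM (names and addresses assumed)
! ERSPAN ships a full copy of the VM traffic in GRE over IP, unencrypted, so the collector
! should sit on a monitoring network that the mirrored DMZ VMs themselves cannot reach.
feature netflow

! Policy-based ERSPAN: every interface that inherits WebProfile is mirrored,
! including VMs added to the profile later or moved by vMotion
monitor session 1 type erspan-source
  description web-tier-to-ids
  source port-profile WebProfile both
  destination ip 192.0.2.50
  erspan-id 101
  ip ttl 64
  no shut

! NetFlow v9: 5-tuple record with byte and packet counters, exported over UDP
flow record dmz-record
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  match transport source-port
  match transport destination-port
  collect counter bytes
  collect counter packets
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last
flow exporter dmz-exporter
  destination 192.0.2.60
  transport udp 2055
  source mgmt 0
  version 9
flow monitor dmz-monitor
  record dmz-record
  exporter dmz-exporter

! Attach the monitor to the VM-facing profile; "input" is traffic from the VM
port-profile type vethernet WebProfile
  ip flow monitor dmz-monitor input

! Verification
! show monitor session 1
! show flow monitor dmz-monitor
! show flow exporter dmz-exporter
```

ERSPAN gives the IDS the packets, NetFlow gives the analysis system the conversations; the practical difference for a DMZ is volume. Mirroring a busy profile across a Layer 3 path costs the full bandwidth of that profile on the uplink and on the monitoring network, while NetFlow export is a small fraction of it, so the usual split is NetFlow everywhere and ERSPAN only on the profiles the IDS actually needs.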

Recommendations for Securing Virtualized DMZ*

Nexus 1000V Secures Virtualized DMZ
1. Consistent security in physical and virtual environment
2. Secure the hypervisor using VMware recommendations
3. Limit VMs with different security affinities on same server
4. Limit connectivity to Service Console and VMKernel
5. Secure VM-to-VM traffic flows
6. Use monitoring tools to increase visibility of VM traffic
7. Document virtual and physical network connections
8. Clear separation of roles and responsibilities
9. Enforce clearly defined change management controls
10. Perform ongoing auditing and monitoring

*http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/dmz_virtualization_vsphere4_nexus1000V.pdf

Summary
- Version 4.2(1)SV1(4) provides updated Nexus 1000V capabilities
- Virtualized network services with Cisco vPath
- Numerous features preparing cloud deployment
- Enhanced scalability and stability

Are you ready for the cloud?
