BRKDCT-2840
David Jansen, CCIE #5952, Technical Solutions Architect, Data Center, dajansen@cisco.com
Reference Sessions
- BRKDCT-2011 - Design and Deployment of Data Center Interconnects using (Advanced) A-VPLS, Amit Singh
- BRKDCT-2048 - Deploying Virtual Port Channel in NXOS, Francis Guillier
- BRKDCT-2049 - Introduction to Overlay Transport Virtualization: Extending the Data Center Layer 2 Connectivity, Natale Ruello
- BRKDCT-2081 - Cisco FabricPath Technology and Design, Tim Stevenson
- BRKSAN-2704 - Storage Area Network Extension Design and Operation, Mark Allen
- BRKDCT-3060 - Deployment Challenges with Interconnecting Data Centers, Max Ardica & Patrice Bellagamba
- BRKDCT-3103 - Advanced OTV - Configure, Verify and Troubleshoot OTV in Your Network, Bhanu Vemula
- BRKCRS-3045 - LISP, Dino Farinacci & Greg Schudel
- BRKDCT-9131 - Mobility and Virtualization in the Data Center with LISP and OTV, Victor Moreno
BRKDCT-2840 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public
Session Agenda
- Data Center Interconnection Common Scenarios and Terms
- Dark Fiber / DWDM Solutions
- Label Based Solutions
- IP Based Solutions
- Encryption
- Recommended Designs for Optimizing Traffic Flows
- Q&A
Layer 2 Risks
- Flooding of packets between data centers
- Spanning Tree (STP) is not easily scalable, and the risk grows as the diameter grows
- STP has no domain isolation: an issue in a single DC can propagate
- First hop resolution and inbound service selection can cause verbose inter-data center traffic
- Redesign the data center STP domain using Multiple Spanning Tree (MST) regions
- STP domain concept: a fundamental change requiring a large time investment
- BPDU Guard
- Root Guard
- Loop Guard
- Bridge Assurance (Catalyst 6500, Nexus 5000/5500 and 7000)
Nexus 7000 with Virtual Port-Channels (supported distance: 80 km with ZR-X2 over dark fiber)
- All traffic flows to a vPC/VSS member node
- Hub-and-spoke topology from a layer 2 perspective
- Dedicated links to vPC/VSS members from each data center aggregation switch
- Can consume lambdas or fiber strands quickly
[Figure: Data Center #1 and Data Center #2, each with a vPC / VSS pair, interconnected over L2 long-haul fiber/DWDM and L2 local fiber; BPDU filtering on the DCI-facing ports]
- vPC/VSS domain IDs for facing vPC/VSS layers should be different
- BPDU filter on the edge devices to avoid BPDU propagation
- STP edge mode to provide fast failover times
- No loop must exist outside the vPC/VSS domain
- No L3 peering between Nexus 7000 devices (i.e. pure layer 2)
[Figure: Data Center #1 and Data Center #2 with VSS/vPC pairs, BPDU filtering on the L2 local fiber links between them]
[Figure: Data Center #1 and Data Center #2 Nexus 7000 vPC pairs, P marking the routed peering points]
Nexus 7000 configured for L2 transport only; SVI passive-interface (no IGP peering)
[Figure: Data Center #1 and Data Center #2 Nexus 7000 vPC pairs with parallel routed interfaces (P)]
Peering over a vPC interconnection on parallel routed interfaces; SVI passive-interface (no IGP peering)
[Figure: Data Center #3 added with vPC+; Data Center #2 running classic Ethernet STP (CE)]
Leverage vPC+ for brownfield / greenfield DC STP integration
MPLS Solutions
[Figure: VPLS reference topology: CE - PE (VFI) - MPLS core - PE (VFI) - CE]
Loop Prevention
- Create a full mesh of pseudowire VCs (EoMPLS)
- A unidirectional LSP carries VCs between a pair of N-PEs per VPLS
- Uses split horizon concepts to prevent loops
EoMPLS MTU (1500-byte payload)
                        Untagged    802.1Q tagged
Payload                 1500        1500
L2 header               14          18
Number of labels        2           2
Label size              4           4
Frame size              1522        1526
[Figures: dual data center topology with DC Core, Aggregation (Agg), Access and Server Farm layers at each site; Metro Core switches interconnected by EoMPLS pseudowires (PW) terminating in a VFI; legend: L2 links (GE or 10GE), L3 links (GE or 10GE), loss of link/node]
VFI configuration on the N-PEs (each lists its three mesh neighbors):

l2 vfi vlan3700 manual
 vpn id 3700
 neighbor 192.168.255.250 encapsulation mpls
 neighbor 192.168.255.251 encapsulation mpls
 neighbor 192.168.255.253 encapsulation mpls

l2 vfi vlan3700 manual
 vpn id 3700
 neighbor 192.168.255.250 encapsulation mpls
 neighbor 192.168.255.252 encapsulation mpls
 neighbor 192.168.255.253 encapsulation mpls

l2 vfi vlan3700 manual
 vpn id 3700
 neighbor 192.168.255.250 encapsulation mpls
 neighbor 192.168.255.251 encapsulation mpls
 neighbor 192.168.255.252 encapsulation mpls

[Figure: the VFI configurations placed on the Metro Core / DC Core topology with pseudowires between the Metro Cores; legend: L2 links (GE or 10GE), L3 links (GE or 10GE)]
[Figure: VLAN 3700 attached to the VFI through its SVI on the Metro Core; legend: L2 links (GE or 10GE), L3 links (GE or 10GE)]

interface Vlan3700
 no ip address
 load-interval 30
 xconnect vfi vlan3700
Spanning Tree
- Spanning-Tree BPDUs will NOT traverse between the Data Centers: they aren't needed (and are blocked) with VPLS
- We still need to control data plane layer 2 events (i.e., limit the traffic)
- Since enterprises want dual N-PE devices, and VPLS blocks BPDUs, we require a method to block loops within a local DC
End-to-End L2 View
Broadcast, Multicast, Unknown Unicast
[Figure: DC Core, Metro Core pair (RSTP), Aggregation and Access at each site, blocked ports marked X; legend: L2 links (GE or 10GE), L3 links (GE or 10GE)]
Without a layer 2 link between the Metro switches there is a loop: each side has a U shape through the Metro and Agg switches, leading to broadcast storms.
[Figure: Metro Core pair running MST with an L2 link between them, RSTP on aggregation and access; one aggregation uplink blocked (X)]
Spanning-Tree
- MST (802.1s) represents the Metro Cores as a single bridge
- The blue Layer 2 link is an access port-channel carrying a VLAN that represents the MST0 instance, making the Metro Cores one MST group
- MST bridge priority set to 0 (Metro Core will be root of the inter-DC VLANs)
- Spanning-tree root guard enabled on the Metro Cores toward the aggregation switches (protects in case the blue MST link fails)
- Only inter-DC VLANs allowed on trunks to/from the aggregation switches
- Setting the spanning-tree VLAN cost on the aggregation switches' links to the Metro Core places some VLANs on the upper Metro Core and some on the lower by default
[Figure: the Metro Core pair as a single L2 MST bridge]
[Figure: Metro Core MST bridge pair with root guard toward aggregation; aggregation and access running RSTP; blocked ports marked X]
interface Port-channel4
 description Port Channel to WestMetroCore2
 spanning-tree vlan 3700,3704,3712,3716 cost 8
Root Bridge in East DC for all VLANs that Go Between Data Centers
[Figure: DC Core, Metro Core pair running ICCP/vPC toward RSTP aggregation and access at each site; legend: L2 links (GE or 10GE), L3 links (GE or 10GE)]
[Figure: aggregation switches dual-attached to a VSS system (VSL) at each site, the VSS systems connected over the IP/MPLS cloud]
- Leveraging VSS at the DCI edge provides nPE redundancy
- Use of VSS is transparent to the VPLS cloud
- Equivalent to having the sites single-attached (single virtual PE)
[Figures: aggregation switches attached to VSS nPE pairs (VSL) at two sites with loopbacks 1.1.1.1 and 2.2.2.2 and OSPF in the core; a pseudowire label (PW Lbl2) carrying VLAN20; an LSP/GRE tunnel between the VSS systems across the IP/MPLS cloud]
- Up to 8 equal cost paths between any two sites
- A label is assigned to each equal cost path based on routing reachability of the neighbor
- Simplified CLI: Virtual Ethernet interface
- Load balancing at L2/L3/L4
A-VPLS Solution
[Figure: aggregation switches attached to VSS nPE systems (VSL) at each site, the nPEs fully meshed across the core]
Split horizon between neighbors; all neighbors are wanted for loop avoidance and multipoint support.
Configuration A-VPLS
[Figure: PE1 (1.1.1.1), PE2 (2.2.2.2) and PE3 (3.3.3.3) connected over IP/MPLS]
PE1 (1.1.1.1):

pseudowire-class cl1
 encap mpls
 ! enable ML PW (ECMP LB)
 ! enable FAT PW
interface virtual-ethernet 1
 transport vpls mesh
  neighbor 2.2.2.2 pw-class cl1
  neighbor 3.3.3.3 pw-class cl1
 switchport
 switchport mode trunk
 switchport trunk allowed vlan 10, 20
A-VPLS Routed/IRB PW
[Figure: MPLS cloud between WCore1/WCore2 and ECore1/ECore2 (SIP-400 Ten3/0/0), DC Core VSS, EAgg1 aggregation and access; legend: L2 links (GE or 10GE), L3 links (GE or 10GE), loss of link/node]
A-VPLS with Integrated Routing and Bridging: the L2 boundary does not extend beyond the aggregation layer
Storm Control
- Traffic storms occur when packets flood the LAN
- The traffic storm control feature prevents LAN ports from being disrupted by broadcast or multicast flooding
- Rate limiting for unknown unicast (UU) must be handled at the Data Center aggregation; unknown unicast flood rate limiting (UUFRL):

mls rate-limit layer2 unknown rate-in-pps [burst-size]

- Storm Control is configured as a percentage of the link that storm traffic is allowed to use:

storm-control broadcast level 1.00
storm-control multicast level 1.00

(the percentage of bandwidth may vary; the value needs to be baselined)
Limits depend on the amount of L2 traffic, especially multicast, as these frames are replicated on each PW.
A-VPLS
- Backwards compatible
- Load balancing enhancements
- Simplified configuration
- Single virtual nPE
IP Based Solutions
- GRE provides routing separation from the metro core devices providing connectivity: Customer Edge (CE) flapping routes won't propagate inside the IP network
- Point-to-point links between locations
- VPLS connectivity over an IP-only network: VPLS VCs are established over MPLSoGRE tunnels; requires a SIP-400 on the 6500 with SUP720
[Figure: PEs hosting VPLS instances and an EoMPLS instance, interconnected by MPLSoGRE tunnels over the IP network]
[Figures: MCEC with Nexus 7000 vPC: aggregation switches attached to L3 nPE pairs, the L2 Etherchannel toward the VSS (VSL) being viewed as one device; access layer below aggregation]
interface Loopback0
 description tunnel source
 ip address 10.10.10.2 255.255.255.0
interface Loopback1
 description LDP Router ID
 ip address 11.11.11.2 255.255.255.255
interface Tunnel 10
 ip address 192.168.10.2 255.255.255.0
 tunnel source 10.10.10.2
 tunnel destination 10.10.10.1
 mpls ip
ip route 11.11.11.1 255.255.255.255 Tunnel 10
interface gig 1/0
 switchport
 switchport mode access
 switchport access vlan 10
 mtu 9216
interface GigabitEthernet3/0/1
 description SIP-400 Interface
 mtu 9216
 ip address 192.168.33.4 255.255.255.0
 bfd interval 100 min_rx 100 multiplier 3
l2 vfi vfi-vlan10
 vpn id 10
 neighbor 11.11.11.1 encapsulation mpls
interface Vlan 10
 xconnect vfi vfi-vlan10
 mtu 9216
High Resiliency
- Failure domain isolation
- Seamless multi-homing
- Maximizes available bandwidth
- Automated multi-pathing
- Optimal multicast replication
[Figure: OTV edge device with internal interfaces (L2, toward the site), a join interface (L3, toward the core) and the overlay interface]
The neighbor relationship can be built over a transport infrastructure that can be:
- multicast-enabled
- unicast-only
Technology benefit: OTV can leverage any networking capability provided by the transport infrastructure (multicast, fast-reroute, ECMP)
Multicast-enabled Transport
[Figure: West (IP A) and East (IP B) OTV edge devices exchanging the OTV control plane across the core]
The mechanism
- Edge Devices (EDs) join a multicast group in the transport, as if they were hosts (no PIM on EDs)
- OTV hellos and updates are encapsulated in the multicast group
The end result
- Adjacencies are maintained over the multicast group
- A single update reaches all neighbors
[Figure: West (IP A) and East (IP B) OTV edge devices over a unicast-only transport]
The mechanism
- Edge Devices (EDs) register with an Adjacency Server ED
- EDs receive a full list of Neighbors (oNL) from the Adjacency Server
- OTV hellos and updates are encapsulated in IP and unicast to each neighbor
- The outer OTV shim header contains information about the overlay (VLAN, overlay number)
- The 802.1Q header is removed from the original frame and the VLAN field copied over into the OTV shim header
[Figure: OTV encapsulation: outer DMAC (6B), SMAC (6B), EtherType (2B), IP header (20B), OTV shim (8B), the original L2 frame with its 802.1Q header removed (VLAN 100 carried in the shim), CRC (4B)]
[Figure: unicast packet walk from MAC 1 (West, IP A) to MAC 3 (East, IP B): 1 Layer 2 lookup, 2 encap, 3 core, 4 decap, 5 Layer 2 lookup; the West MAC table lists MAC 1 on Eth 2, MAC 2 on Eth 1, MAC 3 and MAC 4 on IP B; the East MAC table lists MAC 1 and MAC 2 on IP A, MAC 3 on Eth 3, MAC 4 on Eth 4]
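As an added illustration of the encapsulation described above (not code from the session or from Cisco), the following Python models the OTV data-plane wrap: the 802.1Q tag is stripped, its VLAN copied into an 8-byte shim behind a 20-byte IP header and a 14-byte outer MAC header, and the receiving edge device validates the IP header before restoring the tag. The shim layout and the IP protocol number 47 are assumptions; the MAC and IP addresses are constructed sample values.

```python
import struct

ETHERTYPE_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
OTV_IP_PROTO = 47              # assumption: GRE-style protocol number carrying the OTV shim
OTV_OVERHEAD = 14 + 20 + 8     # outer MAC + IP header + OTV shim, as on the slide
IP_A = bytes([10, 0, 0, 1])    # constructed: West edge device join-interface address
IP_B = bytes([10, 0, 0, 2])    # constructed: East edge device join-interface address


def _ipv4_checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def otv_encap(frame: bytes, src_ip: bytes, dst_ip: bytes, overlay: int,
              outer_smac: bytes, outer_dmac: bytes) -> bytes:
    """Wrap an 802.1Q-tagged site frame for the overlay: strip the tag, carry its
    VLAN in the shim, then prepend the IP header and the outer MAC header."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        raise ValueError("inner frame must carry an 802.1Q tag")
    vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF   # priority bits are not kept
    inner = frame[:12] + frame[16:]                        # 802.1Q header removed
    shim = struct.pack("!HHI", 0, vlan, overlay)           # assumed shim layout (8 bytes)
    total_len = 20 + len(shim) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, 64,
                     OTV_IP_PROTO, 0, src_ip, dst_ip)      # DF set: no fragmentation
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    return outer_dmac + outer_smac + struct.pack("!H", ETHERTYPE_IPV4) + ip + shim + inner


def otv_decap(packet: bytes) -> dict:
    """Reverse of otv_encap on the receiving edge device: validate the IP header,
    read VLAN and overlay from the shim and re-insert the 802.1Q tag."""
    if len(packet) < 42 or struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ip = packet[14:34]
    if ip[0] != 0x45 or ip[9] != OTV_IP_PROTO or _ipv4_checksum(ip) != 0:
        raise ValueError("corrupt IP header or not an OTV packet")
    total_len = struct.unpack("!H", ip[2:4])[0]
    _, vlan, overlay = struct.unpack("!HHI", packet[34:42])
    inner = packet[42:14 + total_len]
    frame = inner[:12] + struct.pack("!HH", ETHERTYPE_8021Q, vlan) + inner[12:]
    return {"vlan": vlan, "overlay": overlay, "src_ip": ip[12:16],
            "dst_ip": ip[16:20], "frame": frame}


def is_valid_otv(packet: bytes) -> bool:
    """True when the packet decapsulates cleanly (rejects corrupted input)."""
    try:
        otv_decap(packet)
        return True
    except ValueError:
        return False


def sample_frame(vlan: int = 100) -> bytes:
    """Constructed tagged frame from MAC 1 to MAC 3, the slide's West-to-East flow."""
    mac1, mac3 = bytes.fromhex("020000000001"), bytes.fromhex("020000000003")
    return (mac3 + mac1 + struct.pack("!HH", ETHERTYPE_8021Q, vlan)
            + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46))


def demo() -> tuple:
    """Encapsulate, decapsulate and report the bytes added on the wire."""
    frame = sample_frame()
    pkt = otv_encap(frame, IP_A, IP_B, 1,
                    bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"))
    return len(pkt) - (len(frame) - 4), otv_decap(pkt)


if __name__ == "__main__":
    added, out = demo()
    print(f"overhead {added} bytes, vlan {out['vlan']}, overlay {out['overlay']}")
```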
Multi-Homing
Per VLAN Authoritative Edge Device
- OTV provides loop-free multi-homing by electing a designated forwarding device per site for each VLAN
- This forwarder is known as the Authoritative Edge Device (AED)
- The Edge Devices at the site peer with each other on the internal interfaces to elect the AED
- A hash based on the VLAN-ID and the number of edge devices on the site is used to elect the AED
- As sites merge and/or partition, internal peering is updated and AED re-election happens
[Figure: two OTV edge devices at a site, internal peering for AED election]
Multi-Homing
AED and Broadcast/Multicast Handling
- Broadcast/multicast packets reach all Edge Devices within a site
- The AED for the VLAN is the only Edge Device that forwards b-cast/m-cast packets onto the overlay network
- The b-cast/m-cast packet is replicated to all the Edge Devices on the overlay
- Only the AED at each remote site will forward the packet from the overlay onto the site
- Once sent into the site, the b-cast/m-cast packet is replicated per regular switching
[Figure: a broadcast packet entering a site, forwarded onto the overlay by the AED only and delivered into the remote sites by their AEDs]
Multi-Homing
AED and Unicast Forwarding
- One AED is elected for each VLAN on each site
- Different AEDs can be elected for each VLAN to balance traffic load
- Only the AED forwards unicast traffic to and from the overlay
- Only the AED advertises MAC addresses for any given site/VLAN
- Unicast routes will point to the AED on the corresponding remote site/VLAN
[Figure: MAC table with VLAN 100 (MAC 1) and VLAN 201 (MAC 2) pointing to the AED's IP (IP A / IP B) at the remote site]
Configuration
OTV over a Multicast Transport
Minimal configuration required to get OTV up and running

West (IP A):
feature otv
otv site-vlan 600
interface Overlay1
 description WEST-DC
 otv join-interface e1/1
 otv control-group 239.1.1.1
 otv data-group 232.192.1.0/24
 otv extend-vlan 100-150

East (IP B):
feature otv
otv site-vlan 602
interface Overlay1
 description EAST-DC
 otv join-interface e1/1.10
 otv control-group 239.1.1.1
 otv data-group 232.192.1.0/24
 otv extend-vlan 100-150

South (IP C):
feature otv
otv site-vlan 601
interface Overlay1
 description SOUTH-DC
 otv join-interface Po16
 otv control-group 239.1.1.1
 otv data-group 232.192.1.0/24
 otv extend-vlan 100-150
Configuration
OTV over a unicast-only transport
Establishing a DCI has never been this simple

West (IP A):
feature otv
otv site-vlan 600
interface Overlay1
 description WEST-DC
 otv join-interface e1/1
 otv adjacency-server local
 otv extend-vlan 100-150

East (IP B):
feature otv
otv site-vlan 602
interface Overlay1
 description EAST-DC
 otv join-interface e1/1.10
 otv adjacency-server 10.1.1.1
 otv extend-vlan 100-150

South (IP C):
feature otv
otv site-vlan 601
interface Overlay1
 description SOUTH-DC
 otv join-interface Po16
 otv adjacency-server 10.1.1.1
 otv extend-vlan 100-150
Localized HSRP

ip access-list ALL_IPs
 10 permit ip any any
mac access-list ALL_MACs
 10 permit any any
ip access-list HSRP_IP
 10 permit udp any 224.0.0.2/32 eq 1985
 20 permit udp any 224.0.0.102/32 eq 1985
mac access-list HSRP_VMAC
 10 permit 0000.0c07.ac00 0000.0000.00ff any
 20 permit 0000.0c9f.f000 0000.0000.0fff any
vlan access-map HSRP_Localization 10
 match mac address HSRP_VMAC
 match ip address HSRP_IP
 action drop
vlan access-map HSRP_Localization 20
 match mac address ALL_MACs
 match ip address ALL_IPs
 action forward
vlan filter HSRP_Localization vlan-list 100-104,1100,1200,1300

mac-list OTV_HSRP_VMAC_deny seq 10 deny 0000.0c07.ac00 ffff.ffff.ff00
mac-list OTV_HSRP_VMAC_deny seq 11 deny 0000.0c9f.f000 ffff.ffff.f000
mac-list OTV_HSRP_VMAC_deny seq 20 permit 0000.0000.0000 0000.0000.0000
route-map OTV_HSRP_filter permit 10
 match mac-list OTV_HSRP_VMAC_deny
otv-isis default
 vpn Overlay0
  redistribute filter route-map OTV_HSRP_filter
otv site-vlan 601
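The following Python is an added example (not part of the session) that replays the two filters above against constructed frames: the VACL's wildcard-mask MAC match plus UDP/1985 check that drops HSRP hellos at the site boundary, and the OTV mac-list, whose mask has the opposite meaning (set bits must match), that keeps the virtual MAC out of the overlay advertisements so each site keeps its own active gateway and remote hellos cannot influence the local election. The assumption that a VACL sequence carrying both a MAC and an IP clause requires both to match is marked in the code.

```python
from dataclasses import dataclass


def mac_int(mac: str) -> int:
    """Parse dotted (0000.0c07.ac00) or colon MAC notation into a 48-bit integer."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def acl_mac_match(mac: str, entry: str, wildcard: str) -> bool:
    """'mac access-list' semantics: bits set in the wildcard are don't-care."""
    care = ~mac_int(wildcard) & 0xFFFFFFFFFFFF
    return (mac_int(mac) & care) == (mac_int(entry) & care)


def maclist_match(mac: str, entry: str, mask: str) -> bool:
    """'mac-list' semantics (used by the OTV route-map): bits set in the mask must match."""
    m = mac_int(mask)
    return (mac_int(mac) & m) == (mac_int(entry) & m)


# The VACL from the slide, transcribed as data
HSRP_VMAC = [("0000.0c07.ac00", "0000.0000.00ff"),   # HSRPv1 virtual MACs
             ("0000.0c9f.f000", "0000.0000.0fff")]   # HSRPv2 virtual MACs
HSRP_IP = {("224.0.0.2", 1985), ("224.0.0.102", 1985)}   # v1 / v2 hello destinations
FILTERED_VLANS = set(range(100, 105)) | {1100, 1200, 1300}


@dataclass
class Frame:
    vlan: int
    smac: str
    dst_ip: str
    proto: str
    dport: int


def vacl_action(f: Frame) -> str:
    """Evaluate vlan access-map HSRP_Localization for one frame ('drop' or 'forward').
    Assumption: sequence 10 requires both its MAC clause and its IP clause to match."""
    if f.vlan not in FILTERED_VLANS:
        return "forward"                 # the vlan filter is not applied to this VLAN
    vmac = any(acl_mac_match(f.smac, e, w) for e, w in HSRP_VMAC)
    hello = f.proto == "udp" and (f.dst_ip, f.dport) in HSRP_IP
    if vmac and hello:
        return "drop"                    # seq 10: HSRP hello sourced from a virtual MAC
    return "forward"                     # seq 20: ALL_MACs / ALL_IPs


# route-map OTV_HSRP_filter -> mac-list OTV_HSRP_VMAC_deny, in sequence order
OTV_MAC_LIST = [("deny", "0000.0c07.ac00", "ffff.ffff.ff00"),
                ("deny", "0000.0c9f.f000", "ffff.ffff.f000"),
                ("permit", "0000.0000.0000", "0000.0000.0000")]   # mask 0 = any MAC


def advertised_over_otv(mac: str) -> bool:
    """True if OTV IS-IS would redistribute this MAC to the remote sites."""
    for action, entry, mask in OTV_MAC_LIST:
        if maclist_match(mac, entry, mask):
            return action == "permit"
    return False                          # implicit deny at the end of the mac-list


# Constructed sample traffic as seen by the OTV edge device
SAMPLE = [
    Frame(100, "0000.0c07.ac05", "224.0.0.2", "udp", 1985),     # HSRPv1 hello, group 5
    Frame(1100, "0000.0c9f.f001", "224.0.0.102", "udp", 1985),  # HSRPv2 hello, group 1
    Frame(100, "0000.0c07.ac05", "10.1.1.50", "tcp", 443),      # data sourced from the gateway VMAC
    Frame(200, "0000.0c07.ac05", "224.0.0.2", "udp", 1985),     # hello on an unfiltered VLAN
]


def audit(frames=SAMPLE) -> list:
    """Return (VACL action, advertised over OTV) for each frame's source MAC."""
    return [(vacl_action(f), advertised_over_otv(f.smac)) for f in frames]


if __name__ == "__main__":
    for f, (act, adv) in zip(SAMPLE, audit()):
        print(f"vlan {f.vlan:<5} {f.smac} -> {f.dst_ip}:{f.dport}  VACL={act:<8} OTV-advertised={adv}")
```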
OTV Summary
- STP isolation: BPDUs are not forwarded over the overlay
- Multi-homing support
- Optimal multicast replication
MTU overhead with MPLSoGRE (1500-byte payload)
Encapsulation                               Overhead       Frame size
MPLSoGRE PE to P, 1 label                   4 + 24         1528
MPLSoGRE PE to P, 2 labels                  8 + 24         1532
EoMPLS over MPLSoGRE, 30-byte header*       30 + 24        1554
EoMPLS over MPLSoGRE, 26-byte header        26 + 24        1550
EoMPLS over MPLSoGRE, 42 bytes total        42             1542
* 30 = 6 src MAC addr + 6 dst MAC addr + 4 VLAN information + 2 Type field + 4 control word + 4 VC label + 4 tunnel label
[Table partially recovered from the slide]
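An added helper (not from the session) that reproduces the EoMPLS and MPLSoGRE figures above from the per-header sizes and checks a configured core MTU, such as the 9216 used in the MPLSoGRE configuration, against a given stack. The 1550 and 1542 rows are reproduced assuming a 26-byte (untagged) and an 18-byte (untagged, no control word, single label) L2/PW header, and the 24-byte outer header is taken as 20 bytes IPv4 plus 4 bytes GRE.

```python
# Header sizes in bytes, from the session's overhead breakdown
PAYLOAD = 1500
MAC_HEADER = 6 + 6 + 2          # src MAC addr + dst MAC addr + Type field
VLAN_INFO = 4                   # 802.1Q VLAN information
CONTROL_WORD = 4
MPLS_LABEL = 4                  # VC label or tunnel label
GRE_IP = 20 + 4                 # assumption: the 24-byte column is IPv4 (20) + GRE (4)


def eompls_header(tagged: bool, control_word: bool, labels: int) -> int:
    """Bytes an N-PE puts in front of the customer payload on an EoMPLS pseudowire."""
    size = MAC_HEADER + labels * MPLS_LABEL
    if tagged:
        size += VLAN_INFO
    if control_word:
        size += CONTROL_WORD
    return size


def frame_size(payload: int, header: int, over_gre: bool = False) -> int:
    """Size of the packet on the core link, adding the outer IP/GRE header when the
    MPLS stack rides an MPLSoGRE tunnel."""
    return payload + header + (GRE_IP if over_gre else 0)


def mtu_check(core_mtu: int, payload: int, header: int, over_gre: bool = False) -> dict:
    """Verify that a core interface MTU carries the stack without fragmentation.
    The encapsulation is added by the PE, not by the host, so host-side PMTUD
    never sees the larger frame; an undersized core MTU drops or fragments it."""
    needed = frame_size(payload, header, over_gre)
    return {"needed": needed, "ok": core_mtu >= needed,
            "max_payload": core_mtu - (needed - payload)}


def slide_tables() -> dict:
    """Reproduce the two MTU tables: EoMPLS (2 labels) and the MPLSoGRE variants."""
    return {
        "eompls_untagged": frame_size(PAYLOAD, eompls_header(False, False, 2)),
        "eompls_tagged": frame_size(PAYLOAD, eompls_header(True, False, 2)),
        "mplsogre_1_label": frame_size(PAYLOAD, 1 * MPLS_LABEL, over_gre=True),
        "mplsogre_2_labels": frame_size(PAYLOAD, 2 * MPLS_LABEL, over_gre=True),
        "eompls_gre_full": frame_size(PAYLOAD, eompls_header(True, True, 2), over_gre=True),
        # assumed header mixes for the 1550 and 1542 rows
        "eompls_gre_untagged": frame_size(PAYLOAD, eompls_header(False, True, 2), over_gre=True),
        "eompls_gre_single": frame_size(PAYLOAD, eompls_header(False, False, 1), over_gre=True),
    }


if __name__ == "__main__":
    for name, size in slide_tables().items():
        print(f"{name:<22} {size}")
    # the 9216-byte MTU from the MPLSoGRE configuration against the largest stack
    print(mtu_check(9216, PAYLOAD, eompls_header(True, True, 2), over_gre=True))
```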
Encryption
[Figure: DC-1 N7000-1 (e1/25, 55.5.5.1) directly connected to DC-2 N7000-2 (e1/25, 55.5.5.2)]
Nexus 7000 TrustSec can be used to secure data across remote data centers if Layer 2 and BPDU transparency is ensured (e.g. dark fiber or DWDM transport).
Encryption Solution
[Figure: 802.1AE link between N7000-1 (DC-1, e1/25, 55.5.5.1) and N7000-2 (DC-2, e1/25, 55.5.5.2), carried over an EoMPLS pseudowire between the edge routers (gi 0/0/0 and gi 0/0/3 on each side)]
[Figure: vPC pairs DC1-Nexus7000-1 / DC1-Nexus7000-2 and DC2-Nexus7000-1 / DC2-Nexus7000-2]
Conclusions
- The TrustSec SAP (Security Association Protocol) control plane is preserved through the EoMPLS pseudowire.
- 802.1AE connectivity can be achieved between the two Nexus 7000s through the ASR/6500 devices, with confidentiality and integrity.
- Such a solution can be deployed to preserve data confidentiality and integrity through Nexus 7000 when interconnecting remote data centers over an EoMPLS network.
[Figure: DC 1 and DC 2 connected over MPLSoGREoIPSec]
- Provide a high speed Layer 2 connection between two or more DCs
- Two or more redundant links are used between the DCs
- Leverage ECMP to load balance flows over multiple GRE/IPSec tunnels
- Duplicate tunnels per VSPA allow redundant 10GE links to be provisioned
- Inherent crypto engine HA: traffic will rebalance in the event of a VSPA outage
VSPA performance
- Three VSPAs can drive a 10 GE link with IMIX traffic
- A single chassis can encrypt three 10 GE links at IMIX rates
ASR-1000 performance
- ASR1000-ESP5: 1.8 Gbps IPSec
- ASR1000-ESP10: 4 Gbps IPSec
- ASR1000-ESP20: 8 Gbps IPSec
- ASR1006-2/ESP20: 16 Gbps IPSec
- ASR1006-2/ESP40: 25.8 Gbps IPSec
ASA-5585-X performance
- IPSec 5 Gbps
Flow Optimization and Symmetry
Site Selection and Inbound Flows, First Hop Outbound
- Desire to keep flows symmetric in/out of a location for DC services (FW, LB, IPS, WAAS, etc.)
- Site failure will allow failover, with IP mobility to resolve caching issues
- Single points of failure in gear won't cause site failover
- Indicate a location preference for a service to the Layer 3 network
- If there is a broadcast storm in a DC, limit the impact on other DCs
- If the DCI Layer 2 adjacency fails
- Ability to connect to services in both DC locations (active/active per application)
- DNS to round-robin clients to a DC
- Allow backup server farms with the same service VIP (for backup connections on site failure)
- Localized HSRP (egress)
- Inbound traffic draw via LISP (ingress)
[Figures: Cluster Node A (Data Center 1) and Cluster Node B (Data Center 2) on VLAN A, with Cluster VLAN C and Cluster VLAN D (L2 only) extended across the Layer 3 core]
Cluster VIP = 10.1.1.100 (Data Center 1) and 10.1.2.100 (Data Center 2, preempt); default GW = 10.1.1.1 and 10.1.2.1; 10.1.2.0/25 and 10.1.2.128/25 advertised into L3 (EEM or RHI can be used to get very granular)
[Figure: SNAT at the aggregation of each data center in front of VLAN A, Layer 3 core between the sites]
[Figure: ESX Node A (Data Center 1) and ESX Node B (Data Center 2) on VLAN A 10.1.1.x, with VLAN B (outside) and VLAN C (inside) at each site]
[Figure: LISP components (MR, MS, PxTR; labels A, B, C1, C2, D, E) across the Layer 3 core; OTV carries server-to-server L2 traffic on VLAN A 10.1.1.0 with FHRP 10.1.1.1 at both sites; ESX Server A and ESX Server B]
Virtual-Machine-A: IP address 10.1.1.100, mask 255.255.255.0, default GW 10.1.1.1
LISP: L3 client-to-server
- Optimize L3 routing, providing granular location information
- Optimized mobility within or across subnets
- Scale the network so host routes are in the mapping database
[Figure: LISP packet walk for VM 10.10.10.1 (default GW 10.10.10.100) across Data Center 1 (ISP A) and Data Center 2 (ISP B) joined by a LAN extension; an L3 router sends IP_DA = 10.10.10.1 toward locator B, ETRs (10.10.10.5, 10.10.10.6) with locators A, B and C, D, decapsulation at steps 3 and 7; aggregation and access layers at each site]
Summary
- Discussed different deployment options and transport options
- Tightly coupled Data Center with FabricPath
- Spanning-tree isolation
Q&A
Recommendations
Recommended Reading
- NX-OS and Cisco Nexus Switching (ISBN: 1587058928), by David Jansen, Ron Fuller, Kevin Corbin. Cisco Press, 2010.
- Interconnecting Data Centers Using VPLS (ISBN-10: 1-58705-992-4; ISBN-13: 978-158705-992-6), by Nash Darukhanawalla, Patrice Bellagamba. Cisco Press, 2009.
- MPLS Fundamentals (ISBN: 1-58705-319-5), by Luc De Ghein. Cisco Press, 2007.
- Layer 2 VPN Architectures (ISBN: 1-58705848-0), by Wei Luo, Carlos Pignataro, Anthony Chan, Dmitry Bokotey. Cisco Press, 2005.
- Cisco LAN Switching Configuration Handbook (2nd Edition) (ISBN: 1587056100; ISBN-13: 978-1587056109), by Steve McQuerry, David Jansen, David Hucaby. Cisco Press, 2009.
Check the Recommended Reading flyer for suggested books
Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.
Thank you.