Cisco Nexus 1000V Virtual Network Services: The Next Generation

Arya Mir
Networks and Communications

12 Oct 2013 (4 years and 2 months ago)



13-10-12 2:15 AM
Articles
Page 1 of 5
http://www.ciscopress.com/articles/printerfriendly.asp?p=2131140
Date: Sep 19, 2013, by Gustavo A. A. Santana

Gustavo A. A. Santana, author of Data Center Virtualization Fundamentals: Understanding Techniques and Designs for Highly Efficient Data Centers with Cisco Nexus, UCS, MDS, and Beyond, highlights how Cisco's Nexus 1000V Layer 2 distributed virtual switch can unlock potential in server virtualization environments, boldly going where no switch has gone before.
As server virtualization advances in data centers, fulfilling promises such as dynamic workloads and cloud computing, the importance of virtual networking increases in these environments. Responsible for handling virtual machine (VM) traffic, this young branch of networking materializes the new perimeter of a data center network; therefore, it defines one of the more critical components of this structure.
In recent years, an even brighter spotlight has shone on virtual networking, simply because it can also be seen as another flavor of software-defined networking (SDN). Consequently, in addition to providing a centralized management point for thousands of virtual access ports, virtual switches can grant a programmable interface to multiple applications.
Cisco offered its first virtual networking solution in 2009 with Nexus 1000V, a Layer 2 distributed virtual switch that deploys the same features as the physical Nexus platforms, consequently bridging the gap between physical and virtual network administration. Its success has demonstrated how visibility and control spanning two different management domains (server virtualization and networking) can help to solve problems that usually arise when these clusters scale.
As I have detailed in my book Data Center Virtualization Fundamentals: Understanding Techniques and Designs for Highly Efficient Data Centers with Cisco Nexus, UCS, MDS, and Beyond, Cisco's virtual networking portfolio has evolved in subsequent years with features such as the following:
Virtual Extensible LAN (VXLAN). Bridging domains that overcome VLAN limitations such as number of segments, data center Layer 2 extensions, and MAC address table sizes.
Virtual Services Data Path (vPath). Technology that transparently inserts virtual network services (such as firewalls, accelerators, and so on) in VM traffic.
Virtual Security Gateway (VSG). A firewall that deploys security policies between VMs from the same tenant.
ASA 1000V. A firewall that can provide edge protection for a tenant's VMs.
CSR 1000V. A fully functional IOS-XE router within a VM that can bring advanced routing services such as MPLS VPN and LISP to server virtualization clusters.
In addition to these features, Cisco has recently unveiled improvements and new solutions that further widen its virtual networking portfolio. This article explores these enhancements.
Nexus 1000V for Microsoft Hyper-V
First deployed with VMware vSphere, Nexus 1000V recently extended its capabilities to Microsoft Hyper-V. After one of the most popular beta programs in Cisco's history, Nexus 1000V can now deploy uniform network policies across heterogeneous hypervisor environments.

In such versions, Nexus 1000V relies on the deployment of Microsoft's System Center Virtual Machine Manager (SCVMM). Syncing its policies with this VM manager software, Nexus 1000V appears as an extensible virtual switch within a Microsoft Windows 2012 virtualization cluster.
Figure 1 depicts the main components of Nexus 1000V for Microsoft Hyper-V.

Figure 1: Nexus 1000V for Microsoft Hyper-V architecture.
Following the structure of its vSphere counterpart, Nexus 1000V for Microsoft Hyper-V consists of two main components: Virtual Supervisor Modules (VSMs), which deploy the virtual switch control plane; and multiple Virtual Ethernet Modules (VEMs), which deploy the control plane in each Windows 2012 physical server with the Hyper-V service enabled. Together these modules form a single instance of Nexus 1000V.
NOTE: vSphere and Hyper-V hosts cannot share the same VSM.
The VSM can be deployed as a VM within a cluster or as a "virtual blade" on a Nexus 1110 Cloud Services Platform, whereas a VEM can easily be installed in each physical server by using a Microsoft Installer (MSI) file. By providing an "installer app" for this purpose, Nexus 1000V for Microsoft Hyper-V parallels the ease of installation of the VMware vSphere version.
The following table illustrates the main differences between Nexus 1000V for vSphere and for Hyper-V at the time of this writing. Because more features and services will surely be added during product development, always check Cisco online documentation for updated information.
Nexus 1000V Version Comparison

Characteristic | VMware vSphere | Microsoft Hyper-V
VEMs per Nexus 1000V | 128 | 64
Network requirements for VSM-VEM traffic | Layer 2 or Layer 3 | Layer 3 only
VXLAN Unicast Mode
The most recent version of Nexus 1000V for VMware vSphere brought an interesting variation of VXLAN to facilitate the adoption of this protocol in server virtualization clusters. Avoiding the multicast requirements of the original IETF draft, Nexus 1000V raises the possibility of IP unicast traffic between VEMs that share the same VXLAN segment.
In this model, a VEM doesn't have to learn MAC addresses from remote VMs through flooding. In fact, the active VSM automatically publishes this information to all VEMs that share that VXLAN segment. As a result, whenever traffic must be sent to a remote VM, each VEM will simply encapsulate the original frame into a VXLAN packet destined for an already known unicast IP address. As for multidestination traffic such as broadcast, the VEM will provide local replication to other VEMs with the same VXLAN segment.
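The unicast-mode forwarding decision described above, modelled as an added Python example (not Cisco code and not part of the original article): the active VSM publishes each VM MAC to every VEM, a VEM encapsulates a known unicast destination into a VXLAN packet for a single VTEP, replicates broadcast locally to the other VEMs of the segment, and drops rather than floods an unknown MAC. VTEP addresses, MAC addresses and VNIs are constructed values.

```python
import struct
from dataclasses import dataclass, field

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags (I bit = 0x08), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", 0x08 << 24, vni << 8)

@dataclass
class Vem:
    """Hypothetical VEM model: its own VTEP IP plus the MAC table the active VSM pushes to it."""
    ip: str
    mac_table: dict = field(default_factory=dict)  # VM MAC -> (VNI, VTEP IP of the hosting VEM)

    def learn(self, mac: bytes, vni: int, vtep_ip: str) -> None:
        self.mac_table[mac] = (vni, vtep_ip)  # published by the VSM, never learned by flooding

    def remote_vteps(self, vni: int) -> list:
        return sorted({ip for v, ip in self.mac_table.values() if v == vni and ip != self.ip})

    def forward(self, frame: bytes, vni: int) -> list:
        """Return (destination VTEP IP, VXLAN payload) pairs for one frame sent by a local VM."""
        dst_mac = frame[:6]
        if dst_mac[0] & 1:  # broadcast/multicast: head-end replication to each remote VEM in the segment
            targets = self.remote_vteps(vni)
        else:
            entry = self.mac_table.get(dst_mac)
            if entry is None or entry[0] != vni or entry[1] == self.ip:
                return []  # unknown MAC is dropped rather than flooded; a local MAC is switched locally
            targets = [entry[1]]
        return [(ip, vxlan_header(vni) + frame) for ip in targets]

def vsm_publish(vems: list, mac: bytes, vni: int, vtep_ip: str) -> None:
    """Active VSM role: push one VM MAC -> (VNI, VTEP) binding to every VEM of the instance."""
    for vem in vems:
        vem.learn(mac, vni, vtep_ip)

def build_demo():
    """Constructed topology: three VEMs and two VXLAN segments (VNI 5000 and 6000)."""
    vems = [Vem("10.0.0.1"), Vem("10.0.0.2"), Vem("10.0.0.3")]  # constructed VTEP IPs
    macs = {k: bytes.fromhex(f"0050560000{i:02x}") for i, k in enumerate("abcd")}  # constructed MACs
    for key, vni, ip in [("a", 5000, "10.0.0.1"), ("b", 5000, "10.0.0.2"),
                         ("c", 5000, "10.0.0.3"), ("d", 6000, "10.0.0.3")]:
        vsm_publish(vems, macs[key], vni, ip)
    return vems, macs
```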
Nexus 1000V now also supports the integration of a VXLAN Gateway, which can "weld" a VLAN and a VXLAN in a 1:1 association. In summary, the gateway permits Layer 2 connectivity between physical resources and VMs connected to a VXLAN segment. However, note that designs joining VLANs to VXLANs in highly scalable environments might undermine the scalability and independence that VXLAN segments normally provide.
The VXLAN gateway is deployed as a virtual blade in the Nexus 1110 appliance and logically works as an additional module on a Nexus 1000V instance.
NOTE: As I explain in Data Center Virtualization Fundamentals: Understanding Techniques and Designs for Highly Efficient Data Centers with Cisco Nexus, UCS, MDS, and Beyond, ASA 1000V and CSR 1000V are also designed to function as Layer 3 VXLAN gateways for VXLAN-connected VMs.
Third-Party Virtual Network Services
With its partnership announcements with Imperva and Citrix, Cisco extends the Nexus 1000V vPath to a true virtual network ecosystem.
The Imperva SecureSphere Web Application Firewall (WAF) nicely complements Cisco's virtual security portfolio. With vPath steering HTTP and HTTPS traffic to Imperva's virtual appliance, VMs hosting web applications are transparently protected from attacks such as distributed denial-of-service (DDoS), phishing, and fraud. As a direct consequence, server virtualization environments can become compliant with standards such as those of the Payment Card Industry (PCI).
NOTE: For more information about such requirements, check out the PCI Security Standards Council's information supplement.
On the other hand, Citrix NetScaler 1000V evolves the relationship between Cisco and Citrix that started with virtual desktop infrastructure (VDI) designs. Through this product, customers can deploy advanced features from Citrix NetScaler application delivery controllers in server virtualization environments. Ranging from Layer 4 server load balancing and link load balancing to application-aware decisions, this Cisco-commercialized virtual appliance uses vPath to simplify traffic steering within a tenant's virtual data center.

Nexus 1000V Version Comparison (continued)

Characteristic | VMware vSphere | Microsoft Hyper-V
vPath | Yes | Yes
Available vPath Virtual Network Services | VSG, ASA 1000V, Cisco Virtual Wide Area Application Services (vWAAS), Citrix NetScaler 1000V, Imperva SecureSphere Web Application Firewall (WAF) | VSG
VXLAN | Yes | No
Through vPath service chaining, Nexus 1000V can also apply the following services to a VM, in any desired order:
Compute firewall (VSG)
Edge firewall (ASA 1000V)
WAN acceleration (vWAAS)
Web application firewall (Imperva SecureSphere)
Application delivery controller (Citrix NetScaler 1000V)
NOTE: Instances of both Imperva SecureSphere WAF and Citrix NetScaler 1000V are deployed on the Nexus 1110 virtual service appliance.
Nexus 1000V InterCloud
While many customers desire the flexibility ingrained in the promises of the hybrid cloud, the complexity and security issues related to this concept have always compromised such a leap for IT departments. With Nexus 1000V InterCloud, Cisco intends to fulfill such promise with simplicity, while leveraging its ever-expanding portfolio of virtual network services.
In summary, Nexus 1000V InterCloud is composed of the following elements:
Cisco Prime Network Service Controller (NSC). Formerly Cisco Virtual Network Management Center (VNMC), this virtual appliance provides a control cockpit for the hybrid cloud extension.
Nexus 1000V InterCloud Virtual Supervisor Module (VSM). Provides the control plane for the virtual switch that connects virtual machines on a server virtualization cluster and a public cloud infrastructure.
Nexus 1000V InterCloud Extender (ICX). Virtual machine deployed by NSC in the private virtualization cluster. It accesses local VLANs and securely extends them to a public cloud environment.
Nexus 1000V InterCloud Switch (ICS). Virtual instance that represents a Nexus 1000V module "in the sky." It provides secure connections to ICX and to the cloud virtual machines.
Figure 2 details how these elements relate to each other.

Figure 2: Nexus 1000V InterCloud architecture.
In Figure 2, NSC provides the orchestration between a VM manager (such as VMware vCenter) and the public cloud application programming interface (API). In this way, it can install and configure both ICX and ICS with simplicity and speed. These elements are controlled as Nexus 1000V modules and are connected through an encrypted Layer 2 extension overlay across the Internet.
With Nexus 1000V InterCloud, server virtualization administrators can move workloads between private and public domains, or "cloudburst" servers in the cloud, whenever the local resources cannot handle peak IT needs. Moreover, with the advanced capabilities of CSR 1000V, Nexus 1000V can even transform cloud VMs into a simple disaster-recovery infrastructure for its users.
The internal connectivity in the private portion of the hybrid cloud can be deployed with virtual switches other than Nexus 1000V, although the latter offers several advantages. One immediate benefit of using Nexus 1000V is the extension of vPath virtual network services (such as VSG, ASA 1000V, and vWAAS) to workloads installed on the public cloud.
At the time of this writing, Nexus 1000V InterCloud supports VMware vSphere 5.x server virtualization and Amazon Web Services (AWS) cloud services. Cisco also intends to include other hypervisor and cloud provider options for its Nexus 1000V product.
Gustavo A. A. Santana, CCIE No. 8806, is a Cisco Technical Solutions Architect working in enterprise and service provider data center projects that require a greater integration among multiple technology areas such as networking, application optimization, storage, and servers. In addition to holding two CCIE certifications (Routing & Switching and Storage Networking), Gustavo is also a VMware Certified Professional (VCP) and an SNIA Certified Storage Networking Expert (SCSN-E). A frequent speaker at Cisco and data center industry events, he also blogs on data center virtualization.
© 2013 Pearson Education, Inc. Informit. All rights reserved.
800 East 96th Street Indianapolis, Indiana 46240