Post on 08-Aug-2015
Agenda
• What is Virtualization
• Why Nexus 1000V. What problems does it solve
• Nexus 1000V Architecture
• Nexus 1000V Switching
• Nexus 1000V Port-Profiles
• Nexus 1000V Security Features
• Nexus 1000V Quality of Service
• Nexus 1000V Network Management
• Nexus 1010 / 1110x
Training Prerequisites
• Understanding of normal network design
• Understanding of virtualization
• Understanding of and experience with VMware
• Understanding of and experience with NX-OS
• Understanding of and experience with Layer 2 switching
Virtualization
• Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources.
– Server virtualization
– Network virtualization
– Storage virtualization
• Never seen it before? You have ;)
– Hard disk partitioning is an example: multiple operating systems can run on one partitioned disk
– Creating a Switch Virtual Interface (SVI) is an example
• Server virtualization components:
– Hypervisor (Virtual Machine Manager): a program that allows multiple operating systems to share a single hardware host.
– Virtual Machine (VM): a software implementation of a computing environment in which an operating system (OS) or program can be installed and run.
Virtualization (Cont.)
• ESX/vSphere: A virtualization platform used to create the virtual machines as a set of configuration and disk files that together perform all the functions of a physical machine.
• DRS (Distributed Resource Scheduler): Feature that allocates and balances computing capacity dynamically across collections of hardware resources for virtual machines. This feature includes distributed power management (DPM) capabilities that enable a datacenter to significantly reduce its power consumption.
• DVS (Distributed virtual switch): This is a logical switch that spans one or more VMware ESX servers.
• Virtual Center: An API to manage the VMs; a central management control point for virtual infrastructure services.
Virtualization (Cont.)
• vMotion: Embedded tool set in the vCenter application suite that leverages the virtualized storage, network and server infrastructure to move an entire running virtual machine instantaneously from one server to another.
• VMkernel: The VMkernel is the hypervisor layer of an ESX server that provides the virtualization interface between hardware and virtual machines.
• vSwitch: Software Virtual Switch.
Nexus Switch Family (product and technology overview)
Products: Cisco Nexus 7000, Cisco Nexus 5000, Cisco Nexus 2000, Cisco Nexus 1000V, Cisco Nexus 1010 (figure places them across the Core, Access and Server tiers)
Technologies:
• NX-OS: Unified OS for the data center
• Unified Fabric: Lossless 10Gb transport for next-generation DC
• Fibre Channel over Ethernet (FCoE): Unified transport for LAN and FC
• VN-Link: Virtual Machine Aware Network
• RAB, DAL: High performance for HPC environments
• 10GbE: Enhanced speed for growing demand
Networking Challenges to Scaling Server Virtualization
• Security and Policy Enforcement
– Applied at the physical server, not the individual VM
– Impossible to enforce policy for VMs in motion
• Operations and Management
– Lack of VM visibility, accountability, and consistency
– Inefficient management model and inability to effectively troubleshoot
• Organizational Structure
– Muddled ownership as the server admin must configure the virtual network
– Organizational redundancy creates compliance challenges
Cisco Nexus 1000V
Figure: a vSphere host running the Nexus 1000V with four VMs attached.
• Policy-Based VM Connectivity
• Mobility of Network & Security Properties
• Non-Disruptive Operational Model
Industry's most advanced software switch for VMware vSphere. Built on Cisco NX-OS. Compatible with all switching platforms. Maintains the vCenter provisioning model unmodified for server administration; allows network administration of the virtual network via the familiar Cisco NX-OS CLI.
Cisco VN-Link: Virtual Network Link
Figure: the Nexus 1000V VSM controls a Nexus 1000V VEM on each of two vSphere hosts (four VMs each); vCenter sits alongside the VSM.
Faster VM Deployment
Figure: port profiles (WEB Apps, HR, DB, DMZ) defined on the Nexus 1000V VSM and published through vCenter are applied to VMs on two vSphere hosts running the VEM.
VM Connection Policy
• Defined in the network
• Applied in Virtual Center
• Linked to VM UUID
Richer Network Services
Figure: a VM moves between two vSphere hosts running the VEM; the VSM and vCenter carry its network properties with it.
Property Mobility
• VMotion for the network
• Ensures VM security
• Maintains connection state
VMs Need to Move
• VMotion
• DRS
• SW Upgrade/Patch
• Hardware Failure
Increased Operational Efficiency
Network Admin Benefits
• Unifies network mgmt and ops
• Improves operational security
• Enhances VM network features
• Ensures policy persistence
• Enables VM-level visibility
VI Admin Benefits
• Maintains existing VM mgmt
• Reduces deployment time
• Improves scalability
• Reduces operational workload
• Enables VM-level visibility
VMware vSwitch
• VMware vSwitch is a very basic L2 switch
• vSwitch is managed by the Server Administrator through VMware's Virtual Center
• vSwitch doesn't offer the functionality offered by Cisco Access Switches
• Configured independently on each ESX server
Figure: two VMware ESX servers, each with its own vSwitch and four VMs, both managed from Virtual Center.
Cisco Nexus 1000V Components
Figure: vCenter Server and a pair of Cisco VSMs manage three Cisco VEMs, each hosting four VMs.
Virtual Ethernet Module (VEM)
• Replaces VMware's virtual switch
• Enables advanced switching capability on the hypervisor
• Provides each VM with dedicated "switch ports"
Virtual Supervisor Module (VSM)
• CLI interface into the Nexus 1000V
• Leverages NX-OS 4.04a7
• Controls multiple VEMs as a single network device
Cisco Nexus 1000V 'Virtual Chassis'
Figure: two Cisco VSMs and two Cisco VEMs (VM1-VM4 and VM5-VM8) form one logical switch.
pod5-vsm# show module
Mod Ports Module-Type                       Model              Status
--- ----- -------------------------------- ------------------ ------------
1   0     Virtual Supervisor Module        Nexus1000V         active *
2   0     Virtual Supervisor Module        Nexus1000V         ha-standby
3   248   Virtual Ethernet Module          NA                 ok
Cisco Nexus 1000V Scalability
A single Nexus 1000V supports:
• 2 Virtual Supervisor modules (HA)
• 64* Virtual Ethernet modules
• 512 active VLANs
• 2048 ports (Eth + Veth)
• 256 port channels
A single Virtual Ethernet module supports:
• 216 Veth ports
• 32 physical NICs
• 8 port channels
Cisco Nexus 1000V Component Communication – L2
Two distinct virtual interfaces are used to communicate between the VSM and VEM:
• Control: carries low-level messages to ensure proper configuration of the VEM. Maintains a 1 sec heartbeat between the VSM and the VEM (timeout 6 seconds). Maintains synchronization between primary and secondary VSMs.
• Packet: carries any network packets from the VEM to the VSM such as CDP, ERSPAN, or IGMP control.
Both require Layer 2 connectivity (figure: the control (C) and packet (P) interfaces of the VSMs and the VEM meet across an L2 cloud).
Cisco Nexus 1000V Component Communication – VSM to vCenter
• Communication uses the VMware VIM API over SSL
– Ports 80 and 443
• The connection is set up on the VSM
• Requires installation of the vCenter plug-in (downloaded from the VSM)
• Once established, the Nexus 1000V is created in vCenter
pod5-vsm# show svs connections
connection VC:
    hostname: phx2-dc-pod5-vc
    ip address: 10.95.5.158
    protocol: vmware-vim https
    certificate: default
    datacenter name: Phx2-Pod5
    DVS uuid: df 11 38 50 0a 95 83 4e-95 69 d6 a7 f4 76 4a 7f
    config status: Enabled
    operational status: Connected
Cisco Nexus 1000V Opaque Data
Each Nexus 1000V requires a global setting on the VSMs and VEMs called Opaque Data (OD).
• Contains such data as the control/packet VLANs, the Domain ID and the system port profiles
• The VSM pushes the opaque data to vCenter Server
• vCenter Server pushes the opaque data to each VEM when it is added
Cisco Nexus 1000V Domain
• Each VSM is assigned a unique 'Domain ID'
• The Domain ID ensures that VEMs do not respond to commands from non-participating VSMs
• Each packet between VSM and VEM is tagged with the appropriate Domain ID
• Domain IDs range from 1-4095
Figure: three VEMs in domain 15 accept commands tagged DID 15 from the active VSM and ignore commands tagged DID 25 from another VSM.
Distributed Data Plane
• Each Virtual Ethernet Module forwards packets independently of the others
• No address learning/synchronization across VEMs
• No concept of a crossbar/fabric between the VEMs
• The Virtual Supervisor Module is NOT in the data path
• No concept of forwarding from an ingress linecard to an egress linecard (another server)
• No EtherChannel across VEMs
• Nexus 1000V does not participate in STP
Cisco Nexus 1000V vEth Interface (Virtual Ethernet Port)
• vEths are assigned sequentially
• VM vNICs are statically bound to a vEth; the assignment is persistent through reboots
• May change if the vNIC is reassigned to another port profile
• vEths move between modules when a VM is moved (HA, VMotion, etc.)
• Delete or reassign the vNIC to unlink the VM-to-vEth mapping
• Default virtual 'speed' is Gigabit as negotiated with the guest OS; by default performance is not gated (i.e. a 1Gb vNIC can run faster than 1Gb)
• Default MTU is determined from the physical NIC; like speed, MTU is not gating. For large MTU VMware nic.
• 2048 vEths supported system wide
Loop Prevention without STP
• BPDUs are dropped
• No switching from physical NIC to NIC
• Packets sourced from a local MAC address are dropped on ingress (L2)
Figure: three VEMs (VM1-VM4, VM5-VM8, VM9-VM12); uplinks Eth4/1 and Eth4/2 are marked with an X where NIC-to-NIC switching and local-MAC ingress are blocked.
MAC Learning
• Each VEM learns independently and maintains a separate MAC table
• VM MACs are statically mapped
• Other vEths are learned this way (vmknics and vswifs)
• No aging while the interface is up
• Devices external to the VEM are learned dynamically
• The VSM also keeps track of MAC addresses
Figure: VEM 3 hosts VM1 and VM2 behind uplink Eth3/1; VEM 4 hosts VM3 and VM4 behind uplink Eth4/1.
VEM 3 MAC Table
  VM1  Veth12  Static
  VM2  Veth23  Static
  VM3  Eth3/1  Dynamic
  VM4  Eth3/1  Dynamic
VEM 4 MAC Table
  VM1  Eth4/1  Dynamic
  VM2  Eth4/1  Dynamic
  VM3  Veth8   Static
  VM4  Veth7   Static
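The forwarding rules above (static entries for local vEths, dynamic learning only from uplinks, BPDUs dropped, no NIC-to-NIC switching, local MACs dropped on uplink ingress) as a small Python model of VEM 3 from the slide. This is an added illustration, not Cisco code; the MAC addresses and the flooding behaviour for unknown destinations are constructed assumptions.

```python
from dataclasses import dataclass, field

BPDU_DST = "01:80:c2:00:00:00"      # IEEE STP multicast destination
VM1, VM2, VM3 = "00:50:56:aa:00:01", "00:50:56:aa:00:02", "00:50:56:aa:00:03"  # constructed MACs


@dataclass
class Vem:
    """One Virtual Ethernet Module: its own MAC table plus the forwarding rules."""
    uplinks: set
    veths: set = field(default_factory=set)
    table: dict = field(default_factory=dict)    # mac -> (port, "Static" | "Dynamic")

    def attach_vm(self, mac, veth):
        # A VM vNIC MAC is statically bound to its vEth and does not age while it is up.
        self.veths.add(veth)
        self.table[mac] = (veth, "Static")

    def forward(self, in_port, src, dst):
        """Return ("drop", reason) or ("out", [ports]) for one frame."""
        if dst == BPDU_DST:
            return ("drop", "bpdu")                       # the N1KV does not run STP
        if in_port in self.uplinks:
            entry = self.table.get(src)
            if entry is not None and entry[1] == "Static":
                # A local VM's MAC arriving from the physical network is a loop or a spoof.
                return ("drop", "local-mac-on-ingress")
            self.table[src] = (in_port, "Dynamic")        # external stations are learned here only
        entry = self.table.get(dst)
        if entry is not None:
            out = entry[0]
            if out == in_port:
                return ("drop", "same-port")
            if in_port in self.uplinks and out in self.uplinks:
                return ("drop", "no-nic-to-nic")          # never switch uplink to uplink
            return ("out", [out])
        # Unknown unicast/broadcast (assumed): flood to the local vEths; frames from a vEth
        # also leave on one uplink, frames from an uplink never go back out a physical NIC.
        out = sorted(p for p in self.veths if p != in_port)
        if in_port in self.veths and self.uplinks:
            out.append(sorted(self.uplinks)[0])
        return ("out", out)


def demo():
    """VEM 3 from the slide: VM1 on Veth12, VM2 on Veth23, uplink Eth3/1; VM3 lives on VEM 4."""
    vem3 = Vem(uplinks={"Eth3/1"})
    vem3.attach_vm(VM1, "Veth12")
    vem3.attach_vm(VM2, "Veth23")
    results = {
        "vm1_to_vm2": vem3.forward("Veth12", VM1, VM2),      # local vEth to vEth
        "vm3_to_vm1": vem3.forward("Eth3/1", VM3, VM1),      # learns VM3 as Dynamic on Eth3/1
        "vm1_to_vm3": vem3.forward("Veth12", VM1, VM3),      # now a known destination
        "spoofed_vm1": vem3.forward("Eth3/1", VM1, VM3),     # local MAC seen on the uplink
        "bpdu": vem3.forward("Eth3/1", VM3, BPDU_DST),
        "unknown": vem3.forward("Veth12", VM1, "00:50:56:aa:00:09"),
    }
    return results, dict(vem3.table)
```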
What is a Port-Profile?
• A port-profile is a container used to define a common set of configuration commands for multiple interfaces
• Define once and apply many times
• Simplifies management by storing interface configuration
• Key to collaborative management of virtual networking resources
• Why is it not like a template or SmartPort macro?
– Port-profiles are 'live' policies
– Editing an enabled profile will cause config changes to propagate to all interfaces using that profile (unlike a static one-time macro)
• Two types
– Type Ethernet: used for physical NIC uplinks
– Type Vethernet: used for VM network connectivity
Port Profile Configuration
n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
Supported commands include: port management, VLAN, PVLAN, port-channel, ACL, NetFlow, port security, QoS
Port Profile Policy Distribution
Figure: the port-profile (PP) configured on the Cisco VSM is pushed to vCenter Server.
n1000v(config)# port-profile WebServers
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 100
n1000v(config-port-prof)# no shut
Overriding Port Profile Configuration
• Administrators can interact with individual switchports, overriding a port profile
• Used to isolate problems with one or two interfaces without changing the port-profile and affecting other ports
• Manual configuration always takes precedence over a port profile configuration
• Override the profile on one interface:
n1000v(config)# int vethernet 2
n1000v(config-if)# switchport access vlan 250
• The 'no' form of the command removes the override and restores the profile's config:
n1000v(config)# int vethernet 2
n1000v(config-if)# no switchport access vlan
Port Profile Inheritance
• Profile inheritance allows the construction of profile hierarchies
• 'Parent' profiles pass configuration to 'child' profiles
• Only the child profiles need to be visible within VC
• Updates to the parent filter down to the child
• Child profiles can be updated independently
n1000v(config)# port-profile Web
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 100
n1000v(config-port-prof)# no shut

n1000v(config)# port-profile Web-Gold
n1000v(config-port-prof)# inherit port-profile Web
n1000v(config-port-prof)# service-policy output Gold
n1000v(config-port-prof)# vmware port-group Web-Gold

n1000v(config)# port-profile Web-Silver
n1000v(config-port-prof)# inherit port-profile Web
n1000v(config-port-prof)# service-policy output Silver
n1000v(config-port-prof)# vmware port-group Web-Silver
Effective Port Profile – Web-Gold: access port, VLAN 100, Gold QoS policy
Effective Port Profile – Web-Silver: access port, VLAN 100, Silver QoS policy
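The precedence rules from the two slides above (child commands override the parent, an interface's manual config overrides its profile, 'no <cmd>' on the interface restores the profile value, and editing a live parent propagates to every child) worked through in Python on the Web / Web-Gold / Web-Silver hierarchy and the Vethernet2 override. Added illustration, not Cisco code; commands are modelled as command/argument pairs, which is an assumption of this example.

```python
class ProfileStore:
    """Port-profiles keyed by name; each holds its own commands and an optional parent."""

    def __init__(self):
        self.profiles = {}   # name -> {"parent": str | None, "cmds": {command: argument}}

    def define(self, name, cmds, parent=None):
        if parent is not None and parent not in self.profiles:
            raise KeyError(f"inherit port-profile {parent}: parent is not defined")
        self.profiles[name] = {"parent": parent, "cmds": dict(cmds)}

    def set_cmd(self, name, cmd, arg):
        # Profiles are live: the change is visible to every interface using it or a child of it.
        self.profiles[name]["cmds"][cmd] = arg

    def effective(self, name):
        """Merge the inheritance chain root-first so a child's commands override its parent's."""
        chain, seen = [], set()
        while name is not None:
            if name in seen:
                raise ValueError(f"inheritance loop at port-profile {name}")
            seen.add(name)
            chain.append(self.profiles[name])
            name = self.profiles[name]["parent"]
        merged = {}
        for prof in reversed(chain):
            merged.update(prof["cmds"])
        return merged


class Interface:
    """A switchport bound to a profile, with per-interface manual overrides."""

    def __init__(self, store, name, profile):
        self.store, self.name, self.profile = store, name, profile
        self.overrides = {}

    def configure(self, cmd, arg):
        self.overrides[cmd] = arg          # manual config always wins over the profile

    def negate(self, cmd):
        self.overrides.pop(cmd, None)      # 'no <cmd>' drops the override; the profile value returns

    def running(self):
        cfg = self.store.effective(self.profile)
        cfg.update(self.overrides)
        return cfg


def demo():
    """Web / Web-Gold / Web-Silver from the slide, plus the Vethernet2 override and its removal."""
    s = ProfileStore()
    s.define("Web", {"switchport mode": "access", "switchport access vlan": "100"})
    s.define("Web-Gold", {"service-policy output": "Gold", "vmware port-group": "Web-Gold"}, parent="Web")
    s.define("Web-Silver", {"service-policy output": "Silver", "vmware port-group": "Web-Silver"}, parent="Web")
    veth2 = Interface(s, "Vethernet2", "Web-Gold")
    inherited = veth2.running()
    veth2.configure("switchport access vlan", "250")          # isolate this one port
    overridden = veth2.running()["switchport access vlan"]
    veth2.negate("switchport access vlan")                    # 'no switchport access vlan'
    s.set_cmd("Web", "switchport access vlan", "110")         # edit the live parent profile
    return inherited, overridden, veth2.running(), s.effective("Web-Silver")
```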
Uplink Port Profiles – Type Ethernet
• Special profiles that define physical NIC properties
• Usually configured as a trunk
• The type is defined when creating the port-profile: port-profile type ethernet profile-name
• Uplink profiles cannot be applied to vEths
• Only selectable in vCenter when adding a host or additional NICs
n1000v(config)# port-profile type Ethernet DataUplink
n1000v(config-port-prof)# switchport mode trunk
n1000v(config-port-prof)# switchport trunk allowed vlan 10-15
n1000v(config-port-prof)# no shut
n1000v(config-port-prof)# system vlan 51, 52
n1000v(config-port-prof)# channel-group mode auto sub-group cdp
VM Port Profiles – Type Vethernet
• Special profiles that define VM NIC properties
• Usually configured as an access port
• Syntax: port-profile type vethernet profile-name
• vEthernet profiles cannot be applied to physical NICs
• Only selectable under a VM's network settings
n1000v(config)# port-profile type vethernet vm_vlan_152
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 152
n1000v(config-port-prof)# no shut
n1000v(config-port-prof)# state enabled
Cisco Nexus 1000V System VLANs
What is a System VLAN? A "system VLAN" means that the VEM will pass traffic on those VLANs even when the VEM cannot be programmed by the VSM (if, for example, the VSM is down and the VEM is reloaded).
System VLANs enable interface connectivity before an interface is programmed.
Required System VLANs:
• Control
• Packet
Highly Recommended System VLANs:
• IP Storage
• Service Console
• VMKernel
• Management Networks
System VLAN example: Migrate the VMware Service Console to the VEM
• The SC interface uses VLAN 2
• The uplink port-profile must define VLAN 2 as system:
n1000v# show run port-profile uplink-pinning
port-profile type ethernet uplink-pinning
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan all
  channel-group auto mode on mac-pinning
  no shutdown
  system vlan 2,10,150-151
• The Service Console port-profile must also define the system VLAN:
n1000v# show run port-profile SC
port-profile type vethernet SC
  vmware port-group
  switchport mode access
  switchport access vlan 2
  no shutdown
  system vlan 2
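A check for the rule this example states, that a vEthernet profile's system VLAN must also be a system VLAN on an uplink profile that trunks it, and that the required control and packet VLANs are system VLANs on an uplink. Added example, not a Cisco tool: it parses `show run port-profile` text in the layout shown above; the control/packet VLAN numbers and the vmk-storage profile are constructed inputs, and unrelated config lines are omitted from the sample.

```python
import re

# Constructed running-config: the slide's uplink-pinning and SC profiles plus a
# hypothetical vmk-storage profile whose system VLAN the uplink does not mark as system.
SAMPLE_RUNNING_CONFIG = """\
port-profile type ethernet uplink-pinning
  switchport mode trunk
  switchport trunk allowed vlan all
  system vlan 2,10,150-151
port-profile type vethernet SC
  switchport mode access
  switchport access vlan 2
  system vlan 2
port-profile type vethernet vmk-storage
  switchport mode access
  switchport access vlan 20
  system vlan 20
"""


def parse_vlans(spec):
    """Expand a VLAN list such as '2,10,150-151' into a set; 'all' is every VLAN 1-4094."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_profiles(running_config):
    """Return {name: {"type", "system", "allowed"}} for each port-profile block."""
    profiles, cur = {}, None
    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"port-profile type (ethernet|vethernet) (\S+)$", line)
        if m:
            cur = profiles[m.group(2)] = {"type": m.group(1), "system": set(), "allowed": set()}
        elif cur is not None and line.startswith("system vlan "):
            cur["system"] |= parse_vlans(line[len("system vlan "):])
        elif cur is not None and line.startswith("switchport trunk allowed vlan "):
            cur["allowed"] |= parse_vlans(line[len("switchport trunk allowed vlan "):])
    return profiles


def audit_system_vlans(running_config, control_vlan, packet_vlan):
    """List every gap: control/packet VLAN missing from all uplinks, or a vEthernet system VLAN
    that no uplink profile both trunks and marks as system (the VEM could not pass it when
    the VSM is unreachable)."""
    profiles = parse_profiles(running_config)
    uplinks = [p for p in profiles.values() if p["type"] == "ethernet"]
    problems = []
    for vlan in (control_vlan, packet_vlan):
        if not any(vlan in u["system"] for u in uplinks):
            problems.append(f"vlan {vlan} (control/packet) is not a system vlan on any uplink profile")
    for name, p in profiles.items():
        if p["type"] != "vethernet":
            continue
        for vlan in sorted(p["system"]):
            if not any(vlan in u["system"] and vlan in u["allowed"] for u in uplinks):
                problems.append(f"{name}: system vlan {vlan} is not a system vlan on an uplink that trunks it")
    return problems
```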
Access Control List Overview
• ACLs provide traffic filtering mechanisms
• Provide filtering for ingress and egress VM traffic for additional network security
• Permit/drop traffic based on ACL policies
• ACL types supported: IPv4 and MAC ACLs
• Ingress and egress
• Supported on Eth and vEth interfaces
• Configured via port profiles or directly on the interface
Port Security Overview
• Port Security secures a port by limiting and identifying the MAC addresses that can access a port.
• Secure MACs can be manually configured or dynamically learned
• Two security violation types are supported
– Addr-Count-Exceed violation
– MAC Move violation
• Port security can be applied to vEths
– Cannot be applied to physical interfaces
• Three types of secure MACs
– Static
– Sticky
– Dynamic
Cisco Nexus 1000V Private VLANs
• Private VLANs divide a normal VLAN into sub-L2 domains
• Consist of a Primary VLAN and one or more secondary VLANs
• Used to segregate L2 traffic without wasting IP address space (smaller subnets)
• Secondary VLAN access is restricted by setting 'community' or 'isolated' status
PVLAN Definitions
• Primary VLAN: VLAN carrying downstream traffic from the router(s) to the host ports.
• Secondary VLAN: Can be either an isolated VLAN or a community VLAN. A port assigned to the isolated VLAN is an isolated port. A port assigned to a community VLAN is a community port.
• Isolated VLAN: Communicates only with the primary VLAN
• Community VLAN: Communicates within the community and with the primary VLAN
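The PVLAN definitions above as a reachability check, useful for auditing a segmentation design before the profiles are deployed. Added example, not Cisco code; the VLAN numbers, port names and the mapping of ports to VLANs are constructed, and the primary-VLAN port is assumed to behave as a promiscuous port.

```python
PRIMARY, ISOLATED, COMMUNITY = "primary", "isolated", "community"

# Constructed PVLAN layout: primary VLAN 100 with isolated 101 and communities 102 and 103.
PVLAN_MAP = {
    100: {"type": PRIMARY},
    101: {"type": ISOLATED, "primary": 100},
    102: {"type": COMMUNITY, "primary": 100},
    103: {"type": COMMUNITY, "primary": 100},
}
# Constructed port assignments: the uplink sits in the primary (promiscuous) VLAN.
PORTS = {"Eth3/1": 100, "Veth1": 101, "Veth2": 101, "Veth3": 102, "Veth4": 102, "Veth5": 103}


def primary_of(vlan):
    info = PVLAN_MAP[vlan]
    return vlan if info["type"] == PRIMARY else info["primary"]


def can_talk(src_port, dst_port, ports=PORTS):
    """Layer-2 reachability under the PVLAN rules: a promiscuous (primary) port reaches every
    port of its PVLAN, community ports reach their own community and the primary, isolated
    ports reach only the primary."""
    sv, dv = ports[src_port], ports[dst_port]
    if primary_of(sv) != primary_of(dv):
        return False                    # different PVLAN domains never talk at L2
    st, dt = PVLAN_MAP[sv]["type"], PVLAN_MAP[dv]["type"]
    if PRIMARY in (st, dt):
        return True                     # one end is promiscuous
    if st == COMMUNITY and dt == COMMUNITY and sv == dv:
        return True                     # same community VLAN
    return False                        # isolated to anything secondary, or different communities


def reachability(ports=PORTS):
    """Map each port to the sorted list of ports it can reach; review this before deployment."""
    return {s: sorted(d for d in ports if d != s and can_talk(s, d, ports)) for s in ports}
```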
What Is the Nexus 1010?
• Allows network administrators to manage the Nexus 1000V Virtual Supervisor Module (VSM) as a standard Cisco switch, with all 1000V features
• Physical appliance for virtual network services (VSM, NAM, etc.)
• Supported by CiscoWorks LAN Management Solution (LMS)
• The Nexus 1010 is a networking appliance to host four Nexus 1000V virtual supervisor modules (VSM)
• Available April/May 2010
Architecture Comparison
• VSM on Virtual Machine: a server runs vSphere with the Nexus 1000V VEM, the workload VMs and one 1000V VSM as a VM, connected to the physical switches.
• VSM on Nexus 1010: the server runs vSphere with the Nexus 1000V VEM and the workload VMs only; a Cisco Nexus 1010 appliance hosts up to four 1000V VSMs, connected to the physical switches.
Benefits for Both Teams (Server Admin and Network Admin)
• Offload VSM install/mgmt to the Network Team
• VSM doesn't need VMware ESX licensing
• Install the VSM like a standard Cisco switch
• Prepare for VM sprawl with ample scalability (256 hosts per Nexus 1010 appliance)
Feature Comparison
VSM on Virtual Machine:
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of VSM
• 64 hosts per VSM
• Pure software deployment
VSM on Nexus 1010:
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of VSM
• 64 hosts per VSM, 4 VSMs, 256 hosts in total
• Installation like a standard Cisco switch
• Network Team manages the switch hardware
• Dedicated services appliance (NAM, etc.)
Sources:
• www.Cisco.com
• http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/cloud_services_platform/hw/installation/guide/n1010_install_hw_oview.html
• http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_p_1_5_1/software/configuration/guide/n1010_vsvcs_cfg_1oview.html#wp1141014
• http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps12752/data_sheet_c78-297641.html
• http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/eol_C51-716591.html