© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect
København, 18 April 2013
Software Defined Networking (SDN) in the data center. Hans Donnerborg, [email protected]
CCIE #1486
“With SDN in the data center, the edge of the network has moved from being something controlled on a physical switch to being a virtual device inside a server. For several years it has been possible to use a Nexus 1000v switch with VMware’s hypervisor. We now have support for Microsoft Hyper-V, and further hypervisors will follow over the coming period. Come and hear about the plans and which features are offered.”
What is Software Defined Networking?
Many Definitions
• Openflow • Controller • Openstack • Overlays • Network virtualization • Automation • APIs • Application oriented • Virtual Services • Open vSwitch • …
Test/trials with OpenFlow/SDN components for future production
Programmable APIs for insight into and control of network traffic
Uniform policy and uniform service delivery
Virtual workloads, VDI, management of security profiles
Customer segments for programmable networks
Automation and programmable overlay networks: OpenStack
Cisco Open Network Environment
Open API
Development for the platforms
IOS, IOS-XR and NX-OS
onePK (One Platform Kit)
Platform APIs
OpenFlow Agent for the Catalyst series (3K)
Controller software for SDN development
Controller/Agents
OpenStack
Nexus 1000V
Multi-Hypervisors
Overlay virtual networks
Security
Cisco’s differentiation: multi-layer programmability
Network elements
Analysis and monitoring, performance and security
OpenFlow/ SDN
Application Developer Environment
Open Network Environment
© 2012 Cisco and/or its affiliates. All rights reserved. Cisco Connect 7
Definitions
“…In SDN, the control plane and data plane are decoupled. Network intelligence is logically centralized; the network infrastructure is not visible to the applications…”
Source: www.opennetworking.org
Open-source software used in public or private clouds, covering compute, network and storage services.
Source: www.openstack.org
Overlay networks are established on top of existing infrastructure (physical and/or virtual) using network protocols.
“…an open standard for developers to experiment with protocols in networks. Provides a standard approach without compromising the vendor’s operating system…”
Source: www.opennetworking.org
OpenStack Core Projects
OpenStack Compute (Nova) Software to provision virtual machines on commodity hardware at massive scale
OpenStack Object Storage (Swift) Software to reliably store billions of objects distributed across commodity hardware
OpenStack Image Service (Glance) Services for discovering, registering, and retrieving virtual machine images
OpenStack Dashboard (Horizon) A self-service web portal to allow administrators and users to manage OpenStack resources
OpenStack Identity (Keystone) Provides “unified authentication” across all OpenStack projects and integrates with 3rd party authentication systems
OpenStack Network Service (Quantum) Provides “network connectivity as a service” between devices managed by other OpenStack services
OpenStack APIs
Basic Quantum API Abstractions
Enables a multi-tier network
(Diagram: three Quantum networks, “External_Network”, “App_Network” and “DB_Network”, joined by a router; VM 1 (Host A) is the web server, VM 2 (Host A) the application and VM 3 (Host B) the database.)
Physical | Virtual | Cloud Journey
• Physical workload: one app per server; static; manual provisioning
• Virtual workload: many apps per server; mobile; dynamic provisioning
• Cloud workload: multi-tenant per server; elastic; automated scaling
(Diagram: hypervisor hosting VDC-1 and VDC-2.)
CONSISTENCY: policy, features, security, management, separation of duties
• Switching: Nexus 1000V, VM-FEX (virtual); Nexus 7K/5K/3K/2K (physical)
• Services: vWAAS, VSG, ASA 1000V, vNAM* (virtual); WAAS, ASA, NAM (physical)
• Routing: Cloud Services Router (CSR 1000V) (virtual); ASR, ISR (physical)
Server Virtualization Issues
1. vMotion moves VMs across physical ports—the network policy must follow vMotion (across racks, PODS, DCs)
2. Must view or apply network/security policy to locally switched traffic
3. Need to maintain segregation of duties while ensuring non-disruptive operations
(Diagram labels: Port Group; Server Admin; Network Admin; Security Admin.)
Where do we fit in that?
(Diagram of the stack:)
• Cloud portal and orchestration: CIAC/OpenStack/Partners; System Center
• Computing platform: multiple hypervisors (vSphere, KVM, Xen, open source); Hyper-V
• Storage platform
• Physical network
• Virtual network infrastructure: Nexus 1000V, vPath
• Cloud network services, L4-7 and L2-3: WAAS, NAM, ASA 1000V, NetScaler, VSG, partners
Cisco Nexus 1000V for Hyper-V
(Diagram: Nexus 1000V VEMs hosting VMs on VMware vSphere, managed through VMware vCenter, and on Windows Server 2012 Hyper-V, managed through SCVMM 2012 SP1; each side has its own Nexus 1000V VSM.)
A consistent architecture, feature set and network services ensure operational transparency across multiple hypervisors.
Cisco Nexus 1000V for Hyper-V: Operational Model with SCVMM
(Diagram: Nexus 1000V VSM; a Windows Server 2012 Hyper-V server running the Nexus 1000V VEM and its VMs; SCVMM.)
• Create networks and policies (logical networks, network sites, VM networks)
• Networks and policies are synced to SCVMM
• Hosts are added to the N1KV and VMs (VNICs) are connected to VM networks
• SCVMM manages the placement and live migration of the VMs based on the constraints between VM networks and the network sites.
Cisco Nexus 1000V Architecture Utilizes Hyper-V Extensible Switch Platform
• Extensions process all network traffic, including VM-to-VM on the same host
• Forwarding Extensions can Capture and Filter Traffic as well
• Nexus 1000V will work with other 3rd party Capture and Filtering Extensions as well
• Live Migration and NIC Offloads continue to work even when the extensions are present
(Diagram: Capture Extension and Filtering Extension alongside the Nexus 1000V, which is a Forwarding Extension.)
Microsoft SCVMM Networking Concepts: Logical Networks and Network Sites
• A Logical Network represents a network with certain connectivity characteristics (e.g. DMZ network, intranet, isolation)
• An instantiation of a Logical Network on a set of host groups (e.g. the hosts in a POD) is called a Network Site
• Network Sites can be defined based on physical network connectivity or based on isolating traffic to specific host groups
(Diagram: one Logical Network spanning hosts in two Network Sites, San Jose and Seattle.)
Microsoft SCVMM Networking Concepts: Associating VNICs to VM Networks and Port Classifications
• Choose the VM Network (a VM Subnet is tied to the network 1:1)
• Choose the IP address type (DHCP or statically assigned); for static IPs, choose the IP pool
• Choose the Port Profile Classification (policy: QoS, security, monitoring); a classification refers to a Port Profile
Current N1KV/ESX version versus N1KV/Hyper-V version

Current N1KV/ESX version (VLAN carried in the port-profile):
  port-profile db-client
    switchport mode access
    switchport access vlan 10
    ip port access-group dbclient in
    no shut
    state enabled
  port-profile db-server
    switchport mode access
    switchport access vlan 10
    ip port access-group dbserver in
    no shut
    state enabled

N1KV/Hyper-V version (VLAN moved into a network-segment):
  port-profile db-client
    ip port access-group dbclient in
    no shut
    state enabled
  port-profile db-server
    ip port access-group dbserver in
    no shut
    state enabled
  network-segment db-network
    switchport mode access
    switchport access vlan 10

(Diagram: DB client VMs and DB server VMs on the DB network.)
N1KV/Hyper-V network-definition and network-segments:
  network-definition DMZ_POD1
  network-segment DMZ_POD1_SUBNET1
    switchport mode access
    switchport access vlan 20
    ip-pool DMZ_POD1_Pool1
    network-definition DMZ_POD1
  network-segment DMZ_POD1_SUBNET2
    switchport mode access
    switchport access vlan 21
    ip-pool DMZ_POD1_Pool2
    network-definition DMZ_POD1
  network-segment DMZ_POD1_SUBNET3
    switchport mode access
    switchport access vlan 22
    ip-pool DMZ_POD1_Pool2
    network-definition DMZ_POD1

(Diagram: Network Site “DMZ_POD1” containing the VM Networks DMZ_POD1_SUBNET1, DMZ_POD1_SUBNET2 and DMZ_POD1_SUBNET3.)
• A Network Site is a grouping of VM Networks that are always available together on the same host simultaneously
• A host uplink can be configured to carry one or more Network Sites
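An added Python check, not code from the presentation, that parses the flattened NX-OS-style objects shown above (port-profiles, network-segments and network-definitions) and flags a port-profile with no inbound ACL bound or a segment not bound to a known network-definition; the sample configuration is constructed from the page's object names, and the function names are assumptions.

```python
# Constructed sample in the NX-OS style of the snippets above (one statement
# per indented line). db-server lacks an inbound ACL and DMZ_POD1_SUBNET2 lacks
# its network-definition binding, so both should be flagged.
SAMPLE_CONFIG = """\
port-profile db-client
  ip port access-group dbclient in
  state enabled
port-profile db-server
  state enabled
network-definition DMZ_POD1
network-segment DMZ_POD1_SUBNET1
  switchport access vlan 20
  ip-pool DMZ_POD1_Pool1
  network-definition DMZ_POD1
network-segment DMZ_POD1_SUBNET2
  switchport access vlan 21
  ip-pool DMZ_POD1_Pool2
"""


def parse_blocks(text):
    """Map each top-level (kind, name) header to its list of indented statements."""
    blocks, current = {}, None
    for raw in filter(str.strip, text.splitlines()):
        if raw[0] != " ":  # header such as "port-profile db-client"
            kind, _, name = raw.strip().partition(" ")
            current = (kind, name)
            blocks[current] = []
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    blocks = parse_blocks(text)
    definitions = {name for kind, name in blocks if kind == "network-definition"}
    findings = []
    for (kind, name), stmts in blocks.items():
        if kind == "port-profile":
            # Every VM port-profile should bind an inbound port ACL, as db-client does.
            if not any(s.startswith("ip port access-group ") and s.endswith(" in") for s in stmts):
                findings.append(f"port-profile {name}: no inbound ACL bound")
        elif kind == "network-segment":
            # Hyper-V model: a segment must reference a known network-definition (the Network Site).
            bound = [s.split()[1] for s in stmts if s.startswith("network-definition ")]
            if not bound:
                findings.append(f"network-segment {name}: not bound to a network-definition")
            elif bound[0] not in definitions:
                findings.append(f"network-segment {name}: unknown network-definition {bound[0]}")
    return findings
```

Run `audit(SAMPLE_CONFIG)` against the running-config text exported from the VSM to get the list of objects that need attention.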
vPath and Cloud Network Services
(Diagram: Virtual Machine Attributes, Port Profiles and vPath.)
Cisco Nexus 1000V Pricing: will be consistent across hypervisors
• Essential Edition: VLAN, ACL, QoS; VXLAN, vPath; LACP; Multicast; NetFlow, ERSPAN; Management; vTracker; vCenter plug-in
• Advanced Edition: Cisco TrustSec SXP support; CISF (DHCP snooping, IP Source Guard, ARP Inspection); VSG
Cisco Nexus 1000V Architecture: vPath and VXLAN
(Diagram: a Nexus 1000V on each hypervisor, connected over the Ethernet/IP network fabric; virtual services shown: Cisco vWAAS, N1KV VSM, ASA 1000V, Cisco VSG, Citrix VPX*, CSR 1000V, Imperva WAF*. * To be released in CY13.)
CSR Secure VPN Gateway
(Diagram: CSR 1000V in the enterprise data center alongside ASR, ISR, distribution and ToR switches and servers; a CSR 1000V in the cloud provider data center; branch locations with WAN routers/ISR connecting over the Internet.)
• Integrating enterprise and cloud VPN policies
• Backhaul to the data center increases latency
• Each cloud imposes different VPN types and scale limits
• Common VPN types: IPSec, DMVPN, EZVPN, FlexVPN
• Routing-based VPNs and private addressing
• Firewall, ACLs, AAA
• Direct, secure access; avoids backhaul to the data center
• Familiar, reliable and scalable VPN, compatible with existing management tools
Cisco’s Virtual Security Portfolio
• Virtual ASA provides the consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• The solution provides:
  – Increased flexibility and operational efficiency via vPath (Nexus 1000V)
  – Dynamic, context-aware, multi-tenant management via VNMC
(Diagram: Tenant A and Tenant B, each in a VDC with vApps protected by VSGs and an ASA 1000V; vSphere with Nexus 1000V and vPath; Virtual Network Management Center (VNMC) alongside VMware vCenter.)
Overlays - VXLAN
(Diagram: VMs attached to a VXLAN overlay.)
Nexus1000V InterCloud Securely Extend Enterprise Environment into Provider Cloud
Cisco Cloud Lab: Hands-On Training and Demos
• Hands-on labs available for Nexus 1000V and VSG in Cloud Lab: https://cloudlab.cisco.com
• Open to all Cisco employees
• Customers/partners require sponsorship from their account team for access via CCO login ID
• Extended-duration lab licenses for 1000V and VSG are available upon request
Thank you.