Nexus 1000_ver 1.1

Aakash Agarwal Email: [email protected]


Agenda

• What is Virtualization
• Why Nexus 1000V. What problems does it solve
• Nexus 1000V Architecture
• Nexus 1000V Switching
• Nexus 1000V Port-Profiles
• Nexus 1000V Security Features
• Nexus 1000V Quality of Service
• Nexus 1000V Network Management
• Nexus 1010 / 1110x

Training Prerequisites

• Understanding of normal network design
• Understanding of virtualization
• Understanding & experience with VMware
• Understanding & experience with NX-OS
• Understanding & experience with Layer 2 switching

Virtualization

• Virtualization is the creation of a virtual (rather than actual) version of something, such as an operating system, a server, a storage device or network resources.
  – Server virtualization
  – Network virtualization
  – Storage virtualization
• Never seen it before? You did ;)
  – Hard disk partitioning, over which you could run multiple OSes, is an example
  – Creating a Switch Virtual Interface (SVI) is an example
• Server virtualization components:
  – Hypervisor: a virtual machine manager, a program that allows multiple operating systems to share a single hardware host.
  – Virtual Machine (VM): a software implementation of a computing environment in which an operating system (OS) or program can be installed and run.

Virtualization (Cont.)

• ESX/vSphere: A virtualization platform used to create the virtual machines as a set of configuration and disk files that together perform all the functions of a physical machine.

• DRS (Distributed Resource Scheduler): Feature that allocates and balances computing capacity dynamically across collections of hardware resources for virtual machines. This feature includes distributed power management (DPM) capabilities that enable a datacenter to significantly reduce its power consumption.

• DVS (Distributed virtual switch): This is a logical switch that spans one or more VMware ESX servers.

• Virtual Center: An API to manage the VMs; the central management control point for virtual infrastructure services.

Virtualization (Cont.)

• vMotion: Embedded tool set in the vCenter application suite that leverages the virtualized storage, network and server infrastructure to move an entire running virtual machine instantaneously from one server to another.

• VMkernel: The VMkernel is the hypervisor layer of an ESX server that provides the virtualization interface for hardware to virtual machines.

• vSwitch: Software Virtual Switch.

Server Virtualization Issues

1. vMotion moves VMs across physical ports, from one piece of physical hardware to another
2. VM moved to different hardware with no downtime

Nexus Switch Family

Products: Cisco Nexus 7000, Cisco Nexus 5000, Cisco Nexus 2000, Cisco Nexus 1000V, Cisco Nexus 1010

Technologies:
• NX-OS: Unified OS for the data center
• Unified Fabric: Lossless 10Gb transport for next-generation DC
• Fibre Channel over Ethernet (FCoE): Unified transport for LAN and FC
• VN-Link: Virtual Machine Aware Network
• RAB, DAL: High performance for HPC environments
• 10GbE: Enhanced speed for growing demand

(Diagram: products placed on a Product / Technology grid across the Server, Access and Core tiers)

Network Virtualization: Nexus 1000V?

Networking Challenges to Scaling Server Virtualization

Security and Policy Enforcement
• Applied at the physical server, not the individual VM
• Impossible to enforce policy for VMs in motion

Operations and Management
• Lack of VM visibility, accountability, and consistency
• Inefficient management model and inability to effectively troubleshoot

Organizational Structure
• Muddled ownership as server admin must configure virtual network
• Organizational redundancy creates compliance challenges

Cisco Nexus 1000V

• Policy-Based VM Connectivity
• Mobility of Network & Security Properties
• Non-Disruptive Operational Model

(Diagram: Nexus 1000V running inside vSphere, switching four VMs)

Industry’s most advanced software switch for VMware vSphere
• Built on Cisco NX-OS
• Compatible with all switching platforms
• Maintain vCenter provisioning model unmodified for server administration; allow network administration of virtual network via familiar Cisco NX-OS CLI

Cisco VN-Link: Virtual Network Link

(Diagram: a Nexus 1000V VSM and vCenter managing Nexus 1000V VEMs on two vSphere hosts, each carrying four VMs)

• Policy-Based VM Connectivity
• Mobility of Network & Security Properties
• Non-Disruptive Operational Model

Policy-Based VM Connectivity: Faster VM Deployment

(Diagram: Nexus 1000V VSM and vCenter managing Nexus 1000V VEMs on two vSphere hosts, each carrying four VMs)

Port Profiles: WEB Apps, HR, DB, DMZ

VM Connection Policy
• Defined in the network
• Applied in Virtual Center
• Linked to VM UUID

Mobility of Network & Security Properties: Richer Network Services

(Diagram: Nexus 1000V VSM and vCenter managing Nexus 1000V VEMs on two vSphere hosts; a VM moves from one host to the other)

Property Mobility
• VMotion for the network
• Ensures VM security
• Maintains connection state

VMs Need to Move
• VMotion
• DRS
• SW Upgrade/Patch
• Hardware Failure

Non-Disruptive Operational Model: Increased Operational Efficiency

(Diagram: Nexus 1000V VSM and vCenter managing Nexus 1000V VEMs on two vSphere hosts, each carrying four VMs)

Network Admin Benefits
• Unifies network mgmt and ops
• Improves operational security
• Enhances VM network features
• Ensures policy persistence
• Enables VM-level visibility

VI Admin Benefits
• Maintains existing VM mgmt
• Reduces deployment time
• Improves scalability
• Reduces operational workload
• Enables VM-level visibility

VMware vSwitch

• VMware vSwitch is a very basic L2 switch
• vSwitch is managed by the Server Administrator through VMware’s Virtual Center
• vSwitch doesn’t offer functionality offered by Cisco Access Switches
• Configured independently on each ESX server

(Diagram: Server 1 and Server 2, each running VMW ESX with its own VMware vSwitch and four VMs, both managed from Virtual Center)

Nexus 1000V Architecture Overview

Cisco Nexus 1000V Components

(Diagram: vCenter Server and Cisco VSMs managing three Cisco VEMs, each switching four VMs)

Virtual Ethernet Module (VEM)
• Replaces VMware’s virtual switch
• Enables advanced switching capability on the hypervisor
• Provides each VM with dedicated “switch ports”

Virtual Supervisor Module (VSM)
• CLI interface into the Nexus 1000V
• Leverages NX-OS 4.04a7
• Controls multiple VEMs as a single network device

Cisco Nexus 1000V ‘Virtual Chassis’

(Diagram: two Cisco VSMs and two Cisco VEMs, each switching four VMs, forming one virtual chassis)

pod5-vsm# show module
Mod  Ports  Module-Type                       Model       Status
---  -----  --------------------------------  ----------  ------------
1    0      Virtual Supervisor Module         Nexus1000V  active *
2    0      Virtual Supervisor Module         Nexus1000V  ha-standby
3    248    Virtual Ethernet Module           NA          ok

Cisco Nexus 1000V Scalability

A single Nexus 1000V supports:
• 2 Virtual Supervisor modules (HA)
• 64* Virtual Ethernet modules
• 512 Active VLANs
• 2048 Ports (Eth + Veth)
• 256 Port Channels

A single Virtual Ethernet module supports:
• 216 Ports Veths
• 32 Physical NICs
• 8 Port Channels

Nexus 1000V Traffic Classifications

Cisco Nexus 1000V Component Communication – L2

Two distinct virtual interfaces are used to communicate between the VSM and VEM:

Control
• Carries low-level messages to ensure proper configuration of the VEM
• Maintains a 1 sec heartbeat from the VSM to the VEM (timeout 6 seconds)
• Maintains synchronization between primary and secondary VSMs

Packet
• Carries any network packets from the VEM to the VSM, such as CDP, ERSPAN, or IGMP control

Requires layer 2 connectivity (diagram: Cisco VSMs and Cisco VEM joined through an L2 cloud on the Control (C) and Packet (P) interfaces)

Cisco Nexus 1000V Component Communication – VSM to vCenter

• Communication using the VMware VIM API over SSL
  – Port 80 and 443
• Connection is set up on the VSM
• Requires installation of vCenter plug-in (downloaded from VSM)
• Once established, the Nexus 1000V is created in vCenter

pod5-vsm# show svs connections
connection VC:
    hostname: phx2-dc-pod5-vc
    ip address: 10.95.5.158
    protocol: vmware-vim https
    certificate: default
    datacenter name: Phx2-Pod5
    DVS uuid: df 11 38 50 0a 95 83 4e-95 69 d6 a7 f4 76 4a 7f
    config status: Enabled
    operational status: Connected

Cisco Nexus 1000V Opaque Data

Each Nexus 1000V requires a global setting on the VSMs and VEMs called Opaque Data
• Contains such data as control/packet VLAN, Domain ID, System Port Profiles
• VSM pushes the opaque data to vCenter Server
• vCenter Server pushes the opaque data to each VEM when they are added

(Diagram: opaque data (OD) flowing from the Cisco VSMs to vCenter Server and on to each Cisco VEM)

Cisco Nexus 1000V Domain

• Each VSM is assigned a unique ‘Domain ID’
• Domain ID ensures that VEMs do not respond to commands from non-participating VSMs
• Each packet between VSM and VEM is tagged with the appropriate Domain ID
• Domain range from 1-4095

(Diagram: Cisco VEMs with DID 15 accept commands tagged DID 15 from the active VSM and ignore commands tagged DID 25 from another VSM)

Nexus 1000V Switching

Distributed Data Plane

• Each Virtual Ethernet Module forwards packets independently of the others
• No address learning/synchronization across VEMs
• No concept of Crossbar/Fabric between the VEMs
• Virtual Supervisor Module is NOT in the data path
• No concept of forwarding from an ingress linecard to an egress linecard (another server)
• No Etherchannel across VEMs
• Nexus 1000V does not participate in STP

Cisco Nexus 1000V vEth Interface (Virtual Ethernet Port)

• vEths are assigned sequentially
• VM vNICs are statically bound to a vEth
  – Assignment persistent through reboots
  – May change if the vNIC is reassigned to another port profile
• vEths will move between modules when a VM is moved (HA, VMotion, etc.)
  – Delete or reassign the vNIC to unlink the VM-to-vEth mapping
• Default virtual ‘speed’ is Gigabit as negotiated with the guest OS
  – By default performance is not gating (i.e. a 1Gb vNIC runs faster than 1Gb)
• Default MTU is determined from the physical NIC
  – Like speed, MTU is not gating. For large MTU VMware nic.
• 2048 vEths supported system wide

Loop Prevention without STP

(Diagram: three Cisco VEMs, each switching four VMs, with uplinks Eth4/1 and Eth4/2)

• BPDUs are dropped
• No switching from physical NIC to NIC
• Local MAC address packets dropped on ingress (L2)

MAC Learning

• Each VEM learns independently and maintains a separate MAC table
• VM MACs are statically mapped
  – Other vEths are learned this way (vmknics and vswifs)
  – No aging while the interface is up
• Devices external to the VEM are learned dynamically
• VSM also keeps track of MAC addresses

(Diagram: VEM 3 with VM1 and VM2 behind uplink Eth3/1; VEM 4 with VM3 and VM4 behind uplink Eth4/1)

VEM 3 MAC Table
  VM1  Veth12  Static
  VM2  Veth23  Static
  VM3  Eth3/1  Dynamic
  VM4  Eth3/1  Dynamic

VEM 4 MAC Table
  VM1  Eth4/1  Dynamic
  VM2  Eth4/1  Dynamic
  VM3  Veth8   Static
  VM4  Veth7   Static
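The two MAC tables above can be reproduced by modelling each VEM as an independent learner. This is an added example written for this page, not Cisco code: VM MACs are installed as static entries bound to their vEth, external MACs are learned dynamically on the uplink, and the loop-prevention rules from the previous slide (drop local MACs seen on the uplink, never switch NIC to NIC) are applied on ingress. The port names follow the slide; using "VM1".."VM4" as MAC strings is a simplification for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Entry:
    port: str
    kind: str            # "Static" (VM vNIC bound to a vEth) or "Dynamic"


@dataclass
class VEM:
    name: str
    uplinks: set
    table: dict = field(default_factory=dict)
    dropped: list = field(default_factory=list)

    def attach_vm(self, mac, veth):
        """vNIC statically bound to a vEth: static entry, no aging while up."""
        self.table[mac] = Entry(veth, "Static")

    def ingress(self, in_port, src, dst):
        """Switch one frame; return the egress port, "flood", or None if dropped."""
        from_uplink = in_port in self.uplinks
        if from_uplink:
            local = self.table.get(src)
            if local is not None and local.kind == "Static":
                # Local MAC seen on the uplink: a looped copy. Drop on ingress
                # instead of relearning the VM behind the physical NIC.
                self.dropped.append((in_port, src))
                return None
            # Device external to this VEM: learned dynamically on the uplink.
            self.table.setdefault(src, Entry(in_port, "Dynamic"))
        out = self.table.get(dst)
        if out is None:
            return "flood"
        if from_uplink and out.port in self.uplinks:
            self.dropped.append((in_port, dst))   # no switching from NIC to NIC
            return None
        return out.port

    def dump(self):
        return {mac: (e.port, e.kind) for mac, e in sorted(self.table.items())}


def run_scenario():
    """Replay the deck's topology: VM1/VM2 on VEM 3, VM3/VM4 on VEM 4."""
    vem3 = VEM("VEM 3", {"Eth3/1"})
    vem4 = VEM("VEM 4", {"Eth4/1"})
    vem3.attach_vm("VM1", "Veth12")
    vem3.attach_vm("VM2", "Veth23")
    vem4.attach_vm("VM3", "Veth8")
    vem4.attach_vm("VM4", "Veth7")
    # Each frame leaves its source VEM (unknown destination: flooded out the
    # uplink) and arrives on the other VEM's uplink, where the source is learned.
    conversations = [
        (vem3, "Veth12", "VM1", vem4, "VM3"), (vem4, "Veth8", "VM3", vem3, "VM1"),
        (vem3, "Veth23", "VM2", vem4, "VM4"), (vem4, "Veth7", "VM4", vem3, "VM2"),
    ]
    for src_vem, veth, src, dst_vem, dst in conversations:
        src_vem.ingress(veth, src, dst)
        dst_vem.ingress(next(iter(dst_vem.uplinks)), src, dst)
    # A copy of VM1's own frame looping back onto VEM 3's uplink is dropped.
    vem3.ingress("Eth3/1", "VM1", "VM3")
    return vem3.dump(), vem4.dump(), vem3.dropped
```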

Nexus 1000V Port-Profiles

What is a Port-Profile?

• A port-profile is a container used to define a common set of configuration commands for multiple interfaces
• Define once and apply many times
• Simplifies management by storing interface configuration
• Key to collaborative management of virtual networking resources
• Why is it not like a template or SmartPort macro?
  – Port-profiles are ‘live’ policies
  – Editing an enabled profile will cause config changes to propagate to all interfaces using that profile (unlike a static one-time macro)
• Two types
  – Type Ethernet used for physical NIC uplinks
  – Type Vethernet used for VM network connectivity

Port Profile Configuration

n1000v# show port-profile name WebProfile
port-profile WebProfile
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebProfile
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10

Supported commands include: Port management, VLAN, PVLAN, Port-channel, ACL, Netflow, Port Security, QoS

Port Profile Policy Distribution

n1000v(config)# port-profile WebServers
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 100
n1000v(config-port-prof)# no shut

(Diagram: the port profile (PP) is pushed from the Cisco VSM to vCenter Server)

Overriding Port Profile Configuration

• Administrators can interact with individual switchports, overriding a port profile
• Used to isolate problems with one or two interfaces without changing the port-profile and affecting other ports
• Manual configuration always takes precedence over a port profile configuration
• The ‘no’ form of the command removes the override and restores the profile’s config:

n1000v(config)# int vethernet 2
n1000v(config-if)# switchport access vlan 250

n1000v(config)# int vethernet 2
n1000v(config-if)# no switchport access vlan

Port Profile Inheritance

• Profile inheritance allows the construction of profile hierarchies
• ‘Parent’ profiles pass configuration to ‘child’ profiles
• Only the child profiles need to be visible within VC
• Updates to the parent filter to the child
• Child profiles can be updated independently

n1000v(config)# port-profile Web
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 100
n1000v(config-port-prof)# no shut

n1000v(config)# port-profile Web-Gold
n1000v(config-port-prof)# inherit port-profile Web
n1000v(config-port-prof)# service-policy output Gold
n1000v(config-port-prof)# vmware port-group Web-Gold

n1000v(config)# port-profile Web-Silver
n1000v(config-port-prof)# inherit port-profile Web
n1000v(config-port-prof)# service-policy output Silver
n1000v(config-port-prof)# vmware port-group Web-Silver

Effective Port Profile – Web-Gold: Access Port, VLAN 100, Gold QoS Policy
Effective Port Profile – Web-Silver: Access Port, VLAN 100, Silver QoS Policy
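The evaluation rules from the last three slides (inheritance, live propagation of parent edits, and per-interface override removed by the ‘no’ form) can be captured in a small model. This is an added example for this page, not Cisco code; the command keys such as "switchport access vlan" and the value "no" for `no shut` are a representation chosen here, and the Web / Web-Gold / Web-Silver profiles and Veth2 follow the slides.

```python
class PortProfile:
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent          # set by 'inherit port-profile <parent>'
        self.commands = {}            # e.g. "switchport access vlan" -> "100"

    def set(self, key, value):
        self.commands[key] = value

    def evaluated(self):
        """'evaluated config attributes': parent first, child wins on conflicts."""
        cfg = dict(self.parent.evaluated()) if self.parent else {}
        cfg.update(self.commands)
        return cfg


class Interface:
    def __init__(self, name, profile):
        self.name = name
        self.profile = profile
        self.overrides = {}           # manual per-interface configuration

    def configure(self, key, value):
        self.overrides[key] = value

    def no(self, key):
        """'no <command>' drops the override so the profile value shows through."""
        self.overrides.pop(key, None)

    def running(self):
        cfg = self.profile.evaluated()   # evaluated at read time: a live policy
        cfg.update(self.overrides)       # manual config always takes precedence
        return cfg


def deck_scenario():
    """Build Web / Web-Gold / Web-Silver from the slide and exercise the rules."""
    web = PortProfile("Web")
    web.set("switchport mode", "access")
    web.set("switchport access vlan", "100")
    web.set("shutdown", "no")
    gold = PortProfile("Web-Gold", parent=web)
    gold.set("service-policy output", "Gold")
    silver = PortProfile("Web-Silver", parent=web)
    silver.set("service-policy output", "Silver")

    veth2 = Interface("Veth2", gold)
    steps = {"effective_gold": gold.evaluated(),
             "effective_silver": silver.evaluated()}
    veth2.configure("switchport access vlan", "250")   # manual override
    steps["after_override"] = veth2.running()["switchport access vlan"]
    veth2.no("switchport access vlan")                 # 'no switchport access vlan'
    steps["after_no"] = veth2.running()["switchport access vlan"]
    web.set("switchport access vlan", "110")           # edit the parent profile
    steps["after_parent_edit"] = veth2.running()["switchport access vlan"]
    return steps
```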

Uplink Port Profiles – Type Ethernet

(Diagram: Cisco VEM switching four VMs, with the uplink profile applied to its physical NICs)

• Special profiles that define physical NIC properties
• Usually configured as a trunk
• Defined when creating the port-profile: port-profile type ethernet profile-name
• Uplink profiles cannot be applied to vEths
• Only selectable in vCenter when adding a host or additional NICs

n1000v(config)# port-profile type Ethernet DataUplink
n1000v(config-port-prof)# switchport mode trunk
n1000v(config-port-prof)# switchport trunk allowed vlan 10-15
n1000v(config-port-prof)# no shut
n1000v(config-port-prof)# system vlan 51, 52
n1000v(config-port-prof)# channel-group auto mode on sub-group cdp

VM Port Profiles – Type Vethernet

(Diagram: Cisco VEM switching four VMs, with the VM profile applied to their vNICs)

• Special profiles that define VM NIC properties
• Usually configured as an access port
• Syntax: port-profile type vethernet profile-name
• Vethernet profiles cannot be applied to physical NICs
• Only selectable under a VM’s network settings

n1000v(config)# port-profile type vethernet vm_vlan_152
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 152
n1000v(config-port-prof)# no shut
n1000v(config-port-prof)# state enabled

Cisco Nexus 1000V System VLANs

What is a System VLAN?
A "system VLAN" means that the VEM will pass traffic on those VLANs even when the VEM cannot be programmed by the VSM (if, for example, the VSM is down and the VEM is reloaded). System VLANs enable interface connectivity before an interface is programmed.

Required System VLANs: Control, Packet
Highly Recommended System VLANs: IP Storage, Service Console, VMKernel, Management Networks

System VLAN example: Migrate VMware Service Console to VEM
• SC interface uses VLAN 2
• Uplink port-profile must define VLAN 2 as system

n1000v# show run port-profile uplink-pinning
port-profile type ethernet uplink-pinning
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan all
  channel-group auto mode on mac-pinning
  no shutdown
  system vlan 2,10,150-151

• Service Console port-profile must also define the system vlan

n1000v# show run port-profile SC
port-profile type vethernet SC
  vmware port-group
  switchport mode access
  switchport access vlan 2
  no shutdown
  system vlan 2

Nexus 1000V Security Features

Access Control List Overview

• ACLs provide traffic filtering mechanisms
• Provides filtering for ingress and egress VM traffic for additional network security
• Permit/Drop traffic based on ACL policies
• ACL types supported: IPv4 and MAC ACLs
• Ingress and Egress
• Supported on Eth and vEth interfaces
• Configured via port profiles or directly on the interface

Port Security Overview

• Port Security secures a port by limiting and identifying the MAC addresses that can access a port
• Secure MACs can be manually configured or dynamically learned
• Two security violation types are supported
  – Addr-Count-Exceed Violation
  – MAC Move Violation
• Port security can be applied to vEths
  – Cannot be applied to physical interfaces
• Three types of secure MACs
  – Static
  – Sticky
  – Dynamic
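The port-security behaviour summarised above is easiest to reason about as a small state machine over secured vEths. This is an added example written for this page, not Cisco code: it tracks static, sticky and dynamic secure MACs per vEth, raises the two violation types named on the slide, and refuses to attach to a physical (Eth) interface. The violation action (drop the frame and record the event) and the interface names and MACs are choices made for this example.

```python
from dataclasses import dataclass, field


@dataclass
class SecurePort:
    name: str
    maximum: int = 1
    sticky: bool = False
    secure: dict = field(default_factory=dict)   # mac -> Static|Sticky|Dynamic


class PortSecurity:
    def __init__(self):
        self.ports = {}
        self.violations = []      # (port, mac, violation type)

    def enable(self, name, maximum=1, sticky=False):
        if not name.lower().startswith("veth"):
            # Slide: port security applies to vEths, not physical interfaces.
            raise ValueError(f"port security not supported on {name}")
        self.ports[name] = SecurePort(name, maximum, sticky)

    def add_static(self, name, mac):
        port = self.ports[name]
        if mac not in port.secure and len(port.secure) >= port.maximum:
            raise ValueError(f"{name}: static MAC exceeds maximum {port.maximum}")
        port.secure[mac] = "Static"

    def owner(self, mac):
        """Return the vEth that already has `mac` secured, if any."""
        for p in self.ports.values():
            if mac in p.secure:
                return p.name
        return None

    def ingress(self, name, mac):
        """Classify one frame's source MAC on a secured vEth."""
        port = self.ports[name]
        if mac in port.secure:
            return "permit"
        if self.owner(mac) is not None:
            self.violations.append((name, mac, "mac-move"))      # secured elsewhere
            return "drop"
        if len(port.secure) >= port.maximum:
            self.violations.append((name, mac, "addr-count-exceed"))
            return "drop"
        port.secure[mac] = "Sticky" if port.sticky else "Dynamic"   # learned
        return "permit"


def scenario():
    """Constructed traffic: Veth10 sticky (max 2), Veth11 static, then violations."""
    ps = PortSecurity()
    ps.enable("Veth10", maximum=2, sticky=True)
    ps.enable("Veth11", maximum=1)
    ps.add_static("Veth11", "00:50:56:aa:00:11")
    results = [
        ps.ingress("Veth10", "00:50:56:aa:00:10"),   # learned as sticky
        ps.ingress("Veth10", "00:50:56:aa:00:12"),   # second sticky, now at limit
        ps.ingress("Veth10", "00:50:56:aa:00:13"),   # addr-count-exceed
        ps.ingress("Veth11", "00:50:56:aa:00:10"),   # Veth10's MAC here: mac-move
    ]
    return results, ps.violations, ps.ports["Veth10"].secure
```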

Cisco Nexus 1000V Private VLANs

• Private VLANs divide a normal VLAN into sub-L2 domains
• Consist of a Primary VLAN and one or more secondary VLANs
• Used to segregate L2 traffic without wasting IP address space (smaller subnets)
• Secondary VLAN access is restricted by setting ‘community’ or ‘isolated’ status

PVLAN Definitions

• Primary VLAN: VLAN carrying downstream traffic from the router(s) to the host ports
• Secondary VLAN: Can be either an isolated VLAN or a community VLAN. A port assigned to the isolated VLAN is an isolated port. A port assigned to a community VLAN is a community port
• Isolated VLAN: Communicates only with the primary VLAN
• Community VLAN: Communicates within the community and with the primary VLAN
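The PVLAN definitions above reduce to a reachability rule between ports, which is worth making explicit when reviewing a segmentation design. This is an added example for this page, not Cisco code; "promiscuous" is the standard name for the router-facing port on the primary VLAN (the deck does not name it), and the VLAN numbers and port names are constructed.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    secondary: Optional[int] = None   # None for a promiscuous port on the primary
    role: str = "promiscuous"         # promiscuous | isolated | community


def can_forward(src: PvlanPort, dst: PvlanPort) -> bool:
    """Is L2 traffic from src permitted to reach dst inside the private VLAN?"""
    if src.primary != dst.primary:
        return False                       # different PVLAN domains never mix
    if "promiscuous" in (src.role, dst.role):
        return True                        # primary VLAN reaches every host port
    if "isolated" in (src.role, dst.role):
        return False                       # isolated ports talk only to the primary
    return src.secondary == dst.secondary  # community ports: same community only


def reachability(ports):
    """Matrix {src: {dst: bool}} over the given ports, excluding self-pairs."""
    return {s.name: {d.name: can_forward(s, d) for d in ports if d is not s}
            for s in ports}


def deck_scenario():
    """Primary 100 with community 101 (web tier) and isolated 102 (DMZ hosts)."""
    router = PvlanPort("Eth3/1", primary=100)
    web1 = PvlanPort("Veth10", 100, 101, "community")
    web2 = PvlanPort("Veth11", 100, 101, "community")
    dmz1 = PvlanPort("Veth20", 100, 102, "isolated")
    dmz2 = PvlanPort("Veth21", 100, 102, "isolated")
    return reachability([router, web1, web2, dmz1, dmz2])
```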

© 2009 Cisco Systems, Inc. All rights reserved.

Cisco Nexus 1010

What Is the Nexus 1010?
• Allows network administrators to manage the Nexus 1000V Virtual Supervisor Module (VSM) as a standard Cisco switch, with all 1000V features
• Physical appliance for virtual network services (VSM, NAM, etc.)
• Supported by CiscoWorks LAN Management Solution (LMS)
• The Nexus 1010 is a networking appliance to host four Nexus 1000V virtual supervisor modules (VSM)
• Available April/May 2010

Architecture Comparison

VSM on Virtual Machine: the 1000V VSM (x 1) runs as a VM on a vSphere server alongside the Nexus 1000V VEM and the workload VMs, connected to the physical switches.

VSM on Nexus 1010: the 1000V VSMs (x 4) run on the Cisco Nexus 1010 appliance; the vSphere servers run only the Nexus 1000V VEM and the workload VMs, connected to the physical switches.

Benefits for Both Teams (Server Admin and Network Admin)
• Offload VSM Install/Mgmt to Network Team
• VSM Doesn’t Need VMware ESX Licensing
• Install The VSM Like a Standard Cisco Switch
• Prepare for VM Sprawl with Ample Scalability (256 Hosts Per Nexus 1010 Appliance)

Feature Comparison

VSM on Virtual Machine
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of VSM
• 64 hosts per VSM
• Pure software deployment

VSM on Nexus 1010
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of VSM
• 64 hosts per VSM, 4 VSMs, 256 hosts in total
• Installation like a standard Cisco switch
• Network Team manages the switch hardware
• Dedicated services appliance (NAM, etc.)

Views of the 1010

Front Hardware View

Rear Hardware View


Cisco Nexus 1110(X/S)

Difference between 1010-1110

Views of the 1110

Front Hardware View

Rear Hardware View

Comparison Chart


Design and Command

Design Consideration

Installation and Configuration

Redundancy Status

Some Commands
• show svs domain

Sources:
• www.Cisco.com
• http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/cloud_services_platform/hw/installation/guide/n1010_install_hw_oview.html
• http://www.cisco.com/en/US/docs/switches/datacenter/nexus1000/sw/4_2_1_s_p_1_5_1/software/configuration/guide/n1010_vsvcs_cfg_1oview.html#wp1141014
• http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps12752/data_sheet_c78-297641.html
• http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/eol_C51-716591.html