Cisco Virtual Networking Solutions for Hyper-V
Appaji Malla, Sr. Product Manager; Chakri Avala, Sr. Product Manager
Data Center Group, Cisco Systems
IM-B291
Legal Disclaimer
Many of the products and features described herein remain in varying stages of development and will be offered on a when-and-if-available basis. This roadmap is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
Agenda
• Cisco Virtual Networking Solutions
• Cisco Nexus 1000V for Hyper-V: Product Overview, Public Beta, Nexus 1000V Demo
• Cisco VM-FEX for Hyper-V: Product Overview, Demo
Diverse Virtualization Requirements for Data Center Customers
Customer issues in virtualized environments: resource utilization, a maturing hypervisor market, operational complexity, public cloud, virtual services
• Security concerns for public cloud
• Mobility concerns: VM mobility across the DC; mobility across DCs and across clouds
• Secure virtual environment
• Rich network services
• Managing networks across physical and virtual environments
• Economics
• Use cases requiring different hypervisors
Resulting requirements: consistent operational model, multi-hypervisor support, multi-services support with vPath, multi-cloud support, overlay technology support
Cisco Vision
• Physical workload: one app per server; static; manual provisioning
• Virtual workload (hypervisor): many apps per server; mobile; dynamic provisioning
• Cloud workload (VDC-1, VDC-2): multi-tenant per server; elastic; automated scaling
Consistency across all three: policy, features, security, management
• Switching: Nexus 7K/5K/3K/2K; Nexus 1000V, VM-FEX
• Routing: ASR; Cloud Services Router (CSR 1000V)
• Services: WAAS, ASA, NAM; Virtual WAAS, VSG, ASA 1000V, vNAM*
• Compute: UCS for bare metal; UCS for virtualized workloads
Cisco Virtual Networking & Services Vision
Nexus 1000V: multi-cloud, multi-services, multi-hypervisor
Cisco Delivers Optimum IT Infrastructure for Your Microsoft Windows Server 2012 Environment
• Compute: Cisco Unified Computing System (UCS)
• Networking: Cisco Nexus 1000V; Cisco UCS VM-FEX
• Manageability: Cisco UCS Manager; Cisco UCS PowerTool
Certified for various Microsoft applications
Cisco Virtual Networking Solutions: Cisco Nexus 1000V and UCS VM-FEX
• Bring the network to the hypervisor (Cisco Nexus 1000V Switch)
• Bring VM awareness to the physical network (Cisco UCS VM-FEX)
[Diagram: VMs attached to a Cisco Nexus 1000V on one server and, through a UCS VIC adapter, to VM-FEX on another; both servers uplink to the UCS Fabric Interconnect and an IEEE 802.1Q network]
Cisco Nexus 1000V Pricing: Tiered Licensing, Essential and Advanced Editions
** Only supports network attributes
Cisco Nexus 1000V Architecture: Utilizes the Hyper-V Extensible Switch Platform
[Diagram: VM VNICs attach to the Hyper-V extensible vSwitch, which has capture, filter and forwarding extension slots; the Nexus 1000V VEM plugs in as the forwarding extension and is managed by the Nexus 1000V VSM; PNICs provide the uplinks]
Cisco Nexus 1000V Architecture: Consistent Operational Model Across Physical and Virtual
• Modular switch: Supervisor-1 (active) and Supervisor-2 (standby) form the NX-OS control plane; Linecard-1 … Linecard-N, connected over the backplane, form the NX-OS data plane.
• Nexus 1000V: VSM-1 (active) and VSM-2 (standby) are virtual appliances running the NX-OS control plane, owned by the network admin; VEM-1 … VEM-N on WS 2012 Hyper-V hosts form the NX-OS data plane, owned by the server admin.
VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module
Cisco Nexus 1000V Architecture: A Simple Deployment Scenario
[Diagram: three servers running WS 2012 Hyper-V, each with a Cisco Nexus 1000V VEM hosting VMs, managed by a Cisco Nexus 1000V VSM that is integrated with System Center Virtual Machine Manager]
• Virtual Ethernet Module (VEM)
  • Enables advanced networking capability on the hypervisor
  • Provides each virtual machine with a dedicated “switch port”
  • A collection of VEMs forms one virtual distributed switch
• Virtual Supervisor Module (VSM)
  • Virtual or physical appliance running Cisco NX-OS (supports high availability)
  • Performs management, monitoring, and configuration
  • Tight integration with management platforms
Cisco Nexus 1000V Features
Switching
• L2 switching, 802.1Q tagging, rate limiting (TX)
• IGMP snooping, QoS marking (CoS and DSCP)
Security
• Policy mobility, private VLANs with local PVLAN enforcement
• Access control lists (L2–4 with redirect), port security
• Dynamic ARP inspection*, IP Source Guard*, DHCP snooping*
Network Services
• Virtual Services Datapath (vPath) support for traffic steering and fast-path offload [leveraged by Virtual Security Gateway (VSG) and other services]
Provisioning
• Full integration with System Center Virtual Machine Manager (SCVMM)
• Faster network policy provisioning through port profiles
Visibility
• Live Migration tracking, NetFlow v9 with NDE, CDP v2
• VM-level interface statistics
• SPAN and ERSPAN (policy-based)
Management
• VM network provisioning (port profiles), CiscoWorks, Cisco DCNM
• Cisco CLI, RADIUS, TACACS, syslog, SNMP (v1, v2, v3)
• Hitless upgrade, software installer
* Only with Advanced Edition
Port Profiles: Faster VM Deployment
Cisco virtual networking: policy-based VM connectivity, mobility of network and security properties, non-disruptive operational model
[Diagram: VMs on two hypervisors, each with a Nexus 1000V VEM; port profiles define policies for WEB, Apps, HR, DB and DMZ; the Nexus 1000V VSM and the VM management station sit above the servers]
• VM connection policy
  • Defined in the network
  • Applied in SCVMM
Port Profiles: Policy Mobility with VM Migration
Cisco virtual networking: policy-based VM connectivity, mobility of network and security properties, non-disruptive operational model
[Diagram: VMs migrating between two hypervisors with Nexus 1000V VEMs, under the Nexus 1000V VSM and the VM management station]
• VMs need to move
  • VM migration
  • Resource scheduling
  • Software upgrade/patch
  • Hardware failure
• VM networking mobility
  • Live Migration
  • Ensures VM security
  • Maintains connection state
Microsoft SCVMM Networking Concepts
• Logical Networks
• Network Sites
• VM Networks
• Port Classification
• IP Pools
Microsoft SCVMM Networking Concepts: Logical Networks and Network Sites
A Logical Network represents a network with a certain type of connectivity characteristics (for example, a DMZ network, an intranet, or an isolated network).
An instantiation of a Logical Network on a set of host groups (for example, the hosts in a POD) is called a Network Site.
[Diagram: hosts Host1–Host6 in San Jose and Seattle, grouped into three Network Sites, each hosting VMs]
Microsoft SCVMM Networking Concepts: Virtual Machine Networks
VMs are connected to VM Networks; these can be backed by either VLANs or other overlay mechanisms (e.g. NVGRE segments). The first release of the Cisco Nexus 1000V Switch for Hyper-V only supports VLAN-backed VM Networks.
Microsoft SCVMM Networking Concepts: Port Classifications
The bundling of profiles from each extension (forwarding, capture, filtering) is the port classification.
[Diagram: VM VNICs on the extensible vSwitch with its forwarding, capture and filtering extensions; PNICs as uplinks]
Microsoft SCVMM Networking Concepts: Associating VM VNICs with VM Networks and Port Classifications
• Choose the network: a VM Network. The VM subnet is tied to the network (1:1).
• Choose the IP address type: dynamic (DHCP) or statically assigned.
• Choose the IP pool for static IPs.
• Choose the port profile classification: policy (QoS, security, monitoring). A classification refers to a port profile.
Microsoft SCVMM Networking Concepts: Putting Everything Together
[Diagram: Logical Network ‘DMZ’ with Network Sites ‘DMZ_POD1’ and ‘DMZ_POD2’; each site has three VM Networks (DMZ_Pod1_Subn1–3, DMZ_Pod2_Subnet1–3) backed by IP pools IP-Pool1–IP-Pool6; the port profiles Application Server, Privileged Client, Intranet Client and Guest Access are applied to the server, client and guest VMs]
Defining “Network Sites” and “VM Networks”
Logical Network “DMZ”, Network Site “DMZ_POD1”, VM Networks DMZ_POD1_SUBNET1, DMZ_POD1_SUBNET2 and DMZ_POD1_SUBNET3, as NX-OS CLI on the VSM (the slide elides the bodies of the first two objects; each VM Network gets its own VLAN and its own IP pool):

  logical-network DMZ
    …
  network-segment-pool DMZ_POD1
    …
  network-segment DMZ_POD1_SUBNET1
    switchport mode access
    switchport access vlan 20
    ip-pool DMZ_POD1_Pool1
    network-segment-pool DMZ_POD1
  network-segment DMZ_POD1_SUBNET2
    switchport mode access
    switchport access vlan 21
    ip-pool DMZ_POD1_Pool2
    network-segment-pool DMZ_POD1
  network-segment DMZ_POD1_SUBNET3
    switchport mode access
    switchport access vlan 22
    ip-pool DMZ_POD1_Pool3
    network-segment-pool DMZ_POD1
Network Segments and Port Profiles: Networks and Profiles Are Two Different Things
Different ports need different protection on the same network: one network, multiple profiles for access.
[Diagram: a single Intranet network segment carrying server, client and guest VMs, each class attached with a different port profile: Application Server, Privileged Client, Intranet Client, Guest Access]
Network Segments and Port Profiles (continued)
And many networks can share the same protection requirements: multiple networks use the same profiles.
[Diagram: Tenant A, Tenant B and Tenant C Intranet networks, each carrying server, client and guest VMs, all using the same four port profiles: Application Server, Privileged Client, Intranet Client, Guest Access]
Defining Port Profiles
Application network (VLAN 10) carrying application clients and application servers. On Hyper-V the VLAN is configured once on the network segment and the port profiles carry only policy; on vSphere each port profile carries both.

Cisco Nexus 1000V for Microsoft Hyper-V:
  network-segment application-network
    switchport mode access
    switchport access vlan 10
  port-profile application-client
    ip port access-group application-client in
    no shut
    state enabled
  port-profile application-server
    ip port access-group application-server in
    no shut
    state enabled

Cisco Nexus 1000V for VMware vSphere:
  port-profile application-client
    switchport mode access
    switchport access vlan 10
    ip port access-group application-client in
    no shut
    state enabled
  port-profile application-server
    switchport mode access
    switchport access vlan 10
    ip port access-group application-server in
    no shut
    state enabled
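The SCVMM-to-Nexus 1000V object mapping on the preceding slides and the CLI on the two slides above, as an added Python model written for this page (not Cisco's code). It renders the objects in the slide's CLI form after checking constraints that are assumptions taken from the slides: each IP pool is tied to exactly one VM Network, VLAN ids are unique within the deployment, and a Hyper-V port profile carries only policy and must reference an ACL that exists.

```python
from dataclasses import dataclass

@dataclass
class Segment:  # SCVMM "VM Network" == N1KV network-segment (VLAN-backed)
    name: str
    vlan: int
    ip_pool: str

@dataclass
class Site:  # SCVMM "Network Site" == N1KV network-segment-pool
    name: str
    segments: list

@dataclass
class PortProfile:  # policy only: on Hyper-V the VLAN lives on the segment
    name: str
    acl: str

def validate(sites, profiles, acls):
    """Consistency checks (assumed rules) worth running before pushing to the VSM."""
    vlan_owner, pool_owner = {}, {}
    for site in sites:
        for seg in site.segments:
            if not 1 <= seg.vlan <= 4094:
                raise ValueError(f"{seg.name}: VLAN {seg.vlan} out of range")
            if seg.vlan in vlan_owner:
                raise ValueError(f"{seg.name}: VLAN {seg.vlan} already used by {vlan_owner[seg.vlan]}")
            vlan_owner[seg.vlan] = seg.name
            if seg.ip_pool in pool_owner:  # an IP pool is tied to exactly one VM Network
                raise ValueError(f"{seg.name}: ip-pool {seg.ip_pool} already bound to {pool_owner[seg.ip_pool]}")
            pool_owner[seg.ip_pool] = seg.name
    for prof in profiles:
        if prof.acl not in acls:  # a profile naming an undefined ACL would enforce nothing
            raise ValueError(f"port-profile {prof.name}: ACL {prof.acl} is not defined")

def render(logical_network, sites, profiles, acls):
    """Emit the objects in the CLI form shown on the slides; raises on an inconsistent model."""
    validate(sites, profiles, acls)
    out = [f"logical-network {logical_network}"]
    for site in sites:
        out.append(f"network-segment-pool {site.name}")
        for seg in site.segments:
            out += [f"network-segment {seg.name}", "  switchport mode access",
                    f"  switchport access vlan {seg.vlan}", f"  ip-pool {seg.ip_pool}",
                    f"  network-segment-pool {site.name}"]
    for prof in profiles:
        out += [f"port-profile {prof.name}", f"  ip port access-group {prof.acl} in",
                "  no shut", "  state enabled"]
    return "\n".join(out)
```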
Cisco Nexus 1000V Operational Model
Network admin, on the Nexus 1000V VSM:
1. Creates networks and policies (logical networks, network sites, VM networks)
2. Networks and policies are synced to SCVMM
Server admin, in SCVMM:
3. Adds hosts to the N1KV
4. Connects VMs (VNICs) to VM Networks
5. Configuration data and policies are sent to the N1KV VEM on the WS 2012 Hyper-V server
SCVMM manages the placement and live migration of the VMs based on the constraints between VM Networks and Network Sites.
Cisco Nexus 1000V REST API Support
URI: http://<VSM-IP-address>/api/<object-locator>
* Objects can be VM Networks, port profiles, IP pools, etc.
Write/update operations are only supported on a limited set of objects.
Accessing Cisco Nexus 1000V from PowerShell

  # Set up the basic parameters required for API calls
  $User = "admin"
  $Password = ConvertTo-SecureString -String "Secret123" -AsPlainText -Force
  $VSMIPaddress = "10.105.228.108"
  # The slide uses plain http, so the credential crosses the network unencrypted: keep this to a management network
  $URI = "http://" + $VSMIPaddress + "/api/"
  $Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $User, $Password

  # Create IP-Pool information - HTTP POST
  $IPPURI = $URI + "hyper-v/ip-address-pool"
  $IPPArg = '{"name":"pool1", "addressRangeStart":"192.168.0.2", "addressRangeEnd":"192.168.0.16"}'
  ConvertFrom-Json -InputObject $IPPArg   # fails fast if the body is not valid JSON
  Invoke-RestMethod -Uri $IPPURI -Credential $Credential -Method Post -Body $IPPArg

  # Update IP-Pool information - HTTP POST
  $IPPURI = $URI + "hyper-v/ip-address-pool/pool1"
  $IPPArg = '{"addressRangeStart":"192.168.0.5", "addressRangeEnd":"192.168.0.20"}'
  ConvertFrom-Json -InputObject $IPPArg
  Invoke-RestMethod -Uri $IPPURI -Credential $Credential -Method Post -Body $IPPArg

  # Read VSEM information - HTTP GET ($URI already ends in /api/)
  $VersionURI = $URI + "hyper-v/vsem-system-info"
  Invoke-RestMethod -Uri $VersionURI -Credential $Credential -Method Get -OutFile testout.xml

  # Delete VM Network - HTTP DELETE
  $VMNURI = $URI + "hyper-v/vm-network-definition/vmn4"
  $VMNArg = '{"name":"VMN4"}'
  ConvertFrom-Json -InputObject $VMNArg
  Invoke-RestMethod -Uri $VMNURI -Credential $Credential -Method Delete -Body $VMNArg
Cisco Nexus 1000V SCOM Plugin from Jalasoft
• Xian SCOM plugin for Nexus 1000V
• Monitors various metrics:
  • Availability (ICMP and SNMP)
  • TCP connections
  • Uptime
  • Traffic: total, errors, etc.
  • Bandwidth
Cisco Nexus 1000V: Customer Benefits
Consistent network services
• Leverage existing virtual services: Virtual Security Gateway, virtual NAM, NAM on Nexus 1010
• Services can be hosted on the Nexus 1010
Consistent networking features
• NX-OS features across multiple hypervisors and across physical
• Advanced NX-OS switching features, including security, visibility, QoS, segmentation, port channelling, etc.
Consistent operational model
• NX-OS CLI across multiple hypervisors and across physical
• Separation of duties between network and server admins
• Dynamic provisioning and VM mobility awareness
• Leverage existing monitoring and management tools
Intelligent Traffic Steering with vPath
[Diagram: VMs on a Nexus 1000V Distributed Virtual Switch with vPath, alongside a Virtual Security Gateway (VSG)*]
1. Initial packet flow
2. Flow access control (policy evaluation) on the VSG
3. Decision caching in vPath
4. Log/audit
* First version only supports network attributes
Performance Acceleration with vPath
[Diagram: same topology, VMs on a Nexus 1000V Distributed Virtual Switch with vPath and a Virtual Security Gateway (VSG)*]
• ACL offloaded to the Nexus 1000V (policy enforcement)
• Remaining packets from the flow are handled on the Nexus 1000V
• Log/audit
* First version only supports network attributes
Beta Bundle on the N1KV Community Page
• Cisco Nexus 1000V software
  • Virtual Supervisor Module (VSM) ISO
  • Virtual Ethernet Module (VEM) MSI package
  • VSEM Provider MSI package
• Cisco Nexus 1000V Installer Application
• Beta test-cases document
• Feature documentation and videos
Cisco Nexus 1000V Installer Application
• Provide SCVMM credentials
• Provide host info for the primary and secondary VSM
Cisco Nexus 1000V Demo Topology
[Diagram: Contractor, Employee and Web Server VMs on two Win 2012 Hyper-V hosts, each with a Nexus 1000V VEM, plus a NAM, all under the Nexus 1000V VSM]
• Configure the port profiles so that web-server access is restricted:
  • Employee can access
  • Contractor is restricted
• NAM (or any other monitoring tool) can be configured to analyze the VM-to-VM traffic using ERSPAN on the N1KV.
Cisco Virtual Networking Solutions: Cisco Nexus 1000V and UCS VM-FEX
• Bring the network to the hypervisor (Cisco Nexus 1000V Switch)
• Bring VM awareness to the physical network (Cisco UCS VM-FEX)
Cisco UCS VM-FEX: Simplifying the Access Infrastructure
• Unify the virtual and physical network
• Same port profiles for various hypervisors and bare-metal servers
• Consistent functions, performance, management
[Diagram: the physical network above two servers; each hypervisor's VMs attach through VNICs to vEth ports in the physical network, which together form the virtual network]
Cisco UCS VM-FEX: Traffic Forwarding
• Removes performance dependencies from VM location
• Offloads software switching functionality from the host CPU
• More on this in upcoming slides
[Diagram: VM VNICs on two hypervisors mapped to vEth ports in the physical network]
UCS VM-FEX Modes of Operation: Emulated vs. Hypervisor Bypass
Hypervisor Bypass (High Performance Mode)
• Co-exists with standard mode
• Bypasses the hypervisor layer
• ~30% improvement in I/O performance
• Appears as a distributed virtual switch to the hypervisor
• Currently supported through SR-IOV with Hyper-V 2012
• Live Migration supported
Standard (Emulated) Mode
• Each VM gets a dedicated PCIe device
• ~12%–15% CPU performance improvement
• Appears as a distributed virtual switch to the hypervisor
• Live Migration supported
[Diagram: on Hyper-V 2012 hosts, dvNICs and SvNICs map to SR-IOV virtual functions (VF) and physical functions (PF) on the adapter, each presented as a vEth port]
VM-FEX Operational Model: Live Migration with Hypervisor Bypass
[Diagram: a VM on a Hyper-V 2012 host is live-migrated to a secondary Hyper-V 2012 host; its vNIC temporarily transitions from SR-IOV to standard I/O and its vEth follows, with a 1 sec silent period]
• Temporary transition from SR-IOV to standard I/O
• Live Migration to the secondary host
• 1 sec silent period
Test setup: VM sending a TCP stream (1500 MTU); UCS B200 M2 blades with a UCS VIC card