Copenhagen, 18 April 2013
Software Defined Networking (SDN) in the data center
Hans Donnerborg, [email protected], CCIE #1486
© 2013 Cisco and/or its affiliates. All rights reserved. Cisco Connect

Abstract
“With SDN in the data center, the edge of the network has moved from something managed on a physical switch to a virtual device inside a server. For several years it has been possible to use a Nexus 1000V switch with VMware’s hypervisor. We now support Microsoft Hyper-V, and further hypervisors will follow over the coming period. Come and hear about the plans and which features are offered.”

What is Software Defined Networking? Many definitions
• OpenFlow
• Controller
• OpenStack
• Overlays
• Network virtualization
• Automation
• APIs
• Application oriented
• Virtual services
• Open vSwitch
• …

Customer segments for programmable networks
• Testing and experimentation with OpenFlow/SDN components for tomorrow’s production
• Programmable APIs for insight into and control of network traffic
• Automation and programmable overlay networks (OpenStack)
• Consistent policy and consistent service delivery: virtual workloads, VDI, management of security profiles

Cisco Open Network Environment
• Overlay virtual networks: Nexus 1000V, multi-hypervisor, security
• Platform APIs: onePK (One Platform Kit), open API development for the IOS, IOS-XR and NX-OS platforms
• Controller/agents: controller software for SDN development, OpenFlow agent for the Catalyst series (3K), OpenStack

Cisco’s differentiation: multi-layer programmability
• Application developer environment
• Analysis and monitoring, performance and security
• Open Network Environment
• OpenFlow/SDN
• Network elements
Definitions
• SDN: “…In SDN, the control and data planes are decoupled. Network intelligence is logically centralised, and the network infrastructure is not visible to the applications…” Source: www.opennetworking.org
• OpenFlow: “…an open standard for developers to experiment with protocols in networks. It provides a standard approach without compromising the vendor’s operating system…” Source: www.opennetworking.org
• OpenStack: open-source software used in public or private clouds, covering compute, network and storage services. Source: www.openstack.org
• Overlays: overlay networks are built on top of existing infrastructure (physical and/or virtual) using network protocols.

OpenStack Core Projects
• OpenStack Compute (Nova): software to provision virtual machines on commodity hardware at massive scale
• OpenStack Object Storage (Swift): software to reliably store billions of objects distributed across commodity hardware
• OpenStack Image Service (Glance): services for discovering, registering, and retrieving virtual machine images
• OpenStack Dashboard (Horizon): a self-service web portal that allows administrators and users to manage OpenStack resources
• OpenStack Identity (Keystone): provides “unified authentication” across all OpenStack projects and integrates with 3rd-party authentication systems
• OpenStack Network Service (Quantum): provides “network connectivity as a service” between devices managed by other OpenStack services

OpenStack APIs: basic Quantum API abstractions enable a multi-tier network
• Networks: “External_Network”, “App_Network” and “DB_Network”, connected through a Router
• VMs: VM 1 (Host A) web server, VM 2 (Host A) application, VM 3 (Host B) database
Physical | Virtual | Cloud Journey
• Physical workload: one app per server, static, manual provisioning
• Virtual workload: many apps per server, mobile, dynamic provisioning
• Cloud workload: multi-tenant per server, elastic, automated scaling
Consistency across all three: policy, features, security, management, separation of duties
• Switching: Nexus 7K/5K/3K/2K (physical); Nexus 1000V, VM-FEX (virtual, per VDC/hypervisor)
• Routing: ASR, ISR (physical); Cloud Services Router (CSR 1000V) (virtual)
• Services: WAAS, ASA, NAM (physical); vWAAS, VSG, ASA 1000V, vNAM* (virtual)

Server Virtualization Issues
1. vMotion moves VMs across physical ports: the network policy must follow vMotion (across racks, PODs, DCs)
2. Must be able to view or apply network/security policy to locally switched traffic (port group security admin)
3. Need to maintain segregation of duties (server admin vs. network admin) while ensuring non-disruptive operations

Where do we fit in that?
• Cloud portal and orchestration: CIAC / OpenStack / partners, System Center
• Cloud network services (L4-7): WAAS, ASA 1000V, VSG, NAM, NetScaler, partners; vPath
• Virtual network infrastructure (L2-3): Nexus 1000V
• Hypervisor: Hyper-V; multiple (vSphere, KVM, Xen, open source)
• Computing platform, physical network, storage platform

Cisco Nexus 1000V for Hyper-V
• VMware vSphere: the VMs on each host attach to a Nexus 1000V VEM; the Nexus 1000V VSM works together with VMware vCenter
• Windows Server 2012 Hyper-V: the VMs on each host attach to a Nexus 1000V VEM; the Nexus 1000V VSM works together with SCVMM 2012 SP1
• A consistent architecture, feature set and network services ensure operational transparency across multiple hypervisors

Cisco Nexus 1000V for Hyper-V: operational model with SCVMM
• SCVMM manages the placement and live migration of the VMs based on the constraints between VM networks and the network sites
• SCVMM adds hosts to the N1KV and connects VMs (VNICs) to VM networks
• Networks and policies defined on the Nexus 1000V VSM are synced to SCVMM
• On the VSM, create networks and policies (logical networks, network sites, VM networks)

Cisco Nexus 1000V Architecture: utilizes the Hyper-V Extensible Switch platform
• Extensions process all network traffic, including VM-to-VM traffic on the same host
• Forwarding extensions can capture and filter traffic as well (capture extension, filtering extension)
• Nexus 1000V is a forwarding extension
• Nexus 1000V will work with other 3rd-party capture and filtering extensions as well
• Live migration and NIC offloads continue to work even when the extensions are present

Microsoft SCVMM networking concepts: logical networks and network sites
• A logical network represents a network with certain connectivity characteristics (e.g. DMZ network, intranet, isolation)
• An instantiation of a logical network on a set of host groups (e.g. the hosts in a POD) is called a network site
• Network sites can be defined based on physical network connectivity or based on isolating traffic to specific host groups
• Diagram: one logical network spanning a San Jose network site and two Seattle network sites, each containing several hosts

Microsoft SCVMM networking concepts: associating VNICs to VM networks and port classifications
• Choose the VM network (a VM subnet is tied to the network 1:1)
• Choose the IP address type (DHCP or statically assigned) and, for static IPs, the IP pool
• Choose the port profile classification, i.e. the policy (QoS, security, monitoring); a classification refers to a port profile

Example: DB clients and DB servers on a shared DB network

Current N1KV/ESX version:

  port-profile db-client
    switchport mode access
    switchport access vlan 10
    ip port access-group dbclient in
    no shut
    state enabled
  port-profile db-server
    switchport mode access
    switchport access vlan 10
    ip port access-group dbserver in
    no shut
    state enabled

N1KV/Hyper-V version (the VLAN moves from the port profile to the network segment; the port profile keeps the policy):

  network-segment db-network
    switchport mode access
    switchport access vlan 10
  port-profile db-client
    ip port access-group dbclient in
    no shut
    state enabled
  port-profile db-server
    ip port access-group dbserver in
    no shut
    state enabled

Network site “DMZ_POD1”

  network-definition DMZ_POD1
  network-segment DMZ_POD1_SUBNET1
    switchport mode access
    switchport access vlan 20
    ip-pool DMZ_POD1_Pool1
    network-definition DMZ_POD1
  network-segment DMZ_POD1_SUBNET2
    switchport mode access
    switchport access vlan 21
    ip-pool DMZ_POD1_Pool2
    network-definition DMZ_POD1
  network-segment DMZ_POD1_SUBNET3
    switchport mode access
    switchport access vlan 22
    ip-pool DMZ_POD1_Pool2
    network-definition DMZ_POD1

• These three segments appear in SCVMM as the VM networks DMZ_POD1_SUBNET1, DMZ_POD1_SUBNET2 and DMZ_POD1_SUBNET3 under the network site “DMZ_POD1”
• A network site is a grouping of VM networks that are always available together on the same host simultaneously
• A host uplink can be configured to carry one or more network sites

vPath and Cloud Network Services
• vPath steers traffic to the cloud network services based on port profiles and virtual machine attributes

Cisco Nexus 1000V Pricing: will be consistent across hypervisors
• Essential Edition: VLAN, ACL, QoS; VXLAN, vPath; LACP; multicast; NetFlow, ERSPAN; management: vTracker, vCenter plug-in
• Advanced Edition (Essential Edition plus): Cisco TrustSec SXP support; CISF: DHCP snooping, IP Source Guard, ARP Inspection; VSG

Cisco Nexus 1000V Architecture: vPath and VXLAN
• Virtual services on the Nexus 1000V / hypervisor: ASA 1000V, N1KV VSM, Cisco VSG, Cisco vWAAS, CSR 1000V, Citrix VPX*, Imperva WAF*
• Ethernet/IP network fabric underneath
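As an added example (not Cisco’s code or the presentation’s), a small Python audit of the Hyper-V style fragment above: it parses the network-segment / port-profile blocks and flags any port profile that lacks an ingress port ACL or is not enabled, the check a network admin wants before a classification is handed to the server admin in SCVMM. The profile name mgmt-open in the sample is constructed for the demonstration.

```python
# Added example, not Cisco's or the presentation's code: audit a Nexus 1000V
# (Hyper-V style) config fragment and flag port-profiles that lack an
# ingress port ACL or are not enabled.
import re
from collections import defaultdict

# Constructed sample: the slide's db-client/db-server fragment plus one
# made-up profile "mgmt-open" (no ACL, not enabled) for the audit to catch.
SAMPLE_CONFIG = """\
network-segment db-network
  switchport mode access
  switchport access vlan 10
port-profile db-client
  ip port access-group dbclient in
  no shut
  state enabled
port-profile db-server
  ip port access-group dbserver in
  no shut
  state enabled
port-profile mgmt-open
  no shut
"""
BLOCK_RE = re.compile(r"^(network-segment|port-profile|network-definition) (\S+)$")

def parse_config(text):
    """Return {kind: {name: [sub-commands]}}; an indented line belongs to
    the block opened by the last unindented line."""
    blocks, current = defaultdict(dict), None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        m = BLOCK_RE.match(raw)
        if m:                       # unindented line opens a new block
            current = blocks[m.group(1)].setdefault(m.group(2), [])
        elif current is not None:   # indented line is a sub-command
            current.append(raw.strip())
    return blocks

def audit_port_profiles(blocks):
    """Sorted (profile, problem) pairs: missing 'ip port access-group ... in'
    or missing 'state enabled' (profile exists but is not active)."""
    findings = []
    for name, cmds in blocks["port-profile"].items():
        if not any(c.startswith("ip port access-group") and c.endswith(" in")
                   for c in cmds):
            findings.append((name, "no ingress port ACL"))
        if "state enabled" not in cmds:
            findings.append((name, "not enabled"))
    return sorted(findings)
```

Run audit_port_profiles(parse_config(SAMPLE_CONFIG)) to list the profiles that need attention; on the sample only mgmt-open is reported.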
* To be released in CY13

CSR Secure VPN Gateway: integrating enterprise and cloud VPN policies
• Diagram: branch locations (ISR) connect over the Internet to the enterprise data center (ASR) and to the cloud provider data center (CSR 1000V)
• Backhaul to the data center increases latency, and each cloud imposes different VPN types and scale limits
• Common VPN types: IPsec, DMVPN, EZVPN, FlexVPN
• Enterprise data center building blocks: servers, WAN router (routing-based VPNs and private addressing), distribution and ToR switches, firewall, ACLs, AAA
• CSR 1000V: direct, secure access that avoids backhaul to the data center; familiar, reliable and scalable VPN; compatible with existing management tools

Cisco’s Virtual Security Portfolio
• Virtual ASA (ASA 1000V) provides a consistent ASA feature set to secure the tenant edge
• VSG complements the virtual ASA to secure intra-tenant VM-to-VM traffic (per tenant, VDC and vApp)
• The solution increases flexibility and operational efficiency via vPath (Nexus 1000V) and provides dynamic, context-aware, multi-tenant management via the Virtual Network Management Center (VNMC), alongside VMware vCenter and vSphere

Overlays: VXLAN (VMs on Nexus 1000V)

InterCloud: securely extend the enterprise environment into the provider cloud

Cisco Cloud Lab: hands-on training and demos
• Hands-on labs are available for Nexus 1000V and VSG in the Cloud Lab, https://cloudlab.cisco.com
• Open to all Cisco employees
• Customers/partners require sponsorship from their account team for access via CCO login ID
• Extended-duration lab licenses for 1000V and VSG are available upon request

Thank you.