
Copenhagen
18 April 2013
Software Defined Networking (SDN) in the datacenter
Hans Donnerborg, [email protected]
CCIE #1486
© 2013 Cisco and/or its affiliates. All rights reserved.
Cisco Connect
“With SDN in the datacenter, the edge of the network has moved from something managed on a physical switch to a virtual device inside a server. For several years it has been possible to use a Nexus 1000V switch with VMware’s hypervisor. We now have support for Microsoft Hyper-V, and further hypervisors will follow over the coming period. Come and hear about the plans and which features are offered.”
What is Software Defined Networking?
Many Definitions
•  Openflow
•  Controller
•  Openstack
•  Overlays
•  Network virtualization
•  Automation
•  APIs
•  Application oriented
•  Virtual Services
•  Open vSwitch
•  …
Customer segments for programmable networks
•  Testing and experimenting with OpenFlow/SDN components for tomorrow’s production
•  Programmable APIs for insight into and control of network traffic
•  Automation and programmable overlay networks (OpenStack)
•  Consistent policy and consistent service delivery
•  Virtual workloads, VDI, management of security profiles
Cisco Open Network Environment
•  Overlay Virtual Networks: Nexus 1000V, OpenStack, Multi-Hypervisors, Security
•  Platform APIs: onePK (One Platform Kit), open API, development for the IOS, IOS-XR and NX-OS platforms
•  Controller/Agents: controller software for SDN development, OpenFlow Agent, Catalyst series (3K)
Cisco’s differentiation: Multi-layer Programmable
Application Developer Environment
Analysis and Monitoring, Performance and Security
Open Network Environment
OpenFlow/SDN
Network elements
Definitions
SDN: “…In SDN the control and data planes are decoupled. Network intelligence is logically centralized, and the network infrastructure is not visible to the applications…”
Source: www.opennetworking.org
OpenStack: open-source software used in public or private clouds, covering Compute, Network and Storage services.
Source: www.openstack.org
OpenFlow: “…an open standard that lets developers experiment with protocols in networks. Provides a standard approach without compromising the vendor’s operating system…”
Source: www.opennetworking.org
Overlay networks: established on top of existing infrastructure (physical and/or virtual) using network protocols.
OpenStack Core Projects
OpenStack Compute (Nova)
Software to provision virtual machines on commodity hardware at massive scale
OpenStack Object Storage (Swift)
Software to reliably store billions of objects distributed across commodity hardware
OpenStack Image Service (Glance)
Services for discovering, registering, and retrieving virtual machine images
OpenStack Core Projects
OpenStack Dashboard (Horizon)
A self-service web portal to allow administrators and users to manage OpenStack resources
OpenStack Identity (Keystone)
Provides “unified authentication” across all OpenStack projects and integrates with 3rd party authentication systems
OpenStack Network Service (Quantum)
Provides “network connectivity as a service” between devices managed by other OpenStack services
OpenStack APIs
Basic Quantum API Abstractions
Enables Multi Tier Network
Figure: an “External_Network” attached through a Router to “App_Network” and “DB_Network”; VM 1 (Host A) Web Server, VM 2 (Host A) Application, VM 3 (Host B) Database.
Physical | Virtual | Cloud Journey
PHYSICAL WORKLOAD
•  One app per Server
•  Static
•  Manual provisioning
VIRTUAL WORKLOAD
•  Many apps per Server
•  Mobile
•  Dynamic provisioning
CLOUD WORKLOAD
•  Multi-tenant per Server
•  Elastic
•  Automated Scaling
CONSISTENCY: Policy, Features, Security, Management, Separation of Duties
Switching: Nexus 7K/5K/3K/2K; Nexus 1000V, VM-FEX
Routing: ASR, ISR; Cloud Services Router (CSR 1000V)
Services: WAAS, ASA, NAM; vWAAS, VSG, ASA 1000V, vNAM*
Figure also shows the HYPERVISOR layer and VDC-1 / VDC-2.
Server Virtualization Issues
1. vMotion moves VMs across physical ports; the network policy must follow vMotion (across racks, PODs, DCs)
2. Must view or apply network/security policy to locally switched traffic
3. Need to maintain segregation of duties while ensuring non-disruptive operations
Figure: Port Group; Security Admin, Server Admin, Network Admin roles.
Where do we fit in that?
Cloud Portal and Orchestration: CIAC / OpenStack / Partners; System Center
Cloud Network Services (L4-7): WAAS, ASA 1000V, VSG, NAM, NetScaler, Partners; vPath
Virtual Network Infrastructure (L2-3): Nexus 1000V
Hypervisor: Hyper-V; Multiple (vSphere, KVM, Xen, open source)
Computing Platform, Physical Network, Storage Platform
Cisco Nexus 1000V for Hyper-V
Figure: on VMware vSphere, VMs on hosts with a Nexus 1000V VEM each, managed by VMware vCenter and a Nexus 1000V VSM; on WS 2012 Hyper-V, the same VEM/VSM layout managed by SCVMM 2012 SP1.
Consistent architecture, feature-set & network services ensure operational transparency across multiple hypervisors.
Cisco Nexus 1000V for Hyper-V
Operational Model with SCVMM
SCVMM manages the placement and live-migration of the VMs based on the constraints between VM networks and the network sites.
Figure: a Windows Server 2012 Hyper-V server runs the Nexus 1000V VEM; SCVMM adds hosts to N1KV and connects VMs (VNICs) to VM Networks; the Nexus 1000V VSM creates networks and policies (logical networks, network sites, VM networks), which are synced to SCVMM.
Cisco Nexus 1000V Architecture
Utilizes Hyper-V Extensible Switch Platform
• Extensions process all network traffic, including VM-to-VM on the same host
• Forwarding Extensions can Capture and Filter Traffic as well
• Nexus 1000V is a Forwarding Extension (alongside Capture Extensions and Filtering Extensions)
• Nexus 1000V will work with other 3rd party Capture and Filtering Extensions as well
• Live Migration and NIC Offloads continue to work even when the extensions are present
Microsoft SCVMM Networking Concepts
Logical Networks and Network Sites
Figure: one Logical Network spanning Network Sites in San Jose and Seattle, each Network Site containing a group of hosts.
•  A Logical Network represents a network with a certain type of connectivity characteristics (e.g. DMZ network, intranet, isolation)
•  An instantiation of a Logical Network on a set of host-groups (e.g. hosts in a POD) is called a Network Site
•  Network Sites can be defined based on physical network connectivity or based on isolating traffic to specific host-groups
Microsoft SCVMM Networking Concepts
Associating VNICs to VM Networks & Port-classifications
•  Choose network: VM Network (a VM Subnet is tied to the Network 1:1)
•  Choose IP address type (DHCP or statically assigned); choose an IP pool for static IPs
•  Choose Port Profile Classification: Policy (QoS, Security, Monitoring); a Classification refers to a Port Profile
Figure: DB Clients VMs and DB Servers VMs attached to the DB Network.
Current N1KV/ESX Version
  # port-profile db-client
    switchport mode access
    switchport access vlan 10
    ip port access-group dbclient in
    no shut
    state enabled
  # port-profile db-server
    switchport mode access
    switchport access vlan 10
    ip port access-group dbserver in
    no shut
    state enabled
N1KV/Hyper-V Version
  # network-segment db-network
    switchport mode access
    switchport access vlan 10
  # port-profile db-client
    ip port access-group dbclient in
    no shut
    state enabled
  # port-profile db-server
    ip port access-group dbserver in
    no shut
    state enabled
Network site “DMZ_POD1”
  # network-definition DMZ_POD1
  # network-segment DMZ_POD1_SUBNET1
    switchport mode access
    switchport access vlan 20
    ip-pool DMZ_POD1_Pool1
    network-definition DMZ_POD1
  # network-segment DMZ_POD1_SUBNET2
    switchport mode access
    switchport access vlan 21
    ip-pool DMZ_POD1_Pool2
    network-definition DMZ_POD1
  # network-segment DMZ_POD1_SUBNET3
    switchport mode access
    switchport access vlan 22
    ip-pool DMZ_POD1_Pool2
    network-definition DMZ_POD1
VM Networks: DMZ_POD1_SUBNET1, DMZ_POD1_SUBNET2, DMZ_POD1_SUBNET3
•  A Network Site is a grouping of VM Networks that are always available together on the same host simultaneously
•  A host uplink can be configured to carry one or more Network Sites
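As an added illustration (not from the slides or from Cisco), a small Python lint that parses port-profile and network-segment blocks written in the style shown above and reports a port-profile with no inbound port ACL or not enabled, or a network-segment with no access VLAN. The config text is a constructed sample modelled on the db-client/db-server snippets, with the db-server ACL line deliberately left out.

```python
import re

# Constructed sample in the N1KV/Hyper-V style shown on the slides;
# db-server deliberately lacks its "ip port access-group dbserver in" line.
SAMPLE_CONFIG = """\
# network-segment db-network
switchport mode access
switchport access vlan 10
# port-profile db-client
ip port access-group dbclient in
no shut
state enabled
# port-profile db-server
no shut
state enabled
"""

# A block starts with "port-profile <name>" or "network-segment <name>",
# optionally preceded by the "# " prompt marker used on the slides.
BLOCK_RE = re.compile(r"^(?:#\s*)?(port-profile|network-segment)\s+(\S+)$")
ACL_RE = re.compile(r"^ip port access-group \S+ in$")


def parse_blocks(text):
    """Return an ordered dict {(kind, name): [sub-command lines]}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = BLOCK_RE.match(line)
        if match:
            current = (match.group(1), match.group(2))
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def lint(text):
    """Report policy gaps per block; an empty list means nothing was found."""
    findings = []
    for (kind, name), lines in parse_blocks(text).items():
        if kind == "port-profile":
            if not any(ACL_RE.match(ln) for ln in lines):
                findings.append(f"port-profile {name}: no inbound port ACL")
            if "state enabled" not in lines:
                findings.append(f"port-profile {name}: not enabled")
        elif not any(ln.startswith("switchport access vlan ") for ln in lines):
            findings.append(f"network-segment {name}: no access VLAN")
    return findings
```

Running `lint(SAMPLE_CONFIG)` reports only the db-server profile, since the network-segment carries the VLAN and db-client carries its ACL.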
vPath and Cloud Network Services
Figure: vPath binding Port Profiles and Virtual Machine Attributes to cloud network services.
Cisco Nexus 1000V Pricing
Will be consistent across hypervisors
Advanced Edition
•  Cisco TrustSec SXP support
•  CISF: DHCP snooping, IP Source Guard,
ARP Inspection
•  VSG
Essential Edition
•  VLAN, ACL, QoS
•  VXLAN, vPath
•  LACP
•  Multicast
•  Netflow, ERSPAN
•  Management
•  vTracker
•  vCenter Plug-in
Cisco Nexus 1000V Architecture
vPath and VXLAN
Figure: virtual services (ASA 1000V, N1KV VSM, Cisco VSG, Cisco vWAAS, CSR1000V, Citrix VPX*, Imperva WAF*) attached to Nexus 1000V on the hypervisor across an Ethernet/IP network fabric.
* To be released in CY13
CSR Secure VPN Gateway
•  Integrating Enterprise & Cloud VPN policies
•  Backhaul to data center increases latency
•  Each cloud imposes different VPN type and scale limits
•  Common VPN Types: IPSec, DMVPN, EZVPN, FlexVPN
•  Routing based VPNs and private addressing
•  Firewall, ACLs, AAA
•  Direct, secure access. Avoids backhaul to data center.
•  Familiar, reliable, and scalable VPN
•  Compatible with existing management tools
Figure: Branch Locations (ISR) connect over the Internet to an ASR in the enterprise Data Center and to a CSR 1000V in the Cloud Provider Data Center; the cloud side shows a WAN Router, Distribution and ToR Switches, Servers and the CSR 1000V.
Cisco’s Virtual Security Portfolio
• Virtual ASA provides consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• Solution provides:
  •  Increased flexibility and operational efficiency via vPath (Nexus 1000V)
  •  Dynamic, context-aware, multi-tenant management via VNMC
Figure: VMware vCenter and Virtual Network Management Center (VNMC) above vSphere; Tenant A and Tenant B each hold VDCs and vApps protected by VSG, with ASA 1000V at the tenant edge and vPath on Nexus 1000V.
Overlays - VXLAN
Figure: VMs interconnected over a VXLAN overlay.
Nexus1000V InterCloud
Securely Extend Enterprise Environment into Provider Cloud
Cisco Cloud Lab - Hands On Training & Demos
•  Hands on labs available for Nexus 1000V and VSG in Cloud Lab: https://cloudlab.cisco.com
•  Open to all Cisco employees
•  Customers/Partners require sponsorship from account team for access via CCO LoginID
•  Extended duration lab licenses for 1000V and VSG are available upon request
Thank you.