Post on 22-Oct-2020
Cisco Public © 2012 Cisco and/or its affiliates. All rights reserved.
Cisco Expo 2012
HW virtualization and support for hypervisors from different vendors
René Raeber
Datacenter Architect
IEEE 802.1 DCB Architect
• Twitter www.twitter.com/CiscoCZ
• Talk2cisco www.talk2cisco.cz/dotazy
• SMS 721 994 600
• Introduction
• Architecture Evolution
• Implementation
• Security Capabilities
• Use Case Example
• Conclusion
Data Center Framework
[Figure: Unified Fabric spanning Primary Network and Secondary Network; Universal I/O; Ubiquitous Connectivity; Complexity, Cost, Power]
The Right Solution at the Right Time
[Figure: Legacy, Server = Resource (Inefficient, Complex, High Cost, Fragile) versus UCS, Server = Application (Efficient, Agile, Transformative); Management and Control, Primary Network, Secondary Network, SAN A, SAN B]
From ad hoc and inconsistent… to structured, but siloed, complicated and costly… to simple, optimized and automated.
[Figure: Complex, Inefficient, Inflexible, Costly. IT spend: 72% Maintain, 28% Invest]
1,240,036,374,697,152,065,225 bytes of data created since Jan 1 2010 (10^21, aka sextillion aka trilliard).
75,000,000,000 iPads
125,000,000 years
The Tipping Point
[Chart: Physical Hosts versus Virtual Machines, 2005 to 2013, y-axis 2,500,000 to 17,500,000; the VM Cross Over point where virtual machines outnumber physical hosts]
[Figure: Value 55%, Waste 45%]
IT impedes growth, or IT spends too much?
Deploy this much? But need this?
[Figure: Fixed Cost versus Variable Cost]
[Figure: SAN and LAN. Dynamic resource provisioning; Virtualization at scale]
[Figure: WAN / SP]
Management of Physical Elements
• Servers directly connected to access layer switches
• Very little virtualization
• Network configuration and policy enforcement for the server done at the switch
• All management primarily at the physical element level
Management Challenges, Policy Enforcement Issues
• Shift towards server virtualization
• Multiple VMs inside each physical server, connected by virtual switches
• Rapid proliferation of logical elements that need to be managed
• Feature parity issues between virtual and physical elements
• Separate management of physical and logical elements
[Figure: four physical servers, each hosting VMs with vNICs attached to a VSwitch]
Access layer switch lacks visibility into virtual network elements
• Switch lacks visibility into packets originated by vNICs
• Can’t tie packet back to VM, forcing reliance on the software switch for policy enforcement
• Leads to policy enforcement and network management issues
[Figure: four physical servers, each hosting VMs with vNICs attached to a VSwitch; Management Challenges, Policy Enforcement Issues]
VN-Link: Consolidated Management
• Virtual Interfaces within VMs are now visible to the switch
• Both network configuration and policy enforcement for these interfaces can now be driven from the switch
• This allows consolidated management of physical and virtual elements
• Consolidated management of physical and logical elements
[Figure: servers hosting VMs with vNICs, two of them still using a VSwitch and two attached directly to the switch]
VN-Link: Consolidated Policy Enforcement
• VN-Link allows the packets to be tagged
• Switch has full visibility into which vNIC originated the packet
• Allows switch to forward packets between both physical and virtual elements
• VN-Link capable adapters allow bypassing software based switches
• Full visibility into the virtual network elements from switch
[Figure: servers hosting VMs with vNICs, two of them still using a VSwitch and two attached directly to the switch]
Many Bridges !!
IEEE P802.1BR
• VEB (Virtual Embedded Bridge)
• VEPA (Virtual Ethernet Port Aggregator), IEEE 802.1Qbg Edge Virtual Bridging
• VBE (Virtual Bridge Port Extension), IEEE 802.1BR
Relevant IEEE Datacenter Standards:
• 802.1Qau Congestion Notification
• 802.1Qaz Enhanced Transmission Selection
• 802.1Qbb Priority based Flow Control
• 802.1Qbg Edge Virtual Bridging
• 802.1BR Virtual Bridge Port Extension
• 802.1aq Shortest Path Bridging
IEEE Bridge Port Extender = Cisco FEX (Fabric Extender)
• Identifies and isolates traffic between ports within an Extended Bridge
• Specifies a tag format for this identification
• Establishes an Extended Bridge consisting of a Controlling Bridge and one or more Bridge Port Extenders
• Specifies the functionality and the specific requirements of a Bridge Port Extender
• Extends the MAC service of a Bridge Port across the interconnected Bridge Port Extenders, including support of Customer Virtual Local Area Networks (C-VLANs)
• Establishes the requirements of bridge components and systems for the attachment of Bridge Port Extenders
• Specifies a protocol to provide for the configuration and monitoring of Bridge Port Extenders by a Controlling Bridge
• Establishes the requirements for Bridge Management to support Port Extension, identifying the managed objects and defining the management operations
The purpose of this standard is to extend a bridge, and the management of its objects, beyond its physical enclosure using 802 LAN technologies and interoperable interfaces.
[Figure: Micro & Macro Cosmos]
• Aggregating Port Extender: A Bridge Port Extender that supports the full E-CID space and is capable of aggregating base Port Extenders.
• Base Port Extender: A Bridge Port Extender that supports a subset of the E-CID space.
• Cascade Port: A Port of a Controlling Bridge or Bridge Port Extender which connects to an Upstream Port. In the case of the connection between two Bridge Port Extenders, the Cascade Port is the Port closest to the Controlling Bridge.
• Controlling Bridge: A Bridge that supports one or more Bridge Port Extenders.
• Extended Bridge: A Controlling Bridge and at least one Bridge Port Extender under the Controlling Bridge's control.
• Extended Port: A Port of a Bridge Port Extender that is not operating as a Cascade Port or Upstream Port. This includes the Ports of a Bridge Port Extender connected via internal LANs to the Port of a C-VLAN component within a Controlling Bridge.
• E-channel: An instance of the MAC service supported by a set of two E-paths forming a bidirectional service. An E-channel is point-to-point or point-to-multipoint.
• E-path: A configured unidirectional connectivity path between an internal Extended Port and one or more external Extended Ports and/or Upstream Ports. E-paths initiating from the Internal Bridge Port Extender can be point-to-point or point-to-multipoint. E-paths can be point-to-point or multipoint-to-point.
• E-channel Identifier (E-CID): A value conveyed in a E-TAG that identifies an E-channel.
• E-TAG: A tag header with a Tag Protocol Identification value allocated for “802.1BR E-Tag Type”.
• External Extended Port: An Extended Port that is part of an External Bridge Port Extender.
• External Bridge Port Extender: A Bridge Port Extender that is not physically part of a Controlling Bridge but is controlled by the Controlling Bridge.
• Internal Extended Port: An Extended Port that is part of an Internal Bridge Port Extender.
• Internal Bridge Port Extender: A Bridge Port Extender that is physically part of a Controlling Bridge.
• Bridge Port Extender: A device used to extend the MAC service of a C-VLAN component to form a Controlling Bridge and to extend the MAC service of a Controlling Bridge to form an Extended Bridge.
• Port Extender Control and Status Agent: The entity within a Bridge Port Extender that implements the Port Extender Control and Status Protocol.
• Port Extender Control and Status Protocol (PE CSP): A protocol used between a Controlling Bridge and Bridge Port Extenders that provides the ability of the Controlling Bridge to assert control over and retrieve status information from its associated Bridge Port Extenders.
• Replication Group: Within a Controlling Bridge, the set of C-VLAN component Ports connected to a single Bridge Port Extender.
• Upstream Port: A Port on a Bridge Port Extender that connects to a Cascade Port. In the case of the connection between two Bridge Port Extenders, the Upstream Port is the Port furthest from the Controlling Bridge.
• E-CID E-Channel Identifier
• PCID Port E-CID
• PE CSP Port Extender Control and Status Protocol
• PEISS Port Extender Internal Sublayer Service
A simple two-port Bridge that is capable of acting as a Controlling Bridge
Attachment of a physical Bridge Port Extender to the top port of the two-port Bridge. At this point, the Bridge and the Bridge Port Extender execute LLDP. The Bridge learns that a Bridge Port Extender is directly attached when it receives the Port Extension TLV from the Bridge Port Extender.
Upon detection of the directly attached Bridge Port Extender, the Controlling Bridge instantiates an Internal Bridge Port Extender between the C-VLAN component and the External Bridge Port Extender. An E-channel is established for communication between the Bridge Port Extender and the C-VLAN component. The E-channel used for communication between the C-VLAN component and the Bridge Port Extender is identified as E-channel “a” in this example.
Next both the C-VLAN component and the Bridge Port Extender initiate communication with each other using the Bridge Port Extender Control and Status Protocol (PE CSP). This is accomplished using the CSP Open message. Note that prior to completion of the CSP Open message, the Bridge Port Extender does not know the E-CID of the E-channel to be used for this communication. It therefore uses a default E-CID of one. Since the E-channel is not tagged, the communication is established even though the Controlling Bridge and the Bridge Port Extender are using a different E-CID. After completion of the CSP Open, the Controlling Bridge informs the Bridge Port Extender of the proper E-CID, which is “a” in this example, using the E-channel Register message.
The Extended Ports have not been instantiated. Extended Ports are not necessarily instantiated at the same time the Bridge Port Extender itself is instantiated. For example, the Extended Ports may be instantiated coincident with the instantiation of virtual machines.
The instantiation of the virtual machines and the corresponding Extended Ports. When the Extended Ports are instantiated, the new Bridge Port Extender informs the Controlling Bridge by issuing an Extended Port create message for each Extended Port. The Controlling Bridge allocates a Port on the C-VLAN component and an E-channel for each new Extended Port and informs the new Bridge Port Extender of the E-CID for these E-channels. E-CIDs “d” and “e” are established in this example. In addition, the Controlling Bridge issues E-channel Register messages to the first Bridge Port Extender to establish the new E-channels through the first Bridge Port Extender. At this point, the virtual machines have connectivity to the network.
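The bring-up sequence described above, modelled as an added example that is not Cisco or IEEE code: a Controlling Bridge, a directly attached Bridge Port Extender and a second one cascaded behind it exchange the LLDP Port Extension TLV, CSP Open on the default E-CID, E-channel Register and Extended Port create messages. Message field names, the numeric E-CID values and the dropping of control frames tagged with a stale E-CID are assumptions of this model.

```python
"""Model of the 802.1BR bring-up sequence described above (LLDP Port Extension
TLV, CSP Open on the default E-CID, E-channel Register, Extended Port create).
Constructed illustration, not Cisco/IEEE code; fields and E-CIDs are assumed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

DEFAULT_ECID = 1   # E-CID a PE uses before CSP Open has completed


@dataclass
class Msg:
    kind: str              # e.g. "CSP_OPEN", "ECHANNEL_REGISTER"
    ecid: Optional[int]    # E-CID in the E-TAG; None = untagged
    body: dict = field(default_factory=dict)


class BridgePortExtender:
    def __init__(self, name: str) -> None:
        self.name, self.opened = name, False
        self.control_ecid = DEFAULT_ECID                 # E-channel for PE CSP
        self.ext_ports: Dict[int, Optional[int]] = {}    # Extended Port -> E-CID
        self.registered: Set[int] = set()                # E-channels forwarded

    def lldp(self) -> Msg:
        return Msg("LLDP", None, {"tlv": "Port Extension", "pe": self.name})

    def csp_open(self) -> Msg:   # untagged: the PE assumes E-CID 1 for now
        return Msg("CSP_OPEN", None, {"pe": self.name, "ecid": self.control_ecid})

    def ext_port_create(self, port: int) -> Msg:   # a VM was just instantiated
        self.ext_ports[port] = None
        return Msg("EXT_PORT_CREATE", self.control_ecid, {"pe": self.name, "port": port})

    def handle(self, m: Msg) -> None:
        if m.kind == "CSP_OPEN_ACK":
            self.opened = True
        elif m.kind == "ECHANNEL_REGISTER":
            self.registered.add(m.body["ecid"])
            if m.body["control"]:            # CB announces the proper E-CID
                self.control_ecid = m.body["ecid"]
        elif m.kind == "EXT_PORT_CREATE_ACK":
            self.ext_ports[m.body["port"]] = m.body["ecid"]


class ControllingBridge:
    def __init__(self) -> None:
        self.next_ecid = DEFAULT_ECID + 1
        self.pes: Dict[str, BridgePortExtender] = {}
        self.control: Dict[str, int] = {}               # PE -> control E-CID
        self.upstream: Dict[str, Optional[str]] = {}    # PE -> PE it cascades through
        self.cvlan_ports: Dict[int, Tuple[str, int]] = {}  # C-VLAN port -> (PE, port)
        self.log: List[str] = []

    def _alloc(self) -> int:
        self.next_ecid += 1
        return self.next_ecid - 1

    def _register(self, pe: str, ecid: int, control: bool = False) -> None:
        hop: Optional[str] = pe   # register on the PE and on every PE in between
        while hop is not None:
            self.pes[hop].handle(Msg("ECHANNEL_REGISTER", None,
                                     {"ecid": ecid, "control": control and hop == pe}))
            hop = self.upstream[hop]

    def attach(self, pe: BridgePortExtender, via: Optional[str] = None) -> None:
        if pe.lldp().body.get("tlv") != "Port Extension":   # LLDP discovery
            raise ValueError(f"{pe.name}: no Port Extension TLV")
        self.pes[pe.name], self.upstream[pe.name] = pe, via
        self.control[pe.name] = self._alloc()   # Internal PE + control E-channel
        self.log.append(f"{pe.name}: Internal PE instantiated, E-CID {self.control[pe.name]}")

    def receive(self, m: Msg) -> None:
        pe = m.body["pe"]
        if m.kind == "CSP_OPEN":   # untagged, so the E-CID mismatch does not matter
            self.pes[pe].handle(Msg("CSP_OPEN_ACK", None))
            self._register(pe, self.control[pe], control=True)
        elif m.ecid != self.control[pe]:   # tagged control traffic on a wrong E-CID
            self.log.append(f"{pe}: dropped {m.kind} on E-CID {m.ecid}")
        elif m.kind == "EXT_PORT_CREATE":
            port_ecid, cport = self._alloc(), len(self.cvlan_ports) + 1
            self.cvlan_ports[cport] = (pe, m.body["port"])
            self._register(pe, port_ecid)   # also through the first PE in the cascade
            self.pes[pe].handle(Msg("EXT_PORT_CREATE_ACK", self.control[pe],
                                    {"port": m.body["port"], "ecid": port_ecid}))


def bring_up() -> dict:
    """CB with PE1 attached directly, PE2 cascaded behind it, two VMs on PE2."""
    cb, pe1, pe2 = ControllingBridge(), BridgePortExtender("PE1"), BridgePortExtender("PE2")
    cb.attach(pe1)
    cb.receive(pe1.csp_open())
    cb.attach(pe2, via="PE1")
    cb.receive(pe2.csp_open())
    for port in (1, 2):                      # Extended Ports for two new VMs
        cb.receive(pe2.ext_port_create(port))
    # A create still tagged with the default E-CID after registration is dropped.
    cb.receive(Msg("EXT_PORT_CREATE", DEFAULT_ECID, {"pe": "PE2", "port": 3}))
    return {"pe2_control": pe2.control_ecid, "pe2_ports": dict(pe2.ext_ports),
            "pe1_registered": sorted(pe1.registered),
            "cvlan_ports": dict(cb.cvlan_ports), "log": cb.log}
```

The returned dictionary shows the first PE carrying every E-channel of the cascaded PE, which is the state the E-channel Register messages to the first Bridge Port Extender establish.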
[Figure: Server with Hypervisor and VMs on an NIV Capable Adapter (vNIC 1 to 5), an 802.1BR Port Extender with PE Tag, a FEX (Nexus 2K) and a Nexus 5K switch; Eth Port Extension 802.1BR]
IEEE-802.1BR Bridge Port Extender = Cisco FEX (Fabric Extender)
• VEB (Virtual Embedded Bridge)
• VEPA (Virtual Ethernet Port Aggregator), IEEE-802.1Qbg
• PE (Virtual Bridge Port Extension), IEEE-802.1BR
Other Datacenter Standards:
• IEEE-802.1Qau Congestion Notification
• IEEE-802.1Qaz Enhanced Transmission Selection
• IEEE-802.1Qbb Priority based Flow Control
• IEEE-802.1Qbg Edge Virtual Bridging
• IEEE-802.1BR Virtual Bridge Port Extension
• IEEE-802.3bd MAC Control Frame for Priority based Flow Control
• …
Comparison to a Physical Switch
[Figure: Modular Switch with Supervisor-1, Supervisor-2 and Linecard-1, Linecard-2 … Linecard-N connected over a Back Plane; Server 1, Server 2, Server 3]
Moving to a Virtual Environment
[Figure: the same Modular Switch (Supervisors, Linecards, Back Plane) next to three ESX hosts]
Supervisors become Virtual Supervisor Modules (VSMs)
[Figure: VSM1 and VSM2 run as a Virtual Appliance alongside three ESX hosts]
Linecards become Virtual Ethernet Modules (VEMs)
[Figure: VEM-1, VEM-2 … VEM-N on the ESX hosts; VSM1 and VSM2 as a Virtual Appliance]
VSM + VEMs = Nexus 1000V Virtual Chassis
VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
• 64 VEMs per 1000V (connected by L2 or L3)
• 200+ vEth ports per VEM
• 2K vEths per 1000V
• Multiple 1000Vs can be created per vCenter
[Figure: VSM1 and VSM2 as a Virtual Appliance connected to VEM-1, VEM-2 … VEM-N on ESX hosts in L2 Mode or L3 Mode]
Customer Request: Host VSMs on a Physical Appliance
[Figure: VSM1 and VSM2 as a Virtual Appliance connected to VEM-1, VEM-2 … VEM-N on ESX hosts in L2 Mode or L3 Mode; Physical Appliance?]
VSMs hosted on a Physical Appliance: Nexus 1010
• Up to 4 VSMs per Nexus 1010
• Nexus 1010s deployed in redundant pair
[Figure: Nexus 1010 pair hosting VSM-A1 to VSM-A4 and VSM-B1 to VSM-B4, connected to VEM-1, VEM-2 … VEM-N on ESX hosts in L2 Mode or L3 Mode]
vPath – Virtual Service Datapath
• vPath: Virtual Service Datapath; Traffic Steering; Fast-Path Offload; Nexus 1000V ver 1.4 & above
• VSG: Virtual Security Gateway for 1000V
• vWAAS: Virtual WAAS
VSG and vWAAS available now
[Figure: VSM as a Virtual Appliance; VEM-1 and VEM-2 with vPath on ESX hosts in L2 Mode or L3 Mode; vWAAS and VSG service nodes]
Virtual Appliance on Nexus 1010
[Figure: Nexus 1010 pair hosting VSM-A1 to VSM-A4, VSM-B1 to VSM-B4 and NAM; VEM-1 and VEM-2 with vPath on ESX hosts in L2 Mode or L3 Mode; vWAAS and VSG service nodes]
*VSG on 1010 target: 2Q CY11
VMware vSphere 5.0, Intel® TXT* and AES New Instructions in Intel® Xeon® processors Make Multi-Tenancy More Secure
• Isolate: Intel® Virtualisation and Intel® Trusted Execution Technology (Intel® TXT) work together to better isolate VMs
• Measure: Intel® TXT measures vSphere 5.0 for launch protection
• Encrypt: Intel® AES New Instructions in Intel® Xeon® processors quickly encrypt data in flight and at rest
*Intel® TXT available on Cisco UCS M3 Servers
Wire Once Architecture: Policy-Driven Bandwidth Allocation, Virtual Interface Granularity, I/O On-Demand via Service Profile
[Figure: 2x 1 Link = 20 Gbps per Chassis; 2x 2 Links = 40 Gbps per Chassis; 2x 4 Links = 80 Gbps per Chassis; 2x 8 Links = 160 Gbps per Chassis]
• QoS controls for tuning Storage & Network flows—Platinum, Gold, Silver, Bronze, best effort, FC QoS Classes
• Multi-cast optimizations
• Bandwidth controls
• Lossless Ethernet—drop/no drop
• Burst size controls
Platinum Pool: 50% Bandwidth, Lossless Ethernet NFS, max burst 64K
Silver Pool: 30% Bandwidth, FC with max burst 32K
Bronze Pool: 20% Bandwidth, FC with max burst of 16K
[Figure: UCS Server Blade running VMware vSphere with a Cisco VIC, FEX 2200 and FI 6200; VMs assigned to the Platinum, Silver and Bronze Pools]
• Up to 67% reduction in application latency
• Near linear, deterministic application delivery with scale
• Up to 50% increase in application performance
Virtual Security Gateway (VSG)
[Figure: Server Zones (Records Database, Application, Portal) and HVD Zones (Assistant, IT Admin, Doctor, Guest) connected through the Network, with the VSG enforcing policy between zones]
[Figure: VM groups for Training Servers, Database Servers, DMZ Servers, Exchange Servers, R&D Servers and Application Servers]
If vm-name contains “TRNG”, that VM belongs to TRNG zone

Source      Destination  Protocol  Action
Zone=TRNG   Zone=TRNG    Any       Permit
Any         Zone=TRNG    Any       Permit
Zone=TRNG   Any          Any       Drop
Web-Zone, Application-Zone, Database-Zone
[Figure: Web Client to Web Server (Web-Zone) to App Server (Application-Zone) to DB Server (Database-Zone)]
• Permit only port 80 (HTTP) of Web Servers
• Only permit Web Servers access to Application Servers
• Permit only port 22 (SSH) to Application Servers
• Only permit Application Servers access to Database Servers
• Block all external access to Database Servers
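The two VSG zone policies above (the TRNG zone derived from the vm-name with its ordered rules, and the three-tier Web, Application and Database zones), as an added example that is not VSG's own code or rule syntax: zone membership is computed from VM attributes, a host absent from the inventory (an external client) belongs to no zone, and rules are evaluated first-match, so reversing the TRNG rule order changes the verdict for intra-zone traffic. The VM names, IP addresses and rule field names are constructed.

```python
"""First-match, zone-based policy evaluation in the style of the VSG examples.
Constructed illustration; zone attributes, rule fields and sample data are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Set


@dataclass(frozen=True)
class VM:
    name: str
    ip: str


@dataclass(frozen=True)
class Rule:
    src: Optional[str]      # source zone, None = Any
    dst: Optional[str]      # destination zone, None = Any
    port: Optional[int]     # destination port, None = Any protocol/port
    action: str             # "permit" or "drop"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    port: int


class ZonePolicy:
    """Ordered rules over zones whose membership is computed from VM attributes."""

    def __init__(self, zones: Dict[str, Callable[[VM], bool]],
                 rules: List[Rule], default: str = "drop") -> None:
        self.zones, self.rules, self.default = zones, rules, default

    def zones_of(self, vm: Optional[VM]) -> Set[str]:
        if vm is None:          # not in the inventory, e.g. an external client
            return set()
        return {z for z, member in self.zones.items() if member(vm)}

    def evaluate(self, inventory: Dict[str, VM], flow: Flow) -> str:
        src = self.zones_of(inventory.get(flow.src_ip))
        dst = self.zones_of(inventory.get(flow.dst_ip))
        for r in self.rules:    # first matching rule decides
            if ((r.src is None or r.src in src) and (r.dst is None or r.dst in dst)
                    and (r.port is None or r.port == flow.port)):
                return r.action
        return self.default


# Constructed inventory: zone membership follows from the vm-name, as on the slides.
INVENTORY = {vm.ip: vm for vm in [
    VM("TRNG-01", "10.0.1.11"), VM("TRNG-02", "10.0.1.12"),
    VM("WebServer-1", "10.0.2.10"), VM("AppServer-1", "10.0.3.10"),
    VM("DBServer-1", "10.0.4.10"),
]}

# "If vm-name contains TRNG, that VM belongs to TRNG zone" plus the three rules.
TRNG_RULES = [
    Rule("TRNG", "TRNG", None, "permit"),
    Rule(None, "TRNG", None, "permit"),
    Rule("TRNG", None, None, "drop"),
]
TRNG_POLICY = ZonePolicy({"TRNG": lambda vm: "TRNG" in vm.name}, TRNG_RULES)

# Three-tier Web / Application / Database zones.
TIER_POLICY = ZonePolicy(
    {"Web": lambda vm: vm.name.startswith("WebServer"),
     "Application": lambda vm: vm.name.startswith("AppServer"),
     "Database": lambda vm: vm.name.startswith("DBServer")},
    [Rule(None, "Web", 80, "permit"),                 # only port 80 of web servers
     Rule("Web", "Application", 22, "permit"),        # only web servers, only SSH
     Rule("Application", "Database", None, "permit"), # only app servers reach the DB
     Rule(None, "Database", None, "drop")],           # block all other access to DBs
)


def decide(policy: ZonePolicy, src_ip: str, dst_ip: str, port: int) -> str:
    return policy.evaluate(INVENTORY, Flow(src_ip, dst_ip, port))
```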
• Twitter www.twitter.com/CiscoCZ
• Talk2Cisco www.talk2cisco.cz/dotazy
• SMS 721 994 600
• We invite you to “Ptali jste se…” (“You asked…”) in hall LEO: day 1 17:45 – 18:30, day 2 16:30 – 17:00
Please rate this talk.
Talk code