Cisco Nexus 3000-Deploying

Deploying Virtual services in Vpath service chain with cisco nexus 3000

Uploaded by

sami abdalla

Deploying virtual services in vPath service chain with Cisco Nexus 1000V

LTRVIR-2963

Sonali Kalje
Jazib Frahim
Larry Edie
Agenda

• Application requirements in virtualized DC
• The Anatomy of Nexus 1000V
• Virtual Services with vPath
• Prime NSC
• vPath Service Chaining
• Summary
LTRVIR-2963 © 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Application Trends

• Multitenancy
• Agility
• Mobility
• Visibility
• Programmability
Server Virtualization Issues

1. vMotion moves VMs across physical ports; the network policy must follow vMotion.
2. Must view or apply network/security policy to locally switched traffic.
3. Need to maintain separation of duties while ensuring non-disruptive operations.

[Figure: VMs in a Port Group on a hypervisor host, with Server Admin, Security Admin and Network Admin roles]
Application Requirements for Network Services

• Current generation network capabilities are driven by physical network topology. For example, if the firewall is plugged into the Internet connection and then the load balancer into the firewall, the path of traffic must always flow in that order.
• Application-driven requirements that change the relationship (load balancing, then firewall) cannot be supported without physically changing the layout of the network.

[Figure: physical service path: Router/Switch, Firewall, Load Balancer, Proxy Server, Core, Application]
Virtual Services – Architectural Approach

Requirement: Virtualisation awareness
• Dynamic policy-based provisioning
• Support VM mobility (e.g. vMotion)
Solution:
• Virtual (SW) form factor
• Integration with VM management tools (e.g. vCenter, SC-VMM in future)
• Policies bound to vNIC/VM
• Integration with N1KV (vPath*)

Requirement: Multi-tenant / scale-out deployment
Solution:
• Virtual service: multi-instance deployment
• Management: multi-tenant
• N1KV vPath: multi-tenant

Requirement: Separation of duties
• Non-disruptive to server team
Solution:
• Profile-based provisioning for services
• Integration with N1KV port profile
• Optional hosting on Nexus 1010 HW appliance

Requirement: Efficient deployment, performance optimisation
Solution:
• Integration with N1KV vPath

Requirement: Broad mobility diameter
• DC-wide, DC-to-DC, DC-to-Cloud
Solution:
• DC-wide: VXLAN**
• DC-to-DC: OTV**

*vPath: Virtual Service Datapath
**VXLAN: Virtual Extensible LAN
**OTV: Overlay Transport Virtualisation
Network Services Options for Virtualized/Cloud DC

[Figure: two options for Web/App/Database server VMs on a hypervisor. Option 1: redirect VM traffic via VLANs to an external (physical) firewall, using virtual contexts on dedicated service nodes. Option 2 (this session): apply hypervisor-based virtual network services on Virtual Service Nodes (VSN).]
The Anatomy of Nexus 1000V

Nexus 1000V - Consistent Cloud Networking
Multi Hypervisors and Multi Orchestration strategy

[Figure: layered stack]
• Cloud Portal, Automation and Orchestration: vCloud Director, CIAC, System Center, OpenStack/Citrix CloudPlatform, Partners
• L4-7 Virtual Network Infrastructure (Cloud Network Services): vWAAS, ASA 1000V, VSG, NAM, NetScaler 1000V, Partners; vPath
• L2-3: Nexus 1000V
• Hypervisor: vSphere, Hyper-V, XenServer, KVM
• Computing Platform: UCS
• Physical Network: Unified Fabric (Nexus)
• Storage Platform
Cisco Nexus 1000V
Cisco Virtual Machine Networking

Policy-Based VM Connectivity
Mobility of Network and Security Properties
Non-Disruptive Operational Model

[Figure: port profiles / defined policies (WEB Apps, HR, DB, DMZ) defined on the Nexus 1000V VSM, published to vCenter and applied on the Nexus 1000V VEMs that host the VMs]

VM Connection Policy
• Defined in the network
• Applied in Virtual Centre
• Linked to VM UUID
Cisco Nexus 1000V
Cisco Virtual Machine Networking

Policy-Based VM Connectivity
Mobility of Network and Security Properties
Non-Disruptive Operational Model

[Figure: VMs moving between Nexus 1000V VEMs, managed by vCenter and the Nexus 1000V VSM]

VMs Need to Move
• VMotion
• DRS
• SW upgrade/patch
• Hardware failure

Property Mobility
• VMotion for the network
• Ensures VM security
• Maintains connection state
Network Services Options for Virtualized/Cloud DC

[Figure repeated from earlier: redirect VM traffic via VLANs to an external (physical) services appliance with virtual contexts on dedicated service nodes, versus hypervisor-based virtual network services on Virtual Service Nodes (VSN)]
Nexus 1000V Architecture
Respects DC Operational Model for PV

[Figure: analogy between a modular switch and Nexus 1000V]
• Modular switch: Supervisor-1 (active) and Supervisor-2 (standby) form the NX-OS control plane; Linecard-1 … Linecard-N form the NX-OS data plane, connected over the back plane.
• Nexus 1000V: VSM-1 (active) and VSM-2 (standby) virtual appliances form the NX-OS control plane, managed by the network admin; VEM-1 … VEM-N, one per hypervisor host, form the data plane, managed by the server admin.

VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
Port-Profile Configuration

Supported commands include:
• Port management
• VLAN
• PVLAN
• Port-Channel
• ACL
• Netflow
• Port security
• QoS
• vService

n1000v# show port-profile name WebProfile
port-profile WebServers
description:
status: enabled
capability uplink: no
system vlans:
port-group: WebServers
config attributes:
switchport mode access
switchport access vlan 110
no shutdown
evaluated config attributes:
switchport mode access
switchport access vlan 110
no shutdown
assigned interfaces:
Veth10
Port Groups: VI Admin View

[Figure: vCenter port group view as seen by the VI admin]
Nexus 1000V Architecture
vPath – service insertion in the hypervisor

[Figure: same modular-switch analogy as above; each VEM-1 … VEM-N on its hypervisor host now carries a vPath instance in the data plane]

VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
vPath – Policy Based Service Enablement

vPath is the Nexus 1000V dataplane component:

1. Distributed service insertion architecture, with intelligent traffic intercept and redirection mechanism
2. Topology agnostic service insertion model
3. Service chaining across multiple virtual services
4. Performance acceleration with vPath, e.g. VSG flow offload
5. Efficient and scalable architecture
6. VM policy mobility with VM mobility

[Figure: Cloud Network Services (CNS) on top of Nexus 1000V vPath, on any hypervisor]

Evolve the network for the next wave of application requirements
Virtual Services
Cisco Virtual Networking and Cloud Network Services

[Figure: physical infrastructure (Servers, Switches, WAN, Router) alongside Cloud Network Services: ASA 1000V Cloud Firewall, Cisco Virtual Security Gateway, vWAAS, Network Analysis Module (vNAM), Cloud Services Router 1000V, Citrix NetScaler 1000V, Imperva SecureSphere WAF]

Full portfolio of best in class virtualized network services

vPath, Enhanced VXLAN, Nexus 1000V
Multi-Hypervisor (VMware, Microsoft, KVM*, Xen*)
*KVM in beta, Xen prototype

• Nexus 1000V: distributed switch, NX-OS consistency
• VSG: distributed zone-based FW
• vWAAS: WAN optimization, application traffic
• ASA 1000V: edge firewall, VPN gateway, protocol inspection
• CSR 1000V (Cloud Router): WAN L3 gateway, routing and VPN
• Ecosystem services: Citrix NetScaler VPX virtual ADC, Imperva Web App. Firewall
Cisco Cloud Services Platform

• Dedicated Cloud Services appliance
• Flexible, on-demand allocation of resources
• Allows policy management by network teams

[Figure: Nexus 1110 Cloud Services Platform hosting VSM, DCNM* and Cisco Cloud Network Services (CNS) such as Citrix NetScaler 1000V, Prime virtual NAM, Imperva SecureSphere WAF and Virtual Security Gateway, on top of Nexus 1000V vPath on any hypervisor; 10G and SSL ready]

VSM = Virtual Supervisor Module
DCNM = Data Center Mgt. Center
* 2H CY13
Virtual Security Gateway
Cisco Virtual Security Gateway
Distributed, Zone Based Firewall

• Context aware security: VM context aware rules
• Zone based controls: establish zones of trust
• Dynamic, agile: policies follow vMotion
• Best-in-class efficient, fast, scale-out SW architecture (with vPath intelligence)

[Figure: Prime NSC managing the Virtual Security Gateway (VSG)]
Virtual Security Gateway
Intelligent Traffic Steering with vPath

[Figure: VMs on a Nexus 1000V distributed virtual switch with vPath; VSG and PNSC (VNMC) alongside]

1. Initial packet of a flow arrives at vPath.
2. vPath redirects the initial packet to the VSG for flow access control (policy evaluation); the VSG logs/audits the decision.
3. The decision is returned to vPath and cached for the flow.
4. Decision offloaded: the remaining packets from the flow are handled by Nexus 1000V vPath (policy enforcement) without a further trip to the VSG.
5. Log/audit.
Decoupled Deployment Across Applications and Virtual Services

[Figure: Cisco VSG instances deployed on some VEMs of a virtualized infrastructure with Cisco Nexus® 1000V, serving VMs on all VEMs]

• No need to deploy virtual services on every host
• Plan CPU capacity independently across application workloads and virtual services
• Solution is simpler to deploy with multiple operations teams (server, network, and security)
Deployment in Multitenant Environment

[Figure: Tenant A (Web Zone, App Zone) and Tenant B (QA Zone, Dev Zone) VMs spread across three vSphere hosts, each running a Cisco Nexus 1000V VEM with vPath; one active and one standby VSG per tenant; the Nexus 1000V VSM, VMware vCenter Server and Cisco Prime Network Service Controller on the data center network]
Policy Rule Construct

• Cisco VSG supports policies based on network attributes and virtual machine (VM) attributes

Rule = Source Condition + Destination Condition + Action

Condition = Attribute Type, Attribute, Operator, Value

Attribute types and attributes:
• Network attributes: IP Address, Network Port
• VM attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name
• Custom

Operators: eq, neq, gt, lt, range, not-in-range, prefix, member, not-member, contains
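As an added example (not code from the slides or from Cisco), a small Python model of the two VSG slides above: the rule construct evaluated on a flow's initial packet (network and VM attributes with the listed operators), and the vPath flow cache that enforces the cached verdict on the remaining packets without a second trip to the VSG. The VM attribute values, addresses and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Operators listed in the VSG policy rule construct.
OPERATORS = {
    "eq": lambda a, v: a == v,
    "neq": lambda a, v: a != v,
    "gt": lambda a, v: a > v,
    "lt": lambda a, v: a < v,
    "range": lambda a, v: v[0] <= a <= v[1],
    "not-in-range": lambda a, v: not (v[0] <= a <= v[1]),
    "prefix": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v),
    "member": lambda a, v: a in v,
    "not-member": lambda a, v: a not in v,
    "contains": lambda a, v: v in a,
}

@dataclass
class Rule:
    name: str
    src: list      # source conditions: (attribute, operator, value)
    dst: list      # destination conditions, same shape
    action: str    # "permit" or "deny"

def _match(conds, attrs):
    # A condition on an attribute the endpoint does not carry never matches.
    return all(a in attrs and OPERATORS[op](attrs[a], v) for a, op, v in conds)

def vsg_evaluate(rules, src, dst):
    """First-match policy evaluation, as the VSG does on a flow's initial packet."""
    for r in rules:
        if _match(r.src, src) and _match(r.dst, dst):
            return r.action, r.name
    return "deny", "implicit-deny"

@dataclass
class VPath:
    """vPath flow cache: the VSG's decision is cached and enforced locally."""
    rules: list
    flows: dict = field(default_factory=dict)
    vsg_lookups: int = 0          # how many packets actually reached the VSG

    def forward(self, src, dst, port):
        key = (src["ip"], dst["ip"], port)
        if key not in self.flows:  # initial packet: redirect to the VSG
            self.vsg_lookups += 1
            self.flows[key] = vsg_evaluate(self.rules, src, {**dst, "port": port})
        return self.flows[key][0]  # remaining packets: cached verdict, no VSG trip

# Constructed VMs with network and VM attributes (IPs, zones and OS strings are made up).
WEB = {"ip": "10.0.10.5", "zone": "Web-Zone", "os": "Ubuntu 12.04 LTS"}
DB = {"ip": "10.0.20.5", "zone": "Database-Zone", "os": "Windows Server 2008"}
CLIENT = {"ip": "10.0.30.77", "zone": "App-Zone", "os": "Windows 7"}

RULES = [
    Rule("web-to-db", [("zone", "eq", "Web-Zone")],
         [("zone", "eq", "Database-Zone"), ("port", "range", (1433, 1433))], "permit"),
    Rule("client-to-web", [("ip", "prefix", "10.0.30.0/24")],
         [("zone", "eq", "Web-Zone"), ("os", "contains", "Ubuntu"),
          ("port", "member", {80, 443})], "permit"),
]

def demo():
    vp = VPath(RULES)
    verdicts = [vp.forward(WEB, DB, 1433), vp.forward(WEB, DB, 1433),   # 2nd hits the cache
                vp.forward(CLIENT, WEB, 443), vp.forward(CLIENT, DB, 1433)]
    return verdicts, vp.vsg_lookups
```

Four packets produce three VSG lookups: the repeated web-to-DB packet is answered from the vPath flow cache, which is the flow offload the slides describe.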
Citrix NetScaler 1000V
Citrix NetScaler 1000V

• Citrix best-in-class virtual application delivery controller (vADC)
• Sold and supported by Cisco (Q3)
• Integrated with Nexus 1100, vPath
• NetScaler 1000V = VPX – (Cloud Bridge, Cloud Connect, SSL VPN)

[Figure: same Cloud Services Platform figure as above, with Citrix NetScaler 1000V among the Cisco Cloud Network Services (CNS) on Nexus 1000V vPath, any hypervisor; VSM and DCNM* on the Nexus 1110 Cloud Services Platform]

VSM = Virtual Supervisor Module
DCNM = Data Center Mgt. Center
* 2H CY13
SLB: With and Without vPath

Without vPath
• Source NAT (SNAT) - client/source obscured
• Policy Based Routing (PBR) - complex
• Inline ADCs – performance bottleneck
• Selective traffic – optimal implementation

With vPath
• Preserve source IP with vPath; vPath redirects server-return traffic to the SLB
• Easy deployment – topology agnostic
• Service chaining
• Optimal use of performance
• Enable new east-west flow use cases
NetScaler 1000V without vPath
East-West / Distributed Services

[Figure: client 172.50.20.10; Web Tier, App Tier, DB Tier; NetScaler 1000V in Virtual Services, with a distributed firewall in front of the App Tier]

1. The web server initiates a connection to the app server with LB services enabled, so the destination IP is the VIP (DST IP: 192.168.20.10, Src IP: 192.168.20.100).
2. The VIP selects an app server for the destination and sends the packet with the destination IP of the app server and the source IP of its SNIP (DST IP: 192.168.30.10, Src IP: 192.168.20.200).
3. The distributed firewall policy for the app server receives the packet but lacks visibility of the source information for policy evaluation. The firewall needs to know the source/client IP for policy evaluation, so the policy fails.

NetScaler 1000V with vPath
Enabling East-West flow use-case for SLB

[Figure: same tiers, with Cisco vPath on both the web-tier and the app-tier hosts]

3. The distributed firewall enabled for the app server receives the packet and has full visibility of the source information for policy evaluation.
4. The packet is forwarded to the app server on policy evaluation.
5. The firewall has visibility of source and destination for policy evaluation; east-west services and application servers are ready to deliver best in class services.
Deployment Network Topologies
One-Arm

• One-armed topologies have several benefits
– Simple, one physical interface and no risk of bridge loops
– Can make use of Link Aggregation to satisfy bandwidth requirements
– SLB does not have to be the default gateway for application VMs
– Very few failure modes, easing HA failure analysis

[Logical topology: Web VMs and the NetScaler 1000V attached to vPath; vPath on the NetScaler's single interface]

Deployment Network Topologies
Two-Arm

• NS1000V is inline between client and server (vPath). Can be L3 hops away from the server
• vPath is configured on the inside (server) interface of NS1000V
• Allows layer 3 style deployments with split subnets
• Allows layer 2 style deployments with one subnet on both sides

[Logical topology: Web VMs on the vPath side; NetScaler 1000V inline, vPath configured on its inside interface]
NetScaler 1000V
vPath Flow entry

1. vPath creates a forward flow record (Client to Server1 – decap and send packet to Server1) and a reverse flow record (Server to Client – redirect to NS1000V with vPath encap).

[Figure: Web Tier and App Tier VMs on hypervisors with Cisco vPath; NetScaler 1000V in Virtual Services; vPath data between them]

- All communication between NetScaler 1000V and server VMs happens with vPath encapsulation
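As an added example (not from the slides or from Cisco or Citrix), a Python model of the east-west SLB case on the preceding slides: without vPath the NetScaler applies SNAT and the app-tier firewall only sees the SNIP, so a source-keyed policy fails; with vPath the original source is preserved and vPath installs the forward and reverse flow records from the flow-entry slide. The addresses are the ones on the slides; the firewall policy is constructed.

```python
from dataclasses import dataclass, replace

# Addresses from the slides: web server, NS1000V VIP and SNIP, app server.
WEB_SERVER = "192.168.20.100"
LB_VIP = "192.168.20.10"
LB_SNIP = "192.168.20.200"
APP_SERVER = "192.168.30.10"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    vpath: bool = False     # True while carried in vPath encapsulation

def ns1000v_balance(pkt, snat):
    """NetScaler picks the app server; without vPath it also rewrites the source (SNAT)."""
    if pkt.dst != LB_VIP:
        raise ValueError("packet not addressed to the VIP")
    return replace(pkt, dst=APP_SERVER, src=LB_SNIP if snat else pkt.src)

def app_tier_firewall(pkt, allowed_sources):
    """Distributed firewall in front of the app server, keyed on the client/source IP."""
    return "permit" if pkt.src in allowed_sources else "deny"

class VPathTable:
    """Per-flow records as on the flow-entry slide: forward (client->server: decap and
    deliver) and reverse (server->client: redirect to NS1000V with vPath encap)."""
    def __init__(self):
        self.records = {}

    def install(self, client, server):
        self.records[(client, server)] = "decap-and-deliver"
        self.records[(server, client)] = "redirect-to-ns1000v-encap"

    def lookup(self, pkt):
        return self.records.get((pkt.src, pkt.dst), "no-flow")

def east_west_without_vpath(allowed):
    p = Packet(WEB_SERVER, LB_VIP)                 # step 1: web server -> VIP
    p = ns1000v_balance(p, snat=True)              # step 2: SNAT, dst = app server
    return p.src, app_tier_firewall(p, allowed)    # step 3: firewall sees only the SNIP

def east_west_with_vpath(allowed):
    table = VPathTable()
    p = Packet(WEB_SERVER, LB_VIP, vpath=True)     # vPath intercepts, encapsulates to NS1000V
    p = ns1000v_balance(p, snat=False)             # source IP preserved
    table.install(client=p.src, server=p.dst)      # vPath installs forward/reverse records
    p = replace(p, vpath=False)                    # forward record: decap and deliver
    verdict = app_tier_firewall(p, allowed)        # firewall sees the real source
    reply = Packet(APP_SERVER, WEB_SERVER)         # server-return traffic
    return p.src, verdict, table.lookup(reply)     # reverse record steers it back to the LB

def demo():
    allowed = {WEB_SERVER}                         # constructed policy: only the web tier may reach the app tier
    return east_west_without_vpath(allowed), east_west_with_vpath(allowed)
```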
vPath Service-Chaining and why it is important
vPath Service Chaining Benefits

Intelligent policy-based traffic steering through multiple network services

• Decouples network services from underlying network topology with vPath overlays
• Dynamic service chains enabled per VM port
• Programmability
• Transparent services insertion
• Multi-tenancy
• VXLAN

[Figure: a client reaching Web VM Tenant #1 (Policy 1) and Web VM Tenant #2 (Policy 2) through Virtual Service A, Virtual Service B and Virtual Service C on Cisco Nexus 1000V with vPath embedded; Policy 1 and Policy 2 defined for each tenant]

Expanded vPath ecosystem: VSG, ASA 1000V, vWAAS, & NetScaler 1000V
Services Chaining with vPath
Intelligent Policy-based Traffic Steering Through Multiple Network Services

[Figure: Web Tier and DB Tier VMs (APP/OS) on hosts with Cisco vPath; virtual services NS1000V, VSG and WAF]

1. Client initiates flow to the web server (VIP as server IP): Client › LB-VIP
2. NS1000V load balances the web request, selects Web Server 1 (Client › S1)
3. Based on policy, vPath redirects traffic to the service chain, starting with the zone-based firewall, VSG
4. Traffic returns to the Virtual Ethernet Module, ready for the next network service
5. WAF inspects packets for web attacks; prevents the attack and generates alerts
6. vPath forwards the packet to the Web Server VM
7. Web to DB Tier connection
8. Web to DB Tier connection: database tier security policy
9. Apply VSG policy and forward packet to database
vPath 3.0

[Figure: Nexus 1000V vPath on any hypervisor chaining a VM through vPath and non-vPath virtualized network services and vPath and non-vPath physical network services]

• Service chaining with vPath and non-vPath network services
• Virtual and physical network services
• Any network service can now be distributed, not just firewalls
• Submitted to IETF for standardization*
• Supporting multiple hypervisors

*http://tools.ietf.org/html/draft-quinn-nsh-00
Service-Chaining Use-cases
Enterprise: Multi-Tier Applications

• Intelligent service chaining
• Network topology agnostic
• Flat network: VMs are on the same VLAN 100 segment, yet each has a different set of services enabled
• Service chain stays attached to the VM on VM mobility

[Figure: three VMs on VLAN 100 behind vPath, each with its own chain]
• Web: WAN Optimization + Edge Firewall + NAT + Load Balancer + Web Application Firewall + Zone based Firewall
• Load Balancer + Zone based Firewall
• VSG Zone based Firewall
3-Tier Server zone

• NetScaler 1000V – Server Load Balancer
• ASA 1000V - Edge Security Profile
• VSG - Compute Security Profile

[Figure: Tenant-A with Web-Zone (Web Servers, IP 192.168.1.1 and 192.168.1.2), Database-Zone (DB Server) and App-Zone (Client, IP 192.168.1.203) behind ASA and VSG; NS1000V Server LB with VIP 10.10.25.100]

• ASA1000V: NAT
• ASA: Block all external access to Database Servers
• ASA: Permit only port 80 (HTTP) to Web Servers
• NS1000V: Server LB, Web to Database Servers
• VSG: Only permit Web Servers access to Database Servers
• VSG: Only permit Client access to Web Server and deny access to DB server
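As an added example (not the deck's or Cisco's code), a Python model that binds a vPath service chain to a port profile and walks a packet through it service by service, the way the "Services Chaining with vPath" steps above describe, using the ASA and VSG policies and the addresses on this 3-tier slide. The DB server address, the external client address and the load balancer's server selection are constructed.

```python
from dataclasses import dataclass

# Addresses from the 3-tier server zone slide; the DB server address and the
# external client address are constructed (not on the slide).
VIP = "10.10.25.100"
WEB1, WEB2, CLIENT = "192.168.1.1", "192.168.1.2", "192.168.1.203"
DB = "192.168.1.50"
EXTERNAL = "203.0.113.10"

@dataclass
class Packet:
    src: str
    dst: str
    dport: int

# A virtual service is a function packet -> (verdict, packet). A "pass" verdict
# returns the packet to the VEM, which hands it to the next service in the chain.

def asa1000v_edge(pkt):
    """ASA edge profile: permit only port 80 (HTTP) to the web VIP, block the rest."""
    return ("pass" if pkt.dst == VIP and pkt.dport == 80 else "drop"), pkt

def ns1000v_lb(pkt):
    """NetScaler 1000V: VIP selects a web server (source-hash persistence, constructed)."""
    pool = [WEB1, WEB2]
    pick = pool[sum(int(o) for o in pkt.src.split(".")) % len(pool)]
    return "pass", Packet(pkt.src, pick, pkt.dport)

def vsg_compute(pkt):
    """VSG compute profile: only web servers reach the DB; clients reach web servers only."""
    if pkt.dst == DB:
        return ("pass" if pkt.src in (WEB1, WEB2) else "drop"), pkt
    return ("pass" if pkt.dst in (WEB1, WEB2) else "drop"), pkt

# vPath binds the chain to the VM port (port profile), not to the network topology.
CHAINS = {
    "web-zone": [asa1000v_edge, ns1000v_lb, vsg_compute],
    "db-zone": [vsg_compute],
}

def vpath_walk(profile, pkt):
    """Redirect the packet through each service in order, recording every hop."""
    trace = []
    for service in CHAINS[profile]:
        verdict, pkt = service(pkt)
        trace.append((service.__name__, verdict))
        if verdict != "pass":
            return "drop", pkt, trace
    return "deliver", pkt, trace

def demo():
    http = vpath_walk("web-zone", Packet(EXTERNAL, VIP, 80))
    ssh = vpath_walk("web-zone", Packet(EXTERNAL, VIP, 22))      # stopped at the ASA
    web_db = vpath_walk("db-zone", Packet(WEB1, DB, 3306))
    client_db = vpath_walk("db-zone", Packet(CLIENT, DB, 3306))  # stopped at the VSG
    return [r[0] for r in (http, ssh, web_db, client_db)], http[1].dst, http[2]
```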
Cloud Provider's Data Center
Multi-Tenancy

[Figure: Enterprise A and Enterprise B branches reach the cloud provider DC over MPLS and the Internet; the physical infrastructure (WAN router, switches, servers) hosts a virtual infrastructure per tenant: CSR1kV, NS1KV and VSG for Tenant A and for Tenant B. Server load balancer and east-west firewall are offered as a service by the CSP]

Cloud Provider Multi-Tenancy Use Cases
• Secure VPN Gateway
• MPLS Extension
• Tenant SLB
• East-West Firewall
Prime Network Service Controller
Simple Yet Powerful Virtual Network Services Management

• Centralized manager for all virtual services
• Multi-tenant
• XML API: third-party integration
• Role-based access controls
• Integration with Cisco Nexus® 1000V, VMware vCenter, SCVMM
• Dynamic provisioning
• Custom created to manage virtualization-specific workflows
Summary

Cisco provides consistent Layer 2-7 networking for physical, virtual, and cloud deployments: design once, run everywhere

• Hypervisor agnostic
• Single network for physical, virtual, and cloud
• Consistent operational model and troubleshooting, especially with ACI
• vPath 3 for standardized service chaining for virtual and physical network services
• Orchestration tool of your choice: SCVMM, OpenStack, UCS Director and more
Call to Action…

Visit the World of Solutions:
• Cisco Campus
• Walk-in Labs
• Technical Solutions Clinics
• Meet the Engineer
• Lunch Time Table Topics, held in the main Catering Hall
• Recommended Reading: For reading material and further resources for this session, please visit www.pearson-books.com/CLMilan2014

Complete Your Online Session Evaluation
• Complete your online session evaluation
• Complete four session evaluations and the overall conference evaluation to receive your Cisco Live T-shirt