End-to-End Data Center Virtualization
Data Center Solutions Group
© 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Confidential
Agenda
• Data Center Virtualization Overview
• Front-End Data Center Virtualization
  Core Layer
  Aggregation Layer
  Networking Services
  Access Layer
• Server Virtualization
  Hypervisors
  Virtual Access Layer
  Virtualized Services
  Server IO Virtualization
• Back-End Virtualization
  Virtual HBA & NPV
  Unified IO & FCoE
  SAN & Storage
• Q&A
Key Trends Affecting IT and the Data Center
• The need to reduce costs and/or maximize profits
• IT as business enabler
• Applications availability
• Drive for Green: power, cooling and space
• Server Virtualization: higher performance
• LAN and Storage convergence
• VM-level awareness
• Workload provisioning
Virtualization Touches Half (at Least …)
(The same eight trends as on the previous slide, with the ones virtualization touches highlighted.)
Virtualized Data Center Methodology
• The Application Services provided by the Network need to respond and be aligned to meet the new geometry of the VMs
• Close interaction is required between the assets provisioning the virtualized infrastructure and the Application Services supporting the Virtual Machines.
Moving to a Unified Network
Moving to a fully virtualized Data Center, with Any-to-Any Connectivity
• Fully unified I/O delivers the following characteristics:
  Ultra high capacity, 10 Gbps+
  Low latency
  Loss free (FCoE)
• True "Any to Any" connectivity is possible as all devices are connected to all other devices.
Virtualized Data Center Architecture (3-Tier)
(Figure: Core Layer, Aggregation Layer and Access Layer on the LAN side; SAN Core and SAN Edge on the storage side.)
Data Center Architecture Evolution
Challenges to Traditional Network Design
• Hypervisor-based server virtualization and the associated capabilities (vMotion, Live Migration, etc.) are changing multiple aspects of the Data Center design
• Where is the server now?
• Where is the access port?
• Where does the VLAN exist?
• Any VLAN anywhere?
• How large do we need to scale Layer 2?
• What are the capacity planning requirements for flexible workloads?
• Where are the policy boundaries with flexible workloads (Security, QoS, WAN acceleration, …)?
(Figure: Data Center Row 1 and Data Center Row 2.)
Virtualized Network Architecture
Evolution and Considerations

Typical DC Challenges | What are the implications…
L2 fate-sharing       | Dynamic "routing protocol" for L2 (e.g. IS-IS)
VLAN location         | Any VLAN anywhere resonates well
L2 adjacency          | Lower oversubscription
Higher scale          | Larger subnet sizes
L3 access             | Global VLANs
App environments      | Specific app environment designs

(Figure: Classic Pod, sized by the density and quantity of aggregation switches and by the density and capabilities of the access switch, versus Modern Pod, with the access ports in the management domain.)
Virtualized Data Center Architecture (2-Tier)
(Figure: spine layer and leaf layer, with a DR data center reached over OTV; the callouts read as follows.)
• VDC: Virtual Device Contexts
• ACE load balancer and ASA 5500 firewall as network services
• NX-OS: modular operating system common across the DC
• vPC: between Nexus layers for bi-sectional bandwidth use (no STP loops)
• DCNM: consolidated configuration and management
• FEX architecture; FET + FEX for cabling cost efficiencies
• Host-facing vPC
• Nexus 1000V & vPath; VSG, vWAAS
• ISSU: true non-stop operations
• OTV: Layer 2 extension
• Virtualized interfaces: Adapter FEX, VM-FEX & FCoE
• Unified Fabric: multi-hop FCoE, unified ports
Legend: 1/10GE, FC, converged FCoE link, dedicated FCoE link
Virtualized Data Center Architecture (2-Tier)
Layer 2 Multipathing (FabricPath) Supporting a Dual-Fabric SAN Architecture
• FabricPath enabled for LAN traffic
• Dual switch core for SAN A & SAN B (Fabric 'A' and Fabric 'B')
• All Access and Aggregation switches are FCoE FCF switches
• Dedicated links between switches are VE_Ports
• Storage VDC (Nexus 7000 only) for additional operational separation at the high-function agg/core (aka spine)
• Improved HA and scale over vPC (IS-IS, RPF, … and N+1 redundancy)
• SAN can utilize higher performance, higher density, lower cost Ethernet switches (including unified ports)
• (*) FC connectivity to storage only available on Nexus 5000/5500. FCoE target and NAS / iSCSI target connectivity to any Nexus switch.
(Figure: spine layer (L3/L2 boundary, FCF) and leaf layer (FCF) with CNA-attached servers and FCoE, FC (*), NAS and iSCSI storage. Legend: 1/10GE, FC, converged FCoE link, dedicated FCoE link.)
Front-End: Core Layer
Virtual Switches @ Nexus 7000
(Figure: one Nexus 7000 physical switch whose infrastructure kernel hosts VDC A and VDC B; each VDC runs its own protocol stack and its own copies of processes ABC, DEF and XYZ, with line cards A, B, C, D assigned to one VDC or the other.)
• Process "DEF" in VDC B crashes
• Process DEF in VDC A is not affected and will continue to run unimpeded
Virtual Switches
1:N Isolated Resource Allocation Domains (Layer 3)

VDC   | Line cards             | IP routes | ACL entries
VDC-1 | Linecard 4             | 20K       | 10K
VDC-2 | Linecard 1, Linecard 2 | 100K      | 50K
VDC-3 | Linecard 3             | 100K      | 50K

(Figure: each line card carries an ACL TCAM of size 64K and a FIB TCAM of size 128K; a VDC's routes and ACL entries are programmed only into the line cards allocated to it.)
Front-End: Aggregation Layer
Legend used on the section slides: Gigabit Ethernet, 10 Gigabit Ethernet, 10 Gigabit DCB, 4/8Gb Fibre Channel, 10 Gigabit FCoE/DCB
Catalyst 6500 Virtual Switching System (VSS)
Forwarding Operation
• Control plane: Switch 1 active, Switch 2 hot standby (one Virtual Switch Domain)
• Data plane: Switch 1 active and Switch 2 active; both forward (one Virtual Switch Domain)
Virtual Port Channel (vPC)
Active-Active Layer 2 Connectivity
(Figure: physical topology and logical topology, non-vPC versus vPC; bi-sectional bandwidth with vPC.)
• vPC is a port-channeling concept extending link aggregation to two separate physical switches
• Allows the creation of resilient L2 topologies based on link aggregation
• Eliminates the need for STP to block links in the access-distribution layer (STP stays enabled as a loop-protection backstop)
• Enables seamless VM mobility and server HA clusters
• Scales available Layer 2 bandwidth
• Dual-homed servers operate in active-active mode
• Simplifies network design
• Available on Nexus 7000 and Nexus 5000 / 5500
Dual vPC Domain Implementation and Design
32-Way Port-Channel: Double-Sided vPC
• Double-sided vPC architecture: a multilayer vPC can join the eight active member ports of each peer's port-channel into a unique 16-way port-channel*
• vPC peer load-balancing is LOCAL to the peer device
• Each vPC peer has only eight active links, but the pair has 16 active load-balanced links (M-series line cards)
• F-series Nexus 7000 line cards support 16-way active port-channel load balancing, providing for a 32-way vPC port-channel
(Figure: a Nexus 7000 vPC pair and a Nexus 5000 vPC pair joined by a 32-way port-channel.)
Layer 3 and vPC Design
Router/Firewall on a Stick with VDC
(Figure: Nexus 7000 units 7k1–7k4 split into a Layer 3 VDC, which holds the dynamic routing-protocol peering (P) with the router/firewall, and a Layer 2 VDC, which forms the vPC domain with port-channels Po1 and Po2 toward the router/firewall and the downstream switch. Legend: P = routing protocol peer; dashed line = dynamic peering relationship.)
• No dynamic routing on vPC VLANs: routing-protocol adjacencies are kept in the Layer 3 VDC, off the Layer 2 vPC
Cisco FabricPath
Scaling and Simplifying Layer 2 Ethernet
(Figure: Traditional Spanning Tree based network with blocked links versus Cisco FabricPath network with all links active; up to 16 aggregation switches, 160+ Tbps switching capacity.)
• Eliminates Spanning Tree limitations
• Multi-pathing across all links, high cross-sectional bandwidth
• High resiliency, faster network re-convergence
• Any VLAN, anywhere in the fabric: eliminates VLAN scoping
Flexibility of the Cisco Nexus Architecture
Layer 2 Scalability: Infrastructure Virtualization and Capacity

              | Spanning-Tree | vPC           | FabricPath (up to 16 switches)
Active paths  | Single        | Dual          | 16-way
Pod bandwidth | Up to 10 Tbps | Up to 20 Tbps | Up to 160 Tbps
Front-End: Networking Services
Data Center Virtualized Services
(Figure: traffic enters "Front-End" VRFs on the MSFC (VLANs v5–v8), passes through Firewall Module contexts 1–4 (VLANs v105–v108), then ACE Module contexts (VLANs v206–v208), then "Back-End" VRFs on the MSFC for business units BU-1 to BU-4, and reaches the server-side VLANs (v2081, v2082, v2083, …). vX = VLAN X; BU = Business Unit.)
Sandwich-Style Virtual Services Design
• Services are "sandwiched" between Nexus VDCs: an Agg VDC (VDC 1) above and a Sub-Agg VDC (VDC 2) below, with the services contexts on a Cat6500 VSS in between
• Stateful firewall: virtual contexts, transparent mode
• ACE load-balancer: routed two-arm mode, virtual contexts
Rationale for the VDC sandwich design
• Merging access/aggregation without sacrificing the functional management of each layer
• Inter-tenant (VM-to-VM and multi-tier flows) policy management (Security, QoS, BW etc.)
• Operational isolation (change management, span of control) of the access layer versus core/aggregation
Virtual Services Chassis Design
(Figure: Core, Aggregation and Services (VSS) layers, with the L3 boundary at aggregation.)
• Reduced complexity with multi-tenant design.
• Network multi-tenancy definition and scope will not be limited to the service blade.
• Container definition is not tied just to the services blade.
• Improved convergence and scalability.
• Services will be isolated via L3 port-channel to/from the VSS.
• Isolation and flexibility on insertion of the appliance-based model.
• Reduced "always inline" effect between the VSS and the aggregation layer.
• Better technology and feature integration.
• Ease of multicast support.
• Separation of the core VDC, freeing VDC resources at the aggregation layer for Storage & OTV.
• The aggregation VDC will not be split (agg / sub-agg) and will represent the single L2/L3 boundary for all compute/storage flows.
Overlay Transport Virtualization (OTV)
OTV at a Glance
• Ethernet traffic between sites is encapsulated in IP: "MAC in IP"
• Dynamic encapsulation based on the MAC routing table
• No pseudo-wire or tunnel state maintained
(Figure: Server 1 (MAC 1) at site 1 behind OTV edge IP A communicates with Server 2 (MAC 2) at site 2 behind OTV edge IP B. The site-1 edge's MAC table reads MAC1 → Eth1, MAC2 → IP B, MAC3 → IP B. The frame MAC1 → MAC2 is encapsulated as IP A → IP B, carried across the core, and decapsulated at IP B.)
OTV Data Plane: Unicast
The MAC table contains MAC addresses reachable through IP addresses.
(Figure: West site, edge address IP A, and East site, edge address IP B; VLAN 100.)

West MAC table:            East MAC table:
VLAN  MAC    IF            VLAN  MAC    IF
100   MAC 1  Eth 2         100   MAC 1  IP A
100   MAC 2  Eth 1         100   MAC 2  IP A
100   MAC 3  IP B          100   MAC 3  Eth 3
100   MAC 4  IP B          100   MAC 4  Eth 4

OTV inter-site traffic, MAC 1 → MAC 3:
1. Layer 2 lookup on the West edge: MAC 3 is reachable through IP B
2. Encapsulation: outer header IP A → IP B, inner frame MAC 1 → MAC 3 unchanged
3. The packet crosses the IP core
4. Decapsulation on the East edge
5. Layer 2 lookup on the East edge: MAC 3 → Eth 3
6. Frame MAC 1 → MAC 3 is delivered on Eth 3
• No pseudo-wire state is maintained.
• The encapsulation is done based on a Layer 2 destination lookup.
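The unicast walk-through above, as an added example that is not Cisco code: a small Python model of an OTV edge device whose MAC table points either at a local port or at the remote edge's IP address, with encapsulation decided by the Layer 2 lookup and no per-site tunnel state. The edge addresses 10.1.0.1 (IP A) and 10.2.0.1 (IP B), the MAC names and the frame fields are constructed. Two points the slide does not state and a practitioner should keep in mind: OTV does not flood unknown unicast across the overlay (the model drops it), and the encapsulation adds no confidentiality or integrity to the inner frame, so the IP transport between sites has to be trusted or protected separately.

```python
"""Model of OTV unicast forwarding. The MAC table of an OTV edge device points
either at a local interface or at the IP address of the remote edge; one Layer 2
destination lookup decides whether a frame is switched locally or encapsulated
MAC-in-IP toward the other site. No pseudo-wire or tunnel state exists, only the
table. Added illustration, not Cisco code; the edge addresses 10.1.0.1 (IP A)
and 10.2.0.1 (IP B), the MAC names and the frame fields are constructed."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union


@dataclass(frozen=True)
class EthFrame:
    vlan: int
    src_mac: str
    dst_mac: str
    payload: bytes


@dataclass(frozen=True)
class OtvPacket:
    """Outer IP header plus the inner Ethernet frame, carried unchanged."""
    src_ip: str
    dst_ip: str
    inner: EthFrame


# A next hop is a local port name ("Eth2") or ("otv", remote-edge IP).
NextHop = Union[str, Tuple[str, str]]


class OtvEdge:
    def __init__(self, name: str, join_ip: str) -> None:
        self.name = name
        self.join_ip = join_ip                      # this edge's address in the IP core
        self.mac_table: Dict[Tuple[int, str], NextHop] = {}   # (VLAN, MAC) -> next hop
        self.to_core: List[OtvPacket] = []          # encapsulated packets sent into the core
        self.to_ports: List[Tuple[str, EthFrame]] = []
        self.dropped: List[object] = []

    def learn_local(self, vlan: int, mac: str, port: str) -> None:
        self.mac_table[(vlan, mac)] = port

    def learn_remote(self, vlan: int, mac: str, remote_ip: str) -> None:
        """Remote MACs are advertised by the OTV control plane; the next hop is an IP."""
        self.mac_table[(vlan, mac)] = ("otv", remote_ip)

    def forward(self, frame: EthFrame) -> Optional[str]:
        """Layer 2 lookup. Returns the egress port, or "core" when the frame was encapsulated."""
        hop = self.mac_table.get((frame.vlan, frame.dst_mac))
        if hop is None:
            self.dropped.append(frame)              # unknown unicast is not flooded over the overlay
            return None
        if isinstance(hop, tuple):
            self.to_core.append(OtvPacket(self.join_ip, hop[1], frame))   # MAC in IP, inner untouched
            return "core"
        self.to_ports.append((hop, frame))
        return hop

    def receive_from_core(self, pkt: OtvPacket) -> Optional[str]:
        """Decapsulate a packet addressed to this edge, then run the second Layer 2 lookup."""
        if pkt.dst_ip != self.join_ip:
            self.dropped.append(pkt)
            return None
        return self.forward(pkt.inner)


def run_scenario() -> dict:
    """The slide's walk-through: MAC 1 (West, Eth 2) sends to MAC 3 (East, Eth 3) in VLAN 100."""
    west, east = OtvEdge("West", "10.1.0.1"), OtvEdge("East", "10.2.0.1")
    tables = (
        (west, east, {"MAC1": "Eth2", "MAC2": "Eth1"}, ("MAC3", "MAC4")),
        (east, west, {"MAC3": "Eth3", "MAC4": "Eth4"}, ("MAC1", "MAC2")),
    )
    for edge, other, local, remote in tables:
        for mac, port in local.items():
            edge.learn_local(100, mac, port)
        for mac in remote:
            edge.learn_remote(100, mac, other.join_ip)

    step1 = west.forward(EthFrame(100, "MAC1", "MAC3", b"inter-site"))   # lookup hits IP B -> encap
    pkt = west.to_core[-1]
    step5 = east.receive_from_core(pkt)                                   # decap -> lookup -> Eth 3
    local = west.forward(EthFrame(100, "MAC1", "MAC2", b"intra-site"))    # never leaves West
    unknown = west.forward(EthFrame(100, "MAC1", "MAC9", b"?"))           # no entry -> dropped
    return {
        "step1": step1,
        "outer": (pkt.src_ip, pkt.dst_ip),
        "inner_dst": pkt.inner.dst_mac,
        "egress_east": step5,
        "local": local,
        "unknown": unknown,
    }


if __name__ == "__main__":
    print(run_scenario())
```

The same lookup serves both cases: a local entry yields a port, a remote entry yields an outer IP header, and nothing else is kept per remote site, which is why the slide can say that no pseudo-wire state is maintained.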
Network Extension Across PODs
Cisco innovation toward an end-to-end fabric:
• Cisco FabricPath: scalable fabric for application deployment flexibility
• OTV: Layer 2 extension over Layer 3 for distributed clustered applications
• LISP: IP mobility, optimized routing
(Figure: Data Center Interconnect extension with Overlay Transport Virtualization (OTV).)
Front-End: Access Layer
Top of Rack @ 1/10GE/FCoE: Nexus 2200 (Fabric Extender, FEX)
Cisco Nexus 2000 Unified Server Access Architecture
• N2K inherits the features from the parent switch
(Figure: a unified access layer with Nexus 7000 and Nexus 5000 parent switches; beneath them Nexus 2000 for 1GE rack-mount servers, Nexus 2000 for 10GE rack-mount servers, Nexus 2000 for 1 & 10GE blade servers with pass-through, direct-attach 10GE rack-mount servers, a Nexus 4000 10GE blade switch with FCoE (IBM/Dell), and Cisco UCS compute, blade & rack.)
Top of Rack: Nexus 2200 Deployment Example
(Figure: two Nexus 7000 at the aggregation layer, vPC down to a Nexus 5500 pair at the access layer; each Nexus 5500 connects with four uplinks (x4) to the Nexus 2200 fabric extenders in the server racks (Rack 1, Rack 2, Rack 11, Rack 12, …), with vPC between the access layer and the FEXes.)
Virtual Access Switch POD
• A Cisco Nexus 5x00 and 2200 vPC pair represents a virtual access switch POD
• Nexus 7000 at the aggregation layer
• No loop, no STP blocking
(Figure: Nexus 7000 aggregation above several Nexus 5x00/2200 virtualized access switch PODs.)
Logical Diagram with FabricPath:
Distributed Topology without Layer 2 Loops
(Figure: FabricPath spine switches S10, S20, S30, S40 and leaf switches S100, S101, S200 connected over links L1–L12; the leaves attach Virtual Blade Switching (VBS), a Virtual Access Switch POD (Nexus 7000 / 5x00 + Nexus 2200), servers and the Unified Computing System (UCS).)
Front-End: Server Layer (Cisco UCS)
What is Cisco UCS?
• UCS = Unified Computing System: network + compute virtualization
• Single, scalable integrated system: dynamic resource provisioning
(Figure: UCS connected to Mgmt, LAN, SAN A and SAN B.)
Servers Fully Visible to the Network
• UCS Service Profiles capture more than MAC & WWN: MAC, WWN, boot order, firmware, network & storage policy
• Stateless compute where network & storage see all movement: better diagnostics and QoS from network to blade; policy follows the server
Example service profile: Server Name SP-A; UUID 56 4d cd 3f 59 5b 61…; MAC 08:00:69:02:01:FC; WWN 5080020000075740; Boot Order: SAN, LAN. The same profile can be applied to Chassis-1/Blade-5 or to Chassis-9/Blade-2.
• Service Profiles deliver service agility regardless of physical or virtual machine
Building an Elastic Data Center with Service Profiles

Workload    | Server capacity needed (Oct / Nov / Dec / Jan) | Server HW HA | Total servers
Web Servers | 5 / 7 / 6 / 5                                  | 1 hot spare  | 8
Oracle RAC  | 3 / 3 / 3 / 4                                  | 1 hot spare  | 5
VMware      | 3 / 3 / 4 / 4                                  | 1 hot spare  | 5

Today's deployment: each workload provisioned for peak capacity plus a spare node per workload. Total server deployment: 18 servers.
Stateless Computing @ UCS
Old deployment: Web Servers, Oracle RAC and VMware each provisioned for peak plus one spare, 18 servers in total.
Cisco UCS deployment (still 18 Service Profiles):
• Resources provisioned based on business need
• Still HA, with fewer spares: burst capacity and a single HA spare blade are shared across the workloads
Total server deployment: 14 servers, a reduction of 4 servers, 22% CapEx savings.
What Happens When We Mix Network and Server Virtualization?
Network Problems with Server Virtualization
Problems:
• Dynamic migration of VMs may move them across physical server ports; policy must follow
• Impossible to view or apply policy to locally switched traffic
• Need collaboration between the network and virtualization admins
(Figure: VMs on VLAN 101 switched locally inside the host.)
Virtual Access Layer @ Virtualized Servers (Cisco Nexus 1000V)
Cisco Nexus 1000V Architecture
(Figure: physical servers running vSphere, each with a Nexus 1000V VEM hosting VMs; two Nexus 1000V VSMs; vCenter.)
Virtual Supervisor Module (VSM)
• Virtual or physical appliance running Cisco NX-OS (supports HA)
• Performs management, monitoring & configuration
• Tight integration with VMware vCenter
Virtual Ethernet Module (VEM)
• Enables advanced networking capability on the hypervisor
• Provides each VM with a dedicated "switch port"
• Collection of VEMs = 1 vNetwork Distributed Switch
Cisco Nexus 1000V Installation
• ESX & ESXi
• VEM is installed/upgraded like an ESX patch
• VUM & manual installation
Single Control and Management Plane
• Even though the Nexus 1000V is a distributed switch, it looks like a single switch from the control plane and management plane perspective
• Protocols like CDP, NetFlow and SNMP are managed from one location, the VSM (Virtual Supervisor Module)
(Figure: hosts A, B and C served by one VSM.)
Nexus 1010: "Virtual Service Blade" Manager
• Nexus 1010 Manager: Cisco management experience; manages virtual service blades
• Hosts multiple Nexus 1000V VSMs and, optionally, the Network Analysis Module*
* Optional virtual service blade add-on
Distributed Data Plane
• The Virtual Ethernet Module (VEM) is in the data path
• The Virtual Supervisor Module only performs control plane and management functions
• Each Virtual Ethernet Module forwards packets independently of the others
(Figure: hosts A–F, each forwarding locally.)
Virtual Service Nodes @ Virtualized Servers
Nexus 1000V with Virtualized Services (VSN): Virtual Security Gateway, vWAAS
VSN Deployment Models (Virtual Service Nodes)
1. Traditional service nodes: redirect VM traffic via VLANs to external (physical) appliances with virtual contexts; the Web Server, App Server and Database Server VMs on the hypervisor are served by hairpinning their traffic out over VLANs
2. Virtual Service Nodes: apply hypervisor-based network services, with the VSNs running next to the Web Server, App Server and Database Server VMs
Single VNMC Manager
(Figure: one VNMC managing Tenant 1 and Tenant 2, each with its own VDC and vApp, on a Nexus 1000V over the VMware hypervisor running on UCS (physical web servers).)
vPATH Interception on the Nexus 1000V
• vPATH interception is configured on the server VM's port profile in both directions (in/out) to redirect traffic to a VSN
• Server traffic is intercepted by vPATH in the VEM and redirected to a VSN
• VSN egress traffic is forwarded to the upstream switch without further vPATH interception
(Figure: Server VM → VEM (vPATH interception in/out) → VSN; the VSM controls the VEM.)
Cisco Virtual Security Gateway (VSG)
Intelligent Traffic Steering with vPATH
(Figure, built up over five slides: VMs on a Nexus 1000V distributed virtual switch with vPATH, one VSG, and the VNMC managing it.)
1. Initial packet flow: the first packet of a new flow is intercepted by vPATH and redirected to the VSG
2. Flow access control: the VSG evaluates the flow against its policy and logs/audits the decision
3. Decision caching: the VSG returns the permit/deny decision and vPATH caches it for that flow
4. ACL offloaded to the Nexus 1000V: the remaining packets of the flow are enforced by vPATH in the VEM and never reach the VSG
Cisco Virtual Security Gateway (VSG)
A Better Security Solution
Virtual Security Gateway (VSG)
• Context-aware security: VM context-aware rules
• Zone-based controls: establish zones of trust
• Dynamic, agile: policies follow vMotion
• Best-in-class architecture: efficient, fast, scale-out software
Virtual Network Management Center (VNMC)
• Non-disruptive operations: the security team manages security
• Policy-based administration: central management, scalable deployment, multi-tenancy
• Designed for automation: XML API, security profiles
vWAAS vPATH Interception
• Interception based on the port-profile policy configured in the Nexus 1000V
• Bidirectional interception (no IN/OUT configuration)
• Pass-through traffic is automatically bypassed
(Figure: Web Server 1, App Server and vWAAS on a VMware ESXi server (Cisco UCS x86) with Nexus 1000V vPATH; the Nexus 1000V VSM and vCenter Server alongside.)
Server I/O Virtualization
(Figure: FIP-capable top-of-rack Nexus 5000/5500 & Nexus 2000/2200, Nexus 5500 & Nexus 4000, and Cisco UCS.)
Fabric Extender Evolution
Distributed Modular System
One Network: Parent Switch to Top of Rack
FEX Architecture
• Consolidates network management
• FEX managed as a line card of the parent switch
• Uses pre-standard IEEE 802.1Qbh*
(Figure: the network administrator manages the parent switch and the FEX as one; legacy servers, where many applications require multiple interfaces, attach to the FEX.)
*IEEE 802.1Qbh pre-standard
Fabric Extender Evolution
Distributed Modular System
One Network: Parent Switch to Adapter
Adapter FEX
• Consolidates multiple 1Gb interfaces into a single 10Gb interface
• Extends the network into the server
• Uses pre-standard IEEE 802.1Qbh*
*IEEE 802.1Qbh pre-standard
Fabric Extender Evolution
Distributed Modular System
One Network: Virtual Same As Physical
VM-FEX
• Consolidates the virtual and physical network
• Each VM gets a dedicated port on the switch
• Uses pre-standard IEEE 802.1Qbh*
(Figure: without VM-FEX the VM network inside the hypervisor is managed by the server administrator; with VM-FEX it becomes part of the network administrator's domain.)
*IEEE 802.1Qbh pre-standard
Fabric Extender Evolution
Distributed Modular System
One Network: Parent Switch to Application, Single Point of Management
• FEX architecture: consolidates network management; FEX managed as a line card of the parent switch
• Adapter FEX: consolidates multiple 1Gb interfaces into a single 10Gb interface; extends the network into the server
• VM-FEX: consolidates the virtual and physical network; each VM gets a dedicated port on the switch
• Manage the network all the way to the OS interface, physical and virtual
*IEEE 802.1Qbh pre-standard (the port-extension work later moved to IEEE 802.1BR)
Introduction to the Cisco UCS VIC
Mezzanine card for B-Series and C-Series
Converged Network Adapter (CNA) designed for both single-OS and VM-based deployments
• Virtualized in hardware
• PCIe compliant
10GbE / FCoE, high performance
• 2x 10Gb
• 500K+ IOPS
The OS/hypervisor sees up to ~58 distinct PCIe devices
• Ethernet vNIC and FC vHBA (user-definable vNICs 0, 1, 2, 3 … 58 as Eth, FC, FC, Eth, …)
• Management from the network
VM-FEX (aka VN-Link in hardware): ideal for virtualization environments
• Bypass the vSwitch to deliver VN-Link in hardware
• Tight integration with VMware vCenter
(Figure: PCIe x16 card.)
VN-Link Feature Summary
Deployment options, ordered from greatest flexibility/scalability, richest feature set and fastest time to market to highest performance and best I/O management:
• Generic adapter + Nexus 1000V (VN-Link in software)
• Cisco VIC + Nexus 1000V (VN-Link in software; suggested deployment)
• Cisco VIC as Adapter FEX + Nexus 1000V
• Cisco VIC as VM-FEX + UCS 6100 (VM-FEX, VN-Link in hardware)
• Cisco VIC as VM-FEX + UCS 6100 with VMDirectPath (VM-FEX, VN-Link in hardware)
Optimizing I/O in Virtual Environments
Scenario 1: Software VN-Link and VIC
VN-Link in software = Nexus 1000V
• Each VM vNIC connects to the Nexus 1000V hypervisor switch
• Nexus 1000V switch uplinks connect to multiple distinct Cisco virtual interfaces (VIFs) on the Cisco virtualized adapter
Likely use case:
• Customer has already standardized on Nexus 1000V
• Customer deployment needs higher scalability and number of VMs
Optimizing I/O in Virtual Environments
Scenario 2: Hardware VN-Link (VM-FEX)
(Figure: Cisco VIC adapter exposing dVIF1 … dVIF52 to VMs, dVIF53 (Veth5, profile VMK) to the VMkernel and dVIF54 (Veth10, profile COS) to the Service Console.)
VM-FEX (aka VN-Link in hardware)
• Each VM vNIC maps to a different virtual interface (VIF)
• I/O to/from the VM enters the Cisco hypervisor switch module and passes through to the Cisco VIF (switching is not done on the CPU)
Likely use case:
• Customer benefits from centralized management through UCSM
• Customer needs higher performance
Network Behavior and Characteristics
• Ethernet is non-deterministic.
  Flow control is destination-based
  Relies on TCP drop-retransmission / sliding window
• Fibre Channel is deterministic.
  Flow control is source-based (B2B credits)
  Services are fabric integrated (no loop concept)
Data Center Bridging (DCB) Features
Priority-based Flow Control (PFC)
• Enables lossless fabrics for each class of service
• PAUSE sent per virtual lane when the buffer limit is exceeded
• Network resources are partitioned between VLs (e.g. input buffer and output queue)
• The switch behavior is negotiable per VL
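An added example (not Cisco code and not text from the standard) that builds and parses the PFC frame defined by IEEE 802.3bd (MAC Control EtherType 0x8808, opcode 0x0101, a priority-enable vector and eight 16-bit pause quanta) and models an egress port with one queue per virtual lane, so that a PAUSE for the FCoE priority holds that lane while the other classes keep transmitting. The switch MAC and the payload strings are constructed; the model does not count the pause quanta down over time, it holds a lane until a PFC frame with zero quanta resumes it.

```python
"""Build and parse IEEE 802.3bd PFC frames and model an egress port with one
queue per virtual lane, so a PAUSE for one priority holds only that lane.
Added illustration, not Cisco code and not text from the standard; the switch
MAC and the payload strings are constructed. The model does not count the pause
quanta down over time: a lane stays paused until a PFC frame with zero quanta
resumes it."""

import struct
from typing import Dict, List, Tuple

PFC_DST_MAC = bytes.fromhex("0180c2000001")   # MAC Control multicast; link-local, bridges do not forward it
MAC_CONTROL_ETHERTYPE = 0x8808
PFC_OPCODE = 0x0101                           # classic link-wide PAUSE uses opcode 0x0001
PFC_BODY = struct.Struct("!HH8H")             # opcode, priority-enable vector, 8 x pause quanta (512 bit times)


def build_pfc_frame(src_mac: bytes, pause_quanta: Dict[int, int]) -> bytes:
    """PFC frame pausing each listed priority for the given quanta; 0 quanta resumes the lane."""
    enable_vector = 0
    times = [0] * 8
    for prio, quanta in pause_quanta.items():
        if not (0 <= prio <= 7 and 0 <= quanta <= 0xFFFF):
            raise ValueError("priority must be 0-7 and quanta 0-65535")
        enable_vector |= 1 << prio                # low byte of the vector = priorities 0-7
        times[prio] = quanta
    frame = (PFC_DST_MAC + src_mac + struct.pack("!H", MAC_CONTROL_ETHERTYPE)
             + PFC_BODY.pack(PFC_OPCODE, enable_vector, *times))
    return frame + b"\x00" * (60 - len(frame))    # pad to the minimum frame size (FCS not included)


def parse_pfc_frame(frame: bytes) -> Dict[int, int]:
    """Return {priority: quanta} for the priorities whose enable bit is set; reject anything else."""
    if len(frame) < 14 + PFC_BODY.size or frame[:6] != PFC_DST_MAC:
        raise ValueError("not a MAC Control frame to the PFC multicast address")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    opcode, enable_vector, *times = PFC_BODY.unpack(frame[14:14 + PFC_BODY.size])
    if ethertype != MAC_CONTROL_ETHERTYPE or opcode != PFC_OPCODE:
        raise ValueError("not a PFC frame")
    return {p: times[p] for p in range(8) if enable_vector & (1 << p)}


class PfcPort:
    """Egress port with eight virtual lanes; PFC pauses lanes individually."""

    def __init__(self) -> None:
        self.paused = [0] * 8                     # remaining quanta per priority
        self.sent: List[Tuple[int, bytes]] = []
        self.held: List[Tuple[int, bytes]] = []   # waiting in the lane's own buffer, not dropped

    def apply_pfc(self, frame: bytes) -> None:
        for prio, quanta in parse_pfc_frame(frame).items():
            self.paused[prio] = quanta

    def transmit(self, prio: int, data: bytes) -> bool:
        if self.paused[prio]:
            self.held.append((prio, data))
            return False                          # the lossless class waits
        self.sent.append((prio, data))
        return True                               # other classes are unaffected


def run_scenario() -> dict:
    src = bytes.fromhex("0011223344aa")           # constructed switch MAC
    port = PfcPort()
    pause_fcoe = build_pfc_frame(src, {3: 0xFFFF})   # pause only priority 3 (the usual FCoE class)
    port.apply_pfc(pause_fcoe)
    fcoe_sent = port.transmit(3, b"FCoE frame")
    lan_sent = port.transmit(0, b"LAN frame")
    port.apply_pfc(build_pfc_frame(src, {3: 0}))     # zero quanta: resume priority 3
    fcoe_resumed = port.transmit(3, b"FCoE frame 2")
    return {
        "frame_len": len(pause_fcoe),
        "parsed": parse_pfc_frame(pause_fcoe),
        "fcoe_sent_while_paused": fcoe_sent,
        "lan_sent_while_paused": lan_sent,
        "fcoe_after_resume": fcoe_resumed,
        "held": len(port.held),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The parser refuses a classic PAUSE (opcode 0x0001) and any frame not addressed to the MAC Control multicast, which is the check a receiver needs before it lets a frame stop one of its queues.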
DCB / FCoE Related Standards
• FCoE is fully defined in the FC-BB-5 standard (since June 2009)
• FCoE works with additional technologies to make I/O consolidation a reality
(Figure: T11 FC-BB-5, "FC on other network media" (FCoE), alongside IEEE 802.1 DCB: PFC for lossless Ethernet (802.1Qbb), ETS for priority grouping (802.1Qaz) and DCBX for configuration verification (802.1Qaz).)

Standard / Feature                                                                                     | Status of the standard
T11 FC-BB-5: Fibre Channel over Ethernet (FCoE)                                                        | Standard (Jun 3, 2009)
IEEE 802.1Qbb: Priority-based Flow Control (PFC)                                                       | Forwarded to RevCom for publication in April 2011
IEEE 802.3bd: Frame format for PFC                                                                     | Forwarded to RevCom for publication in April 2011
IEEE 802.1Qaz: Enhanced Transmission Selection (ETS) and Data Center Bridging eXchange protocol (DCBX) | Forwarded to RevCom for publication in April 2011
Fibre Channel over Ethernet (FCoE) at a Glance
FCoE
• Mapping of FC frames over Ethernet
• Enables FC to run on a lossless Data Center Ethernet network
• Interoperates with existing SANs
• No gateway: stateless
• Standard: June 3, 2009
Benefits
• Wire the server once
• Fewer cables and adapters
• Software provisioning of I/O
Unified I/O Architecture Consolidation
(Figure: without consolidated I/O each server has separate Ethernet links to the LAN and FC links to SAN A and SAN B; with I/O consolidation over FCoE each server has one FCoE link to a Nexus 5000, which splits out Ethernet to the LAN and FC to SAN A and SAN B.)
SAN & Storage
SAN Core and SAN Edge: VSAN, NPIV, NPV, and Storage Access
Virtual Storage Area Networks (VSAN)
• Consolidation of SAN islands
  Increased utilization of fabric ports with just-in-time provisioning
• Deployment of large fabrics
  Dividing a large fabric into smaller VSANs
  Disruptive events isolated per VSAN
  RBAC for administrative tasks
  Zoning is independent per VSAN
• Advanced traffic management
  Defining the paths for each VSAN
  VSANs may share the same EISL
  Cost effective on WAN links
• Resilient SAN extension
• Standard solution (ANSI T11 FC-FS-2 section 10)
(Figure: SAN islands for Departments A, B and C consolidated into Virtual SANs (VSANs) on one physical fabric.)
Understanding VSANs (or Virtual Fabrics)
(Figure: a Production SAN, a Test SAN and a Tape SAN, first as six separate physical fabrics SAN A–SAN F (Domain IDs 1–6), then the same three SANs carried as VSANs on a consolidated fabric (Domain IDs 7 and 8).)
What is NPIV?
• N_Port ID Virtualization (NPIV) provides a means to assign multiple FC IDs to a single N_Port.
• This feature was intended to allow multiple applications to share the same Fibre Channel HBA.
• The use of different pWWNs allows access control, zoning, and port security to be implemented at the application level.
• Usage applies to applications such as VMware vSphere, Microsoft Hyper-V and Citrix XenServer.
(Figure: one application server HBA attached to an FC switch F_Port, with Email I/O on N_Port_ID 1, Web I/O on N_Port_ID 2 and File Services I/O on N_Port_ID 3.)
What is NPV?
• N_Port Virtualization (NPV) utilizes NPIV functionality to allow a "switch" to act like a server doing multiple logins through one physical link.
• Real servers connected (via CNAs) to a Nexus 5x00 do not log in to the Nexus 5x00 but to the upstream FC switch. The same applies to FC edge switches (e.g. MDS blade switches and MDS 91xx FC fabric switches).
• No local switching is done on an FC switch in NPV mode.
• An FC edge switch in NPV mode does NOT take up a Domain ID.
(Figure: Server1, Server2 and Server3 attach on Eth1/1, Eth1/2 and Eth1/3 of an NPV device (Nexus 5x00, MDS 91xx, MDS blade switch or UCS Fabric Interconnect), which logs them in through the FC core switch's F_Port as N_Port_ID 1, 2 and 3.)
NPV on FC Blade Switches
• Eliminates the edge FC switch Domain ID
• The edge FC switch acts as an NPIV host
• Simplifies server and SAN management and operations
• Increases fabric scalability
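The NPIV and NPV mechanisms of the last three slides, as one added example in Python (not Cisco code): a core switch that answers FLOGI and FDISC with N_Port_IDs built from its Domain ID, an area and a port byte; an NPV edge switch that logs its uplink in once and proxies every server FLOGI as an FDISC; and zoning evaluated per pWWN. The pWWNs, area numbers and zone names are constructed. The check worth noticing is the model's rejection of a duplicate pWWN at login (what port security provides on a real fabric): with per-pWWN zoning, a host presenting another host's WWN would otherwise inherit that host's zone membership.

```python
"""Model of Fibre Channel fabric login with NPIV and an NPV edge switch. A
physical N_Port does one FLOGI and then one FDISC per additional pWWN (NPIV);
an NPV switch logs its uplink in with FLOGI and turns every server FLOGI it
receives into an FDISC on that uplink, so it consumes no Domain ID and the core
sees one N_Port with many N_Port_IDs. Zoning is evaluated per pWWN. Added
illustration, not Cisco code; the FC ID layout is the standard domain/area/port
split, and the pWWNs, areas and zone names are constructed."""

from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class CoreSwitch:
    domain_id: int                                           # one per real FC switch, 1-239 per fabric
    zones: Dict[str, Set[str]] = field(default_factory=dict)  # zone name -> member pWWNs
    logins: Dict[str, int] = field(default_factory=dict)     # pWWN -> N_Port_ID (24-bit FC ID)
    next_port: Dict[int, int] = field(default_factory=dict)  # area -> next free port byte

    def _alloc(self, area: int) -> int:
        port = self.next_port.get(area, 1)
        if port > 0xFF:
            raise RuntimeError("area exhausted")
        self.next_port[area] = port + 1
        return (self.domain_id << 16) | (area << 8) | port

    def flogi(self, pwwn: str, area: int) -> int:
        """FLOGI from a physical N_Port attached to F_Port 'area': returns a fresh N_Port_ID."""
        if pwwn in self.logins:
            raise PermissionError(f"{pwwn} is already logged in")   # port security: no duplicate WWN
        self.logins[pwwn] = self._alloc(area)
        return self.logins[pwwn]

    def fdisc(self, parent_pwwn: str, vport_pwwn: str) -> int:
        """NPIV: a logged-in N_Port asks for another N_Port_ID for a further pWWN on the same link."""
        if parent_pwwn not in self.logins:
            raise PermissionError("FDISC before FLOGI is rejected")
        if vport_pwwn in self.logins:
            raise PermissionError(f"{vport_pwwn} is already logged in")
        area = (self.logins[parent_pwwn] >> 8) & 0xFF            # same area as the physical port
        self.logins[vport_pwwn] = self._alloc(area)
        return self.logins[vport_pwwn]

    def zone_allows(self, a: str, b: str) -> bool:
        """Default deny: two pWWNs may talk only if both are logged in and share a zone."""
        if a not in self.logins or b not in self.logins:
            return False
        return any(a in members and b in members for members in self.zones.values())


class NpvSwitch:
    """Edge switch in NPV mode: toward the core it behaves like an NPIV-capable host."""

    def __init__(self, core: CoreSwitch, uplink_pwwn: str, core_area: int) -> None:
        self.core = core
        self.uplink_pwwn = uplink_pwwn
        self.uplink_fcid = core.flogi(uplink_pwwn, core_area)   # the NP uplink logs in once
        self.servers: Dict[str, int] = {}

    @property
    def domain_id(self) -> Optional[int]:
        return None                                            # NPV mode takes no Domain ID

    def server_flogi(self, server_pwwn: str) -> int:
        """A server FLOGI on an NPV F_Port is proxied upstream as FDISC; nothing is switched locally."""
        fcid = self.core.fdisc(self.uplink_pwwn, server_pwwn)
        self.servers[server_pwwn] = fcid
        return fcid


def run_scenario() -> dict:
    core = CoreSwitch(domain_id=5)
    storage_email, storage_web = "50:06:01:60:00:00:00:01", "50:06:01:60:00:00:00:02"
    vm_email, vm_web = "21:00:00:00:00:00:00:11", "21:00:00:00:00:00:00:12"
    core.zones["z_email"] = {vm_email, storage_email}          # zoning per application pWWN
    core.zones["z_web"] = {vm_web, storage_web}
    core.flogi(storage_email, area=0x10)
    core.flogi(storage_web, area=0x10)
    # NPIV: one hypervisor HBA logs in, then one FDISC per VM pWWN.
    hba = "20:00:00:00:00:00:00:10"
    hba_fcid = core.flogi(hba, area=0x20)
    email_fcid = core.fdisc(hba, vm_email)
    web_fcid = core.fdisc(hba, vm_web)
    # NPV: a blade/edge switch with two servers behind it.
    npv = NpvSwitch(core, uplink_pwwn="20:00:00:00:00:00:00:30", core_area=0x30)
    s1 = npv.server_flogi("21:00:00:00:00:00:00:31")
    s2 = npv.server_flogi("21:00:00:00:00:00:00:32")
    return {
        "hba_fcid": hba_fcid, "email_fcid": email_fcid, "web_fcid": web_fcid,
        "npv_uplink_fcid": npv.uplink_fcid, "s1": s1, "s2": s2,
        "npv_domain_id": npv.domain_id,
        "domains_in_use": len({fcid >> 16 for fcid in core.logins.values()}),
        "email_to_own_lun": core.zone_allows(vm_email, storage_email),
        "email_to_web_lun": core.zone_allows(vm_email, storage_web),
        "hba_to_any_lun": core.zone_allows(hba, storage_email),
    }


if __name__ == "__main__":
    print(run_scenario())
```

Every FC ID handed out carries Domain ID 5, whether it went to a storage port, to a VM behind the NPIV HBA or to a server behind the NPV switch, which is the scalability point of the slides: the fabric still counts one domain. The physical HBA's own pWWN is in no zone, so only the per-VM pWWNs can reach their storage.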
Q&A