Nexus 1000V in Context of SDN

Martin Divis, CSE, [email protected]

Why Cisco Nexus 1000V: Losing the Edge

§ The server admin manages virtual switching (one vSwitch per host), while the network admin only manages the rest of the network
§ Unsupervised VM-to-VM communication
§ VMs end up on the wrong VLANs
§ No network visibility or control from the network side: no policy and no VLAN control

Presentation_ID Cisco and/or its affiliates. All rights reserved. Cisco Public

Why Cisco Nexus 1000V: Finding it back

§ Nexus 1000V: a distributed virtual switch spanning the hosts
§ The server admin is freed from managing the network
§ Virtual switching is managed by the network admin, with full network policy control and visibility


Cisco Nexus 1000V Overview

§ Virtual appliance, managed by the network admin: VSM1 and VSM2, the Virtual Supervisor Modules
§ Hypervisor hosts, managed by the server admin: VEM-1 … VEM-N, one Virtual Ethernet Module per hypervisor
§ Analogy to a modular switch: VSM1/VSM2 play the role of Supervisor-1/Supervisor-2, VEM-1 … VEM-N play the role of Linecard-1 … Linecard-N, and the network between them replaces the backplane
§ VSM: Virtual Supervisor Module; VEM: Virtual Ethernet Module

Why Not Configure Virtual Ports?

§ Too many ports, and they move too fast
§ Network admin needs sanity
§ Server admin needs freedom
  – To deploy and move virtual machines
  – To deploy and move physical hosts

Configuring each virtual port by hand, the way physical access ports are configured, does not scale:

  switch# int gi1/0/35
  switchport mode access
  switchport access vlan 23
  etc…
  switch# int gi1/0/47
  switchport mode access
  switchport access vlan 23
  etc…
  switch# int gi1/0/21
  switchport mode access
  switchport access vlan 23
  etc…
  switch# int gi1/0/17
  switchport mode access
  switchport access vlan 23
  etc…

Cisco Nexus 1000V Architecture

§ Virtual appliances running on top of the Nexus 1000V: ASA 1000V, N1KV VSM, Cisco VSG, Cisco vWAAS, CSR1000V, Citrix VPX*, Imperva WAF*
§ Virtual Service Data Path (vPath): embeds intelligence for virtual services
  – Service chaining (traffic steering)
  – Fast-path offload
§ Virtual Extensible LAN (VXLAN): scales LAN segments, DC-wide VM mobility
  – LAN segment across Layer 3
  – Works with the existing network infrastructure (VXLAN-aware)
  – 16 million segments
§ Network fabric: Ethernet/IP
§ Hypervisors: ESX, Hyper-V, KVM

* To be released in CY13

vPath – Service Chaining

§ A Service Path defines the service chain: an ordered list of service profiles (e.g. security profile, edge profile, SLB profile)
§ Traffic Selector rules are used to configure the Service Table in vPath
§ An endpoint VM is associated with a Service Path via Port-Profile binding
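To make the three bullets concrete, here is an added Python model of the steering decision that the slide describes; it is not Cisco code and not the real vPath implementation. The service path, the selector fields, the port-profile and profile names ("web-tier", "pp-web", "security-profile", "slb-profile") and the flow key are all assumptions chosen for illustration. It shows the ordered chain being derived from the port-profile binding plus the traffic selectors, and the fast-path offload from the previous slide: once a service node has decided a flow, later packets of that flow skip it.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """Hypothetical 4-tuple used as the flow-cache key (assumption)."""
    src_ip: str
    dst_ip: str
    proto: str          # "tcp", "udp", "icmp"
    dst_port: int       # 0 for protocols without ports


@dataclass
class TrafficSelector:
    """Traffic Selector rule: which flows a service profile should see. None = wildcard."""
    dst_net: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, flow: Flow) -> bool:
        if self.dst_net is not None and ip_address(flow.dst_ip) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != flow.proto:
            return False
        if self.dst_port is not None and self.dst_port != flow.dst_port:
            return False
        return True


@dataclass
class ServicePath:
    """The service chain: an ordered list of (service profile, selector)."""
    name: str
    hops: List[Tuple[str, TrafficSelector]]


class VPath:
    """Toy per-VEM steering engine (illustrative structure, not the real vPath)."""

    def __init__(self) -> None:
        self.paths: Dict[str, ServicePath] = {}
        self.bindings: Dict[str, str] = {}          # port-profile -> service path name
        self.flow_cache: Dict[Tuple[str, Flow], List[str]] = {}

    def add_path(self, path: ServicePath) -> None:
        self.paths[path.name] = path

    def bind(self, port_profile: str, path_name: str) -> None:
        """Port-profile binding: every VM on this port-profile gets this service path."""
        if path_name not in self.paths:
            raise KeyError(f"unknown service path {path_name}")
        self.bindings[port_profile] = path_name

    def steer(self, port_profile: str, flow: Flow) -> List[str]:
        """Ordered list of service profiles a packet of this flow is steered through."""
        key = (port_profile, flow)
        cached = self.flow_cache.get(key)
        if cached is not None:
            return cached                           # fast path: no service-table lookup
        path = self.paths.get(self.bindings.get(port_profile, ""))
        if path is None:
            chain: List[str] = []                   # no binding: forwarded without services
        else:
            chain = [profile for profile, sel in path.hops if sel.matches(flow)]
        self.flow_cache[key] = chain
        return chain

    def offload(self, port_profile: str, flow: Flow, profile: str) -> List[str]:
        """Fast-path offload: the service node has decided the flow, so later packets skip it."""
        key = (port_profile, flow)
        self.flow_cache[key] = [p for p in self.steer(port_profile, flow) if p != profile]
        return self.flow_cache[key]


def demo() -> Tuple[List[str], List[str], List[str], List[str]]:
    """Constructed scenario: a web tier with a security profile in front of a load balancer."""
    vpath = VPath()
    vpath.add_path(ServicePath("web-tier", [
        ("security-profile", TrafficSelector()),                       # firewall sees all traffic
        ("slb-profile", TrafficSelector(proto="tcp", dst_port=443)),   # load balancer: HTTPS only
    ]))
    vpath.bind("pp-web", "web-tier")
    https = Flow("10.1.1.10", "10.2.2.20", "tcp", 443)
    ssh = Flow("10.1.1.10", "10.2.2.20", "tcp", 22)
    first_https = list(vpath.steer("pp-web", https))         # full chain on the first packet
    ssh_chain = vpath.steer("pp-web", ssh)                    # SLB selector does not match
    after_offload = vpath.offload("pp-web", https, "security-profile")
    unbound = vpath.steer("pp-mgmt", https)                   # port-profile without a service path
    return first_https, ssh_chain, after_offload, unbound
```

The order of `hops` is the order the packet visits the services, which is why the security profile is listed before the load balancer; a selector that does not match simply removes that hop for the flow rather than dropping the packet.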

VxLAN Deep Dive – Overlays: Why Overlays?

§ Robust Underlay/Fabric
  – High capacity, resilient fabric
  – Intelligent packet handling
  – Scale
  – Programmable and manageable
§ Flexible Overlay Virtual Network
  – Mobility: track end-point attach at the edges
  – Reduce core state: distribute and partition state to the network edge
  – Flexibility/programmability: reduced number of touch points

VxLAN Deep Dive – Overview: Virtual eXtensible LAN (VXLAN)

• VXLAN is a Layer 2 overlay scheme over a Layer 3 network.
• A 24-bit VXLAN Segment ID or VXLAN Network Identifier (VNI) is included in the encapsulation to provide up to 16M VXLAN segments for traffic isolation/segmentation, in contrast to the 4K segments achievable with VLANs.
• Each of these segments represents a unique Layer 2 broadcast domain, and can be administered in such a way that it uniquely identifies a given tenant's address space or subnet.

Original frame: Ethernet Header | Payload | FCS
Encapsulated frame: Outer Ethernet | Outer IP | Outer UDP | VXLAN header | Inner Ethernet | Payload | New FCS
VXLAN header (8 bytes): Flags (1 byte) | Reserved (3 bytes) | Segment ID / VNI (3 bytes) | Reserved (1 byte)
Outer UDP destination port = VXLAN (originally 8472, recently updated to 4789)
Outer UDP source port = hash of the inner frame headers (optional)

VxLAN Deep Dive – Overview: VTEP – Handling of Multi-Destination Traffic

• Since a control/signaling protocol has not been defined, emulation of multi-destination traffic (Broadcast, Multicast, Unknown Unicast) is handled through the VXLAN IP underlay through the use of per-segment control multicast groups…
• VTEP: implemented in software or hardware. Required for a VxLAN gateway.
• Note: VxLAN 1.1 added a control/signaling mechanism via a centralized agent; in the case of the Nexus 1000V it is the VSM.

Topology: End System A (MAC-A, IP-A) – VTEP 1 (IP-1) – IP Network with the segment's Mcast Group – VTEP 2 (IP-2) – End System B (MAC-B, IP-B); a third VTEP 3 (IP-3) also joins the group.
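The header layout and the flood-and-learn behaviour of the two slides above, as an added Python example (not Cisco code, not the Nexus 1000V implementation; it follows the RFC 7348 data plane without any control protocol). The VTEP IPs, MACs, VNIs and the multicast group are constructed values. It encodes and parses the 8-byte header, derives the entropy UDP source port from the inner headers, floods broadcast/unknown-unicast traffic to the segment's multicast group, learns the inner-MAC-to-VTEP mapping from received packets, and drops a PDU whose VNI does not match even when it arrives from a shared multicast group.

```python
import struct
import zlib

VXLAN_UDP_PORT = 4789        # IANA port (RFC 7348); 8472 was the pre-standard default
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field is valid
ETH_HDR_LEN = 14


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def parse_vxlan_header(pdu: bytes):
    """Return (vni, inner_frame); reject truncated PDUs and headers without the I flag."""
    if len(pdu) < 8 + ETH_HDR_LEN:
        raise ValueError("truncated VXLAN PDU")
    if not pdu[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return int.from_bytes(pdu[4:7], "big"), pdu[8:]


def build_ethernet(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    return dst + src + struct.pack("!H", ethertype) + payload


def vxlan_source_port(inner_frame: bytes) -> int:
    """Entropy source port: hash of the inner headers (first 40 bytes here) so the underlay can ECMP flows."""
    return 49152 + zlib.crc32(inner_frame[:40]) % 16384   # ephemeral range 49152-65535


class VTEP:
    """Flood-and-learn VTEP for one segment, no control plane (constructed example)."""

    def __init__(self, ip: str, vni: int, mcast_group: str) -> None:
        self.ip = ip
        self.vni = vni
        self.mcast_group = mcast_group          # segment's multicast group for BUM traffic
        self.mac_to_vtep = {}                   # inner MAC -> remote VTEP IP, learned on receive

    def encapsulate(self, inner_frame: bytes):
        """Outbound: (outer_dst_ip, udp_src_port, udp_dst_port, vxlan_pdu)."""
        dst = inner_frame[0:6]
        bum = bool(dst[0] & 0x01) or dst not in self.mac_to_vtep   # bcast/mcast or unknown unicast
        outer_dst = self.mcast_group if bum else self.mac_to_vtep[dst]
        pdu = build_vxlan_header(self.vni) + inner_frame
        return outer_dst, vxlan_source_port(inner_frame), VXLAN_UDP_PORT, pdu

    def receive(self, outer_src_ip: str, udp_dst_port: int, pdu: bytes):
        """Inbound: decapsulate, learn (inner src MAC -> outer src IP); None if not for this segment."""
        if udp_dst_port != VXLAN_UDP_PORT:
            return None
        vni, inner = parse_vxlan_header(pdu)
        if vni != self.vni:
            return None                          # another segment's traffic: never deliver it
        self.mac_to_vtep[inner[6:12]] = outer_src_ip
        return inner


def demo():
    """The slide's topology: End System A behind VTEP-1, End System B behind VTEP-2, VTEP-3 on another VNI."""
    mac_a = bytes.fromhex("020000000a0a")      # constructed locally-administered MACs
    mac_b = bytes.fromhex("020000000b0b")
    vtep1 = VTEP("10.0.0.1", 5000, "239.1.1.1")
    vtep2 = VTEP("10.0.0.2", 5000, "239.1.1.1")
    vtep3 = VTEP("10.0.0.3", 6000, "239.1.1.1")   # same group, different VNI
    # 1) A broadcasts (ARP request): destination unknown, so VTEP-1 floods to the multicast group
    arp_req = build_ethernet(b"\xff" * 6, mac_a, 0x0806, b"\x00" * 28)
    dst1, _, dport, pdu1 = vtep1.encapsulate(arp_req)
    # 2) VTEP-2 gets the flooded copy and learns MAC-A -> IP-1; VTEP-3 drops it on the VNI check
    vtep2.receive(vtep1.ip, dport, pdu1)
    leaked = vtep3.receive(vtep1.ip, dport, pdu1)
    # 3) B replies unicast to A: VTEP-2 now sends directly to IP-1, and VTEP-1 learns MAC-B -> IP-2
    arp_rep = build_ethernet(mac_a, mac_b, 0x0806, b"\x00" * 28)
    dst2, _, _, pdu2 = vtep2.encapsulate(arp_rep)
    delivered = vtep1.receive(vtep2.ip, VXLAN_UDP_PORT, pdu2)
    return {
        "first_outer_dst": dst1,
        "reply_outer_dst": dst2,
        "vtep2_learned": vtep2.mac_to_vtep[mac_a],
        "vtep1_learned": vtep1.mac_to_vtep[mac_b],
        "cross_vni_leak": leaked,
        "reply_delivered": delivered == arp_rep,
    }
```

Two points worth noticing: the mapping is learned from whatever outer source IP the packet carried, so without the VSM-based control plane of VxLAN 1.1 (or an underlay that filters who may send to the multicast group) any host on the underlay can populate a VTEP's table; and the VNI check in `receive` is the only thing separating tenants, so a gateway must never accept a VNI it is not configured for.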

VxLAN implementations today

§ Nexus 1000V (L2) – network in the server virtualization context – vCenter, Hyper-V, KVM, OpenStack
§ Nexus 3100 (L2), 5600 (L2, L3), 9000 (L2, L3) – gateway
§ Cisco ASR 1000 (L2, L3), 9000 (L2, L3) – gateway
§ VMware vShield & DVS (L2)
§ VMware NSX (L2, L3) – alternatively can use STT – can use a limited number of switch models for a HW gateway (L2)
§ Many other chipset & HW vendors (L2)

REST API

Open RPC API – extensible to support REST (programmability over HTTP)

HTTP GET http://192.168.133.131/api/vlan

{
  "1": {
    "url": "/api/vlan/1",
    "properties": { "id": 1, "state": "active", "name": "default", "shutdown": false }
  },
  "5": {
    "url": "/api/vlan/5",
    "properties": { "id": 5, "state": "active", "name": "dbs", "shutdown": false }
  }
}

Nexus 1000v REST API Services

§ VLAN, VXLAN
§ Port-Profiles
§ Virtual Service Nodes, vPath
§ SPAN ports
§ User access
§ Hypervisor-dependent operations, mostly read only
  – License
  – Connectivity
  – vNIC, uplinks, port-profiles
  – Inventory

Warning, warning, warning

§ Nexus 1000v is available for:
  – vSphere
  – Hyper-V
  – KVM
§ And while the features and the CLI are almost the same on all platforms…… the REST API is totally different

OpenStack Neutron Architecture

§ Core API: Network, Port, Subnet
§ Resource and Attribute Extension API: ProviderNetwork, PortBinding, Router, Quotas, SecurityGroups, AgentScheduler, LBaaS, FWaaS, VPNaaS, …
§ Neutron Server
  – Core + Extension REST APIs
  – Message Queue for communicating with the Neutron agents: DHCP Agent, L3 Agent (IPTables) and OVS L2 Agent on the Network Node, OVS on the Compute Node
  – Core and Service plugins
§ Core plugins: different vendor core plugins, different network technology support – ML2, OVS, Cisco (Nexus, N1Kv), more vendor plugins
§ ML2 plugin with Type and Mechanism Drivers
  – Type Drivers: VLAN, GRE, VXLAN
  – Mechanism Drivers: OVS, Cisco Nexus, more vendor drivers
  – Futures: APIC, OpenDayLight
§ Service plugins with backend drivers: Firewall (IPTables), LoadBalancer (HA Proxy), VPN (OpenSwan), L3 Services (HA)
§ Southbound interfaces from the drivers toward the network devices and controllers

Neutron Cisco Nexus1000v Plugin (KVM)

Neutron N1Kv-specific API extension usage:

  neutron network-profile-create PROFILE_NAME vlan --segment_range 400-499
  neutron net-create NETWORK_NAME --n1kv:profile_id PROFILE_ID
  neutron policy-profile-list
  neutron port-create NETWORK_NAME --n1kv:profile_id PROFILE_ID

§ Network Profile (admin): defined in Neutron; on the VSM it corresponds to a Network Segment Pool
§ Policy Profile: defined on the VSM and picked up by the Neutron Cisco N1Kv core plugin through periodic polling; on the VSM it corresponds to a Port Profile
§ Components: Neutron Server with the Cisco N1Kv core plugin talking to the N1Kv VSM over its REST API; Nova compute nodes run the N1Kv VEM carrying the VMs

Benefits:
§ Network Profiles – VLAN, VXLAN (multicast/unicast), Trunk
§ Policy Profiles – ACLs, QoS
§ VXLAN Gateway Service VM

Please rate this talk

• Thank you