Cisco Nexus 1000V Technical Overview

Presentation transcript:

Cisco Nexus 1000V Technical Overview

Agenda
- Introduction
- System Overview
- Switching Overview
- Policy Management
- Advanced Features
- Network Management
- Troubleshooting & Diagnostics
- Design Examples
- Installation

Transparency in the Eye of the Beholder With virtualization, VMs have a transparent view of their resources…

Transparency in the Eye of the Beholder …but it's difficult to correlate network and storage back to virtual machines

Transparency in the Eye of the Beholder Scaling globally depends on maintaining transparency while also providing operational consistency

Scaling Server Virtualization: Networking Challenges
Security & Policy Enforcement
- Applied at the physical server, not the individual VM
- Impossible to enforce policy for VMs in motion
Operations & Management
- Lack of VM visibility, accountability, and consistency
- Inefficient management model and inability to effectively troubleshoot
Organizational Structure
- Muddled ownership, as the server admin must configure the virtual network
- Organizational redundancy creates compliance challenges
The result:
- VM environments are mobile and increasingly complex
- A higher percentage of virtual workloads are mission critical
- Disparate operational models are inefficient
- Lack of visibility impacts problem resolution
- Security and compliance enforcement is missing

VN-Link Brings VM Level Granularity
Problems:
- VMotion may move VMs across physical ports; policy must follow
- Impossible to view or apply policy to locally switched traffic
- Cannot correlate traffic on physical links coming from multiple VMs
VN-Link:
- Extends the network to the VM
- Consistent services
- Coordinated, coherent management

VN-Link With the Cisco Nexus 1000V
- Software based
- Industry's first 3rd-party vNetwork Distributed Switch for VMware vSphere
- Built on Cisco NX-OS
- Compatible with all switching platforms
- Maintains the vCenter provisioning model unmodified for server administration; allows network administration of the virtual network via the familiar Cisco NX-OS CLI
- Policy-based VM connectivity
- Mobility of network and security properties
- Non-disruptive operational model

Cisco Nexus 1000V System Overview

Cisco Nexus 1000V Components
Virtual Ethernet Module (VEM)
- Replaces VMware's virtual switch
- Enables advanced switching capability on the hypervisor
- Provides each VM with dedicated "switch ports"
Virtual Supervisor Module (VSM)
- CLI interface into the Nexus 1000V
- Leverages NX-OS 4.04a
- Controls multiple VEMs as a single network device
(Diagram: a VSM pair and vCenter Server above several VEMs, each VEM hosting VMs.)

Cisco Nexus 1000V 'Virtual Chassis'

    pod5-vsm# show module
    Mod  Ports  Module-Type                       Model               Status
    ---  -----  --------------------------------  ------------------  ------------
    1    0      Virtual Supervisor Module         Nexus1000V          active *
    2    0      Virtual Supervisor Module         Nexus1000V          ha-standby
    3    248    Virtual Ethernet Module           NA                  ok

Single Chassis Management
- A single switch from the control-plane and management-plane perspective
- Protocols such as CDP and SNMP operate as a single switch
As seen from an upstream switch:

    Upstream-Switch#show cdp neighbor
    Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                      S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone
    Device ID        Local Intrfce  Holdtme  Capability  Platform     Port ID
    N1KV-Rack10      Eth 1/8        136      S           Nexus 1000V  Eth2/2
    N1KV-Rack10      Eth 2/10       136      S           Nexus 1000V  Eth3/2

Virtual Supervisor Module Options
VSM-PA (Physical Appliance, 2HCY09)
- Cisco-branded physical server
- Hosts 4 VSM virtual appliances
- Deployed in pairs for redundancy
VSM-VA (Virtual Appliance)
- ESX virtual appliance
- Supports 64 VEMs
- Installable via ISO or OVA file

Cisco Nexus 1000V Scalability
A single Nexus 1000V supports:
- 2 Virtual Supervisor Modules (HA)
- 64* Virtual Ethernet Modules
- 512 active VLANs
- 2048 ports (Eth + Veth)
- 256 port channels
A single Virtual Ethernet Module supports:**
- 216 Veth ports
- 32 physical NICs
- 8 port channels
* 64 VEMs pending final VMware/Cisco scalability testing
** Overall system limits are lower than the VEM limit x 64

Cisco Nexus 1000V Component Communication (cont.)
Two distinct virtual interfaces are used to communicate between the VSM and the VEM:
Control
- Extended AIPC, like the control channel within a physical chassis (6k, 7k, MDS)
- Carries low-level messages to ensure proper configuration of the VEM
- Maintains a 2-second heartbeat from the VSM to the VEM (timeout 6 seconds)
- Maintains synchronization between primary and secondary VSMs
Packet
- Carries network packets from the VEM to the VSM, such as CDP or IGMP control
Separate VLANs are recommended for the two; both require Layer 2 connectivity between VSM and VEM

Cisco Nexus 1000V Component Communication (cont.)
VSM to vCenter Server
- Communication uses the VMware VIM API over SSL
- The connection is set up on the VSM
- Requires installation of a vCenter plug-in (downloaded from the VSM)
- Once established, the Nexus 1000V is created in vCenter

    pod5-vsm# show svs connections
    connection VC:
        hostname: phx2-dc-pod5-vc
        ip address: 10.95.5.158
        protocol: vmware-vim https
        certificate: default
        datacenter name: Phx2-Pod5
        DVS uuid: df 11 38 50 0a 95 83 4e-95 69 d6 a7 f4 76 4a 7f
        config status: Enabled
        operational status: Connected

Cisco Nexus 1000V Opaque Data
- Each Nexus 1000V requires a global setting on the VSMs and VEMs called Opaque Data
- Contains data such as the control/packet VLANs, the Domain ID and the system port profiles
- The VSM pushes the opaque data to vCenter Server
- vCenter Server pushes the opaque data to each VEM when it is added

Cisco Nexus 1000V Domain
- Each VSM is assigned a unique 'Domain ID'
- The Domain ID ensures that VEMs do not respond to commands from non-participating VSMs
- Each packet between VSM and VEM is tagged with the appropriate Domain ID
- Domain IDs range from 1 to 4095
(Diagram: VEMs in domain 15 act on commands tagged DID 15 from the active VSM and ignore commands tagged DID 25 from another VSM.)
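The two VEM-side checks from the last two slides (ignore control traffic tagged with a foreign Domain ID; declare the VSM lost when the 2-second heartbeat is missing for 6 seconds) as an added, runnable model. This is illustration code, not Cisco's, and the message layout, field names and timeline are assumptions constructed for it.

```python
"""Added example (not Cisco code): a VEM-side control-channel model for two
rules the slides state, Domain ID filtering and VSM heartbeat timeout.
Message layout, field names and the timeline are constructed assumptions."""
from dataclasses import dataclass, field

HEARTBEAT_INTERVAL_S = 2   # VSM sends a heartbeat every 2 seconds (slide)
HEARTBEAT_TIMEOUT_S = 6    # VEM declares the VSM lost after 6 seconds (slide)
DOMAIN_ID_MIN, DOMAIN_ID_MAX = 1, 4095


@dataclass
class ControlMessage:
    domain_id: int     # every VSM->VEM packet is tagged with a Domain ID
    kind: str          # "HEARTBEAT" or "CMD"
    sent_at: float     # seconds on a shared clock (constructed)
    payload: str = ""


@dataclass
class Vem:
    domain_id: int
    last_heartbeat: float = 0.0
    applied: list = field(default_factory=list)
    rejected: list = field(default_factory=list)

    def receive(self, msg: ControlMessage) -> str:
        """Return 'applied', 'heartbeat' or 'rejected' for one control message."""
        if not DOMAIN_ID_MIN <= msg.domain_id <= DOMAIN_ID_MAX:
            self.rejected.append((msg.domain_id, "domain id out of range"))
            return "rejected"
        if msg.domain_id != self.domain_id:
            # Command from a VSM in another domain: this VEM does not respond to it.
            self.rejected.append((msg.domain_id, "foreign domain"))
            return "rejected"
        if msg.kind == "HEARTBEAT":
            self.last_heartbeat = msg.sent_at
            return "heartbeat"
        self.applied.append(msg.payload)
        return "applied"

    def vsm_reachable(self, now: float) -> bool:
        """True while the last heartbeat from our own VSM is within the timeout."""
        return now - self.last_heartbeat <= HEARTBEAT_TIMEOUT_S


def run_scenario() -> dict:
    """Replay a constructed message sequence against a VEM in domain 15."""
    vem = Vem(domain_id=15)
    timeline = [
        ControlMessage(15, "HEARTBEAT", 0.0),
        ControlMessage(15, "HEARTBEAT", 2.0),
        ControlMessage(25, "CMD", 3.0, "port-profile Web"),      # other VSM, DID 25
        ControlMessage(15, "HEARTBEAT", 4.0),
        ControlMessage(15, "CMD", 5.0, "switchport access vlan 110"),
        ControlMessage(5000, "CMD", 5.5, "shutdown"),            # DID outside 1-4095
    ]
    results = [vem.receive(m) for m in timeline]
    return {
        "results": results,
        "applied": list(vem.applied),
        "rejected": [reason for _, reason in vem.rejected],
        "reachable_at_10": vem.vsm_reachable(10.0),   # exactly 6 s after last heartbeat
        "reachable_at_11": vem.vsm_reachable(11.0),   # heartbeat overdue: VSM lost
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point to notice is that a command from DID 25 is dropped before anything else is looked at, which is exactly the protection the Domain ID provides against a second VSM on the same control VLAN.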

Cisco Nexus 1000V Switching

Distributed Data Plane
- Each Virtual Ethernet Module forwards packets independently of the others
- No address learning/synchronization across VEMs
- No concept of a crossbar/fabric between the VEMs
- The Virtual Supervisor Module is NOT in the data path
- No concept of forwarding from an ingress linecard to an egress linecard (another server)
- No EtherChannel across VEMs

Cisco Nexus 1000V Switch Interfaces
Ethernet port (Eth)
- 1 per physical NIC interface
- Specific to each module: vmnic0 = EthX/1
- Up to 32 per host
Port channel (Po)
- Aggregation of Eth ports
- Up to 8 port channels per host
Virtual Ethernet port (Veth)
- 1 per vNIC (including Service Console and VMKernel)
- Notation is Veth<port number>; no module number is assigned, so the name stays the same when the VM is moved
- 216 per host

Cisco Nexus 1000V vEth Interface
- vEths are assigned sequentially
- VM vNICs are statically bound to a vEth
- The assignment is persistent through reboots; it may change if the vNIC is reassigned to another port profile
- vEths move between modules when a VM is moved (HA, VMotion, etc.)
- Default virtual 'speed' is Gigabit, as negotiated with the guest OS
- By default performance is un-gated (i.e. a 1Gb vNIC can run faster than 1Gb)
- 2048 vEths supported system-wide

Loop Prevention without STP
- BPDUs are dropped
- No switching from physical NIC to NIC
- Packets with a local MAC address are dropped on ingress (L2)

MAC Learning
- Each VEM learns independently and maintains a separate MAC table
- VM MACs are statically mapped; other vEths (vmknics and vswifs) are learned the same way
- No aging while the interface is up
- Devices external to the VEM are learned dynamically
Example: VM1 and VM2 on VEM 3 (uplink Eth3/1), VM3 and VM4 on VEM 4 (uplink Eth4/1)

    VEM 3 MAC Table          VEM 4 MAC Table
    VM1  Veth12  Static      VM1  Eth4/1  Dynamic
    VM2  Veth23  Static      VM2  Eth4/1  Dynamic
    VM3  Eth3/1  Dynamic     VM3  Veth8   Static
    VM4  Eth3/1  Dynamic     VM4  Veth7   Static
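The forwarding rules on the loop-prevention and MAC-learning slides (BPDUs dropped, no NIC-to-NIC switching, local MACs dropped on ingress, static vEth entries, dynamic learning of external MACs, no learning shared between VEMs) as one added, runnable per-VEM model. It is illustration code, not Cisco's; the MAC addresses, port names and the two-VEM scenario are constructed to mirror the figure above.

```python
"""Added example (not Cisco code): a per-VEM forwarding model for the rules
stated on the loop-prevention and MAC-learning slides. MACs and port names
are constructed to mirror the slide's two-VEM figure."""

BPDU_DST = "01:80:c2:00:00:00"
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Vem:
    def __init__(self, module: int, veths: dict, uplink: str):
        """veths maps a vEth port name to the MAC of the vNIC bound to it."""
        self.module = module
        self.veths = dict(veths)
        self.uplink = uplink
        # VM MACs are statically mapped and do not age while the vEth is up.
        self.mac_table = {mac: (port, "Static") for port, mac in veths.items()}

    def forward(self, in_port: str, src: str, dst: str) -> list:
        """Return the egress port list for one frame (empty list means dropped)."""
        if dst == BPDU_DST:
            return []                                   # BPDUs are dropped; no STP
        from_uplink = in_port == self.uplink
        if from_uplink:
            entry = self.mac_table.get(src)
            if entry is not None and entry[1] == "Static":
                return []                               # our own MAC from the NIC: loop, drop
            self.mac_table[src] = (in_port, "Dynamic")  # external MACs are learned dynamically
        entry = self.mac_table.get(dst)
        if entry is not None and dst != BROADCAST:
            out_port = entry[0]
            if out_port == in_port or (from_uplink and out_port == self.uplink):
                return []                               # never switch NIC back to NIC
            return [out_port]
        # Unknown unicast or broadcast: flood to the local vEths; only frames
        # that came from a vEth are also sent up the physical NIC.
        targets = [port for port in self.veths if port != in_port]
        if not from_uplink:
            targets.append(self.uplink)
        return targets

    def table(self) -> dict:
        return dict(self.mac_table)


def run_scenario() -> dict:
    # Constructed addresses; VEM 3 hosts VM1/VM2, VEM 4 hosts VM3/VM4.
    vm1, vm2, vm3, vm4 = ("00:50:56:aa:00:01", "00:50:56:aa:00:02",
                          "00:50:56:aa:00:03", "00:50:56:aa:00:04")
    vem3 = Vem(3, {"Veth12": vm1, "Veth23": vm2}, "Eth3/1")
    vem4 = Vem(4, {"Veth8": vm3, "Veth7": vm4}, "Eth4/1")

    out = {}
    out["vm1_to_vm3_on_vem3"] = vem3.forward("Veth12", vm1, vm3)   # VM3 unknown here: flood
    out["vm1_to_vm3_on_vem4"] = vem4.forward("Eth4/1", vm1, vm3)   # learn VM1 via NIC, deliver
    out["reply_on_vem4"] = vem4.forward("Veth8", vm3, vm1)         # VM1 now known via Eth4/1
    out["reply_on_vem3"] = vem3.forward("Eth3/1", vm3, vm1)        # learn VM3 via NIC, deliver
    out["looped_back"] = vem3.forward("Eth3/1", vm1, vm2)          # own MAC arriving on NIC
    out["bpdu"] = vem3.forward("Eth3/1", "00:1b:54:00:00:01", BPDU_DST)
    out["vem3_table"] = vem3.table()
    out["vem4_table"] = vem4.table()
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, "->", value)
```

After the exchange, VEM 3 knows VM3 only as "Dynamic via Eth3/1" and VEM 4 knows VM1 the same way: the tables are built independently, as the slide's two MAC tables show, and nothing a VEM learns is pushed to its neighbour.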

Port Channels
- Standard Cisco port channels; behave like EtherChannel
- Link Aggregation Control Protocol (LACP) support
- 17 hashing algorithms available, selected either system-wide or per module; the default is source MAC
- Automated creation using port profiles

Port Channel Hashing Options

    pod5-vsm(config)# port-channel load-balance ethernet ?
      dest-ip-port              Destination IP address and L4 port
      dest-ip-port-vlan         Destination IP address, L4 port and VLAN
      destination-ip-vlan       Destination IP address and VLAN
      destination-mac           Destination MAC address
      destination-port          Destination L4 port
      source-dest-ip-port       Source & Destination IP address and L4 port
      source-dest-ip-port-vlan  Source & Destination IP address, L4 port and VLAN
      source-dest-ip-vlan       Source & Destination IP address and VLAN
      source-dest-mac           Source & Destination MAC address
      source-dest-port          Source & Destination L4 port
      source-ip-port            Source IP address and L4 port
      source-ip-port-vlan       Source IP address, L4 port and VLAN
      source-ip-vlan            Source IP address and VLAN
      source-mac                Source MAC address
      source-port               Source L4 port
      source-virtual-port-id    Source Virtual Port Id
      vlan-only                 VLAN only

virtual Port Channel - Host Mode (vPC-HM)
- Allows a single port channel to span multiple upstream switches using 'subgroups'
- Forms up to two subgroups based on Cisco Discovery Protocol (CDP); subgroups can also be manually defined outside of a port profile
- vEths are round-robin assigned to a subgroup and then hashed within that subgroup
- Does not support LACP
- Does not require EtherChannel upstream when using source hashing, though EtherChannel is recommended upstream
- Required when connecting to multiple switches (only supports two upstream switches when using flow-based hashing)

Cisco Nexus 1000V Policy Management

What is a Port-Profile?
- A port-profile is a container used to define a common set of configuration commands for multiple interfaces
- Define once and apply many times
- Simplifies management by storing interface configuration
- Key to collaborative management of virtual networking resources
Why is it not like a template or SmartPort macro?
- Port-profiles are 'live' policies
- Editing an enabled profile causes the config change to propagate to all interfaces using that profile (unlike a static one-time macro)

Port Profile Configuration

    n1000v# show port-profile name WebProfile
    port-profile WebProfile
      description:
      status: enabled
      capability uplink: no
      system vlans:
      port-group: WebProfile
      config attributes:
        switchport mode access
        switchport access vlan 110
        no shutdown
      evaluated config attributes:
      assigned interfaces:
        Veth10

Supported commands include:
- Port management
- VLAN
- PVLAN
- Port-channel
- ACL
- NetFlow
- Port security
- QoS

Port Profile Policy Distribution
A profile configured on the VSM is pushed to vCenter Server as a port group:

    n1000v(config)# port-profile WebServers
    n1000v(config-port-prof)# switchport mode access
    n1000v(config-port-prof)# switchport access vlan 100
    n1000v(config-port-prof)# no shut

Overriding Port Profile Configuration
- Administrators can interact with individual switchports, overriding a port profile
- Used to isolate problems with one or two interfaces without changing the port-profile and affecting other ports
- Manual configuration always takes precedence over the port profile configuration
- The 'no' form of the command removes the override and restores the profile's config
Override on one interface:

    n1000v(config)# int vethernet 2
    n1000v(config-if)# switchport access vlan 250

Remove the override:

    n1000v(config)# int vethernet 2
    n1000v(config-if)# no switchport access vlan

Port Profile Inheritance
- Profile inheritance allows the construction of profile hierarchies
- 'Parent' profiles pass configuration to 'child' profiles
- Only the child profiles need to be visible within vCenter
- Updates to the parent filter down to the child
- Child profiles can be updated independently

    n1000v(config)# port-profile Web
    n1000v(config-port-prof)# switchport mode access
    n1000v(config-port-prof)# switchport access vlan 100
    n1000v(config-port-prof)# no shut
    n1000v(config)# port-profile Web-Gold
    n1000v(config-port-prof)# inherit port-profile Web
    n1000v(config-port-prof)# service-policy output Gold
    n1000v(config-port-prof)# vmware port-group Web-Gold
    n1000v(config)# port-profile Web-Silver
    n1000v(config-port-prof)# inherit port-profile Web
    n1000v(config-port-prof)# service-policy output Silver
    n1000v(config-port-prof)# vmware port-group Web-Silver

Effective port profile Web-Gold: access port, VLAN 100, Gold QoS policy
Effective port profile Web-Silver: access port, VLAN 100, Silver QoS policy
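How the three preceding slides fit together (live profiles, per-interface overrides that win over the profile and are removed with the 'no' form, and parent-to-child inheritance) as an added, runnable model. This is illustration code, not Cisco's; it stores profile attributes as command-name to value pairs using the command names from the slide CLI, and the Veth2 scenario is constructed.

```python
"""Added example (not Cisco code): a model of port-profile inheritance,
live propagation and per-interface overrides as described on the slides.
Attributes are command-name -> value pairs; the scenario is constructed."""


class PortProfileStore:
    def __init__(self):
        self._profiles = {}   # name -> {"parent": str | None, "attrs": dict}

    def define(self, name: str, attrs: dict, parent: str = None):
        if parent is not None and parent not in self._profiles:
            raise KeyError(f"parent profile {parent!r} does not exist")
        self._profiles[name] = {"parent": parent, "attrs": dict(attrs)}

    def set(self, name: str, key: str, value):
        """Editing an enabled profile changes every interface that uses it."""
        self._profiles[name]["attrs"][key] = value

    def effective(self, name: str) -> dict:
        """Walk the inheritance chain; the child wins on conflicting commands."""
        chain, seen, current = [], set(), name
        while current is not None:
            if current in seen:
                raise ValueError(f"inheritance loop at {current!r}")
            seen.add(current)
            chain.append(self._profiles[current])
            current = self._profiles[current]["parent"]
        config = {}
        for profile in reversed(chain):       # parent first, child last
            config.update(profile["attrs"])
        return config


class Interface:
    def __init__(self, name: str, profile: str, store: PortProfileStore):
        self.name, self.profile, self.store = name, profile, store
        self.overrides = {}

    def configure(self, key: str, value):
        """Manual configuration on the interface takes precedence over the profile."""
        self.overrides[key] = value

    def no(self, key: str):
        """'no <command>' removes the override and restores the profile's value."""
        self.overrides.pop(key, None)

    def running_config(self) -> dict:
        config = self.store.effective(self.profile)   # evaluated live, not copied
        config.update(self.overrides)
        return config


def run_scenario() -> dict:
    store = PortProfileStore()
    store.define("Web", {"switchport mode": "access", "switchport access vlan": 100})
    store.define("Web-Gold", {"service-policy output": "Gold",
                              "vmware port-group": "Web-Gold"}, parent="Web")
    store.define("Web-Silver", {"service-policy output": "Silver",
                                "vmware port-group": "Web-Silver"}, parent="Web")
    veth2 = Interface("Veth2", "Web-Gold", store)
    out = {"gold_policy": veth2.running_config()["service-policy output"],
           "initial_vlan": veth2.running_config()["switchport access vlan"]}
    veth2.configure("switchport access vlan", 250)          # override on the interface
    out["override_vlan"] = veth2.running_config()["switchport access vlan"]
    veth2.no("switchport access vlan")                      # 'no' restores the profile
    out["restored_vlan"] = veth2.running_config()["switchport access vlan"]
    store.set("Web", "switchport access vlan", 110)         # edit the parent: propagates
    out["after_parent_edit"] = veth2.running_config()["switchport access vlan"]
    out["silver_policy"] = store.effective("Web-Silver")["service-policy output"]
    return out


if __name__ == "__main__":
    print(run_scenario())
```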

Uplink Port Profiles
- Special profiles that define physical NIC properties
- Usually configured as a trunk
- Defined by adding 'capability uplink' to a port profile
- Uplink profiles cannot be applied to vEths; non-uplink profiles cannot be applied to NICs
- Only selectable in vCenter when adding a host or additional NICs

    n1000v(config)# port-profile DataUplink
    n1000v(config-port-prof)# switchport mode trunk
    n1000v(config-port-prof)# switchport trunk allowed vlan 10-15
    n1000v(config-port-prof)# system vlan 51, 52
    n1000v(config-port-prof)# channel-group mode auto sub-group cdp
    n1000v(config-port-prof)# capability uplink
    n1000v(config-port-prof)# no shut

Cisco Nexus 1000V System VLANs
- System VLANs enable interface connectivity before an interface is programmed (i.e. while the VEM cannot yet communicate with the VSM during boot)
Required system VLANs:
- Control
- Packet
Recommended system VLANs:
- IP storage
- Service Console
- VMKernel
- Management networks

System VLAN Guidelines
- Port profiles that contain system VLANs are 'system port profiles'
- The system VLAN list must be a subset of the allowed VLAN list on trunk ports
- There must be only one system VLAN on an access port (the access VLAN)
- The 'no system vlan' command can be given only when no interface is using the profile
- Once a system profile is in use by at least one interface, you can only add to the list of system VLANs, not delete any VLAN from the list
- For a profile with system VLANs, the 'no port-profile SysProfile', 'no vmware port-group' and 'no state enabled' commands can be given only when no interface is using that profile

Automated Port Channel Configuration
- Port channels can be formed automatically using a port profile
- Interfaces belonging to different modules cannot be added to the same channel-group (e.g. Eth2/3 and Eth3/3)
- The 'auto' keyword indicates that interfaces inheriting the same uplink port-profile will automatically be assigned a channel-group
- Each interface in the channel must have consistent speed/duplex
- The channel-group does not need to exist; it will be created automatically

    n1000v(config)# port-profile Uplink
    n1000v(config-port-prof)# channel-group auto

Cisco Nexus 1000V Security

Access Control List Overview
- ACLs provide traffic filtering mechanisms
- Provides filtering for ingress and egress VM traffic for additional network security
- Permit/drop traffic based on ACL policies
- ACL types supported: IPv4 and MAC ACLs
- Ingress and egress
- Supported on Eth and vEth interfaces
- Configured via port profiles or directly on the interface

Port Security Overview
- Port security secures a port by limiting and identifying the MAC addresses that can access it
- Secure MACs can be manually configured or dynamically learnt
- Two security violation types are supported: Addr-Count-Exceed violation and MAC Move violation
- Port security can be applied to vEths; it cannot be applied to physical interfaces
- Three types of secure MACs: static, sticky, dynamic

Types of Secure MAC Addresses

    Secure MAC type  Source               Aging                                      Persistence through interface flaps  Persistence through switch reboot
    Static           CLI configuration    No                                                                              Yes (with copy run start)
    Sticky           Dynamically learnt   No                                                                              Yes (with copy run start)
    Dynamic          Dynamically learnt   No (default); aging time and type configurable
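The port-security behaviour of the two slides above (a maximum number of secure MACs per vEth, static/sticky/dynamic entries, aging only for dynamic entries, an Addr-Count-Exceed violation when a new MAC would exceed the maximum, and a MAC Move violation when a MAC secured on one vEth appears on another) as an added, runnable model. This is illustration code, not Cisco's: the inactivity-style aging, the vEth names, the MACs and the event timeline are constructed assumptions.

```python
"""Added example (not Cisco code): port-security checks on vEths as the
slides describe them. Aging is modelled as an inactivity timer on dynamic
entries only; names, MACs and timings are constructed."""


class PortSecurityDomain:
    """Remembers which secure vEth currently owns each secured MAC (MAC-move detection)."""

    def __init__(self):
        self.owner = {}        # mac -> vEth name


class SecureVeth:
    def __init__(self, name, domain, maximum=1, sticky=False, aging_time=0.0, static=()):
        self.name, self.domain = name, domain
        self.maximum = maximum               # Addr-Count-Exceed threshold
        self.sticky = sticky                 # learned MACs become sticky instead of dynamic
        self.aging_time = aging_time         # 0 disables aging; applies to dynamic only
        self.secure = {}                     # mac -> {"type": ..., "last_seen": t}
        self.violations = []
        for mac in static:
            self._add(mac, "static", 0.0)    # CLI-configured entries never age

    def _add(self, mac, kind, now):
        self.secure[mac] = {"type": kind, "last_seen": now}
        self.domain.owner[mac] = self.name

    def _age(self, now):
        if not self.aging_time:
            return
        for mac, entry in list(self.secure.items()):
            if entry["type"] == "dynamic" and now - entry["last_seen"] > self.aging_time:
                del self.secure[mac]
                self.domain.owner.pop(mac, None)

    def ingress(self, src_mac, now):
        """Return 'permit' or the violation type for one frame entering this vEth."""
        self._age(now)
        if src_mac in self.secure:
            self.secure[src_mac]["last_seen"] = now
            return "permit"
        owner = self.domain.owner.get(src_mac)
        if owner is not None and owner != self.name:
            self.violations.append((now, src_mac, "mac-move", owner))
            return "mac-move"
        if len(self.secure) >= self.maximum:
            self.violations.append((now, src_mac, "addr-count-exceed", None))
            return "addr-count-exceed"
        self._add(src_mac, "sticky" if self.sticky else "dynamic", now)
        return "permit"


def run_scenario() -> dict:
    domain = PortSecurityDomain()
    veth5 = SecureVeth("Veth5", domain, maximum=2, aging_time=60.0)
    veth6 = SecureVeth("Veth6", domain, maximum=1, sticky=True)
    a, b, c, d = ("00:50:56:aa:00:0a", "00:50:56:aa:00:0b",
                  "00:50:56:aa:00:0c", "00:50:56:aa:00:0d")
    events = [                       # constructed: (port, source MAC, time in seconds)
        (veth5, a, 0.0), (veth5, b, 1.0),    # two MACs learned on Veth5
        (veth5, c, 2.0),                     # third MAC: exceeds maximum 2
        (veth6, a, 3.0),                     # MAC secured on Veth5 shows up on Veth6
        (veth6, d, 4.0),                     # learned as sticky on Veth6
        (veth5, c, 100.0),                   # a and b aged out: c now fits
    ]
    results = [port.ingress(mac, t) for port, mac, t in events]
    return {
        "results": results,
        "veth5": {mac: e["type"] for mac, e in veth5.secure.items()},
        "veth6": {mac: e["type"] for mac, e in veth6.secure.items()},
        "violations": [(p.name, v[2]) for p in (veth5, veth6) for v in p.violations],
    }


if __name__ == "__main__":
    print(run_scenario())
```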

Cisco Nexus 1000V Private VLANs
- Private VLANs divide a normal VLAN into sub-L2 domains
- Consist of a primary VLAN and one or more secondary VLANs
- Used to segregate L2 traffic without wasting IP address space (smaller subnets)
- Secondary VLAN access is restricted by setting 'community' or 'isolated' status

PVLAN Definitions
- Primary VLAN: VLAN carrying downstream traffic from the router(s) to the host ports
- Secondary VLAN: can be either an isolated VLAN or a community VLAN; a port assigned to the isolated VLAN is an isolated port, a port assigned to a community VLAN is a community port
- Isolated VLAN: communicates only with the primary VLAN
- Community VLAN: communicates within the community and with the primary VLAN

PVLAN Promiscuous Ports
- Promiscuous port: can communicate with all isolated ports and community ports, and vice versa
- Promiscuous ports are the boundary between the PVLAN domain and the rest of the network
- Secondary VLANs are remapped to the primary VLAN at the promiscuous port
- Nexus 1000V supports promiscuous trunk ports and promiscuous access ports
- Most deployments will use a promiscuous trunk port
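The forwarding rules of the three PVLAN slides above (isolated talks only to promiscuous, community talks within its community and to promiscuous, promiscuous talks to everything, and secondary VLANs are remapped to the primary at the promiscuous port) as an added, runnable lookup. This is illustration code, not Cisco's; the VLAN numbers (primary 100, isolated 101, community 102) and the port names are constructed.

```python
"""Added example (not Cisco code): private-VLAN reachability and VLAN
remapping as stated on the slides. VLAN numbers and port names are
constructed for the illustration."""


class PrivateVlan:
    def __init__(self, primary, isolated=(), community=()):
        self.primary = primary
        self.isolated = set(isolated)
        self.community = set(community)
        self.ports = {}   # port -> (role, vlan); role in promiscuous/isolated/community

    def add_port(self, port, role, secondary=None):
        if role == "promiscuous":
            self.ports[port] = ("promiscuous", self.primary)
        elif role == "isolated" and secondary in self.isolated:
            self.ports[port] = ("isolated", secondary)
        elif role == "community" and secondary in self.community:
            self.ports[port] = ("community", secondary)
        else:
            raise ValueError(f"bad role/secondary for {port}: {role} {secondary}")

    def can_forward(self, src, dst) -> bool:
        if src == dst:
            return False
        s_role, s_vlan = self.ports[src]
        d_role, d_vlan = self.ports[dst]
        if s_role == "promiscuous" or d_role == "promiscuous":
            return True                     # promiscuous talks to every secondary port
        if s_role == "community" and d_role == "community" and s_vlan == d_vlan:
            return True                     # same community
        return False                        # isolated-to-host, or across communities

    def egress_vlan(self, src, dst):
        """VLAN the frame is tagged with when it leaves dst.
        Leaving a promiscuous port the secondary VLAN is remapped to the primary;
        leaving a host port it carries that port's secondary VLAN."""
        if not self.can_forward(src, dst):
            return None
        return self.ports[dst][1]

    def reachable_from(self, src) -> list:
        return sorted(p for p in self.ports if self.can_forward(src, p))


def run_scenario() -> dict:
    pv = PrivateVlan(primary=100, isolated=[101], community=[102])
    pv.add_port("Po1", "promiscuous")           # promiscuous trunk toward the upstream switch
    pv.add_port("Veth1", "isolated", 101)
    pv.add_port("Veth2", "isolated", 101)
    pv.add_port("Veth3", "community", 102)
    pv.add_port("Veth4", "community", 102)
    return {
        "reach": {p: pv.reachable_from(p) for p in pv.ports},
        "egress": {
            "Veth1->Po1": pv.egress_vlan("Veth1", "Po1"),      # remapped to primary 100
            "Po1->Veth1": pv.egress_vlan("Po1", "Veth1"),      # delivered in isolated 101
            "Veth3->Veth4": pv.egress_vlan("Veth3", "Veth4"),  # community 102
            "Veth1->Veth2": pv.egress_vlan("Veth1", "Veth2"),  # blocked: isolated
        },
    }


if __name__ == "__main__":
    print(run_scenario())
```

With a promiscuous trunk as the only exit, the two isolated VMs cannot reach each other at L2 even though they share a subnet, which is the segregation-without-smaller-subnets point of the first PVLAN slide.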

PVLAN Topology Examples
Regular trunk port to the upstream switch
- Defines the N1KV uplink as a regular trunk port
- Defines the PVLAN configuration in the upstream switch; the PVLAN extends into the upstream switch
- Defines the SVI promiscuous port in the upstream switch
Promiscuous trunk port to the upstream switch
- Defines the N1KV uplink as a promiscuous trunk
- The PVLAN ends at the promiscuous trunk port; no PVLAN configuration in the upstream switch

Cisco Nexus 1000V Quality of Service

Cisco Nexus 1000V Quality of Service
- Nexus 1000V provides traffic classification, marking and policing
- Police traffic to/from VMs
- Mark traffic leaving the ESX host
- Can be configured in multiple ways: individual Eths or vEths, port-channels, port profiles
- Policies can be applied on input or output
- Statistics per policy (input/output) per interface
- Nexus 1000V does not implement queuing or full traffic shaping

QoS Classification Support
Classification is supported on:
- Access-group: ACL reference
- Class-map (hierarchical classes possible)
- CoS (L2 header)
- Discard-class: internal QoS value
- DSCP: from IP TOS
- IP RTP: UDP port list
- Packet length: IP datagram size; inclusive ranges
- Precedence: 3-bit value from within the DSCP field
- QoS-group: internal QoS value

QoS Marking Support
Marking is supported for:
- CoS (L2 header)
- Discard-class: internal QoS value
- DSCP: in IP TOS
- Precedence: 3-bit value from within the DSCP field
- QoS-group: internal QoS value
Packets are only marked when leaving a VEM; intra-VEM traffic is not marked

QoS Feature Overview: Policing
- Standard MQC configuration
- Traffic is categorized into conforming, exceeding and violating traffic
Policer actions:
- Set various fields
- Mark down DSCP
- Transmit or drop

Cisco Nexus 1000V Network Management

Nexus 1000V Management Overview
Tightly integrated with data center infrastructure; Nexus 1000V offers a layered approach to device and solution management:
- Familiar Cisco NX-OS CLI for direct device configuration and seamless integration with TACACS+, AAA and RADIUS
- Support for the vCenter vNetwork Distributed Switch API
- Syslog and SNMP MIB support for integration with centralized management tools from Cisco and other vendors
- CiscoWorks LMS and Data Center Network Manager (Q1 2010) support via SNMP and XML API
(Diagram: CLI, SNMP and XML reach the Nexus 1000V VSM; vCenter reaches the VEMs through the VDS API.)

Nexus 1000V Management: NX-OS CLI Features
- Cisco NX-OS CLI based management features are all accessible through the Nexus 1000V VSM
- Includes the familiar Cisco CLI based "config" and "show" commands along with new features to simplify configuration and troubleshooting of a VM environment (e.g. port profiles, Veth interfaces)
- Configure SNMP polling variables and permissions
- Review locally and export detailed network device syslog messages
- Support for advanced network diagnostics like ERSPAN (remote port mirroring), NetFlow v9 statistics gathering and Wireshark for local CLI-based packet capture and analysis

Nexus 1000V Management: SNMP & Supported MIBs
Device support for SNMP v3 (read) through the Nexus 1000V VSM
Generic MIBs
- CISCO-TC
- SNMPv2-MIB
- SNMP-COMMUNITY-MIB
- SNMP-FRAMEWORK-MIB
- SNMP-NOTIFICATION-MIB
- SNMP-TARGET-MIB
Configuration
- ENTITY-MIB
- IF-MIB
- CISCO-ENTITY-EXT-MIB
- CISCO-ENTITY-FRU-CONTROL-MIB
- CISCO-FLASH-MIB
- CISCO-IMAGE-MIB
- CISCO-CONFIG-COPY-MIB
- CISCO-ENTITY-VENDORTYPE-OID-MIB
- ETHERLIKE-MIB
- CISCO-LAG-MIB
- MIB-II
Monitoring
- NOTIFICATION-LOG-MIB
- CISCO-PROCESS-MIB
Security
- CISCO-AAA-SERVER-MIB
- CISCO-COMMON-MGMT-MIB
- CISCO-PRIVATE-VLAN-MIB
Miscellaneous
- CISCO-CDP-MIB
- CISCO-LICENSE-MGR-MIB
- CISCO-ENTITY-ASSET-MIB

Nexus 1000V Management: CiscoWorks & DCNM Plans
GUI-based network device management including fault monitoring, topology, inventory/config support and advanced port profile management
CiscoWorks LMS (May 2009)
- Resource Manager Essentials: inventory management, configuration management
- Campus Manager: network discovery, topology mapping, VLAN management
- Device Fault Manager: quickly and easily detect, isolate, and correct network device faults
Data Center Network Manager (Q1 2010*)
- Discovery, inventory
- Physical topology mapping
- Physical and Veth ports
- Port profiles
- Port channel (LACP)
- VLAN, PVLAN
- Local SPAN
- IPv4 ACL / MAC ACL
- Port security
- Topology mapping (port channel, VLAN)
DCNM foundational capabilities:
- AAA rules
- RADIUS
- TACACS+
- RBAC (roles and users)
- Device and credentials
- DCNM licensed devices
- DCNM user management
- Auto sync with devices
- Statistical data collection
- DCNM server log settings
- Event browser
- AAA authentication for DCNM
- DCNM installer
- Oracle DB support
- Concurrent CDP discovery
* release still in planning


Cisco Nexus 1000V Troubleshooting & Diagnostics

Switched Port Analyzer (SPAN)
- Similar to SPAN in physical Cisco switches (Cat6k, N7k)
- Configured as "sessions"
- One or more source ports and/or VLANs; direction ingress, egress or both
- One or more destinations
- Can define "source VLAN filters"
- SPANing is allowed only within the same host (ESX)

Local SPAN Source/Destination Interfaces
Source interface characteristics:
- Can be Ethernet, virtual Ethernet, port-channel, or VLAN
- Cannot be a destination port
- Can be configured to monitor the direction of traffic: receive (ingress), transmit (egress), or both
- Source ports can be in the same or different VLANs
- For VLAN SPAN sources, all active ports in the source VLAN are included as source ports
Destination interface characteristics:
- Can be Ethernet, virtual Ethernet, or port-channel
- Cannot be a SPAN source port
- Must be on the same host as the source port(s)
- Is not monitored if it belongs to a source VLAN of any SPAN session

Encapsulated Remote SPAN (ERSPAN)
- ERSPAN mirrors traffic in an encapsulated envelope to an IP destination
- Designed to monitor the traffic on VEMs remotely
- Similar to local SPAN, except that ERSPAN can send mirrored packets outside an individual VEM
- Sources: Ethernet, Vethernet, port-channel, VLAN; supports multiple sources from multiple VEMs
- Destination: an IP address
- Can define "source VLAN filters"

Exporting Logs from VC ESX system logs containing VEM details can be exported from VC

Cisco NetFlow
NetFlow is a Cisco technology that provides traffic accounting and monitoring of packets flowing through the network on a per-flow basis. NetFlow provides the following benefits:
- Traffic analysis for network planning
- Usage-based billing
- The who, what, where, when and how much IP traffic questions are answered
Typical use cases:
- Who are the top N talkers? What percentage of traffic are they?
- How many users are on the network at any given time?
- When will service upgrades affect the least number of users?
- How long does a flow stay active?
- Where do they come from?
- Alarm on DoS attacks like Smurf, Fraggle and SYN floods
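Two of the use cases on the slide (top-N talkers with their share of traffic, and an alarm on a SYN flood) worked over flow records, as an added, runnable example. This is illustration code, not Cisco's or a NetFlow collector's: the record tuple layout mimics the fields a v9 export carries, the records themselves are constructed, and the flood thresholds are assumptions a defender would tune for their own network.

```python
"""Added example (not Cisco code): answering two slide questions from flow
records, top-N talkers and a SYN-flood alarm. Records are constructed to
resemble NetFlow v9 fields; thresholds are assumptions."""
from collections import Counter, defaultdict

SYN = 0x02
ACK = 0x10

# Constructed flow records: (src, dst, proto, sport, dport, packets, bytes, tcp_flags)
FLOWS = [
    ("10.1.1.11", "10.2.2.2", 6, 40001, 443, 120, 150000, SYN | ACK),   # normal session
    ("10.1.1.12", "10.2.2.2", 6, 40002, 443, 30, 40000, SYN | ACK),     # normal session
    ("10.1.1.13", "10.2.2.3", 17, 5000, 53, 2, 200, 0),                  # DNS lookup
] + [
    # 200 single-packet, SYN-only flows from spoofed sources toward one server port
    (f"198.51.100.{i % 250 + 1}", "10.2.2.2", 6, 1024 + i, 80, 1, 60, SYN)
    for i in range(200)
]


def top_talkers(flows, n=3):
    """Return [(src, bytes, percent_of_total)] for the n busiest sources."""
    by_src = Counter()
    for src, _dst, _proto, _sp, _dp, _pkts, nbytes, _flags in flows:
        by_src[src] += nbytes
    total = sum(by_src.values())
    return [(src, nbytes, round(100.0 * nbytes / total, 1))
            for src, nbytes in by_src.most_common(n)]


def syn_flood_alarms(flows, min_flows=100, min_sources=50, max_avg_packets=2.0):
    """Flag a (dst, dport) that receives many SYN-only, near-empty flows from
    many distinct sources: completed handshakes carry ACK and more packets."""
    per_target = defaultdict(list)
    for src, dst, proto, _sp, dport, pkts, _nbytes, flags in flows:
        if proto == 6 and flags & SYN and not flags & ACK:
            per_target[(dst, dport)].append((src, pkts))
    alarms = []
    for target, entries in per_target.items():
        sources = {src for src, _ in entries}
        avg_packets = sum(pkts for _, pkts in entries) / len(entries)
        if (len(entries) >= min_flows and len(sources) >= min_sources
                and avg_packets <= max_avg_packets):
            alarms.append({"target": target, "flows": len(entries),
                           "sources": len(sources), "avg_packets": avg_packets})
    return alarms


if __name__ == "__main__":
    for src, nbytes, pct in top_talkers(FLOWS):
        print(f"{src:16} {nbytes:8d} bytes  {pct:5.1f}%")
    for alarm in syn_flood_alarms(FLOWS):
        print("SYN flood suspected:", alarm)
```

Note that the flood contributes almost nothing to the byte-based top-talker list; the alarm has to key on flow count, source diversity and packets per flow instead, which is why the two questions need two different aggregations of the same records.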

Cisco Nexus 1000V Design Examples

VSM VM Placement
VSM - Virtual Appliance
- Primary and secondary VSMs should remain on separate machines
- VMware anti-affinity rules can be applied
VSM - Performance
- Requires 2GB dedicated RAM (not shared)
- 1GHz vCPU
- The VSM should not be VMotioned

Nexus 1KV & VMware Traffic
- VM Data: all data from VMs, including the VSMs; usually multiple VLANs
- VMkernel: primarily used for VMotion; also used for IP storage
- Service Console: ESX management
- Control: N1KV switch control traffic; the most important interfaces on the switch!
- Packet: carries CDP and IGMP control

Port Channel Hashing Classification
Source-based hashing
- Hashes all traffic from a single source down the same link
- vPC-HM requires no special upstream configuration (EtherChannel)
- Examples are source MAC, VLAN, virtual port
Flow-based hashing
- Each flow may take a different path
- vPC may require EtherChannel upstream
- Examples include any hash using destination, L4 port, or combinations of src/dst/port
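The vPC-HM slide in the switching section and the classification slide above make one argument: with source-based hashing every frame from a given VM leaves on one physical link, so the upstream switch never sees that MAC move and needs no EtherChannel; with flow-based hashing the same MAC spreads across links. This added, runnable model shows both on a two-subgroup vPC-HM channel. It is illustration code, not Cisco's: the slides do not specify the platform's hash function, so a deterministic stand-in is used, and the link names, vEths and traffic are constructed.

```python
"""Added example (not Cisco code): source-based versus flow-based hashing on a
vPC host-mode port channel with two subgroups. The hash is a stand-in for the
platform's (unspecified on the slides); links, vEths and flows are constructed."""


def _bucket(key: str, size: int) -> int:
    # Deterministic stand-in for the platform hash (assumption).
    return sum(key.encode()) % size


class VpcHostMode:
    def __init__(self, subgroups: dict):
        """subgroups: {"SG0": ["Eth3/1", "Eth3/2"], "SG1": ["Eth3/3", "Eth3/4"]},
        one subgroup per upstream switch as CDP would discover them."""
        self.subgroups = {sg: list(links) for sg, links in subgroups.items()}
        self._order = list(self.subgroups)
        self._next = 0
        self.veth_subgroup = {}

    def attach(self, veth: str) -> str:
        """vEths are round-robin assigned to a subgroup when they come up."""
        sg = self._order[self._next % len(self._order)]
        self._next += 1
        self.veth_subgroup[veth] = sg
        return sg

    def select_link(self, veth: str, frame: dict, policy: str) -> str:
        """Hash within the vEth's subgroup using the selected load-balance key."""
        if policy == "source-mac":
            key = frame["src_mac"]
        elif policy == "source-virtual-port-id":
            key = veth
        elif policy == "source-dest-ip-port":
            key = f'{frame["src_ip"]}:{frame["src_port"]}>{frame["dst_ip"]}:{frame["dst_port"]}'
        else:
            raise ValueError(f"unsupported policy in this model: {policy}")
        members = self.subgroups[self.veth_subgroup[veth]]
        return members[_bucket(key, len(members))]


def links_per_source(policy: str) -> dict:
    """For each VM MAC, the set of physical links its frames were sent on."""
    po1 = VpcHostMode({"SG0": ["Eth3/1", "Eth3/2"], "SG1": ["Eth3/3", "Eth3/4"]})
    vms = {"Veth1": ("00:50:56:aa:00:01", "10.1.1.11"),     # constructed
           "Veth2": ("00:50:56:aa:00:02", "10.1.1.12"),
           "Veth3": ("00:50:56:aa:00:03", "10.1.1.13")}
    for veth in vms:
        po1.attach(veth)
    seen = {}
    for veth, (mac, ip) in vms.items():
        for dst_port in range(8000, 8016):                   # 16 flows per VM
            frame = {"src_mac": mac, "src_ip": ip, "src_port": 40000,
                     "dst_ip": "10.2.2.2", "dst_port": dst_port}
            seen.setdefault(mac, set()).add(po1.select_link(veth, frame, policy))
    return {mac: sorted(links) for mac, links in seen.items()}


def upstream_needs_etherchannel(policy: str) -> bool:
    """True when some source MAC is seen on more than one physical link, which
    an upstream switch without EtherChannel would report as a MAC flap."""
    return any(len(links) > 1 for links in links_per_source(policy).values())


if __name__ == "__main__":
    for policy in ("source-mac", "source-virtual-port-id", "source-dest-ip-port"):
        print(policy, links_per_source(policy), "needs EtherChannel:",
              upstream_needs_etherchannel(policy))
```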

Two NIC Configuration
- Access layer configuration: trunk port, no EtherChannel
- N1KV port channel: a single port channel (Po1, vPC-HM, sub-groups SG0/SG1) carrying VM Data, Service Console, VMkernel, Control and Packet
- VEM configuration: source-based hashing
- Use case: small 1 Gb servers (rack or blade); 10 Gb (Ethernet or FCoE)

Four NIC Configuration
- Access layer configuration: trunk port, no EtherChannel
- N1KV port channel 1 (Po1, vPC-HM, sub-groups SG0/SG1): VM Data
- N1KV port channel 2 (Po2, vPC-HM, sub-groups SG0/SG1): Service Console, VMkernel, Control and Packet
- VEM configuration: source-based hashing
- Use case: medium 1 Gb servers (rack or blade); need to separate vMotion from data

Four NIC Alternative-1 Configuration (Clustered Switches)
- Access layer configuration: trunk port; a single EtherChannel spanning both switches
- Port channel 1 (Po1, standard EtherChannel): VM Data, Service Console, VMkernel, Control and Packet
- VEM configuration: flow-based hashing
- Use case: "clustered" switches (7K vPC, 6K VSS, 3K VBS); maximizes VM bandwidth; shared links for vMotion and data

Four NIC Alternative-2 Configuration (Clustered Switches)
- Access layer configuration: trunk port; two EtherChannels, each spanning both switches
- N1KV port channel 1 (Po1, standard EtherChannel): VM Data
- N1KV port channel 2 (Po2, standard EtherChannel): Service Console, VMkernel, Control and Packet
- VEM configuration: flow-based hashing
- Use case: "clustered" switches (7K vPC, 6K VSS, 3K VBS); still maintains separation of data and vMotion

Six NIC Configuration
- Access layer configuration: trunk port; separate EtherChannels from each switch to Po1 only
- N1KV port channel 1 (Po1, vPC-HM, sub-groups SG0/SG1): VM Data
- N1KV port channel 2 (Po2, vPC-HM, sub-groups SG0/SG1): Service Console, VMkernel, Control and Packet
- VEM configuration: flow-based hashing
- Use case: high-performance servers; greater than 1 Gb VM bandwidth; separate links for vMotion and data

Cisco Nexus 1000V Installation

Cisco Nexus 1000V Installation Overview
Installing the Cisco Nexus 1000V is a five-step process involving the server and network administrators:
1) Install the primary and secondary VSMs
2) Define uplink and VM port profiles
3) Connect the primary VSM to VC
4) Install the VEM (manually or using VUM)
5) Add the ESX host to the Nexus 1000V
Repeat steps 4 and 5 for each additional ESX host

Creating the VSM VM using ISO
- Create the VM: type Other 64-bit Linux; 1 processor; 2 GB RAM; 3 vNICs (e1000 driver); minimum 3 GB SCSI hard disk with LSI Logic adapter (default)
- Reserve 2 GB RAM for the VM
- Configure the VM network adapters
- Attach the ISO to the VM and power on

Creating the VSM VM using OVA
- From the VC File menu, select "Deploy OVF Template..."
- OVA deployment automates the VSM VM configuration
- Configuration is limited to mapping port groups to the proper networks
- CPU and RAM still need to be reserved for the VM

VSM Dedicated Resources
- Each VSM requires dedicated resources (not shared)
- Set the RAM reservation to 2 GB
- Set the CPU reservation to 1 GHz

VSM Setup Wizard
- Runs automatically when the VSM VM is started for the first time
- Minimum configuration suggested: switch name, out-of-band management configuration, default gateway, Telnet/SSH service, domain parameters (domain ID, control/packet VLAN)
- Enable SSH rather than Telnet for management: Telnet sends the admin credentials and every CLI session in the clear
- The secondary VSM will reboot and gather its configuration from the primary VSM

Registering the Nexus 1000V Plug-in
- The plug-in enables VC to communicate with the VSM and contains the VSM's security certificate
- Download http://<VSM-IP>/cisco_nexus1000v_extension.xml
- In the VC client, go to the Plug-ins menu and select "Manage plug-ins..."
- Right-click under "Available Plug-ins" and select "New Plug-in"
- Caveat: the extension file is fetched over plain HTTP, so confirm that the certificate it carries matches the one on the VSM before registering it in VC

Connecting the VSM to the VC
- The Nexus 1000V plug-in must be registered first!
- Configure the connection on the VSM:
    n1000v(config)# svs connection vc
    n1000v(config-svs-conn)# protocol vmware-vim
    n1000v(config-svs-conn)# remote ip address 172.28.15.111
    n1000v(config-svs-conn)# vmware dvs datacenter-name WestDC
    n1000v(config-svs-conn)# connect
- The connection name ("vc" in the example) is arbitrary
- Protocol specifies the type of server to connect to (only VMware is supported)
- Remote IP address is the VC IP address
- Datacenter name is the name of the datacenter that will contain the Nexus 1000V; the datacenter must exist on VC before connecting
- The connect command initiates the connection with the VC and creates the Nexus 1000V in VC

Connecting the VSM to the VC (cont.)
(Screenshot: resulting output on VC after issuing the connect command)

Adding an Uplink Port Profile
- In order to insert a module into the VSM (i.e. add a host to the vDS on VC), you must configure an uplink port-profile for the host to use:
    n1000v(config)# port-profile SystemUplinks
    n1000v(config-port-prof)# capability uplink
    n1000v(config-port-prof)# switchport mode trunk
    n1000v(config-port-prof)# switchport trunk allowed vlan 51-52
    n1000v(config-port-prof)# system vlan 51, 52
    n1000v(config-port-prof)# vmware port-group SystemUplinks
    n1000v(config-port-prof)# no shutdown
    n1000v(config-port-prof)# state enabled
- The system vlan command marks the control and packet VLANs as system VLANs, so the VEM forwards them before it has a working connection to the VSM
- The third parameter of the "vmware port-group" command is optional; it specifies the name displayed in VC, and if left blank the port-profile name is used

Adding an Uplink Port Profile (cont.)
(Screenshot: resulting output on VC after issuing the port-profile commands)

Manual VEM Installation
- The host VEM .VIB file must be installed before performing the "Add Host" operation on VC
- Steps to install the VEM bits on the host:
  - Copy the VEM package onto the ESX host (using SCP or through VC)
  - SSH into the host and run esxupdate:
    # esxupdate -b ./cross_cisco-vem-v100-4.0.4.1.0.42-0.4.2-release.vib --nosigcheck update
    cross_cisco-vem-v100-4.0.4.1..  ######################################## [100%]
    Unpacking cross_cisco-vem-v1..  ######################################## [100%]
    Installing cisco-vem-v100-esx   ######################################## [100%]
    Running [/usr/sbin/vmkmod-install.sh]... ok.
    #
- Caveat: --nosigcheck tells esxupdate to skip signature verification of the bundle, so a kernel module is being installed on trust; verify the VIB's checksum against the value published with the download before installing, and move the file with SCP or through VC as listed rather than an unauthenticated transfer
- After esxupdate completes, the "Add Host" operation can be performed on the VC

Automated Installation with VUM
- What is VUM? VMware Update Manager, used for patching/updating software on ESX; it uses esxupdate on the ESX host to install and manage software modules
- Starting the installation: simply click "Add Host", and VUM will take care of loading the VEM onto the host
- The host pulls the packages from the VUM repository; the VSM web server is only used to populate the VUM repository

Adding a Host to the Nexus 1000V
- Right-click on the Cisco Nexus 1000V and select "Add Host"

Verifying the Installation
- The "show module" command on the VSM displays the VEM if the installation completed successfully:
    pod5-vsm# show module
    Mod  Ports  Module-Type                      Model              Status
    ---  -----  -------------------------------- ------------------ ------------
    1    0      Virtual Supervisor Module        Nexus1000V         active *
    2    0      Virtual Supervisor Module        Nexus1000V         ha-standby
    3    248    Virtual Ethernet Module          NA                 ok

    Mod  Sw               Hw
    ---  ---------------  ------
    1    4.0(4)SV1(0.42)  0.0
    2    4.0(4)SV1(0.42)  0.0
    3    4.0(4)SV1(0.42)  0.4

    Mod  MAC-Address(es)                         Serial-Num
    ---  --------------------------------------  ----------
    1    00-19-07-6c-5a-a8 to 00-19-07-6c-62-a8  NA
    2    00-19-07-6c-5a-a8 to 00-19-07-6c-62-a8  NA
    3    02-00-0c-00-03-00 to 02-00-0c-00-03-80  NA

    Mod  Server-IP        Server-UUID                           Server-Name
    ---  ---------------  ------------------------------------  --------------------
    1    10.95.5.159      NA                                    NA
    2    10.95.5.159      NA                                    NA
    3    10.95.5.151      41483531-3141-5553-4537-31324e353646  phx2-dc-pod5-hv1
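Reading that output by eye is fine for one host; across a cluster it is worth scripting the checks an operator actually makes: both supervisors present (one active, one ha-standby), every VEM in the ok state, and every module running the same image as the active VSM. The following is an added example and not Cisco code: a small parser for the tables shown above plus those checks. The sample output is constructed to mirror the slide; the degraded variant is also constructed, and its VEM status value is a placeholder rather than a real NX-OS status string.

```python
"""Check `show module` output from a Nexus 1000V VSM for a healthy install.

Added example, not Cisco code. Parses the Status, Sw/Hw and Server tables
and reports anything that does not look like a completed installation.
"""

# Constructed sample, laid out like the output on the slide.
SAMPLE_OUTPUT = """\
Mod  Ports  Module-Type                      Model              Status
---  -----  -------------------------------- ------------------ ------------
1    0      Virtual Supervisor Module        Nexus1000V         active *
2    0      Virtual Supervisor Module        Nexus1000V         ha-standby
3    248    Virtual Ethernet Module          NA                 ok

Mod  Sw               Hw
---  ---------------  ------
1    4.0(4)SV1(0.42)  0.0
2    4.0(4)SV1(0.42)  0.0
3    4.0(4)SV1(0.42)  0.4

Mod  Server-IP        Server-UUID                           Server-Name
---  ---------------  ------------------------------------  --------------------
1    10.95.5.159      NA                                    NA
2    10.95.5.159      NA                                    NA
3    10.95.5.151      41483531-3141-5553-4537-31324e353646  phx2-dc-pod5-hv1
"""

# Constructed degraded output: the VEM reports a non-ok status ("absent" is a
# placeholder, not a real NX-OS status) and an older image than the supervisors.
SAMPLE_DEGRADED = (SAMPLE_OUTPUT
                   .replace("  ok", "  absent")
                   .replace("SV1(0.42)  0.4", "SV1(0.41)  0.4"))


def parse_show_module(text):
    """Return {module_number: {...}} merged from the tables in `text`."""
    modules = {}
    section = None
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("-"):
            continue
        if parts[0] == "Mod":          # table header: its last column names the table
            section = parts[-1]        # "Status", "Hw" or "Server-Name"
            continue
        if not parts[0].isdigit():
            continue
        entry = modules.setdefault(int(parts[0]), {})
        if section == "Status":
            if parts[-1] == "*":       # trailing "*" marks the active supervisor
                parts = parts[:-1]
            entry["status"] = parts[-1]
            entry["model"] = parts[-2]
            entry["type"] = " ".join(parts[2:-2])
            entry["ports"] = int(parts[1])
        elif section == "Hw":
            entry["sw"], entry["hw"] = parts[1], parts[2]
        elif section == "Server-Name":
            entry["server_ip"], entry["server_uuid"], entry["server_name"] = parts[1:4]
    return modules


def check_modules(text):
    """Return a list of findings; an empty list means the install looks healthy."""
    modules = parse_show_module(text)
    findings = []
    vsms = {m: e for m, e in modules.items() if e.get("type") == "Virtual Supervisor Module"}
    vems = {m: e for m, e in modules.items() if e.get("type") == "Virtual Ethernet Module"}

    states = sorted(e["status"] for e in vsms.values())
    if states != ["active", "ha-standby"]:
        findings.append(f"VSM HA pair not healthy: supervisor states {states}")
    if not vems:
        findings.append("no VEM registered: VIB not installed or host not added")
    for mod, e in vems.items():
        if e.get("status") != "ok":
            findings.append(f"module {mod} (VEM on {e.get('server_ip', '?')}) "
                            f"status is {e.get('status')}, expected ok")
    active = [e for e in vsms.values() if e["status"] == "active"]
    if active:
        want = active[0].get("sw")
        for mod, e in modules.items():
            if e.get("sw") != want:
                findings.append(f"module {mod} runs {e.get('sw')}, active VSM runs {want}")
    return findings


if __name__ == "__main__":
    for label, text in (("healthy", SAMPLE_OUTPUT), ("degraded", SAMPLE_DEGRADED)):
        print(label, check_modules(text) or "OK")
```

The version check matters beyond tidiness: a VEM left on an older image after a VSM upgrade is a host running different code from the rest of the switch, which is exactly the kind of drift that goes unnoticed until a feature or fix silently does not apply there.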

Migrating to the Cisco Nexus 1000V
- The Migration Wizard enables simple migration from the vSwitch to the Cisco Nexus 1000V