cisco virtualized network services: ready for your cloud
Posted on 19-Jan-2015
Cisco Confidential. © 2010 Cisco and/or its affiliates. All rights reserved.
Cisco Virtualized Network Services: Ready for Your Cloud
Soumen Chatterjee, Product Manager, Data Center Group
Cisco Nexus 1000V Portfolio

[Figure: Nexus 1000V portfolio. A Nexus 1010 virtual appliance hosts the virtual service blades (primary and secondary VSM, NAM, VSG, DCNM). Three VEMs, each with vPath and VXLAN, run on VMware ESX, Windows Server 2012 and an open-source hypervisor, with Layer 3 connectivity to the VSM; vWAAS, VSG and ASA 1000V are the vPath-attached services.]

Components:
• VSM: Virtual Supervisor Module
• VEM: Virtual Ethernet Module
• vPath: Virtual Service Data-path
• VXLAN: Scalable Segmentation
• VSG: Virtual Security Gateway
• vWAAS: Virtual WAAS
• ASA 1000V: Tenant-edge security

Virtual Service Blades (Nexus 1010): Virtual Supervisor Module (VSM), Network Analysis Module (NAM), Virtual Security Gateway (VSG), Data Center Network Manager (DCNM)

VXLAN:
• 16M address space for LAN segments
• Network virtualization (MAC-over-UDP)

vPath:
• Service binding (traffic steering)
• Fast-path offload
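The "MAC-over-UDP" encapsulation and the "16M segments" figure above come straight from the VXLAN header: the inner Ethernet frame is carried in a UDP datagram (port 4789) behind an 8-byte header whose 24-bit VXLAN Network Identifier (VNI) is what separates one tenant's segment from another's. The following is an added example, not Cisco's code or anything from the Nexus 1000V; it builds and decodes that header per RFC 7348. The inner frame, MAC addresses and VNI values are constructed for the example, and the strict rejection of reserved bits is a design choice of this parser (the RFC says receivers ignore them).

```python
# Added example (not Cisco's code): build and parse the VXLAN header (RFC 7348)
# to show MAC-over-UDP encapsulation and the 24-bit VNI behind "16M segments".
# Header layout: flags(8) | reserved(24) | VNI(24) | reserved(8), network order.
# The inner frame, MACs and VNI values below are constructed for the example.
import struct

VXLAN_UDP_PORT = 4789          # IANA port used by the encapsulating UDP header
VXLAN_FLAG_I = 0x08            # "I" flag: the VNI field carries a valid value
VNI_MAX = (1 << 24) - 1        # 24-bit VNI: 16,777,216 segments (0..16,777,215)


def build_vxlan(vni: int, inner_frame: bytes) -> bytes:
    """Prepend an 8-byte VXLAN header to an inner Ethernet frame (the UDP payload)."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    word0 = VXLAN_FLAG_I << 24          # flags in the top byte, reserved bits zero
    word1 = vni << 8                    # VNI in the top 24 bits, reserved byte zero
    return struct.pack("!II", word0, word1) + inner_frame


def parse_vxlan(udp_payload: bytes, strict: bool = True) -> dict:
    """Decode the VXLAN header and the inner Ethernet header.

    RFC 7348 has receivers ignore the reserved bits; strict=True rejects
    them instead, a reasonable choice for a validation or monitoring tool
    that wants to flag non-conforming or hand-crafted encapsulation.
    """
    if len(udp_payload) < 8 + 14:
        raise ValueError("too short for a VXLAN header plus inner Ethernet header")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    flags, reserved0 = word0 >> 24, word0 & 0x00FFFFFF
    vni, reserved1 = word1 >> 8, word1 & 0xFF
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: frame carries no valid VNI")
    if strict and (flags & ~VXLAN_FLAG_I or reserved0 or reserved1):
        raise ValueError("reserved bits set: non-conforming VXLAN header")
    inner = udp_payload[8:]
    return {
        "vni": vni,
        "inner_dst_mac": inner[0:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_payload": inner[14:],
    }


# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, placeholder payload.
INNER_FRAME = (bytes.fromhex("005056a1b2c3") + bytes.fromhex("005056d4e5f6")
               + b"\x08\x00" + b"constructed-ipv4-payload")


def demo() -> dict:
    """Same inner frame on two VNIs: identical MACs, yet two distinct segments,
    because segment identity comes from the VNI rather than from MAC or VLAN."""
    tenant_a = parse_vxlan(build_vxlan(5000, INNER_FRAME))
    tenant_b = parse_vxlan(build_vxlan(5001, INNER_FRAME))
    assert tenant_a["inner_src_mac"] == tenant_b["inner_src_mac"]
    return {"tenant_a_vni": tenant_a["vni"], "tenant_b_vni": tenant_b["vni"],
            "segments_available": VNI_MAX + 1}


if __name__ == "__main__":
    print(demo())
```

The header itself carries no authentication or integrity protection, so the 16M segments isolate tenants only as long as the underlay is controlled: any host that can send UDP/4789 to a VTEP can put a frame on whatever VNI it chooses.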
Cisco's Virtual Security Portfolio: Tenant edge and intra-tenant firewall

[Figure: ASA 1000V for external / multi-tenant edge deployment; Virtual Security Gateway for zone-based segmentation of VMs. Both attach through vPath on the Nexus 1000V in the hypervisor and are managed by the Virtual Network Management Center (VNMC).]
Introducing Virtual Security Gateway: Stateful virtual FW for Nexus 1000V

• Context-aware security: VM context-aware rules
• Zone-based controls: establish zones of trust
• Dynamic, agile: policies follow vMotion
• Best-in-class architecture: efficient, fast, scale-out software (with vPath intelligence)
• Non-disruptive operations: the security team manages security
• Policy-based administration: central management, scalable deployment, multi-tenancy
• Designed for automation: XML API, security profiles

[Figure: Virtual Network Management Center (VNMC) managing the Virtual Security Gateway (VSG).]
Virtual Security Gateway for Nexus 1000V: Context-based, virtualization-aware, multi-tenant workload segmentation for data centers and clouds

[Figure: VMs on several hosts attached to the Nexus 1000V distributed virtual switch; vPath steers traffic to an active VSG with a stand-by VSG; VNMC manages policy and receives log/audit data.]

• Secure segmentation (VLAN agnostic)
• Efficient deployment (secure multiple hosts)
• Transparent insertion (topology agnostic)
• High availability
• Dynamic policy-based provisioning
• Mobility aware (policies follow vMotion)

VNMC: Virtual Network Management Center
Use Case – Secure Multi-tenancy: Secure zoning of a 3-tier application workload

[Figure: Tenant_A and Tenant_B each run a Web Server, App Server and DB server tier. An ASA firewall provides inter-tenant edge control (VLAN based); VSG provides secure zoning inside each tenant.]

Zoning policy:
• Ports 80 (HTTP) and 443 (HTTPS) of Web Servers open
• Only port 22 (SSH) of App Servers open
• All other traffic denied
• Only permit Web Servers access to App Servers via HTTP/HTTPS
• Only permit App Servers access to DB servers
VSG Policy: Rule (ACE) Construct

A rule consists of a source condition, a destination condition and an action. Each condition names an attribute type, an operator and a value.

Attribute types: Network, VM, User Defined, vZone

Operators: eq, neq, gt, lt, range, not-in-range, prefix; member, not-member, contains

VM attributes: Instance Name, Guest OS full name, Guest OS host name, Parent App Name, Cluster Name, Hypervisor Name, Resource-pool, Port Profile Name, Zone Name

Network attributes: IP Address, Network Port

ACE: Access Control Entry
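The rule construct above and the 3-tier zoning use case before it describe the same thing from two sides: a policy is an ordered list of (source condition, destination condition, action) entries, where conditions match on VM attributes (port profile, guest OS, zone membership) or network attributes (IP prefix, port) rather than on VLANs. The following is an added example, not Cisco's code or the VSG implementation, that evaluates such a policy against constructed endpoints; zone names, port-profile names, VM names and addresses are assumptions made for the example, and it encodes the five zoning statements from the use case slide as rules.

```python
# Added example (not Cisco's code or the VSG implementation): a first-match,
# zone-based policy evaluator modelled on the rule (ACE) construct above:
# source condition + destination condition + action, attribute/operator
# matching, and vZones defined on VM attributes. Zone names, port-profile
# names, VM names and addresses are constructed for the example.
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Condition:
    attr: str      # "port_profile", "ip", "port", "zone", ...
    op: str        # eq, neq, gt, lt, range, not-in-range, prefix, member, not-member, contains
    value: object


@dataclass(frozen=True)
class Rule:
    name: str
    src: tuple     # source conditions, all must match; () matches any source
    dst: tuple     # destination conditions, all must match
    action: str    # "permit" or "deny"


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    port_profile: str
    guest_os: str = "unknown"

    def attrs(self) -> dict:
        return {"instance_name": self.name, "ip": self.ip,
                "port_profile": self.port_profile, "guest_os": self.guest_os}


# vZones: a zone is a named set of VM-attribute conditions, so membership is
# decided by what the VM is (its port profile here), not by VLAN or IP address.
ZONES = {
    "web": (Condition("port_profile", "eq", "pp-web"),),
    "app": (Condition("port_profile", "eq", "pp-app"),),
    "db":  (Condition("port_profile", "eq", "pp-db"),),
}


def _compare(op: str, actual, expected) -> bool:
    if op == "eq":           return actual == expected
    if op == "neq":          return actual != expected
    if op == "gt":           return actual > expected
    if op == "lt":           return actual < expected
    if op == "range":        return expected[0] <= actual <= expected[1]
    if op == "not-in-range": return not expected[0] <= actual <= expected[1]
    if op == "prefix":       return ipaddress.ip_address(actual) in ipaddress.ip_network(expected)
    if op == "member":       return actual in expected
    if op == "not-member":   return actual not in expected
    if op == "contains":     return expected in actual
    raise ValueError(f"unknown operator {op!r}")


def condition_matches(attrs: dict, cond: Condition) -> bool:
    if cond.attr == "zone":   # zone membership is evaluated from the zone's own conditions
        in_zone = all(condition_matches(attrs, c) for c in ZONES[cond.value])
        if cond.op == "member":     return in_zone
        if cond.op == "not-member": return not in_zone
        raise ValueError("zone conditions take member / not-member")
    if cond.attr not in attrs:
        return False          # endpoint lacks the attribute: the condition cannot match
    return _compare(cond.op, attrs[cond.attr], cond.value)


def evaluate(policy: list, src: VM, dst: VM, proto: str, dst_port: int) -> tuple:
    """First matching rule wins; unmatched traffic hits the implicit deny."""
    src_attrs = src.attrs()
    dst_attrs = {**dst.attrs(), "port": dst_port, "protocol": proto}
    for rule in policy:
        if (all(condition_matches(src_attrs, c) for c in rule.src)
                and all(condition_matches(dst_attrs, c) for c in rule.dst)):
            return rule.action, rule.name
    return "deny", "implicit-deny"     # "All other traffic denied"


# The 3-tier zoning from the use case slide, as an ordered rule list.
TENANT_A_POLICY = [
    Rule("web-ingress", (), (Condition("zone", "member", "web"),
                             Condition("port", "member", (80, 443))), "permit"),
    Rule("app-ssh", (), (Condition("zone", "member", "app"),
                         Condition("port", "eq", 22)), "permit"),
    Rule("web-to-app", (Condition("zone", "member", "web"),),
         (Condition("zone", "member", "app"), Condition("port", "member", (80, 443))), "permit"),
    Rule("app-to-db", (Condition("zone", "member", "app"),),
         (Condition("zone", "member", "db"),), "permit"),
]

# Constructed endpoints for Tenant_A; the client belongs to no zone.
CLIENT = VM("internet-client", "203.0.113.10", "pp-none")
WEB = VM("web-01", "10.1.1.10", "pp-web", "Linux")
APP = VM("app-01", "10.1.2.10", "pp-app", "Linux")
DB = VM("db-01", "10.1.3.10", "pp-db", "Linux")

if __name__ == "__main__":
    for s, d, port in [(CLIENT, WEB, 443), (CLIENT, APP, 443), (WEB, APP, 443),
                       (WEB, DB, 3306), (APP, DB, 3306)]:
        print(f"{s.name} -> {d.name}:{port}", evaluate(TENANT_A_POLICY, s, d, "tcp", port))
```

Two things worth checking in any such policy: rule order, since the first match wins and a broad permit placed early shadows later denies; and source scope, since the "only port 22 of App Servers open" statement as written on the slide permits SSH from any source, which in practice would be narrowed with a source condition such as an IP prefix for the management network. Because zone membership is derived from the port profile, the same web VM evaluated with a different IP address (as after vMotion) gets the same verdict.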
Virtual Multi-Service Data Center Security Framework

Security Management:
• Visibility
• Event correlation, syslog, centralized authentication
• Forensics
• Anomaly detection
• Compliance

Infrastructure Security:
• Infrastructure security features are enabled to protect the device, traffic plane and control plane
• 802.1AE and vPC provide internal/external separation

Services:
• IPS/IDS provide traffic analysis and forensics
• Network Analysis provides traffic monitoring and data analysis
• Server load balancing masks servers and applications
• Initial filter for DC ingress and egress traffic; virtual contexts are used to split policies for server-to-server filtering
• Additional firewall services for server-farm-specific protection

[Figure: layered data center (Core, Aggregation, Services, Access, Virtual Access / UCS, Storage) with the controls listed per layer: ACLs, Port Security, VN-Tag, NetFlow, ERSPAN, QoS, CoPP, DHCP snooping; virtual firewall, real-time monitoring, firewall rules; data security with authentication and access control; port security, authentication, QoS features.]
Virtual Multi-Service Data Center Tiered Security in VMDC 2.2

[Figure: a public/shared VRF feeds a per-tenant ASA context and a protected VRF (control point). Inside the tenant's private VRF, the Nexus 1000V VSG with vPath enforces zones: a Public Zone (DMZ) and a Protected FE zone as the less trusted front-end zones, and back-end Zones 1, 2 and 3 with Sub-Zones W, X, Y and Z. Perimeters shown: front-end tenant perimeter, back-end tenant perimeter and back-end management perimeter.]
ASA 1000V
Cisco's Virtual Security Portfolio

• Virtual ASA provides a consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• The solution provides:
  Increased flexibility and operational efficiency via vPath (Nexus 1000V)
  Dynamic, context-aware, multi-tenant management via VNMC

[Figure: Tenant A and Tenant B, each a VDC holding vApps on vSphere, with an ASA 1000V at each tenant edge and VSGs inside; Nexus 1000V with vPath underneath; managed by the Virtual Network Management Center (VNMC) alongside VMware vCenter.]
ASA 1000V: Features and Capabilities

• IPsec VPN (site-to-site)
• NAT
• DHCP
• Default gateway
• Static routing
• Stateful inspection
• IP audit
• Built using ASA technology
• Support for VXLAN
• Multi-tenant management via VNMC
• Interoperability with VSG via service chaining
Virtual WAAS (Availability: shipping)
Cisco Virtual WAAS: Cloud-ready WAN Optimization

[Figure: Virtual WAAS "appliances" on an ESX/ESXi hypervisor with Nexus 1000V and vPath, running on UCS / x86 servers: Virtual WAAS on Nexus 1000V with vPath.]

Features:
• Allows agile, elastic and multi-tenant deployment
• Supports DRE cache in SAN
• Policy-based provisioning with Nexus 1000V
• Extends the WAAS solution portfolio

Business benefits:
• Business agility with on-demand orchestration
• Lower operational cost, reduced migration risk
• Fault tolerance with VM mobility awareness
vWAAS Provides Flexible Deployment Options

[Figure: WAN or Internet into the data center. Option 1: Nexus 2K/5K switches redirect traffic with WCCP to vWAAS on a VMware ESXi server (UCS / x86) serving UCS compute, both virtualized and physical servers. Option 2: vWAAS on VMware ESXi servers with Nexus 1000V, traffic steered by vPath.]

1. Stand-alone
• Traditional WAN edge deployment at branch and DC
• Gradual migration from physical to virtual
• Multi-tenancy support

2. vPath-integrated
• Redirection using vPath at the VM level
• Elastic provisioning
• Multi-tenancy support
Cisco Virtual Networking and Security Solution: Nexus 1000V, CSR 1000V, ASA 1000V, VSG and vWAAS Deployment

Nexus 1000V
• Distributed switch
• NX-OS consistency

VSG
• VM-level controls
• Zone-based FW

ASA 1000V
• Edge firewall, VPN
• Protocol inspection

vWAAS
• WAN optimization
• Application traffic

CSR 1000V (Cloud Router)
• WAN L3 gateway
• Routing and VPN

[Figure: physical infrastructure (WAN router, switches, servers) beneath a virtualized/cloud data center. Tenant A holds Zone A and Zone B behind an ASA 1000V, with vWAAS, VSG, VXLAN and the CSR 1000V on a multi-hypervisor Nexus 1000V with vPath.]
CSR 1000V
Single-Tenant WAN Gateway in Shared Multi-tenant Clouds: Can be deployed by Enterprises or Cloud Providers

[Figure: Enterprise A and Enterprise B, each with a DC (ASR) and branches (ISR), reach a cloud provider's data center over MPLS or the Internet. Above the provider's physical infrastructure (WAN router, switches, servers), the virtual infrastructure gives Tenant A and Tenant B each their own CSR 1000V and ASA 1000V.]

Enterprise use cases:
• Secure VPN gateway
• L3 extension
• Tenant firewall

Cloud provider use cases:
• Secure VPN gateway
• MPLS extension
• Tenant firewall
Thank you.