cisco virtualized network services: ready for your cloud

Page 1: Cisco Virtualized Network Services: Ready for Your Cloud

Soumen Chatterjee, Product Manager, Data Center Group

© 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Upload: cisco-data-center

Post on 19-Jan-2015



Page 2: Cisco Nexus 1000 Portfolio

[Diagram: Nexus 1010 virtual appliance hosting virtual service blades: Virtual Supervisor Module (VSM, primary and secondary), Network Analysis Module (NAM), Virtual Security Gateway (VSG) and Data Center Network Manager (DCNM); VEM-1 on VMware ESX, VEM-2 on Win Server 2012 and VEM-3 on an open-source hypervisor, each with vPath and VXLAN, reaching the VSM over L3 connectivity; vWAAS and ASA 1000V virtual appliances alongside.]

VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
vPath: Virtual Service Data-path
VXLAN: Scalable Segmentation
VSG: Virtual Security Gateway
vWAAS: Virtual WAAS
ASA 1000V: Tenant-edge security

VXLAN
• 16M address space for LAN segments
• Network Virtualization (MAC-over-UDP)

vPath
• Service Binding (Traffic Steering)
• Fast-Path Offload
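The "MAC-over-UDP" and "16M address space" bullets describe the VXLAN encapsulation the Nexus 1000V uses for segmentation. As an added example (not Cisco's code and not part of this deck), the Python below builds a constructed VXLAN packet and decapsulates it the way a monitoring tool that needs to see tenant-side MAC addresses would: it validates the UDP port and the VXLAN I flag before trusting the packet, and reads the 24-bit VNI whose range (2^24 = 16,777,216) is the "16M" on the slide. The header layout follows RFC 7348; the addresses, ports and payload are constructed sample values.

```python
"""Added example (not Cisco's code): build and decapsulate a VXLAN packet.
Layout per RFC 7348: outer IPv4 + UDP (dst 4789) + 8-byte VXLAN header +
inner Ethernet frame. All addresses and payloads below are constructed."""
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN UDP port
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field is valid
VNI_SEGMENTS = 1 << 24         # 24-bit VNI -> 16,777,216 segments (the slide's "16M")


def vni_is_valid(vni: int) -> bool:
    """A VNI must fit in 24 bits."""
    return 0 <= vni < VNI_SEGMENTS


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def build_ethernet(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Inner (tenant) Ethernet frame: dst MAC, src MAC, EtherType, payload."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_vxlan_packet(vni: int, inner_frame: bytes,
                       src_ip: bytes = bytes([10, 0, 0, 1]),
                       dst_ip: bytes = bytes([10, 0, 0, 2])) -> bytes:
    """Outer IPv4 + UDP + VXLAN header + inner frame (checksums left 0 for brevity)."""
    if not vni_is_valid(vni):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags(1) reserved(3) | VNI(3) reserved(1)
    vxlan_hdr = struct.pack("!I", VXLAN_FLAG_VNI_VALID << 24) + struct.pack("!I", vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    # IPv4: ver/ihl, tos, total length, id, flags/frag (DF), ttl, proto 17 (UDP), csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0, src_ip, dst_ip)
    return ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def parse_vxlan(packet: bytes) -> dict:
    """Decapsulate one VXLAN packet; reject anything that is not well-formed VXLAN."""
    if len(packet) < 20 + 8 + 8 + 14:
        raise ValueError("packet too short for IPv4/UDP/VXLAN/Ethernet")
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("not IPv4/UDP")
    ihl = (packet[0] & 0x0F) * 4
    _src_port, dst_port, _udp_len, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx = packet[ihl + 8:ihl + 16]
    if not vx[0] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI invalid")
    vni = int.from_bytes(vx[4:7], "big")          # 24-bit segment identifier
    inner = packet[ihl + 16:]
    ethertype = struct.unpack("!H", inner[12:14])[0]
    return {"vni": vni, "inner_dst_mac": mac_str(inner[:6]),
            "inner_src_mac": mac_str(inner[6:12]), "ethertype": ethertype,
            "payload": inner[14:]}


def decap_or_reason(packet: bytes):
    """Return (parsed, None) or (None, reason) so a collector can log why a packet was dropped."""
    try:
        return parse_vxlan(packet), None
    except ValueError as exc:
        return None, str(exc)


# Constructed sample: a frame from a tenant VM carried on VNI 0x00ABCD.
SAMPLE_FRAME = build_ethernet(bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb"),
                              0x0800, b"constructed-payload")
SAMPLE_PACKET = build_vxlan_packet(0x00ABCD, SAMPLE_FRAME)

if __name__ == "__main__":
    print(parse_vxlan(SAMPLE_PACKET))
```

Because the VNI, not the outer IP header, identifies the tenant segment, any collector (NetFlow, ERSPAN or NAM-style analysis) placed outside the VEM must decapsulate before it can attribute inner MAC addresses to a segment; the checks on the port and I flag keep a malformed or non-VXLAN UDP datagram from being mis-attributed.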

Page 3: Cisco's Virtual Security Portfolio: Tenant edge and intra-tenant firewall

[Diagram: ASA 1000V for external / multi-tenant edge deployment and Virtual Security Gateway for zone-based segmentation of VMs, both running over the hypervisor and Nexus 1000V with vPath, managed by the Virtual Network Management Center (VNMC).]

Page 4: Introducing Virtual Security Gateway: Stateful virtual FW for Nexus 1000V

• Context aware Security: VM context aware rules
• Zone based Controls: establish zones of trust
• Dynamic, Agile: policies follow vMotion
• Best-in-class Architecture: efficient, fast, scale-out SW (with vPath intelligence)
• Non-Disruptive Operations: security team manages security
• Policy Based Administration: central mgmt, scalable deployment, multi-tenancy
• Designed for Automation: XML API, security profiles

[Diagram: Virtual Network Management Center (VNMC) managing the Virtual Security Gateway (VSG).]

Page 5: Virtual Security Gateway for Nexus 1000V: Context-based, Virtualization-aware, Multi-tenant, Workload Segmentation for Data Centers and Clouds

[Diagram: VMs on several hosts attached to the Nexus 1000V distributed virtual switch; vPath steers traffic to the active VSG, with a stand-by VSG for failover; VNMC manages policy and receives log/audit data.]

• Secure Segmentation (VLAN agnostic)
• Efficient Deployment (secure multiple hosts)
• Transparent Insertion (topology agnostic)
• High Availability
• Dynamic policy-based provisioning
• Mobility aware (policies follow vMotion)

VNMC: Virtual Network Management Center

Page 6: Use Case – Secure Multi-tenancy: Secure zoning of 3-Tier Application Workload

[Diagram: Tenant_A and Tenant_B each with Web Server, App Server and DB server zones; an ASA firewall for inter-tenant edge control (VLAN based); VSG for secure zoning within each tenant.]

Zoning policy:
• Port 80 (HTTP) and 443 (HTTPS) of Web Servers open
• Only Port 22 (SSH) of App Servers open
• All other traffic denied
• Only permit Web Servers access to App servers via HTTP/HTTPS
• Only permit App servers access to DB servers

Page 7: VSG Policy: Rule (ACE) Construct

Rule = Source Condition + Destination Condition + Action

Condition = Attribute Type + Operator
• Attribute Type: Network, VM, User Defined, vZone
• Operators: eq, neq, gt, lt, range, not-in-range, prefix
• Operators: member, not-member, contains

VM Attributes: Instance Name, Guest OS full name, Guest OS host name, Parent App Name, Cluster Name, Hypervisor Name, Resource-pool, Port Profile Name, Zone Name

Network Attributes: IP Address, Network Port

ACE: Access Control Entry
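The rule construct on this page and the 3-tier zoning policy on Page 6 can be expressed as a small first-match policy engine. The Python below is an added example, not VSG or VNMC code: the attribute keys (vm.zone_name, net.port, net.ip), the zone names, the rule names and the sample flows are constructed for illustration. It encodes Tenant_A's policy as ACEs built from the operators listed above (eq, member, prefix, range and the rest) over VM and network attributes, and shows that every flow the slide does not explicitly permit, including a flow from another tenant's zone, falls through to the implicit deny.

```python
"""Added example (not Cisco's code): a toy evaluator for the VSG rule (ACE)
construct, exercised with the Tenant_A zoning policy from Page 6.
Attribute keys, zone names and sample flows are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Any, Callable, Dict, List, Tuple

# Operators from the ACE construct. "range"/"not-in-range" take a (low, high)
# pair, "prefix" takes a CIDR, set operators take a collection (or a substring
# for "contains" on a string attribute such as the guest OS full name).
OPERATORS: Dict[str, Callable[[Any, Any], bool]] = {
    "eq": lambda v, a: v == a,
    "neq": lambda v, a: v != a,
    "gt": lambda v, a: v > a,
    "lt": lambda v, a: v < a,
    "range": lambda v, a: a[0] <= v <= a[1],
    "not-in-range": lambda v, a: not (a[0] <= v <= a[1]),
    "prefix": lambda v, a: ip_address(v) in ip_network(a),
    "member": lambda v, a: v in a,
    "not-member": lambda v, a: v not in a,
    "contains": lambda v, a: a in v,
}


@dataclass
class Condition:
    attribute: str   # "vm.<attr>" (VM attribute) or "net.<attr>" (network attribute); constructed keys
    operator: str    # one of OPERATORS
    argument: Any

    def matches(self, attrs: Dict[str, Any]) -> bool:
        # A missing attribute never matches: unknown context must not open a hole.
        if self.attribute not in attrs:
            return False
        return OPERATORS[self.operator](attrs[self.attribute], self.argument)


@dataclass
class Rule:
    name: str
    src: Tuple[Condition, ...]   # source conditions (all must hold; empty = any source)
    dst: Tuple[Condition, ...]   # destination conditions (all must hold)
    action: str                  # "permit" or "drop"

    def matches(self, src_attrs: Dict[str, Any], dst_attrs: Dict[str, Any]) -> bool:
        return all(c.matches(src_attrs) for c in self.src) and \
               all(c.matches(dst_attrs) for c in self.dst)


def evaluate(rules: List[Rule], src_attrs: Dict[str, Any], dst_attrs: Dict[str, Any]) -> Tuple[str, str]:
    """First matching rule wins; no match falls to the implicit deny
    ("all other traffic denied" on Page 6). Returns (action, rule name)."""
    for rule in rules:
        if rule.matches(src_attrs, dst_attrs):
            return rule.action, rule.name
    return "drop", "implicit-deny"


def zone(name: str) -> Condition:
    return Condition("vm.zone_name", "eq", name)


# Tenant_A policy from Page 6 as ACEs. Zone names are constructed.
TENANT_A_POLICY: List[Rule] = [
    Rule("web-public", (), (zone("TenantA-Web"), Condition("net.port", "member", {80, 443})), "permit"),
    Rule("app-ssh", (), (zone("TenantA-App"), Condition("net.port", "eq", 22)), "permit"),
    Rule("web-to-app", (zone("TenantA-Web"),),
         (zone("TenantA-App"), Condition("net.port", "member", {80, 443})), "permit"),
    Rule("app-to-db", (zone("TenantA-App"),), (zone("TenantA-DB"),), "permit"),
]


def flow(src_zone, dst_zone: str, dst_port: int, src_ip: str = "192.0.2.10") -> Tuple[str, str]:
    """Evaluate one constructed flow; src_zone None means a host outside any VSG zone."""
    src: Dict[str, Any] = {"net.ip": src_ip}
    if src_zone:
        src["vm.zone_name"] = src_zone
    dst: Dict[str, Any] = {"vm.zone_name": dst_zone, "net.port": dst_port}
    return evaluate(TENANT_A_POLICY, src, dst)


if __name__ == "__main__":
    for s, d, p in [(None, "TenantA-Web", 443), (None, "TenantA-App", 8080),
                    ("TenantA-Web", "TenantA-App", 443), ("TenantA-Web", "TenantA-DB", 3306),
                    ("TenantA-App", "TenantA-DB", 3306), ("TenantB-Web", "TenantA-App", 443)]:
        print(f"{s or 'outside':>12} -> {d}:{p:<5} {flow(s, d, p)}")
```

Two design points carry over to real zone policy: a condition on an attribute the flow context lacks evaluates to no match rather than to a match, and the last line of evaluate is the only place an unmatched flow can go, so the deny posture does not depend on an administrator remembering to append a catch-all rule.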

Page 8: Virtual Multi-Service Data Center Security Framework

Security Management
• Visibility
• Event correlation, syslog, centralized authentication
• Forensics
• Anomaly detection
• Compliance

Infrastructure Security
• Infrastructure Security features are enabled to protect device, traffic plane and control plane
• 802.1AE and vPC provide internal/external separation

Services
• IPS/IDS provide traffic analysis and forensics
• Network Analysis provides traffic monitoring and data analysis
• Server load balancing masks servers and applications

Services
• Initial filter for DC ingress and egress traffic. Virtual Context used to split policies for server-to-server filtering
• Additional firewall services for server farm specific protection

[Diagram: tiers Core, Aggregation, Services, Access, UCS Virtual Access and Storage, annotated with: data security, authenticate & access control; port security, authentication, QoS features; Virtual Firewall, Real-time Monitoring, Firewall Rules; ACLs, Port Security, VN-Tag, NetFlow, ERSPAN, QoS, CoPP, DHCP snooping.]

Page 9: Virtual Multi-Service Data Center Tiered Security in VMDC 2.2

[Diagram: a Public/Shared VRF feeding a per-tenant ASA Context, behind which a Protected VRF (control point) leads into the Private (Tenant VRF); Nexus 1000V VSG with vPath enforces Public Zone (DMZ), Protected FE Zone, Zone 1, Zone 2, Zone 3 and Sub-Zones W, X, Y, Z; Less Trusted Zones and Front-end Zones sit behind the Front-end Tenant Perimeter, Back-end Zones behind the Back-end Tenant Perimeter and the Back-end Management Perimeter.]

Page 10: ASA 1000V

Page 11: Cisco's Virtual Security Portfolio

• Virtual ASA provides consistent ASA feature set to secure the tenant edge
• VSG complements Virtual ASA to secure intra-tenant VM-to-VM traffic
• Solution provides:
  – Increased flexibility and operational efficiency via vPath (Nexus 1000V)
  – Dynamic, context-aware, multi-tenant management via VNMC

[Diagram: Tenant A and Tenant B VDCs with vApps on vSphere over Nexus 1000V with vPath; one ASA 1000V per tenant at the edge and VSGs inside each tenant; Virtual Network Management Center (VNMC) alongside VMware vCenter.]

Page 12: ASA 1000V: Features and Capabilities

• IPsec VPN (Site-to-Site)
• NAT
• DHCP
• Default Gateway
• Static Routing
• Stateful Inspection
• IP Audit
• Built using ASA technology
• Support for VXLAN
• Multi-tenant management via VNMC
• Inter-operability with VSG via Service Chaining

Page 13: Virtual WAAS (Availability: shipping)

Page 14: Cisco Virtual WAAS: Cloud-ready WAN Optimization

[Diagram: Virtual WAAS "appliances" on Nexus 1000V with vPath, running on an ESX/ESXi hypervisor with Nexus 1000 on UCS / x86 servers.]

FEATURES
• Allows Agile, Elastic, & Multi Tenant Deployment
• Supports DRE Cache in SAN
• Policy-based Provisioning w/ Nexus 1000V
• Extends WAAS Solution Portfolio

BUSINESS BENEFITS
• Business Agility with on-demand orchestration
• Lower operational cost, reduced migration risk
• Fault-tolerance with VM mobility awareness

Page 15: vWAAS Provides Flexible Deployment Options

1. Stand-alone
• Traditional WAN Edge Deployment at Branch and DC
• Gradual migration from Physical to Virtual
• Multi-tenancy support

2. vPath-integrated
• Re-direction using vPath @ VM level
• Elastic provisioning
• Multi-tenancy support

[Diagram: WAN or Internet reaching UCS compute (virtualized and physical servers); stand-alone vWAAS on a VMware ESXi server (UCS / x86) receives traffic via WCCP from Nexus 2K/5K; vPath-integrated vWAAS runs on VMware ESXi servers with Nexus 1000V, each host with vPath.]

Page 16: Cisco Virtual Networking and Security Solution: Nexus 1000V, CSR 1000V, ASA 1000V, VSG, and vWAAS Deployment

Nexus 1000V
• Distributed switch
• NX-OS consistency

VSG
• VM-level controls
• Zone-based FW

ASA 1000V
• Edge firewall, VPN
• Protocol Inspection

vWAAS
• WAN optimization
• Application traffic

CSR 1000V (Cloud Router)
• WAN L3 gateway
• Routing and VPN

[Diagram: Physical Infrastructure (WAN Router, Switches, Servers) beneath a multi-hypervisor Virtualized/Cloud Data Center; Tenant A with ASA 1000V at the edge, Zone A and Zone B behind VSG, vWAAS and CSR 1000V, all on Nexus 1000V with vPath and VXLAN.]

Page 17: CSR 1000V

Page 18: Single-Tenant WAN Gateway in Shared Multi-tenant Clouds: Can be deployed by Enterprises or Cloud Providers

Enterprise Use Cases
• Secure VPN Gateway
• L3 Extension
• Tenant Firewall

Cloud Provider Use Cases
• Secure VPN Gateway
• MPLS Extension
• Tenant Firewall

[Diagram: Enterprise A and Enterprise B reach the Cloud Provider's Data Center over MPLS and the Internet from their DC (ASR) and Branch (ISR) routers; inside the provider, a CSR 1000V per tenant (Tenant A, Tenant B) in the Virtual Infrastructure alongside an ASA 1000V per tenant, over Physical Infrastructure of WAN Router, Switches and Servers.]

Page 19: Thank you.