2. Agenda
• What is Virtualization
• Why Nexus 1000V. What problems does it solve
• Nexus 1000V Architecture
• Nexus 1000V Switching
• Nexus 1000V Port-Profiles
• Nexus 1000V Security Features
• Nexus 1000V Quality of Service
• Nexus 1000V Network Management
• Nexus 1010 /1110x
3. Training Prerequisites
• Understanding of conventional network design
• Understanding of Virtualization
• Understanding & Experience with VMware
• Understanding & Experience with NXOS
• Understanding & Experience with Layer2 Switching
5. Virtualization
• Virtualization is the creation of a virtual (rather than actual)
version of something, such as an operating system, a server, a
storage device or network resources.
– Server virtualization
– Network virtualization
– Storage virtualization
• Never seen it before? You have ;)
– Partitioning a hard disk so that several operating systems can be installed on it is one example
– Creating a Switch Virtual Interface (SVI) is another
6. Virtualization (Cont.)
• Server virtualization components:
– Hypervisor (virtual machine manager): a program that allows multiple operating systems to share a single hardware host.
– Virtual Machine (VM): a software implementation of a computing environment in which an operating system (OS) or program can be installed and run.
7. Virtualization (Cont.)
• ESX/vSphere: A virtualization platform used to create the virtual
machines as a set of configuration and disk files that together perform
all the functions of a physical machine.
• DRS (Distributed Resource Scheduler): Feature that
allocates and balances computing capacity dynamically across collections
of hardware resources for virtual machines. This feature includes
distributed power management (DPM) capabilities that enable a
datacenter to significantly reduce its power consumption.
• DVS (Distributed virtual switch): This is a logical switch that
spans one or more VMware ESX servers.
• Virtual Center (vCenter): the central management control point for virtual infrastructure services, exposing an API through which the VMs are managed.
8. Virtualization (Cont.)
• vMotion: a tool embedded in the vCenter application suite that uses the shared storage, network and server infrastructure to move an entire running virtual machine from one server to another without interrupting it.
• VMkernel: the hypervisor layer of an ESX server that provides the virtualization interface between the hardware and the virtual machines.
• vSwitch: Software Virtual Switch.
11. Nexus Switch Family
Products, from the server edge to the core: Cisco Nexus 1000V and Nexus 1010 (server), Cisco Nexus 2000 and Nexus 5000 (access), Cisco Nexus 7000 (core)
Technologies:
• NX-OS: unified OS for the data center
• Unified Fabric: lossless 10Gb transport for the next-generation DC
• Fibre Channel over Ethernet (FCoE): unified transport for LAN and FC
• VN-Link: virtual-machine-aware network
• RAB, DAL: high performance for HPC environments
• 10GbE: enhanced speed for growing demand
13. Networking Challenges to Scaling Server Virtualization
Security and Policy Enforcement
• Policy is applied at the physical server, not the individual VM
• Impossible to enforce policy for VMs in motion
Operations and Management
• Lack of VM visibility, accountability, and consistency
• Inefficient management model and inability to effectively troubleshoot
Organizational Structure
• Muddled ownership, as the server admin must configure the virtual network
• Organizational redundancy creates compliance challenges
14. Cisco Nexus 1000V
Three pillars: policy-based VM connectivity, mobility of network and security properties, and a non-disruptive operational model.
• Industry’s most advanced software switch for VMware vSphere
• Built on Cisco NX-OS
• Compatible with all switching platforms
• Maintains the vCenter provisioning model unmodified for server administration; allows network administration of the virtual network via the familiar Cisco NX-OS CLI
(Figure: the Nexus 1000V running inside vSphere, with four VMs attached to it.)
15. Cisco Nexus 1000V
Cisco VN-Link (Virtual Network Link) delivers the three pillars above: policy-based VM connectivity, mobility of network and security properties, and a non-disruptive operational model.
(Figure: one Nexus 1000V VSM, alongside vCenter, managing the Nexus 1000V VEM embedded in each of two vSphere hosts; each host carries four VMs.)
16. Cisco Nexus 1000V: Faster VM Deployment
(Figure: the port profiles WEB Apps, HR, DB and DMZ are defined on the VSM and pushed to vCenter, where they appear on the VEM of every vSphere host.)
VM Connection Policy
• Defined in the network
• Applied in Virtual Center
• Linked to the VM UUID
17. Cisco Nexus 1000V: Richer Network Services
(Figure: a VM migrating between two vSphere hosts whose VEMs are managed by one VSM and vCenter; its network and security properties move with it.)
VMs Need to Move
• VMotion
• DRS
• SW Upgrade/Patch
• Hardware Failure
Property Mobility
• VMotion for the network
• Ensures VM security
• Maintains connection state
18. Cisco Nexus 1000V: Increased Operational Efficiency
(Figure: one Nexus 1000V VSM and vCenter managing the VEMs in two vSphere hosts.)
Network Admin Benefits
• Unifies network mgmt and ops
• Improves operational security
• Enhances VM network features
• Ensures policy persistence
• Enables VM-level visibility
VI Admin Benefits
• Maintains existing VM mgmt
• Reduces deployment time
• Improves scalability
• Reduces operational workload
• Enables VM-level visibility
19. VMware vSwitch
• The VMware vSwitch is a very basic L2 switch
• The vSwitch is managed by the server administrator through VMware’s Virtual Center
• The vSwitch doesn’t offer the functionality offered by Cisco access switches
• It is configured independently on each ESX server
(Figure: two VMware ESX servers, each with its own vSwitch and VMs #1 through #8, all managed from Virtual Center.)
25. Cisco Nexus 1000V Component Communication – L2
Two distinct virtual interfaces are used to communicate between the VSMs and the VEMs (Figure: the VSM pair and each Cisco VEM joined by a control (C) and a packet (P) interface across an L2 cloud):
Control
• Carries the low-level messages that ensure proper configuration of the VEM
• Carries a 1-second heartbeat between the VSM and the VEM (timeout 6 seconds)
• Maintains synchronization between the primary and secondary VSMs
Packet
• Carries network packets from the VEM to the VSM, such as CDP, ERSPAN or IGMP control traffic
Both interfaces require Layer 2 connectivity
26. Cisco Nexus 1000V Component Communication – VSM to vCenter
• Communication uses the VMware VIM API over SSL
– Ports 80 and 443
• The connection is set up on the VSM
• Requires installation of the vCenter plug-in (downloaded from the VSM)
• Once the connection is established, the Nexus 1000V is created as a DVS in vCenter
pod5-vsm# show svs connections
connection VC:
hostname: phx2-dc-pod5-vc
ip address: 10.95.5.158
protocol: vmware-vim https
certificate: default
datacenter name: Phx2-Pod5
DVS uuid: df 11 38 50 0a 95 83 4e-95 69 d6 a7 f4 76 4a 7f
config status: Enabled
operational status: Connected
27. Cisco Nexus 1000V Opaque Data
• Each Nexus 1000V requires a global setting on the VSMs and VEMs called Opaque Data
• It contains data such as the control/packet VLANs, the Domain ID and the system port profiles
• The VSM pushes the opaque data to vCenter Server
• vCenter Server pushes the opaque data (OD) to each VEM when it is added
(Figure: the VSM pair sends the OD to vCenter Server, which hands a copy to each of three Cisco VEMs.)
28. Cisco Nexus 1000V Domain
• Each VSM is assigned a unique ‘Domain ID’
• The Domain ID ensures that VEMs do not respond to commands from non-participating VSMs
• Each packet between the VSM and the VEM is tagged with the appropriate Domain ID
• Domain IDs range from 1 to 4095
(Figure: three Cisco VEMs in domain 15 accept commands tagged DID 15 from the active VSM and ignore commands tagged DID 25 from another VSM.)
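The control-channel behaviour of slides 25 and 28, as an added example that is not part of the original deck or of Cisco's software: a VEM model that acts only on messages tagged with its own Domain ID and treats the VSM as lost once the heartbeat stops for longer than the timeout. The 1-second heartbeat, 6-second timeout and 1-4095 domain range are taken from the slides; the message layout and the "config" message kind are assumptions made for the demonstration.

```python
"""Model of the VSM-to-VEM control channel (added example, not Nexus 1000V code):
a VEM accepts only messages carrying its own Domain ID and considers the VSM down
once no heartbeat has arrived for HEARTBEAT_TIMEOUT seconds."""
from dataclasses import dataclass, field
from typing import List, Optional

HEARTBEAT_INTERVAL = 1.0   # seconds between heartbeats (slide 25)
HEARTBEAT_TIMEOUT = 6.0    # seconds without a heartbeat before the VSM is considered down
DOMAIN_MIN, DOMAIN_MAX = 1, 4095


@dataclass
class ControlMessage:
    domain_id: int     # every VSM<->VEM packet carries the Domain ID (slide 28)
    kind: str          # "heartbeat" or "config" (assumed message kinds)
    payload: str = ""
    sent_at: float = 0.0


@dataclass
class Vem:
    domain_id: int
    last_heartbeat: Optional[float] = None
    applied: List[str] = field(default_factory=list)
    dropped: List[ControlMessage] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not DOMAIN_MIN <= self.domain_id <= DOMAIN_MAX:
            raise ValueError("Domain ID must be in the range 1-4095")

    def receive(self, msg: ControlMessage) -> bool:
        """Return True if the message was accepted, False if it was dropped."""
        if msg.domain_id != self.domain_id:
            self.dropped.append(msg)      # foreign VSM: never answered, never applied
            return False
        if msg.kind == "heartbeat":
            self.last_heartbeat = msg.sent_at
        elif msg.kind == "config":
            self.applied.append(msg.payload)
        return True

    def vsm_reachable(self, now: float) -> bool:
        """True while the last accepted heartbeat is within HEARTBEAT_TIMEOUT."""
        if self.last_heartbeat is None:
            return False
        return now - self.last_heartbeat <= HEARTBEAT_TIMEOUT


def simulate() -> dict:
    """Replay the slide's scenario: an active VSM in domain 15, a second VSM in
    domain 25 sending commands, then the active VSM going silent."""
    vem = Vem(domain_id=15)
    for t in range(5):                                   # heartbeats at t = 0..4 s
        vem.receive(ControlMessage(15, "heartbeat", sent_at=t * HEARTBEAT_INTERVAL))
    vem.receive(ControlMessage(15, "config", "port-profile Web", sent_at=2.5))
    vem.receive(ControlMessage(25, "config", "shutdown", sent_at=3.0))   # wrong domain
    vem.receive(ControlMessage(25, "heartbeat", sent_at=4.0))            # wrong domain
    return {
        "applied": list(vem.applied),
        "dropped": len(vem.dropped),
        "alive_at_9s": vem.vsm_reachable(9.0),    # 5 s since the last good heartbeat
        "alive_at_11s": vem.vsm_reachable(11.0),  # 7 s: past the 6 s timeout
    }


if __name__ == "__main__":
    print(simulate())
```

Note that the heartbeat from the domain-25 VSM does not refresh the VEM's timer: a VSM in the wrong domain can neither configure the VEM nor keep it alive, which is the property the Domain ID exists to guarantee.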
30. Distributed Data Plane
• Each Virtual Ethernet Module forwards packets independently of the others
• No address learning/synchronization across VEMs
• No concept of a crossbar/fabric between the VEMs
• The Virtual Supervisor Module is NOT in the data path
• No concept of forwarding from an ingress linecard to an egress linecard (another server)
• No EtherChannel across VEMs
• The Nexus 1000V does not participate in STP
31. Cisco Nexus 1000V vEth Interface
Virtual Ethernet Port
• vEths are assigned sequentially
• VM vNICs are statically bound to a vEth
• The assignment is persistent through reboots
• It may change if the vNIC is reassigned to another port profile
• vEths move between modules when a VM is moved (HA, vMotion, etc.)
• Delete or reassign the vNIC to unlink the VM-to-vEth mapping
• The default virtual ‘speed’ is Gigabit, as negotiated with the guest OS
• By default the speed is not enforced (a vNIC that negotiates 1Gb can pass more than 1Gb/s)
• The default MTU is taken from the physical NIC
• Like speed, the MTU is not enforced. For large MTU VMware nic .
• 2048 vEths are supported system-wide
32. Loop Prevention without STP
(Figure: three Cisco VEMs hosting VM1-VM4, VM5-VM8 and VM9-VM12, with uplinks Eth4/1 and Eth4/2.)
• BPDUs are dropped
• No switching from physical NIC to physical NIC
• Packets arriving on an uplink with a local (vEth) source MAC address are dropped on ingress (L2)
33. MAC Learning
• Each VEM learns independently and maintains a separate MAC table
• VM MACs are statically mapped
• Other vEths are learned the same way (vmknics and vswifs)
• No aging while the interface is up
• Devices external to the VEM are learned dynamically
• The VSM also keeps track of MAC addresses
(Figure: VEM 3 hosts VM1 and VM2 behind uplink Eth3/1; VEM 4 hosts VM3 and VM4 behind uplink Eth4/1.)
VEM 3 MAC Table
  VM1  Veth12  Static
  VM2  Veth23  Static
  VM3  Eth3/1  Dynamic
  VM4  Eth3/1  Dynamic
VEM 4 MAC Table
  VM1  Eth4/1  Dynamic
  VM2  Eth4/1  Dynamic
  VM3  Veth8   Static
  VM4  Veth7   Static
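The forwarding rules of slides 30, 32 and 33 combined in one runnable model, added here and not taken from the deck or from Cisco's implementation. Each VEM keeps its own MAC table (local VM MACs static, remote MACs learned dynamically on the uplink with no aging), drops BPDUs, never switches from one physical NIC to another, and drops frames that arrive on the uplink with a local VM's source MAC. The MAC addresses, the single-uplink topology and the flood-everything "Fabric" standing in for the upstream physical switch are assumptions; the port names and the resulting tables are the slide's.

```python
"""Toy model of the Nexus 1000V distributed data plane (added example, not Cisco
code). Reproduces the two MAC tables on slide 33 and the loop-prevention rules of
slide 32 from constructed traffic."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

BPDU_DST = "01:80:c2:00:00:00"   # IEEE STP multicast: the VEM drops these
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str


@dataclass
class Vem:
    name: str
    uplink: str
    veths: Dict[str, str]                      # vEth name -> VM MAC (static binding)
    mac_table: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    delivered: List[Tuple[str, str]] = field(default_factory=list)  # (vEth, src MAC)

    def __post_init__(self) -> None:
        for veth, mac in self.veths.items():
            self.mac_table[mac] = (veth, "Static")   # VM MACs are statically mapped

    def _is_local(self, mac: str) -> bool:
        entry = self.mac_table.get(mac)
        return entry is not None and entry[1] == "Static"

    def receive(self, port: str, frame: Frame) -> List[str]:
        """Switch one frame arriving on `port`; return the egress port list. The
        uplink name is returned so the caller can carry the frame upstream."""
        if frame.dst == BPDU_DST:
            return []                                  # BPDUs are dropped
        from_uplink = port == self.uplink
        if from_uplink:
            if self._is_local(frame.src):
                return []                              # our own MAC reflected back: drop
            # External device: learn it on the uplink; never overwrite, never age
            self.mac_table.setdefault(frame.src, (self.uplink, "Dynamic"))
        entry = self.mac_table.get(frame.dst)
        if entry is not None and frame.dst != BROADCAST:
            egress = [entry[0]]
        else:
            # Unknown unicast / broadcast: flood to local vEths (except ingress) and,
            # only if the frame came from a vEth, out the uplink as well
            egress = [v for v in self.veths if v != port]
            if not from_uplink:
                egress.append(self.uplink)
        if from_uplink:                                # no NIC-to-NIC switching
            egress = [p for p in egress if p != self.uplink]
        self.delivered.extend((p, frame.src) for p in egress if p != self.uplink)
        return egress


class Fabric:
    """The upstream physical switch: whatever one VEM sends on its uplink is handed
    to every other VEM's uplink (a plain flood is enough for the demonstration)."""

    def __init__(self, vems: List[Vem]) -> None:
        self.vems = vems

    def send(self, origin: Vem, port: str, frame: Frame) -> None:
        for egress in origin.receive(port, frame):
            if egress == origin.uplink:
                for other in self.vems:
                    if other is not origin:
                        other.receive(other.uplink, frame)


def build_slide_topology() -> Tuple[Vem, Vem, Dict[str, str]]:
    macs = {"VM1": "00:50:56:00:00:01", "VM2": "00:50:56:00:00:02",   # constructed
            "VM3": "00:50:56:00:00:03", "VM4": "00:50:56:00:00:04"}
    vem3 = Vem("VEM 3", "Eth3/1", {"Veth12": macs["VM1"], "Veth23": macs["VM2"]})
    vem4 = Vem("VEM 4", "Eth4/1", {"Veth8": macs["VM3"], "Veth7": macs["VM4"]})
    return vem3, vem4, macs


def run_slide_traffic() -> Dict[str, Dict[str, Tuple[str, str]]]:
    """One frame each way between the cross-VEM pairs; returns both MAC tables
    keyed by VM name, in the layout of slide 33."""
    vem3, vem4, macs = build_slide_topology()
    fabric = Fabric([vem3, vem4])
    fabric.send(vem3, "Veth12", Frame(macs["VM1"], macs["VM3"]))  # unknown dst: flooded
    fabric.send(vem4, "Veth8", Frame(macs["VM3"], macs["VM1"]))   # VM1 now known on VEM 4
    fabric.send(vem3, "Veth23", Frame(macs["VM2"], macs["VM4"]))
    fabric.send(vem4, "Veth7", Frame(macs["VM4"], macs["VM2"]))
    by_name = {mac: vm for vm, mac in macs.items()}
    return {v.name: {by_name[m]: e for m, e in v.mac_table.items()} for v in (vem3, vem4)}


def loop_checks() -> Dict[str, List[str]]:
    """The three slide-32 rules applied to frames arriving on VEM 3's uplink."""
    vem3, _, macs = build_slide_topology()
    return {
        "bpdu": vem3.receive("Eth3/1", Frame("00:11:22:33:44:55", BPDU_DST)),
        "reflected_local": vem3.receive("Eth3/1", Frame(macs["VM1"], BROADCAST)),
        "uplink_broadcast": vem3.receive("Eth3/1", Frame("00:11:22:33:44:55", BROADCAST)),
    }
```

Running `run_slide_traffic()` yields exactly the two tables on the slide: each VEM sees the other's VMs only as Dynamic entries on its own uplink, and nothing is synchronised between them. `loop_checks()` shows why no STP is needed: a BPDU and a reflected local MAC produce an empty egress list, and a broadcast from the uplink is flooded to the vEths but never back out a physical NIC.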
35. What is a Port-Profile?
• A port-profile is a container used to define a common set of configuration
commands for multiple interfaces
• Define once and apply many times
• Simplifies management by storing interface configuration
• Key to collaborative management of virtual networking resources
• Why is it not like a template or SmartPort macro?
– Port-profiles are ‘live’ policies
– Editing an enabled profile will cause config changes to propagate to all
interfaces using that profile (unlike a static one-time macro)
• Two types
– Type Ethernet used for physical NIC uplinks
– Type Vethernet used for VM network connectivity
36. Port Profile Configuration
n1000v# show port-profile name WebProfile
port-profile WebProfile
description:
status: enabled
capability uplink: no
system vlans:
port-group: WebProfile
config attributes:
switchport mode access
switchport access vlan 110
no shutdown
evaluated config attributes:
switchport mode access
switchport access vlan 110
no shutdown
assigned interfaces:
Veth10
Supported commands include:
• Port management
• VLAN
• PVLAN
• Port-channel
• ACL
• Netflow
• Port Security
• QoS
37. Port Profile Policy Distribution
The port profile (PP) is defined on the Cisco VSM and pushed to vCenter Server, where it appears as a port group:
n1000v(config)# port-profile WebServers
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 100
n1000v(config-port-prof)# no shut
38. Overriding Port Profile Configuration
• Administrators can interact with individual switchports, overriding a port profile
• Use this to isolate problems with one or two interfaces without changing the port-profile and affecting other ports
• Manual configuration always takes precedence over the port-profile configuration
• The ‘no’ form of the command removes the override and restores the profile’s config:
Override:
n1000v(config)# int vethernet 2
n1000v(config-if)# switchport access vlan 250
Restore:
n1000v(config)# int vethernet 2
n1000v(config-if)# no switchport access vlan
39. Port Profile Inheritance
Profile inheritance allows the construction of profile hierarchies
‘Parent’ profiles pass configuration to ‘child’ profiles
Only the child profiles need to be visible within VC
Updates to the parent propagate to the child
Child profiles can be updated independently
n1000v(config)# port-profile Web
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 100
n1000v(config-port-prof)# no shut
n1000v(config)# port-profile Web-Gold
n1000v(config-port-prof)# inherit port-profile Web
n1000v(config-port-prof)# service-policy output Gold
n1000v(config-port-prof)# vmware port-group Web-Gold
n1000v(config)# port-profile Web-Silver
n1000v(config-port-prof)# inherit port-profile Web
n1000v(config-port-prof)# service-policy output Silver
n1000v(config-port-prof)# vmware port-group Web-Silver
Effective Port Profile – Web-Gold
Access Port
VLAN 100
Gold QoS Policy
Effective Port Profile – Web-Silver
Access Port
VLAN 100
Silver QoS Policy
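The precedence rules of slides 38 and 39 as one worked resolver, added here and not part of the deck or of NX-OS: a parent profile's attributes flow into its children, a child's own attributes win over the parent's, an interface-level command overrides the profile, and `no <command>` on the interface restores the profile's value. The profile names and commands are the slides'; the key/value split of a command line, the `PortProfileDB` and `VethInterface` classes and the flag-command handling are assumptions made for the demonstration.

```python
"""Effective-configuration resolver for port-profile inheritance and per-interface
overrides (added example, not NX-OS code)."""
from typing import Dict, List, Optional, Tuple

# Commands whose trailing token is a value; everything before it is the "key" that a
# later command with the same key replaces (assumed simplification of the NX-OS CLI).
VALUE_COMMANDS = ("switchport access vlan", "switchport mode", "service-policy output",
                  "service-policy input", "vmware port-group", "inherit port-profile")


def split_command(line: str) -> Tuple[str, str]:
    """'switchport access vlan 100' -> ('switchport access vlan', '100');
    flag-style lines such as 'no shut' are keyed on the whole line."""
    line = " ".join(line.split())
    for key in VALUE_COMMANDS:
        if line.startswith(key + " "):
            return key, line[len(key) + 1:]
    return line, ""


class PortProfileDB:
    def __init__(self) -> None:
        self.profiles: Dict[str, List[str]] = {}

    def define(self, name: str, lines: List[str]) -> None:
        """(Re)define a profile; profiles are live, so a later effective() call
        on any child picks the new contents up."""
        self.profiles[name] = [" ".join(l.split()) for l in lines]

    def effective(self, name: str, _seen: Tuple[str, ...] = ()) -> Dict[str, str]:
        """Evaluated config attributes: parent chain first, then the child's own."""
        if name in _seen:
            raise ValueError(f"inheritance loop through {name}")
        result: Dict[str, str] = {}
        own: List[str] = []
        for line in self.profiles[name]:
            key, value = split_command(line)
            if key == "inherit port-profile":
                result.update(self.effective(value, _seen + (name,)))
            else:
                own.append(line)
        for line in own:                      # child's own lines override the parent
            key, value = split_command(line)
            result[key] = value
        return result


class VethInterface:
    def __init__(self, db: PortProfileDB, profile: str) -> None:
        self.db, self.profile = db, profile
        self.overrides: Dict[str, Optional[str]] = {}

    def configure(self, line: str) -> None:
        """Manual interface command; `no <key>` drops the override."""
        line = " ".join(line.split())
        if line.startswith("no "):
            key, _ = split_command(line[3:])
            self.overrides.pop(key, None)
        else:
            key, value = split_command(line)
            self.overrides[key] = value

    def running(self) -> Dict[str, str]:
        """Profile config with manual overrides applied on top (slide 38)."""
        cfg = self.db.effective(self.profile)
        cfg.update(self.overrides)
        return cfg


def slide_example() -> Dict[str, Dict[str, str]]:
    db = PortProfileDB()
    db.define("Web", ["switchport mode access", "switchport access vlan 100", "no shut"])
    db.define("Web-Gold", ["inherit port-profile Web", "service-policy output Gold",
                           "vmware port-group Web-Gold"])
    db.define("Web-Silver", ["inherit port-profile Web", "service-policy output Silver",
                             "vmware port-group Web-Silver"])
    veth2 = VethInterface(db, "Web-Gold")
    veth2.configure("switchport access vlan 250")   # manual override wins
    overridden = veth2.running()
    veth2.configure("no switchport access vlan")    # back to the profile's VLAN
    restored = veth2.running()
    # Editing the enabled parent propagates to both children on the next evaluation
    db.define("Web", ["switchport mode access", "switchport access vlan 110", "no shut"])
    return {"gold": db.effective("Web-Gold"), "silver": db.effective("Web-Silver"),
            "veth2_overridden": overridden, "veth2_restored": restored}
```

The loop check in `effective()` is the one addition a practitioner would want: two profiles that inherit from each other would otherwise recurse forever.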
40. Uplink Port Profiles – Type Ethernet
• Special profiles that define physical NIC properties
• Usually configured as a trunk
• The type is fixed when the port-profile is created: port-profile type ethernet profile-name
• Uplink profiles cannot be applied to vEths
• Only selectable in vCenter when adding a host or additional NICs
n1000v(config)# port-profile type ethernet DataUplink
n1000v(config-port-prof)# switchport mode trunk
n1000v(config-port-prof)# switchport trunk allowed vlan 10-15,51-52
n1000v(config-port-prof)# no shut
n1000v(config-port-prof)# system vlan 51,52
n1000v(config-port-prof)# channel-group auto mode on sub-group cdp
41. VM Port Profiles – Type Vethernet
• Special profiles that define VM NIC properties
• Usually configured as an access port
• Syntax: port-profile type vethernet profile-name
• vEthernet profiles cannot be applied to physical NICs
• Only selectable under a VM’s network settings
n1000v(config)# port-profile type vethernet vm_vlan_152
n1000v(config-port-prof)# switchport mode access
n1000v(config-port-prof)# switchport access vlan 152
n1000v(config-port-prof)# no shut
n1000v(config-port-prof)# state enabled
42. Cisco Nexus 1000V System VLANs
What is a System VLAN?
A "system VLAN" is one on which the VEM will pass traffic even when the VEM cannot be programmed by the VSM (if, for example, the VSM is down and the VEM is reloaded).
System VLANs enable interface connectivity before an interface is programmed.
Required System VLANs
• Control
• Packet
Highly Recommended System VLANs
• IP Storage
• Service Console
• VMkernel
• Management Networks
43. System VLAN example
Migrate VMware Service Console to VEM
SC interface uses VLAN 2
Uplink port-profile must define VLAN 2 as system
n1000v# show run port-profile uplink-pinning
port-profile type ethernet uplink-pinning
vmware port-group
switchport mode trunk
switchport trunk allowed vlan all
channel-group auto mode on mac-pinning
no shutdown
system vlan 2,10,150-151
Service Console Port-profile must also define system vlan
n1000v# show run port-profile SC
port-profile type vethernet SC
vmware port-group
switchport mode access
switchport access vlan 2
no shutdown
system vlan 2
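A checker for the system-VLAN rules of slides 42 and 43, added here and not part of the deck or of Cisco's tooling: the control and packet VLANs must be system VLANs on an uplink (type ethernet) profile, and any system VLAN declared on a vEthernet profile (service console, VMkernel, IP storage, management) must also be a system VLAN on an uplink profile that carries it, otherwise that interface has no connectivity while the VEM is unprogrammed. The parser accepts `show run port-profile` text in the layout the slides use. `SAMPLE_CONFIG` is constructed: the `uplink-pinning` and `SC` profiles are the slide's, the `vmk-storage` profile is made up to show a failing check, and the rule that a vEthernet profile's system VLAN must be its access VLAN is an added sanity check.

```python
"""System-VLAN consistency checker for Nexus 1000V port-profile configuration
(added example, not Cisco code)."""
import re
from typing import Dict, List, Set

SAMPLE_CONFIG = """\
port-profile type ethernet uplink-pinning
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan all
  channel-group auto mode on mac-pinning
  no shutdown
  system vlan 2,10,150-151
port-profile type vethernet SC
  vmware port-group
  switchport mode access
  switchport access vlan 2
  no shutdown
  system vlan 2
port-profile type vethernet vmk-storage
  vmware port-group
  switchport mode access
  switchport access vlan 160
  no shutdown
  system vlan 160
"""


def parse_vlan_list(spec: str) -> Set[int]:
    """'2,10,150-151' -> {2, 10, 150, 151}; 'all' -> every VLAN 1-4094."""
    if spec.strip() == "all":
        return set(range(1, 4095))
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_port_profiles(text: str) -> Dict[str, dict]:
    """Minimal parser: profile type, system VLANs and the VLANs the profile carries
    (access VLAN, or allowed trunk VLANs)."""
    profiles: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"port-profile type (ethernet|vethernet) (\S+)$", line)
        if m:
            current = profiles[m.group(2)] = {"type": m.group(1), "system": set(),
                                             "carried": set()}
            continue
        if current is None or not line:
            continue
        if line.startswith("system vlan "):
            current["system"] |= parse_vlan_list(line[len("system vlan "):])
        elif line.startswith("switchport trunk allowed vlan "):
            current["carried"] |= parse_vlan_list(line[len("switchport trunk allowed vlan "):])
        elif line.startswith("switchport access vlan "):
            current["carried"] = parse_vlan_list(line[len("switchport access vlan "):])
    return profiles


def check_system_vlans(text: str, control_vlan: int, packet_vlan: int) -> List[str]:
    """Return a list of human-readable problems; empty means the config is consistent."""
    profiles = parse_port_profiles(text)
    uplinks = {n: p for n, p in profiles.items() if p["type"] == "ethernet"}
    uplink_system: Set[int] = set().union(*(p["system"] for p in uplinks.values()))
    problems: List[str] = []
    # Rule 1 (slide 42): control and packet VLANs are required system VLANs
    for vlan, role in ((control_vlan, "control"), (packet_vlan, "packet")):
        if vlan not in uplink_system:
            problems.append(f"{role} VLAN {vlan} is not a system VLAN on any uplink profile")
    # Rule 2 (slide 43): a vEthernet system VLAN must also be a system VLAN on an
    # uplink profile that carries it
    for name, p in profiles.items():
        if p["type"] != "vethernet":
            continue
        for vlan in sorted(p["system"]):
            if vlan not in p["carried"]:   # added sanity check: must be the access VLAN
                problems.append(f"{name}: system vlan {vlan} is not the profile's access VLAN")
            if not any(vlan in u["system"] and vlan in u["carried"] for u in uplinks.values()):
                problems.append(f"{name}: system vlan {vlan} is not a system VLAN on an "
                                f"uplink profile that carries it")
    return problems


if __name__ == "__main__":
    for problem in check_system_vlans(SAMPLE_CONFIG, control_vlan=150, packet_vlan=151):
        print("WARNING:", problem)
```

With control VLAN 150 and packet VLAN 151 the slide's two profiles pass, and the only finding is the constructed `vmk-storage` profile: VLAN 160 is declared system on the vEthernet side but not on the uplink, so the storage vmknic would lose connectivity exactly in the failure case system VLANs exist for.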
45. Access Control List Overview
ACLs provide traffic filtering mechanisms
Provides filtering for ingress and egress VM traffic for additional
network security
Permit/Drop traffic based on ACL policies
ACL types supported:
IPv4 and MAC ACLs
Ingress and Egress
Supported on Eth and vEth interfaces
Configured via port profiles or directly on the interface
46. Port Security Overview
• Port Security secures a port by limiting and identifying the MAC
addresses that can access a port.
• Secure MACs can be manually configured or dynamically learned
• Two security violation types are supported
– Addr-Count-Exceed violation
– MAC Move violation
• Port security can be applied to vEths
– Cannot be applied to physical interfaces
• Three types of secure MACs
– Static
– Sticky
– Dynamic
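The two violation types listed above, played out on vEth interfaces in an added example that is not part of the deck or of NX-OS: addr-count-exceed (a new source MAC appears after the secure-address limit is reached) and mac-move (a MAC already secured on one vEth appears as the source on another vEth of the same VEM). The default maximum, the err-disable reaction, the ordering of the two checks and the MAC addresses and port names are assumptions made for the demonstration; the three secure-MAC types (static, sticky, dynamic) are the slide's.

```python
"""Port-security model for Nexus 1000V vEth interfaces (added example, not Cisco
code): secure-address limit, static/sticky/dynamic secure MACs, and the two
violation types from slide 46."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class SecuredVeth:
    name: str
    maximum: int = 1              # assumed default secure-address limit
    sticky: bool = False          # learned MACs become sticky (persisted) when True
    secure: Dict[str, str] = field(default_factory=dict)   # mac -> static|sticky|dynamic
    shutdown: bool = False        # err-disabled after a violation (assumed reaction)

    def add_static(self, mac: str) -> None:
        if mac not in self.secure and len(self.secure) >= self.maximum:
            raise ValueError(f"{self.name}: maximum of {self.maximum} secure MACs reached")
        self.secure[mac] = "static"


class PortSecurity:
    """Port security state for one VEM; mac-move is detected across its vEths."""

    def __init__(self) -> None:
        self.veths: Dict[str, SecuredVeth] = {}
        self.violations: List[Tuple[str, str, str]] = []   # (veth, mac, violation type)

    def add(self, veth: SecuredVeth) -> SecuredVeth:
        self.veths[veth.name] = veth
        return veth

    def owner_of(self, mac: str) -> Optional[str]:
        for name, veth in self.veths.items():
            if mac in veth.secure:
                return name
        return None

    def ingress(self, veth_name: str, src_mac: str) -> bool:
        """True if a frame with this source MAC is allowed in on the vEth; on a
        violation the event is recorded, the vEth is shut down and False returned."""
        veth = self.veths[veth_name]
        if veth.shutdown:
            return False
        if src_mac in veth.secure:
            return True
        if self.owner_of(src_mac) is not None:          # secured on another vEth
            return self._violate(veth, src_mac, "mac-move")
        if len(veth.secure) >= veth.maximum:
            return self._violate(veth, src_mac, "addr-count-exceed")
        veth.secure[src_mac] = "sticky" if veth.sticky else "dynamic"
        return True

    def _violate(self, veth: SecuredVeth, mac: str, kind: str) -> bool:
        self.violations.append((veth.name, mac, kind))
        veth.shutdown = True
        return False


def demo() -> dict:
    """Constructed scenario: a web vEth allowed two sticky MACs and a DB vEth with one
    static MAC; a third MAC on the web port and a spoof of a web MAC on the DB port."""
    ps = PortSecurity()
    web = ps.add(SecuredVeth("Veth10", maximum=2, sticky=True))
    db = ps.add(SecuredVeth("Veth11", maximum=1))
    db.add_static("00:50:56:aa:00:11")
    allowed = [
        ps.ingress("Veth10", "00:50:56:aa:00:01"),   # learned, sticky
        ps.ingress("Veth10", "00:50:56:aa:00:02"),   # learned, sticky; limit reached
        ps.ingress("Veth10", "00:50:56:aa:00:03"),   # addr-count-exceed -> shutdown
        ps.ingress("Veth11", "00:50:56:aa:00:11"),   # static MAC, allowed
        ps.ingress("Veth11", "00:50:56:aa:00:01"),   # web MAC spoofed on DB port: mac-move
    ]
    return {"allowed": allowed, "violations": ps.violations,
            "web_secure": dict(web.secure), "web_down": web.shutdown, "db_down": db.shutdown}
```

The mac-move check is the one that matters for VM-to-VM spoofing inside a host: without it, a compromised VM could claim a neighbour's MAC and the VEM, which learns no VM MACs dynamically, would have no other reason to refuse the frame.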
47. Cisco Nexus 1000V Private VLANs
• Private VLANs divide a normal VLAN into sub-L2 domains
• They consist of a primary VLAN and one or more secondary VLANs
• Used to segregate L2 traffic without wasting IP address space (smaller subnets)
• Secondary VLAN access is restricted by setting ‘community’ or ‘isolated’ status
48. PVLAN Definitions
• Primary VLAN: the VLAN carrying downstream traffic from the router(s) to the host ports.
• Secondary VLAN: either an isolated VLAN or a community VLAN. A port assigned to the isolated VLAN is an isolated port; a port assigned to a community VLAN is a community port.
• Isolated VLAN: its ports communicate only with the primary VLAN
• Community VLAN: its ports communicate within the community and with the primary VLAN
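The definitions of slides 47 and 48 as a reachability model, added here and not taken from the deck or from Cisco's code: promiscuous ports on the primary VLAN reach every secondary, community ports reach their own community plus the promiscuous ports, isolated ports reach only the promiscuous ports. The host names and VLAN numbers are constructed. The second function renders the matching configuration using the standard NX-OS private-VLAN commands (`private-vlan primary/isolated/community`, `switchport mode private-vlan host|promiscuous`, `host-association`, `mapping`); verify the exact syntax against the release notes of the Nexus 1000V version in use.

```python
"""Private-VLAN reachability model and NX-OS config renderer (added example, not
Cisco code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class PvlanPort:
    name: str
    primary: int
    mode: str            # "promiscuous", "isolated" or "community"
    secondary: int = 0   # secondary VLAN id for isolated/community ports


def can_reach(a: PvlanPort, b: PvlanPort) -> bool:
    if a.primary != b.primary:
        return False                       # different primary VLANs: ordinary L2 separation
    if "promiscuous" in (a.mode, b.mode):
        return True                        # the router/firewall side talks to every secondary
    if a.mode == "community" and b.mode == "community":
        return a.secondary == b.secondary  # same community only
    return False                           # isolated ports never reach each other


def reachability(ports: List[PvlanPort]) -> Dict[str, List[str]]:
    """For every port, the names of the other ports it can exchange L2 traffic with."""
    return {p.name: [q.name for q in ports if q is not p and can_reach(p, q)] for p in ports}


def slide_topology() -> List[PvlanPort]:
    # Constructed: primary 100; isolated 101 (DMZ hosts); communities 102 (web) and 103 (HR)
    return [PvlanPort("router", 100, "promiscuous"),
            PvlanPort("dmz-a", 100, "isolated", 101),
            PvlanPort("dmz-b", 100, "isolated", 101),
            PvlanPort("web1", 100, "community", 102),
            PvlanPort("web2", 100, "community", 102),
            PvlanPort("hr1", 100, "community", 103)]


def nxos_pvlan_config(ports: List[PvlanPort]) -> List[str]:
    """Render VLAN definitions plus one vEthernet port-profile per secondary VLAN and
    one promiscuous profile, using standard NX-OS private-VLAN syntax."""
    primary = ports[0].primary
    sec_modes = {p.secondary: p.mode for p in ports if p.secondary}
    secondaries = ",".join(str(s) for s in sorted(sec_modes))
    cfg = [f"vlan {primary}", " private-vlan primary",
           f" private-vlan association {secondaries}"]
    for sec, mode in sorted(sec_modes.items()):
        cfg += [f"vlan {sec}", f" private-vlan {mode}"]
    for sec, mode in sorted(sec_modes.items()):
        cfg += [f"port-profile type vethernet pvlan-{mode}-{sec}",
                " switchport mode private-vlan host",
                f" switchport private-vlan host-association {primary} {sec}",
                " no shutdown"]
    cfg += [f"port-profile type vethernet pvlan-promisc-{primary}",
            " switchport mode private-vlan promiscuous",
            f" switchport private-vlan mapping {primary} {secondaries}",
            " no shutdown"]
    return cfg


if __name__ == "__main__":
    for port, peers in reachability(slide_topology()).items():
        print(f"{port:8s} -> {', '.join(peers) or '(nothing)'}")
    print("\n".join(nxos_pvlan_config(slide_topology())))
```

The reachability relation is symmetric, which the test below checks: if a port can send to a peer the peer can answer, so the DMZ hosts share one subnet with the web and HR tiers yet the only path between any two of them runs through the promiscuous router port, where an ACL or firewall can be applied.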
50. What Is the Nexus 1010?
Allows network administrators to manage the Nexus 1000V Virtual
Supervisor Module (VSM) as a standard Cisco switch, with all 1000V
features
Physical appliance for virtual network services (VSM, NAM, etc.)
Supported by CiscoWorks LAN Management Solution (LMS)
The Nexus 1010 is a networking appliance to host four Nexus 1000V
virtual supervisor modules (VSM)
Available April/May 2010
51. Architecture Comparison
VSM on Virtual Machine: the VSM (x 1) runs as a VM on a vSphere server, alongside the Nexus 1000V VEM and the workload VMs; the server connects to the physical switches.
VSM on Nexus 1010: the VSMs (x 4) run on the Cisco Nexus 1010 appliance, which connects to the physical switches; the vSphere servers host only the Nexus 1000V VEM and the workload VMs.
52. Benefits for Both Teams
Server Admin
• Offload VSM install/management to the network team
• The VSM doesn’t need VMware ESX licensing
Network Admin
• Install the VSM like a standard Cisco switch
• Prepare for VM sprawl with ample scalability (256 hosts per Nexus 1010 appliance)
53. Feature Comparison
VSM on Virtual Machine
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of the VSM
• 64 hosts per VSM
• Pure software deployment
VSM on Nexus 1010
• Nexus 1000V features and scalability
• VEM running on vSphere 4 Enterprise Plus
• NX-OS high availability of the VSM
• 64 hosts per VSM, 4 VSMs, 256 hosts in total
• Installation like a standard Cisco switch
• Network team manages the switch hardware
• Dedicated services appliance (NAM, etc.)