Cisco Expo 2012: HW virtualization and support for hypervisors from different vendors (original title: "HW virtualizace a podpora hypervizorů různých výrobců"). René Raeber, Datacenter Architect, IEEE 802.1DCB Architect. Cisco Public, © 2012 Cisco and/or its affiliates. All rights reserved.




  • Slide 2: Contact (© 2011 Cisco and/or its affiliates. All rights reserved. Cisco Public)

    • Twitter www.twitter.com/CiscoCZ

    • Talk2cisco www.talk2cisco.cz/dotazy

    • SMS 721 994 600

  • Slide 3: Agenda

    • Introduction
    • Architecture Evolution
    • Implementation
    • Security Capabilities
    • Use Case Example
    • Conclusion
    • VMware

  • Slide 5: Data Center Framework (figure; labels: Unified Fabric, Primary Network, Secondary Network, Universal I/O, Ubiquitous Connectivity, Complexity / Cost / Power)

  • Slide 6: The Right Solution at the Right Time (figure)

    Legacy: Server = Application; inefficient, complex, high cost, fragile; separate management and control, primary network, secondary network, SAN A and SAN B.

    UCS: Server = Resource; efficient, agile, transformative.

  • Slide 7: From ad hoc and inconsistent, to structured but siloed, complicated and costly, to simple, optimized and automated.

  • Slide 8: Complex, inefficient, inflexible, costly: 72% of IT spend goes to maintaining, 28% to investing.

  • Slide 9: 1,240,036,374,697,152,065,225 bytes of data created since Jan 1 2010 (of the order of 10^21, a sextillion or trilliard).

  • Slide 10: Equivalent to 75,000,000,000 iPads, or 125,000,000 years (figure).


  • Slide 12: The Tipping Point (chart): physical hosts versus virtual machines, 2005 to 2013, y-axis from 2,500,000 to 17,500,000, with the "VM Cross Over" marked where virtual machines overtake physical hosts.

  • Slide 13: Value 55%, Waste 45% (chart).

  • Slide 14: IT impedes growth, or IT spends too much? Deploy this much, but need only this? (figure)

  • Slide 15: Fixed cost versus variable cost (figure).

  • Slide 16: SAN and LAN; dynamic resource provisioning; virtualization at scale (figure).

  • Slide 17: WAN / SP (figure).

  • Slide 18: Management of physical elements

    • Servers directly connected to access layer switches
    • Very little virtualization
    • Network configuration and policy enforcement for the server done at the switch
    • All management primarily at the physical element level

  • Slide 19: Separate management of physical and logical elements

    • Shift towards server virtualization
    • Multiple VMs inside each physical server, connected by virtual switches (every host carries its own VMs, vNICs and vSwitch)
    • Rapid proliferation of logical elements that need to be managed
    • Feature parity issues between virtual and physical elements
    • Separate management of physical and logical elements

    Management challenges; policy enforcement issues.

  • Slide 20: Access layer switch lacks visibility into virtual network elements

    • Switch lacks visibility into packets originated by vNICs
    • Can't tie a packet back to its VM, forcing reliance on the software switch for policy enforcement
    • Leads to policy enforcement and network management issues

    Management challenges; policy enforcement issues.

  • Slide 21: VN-Link: Consolidated Management

    • Virtual interfaces within VMs are now visible to the switch
    • Both network configuration and policy enforcement for these interfaces can now be driven from the switch
    • This allows consolidated management of physical and virtual (logical) elements

  • Slide 22: VN-Link: Consolidated Policy Enforcement

    • VN-Link allows the packets to be tagged
    • Switch has full visibility into which vNIC originated the packet
    • Allows the switch to forward packets between both physical and virtual elements
    • VN-Link capable adapters allow bypassing software based switches
    • Full visibility into the virtual network elements from the switch

  • Slide 23: Agenda (section divider; same list as slide 3)

  • Slide 24: Many Bridges! (figure)


  • Slide 26: IEEE P802.1BR


  • Slide 28: Edge bridging models and relevant IEEE data center standards

    • VEB (Virtual Embedded Bridge): the hypervisor's own software switch
    • VEPA (Virtual Ethernet Port Aggregator), IEEE 802.1Qbg Edge Virtual Bridging
    • PE (Bridge Port Extension), IEEE 802.1BR

    Relevant IEEE data center standards:

    • 802.1Qau Congestion Notification
    • 802.1Qaz Enhanced Transmission Selection
    • 802.1Qbb Priority-based Flow Control
    • 802.1Qbg Edge Virtual Bridging
    • 802.1BR Bridge Port Extension
    • 802.1aq Shortest Path Bridging

    IEEE Bridge Port Extender = Cisco FEX (Fabric Extender)


    Identifies and isolates traffic between ports within an Extended Bridge

    Specifies a tag format for this identification

    Establishes an Extended Bridge consisting of a Controlling Bridge and one or more Bridge Port Extenders

    Specifies the functionality and the specific requirements of a Bridge Port Extender

    Extends the MAC service of a Bridge Port across the interconnected Bridge Port Extenders, including support of Customer Virtual Local Area Networks (C-VLANs)

    Establishes the requirements of bridge components and systems for the attachment of Bridge Port Extenders

    Specifies a protocol to provide for the configuration and monitoring of Bridge Port Extenders by a Controlling Bridge

    Establishes the requirements for Bridge Management to support Port Extension, identifying the managed objects and defining the management operations.
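The deck says (slides 22 and 33) that the switch can tie every packet back to the vNIC that sent it because the port extender tags frames, but it never shows the tag. The following is an added example, not code from the presentation or from Cisco: it builds and parses the 802.1BR E-TAG and shows the two checks a port extender must make for the "visibility" claim to hold. The field layout (TPID 0x893F followed by a 6-byte tag control field carrying E-PCP, E-DEI, Ingress_E-CID and E-CID, each E-CID as a 12-bit base plus an 8-bit extension, plus a 2-bit GRP field) is my reading of the published 802.1BR standard and should be verified against its text; the policy of dropping frames that arrive on an Extended Port already carrying an E-TAG, the `pe_extended_port_ingress`/`cb_identify_source` helpers, the PCID table and the sample frame are all this example's own assumptions.

```python
"""Added example: IEEE 802.1BR E-TAG handling at a Bridge Port Extender (PE)."""
import struct

ETHERTYPE_ETAG = 0x893F   # TPID allocated for the "802.1BR E-Tag Type" (assumed, see lead-in)
ETAG_LEN = 8              # 2-byte TPID + 6-byte tag control information
ECID_BITS = 20            # an E-CID is an 8-bit extension followed by a 12-bit base


def build_etag(ecid, ingress_ecid=0, pcp=0, dei=0, grp=0):
    """Return the 8-byte E-TAG. Assumed layout (TPID, then six TCI bytes):
    [E-PCP:3 | E-DEI:1 | Ingress_E-CID_base:12] [RE:2 | GRP:2 | E-CID_base:12]
    [Ingress_E-CID_ext:8] [E-CID_ext:8]. GRP is non-zero only for multipoint E-channels."""
    for v in (ecid, ingress_ecid):
        if not 0 <= v < (1 << ECID_BITS):
            raise ValueError("E-CID out of 20-bit range")
    if not (0 <= pcp < 8 and dei in (0, 1) and 0 <= grp < 4):
        raise ValueError("bad E-PCP/E-DEI/GRP")
    word1 = (pcp << 13) | (dei << 12) | (ingress_ecid & 0xFFF)
    word2 = (grp << 12) | (ecid & 0xFFF)          # reserved bits 15..14 stay zero
    return struct.pack("!HHHBB", ETHERTYPE_ETAG, word1, word2,
                       (ingress_ecid >> 12) & 0xFF, (ecid >> 12) & 0xFF)


def parse_etag(frame):
    """Return the E-TAG fields of an Ethernet frame, or None if the frame carries none."""
    if len(frame) < 14 + ETAG_LEN:
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ETAG:
        return None
    word1, word2, ingress_ext, ecid_ext = struct.unpack("!HHBB", frame[14:20])
    return {
        "pcp": word1 >> 13,
        "dei": (word1 >> 12) & 1,
        "ingress_ecid": (ingress_ext << 12) | (word1 & 0xFFF),
        "grp": (word2 >> 12) & 0x3,
        "ecid": (ecid_ext << 12) | (word2 & 0xFFF),
        "inner_ethertype": struct.unpack("!H", frame[20:22])[0],
    }


def pe_extended_port_ingress(frame, port_pcid):
    """Ingress at an Extended Port (the VM- or server-facing side of the PE).
    Policy assumed for this example: a frame that already carries an E-TAG is
    dropped, so a guest cannot pick its own E-CID; an untagged frame gets the
    PCID the Controlling Bridge assigned to this port, so the bridge can tie
    the packet back to the vNIC that sent it."""
    if parse_etag(frame) is not None:
        return "drop", None
    tag = build_etag(ecid=port_pcid)
    return "forward-upstream", frame[:12] + tag + frame[12:]


def cb_identify_source(frame, pcid_table):
    """At the Controlling Bridge: map the E-CID back to the vNIC it was assigned to."""
    tag = parse_etag(frame)
    if tag is None:
        return None
    return pcid_table.get(tag["ecid"])


# Constructed sample data (not from the presentation): a PCID table and an
# untagged IPv4 frame as a VM would send it.
PCID_TABLE = {0x003: "vNIC-3 (VM 'TRNG-web01')", 0x005: "vNIC-5 (VM 'DB-01')"}
SAMPLE_FRAME = (bytes.fromhex("00115d0000aa") + bytes.fromhex("00115d0000bb")
                + b"\x08\x00" + b"\x45" + b"\x00" * 31)

if __name__ == "__main__":
    action, tagged = pe_extended_port_ingress(SAMPLE_FRAME, port_pcid=0x003)
    print(action, parse_etag(tagged), cb_identify_source(tagged, PCID_TABLE))
    # A guest that forges an E-TAG for vNIC 5 is dropped at its own Extended Port.
    spoofed = SAMPLE_FRAME[:12] + build_etag(ecid=0x005) + SAMPLE_FRAME[12:]
    print(pe_extended_port_ingress(spoofed, port_pcid=0x003))
```

The point to take from the drop branch: the attribution the deck advertises is only as strong as the rule that the tag is inserted by the port extender and never accepted from the guest side. If an adapter or FEX forwarded a pre-tagged frame from an Extended Port, a VM could impersonate any other vNIC behind the same Controlling Bridge.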

  • Slide 34: Purpose of IEEE 802.1BR

    The purpose of this standard is to extend a bridge, and the management of its objects, beyond its physical enclosure using 802 LAN technologies and interoperable interfaces. (Figure: "Micro & Macro Cosmos".)

  • Slide 35: Definitions (IEEE 802.1BR)

    • Aggregating Port Extender: A Bridge Port Extender that supports the full E-CID space and is capable of aggregating base Port Extenders.

    • Base Port Extender: A Bridge Port Extender that supports a subset of the E-CID space.

    • Cascade Port: A Port of a Controlling Bridge or Bridge Port Extender which connects to an Upstream Port. In the case of the connection between two Bridge Port Extenders, the Cascade Port is the Port closest to the Controlling Bridge.

    • Controlling Bridge: A Bridge that supports one or more Bridge Port Extenders.

    • Extended Bridge: A Controlling Bridge and at least one Bridge Port Extender under the Controlling Bridge's control.

    • Extended Port: A Port of a Bridge Port Extender that is not operating as a Cascade Port or Upstream Port. This includes the Ports of a Bridge Port Extender connected via internal LANs to the Port of a C-VLAN component within a Controlling Bridge

  • Slide 36: Definitions (IEEE 802.1BR), continued

    • E-channel: An instance of the MAC service supported by a set of two E-paths forming a bidirectional service. An E-channel is point-to-point or point-to-multipoint.

    • E-path: A configured unidirectional connectivity path between an internal Extended Port and one or more external Extended Ports and/or Upstream Ports. E-paths initiating from the Internal Bridge Port Extender can be point-to-point or point-to-multipoint; E-paths terminating at the Internal Bridge Port Extender can be point-to-point or multipoint-to-point.

    • E-channel Identifier (E-CID): A value conveyed in an E-TAG that identifies an E-channel.

    • E-TAG: A tag header with a Tag Protocol Identification value allocated for "802.1BR E-Tag Type".

    • External Extended Port: An Extended Port that is part of an External Bridge Port Extender.

    • External Bridge Port Extender: A Bridge Port Extender that is not physically part of a Controlling Bridge but is controlled by the Controlling Bridge.

    • Internal Extended Port: An Extended Port that is part of an Internal Bridge Port Extender.

  • Slide 37: Definitions (IEEE 802.1BR), continued

    • Internal Bridge Port Extender: A Bridge Port Extender that is physically part of a Controlling Bridge.

    • Bridge Port Extender: A device used to extend the MAC service of a C-VLAN component to form a Controlling Bridge and to extend the MAC service of a Controlling Bridge to form an Extended Bridge.

    • Port Extender Control and Status Agent: The entity within a Bridge Port Extender that implements the Port Extender Control and Status Protocol.

    • Port Extender Control and Status Protocol (PE CSP): A protocol used between a Controlling Bridge and Bridge Port Extenders that provides the ability of the Controlling Bridge to assert control over and retrieve status information from its associated Bridge Port Extenders.

    • Replication Group: Within a Controlling Bridge, the set of C-VLAN component Ports connected to a single Bridge Port Extender.

    • Upstream Port: A Port on a Bridge Port Extender that connects to a Cascade Port. In the case of the connection between two Bridge Port Extenders, the Upstream Port is the Port furthest from the Controlling Bridge.

  • Slide 38: Abbreviations

    • E-CID: E-Channel Identifier
    • PCID: Port E-CID (the E-CID that identifies a single Extended Port)
    • PE CSP: Port Extender Control and Status Protocol
    • PEISS: Port Extender Internal Sublayer Service

  • Slide 39: A simple two-port Bridge that is capable of acting as a Controlling Bridge (figure).

  • Slide 40: Attachment of a physical Bridge Port Extender to the top port of the two-port Bridge. At this point, the Bridge and the Bridge Port Extender execute LLDP. The Bridge learns that a Bridge Port Extender is directly attached when it receives the Port Extension TLV from the Bridge Port Extender.

  • Slide 41: Upon detection of the directly attached Bridge Port Extender, the Controlling Bridge instantiates an Internal Bridge Port Extender between the C-VLAN component and the External Bridge Port Extender. An E-channel is established for communication between the Bridge Port Extender and the C-VLAN component; it is identified as E-channel "a" in this example.

  • Slide 42: Next both the C-VLAN component and the Bridge Port Extender initiate communication with each other using the Port Extender Control and Status Protocol (PE CSP). This is accomplished using the CSP Open message. Note that prior to completion of the CSP Open message, the Bridge Port Extender does not know the E-CID of the E-channel to be used for this communication. It therefore uses a default E-CID of one. Since the E-channel is not tagged, the communication is established even though the Controlling Bridge and the Bridge Port Extender are using a different E-CID. After completion of the CSP Open, the Controlling Bridge informs the Bridge Port Extender of the proper E-CID, which is "a" in this example, using the E-channel Register message.

  • Slide 43: The Extended Ports have not been instantiated yet. Extended Ports are not necessarily instantiated at the same time the Bridge Port Extender itself is instantiated; for example, the Extended Ports may be instantiated coincident with the instantiation of virtual machines.

  • Slide 44: The instantiation of the virtual machines and the corresponding Extended Ports. When the Extended Ports are instantiated, the new Bridge Port Extender informs the Controlling Bridge by issuing an Extended Port Create message for each Extended Port. The Controlling Bridge allocates a Port on the C-VLAN component and an E-channel for each new Extended Port and informs the new Bridge Port Extender of the E-CID for these E-channels; E-CIDs "d" and "e" are established in this example. In addition, the Controlling Bridge issues E-channel Register messages to the first Bridge Port Extender to establish the new E-channels through the first Bridge Port Extender. At this point, the virtual machines have connectivity to the network.
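The bring-up sequence of slides 40 to 44, as a Python simulation of both sides with a single directly attached port extender (an added example, not the standard's or Cisco's code). The default E-CID of 1 used before registration and the rule that only the Controlling Bridge allocates E-CIDs are taken from the slides; the message names, the `"port-extension"` TLV label, the in-memory tables and the two checks on the bridge side (a CSP Open is refused from a cascade port that never advertised the Port Extension TLV, and an Extended Port Create is refused unless it arrives over a registered control E-channel) are this example's own assumptions.

```python
"""Added example: simulated PE CSP bring-up between a Controlling Bridge and a PE."""
from dataclasses import dataclass, field

DEFAULT_ECID = 1   # used by the PE until the CB registers the real control E-channel (slide 42)


@dataclass
class ControllingBridge:
    next_ecid: int = 2                                  # E-CID 1 is the pre-registration default
    pe_ports: set = field(default_factory=set)          # cascade ports that sent a Port Extension TLV
    echannels: dict = field(default_factory=dict)       # (cascade_port, ecid) -> purpose
    cvlan_ports: dict = field(default_factory=dict)     # ecid -> port allocated on the C-VLAN component

    def on_lldp(self, cascade_port, tlvs):
        """Slide 40: a neighbour is a PE only if its LLDP carries the Port Extension TLV."""
        if "port-extension" in tlvs:
            self.pe_ports.add(cascade_port)

    def on_csp_open(self, cascade_port, ecid):
        """Slide 42: answer a CSP Open with an E-channel Register for the control channel.
        Check (assumed): ignore Opens from ports that never identified as a PE, and
        Opens that do not use the default E-CID."""
        if cascade_port not in self.pe_ports or ecid != DEFAULT_ECID:
            return None
        control = self._alloc()
        self.echannels[(cascade_port, control)] = "control"
        return ("ECHANNEL_REGISTER", control)

    def on_extended_port_create(self, cascade_port, control_ecid, count):
        """Slide 44: allocate a C-VLAN port and an E-channel per new Extended Port."""
        if self.echannels.get((cascade_port, control_ecid)) != "control":
            return None
        new = []
        for _ in range(count):
            e = self._alloc()
            self.echannels[(cascade_port, e)] = "extended-port"
            self.cvlan_ports[e] = f"cvlan-port-{e}"
            new.append(e)
        return ("ECHANNEL_REGISTER", new)

    def _alloc(self):
        e = self.next_ecid
        self.next_ecid += 1
        return e


@dataclass
class PortExtender:
    control_ecid: int = DEFAULT_ECID
    extended_ports: dict = field(default_factory=dict)  # VM name -> E-CID

    def lldp_tlvs(self):
        return {"chassis-id", "port-id", "port-extension"}


def bring_up(cb, pe, cascade_port, vms):
    """Run the exchange of slides 40-44 and return the resulting VM -> E-CID map."""
    cb.on_lldp(cascade_port, pe.lldp_tlvs())                              # slide 40
    reply = cb.on_csp_open(cascade_port, pe.control_ecid)                  # slide 42, Open on E-CID 1
    if reply is None:
        raise RuntimeError("CSP Open rejected by the Controlling Bridge")
    pe.control_ecid = reply[1]                                             # E-channel Register: "a"
    reply = cb.on_extended_port_create(cascade_port, pe.control_ecid, len(vms))  # slide 44
    if reply is None:
        raise RuntimeError("Extended Port Create rejected")
    for vm, ecid in zip(vms, reply[1]):                                   # "d" and "e" on the slide
        pe.extended_ports[vm] = ecid
    return dict(pe.extended_ports)


if __name__ == "__main__":
    cb, pe = ControllingBridge(), PortExtender()
    print(bring_up(cb, pe, "eth1/1", ["vm-d", "vm-e"]))
    print(cb.echannels, cb.cvlan_ports)
```

The two refusals on the bridge side are where the trust boundary sits: the E-CID namespace belongs to the Controlling Bridge, and a device that has not been recognised as a port extender over LLDP should not be able to open a control channel or request Extended Ports.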


  • Slide 48: IEEE 802.1BR Bridge Port Extender = Cisco FEX (Fabric Extender) (figure): a server running a hypervisor with several VMs on an NIV-capable adapter that exposes vNICs 1 to 5 (adapter port 0), a FEX (Nexus 2K) with ports 1 to 3 and 6 to 8, and a Nexus 5K switch (port 5). Each Ethernet hop between adapter, FEX and switch is marked "Port Extension, 802.1BR, PE Tag".

  • Slide 49: Edge bridging models and other data center standards

    • VEB (Virtual Embedded Bridge)
    • VEPA (Virtual Ethernet Port Aggregator), IEEE 802.1Qbg
    • PE (Bridge Port Extension), IEEE 802.1BR

    Other data center standards:

    • IEEE 802.1Qau Congestion Notification
    • IEEE 802.1Qaz Enhanced Transmission Selection
    • IEEE 802.1Qbb Priority-based Flow Control
    • IEEE 802.1Qbg Edge Virtual Bridging
    • IEEE 802.1BR Bridge Port Extension
    • IEEE 802.3bd MAC Control Frame for Priority-based Flow Control


  • Slide 51: Agenda (section divider; same list as slide 3)


  • Slide 53: Comparison to a Physical Switch (figure): a modular switch with Supervisor-1, Supervisor-2 and Linecard-1 to Linecard-N on a backplane, with Server 1, Server 2 and Server 3 attached to the linecards.

  • Slide 54: Moving to a Virtual Environment (figure): the same modular switch (supervisors, linecards, backplane), now with ESX hosts in place of the servers.

  • Slide 55: Supervisors become Virtual Supervisor Modules (VSMs): VSM1 and VSM2 run as a virtual appliance (figure).

  • Slide 56: Linecards become Virtual Ethernet Modules (VEMs): VEM-1, VEM-2 to VEM-N, one per ESX host (figure).

  • Slide 57: VSM + VEMs = Nexus 1000V Virtual Chassis

    VSM: Virtual Supervisor Module (VSM1 and VSM2 as a virtual appliance). VEM: Virtual Ethernet Module (VEM-1, VEM-2 to VEM-N on the ESX hosts). The VSM reaches the VEMs in L2 mode or L3 mode.

    • 64 VEMs per 1000V (connected by L2 or L3)
    • 200+ vEth ports per VEM
    • 2K vEths per 1000V
    • Multiple 1000Vs can be created per vCenter

  • Slide 58: Customer request: host the VSMs on a physical appliance instead of a virtual appliance (figure; same VSM/VEM layout and scale figures as slide 57).

  • Slide 59: VSMs hosted on a physical appliance: Nexus 1010

    The Nexus 1010 hosts VSM-A1 to VSM-A4 and VSM-B1 to VSM-B4, controlling VEM-1, VEM-2 to VEM-N on the ESX hosts in L2 or L3 mode.

    • Up to 4 VSMs per Nexus 1010
    • Nexus 1010s deployed in a redundant pair
    • 200+ vEth ports per VEM; 64 VEMs per 1000V; 2K vEths per 1000V; multiple 1000Vs per vCenter

  • Slide 60: vPath, the Virtual Service Datapath

    Each VEM carries a vPath instance; the VSM runs as a virtual appliance (figure).

    • vPath: Virtual Service Datapath; traffic steering; fast-path offload; Nexus 1000V version 1.4 and above
    • VSG: Virtual Security Gateway for the 1000V
    • vWAAS: Virtual WAAS
    • VSG and vWAAS available now

  • Slide 61: vPath with the Nexus 1010 (figure): the Nexus 1010 hosts VSM-A1 to VSM-A4, VSM-B1 to VSM-B4 and NAM instances; VEM-1 and VEM-2 on the ESX hosts run vPath, steering traffic to vWAAS and VSG.

    *VSG on the Nexus 1010 target: 2Q CY11

  • Slide 62: Agenda (section divider; same list as slide 3)

  • Slide 63: VMware vSphere 5.0 with Intel TXT* and AES New Instructions in Intel Xeon processors make multi-tenancy more secure

    • Isolate: Intel Virtualization Technology and Intel Trusted Execution Technology (Intel TXT) work together to better isolate VMs
    • Measure: Intel TXT measures vSphere 5.0 for launch protection
    • Encrypt: AES New Instructions in Intel Xeon processors quickly encrypt data in flight and at rest

    *Intel TXT available on Cisco UCS M3 servers

    Two caveats for anyone relying on this: a TXT launch measurement attests the hypervisor image at boot and says nothing about what the hypervisor or its guests do afterwards, and AES-NI only accelerates encryption that the hypervisor, storage stack or application already performs; it does not encrypt anything on its own.

  • Slide 64: Wire Once Architecture

    Chassis uplink bandwidth: 2x 1 link = 20 Gbps, 2x 2 links = 40 Gbps, 2x 4 links = 80 Gbps, 2x 8 links = 160 Gbps per chassis.

    • Policy-driven bandwidth allocation
    • Virtual interface granularity
    • I/O on demand via Service Profile

  • Slide 65: Policy-driven bandwidth pools on UCS (server blade, VMware vSphere, Cisco VIC, FEX 2200, FI 6200)

    Pool        Bandwidth   Transport               Max burst
    Platinum    50%         Lossless Ethernet NFS   64K
    Silver      30%         FC                      32K
    Bronze      20%         FC                      16K

    • QoS controls for tuning storage and network flows: Platinum, Gold, Silver, Bronze, best effort and FC QoS classes
    • Multicast optimizations
    • Bandwidth controls
    • Lossless Ethernet (drop / no drop)
    • Burst size controls

  • Slide 66: Claimed results: up to 67% reduction in application latency; near-linear, deterministic application delivery with scale; up to 50% increase in application performance.


  • Slide 83: Agenda (section divider; same list as slide 3)


  • Slides 102 to 105: Virtual Security Gateway (VSG) use case (one figure built up over four slides): Server Zones (Records Database, Application, Guest Portal) and HVD Zones (Doctor, Assistant, IT Admin, Guest) connected across the Network through the VSG, which enforces the zone policy between them.

  • 105© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo Cisco Public© 2011 Cisco and/or its affiliates. All rights reserved.Cisco Expo

    Records Database

    Server Zones

    AssistantIT Admin Doctor Guest

    Application

    HVD Zones

    Doctor

    iT Admin

    Network

    Virtual Security Gateway (VSG)

    Guest

    Portal

  • 106

    Zone membership by VM attribute: if vm-name contains "TRNG", that VM belongs to the TRNG zone.

    Server groups shown, each a set of VMs: Training Servers, Database Servers, DMZ Servers, Exchange Servers, R&D Servers, Application Servers.

    Policy for the TRNG zone (rules listed in order):

    Source      Destination   Protocol   Action
    Zone=TRNG   Zone=TRNG     Any        Permit
    Any         Zone=TRNG     Any        Permit
    Zone=TRNG   Any           Any        Drop

    Read top-down with first match winning, the table lets training VMs talk to each other and be reached from any zone, while the last rule stops a training VM from initiating traffic to anything outside its zone. The order matters: placing the Drop rule first would also match TRNG-to-TRNG traffic and silently disable the first Permit.

  • 107

    Three-tier zoning example: Web Client -> Web-Zone (Web Server) -> Application-Zone (App Server) -> Database-Zone (DB Server)

    • Permit only port 80 (HTTP) of Web Servers
    • Only permit Web Servers access to Application Servers
    • Permit only port 22 (SSH) to Application Servers
    • Only permit Application Servers access to Database Servers
    • Block all external access to Database Servers
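The two policy slides above (the attribute-derived TRNG zone with its ordered permit/drop table, and the three-tier Web/App/DB zoning) share one model: a VM's zones are computed from its attributes, and a flow is checked against an ordered list of zone-to-zone rules. The following is an added illustration of that model written for this page; it is not VSG's own policy engine, object model or CLI. The `vm-name contains "TRNG"` predicate is the one on the slide; the `web-`/`app-`/`db-` name-prefix predicates, the port-based matching, and the default-deny for unmatched flows are assumptions. The `shadowed` helper shows the ordering caveat: moving the training Drop rule to the top hides the TRNG-to-TRNG Permit.

```python
"""Zone-based VM policy evaluator in the style of the two VSG policy slides.

Zones are derived from VM attributes (here: substrings of the VM name),
rules are matched top-down and the first match wins, and anything that
matches no rule is dropped.  Illustration of the model on the slides only;
it is not VSG's own policy engine, object model or CLI.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Callable, Optional

ANY = "any"


@dataclass(frozen=True)
class VM:
    name: str


@dataclass(frozen=True)
class Rule:
    src: str             # zone name or ANY
    dst: str             # zone name or ANY
    port: Optional[int]  # destination port; None matches any protocol/port
    action: str          # "permit" or "drop"


# Zone membership predicates.  The TRNG predicate is the one on slide 106
# ("vm-name contains TRNG"); the three name-prefix predicates are assumed.
ZONES: dict[str, Callable[[VM], bool]] = {
    "TRNG": lambda vm: "TRNG" in vm.name,
    "Web": lambda vm: vm.name.startswith("web-"),
    "App": lambda vm: vm.name.startswith("app-"),
    "DB": lambda vm: vm.name.startswith("db-"),
}


def zones_of(vm: Optional[VM]) -> frozenset[str]:
    """Zones a VM belongs to; an external client (None) is in no zone."""
    if vm is None:
        return frozenset()
    return frozenset(z for z, member in ZONES.items() if member(vm))


def _covers(wanted: str, have: frozenset[str]) -> bool:
    return wanted == ANY or wanted in have


def evaluate(policy: list[Rule], src: Optional[VM], dst: VM,
             port: Optional[int] = None) -> str:
    """Action of the first rule matching the flow; default deny if none does
    (the default-deny is an assumption, not taken from the slides)."""
    src_zones, dst_zones = zones_of(src), zones_of(dst)
    for rule in policy:
        if (_covers(rule.src, src_zones) and _covers(rule.dst, dst_zones)
                and (rule.port is None or rule.port == port)):
            return rule.action
    return "drop"


def shadowed(policy: list[Rule]) -> list[int]:
    """Indexes of rules that can never fire because one earlier rule is at
    least as broad on every field.  Pairwise only: a rule hidden by the
    union of several narrower rules is not reported."""
    def field_covers(earlier: str, later: str) -> bool:
        return earlier == ANY or earlier == later

    hidden = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if (field_covers(earlier.src, later.src)
                    and field_covers(earlier.dst, later.dst)
                    and (earlier.port is None or earlier.port == later.port)):
                hidden.append(j)
                break
    return hidden


# Slide 106, in slide order: training VMs talk to each other and can be
# reached from anywhere, but may not initiate to anything outside the zone.
TRAINING_POLICY = [
    Rule("TRNG", "TRNG", None, "permit"),
    Rule(ANY, "TRNG", None, "permit"),
    Rule("TRNG", ANY, None, "drop"),
]

# Slide 107: HTTP in to Web only, only Web to App (port 22 as on the slide),
# only App to DB, nothing external to DB.
THREE_TIER_POLICY = [
    Rule(ANY, "Web", 80, "permit"),
    Rule("Web", "App", 22, "permit"),
    Rule("App", "DB", None, "permit"),
    Rule(ANY, "DB", None, "drop"),
]

if __name__ == "__main__":
    trng1, trng2, app1 = VM("srv-TRNG-01"), VM("srv-TRNG-02"), VM("app-01")
    print("TRNG->TRNG:", evaluate(TRAINING_POLICY, trng1, trng2))  # permit
    print("TRNG->App: ", evaluate(TRAINING_POLICY, trng1, app1))   # drop
    reordered = list(reversed(TRAINING_POLICY))  # drop rule first
    print("shadowed:", shadowed(reordered), evaluate(reordered, trng1, trng2))
    web, db = VM("web-01"), VM("db-01")
    print("web->db:5432:", evaluate(THREE_TIER_POLICY, web, db, 5432))  # drop
```

The VM names, ports and flows in the demo are constructed. Because zone membership is recomputed from attributes on every lookup, renaming or cloning a VM changes its policy without any rule edit, which is the operational point of attribute-based zoning and also the reason the naming convention itself needs change control.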

  • 126

    • Twitter www.twitter.com/CiscoCZ

    • Talk2Cisco www.talk2cisco.cz/dotazy

    • SMS 721 994 600

    • You are invited to the "Ptali jste se…" ("You asked…") session in hall LEO: day 1, 17:45 – 18:30; day 2, 16:30 – 17:00

  • 127

    Please rate this talk.

    Talk code