Cisco Virtual Networking Solution Nexus 1000v and Virtual Services
Abhishek Mande, Engineer
© 2014 Cisco and/or its affiliates. All rights reserved. Cisco Public
Agenda
§ Application requirements in virtualized DC
§ The Anatomy of Nexus 1000V
§ Virtual Services with vPath
§ Prime NSC
§ vPath Service Chaining
§ Summary
Server Virtualization Issues
1. vMotion moves VMs across physical ports; the network policy must follow vMotion
2. Must view or apply network/security policy to locally switched traffic
3. Need to maintain separation of duties while ensuring non-disruptive operations
[Figure labels: Port Group; Server Admin; Network Admin; Security Admin]
Application Requirements for Network Services
§ Current-generation network capabilities are driven by physical network topology. For example, if the firewall is plugged into the Internet connection and the load balancer is then plugged into the firewall, traffic must always flow in that order.
§ Application-driven requirements that change the relationship (load balancing, then firewall) cannot be supported without physically changing the layout of the network.
[Figure labels: Core Router/Switch; Firewall; Load Balancer; Proxy Server; Application]
Virtual Services – Architectural Approach
Requirement: Virtualisation awareness
• Dynamic policy-based provisioning
• Support VM mobility (e.g. vMotion)
Solution:
• Virtual (SW) form-factor
• Integration with VM mgmt tools (e.g. vCenter, SC-VMM in future)
• Policies bound to vNIC/VM
• Integration with N1KV (vPath*)
Requirement: Multi-tenant / scale-out deployment
Solution:
• Virtual service: multi-instance deployment
• Management: Multi-tenant
• N1KV vPath: Multi-tenant
Requirement: Separation of duties
• Non-disruptive to server team
Solution:
• Profile-based provisioning for services
• Integration with N1KV port profile
• Optional hosting on Nexus 1010 HW appliance
Requirement:
• Efficient deployment
• Performance optimisation
Solution:
• Integration with N1KV vPath
Requirement: Broad mobility diameter
• DC-wide, DC-to-DC, DC-to-Cloud
Solution:
• DC-wide: VXLAN**
• DC-to-DC: OTV**
*vPath: Virtual Service Datapath
**VXLAN: Virtual Extensible LAN
**OTV: Overlay Transport Virtualisation
Network Services Options for Virtualized/Cloud DC
• Redirect VM traffic via VLANs to external (physical) firewall
• Apply hypervisor-based virtual network services (this session)
[Figure labels: Hypervisor; Dedicated Service Nodes; Virtual Contexts; VLANs; Virtual Service Nodes (VSN); Web Server; App Server; Database Server]
The Anatomy of Nexus 1000V
Nexus 1000V - Consistent Cloud Networking: Multi Hypervisors and Multi Orchestration Strategy
Cloud Portal and Orchestration: vCloud Director/Automation Center, System Center, Citrix CloudPlatform, CIAC/OpenStack/Partners
Cloud Network Services: vWAAS, NAM, ASA 1000V, NetScaler 1000V, VSG, Partners
Virtual Network Infrastructure: Nexus 1000V, vPath (layer labels: L2-3, L4-7)
Hypervisor: vSphere, Hyper-V, XenServer, KVM
Physical Network: Unified Fabric (Nexus), UCS Computing Platform, Storage Platform
Cisco Nexus 1000V
Cisco Virtual Machine Networking: Policy-Based VM Connectivity; Mobility of Network and Security Properties; Non-Disruptive Operational Model
Port Profile / Defined Policies: WEB, Apps, HR, DB, DMZ
VM Connection Policy
• Defined in the network
• Applied in Virtual Centre
• Linked to VM UUID
[Figure labels: vCenter; Nexus 1000V VSM; Nexus 1000V VEM (two); VMs]
Cisco Nexus 1000V
VMs Need to Move
• VMotion
• DRS
• SW upgrade/patch
• Hardware failure
Property Mobility
• VMotion for the network
• Ensures VM security
• Maintains connection state
Nexus 1000V Architecture Respects DC Operational Model for P→V
VSM: Virtual Supervisor Module
VEM: Virtual Ethernet Module
[Figure: a modular switch (Supervisor-1 active, Supervisor-2 standby, Linecard-1 to Linecard-N, backplane) shown with the Nexus 1000V (VSM-1 active and VSM-2 standby as virtual appliance, VEM-1 to VEM-N on the hypervisors). Other labels: Network Admin; Server Admin; NX-OS Control Plane; NX-OS Data Plane]
Port-Profile Configuration
n1000v# show port-profile name WebProfile
port-profile WebServers
  description:
  status: enabled
  capability uplink: no
  system vlans:
  port-group: WebServers
  config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  evaluated config attributes:
    switchport mode access
    switchport access vlan 110
    no shutdown
  assigned interfaces:
    Veth10
Supported commands include:
• Port management
• VLAN
• PVLAN
• Port-Channel
• ACL
• Netflow
• Port security
• QoS
• vService
Port Groups: VI Admin View
Nexus 1000V Architecture: vPath – service insertion in the hypervisor
[Figure: the modular switch and Nexus 1000V architecture diagram (VSM-1 active, VSM-2 standby, VEM-1 to VEM-N on the hypervisors), with vPath labels alongside the VEMs. Other labels: Network Admin; Server Admin; NX-OS Control Plane; NX-OS Data Plane]
vPath – Policy Based Service Enablement
vPath is a Nexus 1000V data-plane component that provides:
1. Distributed service insertion architecture, with intelligent traffic intercept and redirection mechanism
2. Topology-agnostic service insertion model
3. Service chaining across multiple virtual services
4. Performance acceleration with vPath, e.g. VSG flow offload
5. Efficient and scalable architecture
6. VM policy mobility with VM mobility
Evolve the network for the next wave of application requirements
[Figure labels: Cloud Network Services (CNS); Virtual Services; Nexus 1000V vPath; Any Hypervisor]
Cisco Virtual Networking and Cloud Network Services
Full Portfolio of Best in Class Virtualized Network Services
Nexus 1000V
• Distributed switch
• NX-OS consistency
VSG
• Distributed
• Zone-based FW
ASA 1000V
• Edge firewall, VPN
• Protocol inspection
vWAAS
• WAN optimization
• Application traffic
CSR 1000V (Cloud Router)
• WAN L3 gateway
• Routing and VPN
Ecosystem Services
• Citrix NetScaler VPX virtual ADC
• Imperva Web App. Firewall
Multi-Hypervisor (VMware, Microsoft, KVM*, Xen*)
*KVM in beta, Xen prototype
[Figure labels: Cloud Network Services: Cisco Virtual Security Gateway (VSG), Imperva SecureSphere WAF, vWAAS, Cloud Services Router 1000V, ASA 1000V Cloud Firewall, Citrix NetScaler 1000V, Network Analysis Module (vNAM); Nexus 1000V; vPath; Enhanced VXLAN; Physical Infrastructure: WAN Router, Switches, Servers]
Cisco Cloud Services Platform
10G and SSL Ready
• Dedicated Cloud Services appliance
• Flexible, on-demand allocation of resources
• Allows policy management by network teams
VSM = Virtual Supervisor Module; DCNM = Data Center Mgt. Center
* 2H CY13
[Figure labels: Nexus 1110 Cloud Services Platform; VSM; VSM; DCNM*; Cisco Cloud Network Services (CNS): Citrix NetScaler 1000V, Prime virtual NAM, Imperva SecureSphere WAF, Virtual Security Gateway; Nexus 1000V; vPath; Any Hypervisor; VMs]
Virtual Security Gateway
Cisco Virtual Security Gateway: Distributed, Zone Based Firewall
• Context-aware security: VM context-aware rules
• Zone-based controls: establish zones of trust
• Dynamic, agile: policies follow vMotion
• Best-in-class architecture: efficient, fast, scale-out SW (with vPath intelligence)
[Figure labels: Virtual Security Gateway (VSG); Prime NSC]
Virtual Security Gateway: Intelligent Traffic Steering with vPath
Initial packet of a flow:
1. Initial packet flow
2. Flow access control (policy evaluation)
3. Decision caching
Remaining packets from the flow:
• Decision offloaded to Nexus 1000V (policy enforcement)
[Figure labels: Nexus 1000V Distributed Virtual Switch; vPath; VSG; PNSC; VNMC; Log/Audit; VMs; numbered callouts 1 to 5]
Decoupled Deployment Across Applications and Virtual Services
• No need to deploy virtual services on every host
• Plan CPU capacity independently across application workloads and virtual services
• Solution is simpler to deploy with multiple operations teams (server, network, and security)
[Figure labels: Virtualized Infrastructure with Cisco Nexus® 1000V Deployment; VEMs; VMs; Cisco VSG]
Deployment in Multitenant Environment
[Figure labels: Tenant A; Tenant B; Web Zone; App Zone; Dev Zone; QA Zone; Active VSG (Tenant A); Active VSG (Tenant B); Standby VSG (two); vSphere hosts, each with a Cisco Nexus 1000V VEM and vPath; 1000V VSM; VMware vCenter Server; Cisco Prime Network Service Controller; Data Center Network]
Policy Rule Construct
• Cisco VSG supports policies based on network attributes and virtual machine (VM) attributes
Rule: Source Condition, Destination Condition, Action
Condition: Attribute Type, Operator
Attribute Type: Network, VM, Custom
VM Attributes: Instance Name, Guest OS full name, Zone Name, Parent App Name, Port Profile Name, Cluster Name, Hypervisor Name
Network Attributes: IP Address, Network Port
Operator: eq, neq, gt, lt, range, Not-in-range, Prefix, member, Not-member, Contains
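The traffic-steering sequence (policy evaluation on the first packet, decision caching, enforcement in the switch for the rest of the flow) and the rule construct above can be modeled together. This is an added example, not Cisco code or part of the original deck: the class names, first-match and implicit-deny evaluation, operator semantics and sample rules are assumptions made for illustration.

```python
import ipaddress

# Operators named on the slide; the semantics given here are assumptions.
OPERATORS = {
    "eq": lambda a, v: a == v,
    "neq": lambda a, v: a != v,
    "gt": lambda a, v: a > v,
    "lt": lambda a, v: a < v,
    "range": lambda a, v: v[0] <= a <= v[1],
    "not-in-range": lambda a, v: not (v[0] <= a <= v[1]),
    "prefix": lambda a, v: ipaddress.ip_address(a) in ipaddress.ip_network(v),
    "member": lambda a, v: a in v,
    "not-member": lambda a, v: a not in v,
    "contains": lambda a, v: v in a,
}

class ToyVSG:
    """Service node: first matching rule wins, implicit deny (assumed)."""
    def __init__(self, rules):
        self.rules = rules
        self.evaluations = 0  # packets that actually reached the service node

    def evaluate(self, pkt):
        self.evaluations += 1
        for _name, conditions, action in self.rules:
            if all(self._holds(pkt, c) for c in conditions):
                return action
        return "drop"

    @staticmethod
    def _holds(pkt, cond):
        side, attr, op, value = cond
        actual = pkt[side].get(attr)
        # A missing attribute never satisfies a condition (fail closed).
        return actual is not None and OPERATORS[op](actual, value)

class ToyVPath:
    """Data plane: first packet goes to the VSG, the rest hit the flow cache."""
    def __init__(self, vsg):
        self.vsg = vsg
        self.flow_table = {}

    def forward(self, pkt):
        key = (pkt["proto"], pkt["src"]["ip"], pkt["src"]["port"],
               pkt["dst"]["ip"], pkt["dst"]["port"])
        if key in self.flow_table:
            return self.flow_table[key], "vem-cache"
        action = self.vsg.evaluate(pkt)   # policy evaluation
        self.flow_table[key] = action     # decision caching
        return action, "vsg"

# Constructed sample policy and endpoints (illustrative values only).
RULES = [
    ("web-to-db", [("src", "zone", "eq", "Web"), ("dst", "zone", "eq", "Database"),
                   ("dst", "port", "eq", 3306)], "permit"),
    ("mgmt-ssh", [("src", "ip", "prefix", "10.0.0.0/24"),
                  ("dst", "port", "member", {22})], "permit"),
]

def packet(src_ip, src_zone, dst_ip, dst_zone, dst_port, src_port=40000):
    return {"proto": "tcp", "src": {"ip": src_ip, "port": src_port, "zone": src_zone},
            "dst": {"ip": dst_ip, "port": dst_port, "zone": dst_zone}}

def run_demo():
    vpath = ToyVPath(ToyVSG(RULES))
    web_to_db = packet("10.1.1.10", "Web", "10.1.2.10", "Database", 3306)
    same_flow = [vpath.forward(web_to_db) for _ in range(3)]
    app_to_db = vpath.forward(packet("10.1.3.10", "App", "10.1.2.10", "Database", 3306))
    return same_flow, app_to_db, vpath.vsg.evaluations
```

In this model, later packets of a flow never reach the service node, so a rule change affects an existing flow only once its cached entry is removed; timeouts and invalidation are left out here.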
Citrix NetScaler 1000V
• Citrix Best-in-Class virtual application delivery controller (vADC)
• Sold and supported by Cisco (Q3)
• Integrated with Nexus 1100, vPath
• NetScaler 1000V = VPX – (Cloud Bridge, Cloud Connect, SSL VPN)
VSM = Virtual Supervisor Module; DCNM = Data Center Mgt. Center
* 2H CY13
[Figure labels: Nexus 1110 Cloud Services Platform; VSM; VSM; DCNM*; Cisco Cloud Network Services (CNS): Citrix NetScaler 1000V, Prime virtual NAM, Imperva SecureSphere WAF, Virtual Security Gateway; Nexus 1000V; vPath; Any Hypervisor; VMs]
SLB: With and Without vPath
Why vPath?
Without vPath
§ Source NAT (SNAT) - Client/Source obscured
§ Policy Based Routing (PBR) - Complex
§ Inline ADCs – Performance bottleneck
§ Selective traffic – Optimal implementation
With vPath
• Preserve Source IP with vPath; vPath redirects server-return traffic to SLB
• Easy deployment – Topology agnostic
• Service Chaining
• Optimal use of Performance
• Enable new east-west flow use cases
NetScaler 1000V without vPath: East-West / Distributed Services
Tiers: Web, App, DB. Client IP 172.50.20.10
1. Web Server initiates a connection to the App Server with LB services enabled; the destination IP is now the VIP. (DST IP: 192.168.20.10, Src IP: 192.168.20.100)
2. VIP selects an App Server for the destination and sends the packet with the destination IP of the App Server and the source IP of its SNIP. (DST IP: 192.168.30.10, Src IP: 192.168.20.200)
3. Distributed firewall policy for the App Server receives the packet but lacks visibility of source information for policy evaluation. Policy fails! The firewall needs to know the Source/Client IP for policy evaluation.
NetScaler 1000V with vPath: Enabling East-West Flow Use Case for SLB
Tiers: Web, App, DB. Client IP 172.50.20.10
3. Distributed firewall enabled for the App Server receives the packet and has full visibility of source information for policy evaluation. The firewall has visibility of source and destination for policy evaluation.
4. Packet is forwarded to the App Server on policy evaluation.
East-West services and application servers are ready to deliver best-in-class services.
[Figure labels: Cisco vPath (two); numbered callouts 3 to 5]
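The east-west case above, as an added example that is not part of the original slides: it shows why a source-based firewall rule fails behind SNAT and what preserving the source IP changes. The web server, VIP, SNIP and app server addresses are the ones on the slides; the VM names, zones, the DB-tier host, the port and all function names are constructed.

```python
# Addresses for the web server, VIP, SNIP and app server are the ones on the
# slides; everything else below is constructed for this example.
WEB, VIP = "192.168.20.100", "192.168.20.10"
SNIP, APP = "192.168.20.200", "192.168.30.10"
DB_HOST = "192.168.40.10"  # constructed: a VM that must not reach the app tier

INVENTORY = {  # what the firewall can resolve from a source IP (constructed)
    WEB: {"vm": "web-01", "zone": "Web"},
    DB_HOST: {"vm": "db-01", "zone": "Database"},
}


def load_balance(pkt, preserve_source):
    """Forward VIP traffic to the selected app server.

    preserve_source=False models SNAT: the source becomes the SNIP.
    preserve_source=True models the vPath case: the source IP is kept.
    """
    if pkt["dst"] != VIP:
        return pkt
    out = dict(pkt, dst=APP)
    if not preserve_source:
        out["src"] = SNIP
    return out


def app_firewall(pkt, allowed_ips=()):
    """Permit sources in the Web zone, plus any explicitly allowed IPs."""
    if pkt["src"] in allowed_ips:
        return "permit"
    vm = INVENTORY.get(pkt["src"])
    return "permit" if vm and vm["zone"] == "Web" else "deny"


def send(src, preserve_source, allowed_ips=()):
    """Return (firewall verdict, source IP the firewall saw and would log)."""
    pkt = {"src": src, "dst": VIP, "dport": 8080}
    delivered = load_balance(pkt, preserve_source)
    return app_firewall(delivered, allowed_ips), delivered["src"]


def compare():
    return {
        # SNAT: the firewall sees the SNIP, cannot map it to a Web VM, denies.
        "snat_web": send(WEB, False),
        # Allowing the SNIP restores the web flow but admits every VIP client.
        "snat_allow_snip_web": send(WEB, False, allowed_ips=(SNIP,)),
        "snat_allow_snip_db": send(DB_HOST, False, allowed_ips=(SNIP,)),
        # Source preserved: the zone-based rule separates the two senders.
        "vpath_web": send(WEB, True),
        "vpath_db": send(DB_HOST, True),
    }
```

The two middle results are the practical consequence: once the SNIP is allowed, the app-tier firewall can no longer tell the web server from any other client of the VIP, and its logs show only the SNIP.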
Deployment Network Topologies: One-Arm
§ One-armed topologies have several benefits
– Simple, one physical interface and no risk of bridge loops
– Can make use of Link Aggregation to satisfy bandwidth requirements
– SLB does not have to be default gateway for application VMs
– Very few failure modes, easing HA failure analysis
[Figure: Logical Topology. Labels: Web; NetScaler 1000V; vPath; vPath interface]
vPath Service-Chaining and why it is important
vPath Service Chaining Benefits: Intelligent policy-based traffic steering through multiple network services
• Decouples network services from underlying network topology with vPath Overlays
• Dynamic service chains enabled per VM port
• Programmability
• Transparent services insertion
• Multi-tenancy
• VXLAN
Expanded vPath Ecosystem: VSG, ASA 1000V, vWAAS, & NetScaler 1000V
[Figure labels: Client; Virtual Service A; Virtual Service B; Virtual Service C; Web VM Tenant #1 (Policy 1); Web VM Tenant #2 (Policy 2); Cisco Nexus 1000V – vPath Embedded (Policy 1 & Policy 2 defined for each tenant)]
Services Chaining with vPath: Intelligent Policy-based Traffic Steering Through Multiple Network Services
1. Client initiates flow to Web Server (VIP as server IP): Client → LB-VIP
2. NS1000V load balances the web request and selects Web Server 1 (Client → S1)
3. Based on policy, vPath redirects traffic to the service chain, starting with the zone-based firewall, VSG
4. Traffic returns to the Virtual Ethernet Module, ready for the next network service
5. WAF inspects packets for web attacks; prevents attacks and generates alerts
6. vPath forwards the packet to the Web Server VM
7. Web to DB Tier connection
8. Web to DB Tier connection: database tier security policy
9. Apply VSG policy and forward packet to database
[Figure labels: Web Tier; DB Tier; VMs (APP, OS); Cisco vPath (two)]
vPath 3.0
• Service chaining with vPath and non-vPath network services
• Virtual and physical network services
• Any network service can now be distributed, not just firewalls
• Submitted to IETF for standardization*
• Supporting multiple hypervisors
*http://tools.ietf.org/html/draft-quinn-nsh-00
[Figure labels: Any Hypervisor; VM; Nexus 1000V; vPath; vPath Virtualized Network Service; Non vPath Virtualized Network Service; vPath Physical Network Service; Non vPath Physical Network Service]
Service-Chaining Use-cases
Enterprise: Multi-Tier Applications
§ Intelligent service chaining
§ Network topology agnostic
§ Flat network: VMs are on the same VLAN 100 segment, yet each has a different set of services enabled
§ Service chain stays attached to the VM on VM mobility
Service chains shown (each VM on VLAN 100):
• WAN Optimization + Edge Firewall + NAT + Load Balancer + Web Application Firewall + Zone based Firewall
• Load Balancer + Zone based Firewall
• VSG Zone based Firewall
[Figure labels: vPath; Web]
3-Tier Server Zone (Tenant-A)
• ASA: Permit only port 80 (HTTP) to web servers
• ASA: Block all external access to database servers
• VSG: Only permit web servers access to database servers
• VSG: Only permit client access to web server and deny access to DB server
• ASA 1000V: NAT VIP: 10.10.25.100
• NS1000V: Web server LB
Legend: NetScaler 1000V – Server Load Balancer; ASA 1000V – Edge Security Profile; VSG – Compute Security Profile
[Figure labels: Web-Zone; Database-Zone; App-Zone; Web Server (two); DB Server; Client; IP – 192.168.1.1; IP – 192.168.1.2; IP – 192.168.1.203; ASA; VSG]
Cloud Provider Multi-Tenancy Use Cases
• Secure VPN Gateway
• MPLS Extension
• Tenant SLB
• East-West Firewall
Server Load-Balancer and East-West Firewall offered as a Service by CSP
[Figure: Cloud Provider’s Data Center Multi-Tenancy. Labels: Enterprise A; Enterprise B; Internet; DC; Branch; MPLS; WAN Router; Physical Infrastructure: Switches, Servers; Virtual Infrastructure: Tenant A and Tenant B, each with CSR1kV, NS1KV and VSG]
Prime Network Service Controller: Simple Yet Powerful Virtual Network Services Management
• Centralized manager for all virtual services
• Custom created to manage virtualization-specific workflows
• Multi-tenant
• Role-based access controls
• Dynamic provisioning
• XML API: third-party integration
• Cisco Nexus® 1000V, VMware vCenter, SCVMM
Summary
• Cisco provides consistent Layer 2-7 networking for physical, virtual, and cloud deployments: design once, run everywhere
• vPath 3 for standardized service chaining for virtual and physical network services
• Orchestration tool of your choice: SCVMM, OpenStack, UCS Director and more
• Hypervisor agnostic
• Single network for physical, virtual, and cloud
• Consistent operational model and troubleshooting, especially with ACI