With the adoption of overlay networks as the standard deployment model for multi-tenant networks, Layer 2 over Layer 3 protocols have become the favorite among network engineers. One of the Layer 2 over Layer 3 (or Layer 2 over UDP) protocols adopted by the industry is VXLAN. As with any other overlay network protocol, its scalability is tied to how well it handles Broadcast, Unknown unicast and Multicast (BUM) traffic. That is where the evolution of the VXLAN control plane comes into play.
The standard does not define a “standard” control plane for VXLAN. There are several drafts describing the use of different control planes. The most commonly used VXLAN control plane is multicast. It is implemented and supported by multiple vendors and is even natively supported in server operating systems such as the Linux kernel.
This post tries to summarize the three (3) control planes currently supported by some Cisco NX-OS/IOS-XR platforms. My focus is on the Nexus 7k, Nexus 9k, Nexus 1k and CSR1000v.
Each control plane may have a series of caveats of its own, but those are not covered by this blog entry. Let’s start with some VXLAN definitions:
(1) VXLAN Tunnel Endpoint (VTEP): maps tenants’ end devices to VXLAN segments and performs VXLAN encapsulation/de-encapsulation.
(2) Virtual Network Identifier (VNI): identifies a VXLAN segment. It is a 24-bit field, so there are up to 2^24 IDs, theoretically giving us 16,777,216 segments (valid VNI values are from 4096 to 16777215). Each segment can transport 802.1q-encapsulated packets, theoretically giving us 2^12 or 4096 VLANs over a single VNI.
(3) Network Virtualization Endpoint or Network Virtualization Edge (NVE): overlay interface configured on Cisco devices to define a VTEP.
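As an added example (not code from the original post), here is a small Python encoder/decoder for the VXLAN header (RFC 7348) and the inner 802.1Q tag, enforcing the 24-bit VNI range quoted above and the 12-bit VLAN ID; the sample frame, MAC addresses and VNI 10010 are constructed for illustration.

```python
import struct

VXLAN_UDP_PORT = 4789              # IANA-assigned UDP port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08                # "VNI present" flag bit in the VXLAN header
VNI_MIN, VNI_MAX = 4096, 16777215  # valid VNI range quoted in the post (24-bit field)
ETHERTYPE_8021Q = 0x8100
VLAN_ID_MASK = 0x0FFF              # 12-bit VLAN ID inside the 802.1Q TCI

def build_vxlan_header(vni):
    """Encode the 8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not VNI_MIN <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} outside {VNI_MIN}-{VNI_MAX}")
    return struct.pack("!BBBBI", VXLAN_FLAG_I, 0, 0, 0, vni << 8)

def parse_vxlan_header(hdr):
    """Decode a VXLAN header, rejecting malformed ones the way a VTEP should.
    Reserved bits are ignored on receipt, as RFC 7348 requires."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _r1, _r2, _r3, tail = struct.unpack("!BBBBI", hdr[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI, frame must be dropped")
    vni = tail >> 8
    if not VNI_MIN <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} outside {VNI_MIN}-{VNI_MAX}")
    return vni

def parse_inner_vlan(inner):
    """Return (vlan_id, ethertype) of the inner Ethernet frame; vlan_id is None if untagged."""
    if len(inner) < 14:
        raise ValueError("truncated inner Ethernet frame")
    ethertype = struct.unpack("!H", inner[12:14])[0]
    if ethertype != ETHERTYPE_8021Q:
        return None, ethertype
    if len(inner) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, real_type = struct.unpack("!HH", inner[14:18])
    return tci & VLAN_ID_MASK, real_type

def decapsulate(payload):
    """Split a VXLAN UDP payload into (vni, vlan_id, inner_ethertype), validating each layer."""
    vni = parse_vxlan_header(payload)
    vlan_id, ethertype = parse_inner_vlan(payload[8:])
    return vni, vlan_id, ethertype

# Constructed sample: VNI 10010 carrying a VLAN 200-tagged IPv4 frame (MACs are made up).
SAMPLE_INNER = (bytes.fromhex("0000000000aa") + bytes.fromhex("0000000000bb")
                + struct.pack("!HHH", ETHERTYPE_8021Q, 200, 0x0800) + b"\x45" + b"\x00" * 19)
SAMPLE_PAYLOAD = build_vxlan_header(10010) + SAMPLE_INNER
```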
As a Gold Sponsor of AWS re:Invent this year, Cisco will be showcasing hybrid cloud solutions that enable you to combine the control, security, and performance of private clouds with the scale, economics, and speed that public clouds can offer.
Cisco’s cloud portfolio, including Intercloud Fabric, Application Centric Infrastructure, Cloud Services Routers, and Adaptive Security Appliances, gives you the power of choice and agility.
Learn more about how your business can unleash hybrid IT, and be sure not to miss the following Cisco solution demos at re:Invent 2014. We will be raffling many exciting prizes on all days during the event. You’re automatically entered when you visit the Cisco booth and have your badge scanned.
Cisco Intercloud Fabric is a highly secure, open, and flexible solution that provides complete freedom in workload placement. It is hypervisor and cloud provider independent, giving you the desired flexibility. All the traffic between your data center and the cloud provider, as well as traffic inside the public cloud, is encrypted. Your network and security policies are migrated consistently and transparently over Layer 2 extension. A unified management portal gives you a single interface for workload management and automation across heterogeneous cloud environments.
Get a free 90-day evaluation license for Cisco Intercloud Fabric when you visit the Cisco Intercloud Fabric booth.
Cisco Application Centric Infrastructure supports a business-relevant application policy language, greater scalability through a distributed enforcement system, and greater network visibility through the integration of physical and virtual environments across networks, servers, storage, security, and services. For more details, check out a special edition of Unleashing IT.
Cloud Services Router
Cisco Cloud Services Router (CSR1000V) sets the standard for enterprise-class networking and security services in a virtual form factor. The CSR1000V is the first platform to deliver multigigabit IPSec performance in Amazon Web Services cloud.
It helps enterprises transparently extend their private networks to the public cloud using the familiar Cisco IOS XE Software CLI and RESTful API, which ensure easy deployment, monitoring, troubleshooting, and service orchestration.
Security continues to be a top concern for organizations looking to expand their network into the cloud. It needs to be a transparent extension of local network and data center policies, allowing data to move securely between those environments. To address this need, Cisco has engineered new versions of our market-leading Cisco Adaptive Security Appliance Next-Generation Firewall (ASA NGFW) and FirePOWER NGIPS solutions specifically for AWS environments.
Now you can create dynamically encrypted tunnels between your local or distributed networks and the cloud; apply consistent security for physical, virtual, and cloud environments; make sure local policies are understood and enforced in the cloud; and deploy a single security strategy across traditional, NFV, SDN, ACI, and cloud architectures.
See you in Vegas!
Stop by Cisco Booth #112 to have 1:1 meetings with Cisco product experts and discuss your use cases. We look forward to seeing you at re:Invent.
The next stable OpenStack release codenamed “Juno” is slated to be released October 16, 2014. From improving live upgrades in Nova to enabling easier migration from Nova Network to Neutron, the OpenStack Juno release will address operational challenges in addition to providing many new features and enhancements across all projects.
As indicated in the latest Stackalytics contributor statistics, Cisco has contributed to seven different OpenStack projects, including Neutron, Cinder, Nova, Horizon and Ceilometer, as part of the Juno development cycle. This is up from five projects in the Icehouse release. Cisco also ranks first in the number of completed blueprints in Neutron.
In this blog post, I’ll focus on Neutron contributions, which are the major share of contributions in Juno from Cisco.
Cisco OpenStack team-led Neutron community contributions
An important blueprint that Cisco collaborated on and implemented with the community was to develop the Router Advertisement Daemon (radvd) for IPv6. With this support, multiple IPv6 configuration modes including SLAAC and DHCPv6 (both Stateful and Stateless modes) are now possible in Neutron. The implementation provides for running a radvd process in the router namespace for handling IPv6 auto address configuration.
To support the distributed routing model introduced by Distributed Virtual Router (DVR), this Firewall as a Service (FWaaS) blueprint implementation handles firewalling North–South traffic with DVR. The fix ensures that firewall rules are installed in the appropriate namespaces across the Network and Compute nodes to support perimeter firewall (North-South). However, firewalling East-West traffic with DVR will be handled in the next development cycle as a Distributed Firewall use case.
Additional capabilities in the ML2 and services framework were contributed to enable better plugin and vendor driver integration. This included the following blueprint implementations:
Improvements to vendor validation for service drivers, to proactively detect validation failures before service resources are persisted and to give the user a clear indication of failure.
Idempotent database migration between Neutron deployments, enabling upgrades/downgrades in case of different core and service plugin configurations.
Cisco device specific contributions in Neutron
Cisco added Application Policy Infrastructure Controller (APIC) ML2 MD and Layer 3 Service Plugin in the Juno development cycle. The ML2 APIC MD translates Neutron API calls into APIC data model specific requests and achieves tenant Layer 2 isolation through End-Point-Groups (EPG).
The APIC MD supports dynamic topology discovery using LLDP, reducing the configuration burden in Neutron for the APIC MD, and also ensures data is in sync between Neutron and APIC. Additionally, the Layer 3 APIC service plugin enables configuration of internal and external subnet gateways on routers using Contracts to enable communication between EPGs as well as provide external connectivity. The APIC ML2 MD and Service Plugin have also been made available with the OpenStack Icehouse release. The installation and operation guide for the driver and plugin is available here.
An enterprise-class virtual networking solution using the Cisco Nexus 1000v is enabled in OpenStack with its own core plugin. In addition to providing host-based overlays using VXLAN (in both unicast and multicast mode), it provides Network and Policy Profile extensions for virtual machine policy provisioning.
The Nexus 1000v plugin added support for accepting REST API responses in JSON format from Virtual Supervisor Module (VSM) as well as control for enabling Policy Profile visibility across tenants. More information on features and how it integrates with OpenStack is provided here.
As an alternative to the default Layer 3 service implementations in Neutron, a Cisco router service plugin is now available that delivers Layer 3 services using the Cisco Cloud Services Router (CSR) 1000v.
The Cisco Router Service Plugin introduces a notion of “hosting device” to bind a Neutron router to a device that implements the router configuration. This allows the flexibility to add virtual as well as physical devices seamlessly into the framework for configuring services. Additionally, a Layer 3+ “configuration agent” is available upstream as well that interacts with the service plugin and is responsible for configuring the device for routing and advanced services. The configuration agent is multi-service capable, supports configuration of hardware or software based L3 service devices via device drivers and also provides device health monitoring statistics.
The VPN as a Service (VPNaaS) driver using the CSR1000v has been available since the Icehouse release, as a proof-of-concept implementation. The Juno release enhances the CSR1000v VPN driver such that it can be used in a more dynamic, semi-automated manner to establish IPSec site-to-site connections, and paves the way for a fully integrated and dynamic implementation with the Layer 3 router plugin planned for the Kilo development cycle.
The OpenStack team at Cisco has led, implemented and successfully merged upstream numerous blueprints for the Neutron Juno release. Clearly, some have been critical for the community and others enable customers to better integrate Cisco networking solutions with OpenStack Networking.
Stay tuned for more information on other project contributions in Juno and on Cisco-led sessions at the Kilo Summit in Paris!
Cisco Prime Network Services Controller 3.2.2 is available for download; follow this link to download the software and documentation. The 3.2.2 release incorporates a number of new features on top of the 3.2.1 release. Refer to an earlier blog for the features introduced in the 3.2.1 release. The following video provides a brief introduction to Prime Network Services Controller.
Following are some of the key capabilities introduced in Cisco Prime Network Services Controller 3.2.2 release:
Prime Network Services Controller operating in OpenStack environment supporting Edge Router and Load Balancer network services
License automation for CSR 1000V, Citrix NetScaler VPX and Citrix NetScaler 1000V
Automatic instantiation of Compute Firewall, Edge Router and Load Balancer network services with Dynamic Fabric Automation
The Cisco Prime Network Services Controller 3.2.1 supports Microsoft Hyper-V and VMware vSphere environments. Prime Network Services Controller 3.2.2 extends multi-hypervisor capabilities by introducing the support for OpenStack (KVM) in addition to Microsoft Hyper-V and VMware vSphere.
Let’s talk about one of the biggest IT trends out there: THE CLOUD. And let’s talk about why it should matter to you as you’re poking around and researching Cisco products. As you probably know, “the cloud” is more than just one of the hottest buzzwords out there – it’s where the market is shifting, and quickly. But you might be wondering…why is Cisco, the market leader in networking hardware, talking about cloud?
One word: CSR1000V.
If you need a primer on the CSR, check out this quick video below. The Cliff Notes version is that Cisco basically took its IOS XE operating system from the ASR1000 and created a virtual router, and voila – behold the CSR1000V, providing virtualized routing and security capabilities in the cloud.
As you might’ve heard through the grapevine, the CSR can now be deployed in Amazon Web Services (AWS). Now that we’re one of the cool kids in the AWS ecosystem, it was a great time to launch the CSR1000V (AMI version) at the 2nd annual AWS re:Invent conference held on November 12-15. re:Invent is AWS’s global community (customer and partner) conference targeted at the developer crowd. This year’s attendance was 9,000 strong, evenly split amongst startups, midsize companies, and large enterprises.