In the past, we have pointed out that configuring network services and security policies into an application network has traditionally been the most complex, tedious and time-consuming aspect of deploying new applications. For a data center or cloud provider to stand up applications in minutes and not days, easily configuring the right service nodes (e.g. a load balancer or firewall), with the right application and security policies, to support the specific workload requirements, independent of location in the network is a clear obstacle that has to be overcome.
Let’s say, for example, you have a world-beating best-in-class firewall positioned in some rack of your data center. You also have two workloads that need to be separated according to security policies implemented on this firewall on other servers a few hops away. The network and security teams have traditionally had a few challenges to address:
If traffic from workload1 to workload2 needs to go through a firewall, how do you route traffic properly, considering the workloads don’t themselves have visibility to the specifics of the firewalls they need to work with. Traffic routing of this nature can be implemented in the network through the use of VLAN’s and policy-based routing techniques, but this is not scalable to hundreds or thousands of applications, is tedious to manage, limits workload mobility, and makes the whole infrastructure more error-prone and brittle.
The physical location of the firewall or network service largely determines the topology of the network, and have historically restricted where workloads could be placed. But modern data center and cloud networks need to be able to provide required services and policies independent of where the workloads are placed, on this rack or that, on-premises or in the cloud.
Whereas physical firewalls might have been incorporated into an application network through VLAN stitching, there are a number of other protocols and techniques that generally have to be used with other network services to include them in an application deployment, such as Source NAT for application delivery controllers, or WCCP for WAN optimization. The complexity of configuring services for a single application deployment thus increases measurably.
There has been some seismic activity happening in Bay Area and the epicenter for all Virtual Networking shifts is right here at Cisco HQ in San Jose. (Our sympathies go to all those affected by the real earthquake further to the north.) At Cisco, it’s all about the applications and the shift to dynamic network virtualization. Cisco pioneered virtual networking with Nexus 1000V virtual switch and recently incorporated it in the application aware Application Virtual Switch (AVS), for Cisco ACI-enabled networks. Cisco is excited to announce the availability of Nexus 1000 Release 3.1 of Nexus1000V for vSphere (available for download here). We are showing the upcoming generation of the virtual switch at VMworld in San Francisco this week.
Nexus1000V is the edge switch for virtual environments, bringing the network edge right up to the virtual machine, and connecting virtual ports to the physical network and beyond. The Nexus 1000V is the foundation for our virtual network overlay portfolio, including all of our virtual L4-7 application and security services, our cloud orchestration software, VXLANs and more. It is also at the heart of AVS, a purpose-built, hypervisor-resident virtual network edge switch designed for the Application Centric Infrastructure.
Release 3.1 is a new major release enabling enterprise and cloud provider customers running the vSphere hypervisor to leverage the distributed virtual firewall VSG, expand VXLAN footprint in the datacenter, improve secure isolation thru Cisco TrustSec and dramatically simplify updates through Cisco VSUM (Virtual Switch Update Manager). Most of the new features are value add to the Advanced Edition. New customers will need a Ver 3 specific license to use the full functionality of Ver 3. Existing customers with support contract are automatically entitled to free upgrade to Ver 3. AVS incorporates Nexus 1000V capabilities with consistent application policy enforcement for virtual workloads and unprecedented end-to-end visibility for applications in your data center.
Increased Scalability (Advanced Edition)– More than doubles the scale from the previous release. The virtual switch now supports 250 hosts/servers per switch with 10,000 ports per switch. In addition it supports 4094 active VLANs and 16 million VXLAN (6144 active VXLANs) per switch across 6144 port profiles.
VXLAN control plane: BGP based control plane across multiple virtual switches provide expanded Layer 2 domain footprint that can potentially support nearly 40,000 VMs in a single domain
Increased Resiliency – Supports headless Port bring up where Virtual Machines can be bought up on the host even if VEM is offline i.e. the VSM is not reachable by VEM. Both VSM headful and headless VM vMotion is supported.
Cisco TrustSec 2.0 (Advanced Edition) – Continues to extended Cisco TrustSec solutions for network based segmentation of users and physical workloads, leveraging Security Group Tags (SGT) for defining security segments and SGACL support (Enforcement) and Native(in-line) SGT tagging.
BPDU Guard -- Keeps virtual network safe from misconfigured VLANs and strictly enforces VLAN boundries. It prevents Misconfigured VLAN Rogue devices from flooding the network
Storm Control -- Prevent network disruptions from a broadcast, multicast, or unknown-unicast traffic storm.
Simplified Deployment, upgrade and visibility with Cisco VSUM – Cisco VSUM is a FREE virtual appliance that enables Server and Network administrators to Deploy, Upgrade and Monitor Nexus1000V and to Deploy and Upgrade Cisco AVS from within their vCenter web interface.
Customer Experience -Here’s what one of our Beta customers, Josh Coen says about Cisco VSUM. Josh is a Principal Cloud Architect with Varrow and has been working in the IT industry since 1999, with a heavy focus on virtualization and storage since 2008.
Nexus 1000V has already reached the 10,000 customer milestone with some customers purchasing 1000+ CPU licenses. Nexus 1000V continues to provide the foundation for the most advanced virtual networks by supporting, 1) multiple hypervisor environments, such as VMware vSphere, Microsoft Hyper-V and Openstack KVM 2) the most extensive set of virtual network services, including ASA 1000V Cloud Firewall, distributed zone-based virtual firewall, vWAAS WAN optimization, the Cloud Services Router (CSR) 1000V, Cisco Prime Network Analysis Module (NAM) and advanced service insertion and chaining technology, vPath and 3) a true management control plane that provides greater policy and control features for richer networking functionality.
We’ll be showing a lot of these features this week. Come by our booth and check it out. If you are around #VMworld this week, give us a shout out on twitter using Cisco hash tag #ciscovmw. For those of you that can’t make it out to VMworld, listen to the review of these new features in Ver 3.1 in this webcast.
In case you didn’t notice , the partnership between Citrix and Cisco has been growing nicely over the part 2 years in many areas .
Amongst numerous areas of collaboration here are some common solutions that will be highlighted at the coming conference Citrix Synergy
Cisco Enterprise Mobility solution for business to employee with Citrix XenMobile
Cisco Desktop Virtualization with Citrix Xen Desktop 7.1 on Cisco UCS
Cisco DaaS with Citrix (CloudPlatform or UCS director on UCS)
Cisco’s Citrix NetScaler 1000V (vPath and RISE)
Cisco ACI strategy and how Citrix integrates OpFlex.
The last bullets point, especially the endorsement by Citrix of RISE , the new protocol for Nexus 7000 have been amply covered over the past weeks in blogs from Gary Kinghorn as well as video – You will find links at the bottom of this blogs. But check also Citrix page on Netscaler 1000V.
Cisco and Citrix have been also working diligently to offer the best solutions in terms of mobility . You may want to check this blog from Jonathan Gilad on Cisco strategy and solutions around mobile workplace . Check his recent blog Beyond BYOD to Workspace mobility
vPath, a Cisco innovative technology developed within Cisco Nexus 1000V, has been shipping for more than 2 years, enabling customers to seamlessly create policy-based multi-tenant / multi-container Data Centers across multiple hypervisor environment. Increasingly, customers are implementing network services into their virtualization and cloud networks in order to meet regulatory, security and service levels. To this end we are seeing increased deployments of virtual firewalls, load balancing, routing, WAN optimization & monitoring tools. Cisco’s vPath technology allows customers to deploy these best-in-class network services seamlessly in their Data Center and Cloud deployments. So, what makes vPath so unique in this industry?
#1 -- vPath Powered Service Chaining at a tenant level: For customers to create multi-tenancy architecture today, they have to configure the different network services and manually “stitch” them together for every unique combination. While this method provides the goals for regulatory compliance, security and service levels it often increases application provision time, and does not easily support application mobility. Additionally most applications have to follow the same manually stitched network services.
With Cisco Nexus 1000V vPath technology, the customer’s Data Center becomes very agile by enabling policy based services chaining at the application or tenant level. Customers can create policies and select the L3-7 virtual services appropriate for the application at the time of VM or Tenant creation. These policies are then dynamically instantiated and fulfilled in the Nexus 1000V distributed virtual switch. If the particular application VM moves, the Nexus 1000V network policy moves with it and hence the service chain remains intact.
Figure 1: Policy based dynamic service chaining through vPath
#2 -- vPath enables Distributed Cloud Network Services: As noted in the picture above, vPath controls the packet flow through all Services that are chained for that particular policy. Once the first few packets of the flow is inspected by each Service node, vPath offers the capability to off load flow decisions of the particular Service to the local host such that the subsequent packets of the same flow are locally inspected at the host. Through this mechanism, vPath improves the performance of the particular service since the subsequent packets of the flow are no longer required to be inspected by the individual Service node and hence enabling distributed behavior of the particular service.
Figure 2: Distributed Cloud Network Services through vPath Fast Path Offload
#4 -- vPath to become a standard based Network Services Header: In traditional fashion, Cisco creates innovative solutions to help solve our customer’s IT challenges. Once proven, we offer these technologies such as VXLAN through standards bodies to allow greater interoperability and choice. Recently, vPath header format has been submitted to the IETF as a Network Service Header draft. In the future customers will be able to leverage dynamic policy based services chaining including both virtual and hardware based solutions that support Network Services Header!
To learn more about Cisco Nexus 1000V and Cloud Network Services, please visit our community site. Create a Cloud Lab account and checkout out the vPath in action today!
Lastly, if you are at VMworld, make a point to attend our sessions PHC6409 and NET6380, or stop by at the Cisco booth.
Cisco live is here and the news and awards around the Nexus 1000V cloud networking and services platform just keep rolling in. Last week we announced the Citrix NetScaler 1000V virtual application delivery controller, which will be sold by Cisco. The Microsoft Hyper-V version of Nexus 1000V was officially released this month, and just like its VMware vSphere companion, there is a free version users can download and deploy. On the heels of its release the Nexus 1000V for Microsoft Hyper-V won the Best of Show in the virtualization category at Microsoft’s Tech Ed Conference.
There’s lots of new stuff to talk about Cisco live as well. If you recall, in February I discussed enhancements that Cisco was making in the Nexus 1000V portfolio to eliminate the requirement in VXLAN for IP Multicast. [Those enhancements are now shipping in a new Nexus 1000V release 2.2, full code string 4.2(1)SV2(2.1).] This new version even supports virtual switching for up to 128 hosts and 4096 virtual ports for greater scalability.