1. © 2012 Cisco and/or its affiliates. All rights reserved. 1
Автоматизированое развертывание
виртуализированной инфраструктуры с
интегрированными сетевыми
сервисами на базе Nexus 1000V и VSG
с использованием UCS Director
Виктор Пустошилов
Системный инженер
Cisco
Апрель, 2014

2. © 2012 Cisco and/or its affiliates. All rights reserved. 2
- Cisco UCS Director overview
- Virtual Network Services
• Virtual Network Services and vPath
• Cisco VSG and Nexus 1000v
• Cisco Prime Network Services Controller overview
- Cisco UCS Director: PNSC and VSG Features
• Cisco PNSC Management
• Cisco VSG based Application Container support

3. © 2012 Cisco and/or its affiliates. All rights reserved. 3

4. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 4
Развертывание на
основе политик
vFiler
СХД
Вирт.
машиныСеть Вычислит.
платформа
Безопасные контейнеры
для приложений
Self-Service
Infrastructure
Единая точка
управления
Сквозная
автоматизация
и управление
жизненным
циклом
СХД
Сеть
Вычисления
Tenant
B
Tenant
C
Tenant
A
A B C
Виртуализация
Storage
Manager
B CA
Virtualization
Manager
Network
Manager
Compute
Manager
Storage
Manager

5. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 5
Эксперты
задают политики
Политики
применяются
для создания
профилей
серверов и
конфигураций
LAN, SAN, CХД
2
Nexus 1000v
vSwitch
VI
SME
Storage
SME
Server
SME
Network
SME
Server Policy…
Storage Policy…
Network Policy…
Virtualization Policy…
Application Profiles…
Server Name
UUID, MAC,
WWN
Boot Information
LAN, SAN
Config
Firmware Policy
SAN Zoning
Create and
MAP LUN
Развертывание
физической и
виртуальной сред
3
Система готова к
использованию
4
Имя сервера,
UUID, MAC, WWN,
политика загрузки,
конфигурация
LAN, SAN
прошивки и т.д.
Конфигурация СХД
Конфигурация
виртуальной
инфраструктуры
Конфигурация сети

6. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 6
Портал
самообслуж
ивания
Cloupia
Unified
Infrastructure
Controller
Mul5-­‐tenant
&
integrated
cloud
pla9orm
Консоль
админист
ратора
Dashboard
Виртуальная среда
Amazon,
Rackspace,
…
VMware
Hyper-­‐V
vCenter SCVMM
Интеграция
с внешними
системами
IT
Admins
End
Users
IT
Opera5ons
LDAP,
CMDB,
Metering
DB
Blade
Server
Managers
Network
Manager
Storage
APIs
• Модульная
система
• Открыта
для
интеграции
• Устанавливается
как
appliance
Cisco UCS Director
Integrated Multi-tenant Cloud Platform
Cloupia
Network
Services
Agent
Cloupia
Network
Services
Agent
Cloupia
Network
Services Agent
KVM
Savvis
VPDC,
Terremark,
…
Other
Providers
Физическая среда
«Облака»
Provider
API
Mobile
Devices
Roll-­‐based
Access
RHEVM
Other
Other

7. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 7
NetApp Storage
Virtualization (VMware/
Hyper-V/KVM)
Cisco Nexus
Compute (UCS)
FlexPod
EMC Storage
Virtualization
(VMware/Hyper-V)
Cisco Nexus/MDS
Compute (UCS)
VSPEX
Системы хранения
Сеть
Другие
комбинации
Виртуализация
Одна система UCS Director может управлять
несколькими «интегрированными стеками»
EMC Storage
Virtualization
(VMware)
Cisco Nexus/MDS
Compute (UCS)
Vblock
Серверы
Поддержка CХД Hitachi – в
следующих релизах

8. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 8
UCS Director позволяет из единого окна
решать задачи по конфигурированию
инфраструктуры:
• Cisco UCS: cоздание политик,
профилей, пулов, шаблонов и другие
необходимые для работы задачи
• Дисковые массивы EMC и NetApp:
создание томов и LUN-ов,
регистрация инициаторов, LUN
masking/mapping и пр.
• Сетевое оборудование: создание
VLAN-ов, конфигурация trunk, port-
channel и др.
• Среды виртуализации: управление
кластерами, виртуальными машинами
и др.

9. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 9
Более 400 преднастроенных
шаблонов для управления
различными устройствами:
• Платформа Cisco UCS
• СХД NetApp и EMC
• Сетевое оборудование
• Среды виртуализации
• Служебные задачи –
утверждение заявок, скрипты
и пр.
Создание собственных
сценариев с помощью
«Drag ‘n drop»
UCS Tasks
• Select UCS Server
• Reset UCS Server
• Power On UCS Server
• Power Off UCS Server
• Create UCS Service Profile from Template
• Create UCS Service Profile
• Select UCS Service Profile
• Modify UCS Service Profile Boot Policy
• Delete UCS Service Profile
• Associate UCS Service Profile
• Disassociate UCS Service Profile
• Create UCS Boot Policy
• Modify UCS Boot Policy LUN ID
• Clone UCS Boot Policy
• Modify UCS Boot Policy WWPN
• Add VLAN
• Delete UCS Boot Policy
• Delete UCS VLAN
• Add VLAN to Service Profile
• Add iSCSI vNIC to Service Profile
• Add vNIC to Service Profile
• Delete vNIC from Service Profile
• Create Service Profile iSCSI Boot Policy
• Modify Service Profile Boot Policy to Boot from iSCSI

10. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 10

11. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 11
• Автоматическое
выделение
ресурсов
• Запуск
процесса в один
«клик»
• Контроль всех
операций
Быстрое и
простое
предоставление
ИТ сервисов
Минуты

12. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 12

13. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 13
• Набор ресурсов (сетевых, вычислительных, СХД),
выделяемых пользователю на общей инфраструктуре
ЦОД
• В рамках VDC осуществляется взаимодействие
физических и виртуальных сред
• Выделение ресурсов для VDC как правило
осуществляется на основе политик в рамках POD (Point of
Delivery)
• VDC также может включать выделенные сетевые сервисы
– FW, Load Balancing и тд
• VDC является основой для развертывания
многоуровневых приложений в облаке

14. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 14
• Самостоятельный запрос / получение ресурсов
• Доступ к ресурсам / функционалу на основании профилей
пользователей

15. © 2013 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 15
Self-Service
• Что?
• Как?
• Для кого?
Запрос на сервисАвтоматизация
выполнения запроса на
сервис
Автоматизация
значит:
ü Быстро
ü Целостно
Сеть
Серверы
СХД
«Хочу!»

16. © 2012 Cisco and/or its affiliates. All rights reserved. 16

17. © 2012 Cisco and/or its affiliates. All rights reserved. 17
Сценарий 1: Сервисы на физических устройствах
vPath: VSN Data Path
VM VM VM VM
Физические
Сервисные узлы
Физическая
сеть
Виртуальные
коммутаторы
Плюсы
- Сеть работает, как мы
привыкли. Старые-добрые
ASA, FWSM J
- Выделенные
производительные
системы для сервисных
задач
Минусы
- Физические устройства
ничего не знают о
виртуализации
- Трафик ходит
извилистыми путями

18. © 2012 Cisco and/or its affiliates. All rights reserved. 18
Сценарий 2: Сервисы на отдельных виртуальных машинах
vPath: VSN Data Path
VM VM VM VM
Виртуальные
Сервисные узлы
Физическая
сеть
Виртуальные
коммутаторы
Плюсы
- VSN управляются из общей
среды виртуализации
- Выделенные системы для
сервисных задач
- Виртуальные узлы легко
создавать и удалять
- Снижение стоимости
- Меньше проблем с
логистикой
VSN
VSN

19. © 2012 Cisco and/or its affiliates. All rights reserved. 19
Cisco Cloud Network Services (CNS)
Multi-Hypervisor
(VMware, Microsoft,
RedHat*)
Nexus 1000V vPath
Virtual
Security
Gateway
Cloud Services
Router 1000V
Prime
virtual
NAM
ASA
1000V
Virtual
WAAS
Citrix
NetScaler
1000V
Imperva
SecureSphere
WAF
Nexus 1000V
(Dist. Virtual Switch)
• Distributed
switch
• NX-OS
consistency
VSG
(Zone-based FW)
• VM-level
controls
• Zone-based
FW
ASA 1000V
(Cloud FW)
• Edge firewall,
VPN
• Protocol
Inspection
vWAAS
(WAN Optimization)
• WAN
optimization
• Application
traffic
CSR 1000V
(Cloud Router)
• WAN L3
gateway
• Routing and
VPN
Partner
Services
• Citrix NetScaler
1000V virtual ADC
• Imperva Web App.
FW
vNAM
(Network Analytics)
• App Visibility (L2-
L7)
• Overlay Intelligence
(OTV, VXLAN,
FP**)
• Широкий набор сервисов
• Технология vPath для traffic stearing
• Мультигипервизорная платформа

20. © 2012 Cisco and/or its affiliates. All rights reserved. 20
• Виртуальная машина на
каждом хосте,
использующая API
гипервизора для перехвата
трафика
Гипервизор
VM VM VSN
• Виртуальная машина на несколько
хостов, использующая распределенный
коммутатор для перехвата трафика
Гипервизор
VM VM VM
Гипервизор
VM VM VM
Гипервизор
VM VM VSN
vSwitch
vSwitchvSwitch
Гипервизор
VM VM VSN
Гипервизор
VM VM VSN

21. © 2012 Cisco and/or its affiliates. All rights reserved. 21
Архитектура для интеграции виртуальных сервисов
• Пакет перенаправляется на VSN
• VSN принимает решение об обработке пакета
• Правило по обработке пакета устанавливается в VEM
Nexus
1000V
VEM
Nexus
1000V
VEM
VM VM VM VM VM VM VM VSN VSN VSNVSN
vPath vPath vPath
Nexus
1000V
VEM

22. © 2012 Cisco and/or its affiliates. All rights reserved. 22
Production VMs Virtual Service Nodes
Виртуальные сервисы + VPath
Nexus
1000V
VEM
Nexus
1000V
VEM
Nexus
1000V
VEM
VM VM VM VM VM VM VM VSN VSN VSNVSN
vPath vPathvPath
Трафик обрабатывается локально
Вычислительные ресурсы тратятся экономно
Требуется меньше VSN

23. © 2012 Cisco and/or its affiliates. All rights reserved. 23

24. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 24
vCenter
Port ProfileVM
Context
Security Profile
24
Серверный
администратор
Среда управления
VSM
Среда управления
Сетевой
администратор
Объекты управления
VM VM VM
Объекты управления
Администратор ИБ
Средство управления Средство управления
PNSC
Среда управления
Объекты управления
Средство управления

25. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 25
Сетевой администратор регистрирует VSN на Nexus 1000v
VSM(config)# vservice node vsg1 type vsg
VSM(config-vservice-node)# ip address 192.168.21.9
VSM(config-vservice-node)# adjacency l2 vlan 21
VSM(config)# port-profile WevSrv
VSM(config-port-prof)# vservice node vsg-tenant1 profile Web-Sec-profile
VSM(config-port-prof)# end
Сетевой администратор добавляет профиль безопасности
к профилю порта
Администратор ИБ добавляет профиль безопасности

26. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 26
Обработка трафика с VPath
Nexus 1000V
Distributed Virtual Switch
VM VM VM
VM VM
VM
VM VM VM
VM
VM
VM VM VM
VM VM VMVM
VM
vPath
PNSC
Log/Audit
Первый пакет
сессиии
VSG
Проверка политики
безопасности
Установка
правила

27. © 2010 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 27
Performance Acceleration with vPath
Nexus 1000V
Distributed Virtual Switch
VM VM VM
VM VM
VM
VM VM VM
VM
VM
VM VM VM
VM VM VMVM
VM
vPath
Оставшиеся
пакеты потока
Политика загружена
на Nexus 1000v
PNSC
Log/Audit
VSG

28. Cisco Confidential© 2010 Cisco and/or its affiliates. All rights reserved. 28

29. © 2014 Cisco and/or its affiliates. All rights reserved. 29
• Address cloud management networking challenges
– Network virtualization
– New operational models
– Multitenancy
• Virtual and physical services support
• Hybrid cloud management
• Multivendor, multiplatform, multiservice
• Ecosystem – integration point to northbound management and
orchestration systems
• SDK
– Infrastructure to support third-party network services
– Increased feature customization and velocity
DHCP
NAT
DNS
IPSec
VPN
Fire-
wall
Virtualization
ACL OSPF
StaticEIGRP
LB
BGP
IKE

30. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 30
Amazon
Azure
Terremark
Cisco Intelligent Automation for
Cloud
Cisco UCS Director
N1KV
InterCloud
VSG (Zone-
Based
Firewall)
Virtual
ASA(Edge
Firewall)
CSR1000V
(L3 Router)
Third-Party
Load
Balancers
(VPX)
Image
Management
Policy
Management
Service
Configuration
System
Administration
License
Management
Cisco Prime Network Services Controller
Service
Chaining
Config Archive VM Lifecycle Change Audit Monitoring
Single API
IP Address
Management
Capacity
Management
Performance
Management
vSphere HyperV KVM Xen
Multi-Hypervisor
OpenStack CloudStack
BMC CLM Other
Policy Driven, Template Based
3rd Party
vSwitch
Nexus 1000v

31. © 2011 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 31
Tenant
Virtual Datacenter
Tier
• Up to 5 levels can be created in the Org hierarchy
• Configuration Objects can be attached at any level
• Segregate VMs and Scales to SP grade
Universe
DC1 DC2
T2
root
Z2Z1
T2T1
T1
Zone
vApp across levels …etc

32. © 2012 Cisco and/or its affiliates. All rights reserved. 32

33. © 2012 Cisco and/or its affiliates. All rights reserved. 33
- PNSC Management
• Add PNSC account
• Collect PNSC inventory and provide inventory reports
• Actions and workflow task support
- VSG based Application Container support
• Integrate VSG into existing Applications Containers

34. © 2012 Cisco and/or its affiliates. All rights reserved. 34
- PNSC Account management involves
1. Add PNSC account
2. Collect PNSC object inventory
3. Provide PNSC object inventory reports
4. Support PNSC object actions
5. Support for PNSC object workflow tasks

35. © 2012 Cisco and/or its affiliates. All rights reserved. 35
Administration -> Physical Account

36. © 2012 Cisco and/or its affiliates. All rights reserved. 36
Physical -> Network -> Network Accounts
The PNSC accounts added will be visible in this location.

37. © 2012 Cisco and/or its affiliates. All rights reserved. 37
Drilldown into PNSC account to view the inventory reports.

38. © 2012 Cisco and/or its affiliates. All rights reserved. 38
Tenants Report
• Select a Tenant to see the supported actions on the tenant

39. © 2012 Cisco and/or its affiliates. All rights reserved. 39
vDCs

40. © 2012 Cisco and/or its affiliates. All rights reserved. 40
VM Mangers

41. © 2012 Cisco and/or its affiliates. All rights reserved. 41
Clients

42. © 2012 Cisco and/or its affiliates. All rights reserved. 42
Drilldown vDC to see the vDC child objects.
Like Compute Firewall, Zones, Compute Security Profile, ACL Policy
Sets & ACL Policies.

43. © 2012 Cisco and/or its affiliates. All rights reserved. 43
Drilldown the Zone to see the Zone conditions configured for the Zone.

44. © 2012 Cisco and/or its affiliates. All rights reserved. 44
Drilldown ACL Policy to see the ACL Rules configured for the ACL
Policy

45. © 2012 Cisco and/or its affiliates. All rights reserved. 45
The PNSC supported workflow tasks can be found at
Physical Network Tasks -> PNSC Tasks

46. © 2012 Cisco and/or its affiliates. All rights reserved. 46

47. ©
2013
Cisco
and/or
its
affiliates.
All
rights
reserved.
Cisco
Confiden<al
47
Firewall
GW
(Firewall)
Public /
External
Network
Application Container
Network-1
10.10.10.x
Network-2
10.10.20.x
VM-nVM-1

48. ©
2013
Cisco
and/or
its
affiliates.
All
rights
reserved.
Cisco
Confiden<al
48
Application Container
Network-1
10.10.10.x
Network-2
10.10.20.x
VM-nVM-1
Public /
External
Network
Firewall
GW
(Firewall)

49. © 2012 Cisco and/or its affiliates. All rights reserved. 49
PNSC
UCS
Director

50. © 2012 Cisco and/or its affiliates. All rights reserved. 50
- VSG Integration into Applications Container
• Upload OVA file into UCSD (One time task)
• Create PNSC Firewall policy
• Create Physical Infrastructure policy
• Create Application Container template
Application Container Template
Physical Infrastructure Policy
External Gateway
Configuration
PNSC Firewall
policy

51. © 2012 Cisco and/or its affiliates. All rights reserved. 51
Physical
Infrastructure Policy
Inputs:
• Container Type (VSG)
• PNSC Account
• Physical Account
• PNSC FW Policy
• External GW
Application
Container Template
Inputs:
• Compute Policy
• Storage Policy
• Network Policy
• Cost Model
Container
InstancesContainer
Instances
PNSC FW Policy
Inputs:
• PNSC Account
• Zones
• ACLs
• VSG details,
Template

52. © 2012 Cisco and/or its affiliates. All rights reserved. 52
- Upload OVA file into UCSD
• Administration -> Integration -> Upload Files

53. © 2012 Cisco and/or its affiliates. All rights reserved. 53
- Create PNSC Firewall policyPhysical -> Network -> Network
Accounts -> PNSC Firewall Policy

54. © 2012 Cisco and/or its affiliates. All rights reserved. 54
- Create PNSC Firewall policy
• Physical -> Network -> Network Accounts -> PNSC Firewall Policy
Add Zones

55. © 2012 Cisco and/or its affiliates. All rights reserved. 55
- Create PNSC Firewall policy
• Physical -> Network -> Network Accounts -> PNSC Firewall Policy
Add ACL Rules

56. © 2012 Cisco and/or its affiliates. All rights reserved. 56
- Create PNSC Firewall policy
• Physical -> Network -> Network Accounts -> PNSC Firewall Policy
VSG Configuration

57. © 2012 Cisco and/or its affiliates. All rights reserved. 57
- Create Physical Infrastructure Policy
• Policies -> Application Containers -> Physical Infrastructure Policies
Provide container type and select Physical account

58. © 2012 Cisco and/or its affiliates. All rights reserved. 58
- Create Physical Infrastructure Policy
• Policies -> Application Containers -> Physical Infrastructure Policies
Provide the PNSC account and PNSC Firewall policy

59. © 2012 Cisco and/or its affiliates. All rights reserved. 59
- Create Physical Infrastructure Policy
• Policies -> Application Containers -> Physical Infrastructure Policies
Provide the External Gateway configuration

60. © 2012 Cisco and/or its affiliates. All rights reserved. 60
- Create Application Template
• Policies -> Application Containers -> Application Container Template
Template details

61. © 2012 Cisco and/or its affiliates. All rights reserved. 61
- Create Application Template
• Policies -> Application Containers -> Application Container Template
Physical Infrastructure policy selection

62. © 2012 Cisco and/or its affiliates. All rights reserved. 62
- Create Application Template
• Policies -> Application Containers -> Application Container Template
Gateway Internal network configuration. Only one network for VSG
Containers

63. © 2012 Cisco and/or its affiliates. All rights reserved. 63
- Create Application Template
• Policies -> Application Containers -> Application Container Template
Gateway VM Configuration

64. © 2012 Cisco and/or its affiliates. All rights reserved. 64
- Create Application Template
• Policies -> Application Containers -> Application Container Template
External Gateway security rules

65. © 2012 Cisco and/or its affiliates. All rights reserved. 65
- Create Application Template
• Policies -> Application Containers -> Application Container Template
UCSD Policies

66. © 2012 Cisco and/or its affiliates. All rights reserved. 66
- Create Application Template
• Policies -> Application Containers -> Application Container Template
Container Options

67. © 2012 Cisco and/or its affiliates. All rights reserved. 67
- Create Application Template
• Policies -> Application Containers -> Application Container Template
Container Setup Workflow selection

68. Спасибо!