IaaS Architecture
BRKDCT-2078_c1
2010 Cisco and/or its affiliates. All rights reserved. Cisco Public

Slide 2: Housekeeping
Session housekeeping: complete the online session evaluations after each session and the overall conference evaluation (available online from Thursday); visit the World of Solutions; this is a non-smoking venue; switch off mobile phones; use the recycling bins provided; wear your badge at all times, including at the party.

Slide 3: What We'll Cover
- Evolution of Cloud Computing
- IaaS Architecture
  - Infrastructure & Virtualization
  - Orchestration Framework
- IaaS Architecture Security
  - Infrastructure Security
  - Virtual Machine Security
- Summary

Slides 4-9: Journey Towards Cloud
One diagram built up over six slides. Stages of the journey: Consolidation -> Virtualization -> Automation -> Utility -> Cloud (Enterprise Cloud, then Inter-Cloud). Enabling technologies along the way: Data Center Networking, Unified Fabric, Unified Computing. What each stage buys: HW Freedom, Provisioning Freedom, Location Freedom.

Slide 10: What Is Cloud Computing?
"A model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction." (Cloud computing definition by NIST, the National Institute of Standards and Technology.)

Slide 11: Phased Evolution of Cloud
Standalone/private clouds (internal, on-premise) -> public clouds (external, off-premise) -> Inter-Cloud.

Slide 12: Cloud Service Delivery Models
Software as a Service (application), Platform as a Service and Infrastructure as a Service, all built on the IT foundation. Cisco's focus is Infrastructure as a Service.

Slide 13: Cloud Infrastructure as a Service
The capability provided to the business (customer) to rent processing, storage, networks and other fundamental computing resources, where the business is able to deploy and run arbitrary software, which can include operating systems and applications.

Slide 14: IaaS Security Challenges
- Shared resources: network infrastructure, compute resources, storage
- Data governance
- Compliance
- Reliability
- Management and monitoring
- Identity management

Slide 15: What We'll Cover (agenda repeated; next section: IaaS Architecture)

Slide 16: What Is Cloud IaaS Architecture?
Diagram: an orchestration, operations and management architecture for Cloud IaaS that matches end-user demand with infrastructure supply.
- Supply side (virtualized data center architecture): Core and WAN; L2 Aggregation and Services; L2 Access; L2 Virtual Access; Network, Storage and Compute; Applications (1 to n, and n+1 to n+m as the environment grows).
- Management side: People, Process, Quality Management, Cost Management, CMDB, Infrastructure Management, Service Delivery, SLA Management, Tools, Management Dashboard, Chargeback, Customer Portal, Cloud Service Orchestration.

Slide 17: What We'll Cover (agenda repeated; next section: Infrastructure & Virtualization)
Slide 18: IaaS Infrastructure and Virtualization
Virtualization is the catalyst that enables IaaS. Virtualization technologies by layer:
- Core layer: VDC, VRF
- Aggregation/Services layer: vPC, VSS, virtual contexts
- Access layer: hypervisor, Nexus 1000V, Unified Computing System (UCS)

Slide 19: IaaS Virtualization Building Blocks
- Device pooling (many devices to one): primary use case is maximum availability and density; reduces the management plane. Examples: VSS, vPC, GSLB, FHRP. (Diagram: Switch 1 + Switch 2 presented as a single logical switch.)
- Virtualized interconnect (multiple wires within a wire): primary use case is link consolidation with logical tenant isolation. Examples: 802.1Q, VPN, MPLS, Unified I/O (FCoE).
- Device partitioning (one device to many): primary use case is infrastructure reduction; increases service agility and flexibility and improves asset utilization. Examples: VLAN, VRF, VSAN, VDC, firewall context, load-balancer context, hypervisor.

Slide 20: IaaS Virtualization, Core Layer: Virtual Device Context (VDC)
VDC is key to maximizing resource utilization while providing strong security and software fault isolation via logical device partitioning.
- Software separation: software fault-isolation domains, addressing domains, service-differentiation domains, management domains, resource allocation, security domains.
- Hardware separation: individual physical ports (Layer 2 or Layer 3), port channels, entire linecards.
- Shared resources: software infrastructure, kernel, power supplies, fans, chassis.
Diagram (Cisco Nexus 7000): VDC 1, VDC 2 ... VDC n, each with its own instances of the Layer 2 protocols (VLAN manager, STP, UDLD, CDP, 802.1Q, IGMP snooping, LACP) and Layer 3 protocols (OSPF, BGP, MSDP, GLBP, HSRP, VRRP, PIM, SCH, SNMP) and its own RIB (RIB 1 ... RIB n), all above a shared protocol stack (IPv4 / IPv6 / L2).

Slide 21: VDC Use Case: Security Partitioning
- Some infosec departments are still reluctant to accept collapsed infrastructure: concerns around change management, and the fear that an infrastructure misconfiguration could bypass policies. Ideally they want physically separate infrastructure, which is not cost-effective in larger deployments.
- VDC provides logical separation that simulates an air gap. In the appliance model and in the service module model alike, an Outside VDC and an Inside VDC sit on either side of the firewall, so the only path between them is through the firewall. The possibility of a configuration change bypassing the security path is extremely low; it would have to be physically bypassed.
- The model can be applied to any data center service.

Slide 22: IaaS Virtualization, Core Layer: Virtual Routing and Forwarding (VRF)
VRF allows multiple instances of a routing table to co-exist within the same router. Because the routing instances are independent, they play a crucial role in the end-to-end separation of tenant traffic flows in a multi-tenant environment. (Diagram: each VRF has its own IP switching instance and is reached through its own SVI or 802.1Q sub-interface at Layer 3.)

Slide 23: IaaS Virtualization, Aggregation Layer
Diagram of the reference topology. Core: Nexus 7000 toward the IP+MPLS WAN. Aggregation: Nexus 7000 10GbE aggregation, or Catalyst 6500 10GbE VSS aggregation providing DC services either as embedded service modules or as one-arm service switches. Access: end-of-row and top-of-rack (ToR) switches, ToR FCoE, blade servers with FCoE. SAN/storage on an FC SAN fabric. Link types shown: Gigabit Ethernet, 10 Gigabit Ethernet, 10 Gigabit DCE, 4/8 Gb Fibre Channel, 10 Gigabit FCoE/DCE.
Slide 24: IaaS Aggregation Layer, High Availability Services: Virtual Port Channel (vPC)
- Allows a single device to use a port channel across two upstream switches; the two remain separate physical switches with independent control and data planes.
- Eliminates STP blocked ports and uses all available uplink bandwidth.
- Dual-homed servers operate in active-active mode.
- Provides fast convergence upon link or device failure.
- Active/active Layer 3 core routing; efficient use of Layer 3 core links.
(Diagram: logical topology without vPC versus logical topology with vPC.)

Slide 25: IaaS Aggregation Layer, High Availability Services: Virtual Switching System (VSS)
Two physical Catalyst 6500 switches joined via a special link called the Virtual Switch Link (VSL), running special hardware and software that allows the two switches to operate as a single logical switch, providing high availability for security services.
- A VSS-based services chassis together with vPC at the aggregation layer provides high availability and aggregated throughput.
- Highly available services layer with firewall, load balancing and IPS for non-stop security.
- Integrated security with DHCP snooping, Dynamic ARP Inspection and IP Source Guard.
Diagram: Switch 1 + Switch 2 form one virtual switch domain across the VSL. Switch 1 runs the active control plane and an active data plane; Switch 2 runs a hot-standby control plane and an active data plane.

Slide 26: IaaS Aggregation Layer, Security Services: VSS
Diagram: Switch-1 (VSS active: data plane active, control plane active) hosts the active ACE and the standby FWSM; Switch-2 (VSS standby: data plane active, control plane hot standby) hosts the standby ACE and the active FWSM. The VSL carries the failover/state-sync VLAN between the two.

Slide 27: IaaS Virtualized Services, Security Services Use Case
Diagram of per-business-unit service chains: front-end VRFs (on the MSFC) -> firewall contexts -> ACE contexts -> back-end VRFs (on the MSFC) -> server-side VLANs. Each business unit BU-1 to BU-4 gets its own front-end VRF, firewall context (1-4), ACE context (1-4), back-end VRF and server-side VLANs; the VLAN numbering in the diagram follows the pattern vN / v10N / v20N per BU (for example v7, v107, v207 for BU-3), with BU-4 fanning out to server VLANs v2081, v2082, v2083, ...

Slide 28: IaaS Virtual Access Layer, Server Virtualization: DC Server Consolidation
Before virtualization (one application per server on x86: CPU, memory, NIC, disk): a single OS image per machine; software and hardware tightly coupled; running multiple applications on the same machine often creates conflicts; inflexible and costly infrastructure.
After virtualization (many applications per server, with the VMware virtualization layer between the x86 hardware and the OS/application images): hardware independence of operating systems and appliances; virtual machines can be provisioned to any system; OS and application can be managed as a single unit by encapsulating them into a virtual machine.
Value proposition: reduced power and cooling, reduced management, rapid deployment and agility, increased availability, reduced rack space, reduced CAPEX, reduced OPEX.

Slide 29: Server Virtualization, Network Challenges
- Security and policy enforcement: applied at the physical server, not the individual VM; impossible to enforce policy for VMs in motion.
- Operations and management: lack of VM visibility, accountability and consistency; inefficient management model and inability to troubleshoot effectively.
- Organizational structure: muddled ownership, as the server admin must configure the virtual network; organizational redundancy creates compliance challenges.

Slide 30: Server Virtualization, VN-Link
Problems:
- VMotion may move VMs across physical ports; security policies must follow.
- Impossible to view or apply security policies to locally switched traffic (VM-to-VM on the same host never reaches the physical switch).
- Security risk: traffic on a physical link cannot be correlated back to the individual VMs that share it (in the diagram, several VMs share VLAN 101 on one uplink).
VN-Link extends the network to the VM: consistent services, coordinated and coherent management.

Slide 31: Server Virtualization, Nexus 1000V
- Virtual Supervisor Module (VSM): control plane for the VEMs and the central point for policy enforcement; can be deployed as an HA pair for availability.
- Virtual Ethernet Module (VEM): enables advanced networking capability on the hypervisor (one VEM per vSphere host); a collection of VEMs forms one distributed virtual switch, integrated with vCenter.
Benefits: policy-based VM connectivity; mobility of network and security properties; non-disruptive operational model.

Slide 32: Nexus 1000V Virtual Chassis
The VSMs and VEMs appear as modules of one virtual chassis (in the diagram, one VEM hosts VM1-VM4 and another hosts VM5-VM8):

  prod-vsm# show module
  Mod  Ports  Module-Type                 Model        Status
  1    0      Virtual Supervisor Module   Nexus1000V   active *
  2    0      Virtual Supervisor Module   Nexus1000V   ha-standby
  3    248    Virtual Ethernet Module     NA           ok
Slide 33: IaaS Virtual Access Layer, Unified Computing System
Feature callouts: secure management with UCS Manager; stateless computing with service profiles, resource pools, QoS and role-based access control; unified fabric (FCoE); virtualized adapter (M81KR); extended-memory blades (B250 M1).
What UCS Manager configures at each component:
- Cisco UCS 6100 Series Fabric Interconnects: uplink port configuration, pinning, VLAN, VSAN, QoS and EtherChannels; VN-Link virtual ports that link virtual Ethernet and Fibre Channel links to the switch; server port configuration including Cisco DCE and FCoE settings.
- Cisco UCS 2100 Series Fabric Extenders: configuration is implicit, derived from the server slot chosen during service profile association and from the physical connectivity between the fabric extender and the fabric interconnect.
- Cisco UCS network adapters: NIC configuration (MAC address, VLAN, QoS settings), HBA configuration (WWNs, VSANs, bandwidth constraints) and firmware revisions.
- Cisco UCS B-Series blade servers: UUID, firmware revisions and RAID controller settings; the blade is specified explicitly by slot or by pool membership; OS provisioning and patching is done through higher-level software.

Slide 34: Secure Management, UCS Manager
- Single point of device management: adapters, blades, chassis, LAN and SAN connectivity.
- Embedded manager with GUI and CLI.
- Standard APIs for systems management: XML, SMASH-CLP, WS-MAN, IPMI, SNMP; an SDK for commercial and custom implementations, so custom portals and systems-management software sit on the UCS Manager XML API alongside the GUI and CLI.
- Designed for multi-tenancy: RBAC, organizations, pools and policies.

Slide 35: Stateless Computing, Service Profiles
- Separate firmware, addresses and parameter settings from the server hardware: physical servers become interchangeable hardware components, and it is easy to move OS and applications across server hardware.
- State abstracted from the hardware: LAN connectivity (MAC address, NIC firmware, NIC settings); SAN connectivity (WWN address, HBA firmware, HBA settings); OS and application (BMC firmware, drive controller firmware, drive firmware); identity and boot (UUID, BIOS firmware, BIOS settings, boot order).
- Example in the diagram: a profile with UUID 56 4d cd 3f 59 5b, MAC 08:00:69:02:01:FC, WWN 5080020000075740 and boot order SAN, LAN is associated first with Chassis-1/Blade-2 and later with Chassis-8/Blade-5, keeping the same LAN and SAN identity.

Slide 36: UCS Role-Based Access Control
- Hierarchical model: roles, users, resources, actions, privileges, locales.
- Resource pools are assigned to groups within the hierarchy; groups control and manage their own resources.
- Role-based access: access is limited to authorized groups and resources; policies can be applied at the granularity of a group within the organization.
Diagram: Company -> HR and Finance, each with its own policies; the network-management pools are split per group (Finance MAC pool and Finance blades; HR WWN pool and HR blades).
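The two slides above describe two mechanisms that work together: identities (UUID, MAC, WWN) live in the service profile rather than in the blade, and the RBAC model scopes who may draw from which pool. The following Python model is an added illustration, not UCS Manager code or its XML API; the org names, pool contents, privilege name "server-profile" and the rule that a pool is visible only to its own org and sub-orgs are assumptions made for the example (the inheritance rule mirrors the slide's per-group pools, but the class names are invented here).

```python
"""UCS-style RBAC (organizations, locales, privileges) and identity pools, with a stateless
service profile whose identities survive a move between blades (slides 35-36).
Added example; the classes and rules are a simplification, not the UCS Manager API."""
from dataclasses import dataclass
from typing import List, Optional, Set

class Denied(Exception):
    pass

@dataclass
class Org:
    name: str
    parent: Optional["Org"] = None
    def lineage(self) -> List[str]:
        """This org and its ancestors: pools and policies defined there are inherited."""
        names, org = [], self
        while org is not None:
            names.append(org.name)
            org = org.parent
        return names

@dataclass
class Pool:
    name: str
    org: Org
    kind: str            # 'uuid', 'mac', 'wwn' or 'blade'
    free: List[str]

@dataclass
class User:
    name: str
    privileges: Set[str]
    locale: Set[str]     # org names the user may act in (their sub-orgs included)

@dataclass
class ServiceProfile:
    name: str
    org: Org
    uuid: str
    mac: str
    wwn: str
    blade: Optional[str] = None

def check_rbac(user: User, org: Org, privilege: str) -> None:
    if privilege not in user.privileges:
        raise Denied(f"{user.name} lacks privilege {privilege}")
    if not user.locale & set(org.lineage()):
        raise Denied(f"{user.name} may not act in org {org.name}")

def take(pool: Pool, org: Org, kind: str) -> str:
    """A pool is visible to its own org and its sub-orgs, never to a sibling org."""
    if pool.kind != kind or pool.org.name not in org.lineage():
        raise Denied(f"pool {pool.name} ({pool.org.name}) is not visible to org {org.name}")
    if not pool.free:
        raise Denied(f"pool {pool.name} exhausted")
    return pool.free.pop(0)

def create_profile(user, name, org, uuid_pool, mac_pool, wwn_pool) -> ServiceProfile:
    check_rbac(user, org, "server-profile")
    return ServiceProfile(name, org, take(uuid_pool, org, "uuid"),
                          take(mac_pool, org, "mac"), take(wwn_pool, org, "wwn"))

def associate(user, profile: ServiceProfile, blades: Pool) -> str:
    """Bind the profile to a free blade; re-binding releases the old blade. UUID, MAC and WWN
    belong to the profile, so the OS sees the same identity on the new hardware."""
    check_rbac(user, profile.org, "server-profile")
    new_blade = take(blades, profile.org, "blade")
    if profile.blade is not None:
        blades.free.append(profile.blade)
    profile.blade = new_blade
    return new_blade

def scenario():
    """Constructed org tree, pools and identities (made-up values, not real assignments)."""
    root = Org("root")
    finance, hr = Org("Finance", root), Org("HR", root)
    fin_uuid = Pool("fin-uuid", finance, "uuid", ["564dcd3f-595b-4f01-0000-000000000001"])
    fin_mac = Pool("fin-mac", finance, "mac", ["08:00:69:02:01:FC"])
    fin_wwn = Pool("fin-wwn", finance, "wwn", ["50:80:02:00:00:07:57:40"])
    hr_wwn = Pool("hr-wwn", hr, "wwn", ["50:80:02:00:00:07:57:99"])
    fin_blades = Pool("fin-blades", finance, "blade", ["chassis-1/blade-2", "chassis-8/blade-5"])
    fin_admin = User("fin-admin", {"server-profile"}, {"Finance"})
    hr_admin = User("hr-admin", {"server-profile"}, {"HR"})
    out = {}
    profile = create_profile(fin_admin, "fin-web-01", finance, fin_uuid, fin_mac, fin_wwn)
    identity = (profile.uuid, profile.mac, profile.wwn)
    out["first_blade"] = associate(fin_admin, profile, fin_blades)
    out["second_blade"] = associate(fin_admin, profile, fin_blades)   # hardware swap
    out["identity_unchanged"] = (profile.uuid, profile.mac, profile.wwn) == identity
    attempts = {"hr_pool_from_finance": lambda: take(hr_wwn, finance, "wwn"),
                "hr_admin_in_finance": lambda: associate(hr_admin, profile, fin_blades)}
    for key, action in attempts.items():
        try:
            action()
            out[key] = "allowed"
        except Denied:
            out[key] = "denied"
    return out
```

The two denied attempts at the end are the security property the slide is after: a Finance profile cannot consume HR's WWN pool even though both live under the same company, and an HR administrator cannot re-associate a Finance profile, because the locale check runs before any pool is touched.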
Slide 37: IaaS Infrastructure & Virtualization, End-to-End
Layers from the application down to the WAN edge, with the technologies at each:
- Application software: WWW applications (application to HW/VM).
- Virtual machine: hypervisor, VMs (VM to vSwitch).
- Virtual access: virtual access layer, DVS (vSwitch to HW).
- Storage and SAN: SAN fabric, storage arrays (4G FC, 10G FCoE).
- Virtual compute: UCS Manager, stateless server provisioning, FCoE.
- Access: Unified I/O, FCoE, fabric services (1G Ethernet, 10G Ethernet, 10G FCoE).
- Aggregation/services: services (LB, FW, IPS, SSL, VPN), VSS, vPC, VLANs; WAAS, AXG, AVS.
- Core: VDC, VRFs, VLANs, global load balancing (GSS, GSLB cluster).
- WAN edge: Internet edge, MPLS; reaching the Internet, the IP-NGN, partners and the World Wide Web.

Slide 38: What We'll Cover (agenda repeated; next section: Orchestration Framework)

Slide 39: IaaS Orchestration Framework
Reference diagram, reused as the backdrop for slides 40-48:
- Technology architecture: network, storage, compute, end-to-end security; infrastructure architecture abstraction (includes EMS and domain managers); CMDB holding the service catalogue, asset inventory and mappings/relationships; human resources.
- Infrastructure management: capacity planning; performance (compute, network, storage usage); HW/SW management; commission/decommission; problem detection and RCA; facilities usage; maintenance/availability windows; audits; enablement (on/off); security and governance.
- Service delivery: optimization; selection (SDLC/BCP); allocate/entitlement; quality; cost; SLA; RTO/RPO; CAPEX/OPEX (time unit: hours); penalties; operations; fulfillment; assurance; metering and billing; commitment.
- Service management, facing the end user: customer portal, scheduling, ordering, price management, dashboard (financial, quality, SLA).
- Service orchestration ties the three together.

Slides 40-48: Provisioning walkthrough on the framework diagram
1. (Slide 40) The user logs onto the self-service portal.
2. (Slide 41) Allocate/Entitlement performs customer credential verification: an existing user presents login/password; a new user provides login/password, credit card, address, etc. Once the user is verified, the customer portal is updated.
3. (Slide 42) Based on the customer's entitlement, the service catalog selects a subset of services and verifies it with capacity planning.
4. (Slide 43) Capacity planning accesses the asset inventory (CMDB) to verify that the service can be met; the subset of services is presented at the customer portal for selection.
5. (Slide 44) The end user selects the services needed, which triggers a message to Selection for resource reservation.
6. (Slide 45) Selection (SDLC/BCP) reserves the resources: the resources are marked reserved in the asset inventory, and a new service request is opened in Commission/Decommission.
7. (Slide 46) Commission/Decommission triggers the domain controllers for individual domain provisioning.
8. (Slide 47) Network provisioning: UCS Manager for network parameters (VLAN, QoS, traffic, adapters, FEX uplinks, SpringField uplinks: pinning, VLAN, trunking); DNS for IP/FQDN; ACE for load balancing (mapping of real servers to the VIP); FWSM/ASA for the firewall (ACLs, ports, IPs); WAAS at the customer site (an exception that triggers capacity activation). Network provisioning sends a completion notification to Commission/Decommission.
   Storage provisioning: UCS Manager for storage parameters (VSAN, FC speed, adapters/HBA, FEX uplinks, SpringField uplinks: NPV/switching, pinning, VSAN, trunking); core SAN configuration (VSAN, LUNs); provisioning of the backup infrastructure (snapshot to storage). Storage provisioning sends a completion notification to Commission/Decommission.
9. (Slide 48) Compute provisioning (BladeLogic, UCS Manager): BladeLogic creates or clones the customer service profile (UUID, MAC, IP/subnet, WWN, VLAN, adapter properties, VSAN, boot policy), selects a blade from the available pool and binds the profile to it; UCS Manager boots the blade; the OS image is deployed with standard tools (Altiris, ADS, HP-SAS, BladeLogic provisioning).

Slide 49: What We'll Cover (agenda repeated; next section: IaaS Architecture Security)

Slide 50: Security Zones
- Infrastructure zone: the most secure zone, with provider access only. Covers network, compute, storage and management. End-user instances should not have direct access to the infrastructure.
- Inter-tenant zone: a secure zone, authorized to tenants and providers. The tenants in the multi-tenant cloud (customers, business units and other tenants) share the same physical infrastructure and should be isolated from one another.
- Intra-tenant zone: sub-security zones for a given tenant, e.g. security groupings such as presentation layer, application layer and database layer; tiered levels of security and the associated services are available from the catalog.
- External zone: external to the cloud; public, user community, open, no security. Controls should be in place to protect the cloud against external threats.
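Slides 40-48 are the steps of one procedure, and the security-relevant points are where it refuses to proceed: the catalog is filtered by entitlement before the user sees it, nothing is provisioned until capacity is confirmed and reserved in the inventory, and a failed domain must release the reservation rather than leave the CMDB claiming resources that were never delivered. The following Python walk-through is an added example, not Cisco's orchestration code or a real workflow engine; the catalog contents, tier names, resource units, the credential store and the three domain callbacks are all constructed for the example.

```python
"""Walk-through of the slide 40-48 order flow: credential verification, entitlement-filtered
catalog, capacity check against the asset inventory (CMDB), reservation, commission request and
per-domain provisioning with completion notifications, plus the failure path (undo completed
domains and release the reservation). Added example with constructed data; not Cisco code."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed catalog: service -> resources consumed, and tier -> services that tier may order.
CATALOG = {"web-vm": {"compute": 1, "storage_gb": 40, "vlan": 1},
           "db-vm": {"compute": 2, "storage_gb": 200, "vlan": 1},
           "lb-vip": {"compute": 0, "storage_gb": 0, "vlan": 0}}
ENTITLEMENT = {"silver": {"web-vm"}, "gold": {"web-vm", "db-vm", "lb-vip"}}
DIRECTORY = {"alice": "s3cret-constructed"}        # stand-in for the credential store

@dataclass
class Inventory:
    capacity: Dict[str, int]
    reserved: Dict[str, int] = field(default_factory=dict)
    def available(self, res):
        return self.capacity[res] - self.reserved.get(res, 0)
    def reserve(self, need, sign=1):
        for res, n in need.items():
            self.reserved[res] = self.reserved.get(res, 0) + sign * n

@dataclass
class Order:
    user: str
    tier: str
    services: List[str]
    state: str = "new"
    log: List[str] = field(default_factory=list)

def verify_credentials(user, password):
    """Allocate/Entitlement (slide 41): an existing user presents login/password."""
    return DIRECTORY.get(user) == password

def catalog_subset(tier):
    """Service catalog filtered by the customer's entitlement (slide 42)."""
    return {s for s in CATALOG if s in ENTITLEMENT.get(tier, set())}

def total_need(services):
    need = {}
    for s in services:
        for res, n in CATALOG[s].items():
            need[res] = need.get(res, 0) + n
    return need

Domain = Tuple[Callable[[Order], bool], Callable[[Order], None]]   # (provision, deprovision)

def fulfil(order: Order, inventory: Inventory, domains: Dict[str, Domain]) -> Order:
    allowed = catalog_subset(order.tier)
    if not set(order.services) <= allowed:
        order.state = "rejected"
        order.log.append(f"not entitled to {sorted(set(order.services) - allowed)}")
        return order
    need = total_need(order.services)
    short = [res for res, n in need.items() if inventory.available(res) < n]
    if short:                                               # slide 43: CMDB says it cannot be met
        order.state = "rejected"
        order.log.append(f"capacity planning: insufficient {short}")
        return order
    inventory.reserve(need)                                 # slide 45: marked reserved in CMDB
    order.state = "commissioning"                           # slide 45/46: service request opened
    done = []
    for name, (provision, deprovision) in domains.items():  # slide 46-48: per-domain provisioning
        if provision(order):
            order.log.append(f"{name} provisioning complete")   # completion notification
            done.append(name)
        else:
            order.log.append(f"{name} provisioning failed; rolling back {done[::-1]}")
            for prev in reversed(done):
                domains[prev][1](order)
            inventory.reserve(need, sign=-1)                # release the reservation
            order.state = "failed"
            return order
    order.state = "active"
    return order

def scenario(compute_ok=True):
    """Run one gold order through network, storage and compute provisioning."""
    inventory = Inventory({"compute": 4, "storage_gb": 1000, "vlan": 8})
    domains = {"network": (lambda o: True, lambda o: None),
               "storage": (lambda o: True, lambda o: None),
               "compute": (lambda o: compute_ok, lambda o: None)}
    if not verify_credentials("alice", "s3cret-constructed"):
        raise RuntimeError("credential verification failed")
    order = fulfil(Order("alice", "gold", ["web-vm", "db-vm"]), inventory, domains)
    return order, inventory
```

Running `scenario(compute_ok=False)` shows the part the slides leave implicit: the network and storage domains had already reported completion, so the compute failure has to trigger their deprovisioning and return the reserved compute, storage and VLAN counts to the inventory before the request is closed as failed.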
Slide 51: IaaS Security Zones, Infrastructure
- The hierarchical network design consists of the following layers: core; aggregation/services; access/virtual access.
- Each layer needs to be secured individually to achieve defense in depth.
- Infrastructure security features must be enabled to protect the device itself, the data plane and the control plane.
- Device virtualization provides control-plane, data-plane and management-plane segmentation.

Slide 52: Infrastructure Zone Security, Device Hardening
Device hardening best practices: CoPP (control plane policing); secure management access; SNMP restricted with ACLs; AAA/RBAC; centralized logging; NTP; configuration management; device banners; disabling unwanted services.

Slide 53: Infrastructure Zone Security, Core Layer
- Perimeter firewall to secure ingress and egress traffic.
- DDoS detection and mitigation.
- Routing protocol authentication.
- Separate VDC.
- Anti-spoofing ACLs and Unicast RPF.

Slide 54: Infrastructure Zone Security, Aggregation Layer
- The aggregation layer provides connectivity between different blocks, e.g. tenant blocks accessing the common services block.
- Aggregation block filtering, e.g. access control between the tenant blocks and the common services block, is done via a firewall at the aggregation layer; it can be implemented with a stateful packet-filtering firewall such as the Cisco ASA 5500.

Slide 55: Infrastructure Zone Security, Aggregation Layer (VPN services)
- VPN services are provided at the aggregation layer: IPsec site-to-site and remote access, and SSL.
- Virtual Private Data Center: VPN services for extending customer sites into their virtualized environment.
- Remote management of VMs through a separate out-of-band management network.
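Slide 21 makes the key claim about collapsed infrastructure: the VDC air gap holds only as long as no configuration change bypasses the security path, and slides 52-53 list the per-device controls that must be present. Both are things a practitioner verifies from the running configuration. The following Python audit is an added example, not Cisco code and not a complete NX-OS parser; it checks the constructed configs below for the VDC partitioning rule (slides 20-21), VRF isolation (slide 22), the hardening items of slide 52 and the routing-authentication, anti-spoofing and uRPF controls of slide 53. The "description EDGE" naming convention for edge links, the ACL names and all addresses are assumptions for the example; the NX-OS command forms themselves (vdc ... allocate interface, vrf context, ip route ... vrf, ip verify unicast source reachable-via rx, ip ospf authentication message-digest, copp profile strict) are real.

```python
"""Audit an NX-OS configuration against the deck's separation and hardening rules: VDC
partitioning (slides 20-21), VRF isolation (22), device hardening (52), core controls (53).
Added example on constructed configs; not Cisco code and deliberately not a full parser."""
from collections import defaultdict

# Slide 52 items that must be present as top-level commands (prefix match).
REQUIRED_GLOBAL = {"CoPP": "copp profile ", "AAA": "aaa authentication login default group "}

def parse_blocks(config):
    """Top-level commands start in column 0; indented lines belong to the block above them."""
    blocks = []
    for raw in config.splitlines():
        if raw.strip() and not raw.startswith("!"):
            if raw[0] != " ":
                blocks.append((raw.strip(), []))
            elif blocks:
                blocks[-1][1].append(raw.strip())
    return blocks

def expand(spec):
    """'Ethernet1/1-4' -> Ethernet1/1 .. Ethernet1/4; specs without a slot/port part stay as-is."""
    if "/" not in spec:
        return [spec]
    base, _, last = spec.rpartition("/")
    lo, _, hi = last.partition("-")
    return [f"{base}/{n}" for n in range(int(lo), int(hi or lo) + 1)]

def audit(config):
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = [f"hardening: {label} not configured" for label, prefix in REQUIRED_GLOBAL.items()
                if not any(h.startswith(prefix) for h in headers)]
    vdc_of = defaultdict(list)
    for header, body in blocks:
        w = header.split()
        def has(prefix):
            return any(line.startswith(prefix) for line in body)
        if w[0] == "vdc" and "id" in w:                     # a port may be allocated to one VDC only
            for line in body:
                if line.startswith("allocate interface "):
                    for spec in line.split()[2].split(","):
                        for intf in expand(spec):
                            vdc_of[intf].append(w[1])
        elif w[:2] == ["vrf", "context"]:                   # static route resolved in another VRF
            for line in body:
                p = line.split()
                if p[:2] == ["ip", "route"] and "vrf" in p and p[p.index("vrf") + 1] != w[2]:
                    findings.append(f"vrf {w[2]}: route {p[2]} leaks into vrf {p[p.index('vrf') + 1]}")
        elif w[0] == "interface":
            name = w[1]
            if name.lower().startswith("vlan") and has("ip address ") and not has("vrf member "):
                findings.append(f"{name}: routed SVI left in the default VRF")
            if has("ip router ospf ") and not has("ip ospf authentication message-digest"):
                findings.append(f"{name}: OSPF without MD5 authentication")
            if has("description EDGE"):                      # constructed naming convention
                if not has("ip verify unicast source reachable-via "):
                    findings.append(f"{name}: edge link without Unicast RPF")
                if not has("ip access-group "):
                    findings.append(f"{name}: edge link without anti-spoofing ACL")
    for intf, vdcs in vdc_of.items():
        if len(vdcs) > 1:
            findings.append(f"{intf}: allocated to multiple VDCs {sorted(vdcs)}")
    return sorted(findings)

# Constructed samples, not real device configurations. In WEAK, Ethernet1/4 sits in both the
# Outside and Inside VDCs, Vlan106 has no VRF, tenant-a leaks its default route into another
# VRF, and the edge and OSPF links are missing their controls.
WEAK = """\
vdc Outside id 2
  allocate interface Ethernet1/1-4
vdc Inside id 3
  allocate interface Ethernet1/4-8
vrf context tenant-a
  ip route 0.0.0.0/0 10.0.0.1 vrf shared-services
interface Vlan106
  ip address 10.1.6.1/24
interface Ethernet1/9
  description EDGE to ISP
interface Ethernet1/10
  ip router ospf 1 area 0.0.0.0
"""

HARDENED = """\
copp profile strict
aaa authentication login default group TACACS-SERVERS
ip access-list ANTI-SPOOF-IN
  10 deny ip 10.0.0.0/8 any
  20 permit ip any any
vdc Outside id 2
  allocate interface Ethernet1/1-4
vdc Inside id 3
  allocate interface Ethernet1/5-8
interface Vlan106
  vrf member tenant-a
  ip address 10.1.6.1/24
interface Ethernet1/9
  description EDGE to ISP
  ip access-group ANTI-SPOOF-IN in
  ip verify unicast source reachable-via rx
interface Ethernet1/10
  ip router ospf 1 area 0.0.0.0
  ip ospf authentication message-digest
  ip ospf message-digest-key 1 md5 0 constructedkey
"""
```

The VDC overlap check is the one that matters most for slide 21: a port allocated to both the Outside and Inside VDCs is exactly the configuration mistake that would collapse the simulated air gap without anyone touching a cable. The anti-spoofing ACL in HARDENED denies packets arriving from the ISP that claim a source inside the data center's own 10.0.0.0/8 space (an assumed internal range), which is what uRPF cannot catch on a link that has a default route pointing back out.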
Slide 56: Infrastructure Zone Security, Services Layer
- Server load balancing: masks servers and applications.
- Application firewall: mitigates XSS, HTTP, SQL and XML based attacks.
- Network intrusion prevention (IPS/IDS): provides traffic analysis and forensics.
- Flow-based traffic analysis: network analysis for traffic monitoring and data analysis.
- XML based application control: an XML gateway to protect and optimize web-based services.

Slide 57: Infrastructure Zone Security, Access Layer
Enhanced Layer 2 security features like:
- Access lists
- Dynamic ARP Inspection
- DHCP Snooping
- IP Source Guard
- Port Security
- Private VLANs
- STP extensions
- Layer 2 storm control
Layer 2 flow monitoring using:
- NetFlow
- SPAN
- ERSPAN
- ACL logs

Slide 58: Infrastructure Zone Security, Virtual Access Layer
Security within the hypervisor:
- Hypervisor: VMware DVS / Nexus 1000V
- VMware vShield firewall
- VMsafe API based virtual security appliances

Slide 59: Infrastructure Zone Security, Security Management
Common Services Block:
- A central management and monitoring tool can be used to manage and monitor the infrastructure security.
- Events are sent out by host IPS, network IPS, firewalls, load balancers, routers and switches in the form of syslogs, NetFlow, SNMP traps and IPS alerts.
- All events are sent to a central repository to perform anomaly detection, event correlation and forensic analysis.

Slide 60: IaaS Security Zones, Intra-Tenant
Physical firewall instance: an Intra-Tenant zone is created when the traditional three-tiered application model is used:
- Front end or WEB
- Middle tier or APP
- Backend or DB
These application tiers have different security affinities and requirements.
- Traffic flow between tiers is controlled via policies at the firewall.
[Figure: VMware ESX server with Cisco Nexus 1KV hosting WEB 1, WEB 2, APP and DB VMs (each OS + App) on VLAN 10, VLAN 20 and VLAN 30, behind a firewall facing the INTERNET]

Slide 61: IaaS Security Zones, Intra-Tenant
Virtual firewall instance: 3rd-party VM based solutions can also be implemented via virtual security firewall appliances to secure inter-VM traffic.
- All traffic to and from the VMs is passed through a virtual firewall.
- Traffic is permitted or denied based on the policies configured on the vFW.
- Scalable solution; per-tenant virtual firewall provisioning is possible.
- No dependency on proprietary firewalling solutions.
- VMware VMsafe makes it possible for security providers to develop security virtual appliances that monitor and control network activity across all virtual machines.
[Figure: VMware ESX host with an internal-only virtual switch and a virtual switch; the inter-VM traffic of three secured VMs (OS + App) passes through a third-party security virtual appliance via VMsafe]

Slide 62: IaaS Security Zones, Inter-Tenant
Core & Aggregation Layer:
- At the Core and Aggregation layers, customers can be separated based on VDCs and VRFs.
- Multiple customers can be part of the same VDC but separate VRFs, or a particular customer can be part of one VDC and one VRF.
- One VRF corresponds to a particular context on the firewall.
[Figure: VMware ESX server with Cisco Nexus 1KV hosting VM1-VM4 (OS + App); Nexus 7K with VDC A (VRF1, VRF2) and VDC B (VRF1); firewall contexts CTX1, CTX2 and CTX3; INTERNET]

Slide 63: Inter-Tenant Zone Security, Services Layer
Shared firewall:
- At the Services Layer, all tenants share a single firewall.
- Tenants have their own distinct Layer 2 VLANs and Layer 3 subnets.
- Tenants are secured from the External Zone by the firewall.
- Security between the tenants is provided by the firewall.
[Figure: INTERNET, a shared FIREWALL, and a VMware ESX server with Cisco Nexus 1KV hosting the VMs (OS + App) of customers C1, C2 and C3]

Slide 64: Inter-Tenant Zone Security, Services Layer
Dedicated firewall:
- A physical firewall partitioned into separate contexts, each with its own data and management interfaces.
- One virtual context or firewall instance serves a single customer.
- Tenants are secured by their own firewall context from other tenants and from the External Zone.
- Tenants have management access to their dedicated firewall instance.
[Figure: INTERNET, a firewall with Context 1, Context 2 and Context 3, and a VMware ESX server with Cisco Nexus 1KV hosting VM1-VM3 (OS + App)]

Slide 65: Inter-Tenant Zone Security, Access Layer
- Tenant separation based on L2 VLANs.
- Implement standard L2 best practices to protect customers at the Access Layer, e.g.:
  - Access lists
  - Dynamic ARP Inspection
  - DHCP Snooping
  - IP Source Guard
  - Port Security
  - Private VLANs
  - STP extensions
  - Layer 2 storm control
  - Hardware rate-limiters
[Figure: INTERNET, Nexus 7K with VDC A (VRF1, VRF2) and VDC B (VRF1), firewall Contexts 1-3, and a VMware ESX server with Cisco Nexus 1KV hosting VM1-VM4 (OS + App)]

Slide 66: Inter-Tenant Zone Security, End-to-End
- VRFs and VDCs are used to segregate at the Core and Aggregation layers.
- Firewall, ACE, IPS and WAFs can be utilized to provide security services to tenants.
- Nexus 1000V is used at the Virtual Access Layer to provide L2 security.
- VMware VMsafe API for 3rd-party vFW integration, or a VMware vShield based solution.
- Segregation based on VDC, VRF and virtual contexts provides complete end-to-end security domains and traffic separation.
[Figure: end-to-end view: INTERNET, Nexus 7K with VDC A (VRF1, VRF2) and VDC B (VRF1), firewall Contexts 1-3, and a VMware ESX server with Cisco Nexus 1KV hosting VM1-VM4 (OS + App)]

Slide 67: IaaS Security Zones, External Zone
- External to the cloud. Public zone, e.g. the Internet user community. Open, no security.
- Controls should be in place to protect the cloud against external threats.
- The External Zone could also be a Virtual Private Data Center (VPDC) or Virtual Private Cloud (VPC), which is the extension of a tenant's existing infrastructure via VPN, MPLS etc.
- Security and other controls leverage the tenant's pre-existing security infrastructure.

Slide 68: What We'll Cover
- Evolution of Cloud Computing
- IaaS Architecture: Infrastructure & Virtualization; Orchestration Framework
- IaaS Architecture Security: Infrastructure Security; Virtual Machine Security
- Summary

Slide 69: Virtual Machine Security, Hypervisor Security
- The hypervisor has access to all resources: it manages all system resources and all LAN & SAN access.
- Any exploit or vulnerability can compromise the hypervisor.
- The vSwitch lacks standard network functions: no visibility into VM-to-VM traffic on a port group, and no visibility into VM-to-hypervisor calls.
[Figure: virtualized server with pNICs, VMkernel and VMotion interfaces marked as exposure points]

Slide 70: Hypervisor Security, Security Best Practices
- Limit connectivity to both the VMkernel and VMotion segments.
- VMotion and VMkernel interfaces should be unreachable from outside the data center.
- Limit VMkernel management access to DC Operations only, using firewalls and ACLs.
- The VMotion interface and VLAN should be isolated for a given cluster.
- Use a firewall (virtual context) to control access.
- Secure the VMs using a host IPS.
[Figure: virtualized server with pNICs, VMkernel and VMotion interfaces; each VM protected by CSA]

Slide 71: Hypervisor Security, Security Best Practices
- Disable local and remote root access to the hypervisor.
- Manage the hypervisor through Virtual Center.
- Consider vShield Zones for hypervisor-level protection.
- Apply updates and patches to the hypervisor.
- Disable unauthorized device access / connectivity.

Slide 72: Virtual Machine Security, Guest OS Security
Protect the endpoints:
- Apply a host-based firewall or IPS to the VMs, e.g. iptables, Windows Firewall and Cisco CSA.
- Host IPS can be integrated with network-based IPS to quarantine and black-hole or filter the infected VM at the network level.
- Apply anti-virus and anti-spyware.
- Secure inter-VM traffic using L2 and L3 controls and a virtualized solution like Nexus 1000V or vShield.
[Figure: ESX host with VMkernel and Nexus 1000V; VMs running Cisco Security Agent host IPS report host posture and event information over the management network to the CSA Management Center, which exchanges host posture and quarantine events with the network IPS via SDEE; VM traffic is mirrored to the IPS via ERSPAN]

Slide 73: Guest OS Security, Security Best Practices
Secure virtual machines as you would secure physical machines:
- Apply updates and patches.
- Disable unused services.
- Implement multi-factor authentication.
- Disable remote root access.
- Implement secure access like SSH and IPsec.
- Use a separate vNIC for management access.
- Avoid using non-persistent disks.
[Figure: same topology as slide 72]
Slide 74: Virtual Machine Security, Application Tier Security
Be aware of security affinities:
- Would you place all your applications on the same VLAN?
- Challenging troubleshooting and monitoring environment.
- The ESX vSwitch lacks standard network functions:
  - No SNMP and NetFlow instrumentation to monitor flows between VMs.
  - No ACLs and PVLANs to limit inter-VM traffic.
  - No SPAN to enable forensic analysis of inter-VM traffic.
- Recommendation: do not consolidate servers with unlike security affinities onto a single VLAN.
[Figure: DMZ web server, application server and database server on one host, flagged as a risk]

Slide 75: Application Tier Security, VMware vSwitch
With the VMware vSwitch we can use Virtual Switch Tagging (VST):
- Use port groups to segment the vSwitch and the VMs.
- Assign a VLAN to a port group based upon security affinity, i.e. Web = Blue VLAN.
- Port groups also simplify the policies that are applied to a VM, i.e. Web = VLAN 101 (Blue).
- Use static MAC addresses per VM to simplify troubleshooting.
- Intra-tenant traffic between application tiers and inter-tenant communication is controlled via a security firewall instance.
[Figure: vNICs of the DMZ web server, application server and database server attached to vSwitch port groups Web (Blue VLAN), Appln (Red VLAN) and DB (Green VLAN); the pNIC carries an 802.1Q trunk with trunkfast enabled]

Slide 76: Application Tier Security, Nexus 1000V
- Inter- and intra-tenant zone security is provided by the Nexus 1000V.
- The Nexus 1000V provides enhanced VM switching for VMware ESX environments.
- Nexus 1000V features VN-Link capabilities like:
  - Policy-based VM connectivity
  - Mobility of network and security properties
  - Non-disruptive operational model
- Ensures visibility and continued connectivity during VMotion.
[Figure: two VMware ESX servers, each with a VMware vSwitch and a Nexus 1000V; VM #1-#8 keep their Nexus 1000V properties as they move between Server 1 and Server 2]

Slide 77: Nexus 1000V Port Profiles
Security policies in a port profile:
- ACL
- Port Security
- VLAN, PVLAN
- SPAN, RSPAN and ERSPAN
- NetFlow collection
- Rate limiting
- QoS marking (CoS/DSCP)
[Figure: Virtual Center and the Nexus 1000V VSM managing a VEM on a VMware ESX server hosting VM #1-#4]

Slide 78: Nexus 1000V Access Control Lists
Traffic filtering mechanism:
- Provides filtering for ingress and egress VM traffic for additional network security.
- Permit/drop traffic based on ACL policies.
- ACL types supported: IPv4 and MAC ACLs.
- Supported on Eth and vEth interfaces.
- Configured via port profiles or directly on the interface.
[Figure: ACLs applied via port profiles]

Slide 79: Nexus 1000V Port Security
Trusted MAC addresses:
- Port Security secures a port by limiting and identifying the MAC addresses that can access the port.
- Secure MACs can be manually configured or dynamically learnt.
- Two security violation types are supported: Addr-Count-Exceed violation and MAC Move violation.
- Port security can be applied to vEths; it cannot be applied to physical interfaces.
Slide 80: Port Security, Types of Secure MAC Addresses
Secure MAC type | Source             | Aging                                           | Persists through interface flaps | Persists through switch reboot
Static          | CLI configuration  | No                                              | Yes                              | Yes (with copy run start)
Sticky          | Dynamically learnt | No                                              | Yes                              | Yes (with copy run start)
Dynamic         | Dynamically learnt | No (default); aging time and type configurable  | No                               | No

Slide 81: Nexus 1000V Private VLANs
- Private VLANs divide a normal VLAN into sub-L2 domains.
- They consist of a primary VLAN and one or more secondary VLANs.
- Used to segregate L2 traffic without wasting IP address space (smaller subnets).
- Three types of ports: promiscuous, isolated or community.
- Secondary VLAN access is restricted by setting community or isolated status.

Slide 82: Nexus 1000V Private VLANs
- Isolated ports can only communicate with the promiscuous port.
- Community ports can communicate with other ports in the same community and with the promiscuous port.
- The promiscuous port can communicate with all isolated ports and community ports, and vice versa.
[Figure: isolated, community and promiscuous ports, with port channels Po1 and Po3]

Slide 83: Private VLAN Configuration
vlan 202
  private-vlan primary
vlan 303
  private-vlan isolated
vlan 202
  private-vlan association add 303

port-profile type ethernet Promiscuous-Trunk
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 202 303
  switchport private-vlan trunk allowed vlan all
  no shutdown
  state enabled

port-profile type vethernet Customer-Data
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 202 303
  no shutdown
  state enabled
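As an added illustration of the secure-MAC types and the two violation types on slides 79 and 80 (example code written for this page, not Cisco's or the Nexus 1000V's own), the following Python model simulates a port-security table: learning on vEths, Addr-Count-Exceed and MAC Move violations, and what survives an interface flap or a reboot with and without "copy run start". The port names, MAC addresses and maximum counts are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class MacType(str, Enum):
    """The three secure-MAC types from the slide 80 table."""
    STATIC = "static"    # configured from the CLI
    STICKY = "sticky"    # dynamically learnt, then written into the config
    DYNAMIC = "dynamic"  # dynamically learnt only; lost on flap and reboot


@dataclass
class SecurePort:
    name: str                    # a vEth (the deck: not applicable to physical ports)
    maximum: int = 1             # how many secure MACs this port may hold
    sticky: bool = False         # learn as STICKY instead of DYNAMIC
    secure: dict = field(default_factory=dict)  # mac -> MacType


class PortSecurityTable:
    """Toy model of one switch's port-security table (constructed for this page)."""

    def __init__(self):
        self.ports = {}

    def add_port(self, name, maximum=1, sticky=False, static=()):
        port = SecurePort(name, maximum, sticky)
        for mac in static:                     # static entries come from the CLI
            port.secure[mac.lower()] = MacType.STATIC
        self.ports[name] = port
        return port

    def _owner_of(self, mac):
        return next((p.name for p in self.ports.values() if mac in p.secure), None)

    def frame_in(self, port_name, mac):
        """Process a frame's source MAC: None if allowed, else the violation name."""
        mac, port = mac.lower(), self.ports[port_name]
        if mac in port.secure:                 # already secured on this vEth
            return None
        if self._owner_of(mac) is not None:    # secured on another vEth of this switch
            return "MAC Move Violation"
        if len(port.secure) >= port.maximum:   # this port's table is full
            return "Addr-Count-Exceed Violation"
        port.secure[mac] = MacType.STICKY if port.sticky else MacType.DYNAMIC
        return None

    def interface_flap(self, port_name):
        """Link down/up: only dynamic entries are lost (table column 'interface flaps')."""
        port = self.ports[port_name]
        port.secure = {m: t for m, t in port.secure.items() if t is not MacType.DYNAMIC}

    def reboot(self, config_saved):
        """Switch reboot: static and sticky survive only if 'copy run start' was done."""
        keep = {MacType.STATIC, MacType.STICKY} if config_saved else set()
        for port in self.ports.values():
            port.secure = {m: t for m, t in port.secure.items() if t in keep}


def demo():
    """Replay four constructed frames and return (port, mac, result) plus the table."""
    table = PortSecurityTable()
    table.add_port("Vethernet1", maximum=1, sticky=True)
    table.add_port("Vethernet2", maximum=2)
    events = [("Vethernet1", "00:50:56:aa:00:01"),   # learnt as sticky
              ("Vethernet1", "00:50:56:aa:00:02"),   # second MAC on a max-1 port
              ("Vethernet2", "00:50:56:aa:00:01"),   # MAC already secured on Vethernet1
              ("Vethernet2", "00:50:56:aa:00:03")]   # learnt as dynamic
    return [(p, m, table.frame_in(p, m)) for p, m in events], table
```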
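To tie the forwarding rules of slide 82 to the configuration of slide 83, here is an added Python example (written for this page, not Cisco's code) that parses the private-VLAN stanzas of a Nexus 1000V configuration and derives which port profiles may exchange frames. It goes beyond the deck's configuration by adding a constructed community VLAN 304 and a second vethernet profile, Customer-Web, so all three port types are exercised.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the slide 83 configuration, extended with community VLAN 304
# and a second vethernet profile (both added here, not part of the deck).
SAMPLE_CONFIG = """
vlan 202
  private-vlan primary
vlan 303
  private-vlan isolated
vlan 304
  private-vlan community
vlan 202
  private-vlan association add 303,304
port-profile type ethernet Promiscuous-Trunk
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan mapping trunk 202 303,304
port-profile type vethernet Customer-Data
  switchport mode private-vlan host
  switchport private-vlan host-association 202 303
port-profile type vethernet Customer-Web
  switchport mode private-vlan host
  switchport private-vlan host-association 202 304
"""


@dataclass
class PvlanProfile:
    name: str
    kind: str = "unknown"             # promiscuous | isolated | community
    primary: Optional[int] = None
    secondary: Optional[int] = None   # host ports only; promiscuous maps the whole primary


def parse_pvlan_config(text):
    """Read the 'vlan' and 'port-profile' stanzas that define private-VLAN roles."""
    vlan_type, profiles, ctx = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.fullmatch(r"vlan (\d+)", line):
            ctx = ("vlan", int(m.group(1)))
        elif m := re.fullmatch(r"port-profile type \S+ (\S+)", line):
            ctx = ("profile", m.group(1))
            profiles[m.group(1)] = PvlanProfile(m.group(1))
        elif ctx and ctx[0] == "vlan":
            if m := re.fullmatch(r"private-vlan (primary|isolated|community)", line):
                vlan_type[ctx[1]] = m.group(1)
        elif ctx and ctx[0] == "profile":
            prof = profiles[ctx[1]]
            if line == "switchport mode private-vlan trunk promiscuous":
                prof.kind = "promiscuous"
            elif m := re.fullmatch(r"switchport private-vlan mapping trunk (\d+) \S+", line):
                prof.primary = int(m.group(1))
            elif m := re.fullmatch(r"switchport private-vlan host-association (\d+) (\d+)", line):
                prof.primary, prof.secondary = int(m.group(1)), int(m.group(2))
                prof.kind = vlan_type.get(prof.secondary, "unknown")  # role follows the secondary VLAN
    return profiles


def can_forward(a, b):
    """Slide 82: isolated talks only to promiscuous; community talks to its own
    community and to promiscuous; promiscuous talks to every port in the primary."""
    if a.primary is None or a.primary != b.primary:
        return False
    if "promiscuous" in (a.kind, b.kind):
        return True
    return a.kind == b.kind == "community" and a.secondary == b.secondary


def forwarding_matrix(profiles):
    """Pairwise reachability; a same-profile pair models two VMs on one port profile."""
    names = sorted(profiles)
    return {(x, y): can_forward(profiles[x], profiles[y]) for x in names for y in names}
```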
Slide 84: Nexus 1000V ERSPAN
- ERSPAN: remote monitoring of multiple switches across your network.
- ERSPAN uses a GRE tunnel to carry traffic between switches.
- ERSPAN consists of a source session, routable GRE-encapsulated traffic and a destination session.
- An ERSPAN destination is specified by an IP address.
- The source SPAN interface and the destination SPAN interface may be on different devices interconnected by an IP network.
[Figure: ESX host with VMkernel and Nexus 1000V; ERSPAN sessions ID:1 and ID:2 carry VM traffic to the ERSPAN destination in the management/services block, which feeds IDS1 and a NAM]

Slide 85: ERSPAN Use Case
- Comprehensive view of VM traffic via ERSPAN to two network analysis devices simultaneously.
- NAM and IDS together provide clarity.
- In this example, a port scan of a VM is detected on the IDS and visible on the NAM.
[Figure: same topology as slide 84]

Slide 86: ERSPAN Use Case
[Figure: screenshot only; no text recovered]

Slide 87: ERSPAN Configuration
port-profile erspan
  capability l3control
  vmware port-group
  switchport access vlan 3000
  no shutdown
  system vlan 3000
  state enabled
!
monitor session 1 type erspan-source
  description - to SS1 NAM via VLAN 3000
  source interface Vethernet8 both
  destination ip 10.8.33.4
  erspan-id 1
  no shut
!
monitor session 2 type erspan-source
  description - to SS1 IDS1 via VLAN 3000
  source interface Vethernet8 both
  destination ip 10.8.33.4
  erspan-id 2
  no shut

Slide 88: Nexus 1000V NetFlow
- NetFlow gathers data that can be used in accounting, network monitoring and network planning.
- Nexus 1000V requires a NetFlow source interface; it defaults to mgmt0.
- Supports the v9 format.
- Port profiles afford easy deployment.
Slide 89: NetFlow Configuration
flow exporter exporttest
  description exportv9
  destination <IP ADDRESS>
  use-vrf management
  transport udp 3000
  source mgmt0
  version 9
    template data timeout 1200
    option exporter-stats timeout 1200
flow monitor NAMTest
  description default flow to NAM
  record netflow-original
  exporter exporttest
port-profile vm180
  vmware port-group pg180
  switchport mode access
  switchport access vlan 180
  ip flow monitor NAMTest input
  ip flow monitor NAMTest output

Slide 90: Summary
- Virtualization is the catalyst to the enablement of IaaS.
- Cisco provides end-to-end cloud infrastructure device virtualization, which is a key requirement in a multi-tenant environment.
- Virtualization technologies like VDC, VRF, VLAN and virtual contexts on services like firewalls, load balancers and intrusion prevention systems are key to deploying a cloud infrastructure.
- The Cisco Nexus 1KV DVS in the hypervisor provides enhanced security and switching capabilities to virtual machines.
- When using device virtualization, access to each management plane should be limited and enforced based on user authentication and role.
- Virtualization introduces new security challenges, but the traditional security problems remain unchanged and security policies still need to be enforced.

Slide 91: Questions?

Slide 92: Complete Your Online Session Evaluation
Give us your feedback and you could win fabulous prizes; winners are announced daily. Receive 20 Cisco Preferred Access points for each session evaluation you complete. Complete your session evaluation online now (open a browser through our wireless network to access our portal) or visit one of the Internet stations throughout the Convention Center.
Don't forget to activate your Cisco Live and Networkers Virtual account for access to all session materials, communities, and on-demand and live activities throughout the year. Activate your account at any Internet station or visit www.ciscolivevirtual.com.

Slide 93: Recommended Reading
Check the Recommended Reading brochure for suggested products available at the Cisco Store. Enter to win a 12-book library of your choice from Cisco Press: visit the Cisco Store in the World of Solutions, where you will be asked to enter this Session ID code.