Design Guide to Run VMware NSX for vSphere with Cisco ACI


White Paper
Design Guide to run VMware NSX for vSphere with Cisco ACI
First published: January 2018
© 2018 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 65

Contents

Introduction
  Goal of this document
Cisco ACI fundamentals
  Cisco ACI policy model
  Cisco ACI policy-based networking and security
  Cisco ACI VMM domains
VMware NSX fundamentals
  NSX for vSphere
  NSX for vSphere network requirements
Running vSphere Infrastructure as an application with Cisco ACI
  vSphere infrastructure
  Physically connecting ESXi hosts to the fabric
  Mapping vSphere environments to Cisco ACI network and policy model
  Obtaining per-cluster visibility in APIC
  Securing vSphere Infrastructure
  VMware vSwitch design and configuration considerations
Option 1. Running NSX-v security and virtual services using a Cisco ACI integrated overlay for network virtualization
  Using NSX Distributed Firewall and Cisco ACI integrated overlays
Option 2. NSX-v overlays as an application of the Cisco ACI fabric
  NSX-v VXLAN architecture
  NSX VXLAN—Understanding BUM traffic replication
  NSX transport zones
  NSX VTEP subnetting considerations
  Running NSX VXLAN on a Cisco ACI fabric
  Bridge domain–EPG design when using NSX hybrid replication
  Bridge domain–EPG design when using NSX unicast replication
  Providing visibility of the underlay for the vCenter and NSX administrators
  Virtual switch options: Single VDS versus dual VDS
NSX Edge Clusters—NSX routing and Cisco ACI
  Introduction to NSX routing
  Connecting ESG with NAT to the Cisco ACI fabric
  ESG routing through the fabric
  ESG peering with the fabric using L3Out
  Bridging between logical switches and EPGs
Conclusion
  Do you need NSX when running a Cisco ACI fabric?

THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS.

THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.

The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.

NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED "AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE.

IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). This product includes software written by Tim Hudson (tjh@cryptsoft.com).

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Introduction

With the launch of the Cisco Application Centric Infrastructure (Cisco ACI) solution in 2013, Cisco continued the trend of providing best-in-class solutions for VMware vSphere environments. Cisco ACI is a comprehensive Software-Defined Networking (SDN) architecture that delivers a better network, implementing distributed Layer 2 and Layer 3 services across multiple sites using integrated Virtual Extensible LAN (VXLAN) overlays. Cisco ACI also enables distributed security for any type of workload, and introduces policy-based automation with a single point of management. The core of the Cisco ACI solution, the Cisco Application Policy Infrastructure Controller (APIC), provides deep integration with multiple hypervisors, including VMware vSphere, Microsoft Hyper-V, and Red Hat Virtualization, and with modern cloud and container cluster management platforms, such as OpenStack and Kubernetes. The APIC not only manages the entire physical fabric but also manages the native virtual switching offering for each of the hypervisors or container nodes.

Since its introduction, Cisco ACI has seen broad market adoption and is currently deployed by thousands of customers across all industry segments.

In parallel, some vSphere customers may choose to deploy hypervisor-centric SDN solutions, such as VMware NSX, often as a means of improving security in their virtualized environments. This leads customers to wonder how best to combine NSX and Cisco ACI. This document is intended to help those customers by explaining the design considerations and options for running VMware NSX with a Cisco ACI fabric.

Goal of this document

This document explains the benefits of Cisco ACI as a foundation for VMware vSphere, as well as how it makes NSX easier to deploy, more cost effective, and simpler to troubleshoot when compared to running NSX on a traditional fabric design.

Because Cisco ACI fabrics provide a unified overlay and underlay, two possible NSX deployment options are discussed (Figure 1):

- Option 1. Running NSX-v security and virtual services with a Cisco ACI integrated overlay: In this model, Cisco ACI provides the overlay and distributed networking, while NSX is used for distributed firewalling and other services, such as load balancing, provided by the NSX Edge Services Gateway (ESG).

- Option 2. Running the NSX overlay as an application: In this deployment model, the NSX overlay provides connectivity between vSphere virtual machines, and the Cisco APIC manages the underlying networking, as it does for vMotion, IP Storage, or Fault Tolerance traffic.

Figure 1. VMware NSX deployment options

These two deployment options are not mutually exclusive. While Cisco ACI offers substantial benefits in both scenarios when compared to a traditional device-by-device managed data center fabric, the first option is recommended, because it allows customers to avoid the complexities and performance challenges associated with deploying and operating NSX ESGs for north-south traffic and eliminates the need to deploy any VXLAN-to-VLAN gateway functions.

Regardless of the chosen option, using Cisco ACI as the fabric for vSphere with NSX brings significant advantages, including:

- Best-in-class performance: Cisco ACI builds on best-in-class Cisco Nexus 9000 Series Switches to implement a low-latency fabric that uses Cisco Cloud Scale smart buffering and provides the highest performance on a leaf-and-spine architecture.

- Simpler management: Cisco ACI offers a single point of management for the physical fabric with full FCAPS¹ capabilities, thus providing a much simpler environment for running all required vSphere services with high levels of availability and visibility.

- Simplified NSX networking: Because of the programmable fabric capabilities of the Cisco ACI solution, customers can deploy NSX VXLAN Tunnel Endpoints (VTEPs) with minimal fabric configuration, as opposed to device-by-device subnet and VLAN configuration. In addition, customers can optimize, reduce, or completely eliminate the need for certain functions such as NSX ESGs. This requires fewer computing resources and simplifies the virtual topology.

- Operational benefits: The Cisco ACI policy-based model with a single point of management facilitates setting up vSphere clusters while providing better visibility, enhanced security, and easier troubleshooting of connectivity within and between clusters. Furthermore, Cisco ACI provides many built-in network management functions, including consolidated logging with automatic event correlation, troubleshooting wizards, software lifecycle management, and capacity management.

- Lower total cost of ownership: The operational benefits provided by Cisco ACI and the savings in resources and licenses from enabling optimal placement of NSX ESG functions, along with faster time to recovery and easier capacity planning, add up to reduced costs overall.

This document is intended for network, security, and virtualization administrators who will deploy NSX on a vSphere environment running over a Cisco ACI fabric. We anticipate that the reader is familiar with NSX for vSphere and with Cisco ACI capa

¹ FCAPS is the ISO Telecommunications Management Network model and framework for network management. FCAPS is an acronym for fault, configuration, accounting, performance, and security, the management categories the ISO model uses to define network management tasks.