There is no Internet connectivity in this session, so I’ll have to publish this after the session has concluded.
The Cisco Nexus 1000V is, of course, a Layer 2 distributed virtual switch for VMware vSphere built on Cisco NX-OS (the same operating system that drives the physical Nexus switches). It’s compatible with all switching platforms, meaning that it doesn’t require physical Nexus switches upstream in order to work. The Nexus 1000V brings policy-based VM connectivity, network and security property mobility, and a non-disruptive operational model.
The Nexus 1000V has two components: the Virtual Supervisor Module (VSM). Interestingly enough, the slide shows that the VSM can be a virtual or physical instance of NX-OS; there has been no formal announcement of which I know that has discussed using a physical instance of NX-OS as the VSM for the Nexus 1000V. The second component is the Virtual Ethernet Module (VEM), which is a per-host switching module that resides on each ESX/ESXi host. A VSM can support up to 64 VEMs in a distributed logical switch model, meaning that all VEMs are centrally managed by the VSM. Each VEM appears as a remote line card to the VSM.
The VEM is deployed using vCenter Update Manager (VUM) and supports both ESX and ESXi. The Nexus 1000V supports both 1Gbps and 10Gbps Ethernet uplinks and works with all types of servers (everything on the HCL) and upstream switches.
The Nexus 1000V supports a feature called virtual port channel host mode (vPC-HM). This feature allows the Nexus 1000V to use two uplinks (NICs in the server) connected to two different physical switches and treat them as a single logical uplink. This does not require any upstream switch support. Multiple instances of vPC-HM can be used; for example, you could use four Gigabit Ethernet uplinks, two to each physical switches, could be used to create two different vPC-HM uplinks for redundancy and separation of traffic.
For upstream switches that support VSS or VBS, you can configure the Nexus 1000V to use all uplinks as a single logical uplink. This requires upstream switch support but provides more bandwidth across all upstream switches. Of course, users can also create multiple port channels to upstream switches for traffic separation. There are lots of flexiblity in how the Nexus 1000V can be connected to the existing network infrastructure.
These network designs can be extrapolated to six NICs (uplinks), eight NICs, and more.
One interesting statement from the presenter was that Layer 8 (the Human layer) can create more problems than Layers 1 through 7.
Next, the presenter went through the use and configuration of the Cisco Nexus 1000V in DMZ environments. Key features for this use case include private VLANs (private VLANs can span both physical and virtual systems). Network professionals can also use access-conrol lists (ACLs) and remote port mirroring (ERSPAN) improve visibility and control over the virtual networking environment.
At this point, I left the session because it was clear that this session was more about educating users on the features of the Nexus 1000V and not about best practices on how to deploy the Nexus 1000V.
Tags: Cisco, Networking, Nexus, Virtualization, VMware, VMworld2009, vSphere
-
“One interesting statement from the presenter was that Layer 8 (the Human layer) can create more problems than Layers 1 through 7.”
… I see it every day unfortunately not only on Nexus 1KV
-
“One interesting statement from the presenter was that Layer 8 (the Human layer) can create more problems than Layers 1 through 7.”
That’s pretty safe to say.
Has anyone directly fully addressed/explained security across VLANs on the distributed switch? I have had several people express concern over network security in a virtual environment and unwilling to mix DMZ servers and production servers on the same hosts.
I presume that the 1000v functions similarly to what Cisco provides on their physical hardware. Is this the case or does something like traffic inspecition with vShield make this more risky with vSphere and the new switching options?
I feel comfortable with mixing networks on ESX hosts, but I am looking for other validated resources to either support or dissent my opinion.
-
Scott:
Have you seen the N1KV deployment guide–I just put it up last week: http://bit.ly/eg95 There is also the guide for setting up a DMZ with vSphere and N1KV, but that has been set up for a while: http://bit.ly/2zMHEf.
Regards,
Omar
-
Thank you Omar, that is extremely helpful and answered some other questions I had about the 1000v. Definitely looking forward to putting it in our lab later this month / early October.
-
Josh:
Cool–glad you found it helpful. One other site folks might find helpful is the N1KV Community http://www.cisco.com/go/1000vcommunity. Outside of docs and the like, there is a forum that is staffed by the product managers and engineers, so if you have questions, its a good place to get answers from the source.
Regards,
Omar
Cisco -
A couple of non-trivial caveats with the 1000v that don’t seem to be brought up much:
* The VSM must be run in the same vSphere cluster, but you can’t run it on a host that is using a VEM. Basically, you need to “waste” a host on the 1000v VSM.
* Host profiles cannot be used on hosts with the VEM installed. -
Here is a great interview that was released this week. The article reviews the emergence of VEPA as a base standard for exposing VM traffic beyond the NIC and it specifically points out the proprietary nature of Cisco’s plans with VNtag. I found this article extremely interesting. Any of your customers contemplating Cisco UCS (and VNTag) will definitely benefit from reading this article. It also does a great job outlining the need for this technology.
http://www.eweekeurope.co.uk/interview/hp-claims-victory-in-virtualisation-standards–1734?page=1
Interesting sections are captured below:
“Cisco has a proprietary packet format, that modifies the Ethernet frame to integrate UCS servers with switches,” said Congdon. “That was more intrusive than the Industry wanted to see. Modifying the frame is usually a bad thing, because it can make everyone’s silicon obsolete, and customers have to buy new equipment, to address an incremental problem. If we can avoid that, it is a good thing.”
Hardware NICs effectively now include an Ethernet switch, and Congdon wants to see a “small evolutionary step” that exposes the network traffic to the outside world. Cisco wanted a new tag format, new addresses, and new hardware structures, he said.
The end result wasn’t a battle to the death (unlike all too many IEEE standards spats) says Congdon: “Cisco and HP started out at odds with each other, but finally came to a compromise.”
That compromise is for VEPA to form a base standard, while Cisco addresses extensions that it thinks are necessary.
-
I usually refer to Layers 8-11 (Financial, Legal, Political, Religious). Since they all cause different problems.
-
Chris Smith,
I think you’re incorrect about not being able to run the VSM on a host with the VEM–I’ve seen a couple of references to the necessary configuration although I’ve not yet done it myself.
-
Steve,
Please be sure to provide full vendor disclosure. Since your message originated from an IP address block that belongs to HP, I can only assume that you work for HP. If that is not the case, please let me know.
-
Scott:
That requirement was essentially from the horse’s mouth - the Cisco-recommended people who have just finished installing our new Nexus(incl. 1000v)+UCS+VMWare infrastructure.I haven’t actually had time to make it to the 1000v docs myself, so if you have information otherwise, I’d love to know - since we’ve currently got an 8-core/48GB RAM blade that doesn’t do anything more than vCenter and the 1000v VSM.
-
Scott/Chris:
Just checked with the product team to make sure, but you can currently put a VEM and VSM on the same host. What we don’t currently recommend is VMotioning your VSM. An upcoming update will offer more robust support for VSM VMotion.
Omar
Cisco -
So.. can anybody tell me if there is a technical design that drives the use of 1000V over the Vsphere VDS or is it strictly to give the network folkes visibility into the virtual networking layer?
-
Will the Cisco 1000V allow me to use multiple 1Gbps NIC’s to create more bandwidth to my iSCSI Target?
If not then I guess I’m stuck with moving to 10GbE.
-
After several weeks of testing with “self-hosted” VSMs (ie: VSMs running on top of VEMs), I’ve pretty much given up on the idea. The setup “works” - most of the time - but is far too fragile for production, in my opinion. I found probably half the time during my failure and disaster testing (ie: rebooting random things, shutting down the VSMs and trying to bring them back up, etc), that the whole shebang would eventually, and inevitably, get twisted up so badly it was necessary to essentially start over from scratch - unlink all the vmnics from the Nexus 1000V, set them up on regular vSwitches, reconfigure the VSMs to use those vSwitches, then migrate everything back to the 1000V DVS again. My feeling from that was that if you have a disaster that shuts down both VSMs, there’s about a 20% chance you’ll need to do some _serious_ recovery work to get them (and hence the entire cluster) running properly again.
For the moment, I’ve moved the VSMs out onto a couple of independent, low-end ESXi hosts, which has at least improved things dramatically from a disaster recovery perspective (haven’t been able to break it yet). However, I can only hope the rumblings I’ve heard about integrating the VSM functionality into the Nexus 5000 are true, and planned for the near future, because at the moment the 1000V doesn’t really deliver what it promises, and that is in no small part because you effectively “need” separate server(s) for the VSM(s).
I’ve also had trouble with vPC-HM in my UCS chassis, with the hardware and configuration described in this “Best Practices” document: http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/white_paper_c11-558242.html (M71KR-Q CNAs). In particular, whenever I link the second vmnic to the DVS, connectivity becomes extremely unpredictable and unreliable (sometiems it breaks immediatley, sometimes it takes an hour - but it always breaks eventually). I think this might be something to do with the pinning within the UCS, and I’m about to open up a TAC with Cisco to try and figure out what’s wrong.
CS
-
Hi there,
After a lot of weird behaviours, i have tested the nexus 1000V in deep and my conclusion is that you should NEVER use cdp to create your sub-group in a critical environment.
The reason is that cdp can take at least 5s to advertise a link coming up and my tests show that you can loose about 7-8 pings when a link come up ine a vPC-HM config.
Use the manual or mac-pinning config. (cisco community thread https://www.myciscocommunity.com/thread/8023;jsessionid=BB9B9668B537623B904EB675C62B3523.node0)
By the way i try the same thing with vsphere standard vSwitches and the fact is that when you link a standard virtual switch to 2 cards on 2 physical switches (virtual port id LB), nothing is lost when failing-over, but if you choose reverting back to the link when it comes up, you loose 6-7 pings.
That was not the case with 3.5.
After some tests, it does not happen with beacon probing activated, of course.
So i would recommand to activate beacon probing by default when configuring the type of LB!! (or do not choose to revert back to the original link)
Site Sponsors
17 comments
Comments feed for this article
Trackback link: http://blog.scottlowe.org/2009/09/02/ta2384-deploying-the-nexus-1000v/trackback/