July 2011

You are currently browsing the monthly archive for July 2011.

VMworld 2011 Spousetivities

Tuesday, July 26, 2011 in Virtualization by slowe | 2 comments

Spousetivities is now in its fourth year at VMworld, and Crystal (my wife and the founder of Spousetivities) has some great stuff planned for VMworld US this year. Thanks to her sponsors (in alphabetical order: eGroup, EMC, HP, HyTrust, Train Signal, and VMUG), she’s been able to pull together a great collection of activities for spouses or significant others traveling with you to VMworld in Las Vegas.

Here’s a quick look at some of the stuff she has planned:

  • There’s the usual “Get to Know You” breakfast on Monday, 8/29
  • Walking tours of The Strip (north end and south end) on both Monday 8/29 and Thursday 9/1
  • Grand Canyon West Rim tour on Tuesday, 8/30
  • Spa treatments at the Canyon Ranch Spa on Tuesday, Wednesday, and Thursday (8/29, 8/30, and 8/31)
  • Lake Mead riverboat cruise on Wednesday, 8/31
  • Combination Lake Mead/Hoover Dam tour on Thursday, 9/1
  • Gourmet cooking classes with Chef Bev Lee in the afternoon/evenings on Monday, Tuesday, Wednesday, and Thursday

Registration is required for all events, so if you haven’t registered for these activities yet you’ll want to head over to the registration page ASAP. Space is limited in these activities, and registration will be closing before VMworld starts. Don’t wait until the last minute or you’ll very likely miss out!

To stay up-to-date on the latest happenings with Spousetivities, I recommend you read the Spousetivities blog, subscribe to the Spousetivities RSS feed, visit the Spousetivities Facebook page, and/or follow Spousetivities on Twitter.

Tags: , ,

Some Useful UNIX Commands on your Mac

Monday, July 25, 2011 in Macintosh, UNIX by slowe | 9 comments

Over the last day or so I’ve been messing around at the UNIX command line on my Mac, trying to find a workaround for a VPN policy that doesn’t allow split tunneling. (Just as a stupid side question, what is the security issue with split tunneling, anyway?) Along the way, I uncovered some handy commands for gathering information about the networking configuration of your Mac.

I can’t take credit for all of these; most of them were shared with me by Matt Cowger, fellow VCDX and vSpecialist.

If anyone has any additional commands they’d like to share, I encourage you to add them to the comments on this post. Enjoy!

To find the IP address of the default gateway:

netstat -nr -f inet | grep default | grep en | awk '{print $2}'

To find the interface name of the default route:

netstat -nr -f inet | grep default | grep en | awk '{print $6}'

To find the IP address assigned to the interface for the default gateway:

ORGGWIF=`netstat -nr -f inet | grep default | grep en | awk '{print $6}'`
ifconfig $ORGGWIF | grep "inet " | awk '{print $2}'

To find the default gateway network:

ORGGWIF=`netstat -nr -f inet | grep default | grep en | awk '{print $6}'`
netstat -I $ORGGWIF -n | grep -v : | grep $ORGGWIF | awk '{print $3}'

To find the subnet mask for the default gateway network:

ORGGWIF=`netstat -nr -f inet | grep default | grep en | awk '{print $6}'`
system_profiler SPNetworkDataType | grep -A 15 $ORGGWIF | grep "Subnet Masks" | awk '{print $3}'

To convert the subnet mask into CIDR format:

ORGGWIF=`netstat -nr -f inet | grep default | grep en | awk '{print $6}'`
ORGGWMASK=`system_profiler SPNetworkDataType | grep -A 15 $ORGGWIF | grep "Subnet Masks" | awk '{print $3}'`
echo obase=2.$ORGGWMASK | tr . \; | bc | tr -d 0\\n | wc -c | awk '{print $1}'

To determine the wireless SSID to which your Mac is currently associated:

/System/Library/PrivateFrameworks/Apple80211.framework/Versions/A/Resources/airport -I | grep SSID | tail -n 1 | awk '{print $2}'

CLI gurus and wizards are encouraged to share other useful commands in the comments below. Thanks!

Tags: , , ,

Essential Apps for New Mac Owners

Sunday, July 24, 2011 in Macintosh by slowe | 28 comments

A few of my colleagues are switching from Windows to Mac OS X thanks to the recent release of the new MacBook Air models. As a Mac user for more than 8 years now (since well before the Intel switch), I thought it might be handy to post a list of what could be considered some essential apps for new Mac users.

With that in mind, here goes…

File Transfer: Cyberduck

On Windows, many people use Filezilla for their file transfer needs. Filezilla does have a Mac OS X version, but I’ve never used it; instead, new Mac users might prefer Cyberduck, a free and open source file transfer application that supports FTP, SFTP, WebDAV, Amazon S3, Windows Azure, and Google Storage. It’s not just an FTP client anymore! The nice thing about Cyberduck is that it leverages many of the features that drew you to Mac OS X in the first place: Spotlight, Quick Look, Bonjour, and Keychain.

Cyberduck is versatile, but for flat-out raw speed you’ll want to have a look at Interarchy. It’s not free, but it is powerful, and supports many of the same features as Cyberduck. Transmit, from Panic, is another option. Interarchy is my tool of choice.

Instant Messaging: Adium

Without a doubt, Adium is the king of the Mac OS X instant messaging world. With incredible protocol support (including Google Talk, Facebook Chat, MSN, AIM, MobileMe, Yahoo Messenger, ICQ, Bonjour/iChat, Twitter, IRC, MySpaceIM, Lotus Sametime, and Novell Groupwise), support for encryption (via OTR), integration with the Mac OS X Address Book, and a polished user interface, it’s hard to beat. Oh, did I mention it’s free and open source?

If you need integration into a corporate Microsoft Communicator-type environment, Microsoft has a Mac version of Communicator that will fill that need. For all other IM needs, use Adium.

Diagramming: OmniGraffle Professional

Need to create network diagrams (or any type of diagram, really)? Try OmniGraffle Professional. OmniGraffle Pro imports and exports Visio files (not just Visio drawings but also Visio stencils and templates), supports shared layers, custom data, and numerous other features. This is one app you’ll want to evaluate if you have a need for building diagrams of any sort. It’s not free and not open source, but still worth it in my opinion.

You can, of course, still run Microsoft Visio via a virtualization solution (see below).

Application Firewall: Little Snitch

Just because Mac OS X hasn’t yet seen as much malware and other stuff as other platforms doesn’t mean it isn’t coming. So be prepared: use an outbound application-level firewall like Little Snitch. Little Snitch will let you know about any outbound traffic that an application tries to initiate, and will let you approve or deny the traffic. Combine this with Mac OS X’s built-in inbound application-level firewall (enabled in the Security section of System Preferences) and the BSD-level ipfw firewall (which you’ll have to configure manually) and you’ve got the ability to keep network traffic into and out of your Mac locked up tight.

Traditional Productivity: Microsoft Office

Apple’s iWork suite (Pages, Numbers, and Keynote) are handy, but they haven’t quite caught up to Microsoft Office. If you need to exchange documents with other people using Microsoft Office (and let’s face it, who doesn’t?), this is your best choice (OpenOffice and LibreOffice come to mind). Is it the only choice? No, certainly not; there are numerous alternatives. But this choice saves you time sorting out conversion issues, giving more time to get real work done. Heads-up: I haven’t upgraded to Lion yet, and I’m hearing that there are some potential compatibility issues between Office 2011 and Lion.

Twitter Client: Twitterrific

While the 4.x branch of Twitterrific dropped some features I personally considered essential—namely, tweet filtering support and AppleScript support—I still find it to be a great Twitter client. I also find it handy to use the same client on my Mac, my iPhone, and my iPad.

Transition Support: VMware Fusion

Regardless of the new apps you might adopt, as a new Mac user you’re bound to find things that you still need to do in Windows. For those times, VMware Fusion is the way to go. Yes, there are other options (Parallels Desktop), but I’ve been using Fusion since the very earliest “Friends and Family” pre-beta releases in 2006 and have never experienced even the first problem with it.

SSH Client: OpenSSH, built-in!

As a former Windows user, you had to download and install an SSH client (typically PuTTY). No longer! Mac OS X comes with OpenSSH preinstalled, and all you need to do is open up Terminal (found in Applications > Utilities), use the ssh command, and you’re good to go.

There are plenty of other great apps that I use and support—Unison, Colloquy, Typinator, Yojimbo, Handbrake, MarsEdit, OmniFocus, and Skim, among others—but the seven applications listed above will certainly get you started.

Are there other apps that veteran Mac users would consider essential for a new Mac user? Please speak up in the comments!

Tags: , ,

vSphere Networking Design Presentation

Thursday, July 21, 2011 in Networking, Virtualization by slowe | 12 comments

It seems this is the week for catching up on stuff that I should have done a long time ago! Earlier in the week it was posting a video of the stretched cluster presentation I gave back in May at the Carolina VMware User Summit; this time it’s finally getting around to posting the presentation I gave at the Denver VMUG back at the end of June.

The presentation is on vSphere network design considerations and discusses some of the more commonly-encountered questions/issues regarding vSphere network designs. I hope that you get something useful from it.

As always, I welcome any questions, suggestions, or other feedback in the comments. Thank you for reading!

Tags: , , ,

Time for a Fresh Start

Tuesday, July 19, 2011 in Personal by slowe | 24 comments

I’ll bet that when you saw the title for this post, your first thought was that I was leaving EMC and starting a new job with a new employer. C’mon, admit it! No, I’m staying at EMC; this post is about getting a fresh start in a new location. That’s right; I’m relocating to the Denver, CO area. In fact, I signed lease papers on a house in the Castle Pines North area, just south of Denver, yesterday afternoon.

I’m pretty excited about this move. I’ve lived in the Raleigh-Durham area for a really long time, and it’s been a great location for a technology guy like me. Even so, I’m looking forward to settling into the Denver area. Crystal and I want to make some lifestyle changes—get into shape and spend more time being active—and I’m confident that the new neighborhood and new area will encourage those lifestyle changes. If you follow me on Twitter, you might have noticed me inquiring about mountain bikes; mountain biking is a sport I intend to take up after the move to Denver. My two youngest sons (the only two kids still at home with Crystal and me) are also looking forward to learning to snow ski and snowboard, something I also plan to join them in. All in all, everyone in the family is really looking forward to the move. Certainly, there are close friends that we will miss, but we’re anticipating new friends and new experiences in a new region.

The move won’t affect my job; I’ll still continue in my role as field CTO for the vSpecialist team. My function isn’t tied to any particular geographical region (my role is global, actually), so as long as I live within a reasonable distance of an airport I’m fine. I have to say that I really appreciate the vSpecialist team and team management; they’ve been awesome and completely supportive of the move.

Given my current work schedule and other responsibilities, the move isn’t actually going to take place until early September, after we wrap up VMworld US in Las Vegas. So, between now and then, it’s all about uncluttering and packing for the move! If any readers are Denver residents, I’d love to hear any “tips and tricks” you’d care to share. Thanks!

Tags:

Video of Stretched Cluster Presentation

Monday, July 18, 2011 in Networking, Storage, Virtualization by slowe | 1 comment

David Davis (of Train Signal and VMwareVideos.com) was kind enough to record my stretched clusters presentation at the Carolinas VMware User Summit back in May. That video recording has now made its way online, so if you are interested in watching/hearing the presentation you’re in luck! I’ve embedded the YouTube video below, or you can follow this link to view it at the YouTube site.

If you’re also interested in seeing the slide deck that accompanied my presentation, that’s available via this blog post.

Enjoy!

Many thanks to David Davis and Train Signal for recording the session and making the recording available.

Tags: , ,

Summary of Cisco Live 2011 Blog Posts

Friday, July 15, 2011 in Networking by slowe | 2 comments

This past week I had the opportunity to attend Cisco Live 2011 in Las Vegas. Along the way, I was blogging the sessions that I attended. To help make it easy to find the material, I thought I’d provide a quick “roll-up” post that summarizes not only the posts I published but also some posts from other bloggers. I’m sure that this list will not be comprehensive, but if you have additional posts/links you think I should add, let me know in the comments and I’ll update the post.

My Session Blogs

Here’s a list of the sessions I attended and blogged about:

BRKCRS-2031: Multilayer Campus Architectures and Design Principles
BRKMPL-1101: Introduction to MPLS
BRKCOM-3002: Network Redundancy and Load Balancing Designs for UCS Blade Servers
BRKDCT-2081: Cisco FabricPath Technology and Design
BRKDCT-2121: Virtual Device Context Design and Implementation Considerations
BRKDCT-3060: Deployment Considerations with Interconnecting DCs
BRKSAN-3707: Advanced SAN Services
BRKDCT-9131: Mobility and Virtualization with LISP and OTV

Other Cisco Live 2011 Blog Posts

Here are some other blog posts about Cisco Live 2011 that I found:

Cisco Live 2011 – Day 1 (Jason Nash)
Cisco Live 2011 – Day 2 (Jason Nash)
Cisco Live 2011 – Day 3 (Jason Nash)
BRKNMS-1032 Network Management KPI’s and ITIL (Trace McQuaig)
BRKARC-3471 Cisco NX-OS Software Architecture (Trace McQuaig)

If you have other posts that you think I should add, let me know in the comments below. Thanks!

Tags: , ,

BRKDCT-9131: Mobility and Virtualization with LISP and OTV

Thursday, July 14, 2011 in Networking, Virtualization by slowe | 3 comments

This is BRKDCT-9131, Mobility and Virtualization in the Data Center with LISP and OTV. This is one of the last, if not the last, session at Cisco Live 2011.

The presenter, Victor Moreno, spends a few minutes at first talking about distributed data center clouds, the goals, and the challenges of building them. Some of the challenges or considerations include:

  • L2 domain elasticity (think FabricPath and LAN extensions)
  • Fabric consolidation (think Unified Fabric, VDCs)
  • Storage elasticity (think SAN extensions)
  • IP localization (Route optimization and route portability)
  • VM awareness (think VN-Link)

Victor next discusses why LAN extensions are necessary. From a virtualization perspective, it’s because a live migration requires for the IP address of the VM to remain the same. He also discusses some non-routable L2 traffic that certain applications, but to me this seems far less likely/important than maintaining IP addresses.

There are different ways of tackling LAN extensions; the session blog from BRKDCT-3060 has more information on the various methods. This session is clearly slanted toward OTV, as the discussion of L2 VPNs focuses on the complexity of that solution as opposed to the benefits (like extremely fast convergence).

The next section reviews the MAC-in-IP encapsulation mechanism that OTV uses to transport L2 frames across a routed transport. Victor also reviewed how the OTV control plane (which uses IS-IS) proactively advertises MAC reachability information, so that all OTV edge devices already know what MAC addresses are reachable via the overlay.

Regardless of the method used to perform the LAN extension, this interferes with ingress routing. Subnet usually implies location, but with LAN extension this mechanism is obscured—the network doesn’t know which side of the extension hosts the device to which we are communicating. This is the fundamental issue addressed by LISP.

LISP is Location Identity Separation Protocol. The idea is to separate the use of the IP address as a means of making routing decisions from the use of the IP address as a means of indicating location. We want to “split” these purposes apart. By splitting these apart, we can allow workloads to move yet still make efficient routing decisions.

So how does LISP operate? Consider this walkthrough:

  1. The source endpoint performs a DNS lookup to find the destination.
  2. Traffic is remote, so traffic is sent to the branch router.
  3. The branch router doesn’t know how to get to the destination’s specific address, but it is LISP-enabled so it performs a LISP lookup to find a locator address.
  4. The LISP mapping database informs the branch router how to get to the one (or more) available addresses that can get it to the destination. The LISP mapping database can return priority and weight as part of this lookup, to help with traffic engineering/shaping.
  5. The branch router performs an IP-in-IP encapsulation and transmits the data out the appropriate interface based on standard IP routing decisions.
  6. The receiving LISP-enabled router receives the packet, decapsulates the packet, and forwards the packet to the final destination.

To support routers that are not LISP-enabled, you use proxy tunnel routers. Proxy tunnel routers will encapsulate or decapsulate traffic from or to routers that are not LISP-enabled.

Some terminology of which you should be aware:

  • EID: End-point identifier (host IP or prefix)
  • RLOC: Routing locator (IP address of routers in the backbone)
  • Tunnel router: Edge devices that perform encapsulation/decapsulation
  • ETR: Egress tunnel router
  • ITR: Ingress tunnel router
  • PxTR: Proxy tunnel router (gateway between LISP backbone and non-LISP-aware routers)
  • EID to RLOC mapping DB: Contains all the EID-to-RLOC mapping, distributed across multiple map servers (MS)

LISP resolution (determining the appropriate ETR by an ITR) is performed by the MS, which forwards requests to ETRs that have registered with the MS as authoritative for a particular prefix. The ITR then caches the mapping for future use.

Future revisions of the LISP standard will add extra security to prefix registrations, to avoid the malicious introduction of prefix registrations (I believe it’s referred to as LISP-SEC).

LISP enables on-demand routing. Rather than requiring that all routers maintain a full routing table, LISP routers will determine LISP prefix mappings on an as-needed basis.

Some potential use cases for LISP:

  • IP portability
  • Ingress traffic engineering without BGP
  • IPv6 transition support (6-over-4, 4-over-6, etc.)
  • Multitenancy and VPNs
  • VM mobility

Victor now walks through some scenarios concerning the use of LISP with VM mobility use cases. One interesting note: using LISP to provide IP portability means that I could use SRM to failover to a DR site but not have to perform IP customization—LISP would handle the IP routing side of the house. That’s a pretty cool combination.

The session is still going, but I have to get back to the show floor and finish tearing down the EMC booth.

Tags: , , , ,

BRKSAN-3707: Advanced SAN Services

Thursday, July 14, 2011 in Networking, Storage by slowe | No comments

This is BRKSAN-3707, Advanced SAN Services, presented by Mike Dunn.

According to TIP’s Storage Research, the top five storage initiatives are deduplication, technology refresh, tiered storage build-out, archiving, and consolidation.

The three main sections of the presentation are SAN consolidation with virtualization, tiered storage and backup design, and Fibre Channel over Ethernet (FCoE).

The presentation starts with SAN consolidation using virtualization. This is really a discussion of virtual SANs (VSANs), which allow you to consolidate SANs onto the same hardware but still providing logical separation of fabrics. In order to move between VSANs, you need to use Inter-VSAN Routing (IVR).

When is IVR needed? When an initiator in one VSAN needs to talk to a target in another VSAN. IVR maintains isolation while allowing for resource sharing.

A common use for IVR is to provide common SAN services, like a shared tape library. IVR would allow media servers in individual VSANs to talk to a shared tape library in a “common” VSAN.

Setting up IVR involves creating an IVR topology. This means you need to manually define the VSANs that will be used for IVR on each switch (all switches that perform IVR will need identical configuration). After defining the IVR topology, you activate it. Then you create your IVR zones and IVR zoneset, just like creating regular zones and zoneset.

IVR works by creating a virtual domain in each VSAN that represents the other VSANs in the topology. Likewise, it creates virtual devices in each VSAN that represent the devices in the other VSANs. This means that logically the initiator thinks the target is in the same VSAN.

Keep in mind that IVR doesn’t perform FC ID translation, so domain IDs have to be unique across all VSANs.

IVR does have a Network Address Translation (NAT) mode (IVR NAT). With IVR NAT, the virtual switch is given a randomly available domain ID; this means that you don’t need unique domain IDs across all VSANs. IVR NAT is the preferred method of IVR moving forward.

Some operating systems or devices need persistent FC IDs, so IVR NAT allows for static definitions of domain IDs and FC IDs.

Another use case for IVR is SAN extension. You can use IVR to isolate the “remote site” VSAN from the production VSAN, limiting edge VSAN events to only that VSAN. The recommended configuration uses a transit VSAN that connects the two data centers. This keeps the VSANs in each data center isolated to only that data center. (Think of it like a /30 network between two routers.)

A question was asked about using FCIP and whether IVR is needed in this sort of situation. In this case, IVR would not be necessary.

Mike next launches into a quick review of SAN designs. In a core-edge design, there are core switches where storage is attached and edge switches where hosts are attached. This sort of design generally tops out at about 1,700 devices.

For larger environments, you can use an edge-core-edge design. Storage devices have their own edge switches, as do servers, and the edge-to-edge traffic passes through the core. This sort of design tops out at about 4,200 devices.

That discussion was a lead-in to a discussion of NPV/NPIV. This is a topic I’ve covered previously, so I didn’t take notes on this section.

Mike did share some good information on the maximum number of logins per port (42 in switch mode, 114 in NPV mode—watch this value if you are using nested NPIV, which is the term for NPIV hosts connecting to an NPV mode switch) and logins per switch (MDS 9124/9124e/9134/9148).

After discussing NPV/NPIV, Mike moves on to discuss a feature called FlexAttach. FlexAttach resolves the issue of needing to modify zoning and zonesets when an HBA or server needs to be replaced. Basically, any host connecting to an F-port configured as a FlexAttach port will assume the virtual WWPN assigned to that F-port. This eliminates the need to reconfigure zones or zonesets if you replace the server or HBA connected to that F-port. If you’re familiar with the behavior of HP VirtualConnect, this appears to be very similar in behavior. FlexAttach is supported on the MDS platform, but is not supported on the Nexus platform.

(Side question: Is FlexAttach leveraged in UCS for vHBA configurations?)

That wraps up the first section; Mike now moves into a discussion of tiered storage and backup design. In this section he will discuss Data Mobility Manager (DMM), SANTap, and Storage Media Encryption (SME).

To perform data migrations, there are different approaches:

  • Server/software-based
  • Array-based
  • Appliance-based

Each of these approaches has advantages and disadvantages. Cisco’s solution is DMM, which is a SAN-based migration solution. DMM does both online and offline data migration, uses FC redirects to allow transparent insertion/removal, and is very fast (4.2TB/hr).

FC Redirect is a target-based mechanism for transparently redirecting traffic to a target. With regard to DMM specifically, when using DMM for data migration, FC redirect is used to redirect traffic to the DMM process itself. DMM then sends the I/Os to both the original (source) and destination locations on the SAN. In this regard, it sounds like DMM is performing a form of write-splitting.

In synchronous mode, when handling I/Os to a “migrated” area of the LUN, writes are mirrored. If I/Os are to a “in process” area, writes are queued temporarily until the region has been migrated. For I/Os to “unmigrated” areas are simply sent directly to the source LUN.

In a dual-fabric configuration, each fabric requires its own DMM. Each DMM can handle multiple VSANs.

DMM can also run in an asynchronous mode. In this mode, DMM uses Modified Region Logs (MRLs) to track changes to the source LUN. Any “dirty region” in the MRL is copied across to the target. There is no write penalty as there is with synchronous mode described earlier.

A question was raised about what happens when the data migration is complete. At that point, you’ll halt the I/O on the server, complete the job in DMM, and then rezone the fabric to point your host(s) to the new storage target.

You can use the DMM asynchronous mode to migrate data between data centers as well. To prevent having to span a VSAN to the remote site (generally not recommended), you can add another VSAN (a replication VSAN) and a third MSM (a module in the FC switch that runs DMM) to handle the inter-site traffic.

The 120 day evaluation licenses within NX-OS will enable DMM with full functionality for 120 days.

The presentation next shifts to Storage Media Encryption (SME). SME encrypts media for SAN-attached tapes, VTLs, and disk arrays. It uses AES-256 encryption and it is FIPS 140-2 certified. The solution can use a Cisco key management solution or RSA Key Manager. SME is a licensed feature and is only supported on certain platforms (requires certain modules, i.e., the MSM-18/4 or the SSN16).

SME uses FC redirects to transparently insert itself into the data stream to perform encryption.

Cisco’s key management solution, Key Management Center, is part of Cisco Fabric Manager. It handles archiving, replicating, recovering, and purging media keys.

Encrypting disks using SME will be available in NX-OS 5.2(1).

The next topic up is SANTap, which as many readers already know is leveraged by EMC RecoverPoint for heterogeneous storage replication. SANTap is a licensed feature but does not use FC redirects. Instead, SANTap uses a host VSAN and a target VSAN. In the host VSAN, SANTap creates a DVT (Data Virtual Target), which uses the WWPN of the real target port. In the target VSAN, SANTap creates a VI (Virtual Initiator), which uses the WWPN of the real host port. SANTAp issues I/Os (or splits I/Os) from the host to the DVT and passes a copy to an additional fabric-based appliance (i.e., a RecoverPoint appliance).

Mike did not have any information on SANTap support for the SCSI commands used by VMware for the VAAI/VAAIv2 offloads in vSphere 4 and vSphere 5. (Bummer!)

The last section of the presentation was on Fibre Channel over Ethernet (FCoE). The information contained in this section was review and stuff that I’ve already covered elsewhere.

Tags: , , , , ,

BRKDCT-3060: Deployment Considerations with Interconnecting DCs

Thursday, July 14, 2011 in Networking by slowe | 2 comments

This is BRKDCT-3060, Deployment Considerations with Interconnecting Data Centers, presented by Patrice Bellagamba (Distinguished SE) and Max Ardica (Solution Architect). Given that my role in virtualization and storage puts me squarely in the middle of these sorts of designs, I’m really looking forward to this session and gaining some valuable knowledge out of it.

The primary objectives of the session are to identify the business requirements driving DCI (Data Center Interconnect) deployments; understanding the functional components of the Cisco DCI solution; and get a full knowledge of Cisco LAN extension technologies and associated considerations. The session does NOT consider path optimization (ACE/GSS, LISP), storage extension considerations, and workload mobility application-specific considerations.

So what are some of the business drivers and solutions? There are several:

  • Business continuity (disaster recovery, HA framework)
  • Operational cost containment (DC maintenance or migration)
  • Business resource optimization (disaster avoidance, workload mobility)
  • Cloud services (inter-cloud networking, XaaS)

It is important, when extending VLANs between sites, to preserve STP domain isolation and storm control in order to keep fault domain as small as reasonably possible. A key part of a DCI model is path optimization, but that is not something that will be covered in this session.

In a VLAN extension environment, there are 5 different types of VLANs you might deploy in your data center:

  • Type T0: Limited to a single access layer device
  • Type T1: Extended within an aggregation block/pod
  • Type T2: Extended between aggregation blocks/pods within a single data center site
  • Type T3: Extended between aggregation blocks/pods as part of “twin DC sites” (usually connected via dark fiber; think metro/synchronous distances)
  • Type T4: Extended between aggregation blocks/pods as part of remote DC sites (think geo/asynchronous distances)

Note that these classifications are just for understanding the different ways VLANs are extended; this is not a configuration class or type.

There are three basic types of VLAN extensions: Ethernet-based, IP-based, or MPLS-based.

The Ethernet-based solution leverages dark fiber/DWDM connections between DCs. In this configuration, make sure to filter BPDUs on one site and enable broadcast storm control. You can leverage technologies like vPC or VSS to avoid loops and take advantage of redundant links between the DC sites. If you use vPC, you will need separate (dedicated) Layer 3 links for inter-DC routing.

There was a question about the distances supported for an Ethernet solution. According to Max, it’s less about distance and more about the dark fiber/DWDM/direct fibre connectivity requirements. Up to 60km is probably a reasonable distance for this solution.

The Ethernet-based solution is a viable solution, but Max prefers OTV.

OTV is Overlay Transport Virtualization and is something I’ve discussed on my site before. The OTV edge device (ED) is the device that performs the OTV encapsulation (MAC-in-IP encapsulation). The internal interfaces are the interfaces on the ED that face the site. The join interface is the interface of the ED that faces the core. The overlay interface is a logical entity that encapsulates the traffic.

Some considerations:

  • Join interfaces and internal interfaces are only supported on M1 modules.
  • The join interface can’t be an SVI or loopback interface, but it can be a port-channel interface or a routed physical interface (or sub-interface).

There were some other considerations but I couldn’t capture them in time.

OTV encapsulation adds 42 bytes to the packet IP MTU size. Be sure to keep this consideration in mind; ensure that you have the appropriate MTU size support end-to-end. The OTV control plane uses IS-IS to learn MAC address reachability information from remote OTV peers. In the current release of NX-OS, OTV requires multicast support in the transport network connecting the sites. NX-OS 5.2 will add unicast (Adjacency Server mode) support.

The adjacency server (or daemon) is “just an OTV edge device” that advertises the IP of each ED to all other EDs (in something called the OTV Neighbor List, or the oNL). All subsequent communications happen directly between EDs without going through the adjacency server/daemon.

By default OTV will isolate STP domains, which is an important part of any DCI solution. OTV also does not flood unknown unicast frames. OTV relies on the OTV control plane in order to ensure MAC address reachability information is in the MAC address table of edge OTV ED.

Some current limitations:

  • Up to 3 sites for OTV
  • Up to 128 extended VLANs
  • 12K MAC addresses

In NX-OS 5.2 these values increase to 6 sites, 256 VLANs, and 16K MAC addresses.

Max now shifts into a discussion of OTV deployment considerations. The first topic is where to place the OTV ED.

One option is to deploy the OTV ED in the core. This is an easy deployment in brownfield scenarios. In this case, the L2-L3 boundary remains at aggregation. You could have core devices perform both L3 and OTV functions, or you could use separate core devices, or you could use Nexus 7000 VDCs (see my VDC session blog for more information).

However, Max prefers deploying OTV at the aggregation layer. This preserves “pure” L3 functionality at the core and is consistent with OTV’s role as an “overlay” functionality.

Traffic on a Nexus 7000 belonging to a given VLAN can either be routed or extended, but not both. You must use dual VDCs to do both routing and OTV extension on the same Nexus 7000 physical device (either at the core or the aggregation layer).

Deploying OTV at the aggregation layer is recommended for greenfield deployments, but it does require Nexus 7000 at the aggregation layer.

A third option is to deploy OTV over dark fiber connections, much like the Ethernet-based solution described earlier. In this scenario you would not need separate L3 links as with the Ethernet-based solution. Because you are doing both routing and OTV extension at the same time, this solution would require dedicated OTV VDCs.

Max next covered the various scenarios of how you can actually connect the OTV VDC and L2/L3 VDCs. There are advantages and disadvantages to the various approaches: the simple appliance model uses fewer links but introduces other challenges; the most resilient model uses more links but provides faster convergence and better traffic flow.

Keep in mind that OTV is a pure IP encapsulation technology that does not include any L4 information (only L3 information wrapped around a MAC address), so IP hashing technologies (port-channel load balancing or ECMP hashing) won’t spread traffic across multiple links. In a two-site scenario, only one of two links will be used–always. In a three-site design, two links can be used (depends on the hashing). Future hardware updates will allow flow-based load balancing (F2 or F3 module, perhaps).

Native OTV support on F-series modules is targeted for a future hardware release. Neither F1 nor F2 modules support OTV currently.

In the event of various failure scenarios, only failures that cause an AED (Authoritative Edge Device) re-election cause extended outages for convergence. In NX-OS 5.2, convergence will be between 5 and 30 seconds for an AED re-election. Future releases will bring those values down. Failures that do not cause AED re-election will converge in sub-second timeframes.

Max still recommends configuring storm control (using the storm-control broadcast command) on the internal interface if you are concerned about broadcast storms with OTV.

Now Patrice takes over to discuss MPLS-based solutions (refer to my MPLS session blog for more information). There are three MPLS-based solutions: EoMPLS, A-VPLS, and H-VPLS.

EoMPLS is Ethernet-over-MPLS. To do this, you would use the xconnect command with MPLS encapsulation to create a point-to-point Ethernet over MPLS connection. In fact, a show cdp neighbor will show the remote port over the MPLS network.

This use of MPLS allows us to take advantage of all of MPLS’ features, like traffic engineering, for the traffic moving over this EoMPLS connection.

You can use LACP/vPC with multiple EoMPLS links.

You can also use MPLS over IP (using a GRE tunnel) and then create the EoMPLS pseudowires inside the GRE tunnels. (I think—this part got pretty complicated.) Because you are using GRE tunneling, you can apply an IPsec encryption profile against that tunnel to provide encryption for the EoMPLS traffic.

EoMPLS is point-to-point, so what about point-to-multipoint? VPLS can address this. With multiple devices connected across an MPLS core, each VSI (Virtual Switch Instance) will create multiple EoMPLS pseudowires to create a full mesh between all other VSIs.

There are considerations on attaching edge devices in this sort of configuration; best practices would be to make the MPLS-connected devices the STP root bridge (or avoid STP through vPC or equivalent). Patrice walks through a number of different deployment considerations and discussions of where to place the devices, but the focus of the discussion seemed to be more on VSS than A-VPLS. I’ll need to go back and review this information again in order to get a better understanding of the material.

Patrice now moves on to a discussion of H-VPLS.

H-VPLS is more suited for service providers (SPs) or SP-like enterprises. You might see this when interconnecting provider DCs, connecting enterprise DCs to provider DCs, or in high-end enterprise DCI scenarios.

ICCP is Inter-Chassis Communication Protocol that is in draft status with the IETF. I’m not clear on how this is related to vPC, vPC+ (since Patrice was talking about FabricPath), or other multi-chassis link aggregation solutions. I think the connection to H-VPLS is that you might use ICCP in connecting Layer 2 devices to the edge devices that will then be participating in the MPLS network.

Some terms:

  • mLACP Multi-Chassis Link Aggregation Protocol
  • MC-LAG: Multi-Chassis Link Aggregation Group
  • DHD: Dual-homed device (customer edge)
  • DHN: Dual-home network (customer edge)

Ah, here’s the information that helps me decipher the flow of the session. A-VPLS is only for certain devices (Catalyst 6500); H-VPLS is for high-end devices (7600, ASR-9K).

At this point I had to leave for a meeting so I wrapped up the session blog. Patrice was in the summary section of the presentation so no new information was going to be shared.

Tags: , , ,

« Older entries