Vblock Solution for Trusted Multi-Tenancy: Design Guide - VCE

More documents

Recommendations

Info

Virtual access layer/v Sw itch Cisco Nexus 1000V distributed virtual switch acts as the virtual network access layer for the virtual machines. Edge LAN policies such as quality of service marking and vNIC ACLs are implemented at this layer in Nexus 1000V port-profiles. The following table describes the virtual access layer. Component One data center VMware ESXi serv ers Tenant Description One primary Nexus 1000V Virtual Superv isor Module (VSM) One secondary Nexus 1000V Virtual Superv isor Module Each running an instance of the Nexus 1000V Virtual Ethernet Module (VEM) Multiple v irtual machines, which hav e diff erent applications such as Web serv er, database, and so f orth, for each tenant Storage and SA N layer The trusted multi-tenancy design framework is based on the use of storage arrays supporting fibre channel connectivity. The storage arrays connect through MDS SAN switches to the UCS 6120 switches in the access layer. Several layers of security (including zoning, access controls at the guest operating system and ESXi level, and logical unit number (LUN) masking within the VNX) tightly control access to data on the storage system. Compute layer The following table provides an example of the components of a multi-tenant environment virtual compute farm. Note: A Vblock System may have more resources than what is described in the f ollowing table. Component Description Three UCS 5108 chassis • 11 UCS B200 servers (dual quad-core Intel Xeon X5570 CPU at 2.93 GHZ and 96 GB RAM) • Four UCS B440 serv ers (f our Intel Xeon 7500 series processors and 32 dual in-line memory module slots with 256 GB memory) • Ten GbE Cisco VIC conv erged network adapters (CNA) organized into a VMware ESXi cluster 15 serv ers (4 clusters) • Each serv er has two CNAs and are dual-attached to the UCS 6100 f abric interconnect • The CNAs provide: - LAN and SAN connectivity to the serv ers, which run VMware ESXi 5.0 hypervisor - LAN and SAN services to the hypervisor © 2013 VCE Company, LLC. All Rights Reserved. 22
Netw ork layers Access layer Nexus 5000 is used at the access layer and connects to the Cisco UCS 6120s. In the Layer 2 access layer, redundant pairs of Cisco UCS 6120 switches aggregate VLANs from the Nexus 1000V distributed virtual switch. FCoE SAN traffic from virtual machines is handed off as FC traffic to a pair of MDS SAN switches, and then to a pair of storage array controllers. FC expansion modules in the UCS 6120 switch provide SAN interconnects to dual SAN fabrics. The UCS 6120 switches are in N Port virtualization (NPV) mode to interoperate with the SAN fabric. Aggrega tion la yer Nexus 7000 is used at the aggregation layer. The virtual device context (VDC) feature in the Nexus 7000 separates it into sub-aggregation and aggregation virtual device contexts for Layer 3 routing. The aggregation virtual device context connects to the core network to route the internal data center traffic to the Internet and from the Internet back to the internal data center. Logical topology Figure 4 shows the logical topology for the trusted multi-tenancy design framework. © 2013 VCE Company, LLC. All Rights Reserved. 23
Page 1 and 2: Vbl oc k Sol uti on for Trus ted M
Page 3 and 4: Contents Introduction .............
Page 5 and 6: Design cons iderations for availabi
Page 7 and 8: Introduction The Vblock Solution fo
Page 9 and 10: Trusted multi-tenancy foundational
Page 11 and 12: Security and compliance Security an
Page 13 and 14: Technology overview The Vblock Syst
Page 15 and 16: Compute technologies Within the com
Page 17 and 18: EMC FA ST Cache EMC FAST Cache is a
Page 19 and 20: Cisco Data Center Netw ork Manager
Page 21: Figure 3. Trusted multi-tenancy des
Page 25 and 26: The logical topology represents the
Page 27 and 28: Traffic flow in the data center is
Page 29 and 30: Figure 7. Management cluster and re
Page 31 and 32: Resource groups A resource group is
Page 33 and 34: vSpher e cluster specifications Eac
Page 35 and 36: Security The RSA Archer eGRC Platfo
Page 37 and 38: Design considerations for managemen
Page 39 and 40: Configuration While UIM/P automates
Page 41 and 42: Figure 13 describes the provisionin
Page 43 and 44: Design considerations for secure se
Page 45 and 46: Figure 14 shows an example of how t
Page 47 and 48: UCS organizations The Cisco UCS org
Page 49 and 50: Figure 18 is an example of a UCS Se
Page 51 and 52: Figure 20 shows that VSAN 10 and VS
Page 53 and 54: A service provider may want to view
Page 55 and 56: Figure 25 shows an example of an in
Page 57 and 58: To deploy an organization or vApp n
Page 59 and 60: Figure 29 shows different quality o
Page 61 and 62: Figure 31. Organization virtual dat
Page 63 and 64: Element Role User Action Priv ilege
Page 65 and 66: VMw are vCloud Director Role-based
Page 67 and 68: VMw are vCenter Server VMware vCent
Page 69 and 70: Figure 41 shows how port channel 10
Page 71 and 72: VMware v Cloud Director cells VMwar
Page 73 and 74:
Design considerations for tenant ma
Page 75 and 76:
For example, in vCloud Director, th
Page 77 and 78:
Key Vblock System metrics When dete
Page 79 and 80:
Design scenarios of VSAN and zoning
Page 81 and 82:
Figure 49 is a graphical representa
Page 83 and 84:
Figure 50 shows a physical data mov
Page 85 and 86:
CIFS stack component CIFS Share ABE
Page 87 and 88:
Support for VLAN tagging in iSCSI V
Page 89 and 90:
Design considerations for service a
Page 91 and 92:
EMC FAST VP storage tiering There a
Page 93 and 94:
When a provider virtual data center
Page 95 and 96:
LUN masking component authorization
Page 97 and 98:
Network encryption The Storage Mana
Page 99 and 100:
Local and remote data protection It
Page 101 and 102:
Design considerations for service p
Page 103 and 104:
The following table lists example V
Page 105 and 106:
Use VLANs to achieve network separa
Page 107 and 108:
The traffic flow types break down i
Page 109 and 110:
The following table describes the h
Page 111 and 112:
Deployment recommenda tions Firewal
Page 113 and 114:
Cisco ACE provides a highly availab
Page 115 and 116:
The IPS deployment in the data cent
Page 117 and 118:
Cisco A CE, Cisco ACE Web Applic at
Page 119 and 120:
Figure 70. Data center access layer
Page 121 and 122:
When a network policy is defined on
Page 123 and 124:
Using a different ERSPAN-id for eac
Page 125 and 126:
A VLAN access control list (VACL) i
Page 127 and 128:
Virtual por t channel A vi rtual po
Page 129 and 130:
Design considerations for service p
Page 131 and 132:
Design considerations for secure se
Page 133 and 134:
Design considerations for security
Page 135 and 136:
RSA enV ision RSA enVision helps th
Page 137 and 138:
Conclusion The six foundational ele
Page 139 and 140:
Next steps To learn more about this
Page 141 and 142:
Acronym LACP LUN MAC NAM NAT NDMP N
Page 143:
ABOUT VCE VCE, formed by Cisco and
show all

Vblock Solution for Trusted Multi-Tenancy: Design Guide - VCE

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?