Vblock Solution for Trusted Multi-Tenancy: Design Guide - VCE

More documents

Recommendations

Info

Tenant traffic flow representation Figure 5 depicts the traffic flow through each layer of the solution, from the virtual machine level to the storage layer. Figure 5. Tenant traffic flow © 2013 VCE Company, LLC. All Rights Reserved. 26
Traffic flow in the data center is classified into the following categories: • Front-end—User to data center, Web, GUI • Back-end—Within data center, multi-tier application, storage, backup • Management—Virtual machine access, application administration, monitoring, and so forth Note: Front-end traffic, also called client-to-server traffic, trav erses the Nexus 7000 aggregation layer and a select number of network-based services. At the application layer, each tenant may have multiple vApps with applications and have different virtual machines for different workloads. The Cisco Nexus 1000V distributed virtual switch acts as the virtual access layer for the virtual machines. Edge LAN policies, such as quality of service marking and vNIC ACLs, can be implemented at the Nexus 1000V. Each ESXi server becomes a virtual Ethernet blade of Nexus 1000V, called Virtual Ethernet Module (VEM). Each vNIC connects to Nexus 1000V through a port group; each port group specifies one or more VLANs used by a virtual machine NIC. The port group can also specify other network attributes, such as rate limit and port security. The VM uplink port profile forwards VLANs belonging to virtual machines. The system uplink port profile forwards VLANs belonging to management traffic. The virtual machine traffic for different tenants traverses the network through different uplink port profiles, where port security, rate limiting, and quality of service apply to guarantee secure separation and assurance. VMware vSphere virtual machine NICs are associated to the Cisco Nexus 1000V to be used as the uplinks. The network interface virtualization capabilities of the Cisco adapter enable the use of VMware multi-NIC design on a server that has two 10 GB physical interfaces with complete quality of service, bandwidth sharing, and VLAN portability among the virtual adapters. vShield Edge controls all network traffic to and from the virtual data center and helps provide an abstraction of the separation in the cloud environment. Virtual machine traffic goes through the UCS FEX (I/O module) to the fabric interconnect 6120. If the traffic is aligned to use the storage resources and it is intended to use FC storage, it passes over an FC port on the fabric interconnect and Cisco MDS, to the storage array, and through a storage processor, to reach the specific storage pool or storage groups. For example, if a tenant is using a dedicated storage resource with specific disks inside a storage array, traffic is routed to the assigned LUN with a dedicated storage group, RAID group, and disks. If there is NFS traffic, it passes over a network port on the fabric interconnect and Cisco Nexus 5000, through a virtual port channel to the storage array, and over a data mover, to reach the NFS data store. The NFS export LUN is tagged with a VLAN to ensure the security and isolation with a dedicated storage group, RAID group, and di sks. Figure 5 shows an example of a few dedicated tenant storage resources. However, if the storage is designed for a shared traffic pool, traffic is routed to a specific storage pool to pull resources. ESXi hosts for different tenants pass the server-client and management traffic over a server port and reach the access layer of the Nexus 5000 through virtual port channel. Server blades on UCS chassis are allocated for the different tenants. The resource on UCS can be dedicated or shared. For example, if using dedicated servers for each tenant, VLANs are assigned for different tenants and are carried over the dot1Q trunk to the aggregation layer of the Nexus 7000, where each tenant is mapped to the Virtual Routing and Forwarding (VRF). Traffic is routed to the external network over the core. © 2013 VCE Company, LLC. All Rights Reserved. 27
Page 1 and 2: Vbl oc k Sol uti on for Trus ted M
Page 3 and 4: Contents Introduction .............
Page 5 and 6: Design cons iderations for availabi
Page 7 and 8: Introduction The Vblock Solution fo
Page 9 and 10: Trusted multi-tenancy foundational
Page 11 and 12: Security and compliance Security an
Page 13 and 14: Technology overview The Vblock Syst
Page 15 and 16: Compute technologies Within the com
Page 17 and 18: EMC FA ST Cache EMC FAST Cache is a
Page 19 and 20: Cisco Data Center Netw ork Manager
Page 21 and 22: Figure 3. Trusted multi-tenancy des
Page 23 and 24: Netw ork layers Access layer Nexus
Page 25: The logical topology represents the
Page 29 and 30: Figure 7. Management cluster and re
Page 31 and 32: Resource groups A resource group is
Page 33 and 34: vSpher e cluster specifications Eac
Page 35 and 36: Security The RSA Archer eGRC Platfo
Page 37 and 38: Design considerations for managemen
Page 39 and 40: Configuration While UIM/P automates
Page 41 and 42: Figure 13 describes the provisionin
Page 43 and 44: Design considerations for secure se
Page 45 and 46: Figure 14 shows an example of how t
Page 47 and 48: UCS organizations The Cisco UCS org
Page 49 and 50: Figure 18 is an example of a UCS Se
Page 51 and 52: Figure 20 shows that VSAN 10 and VS
Page 53 and 54: A service provider may want to view
Page 55 and 56: Figure 25 shows an example of an in
Page 57 and 58: To deploy an organization or vApp n
Page 59 and 60: Figure 29 shows different quality o
Page 61 and 62: Figure 31. Organization virtual dat
Page 63 and 64: Element Role User Action Priv ilege
Page 65 and 66: VMw are vCloud Director Role-based
Page 67 and 68: VMw are vCenter Server VMware vCent
Page 69 and 70: Figure 41 shows how port channel 10
Page 71 and 72: VMware v Cloud Director cells VMwar
Page 73 and 74: Design considerations for tenant ma
Page 75 and 76: For example, in vCloud Director, th
Page 77 and 78:
Key Vblock System metrics When dete
Page 79 and 80:
Design scenarios of VSAN and zoning
Page 81 and 82:
Figure 49 is a graphical representa
Page 83 and 84:
Figure 50 shows a physical data mov
Page 85 and 86:
CIFS stack component CIFS Share ABE
Page 87 and 88:
Support for VLAN tagging in iSCSI V
Page 89 and 90:
Design considerations for service a
Page 91 and 92:
EMC FAST VP storage tiering There a
Page 93 and 94:
When a provider virtual data center
Page 95 and 96:
LUN masking component authorization
Page 97 and 98:
Network encryption The Storage Mana
Page 99 and 100:
Local and remote data protection It
Page 101 and 102:
Design considerations for service p
Page 103 and 104:
The following table lists example V
Page 105 and 106:
Use VLANs to achieve network separa
Page 107 and 108:
The traffic flow types break down i
Page 109 and 110:
The following table describes the h
Page 111 and 112:
Deployment recommenda tions Firewal
Page 113 and 114:
Cisco ACE provides a highly availab
Page 115 and 116:
The IPS deployment in the data cent
Page 117 and 118:
Cisco A CE, Cisco ACE Web Applic at
Page 119 and 120:
Figure 70. Data center access layer
Page 121 and 122:
When a network policy is defined on
Page 123 and 124:
Using a different ERSPAN-id for eac
Page 125 and 126:
A VLAN access control list (VACL) i
Page 127 and 128:
Virtual por t channel A vi rtual po
Page 129 and 130:
Design considerations for service p
Page 131 and 132:
Design considerations for secure se
Page 133 and 134:
Design considerations for security
Page 135 and 136:
RSA enV ision RSA enVision helps th
Page 137 and 138:
Conclusion The six foundational ele
Page 139 and 140:
Next steps To learn more about this
Page 141 and 142:
Acronym LACP LUN MAC NAM NAT NDMP N
Page 143:
ABOUT VCE VCE, formed by Cisco and
show all

Vblock Solution for Trusted Multi-Tenancy: Design Guide - VCE

Create successful ePaper yourself

Delete template?

Save as template?