Tenant traffic flow representation

Figure 5 depicts the traffic flow through each layer of the solution, from the virtual machine level to the storage layer.

Figure 5. Tenant traffic flow

© 2013 VCE Company, LLC. All Rights Reserved. 26
Traffic flow in the data center is classified into the following categories:

• Front-end: user to data center, Web, GUI
• Back-end: within the data center, multi-tier application, storage, backup
• Management: virtual machine access, application administration, monitoring, and so forth

Note: Front-end traffic, also called client-to-server traffic, traverses the Nexus 7000 aggregation layer and a select number of network-based services.

At the application layer, each tenant may have multiple vApps with applications and may have different virtual machines for different workloads. The Cisco Nexus 1000V distributed virtual switch acts as the virtual access layer for the virtual machines. Edge LAN policies, such as quality of service marking and vNIC ACLs, can be implemented at the Nexus 1000V. Each ESXi server becomes a virtual Ethernet blade of the Nexus 1000V, called a Virtual Ethernet Module (VEM).

Each vNIC connects to the Nexus 1000V through a port group; each port group specifies one or more VLANs used by a virtual machine NIC. The port group can also specify other network attributes, such as rate limit and port security. The VM uplink port profile forwards VLANs belonging to virtual machines. The system uplink port profile forwards VLANs belonging to management traffic. The virtual machine traffic for different tenants traverses the network through different uplink port profiles, where port security, rate limiting, and quality of service apply to guarantee secure separation and assurance.

VMware vSphere virtual machine NICs are associated with the Cisco Nexus 1000V to be used as the uplinks. The network interface virtualization capabilities of the Cisco adapter enable the use of a VMware multi-NIC design on a server that has two 10 GB physical interfaces, with complete quality of service, bandwidth sharing, and VLAN portability among the virtual adapters.
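The separation described above rests on VLAN assignment: each tenant's traffic rides its own uplink port profile, and management VLANs stay on the system uplink profile. A configuration drift that lets one VLAN appear in two tenants' profiles, or puts a management VLAN on a tenant uplink, silently breaks that isolation. The following is an added example, not code from the VCE guide or from Cisco: a small audit that parses a port-profile configuration in Nexus 1000V style and flags any VLAN shared across tenant boundaries. The configuration fragment and the tenant-to-profile mapping (`SAMPLE_CONFIG`, `TENANT_OF`) are constructed for illustration; the check treats the system uplink as a separate "management" tenant so that management VLANs leaking into a tenant profile are reported the same way.

```python
"""Audit Nexus 1000V-style port profiles for VLANs shared across tenants.

Added example, not part of the VCE guide. SAMPLE_CONFIG and TENANT_OF are
constructed inputs that mimic NX-OS port-profile syntax; they do not come
from a real device.
"""
import re
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed configuration fragment (NX-OS port-profile style, not a real device).
# tenantB-uplink deliberately carries VLAN 103, which also belongs to tenantA.
SAMPLE_CONFIG = """
port-profile type ethernet system-uplink
  switchport mode trunk
  switchport trunk allowed vlan 10,20
  no shutdown
  state enabled

port-profile type ethernet tenantA-uplink
  switchport mode trunk
  switchport trunk allowed vlan 101-103
  no shutdown
  state enabled

port-profile type ethernet tenantB-uplink
  switchport mode trunk
  switchport trunk allowed vlan 103,201-202
  no shutdown
  state enabled

port-profile type vethernet tenantA-web
  switchport mode access
  switchport access vlan 101
  state enabled
"""

# Constructed mapping of port profile -> owning tenant. The system uplink is
# modelled as its own "management" tenant so management VLANs are isolated too.
TENANT_OF = {
    "system-uplink": "management",
    "tenantA-uplink": "tenantA",
    "tenantA-web": "tenantA",
    "tenantB-uplink": "tenantB",
}

PROFILE_RE = re.compile(r"^port-profile\s+type\s+(ethernet|vethernet)\s+(\S+)$")
TRUNK_RE = re.compile(r"^switchport\s+trunk\s+allowed\s+vlan\s+(?:add\s+)?(.+)$")
ACCESS_RE = re.compile(r"^switchport\s+access\s+vlan\s+(\d+)$")


def expand_vlans(spec: str) -> Set[int]:
    """Expand an NX-OS VLAN list such as '101-103,200' into a set of VLAN IDs."""
    vlans: Set[int] = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_port_profiles(text: str) -> Dict[str, Dict]:
    """Return {profile_name: {'type': ..., 'vlans': set()}} from config text."""
    profiles: Dict[str, Dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PROFILE_RE.match(line)
        if m:
            current = m.group(2)
            profiles[current] = {"type": m.group(1), "vlans": set()}
            continue
        if current is None:
            continue
        m = TRUNK_RE.match(line)
        if m:
            profiles[current]["vlans"] |= expand_vlans(m.group(1))
            continue
        m = ACCESS_RE.match(line)
        if m:
            profiles[current]["vlans"].add(int(m.group(1)))
    return profiles


def find_cross_tenant_vlans(profiles: Dict[str, Dict],
                            tenant_of: Dict[str, str]) -> List[Tuple[int, str, str]]:
    """List (vlan, profile_a, profile_b) where a VLAN spans two different tenants.

    A profile missing from tenant_of is treated as its own tenant, so an
    unmapped profile is compared against everything rather than ignored.
    """
    findings: List[Tuple[int, str, str]] = []
    for a, b in combinations(sorted(profiles), 2):
        if tenant_of.get(a, a) == tenant_of.get(b, b):
            continue
        for vlan in sorted(profiles[a]["vlans"] & profiles[b]["vlans"]):
            findings.append((vlan, a, b))
    return findings


if __name__ == "__main__":
    for vlan, a, b in find_cross_tenant_vlans(parse_port_profiles(SAMPLE_CONFIG), TENANT_OF):
        print(f"VLAN {vlan} is carried by both {a} and {b} (different tenants)")
```

Running the block on the constructed input reports VLAN 103 as shared between tenantA-uplink and tenantB-uplink; the same routine run against a real `show running-config` export, with the tenant mapping taken from the tenant inventory, gives a repeatable control that the per-tenant uplink profiles really do keep tenant and management VLANs apart.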
vShield Edge controls all network traffic to and from the virtual data center and helps provide an abstraction of the separation in the cloud environment.

Virtual machine traffic goes through the UCS FEX (I/O module) to the fabric interconnect 6120. If the traffic is aligned to use the storage resources and it is intended to use FC storage, it passes over an FC port on the fabric interconnect and Cisco MDS, to the storage array, and through a storage processor, to reach the specific storage pool or storage groups. For example, if a tenant is using a dedicated storage resource with specific disks inside a storage array, traffic is routed to the assigned LUN with a dedicated storage group, RAID group, and disks. If there is NFS traffic, it passes over a network port on the fabric interconnect and Cisco Nexus 5000, through a virtual port channel to the storage array, and over a data mover, to reach the NFS data store. The NFS export LUN is tagged with a VLAN to ensure security and isolation, with a dedicated storage group, RAID group, and disks. Figure 5 shows an example of a few dedicated tenant storage resources. However, if the storage is designed for a shared traffic pool, traffic is routed to a specific storage pool to pull resources.

ESXi hosts for different tenants pass the server-client and management traffic over a server port and reach the access layer of the Nexus 5000 through a virtual port channel. Server blades on the UCS chassis are allocated for the different tenants. The resource on UCS can be dedicated or shared. For example, if using dedicated servers for each tenant, VLANs are assigned for different tenants and are carried over the dot1Q trunk to the aggregation layer of the Nexus 7000, where each tenant is mapped to a Virtual Routing and Forwarding (VRF) instance. Traffic is routed to the external network over the core.