best practices for core, aggregation and access-layer networking, security, isolation and QoS. The server computing, server virtualization, and SAN storage components are attached at the access layer. Each layer of the VMDC architecture supports the ability to segment and isolate traffic by user or class-of-service.

Core/aggregation layer - Provides core routing functionality over high-speed links, which brings together multiple aggregation layer areas within the data center.

Services layer - Provides security, load balancing, traffic inspection, and routing services to multiple access layer users and devices. These services are run at the services layer on highly available platforms so that high-speed packet switching can move to the core layer.

NAS/Network File System (NFS) storage layer - Provides IP connectivity to NAS/NFS storage services for virtual machines (NFS) or user-shared data (NAS/common Internet file system (CIFS)).

validate the solution as well as to deliver an entry-level price-point for customers, and the expanded Pod allows Cisco to test the system at a larger scale. Visibility to the solution will soon be available within Cisco's Customer Proof of Concept labs.

This view, in Figure 2, shows the physical rack layout of a Cisco VMDC Pod (network/compute/storage), as well as the aggregation and core network elements.

NOTE: This is a typical rack layout, although specific customer layouts may vary based on environmental considerations within individual data centers.

with a scalable data center core network. This architecture provides a predictable and homogeneous method to add self-contained Pods as you need additional resources. The test bed that is used for this reference architecture uses a data center built with the use of Pod. All of the equipment defined in this document is in operation at Cisco Solution Labs in San Jose, CA and Research Triangle Park, NC. The equipment in the labs is typically in two configuration sizes: compact Pod and expanded Pod.
The compact Pod allows Cisco to rapidly

Intel® Cloud Builders Guide for Unified Networking with Cisco* Virtualized Multi-Tenant Data Center*

Figure 3. Cisco VMDC Pod Logical Topology (includes layers of the network)

This is typically considered similar to an access layer, with both 1 GbE and 10 GbE connectivity.

Access layer - Provides aggregation of computing devices and other endpoints (wireless access points, printers, etc.) through 100 Mb/1 Gb/10 Gb links. The segmentation (through virtual local area networks (VLANs)) that provides multi-tenancy capabilities across the network is overlaid on the access layer. A combination of both data (LAN) and storage (SAN/NAS) protocols is within the access layer.

Compute layer - Provides connectivity to Cisco UCS, which hosts virtualized (e.g. VMware) and non-virtualized business applications. You can dedicate computing resources within the Cisco UCS to a specific application or share them among many applications. You can dedicate UCS resources to a specific user or share them with many business groups. Access to Cisco UCS is through unified 10 GbE links that can carry both LAN and SAN traffic.

SAN storage layer - Provides fiber channel (FC), iSCSI, or fiber channel over Ethernet (FCoE) connectivity to SAN storage. Uses zoning and logical unit number (LUN) masking to extend isolation capabilities to VMDC for multi-tenancy.

Figure 4 shows the physical 10 GbE connectivity between the layers within the Cisco VMDC. The figure highlights the VDC functionality that provides network-centric services to both the access and core layers through the aggregation layer.

Many customers will need to expand their cloud capacity, so it's important to understand how multiple Cisco VMDC Pods interconnect within the data center. Figure 5 shows a logical view of multiple Pods and how they interconnect into the broader network. Figure 5 highlights how you can deliver multiple classes of service to a shared infrastructure in a multi-tenant environment.
Technical Review

Installation Overview

In general terms, an installation of Cisco VMDC will accomplish the following tasks:

- Prepare the physical environment. VMDC Pod is made up of equipment that will fill multiple standard equipment racks. We listed the equipment in Figure 2.
- Prepare the cabling between the equipment, including Cat5/6, Twinax and Fiber cabling to interconnect the servers, network, and storage.
- Prepare the system addressing and naming, including IP addressing, storage addressing, and DNS naming.
- Prepare the computing environment, including identification of application images for virtualization, operating systems, applications, and the associated storage (LUNs, file systems) and networking.
- Configure the elements within the VMDC architecture.
- Enable and configure the system management, network management and system orchestration.

Figure 4. VMDC Pod, Physical Layout - 10 Gb Access Layer

Use Case Details

This paper focuses on unified networking and multi-tenancy use cases.

Unified Networking: Enterprise data center networks are complex systems. We typically connect servers in the data center to several different networks for diverse functions such as production traffic, backups, storage, management, and VM migration. While Ethernet is the predominant networking technology in use, many data centers utilize FC technology for their storage network. If the traffic load demands it, individual network ports are aggregated to provide more capacity for a particular function. These practices result in many network connections for each server and require the corresponding cables and switch ports to support them. Up to 6-12 network connections are common for a virtualized server today, which impacts the data center CapEx and OpEx due to the overall complexity of this arrangement. The transition to 10 GbE allows consolidation of
multiple separate Ethernet ports into fewer 10 GbE ports which greatly simplifies the data center network, reduces costs, and simultaneously provides greater overall platform networking bandwidth capability. If you have used FC in the past, you can use this additional Ethernet capacity effectively to consolidate separate storage network traffic onto a common 10 GbE unified networking infrastructure which drives an even simpler and more cost effective data center. 10 GbE consolidation and unified networking can greatly simplify network management.

Multi-tenancy: Multi-tenancy refers to the capability of the data center to host multiple customers such that the resources for each customer (network, storage, and compute) are logically separate from other customers' resources, with security separating them. This is a critical attribute of any cloud computing deployment, as it is one of the key items that differentiates cloud computing and IaaS from collocation or dedicated infrastructure for each application. It is relevant in public clouds that host multiple customers with the same or different service-level requirements, and in private clouds in which multiple departments or organizations share the same cloud infrastructure.

You must support different degrees of multi-tenancy throughout the data center. The data center architecture should balance logical and physical segmentation. You assign unique resources to each tenant in a modular data center. These resources include different policies, pools, and QoS definitions. Virtualization at different layers of a network allows the infrastructure to provide logical isolation without the dedication of physical resources to each customer. A scalable data center that supports multi-tenancy architecture should include:

- Modular, multi-tenant data center design with data center infrastructure modules optimized for different scale and cost points
- Service orchestration for on-demand provisioning of
resources
- Service-tier based design to allow for differentiated services
- Workload mobility and disaster recovery capability for business continuance
- Security at each layer of the data center

Execution and Results

Once you build the physical and logical environment within the data center, the next set of tasks focuses on validation of the architecture. Since the Cisco VMDC brings together dozens of technology elements, the breadth of use cases is very large. Table 2 highlights the main areas of attention that cloud architects and IT operations should focus on to validate the architecture.

Figure 5. VMDC End-to-End Logical Topology (Bronze, Silver, Gold)

Within each area, you should follow defined test cases to validate that each function works properly and performs to the expected levels. In this document we will not detail all functional areas, but rather highlight the segmentation/isolation (multi-tenancy) function.

Network Segmentation and Isolation

Within the core of the network, routing protocols allow us to logically segment the network infrastructure. You could use each segment for a class of service (Gold, Silver, Bronze) or dedicate it to a set of users (a tenant). Beyond the use of routing protocols, the core switches use Virtual Data Context (VDC) functionality to virtualize the hardware into logical switches, which further isolates segments of the infrastructure from other segments.

Features - Technologies

Data center end-to-end functionality validation for SAN and NAS - End-to-end feature/integration testing, including QoS for all data-center network layers from access to wide area network (WAN) edge on all platforms, ESX/VM provisioning, boot up, and maintenance, and SAN/NAS storage design verification
Disaster recovery scenario validation - Transparent movement of data center workloads for business continuance (active backup scenario)
Automation validation - Validation of
service orchestration, portal, service catalog validation with element manager, and integration for compute and network
Data center services functionality validation - Validation of service tier offerings with data center services node (firewall and load balancing), multi-tenancy through VLANs, zoning, LUN masking
Failover scenario validation - Validation of redundancy designs (with baseline steady state traffic) - routing, virtual PC (vPC)/MEC, equal cost multipath (ECMP), virtual switching system (VSS), hot standby router protocol (HSRP), active-active service modules, clustering
Security validation - End-to-end security validation on various components
Scalability verification - Multidimensional scalability (VLAN, media access control (MAC), HSRP, routes, contexts, VM) within scope of architecture

Table 2

Requirement Matrix / Component / Features that Address Requirements

End-to-end VRF Lite - Individual VRFs for all customers and all departments from BCBB1 through VDC2 in the sub-aggregation layer to provide Layer 3 segregation.
IGP (interior gateway protocol) (open shortest path first (OSPF)) - OSPF is configured from the edge routers to VDC2 in the sub-aggregation layer.
Border gateway protocol (BGP) - BGP is configured between the edge routers and DC-BB1.

Table 3

Figure 6. VMDC Core Network Topology

We use VRF lite to configure each router. There are 32 VRFs. We configure the VRFs in DC-BB1 and extend them to the sub-aggregation layer. We configure BGP between DC-BB1, DC-Edge1, and DC-Edge2. We advertise client networks on DC-BB1 over BGP to the edge routers, DC-Edge1, and DC-Edge2. We configure the edge routers with BGP and OSPF. The edge routers are OSPF internal routers (IR) and are only in OSPF backbone area 0. Through the use of route maps, we redistribute BGP client routes into OSPF at edge routers to the aggregation layer.
Server subnets advertised into OSPF by the aggregation layer to the edge routers are redistributed into BGP at the edge routers to DC-BB1. We redistribute the server subnet routes into BGP through the use of the metric option in the redistribute command so that server subnet routes for all odd VRFs are sent to DC-BB1 from DC-Edge1 and server subnet routes for all even VRFs are sent to DC-BB1 from DC-Edge2. This configuration allows for the control of client-to-server (north to south) traffic to load balance from north to south. ECMP automatically takes care of this configuration for server to client traffic (south to north).

This output shows the isolated routing table (per-VRF) for router 1:

DC-Edge1#sh ip route vrf Dept-1-Bronze-1
Routing Table: Dept-1-Bronze-1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 4 subnets
O IA    1.1.1.11 [110/4] via 121.2.1.16, 10:31:16, TenGigabitEthernet2/1.1901
                 [110/4] via 121.1.1.15, 10:31:16, TenGigabitEthernet1/1.1801
O IA    1.1.1.12 [110/4] via 121.2.1.16, 10:31:16, TenGigabitEthernet2/1.1901
                 [110/4] via 121.1.1.15, 10:31:16, TenGigabitEthernet1/1.1801
O       1.1.1.15 [110/2] via 121.1.1.15, 10:31:16, TenGigabitEthernet1/1.1801
O       1.1.1.16 [110/2] via 121.2.1.16, 10:31:16, TenGigabitEthernet2/1.1901
     101.0.0.0/16 is subnetted, 1 subnets
O IA    101.1.0.0 [110/43] via 121.2.1.16, 10:31:16, TenGigabitEthernet2/1.1901
                  [110/43] via 121.1.1.15, 10:31:16, TenGigabitEthernet1/1.1801
     99.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       99.10.1.0/24 is directly connected, Port-channel4.1701
B       99.15.1.0/24 [20/0] via 99.10.1.19, 3w6d
C       99.1.1.17/32 is directly connected, Loopback1
B       99.1.1.19/32 [20/0] via 99.10.1.19, 3w6d
     111.0.0.0/24 is subnetted, 1 subnets
O IA    111.1.9.0 [110/3] via 121.2.1.16, 10:31:16, TenGigabitEthernet2/1.1901
                  [110/3] via 121.1.1.15, 10:31:16, TenGigabitEthernet1/1.1801
     121.0.0.0/24 is subnetted, 5 subnets
C       121.1.1.0 is directly connected, TenGigabitEthernet1/1.1801
C       121.2.1.0 is directly connected, TenGigabitEthernet2/1.1901
C       121.3.1.0 is directly connected, Port-channel2.1601
O       121.4.1.0 [110/2] via 121.3.1.18, 10:31:16, Port-channel2.1601
O       121.5.1.0 [110/2] via 121.3.1.18, 10:31:16, Port-channel2.1601

This output shows the isolated routing table (per-VRF) for router 2:

DC-Edge2#sh ip route vrf Dept-1-Bronze-1
Routing Table: Dept-1-Bronze-1
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
     1.0.0.0/32 is subnetted, 4 subnets
O IA    1.1.1.11 [110/4] via 121.5.1.15, 10:31:19, TenGigabitEthernet2/1.1821
                 [110/4] via 121.4.1.16, 10:31:19, TenGigabitEthernet1/1.1921
O IA    1.1.1.12 [110/4] via 121.5.1.15, 10:31:19, TenGigabitEthernet2/1.1821
                 [110/4] via 121.4.1.16, 10:31:19, TenGigabitEthernet1/1.1921
O       1.1.1.15 [110/2] via 121.5.1.15, 10:31:19, TenGigabitEthernet2/1.1821
O       1.1.1.16 [110/2] via 121.4.1.16, 10:31:19, TenGigabitEthernet1/1.1921
     101.0.0.0/16 is subnetted, 1 subnets
O IA    101.1.0.0 [110/43] via 121.5.1.15, 10:31:19, TenGigabitEthernet2/1.1821
                  [110/43] via 121.4.1.16, 10:31:19, TenGigabitEthernet1/1.1921
     99.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C       99.11.1.0/24 is directly connected, Port-channel3.1721
B       99.15.1.0/24 [20/0] via 99.11.1.19, 3w6d
C       99.1.1.18/32 is directly connected, Loopback1
B       99.1.1.19/32 [20/0] via 99.11.1.19, 3w6d
     111.0.0.0/24 is subnetted, 1 subnets
O IA    111.1.9.0 [110/3] via 121.5.1.15, 10:31:19, TenGigabitEthernet2/1.1821
                  [110/3] via 121.4.1.16, 10:31:19, TenGigabitEthernet1/1.1921
     121.0.0.0/24 is subnetted, 5 subnets
O       121.1.1.0 [110/2] via 121.3.1.17, 10:31:19, Port-channel2.1601
O       121.2.1.0 [110/2] via 121.3.1.17, 10:31:19, Port-channel2.1601
C       121.3.1.0 is directly connected, Port-channel2.1601
C       121.4.1.0 is directly connected, TenGigabitEthernet1/1.1921
C       121.5.1.0 is directly connected, TenGigabitEthernet2/1.1821

Aggregation and Sub-Aggregation Layers (Services VDC Sandwich Design)

Data center service insertion requirements may include server load balancing devices, security devices such as firewall and intrusion prevention, and others. There are multiple approaches for the integration of these services into the data flow. Design decisions include the use of modules in external services chassis, the use of appliances, and whether to run the service devices in a transparent or routed mode. One design approach is to configure all services in transparent mode, but to insert an additional layer of routing instances between the server farm subnets and the services devices. We have shown this approach previously in design guidance with the use of VRFs, and the deployment of multiple VRFs also provides the capability to direct traffic independently through multiple virtual contexts on the service devices, through the virtualization of both the routing functions and the services devices in the design.

Another design approach includes the configuration of the firewall services modules in transparent mode and the Cisco Application Control Engine* (ACE) modules in routed mode through the use of Source NAT (SNAT) in each context of the ACE.
This approach enables the accessibility of client-to-server traffic destined to the virtual IP (VIP) addresses that are not configured on the same IP subnet as the outside IP address configured on the VLAN interface within each ACE context. We configure static routes to each VIP host address or subnet in the aggregation layer. We configure SNAT in each ACE context such that all client source IP addresses are translated to an IP address on the same IP subnet configured on the inside VLAN interfaces. The servers also reside on this same IP subnet. For return traffic from the server to the client, we configure default routes in each ACE context that point to the HSRP address configured in each VRF in the aggregation layer. We implemented the latter approach in the design.

Figure 7. VMDC - Aggregation Network (and VDC) Topology

The VDC capability of the Nexus 7000 Series* enables the network architect to make use of another type of virtualization in the design, to improve ease of configuration, supportability, and security. We can create the sub-aggregation, a secondary virtual switching layer, through the use of VDCs located between the services devices and the access switches. We refer to this topology as a services VDC sandwich. All of the access layer switches shown in Figure 7 attach only to the sub-aggregation VDCs. We could also attach different classes of servers to access layer switches that connect directly to the main aggregation layer above the services chassis, if they either do not require services or are serviced by a different group of services devices.

Additional design considerations for this type of topology include the following:

- Similar designs have been deployed through the use of a single pair of switches with separate VLANs and VRFs to provide the routing instance below the services chassis. The insertion of a separate set of VDCs into the design still represents the use of a single physical pair of
switches to perform these functions but provides better isolation between the routing environments above and below the services chassis. This conceptually provides for easier support and configuration without the increase of the impact of a single-switch failure due to the introduction of a second set of VDCs.
- The security model is more robust since the operating environment of the sub-aggregation VDCs is completely separate from the primary aggregation layer. Instead of only separate VLANs and VRFs on the same switch, there are separate virtual switches with completely different sets of processes and physical ports.
- You may require additional interfaces for the VDC sandwich topology as compared to a VRF sandwich topology. The services chassis must have separate physical connections into both sets of VDCs as opposed to VLANs that share the same trunks. You must also provision additional interface count to support the inter-switch link between the two sub-aggregation VDCs.
- Cisco validated this model through the use of FWSM and ACE modules that run in transparent mode, where the two layers of VDCs are direct IP routing peers. Layer 3 control plane load on the VDC below the services may be limited by the use of static routes that point to an HSRP address shared between the primary aggregation VDCs to support IP unicast traffic flows. IP multicast traffic is not supported over a combination of static routes and HSRP addresses. If you require IP multicast, then you may use an IGP such as OSPF or enhanced interior gateway routing protocol (EIGRP).
- VDCs provide the distinction between the routing instances of the aggregation and the sub-aggregation layers; however, you may use multiple VRFs in the sub-aggregation layer to support additional virtualization capabilities. You may map distinct VRFs in the sub-aggregation layer with the use of
VLANs to separate contexts within the virtualized service devices such as the FWSM and ACE, which allows the split of active contexts between both services chassis. If you require services between layers of a multi-tier application architecture, placement of these tiers in subnets that belong to separate VRFs will allow for powerful, multi-context service insertion between tiers.
- A services VDC sandwich that uses external services chassis provides independent connectivity between the services and both aggregation switches. If the aggregation switch on the left side of the topology fails, then the services on the left side have dual connectivity and can maintain a primary role. Service appliances running in transparent mode that only support single connections to carry a given VLAN (such as the Adaptive Security Appliance (ASA) 5580*) will not be dual homed if they are attached directly to the aggregation. You can still deploy these appliances in a highly available manner through the use of redundant appliances.

Storage Layer

Depending on your storage requirements, you can implement a SAN or NAS solution. The following sections describe how we implemented each type of solution in Cisco VMDC.

- Storage component
- SAN design
- NAS design

Storage Component

As an essential piece to every data center, the storage component of the SAN provides several capabilities to the data center, including the ability to remotely boot from SAN and virtual (thin) provisioning for increased performance and data protection. These segregate capabilities ultimately alleviate responsibilities from the host and SAN.

Scenarios to Address

- Secure Separation
- Device mapping
- LUN masking
- VSANs
- Zoning

NOTE: In these examples, the storage array in use is an EMC VMAX*, with FC SAN attached storage. We used Symmetrix Management Console (SMC) as the interface to configure the EMC VMAX array. GUI displays are from Cisco Fabric Manager.

LUN Masking (via SMC)

1. Configure the mask view.
   a. Right-click the Symmetrix Masking folder and select Device Masking and Mapping > Masking Views Maintenance > Create Masking View.
   b. Name the new masking view.
   c. Select an existing storage group, or create a new group following the steps in Configure Storage Groups.
   d. Select an existing port group, or create a new group following the steps in Configure Port Groups.
   e. Select an existing initiator group, or create a new group following the steps in Configure Initiator Groups.
   f. *Optional* Click Set Dynamic LUN Addresses to manually configure the LUN addresses for each device.
   g. Click OK to confirm the new masking view.
2. Configure the storage groups.
   a. Right-click the Symmetrix Masking folder and select Device Masking and Mapping > Storage Groups Maintenance > Create Storage Group.
   b. Name the new storage group.
   c. Select the device source type.
   d. Add available devices to the group members column.
   e. Click OK to confirm the new storage group.
3. Configure the port groups.
   a. Right-click the Symmetrix Masking folder and select Device Masking and Mapping > Port Groups Maintenance > Create Port Group.
   b. Name the new port group.
   c. Add the available ports to the group members columns. NOTE: These ports are front-end FA ports only.
   d. Click OK to confirm the new port group.
4. Configure the initiator groups.
   a. Right-click the Symmetrix Masking folder and select Device Masking and Mapping > Initiator Groups Maintenance > Create Initiator Group.
   b. Name the new initiator group.
   c. Add the available initiators to the selected initiators column.
   d. *Optional* If the host is not in the available initiators list, the New Initiator option allows you to manually add the pWWN to the selected initiators column.
   e. Click Set HBA Flags to open a new window to modify flags associated with this group.
   f. Click OK to confirm the new initiator group.
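A masking view built by this procedure ties one initiator group, one port group and one storage group together, and it only separates tenants if no device or initiator is shared between views and if the pairs it allows agree with the fabric zoning. The Python check below is an added example, not part of the guide or of any EMC or Cisco tool; the `MASKING_VIEWS` export, the view names, the device numbers and the `host-2` pWWN are constructed assumptions, and the zoneset text follows the layout of the zoneset listing this guide gives under its summary of device configurations.

```python
import re
from itertools import combinations

HOST1 = "20:00:00:25:b5:01:00:0f"   # host-1, as listed in the guide
HOST2 = "20:00:00:25:b5:01:00:1f"   # host-2, constructed for this example
FA7 = "50:00:09:72:08:1f:3d:58"     # vmax-7Fa front-end port
FA8 = "50:00:09:72:08:1f:3d:5c"     # vmax-8Fa front-end port

# Constructed sample in the layout of the guide's zoneset listing.
ZONESET_TEXT = f"""\
zoneset name 10g-fab-a vsan 100
  zone name Host-1_to_V-Max vsan 100
  * fcid 0x01002a [pwwn {HOST1}] [host-1]
  * fcid 0x010012 [pwwn {FA7}] [vmax-7Fa]
  * fcid 0x010013 [pwwn {FA8}] [vmax-8Fa]
  zone name Host-2_to_V-Max vsan 100
  * fcid 0x01002b [pwwn {HOST2}] [host-2]
  * fcid 0x010013 [pwwn {FA8}] [vmax-8Fa]
"""

# Hypothetical export of the array's masking views:
# one initiator group + one port group + one storage group per view.
MASKING_VIEWS = {
    "tenantA_view": {"initiators": {HOST1}, "ports": {FA7},
                     "devices": {"0A10", "0A11"}},
    "tenantB_view": {"initiators": {HOST2}, "ports": {FA7, FA8},
                     "devices": {"0A11", "0B20"}},
}

ZONE_RE = re.compile(r"^\s*zone name (\S+) vsan \d+")
PWWN_RE = re.compile(r"\[pwwn ((?:[0-9a-f]{2}:){7}[0-9a-f]{2})\]", re.I)


def parse_zoneset(text):
    """Return {zone name: set of member pWWNs} from a zoneset listing."""
    zones, current = {}, None
    for line in text.splitlines():
        m = ZONE_RE.match(line)
        if m:
            current = zones.setdefault(m.group(1), set())
            continue
        m = PWWN_RE.search(line)
        if m and current is not None:
            current.add(m.group(1).lower())
    return zones


def audit(zones, views):
    """Compare masking views with each other and with the zoning."""
    findings = []
    # 1. Separation inside the array: nothing may sit in two views.
    for (a, va), (b, vb) in combinations(sorted(views.items()), 2):
        for dev in sorted(va["devices"] & vb["devices"]):
            findings.append(("shared-device", dev, a, b))
        for ini in sorted(va["initiators"] & vb["initiators"]):
            findings.append(("shared-initiator", ini, a, b))
    # 2. Every initiator/port pair a view allows should be zoned together;
    #    otherwise a later zoning change silently activates the access.
    masked = set()
    for name, view in sorted(views.items()):
        for ini in sorted(view["initiators"]):
            for port in sorted(view["ports"]):
                masked.add((ini, port))
                if not any(ini in m and port in m for m in zones.values()):
                    findings.append(("masked-not-zoned", ini, port, name))
    # 3. Zoned pairs with no masking view: the fabric path is open but the
    #    array has no policy for it (stale or over-broad zone).
    initiators = set().union(*(v["initiators"] for v in views.values()))
    for zname, members in sorted(zones.items()):
        for ini in sorted(members & initiators):
            for port in sorted(members - initiators):
                if (ini, port) not in masked:
                    findings.append(("zoned-not-masked", ini, port, zname))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_zoneset(ZONESET_TEXT), MASKING_VIEWS):
        print(finding)
```
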
Software Configuration

To ensure data separation, scalability, and future expansion, as well as high availability and redundancy at key points of failure, we enabled the following software features:

- VSANs - General data separation
- Zone/Zoneset - Granular data separation
- NPV/NPIV - Host end scalability
- PortChannel - Redundancy/failover protection between edge and core switches

Design Considerations

Configure each component of a SAN layer redundantly such that upon a failure, the standby peer becomes active immediately with no service disruption or data loss. Also, the SAN should support expansion and scale to accommodate a company's needs for additional hosts and storage.

Configuration Purpose

This section details the purposes for configuration of the following five features:

- VSANs
- Zoning
- N-Port ID Virtualization (NPIV)
- N-Port Virtualizer (NPV)
- PortChannel

VSANs

To achieve the same level of isolation as physically separate fabrics at a lower cost, a VSAN creates separate virtual fabrics on a common physical infrastructure. Membership in a VSAN is based on physical port, and no physical port can belong to more than one VSAN; a node connected to a physical port belongs to that port's VSAN. VSANs provide strict hardware isolation and replicate the FC services created for each new VSAN. When you create a new VSAN, you create and enable a separate set of services that includes name server, zone server, domain controller, alias server, and login server, across those switches that you configured to carry the new VSAN. This services replica enables the isolated environments to satisfy high-availability requirements over a shared physical infrastructure. VSANs also interconnect isolated SAN fabrics in remote data centers over a common long-haul infrastructure. Because frame tagging is performed in hardware, you can multiplex the traffic from several VSANs across a single fiber pair and transport it a greater distance, all while it remains completely isolated.
VSANs scale over a redundant physical infrastructure to provide flexible isolated SAN fabrics that achieve high-availability goals.

Zoning

Within each VSAN, the active zone set contains one or more zones. Each zone has one or more members that are allowed to communicate among each other. On Cisco MDS* switches, there is an option to do basic or enhanced zoning. Enhanced zoning advantages include the prevention of parallel configuration attempts, which ensures consistency within the fabric; the distribution of zonesets without activation, which avoids hardware changes for hard zoning on the switch; and the enhancement of error reporting to simplify the troubleshooting process.

N-Port ID Virtualization (NPIV)

NPIV allows an FC host connection or N-Port to be assigned multiple N-Port IDs or FC IDs over a single link. You can manage all FCIDs on an FC fabric as unique entities on the same physical host. You can use different applications in conjunction with NPIV. In a virtual machine environment where many host operating systems or applications run on a physical host, you can now manage each virtual machine independently from zone, alias, and security perspectives. In a Cisco MDS 9000* family environment, each host connection can log in as a single virtual SAN (VSAN).

N-Port Virtualizer (NPV)

An extension to NPIV, the N-Port Virtualizer (NPV) feature allows the blade switch or top-of-rack fabric device to behave as an NPIV-based host bus adapter (HBA) to the core FC director. The device aggregates the locally connected host ports or N-Ports into one or more uplinks (pseudo-interswitch links) to the core switches. The only requirement of the core director is that it supports the NPIV.

PortChannel

You can configure a PortChannel without restrictions to logically bundle physical links from any port on any Cisco MDS 9000 Family Fibre Channel Switching Modules*.
This feature allows you to deploy highly available solutions with great flexibility. During a port, ASIC, or module failure, the stability of the network is not affected because the logical PortChannel remains active even though the overall bandwidth is reduced. The MDS PortChannel solution scales to support up to 16 ISLs per PortChannel and aggregates 1, 2, 4, 8, or 10 Gbps FC links. This feature aggregates up to 20,400 MB of application data throughput per PortChannel for exceptional scalability. The MDS PortChannel solution neither degrades performance over long distances nor requires specific cabling. The MDS PortChannel uses flow-based load balancing to deliver predictable and robust performance independent of the distance covered.

Summary of Device Configurations

VSAN

vsan 100 information
         name:10g-topo  state:active
         interoperability mode:default
         loadbalancing:src-id/dst-id/oxid
         operational state:up

Figure 8. Cisco Fabric Manager (MDS 9000 SAN Switch) - Viewing Switch Inventory (Ports)

Zone/Zoneset

zoneset name 10g-fab-a vsan 100
  zone name Host-1_to_V-Max vsan 100
  * fcid 0x01002a [pwwn 20:00:00:25:b5:01:00:0f] [host-1]
  * fcid 0x010015 [pwwn 50:00:09:72:08:1f:3d:64] [vmax-10Fa]
  * fcid 0x010012 [pwwn 50:00:09:72:08:1f:3d:58] [vmax-7Fa]
  * fcid 0x010013 [pwwn 50:00:09:72:08:1f:3d:5c] [vmax-8Fa]
  * fcid 0x01000f [pwwn 50:00:09:72:08:1f:3d:60] [vmax-9Fa]

Figure 9. Cisco Fabric Manager (MDS 9000 SAN Switch) - Viewing Logical Port Associations

Figure 10.
Cisco Fabric Manager (MDS 9000 SAN Switch) - Viewing Port Status

PortChannel

interface port-channel 1
  switchport mode E
  switchport rate-mode dedicated
  switchport trunk mode off

port-channel 1 is up
    Hardware is FC
    Port WWN is 24:01:00:0d:ec:3b:b6:40
    Admin port mode is E, trunk mode is off
    snmp link state traps are enabled
    Port mode is E
    Port vsan is 101
    Speed is 20 Gbps
    .
    Member[1] : fc1/1

Device Alias

device-alias name host-1 pwwn 20:00:00:25:b5:01:00:0f
device-alias name vmax-7Fa pwwn 50:00:09:72:08:1f:3d:58
device-alias name vmax-8Fa pwwn 50:00:09:72:08:1f:3d:5c
device-alias name vmax-9Fa pwwn 50:00:09:72:08:1f:3d:60
device-alias name vmax-10Fa pwwn 50:00:09:72:08:1f:3d:64

Figure 11. Cisco Fabric Manager (MDS 9000 SAN Switch) - Viewing Logical Storage Mappings

Figure 12. Cisco Fabric Manager (View of the Storage SAN)

Storage Layer NAS

The NAS technologies, particularly NFS version 3, provide:

- No immediate cost for new infrastructure equipment
- Simplified storage provisioning
- Default support for VMware thin provisioning
- No disruptions during increases and decreases in space allocation
- Default support for large frame sizes

We used the NetApp* FAS6080* filer system for this solution. Through NFS, customers receive an integration of VMware* virtualization technologies with WAFL*, NetApp's advanced data management and storage virtualization engine. This integration provides transparent access to VM-level storage virtualization offerings, such as production-use data deduplication, immediate zero cost VM and data store clones, array-based thin provisioning, automated policy based data store resizing, and direct access to array based Snapshot* copies.
NetApp provides integrated tools such as Site Recovery Manager*, SnapManager for Virtual Infrastructure*, the Rapid Cloning Utility*, and the Virtual Storage Console*.

Architecture Overview

When compared to FC and iSCSI, NFS provides higher performance and lower per-port storage costs. Both FC and iSCSI require the purchase of expensive adapters and even complete separate infrastructures. NFS requires only an additional file server (filer). We use NFS data stores in shared pools for virtual machines. The Cisco VMDC solution uses the NetApp FAS6080 server to provide support for NFS and VMware. For vendor-specific guidance, see NetApp and VMware vSphere Storage Best Practices at the following URL: http://media.netapp.com/documents/tr-3749.pdf.

[NOTE: GUI screenshots are from the NetApp storage array, FilerView* and System Manager* tools, as well as from VMware ESX* client.]

NFS Data Stores on NetApp

The deployment of VMware with NetApp's advanced NFS results in a high-performance, easy-to-manage implementation that provides VM-to-datastore ratios that you cannot accomplish through the use of other storage protocols, such as FC. This architecture can result in a tenfold increase in data store density with a correlating reduction in the number of data stores. When you deploy NFS, the virtual infrastructure receives operational savings, as there are fewer storage pools to provision, manage, back up, and replicate. For more information, see NetApp Document ID TR-3749 Version 2.0, NetApp and VMware vSphere Storage Best Practices.
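The zoneset and device-alias listings in the Summary of Device Configurations record which initiators can reach which storage ports on the SAN fabric. The following added example (not part of the original guide, and not Cisco or Intel code) parses text in exactly that format and audits it; the one-initiator-per-zone policy, the expected-VSAN argument, and the second, constructed listing are assumptions made for illustration.

```python
import re

# Listings copied from the guide's "Summary of Device Configurations".
DEVICE_ALIASES = """\
device-alias name host-1 pwwn 20:00:00:25:b5:01:00:0f
device-alias name vmax-7Fa pwwn 50:00:09:72:08:1f:3d:58
device-alias name vmax-8Fa pwwn 50:00:09:72:08:1f:3d:5c
device-alias name vmax-9Fa pwwn 50:00:09:72:08:1f:3d:60
device-alias name vmax-10Fa pwwn 50:00:09:72:08:1f:3d:64
"""
ZONESET = """\
zoneset name 10g-fab-a vsan 100
  zone name Host-1_to_V-Max vsan 100
  * fcid 0x01002a [pwwn 20:00:00:25:b5:01:00:0f] [host-1]
  * fcid 0x010015 [pwwn 50:00:09:72:08:1f:3d:64] [vmax-10Fa]
  * fcid 0x010012 [pwwn 50:00:09:72:08:1f:3d:58] [vmax-7Fa]
  * fcid 0x010013 [pwwn 50:00:09:72:08:1f:3d:5c] [vmax-8Fa]
  * fcid 0x01000f [pwwn 50:00:09:72:08:1f:3d:60] [vmax-9Fa]
"""

# Constructed sample (not from the guide): a second host, a zone placed in
# the wrong VSAN, and a member pWWN that has no device-alias entry.
BAD_ALIASES = DEVICE_ALIASES + "device-alias name host-2 pwwn 20:00:00:25:b5:01:00:1f\n"
BAD_ZONESET = """\
zoneset name 10g-fab-a vsan 100
  zone name Shared_to_V-Max vsan 101
  * fcid 0x01002a [pwwn 20:00:00:25:b5:01:00:0f] [host-1]
  * fcid 0x01002b [pwwn 20:00:00:25:b5:01:00:1f] [host-2]
  * fcid 0x010099 [pwwn 50:00:09:72:08:1f:3d:ff] [vmax-7Fa]
"""

PWWN = r"((?:[0-9a-f]{2}:){7}[0-9a-f]{2})"
ALIAS_RE = re.compile(rf"device-alias name (\S+) pwwn {PWWN}$", re.I)
ZONESET_RE = re.compile(r"zoneset name (\S+) vsan (\d+)$")
ZONE_RE = re.compile(r"zone name (\S+) vsan (\d+)$")
MEMBER_RE = re.compile(rf"\* fcid (0x[0-9a-f]{{6}}) \[pwwn {PWWN}\] \[(\S+)\]$", re.I)


def parse_aliases(text):
    """Return {pwwn: alias} from device-alias lines."""
    aliases = {}
    for line in text.splitlines():
        m = ALIAS_RE.match(line.strip())
        if m:
            aliases[m.group(2).lower()] = m.group(1)
    return aliases


def parse_zoneset(text):
    """Return a list of zones, each with its VSAN and member pWWNs."""
    zones, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or ZONESET_RE.match(line):
            continue
        if (m := ZONE_RE.match(line)):
            current = {"name": m.group(1), "vsan": int(m.group(2)), "members": []}
            zones.append(current)
        elif (m := MEMBER_RE.match(line)) and current is not None:
            current["members"].append({"pwwn": m.group(2).lower(), "label": m.group(3)})
        else:
            # Only the member format shown in the guide is accepted.
            raise ValueError(f"unrecognised line: {line!r}")
    return zones


def audit_zoning(zones, aliases, initiators, expected_vsan):
    """Return (zone, finding, detail) tuples; an empty list means clean.

    initiators: alias names treated as hosts (assumed input).
    expected_vsan: the VSAN allocated to this tenant (assumed input).
    """
    findings = []
    for zone in zones:
        if zone["vsan"] != expected_vsan:
            findings.append((zone["name"], "wrong-vsan", str(zone["vsan"])))
        hosts = []
        for member in zone["members"]:
            alias = aliases.get(member["pwwn"])
            if alias is None:
                findings.append((zone["name"], "unknown-pwwn", member["pwwn"]))
            elif alias != member["label"]:
                findings.append((zone["name"], "label-mismatch", member["pwwn"]))
            if alias in initiators:
                hosts.append(alias)
        if len(hosts) > 1:  # assumed policy: one initiator per zone
            findings.append((zone["name"], "multiple-initiators", ",".join(sorted(hosts))))
    return findings


if __name__ == "__main__":
    print(audit_zoning(parse_zoneset(ZONESET), parse_aliases(DEVICE_ALIASES), {"host-1"}, 100))
    print(audit_zoning(parse_zoneset(BAD_ZONESET), parse_aliases(BAD_ALIASES),
                       {"host-1", "host-2"}, 100))
```

Run against an exported zoneset after each change window, a non-empty result points at the zone that no longer matches the intended tenant separation.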
Scenarios to Address

- Secure separation (end-to-end tenant security)
  - Logical datastore access separation
- Scalability
  - High-speed network connections
- High Availability
  - Hardware redundancy
  - Logical traffic path redundancy
- Service assurance
  - QoS
  - Distributed resource scheduling (DRS)
  - Reliable transmission
  - Efficient data delivery

Software Configuration

- Secure separation (end-to-end tenant security)
  - Logical data store access separation (see Virtual Access)
  - Cisco VLAN 802.1Q trunking (see Network Design)
  - Cisco UCS VLAN support (see Compute_10G)
  - VMware support for 802.1Q trunking (see Virtual Access)
  - VMware vShield* zones (see Virtual Access)
  - VMware vSphere* support for NetApp NFS version 3: each VMware ESXi* host, acting as an NFS client, must be configured with the correct export path.
  - NetApp NFS version 3 support: filers, acting as NFS servers, must be configured to allow the client machines (ESXi hosts) access to the entire storage system.
  - NetApp 802.1Q* trunking support: filers need to be configured with VLAN virtual interfaces that match the VLAN interfaces of the NFS clients.
  - NetApp Virtual Filer* (vFiler*): vFiler is not used in this solution; however, it allows users to access their own virtual filer that is under their control as they see fit. This virtual filer uses the physical resources of a single NetApp FAS6080.

Figure 13. NetApp FilerView - Viewing Network Interfaces

Figure 14. NetApp System Manager - Viewing Interface Associations

Figure 15. NetApp System Manager - Viewing Storage Aggregates

Figure 16. VMware vSphere ESX Client - Viewing VM to Server to Storage Mappings

Figure 17. VMware vSphere ESX Client - Viewing Storage Utilization

Next Steps

The current VMDC design provides a broad framework to deploy cloud computing today, but Cisco constantly seeks to innovate in ways that move the architecture forward and provide new capabilities for customers. This paper now examines several key elements that allow customers to look at their data center functionality in very new ways.

1 - Unified Network Services - While virtualization adds tremendous flexibility and efficiency to the data center, it also creates visibility challenges for IT. In the past, what was visible to network or security teams was often hidden as VMs communicated within a single server or as capabilities (switching, firewall, load balancing) became services within the hypervisor. Cisco began to address this challenge in 2009 when it introduced the Nexus 1000v* virtual switch. This switch provided VM visibility to the network and security teams within the ESX hosts as well as vMotion* mobility. Cisco now extends the framework to move network services into a virtualized form factor as it adds firewall (Virtual Security Gateway*) and Application Acceleration (vWAAS*) capabilities, all managed through a single integration management framework (Cisco Virtual Network Management Center*). Over time, Cisco will expand the list of network services that can be virtualized, which will provide customers with enhanced visibility and control over their network in both physical and virtual data centers as well as in both software and hardware.

2 - Application Mobility - As customers begin to virtualize their server infrastructure, they understand the value of the ability to dynamically move a VM from one server to another (for example, vMotion* or Live Migration*). This mobility offers new ways to look at high availability and resource utilization. In the past, application mobility was limited to a single geographic location. But as customers begin to better understand the power of this functionality, they demand the ability to maximize this between geographic locations. Cisco has worked with ecosystem partners to create innovations aimed at solutions to this problem. Within the network, Cisco introduced Overlay Transport Virtualization* (OTV), which allows customers to seamlessly extend a Layer 2 domain across geographic locations. OTV allows customers to build these extended networks without the sacrifice of the control they expect within a single location. Beyond the network, Cisco has worked closely with ecosystem partners EMC and NetApp to extend this functionality across the storage layer and to allow mobility of the associated data.

Things to Consider

In any large-scale implementation, there are hundreds of design elements to consider. Cisco describes these in detail in Cisco Validated Designs (Cisco Design Zone Data Center), but this paper will highlight some of the major considerations.

- Modular design - The use of a modular design allows new technologies to be added but will severely impact other portions of the data center.
- Hierarchical design - The use of a design that allocates certain functions (such as routing, switching, and security) to different layers will allow new services to be added in a consistent manner.
- Unified storage - The use of a design that supports multiple storage protocols (including FC, FCoE, iSCSI, NFS, CIFS) over a unified network fabric will allow the greatest flexibility to deliver multiple application services to users.
- Network-level intelligence - The use of a design that includes intelligent services within the network will allow for next-generation capabilities required by highly virtualized environments (for application mobility and disaster avoidance) as well as mobile and video services.
- Unified infrastructure to unified IT - Virtualization technology blurs the lines between traditional IT groups such as applications, compute, storage, and networking. The utilization of technology designed to unify this migration will simplify the method to create IT processes that best manage the next-generation data center.

Design Considerations

The architects of a scalable cloud data center should consider the following requirements:
- Unified network
- Cloud tenants and service tiers
- Secure tenant separation
- Data center scalability through modular infrastructure
- High availability
- Service assurance

The following sections describe how the Cisco VMDC solution supports each of the requirements above.

Unified Network

The Cisco Unified Network* allows architects to create a single network infrastructure that is able to deliver data, storage, video, and voice traffic with predictable QoS. Unified networking begins with a 10 GbE high-speed transport. This transport maximizes Cisco QoS technology to deliver multiple classes of services, from deterministic to best effort. As data and storage traffic aggregate on the 10 GbE links, FCoE technology is able to guarantee the service levels and management that storage administrators have come to expect with FC. FCoE within the Cisco Unified Computing System* (UCS) and extended to the SAN storage arrays allows LAN and SAN traffic to co-exist over a single cabling infrastructure. This simplified cabling reduces costs for cabling, patch panels, cable trays and NIC/HBAs (now called Converged Network Adapters (CNAs)). This reduction of cabling also eliminates demands for power and cooling within the computing and storage systems, which reduces overall data center costs.

Beyond unification of the underlying 10 GbE transport, the Cisco VMDC makes use of virtualized services within the network. Called Unified Network Services*, these are delivered as VM appliances within the Cisco Unified Computing System. These include the Nexus 1000v vSwitch, the VSG firewall services and vWAAS. These virtualized services provide control and visibility to the network administrator that is often lost when virtualizing applications.

Cloud Tenants and Service Tiers

A tenant is an entity that subscribes to cloud services. In the enterprise private cloud deployment model, that entity is a department or suborganization, such as development, test, research and development, or human resources. As shown in Figure 18, multiple users in the same department belong to the same tenancy. Within the tenancy, you can implement multiple workloads by different users who belong to the same department. You must securely separate each tenant from other tenants who share the common virtualized resource pool. However, workloads owned by one tenant will be visible to others unless you configure firewalls to block communications among different applications. In the public cloud deployment model, a tenant is an individual consumer or group within an enterprise subscribing to the virtual private cloud services hosted by a service provider.

[Figure 18. Tenants and Workloads: two departments (R&D and Dev/Test), each with several users running multiple workloads (Web, App, DB).]

Cloud providers, whether service providers or enterprises, want an IaaS offering with multiple feature tiers and pricing levels. The cloud is a source of highly scalable, efficient, and elastic services accessed on demand over the Internet or intranet. In the cloud, compute, storage, and network hardware are abstracted and delivered as a service. End users only consider the functionality and value provided by the service; they do not need to understand or manage the underlying technology.

To tailor workload or application requirements to specific customer needs, the cloud provider can differentiate services with a multitiered service infrastructure and QoS settings. Customers can use and purchase such services under a variable pricing model. Administrators can design infrastructure and resource pools so that end users can add or expand services when they request additional compute, storage, or network capacity. This elasticity allows the provider to maximize the user experience with the offer of a custom, private data center in virtual form.

Typically, cloud providers want to offer three, four, or five different service tiers and provide different service level agreements (SLAs). You can differentiate IaaS cloud services into predefined service tiers as they vary support of the following features:
- Virtual machine resources
- Storage features
- Application tiers
- Stateful services
- Quality of service agreements

The VMDC solution defines options to differentiate IT cloud services. In this reference architecture, we call these cloud services service tiers. Typically when we talk about service tiers, we look at the server CPU and storage options. But if a web application is being hosted in the cloud model, load balancing and firewall inspection are also required. To achieve secure separation of tenant data at Layer 2 and Layer 3, you must enable features such as virtual routing and forwarding (VRF) and VLANs. With this virtual network separation configured, service tiers contain virtual compute, storage, and network resources.

This Cisco VMDC solution qualifies a three-tier model of Bronze, Silver, and Gold tiers that comprise IaaS services (see Table 4). These tiers define service levels for compute, storage, and network performance. With the use of this tiered model, you can do the following:
- Offer service tiers with differing abilities
- Support customer segmentation based on desired service levels and functionality
- Support clients based on their requirements
- Allow for differentiated application support based on service tiers

Table 4. Example Network and Data Differentiations by Service Tier

| | Bronze | Silver | Gold |
|---|---|---|---|
| Services | No additional services | Firewall services | Firewall and load balancing services |
| Bandwidth | 20 percent | 30 percent | 40 percent |
| Segmentation | One VLAN per client, single VRF | Multiple VLANs per client, single VRF | Multiple VLANs per client, single VRF |
| Data Protection | None | Snap - virtual copy (local site) | Clone - mirror copy (local site) |
| Disaster Recovery | None | Remote replication (with specific RPO/RTO) | Remote replication (any-point-in-time recovery) |

Secure Tenant Separation

The following design considerations provide secure tenant separation [5] and path isolation:
- Network separation
- Compute separation
- Storage separation

Network Separation

End-to-end virtualization of the network requires separation at each network layer in the architecture. The VMDC design uses the following technologies to virtualize the network:
- Implementation of network Layer 3 (core/aggregation) separation is through the use of Cisco VRF Lite
- Implementation of network Layer 2 (access) separation is through the use of VLANs
- Implementation of network services (firewall and load balancing services) separation is through the use of the Cisco FWSM and the Cisco ACE service module
- Implementation of the tenant path isolation is through the use of virtual private networks (VPNs) using VRF Lite technology
- Implementation of client-server traffic separation is through the use of the following technologies:
  - Dedicated virtual firewall context on the firewall module that belongs to a particular tenant is used to provide traffic inspection
  - DoS attack prevention
  - L4-7 protocol inspection
  - ACLs to control what comes through the firewall

The VMDC firewall model employs a tiered model. The service tiers are mapped to secured access mechanisms, which include secure sockets layer (SSL), multiprotocol label switching (MPLS), and Internet protocol security (IPSec) VPNs.

Compute Separation

Virtualization introduces new security challenges and concerns. Traditionally, security policies were applied at the physical server level. However, as physical hosts can now contain multiple logical servers, policy must be applied at the VM level. Also, new technologies, such as vMotion, introduced VM mobility within a cluster where policies follow VMs as they are moved across switch ports and among hosts. Finally, virtual computing continues to aggregate higher densities of VMs. This high-density model forces us to reconsider firewall scale requirements at the aggregation layer of the network. The result is that high-density compute architectures may require the distribution of security policies to the access layer.

To address some of these new security challenges and concerns, we recommend the deployment of virtual firewalls at the access layer of the data center infrastructure to create intra-tenant zones. You should also use per-VLAN firewalls at the aggregation layer. Like a firewall at the aggregation layer, Layer 2 firewalling can enforce security among the tiers of an application.

Storage Separation

Cisco MDS SAN networks offer segmentation mechanisms similar to VLANs in Ethernet. Cisco calls these mechanisms VSANs and they work in conjunction with fibre channel (FC) zones.

Data Center Scalability

Capacity at scale, or elasticity, is an essential attribute of clouds. Elasticity is the ability to scale resources up or down in minutes in accordance with service level agreements (SLAs). Elasticity increases resources on demand and scales resource utilization as needed.

This design uses a concept called Pod to achieve elasticity and to simplify capacity planning without the disruption of the existing environment. A Pod identifies a discrete, homogeneous, modular unit of data center components. Because they are homogeneous and modular, Pods support templates for incremental build-out of the data center that address environmental, physical, logical, and application requirements. This modular architecture provides a predictable set of resource characteristics per unit that is added repeatedly as needed. Initially, a customer implements the data center through the use of a base Pod and expands the data center with the addition of more Pods. In the data center, Pod-based architectures provide predictable resource pools, power, and space consumption. As shown in Figure 19, the core layer is common to multiple Pods; as additional Pods are needed, the customer connects them to the network through the core layer.

Figure 19. Pod Expansion Concept

High Availability

Cloud data centers offer IaaS to either internal enterprise customers or to external customers of service providers. Customers control the services through the use of SLAs, which can be stricter in service provider deployments than in an enterprise. A highly available data center infrastructure is the foundation of SLA guarantees and successful cloud deployment. An end-to-end, highly available network infrastructure design provides predictable operational continuity. Because organizations must satisfy SLAs made for business application uptime, they cannot lose connectivity due to equipment downtime. Therefore, the data center design must ensure that a single hardware failure in the network does not affect the cloud subscribers' service. The Cisco VMDC utilizes the following techniques to create a highly available and resilient end-to-end infrastructure:
- Physical redundancy
- Node redundancy
- Hardware redundancy with the node
- Link redundancy
- Access layer technologies such as system posture tokens (SPTs)
- Compute layer technologies
- UCS end-host mode
- Cisco Nexus 1000V and MAC-pinning
- Redundant VSMs in active-standby mode
- High availability within the cluster
- Automated disaster recovery plans

Service Assurance

Today, IaaS SLAs often emphasize service availability. Differentiated service level requirements exist because specific applications or traffic may require preferential treatment within the cloud. Some applications are mission critical, and some are interactive, while others are bulk or utilized simply for dev-test purposes. This differentiated treatment ensures that in the event of congestion or failure conditions, critical traffic is provided a sufficient amount of bandwidth to meet throughput requirements. Traditionally, an SLA framework includes consideration of bandwidth, delay, jitter, and loss per service class.

Glossary

ACE: The Cisco ACE service module provides server load balancing and source NAT (SNAT).

DSN: The Cisco Data Center Services Node (DSN) is a Cisco Catalyst 6500 Series Switch with FWSM and ACE service modules dedicated to security and server load balancing functions.

FCoE: Fibre Channel over Ethernet Initialization Protocol offers the capability to transport Fibre Channel payloads on top of an Ethernet network.

FWSM: The Cisco Firewall Services Module (FWSM) provides Layer 2 and Layer 3 firewall inspection, protocol inspection, and network address translation (NAT).

IaaS: Cloud infrastructure services, also known as Infrastructure as a Service (IaaS), delivers computer infrastructure, typically a platform virtualization environment, as a service. Rather than purchasing servers, software, data center space, or network equipment, clients instead buy those resources as a fully outsourced service. Suppliers typically bill such services on a utility computing basis and the amount of resources consumed (and therefore the cost) will typically reflect the level of activity. From: http://en.wikipedia.org/wiki/Cloud_computing.

Intel AES: Intel® Advanced Encryption Standard (AES) Technology enables robust encryption without the need for additional appliances and increased performance overhead. This technology improves CPU performance for encryption by as much as 52 percent for secure Internet transactions and allows broader use of encryption throughout the data center.

Intel QPI: Intel® QuickPath Technology is a scalable, shared memory architecture that delivers a high memory bandwidth to enable top performance for bandwidth-intensive applications. It provides high-speed point-to-point connections between processors, and between processors and the I/O hub. Each processor has its own dedicated memory that it accesses directly through an Integrated Memory Controller. In cases where a processor needs to access the dedicated memory of another processor, it can do so through a high-speed Intel® QuickPath Interconnect (Intel QPI) that links all the processors.

Intel® TXT: Intel® Trusted Execution Technology (Intel® TXT) addresses a critical security need for all server deployments, especially virtualized and cloud-based use models, as it helps to protect servers prior to OS launch or hypervisor launch. Intel® TXT complements other malware protections such as antivirus and intrusion detection to help ensure that only trusted software is on the platform. Intel® TXT protects VMs on trusted platforms, so you can easily migrate them onto other trusted platforms or created pools of platforms with trusted hypervisors.

Intel VT-c: Intel® Virtualization Technology for Connectivity (Intel VT-c) enhances server I/O solutions by integrating extensive hardware assists into the I/O devices that are used to connect servers to the data center network and storage infrastructure. Two technologies comprise Intel VT-c: Virtual Machine Device Queues, which accelerates throughput and reduces the load on the VMM and server processors, and PCI-SIG SR-IOV, which delivers near-native throughput and provides dedicated, direct connectivity between VMs and hardware resources.

Intel VT-d: Intel® Virtualization Technology for Directed I/O (Intel VT-d) helps speed data movement and eliminates much of the performance overhead as it gives designated virtual machines their own dedicated I/O devices, which reduces the overhead of the VMM to manage I/O traffic.

Intel VT-x: Intel® Virtualization Technology (Intel VT-x) provides hardware-assisted page-table management, which allows guest OS more direct access to the hardware and reduces compute-intensive software translation from the VMM. Intel VT-x also includes Intel VT FlexMigration and Intel VT FlexPriority, which are capabilities for flexible workload migration and performance optimization across the full range of 32-bit and 64-bit operating environments.

NAS: Network Attached Storage is a storage server or appliance that uses file-based protocols such as NFS or CIFS to enable clients (typically servers and PCs) to access files over a TCP/IP network. From: http://en.wikipedia.org/wiki/Network-attached_storage.

NIC: A network interface card is hardware that enables a server to interface to an Ethernet or TCP/IP local area network (LAN). An NIC is not necessarily a card in the server; it can be integrated as LAN on a server motherboard (LOM).

PaaS: Cloud platform services or Platform as a Service (PaaS) deliver a computing platform and/or solution stack as a service, which often consumes cloud infrastructure and sustains cloud applications. It facilitates deployment of applications without the cost and complexity of buying and managing the underlying hardware and software layer. From: http://en.wikipedia.org/wiki/Cloud_computing.

Pod: Cisco VMDC Pod-based architecture provides network architects the ability to modularize the infrastructure into easily replicable units called a point of delivery (Pod). Architects can plan for an initial Pod, which guarantees a certain scale and performance along with a scalable data center core network. This architecture provides a predictable and homogeneous method to add self-contained Pods as additional resources are necessary.

QoS: Quality of Service (QoS) is a mechanism to define cloud service quality. To tailor workload or application requirements to specific customer needs, the cloud provider can differentiate services with a multitiered service infrastructure and quality of service (QoS) settings. Customers can use and purchase such services under a variable pricing model.

SaaS: Software as a Service (SaaS) delivers software as a service over the Internet, which eliminates the need to install and run the application on the customer's own computers and simplifies maintenance and support. From: http://en.wikipedia.org/wiki/Cloud_computing

SAN: A storage area network is a storage server or appliance that uses block-based protocols typically based on SCSI to access files over a Fibre Channel or TCP/IP network. From: http://en.wikipedia.org/wiki/Storage_area_network.

Service Tier: Cisco VMDC reference architecture defines a three-tier model of Bronze, Silver, and Gold tiers that comprise IaaS services. These tiers define service levels for compute, storage, and network performance.

SLA: Service level agreements (SLAs) define the support levels in cloud services. Typically, cloud providers want to offer three, four, or five different service tiers and provide different service level agreements (SLAs). IaaS cloud services can be differentiated into predefined service tiers when they vary support of the following features: virtual machine resources, storage features, application tiers, stateful services, and network bandwidth.

Tenant: A tenant is an entity that subscribes to cloud services. Each tenant must be securely separated from other tenants who share the common virtualized resource pool. However, workloads owned by one tenant will be visible to others unless firewalls are configured to block communications among different applications.

UCS: Cisco Unified Computing System (UCS) is a data center platform that unites computing, networking, storage access, and virtualization into a cohesive system, and integrates a low-latency, lossless 10 Gigabit Ethernet unified network fabric with enterprise-class, x86-architecture servers.

vCPU: Virtual CPU (vCPU) is an entity that corresponds to a physical CPU in a guest VM. If the system has n cores, then the maximum number of vCPUs that can be allocated to a guest is n.

VLAN: A virtual LAN, commonly known as a VLAN, is a group of hosts with a common set of requirements that communicate as if they were attached to the same broadcast domain, regardless of their physical location. A VLAN has the same attributes as a physical LAN, but it allows for end stations to be grouped together even if they are not located on the same network switch. You can achieve network reconfiguration through software instead of by the physical relocation of devices. From: http://en.wikipedia.org/wiki/Vlan.

VM: A virtual machine (VM) is a software implementation of a machine (i.e. a computer) that executes instructions (not programs) like a physical machine. From: http://en.wikipedia.org/wiki/Virtual_machine.

vMotion: vMotion technology enables VM mobility within a cluster, where policies follow VMs as they move across switch ports and among hosts.

VMDC: Cisco Virtualized Multi-Tenant Data Center (VMDC) solution is a reference IaaS architecture that brings together core products and technologies from Cisco, NetApp, EMC, BMC, and VMware to deliver a comprehensive end-to-end cloud solution. Focused on IaaS cloud deployment, the Cisco Virtualized Multi-Tenant Data Center (VMDC) solution, version 2.0, provides customers with robust, scalable, and resilient options for cloud data center deployments. This Cisco-driven, end-to-end architecture defines how to provision flexible, dynamic pools of virtualized resources that you can share efficiently and securely among different tenants and provision quickly through process automation. Process automation reduces resource provisioning and improves time-to-market (TTM) for IaaS-based services. Shared resource pools consist of virtualized Cisco unified compute and virtualized SAN and NAS storage platforms connected through the use of Cisco data center switches and routers.

VRF: In IP-based computer networks, Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table to coexist within the same router at the same time. Because the routing instances are independent, you can use the same or overlapping IP addresses without conflicting with each other. The simplest form of VRF implementation is VRF Lite. In this implementation, each router within the network participates in the virtual routing environment in a peer-based fashion. From: http://en.wikipedia.org/wiki/VRF.

VPN: A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines accessible to only one organization. From: http://en.wikipedia.org/wiki/Virtual_private_network.

VSG: Cisco Virtual Security Gateway* (VSG*) for Cisco Nexus 1000V Series Switches* is a virtual appliance that secures and provides trusted access to virtualized data centers in enterprise and cloud provider environments and at the same time meets the requirements of dynamic policy-driven operations, mobility-transparent enforcement, and scale-out deployment for dense multi-tenancy.

vWAAS: Cisco Virtual Wide Area Application Services (vWAAS) is a cloud-ready WAN optimization solution that accelerates applications delivered from private and virtual private cloud infrastructure, through the use of policy-based on-demand orchestration.

Endnotes

1. Security and Virtualization in the Data Center: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_sec_design.html
2. Intel Xeon processors: http://www.intel.com/xeon
3. Intel internal measurements using a web banking workload running PHP and Windows Server 2008 R2, comparing number of banking sessions (users) for an Intel® Xeon® processor X5689 (3.33 GHz) vs. Intel® Xeon® processor X5570 (2.93 GHz).
4. Data Center Design - IP Network Infrastructure: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/DC3_0_IPInfra.html#wp1043848
   Data Center Service Patterns: http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/DC_3_0/dc_serv_pat.html
5. Designing Secure Multi-Tenancy into Virtualized Data Centers: http://www.cisco.com/en/US/netsol/ns1050/networking_solutions_sub_program_home.html

To learn more about deployment of cloud solutions, visit www.intel.com/cloudbuilders

Disclaimers

Δ Intel processor numbers are not a measure of performance. Processor numbers differentiate features within each processor family, not across different processor families. See www.intel.com/products/processor_number for details.

Hyper-Threading Technology requires a computer system with a processor supporting HT Technology and an HT Technology-enabled chipset, BIOS and operating system. Performance will vary depending on the specific hardware and software you use. For more information including details on which processors support HT Technology, see http://www.intel.com/technology/platform-technology/hyper-threading/index.htm

No computer system can provide absolute security under all conditions.
Intel Trusted Execution Technology (Intel TXT) requires a computer system with Intel Virtualization Technology, an Intel TXT-enabled processor, chipset, BIOS, Authenticated Code Modules and an Intel TXT-compatible measured launched environment (MLE). The MLE could consist of a virtual machine monitor, an OS or an application. In addition, Intel TXT requires the system to contain a TPM v1.2, as defined by the Trusted Computing Group and specific software for some uses. For more information, see http://www.intel.com/technology/security/

Intel Turbo Boost Technology requires a PC with a processor with Intel Turbo Boost Technology capability. Intel Turbo Boost Technology performance varies depending on hardware, software and overall system configuration. Check with your PC manufacturer on whether your system delivers Intel Turbo Boost Technology. For more information, see http://www.intel.com/technology/turboboost.

Intel Virtualization Technology requires a computer system with an enabled Intel processor, BIOS, virtual machine monitor (VMM) and, for some uses, certain computer system software enabled for it. Functionality, performance or other benefits will vary depending on hardware and software configurations and may require a BIOS update. Software applications may not be compatible with all operating systems. Please check with your application vendor.

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER, AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined." Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or by visiting Intel's Web site at www.intel.com.

Copyright © 2010 Intel Corporation. All rights reserved. Intel, the Intel logo, Intel Xeon, Intel Xeon inside, Intel Turbo Boost Technology, Intel Hyper-Threading Technology, Intel QuickPath Technology, Intel Intelligent Power Technology, Intel Virtualization Technology, Intel Advanced Encryption Standard Technology, and Intel Trusted Execution Technology are trademarks of Intel Corporation in the U.S. and other countries. Other names and brands may be claimed as the property of others.