BRKDCT 2121

Virtual Device Context (VDC) Design and Implementation Considerations with Nexus 7000
Ron Fuller CCIE #5851 (R&S/Storage) Technical Marketing Engineer, Nexus 7000 rfuller@cisco.com
BRKDCT-2121
Follow us on Twitter for real time updates of the event:
@ciscoliveeurope, #CLEUR
Housekeeping
We value your feedback- don't forget to complete your online session evaluations after each session & the Overall Conference Evaluation which will be available online from Thursday
Visit the World of Solutions and Meet the Engineer
Visit the Cisco Store to purchase your recommended readings

Please switch off your mobile phones After the event dont forget to visit Cisco Live Virtual: www.ciscolivevirtual.com Follow us on Twitter for real time updates of the event: @ciscoliveeurope, #CLEUR
Presentation_ID
2012 Cisco and/or its affiliates. All rights reserved.
Cisco Public
Course Objective
What you will learn..

VDC Configuration Guidelines Common VDC Use Cases How to use VDCs with Advanced Applications
BRKDCT-2121
Cisco Public
Agenda
Virtual Device Context (VDC) Overview

- What are VDCs? - VDC Types - Resource Allocation
- Interface Allocation
- VDC Operation and Management - Leading practices
Consolidation with VDCs Segmentation with VDCs Advanced Applications and VDCs Q&A
BRKDCT-2121
Cisco Public
What are Virtual Device Contexts (VDCs)?
What is a switch?
Control plane
Data plane Management plane
VDCs enable the virtualization of these planes and hardware resources Enables collapsing of multiple logical networks into single physical infrastructure Helps scale physical resources of device Appropriate for typical silo designs such as: -Production, Dev, Test -Intranet, DMZ, Extranet -Organization A, B C -Application A, B, C -Customer A, B, C
BRKDCT-2121 2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
VDC Prod VDC Extranet VDC DMZ
Different network islands virtualized onto common data center networking infrastructure
6
Virtual Device Contexts (VDCs)

VDC A Layer-2 Protocols
VLAN mgr STP IGMP sn. LACP RIB UDLD CDP 802.1X CTS
VDC B Layer-3 Protocols

OSPF BGP EIGRP PIM RIB GLBP HSRP VRRP SNMP
Layer-2 Protocols
Layer-3 Protocols
OSPF BGP EIGRP PIM GLBP HSRP VRRP SNMP
VDC A VDC B
VLAN mgr STP IGMP sn. LACP
UDLD CDP 802.1X CTS RIB
VDC n
RIB
Protocol Stack (IPv4 / IPv6 / L2)
Protocol Stack (IPv4 / IPv6 / L2)
Infrastructure Kernel
VDCVirtual Device Context

Flexible separation/distribution of Software Components Flexible separation/distribution of Hardware Resources Securely delineated Administrative Contexts
2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
VDCs are not

The ability to run different OS levels on the same box at the same time based on a hypervisor model; there is a single infrastructure layer that handles h/w programming
BRKDCT-2121
Virtualization Hierarchy
Nexus 7000 VDC1
Where are VDCs reside in the Big Picture

VLAN VLAN VLAN VRF VRF VRF
VLAN VLAN VLAN

VDC2
VRF VRF VRF
VLAN VLAN VLAN VLAN VLAN VLAN
VRF VRF VRF VRF VRF VRF
VDC3
VLAN VLAN VLAN VLAN VLAN VLAN
VRF VRF VRF VRF VRF VRF
VDC4
VLAN VLAN VLAN

VLAN VLAN VLAN
BRKDCT-2121 2012 Cisco and/or its affiliates. All rights reserved.
VRF VRF VRF

VRF VRF VRF
Cisco Public
Virtual Device Contexts VDC Resources

When creating VDCs, certain resources are shared across VDCs while others must be dedicated to a VDC
Global Resources
Resources that can only be allocated, set, or configured globally for all VDCs from the master VDC are referred to as Global Resources i.e.: boot image configuration, Ethanalyzer session, CoPP Resources that are allocated to a particular VDC are referred to as dedicated resources - examples include Layer 2 and Layer 3 ports, VLANs, IP address space, etc Some resources are shared between VDCs for example the OOB Ethernet management port.
Dedicated Resources
Shared Resources
BRKDCT-2121
Cisco Public
NX-OS Software Packaging

Licenses Overview
VDCs are in Advanced
MPLS
XL
Transport Services Advanced Enhanced L2 FCoE SAN Enterprise
Enterprise
Base
Simplified Software Management
8 NX-OS enforceable licenses enable full suite of functionalities for any switching deployment
Grace Period License

120 days of full feature use with ample warning as grace period comes to the end
Non-Disruptive Licensing
No disruption in service when moving from grace license to purchased licenses
Licenses are associated with chassis S/N#
BRKDCT-2121
Cisco Public
10
VDC Certification
VDC separation is industry certified NSS Labs for PCI Compliant Environments FIPS 140-2 Common Criteria Evaluation and Validation Scheme Certification #10349
BRKDCT-2121
Cisco Public
11
Agenda
- What are VDCs?
- VDC Details
- Resource Allocation
- Interface Allocation - VDC Operation and Management - Leading practices
Consolidation with VDCs Segmentation with VDCs
Advanced Applications and VDCs

Q&A
BRKDCT-2121
Cisco Public
12
VDC Details The Default VDC

Fully functional VDC with all capabilities
VDC 1
Some tasks can only be performed in the default VDC

VDC creation/deletion/suspend Resource allocation interfaces, memory NX-OS Upgrade across all VDCs EPLD Upgrade As directed by TAC or to enable new features Ethanalyzer captures control plane traffic Feature-set installation for Nexus 2000, FabricPath and FCoE Control Plane Policing (CoPP) Port Channel load balancing Hardware IDS checks control ACL Capture feature enable VDC 1
Layer 2 Protocols
VLAN
PVLAN STP
Layer 3 Protocols
OSPF
BGP EIGRP
UDLD
CDP 802.1X
GLBP
HSRP IGMP
LACP
CTS
PIM
SNMP
Default VDC can be used for production traffic with no issues

Some customers may choose to reserve it for administrative functions
BRKDCT-2121
Cisco Public
13
VDC Details Non-Default VDC

Fully functional VDC with all capabilities Changes in nondefault VDC only affect that particular VDC
VDC 2, 3 or 4 Layer 2 Protocols

VLAN PVLAN UDLD CDP 802.1X CTS
Layer 3 Protocols
OSPF BGP EIGRP PIM GLBP HSRP IGMP SNMP
Independent processes started for each protocol in each VDC

Discrete configuration file per VDC Discrete checkpoints per VDC Discrete RBAC, TACACS, SNMP, etc.
VDC 2 VDC 3 VDC 4
STP LACP
BRKDCT-2121
Cisco Public
14
VDC Types Module-Type Modes

In release 5.1, module-type parameter defines the behavior for each VDC Different I/O module types can be specified:
-
M1-F1 Mixed VDC
m1 specifies VDC can contain M1 modules m1-xl specifies VDC can contain M1-XL modules m2-xl - specifies VDC can contain M2-XL modules f1 specifies VDC can contain F1 modules f2 specifies VDC can contain F2 modules
M1-XL Only VDC
limit-resource module-type f1 m1 m1-xl m2-xl (default) Allows mix of M1, M1-XL, M2 and F1 modules in the VDC
F1 Only VDC
15
VDC Types F2 VDCs

F2 Modules cannot coexist in the same VDC as other non-F2 modules Require the creation of a F2 only VDC using limitresource module-type f2 In a new configuration where only F2 modules are present system will automatically set the default VDC to F2 mode* When F2 is added to an existing configuration, ports are placed in VDC0 to be allocated to F2 VDCs by the admin
M1-F1 Mixed VDC
M1-XL Only VDC
*This check is only done once when no configuration exists

F2 Only VDC
16
VDC Types Examples of Limiting Module Type

Want F1-only VDC limit-resource module-type Want F2-only VDC limit-resource module-type Want M1/M1-XL-only VDC limit-resource module-type Want M1-XL with F1 VDC limit-resource module-type Want M2-XL-only VDC limit-resource module-type f1 f2 m1 m1-xl m1-xl f1 m2-xl
In a VDC in one of these modes, conflicting modules are placed in suspended state on OIR Power is applied, module is in ok status, but interfaces are not available for configuration Only VDC allocation is allowed for such interfaces (e.g., to move F1 interfaces from an M1-only VDC to an F1 or mixed-mode VDC)
17
VDC Types Storage VDC

Enables separation of job functions for LAN and SAN Admin Creates a virtual MDS within the Nexus 7000
Participates as a full Fibre Channel Forwarder (FCF) in the network Zoning, FC alias, fcdomains, IVR, Fabric Binding, etc
Fibre Channel
FCoE Target Support FCoE ISLs to other switches Nexus 7000, 5000, MDS Only one storage VDC per chassis
Does not require Advanced License (VDCs)
Ethernet VDC Storage VDC
Does count towards total VDC count 4 per Nexus 7000
BRKDCT-2121
Cisco Public
18
Agenda
- What are VDCs? - VDC types
- Interface Allocation - VDC Operation and Management - Leading practices

Q&A
BRKDCT-2121
Cisco Public
19
Resource Allocation
Ability to allocate resources as needed Different VDCs may have different requirements Production vs. Test/Dev Multi-tenancy into shared infrastructure
BRKDCT-2121
Cisco Public
20
Resource Allocation Dedicated Resources that can be Allocated

Certain resources can be allocated and limited to a given VDC:
m4route-mem m6route-mem module-type monitor-session monitor-session-erspan-dst port-channel u4route-mem u6route-mem vlan vrf Set ipv4 route memory limits Set ipv6 route memory limits Controls which type of modules are allowed in this vdc Monitor local/erspan-source session Monitor erspan destination session Set port-channel limits Set ipv4 route memory limits Set ipv6 route memory limits Set VLAN limits Set vrf resource limits
How much RAM do I allocate for my routing tables?

Routing table memory limits are in MB. For an idea of MB to routes you can use the command show routing ipv4|ipv6 memory estimate routes <1000-1000000> next-hops <1-16>
u4route-mem and u6route-mem limits are only applied after a switchover or reload they are not hot updates.
BRKDCT-2121
Cisco Public
21
Resource Allocation Default Resource Allocation

Default allocations allow for majority of deployment scenarios 8MB of memory allows for approx 6000 routes with 16 next hops Can be modified by using VDC templates as needed
N7K1-VDC1# show vdc N7K1-VDC2 resource
Resource -------vlan monitor-session
Min --16 0
Max --4094 2
Used ---35 0
Unused -----0 0
Avail ----4059 2
monitor-session-erspan-dst
vrf port-channel u4route-mem u6route-mem m4route-mem m6route-mem
0
2 0 8 4 8 5
23
4096 768 8 4 8 5
0
2 0 1 1 1 1
0
0 0 7 3 7 4
23
4086 752 7 3 7 4
BRKDCT-2121
Cisco Public
22
Agenda
- What are VDCs? - VDC Types
- VDC Operation and Management - Leading practices

Q&A
BRKDCT-2121
Cisco Public
23
Interface Allocation Interface Allocation N7K-M206QF-23L
VDC A
Ports are assigned on a per VDC basis and cannot be shared across VDCs
VDC C
6 port 40GE module Once a port has been assigned to a VDC, all subsequent configuration is done from within that VDC Each port on a N7K-M206QF-23L has its own ASIC.
VDC B
VDC D
24
Interface Allocation Interface Allocation N7K-M202CF-22L
VDC A
VDC C
2 port 100GE module Once a port has been assigned to a VDC, all subsequent configuration is done from within that VDC Each port on a N7K-M202CF-22L has its own ASIC.
VDC B
VDC D
25
Interface Allocation Interface Allocation N7K-M132XP-12 and L
VDC A
VDC C
32 port 10GE M1 module Once a port has been assigned to a VDC, all subsequent configuration is done from within that VDC N7K-M132XP-12 & L require allocation in port groups of four to align ASIC resources.
VDC B
VDC D
26
Interface Allocation Interface Allocation N7K-F132XP-15
VDC A
Ports are assigned on a per VDC basis and cannot be shared across VDCs unless using FCoE
VDC C
32 port 10GE F1 module Once a port has been assigned to a VDC, all subsequent configuration is done from within that VDC N7K-F132XP-15 Requires allocation in port groups of two to align ASIC resources.
VDC B
VDC D
27
Interface Allocation Interface Allocation N7K-F248XP-25
VDC A
VDC C
48 port 10GE F2 module Once a port has been assigned to a VDC, all subsequent configuration is done from within that VDC N7K-F248XP-25 Requires allocation in port groups of four to align ASIC resources.
VDC B
VDC D
28
Interface Allocation Interface Allocation N7K-M108X2-12L
VDC A
VDC C
8 port 10GE module Once a port has been assigned to a VDC, all subsequent configuration is done from within that VDC Each port on a N7K-M108X2-12L has its own ASIC.
VDC B
VDC D
29
Interface Allocation Interface Allocation 10/100/1000 Modules

Ports are assigned on a per VDC basis and cannot be shared across VDCs Once a port has been assigned to a VDC, all subsequent configuration is done from within that VDC
VDC A
VDC C
48-port 10/100/1000
VDC B
*Note The M1 48 port line cards have 4 port groups of 12 ports. Recommendation is to have all members of a port group in the same VDC
VDC D
BRKDCT-2121
Cisco Public
30
Interface Allocation VDC and Interface Allocation

Ports are allocated in VDC config mode
N7K1-VDC1# confi t Ports being Enter configuration commands, one per line. End with CNTL/Z. allocated N7K1-VDC1(config)# vdc N7K1-VDC2 N7K1-VDC1(config-vdc)# allocate interface e8/1-12 Moving ports will cause all config associated to them in source vdc to be removed. Are you sure you want to move the ports (y/n)? [yes] yes
N7K1-VDC1(config-vdc)# show vdc membership

vdc_id: 4 vdc_name: N7K1-VDC2 Ethernet8/1 Ethernet8/4 Ethernet8/7 Ethernet8/10 interfaces: Ethernet8/2 Ethernet8/5 Ethernet8/8 Ethernet8/11
Disruptive warning!
Ethernet8/3 Ethernet8/6 Ethernet8/9 Ethernet8/12
N7K1-VDC1(config-vdc)# allocate interface ethernet 4/1 Entire port-group is not present in the command. Missing ports will be included automatically Moving ports will cause all config associated to them in source vdc to be removed. Are you sure you want to move the ports (y/n)? [yes]
Note that FEX ports only exist in the VDC where their parent interfaces reside
Easier allocation in NX-OS 5.2
BRKDCT-2121
Cisco Public
31
Interface Allocation Shared Interfaces

Exception to the rule allowing an interface to exist in only one VDC Splits traffic based on Ethertype Ethernet VDC owns interface Storage VDC sees the interface as well
Ethernet VDC
Storage VDC
FCoE Initialization Protocol (FIP) Ethertype 0x8914 and FCoE 0x8906 only are directed to the storage VDC. All other Ethertypes are directed toward the Ethernet VDC
CNA
32
Interface Allocation Requirements for Shared Interfaces

Interfaces must be on N7K-F132XP-15 modules Shared between Default VDC and Storage VDC Shared between non-default VDC and Storage VDC Ethernet VDC is where interface is allocated
- Must be configured as a 802.1q trunk in the Ethernet VDC - Both ports on the ASIC must be configured for sharing
Storage VDC is allocated shared interfaces
BRKDCT-2121
Cisco Public
33
Interface Allocation Configuring Shared Interfaces

Allocate VLANs and Interfaces
Interfaces already allocated to N7K1-VDC1

N7K1-VDC1# config N7K1-VDC1(config)# vdc fcoe N7K1-VDC1(config-vdc)# allocate fcoe-vlan-range 2000-2100 from vdc N7K1-VDC1 N7K1-VDC1(config-vdc)# allocate shared interface e3/25-26
Ports that share the port group of the interfaces you have specified will be affected as well. Continue (y/n)? [yes] yes N7K1-VDC1(config-vdc)# end
N7K1-VDC1# switchto vdc fcoe FCoE# show int brief
Eth3/25
Eth3/26 FCoE#
1
1
eth trunk down

eth trunk down
Administratively down
Administratively down
auto(D) -auto(D) --
Interfaces can be controlled per VDC

34
Communicating Between VDCs

Must use front panel port to communicate between VDCs
- No soft cross-connect or backplane inter-VDC communications

Storage shared ports can communicate with each other *within* their respective VDC Front panel ports align security models, ensure QoS, ACL, Netflow, etc. resources No restrictions on L2/L3 or linecard models When using vPC or vPC+ between VDCs, ensure domain IDs are unique
VDC2
VDC3
35
Virtual Device Contexts VDC Resource Utilization (Layer 2)

Layer 2 learning with multiple active VDCs also has a positive impact on resource utilization MAC addresses learnt in a VDC are only propagated to other linecards when that linecard has a port in that VDC
Switch Fabric
X
Linecard 1
MAC Table
Linecard 2
MAC Table
Linecard 3
MAC Table
MAC A
1/1 1/2 1/3 1/4 2/1
MAC A
2/2 2/3 2/4 3/1 3/2 3/3 3/4
VDC 10
VDC 20
VDC 20
VDC 10
VDC 30
VDC 20
MAC Address A
MAC A is propagated to linecard 2 and 3 but only linecard 2 installs MAC due to local port being in VDC 10
Cisco Public
BRKDCT-2121
VDC 30
36

When only the default VDC is active, the FIB and ACL TCAM on each linecard is primed with forwarding prefixes and policies associated with that default VDC as shown below
Linecard 1
FIB TCAM
Linecard 2
FIB TCAM
Linecard 3
FIB TCAM
Linecard 4
FIB TCAM
Linecard 5
FIB TCAM
Linecard 6
FIB TCAM
Linecard 7
FIB TCAM
Linecard 8
FIB TCAM
128K
128K
128K
128K
128K
128K
128K
128K
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
64K
64K
64K
64K
64K
64K
64K
64K
BRKDCT-2121
Cisco Public
37

VDC 10
Linecard 1
FIB TCAM
VDC 20
Linecard 3
FIB TCAM
VDC 30
Linecard 4
FIB TCAM
FIB and ACL TCAM resources are more effectively utilized

Linecard 6
FIB TCAM
Linecard 2
FIB TCAM
Linecard 5
FIB TCAM
Linecard 7
FIB TCAM
Linecard 8
FIB TCAM
128K ACL TCAM
128K ACL TCAM
128K
128K
128K
128K
128K
128K
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
ACL TCAM
64K
64K
64K
64K
64K
64K
64K
64K
BRKDCT-2121
Cisco Public
38
Control Plane Policing and VDCs

CoPP works per forwarding engine, as such it is VDC "agnostic If ports for the same forwarding engine are shared between VDCs and CoPP thresholds are violated, CoPP will start dropping matching traffic for all ports of this forwarding engine, This behavior might break the separation of VDCs If ports of one forwarding engine belong to different VDCs you can limit this effect:
The ACL e.g. for ARP and ICMP are use "match protocol" but didn't specify networks.
If VDCs using different IP ranges, it is possible to define different CoPP policies based on IP ACLs per protocol
BRKDCT-2121
Cisco Public
39
Agenda
- What are VDCs? - VDC Types
- VDC Operation and Management

- Leading practices

Q&A
BRKDCT-2121
Cisco Public
40
VDC Types VDC Creation - Ethernet

Name of New VDC
N7K1-VDC1# conf t N7K1-VDC1(config)# vdc N7K1-VDC4 Note: Creating VDC, one moment please ... N7K1-VDC1(config-vdc)# show vdc
vdc_id -----1 2 3 4
vdc_name -------N7K1-VDC1 N7K1-VDC2 N7K1-VDC3 N7K1-VDC4
state ----active active active active
mac ---------00:26:51:c7:34:41 00:26:51:c7:34:42 00:26:51:c7:34:43 00:26:51:c7:34:44
type --------Ethernet Ethernet Ethernet Ethernet
lc -----m1 f1 m1xl m1 f1 m1xl m1 f1 m1xl m1 f1 m1xl
N7K1-VDC1(config-vdc)# show vdc N7K1-VDC4 detail vdc vdc vdc vdc vdc vdc vdc vdc vdc vdc vdc vdc id: 4 name: N7K1-VDC4 state: active mac address: 00:26:51:c7:34:44 ha policy: RESTART dual-sup ha policy: SWITCHOVER boot Order: 1 create time: Mon May 16 00:12:38 2011 reload count: 0 restart count: 0 type: Ethernet supported linecards: m1 f1 m1xl
VDC Details
BRKDCT-2121
Cisco Public
41
VDC Types VDC Creation Ethernet F2 Module

Limiting Resources
N7K1-VDC1# conf t N7K1-VDC1(config)# vdc N7K1-VDC4 limit-resource module-type f2 Note: Creating VDC, one moment please ... N7K1-VDC1(config-vdc)# show vdc
vdc_id -----1 2 3 4
vdc_name -------N7K1-VDC1 N7K1-VDC2 N7K1-VDC3 N7K1-VDC4
state ----active active active active
mac ---------00:26:51:c7:34:41 00:26:51:c7:34:42 00:26:51:c7:34:43 00:26:51:c7:34:44
type --------Ethernet Ethernet Ethernet Ethernet
lc -----m1 f1 m1xl m1 f1 m1xl m1 f1 m1xl f2
N7K1-VDC1(config-vdc)# show vdc N7K1-VDC4 detail vdc vdc vdc vdc vdc vdc vdc vdc vdc vdc vdc id: 4 name: N7K1-VDC4 state: active mac address: 00:26:51:c7:34:44 ha policy: RESTART dual-sup ha policy: SWITCHOVER boot Order: 1 create time: Mon May 16 00:12:38 2011 reload count: 0 restart count: 0 type: Ethernet
VDC Details
vdc supported linecards: f2

42
VDC Types VDC Creation - Storage
Name of VDC and type Storage

N7K1-VDC1(config)# vdc FCoE type storage Note: Creating VDC, one moment please ...
N7K1-VDC1(config-vdc)# show vdc vdc_id -----1 2 3 4 vdc_name -------N7K1-VDC1 N7K1-VDC2 N7K1-VDC3 FCoE state ----active active active active mac ---------00:26:51:c7:34:41 00:26:51:c7:34:42 00:26:51:c7:34:43 00:26:51:c7:34:44 type --------Ethernet Ethernet Ethernet Storage lc -----m1 f1 m1xl m1 f1 m1xl m1 f1 m1xl f1
N7K1-VDC1(config-vdc)# show vdc FCoE detail vdc vdc vdc vdc vdc vdc vdc vdc vdc vdc id: 4 name: FCoE state: active mac address: 00:26:51:c7:34:44 ha policy: RESTART dual-sup ha policy: SWITCHOVER boot Order: 1 create time: Mon May 16 00:28:33 2011 reload count: 0 restart count: 0
VDC Details
vdc type: Storage vdc supported linecards: f1

43
Navigating Between VDCs
From the default VDC, use the switchto vdc <name> command
N7K1-VDC1# switchto vdc N7K1-VDC2 N7K1-VDC2#
To return to the default VDC use the switchback

N7K1-VDC2# switchback N7K1-VDC1#
Tip Use the cli alias command

cli alias name agg1 switchto vdc N7K1-VDC2 cli alias name agg2 switchto vdc N7K1-VDC3 cli alias name fcoe switchto vdc FCOE
BRKDCT-2121
Cisco Public
44
Reload and Suspend VDCs
Only non-default VDCs can be suspended, resumed, reloaded or restarted

Reload is just like reloading a box clean boot for that VDC
N7K1-VDC1# reload vdc N7K1-VDC4

Suspend performs config save and graceful cleanup before suspending N7K1-VDC1# (config-vdc)# vdc N7K1-VDC4 suspend
BRKDCT-2121
Cisco Public
45
Nexus 7000 Operational Management

Providing Powerful and Flexible User Control
Role Based Access Control Framework to create ad hoc roles for any type of user Very flexible and powerful control over users Upon login, every user gets assigned a role that defines the privileges of the user that gained access to system The roles are groups of rules that permit or deny a set of operations on NX-OS components
New Hire VDC Admin Network Operator Network Admin
BRKDCT-2121
Cisco Public
46
Virtual Device Contexts VDC Administration 4 Named Default Roles

- network-admin
- network-operator - vdc-admin
- vdc-operator
Admin has all rights (read-write) Operator has read only rights
Roles defined for Priv-15 through 0

- Ease integration into TACACS structure
BRKDCT-2121
Cisco Public
47
VDC Leading Practices

VDC1 Admin VDC2 Agg1 VDC3 Acc1
Reserve VDC 1 (default) as the administrative VDC

On VDC 1, assign accounts with minimum privileges necessary to accomplish operational tasks
VDC4 Test
Utilize a linecard per VDC for improved HA and VDC isolation Customize VDC HA policy and resource configurations as necessary
Dual-sup default is switchover and single-sup default is restart
Nexus7K(config-vdc)# ha-policy dual-sup <policy> single-sup <policy> Nexus7K(config-vdc)# limit-resource vlan minimum <#> maximum <#>
8GB of RAM may be required depending on number of VDCs and features enabled Reference URL at the end
BRKDCT-2121
Cisco Public
48
Out-of-Band Management Network

Use the management VRF on the Nexus 7000 for all management system connectivity
Core1
Mgmt0 x2
Core2
Mgmt0 x2
Use mgmt0 or Connectivity Management Processor (CMP) portsor both!

Mgmt0 IP address for default and nondefault VDCs must be from same subnet Assign different IP address for redundant CMP (same IP address for redundant mgmt0 interface) Doesnt preclude the use of in-band management (Loopback, VLAN, etc)
OOB Mgmt Network
Mgmt0 Management VRF Default VRF Sys Mgmt server Mgmt0
L3 Agg1a
Mgmt0 x2 CMP x2
Agg1b
Mgmt0 x2 CMP x2
OOB Mgmt Dist
Acc1
Mgmt0
Acc2
Mgmt0
mgmt1 mgmt2
Separate physical infrastructure is ideal

Common segment in the box
VDC1 Admin VDC2 Agg1 VDC3 Agg2
VDC1 Admin VDC2 Agg1 VDC3 Agg3

49
Managing Virtualization: VDCs and DCNM
Wizard-based Configuration - Interfaces Allocation Across VDC - Resource Limit Enforcement with Templates - Resource consumption monitoring - IPv4 and IPv6 Capable
BRKDCT-2121 2012 Cisco and/or its affiliates. All rights reserved.
VDC aware Fault & Performance Monitoring VDC aware RBAC Topology Representation - VDC per Chassis - VDC to VDC Connectivity Cisco Public
50
Consolidation with VDCs
Hierarchical Network Design

Offers hierarchyeach layer has specific role Modular topologybuilding blocks
Access
Distribution
Easy to grow, understand, and troubleshoot

Creates small fault domains clear demarcations and isolation
Core
Promotes load balancing and redundancy

Promotes deterministic traffic patterns
Distribution
Incorporates balance of both Layer 2 and Layer 3 technology, leveraging the strength of both Utilizes Layer 3 routing for load balancing, fast convergence, scalability, and control
2012 Cisco and/or its affiliates. All rights reserved. Cisco Public
Access
BRKDCT-2121
Building Block
52
Consolidation with VDCs

Enables consolidation while maintaining hierarchy Reduction of physical footprint
- 4:1 is possible
Maintains majority of change and failure domain separation Provides consistent functionality and features across the network
- ISSU, QoS, Netflow, etc
BRKDCT-2121
Cisco Public
53
Consolidation with VDCs (cont)
Considerations
- VDC to forwarding engine mapping - Single chassis is still a single point of failure Highly available yes, but still a single chassis
- EPLD Upgrade impact on VDCs multiple modules recommended

- MAC table sizing bound to lowest common denominator - Limited number of SPAN sessions ACL Capture can help in many instances
BRKDCT-2121
Cisco Public
54
Vertical Consolidation 1
Consolidation of Core and Aggregation while maintaining network hierarchy
No reduction in port count or links but fewer physical switches
Core
Core
Core
Agg
Aggregation
Agg
Access
BRKDCT-2121
Cisco Public
55
Vertical Consolidation 2
Consolidation of Core, Aggregation and Access while maintaining network hierarchy
Plan accordingly for port/ASIC allocation might need more cards than you think!
Core
Core
Core
Aggregation
Agg
Agg
Access
Access
Access
BRKDCT-2121
Cisco Public
56
Segmentation with VDCs
Internet Edge/DMZ/Core
Option to meet multiple needs XL VDC, DMZ and Core Maintains security model with logical separation
Internet
Internet
Internet Edge (XL)
Internet Edge(XL)
Internet Edge (XL)
DMZ
DMZ
DMZ
Core
Core
Core
BRKDCT-2121
Cisco Public
58
MPLS and VDCs Key considerations

Secure and flexible way of software process partitioning
All MPLS features are VDC aware Each VDC operates as separate MPLS router (LSR):
No internal communication between VDCs Multiple logical P / PE routers can be configured Each VDC has independent label space for prefix labels: LDP, VPN, TE
VDC 1 VDC 2 VDC 3 VDC 4
Note: per-VRF VPN labels - globally significant for whole chassis, all others are locally significant to VDC
59
MPLS and VDCs Use cases Vertical consolidation collapse layers of P/PE routers
PE3 (VDC 2) P1 (VDC 3) PE1 (VDC 4) PE4 (VDC 2) POD 1 P2 (VDC 3) PE2 (VDC 4)
Server Server Server Server Server Server Server Server Server Server Server
Horizontal consolidation collapse PEs from several PODs

MPLS Core
POD 2
PE1 (VDC 2)
PE2 (VDC 2)
PE3 (VDC 3)
PE4 (VDC 3)
BRKDCT-2121
Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server Server
Cisco Public
Server Server Server Server Server Server Server Server Server Server Server
60
Advanced Applications with VDCs
VDC Functionality with Features
Using VDCs resolves some hardware restrictions required for features like OTV
VDCs can provide a migration strategy to new hardware and line cards
VDCs provide consolidation and separation that makes storage administrators comfortable virtual MDS
VDC allows us to do things that allow us to solve layer 8-10 issues
BRKDCT-2121
Cisco Public
62
Overlay Transport Virtualization (OTV)
Overlay Transport Virtualization

OTV is a MAC in IP technique to extend Layer 2 domains OVER ANY TRANSPORT
Dynamic Encapsulation
No Pseudo-Wire State Maintenance Optimal Multicast Replication Nexus 7000 First platform to support OTV!
Protocol Learning
Preserve Failure Boundary
Built-in Loop Prevention
Multipoint Connectivity
Point-to-Cloud Model
Automated Multi-homing
Site Independence
64
OTV at the Aggregation Layer

OTV Design Options
No universal response where to place the OTV Edge Device

Main Options:
- OTV at the Core Layer - OTV at the Aggregation Layer (most common discussed in this presentation)
Transport Infrastructure
OTV Edge Device
OTV
OTV
L3 L2
BRKDCT-2121
Cisco Public
65
OTV and SVI Separation

Guideline: The current OTV implementation on the Nexus 7000 requires the separation between SVI routing and OTV encapsulation for a given VLAN
This separation can be achieved with having two separate devices to perform these two functions An alternative, cleaner and less intrusive solution is the use of Virtual Device Contexts (VDCs) available with Nexus 7000 platform:
- A dedicated OTV VDC to perform the OTV functionalities - The Aggregation-VDC used to provide SVI routing support
L3 L2
OTV VDC OTV VDC
Aggregation
BRKDCT-2121
Cisco Public
66
OTV and SVI Separation

VDC Models
Two different deployment models:
OTV Appliance on a Stick
Inline OTV Appliance
Common Uplinks for Layer3 and DCI

Join Interface
Dedicated Uplink for DCI

Internal Interface
OTV VDC
Uplinks to the Layer3 Transport
OTV VDC
SVIs
L3 L2
SVIs
L3 L2
OTV Appliance on a Stick
Inline OTV Appliance
No difference in OTV functionality between the two models The Inline OTV Appliance requires availability of Core downstream links
67

DC Core performs only Layer 3 role STP and unknown unicast domains isolated between PODs Intra-DC and inter-DC LAN extension provided by OTV Ideal for single aggregation block topology
Join Interface Internal Interface Virtual Overlay Interface
Recommended for Greenfield

Core
OTV VDC
SVIs VPC
SVIs
OTV VDC
OTV VDC
SVIs VPC
SVIs
OTV VDC
Aggregation Access
BRKDCT-2121
Cisco Public
68
BRKDCT-2121
Cisco Public
69
CTS Encrypted
OTV VDC
OTV VDC
OTV VDC
OTV VDC
VPC
VPC
Data Center A
Data Center B
OTV VDC
OTV VDC
VPC
Branch Office
70

The Firewalls host the Default Gateway
No SVIs at the Aggregation Layer

No Need for the OTV VDC
Core OTV OTV Def GWY
L3 L2
Def GWY
Aggregation
Firewall Firewall
BRKDCT-2121
Cisco Public
71
Fibre Channel over Ethernet (FCoE)
Fibre Channel over Ethernet (FCoE)

FCoE Benefits
Mapping of FC frames over Ethernet Enables FC to run on a lossless Ethernet
Wire Server Once

Fewer cables and adapters Software Provisioning of I/O Interoperates with existing SANs
Ethernet Fibre Channel
No gatewaystateless Standard June 3, 2009
BRKDCT-2121
Cisco Public
73
Traditional Data Center Design

Ethernet LAN and Fibre Channel SAN
Physical and Logical separation of LAN and SAN traffic Additional Physical and Logical separation of SAN fabrics Purposely Built Networks
LAN: Loss and Out of Order Tolerant SAN: Loss and Out of Order Intolerant
Ethernet FC
FC
Fabric A L3 L2
Fabric B
MDS 9000
Limited in Scale
NIC HBA
Isolation
Convergence
74
Converged Access
Shared Physical, Separate Logical LAN and SAN traffic at Access Layer Physical and Logical separation of LAN and SAN traffic at Aggregation Layer Additional Physical and Logical separation of SAN fabrics Storage VDC (Nexus7000 only) for additional management / operation separation Higher I/O, HA, fast re-convergence for host LAN traffic Edge-Core Topology Use where Core switch is required to provide Storage services to many Edge devices
CNA Ethernet FC Converged FCoE link Dedicated FCoE link
FCoE
FC
Fabric A L3
MDS 9000
L2
Fabric B
Isolation
Convergence
75
Converged Network Fabrics w/ Dedicated Links

LAN and SAN traffic share physical switches and traffic uses dedicated links between switches All Access and Aggregation switches are FCoE FCF switches Storage VDC (Nexus7000 only) for additional operation separation at high function Aggregation/Core Improved HA, load sharing and scale for LAN vs. traditional STP topologies
VE
Ethernet FC Converged FCoE link Dedicated FCoE link
LAN/SAN
Fabric A Fabric B
L3
L2
FCF
SAN can utilize higher performance, higher density, lower cost Ethernet switches for the aggregation/core Edge-Core-Edge Topology connectivity to existing SAN Use where future growth has number of Storage devices exceeding ports in the Core
CNA
FCF
FCF
FCoE
FC
Isolation
Convergence
76
Converged Network Fabrics with Dedicated Links

LAN and SAN traffic share physical switches and traffic use dedicated links between switches All Access and Aggregation switches are FCoE FCF switches Storage VDC (Nexus7000 only) for additional operational separation at high function Aggregation/Core Improved HA, load sharing and scale for LAN vs. traditional STP topologies
VE
Ethernet
FC
LAN/SAN
Fabric A Fabric B
Converged FCoE link Dedicated FCoE link
L3
L2
FCF
SAN can utilize higher performance, higher density, lower cost Ethernet switches for the Edge, Aggregation/Core Standardize on platform, OS and I/O Edge-Core-Edge Topology with scalable and dense Ethernet switches at the Edge
CNA
FCF
FCF
FCoE
FC
FC connectivity only available on Nexus 5000 Isolation

Convergence
77
Data Center Design with E-SAN

Same topologies as existing networks, but using Nexus Unified Fabric Ethernet switches for SANs Physical and Logical separation of LAN and SAN traffic Additional Physical and Logical separation of SAN fabrics Ethernet SAN Fabric carries FC/FCoE & IP based storage (iSCSI, NAS, ) Common components: Ethernet Capacity and Cost Standardize on OS, I/O and Platform Storage administrators in Large Data Centers almost always prefer this model (distinct storage management plane)
Fabric B
NIC or CNA CNA
Ethernet
FCoE
Fabric A L3 L2
Isolation
Convergence
78
Converged Network with Dedicated Links

Ethernet FC Converged FCoE link Dedicated FCoE link FabricPath
FabricPath enabled for LAN traffic Dual Switch core for SAN A & SAN B All Access and Aggregation switches are FCoE FCF switches Dedicated links between switches are VE Ports Fabric A Fabric B L3
Storage VDC (Nexus 7000 only) for additional operation separation at high function agg/core
Improved HA and scale over vPC (ISIS, RPF, and N+1 redundancy)
VE
L2
FCF
FCF
FCF
FCF
SAN can utilize higher performance, higher density, lower cost Ethernet switches
FC connectivity only available on Nexus 5000
CNA
FCoE FC
Isolation
Convergence
79
FabricPath
Introducing Cisco FabricPath

An NX-OS Innovation for Layer 2 Networks
Layer 2 strengths
Simple configuration Flexible provisioning Low cost
Fabric Path
Resilience
Layer 3 strengths
Leverage bandwidth Fast convergence Highly scalable
Simplicity
Flexibility
Bandwidth
Availability
Cost
BRKDCT-2121
Cisco Public
81
Architecture Flexibility Through NX-OS

Spanning-Tree vPC FabricPath
16 Switches
Active Paths Pod Bandwidth
Single Up to 10 Tbps
Dual Up to 20 Tbps
16 Way Up to 160 Tbps
Layer 2 Scalability Infrastructure Virtualization and Capacity

82
Cisco FabricPath
160+ Tbps switching capacity
FabricPath
Traditional Spanning Tree Based Network -Blocked Links
Cisco FabricPath Network -All Links Active
Eliminates Spanning Tree related limitations Multi-pathing across all links, high cross-sectional bandwidth High resiliency, faster network reconvergence Any VLAN anywhere in the fabric eliminates VLAN scoping
BRKDCT-2121
Cisco Public
83
Parallel FabricPath Core

Motivations: Consolidation and whole-network scale Removes access connections and aggregation mesh limitations Meshed agg model overly complex after a certain point Add FabricPath core parallel to L3 core to interconnect FabricPath Pods
L3
FabricPath Core
L3
VPC+ FabricPath
VPC+
VPC
BRKDCT-2121
Cisco Public
84
Parallel FabricPath Core with VDCs

FabricPath Core VDC Layer 3 Core VDC FabricPath Core VDC
L3
Layer 3 Core VDC
L3
Exact same model as prior slide but with VDCs instead of separate physical switches Note VDCs not required for FabricPath
L3
VPC+ FabricPath
VPC+
VPC
BRKDCT-2121
Cisco Public
85
Summary
VDCs Unlock the full potential of Nexus 7000

VDCs can be used for many uses
- Consolidation vertical and horizontal - Security and segmentations - Advanced applications Overlay Transport Virtualization (OTV) Fibre Channel over Ethernet (FCoE) FabricPath
BRKDCT-2121
Cisco Public
86
Course Objective
What we learned
VDC Configuration Guidelines Common VDC Use Cases How to use VDCs with Advanced Applications
BRKDCT-2121
Cisco Public
87
Additional References
VDC White Paper on CCO
http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9402/ps9512/White_Paper_Tech_Overview _Virtual_Device_Contexts.html
8GB RAM Flowchart

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/release/notes/51_nxos_release_note.html#wp86458
Common Criteria Certification #10349

http://www.niap-ccevs.org/st/vid10349/
FIPS 140-2
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140InProcess.pdf
NSS Labs
http://www.nsslabs.com/
Follow us on Twitter @CiscoNexus7000

88
Recommended Reading
Please complete your Session Survey

We value your feedback
Don't forget to complete your online session evaluations after each session. Complete 4 session evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt Surveys can be found on the Attendee Website at www.ciscolivelondon.com/onsite which can also be accessed through the screens at the Communication Stations Or use the Cisco Live Mobile App to complete the surveys from your phone, download the app at www.ciscolivelondon.com/connect/mobile/app.html
1. Scan the QR code (Go to http://tinyurl.com/qrmelist for QR code reader software, alternatively type in the access URL above) 2. Download the app or access the mobile site 3. Log in to complete and submit the evaluations
http://m.cisco.com/mat/cleu12/
90
Thank you.
BRKDCT-2121
Cisco Public
91

BRKDCT 2121

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

BRKDCT 2121

Uploaded by

Copyright:

Available Formats

Virtual Device Context (VDC) Design and Implementation Considerations with Nexus 7000

Follow us on Twitter for real time updates of the event:

Visit the Cisco Store to purchase your recommended readings

2012 Cisco and/or its affiliates. All rights reserved.

What you will learn..

2012 Cisco and/or its affiliates. All rights reserved.

Virtual Device Context (VDC) Overview

2012 Cisco and/or its affiliates. All rights reserved.

Virtual Device Context (VDC) Overview

What are Virtual Device Contexts (VDCs)?

VDC Prod VDC Extranet VDC DMZ

Virtual Device Contexts (VDCs)

VDC B Layer-3 Protocols

VLAN mgr STP IGMP sn. LACP

UDLD CDP 802.1X CTS RIB

Protocol Stack (IPv4 / IPv6 / L2)

Protocol Stack (IPv4 / IPv6 / L2)

VDCVirtual Device Context

VDCs are not

Where are VDCs reside in the Big Picture

VLAN VLAN VLAN

VRF VRF VRF

VLAN VLAN VLAN VLAN VLAN VLAN

VRF VRF VRF VRF VRF VRF

VLAN VLAN VLAN VLAN VLAN VLAN

VRF VRF VRF VRF VRF VRF

VLAN VLAN VLAN

VRF VRF VRF

Virtual Device Contexts VDC Resources

2012 Cisco and/or its affiliates. All rights reserved.

NX-OS Software Packaging

Transport Services Advanced Enhanced L2 FCoE SAN Enterprise

Grace Period License

Licenses are associated with chassis S/N#

2012 Cisco and/or its affiliates. All rights reserved.

2012 Cisco and/or its affiliates. All rights reserved.

Consolidation with VDCs Segmentation with VDCs

Advanced Applications and VDCs

2012 Cisco and/or its affiliates. All rights reserved.

VDC Details The Default VDC

Some tasks can only be performed in the default VDC

Default VDC can be used for production traffic with no issues

2012 Cisco and/or its affiliates. All rights reserved.

VDC Details Non-Default VDC

VDC 2, 3 or 4 Layer 2 Protocols

Independent processes started for each protocol in each VDC

VDC 2 VDC 3 VDC 4

2012 Cisco and/or its affiliates. All rights reserved.

VDC Types Module-Type Modes

M1-F1 Mixed VDC

M1-XL Only VDC

VDC Types F2 VDCs

M1-F1 Mixed VDC

M1-XL Only VDC

*This check is only done once when no configuration exists

VDC Types Examples of Limiting Module Type

VDC Types Storage VDC

Does count towards total VDC count 4 per Nexus 7000

2012 Cisco and/or its affiliates. All rights reserved.

Consolidation with VDCs Segmentation with VDCs

Advanced Applications and VDCs

2012 Cisco and/or its affiliates. All rights reserved.

2012 Cisco and/or its affiliates. All rights reserved.