Presentation is loading. Please wait.

Presentation is loading. Please wait.

Technical Overview Cisco Validated Design: Secure Multi-Tenancy Architecture.

Similar presentations

Presentation on theme: "Technical Overview Cisco Validated Design: Secure Multi-Tenancy Architecture."— Presentation transcript:

1 Technical Overview Cisco Validated Design: Secure Multi-Tenancy Architecture

2 Agenda  Introduction – Architecture, Four Pillars, Components, and Documentation  Availability  Secure Separation  Service Assurance  Management

3 Silos to Secure Multi-tenancy Architecture HRHR BUBU AP P HR AppsBU AppsCore Apps HRBUAPP VMware Traditional Data Centers Secure Multi-tenancy Architecture

4 Secure Multi-tenancy – Four Pillars Service Assurance Deliver consistent SLA across Compute Network Storage Secure Separation Enable separation across tenants Increase security and access control Availability Build resilient architecture High Availability Fault Tolerance Redundancy Management Simplify management End-to-end manageability Secure Multi-tenancy Architecture

5 Secure Multi-tenancy Components NetApp SANscreen Network Comput e SAN Cisco Nexus 7000 Cisco Nexus 5000 Cisco UCS 6100 Fabric Interconnect Cisco UCS 5100 Blade Server Cisco MDS VMware vSphere Cisco Nexus 1000V VMware vShield Storage NetApp MultiStore NetApp FAS VMware vSphere NetApp FilerView NetApp Provisioning Manager NetApp Protection Manager NetApp Operations Manager Cisco UCS Manager Cisco Data Center Network Manager VMware vShield Manager VMware vCenter NetApp SnapManager Compute  VMware vShield  VMware vSphere  Cisco Unified Computing System Network  Cisco Nexus 1000V  Cisco Nexus 5000  Cisco Nexus 7000  Cisco MDS Storage  NetApp FAS  NetApp Multistore Management  VMware vShield Manager  VMware vCenter  Cisco UCS Manager  Cisco DC Network Manager  NetApp Operations Manager  NetApp Provisioning Manager  NetApp SANscreen & SnapManager

6 Documentation Usage Guideline Designing Secure Multi-tenancy into Virtualized Data Center Design Guide Cisco Validated Design (CVD)  Solution Brief (4 pages)  Architecture Overview (25 pages)  CVD: Design Guide (90 pages)  Design Considerations  Best Practice  Bill of Material  CVD: Deployment Guide (100+ pages)  Configuration  Software Recommendation

7 Agenda  Introduction - Architecture, Four Pillars, Components, Documentation  Availability  Secure Separation  Service Assurance  Management

8 Resilient End-to-End Architecture Core/ Aggregation Access Compute SAN/Storag e Cisco Nexus 7000 Cisco Nexus 5000 Cisco UCS 6100 Fabric Interconnect UCS 5100 Blade Server Cisco MDS NetApp FAS vPC 4x10GE FC 10GE vPC Ether Channel Ether Channel FC Compute  vCenter Heartbeat  VMware HA  vMotion/Storage vMotion  UCS Fabric Redundancy Network  vPC  EtherChannel  N1KV Active/Standby VSM  Link/Device Redundancy Storage  RAID-DP  NetApp HA  Snapshot  SnapMirror/SnapVault VMware vSphere Nexus 1000V VMware vCenter

9 Network and UCS Availability x4 AABB UCS 1 Aggregation Layer UCS 2 VSM Active VEM Nexus 7000 and Nexus 5000  Loopless Topology with vPC  Port-Channel  RPVST+ Nexus 1000V  Supervisor Availability (VSM)  Forwarding Path Availability (VEM) Nexus 1000V VSM Standby Unified Computing System  Fabric Availability  Control Plane Availability  Forwarding Path Availability  Blade Server Path Availability vPC Access Layer vPC

10 VMware HA and vCenter Heartbeat  VMware HA  Protection against server failure  Configurable VM restart priority  Protection against VM guest OS failure  Configurable VM heartbeat monitor sensitivity  Primary vs. Secondary Nodes  vCenter Heartbeat  Primary and Secondary vCenter server in replication and synchronization  Protection against hardware and application failure

11 vMotion and Storage vMotion  vMotion  Continuously availability to tenants during planned server outages  Zero downtime migration of VM between servers  Storage vMotion  Continuously availability to tenants during migration to different tiers of storage  Supports all three protocols: NFS, iSCSI, FCP

12 Protecting Data  A key focus in providing a 100% resilient infrastructure  NetApp protection requires less overhead, more usable storage and resources available for valuable data.  Mix and match data protection features to create a customized data protection plan ✔ NetApp RAID-DP ✔ NetApp SnapShot ✔ NetApp SnapRestore ✔ NetApp SnapMirror Storage Overhead Usable Resources

13 NetApp SnapShot Data Protection  A reference to a complete “point-in-time” image of a NetApp volume, captured as read-only, residing within the active volume.  reference to the original data blocks, not a copy of them  complete image, not incremental  within the volume, not on a separate set of disks  Taken manually or automatically on a schedule  hourly, nightly, weekly  Revert current volume to any “point-in-time” captured in a SnapShot with NetApp SnapRestore

14 Agenda  Introduction - Architecture, Four Pillars, Components, Documentation  Availability  Secure Separation  Service Assurance  Management

15 Secure Separation Compute  UCS & vSphere RBAC  VM Security with vShield and Nexus 1000V  UCS Resource Pool Separation Network  Access Control List  VLAN Segmentation  QoS - Classification Storage  vFiler units  IP Spaces  VLAN Segmentation

16 Access Control Define Roles  Cloud Administrator  Tenant Administrator  Tenant User Access Control List  Nexus 1000V, 5000, 7000 Role Based Access Control  UCS Manager  Server Admin  Network Admin  Storage Admin  Customized Admin  vCenter  Privilege Assignment  User Group Association  Permission Assignment Tenant B NetApp MultiStore vFiler Tenant ATenant CTenant DTenant B Cloud Administrator

17 VLAN Consolidation VLAN TypesFunctionRoutable Control Plane VLANTo Mange control PlaneNo Management VLANTo Mange ManagementYes Engineering VLANTo separate for Engineering.No Marketing VLANTo service Marketing team.Depends HR VLANTo to service HR group.No Data Center VLANTo separate Data Center from other places.Depends Storage VLANVLAN only for SANNo Complexity Data VLAN?? VLAN #200 Which VLAN?? VLAN #201?? Which VLAN for VM #2? Management VLAN?

18 18 VM Security with vShield and Nexus 1000V Secure Isolation Simple container-based rule creation leveraging vCenter inventory objects Point of enforcement close to VM Policy based separation between tenants Policy based separation for multi- tier application Full integration with N1KV Virtual Service Domain (VSD) feature leveraged by vShield to intercept VM-destined flows vMotion awareness vShield session state tables follow the VM Cisco VN-Link maintains VM protection policy consistency during vMotion Protected (VSD Inside) Unprotected (VSD Outside) Physical Adapters Nexus 1000V Tenant ATenant BTenant C Members of VSD

19 Compute Resource Separation vSphere Resource Pool Design Best Practice  Dedicated resource pools for infrastructure and tenants  Separate sub-resource pool for individual tenants  Combined with RBAC to securely isolate access between tenants Storage Pool Interconnect Pool Tenant A Resource Pool Tenant B Resource Pool Tenant Resource Pool Infrastructure Resource Pool Tenant B Resource Pool

20 NetApp Secure Multi-Tenancy Partitioning clients & workloads Challenges  Resource utilization  Secure separation  Resource hogs Secure multi-tenancy MultiStore  Secure partition of storage and networking  Proven technology: 16,000 licenses  Third-party valid security testing Virtual Storage Partition Customer B Virtual Storage Partition Customer C Data Virtual Storage Partition Customer A Data MultiStore ®

21 Agenda  Introduction - Architecture, Four Pillars, Components, Documentation  Availability  Secure Separation  Service Assurance  Management

22 Service Assurance – Delivering SLA High PriorityMed Priority Platinum CoS Gold CoS Compute  Expandable Reservation  Dynamic Resource Scheduler  UCS QoS System Classes for Resource Reservation and Limit Network  QoS - Classification  QoS - Queuing  QoS - Bandwidth control  QoS - Rate Limiting Storage  FlexShare  Storage Reservations  Thin Provisioning 4 GE 2 GE

23 Network Service Assurance  QoS – Classification  Classification Capability  Identify Traffic Types  Classify at Source of Origin  QoS – Queuing  Packet Delivery Schedule  QoS - Bandwidth Control  QoS – Rate Limiting Back End Traffic Control & Management Traffic Types Best Effort Front End Traffic Bulk Data Network Management NFS Data Store/N1KV Service-Class Scavenger Best Effort CoS 6, Gold CoS 6 Gold CoS 4, Silver CoS 5 Platinum CoS & UCS Class CoS 0 & 1, Best Effort CoS 6, Gold CoS 5, Platinum CoS 4, Silver vMotion Transactional Application Storage IO App to App (multi-tier) CoS 4, Silver CoS 2, Bronze

24 Compute Resource Service Assurance  Built-in vCenter Resource Pool settings to provide:  resource guarantee for infrastructure and tenant services  Resource pool settings to be set based on tenant SLA:  VMware DRS provides fully automated load distribution across all UCS blades in the ESX Cluster  During VM/vApp power on  During steady and non-steady state Resource Pool Settings Platinum Tenant Gold Tenant Silver Tenant ReservationReserved No reservation LimitsUnlimitedLimited SharesHighMediumLow Expandable Reservation EnabledDisabled

25 Storage SLA Assurance  Set high priority for database (or Platinum) SLA  Five levels of prioritization available  Isolates tenant performance, other tenants will not impact properly provisioned SLAs. FAS Storage System Running Data ONTAP ® with FlexShare ™ Clients Database Server Switch Platinum SLA Gold SLA Medium Priority High Priority

26 Agenda  Introduction - Architecture, Four Pillars, Components, Documentation  Availability  Secure Separation  Service Assurance  Management

27 End-to-End Management Server Layer Network Layer Storage Layer vCenter Server vShield Manager Unified Computing System (UCS) Manager SANscreen Data Center Network Manager Flexible NetFlow Fabric Manager SANscreen Operations Manager Provisioning and Protection Manager SANscreen  Service Insight  Service Assurance  Application Insight  Capacity Manager  VM Insight

28 Cisco UCS Manager UCS Manager  Single point of management for UCS system of components  Adapters, blades, chassis, fabric extenders, fabric interconnects  Embedded device manager  Discovery, Inventory, Configuration, Monitoring, Diagnostics, Statistics Collection  Coordinated deployment to managed endpoints  APIs for integration with new and existing data center infrastructure  SMASH-CLP, IPMI, SNMP  XML-based SDK for commercial & custom implementations GUI Custom Portal or Tools Systems Management Software Systems Management Software CLI

29 Cisco Data Center Network Manager  Centralized management throughout the data center network  Ethernet, IP routing and Network Security domain awareness  Enables error-free provisioning  Configuration validation via syntax and semantics checks  Health monitoring  Real-time alarms and key traffic performance indicators  Facilitates the insertion of innovative network features  Network virtualization transparently supported  Powerful industry-standard SOAP/XML API  Stateful network information enabling network- aware 3rd party applications

30 vCenter Infrastructure Management Centralized Control and Visibility  Resource Allocation Overview  Performance Charts Overview  Datastore Utilization Overview Proactive Management  Default Alarms to monitor infrastructure health, resource and space utilization Extensibility  vShield Manager  NetApp Virtual Storage Console (VSC)

31 31 vShield Manager  Integrates with vCenter server  Policy Overview  Traffic flow  Historical flowchart  Real Time flowchart

32 NetApp Management  SANscreen allows providers and tenants visibility into full storage path  Provisioning Manager eases providers deployment  Protection manager makes backups and recovery a snap.  Operations Manager offers chargeback reporting and monitoring

33 Q & A

Download ppt "Technical Overview Cisco Validated Design: Secure Multi-Tenancy Architecture."

Similar presentations

Ads by Google