Cisco Cisco Prime Virtual Network Analysis Module (vNAM) 6.1 White Paper
Cisco Virtualized Multiservice Data Center (VMDC) Virtual Services Architecture (VSA) 1.0
Design Guide
Chapter 3 VMDC VSA 1.0 Design Details
Services
• For HA scenarios, two redundancy options are available: active/standby failover between
redundant VPX pairs, or clustering. It is important to note that load balancing distribution across
multiple VPX appliances is supported only in the clustered case. Given that a virtual appliance is a
dedicated rather than shared resource, and that the failure domain is thus minimized, in this release
we focused on active/standby failover as the most applicable use case. Setting up HA pairs is fairly
simple: one assigns a unique node ID number to the primary and secondary nodes, and points each
node to the NSIP (management interface) address of the other node in the pair. In HA mode,
heartbeat packets are sent on all active interfaces, eliminating the need for a dedicated peer link
between primary and secondary systems. Failover from a primary to a secondary occurs when the
dead-interval timer is exceeded, at which time connections are reestablished on the new primary
VPX instance. Note: in practice it may also be useful to define a SNIP on the NSIP (management)
subnet, in order to allow continued communication with the primary VPX appliance, regardless of
whether it is in active or standby state.
Direct Server Return (DSR), also known as “direct routing”, “nPath” or “SwitchBack”, is another
possible mode of load balancer operation that offers the following benefits versus one-arm mode:
• Preservation of client source addresses (e.g., SNAT loses them).
• Performance—Inbound client traffic is typically much smaller than outbound traffic
(e.g., 1:8 for Yahoo, per NANOG 2010 reports). In DSR, the load balancer only handles inbound
packets, as servers respond directly to clients, bypassing the load balancer. Thus this mode of
operation may offer better performance than one-arm mode.
Some limitations of DSR (in layer 2 mode) are that PAT is not possible and servers cannot respond
directly to ARP requests for the VIP (e.g., non-ARPing loopback interfaces must be configured on the
servers).
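The non-ARPing loopback requirement above, worked through for a Linux real server as an added example that is not part of the Cisco design guide: the VIP is bound to the loopback and the kernel ARP sysctls keep the server from answering ARP for it, with a check function an operator can run before adding the host to the DSR pool. The VIP address, script name and the PROC_ROOT override are constructed assumptions.

```shell
#!/bin/sh
# Added example, not part of the Cisco design guide: prepare a Linux real server
# for layer-2 DSR behind the load balancer. The VIP is bound to the loopback so
# the server accepts frames the LB forwards to its MAC, while the ARP sysctls stop
# it answering ARP for the VIP (only the LB may own the VIP on the wire).
# The VIP address and the PROC_ROOT override are constructed assumptions.
VIP="${VIP:-198.51.100.10}"            # constructed example VIP
PROC_ROOT="${PROC_ROOT:-/proc/sys}"    # overridable so the check can run on a fixture

# Emit the configuration commands; "apply" runs them instead (requires root).
dsr_loopback_setup() {
    mode="${1:-print}"
    for cmd in \
        "sysctl -w net.ipv4.conf.all.arp_ignore=1" \
        "sysctl -w net.ipv4.conf.all.arp_announce=2" \
        "sysctl -w net.ipv4.conf.lo.arp_ignore=1" \
        "sysctl -w net.ipv4.conf.lo.arp_announce=2" \
        "ip addr add ${VIP}/32 dev lo label lo:vip"
    do
        if [ "$mode" = "apply" ]; then $cmd; else echo "$cmd"; fi
    done
}

# Check that ARP suppression is in place on 'all' and 'lo'. Returns 0 when the
# host is safe to add to the DSR pool, 1 (with a diagnostic line) otherwise.
dsr_arp_check() {
    rc=0
    for ifc in all lo; do
        ignore=$(cat "$PROC_ROOT/net/ipv4/conf/$ifc/arp_ignore" 2>/dev/null)
        announce=$(cat "$PROC_ROOT/net/ipv4/conf/$ifc/arp_announce" 2>/dev/null)
        if [ "$ignore" != "1" ] || [ "$announce" != "2" ]; then
            echo "conf.$ifc: arp_ignore=${ignore:-unset} arp_announce=${announce:-unset} (want 1/2)"
            rc=1
        fi
    done
    return "$rc"
}

# Usage: sh dsr-prep.sh         -> print the commands
#        sh dsr-prep.sh apply   -> apply them as root, then verify
case "${1:-print}" in
    apply) dsr_loopback_setup apply && dsr_arp_check ;;
    *)     dsr_loopback_setup ;;
esac
```

With arp_ignore=1 the kernel answers ARP only for addresses configured on the receiving interface, so a VIP held on lo is never announced on the data NIC; arp_announce=2 keeps the VIP out of the source field of the server's own ARP requests.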
ASA 1000V
If only perimeter firewalling is required, without multiple inside and outside interfaces, dynamic routing
or other multi-service L3 features, the ASA 1000V provides an alternative to CSR. Like VSG, the ASA
1000V is integrated with the Nexus 1000V DVS, leveraging vPath for service chaining and fast-path
traffic offload, and presently supporting up to a maximum 500 Mbps throughput.
Each ASA 1000V instance is installed as a virtual machine with the following characteristics: 1 vCPU
at 1 GHz; 1.5 GB vRAM; and 2.5 GB vHD. Four interfaces are provided per virtual appliance: one
management, one failover, and two for data (for example, one “inside” protected and one “outside”
interface). As with VSG, VNMC provides hierarchical, policy-driven domain management.