Cisco Prime Virtual Network Analysis Module (vNAM) 6.3 White Paper
Cisco Virtualized Multiservice Data Center (VMDC) Virtual Services Architecture (VSA) 1.0
Design Guide
Chapter 3 VMDC VSA 1.0 Design Details
VMDC Building Blocks
The following functional layers comprise the VMDC component building blocks:
Network Layer
The Network layer includes the WAN/provider edge (PE) router, which forms the data center perimeter
to the enterprise area or service provider (SP) IP/NGN backbone, and to the public Internet. These
perimeter nodes can be dedicated to Layer 3 (L3) routing functions, or can be multi-service in nature,
providing L2 interconnects between data centers along with L3 services. WAN/PE routers validated in
the VMDC reference system architecture include: Cisco CRS-1, Cisco ASR 9000, Cisco Catalyst 7600,
Catalyst 6500, Cisco ASR 1000, and Cisco ISRG2.
The Network layer includes either a two-layer Clos spine and leaf arrangement of switching nodes, or
the traditional three-layer hierarchical model described in previous (2.X) releases. While the Virtual
Services Architecture (VSA) introduced in VMDC VSA 1.0 works with both models, in this release the
Network layer comprises Nexus 7000 systems, serving as spine and aggregation-edge nodes, and Nexus
5000 or 7000 systems as leaf and access-edge nodes. As described in
,
validated VMDC 3.0 topologies feature several variants, enabling fine tuning of redundancy, port
capacity, and bandwidth to the level of service aggregation or access density required by current and
anticipated scale requirements.
VMDC VSA 1.0 introduces another Network layer functional component, the Cloud Services Router
(CSR), which serves as the L3 boundary and logical perimeter for the tenant Virtual Private Cloud
container in the multi-tenant/shared cloud data center infrastructure. The CSR is a virtual router, so it
resides in the compute tier of the infrastructure. Supporting multiple services, such as IOS zone-based
firewalls (ZBFWs), IP security (IPsec) remote access virtual private network (VPN) termination, and
network address translation (NAT), the CSR provides the flexibility to add additional services without
additional CAPEX.
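The following configuration fragment is an added illustration, not taken from the VMDC VSA 1.0 guide, of how the CSR's zone-based firewall can enforce the tenant perimeter described above: the tenant's inside subnet sits in one security zone, the shared uplink toward the aggregation edge sits in another, and only tenant-initiated sessions are inspected and permitted outbound. Interface names, zone names, and addresses are assumptions for the example.

```ios
! Added illustration (not from the VMDC VSA 1.0 guide): a minimal IOS zone-based
! firewall on a tenant CSR. Interface names, zone names and addresses are assumed.
zone security inside
zone security outside
!
interface GigabitEthernet1
 description Tenant inside network (assumed)
 ip address 10.10.1.1 255.255.255.0
 zone-member security inside
!
interface GigabitEthernet2
 description Shared uplink toward aggregation edge (assumed)
 ip address 192.0.2.2 255.255.255.252
 zone-member security outside
!
! Tenant-originated protocols that are allowed outbound.
class-map type inspect match-any TENANT-OUT
 match protocol http
 match protocol https
 match protocol dns
!
! Stateful inspection: return traffic is admitted only for sessions initiated
! from the inside zone; anything that does not match is dropped and logged.
policy-map type inspect TENANT-OUT-POLICY
 class type inspect TENANT-OUT
  inspect
 class class-default
  drop log
!
! Apply the policy to the inside->outside zone pair only. With no
! outside->inside zone pair defined, unsolicited inbound traffic to the
! tenant container is denied by default.
zone-pair security INSIDE-TO-OUTSIDE source inside destination outside
 service-policy type inspect TENANT-OUT-POLICY
```

Because each tenant's CSR carries its own zone policy, per-tenant firewall rules are applied at the container boundary without touching the shared physical services layer; the `drop log` action on the default class gives the operator a per-tenant record of denied traffic.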
Services Layer
The Services layer comprises network and security services, such as firewalls, server load balancing
(SLB), Secure Sockets Layer (SSL) offload, intrusion prevention, network analysis, and gateway functions.
A distinct difference arises between the conventional data center services layer and the "cloud" data
center services layer: the solution set for the latter must support L4-L7 services at a per-tenant level
through logical abstraction of physical resources. Centralized services are most useful in applying policies
that are broadly applicable across a range of tenants (or workgroups, in the private case).
In previous VMDC reference architectures (2.X, 3.0), the Data Center Services Node (DSN) provides
firewall and SLB services in a service module form factor (for example, ACE30 and ASA-SM
modules). Alternatively, these services are available in appliance form factors (ACE 4710, ASA 5500).
This layer also serves as the termination point for remote access IPsec or SSL VPNs. In the VMDC
architecture, the Cisco ASA 5580 appliance, connected to the aggregation or aggregation-edge switching
nodes or to the DSN, fulfills this function, securing remote tenant access to cloud resources.
In the all-virtual service scenario of VMDC VSA 1.0, these services and more are embedded in the
virtual service subsystem of the Compute layer of the infrastructure.
Compute Layer
The Compute layer includes three subsystems: virtual access, virtual service, and compute. The first
subsystem is a virtual access switching layer, which extends the L2 network across multiple physical
compute systems. This virtual access switching layer is key because it also logically extends the L2
network to individual virtual machines (VMs) within physical servers. The feature-rich Cisco Nexus