Cisco Cisco Prime Virtual Network Analysis Module (vNAM) 6.3 White Paper

Cisco Virtualized Multiservice Data Center (VMDC) Virtual Services Architecture (VSA) 1.0 Design Guide
Chapter 3 VMDC VSA 1.0 Design Details
System Level Design Considerations
Security
Security best practices from previous VMDC releases are leveraged for tenancy separation and isolation. Because dedicated network service resources are employed per tenant, the isolation model is simplified and VRF isolation is not required in the data center.

Security related considerations include:

• Remote Access—IPsec and MPLS VPNs provide secure remote access over the Internet or the public provider IP/NGN backbone.

• L3 Separation—BGP at the WAN edge/PE routing provides per-tenant routing to dedicated per-tenant vCE routers. Policies can be applied on both devices to restrict inter-tenant communication.

• Access and Virtual Access Layer (L2) Separation—VXLAN or VLAN IDs and the 802.1q tag provide isolation and identification of tenant traffic across the Layer 2 domain.

• Network Services Separation (Compute)—Dedicated per-tenant virtual service appliances or zones provide virtualized security, load balancing, NAT, and SSL offload services, and allow unique per-tenant policies to be applied at VLAN/VXLAN or VM granularity.

• Storage—This VMDC design uses NetApp for NFS storage, which enables virtualized storage space so that each tenant (application or user) can be separated using ipspaces and VLANs mapped to the network layer separation. The vSphere hypervisor's cluster file system management creates a unique Virtual Machine Disk (VMDK) per VM, ensuring that multiple VMs cannot access the same VMDK sub-directory within the Virtual Machine File System (VMFS) volume, thus isolating one tenant's VMDK from another. In clustered Data ONTAP, a Storage Virtual Machine (SVM) contains data volumes and one or more LIFs (logical interfaces with IP addresses) through which it serves data to clients. An SVM securely isolates the shared virtualized data storage and network, and appears as a single dedicated server to its clients. Each SVM has a separate administrator authentication domain and can be managed independently by an SVM administrator. Secure multi-tenancy is provided by network administration and control that is scoped to a particular SVM. Multiple SVMs can coexist in a single cluster without being bound to any node in the cluster. Additional methods for implementing secure customer separation within a FlexPod unit can be found at:
design allows for Fibre Channel (FC) access separation at the switch port level (VSAN), logical path access separation at the path level (World Wide Name (WWN) or Device Hard Zoning), and at the virtual media level in the storage array (LUN masking and mapping).
Manageability
For service provisioning and orchestration, this architecture leverages Cisco Intelligent Automation for Cloud (CIAC) and BMC Cloud Lifecycle Management (CLM) for automated service orchestration. Information about CIAC can be found here:
. CLM was addressed in previous system releases (VMDC 2.0, and updated in the VMDC 2.2 release). Additional documentation can be found on Design Zone at

From a storage/FlexPod automation perspective, OnCommand: Workflow Automation (WFA), NetApp's storage automation product, simplifies common storage management processes. Storage experts can define common storage management processes such as provisioning, setup, migration, and decommissioning, and make them available for execution by approved users. WFA can leverage the current automation policies to demonstrate the value of a "Storage Service Catalog" and can also integrate with existing orchestration systems. Refer to