Cisco Cisco Prime Network Services Controller 3.0 White Paper
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 18 of 24
End-to-End Isolation and Security
A virtual data center for a certain tenant should be private, isolated from other tenants. This is made possible by
using dedicated overlay interconnects (NSIs) and dedicated network services devices. Many times the tenants’ IP
using dedicated overlay interconnects (NSIs) and dedicated network services devices. Many times the tenants’ IP
address schemes will overlap across different tenants (private IP schemes), while the shared network offered by
the provider needs to be unique. In enterprise facilities this depends on the business unit’s deployment
the provider needs to be unique. In enterprise facilities this depends on the business unit’s deployment
requirements; in general overlapping IP is possible even in enterprise cloud facilities.
The challenge of keeping tenant isolation remains an issue on shared networks (shared storage, shared
management access, and so on). For example, the cloud provider will still need a way to access all customer VMs
and their services through an out-of-band network, and the tenants themselves will need to use this network to
access their virtual data center resources. This network might be shared across different customers in order to
provide unique IP schemes for the cloud provider network itself. Privacy of the tenant resources needs still to be
provided through this provider network, while allowing the provider to access all tenant resources (for maintenance,
automation, shared services, and so on).
Overlay networks are great for total isolation but may have challenges with multitenant shared networks for use
cases like shared storage areas and shared networks for management purposes where IP uniqueness is required
by the cloud provider itself.
To keep tenant resources secure even on shared IP domains, a set of network isolation technics and
authentication, authorization, and accounting (AAA) technologies needs to be deployed. Typically shared networks
are needed also for allowing remote access services for tenant users, in order to allow them actually to use their
VMs hosted on the cloud facility. Apart from allowing this access on the front-end self-service portal, it needs to be
secure on the infrastructure, physical and virtual side separated and fully authenticated across all devices.
Cisco has provided those solutions for many cloud providers, using several technologies embedded into Cisco
Nexus 1000v virtual switches, SSL-VPN security appliances, as well as on the Cisco UCS
®
servers and the Cisco
Nexus physical networking appliances.
The out-of-band management network should be deployed on each hosted VM on a dedicated secondary vNIC,
while the port profile attached to that vNIC should support:
●
Dynamic Address Resolution Protocol (ARP) inspection, DHCP snooping, and IP Source Guard
●
Gateway serv
ices for that profile that would deploy NAT to avoid the need for static routes on the VMs’ OS
level
●
DNS guard with technical hostnames used for cloud provider communication with VMs