Cisco Prime Network Services Controller 3.0 White Paper
© 2014 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 14 of 24
Firewall rules apply dynamically from zone to zone and/or from users to zones. A virtual firewall uses a link to each
zone it protects or to external connections. Connectivity details are embedded in the zone type.
Virtual Load Balancer
A virtual load balancer (VLB) is an isolated load balancer instance that can contain multiple load-balanced pools,
multiple VIPs (virtual IPs), and multiple server pools. A VLB is associated with a zone and can perform server load
balancing functions for any of the networks in that zone, using VIP addresses from any IP pool assigned to that
zone. The VLB uses the zone's VR as its default gateway (this is a crucial design best practice: it allows a VLB to be
added or removed without affecting the other VDC services running at the time of that change).
Load-Balanced Pool
A load-balanced pool is a group of servers and/or a group of VMs that belong to the same application or the same
service and are exposed as load-balanced server resources.
When a load balancer instance is used, clients connect to a single destination IP (the VIP) and are then redirected
to the most available real server resource in the server pool.
Route
A route is an IaaS atomic object that defines the path taken by traffic sent through the VDC on a specific IaaS
device, commonly the VFW or the VR. It is used to define the next-hop destination for a particular traffic flow. Each
zone can have multiple routes, and multiple routes can point to different links on zones. The devices can use
dynamic routing protocols so that the networking devices provision routes themselves; however, running multiple
instances of dynamic routing protocols on many Layer 3 devices can be less scalable than defining static routes.
Automatic provisioning of static routes (static route automation) can provide better scale while still maintaining
control over the VDCs in the IaaS facilities. This can be referred to as dynamically automated static routes (DASR).
IP Address Space
This IaaS atomic object is associated with servers or VMs, networks, and links. IP address space is assigned to
link endpoints and to VMs and their VR gateway in a specific network.
Each zone defines an isolated address space, used for the zone's networks. Private zones can have overlapping
IP address spaces across different tenants. In some cases, such as a private zone connected to an enterprise
over a private VPN link, the end user will want to define the address space to use per network per zone. Public
zones have a pool of public IP addresses that may be allocated according to the IaaS service provider's policies,
or that can be assigned by the customer to their public zone networks. IP address space is allocated for links and for
networks. Each IP address space is tagged with the link name and the network name per zone.
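The two isolation rules stated above (a VLB draws VIPs only from IP pools assigned to its own zone, and private zones of different tenants may use overlapping address space) can be expressed as a small validation model. The following is an added example written for this edition, not code from Cisco Prime Network Services Controller; the Zone, VLB and tag layout are assumptions, and the link-name part of the per-zone tag is omitted for brevity.

```python
"""Constructed model of zone-scoped IP address space and VLB VIP assignment.
Assumed structure (not the product's data model): a Zone belongs to one tenant
and owns named network pools; a VLB is bound to exactly one Zone."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Tag = Tuple[str, str, str]  # (tenant, zone name, network name)

@dataclass
class Zone:
    tenant: str
    name: str
    pools: Dict[str, ipaddress.IPv4Network] = field(default_factory=dict)

    def add_pool(self, network: str, cidr: str) -> None:
        net = ipaddress.ip_network(cidr)
        # Isolation is per zone: two networks of the same zone must not overlap.
        for other in self.pools.values():
            if net.overlaps(other):
                raise ValueError(f"{cidr} overlaps {other} inside zone {self.name}")
        self.pools[network] = net

@dataclass
class VLB:
    zone: Zone
    vips: List[Tuple[ipaddress.IPv4Address, Tag]] = field(default_factory=list)

    def assign_vip(self, addr: str) -> Tag:
        ip = ipaddress.ip_address(addr)
        # A VIP is valid only if it falls in a pool assigned to the VLB's own zone.
        for network, net in self.zone.pools.items():
            if ip in net:
                tag = (self.zone.tenant, self.zone.name, network)
                self.vips.append((ip, tag))
                return tag
        raise ValueError(f"VIP {addr} is not in any pool of zone {self.zone.name}")

def overlapping_private_space_is_allowed() -> Tuple[Tag, Tag]:
    # Two tenants reuse 10.0.0.0/24 in their private zones; both assignments succeed.
    a = Zone("tenant-a", "private"); a.add_pool("web-net", "10.0.0.0/24")
    b = Zone("tenant-b", "private"); b.add_pool("web-net", "10.0.0.0/24")
    return VLB(a).assign_vip("10.0.0.10"), VLB(b).assign_vip("10.0.0.10")

def cross_zone_vip_is_rejected() -> bool:
    # A VLB in the public zone may not take a VIP from the private zone's pool.
    pub = Zone("tenant-a", "public"); pub.add_pool("pub-net", "203.0.113.0/28")
    try:
        VLB(pub).assign_vip("10.0.0.10")
    except ValueError:
        return True
    return False
```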
Remote Access Resources
This IaaS atomic object is associated with servers or VMs that need to be accessed through VPN devices (SSL
VPN and other forms of overlay VPN). Once a VDC has been constructed for a specific tenant, remote access
should be provided to the tenant's specific resources (VMs and network components). Normally a VPN device is
used to provide this access in a secure manner. The VPN device requires information about the list of VMs
and other resources (VFW and vSLB) built for the user in his or her VDC. Per-tenant resources are handed to the
VPN device to configure an isolated path from the public Internet to the tenant's VDC.