Design Guide for the Cisco Nexus 5010 Switch
© 2012 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 3 of 32
Introduction
This chapter covers the design recommendations for a data center deployment consisting of a Cisco Nexus® 7000 Series Switch at the aggregation layer and a Cisco Nexus 5000 Series Switch at the access layer. The content of this chapter focuses on the aggregation layer design with the Cisco Nexus 7000 Series.
This chapter assumes that the reader is familiar with Virtual PortChannel (vPC) technology. If some portions of this document are not clear, we suggest that you refer to Chapter 3, “Cisco NX-OS Software Virtual PortChannel: Fundamental Concepts.” For more about Spanning Tree Protocol, see Chapter 4, “Spanning Tree Design Guidelines for Cisco NX-OS Software and Virtual PortChannels.”
Virtual Device Contexts
Most Nexus-based data center designs today use the concept of the Cisco® virtual device context (VDC), which allows the creation of separate control-plane domains in a single switch.
From a forwarding perspective, vPC is deployed in the context of a VDC. In other words, vPC as a feature, and the optimizations that vPC performs, are fully contained within a VDC.
The Cisco virtual device context (VDC) feature allows a single physical device to be virtualized into one or more logical devices. Each provisioned logical device is configured and managed as if it were a separate physical device. Because the partitioning applies to the control, data, and management planes alike, each VDC is also a separate fault domain: a failure or misconfiguration in one VDC is contained there rather than affecting the whole chassis.
VDC Versus VLANs
Cisco has long provided the ability to separate data-plane broadcast domains by using VLANs. VLANs, however, only isolate traffic on the data plane; they provide no segmentation of the control or management plane, because every VLAN on the device is served by the same operating system instance, the same configuration, and the same set of administrative credentials. As an example, if a router has routed interfaces in multiple VLANs (such as VLAN A and VLAN B) and its management access has not been secured properly, an attacker on VLAN A can reach the device through the switch virtual interface (SVI) of VLAN A (the gateway IP address on VLAN A), log in, and start changing configuration that compromises VLAN B as well. The gateway address is, by design, reachable by every host in the VLAN, so the SVI is an exposed management-plane entry point.
VDCs, on the other hand, provide control-plane isolation. If VLAN A is in context VDC 2 and VLAN B is in context VDC 3, an attacker who manages to gain access to VDC 2 through SVI A (the gateway IP address for VLAN A) will be able to change only the configuration of VDC 2 and cannot make changes that affect VLAN B. Note that this isolation holds only for the nondefault VDCs: the default VDC is the one from which VDCs are created and managed, and an administrator (or attacker) with network-admin rights in the default VDC can switch into any other VDC. Management access to the default VDC, and to each tenant VDC, therefore still needs the usual controls (AAA, management ACLs, SSH only).
This property makes VDCs particularly suitable in multitenant environments, and in particular on the device that provides the default gateway function, whose control plane is by its nature reachable by every server and client that uses the gateway address. On a pure Layer 2 device, VDCs are less important, because such a device only switches the VLANs and has no routed interfaces in them that a host could target.
VDCs are a finite resource: the Cisco Nexus 7000 Series switch described in this guide provides a total of four VDCs per chassis, so plan their allocation up front rather than assuming one per VLAN or per tenant.
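The following NX-OS session is an added illustration of the VDC-versus-VLAN point above; it is not configuration taken from this guide or from any Cisco reference design. It first shows the weak design (one VDC, two tenant VLANs sharing one control plane) and then the corrected design that places each tenant VLAN in its own VDC with its own administrator. The VDC names Tenant-A and Tenant-B, the VLAN IDs, the addresses, the port ranges on module 2, and the user names are hypothetical; the commands themselves (`vdc`, `allocate interface`, `switchto vdc`, `switchback`, `username ... role vdc-admin`, `show vdc`, `show vdc membership`) are standard NX-OS commands. The `allocate interface` step prompts for confirmation on a real switch, and ports on some I/O modules can only be allocated in port groups; both are omitted here.

```cisco
! --- Weak design: a single VDC, two tenant VLANs, one shared control plane ---
! Anyone who reaches Vlan10's gateway address and logs in is administering
! the whole device, VLAN 20 included.
N7K# configure terminal
N7K(config)# feature interface-vlan
N7K(config)# vlan 10
N7K(config-vlan)#   name Tenant-A
N7K(config)# vlan 20
N7K(config-vlan)#   name Tenant-B
N7K(config)# interface Vlan10
N7K(config-if)#   ip address 10.10.0.1/24
N7K(config-if)#   no shutdown
N7K(config)# interface Vlan20
N7K(config-if)#   ip address 10.20.0.1/24
N7K(config-if)#   no shutdown

! --- Corrected design: one VDC per tenant, created from the default VDC ---
! (hypothetical names and port ranges; this is the only place VDCs can be created)
N7K(config)# vdc Tenant-A id 2
N7K(config-vdc)#   allocate interface Ethernet2/1-8
N7K(config)# vdc Tenant-B id 3
N7K(config-vdc)#   allocate interface Ethernet2/9-16
N7K(config)# end

! Each VDC is then configured as a separate device. The tenant admin gets the
! vdc-admin role, which is scoped to that VDC only.
N7K# switchto vdc Tenant-A
N7K-Tenant-A# configure terminal
N7K-Tenant-A(config)# username tenantA-admin password <tenant-A-password> role vdc-admin
N7K-Tenant-A(config)# feature interface-vlan
N7K-Tenant-A(config)# vlan 10
N7K-Tenant-A(config-vlan)#   name Tenant-A
N7K-Tenant-A(config)# interface Vlan10
N7K-Tenant-A(config-if)#   ip address 10.10.0.1/24
N7K-Tenant-A(config-if)#   no shutdown
N7K-Tenant-A(config)# end
N7K-Tenant-A# switchback

N7K# switchto vdc Tenant-B
N7K-Tenant-B# configure terminal
N7K-Tenant-B(config)# username tenantB-admin password <tenant-B-password> role vdc-admin
N7K-Tenant-B(config)# feature interface-vlan
N7K-Tenant-B(config)# vlan 20
N7K-Tenant-B(config-vlan)#   name Tenant-B
N7K-Tenant-B(config)# interface Vlan20
N7K-Tenant-B(config-if)#   ip address 10.20.0.1/24
N7K-Tenant-B(config-if)#   no shutdown
N7K-Tenant-B(config)# end
N7K-Tenant-B# switchback

! --- Checks, run from the default VDC ---
N7K# show vdc                 ! every VDC should be listed as active
N7K# show vdc membership      ! each tenant's ports appear only under its own VDC
```

With this layout, a session that reaches 10.10.0.1 lands in VDC Tenant-A, where tenantA-admin can see and change only that VDC's VLANs, interfaces, and routing; VLAN 20 does not exist there. The default VDC remains the one place from which everything can be reached, so lock down its management access (dedicated management VRF, ACLs, AAA) with the same care you would give a separate core device.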