Cisco Cisco Prime Virtual Network Analysis Module (vNAM) 6.3 白皮書
3-14
Cisco Virtualized Multiservice Data Center (VMDC) Virtual Services Architecture (VSA) 1.0
Design Guide
Chapter 3 VMDC VSA 1.0 Design Details
Network
Figure 3-10
Expanded Gold Container
It is important to note that because the CSR supports multiple logical interfaces, any virtual containers
featuring CSR as the L3 boundary support combined virtual and bare metal hosts, via VLAN stitching,
or alternatively, via the VXLAN gateway on the Nexus 1000V.
featuring CSR as the L3 boundary support combined virtual and bare metal hosts, via VLAN stitching,
or alternatively, via the VXLAN gateway on the Nexus 1000V.
Network
Network considerations are detailed in the following sections:
•
•
Layer 3 Design
In VMDC VSA 1.0, a combination of dynamic and static routing is used to communicate reachability
information across the L3 portions of the Data Center infrastructure. In this design, dynamic routing is
achieved using External Border Gateway Protocol (eBGP) from dedicated, per-tenant virtual routers
(CSRs) functioning as vCE routers to redundant, centralized routers (ASR 9000s or ASR 1000s)
functioning as PE routers.
information across the L3 portions of the Data Center infrastructure. In this design, dynamic routing is
achieved using External Border Gateway Protocol (eBGP) from dedicated, per-tenant virtual routers
(CSRs) functioning as vCE routers to redundant, centralized routers (ASR 9000s or ASR 1000s)
functioning as PE routers.
Note: static routes could alternatively be configured for the vCE to PE paths. This may be an acceptable
alternative from an operational standpoint if the routes will be configured using automation systems;
otherwise manually maintaining static routes could present a challenge in highly scaled environments.
alternative from an operational standpoint if the routes will be configured using automation systems;
otherwise manually maintaining static routes could present a challenge in highly scaled environments.
Depending upon the virtual private cloud container model, the CSR has either one (for example, Bronze,
Silver) or two (for example, Expanded Gold) northbound interfaces to the PE router: one connects to the
tenant private VRF and the second connects to the PE global routing table for routing over the Internet.
Because the CSR supports IPsec VPN termination, encrypted IPsec client traffic from the Internet can
be routed via the PE router to the CSR, where it is decrypted and routed to destination hosts in the
container. For Zinc containers, in which the ASA 1000V is the logical L3 perimeter, static routes
Silver) or two (for example, Expanded Gold) northbound interfaces to the PE router: one connects to the
tenant private VRF and the second connects to the PE global routing table for routing over the Internet.
Because the CSR supports IPsec VPN termination, encrypted IPsec client traffic from the Internet can
be routed via the PE router to the CSR, where it is decrypted and routed to destination hosts in the
container. For Zinc containers, in which the ASA 1000V is the logical L3 perimeter, static routes