I attended the Cisco Partner Virtual Summit the past few days and learned a great deal about existing and up-and-coming Cisco releases in the data center. One of the sessions detailed advancements in the Nexus 1000v and new Nexus 1010 appliance.
Security
Right now, you probably have a great many virtual machines in your data center. Imagine that an attacker (or disgruntled employee) gains access to one of your VMs. What’s to stop them from using gratuitous ARP or a spoofed MAC/IP addresses to make their VM “look” like the one holding all your company secrets? Cisco is bundling a handful of security features, supported in the 1000v, called Cisco Integrated Security that performs dynamic ARP inspection, port security, IP source guard, and DHCP snooping.
Here’s a brief run-down on what each feature in Cisco Integrated Security does:
| Feature | Capability | Prevents |
|---|---|---|
| Port Security | Restricting MAC addresses on a port | Rogue VM spoofing MAC addresses |
| IP Source Guard | Maps IP address to MAC address | IP/MAC spoofing |
| DHCP Snooping | Monitors DHCP transactions | Rogue DHCP server |
| Dynamic ARP Inspection | ARP: Maps IP address to MAC Monitors ARP transactions, used in vMotion |
ARP Attacks |
Myths
Cisco knows that there is a lot of mystery and misinformation surrounding the 1000v. They took the time during the session to address the most frequent questions that customers typically have.
| Question | Answer |
|---|---|
| How many VLANs for VSM and VEM communication? | 1 The initial release (SV1(1)) of the 1000v required three VLANs, but all subsequent releases support Management, Control, and Packet information using one VLAN. |
| Can VSM and VEMs communicate without VLANs? | Yes, over Layer 3 using IP. |
| Should VSM be placed on its own VEM? | Yes, this has been part of the best practices. When you migrate your VMs to the 1000v dvSwitch, you’ll migrate the VSM Management, Control, and Packet interfaces to the 1000v dvSwitch too. |
| Can the VSM be VMotioned? | Yes. |
| Traffic stops when the VSM is disconnected, right? | No. Traffic continues to flow even when active and standby VSMs are disconnected. |
| The 1000v only works with Nexus switches upstream, right? | No The 1000v works with any Ethernet switches. |
| The 1000v uses VNTags for VM operation, right? | Only in Hardware VN-Link mode with a Nexus 5000 will the 1000v VEM add VNTags. |
Nexus 1010
I’m excited about this one. Did you notice how there’s no “v” in the Nexus 1010 name? That’s because the 1010 is a physical appliance running NX-OS! It integrates into your virtual environment much the same way as you’ll install VEMs on the hosts, but instead of the VSMs running as VMs on the hosts, the VSMs will run on NX-OS on the 1010. This is huge for network admins who like their switches being something they can touch, feel, and rack.
The 1010 runs NX-OS — just like the Nexus 7000s. It is a physical appliance that is supported by CiscoWorks for management. The 1010 will host up to four VSMs; that’s 4 VSMs x 64 hosts/VSM = 256 hosts. That means that the 1010 will support “connecting” up to 256 hosts (and by host, I mean VEM running on the host). For redundancy, Cisco recommends purchasing a pair of 1010s, alternating primary and standby VSMs on each 1010. Keep in mind that with the 1010, you still must have VMware Enterprise Plus licensing to cover the VEMs on the hosts (just like you do with the 1000v).
Below is an architecture comparison between the 1000v and 1010:
This is just the beginning though. Cisco talked about how they’re working with partners for Layer 4 – 7 services. That means future virtual Firewalls for VMs, Network Analysis Module, and who knows what else!
Maintenance Release SV1(3)
Version 1.3 has been released and fixes some bugs. Not only that, but it has an enhanced installation application to facilitate putting the VSM on its own VEM and creating system port profiles. We’re anxious to set this up in the lab.
That’s all I’ve got!
– Andrew
