CISCO VMDC - VIRTUAL SERVICES ARCHITECTURE (VSA) 1.0 with Citrix ADC VPX

Compatibility

  • Citrix ADC 10.5 VPX

Product Details

Cisco’s Virtual Multiservice Data Center (VMDC) is Cisco’s reference architecture for cloud deployment and has been widely adopted by numerous Solution Providers and enterprises worldwide. In this and previous releases, VMDC has provided design guidance for scalable, secure, resilient, public and private cloud infrastructures serving multiple consumers or tenants:

  • In the data center portion of the architecture, VMDC 2.X designs were centered on traditional hierarchical infrastructure models incorporating leading Cisco platforms and Layer 2 (L2) resilience technologies such as Virtual Port Channel (vPC), providing network containers or tenancy models of different sizes and service profiles, with necessary network based services and orchestration and automation capabilities to accommodate the various needs of cloud providers and consumers.
  • VMDC 3.X systems releases introduced Cisco FabricPath for intra-DC networks, as an optional L2 alternative to a hierarchical vPC-based design. FabricPath removes the complexities of Spanning Tree Protocol (STP) to enable more extensive, flexible, and scalable L2 designs. Customers leveraging VMDC reference architecture models can choose between vPC-based and FabricPath-based designs to meet their particular requirements.

VMDC VSA 1.0 is the first VMDC release dealing specifically with the transition to NFV (Network Function Virtualization) of IaaS network services in the data center. Such services comprise virtual routers, virtual firewalls, load balancers, network analysis and WAN optimization virtual appliances.

In this release, we focus mainly on public provider use cases, building a new logical topology model around the creation of virtual private cloud tenant containers in the shared data center infrastructure. Future releases will incorporate additional cloud consumer models specific to enterprise and private cloud use cases. In particular, future releases will address hybrid consumer models, comprising physical and virtual service appliances, used together as part of a per-consumer or per-tenant service set. These can be implemented on either a 2.X (classical Ethernet) or 3.X (FabricPath) VMDC infrastructure.

However, in this release we focus on fundamental implications of an all-virtual approach, and have opted to do so over a simple FabricPath data center topology previously validated in VMDC 3.0.

Services

Previous VMDC releases incorporated physical appliance-based and DSN module-based services, and virtual service appliance form factors. From VMDC 2.2 forward, two tiers of security policy enforcement points are featured in the enterprise-grade Expanded Gold container: the first perimeter firewall implemented on a physical form factor, and the second (VSG) implemented as a virtual appliance. The premise was that this hybrid model would best satisfy rigorous security requirements. As is traditional, with the exception of the VMDC 3.0 “Switched Data Center” FabricPath topology model, all physical form factors were attached at the aggregation or aggregation-edge nodes.

VMDC VSA 1.0 departs from tradition in that all IaaS network service functions are virtualized. In this model, services are attached via VLAN stitching at the virtual access edge in the compute layer of the infrastructure. The list of virtual service appliances includes: CSR; Citrix ADC, formerly NetScaler VPX, or Cisco Citrix ADC 1000v for SLB; ASA 1000V; VSG; Virtual Network Analysis Module (vNAM); and the Virtual WAN Acceleration Service Module (vWAAS). Running on general-purpose server hardware, these software-based form factors are ideal for cloud data centers in that they are software-defined and provide flexibility and agility through enhanced programmability.

Server Load Balancer

The Citrix ADC VPX and Cisco’s OEM product, Citrix ADC 1000v, are virtual appliances that perform SLB and SSL offload services in the VMDC VSA 1.0 architecture. As of this writing, the VPX is available in four models, ranging from 200 Mbps to 3 Gbps maximum throughput, suiting a broad range of performance requirements and use cases. This release leverages the 200 Mbps (VPX-200) model. Supported hypervisors as of this writing are: vSphere ESXi, Microsoft Hyper-V, and Citrix Hypervisor, formerly XenServer. This release is based on the vSphere ESXi hypervisor. The number of logical network interfaces supported by the VPX is determined by hypervisor limits. Currently, for vSphere 5.1 and ESXi hardware version VMX-09, this is a maximum of 10. The VPX supports IPv4 and IPv6 packets, and can operate in transparent or routed mode. Required VPX-200 resources are two vCPUs, 2 GB RAM, and 20 GB HD.

In this release we focus mainly on load balancing and resilience capabilities; however, this virtual SLB (vSLB) implementation is quite feature-rich, supporting a broad range of use cases and functionality. The Citrix ADC may be installed from an OVF and configured via CLI; the browser-based VPX GUI further enhances usability and ease of configuration. More detailed information about the Citrix ADC is available online.

To address the identified requirements, we modified the Unified Computing component of the VMDC architecture, shifting virtualized service functions from the Unified Fabric/Data Center Networking portions of the infrastructure.

In general, the solution comprises three modular layers:

  • Unified Computing and Integrated Systems (UCIS), providing server and application virtualization, typically consisting of FlexPods and Vblocks.
  • Unified Fabric and Data Center Networking (UFDC), providing network and network-based services virtualization.
  • Data Center Interconnect (DCI), providing seamless multi-site connectivity.

The solution is complemented by Cloud Service Management components that enable end-to-end provisioning and orchestration, along with monitoring and assurance.

Features

The architecture described in this guide addresses the following customer challenges:

  • Tenancy Scale - Previous VMDC systems releases leveraged various abstraction technologies, for example, virtual LANs (VLANs) and virtual routing and forwarding (VRF), for tenant isolation, including separated routing and forwarding. Each abstraction technology impacts logical scale and control plane overhead. In a traditional hierarchical DC network model, the pressure point from a scalability and control plane perspective is at the aggregation layer of the infrastructure, with the number of route peers, VRFs, VLANs, and MAC capacity supported by aggregation nodes presenting key multi-dimensional scalability factors. The virtual services architectural (VSA) model introduced in this release presents an alternative, addressing tenancy scale using a centralized provider edge (PE) and distributed, per-tenant virtual customer edge (vCE) routing model. Tenancy scale is thus increased to the number of eBGP peers (or alternatively, static routes) supported by the PE nodes. As of this writing, this is 5000 per pair of redundant ASR 9000 Series PE routers.
  • Complexity - Current VMDC architecture models feature a relatively high degree of management complexity because service appliances are shared across multiple tenants, and are allocated in logical “slices” (contexts) by automation systems. The VSA model reduces service orchestration complexity, removing cross-tenant dependencies for L4-L7 service allocation. The VSA model represents a simpler logical topology compared to the back-to-back VRF-Lite method employed in VMDC 2.X releases to create rigorous (VRF-based) tenant isolation.
  • Customer Evolution to NFV for IaaS - For years, customers have seen the transition from physical to virtual services as a foundation for an evolution toward “next-gen” data center service-oriented architectures, providing increased flexibility and agility through greater “software definition”.
  • Need for Virtual Appliance-Based Multi-Tenancy Design Guidance - VMDC VSA 1.0 is a starting point, representing an opportunity to initially consider one specific deployment model (the vCE model) out of several possible options for an “all-virtual” virtual private cloud instantiation, exploring end-to-end service differentiation, performance and impact on future automation requirements.
  • Need to Address Logical Segmentation Constraints - The constraints of traditional 802.1q VLAN L2 domains are addressed through the application of virtual overlays. VMDC VSA 1.0 presents a first look at the use of VXLANs for logical segmentation.

VMDC VSA 1.0 addresses the following use cases:

  • Data center and PoD design
  • Split N-tiered applications
  • Multi-tenancy (including Virtual Extensible LAN (VXLAN)-based logical segmentation)
  • Application-centric instrumentation (statistics collection, network analysis, WAN optimization, Performance Agent)