Cisco's Unified Network Services Embeds Security, Optimization In The Network

As part of Cisco's Data Center Business Advantage, the company is announcing two virtual services products, the Virtual Security Gateway (VSG), originally announced at VMworld 2010, and virtual Wide Area Application Services (vWAAS). VSG and vWAAS are Cisco's first offerings that provide application services embedded in the virtual network. They are tightly coupled to individual virtual machines through a policy-based management framework that can be applied to both virtual machines in the loca

September 14, 2010

4 Min Read
NetworkComputing logo in a gray background | NetworkComputing

As part of Cisco's Data Center Business Advantage, the company is announcing two virtual services products, the Virtual Security Gateway (VSG), originally announced at VMworld 2010, and virtual Wide Area Application Services (vWAAS). VSG and vWAAS are Cisco's first offerings that provide application services embedded in the virtual network. They are  tightly coupled to individual virtual machines through a policy-based management framework that can be applied to both virtual machines in the local data center as as well as in a cloud service.

Both theVSG and vWAAS are the first entries into Cisco's Unified Network Services. Other vendors like Juniper and Citrix are also integrating their respective products into a network fabric, and we expect other vendors like Brocade and HP to follow suit. Having a fast, robust Ethernet network is only part of the solution to provide rapid application delivery. The data center has to send and receive that traffic beyond its borders. With the drive to Infrastructure as a Service (IaaS) and possibly Software as a Service (SaaS), the ability to optimize your traffic between clients and servers is necessary and with virtual appliances, possible.

Virtual Security Gateway (VSG) is a zone-based, virtual security appliance that places virtual machines (VM) into a security zone based on policy and behavior. For example, you can create zones based on business unit so that sales can't access engineering resources. The zones automatically follow the VM as it moves from one hypervisor to another. The access controls can be applied to network traffic based on on TCP/UDP ports, VM, or even custom attributes, making policy definition much more context-aware than stateful packet filtering firewalls. The VSG runs within Cisco's Nexus 1000v virtual switch and leverages Cisco vPath, which dynamically steers packets to a Virtual Service Node (VSN) that makes a decision about how the flow should be handled and then lets the local Nexus 1000v implement the decision.

vPath is part of the Nexus 1000v 1.4 virtual switch, and it decouples the VM from the policy enforcement. In the case of VSG, the first few packets of a network session are transparently forwarded to the VSN, which makes a policy decision, such as allowing or denying the flow, and then the policy and the flow are pushed to the Nexus 1000v connected to the target VM. You only need one VSG in your network to make access control decisions, but policies can only be enforced by Nexus 1000v switches; if VMs will migrate to other switches, the policy can't travel with them. VSG policies are implemented in Cisco's Virtual Network Management Center (VNMC), which interacts with vCenter to gather VM information. The VSG doesn't support VPN functionality.

Multi-tenant support is implemented in the VNMC using a container-style design. You can create tenants based on company, business units, function, or any other taxonomy that makes sense for your network. Tenants can also have subtenants if necessary. For example, Acme Corp. can be subdivided into Sales, Engineering and Human Resources.Each tenant requires at  least one VSG assigned to it. The tenant's VSG keeps tenants separate and makes traffic decisions based on the policies defined by the VNMC. The policies are applied by the individual Nexus 1000v virtual switches, which are by nature multi-tenant. The multi-tenant feature can support most business requirements.

Cisco's virtual Wide Area Application Services (vWAAS) is a virtual instance of Cisco's WAAS product that performs application delivery functions such as compression, caching and data deduplication. While Cisco is claiming the first cloud WAN optimizer, I think that claim goes to Expand Networks, which announced is Virtual Accelerator in 2009. vWAAS functions munch like its physical counterpart: it remains in the data path between the client and server to optimize connections based on application policies. vWAAS can even take advantage of the local SAN to store cached objects and byte patterns, much like the appliance does with local storage.

Unlike the VSG, vWAAS doesn't require a Nexus 1000v, but when one is present, you gain the benefit of transparently redirecting traffic to the proper vWAAS. Otherwise, you will need to redirect traffic to the vWAAS using traditional methods such as Cisco's Web Cache Control Protocol (WCCP) or policy-based routing (PBR), both of which forward traffic to be optimized to the vWAAS while traffic that doesn't need optimization is unaffected. The Nexus 1000v integration is another redirection option. Alternatively, you can put the vWAAS virtually in-line, but then all traffic is processed by the vWAAS appliance.

SUBSCRIBE TO OUR NEWSLETTER
Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like


More Insights