HP FlexFabric Virtual Switch 5900v Technology White Paper

Part number: 5998-4548

Document version: 6W100-20131220

© Copyright 2013 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.


Contents

Overview
    Technical background
    Benefits
5900v virtual switch implementation
    5900v virtual switch components
        Virtual Forwarding Engine (VFE)
        Virtual Control Engine (VCE)
        Plug-in
    5900v virtual switch deployment flow
        VCE deployment
        VFE deployment
        Plug-in deployment
    Workflow
    Port-group based VM connections
    Automatic deployment of network policies for VM migration
    Clear boundary between virtual computing and network control
Application scenarios


Overview

The HP FlexFabric virtual switch 5900v (5900v virtual switch) is designed for virtualized environments such as data centers. It is applicable to the VMware vSphere ESXi Enterprise Plus Edition. The 5900v virtual switch integrates with VMware vCenter Server and VMware ESXi to provide the enhanced distributed virtual bridging function.

Technical background

The rapid development of server virtualization has put more and more virtual machines (VMs) into deployment. With Virtual Machine Monitor (VMM) virtualization software installed, a physical server can create at least one VM. VMM software includes VMware vSphere and Microsoft Hyper-V.

Each VM operates independently and has its own operating system, applications, and virtual hardware environments. The virtual hardware environments include virtual CPUs, memories, storage media, IO devices (virtual NICs, for example), and Ethernet switches (bridges), as shown in Figure 1.

Figure 1 Server virtualization

VMs on a physical server communicate with each other or with the outside network through a Virtual Ethernet Bridge (VEB). Each VM is assigned a virtual NIC with a unique MAC address for the VEB to implement packet forwarding.

Benefits

The 5900v virtual switch operates on the VMware ESXi management program and supports the IEEE 802.1Qbg (EVB) standard and the OpenFlow framework. It has the following advantages:


• Port-group based VM connections.

• Automatic deployment of network service policies for VMs after a VM migration.

• Clear boundary between virtual computing and network control.

5900v virtual switch implementation

5900v virtual switch components

The 5900v virtual switch complies with the OpenFlow framework and implements the programmable network technology that separates the control plane from the forwarding plane. It has three components: the VCE, the VFE, and the plug-in, as shown in Figure 2.

Figure 2 5900v virtual switch system framework

Diagram labels: VMware ESXi Station 1 to Station 3, VM #1 to VM #12, VFE, EVB Switch 5900v, VCE, vCenter Server, Plug-in.

VCE (Virtual Control Engine)

• Operates on VMs.

• Serves as the OpenFlow controller, and implements unified VFE management and configuration.

• Closely related to VMware vCenter Server.

Plug-in

• Installed and operates in the vCenter Server through VCE.

• Enhances the network control capability (such as PVLAN, VEPA, and link aggregation) of vNIC ports.

VFE (Virtual Forwarding Engine)

• Operates on VMware ESXi, and can be used as a virtual switch in the VMware environment.

• Serves as the forwarding plane to implement the traffic control and forwarding for the virtual ports.

• Multiple VFEs serve as a distributed virtual switch.

Virtual Forwarding Engine (VFE)

Operating on the ESXi host, a VFE is part of the VMware ESXi kernel. The VFE can be used as a virtual switch in the VMware environment.

The VFE serves as the forwarding plane to implement traffic control and forwarding for the virtual ports. After receiving data, the VFE searches the local flow entries for the destination port. If no port is matched, it forwards the data to the VCE, which determines the forwarding policy and destination port.

VFEs deployed on multiple ESXi hosts serve as a distributed virtual switch. When a VM migrates to other ESXi hosts, the network policies on the virtual NIC can be synchronized to all these hosts, under the supervision of both the VCE and IMC.
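The lookup-then-escalate behaviour described above can be modelled in a few lines. This is an added example, not HP's implementation: the MAC addresses, port names, and the VCE's decision rules (drop unknown source MACs, drop frames between different port-group VLANs, send unknown destinations to the uplink) are assumptions chosen to show how a controller decision becomes a local flow entry.

```python
from dataclasses import dataclass, field

# Constructed sample inventory: vNIC MAC -> (virtual port, port-group VLAN).
VNICS = {
    "00:50:56:00:00:01": ("vport1", 10),  # web VM
    "00:50:56:00:00:02": ("vport2", 10),  # web VM
    "00:50:56:00:00:03": ("vport3", 20),  # database VM
}
UPLINK = "uplink0"  # hypothetical name for the port facing the physical switch


@dataclass
class VCE:
    """Control plane: decides what to do with packets the VFE cannot match."""
    decisions: list = field(default_factory=list)

    def packet_in(self, vfe, src, dst):
        if src not in VNICS:
            action = "drop"            # source MAC is not a known vNIC
        elif dst not in VNICS:
            action = UPLINK            # not a local VM: hand to the physical switch
        elif VNICS[dst][1] != VNICS[src][1]:
            action = "drop"            # different port-group VLAN: no local bridging
        else:
            action = VNICS[dst][0]     # same VLAN: deliver to the local virtual port
        self.decisions.append((src, dst, action))
        if src in VNICS:
            vfe.flows[(src, dst)] = action   # install the entry on the VFE
        return action


@dataclass
class VFE:
    """Forwarding plane: consults local flow entries before asking the VCE."""
    vce: VCE
    flows: dict = field(default_factory=dict)
    hits: int = 0
    misses: int = 0

    def receive(self, src, dst):
        action = self.flows.get((src, dst))
        if action is None:
            self.misses += 1
            action = self.vce.packet_in(self, src, dst)
        else:
            self.hits += 1
        return action


def demo():
    vfe = VFE(VCE())
    web1, web2, db = list(VNICS)
    results = [
        vfe.receive(web1, web2),                  # miss: VCE installs an entry
        vfe.receive(web1, web2),                  # hit: VCE is not consulted
        vfe.receive(web1, db),                    # destination in another VLAN
        vfe.receive(web1, "00:50:56:00:00:99"),   # unknown destination
        vfe.receive("de:ad:be:ef:00:01", web1),   # unknown source
    ]
    return results, vfe.hits, vfe.misses, len(vfe.vce.decisions)


if __name__ == "__main__":
    print(demo())
```

Every miss is a round trip to the VCE, so the ratio of misses to hits is worth monitoring on a controller-based switch of this kind.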


Virtual Control Engine (VCE)

A VCE is installed on a separate VM through the Open Virtualization Format (OVF) template deployment function provided by the VMware vCenter Server. The VCE implements unified VFE management and configuration.

Plug-in

A plug-in is a third-party management interface that the 5900v virtual switch customizes for VMware. It operates on the VMware vCenter Server and mainly provides a configuration interface for port groups.

5900v virtual switch deployment flow

The 5900v virtual switch components operate on different physical or virtual entities. Figure 3 shows the deployment flow and method for each component.

Figure 3 Deployment flow for 5900v virtual switch components

Diagram labels: VMware ESXi Station 1 to Station 3, VM #1 to VM #12, VFE, 5900v VCE, vCenter server, Plug-in, H3C iMC.

1. Install a VCE:

   1. Log in to the vCenter Server.

   2. Click File, and select Deploy OVF Template from the shortcut menu.

   3. Specify an ESXi host on which the VCE resides.

   4. Configure the IP address, username, and password for accessing the vCenter Server.

   5. Configure the IP address, username, and password for accessing the HP IMC.

2. Install a VFE:

   1. Log in to the vCenter Server through the vSphere client, and enter the HP 5900v configuration page.

   2. Click VFE Configuration.

   3. Select the ESXi host where the VFE is to be installed, and click Install.

3. Install a plug-in: The plug-in is automatically installed to the vCenter Server after the VCE is installed.

VCE deployment

To deploy a VCE:

1. Log in to VMware vSphere Client.

2. In the toolbar of VMware vSphere Client, select Deploy OVF Template from the File menu.

3. Select a VCE file path from the list to deploy the OVF template from the file.

4. Accept the end user license agreements.


5. Specify a name (the VM on which the VCE resides) and location (the cluster or data center on which the VCE resides) for the deployed template.

6. Specify an ESXi host on which you want to run the deployed template, and a destination storage location and disk format for the VM files.

7. Configure properties (such as IP address, subnet mask, and default gateway) for the VCE.

8. Click Finish after verifying the configurations to complete VCE deployment.

The VCE is based on the standard browser/server (B/S) framework. To open the VCE configuration page (as shown in Figure 4), log in to http://IP:8080/gui, where IP is the IP address or domain name of the VM on which the VCE is installed.

Figure 4 VCE configuration page

The VCE configuration is performed on a Web browser. The following browsers are supported:

• IE 8.0 and later versions.

• Firefox 3.6 and later versions.

• Google Chrome 9.0 and later versions.

VFE deployment

To deploy a VFE:

1. Launch the VMware vSphere Client, connect your VMware vCenter Server, and click the HP VDS tab.

2. Click VFE Configuration in the VFE area.

3. As shown in Figure 5, select a host on which you want to install a VFE, and click Install.

Figure 5 VFE installation page


Plug-in deployment

A plug-in is integrated into the vCenter Server, and it provides configurations and management for port groups. You can add the plug-in to the vCenter Server on the global configuration page.

To deploy a plug-in:

1. Log in to http://IP:8080/gui, where IP is the IP address or domain name of a VM with a VCE installed.

2. Configure the IP address, username, and password for accessing the vCenter Server.

3. Click the icons for connecting the vCenter Server and installing the plug-in.

4. Log in to VMware vSphere Client after the plug-in is installed, and select datacenter from the navigation tree. The HP 5900v VDS tab appears on the page, as shown in Figure 6.

Figure 6 Plug-in configuration page

For the installation procedures of the HP 5900v virtual switch, see HP FlexFabric Virtual Switch 5900v Installation Guide.

Workflow

As shown in Figure 7, the 5900v virtual switch workflow is as follows:

1. The network administrator logs in to HP IMC VCM to configure VSI type and VLAN attributes.

2. The server administrator creates and configures a port group by using the 5900v virtual switch plug-in in VMware vCenter Server. The plug-in communicates with HP IMC VCM through the REST interface to obtain the VSI type of the VLAN to which the port group belongs.

3. The server administrator does the following:

   • Creates a VM through VMware vCenter Server.

   • Specifies a virtual NIC for the VM.

   • Applies the port group to the virtual NIC.

4. After the VM is powered on, the VCE initiates VDP negotiation with the physical switch (EVB bridge) to associate the VSIs on the VM with the ports on the physical switch.


5. The physical switch does the following:

   • Requests network policy configurations for the VSI type from IMC through HTTP or HTTPS.

   • Applies the configurations to the ports.

6. After receiving the data, the VFE searches the local OpenFlow flow entries for the destination port for data forwarding. If no port is matched, it forwards the data to the VCE component, which determines the forwarding policy and destination port.

7. When a VM migrates, the physical switch does the following:

   • Obtains the network policies from the NMS according to VM and VSI type information obtained through VDP.

   • Deploys the network policies to the VSI.

Figure 7 5900v virtual switch workflow

Diagram components: physical servers hosting VMs (App) and the 5900v virtual switch VFE, physical switch (EVB bridge), VMware vCenter Server with the 5900v virtual switch plug-in, 5900v virtual switch VCE, HP IMC VCM (Designer, VTDB, Connection Mgmt.), Layer 2 network, CaaS, server administrator, network administrator.

Callouts (numbered 1 to 7 and 2' in the figure):

• Configure VSI type and VLAN attributes.

• Create and configure a port group by using the 5900v virtual switch plug-in in VMware vCenter.

• Query available VSI types through the REST interface.

• Create a VM through VMware vCenter, specify a virtual NIC for the VM, and apply the port group to the virtual NIC.

• VCE initiates the VDP negotiation to the physical switch (EVB bridge) after the VM is powered on.

• VDP negotiation.

• Request network policy configurations for the VSI type, and apply the configurations to the ports.

• The VFE sends a packet without matched entries to the VCE. The VCE generates flow entries according to the packet, and applies the flow entries to the VFE.

• The physical switch obtains the network policies from the NMS according to VM and VSI type information through VDP, and deploys the network policies to the VSI.

Port-group based VM connections

A port group in the 5900v virtual switch is defined as a group of network policy attributes, such as VLAN, PVLAN, VEPA, and link aggregation. A port group allows for defining the same network policies for VMs in the same service, and applying the port group to the virtual NICs on the VMs through VMware vCenter Server. If a network policy in the port group changes, the new policy takes effect immediately without VM reboot. Service continuity and high availability of the system are ensured in this way.


Figure 8 Port-group based VM connections

Diagram labels: VMware ESXi Station 1 and Station 2, VM #1 to VM #8, HP 5900v VDS, 5900v VCE, HP iMC, vCenter Server, Plug-in, network policies applied to VMs.

Port group:

• Web

• Emails

• Authentication

• Database

Automatic deployment of network policies for VM migration

In a virtualization environment, VM failures, dynamic resource scheduling (DRS), server failures, or planned server stoppage might result in VM migration. To ensure service continuity:

• Network policies for virtual NICs must be migrated.

• Network policies for ToR access switch ports that connect to the servers must be migrated.

Network policies for virtual NICs are stored on the local disk of a server, and they can be copied to the target server when a VM migration occurs.

Network policies for a ToR access switch port that connects to the server are stored on the ToR access switch. It is difficult to migrate network policies for a ToR access switch port to another ToR access switch port when a VM on a server migrates to another server.

To enable migration of network policies for ToR access switch ports, the IEEE 802.1 working group has drafted a standard called 802.1Qbg Edge Virtual Bridging (EVB) for data center virtualization. It includes the following:

• Formats and requirements for forwarding inter-VM traffic and traffic between VMs and the external network.

• A group of control and management protocols for the network with VMs and I/O virtualization environments.

EVB becomes the pipeline that connects computing resource scheduling and automatic network connection migration. EVB also passes the network traffic created in VMs to a physical switch attached to the server for processing. This greatly reduces costs for CPU usage and storage consumption, and provides more computing resources for services.

EVB is compliant with 802.1Qbg, which is drafted by HP. EVB includes VEB, VEPA, multichannel, and remote copy of broadcast or multicast traffic by the physical switch.
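The reasoning above, that port policy follows the VM because the switch derives it from a central store keyed by VSI type, is modelled below. This is an added example, not code from HP or the 802.1Qbg text: the VSI type names, policy fields, and interface names are constructed, the dictionary lookup stands in for the switch's policy query to the NMS, and the de-associate step on the source port comes from VDP in 802.1Qbg rather than from this paper.

```python
# Constructed VSI type database, standing in for the policy store on the NMS.
VSI_TYPES = {
    "web-v1": {"vlan": 10, "acl": "web-acl", "qos": "gold"},
    "db-v1": {"vlan": 20, "acl": "db-acl", "qos": "silver"},
}


class EvbBridge:
    """ToR switch whose per-port policy is populated only by VDP events."""

    def __init__(self, name, policy_db):
        self.name = name
        self.policy_db = policy_db      # stands in for the policy query to the NMS
        self.ports = {}                 # port -> {vsi_id: policy}

    def associate(self, port, vsi_id, vsi_type):
        policy = self.policy_db.get(vsi_type)
        if policy is None:
            return False                # unknown VSI type: leave the port unconfigured
        self.ports.setdefault(port, {})[vsi_id] = dict(policy)
        return True

    def deassociate(self, port, vsi_id):
        self.ports.get(port, {}).pop(vsi_id, None)

    def policy_for(self, port, vsi_id):
        return self.ports.get(port, {}).get(vsi_id)


def migrate(vsi_id, vsi_type, src, dst):
    """Move a VSI between (bridge, port) pairs; True if the policy is unchanged."""
    (src_bridge, src_port), (dst_bridge, dst_port) = src, dst
    before = src_bridge.policy_for(src_port, vsi_id)
    if not dst_bridge.associate(dst_port, vsi_id, vsi_type):
        return False                    # nothing changed on the source port
    src_bridge.deassociate(src_port, vsi_id)   # no stale policy left behind
    return dst_bridge.policy_for(dst_port, vsi_id) == before


def demo():
    tor1 = EvbBridge("tor1", VSI_TYPES)
    tor2 = EvbBridge("tor2", VSI_TYPES)
    tor1.associate("ge1/0/1", "vm1-nic0", "web-v1")      # VM powered on
    same = migrate("vm1-nic0", "web-v1", (tor1, "ge1/0/1"), (tor2, "ge1/0/7"))
    refused = tor2.associate("ge1/0/8", "vm9-nic0", "unknown-type")
    return (same, tor1.policy_for("ge1/0/1", "vm1-nic0"),
            tor2.policy_for("ge1/0/7", "vm1-nic0"), refused)


if __name__ == "__main__":
    print(demo())
```

After a migration, the check worth automating is the pair the demo returns: the destination port carries the same policy, and the source port no longer carries any policy for that VSI.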


Figure 9 Automatic deployment of network policies for VM migration

Diagram labels: VMware ESXi Station 1 and Station 2, VM #1 to VM #8, HP 5900v VDS, 5900v VCE, vCenter Server, Plug-in, HP iMC.

Reasons for VM migration:

• VM failures

• Dynamic resource scheduling (DRS)

• Hardware maintenance

• Hardware failures

Network policy migration:

• Maintains network policies for ports through the 802.1Qbg standard.

• Makes sure network policies remain the same before and after VM migration.

• Ensures service continuity.

Between the stations and the physical switch:

• EVB protocol negotiation

• VEPA traffic forwarding

SOAP/REST interface obtains network policies for ports.

Clear boundary between virtual computing and network control

In a virtualized environment, a vSwitch runs in the stations to control inter-VM traffic. However, it is managed by the server administrator, which makes vSwitch configuration management difficult.

Figure 10 Clear boundary between virtual computing and network control

Diagram labels: VMware ESXi Station 1 and Station 2, VM #1 to VM #8, 5900v virtual switch VDS, 5900v VCE, vCenter Server, Plug-in, HP iMC.

Network administrator

• Manages virtual switching policies

Server administrator

• Manages computing resource virtualization

As shown in Figure 10, when the 5900v virtual switch is integrated with VMware vCenter Server, it allows the server administrator to use the VMware tools for managing VMs. It also enables the network administrator to use the Web configuration tools for managing the VM network. Although server administration and network administration work independently, the 5900v virtual switch can implement the same configurations and policies in the virtualization environment on the EVB stations. This clarifies the boundary between virtual computing and network control.


Application scenarios

The 5900v virtual switch provides granular control and management of traffic in virtualized environments, such as data centers deployed with the VMware ESXi Enterprise Plus Edition. The VEPA forwarding and traffic monitoring and management provided by the 5900v virtual switch enable you to implement automatic deployment of a VM network.

To deploy a VM network:

• Install an EVB bridge (such as an HP 5900 switch) on top of a standard 42U server rack.

• Connect a rack or blade server that supports hardware-assisted virtualization (Intel VT or AMD-V) to the EVB bridge through a standard Ethernet network cable. Connect the EVB bridge to an aggregation switch or core switch in the network through a copper cable or an optical fiber.

• Install the VMware vSphere 5.0 or later version on each EVB station, and manage EVB stations as a cluster, so they can share the iSCSI or FC storage.

• Deploy the virtualized management platform VMware vCenter Server, distributed vSwitch controller 5900v virtual switch VCE, and network management platform IMC VCE in the management center.

Figure 11 5900v virtual switch network topology

Diagram labels: Management center (HP iMC VCM, VMware vCenter Server, 5900v virtual switch plug-in, 5900v virtual switch VCE), Server access HP 5900, Storage access HP 5900, Core HP 12500, iSCSI storage array HP P4500, Internet access, Internet, OS and service system (three VMs), network administrator, server administrator.

Callouts:

• VM network control through ACLs, QoS, Netstream, and mirroring

• Unified management of server virtualization

• Port group configuration management

• VDP negotiation

• OpenFlow flow entry control

• Hardware virtualization

• OpenFlow traffic forwarding

As shown in Figure 11, the traffic control and management process by the 5900v virtual switch is as follows:

1. The server administrator logs in to the virtualized management platform VMware vCenter Server (the network must be reachable).

2. The server administrator manages and monitors the data center infrastructure (including cluster management, creation, deletion, startup, shutdown, clone, or migration for a VM) and port group configuration management.

3. The network administrator does the following:

   • Creates VSI type and network policy resources on IMC VCM.

   • Saves the network resource configurations to the VTDB database.

4. When a VM is created, started, or migrated, VDP negotiation is performed between the HP 5900 switch (EVB bridge) and the 5900v virtual switch VCE.

5. The HP 5900 switch does the following:

   • Obtains network policy configurations for the VSIs on the VM from IMC VCM through HTTP.

   • Applies the configurations to its ports.

6. The VFE that is integrated in VMware vSphere forwards traffic from the VMs. For traffic that cannot match any destination port, the VFE delivers it to the VCE, which determines the forwarding policy and destination port.

7. The HP 5900 switch does the following:

   • Controls the service traffic of VMs through ACLs, VLAN, DHCP snooping, and ARP detection.

   • Forwards the data to the destination.