Virtualization brings numerous advantages to the data center, such as more efficient resource utilization, reduced management complexity, and lower power and cooling demands. However, it also introduces new challenges, especially for SAN deployments in virtualized environments: specific performance requirements, application isolation, security, granularity in traffic engineering and access control, business continuance and disaster recovery implementations, and advanced connectivity options.
This document describes how the Cisco MDS 9000 Family takes an innovative approach to addressing these challenges in the data center.
Challenge: Customers' need for predictable, consistent application performance in a virtualized environment with any-to-any connectivity
• In nonvirtualized deployments with a large number of physical servers hosting one application per server or cluster, traffic normally is predictable and can be engineered to achieve better performance.
• In VMware environments with a large number of virtualized servers organized in a hypervisor cluster and any-to-any connectivity, traffic becomes unpredictable, and therefore performance must be predictable across all SAN components regardless of their placement.
Solution: Cisco® MDS 9500 Series Multilayer Directors with cross-bar architecture and design to meet the most stringent performance requirements
Figures 1 and 2 illustrate the difference in traffic patterns in nonvirtualized (Figure 1) and virtualized (Figure 2) environments, resulting in new performance requirements for the SAN infrastructure.
Figure 1. Traffic Pattern: 32 Physical Application Servers, No Virtualization; Performance Could Be Managed Through Local Switching
Figure 2. Traffic Pattern: 32-Node Hypervisor Cluster with Any-to-Any Connectivity; Predictable Performance Is Essential
Use of VSANs
Challenge: Customers' need for logical fault domain and security isolation in a consolidated physical SAN for end-to-end virtualization with the capability to share resources
Solution: Cisco MDS 9000 Family VSAN technology with integrated Inter-VSAN Routing (IVR)
The Cisco VSAN implementation is superior to that of competitors:
• VSANs are an integral part of all Cisco MDS 9000 Family products. On competing products, customers need to specifically enable virtual fabrics; only three models (one director and two fabric switches) in competitive offerings support VSANs.
• Straightforward single definition of VSANs (no LSANs (Logical SANs) or Administrative Domains in addition to the Virtual Fabrics).
• Up to 4000 VSANs are supported in the Cisco physical fabric. A maximum of 8 are supported in a competitive director and a maximum of 4 in a competitive fabric switch, too few for real-life situations, where a customer would typically need:
– 1 VSAN for backup
– 1 VSAN for data replication
– 1 VSAN for high-performance online transaction processing (OLTP)
– 1 VSAN for IBM Fiber Connection (FICON)
– 1 VSAN for the development environment to validate new applications
• Having only 8 VSANs available would leave the customer with just 3 for the entire VMware virtual environment, including virtualization of email, web and other applications and virtual desktop deployment, which is clearly not enough.
• Cisco VSANs have no feature limitations. In competing implementations, when Virtual Fabrics are enabled, Administrative Domains, Port-Mirroring, and Traffic Isolation Zoning are not supported, and encryption is limited to the default logical switch.
• The Cisco implementation of IVR is ASIC based and does not affect latency, nor does it require any physical reconfiguration, recabling, or additional cabling. Competitive solutions require external ports, Small Form-Factor Pluggables (SFPs), cabling, etc.
Figure 3 illustrates the use of Cisco VSANs in a virtual machine environment.
Figure 3. Cisco VSAN Use Advantage Over the Competition
Important Cisco MDS 9000 Family Differentiator for VMware Consolidated Backup
VMware Consolidated Backup (VCB) consolidates backup for a VMware ESX environment, exporting the VMware Virtual Disk Development Kit (VMDK) snapshot images to a dedicated physical machine, the VCB proxy server, which in most cases coincides with the data mover (or media server) of the backup application of choice.
The VCB proxy server and media server must have SAN connectivity to each VMware ESX cluster data store; it must have SAN connectivity to the tape library as well.
Given that a large deployment of VMware ESX clusters spans multiple VSANs, and that the tape library, isolated on a separate VSAN, is likely shared with other applications located in other VSANs, flexible IVR is critical to enable VCB without compromising the isolation of users, groups, and applications.
Figure 4 shows the Cisco MDS 9000 Family differentiation in its IVR implementation.
Figure 4. Cisco VSAN and IVR Use Advantage over the Competition in VCB Environments
All these features play pivotal roles when deploying virtual machines as they enable transparent end-to-end virtualization in customers' environments, from their servers to their SAN infrastructure to their storage arrays.
Quality of Service
Challenge: Customers' need for granular traffic prioritization tools for application management across all Enterprise applications in a virtualized, consolidated, physical SAN
Solution: Cisco implementation of quality of service (QoS) in Cisco MDS 9000 Family products
The Cisco implementation of QoS is transparently integrated with both N-port identifier virtualization (NPIV) and VSAN capabilities, and it has the following advantages over the competition:
• User-defined QoS values instead of preset levels
• Capability to configure QoS per VSAN as well as within a specific VSAN at the same time
This capability allows users to prioritize their applications when building a tiered approach in virtualized environments within a certain tier (a storage tier fits well in a dedicated VSAN) as well as to configure prioritization within each tier.
Mobility with Security
Challenge: Customers' need for granular and secure access in a virtualized, physically consolidated SAN
Solution: Cisco MDS 9000 Family integrated security and access-control mechanisms
A major Cisco MDS 9000 Family differentiator comes into play when virtualization and virtual machine mobility are considered with respect to security. The Cisco implementation of role-based access control (RBAC) is far superior to that of the competition:
• 64 user-definable roles in the Cisco MDS 9000 Family compared to 9 predefined roles in the competitive solution
• Configurable limits to the number of user login sessions in the Cisco MDS 9000 Family compared to a fixed number of user login sessions per role in the competitive solution
• VSAN-aware roles in the Cisco MDS 9000 Family compared to switch-based roles in the competitive solution
This differentiator brings significant advantages to customers when virtual machines are deployed in conjunction with VSAN and IVR features.
Note that Cisco MDS 9000 Family RBAC is as flexible as the RBAC provided by VMware vCenter, allowing the creation of parallel groups of administrators with very specific focus, to support related areas of the virtual infrastructure and the fabric: for example, a human resources Virtual Desktop Infrastructure (VDI) admin group created on VMware vCenter and a human resources VSAN admin group created on Fabric Manager.
Fibre Channel over IP and SAN Extension
Challenge: Customers' need for extended-distance, secure, tiered business continuance and disaster recovery solutions in a virtualized SAN environment
Solution: Cisco integrated Fibre Channel over IP (FCIP) and SAN extension capabilities together with WAN traffic acceleration, optimization, and security mechanisms and end-to-end support for storage and optical product integration
Customers deploy SAN extension in two areas:
• Metropolitan area network (MAN)
• Wide area network (WAN)
In MAN deployments, the Cisco MDS 9000 Family delivers the following advantages over the competition:
• Dense Wavelength-Division Multiplexing (DWDM) SFP support on Cisco MDS 9000 Family
• Higher scalability for Fibre Channel Write Acceleration (FCWA)
• Fibre Channel Security Protocol (FC-SP) encryption on the link
• Superior VSAN, VSAN Trunking, and IVR to support fabric isolation
In WAN deployments, the Cisco MDS 9000 Family delivers the following advantages over the competition:
• Fabric administration and fault isolation through superior VSAN, VSAN Trunking, and IVR
• Empirically longer distances (as measured in a customer comparison test)
• Higher compression ratio
• High availability achieved through the use of PortChannel capabilities
All these general Cisco MDS 9000 Family advantages over the competition help customers deploying SAN extension, whether in a virtualized environment or not. Customers starting virtualization should be interested in the advantages that the Cisco MDS 9000 Family platform can bring to their solutions after they virtualize more critical applications.
Challenge: Customers' need for granular access control and security at the logical unit number (LUN) level in a virtualized, consolidated, physical SAN
Solution: Cisco MDS 9000 Family and Cisco NX-OS Software zoning implementation
The Cisco way of zoning SAN fabric provides customers with convenience and additional capability when deploying virtualization in their environments:
• It is easy and intuitive to implement.
• It provides fabricwide device aliases, an important feature when using NPIV.
• Read-only zones enable customers to help ensure data integrity in sensitive areas such as the store for the virtual machine Golden Image (a template to be copied when building operating system partitions for new virtual machines).
• LUN-based zoning delivers additional protection and flexibility with respect to LUN mapping and masking on the SAN infrastructure side.
Small Computer System Interface over IP Connectivity
Challenge: Customers' need for advanced connectivity options in a virtualized, consolidated, physical SAN to lower the cost of Small Computer System Interface over IP (iSCSI) solutions while maintaining the same features and functions
The VMware ESX server supports iSCSI to provide virtual machines with block-level access to shared storage volumes. Many customers, who appreciate the relatively low cost in combination with a good feature set, have successfully adopted this option.
Solution: Cisco MDS 9000 Family integrated iSCSI support
The Cisco MDS 9000 Family offers a fully integrated Fibre Channel-to-iSCSI gateway solution that allows iSCSI clients to access the consolidated Fibre Channel storage.
The Cisco MDS 9000 Family iSCSI implementation provides all the capabilities available to a Fibre Channel initiator (including VSAN, advanced security, and zoning) to the iSCSI initiator, simplifying migration and enabling hybrid deployments.
The capability of a single Cisco MDS 9000 Family switch to support both iSCSI and Fibre Channel offers greater consolidation while providing a single management interface for both.
To streamline the deployment of a large number of initiators as would be needed in an enterprise-class virtual machine deployment, the Cisco MDS 9000 Family provides a unique feature called iSCSI server load balancing (iSLB), shown in Figure 5.
The most recent competitive products do not support iSCSI and cannot provide this popular option to the designer of a VMware ESX solution.
Figure 5. Deployment of Virtual Machines Using iSCSI
All these important features and functions allow the Cisco MDS 9000 Family to claim leadership in SAN infrastructure virtualization and in providing customers with virtual machine-aware SANs for end-to-end virtualization in their data centers.