Deploying network services in virtual data centers is extremely challenging. Traditionally, such Layer 4 through 7 services relied on intrusive, inline deployment and static network topologies. They were thus completely at odds with highly scalable virtual data center designs with mobile workloads, on-demand virtual machine (VM) provisioning, and strict service-level agreements (SLAs).
Cisco® Unified Network Services (UNS) addresses all of these problems by creating a framework for multiple services that can be configured and provisioned on demand, dynamically, to suit the service needs of enterprise applications and cloud users. This dramatically reduces network management overhead, allowing for a much more agile data center and business while providing improved application performance and a secure infrastructure. Cisco UNS comprises Cisco's industry-leading solutions for virtual data centers that deliver:
• Load balancing and application controllers
• WAN acceleration
• Network security
• Network analysis and monitoring
Application networking services, such as load balancers and WAN accelerators, have become required building blocks in modern data center designs. These Layer 4 through 7 services provide scalability, improve application performance, enhance end-user productivity, and help reduce infrastructure costs.
Deploying Layer 4 through 7 services in virtual data centers is extremely challenging, however. Traditional service deployments are completely at odds with highly scalable virtual data center designs, with mobile workloads, dynamic networks, and strict SLAs. Security, as just one required service, is frequently cited as the biggest challenge to enterprises adopting cost-saving virtualization and cloud computing architectures.
When services could be deployed effectively, they frequently undermined the benefits of virtualization by adding cost and complexity to the network and reducing flexibility. Services also tended to conflict with each other, with poor integration and completely separate policy management platforms, further increasing costs and management overhead.
Server Virtualization and Standardized Capabilities: A Challenge for Network Services
According to a July 2010 Forrester Research white paper, "You're Not Ready for Internal Cloud," data center resource commoditization (that is, cloud computing) is extremely appealing from a cost savings and efficiency perspective, but organizations must overcome a number of challenges to be able to take advantage of this cost model. Forrester defines "cloud computing" as "a standardized IT capability (services, software, or infrastructure) delivered in a pay-per-use, self-service way," which can be either internal (private cloud) or external to the enterprise (public cloud).
Providing security and application services as a "standardized" IT capability is particularly challenging due to the varying requirements and policies of different applications and organizations. Deploying, provisioning, and maintaining services in a modular, easily customized fashion has been too daunting for many data center operators to viably address. One data center application will need particular security policies and application controller features, and another will need a completely different set of services and policies, arranged in a different order on the network.
Cloud services that are "self-service" are, according to Forrester, "highly automated" in their provisioning. Forrester states, "With cloud, services require provisioning upon request, usually within 5 to 15 minutes." This type of rapid deployment is incompatible with the traditional complexity of configuring service paths, creating policies, and configuring devices, which Cisco UNS seeks to alleviate.
In addition, network services, particularly load balancers, WAN accelerators, and firewalls, have typically required being inline with the application servers they are supporting. Clearly this is a challenge when you have a large number of applications with varying policy requirements, as well as virtualized applications that move around and between data centers, confounding physical service offerings. Network services that can accommodate server virtualization and provide support for the migration of application and security policies along with the mobile workloads are a crucial but challenging requirement.
The Cisco UNS Vision
The Cisco UNS vision is to give customers a better way to deliver security and Layer 4 through 7 services in a contemporary data center with de facto virtualization and cloud computing. Cisco UNS allows customers to consistently deliver services across both physical and virtual infrastructures, as well as to flexibly allow services to be delivered as either physical or virtual instances themselves.
One element of this approach is the concept of a virtual service node (VSN), which is essentially a virtual form factor of a network security service running in a virtual machine. Cisco's Virtual Security Gateway (VSG) for the Cisco Nexus® 1000V virtual switch is an example of a VSN enabling service policy creation and enforcement at the VM level. Integrated with the Cisco Nexus 1000V in a virtual host, a VSN provides:
• VM-level granularity: Apply, manage, and audit policy at the VM context level
• Support for vMotion: Policy stays intact across manual and automated vMotion events
• Nondisruptive operations: Server administrators apply policy to VMs via vCenter; ownership of security policy stays with the security team
Conversely, Cisco UNS also consists of physical services, that is, traditional network service appliances and modules. The combination of VSNs and dedicated appliances or servers provides customers the flexibility to take full advantage of existing resource investments and to scale easily as new capacity is required. Cisco UNS thus provides the ability to integrate and manage both virtual and physical services in a common, consistent framework.
Cisco UNS forms a critical product foundation of the Data Center Business Advantage architecture (Figure 1), along with Cisco's Unified Fabric and Unified Computing Services. Tighter integration with both the underlying network infrastructure and the virtualization layer of the compute servers allows Cisco UNS greater visibility to the virtual machines and applications, as well as enabling it to more flexibly route data center traffic through the network services in a transparent fashion with minimal configuration effort.
Figure 1. Data Center Business Advantage Architecture
Network analysis and monitoring products in the Cisco UNS portfolio include:
• Cisco Branch Routers and Catalyst 6500 Series Network Analysis Module (NAM)
• Cisco NAM 2200 Series Appliances
• Cisco Nexus 1000V NAM Virtual Service Blade
• Cisco WAAS NAM Virtual Blade
Cisco UNS Architectural Features and Benefits
Transparent service insertion: Cisco UNS fundamentally simplifies the insertion of security and application delivery services into enterprise networks by removing the requirement that services be deployed at certain points in a physical network, transforming them into centralized service delivery nodes. These service delivery nodes can be implemented as virtual machines themselves, as network-embedded modules, or as physical appliances, allowing greater flexibility in service delivery options and the ability to use existing resources during data center evolution. Virtual service nodes can be transparently and instantly inserted into a network, on demand, by steering traffic to the appropriate services, as defined by policies for each type of traffic. Service delivery and provisioning can thus be customized for each type of client, application, group, or cloud tenant quickly and easily, with minimal use of resources.
Cisco UNS transparent service insertion greatly reduces the cost and complexity of deploying network services, as well as reducing the operational costs of managing them in dynamic data centers and cloud environments. It allows customers to take full advantage of virtualization, further reducing costs, and to deliver services at a more reliable level, allowing potentially greater revenue from strict SLA offerings.
Traffic steering (service routing) framework: Traffic steering is the process of diverting network traffic from the direct path between the source and destination IP addresses so that it passes through a particular network service. For example, traffic is intercepted in a Cisco Nexus 1000V switch on the way to the host application VM and routed (via vPath) to the VSG for security policy enforcement. This traffic steering mechanism is transparent to the hosts, the application, and the virtualization software, allowing services to be deployed and provisioned easily and quickly as new applications and hosts come online. It also allows policies to follow VMs as they are moved throughout and between data centers, without the need for additional service-oriented appliances or new service software VMs.
Policy-based provisioning: Cisco UNS services are at the heart of a dynamic, agile data center environment, allowing services to be expanded and created on demand based on defined policies for quality of service (QoS) and security requirements. Policy-based provisioning of Cisco UNS services reduces the time, cost, and complexity of configuration to meet the needs of a particular application or tenant. Policies that are applied to a particular VM or service node are location independent, and migrate with the VM. For example, QoS policies may require that server loads for a particular tenant not exceed a particular threshold, automatically kicking off new servers and application workloads to accommodate increased demand, with automatic provisioning of the required services for expanded capacity. In addition, security policies for traffic to or between virtual workloads are automatically applied to newly provisioned application servers, with traffic steered to an appropriate security gateway for policy enforcement purposes.
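The following added example (not Cisco code, and not from this paper) is a toy model of the difference described in the traffic steering and policy-based provisioning paragraphs above: a location-bound inline appliance silently stops enforcing once a VM migrates off its host, while a policy bound to the VM's port profile and reached by switch-level steering keeps applying. The VM names, hosts, port profiles, and policy rules are all constructed for the illustration.

```python
from dataclasses import dataclass

@dataclass
class VM:
    name: str
    host: str          # physical host the VM currently runs on
    port_profile: str  # port profile the vNIC is attached to; policy binds here

@dataclass(frozen=True)
class Flow:
    src_vm: str
    dst_vm: str
    dst_port: int

# Constructed sample policy, keyed by the destination VM's port profile
# (VM identity), never by host, switch port or IP address.
POLICIES = {
    "web-servers": {"permit_ports": {80, 443}, "permit_from": {"*"}},
    "db-servers":  {"permit_ports": {3306},    "permit_from": {"app-servers"}},
}

def evaluate_policy(flow, vms):
    """Apply the destination VM's policy; returns 'permit' or 'deny'."""
    src, dst = vms[flow.src_vm], vms[flow.dst_vm]
    rule = POLICIES.get(dst.port_profile, {"permit_ports": set(), "permit_from": set()})
    src_ok = "*" in rule["permit_from"] or src.port_profile in rule["permit_from"]
    return "permit" if src_ok and flow.dst_port in rule["permit_ports"] else "deny"

def inline_appliance(flow, vms, appliance_host):
    """Traditional inline firewall: it only sees traffic to VMs on its own
    host, so a VM that migrates elsewhere becomes 'unenforced'."""
    if vms[flow.dst_vm].host != appliance_host:
        return "unenforced"
    return evaluate_policy(flow, vms)

def vsn_steering(flow, vms):
    """VSN model: the virtual switch on every host steers the flow to the
    security node, so the VM's policy applies wherever the VM runs."""
    return evaluate_policy(flow, vms)

def migrate(vms, name, new_host):
    """Simulated vMotion: the host changes, the port profile (and policy) does not."""
    vms[name].host = new_host

def coverage_gaps(vms, appliance_host):
    """Defender check: VMs whose traffic bypasses a location-bound appliance."""
    return sorted(vm.name for vm in vms.values() if vm.host != appliance_host)

def build_inventory():
    """Constructed sample inventory: three VMs, all initially on host-A."""
    return {
        "web01": VM("web01", "host-A", "web-servers"),
        "app01": VM("app01", "host-A", "app-servers"),
        "db01":  VM("db01",  "host-A", "db-servers"),
    }
```

Running `coverage_gaps` after a migration is the audit a defender would want: any VM it lists is one whose policy exists on paper but is no longer in the traffic path.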
Flexible deployment options: Cisco UNS products align with cost-saving trends in the data center. The primary attribute across the portfolio is the flexibility to deploy network services in the most cost-effective form factor. Nearly all services can be deployed in one or more physical appliances, as network-integrated service modules, as software on dedicated servers, or as virtual services. Customers can use their existing equipment and add modules and capacity as their service needs grow. Cisco UNS on service modules or virtual instances saves data center space and power costs over dedicated hardware appliances. Some Cisco UNS appliances can be partitioned into virtual contexts, allowing a single appliance to support logically separated deployments for multitenancy and other policy compliance requirements. Running in VMs, Cisco UNS solutions can be configured, provisioned, and expanded on demand for scalable, just-in-time capacity growth to meet constantly evolving data center and business needs.
Virtualization-aware services: Perhaps the most important attribute of Cisco UNS products is that they are designed to adapt to highly virtualized and scalable data center and cloud infrastructures with visibility to VMs and mobile workloads. Cisco UNS provides a portfolio of application delivery controllers, WAN acceleration devices, security services, and network management solutions that adapt easily to mobile workloads, virtual hosts, and on-demand provisioning. Service policies and service nodes can be untethered from network location, allowing policies and services to migrate fluidly between servers, along with their corresponding applications.
On-demand service deployment: Dynamic data center environments present a constant flux in service requirements, as dictated by business needs, application loads, and external events. Cisco UNS provides a framework for the dynamic creation and expansion of service workloads to adapt to these rapidly changing requirements. Cisco UNS gives IT organizations the ability to respond quickly to business requirements, increase revenue, and improve agility while reducing administrative costs.
Integrated (consistent) management: Cisco UNS includes consistent management between different form factors (both physical and virtual) and a drive toward federated management solutions. The goal is to enable a common, centralized platform for Layer 4 through 7 policy management and visibility. While this will be an evolution, integration can initially be accomplished by exporting management data through XML formats and APIs to enable a unified management console that can either integrate multivendor services, integrate physical services with their virtual counterparts, or integrate separate services, such as an application controller and WAN acceleration system, under a common policy umbrella. Cisco UNS products can reduce learning curves by using a common administrative interface, and can retain or establish clear separation of responsibilities for application, network, and security administrators.
Integrated orchestration across service offerings: Cisco UNS will give organizations the ability to finally consolidate and centralize policy-based orchestration across multiple service offerings, including security, application controllers, and WAN acceleration. Prior to Cisco UNS, instrumentation and monitoring generally had to be done on a service-by-service basis, and an administrator had to know each of the platforms. With Cisco UNS, administrators get a consistent view of the services. Today, that primarily means a common view of traffic patterns and packet counts on a per-service basis. As Cisco UNS matures and more products are plug-compatible with the architecture, it will deliver a centralized policy management framework for ensuring compliance and QoS policies that span applications and services. An integrated orchestration approach will greatly simplify data center management overhead and costs, and will allow networks to be much more agile in responding to business needs.
Cisco UNS: The Next Leap for the Agile Data Center
Compared to point service offerings from application controller vendors or security vendors, Cisco UNS is able to offer a network-integrated framework that allows network services to be deployed in a much more flexible fashion, one that allows organizations and data centers to tap into the full value of virtualization. Cisco UNS brings together application controllers, WAN acceleration, security, and network analysis, giving organizations the ability to rapidly deploy and deliver service chains and to customize network services uniquely to the needs of individual users and groups.
Cisco UNS can reduce network complexity, management overhead, and deployment costs while helping ensure maximum application performance and availability for end-user clients. Application performance, latency, and reliability can be predictably delivered, even in scalable, virtualized environments, allowing for compliance with strict SLAs for the first time.
Point solution providers will find it challenging to agree on or deliver the required underlying framework that Cisco UNS is built on. This framework includes a common mechanism for steering traffic to the right services, in the right order, according to defined policies. To manage these traffic paths, features need to be built into the networking infrastructure (switches and routers) to ensure optimal traffic flow to the services, as well as into the virtualization layer (the hypervisor and virtual switches) so that network services are virtualization-aware, and can accommodate mobile workloads. With its own suite of application delivery solutions, visibility into and control of the network infrastructure, and integrated security and network management components, all of which are virtualization-ready, Cisco is the only vendor in the industry in a position to deliver on the unified network services vision.
Based on emerging open standards advocated by Cisco, including such proposed technology as VN-Link for improved traffic visibility and policy management in virtual switches, we expect a robust and healthy ecosystem to develop around Cisco UNS features, with compatible products that plug into the Cisco UNS framework. We are already seeing this in our close collaboration with VMware on virtualization aspects of the framework. Additionally, we expect integration with partners across the management plane for extended visibility and orchestration in third-party management solutions. This level of policy integration is already being enabled through extensible XML management and provisioning APIs in several of our products, including the Cisco Application Networking Manager (ANM), and the Cisco VSG's VNMC (integrated with VMware's vCenter).
Highly virtualized data center and cloud environments impose enormous complexity on the deployment and management of network services. Provisioning dynamic services and accommodating mobile workloads present challenges for layered services, such as security and application controllers, that traditionally have required inline deployment and static network topologies. Cisco UNS overcomes these challenges with integrated application delivery and security solutions for these highly scalable, virtualized environments. Cisco UNS products provide flexible and consistent solutions, whether deployed as software, as an appliance, or as a virtual machine, and transparently provide traffic steering (service routing) for rapid policy-based provisioning and delivery.