The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
This chapter provides an overview of the Cisco vPath and vServices and includes the following sections:
•Information About the Cisco vPath and vServices
This section provides an overview of the Cisco vPath and vServices and includes the following topics:
•Overview of Virtual Services (vServices)
•Virtual Services Architecture
•Benefits of vPath and Virtual Services Architecture
Cisco Virtual Service Data Path (vPath) is the service intelligence embedded in the Cisco Nexus 1000V Series switch.
vPath provides the forwarding plane abstraction and programmability required to implement the Layer 2 to Layer 7 network services such as segmentation firewalls, edge firewalls, load balancers, WAN optimization, and others. It is embedded in the Cisco Nexus 1000V Series switch Virtual Ethernet Module (VEM). It intercepts the traffic whether external to the virtual machine or between virtual machines and then redirects the traffic to the appropriate virtual service node (VSN) such as Cisco Virtual Security Gateway (VSG), Cisco ASA 1000V, Cisco Virtual Wide Area Application Services (vWAAS) for processing. vPath uses overlay tunnels to steer the traffic to the virtual service node and the virtual service node can be either Layer 2 or Layer 3 adjacent.
The basic functions of vPath includes traffic redirection to a virtual service node (VSN) and service chaining. Apart from the basic functions, vPath also includes advanced functions such as traffic off load, accleration and others.
vPath steers traffic, whether external to the virtual machine or from a virtual machine to a virtual machine, to the virtual service node. Initial packet processing occurs in the VSN for policy evaluation and enforcement. Once the policy decision is made, the virtual service node may off-load the policy enforcement of remaining packets to vPath.
Figure 1-1 Virtual Service Datapath (vPath)
Virtual Services include the various Layer 4 through Layer 7 network services such as firewalls, edge firewalls, load balancers, WAAN optimization and others which are virtualized and delivered as virtual machines.
The following virtual services are supported by Cisco Nexus 1000V Series switch using the vPath:
•Cisco Virtual Security Gateway (VSG): provides trusted multitenant access with granular zone-based security policies for VMs. Cisco VSG delivers security policies across multiple servers. It supports VM mobility across physical servers for workload balancing, availability, or scale.
•Cisco Virtual Wide Area Network Application Services (vWAAS): a WAN optimization solution, helps deliver assured application performance acceleration to IT users connected to enterprise data centers and enterprise private clouds.
•Cisco ASA for 1000V: provides trusted security to multi-tenant virtual and cloud infrastructures at the edge. When implemented with the Cisco Nexus 1000V Switch, it provides consistent security across physical, virtual, and cloud infrastructures.
Figure 1-2 Virtual Services Architecture
The Virtual Services Architecture provides a framework for delivering virtual services. vPath is the main component of the architecture and it is embedded in the Cisco Nexus 1000V Series switchVEM. It acts as a service traffic classifier and as a service dispatcher. It selects the traffic requiring service and steers it to the appropriate virtual service node for service delivery. vPath performs all its functions on tenant boundaries in order to provide tenant isolation.
The other components of the virtual service architecture includes:
•The Virtual Network Management Center (VNMC), a multi tenant policy manager responsible for device and policy management and integration with VMware vCenter. VNMC is the overall management and orchestration component of the virtual service architecture.
•The Cisco Nexus 1000V Series switchVSM, responsible for all the interactions with vPath and with VNMC.The Virtual Service Agent on theCisco Nexus 1000V Series switch is responsible for all the control aspects of vPath such as traffic classification, traffic redirection, service chaining, traffic off loading and accleration.
•Virtual Service Node (VSN), responsible for the service processing. The various virtual services supported include VSG, vWAAS, ASA for 1000V and others. The VSNs can include many instances of the same virtual service or different virtual service types.
vPath and virtual services architecture include the following benefits:
•Service Accleration and Programmability
vPath supports dynamic provisioning of virtual machines via service profiles and ensures that the service profiles follow vMotion events. In a service profile you can configure the service parameters. In VSG and ASA 1000V the service profiles map to a policy. In VSG, the service profile is referred to as a security profile. In ASA 1000V, the service profile is called edge profile.
The service parameters are configured in a service profile and then attached to a port profile. When the virtual machines get instantiated and attached to a port profile, the service profile also gets dynamically attached to the virtual machine.Once associated all the policies are dynamically provisioned to a virtual machine as the virtual machine comes up or moves from one server to another.
The virtual services architecture supports a collaborative management model where the roles and responsibilities of network administrator, server administrator and service administrator are clearly defined.
Figure 1-3 Dynamic Service Provisioning
Due to dynamic service provisioning, a service profile is associated with the virtual machines as they are instantiated. vPath then assigns a service profile identifier to the service profile. vPath thus enables different service profile bindings on traffic associated with the different virtual machines. Virtual service nodes then use the service profile identifier to choose the appropriate policy to apply to the traffic or deliver the service.
vPath uses overlay tunnels to steer the traffic to the virtual service node and the virtual service node can be either Layer 2 or Layer 3 adjacent. The overlay tunnel model enables the mobility of the virtual service nodes and is independent of the transport technologies such as VLAN or VXLAN used in Layer 2 deployments. As shown in the following figure, the tunnels can be L2 or L4. MAC-in-MAC encapsulation is used in the L2 tunnel and MAC in UDP encapsulation is used in the L4 tunnel.
In L4 tunnel, UDP encapsulation enables load balancing of the packets onto the links at the network elements and enables NICs to support Receive Side Scaling (RSS).
Figure 1-4 Service Overlay
The virtual services architecture enables the mobility of the virtual machine as well as the virtual service node. Dynamic service provisioning ensures that the virtual machine traffic flow continues to be handled by the appropriate virtual service node. This is possible since the service profile remains the same in the port profile and the port profile moves along with the virtual machine. As a result the virtual machine in the new host will continue to use the same virtual service node for service processing.
Service overlay ensures that the virtual service node is reachable on the new host and the virtual machines continue to forward traffic to the same virtual service node.
vPath is tenant aware and it can serve virtual service nodes belonging to different tenants. The virtual services architecture enables vPath to support overlapping IP addresses among different tenants. vPath steers traffic from the virtual machines to the virtual service nodes in the same tenant thus enabling tenant separation.
Figure 1-5 Multi-tenancy
vPath steers traffic, whether external to the virtual machine or from a virtual machine to a virtual machine, to the virtual service node. The virtual service node can either continue to process the redirected traffic or off load the traffic to vPath. The off loaded traffic is processed by vPath leading to increased performance in service delivery of the Cisco Nexus 1000V Series switch.
vPath also has the ability to enforce the actions on the traffic as specified by the virtual service node. Virtual service nodes can then choose to intercept reverse traffic without any static configurations on the switch or choose to off load some traffic.
Figure 1-6 Service Accleration
A service chain is an ordered list of services applied to a packet flow or traffic. A service path identifies a forwarding path used to implement a service chain.
The vPath intercepts traffic (packets/frames) originating from a virtual machine or destined to a virtual machine and directs the traffic through the service path delivering the traffic to each service along the path. vPath thus acts as an orchestrator of the chain to deliver multiple services and VNMC enables the provisioning of service chains.
Figure 1-7 Service Chaining
Currently vPath service chaining supports the following virtual service nodes:
•Cisco VSG
•ASA 1000V
•vWAAS
The service chain can have following path configuration:
•VSG -> ASA 1000V
•VSG -> vWAAS -> ASA 1000V
•ASA 1000V -> VSG
•ASA 1000V -> vWAAS -> VSG
For example, in case of VSG -> ASA 1000V vPath service chaining, you can configure service chaining by using the vservice command. When a vservice node is directly bound to a port profile, the Cisco Nexus 1000V considers this binding as a service path with a single service. Cisco Nexus 1000V supports two service options:
•Single service that is bound to a port profile
•Multiple services that are bound to a port profile
A virtual service node can be shared by different service chains and it can be applied at different positions in different chains. The vPath chained services are applied both at ingress and at egress, relative to cisco Nexus 1000V switch. The virtual service node sequence defined in the service path is the order of services that are applied to an ingress packet. For an egress packet, the order is reversed.
For example, if you have a virtual machine that has the following service path:
vservice path sp1
node vsg1 profile vsg-profile1
node asa1 profile asa-profile1
When the traffic is sent by the VM and it arrives at the switch (at ingress), the services get applied in this order:
VSG -> ASA
When traffic is destined to the VM and leaves the switch (at egress), the services are applied in this order:
ASA -> VSG
Note Because the Cisco ASA 1000V must be the last node in the chain, Cisco supports this order only for the current release.
The following table lists the version compatibility of the virtual service nodes with Cisco Nexus 1000V Series switch.
Table 1-1
Virtual Service Node and Nexus 1000V Release Compatibility
The following table lists the version compatibility of the vPath features with Cisco Nexus 1000V Series switch.
Table 1-2 vPath Features Compatibility with Nexus 1000V Release
Since Cisco Virtual Service Data Path (vPath) is the service intelligence embedded in the Cisco Nexus 1000V Series switch, one Cisco Nexus 1000V Series switch license is needed for each installed server CPU on every VEM in the distributed architecture.There is no limit to the number of cores per CPU. See Cisco Nexus 1000V License Configuration Guide, Release 4.2(1)SV1(5.1) for more information on Cisco Nexus 1000V Series switch license.
In addition to the Cisco Nexus 1000V Series switch license, you also require license for some of the virtual services such as VSG and ASA1000V.
See the Cisco Virtual Security Gateway for VMware vSphere License Configuration Guide, Release 4.2(1)VSG2(1.1) for more information on VSG license.
See the Cisco ASA 1000V documentation for more information on ASA1000V license.
Cisco Nexus 1000V Series switch does not require any licenses for vWAAS, but vWAAS may have its own licensing requirements.
See the Cisco vWAAS documentation for more information on vWAAS license.