Information About the Cisco vPath and vServices
This section provides an overview of the Cisco vPath and vServices and includes the following topics:
Overview of vPath
Cisco Virtual Service Data Path (vPath) is the service intelligence embedded in the Cisco Nexus 1000V Series switch.
vPath provides the forwarding plane abstraction and programmability required to implement the Layer 3 to Layer 7 network services such as segmentation firewalls, edge firewalls, load balancers, WAN optimization, and others. It is embedded in the Cisco Nexus 1000V Series switch Virtual Ethernet Module (VEM). It intercepts the traffic whether external to the virtual machine or traffic from virtual machine to virtual machine and then redirects the traffic to the appropriate virtual service node (VSN) such as Cisco Virtual Security Gateway (VSG) for processing. vPath uses overlay tunnels to steer the traffic to the virtual service node and the virtual service node can be Layer 3 adjacent.
The basic functions of vPath includes traffic redirection to a virtual service node (VSN). Apart from the basic functions, vPath also includes advanced functions such as traffic off load, acceleration and others.
vPath steers traffic, whether external to the virtual machine or from a virtual machine to a virtual machine, to the virtual service node. Initial packet processing occurs in the VSN for policy evaluation and enforcement. Once the policy decision is made, the virtual service node may off-load the policy enforcement of remaining packets to vPath.
Figure 1-1 Virtual Service Datapath (vPath)
Overview of Virtual Services (vServices)
Virtual Services include the various Layer 4 through Layer 7 network services such as firewalls(VSG), edge firewalls, load balancers, WAAN optimization and others which are virtualized and delivered as virtual machines.
VSG: Povides trusted multitenant access with granular zone-based security policies for VMs. Cisco VSG delivers security policies across multiple servers. It supports VM mobility across physical servers for workload balancing, availability, or scale.
Virtual Services Architecture
Figure 1-2 Virtual Services Architecture
The Virtual Services Architecture provides a framework for delivering virtual services. vPath is the main component of the architecture and it is embedded in the Cisco Nexus 1000V Series switchVEM. It acts as a service traffic classifier and as a service dispatcher. It selects the traffic requiring service and steers it to the appropriate virtual service node for service delivery. vPath performs all its functions on tenant boundaries in order to provide tenant isolation.
The other components of the virtual service architecture includes:
- The Cisco Prime Network Services Controller (Prime NSC), a multi tenant policy manager responsible for device and policy management. The Cisco Prime NSC is the overall management and orchestration component of the virtual service architecture.
- The Cisco Nexus 1000V Series switch VSM, responsible for all the interactions with vPath and Prime NSC.The Virtual Service Agent on theCisco Nexus 1000V Series switch is responsible for all the control aspects of vPath such as traffic classification, traffic redirection, traffic off loading and accleration.
- Virtual Service Node (VSN), responsible for the service processing. The various virtual services supported include VSG. The VSNs can include many instances of the same virtual service or different virtual service types.
Benefits of vPath and Virtual Services Architecture
vPath and virtual services architecture include the following benefits:
Dynamic Service Provisioning
vPath supports dynamic provisioning of virtual machines via service profiles and ensures that the service profiles follow vMotion events. In a service profile you can configure the service parameters. In VSGthe service profiles map to a policy. In VSG, the service profile is referred to as a security profile.
The service parameters are configured in a service profile and then attached to a port profile. When the virtual machines get instantiated and attached to a port profile, the service profile also gets dynamically attached to the virtual machine.Once associated all the policies are dynamically provisioned to a virtual machine as the virtual machine comes up or moves from one server to another.
The virtual services architecture supports a collaborative management model where the roles and responsibilities of network administrator, server administrator and service administrator are clearly defined.
Figure 1-3 Dynamic Service Provisioning
Due to dynamic service provisioning, a service profile is associated with the virtual machines as they are instantiated. vPath then assigns a service profile identifier to the service profile. vPath thus enables different service profile bindings on traffic associated with the different virtual machines. Virtual service nodes then use the service profile identifier to choose the appropriate policy to apply to the traffic or deliver the service.
vPath uses overlay tunnels to steer the traffic to the virtual service node and the virtual service node can be either Layer 2 or Layer 3 adjacent. As shown in the following figure, the tunnels can be L2 or L4. MAC-in-MAC encapsulation is used in the L2 tunnel and MAC in UDP encapsulation is used in the L4 tunnel.
In L4 tunnel, UDP encapsulation enables load balancing of the packets onto the links at the network elements and enables NICs to support Receive Side Scaling (RSS).
Figure 1-4 Service Overlay
The virtual services architecture enables the mobility of the virtual machine as well as the virtual service node. Dynamic service provisioning ensures that the virtual machine traffic flow continues to be handled by the appropriate virtual service node. This is possible since the service profile remains the same in the port profile and the port profile moves along with the virtual machine. As a result the virtual machine in the new host will continue to use the same virtual service node for service processing.
Service overlay ensures that the virtual service node is reachable on the new host and the virtual machines continue to forward traffic to the same virtual service node.
vPath is tenant aware and it can serve virtual service nodes belonging to different tenants. The virtual services architecture enables vPath to support overlapping IP addresses among different tenants. vPath steers traffic from the virtual machines to the virtual service nodes in the same tenant thus enabling tenant separation.
Figure 1-5 Multi-tenancy
Service Acceleration and Programmability
vPath steers traffic, whether external to the virtual machine or from a virtual machine to a virtual machine, to the virtual service node. The virtual service node can either continue to process the redirected traffic or off load the traffic to vPath. The off loaded traffic is processed by vPath leading to increased performance in service delivery of the Cisco Nexus 1000V Series switch.
vPath also has the ability to enforce the actions on the traffic as specified by the virtual service node. Virtual service nodes can then choose to intercept reverse traffic without any static configurations on the switch or choose to off load some traffic.
Figure 1-6 Service Accleration
Obtaining Documentation and Submitting a Service Request
For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What’s New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at:
Subscribe to the What’s New in Cisco Product Documentation as a Really Simple Syndication (RSS) feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service and Cisco currently supports RSS version 2.0.