Are Cisco Nexus 1000v, CSR 1000v and Vyatta the same thing?

Brief version: No, they are not.

Long version: No, they are not. Nexus 1000v is used for L2 interconnection of the VMs. On the other side, Cisco Cloud Services Router (CSR) 1000v is, in my opinion, a direct competitor of Vyatta /vi:áta/ (acquired by Brocade in 2012). [Don't make the mistake of underestimating Vyatta, it's a nice and nifty product]. CSR 1000v was introduced by Cisco with the strong message that it will improve the multi-tenancy mechanisms in the Data Center architecture. Why are these improvements necessary? Don't we already have VXLAN and NVGRE? Encapsulation can be done using these 3 mechanisms:
- NVGRE (GRE with the key)
- VXLAN (over UDP with proprietary header)
- STT (fake TCP header, so security tools generate alerts, and a FW would drop it because there are no SYN packets). It can be used between the Hypervisors only.

Well, there are two problems with these solutions. Number 1: none of these 3 provides security, and Number 2: some clients just want to provide multi-tenancy using L3 tools.
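
To make the first problem concrete: in VXLAN and NVGRE the tenant identifier is a plain field in the outer header, with no authentication or encryption field next to it. The Python parser below is an added example, not code from the original post; it reads the VNI and VSID from constructed header bytes using the layouts in RFC 7348 and RFC 7637, and its function names are hypothetical. STT is not covered.

```python
import struct

VXLAN_UDP_PORT = 4789    # IANA-assigned VXLAN destination port (RFC 7348)
GRE_PROTO_TEB = 0x6558   # Transparent Ethernet Bridging, used by NVGRE (RFC 7637)

def parse_vxlan(udp_payload):
    """Return the 24-bit VNI from the 8-byte VXLAN header."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    # Layout: flags(8) reserved(24) VNI(24) reserved(8)
    flags, vni_word = struct.unpack("!B3xI", udp_payload[:8])
    if not flags & 0x08:             # I flag must be set for the VNI to be valid
        raise ValueError("VXLAN I flag not set")
    return vni_word >> 8             # drop the trailing reserved byte

def parse_nvgre(gre):
    """Return (VSID, FlowID) from the 8-byte NVGRE header (GRE with the key)."""
    if len(gre) < 8:
        raise ValueError("truncated GRE header")
    flags_ver, proto, key = struct.unpack("!HHI", gre[:8])
    # NVGRE: K bit set, C and S bits clear, version 0, protocol type 0x6558
    if flags_ver & 0xB007 != 0x2000 or proto != GRE_PROTO_TEB:
        raise ValueError("not an NVGRE header")
    return key >> 8, key & 0xFF      # 24-bit VSID, 8-bit FlowID

def overlay_tenant(ip_proto, dst_port, payload):
    """Classify an outer packet; return (encapsulation, tenant_id) or (None, None)."""
    if ip_proto == 17 and dst_port == VXLAN_UDP_PORT:
        return "vxlan", parse_vxlan(payload)
    if ip_proto == 47:               # GRE
        return "nvgre", parse_nvgre(payload)[0]
    return None, None

# Constructed sample headers (not captured traffic).
SAMPLE_VXLAN = bytes.fromhex("0800000000138900")   # I flag set, VNI 5001
SAMPLE_NVGRE = bytes.fromhex("200065580017712a")   # K bit set, VSID 6001, FlowID 42

if __name__ == "__main__":
    # The tenant ID is recovered without any key or secret: nothing in either
    # header authenticates or hides it, so isolation depends on the underlay.
    print(overlay_tenant(17, VXLAN_UDP_PORT, SAMPLE_VXLAN))
    print(overlay_tenant(47, None, SAMPLE_NVGRE))
```
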



CSR 1000v is just a VM, deployed under an ESXi as a Virtual Router. It’s not a structured web of relationships between VSM (Virtual Supervisor Module) and VEM (Virtual Ethernet Module) like the Nexus 1000v. It's a single VM, loaded as a single appliance, with multiple virtual NICs (vNIC), representing ROUTED interfaces. It's these interfaces that extend the L3 boundary into the Virtual Environment. Cool, right? Even more so when you realize it's actually adding a security boundary, with no latency impact.

Here are some interesting facts about the CSR 1000v:
- CSR 1000v supports DMVPN, one of the new features of the CCIE RSv5 curriculum.
- Supports all the routing protocols from the CCIE RSv5 curriculum.
- Works with (almost) all the Hypervisors.
- Has APIs to integrate with OpenStack
- Cisco ASR 1000 Series Router was used as a "model"
- Multi-tenancy achieved by mapping VPN instances directly to VPC

Here are 2 diagrams that I found on keepitclassless.net, and I think they perfectly "paint" how the CSR 1000v should NOT (1st pic) and SHOULD (pic 2) be deployed.

Pic 1: CSR 1000v, deployed using the classic non-virtual philosophy


Pic 2: CSR 1000v deployed in accordance with Virtualization and Multi-Tenant requirements 

And now, some facts about the older Virtual L2 brother, Nexus 1000v:
- It's a SWITCH, so - L2, a product of a partnership with VMware.
- QoS, ACLs, NetFlow and ERSPAN are all supported. Also, VXLAN is supported :)
- Security Features are also supported (Dynamic ARP inspection, IP source guard, DHCP snooping)
- Provides advanced NX-OS features
- Cisco Nexus 1000V architecture follows the same hypervisor-agnostic architecture used across other hypervisors (VMware vSphere, and Microsoft Hyper-V). It has two components: Virtual Ethernet Module (VEM) is deployed on each physical host managed by Nexus 1000V as part of the KVM hypervisor, and Virtual Supervisor Module (VSM) can be deployed as a virtual appliance on any KVM host, or on a Cisco Cloud Services Appliance.
- Yes... It's VERY demanding, so better prepare good hardware...

Now, I just couldn't finish the post without mentioning Vyatta.
- It's a single (Virtual) image that has Router, FW (Stateful with NAT, but not DPI for now), VPN.
- Supports any hypervisor, and Amazon Cloud (and any other cloud), can run on bare-metal.
- Creates multiple tenant spaces, where each tenant has the complex space including the L3 and FW features.
- The entire deployment philosophy that applies to the CSR 1000v also applies to Vyatta. Let's see how much of an open mind the new era customers really have, and let's see how the prices adjust.

3 comments:

  1. To be honest, there are some drawbacks of Vyatta, like virtualized networking also makes sense when firewall and routing functions are implemented as part of the virtual switch in each hypervisor. This could result in optimal traffic flow between virtual machines (regardless of whether they belong to the same IP subnet or not) and solve the problem of traffic trombones.

    Replies
    1. Thanks for your comment, Irwin. Agree, Vyatta ain't perfect and it still has a way to go till it reaches "perfection", but they'll get there...
