
Cisco Virtualization Experience Infrastructure Architecture Overview

June 30, 2011

What You Will Learn


Enterprise IT departments are being pressured to control costs, improve manageability, enhance security, and accelerate the deployment of new capabilities, while providing a consistent user experience across a wide range of endpoints. Desktop virtualization (DV) has become a popular solution for addressing these needs. With hosted DV, end user desktop images (operating system, applications, and associated data) are hosted as virtual machines on data center servers. Users can access hosted virtual desktops from many locations through DV appliances, smart phones, tablet computers, laptop and desktop computers, and other clients. To facilitate the deployment of virtual desktop solutions, Cisco has developed the Cisco Virtualization Experience Infrastructure (VXI) system, an end-to-end architecture for virtualization. Cisco VXI integrates and extends proven Cisco architectures for data centers, borderless networks, and collaboration to provide a comprehensive system for deploying virtualization across the enterprise. Cisco VXI offers a superior collaboration and rich media experience with best-in-class return-on-investment (ROI), by delivering a fully integrated, open, and validated desktop virtualization system. Cisco VXI also leverages strong ecosystem partners for storage, virtualization, and client technology. This document describes the building blocks and services of the Cisco VXI architecture. Enterprises evaluating desktop virtualization can use this reference architecture to identify the critical products and technologies needed to deploy a successful DV system. This reference architecture is a companion to the Cisco Validated Design (CVD) Guide for Cisco VXI, and provides a foundation for understanding the best practices and design techniques described in that document. Information contained in these documents is derived from extensive end-to-end testing of the Cisco VXI system. 
The Cisco VXI architecture provides enterprises with a template that facilitates deployment, reduces risk, and accelerates adoption.

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Copyright 2011 Cisco Systems, Inc. All rights reserved


Cisco VXI System


The Cisco VXI system provides an optimized end-to-end infrastructure for desktop virtualization deployments. This system architecture comprises three fundamental building blocks: Virtualized Data Center, Virtualization-Aware Network, and Virtualized Collaborative Workspace (Figure 1).

The Virtualized Data Center is based on Cisco's Data Center Business Advantage architecture, which is designed to create data centers that are efficient, agile, and transformative. Data Center Business Advantage enables enterprises to consolidate data center infrastructure, reduce energy costs, improve workforce productivity, and ensure business continuity. Cisco's Virtualized Data Center provides the compute, switching, storage, and virtualization capabilities needed to support a hosted virtual desktop solution.

Note: The Cisco VXI Virtualized Data Center supports Vblock Type 1 (Cisco/EMC/VMware) and FlexPod (Cisco/NetApp/VMware) data center infrastructure packages.

The Virtualization-Aware Network is based on the Cisco Borderless Networks architecture, which reduces operational complexity and provides the services needed to connect anyone, anywhere, on any device. The Virtualization-Aware Network connects data centers, enterprise campuses, branch offices, and teleworkers to ensure that traffic flowing between end users and their hosted desktops is transported securely, reliably, and efficiently. To that end, it employs bandwidth optimization, load balancing, quality of service, security, and other technologies from Cisco's industry-leading networking portfolio.

The Virtualized Collaborative Workspace builds on the Cisco Collaboration architecture, extending the reach of the virtual desktop to a wide range of end points while supporting critical collaboration capabilities hosted in the data center. End points can be zero clients, thin clients, or thick clients, and may include USB-based print and storage capabilities. 
The Virtualized Collaborative Workspace includes unique capabilities for integrating Cisco Unified Communications endpoints with hosted virtual desktops, including the control of Cisco IP phones from virtualized desktops. Cisco VXI also supports management tools for both Cisco and ecosystem partner products, as well as a rich services portfolio that helps enterprises make the most of their virtualization investments.

Figure 1 Cisco VXI System Architecture

Cisco VXI Virtualized Data Center


Data centers continue to evolve from cost centers to strategic assets for business transformation. Many organizations have already turned to virtualization as a way to consolidate servers, lower IT costs, and accelerate the delivery of new services. These organizations are now looking to add hosted virtual desktops as a data center service to simplify manageability, improve security, enhance availability, and reduce desktop ownership costs. By implementing virtual desktops, organizations enable users to access workspaces from almost anywhere, at almost any time. However, desktop virtualization places new demands on the data center, as these solutions depend upon the effective centralization of processing, applications, and data. As a foundational element in any desktop virtualization solution, the virtualized data center must be scalable, efficient, and readily adaptable. The Cisco VXI Virtualized Data Center provides the resources needed to host virtual desktops and applications. It leverages the Cisco Data Center Business Advantage framework, a portfolio of products, technologies, and services integrating network, compute, storage, and virtualization platforms to deliver a high-quality end user experience. The Cisco VXI data center is based upon the Cisco Unified Computing, Unified Networking, and Unified Fabric solutions, along with industry-leading ecosystem partner storage and virtualization products. From an architectural perspective, then, the primary building blocks of the Cisco VXI Virtualized Data Center are:

- Compute
- Fabric Interconnect and Switching
- Hypervisor
- Storage

Figure 2 Cisco VXI Virtualized Data Center (diagram: data center application machine pools (Unified Communications Manager, email, web, and directory services) and desktop virtualization machine pools (user hosted virtual desktops), each behind a virtual switch on the hypervisor; compute carries network and storage traffic to the fabric interconnect, which passes IP storage and network traffic to Ethernet switching and FC storage traffic to a Fibre Channel switch and the storage array)

Compute
The Compute subsystem provides the processing capabilities needed to host virtual machines and desktops, collaboration software, and other applications in the data center, and interfaces with the Fabric Interconnect and Switching subsystem. In the Cisco VXI architecture, the Cisco Unified Computing System (UCS) servers deliver a high-performance computing resource built especially for virtualized environments. The Cisco UCS system comprises a broad range of Intel Xeon x86-based servers offering a variety of memory, storage, interface, and form factor options. Several of these servers have been validated as part of the Cisco VXI system (see Figure 3). Key elements of the Compute subsystem are:

- Cisco UCS B-Series Blade Servers
- Cisco UCS 5100 Series Blade Server Chassis
- Cisco UCS 2100 Series Fabric Extenders
- Cisco UCS C-Series Rack Mount Servers


Cisco UCS servers are ideally suited for virtualized environments, and include several advanced technologies that enhance performance, scalability, and manageability. Cisco Extended Memory Technology provides more than twice the memory of traditional two-socket servers (scaling up to 384 GB using low-cost memory components), for increased performance and higher VM densities. Cisco UCS server processors deliver state-of-the-art performance, and intelligently adjust to application needs. The entire Cisco Unified Computing System is managed as a single entity by Cisco UCS Manager (embedded in the UCS 6100 Fabric Interconnect), and service profiles facilitate implementation of roles and policies.

The Cisco VXI system supports both UCS B-Series blade servers and C-Series rack mount servers for maximum flexibility. Cisco UCS B-Series blade servers are available in both half-width and full-width versions. Cisco VXI has tested and validated four versions of the B-Series: B200 M1 and M2, B250 M2, and B230 M1. Each of these provides two multicore Intel Xeon Series processors, DDR3 memory, and an I/O bridge. Each blade server's front panel provides direct access for video, USB ports, and console connections.
Figure 3 Cisco UCS Servers for VXI

Cisco UCS B-Series servers are designed to be installed in the Cisco UCS 5100 Series Blade Server Chassis (Figure 4). Each chassis provides four slots to support up to four full-width (or eight half-width) servers. The UCS 5100 Series provides four power supply bays and redundant-capable, hot-swappable power supplies. The chassis connects to the Cisco UCS Unified Fabric by means of two UCS 2100 Series Fabric Extender modules, which are installed on the back of the chassis. The fabric extenders multiplex traffic from the blade servers onto as many as four 10 GB connections to the unified fabric. Each fabric extender provides eight connections to the UCS 5100 midplane to accommodate blade server traffic.

Figure 4 Cisco UCS 5100 Series Blade Server Chassis

Cisco UCS B-Series server blades connect to the chassis (and thus to the fabric extenders) by means of network adapters that plug into the UCS 5100 midplane. These network adapters are installed on the blade servers as mezzanine cards. Half-width server blades support a single mezzanine card for up to 20 Gbps of I/O throughput. Full-width blades support up to two mezzanine connectors for up to 40 Gbps of I/O throughput. Each adapter provides two connections to the midplane, one for each fabric extender slot. The UCS B-Series offers a choice of adapter types, including:

- Cisco UCS M81KR Virtual Interface Card: this adapter can be provisioned to present up to 128 virtual interfaces. Eight of these virtual interfaces are reserved for system use. Each virtual adapter appears to the operating system as a unique physical adapter. Virtual NICs are individually programmable as Ethernet NICs or Fibre Channel Host Bus Adapters (HBAs).
- Cisco UCS M71KR-E and M71KR-Q Converged Network Adapters: these adapters present two 10 GE NICs and either two Emulex or two QLogic HBAs to the operating system. These adapters are especially applicable for organizations needing compatibility with existing data center solutions.
- Cisco UCS 82598KR-CI 10 Gigabit Ethernet Adapter: this adapter presents two 10 GE NICs to the operating system, with each NIC connected to one of the two fabric extender slots.

Cisco UCS C-Series servers extend Cisco Unified Computing System innovations, such as Cisco Extended Memory Technology and unified network fabric, to an industry-standard rack-mount form factor. The C-Series servers operate in both standalone environments and as part of the Cisco Unified Computing System. The C-Series servers can be deployed incrementally according to an organization's timing and budget. These servers support a range of network adapters, including Converged Network Adapters and the UCS P81E Virtual Interface Card, and integrate easily with existing networks and storage solutions.

Fabric Interconnect and Switching


The Fabric Interconnect and Switching subsystem handles traffic flows between servers, between the compute and storage subsystems, and between the Virtualized Data Center and the Virtualization-Aware Network. This subsystem provides network connectivity and efficient traffic handling, as well as management capabilities for all UCS components. The Fabric Interconnect and Switching subsystem leverages the Cisco Unified Fabric, which integrates data and storage networking to provide transparent convergence and high levels of scalability. Key elements of this subsystem include:

- Nexus 5000 and 7000 Switches
- Cisco UCS 6100 Fabric Interconnect
- Cisco UCS Manager

The Cisco Nexus 5000 Series and 7000 Series switches provide high-speed Ethernet switching for this subsystem. These switches, which run the NX-OS operating system, are generally installed as redundant pairs. The Nexus 5000 Series switches are typically deployed in enterprise-class data center server access layers, or in smaller-scale data center aggregation layer environments. The Nexus 7000 Series switches, which are available in 10-slot and 18-slot versions, are used in large-scale enterprise core and aggregation layer deployments. Both switches offer high performance, virtualized services, and unified fabric support.

The Cisco UCS 6100 Fabric Interconnect, based on the same switching technology as the Nexus 5000 Series Switches, provides line-rate, low-latency, lossless 10 GE and Fibre Channel over Ethernet capabilities. The fabric interconnect is designed to consolidate LAN and SAN traffic onto a single switch fabric, thus reducing the costs and complexity associated with parallel networks, adapters, switches, and cables. The Cisco UCS 6100 Series terminates Fibre Channel over Ethernet (FCoE) traffic flows from the UCS servers, with Ethernet traffic separated and forwarded to Network-Attached Storage, and Fibre Channel traffic directed to the appropriate Storage Area Network. The Cisco UCS 6100 Series devices are typically deployed in redundant pairs to provide uniform access to both networks and storage (Figure 5). These devices provide network connectivity and management capabilities for all attached Cisco UCS chassis and servers, so that all elements appear as a single management domain. The Cisco UCS 6100 Series offers both 20-port and 40-port models. Both models deliver a high-performance unified fabric, centralized management with Cisco UCS Manager, and virtual machine-optimized services with support for VN-Link technologies. With VN-Link, the fabric interconnects can provide policy-based virtual machine connectivity, mobility of network policies on a per-VM basis, and a consistent operational model for both physical and virtual networks.

Cisco UCS Manager, which is integrated with the fabric interconnect, provides centralized management capabilities for all hardware and software elements of the Cisco Unified Computing System. Cisco UCS Manager is embedded device management software that provides end-to-end management of the system as a single logical entity. It implements role-based and policy-based management with service profiles and templates for faster provisioning. Service profiles facilitate provisioning of both servers and their I/O requirements. The service profile provides a software definition of a server and its associated LAN and SAN connectivity requirements. When the profile is deployed on a particular server, Cisco UCS Manager automatically configures the server, adapters, fabric extenders, and fabric interconnects to match the profile. Cisco UCS Manager resides on a pair of Cisco UCS 6100 Series Fabric Interconnects deployed in an active/standby configuration for high availability.

Figure 5 Cisco UCS 6100 Series Fabric Interconnect

Hypervisor
The hypervisor is virtualization software that enables a single physical server to host multiple operating systems. Hypervisors facilitate the creation, deployment, and operation of virtual machines (Figure 6). Hypervisor software helps ensure that all virtual machines receive a fair share of the server's processor, memory, and I/O resources. The hypervisor often provides specialized tools for increasing virtual machine density, managing resource sharing, and facilitating migration. Hypervisors typically enable virtual resources to be grouped, or pooled, according to a wide range of parameters. Virtual servers might be grouped according to organizational boundaries, or according to worker profile. Each pool contains a like set of VMs with common policies and a common set of resources. Hypervisors also provide access to storage for virtualized desktops and applications. Storage can be physically located on the server (e.g., Direct-Attached Storage) or remotely (i.e., shared storage). Advanced features such as VM migration and resource scheduling, which require common storage for a given set of users/servers, will generally require a remote shared storage solution. The Cisco VXI system has validated three hypervisors for use in the Virtualized Data Center:

- Citrix XenServer
- Microsoft Hyper-V
- VMware vSphere

Figure 6 Cisco VXI Virtualized Data Center - Hypervisor (diagram: four VMs, each with a guest OS and applications, running on the hypervisor/virtual network over a compute platform with a CPU pool, memory banks, and a storage pool)

The hypervisor also enables support for desktop virtualization solutions, in which virtual desktops are hosted on data center servers as virtual machines. Desktop virtualization abstracts the end user experience (operating systems, applications, and content) from the physical endpoint. Users can access their virtual desktops across the network using zero clients, thin clients, laptop computers, mobile devices, and more. A desktop virtualization session requires an endpoint, a hosted desktop running on a virtual machine housed in a data center, and a software agent running inside the virtual desktop. The client initiates a connection to the virtual desktop agent, and interfaces with the desktop by means of a display protocol. Virtual desktop deployments may also position a connection broker between the endpoint and the desktop. The connection broker authenticates client requests and connects users to the appropriate desktops. For desktop virtualization, Cisco VXI has validated solutions from Citrix (XenDesktop 4, 5; XenApp) and from VMware (View 4.5, 4.6).
Figure 7 Desktop Virtualization (diagram: a DV endpoint connects across the network to the virtual desktop host in the virtual data center by means of the display protocol)

As the virtualized environment grows, networks are evolving to extend functionality to each VM. Network switching, security, bandwidth optimization, and other services that have been applied to physical devices now need to be applied to individual VMs. Consequently, the hypervisor increasingly plays a critical role in hosting these virtualized network functions. Cisco VXI virtualized networking solutions include the following (currently supported on the VMware vSphere hypervisor):


Cisco Nexus 1000v: a virtual machine access switch that leverages Cisco VN-Link server virtualization technology to deliver policy-based VM connectivity, mobile VM security and network policy, and a non-disruptive operational model. It provides a consistent networking feature set and provisioning process from the VM access layer to the data center network core.

Figure 8 Cisco Nexus 1000V (diagram: VMs on a server attach to the Cisco Nexus 1000V VEM running in the hypervisor, which is managed by the Cisco Nexus 1000V VSM and uplinked to the physical switches)

Cisco Virtual Security Gateway for the Cisco Nexus 1000v: a virtual appliance that monitors and controls access to trust zones in enterprise and cloud provider environments. Cisco VSG provides secure segmentation of virtualized data center VMs using granular, zone-based control and monitoring with context-aware security policies. Controls can be applied across organizational zones, lines of business, MOVE-AV server deployments, or multitenant environments.

Figure 9 Server Zones (diagram: the Virtual Security Gateway (VSG) sits between the server zones Healthcare Portal, Records Database, and Application and the HVD zones IT Admin, Assistant, Doctor, and Guest)
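The zone-based control that the VSG description above attributes to the virtual security gateway can be illustrated with a small policy evaluator. The following is an added example written for this page, not Cisco VSG code or its policy language: each VM is assigned to one of the zones named in Figure 9, an ordered rule list decides which zone-to-zone flows are permitted, and anything unmatched (including a VM with no zone at all) is denied. The VM names, ports, and rules are constructed for the example.

```python
"""Zone-based segmentation policy for VM-to-VM traffic.

Added example, not Cisco VSG code. It models the idea in the text: every VM
belongs to a zone, and an ordered policy decides which zone-to-zone flows
(by protocol and destination port) are permitted, with an implicit deny at
the end. Zone names come from Figure 9; the VM names, ports and rules are
constructed for this example.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src_zone: str            # zone name or "any"
    dst_zone: str            # zone name or "any"
    proto: str               # "tcp", "udp" or "any"
    dst_port: Optional[int]  # None matches every port
    action: str              # "permit" or "deny"


# Constructed VM-to-zone membership. VSG derives zone membership from VM
# attributes; a plain dictionary stands in for that here.
VM_ZONES = {
    "portal-01": "Healthcare Portal",
    "records-db-01": "Records Database",
    "app-01": "Application",
    "hvd-doctor-17": "Doctor",
    "hvd-assistant-04": "Assistant",
    "hvd-guest-02": "Guest",
    "hvd-itadmin-01": "IT Admin",
}

# Constructed policy: first match wins, anything unmatched is denied.
POLICY = [
    Rule("Doctor", "Healthcare Portal", "tcp", 443, "permit"),
    Rule("Assistant", "Healthcare Portal", "tcp", 443, "permit"),
    Rule("Healthcare Portal", "Application", "tcp", 8080, "permit"),
    Rule("Application", "Records Database", "tcp", 5432, "permit"),
    Rule("IT Admin", "any", "tcp", 22, "permit"),
    Rule("Guest", "any", "any", None, "deny"),
    Rule("any", "Records Database", "any", None, "deny"),
]


def evaluate(src_vm, dst_vm, proto, dst_port, policy=POLICY, zones=VM_ZONES):
    """Return (action, matched_rule) for one flow; matched_rule is None when
    the implicit deny applies (no rule matched, or a VM has no zone)."""
    src_zone = zones.get(src_vm)
    dst_zone = zones.get(dst_vm)
    if src_zone is None or dst_zone is None:
        return "deny", None  # an unzoned VM gets no access at all
    for rule in policy:
        if rule.src_zone not in ("any", src_zone):
            continue
        if rule.dst_zone not in ("any", dst_zone):
            continue
        if rule.proto not in ("any", proto):
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action, rule
    return "deny", None


def audit(flows, policy=POLICY, zones=VM_ZONES):
    """Evaluate a list of (src_vm, dst_vm, proto, dst_port) flow records and
    return one log line per flow, naming the rule that decided it."""
    lines = []
    for src, dst, proto, port in flows:
        action, rule = evaluate(src, dst, proto, port, policy, zones)
        why = f"rule {policy.index(rule)}" if rule is not None else "implicit deny"
        lines.append(f"{action.upper():6} {src} -> {dst} {proto}/{port} ({why})")
    return lines


if __name__ == "__main__":
    # Constructed sample flows between the zones of Figure 9.
    SAMPLE_FLOWS = [
        ("hvd-doctor-17", "portal-01", "tcp", 443),
        ("hvd-doctor-17", "records-db-01", "tcp", 5432),
        ("hvd-guest-02", "portal-01", "tcp", 443),
        ("hvd-itadmin-01", "records-db-01", "tcp", 22),
        ("rogue-vm", "portal-01", "tcp", 443),
    ]
    print("\n".join(audit(SAMPLE_FLOWS)))
```

Rule order matters: the IT Admin rule sits above the blanket deny toward the Records Database zone, so an administrator's SSH session to the database VM is permitted while a Doctor desktop reaching the database directly is not. The `audit` output names the deciding rule for each flow, which is the kind of record a reviewer needs when checking that a segmentation policy does what the zone diagram claims.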

Cisco Virtual WAAS (vWAAS): a virtual appliance that accelerates business applications delivered from private and virtual private clouds. It also can optimize flows to network printers and video streams. Cisco vWAAS runs on Cisco UCS servers with supported hypervisors, using the policy-based configurations in the Cisco Nexus 1000v switch. Cisco vWAAS can be associated with application server VMs as these are instantiated or moved. With Cisco vWAAS, cloud providers can rapidly provision WAN optimization services with little to no configuration or disruption.

Storage
In a desktop virtualization environment, information once stored on the user's local PC is now stored in the data center. Shared storage is generally preferred in larger deployments as it offers high performance, resource sharing, and centralized security, and supports advanced virtualization features. Shared storage solutions are provided by ecosystem partners EMC and NetApp. Cisco VXI has also validated the Atlantis ILIO solution for storage optimization. Cisco VXI storage support includes:

- Network-Attached Storage (NAS)
- Storage Area Networks (SAN)
- Direct-Attached Storage (DAS)

With Network-Attached Storage, IP-based traffic such as Small Computer System Interface over IP (iSCSI) or Network File System (NFS) is switched as Ethernet traffic to the storage array by Nexus 5000 or Nexus 7000 Series switches (Figure 10). The shared storage array is mapped to a hypervisor storage pool, and the hypervisor provides each virtual desktop with simulated local storage. Storage traffic is assigned to a separate VLAN, and the storage array is usually placed in the same VLAN to eliminate the need for multiple default routes.

Figure 10 Network-Attached Storage (diagram: Ethernet traffic from the compute layer is switched by Cisco Nexus 5000 and Nexus 7000 switches to NAS storage, separately from the FCoE traffic)

Storage Area Networks provide access to block-level storage. Fibre Channel-based storage traffic destined for a SAN-based array is switched by Cisco MDS 9000 Series switches. The Cisco MDS 9000 Family switches allow multiple arrays to communicate with multiple hosts in much the same manner as an Ethernet switch. The Cisco MDS 9000 Series switches connect to Fibre Channel uplinks on the Cisco UCS 6100 Fabric Interconnects. Traffic is encapsulated by the Cisco UCS 6100 in FCoE frames and passed to the Cisco UCS servers. Fibre Channel connections typically operate in active or standby mode. If SAN A is the primary array, then SAN B is a mirror copy (Figure 11).
Figure 11 Storage Area Network (SAN) Storage (diagram: FC storage arrays SAN 1 and SAN 2 carry FC traffic to Cisco MDS FC switches, which carry FC traffic to the Cisco UCS 6100 Fabric Interconnects; FCoE traffic then flows to the Cisco UCS blade systems)

The Cisco VXI system also supports direct-attached storage. With DAS, storage for each server is managed separately and is dedicated to that server. While generally offering limited scalability and manageability compared to shared storage, DAS may be useful in small/medium businesses, lab or test environments, or simply where a lower-cost storage footprint is desired. Cisco UCS B-Series and C-Series servers offer a range of Direct-Attached Storage options including SAS, SATA, and SSD. Cisco VXI has validated the Cisco UCS C250 M2 (which supports up to 4.8 TB) in two DAS configurations: 2x100GB SSD with 6x300GB SAS, and 8x300GB SAS.

Cisco VXI Virtualization-Aware Network


The Virtualization-Aware Network transports HVD traffic between the desktop and the end user. The network plays a critical role in desktop virtualization, as end users connect to the virtualized data center to access applications and information that formerly resided locally on their laptop computers. Delay-sensitive rich media traffic, such as collaborative video, can be severely degraded by network congestion, latency, jitter, and other factors. Assuring a high-quality end user experience is further complicated by the fact that display protocols may encapsulate and hide traffic contents, and thus impair the network's ability to apply granular quality of service mechanisms. The Cisco VXI network architecture is based on Cisco's best practices for deploying infrastructure at specific Places-In-The-Network (PINs). This section discusses the components and features needed for:

- Data Center Edge
- Campus
- WAN
- Branch Office
- Teleworker (Fixed and Mobile)

Figure 12 Cisco VXI Virtualization-Aware Network (diagram: VXI endpoints in the campus, at branch offices, and at fixed and mobile teleworker sites reach the hosted virtual desktops and the connection broker in the data center; the campus/DC edge network holds the ASA, WAE head-end, Cisco ASR, ACE, and WAAS Central Manager; the campus uses Catalyst 4K/3K/2K access switches with PoE+, 802.1x, and endpoint tracking; branches use ISRs with WAAS SRE or WAAS Express over DMVPN to Cisco ASRs; mobile teleworkers use endpoints with WAAS Mobile and AnyConnect VPN over the Internet)

Data Center Edge Network


The Data Center Edge connects the data center to the rest of the network infrastructure. It supports the head-end functionality required to enable end-to-end data security, availability, and optimization across the network. These head-end functions include VPN aggregation, performance acceleration, and load balancing. Key components for the Cisco VXI data center edge include:

- Cisco ACE
- Cisco WAAS
- Cisco ASA 5500 Series

Cisco ACE provides load balancing (see Figure 13), SSL offloading, and health monitoring for connection brokers or other critical components in the Cisco VXI environment. The connection broker is particularly important as it authenticates and directs client requests to the appropriate virtual desktops. Connection brokers also maintain the state of connections in case of drops or disconnects, and can optionally power down or delete remote desktops. Connection brokers are often deployed in pairs for resilience, and load balancers such as Cisco ACE can be deployed at the front end to monitor health and maintain responsiveness.


Cisco ACE is deployed at the aggregation layer in the data center using one-arm mode. In one-arm mode, it is configured with a single VLAN that handles both client requests and server responses. Routed and bridged ACE deployments also work in this design. A minimum of two Cisco ACE appliances are typically deployed for redundancy. Either the Cisco ACE Application Control Engine Module or the Cisco ACE 4710 Application Control Engine Appliance can be used. When deploying the Cisco ACE Module, Cisco recommends technologies such as the Cisco Catalyst 6500 Virtual Switching System (VSS) 1440 with its multi-chassis EtherChannel. This can help improve the resiliency of the network design by delivering sub-second network convergence in a failure recovery. Cisco ACE 4710 appliances are connected to the aggregation layer using a port channel and are enabled for high availability. The Cisco ACE Module or 4710 Appliance load-balances virtual desktop requests to the connection broker while providing session persistence.
Figure 13 Load Balancing with Cisco ACE (diagram: the DV endpoint reaches the connection broker through Cisco ACE over HTTPS; the display connection then runs to the hypervisor containing the virtual desktops)
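The three front-end behaviours the ACE paragraphs above rely on (health monitoring of the broker pair, distribution of new client requests, and session persistence so a returning client lands on the same broker) can be shown together in a small model. The following is an added example written for this page, not Cisco ACE code or configuration: it probes two constructed brokers, takes one out of rotation after a run of failed probes, and re-pins the clients that were stuck to it. Broker names, client identifiers, and probe results are constructed.

```python
"""Front-end load balancing with health monitoring and session persistence.

Added example, not Cisco ACE code. It models the behaviour described in the
text: a load balancer probes a pair of connection brokers, sends new client
requests round-robin to the healthy ones, and keeps a returning client
pinned (persistence) to the broker it was first sent to for as long as that
broker stays healthy. Broker names, client identifiers and probe results
are constructed for this example.
"""


class Broker:
    def __init__(self, name):
        self.name = name
        self.healthy = True
        self.failed_probes = 0  # consecutive failed health probes


class LoadBalancer:
    def __init__(self, brokers, probe, fail_threshold=3):
        self.brokers = list(brokers)
        self.probe = probe                # callable(Broker) -> bool
        self.fail_threshold = fail_threshold
        self.sticky = {}                  # client id -> Broker
        self._next = 0                    # round-robin cursor

    def run_health_checks(self):
        """One probe cycle. A broker is taken out of rotation after
        fail_threshold consecutive failures and returned after one success."""
        for b in self.brokers:
            if self.probe(b):
                b.failed_probes = 0
                b.healthy = True
            else:
                b.failed_probes += 1
                if b.failed_probes >= self.fail_threshold:
                    b.healthy = False

    def healthy_brokers(self):
        return [b for b in self.brokers if b.healthy]

    def select(self, client_id):
        """Choose a broker for a client request. A pinned client keeps its
        broker while it is healthy; otherwise it is re-pinned round-robin."""
        pinned = self.sticky.get(client_id)
        if pinned is not None and pinned.healthy:
            return pinned
        pool = self.healthy_brokers()
        if not pool:
            return None  # nothing healthy: fail the request explicitly
        choice = pool[self._next % len(pool)]
        self._next += 1
        self.sticky[client_id] = choice
        return choice


def simulate():
    """Drive the load balancer through a broker failure and return the
    sequence of broker names handed to clients (None = request refused)."""
    up = {"broker-a": True, "broker-b": True}       # constructed probe state
    lb = LoadBalancer([Broker("broker-a"), Broker("broker-b")],
                      probe=lambda b: up[b.name])
    trace = []
    trace.append(lb.select("client-1").name)        # broker-a
    trace.append(lb.select("client-2").name)        # broker-b
    trace.append(lb.select("client-1").name)        # broker-a (persistence)
    up["broker-a"] = False
    for _ in range(lb.fail_threshold):
        lb.run_health_checks()                      # broker-a leaves rotation
    trace.append(lb.select("client-1").name)        # broker-b (re-pinned)
    up["broker-b"] = False
    for _ in range(lb.fail_threshold):
        lb.run_health_checks()
    chosen = lb.select("client-3")
    trace.append(chosen.name if chosen else None)   # None: all brokers down
    return trace


if __name__ == "__main__":
    print(simulate())
```

Two design points carry over to a real deployment: a broker is removed only after several consecutive failed probes (one lost probe should not reshuffle every pinned session), and when no broker is healthy the front end refuses the request rather than silently sending it to a dead broker, so the failure is visible to monitoring instead of surfacing as client timeouts.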

The Cisco WAE, along with the Cisco WAAS Central Manager, is typically deployed as a head-end device in the data center edge when bandwidth optimization is being used. Cisco vWAAS, a VM-based WAAS solution that runs on the Cisco Nexus 1000v virtual switch, also can be deployed by enterprises and service providers that offer private and virtual private cloud-based application delivery services. Cisco vWAAS supports two deployment options: (1) network edge with out-of-path interception, or (2) deep in the data center with vPath interception. The network edge is the traditional location for intercepting WAN traffic to be optimized. The out-of-path model uses Web Cache Communication Protocol (WCCP) to intercept traffic. In this model, VMware vSphere hosts with Cisco vWAAS virtual machines are connected to WCCP-enabled switches or routers. Multiple Cisco vWAAS VMs can operate in a cluster, optimizing all traffic intercepted by the router. The Cisco vWAAS VMs can be spread across single or multiple servers, and both physical and virtual vWAAS appliances can be mixed in a cluster.

The Cisco ASA 5500 Series Adaptive Security Appliance is a purpose-built platform that combines best-in-class security and VPN services. The Cisco ASA 5500 Series enables customization for specific deployment environments and options, with special product editions for secure remote access (SSL/IPsec VPN), firewall, content security, and intrusion prevention. The ASA can act as a VPN concentrator and/or a firewall and is the first point at the data center or campus edge where all traffic is received. All VPN tunnels from VPN clients such as Cisco AnyConnect or IPsec-enabled ISR 800 routers terminate on the ASA 5500 Series.

Campus Network
The campus network connects the end users and devices in the corporate network with the data center, WAN, and Internet. The Cisco Enterprise Campus 3.0 architecture provides an overview of the campus network architecture and includes descriptions of design considerations, topologies, technologies, configuration design guidelines, and other factors relevant to the design of a highly available, full-service campus switching fabric. In addition to the high-speed connectivity service, the campus network, with its direct interaction with end users and devices, provides a rich set of services, such as Power over Ethernet (PoE), secure access control using IEEE 802.1x, intelligent and dynamic provisioning of Cisco VXI endpoints into the correct VLANs (with appropriate QoS/Security policies), location tracking for endpoints, and traffic monitoring and management. To enable these services, Cisco VXI endpoints within the campus domain should be connected to a wiring closet switch such as a Cisco Catalyst 4000, 3000, or 2000 Series. Key technologies in the Cisco VXI campus include:

- Power over Ethernet: provides high availability, high efficiency, and easy-to-manage power. With the introduction of PoE+ capable Cisco VXI clients, organizations now can transition the entire employee work environment to a single power source, saving on both wiring and energy costs. The Cisco Catalyst 4500E, Catalyst 2000S, and Catalyst 3000-X are recommended campus access platforms for Cisco VXI. The Cisco Catalyst 4500E supports Universal PoE, a Cisco technology that extends the IEEE 802.3 PoE standard to provide up to 60 watts of power over Ethernet cabling. Cisco UPOE enables support for a broad range of end user devices, improves availability, consolidates backup power into the wiring closet, and eliminates the need for a power outlet for every endpoint. When used in conjunction with Cisco EnergyWise, it can lower energy costs and help organizations achieve sustainability goals.
- Auto SmartPorts: enable campus switches to dynamically provision Cisco VXI clients by automatically configuring a port based on device identification obtained through Cisco Discovery Protocol (CDP) or MAC addresses. Smartport macros are pre-defined, customizable configuration scripts based on Cisco best practices that allow administrators to easily apply common switch port configurations.
- QoS: Display traffic is encapsulated in vendor-proprietary protocols such as ICA, PCoIP, and RDP. In the campus, use DSCP marking and Class of Service values to prioritize this traffic.
- 802.1x: Cisco Catalyst switches can authenticate users via 802.1x and map them to appropriate ACLs based on their login credentials. For example, a contractor can connect to the network and be granted access to specific resources. The Cisco Catalyst 4500E and Catalyst 3000-X switches provide 802.1X and port security features for endpoint-level security in the campus.
- Location/Endpoint Tracking: Catalyst 4500E and Catalyst 3000-X switches provide wired location endpoint tracking services, and transmit location information of connected VXI endpoints to the Cisco Mobility Services Engine (MSE). Cisco MSE is an appliance-based platform for delivering mobility services in a centralized and scalable fashion across wired and wireless networks.

WAN
The WAN connects workers in branch and regional offices with their data center-based virtual desktops. Cisco VXI is designed to deliver a high-quality user experience across a wide range of WAN architectures. Many of the display protocols used with desktop virtualization are not optimized for wide-area networking and may not perform well in high-latency or bandwidth-constrained environments. At the same time, desktop virtualization users tend to be highly mobile, and they increasingly demand access across the WAN to their virtual desktops. To improve the performance and protect the integrity of virtual desktop traffic across a WAN, Cisco VXI leverages the following technologies:

Cisco WAAS for Bandwidth Optimization and WAN Acceleration
Performance Routing
Dynamic Multipoint VPN

Cisco WAAS technology is deployed on either side of the WAN to optimize the traffic that crosses it. Cisco WAAS technology can improve application response time by reducing bandwidth consumption, thereby increasing application performance. This has the dual benefit of improving the user experience while allowing more users to be served by a given WAN link. Cisco WAAS capabilities rely on transport flow optimization (TFO), data-redundancy elimination (DRE), and Lempel-Ziv (LZ) compression technologies, which combine to increase bandwidth consumption efficiency.

Performance Routing (PfR) improves application performance by selecting the best path across the WAN. PfR takes into account network metrics such as reachability, delay, loss, and jitter to help select the best path based on the application needs. It measures network performance and dynamically re-routes the traffic when the metrics do not satisfy the application needs. PfR thus provides path optimization and advanced load balancing for VXI traffic over the WAN. PfR has two logical components, the Master Controller (MC) and the Border Router (BR). Generally these are separate routers, but the MC can run on a BR in smaller deployments. The MC acts as a central processor and data collection point and reports events and measurements. The MC gathers network metrics from all the BRs and determines whether traffic classes are performing in accordance with configured policy. Based on these metrics, the MC can instruct the BR to stay on the current WAN link or change to an alternate path if one is available. Routing and path selection is accomplished through traffic class optimization or link optimization.

Site-to-Site VPNs between the branches and the corporate head offices are IP Security (IPsec) encrypted tunnels across the WAN. These tunnels can be deployed using certificates or pre-shared keys for authentication of the tunnel endpoints. This deployment model encrypts all site-to-site traffic to minimize the risk of data being captured along the route. Cisco VXI supports Easy VPN and Dynamic Multipoint VPN (DMVPN). The DMVPN solution supports a variety of WAN links, such as T1/T3, xDSL, and others. In a Cisco VXI system it is implemented by configuring the ISR G2 router at each branch or fixed teleworker location to connect to a VPN head-end at the data center edge. Cisco Security Manager (CSM) is used to configure DMVPN.
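The branch side of the DMVPN tunnel described above, shown as an added Cisco IOS configuration example for an ISR G2 spoke (this is not configuration from the Cisco VXI design guide or from CSM). All addresses are constructed: 198.51.100.1 is the head-end's public address, 10.255.0.1/10.255.0.11 are the hub and spoke tunnel addresses, 10.11.0.0/24 is the branch LAN, and GigabitEthernet0/0 is the WAN interface; the pre-shared key and NHRP authentication string are placeholders, and a PKI trustpoint could be used instead of the pre-shared key.

```ios
! Added example, not from the Cisco VXI design guide. Constructed values:
! head-end 198.51.100.1, hub tunnel 10.255.0.1, spoke tunnel 10.255.0.11,
! branch LAN 10.11.0.0/24, WAN interface GigabitEthernet0/0.
!
! IKE (ISAKMP) policy: AES-256, SHA-1, DH group 14, pre-shared key authentication
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
! Pre-shared key for the head-end only; certificates (rsa-sig) can replace this
crypto isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1
!
! IPsec transform set in transport mode (GRE already provides the encapsulation)
crypto ipsec transform-set VXI-TS esp-aes 256 esp-sha-hmac
 mode transport
crypto ipsec profile VXI-DMVPN
 set transform-set VXI-TS
!
! mGRE tunnel toward the data center head-end, protected by the IPsec profile
interface Tunnel0
 description DMVPN to data center VPN head-end
 ip address 10.255.0.11 255.255.255.0
 ip mtu 1400
 ip tcp adjust-mss 1360
 ip nhrp authentication <NHRP-AUTH-PLACEHOLDER>
 ip nhrp map 10.255.0.1 198.51.100.1
 ip nhrp map multicast 198.51.100.1
 ip nhrp network-id 100
 ip nhrp nhs 10.255.0.1
 tunnel source GigabitEthernet0/0
 tunnel mode gre multipoint
 tunnel key 100
 tunnel protection ipsec profile VXI-DMVPN
!
! Advertise the branch LAN to the hub so virtual desktop traffic is routed via the tunnel
router eigrp 100
 network 10.11.0.0 0.0.0.255
 network 10.255.0.0 0.0.0.255
 no auto-summary
```

The head-end needs the matching ISAKMP policy, transform set and an mGRE tunnel with `ip nhrp map multicast dynamic`; `show dmvpn` and `show crypto ipsec sa` on the spoke confirm that the tunnel is up and encrypting.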

Branch-Office Network
A remote branch office is an enterprise-controlled environment. The primary challenge in the delivery of hosted virtual desktops to branch offices is making sure that the WAN provides adequate performance to meet end-user experience expectations. When hosted virtual desktops are delivered over the WAN, the end user has to cope with limited WAN bandwidth, latency, and packet loss. Cisco VXI branch offices typically deploy:

Cisco Integrated Services Routers
Cisco WAAS
Catalyst Switches

In a branch office, the Cisco WAE appliance is connected to the local router, typically a Cisco Integrated Services Router (ISR). The branch-office Cisco WAAS deployment, together with the data center Cisco WAAS deployment, offers a WAN optimization service through the use of intelligent caching, compression, and protocol optimization. When end users access the virtual desktops through the connection broker, Cisco WAAS compresses the response and then efficiently passes it across the WAN at high speed and with little bandwidth use. Commonly used information is cached at both the Cisco WAAS solution in the branch office and in the data center, which significantly reduces the burden on the servers and the WAN.

The branch typically will be connected to the data center by means of encrypted IPsec tunnels. Since the branch will typically service its own local DHCP requests, access layer switches should employ DHCP Snooping, dynamic ARP inspection, and IP source guard. For device authentication, IEEE 802.1x or MAC Authentication Bypass (MAB) should also be deployed locally, via branch switches or switch modules within the Cisco ISR. In some cases (e.g., unencrypted RDP), traffic between the endpoint and the access switch might travel in the clear over the local network. For enterprises concerned about link security from the branch endpoints to the branch access switches, Cisco VXI supports MACsec-based link layer encryption.
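The access-switch controls described for the branch above, together with the 802.1x and DSCP marking services described for the campus, as one added Cisco IOS configuration example for a Catalyst access switch (this is not configuration from the Cisco VXI design guide). Everything in it is constructed: VLAN 10 is the endpoint VLAN, GigabitEthernet1/0/1 the endpoint port, GigabitEthernet1/0/48 the uplink to the ISR, 192.0.2.10 the RADIUS server; the display-protocol ports (ICA 1494/2598, PCoIP 4172, RDP 3389) are the protocols' defaults and the AF21 marking is an assumed choice; MACsec is not shown.

```ios
! Added example, not from the Cisco VXI design guide. Constructed values:
! VLAN 10 = VXI endpoint VLAN, Gi1/0/1 = endpoint port,
! Gi1/0/48 = uplink to the branch ISR, 192.0.2.10 = RADIUS server.
!
! --- AAA and IEEE 802.1X, with MAB fallback for clients without a supplicant ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius-server host 192.0.2.10 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
dot1x system-auth-control
!
! --- Protect locally served DHCP: snooping and dynamic ARP inspection on VLAN 10 ---
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
! --- Classify display-protocol traffic for DSCP marking.
!     Assumed default ports: ICA 1494/2598, PCoIP 4172, RDP 3389.
!     AF21 is an assumed value; use the class your QoS policy defines. ---
ip access-list extended VXI-DISPLAY-ACL
 permit tcp any any eq 1494
 permit tcp any any eq 2598
 permit tcp any any eq 4172
 permit udp any any eq 4172
 permit tcp any any eq 3389
!
mls qos
class-map match-any VXI-DISPLAY
 match access-group name VXI-DISPLAY-ACL
!
policy-map VXI-ACCESS-IN
 class VXI-DISPLAY
  set dscp af21
 class class-default
  set dscp default
!
! --- Endpoint-facing PoE access port ---
interface GigabitEthernet1/0/1
 description VXI endpoint
 switchport mode access
 switchport access vlan 10
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 mab
 dot1x pae authenticator
 ! IP source guard: only addresses learned by DHCP snooping may send
 ip verify source
 ip arp inspection limit rate 15
 service-policy input VXI-ACCESS-IN
 spanning-tree portfast
!
! --- Uplink to the ISR: trusted for DHCP and ARP, DSCP markings preserved ---
interface GigabitEthernet1/0/48
 description uplink to branch ISR
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 mls qos trust dscp
```

`show ip dhcp snooping binding`, `show ip arp inspection statistics` and `show authentication sessions` verify that bindings are learned, spoofed ARP is dropped and endpoints authenticate as expected.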
Figure 14 Cisco VXI Branch-Office Deployment

[Figure: branch endpoints, a local printer and a network printer connect to a branch switch; the branch router with Cisco WAAS Edge crosses the WAN to the data center router and Cisco WAAS Core, with the Cisco WAAS Central Manager, a Nexus 7000 core/aggregation switch, Nexus 5000, Cisco 6120, ACE in a VSS chassis, and Cisco UCS 5108 hosting the HVDs, connection broker, and hypervisor.]

Teleworkers
Teleworkers can be either fixed or mobile. A fixed teleworker uses a solution such as Cisco Virtual Office, which provides secure, rich network services to workers outside the traditional corporate office, including executives, contractors, and home workers. Cisco Virtual Office delivers extensible data, voice, video, and applications to create a complete office environment. The Cisco Virtual Office comprises the following:

A Cisco 800 Series Integrated Services Router (ISR) and a Cisco Unified IP Phone.
A data center presence that includes a VPN router and centralized management software for policy, configuration, and identity controls.
WAN optimization for teleworkers using thick/thin VXI endpoints that support the WAAS Mobile implementation. WAAS Mobile pairs with the WAAS Mobile server in the data center behind the VPN head-end.
Deployment and ongoing services from Cisco and approved partners for successful deployment and integration, as well as consultative guidance for automating the deployment.

A Cisco VXI-enabled network provides additional benefits to the fixed teleworker using the CVO solution. These enhancements include a VXI endpoint behind the Cisco 800 ISR. The end user can now access their virtual desktop, secured through a VPN tunnel established between the Cisco 800 ISR and the corporate edge router. Further, by using the WAN optimization technologies offered by WAAS Mobile, the VXI traffic is optimized to provide a better user experience. The VXI virtual desktop will have Cisco Unified Personal Communicator (CUPC) installed. From the CUPC application the user can control an IP Phone on their desk. More information can be found at http://www.cisco.com/en/US/netsol/ns855/index.html

Cisco VXI mobile teleworkers connect to their virtual desktop securely from any endpoint capable of running the Cisco AnyConnect Secure Mobility client and WAAS Mobile. There is no requirement for a Cisco IP phone in the mobile teleworker use case. Further, by using the WAN optimization technologies offered by WAAS Mobile, the VXI traffic is optimized to provide a better user experience. The WAAS Mobile client is installed on the endpoint device connecting via a VPN or from a home office (CVO router) into the VXI data center. WAAS Mobile has a small footprint and is supported on the majority of thin and thick endpoints. The WAAS Mobile client pairs with a WAAS Mobile server positioned behind the VPN. Please note that the WAAS Mobile server is not the same as a WAAS head-end appliance, and so cannot pair with WAVE, WAAS Express, or WAAS on the SRE products. WAAS Mobile functionality is turned off when a teleworker endpoint is in a campus or branch environment, to allow for more feature-rich WAN optimization. WAAS Mobile deployments are managed by WAAS Mobile Manager, which provides the ability to monitor performance and view bandwidth savings. Figure 15 shows the mobile teleworker connecting to a hosted virtual desktop from an unsecured location using a secure connection.
Figure 15 Mobile Teleworker Connecting via Secure VPN Tunnel

[Figure: a mobile teleworker endpoint connects across the WAN through a VPN tunnel terminated on a Cisco ASA, and then through the connection broker to a virtual desktop running on a hypervisor.]

Cisco VXI Virtualized Collaborative Workspace


The Virtualized Collaborative Workspace enables highly mobile end users to access corporate data and applications from a wide range of thin, thick, and zero clients. The endpoint can be chosen from an ever-expanding list of devices, including tablet computing platforms, and laptop and desktop computers, spanning a multitude of operating systems. These devices enable typical user desktop interactions, and may also support USB-based print and storage functions.
With Cisco VXI, the enterprise can now offer a consistent user experience across multiple devices. Employees can access their desktop environments from different endpoints during the day: a desktop computer while working from headquarters, a thin-client endpoint when visiting a remote branch office, and a tablet when moving about the enterprise. Even if working from home, an employee can be provided with the means to attach to the enterprise through the use of a personal computer and a VPN client.
Figure 16 Cisco VXI Clients in Virtual Collaborative Workspace

[Figure: Cisco VXI clients connecting to hosted virtual desktops on a hypervisor; labels shown in the figure include Hypervisor and SIP.]

Endpoint devices can be characterized as zero clients, thin clients, or thick clients. Zero clients are relatively simple, limited-function devices with operating systems that are not exposed to the end user. These devices rely heavily on the capabilities in their hosted virtual desktops. The embedded OS makes the zero-client endpoint inherently more secure than other options. Task workers are the primary users of these devices.

Thin-client devices use an embedded, locked-down operating system, and tend to be more feature-rich than zero clients. These devices offer increased flexibility to access a broader range of servers and applications. Thin-client endpoints are usually customized by system administrators and then locked down. Thin clients tend to be used by power users.

Thick-client devices are desktop or laptop computers running a standard OS, but with thin-client-type software installed as an application. Thick-client devices allow users to work offline and are often the choice of mobile users. Many organizations are re-purposing their refurbished laptops and PCs for use as thick-client devices.

Cisco VXI is designed to provide the greatest possible flexibility in terms of endpoint selection. Cisco VXI is ecosystem based, with an open and technology-agnostic approach to client selection. Cisco VXI clients include:

Cisco VXC 2100 Series
Cisco VXC 2200 Series
Cisco Cius Tablet
Unified Communications Endpoints
Ecosystem Partner Client Devices

Cisco VXC 2100 and 2200 Series Clients

The Cisco VXC 2100 and VXC 2200 Series are zero-client devices, with embedded device firmware that runs on the system and prompts for the necessary settings to launch a virtual desktop session. Cisco offers two versions of VXC client. The VXC 2100 Series clients physically attach to any Cisco 99XX, 89XX, or 69XX IP phone by means of the phone's PC port. The physical integration of client and IP phone provides an attractive small-footprint solution for environments in which desktop space is limited. The VXC 2100 Series devices provide four USB ports, two monitor ports, and two audio ports (microphone in and headphone out). The clients draw inline power from the phones to which they are attached. The Cisco VXC 2100 Series offers two versions: the Cisco VXC 2111 supports PCoIP environments, whereas the Cisco VXC 2112 supports ICA/RDP deployments.

The VXC 2200 Series client is a standalone appliance intended for use where older Cisco or third-party IP phones are installed. These clients require an available standard Ethernet port for connection to the network. The VXC 2200 Series clients provide four USB ports, two monitor ports, two audio ports, an RJ-45 jack, and a DC input jack. The VXC 2200 Series supports Power over Ethernet (IEEE 802.3at, 802.3af), or can be connected to a Power Cube 4. Like the Cisco VXC 2100 Series, these clients are available in two versions: the Cisco VXC 2211 supports PCoIP, and the Cisco VXC 2212 supports the ICA and RDP display protocols.

Cisco Cius Tablet


Cisco Cius is a mobile collaboration business tablet designed for knowledge workers, executives, and other mobile workers. Cisco Cius enables both on- and off-campus mobility, and provides anytime, anywhere access to Cisco collaboration applications and full interoperability with Cisco TelePresence. It supports high-definition streaming and real-time video. Cisco Cius runs the Android operating system, so users can access a broad range of applications. Developers can enable applications for collaboration by means of Cisco APIs. As a Cisco VXI endpoint, Cisco Cius offers thin-client access to hosted virtual desktops in VDI environments. Cisco Cius provides a seven-inch, high-resolution, color multi-touch display screen for user interaction. It supports 802.11a/b/g/n wireless connectivity for on-campus mobility, and 3G/4G for off-campus connectivity. Dual integrated front- and rear-facing cameras enable high-definition video calling and conferencing. The Cisco Cius can be operated as a standalone portable device, or can be docked in a media station. The media station provides three USB ports, two Ethernet ports for wired connectivity, a speaker for hands-free communications, and charging for the tablet's internal battery.

Unified Communications Endpoints


In a Cisco VXI system, Unified Communications is supported through desktop applications that can control a Cisco IP desktop phone. Cisco Unified Personal Communicator (CUPC), Cisco Unified Communications Integration for WebEx Connect, and Cisco Unified Communications Integration for Microsoft Office Communicator are examples of such applications. These applications can run within the DV desktop, and can be used to control the user's local desktop hard phone. Soft phone mode, in which the call is placed from the desktop and the audio also passes through the desktop, is not currently supported.

Cisco VXI Ecosystem Partner Clients


Collaborative workspace testing has validated a wide range of ecosystem partner products for use in the Cisco VXI system. Validated ecosystem partner client devices include:

IGEL UD7
DevonIT TC5XW
DevonIT TC5DW
Wyse R90LW
Wyse R90L7
Wyse X90LW
Wyse Xenith

Managing the Cisco VXI Environment


An end-to-end Cisco VXI deployment requires a comprehensive management architecture that provides the ability to provision, monitor, and troubleshoot the service for a large number of users on a continuous basis. The task of managing a desktop virtualization system can be a challenge given the number of hardware and software components in the overall system (for example, data center, campus, branch office, Internet, desktop clients, applications). Main features of the Cisco VXI management architecture include:

Operations management - the process of monitoring the status of every element and its components and performing diagnostic testing. It includes the use of Simple Network Management Protocol (SNMP), syslog, and XML-based monitoring of elements, as well as the use of HTTP-based interfaces to manage devices. Operations management also includes endpoint and virtual desktop inventory, and hardware and software asset management. Cisco EnergyWise Orchestrator is an example of an operations management tool.

Service management - the process of monitoring and troubleshooting the status and quality of experience (QoE) of user sessions. It includes the use of packet capture and monitoring tools such as Cisco Network Analysis Module (NAM) and NetFlow to monitor a session. It also enables the desktop virtualization administrator to remotely access the endpoints and virtual desktops to observe performance and collect data (bandwidth and latency measurements). These tools include the ability to measure computing, memory, storage, and network resource utilization in real time to identify bottlenecks or causes of service degradation (e.g., Cisco Services for VXI). Session detail records for a virtual desktop session can help administrators diagnose any connection failures or quality problems.

Service statistics management - the process of collecting quality and resource use measurements and generating reports that can be used for operations, infrastructure optimization, and capacity planning. Measurements can include session volume, service availability, session quality, session detail records, resource utilization, and capacity across the system. The reports can be used for billing purposes and to manage service levels.

Provisioning management - the process of provisioning end users, virtual desktops, and endpoints using batch provisioning tools and templates. It can involve vendor-provided APIs (for instance, XML) that can be used for scripting, automation, and self-service provisioning. Provisioning management tools, such as Cisco VXC Manager, typically include software image and application management on endpoints and virtual desktops.

Conclusion
Cisco VXI is a fully integrated, open, and validated desktop virtualization system which delivers a superior collaboration and rich media experience with best-in-class Return on Investment. Cisco VXI facilitates rapid deployment of desktops and improves control and security by increasing visibility at the virtual machine level. Its modular, ecosystem-based architecture preserves customer flexibility and helps ensure long-term alignment with the industry. With Cisco VXI, customers can deploy a solution that enables agile and efficient service provisioning, provides personalized and pervasive user interactions, and creates a more open environment while increasing IT control.

For More Information

Cisco Virtualization Experience Infrastructure Design Zone:
http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns1100/landing_vxi.html
CCVP, the Cisco logo, and Welcome to the Human Network are trademarks of Cisco Systems, Inc.; Changing the Way We Work, Live, Play, and Learn is a service mark of Cisco Systems, Inc.; and Access Registrar, Aironet, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, iQuick Study, LightStream, Linksys, MeetingPlace, MGX, Networkers, Networking Academy, Network Registrar, PIX, ProConnect, ScriptShare, SMARTnet, StackWise, The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0711R)