Submitted By hassanhamade
Cisco Virtualization Experience Infrastructure (VXI) Reference Architecture
October 5, 2010

What You Will Learn
Enterprise IT departments are pressured to control costs, improve manageability, enhance security, and speed up the deployment of new capabilities while supporting a consistent user experience across diverse endpoints. Desktop virtualization (DV) has become a popular solution for addressing these needs. With hosted DV, the end-user’s desktop experience (operating system, applications, and associated data) is abstracted from the physical endpoint and centralized. The user’s desktop image is hosted as a virtual machine on a data center server. Users can access hosted virtual desktops from anywhere through DV appliances, smart phones, tablet computers, laptop and desktop computers, and other clients. Organizations deploying DV face many challenges, as the DV technologies potentially affect the entire IT infrastructure. To address these challenges, Cisco has developed Cisco® Virtualization Experience Infrastructure (VXI), a comprehensive architecture for desktop virtualization. Cisco VXI, which uses three existing Cisco architectures, includes designs for virtualized data centers, virtualization-aware borderless networks, and virtualized workspaces, and the critical services needed to support these architectures. Cisco VXI reduces the total cost of ownership (TCO), streamlines operations, simplifies management, and positions organizations for growth. This document describes the major elements of the Cisco VXI architecture and is a companion to the Cisco Validated Design guide, which provides detailed design best practices. The system is modular, which means that the Cisco VXI design can adapt and grow as new capabilities are brought to market. The reference architecture uses best practices derived from extensive end-to-end testing of the Cisco VXI system. The result is a Cisco Validated Design that facilitates deployment, reduces risks, accelerates adoption, and positions organizations for the future. See Figure 1 and Figure 2.

Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA

Copyright © 2010 Cisco Systems, Inc. All rights reserved

Figure 1 Cisco VXI Architecture Conceptual Overview
[Figure labels: Data Center Business Advantage; Borderless Networks; Collaboration; Rich Media; Security; Performance Acceleration; High Availability; Energy Efficiency; Location Awareness; Mobility; Policy; Management; Ecosystem; Virtualized Data Center; Virtualization Aware Network; Virtualized Workspace]

Figure 2 Cisco VXI End to End System
[Figure labels: End-to-End Security, Management and Automation; Virtualized Workplace (Cisco Clients: Zero Client & IP Phone, Thin Clients, Cius Business Tablets, Tandberg Endpoints; Ecosystem Thin Clients); Virtualization Aware Network (Branch, Cisco ISR Router, Cisco WAAS, Cisco WAN, Data Center Network, Cisco Nexus, Connection Broker, Cisco ACNS and Cisco WAAS, Cisco ACE); Virtualized Data Center (App, Operating System, Desktop Virtualization Software, Hypervisor, Cisco Unified Computing System, SAN, NAS)]

Cisco VXI Virtualized Data Center
Today’s data centers are no longer viewed as cost centers but as critical assets for achieving strategic business goals. This vision prevails especially among organizations that want to deploy desktop virtualization. The data center is in many ways the center of these systems, because desktop virtualization relies heavily on the efficient centralization of processing, applications, and data. The optimum data center provides a robust, scalable, integrated, and manageable environment for hosting desktop virtualization, while optimizing both operational and capital expenditures.
Figure 3 Cisco VXI Virtualized Data Center Overview
[Figure labels: Virtualized Data Center; App; Operating System; Desktop Virtualization Software; Hypervisor; Cisco Unified Computing System; SAN; NAS]

The building blocks of the Cisco VXI Virtualized Data Center include (Figure 4):
• Compute
• Fabric interconnect and switching
• Storage

Figure 4 Cisco VXI Virtualized Data Center Detail
[Figure labels: Data Center; Virtual Application machine pools (Unified Communications Manager; Email, web; Directory services); Desktop Virtualization machine pools (User Hosted Virtual Desktops); Virtual switch; Hypervisor; Compute; Fabric Interconnect; Network and storage traffic; FC storage traffic; IP storage and network traffic; Ethernet Switching; Fibre Channel Switch; Storage]

Compute

The compute block provides the processing resources needed to host virtual desktops and applications such as Cisco UCS Manager. In the Cisco VXI architecture, the Cisco Unified Computing System™ (UCS) delivers a high-performance computing resource built especially for virtualized environments. The UCS’ extended memory architecture provides enhanced scalability and VM density per server blade, and service profiles enable rapid server provisioning, easy resource pooling, and policy management. The Cisco Unified Computing System supports converged network adapters (CNAs) that accommodate both network-attached storage (NAS) and Fibre Channel–based SANs. Each Cisco UCS server has a hypervisor installed to allow virtualized desktops and servers to run as independent virtual machines. Hypervisors facilitate the creation, deployment, and operation of virtual machines, helping ensure that all virtual machines receive a fair share of CPU, memory and I/O resources. The Cisco VXI architecture supports industry-leading hypervisors from ecosystem partners. These hypervisors provide tools for increasing virtual machine density, resource sharing, and migration. The hypervisor also manages storage access for virtual machines.


The Cisco Nexus® 1000V Series Virtual Ethernet Module (VEM) can be deployed alongside the ESXi hypervisor to position Ethernet switching, traffic isolation, and policy-insertion capabilities within the virtualized environment. Virtual switching enables virtual machines to communicate directly within the virtualized environment, without being switched through the physical switching infrastructure. The virtual switch also allows policies to be applied directly within the virtualized environment. Multiple VEMs can be deployed as a single virtual distributed switch (VDS), enabling the movement of virtual machines across the boundaries of physical servers while keeping them in the same Layer 2 and 3 contexts. Since virtual switches are not bound to a physical server, multiple blades can be linked by the same virtual switch.
Fabric Interconnect and Switching

The fabric interconnect building block supports networking and storage data flows to and from the compute building block, as well as traffic between server blades. The Cisco UCS 6100 Series Fabric Interconnect terminates Fibre Channel over Ethernet (FCoE) traffic flows from the Cisco UCS blade chassis. Ethernet traffic is separated out and forwarded to Network-Attached Storage, and Fibre Channel traffic is forwarded to the appropriate SAN. The fabric interconnect also hosts Cisco UCS Manager, which manages computing and switch fabric resources. The high-speed Cisco Nexus Ethernet switches provide a tightly coupled switching infrastructure for desktop virtualization. These switches are generally installed as redundant pairs to increase availability.
Storage

External storage is used to aggregate the file systems of multiple virtual desktops. Information that used to be stored on the user’s local PC is now stored in a shared array in the data center. Each shared array is divided into partitions. These partitions can be shared among servers; however, most organizations isolate virtual machines from other virtualized payloads to enhance security and balance the traffic load. Cisco VXI supports NAS and SAN-based solutions from ecosystem partners EMC and NetApp. In either case, the hypervisor maps incoming storage data to a local storage pool and presents it to a virtual desktop as if it were a local hard drive. IP-based storage traffic, originating as Small Computer System Interface over IP (iSCSI) or Network File System (NFS) traffic, is switched as Ethernet traffic to the storage array through Cisco Nexus switches. This traffic terminates on the fabric interconnect, where it is encapsulated into FCoE and forwarded to the Cisco UCS servers. Fibre Channel–based storage traffic originates on a Fibre Channel Storage array attached to a Cisco MDS 9000 Family Fibre Channel switch. The Cisco MDS 9000 Family switch allows multiple arrays to talk to multiple hosts (servers) in much the same manner as an Ethernet switch. The Cisco MDS 9000 Family switch connects to Fibre Channel links on the fabric interconnect, which encapsulates traffic into FCoE and passes it to the Cisco UCS servers.

Cisco VXI Virtualization-Aware Network
The network plays a critical role in desktop virtualization, as end users now connect back to the virtualized data center to access applications and information that formerly resided on their laptop computers. The additional transit time across a WAN has the potential to degrade delay-sensitive traffic, such as collaborative video, so it is essential that IT departments carefully plan their network strategies. The network also has to cope with a range of display protocols such as Citrix Independent Computing Architecture (ICA), Microsoft Remote Desktop Protocol (RDP), and PC over IP (PCoIP). These protocols are opaque to the network, to varying degrees, so traditional quality-of-service (QoS) methods may be less effective. The network architecture for Cisco VXI is based on Cisco's best practices for deploying campus, WAN, and data center network infrastructures (Figure 5). The network infrastructure provides security, optimization, and availability for display protocol traffic flowing between virtual machines and end clients. This section discusses the components and features needed for the data center, WAN, campus, branch-office, and teleworker places in the network. The Services section of this document provides additional information about security, optimization, availability, and other essential services.
Figure 5 Cisco VXI Virtualization-Aware Network
[Figure labels: Virtualization Aware Network; Branch Office; ISR Router; WAAS; Cisco WAN; Data Center Network; Cisco Nexus; Connection Broker; Cisco ACNS and WAAS; Cisco ACE]

Data Center Network

The Cisco VXI architecture distinguishes between the compute, storage, and unified fabric functions located in the data center and the head-end networking functions that are also collocated there. These head-end functions include VPN aggregation, performance acceleration, and load balancing. For example, the Cisco Wide Area Application Engine (WAE) devices with Cisco Wide Area Application Services (WAAS) are at the network edge in both the data center and branch office. This arrangement enables Cisco WAAS to accelerate delivery while routing all traffic through a secure VPN tunnel set up by the Cisco Adaptive Security Appliance (ASA) or a Cisco router running Cisco IOS® Software (Figure 6).

Figure 6 Cisco VXI Virtualization-Aware Network Detail
[Figure labels: Data Center; Hosted Virtual Desktop; Cisco WAE; Cisco ASA; Cisco ACE; Connection Broker; Cisco WAAS Central Manager; Campus; Branch office; Teleworker; VPN tunnel]

The connection broker is a critical component of many desktop virtualization systems. Connection brokers authenticate and redirect end-user client requests to the appropriate virtual desktops. Connection brokers also provision new virtual desktops on demand and relay user credentials to the hosted desktop. The broker typically interacts with Microsoft Active Directory to authenticate users and apply user-specific policies. These devices also maintain the state of the connection in case of drops or disconnects and can optionally power down or delete the remote desktop. Connection brokers are typically deployed in pairs for resilience, and load balancers such as Cisco ACE can be deployed at the front end to monitor health and maintain responsiveness.
WAN

Cisco VXI is designed to deliver a high-quality user experience across a wide range of WAN architectures. Many of the display protocols used with desktop virtualization are not optimized for wide-area networking and may not perform well in high-latency or bandwidth-constrained environments. At the same time, desktop virtualization users tend to be highly mobile, and they increasingly demand access across the WAN to their virtual desktops. To improve the performance of virtual desktop traffic across a WAN, Cisco VXI provides several optimization and QoS features. Cisco WAAS technology can improve application response time by reducing bandwidth consumption, thereby increasing application performance. This has the dual benefit of improving the user experience while allowing more users to be served by a given WAN link. Cisco WAAS capabilities rely on transport flow optimization (TFO), data-redundancy elimination (DRE), and Lempel-Ziv (LZ) compression technologies, which combine to increase bandwidth consumption efficiency. Cisco WAAS is discussed in more detail in the Services section of this document. Because some display protocols are proprietary or encrypted, application traffic can be difficult to differentiate. Cisco switches in Cisco VXI can be configured to mark traffic with Differentiated Services Code Point (DSCP) values. These DSCP markings can then be used by Cisco networking devices to direct traffic to the proper queues, based on priority.


Campus Network

The campus network connects the end users and devices in the corporate network with the data center, WAN, and Internet. In addition to the high-speed connectivity service, the campus network, with its direct interaction with end users and devices, provides a rich set of services, such as Power over Ethernet (PoE), secure access control, and traffic monitoring and management. The Cisco Enterprise Campus 3.0 architecture provides an overview of the campus network architecture and includes descriptions of design considerations, topologies, technologies, configuration design guidelines, and other factors relevant to the design of a highly available, full-service campus switching fabric. As with the WAN, the opaqueness of display protocols can be a challenge for traditional campus networks. A Cisco VXI campus network can use Cisco Catalyst® switches to provide security and availability functions. This capability allows some desktop virtualization traffic types to be characterized and secured based on log-in characteristics.
Branch-Office Network

A remote branch office is an enterprise-controlled environment. Cisco VXI branch offices typically deploy a Cisco branch-office router to enable services such as Cisco WAAS, IP telephony gateways, Cisco Unified Survivable Remote Site Telephony (SRST), and others that enhance desktop virtualization. The primary challenge in the delivery of hosted virtual desktops to branch offices is making sure that the WAN provides adequate performance to meet end-user experience expectations. When hosted virtual desktops are delivered over the WAN, the end user has to cope with limited WAN bandwidth, latency, and packet loss. In a branch office, the Cisco WAE appliance is connected to the local router, typically a Cisco Integrated Services Router (ISR). The branch-office Cisco WAAS deployment, together with the data center Cisco WAAS deployment, offers a WAN optimization service through the use of intelligent caching, compression, and protocol optimization. When end users access the virtual desktops through the connection broker, Cisco WAAS compresses the response and then efficiently passes it across the WAN at high speed and with little bandwidth use. Commonly used information is cached at both the Cisco WAAS solution in the branch office and in the data center, which significantly reduces the burden on the servers and the WAN.
Teleworkers

Teleworkers can be either fixed or mobile. A fixed teleworker uses a solution such as Cisco Virtual Office, which provides secure, rich network services to workers outside the traditional corporate office, including executives, contractors, and home workers. Cisco Virtual Office delivers extensible data, voice, video, and applications to create a complete office environment. The Cisco VXI architecture supports the use of virtualized endpoints, with users accessing virtual desktops through VPN tunnels. Cisco Unified Personal Communicator can be installed in the virtual desktop and can control the user’s desktop IP phone. Cisco VXI also supports mobile teleworkers connecting to their virtual desktops securely from any endpoint running Cisco AnyConnect™ Secure Mobility Client.

Cisco VXI Virtualized Workplace
Desktop virtualization enables highly mobile end users to access corporate data and applications from a wide range of thin, thick, and zero clients. The endpoint can be chosen from an ever-expanding list of devices, including smart phones, tablet computing platforms, and laptop and desktop computers, spanning a multitude of operating systems. With Cisco VXI, the enterprise can now offer a consistent user experience across multiple devices. Employees can access their desktop environments from different endpoints during the day: a desktop computer while working from headquarters, a thin-client endpoint when visiting a remote branch office, a mobile smart phone while traveling, and a tablet when moving about the enterprise. Even if working from home, an employee can be provided with the means to attach to the enterprise through the use of a personal computer and a VPN client (Figure 7).
Figure 7 Cisco VXI Virtualized Workplace
[Figure labels: Campus Endpoints; Campus; Branch Endpoints; Branch Office; Mobile Teleworker Endpoint; Mobile Teleworker; Fixed Teleworker Endpoint; Fixed Teleworker]

Endpoint devices can be characterized as zero clients, thin clients, or thick clients. Zero clients are relatively simple, limited-function devices with operating systems that are not exposed to the end user. These devices rely heavily on the capabilities in their hosted virtual desktops. The embedded OS makes the zero-client endpoint inherently more secure than other options. Task workers are the primary users of these devices. Thin-client devices are more feature rich than zero clients and are usually customizable. Thin-client devices offer more capability and greater flexibility. Thin-client endpoints are usually customized by system administrators and then locked down. Thin clients are most often used by power users who need, in addition to basic access, features such as streaming video. Thick-client devices are desktop or laptop computers running a standard OS, but with thin-client-type software installed as an application. Thick-client devices allow users to work offline and are often the choice of mobile users. Cisco VXI is designed to provide the greatest possible flexibility in terms of endpoint selection. Cisco VXI is ecosystem based, with an open and technology-agnostic approach to client selection (Figure 8).

Figure 8 Cisco VXI Endpoints
[Figure labels: Virtualized Workplace; Cisco Clients (Zero Client & IP Phone, Thin Clients, Cius Business Tablets, Tandberg Endpoints); Ecosystem Thin Clients]

Cisco VXI Rich Media
In enterprises today, rich media is critical for business productivity. Rich media incorporates everything from content-rich web pages with embedded video content to collaboration and social web applications. The type of content could include Adobe Flash media, audio, video on demand (VoD), voice over IP (VoIP), application streaming and more. However, in a desktop virtualization environment, rich media can consume considerable processor, memory, storage, and network resources. While high-performance, scalable computing capabilities and effective storage technologies can help ease the pressure, transporting rich media across the network has remained a challenge for many organizations. The Cisco VXI architecture incorporates a wide range of tools and techniques for efficiently handling rich media. The most powerful of these tools is Cisco WAAS, which employs advanced compression techniques to conserve bandwidth (up to 3X reduction) and optimize traffic flows (Figure 9). Cisco VXI also uses network-based QoS features to differentiate rich media streams. While display protocols do hide traffic from the network to a degree, enterprises can use the DSCP marking capabilities in Cisco network infrastructure products, along with Cisco IOS Software queuing techniques, to provide preferential treatment for rich media traffic. Moreover, Cisco VXI can easily adapt to new products and technologies that may provide even greater granularity and control over virtual desktop traffic. For example, Cisco WAAS and related Cisco rich media services can be combined with emerging technologies such as HDX and Multimedia Redirection (MMR) being brought to market by ecosystem partners such as Citrix and VMware. Both of these technologies are designed to optimize delivery of rich media in the display protocol.

Figure 9 Cisco WAAS for Rich Media
[Figure labels: Video Source; Branch Office; Branch Router; Edge Router; WAN Optimization; Branch Office Cisco WAE; Data Center Cisco WAE; Virtualized Data Center; "End-users see pixelization as media is rendered from the data center"; "End-users experience no pixelization"]

Cisco VXI enables end users to make and receive voice or video calls through their virtualized desktops running Cisco Unified Personal Communicator. Cisco Unified Personal Communicator, in effect, becomes the controller for the user’s local IP desk phone. In this scenario, the control traffic flows from the end user to the virtual desktop, but the actual media traffic flows directly from phone to phone. IP phones in branch offices can communicate with each other, without needing to run the voice and video traffic through the virtual desktop. This separation of control and media planes also allows the network to apply QoS functions, call admission control, and path optimization for the media traffic.

Cisco VXI Security
Desktop virtualization is inherently more secure, as data and applications actually reside in the data center rather than on the end-user device. Desktop virtualization thus provides protection against data leakage and data loss due to theft or damage. However, desktop virtualization also introduces several security challenges that potentially extend from the data center to the end user. In the data center, enterprises now have to contend with controlling access to, and between, the virtual resources that reside on physical servers. Virtual desktop addresses, for example, can be dynamic and require the same level of surveillance as a desktop device outside the data center's infrastructure. The Cisco VXI architecture employs an intelligent Layer 2 virtual switch, such as the Cisco Nexus 1000V Switch (Figure 10), within the virtual machine group. This switch helps ensure that security policies follow each virtual machine throughout its lifecycle, and it provides the same protections for virtual machines as a physical switch provides for physical devices. Similarly, security boundaries must be respected and enforced within the virtual machine group. By routing traffic from the Cisco Nexus 1000V to the data center aggregation layer, enterprises can create a firewall security checkpoint that enforces policies based on IP addresses and access control lists. At the data center aggregation layer, Cisco Nexus switches and Cisco ASA security devices can be deployed to make appropriate routing and access decisions based on common security policies.

Figure 10 Cisco Nexus 1000V Virtual Switch
[Figure labels: VM (four instances); Cisco Nexus 1000V VEM; Hypervisor; Server; Cisco Nexus 1000V VSM; Physical switches]

Throughout the rest of the network, the primary objectives are to authenticate users and to protect data traveling between the data center and the end user. For client authentication, IEEE 802.1x is the preferred solution, but MAC authentication bypass (MAB) can also be used. Beyond the authentication of the device as a network entity, devices should be monitored for continued authenticity as close to their access point as possible. This is accomplished with network-based port security measures such as Dynamic Host Configuration Protocol (DHCP) snooping, dynamic Address Resolution Protocol (ARP) inspection, and IP source guard. Branch offices belong to the corporate security domain, but are separated from it by WAN links. To protect data traveling between branch-office and corporate locations, Cisco VXI uses IP Security (IPsec) encryption between data center and branch-office routers. These tunnels can be deployed by using certificates or preshared passwords to authenticate the tunnel endpoints. This approach encrypts the Cisco VXI data between the two locations to reduce the likelihood that data will be compromised in transit. The branch office likewise should employ the proper authentication measures and use network-based infrastructures like those mentioned here. Teleworkers can use Cisco’s award-winning VPN technology to connect to the enterprise network across the Internet. The mobile teleworker typically uses Cisco AnyConnect VPN Client 2.5 to connect with a VPN security appliance (like the Cisco ASA) at the network edge, where the user will be authenticated. The user’s virtual desktop data will be fully protected as it traverses the Internet in an encrypted VPN tunnel. This technology can also be deployed for traffic traversing a managed WAN.
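
The three port-level checks named above share one mechanism: DHCP snooping learns which address was leased on which access port, and dynamic ARP inspection and IP source guard then compare each frame against that table. The Python model below is an added example, not Cisco code or part of the original document; the class name AccessSwitch, the port names, VLAN 10, and all MAC and IP addresses are constructed for illustration.

```python
"""Model of the access-port checks: DHCP snooping, dynamic ARP inspection (DAI)
and IP source guard. Added illustration, not vendor code. Ports, VLANs, MAC and
IP addresses are constructed sample values taken from documentation ranges."""

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}  # DHCP messages only a server sends


class AccessSwitch:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)  # uplinks toward the legitimate DHCP server
        self.pending = {}                  # client MAC -> (vlan, port) awaiting an ACK
        self.bindings = {}                 # (vlan, port) -> {(mac, ip), ...}

    def dhcp(self, port, vlan, msg_type, src_mac, chaddr, yiaddr=None):
        """DHCP snooping: filter DHCP messages and learn bindings from ACKs."""
        if msg_type in SERVER_MESSAGES:
            if port not in self.trusted:
                return "drop: DHCP server message on untrusted port"
            if msg_type == "ACK" and chaddr in self.pending:
                # Bind the leased address to the port the request came in on.
                client_vlan, client_port = self.pending.pop(chaddr)
                self.bindings.setdefault((client_vlan, client_port), set()).add(
                    (chaddr, yiaddr))
            return "forward"
        if port not in self.trusted:
            # Client message: the frame's source MAC must equal the DHCP chaddr.
            if src_mac != chaddr:
                return "drop: frame source MAC differs from DHCP client address"
            self.pending[chaddr] = (vlan, port)
        return "forward"

    def _bound(self, port, vlan, mac, ip):
        return (mac, ip) in self.bindings.get((vlan, port), set())

    def arp(self, port, vlan, sender_mac, sender_ip):
        """DAI: ARP sender fields on untrusted ports must match a binding."""
        if port in self.trusted or self._bound(port, vlan, sender_mac, sender_ip):
            return "forward"
        return "drop: ARP sender not in binding table"

    def ip_packet(self, port, vlan, src_mac, src_ip):
        """IP source guard (IP and MAC mode): source must match a binding."""
        if port in self.trusted or self._bound(port, vlan, src_mac, src_ip):
            return "forward"
        return "drop: source address not in binding table"


def run_scenario():
    """Replay constructed events and return (label, verdict) pairs."""
    sw = AccessSwitch(trusted_ports={"Te1/1"})
    client = "00:00:5e:00:53:01"   # thin client on Gi1/0/5
    other = "00:00:5e:00:53:66"    # host on Gi1/0/9 that never obtained a lease
    server = "00:00:5e:00:53:fe"   # DHCP server reached through uplink Te1/1
    return [
        ("client DHCP REQUEST",
         sw.dhcp("Gi1/0/5", 10, "REQUEST", client, client)),
        ("server ACK on uplink",
         sw.dhcp("Te1/1", 10, "ACK", server, client, "192.0.2.25")),
        ("DHCP OFFER from access port",
         sw.dhcp("Gi1/0/9", 10, "OFFER", other, client, "192.0.2.200")),
        ("ARP from bound client",
         sw.arp("Gi1/0/5", 10, client, "192.0.2.25")),
        ("ARP claiming gateway IP",
         sw.arp("Gi1/0/9", 10, other, "192.0.2.1")),
        ("IP packet with borrowed source",
         sw.ip_packet("Gi1/0/9", 10, other, "192.0.2.25")),
        ("IP packet from bound client",
         sw.ip_packet("Gi1/0/5", 10, client, "192.0.2.25")),
    ]


if __name__ == "__main__":
    for label, verdict in run_scenario():
        print(f"{label:32} -> {verdict}")
```

Because the bindings come only from server replies seen on trusted ports, a host that configures an address statically has no binding, and both dynamic ARP inspection and IP source guard drop its traffic unless a static binding is added.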

Cisco VXI Performance Acceleration
Cisco VXI includes a number of performance-enhancing technologies and features. In the data center, Cisco Extended Memory Technology increases user density (50 percent more virtual machines) and improves application performance by up to 43 percent. The Cisco Application Control Engine (ACE) supports SSL offload on behalf of connection brokers to reduce their processor load by up to 50%. Cisco Unified Fabric provides a cohesive, scalable, and intelligent data center infrastructure that supports the storage throughput and I/O operations per second (IOPS) necessary for high application responsiveness during peak demand periods.


In addition, Cisco WAAS improves performance (including video) by two to seven times. Cisco WAAS, also a critical component of Cisco VXI Rich Media Services, accelerates the delivery of virtual desktops to remote users, increases the number of users that can be effectively supported over the WAN, lowers IT costs, and improves the overall user experience. Cisco WAAS optimizes desktop virtualization display protocols such as ICA and RDP by mitigating latency and reducing bandwidth requirements. The solution employs advanced compression and DRE to dramatically reduce the number of redundant packets traversing the network, which conserves bandwidth while improving application performance. Cisco WAAS supports transport flow optimization (TFO) for improved throughput and reliability, and application-specific accelerators for a broad range of application protocols. A special use case for Cisco WAAS involves remote users sending requests to a local printer. In a desktop virtualization environment, the print request may be initiated locally, but it is actually processed in the data center in which the virtual desktops and print servers are located. The print job delivered to the user’s local printer travels outside the display protocol as it crosses the network (see Figure 11). Cisco WAAS can optimize this traffic to reduce the effect of print jobs on network operations.
Figure 11 Cisco WAAS Printing Optimization
[Figure labels: Network printer; Branch office router; Branch office Cisco WAE; Display protocol; WAN acceleration for display protocol; WAN acceleration for print job; Edge Router; Data Center Cisco WAE; Hosted Virtual Desktop; Print Job; Print server]

Cisco VXI High Availability
Today’s network is more strategic than ever. Maintaining application uptime and availability has become essential for IT departments. Nearly all mission-critical applications require transparent failover if parts of the system become unresponsive. Therefore, resilient network design should be considered throughout the network. Network resiliency can be achieved by designing with redundancy technologies, redundant devices, and redundant links. Server uptime is also important in helping prevent lost productivity and helping ensure that users can access their virtual desktops without any interruptions. Desktop virtualization systems must be able to detect failures of a connection broker or virtual desktop and dynamically mitigate these failures. Cisco VXI high-availability services use load-balancing technology to enhance the availability and scalability of desktop virtualization environments. Load balancers such as the Cisco ACE can help ensure that connections are distributed evenly across connection brokers, with failed or inaccessible servers automatically excluded. Cisco ACE is typically deployed in pairs at the aggregation layer in data center networks, where it monitors the health of connection brokers and processes client requests and server responses. Cisco ACE also provides session persistence on behalf of client IP addresses. Cisco ACE can be deployed either as a standalone appliance (Cisco ACE 4710) or as a network module in a device such as the Cisco Catalyst 6500 Series Switches. After the connection broker has assigned a virtual desktop to an end user, subsequent display protocol traffic bypasses the Cisco ACE. Another important Cisco ACE capability, from a Cisco VXI perspective, is that the device can be partitioned into multiple logical devices. Cisco ACE virtualization enables IT administrators to create separate, individual load-balancing contexts for different DV solutions. Cisco ACE can be used to load balance connection brokers deployed in direct or tunneled modes. In direct mode, the broker is only used to set up a connection between a user and a virtual desktop agent. Once the connection is established, subsequent traffic flows directly between the end point and the virtual desktop. In tunneled mode, all traffic flows through the connection broker. Tunneled mode can provide enhanced security, but also increases processor overhead. Figure 12 shows the Cisco ACE deployed in a direct mode environment. Traffic from the client to the connection broker is load-balanced by Cisco ACE, while display traffic from client to the virtual desktop does not flow through the broker and is therefore not load-balanced.
Figure 12 Cisco ACE Load Balancing
[Figure labels: Cisco ACE; Connection Brokers; Cisco UCS; VM]

Cisco VXI Energy Efficiency
Cisco VXI increases energy efficiency in desktop virtualization environments. The Cisco Unified Computing System, for example, supports a greater virtual machine density per blade than other solutions, resulting in less power consumed and lower cooling costs per virtual machine. The unified fabric deployed in the data center enables a dramatic reduction in network adapters, blade-server switches, and cabling, which improves performance and reduces the number of devices that have to be powered and cooled. Cisco networking products now support cost-effective PoE, and Cisco EnergyWise services are implemented across Cisco’s routing and switching portfolio. Cisco EnergyWise services provide measurement, monitoring, and control of energy use by network and network-attached IT devices. Collectively, these services enable organizations to significantly reduce energy consumption and environmental impact.

Cisco VXI Location Awareness
Many enterprises need to restrict user access to corporate resources on the basis of factors such as location or time of day. A financial trading firm, for example, may want to allow access to email and basic applications to any employee, anywhere, but to allow access to customer trading accounts only when an employee is on premises. Cisco VXI provides the services needed to tailor access according to location. The Cisco Secure Access Control System (ACS), for example, can apply rule-based policies to control user access based on identity or on other factors such as time of day, location, or access type. The Cisco Mobility Services Engine (MSE) platform supports context-aware networking and provides the capability to track wired and wireless network devices. Cisco VXI enables organizations to extend access to more users in more places, while maintaining compliance with corporate policy.
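The trading-firm scenario above, modelled as an ordered rule list with a default deny. This is an added illustration, not Cisco ACS configuration or API; the rule names, group names, location labels and the overnight settlement-console rule (included to show a time-of-day condition) are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    group: str                 # identity group of the authenticated user
    resource: str              # what the user is trying to reach
    location: Optional[str]    # "on-premises", "remote", or None if unknown
    at: time                   # local time of the request


@dataclass(frozen=True)
class Rule:
    name: str
    groups: frozenset
    resources: frozenset
    locations: Optional[frozenset] = None        # None = any location
    window: Optional[Tuple[time, time]] = None   # None = any time of day

    def matches(self, req: Request) -> bool:
        if req.group not in self.groups or req.resource not in self.resources:
            return False
        # A rule that names locations never matches an unknown location.
        if self.locations is not None and req.location not in self.locations:
            return False
        return in_window(req.at, self.window)


def in_window(t: time, window: Optional[Tuple[time, time]]) -> bool:
    """True if t falls in [start, end); handles windows that wrap midnight."""
    if window is None:
        return True
    start, end = window
    if start <= end:
        return start <= t < end
    return t >= start or t < end


# Constructed policy for the page's trading-firm example. Every rule permits;
# anything that matches no rule is denied.
RULES = [
    Rule(name="basic-apps-anywhere",
         groups=frozenset({"employee", "operations"}),
         resources=frozenset({"email", "basic-apps"})),
    Rule(name="trading-on-premises",
         groups=frozenset({"employee"}),
         resources=frozenset({"trading-accounts"}),
         locations=frozenset({"on-premises"})),
    # Assumption, not from the page: an overnight window that wraps midnight.
    Rule(name="settlement-overnight",
         groups=frozenset({"operations"}),
         resources=frozenset({"settlement-console"}),
         locations=frozenset({"on-premises"}),
         window=(time(22, 0), time(2, 0))),
]


def evaluate(rules, req: Request):
    """Return (decision, rule_name); the first matching rule wins."""
    for rule in rules:
        if rule.matches(req):
            return ("permit", rule.name)
    return ("deny", "default-deny")


if __name__ == "__main__":
    samples = [
        Request("employee", "email", "remote", time(23, 0)),
        Request("employee", "trading-accounts", "on-premises", time(10, 0)),
        Request("employee", "trading-accounts", "remote", time(10, 0)),
        Request("employee", "trading-accounts", None, time(10, 0)),
        Request("operations", "settlement-console", "on-premises", time(1, 30)),
    ]
    for s in samples:
        print(s, "->", evaluate(RULES, s))
```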

Cisco VXI Mobility
Cisco recognized long ago that networks needed to accommodate mobile users, and Cisco has delivered a wide range of mobility products and technologies, including wireless network infrastructure, mobile routers, Cisco IOS Mobile IP, intelligent roaming, and an adaptive wireless intrusion prevention system (IPS). The Cisco AnyConnect VPN Client enables PCs to establish VPN connections with the corporate network. More recently, Cisco CleanAir Technology delivered silicon-level intelligence to create a self-healing, self-optimizing wireless infrastructure that reduces the effect of radio-frequency (RF) interference. Cisco provides many tools for extending enterprise networks to support employees on the move.

Cisco VXI Policy
Policy services can encompass a wide range of capabilities, but in the context of desktop virtualization they refer primarily to QoS functions for traffic handling. QoS functions are critical to providing users with the high-quality experience to which they are accustomed. As previously noted, however, QoS in a virtualized environment presents challenges. Display protocols are often proprietary and encrypted, making their contents opaque to the network. Another complication is that a single desktop virtualization session may transport data for multiple applications at the same time, with no effective way to prioritize one application’s traffic over another. In the near term, satisfactory results can be achieved by configuring the Cisco network to perform hardware-based DSCP marking and forwarding traffic on the basis of these values.

Managing the Cisco VXI Environment
An end-to-end Cisco VXI deployment requires a comprehensive management architecture that provides the capability to provision, monitor, and troubleshoot the service for a large number of users on a continuous basis. The task of managing a Cisco VXI system is a challenge given the number of hardware and software components in the overall system (for example, campus, branch office, and Internet). These components provide services (for example, desktop virtualization, network, storage, computing, security, load-balancing, WAN acceleration, and unified communications services) to both end users (local and remote) and administrators. The administrators are expected to manage different technologies and services (for example, to perform network, storage, database, and desktop administration). The main features of the Cisco VXI management architecture include:



Operations management - the process of monitoring the status of every element and its components and performing diagnostic testing. It includes the use of Simple Network Management Protocol (SNMP), syslog, and XML-based monitoring of elements as well as the use of HTTP-based interfaces to manage devices. It also includes endpoint and virtual desktop inventory and hardware and software asset management.

Service management - the process of monitoring and troubleshooting the status and quality of experience (QoE) of user sessions. It includes the use of packet capture and monitoring tools such as Cisco Network Analysis Module (NAM), NetFlow, and Wireshark to monitor a session. It also enables the desktop virtualization administrator to remotely access the endpoints and virtual desktops to observe performance and collect data (bandwidth and latency measurements). It includes the capability to measure computing, memory, storage, and network resource utilization in real time to identify bottlenecks or causes of service degradation. Session detail records for a virtual desktop session can help administrators diagnose any connection failures or quality problems.

Service statistics management - the process of collecting quality and resource use measurements and generating reports that can be used for operations, infrastructure optimization, and capacity planning. Measurements can include session volume, service availability, session quality, session detail records, resource utilization, and capacity across the system. The reports can be used for billing purposes and to manage service levels.

Provisioning management - the process of provisioning end users, virtual desktops, and endpoints using batch provisioning tools and templates. It can involve vendor-provided APIs (for instance, XML) that can be used for scripting, automation, and self-service provisioning. It includes software image and application management on endpoints and virtual desktops.







Conclusion
Cisco VXI is a comprehensive, end-to-end virtualization architecture. It facilitates rapid deployment of desktops and improves control and security by improving visibility at the virtual machine level. It also offers the industry’s lowest TCO. Cisco VXI integrates rich media and network services to improve performance and application response. Its modular, ecosystem-based architecture preserves customer flexibility and helps ensure long-term alignment with the industry. With Cisco VXI, customers can deploy a solution that enables agile and efficient service provisioning, provides personalized and pervasive user interactions, and creates a more open environment while increasing IT control.

For More Information
Cisco Virtual Experience Infrastructure Validated Design http://www.cisco.com/en/US/docs/solutions/Enterprise/Data_Center/VXI/CVD/VXI_DG.html

