Lippis Report 193: Networking Essential to a Successful Virtualized Desktop Project
While IT business leaders have been busy virtualizing servers into ever more dense data centers, virtual desktop infrastructure or VDI options and deployments continue to expand and gain market share during the current business cycle. According to ABI Research, the worldwide market for hosted virtual desktops is forecast to grow from about $500 million in 2009 to a cumulative total of nearly $5 billion in 2016.
While the VDI growth rate is impressive, it still hasn’t crossed the chasm to widespread adoption. It’s not because there is a lack of VDI solutions from companies such as Citrix (XenDesktop), Microsoft (VDI/RemoteFX), Quest (vWorkspace) and VMware (View), plus a host of thin and zero client devices. And it’s not because VDI lacks a strong value proposition, rooted in TCO as much as 80% lower than thick clients or PCs/laptops, as well as far lower energy consumption. And it’s not because tablets have been remiss in the VDI market. Au contraire, since the introduction of Apple’s iPad, companies like Citrix, Red Hat, Virtual Bridges and VMware have enabled hosted virtual desktops on iPads, prompting Microsoft to add an optional Companion Device License (CDL) to the existing Software Assurance (SA) volume licensing agreement for Windows 8.
The main reason VDI is still crossing the chasm is that most forget how strategic the enterprise network is in delivering an excellent and secure VDI experience, and have not prepared the network to optimally address completely new traffic patterns and to handle voice and video. For Cisco’s installed base, the good news is that Cisco’s Virtualization Experience Infrastructure (VXI) architecture ensures an excellent user experience with voice and video, thanks to virtual desktop performance and security features that are already embedded in its networking products. In this Lippis Report Research Note, we explore Cisco’s VXI approach to successfully deploying and scaling virtual desktop deployments.
The virtual desktop market is vibrant, with a range of solutions from many suppliers. The basic infrastructure consists of a client, be it a PC/laptop running client software or a thin, zero or mobile client, and a display protocol, such as PC over IP (PCoIP), ICA or RDP, that transports the display payload between clients and desktop virtualization software, usually running on a virtual machine. Between clients and hosted virtual desktops sit connection brokers that manage connection requests from clients to desktop virtualization software and provide an injection point for policy and application access enforcement. Most organizations’ virtual desktop deployments also utilize Application Delivery Controllers (ADCs) for server load balancing as well as client-side SSL termination plus server-side SSL initiation and/or HTTP presentation.
The Network Is the Critical Path to Virtual Desktop Success
With a straightforward architecture and excellent value proposition, why then do many virtual desktop pilots fail to move into production environments? Why haven’t virtual desktops crossed the chasm? The primary reason is that many IT planners don’t factor network requirements into their VDI design. Consider that migrating to a virtual desktop introduces the network between user and desktop. That is, the network needs to respond to user-virtual desktop interactions within 150 milliseconds—the time it takes for a single human reflex blink—to assure an excellent user experience. Clearly, good user experience is critical to maintaining productivity. Therefore, it is important to think through network requirements during virtual desktop environment planning, as VDI is so dependent upon the network to deliver a secure, excellent user experience.
Further, virtual desktop implementations tend to change traffic patterns too, as applications are hosted in data centers with clients being served via a display protocol throughout an organization, be it remote, campus, branch, home, mobile, etc. But most virtual desktop planning is focused upon data center compute and storage I/O scaling plus client model selection. VDI design should be approached in the same way as unified communications (UC) and video communications projects. With nearly 50 million UC users, according to Frost & Sullivan, and video traffic approaching some 90% of overall internet traffic, it’s safe to say that most corporations have a combination of UC and video traffic flowing across their network. In fact, for those firms that have deployed UC and/or video communications and have virtualized their data centers, the chances are very high that the enterprise network already contains the network services needed to deliver an excellent virtual desktop user experience. In other words, most, if not all, network services are already available to IT as they plan their VDI project; they just need to know how to apply them.
Key Network Services for Successful Virtual Desktop Deployments
There are particular virtual desktop implementation problems that are solved best within the network. For example, approximately 55% of the employee population is found in branch offices, which are often served by high latency, low bandwidth links. Networking firms have solved this problem for UC and video communications with Quality of Service (QoS), high availability and bandwidth management for some time now, and these services can be extended to virtual desktops. Application optimization in these environments utilizes L4-7 services such as WAN optimization and ADC, which again can and should be applied to virtual desktop deployments. To gain visibility into application flows, NetFlow, IP SLA and routing techniques such as Cisco’s Performance Routing (PfR) have been and should be utilized for virtual desktops. Scaling virtual desktops is mainly focused in the data center, where vSwitches and virtualized L4-7 services offer unique scale attributes.
What is fundamental is that networking spans an entire organization, and its unique network services can be put to use for all virtual desktop use cases, such as call center agents, task workers, knowledge workers, medical imaging, etc., distributed throughout an enterprise, be it a branch office, home worker, campus employee, mobile worker or the data center. The same network services put in place for desktop and mobile computing, such as security, can be put to work for virtual desktops too. Once an IT business leader’s portfolio of supported endpoints includes desktop, mobile and virtual, she/he is in a position to manage migration among and between each based upon user requirements, cost, etc.
No other networking company has the breadth of expertise to accelerate virtual desktop adoption like Cisco. Cisco’s VXI is a superset of VDI and integrates and extends proven Cisco architectures for data centers, borderless networks and collaboration to provide a comprehensive system for deploying virtual desktops across the enterprise. We’ll focus on unique aspects of Cisco’s VXI in the form of five best practices for virtual desktop deployment.
Split Display Protocol from Media Traffic at Desktop Client: Cisco’s VXI solution supports the splitting of voice and video media traffic from the display protocol. This is one of the most important attributes of Cisco’s VXI. Once signaling and rich media traffic is separated from the display protocol at the client, the network can then utilize all its network service resources for rich media traffic to deliver an excellent experience.
Without splitting, voice communications between two employees in a branch office would have to traverse the WAN to the data center and then travel back down to the branch office for the duration of the session; this is called the hairpin effect, as voice and video are tunneled through the display protocol. In short, WAN bandwidth is heavily consumed, virtual machine processing suffers and performance is severely compromised. The hairpin effect is mitigated by the separation of display protocol and voice and video traffic at the client, so that voice and video communications flow outside of the display protocol and through the network, where QoS, Call Admission Control (CAC) and other network services are applied.
In essence, the voice and video traffic are treated just as they are in a non-VDI environment; only with Cisco VXI, they terminate on desktop clients as an integrated solution. Splitting is achieved through a range of options, including devices that plug into IP phones, such as Cisco’s VXC 22xx and 21xx zero clients, thin/zero clients such as the Cisco VXC 6215 thin client, software appliances that reside on thick clients such as the Cisco VXC 4000 PC client, plus a growing number of third-party thin/zero clients.
Utilize Network Services for Virtual Desktops: Two specific network services are to be utilized to enhance the virtual desktop user experience. Those are QoS and Universal Power over Ethernet (UPOE), which delivers 60W of PoE power.
After voice/video signaling such as SCCP (Skinny Call Control Protocol) and SIP (Session Initiation Protocol) has been separated from the display protocol, QoS can be applied to individual flows: display protocols (ICA/RDP/PCoIP), telephony signaling, telephony media such as RTP (Real-Time Transport Protocol) and SRTP (Secure RTP), and the most common network print traffic for locally attached printers. These flows can be prioritized and optimized based upon requirements.
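To make the per-flow treatment concrete, here is an added classification example (not code from the Lippis Report or from Cisco): it sorts flows of the kinds named above into QoS classes and DSCP markings once voice/video media has been split out of the display protocol. The port numbers are the protocols’ well-known defaults; the class-to-DSCP mapping follows common RFC 4594 and Cisco guidance, the RTP port range is Cisco’s default, and the handling of RTP payload types is an assumption made for the example.

```python
"""Constructed example: classify VDI-related flows into QoS classes and DSCP marks.
Ports are well-known defaults; the DSCP mapping (voice EF, video AF41, signaling CS3,
display protocol AF21, print AF11) is a common recommendation, assumed here."""
from dataclasses import dataclass
from typing import Optional

# DSCP code points (RFC 2474 / RFC 2597 / RFC 3246)
EF, AF41, CS3, AF21, AF11, DF = 46, 34, 24, 18, 10, 0

# Well-known ports for the protocols the report lists
SIGNALING = {("tcp", 2000), ("tcp", 5060), ("udp", 5060), ("tcp", 5061)}   # SCCP, SIP, SIP over TLS
DISPLAY = {("tcp", 1494), ("tcp", 2598), ("tcp", 3389),                     # ICA, ICA/CGP, RDP
           ("tcp", 4172), ("udp", 4172)}                                     # PCoIP
PRINT = {("tcp", 9100), ("tcp", 515), ("tcp", 631)}                          # raw JetDirect, LPD, IPP
RTP_PORTS = range(16384, 32768)   # Cisco's default RTP/SRTP media port range (assumption)
VIDEO_PT = {26, 31, 32, 33, 34}   # static RTP payload types that carry video (RFC 3551)

# Strict priority order used when draining a queue: voice first, best effort last
PRIORITY = [EF, AF41, CS3, AF21, AF11, DF]


@dataclass(frozen=True)
class Flow:
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    rtp_pt: Optional[int] = None    # RTP payload type when the flow is known to be RTP/SRTP


def classify(flow):
    """Return (class_name, dscp) for a flow; anything unrecognised is best effort."""
    ports = {(flow.proto, flow.src_port), (flow.proto, flow.dst_port)}
    if ports & SIGNALING:
        return ("call-signaling", CS3)
    if ports & DISPLAY:
        return ("vdi-display", AF21)
    if ports & PRINT:
        return ("print", AF11)
    if flow.proto == "udp" and (flow.src_port in RTP_PORTS or flow.dst_port in RTP_PORTS):
        # Static video payload types get the video class; everything else in the media
        # range (audio PTs and dynamic PTs negotiated in SDP) is treated as voice here.
        if flow.rtp_pt is not None and flow.rtp_pt in VIDEO_PT:
            return ("video", AF41)
        return ("voice", EF)
    return ("best-effort", DF)


def tos_byte(dscp):
    """DSCP occupies the upper six bits of the IP ToS / Traffic Class byte; ECN bits are zero."""
    return (dscp & 0x3F) << 2


def egress_order(flows):
    """Order a batch of flows the way a strict-priority scheduler would drain them."""
    return sorted(flows, key=lambda f: PRIORITY.index(classify(f)[1]))


if __name__ == "__main__":
    # Constructed sample flows: a PCoIP session, a G.711 voice call, an H.263 video
    # call, SCCP signaling and a print job to a local printer.
    sample = [
        Flow("tcp", 52001, 4172),
        Flow("udp", 20000, 20010, rtp_pt=0),
        Flow("udp", 20002, 20012, rtp_pt=34),
        Flow("tcp", 40001, 2000),
        Flow("tcp", 40002, 9100),
    ]
    for f in egress_order(sample):
        name, dscp = classify(f)
        print(f"{name:14s} dscp={dscp:2d} tos=0x{tos_byte(dscp):02X}  {f}")
```

In a real deployment the equivalent policy lives in the switch or router QoS configuration (class maps matching these ports and policy maps setting the DSCP); the point of the model is that the voice and video flows only become separately markable because they no longer ride inside the display protocol.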
In addition to QoS, UPOE, the ability to power certain thin/zero clients from Ethernet switches such as Cisco’s Catalyst 4500E, is available, which lowers power consumption and increases power management control. Currently, Cisco VXC and LG clients can be powered through Cisco UPOE with a splitter. Samsung clients can also be powered over UPOE natively.
Scaling VXI Deployments: In addition to compute capacity and storage I/O, scaling virtual desktop deployments is accomplished in the data center by increasing connection broker capacity, which is done by load balancing a large number of client connections across some number of connection brokers. Note that most connection brokers run on top of VMs; therefore offloading server tasks also contributes to scaling broker capacity to service a large number of connections.
From a networking perspective, two L4-7 (Layer 4-7) services ease VDI scaling: ADC or load balancing, and WAN optimization. Cisco’s products are its ACE (Application Control Engine) and WAAS (Wide Area Application Services). ACE provides load balancing for connection brokers and offloads SSL processing. Note that offloading SSL processing can save 50 to 70% of server CPU utilization. In addition, ACE minimizes the impact of login storms. WAAS delivers advanced compression and application optimization, which is critical to delivering an excellent VDI user experience, especially for branch office and remote users, by reducing latency. In addition, WAAS’s advanced compression delivers more simultaneous virtual desktop and virtual application connections over the WAN. ACE provides the means to dramatically scale broker capacity, which immediately scales the overall VDI environment.
As virtual desktop components in the data center nearly all reside in the virtualization domain, being able to deliver virtualized L4-7 services is both more economical and more flexible. To address this, the virtualized version of WAAS is vWAAS; in conjunction with the Nexus 1000V vSwitch and vPath, WAAS services can be delivered in the path of traffic, off the path of traffic, as well as in VM-based deployments.
Securing Virtual Desktops: What many IT leaders don’t recognize is that a virtual desktop or virtual application deployment brings potential layer 2 threats into the data center. Cisco’s Catalyst switches support Cisco-integrated security features or CISF, which have been mitigating this category of threats in campus and branch office networks for years.
For example, CISF supports DHCP (Dynamic Host Configuration Protocol) snooping, which protects against server spoofing and man-in-the-middle (MITM) attacks and, when applied in the data center, helps prevent a VM from acting as an unauthorized DHCP server. Dynamic ARP Inspection (DAI) adds security to ARP (Address Resolution Protocol) by validating ARP requests and responses against the DHCP snooping binding table, which, when applied in the data center, helps prevent ARP-poisoning based MITM attacks. IP Source Guard (IPSG) prevents IP host spoofing by filtering traffic on vEthernet interfaces and permitting only traffic whose IP and MAC addresses match a binding (DHCP or static). IPSG, when applied in the data center, helps prevent a VM from spoofing the IP address of another VM. The Cisco Nexus 1000V, as well as the Nexus physical switches, supports DHCP snooping, Dynamic ARP Inspection and IP Source Guard, which brings these layer 2 defenses to the virtualized data center environment. Further, Cisco’s Virtual Security Gateway (VSG) provides firewall services to virtualized desktop and application traffic in the data center.
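The three features above build on one another: DHCP snooping populates a binding table, DAI and IPSG consult it. The following is an added model of that relationship (an illustration written for this note, not Cisco’s implementation or configuration): one switch object with a set of trusted ports, a binding table filled only from DHCP acknowledgements seen on trusted ports, and the verdicts DAI and IPSG would give for frames on untrusted ports. The interface names, MAC and IP addresses and packet records are constructed for the example.

```python
"""Constructed model of DHCP snooping, Dynamic ARP Inspection and IP Source Guard
on a single switch. Packets are plain dicts built for the example; port names such
as "uplink1" and "veth1" and all addresses are made up."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Binding:
    mac: str
    ip: str
    vlan: int
    interface: str          # the untrusted port the client lives on


class L2Guard:
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)   # ports where DHCP server traffic is allowed
        self.bindings = {}                  # (vlan, mac) -> Binding: the DHCP snooping table
        self.pending = {}                   # (vlan, mac) -> client port, REQUESTs awaiting an ACK

    def add_static_binding(self, mac, ip, vlan, interface):
        """Static binding for hosts with fixed addresses (the 'static' case in the text)."""
        self.bindings[(vlan, mac)] = Binding(mac, ip, vlan, interface)

    def on_dhcp(self, pkt):
        """DHCP snooping: server messages only from trusted ports; ACKs create bindings."""
        if pkt["msg"] in {"OFFER", "ACK", "NAK"}:
            if pkt["in_if"] not in self.trusted:
                return "drop: DHCP server message on untrusted port (rogue server)"
            if pkt["msg"] == "ACK":
                key = (pkt["vlan"], pkt["chaddr"])
                client_port = self.pending.pop(key, None)
                if client_port is not None:
                    self.bindings[key] = Binding(pkt["chaddr"], pkt["yiaddr"], pkt["vlan"], client_port)
            return "forward"
        # Client message (DISCOVER/REQUEST/RELEASE): frame source MAC must match chaddr
        if pkt["in_if"] not in self.trusted and pkt["src_mac"] != pkt["chaddr"]:
            return "drop: DHCP client MAC does not match chaddr"
        if pkt["msg"] == "REQUEST":
            self.pending[(pkt["vlan"], pkt["chaddr"])] = pkt["in_if"]
        return "forward"

    def on_arp(self, pkt):
        """DAI: on untrusted ports the ARP sender MAC/IP pair must exist in the binding table."""
        if pkt["in_if"] in self.trusted:
            return "forward"
        if pkt["src_mac"] != pkt["sender_mac"]:
            return "drop: DAI ethernet source and ARP sender MAC differ"
        b = self.bindings.get((pkt["vlan"], pkt["sender_mac"]))
        if b is None or b.ip != pkt["sender_ip"]:
            return "drop: DAI sender MAC/IP not in binding table"
        return "forward"

    def on_ip(self, pkt):
        """IPSG: IP traffic on an untrusted port must match a binding for that port."""
        if pkt["in_if"] in self.trusted:
            return "forward"
        b = self.bindings.get((pkt["vlan"], pkt["src_mac"]))
        if b is None or b.ip != pkt["src_ip"] or b.interface != pkt["in_if"]:
            return "drop: IPSG source IP/MAC/port not in binding table"
        return "forward"


def demo():
    """Run a constructed scenario with two VMs on VLAN 10 and return the verdicts in order."""
    sw = L2Guard(trusted_ports={"uplink1"})
    vm_a, vm_b = "00:50:56:aa:aa:aa", "00:50:56:bb:bb:bb"
    v = []
    # 1-2: VM A leases 10.1.1.20 from the real server, reachable via the trusted uplink
    v.append(sw.on_dhcp({"msg": "REQUEST", "in_if": "veth1", "vlan": 10, "src_mac": vm_a, "chaddr": vm_a}))
    v.append(sw.on_dhcp({"msg": "ACK", "in_if": "uplink1", "vlan": 10, "chaddr": vm_a, "yiaddr": "10.1.1.20"}))
    # 3: VM B answers a lease request itself, i.e. acts as an unauthorized DHCP server
    v.append(sw.on_dhcp({"msg": "OFFER", "in_if": "veth2", "vlan": 10, "chaddr": vm_a, "yiaddr": "10.1.1.99"}))
    # 4: VM B sends a gratuitous ARP claiming the gateway address 10.1.1.1
    v.append(sw.on_arp({"in_if": "veth2", "vlan": 10, "src_mac": vm_b, "sender_mac": vm_b, "sender_ip": "10.1.1.1"}))
    # 5: VM A's own ARP matches its binding
    v.append(sw.on_arp({"in_if": "veth1", "vlan": 10, "src_mac": vm_a, "sender_mac": vm_a, "sender_ip": "10.1.1.20"}))
    # 6-7: VM A sources a packet from an address it does not hold, then from its own
    v.append(sw.on_ip({"in_if": "veth1", "vlan": 10, "src_mac": vm_a, "src_ip": "10.1.1.30"}))
    v.append(sw.on_ip({"in_if": "veth1", "vlan": 10, "src_mac": vm_a, "src_ip": "10.1.1.20"}))
    return v


if __name__ == "__main__":
    for i, verdict in enumerate(demo(), 1):
        print(i, verdict)
```

The model shows why the order of deployment matters on a real switch: DAI and IPSG are only as good as the binding table, so DHCP snooping (or static bindings for hosts that do not use DHCP) has to be in place first, and the uplink towards the legitimate DHCP server must be the only trusted port.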
As IT leaders have been implementing context-aware threat mitigation via Cisco’s SecureX framework for thick and mobile endpoints, virtual desktop endpoints can be protected under this same security umbrella via the Identity Services Engine (ISE). SecureX gives SecOps greater visibility of applications and network traffic, and control of network security resources to mitigate exploits faster and more effectively, by providing context-aware security information for the traffic brought on by Bring Your Own Device (BYOD), cloud computing applications and services, plus virtual desktops. Cisco achieves this through its ASA-CX Context-Aware Security capabilities, expanded support for Security Group Tagging (SGT) within TrustSec-enabled devices, and the addition of device profiling functionality in the IOS of its routers, switches and wireless access points. All of this security technology works with ISE—Cisco’s identity and access control policy platform—and is naturally extended to VXI deployments.
VXI Management: VXI management is a combination of Cisco and partner management solutions. This is practical both from an industry structure point of view and for IT organizational design. As virtual desktop deployments are based upon multiple vendors’ technologies, it’s impossible to aggregate a single view or pane of glass depicting the virtualized environment within an enterprise. In fact, most, if not all, IT organizations are not organized to take advantage of a single virtual desktop pane-of-glass management approach. The best approach is to provide the management tools needed by the various IT operational groups, such as networking, applications, virtualization, storage and helpdesk. VXI management provides the components for end-to-end management and visibility, including provisioning, day-to-day management and monitoring, reporting, etc.
The above five best practices offer IT architects a network approach to accelerate virtual desktop deployments. In addition to data center compute and storage scaling requirements for virtual desktops, the enterprise network, too, requires attention to assure a successful virtual desktop implementation. For those firms that are well down the road to UC, video communications and virtualized data center deployments, adding the above best practices should require minimal cost, as most of the network services are already deployed. In addition, those that have deployed Cisco’s UCS will enjoy an additional benefit, as UCS offers the densest virtual desktop deployments in the industry, independent of how they deploy UCS, be it FlexPod with NetApp, V-block or self designed.
Cisco’s VXI offers the unique value proposition of a scalable virtual desktop solution that delivers performance and security at minimal additional cost, allowing IT business leaders to significantly reduce their desktop acquisition and support cost. This is fundamental to the current business cycle: as computing rapidly evolves toward mobile and cloud, IT business leaders can utilize VXI to reduce their legacy computing cost and put those savings toward accelerating strategic mobile and cloud computing plans.