Welcome to IT Infra Nuggets!
By: Daljeet Singh
Topic: VMware NSX
What is VMware NSX?
VMware NSX is the network virtualization and security platform that emerged from an acquisition by VMware. That acquisition launched VMware into the software-defined networking (SDN) and network functions virtualization (NFV) world.
VMware NSX for vSphere
The most talked about and documented version of VMware NSX is purpose-built for vSphere environments and is therefore referred to as NSX for vSphere. It is the version deployed in the large majority of cases (the deck estimates 90%), as it has native integration with other VMware platforms such as vCenter and vCloud Automation Center (vCAC). NSX for vSphere offers logical switching, in-kernel routing, in-kernel distributed firewalling, and edge L4-7 appliances that provide VPN, load balancing, dynamic routing and firewall capabilities.
NSX provides a faithful reproduction of network and security services in software:
• Management: APIs, UI
• Switching
• Routing
• Firewalling
• Load balancing
• VPN
• Connectivity to physical networks
• Policies, groups, tags
• Data security, activity monitoring
NSX Architecture and Components
Cloud Consumption
• Self-service portal
• vCloud Automation Center, OpenStack, custom
Management Plane: NSX Manager
• Single configuration portal
• REST API entry point
Control Plane: NSX Controller
• Manages logical networks
• Control-plane protocol
• Separation of control and data plane
Data Plane: NSX Edge, ESXi hypervisor kernel modules, distributed services
• High-performance data plane
• Scale-out distributed forwarding model
(Diagram: the logical network is built from the Distributed Firewall, Logical Router and Logical Switch; it connects to the physical network through NSX Edge and a hardware VTEP.)
Security Groups and Security Policies: Creating Sophisticated Application Topologies
Logical switching, routing, firewall and load balancing serve both VMs and physical workloads. VMs are placed in security groups (Web, App, Database, Default) and a security policy is applied to each group:
• "Standard Web" (Web group). Firewall: allow inbound HTTP/S, allow outbound ANY. IPS: prevent DoS attacks, enforce acceptable use.
• "Standard App" (App group). Firewall: allow inbound TCP 8443, allow outbound SQL.
• "Standard Database" (Database group). Firewall: allow inbound SQL. Vulnerability management: weekly scan.
• "Default" (Default group). Firewall: access to shared services (DNS, AD). Anti-virus: scan daily.
NSX Data Plane Components
The data plane consists of the Edge clusters, the compute clusters (ESXi hosts with the NSX kernel modules) and the hardware VTEP for physical-to-virtual connectivity.
NSX Edge Services Gateways (Edge clusters)
• VM form factor
• Highly available
• Dynamic routing: OSPF, IS-IS, BGP
• L3-L7 services: NAT, DHCP, load balancer, VPN, firewall
vSphere components (compute clusters)
• vSphere Distributed Switch
• VMkernel modules installed on each ESXi host as VIBs: logical switching (VXLAN), Distributed Logical Router (DLR), Distributed Firewall (DFW)
Hardware VTEP
• ToR switch
• Bandwidth and physical-port scale-out
• VLANs for physical workloads local to a rack
NSX Control Plane Components
NSX Controllers
• Properties: virtual form factor (4 vCPU, 4 GB RAM); data-plane programming; control-plane isolation
• Benefits: scale-out; high availability; VXLAN without a multicast dependency on the physical network; ARP suppression
• Deployed as VMs in a vSphere cluster protected by vSphere HA, with DRS anti-affinity rules so that the controller VMs land on different ESXi hosts
• On each ESXi host a host agent sits between the controllers and the data-path kernel modules
Management Plane Components
NSX Manager
• Runs as a virtual machine, mapped 1:1 to a vCenter Server
• Provisioning and management of the network and network services
• VXLAN preparation
• Logical network consumption
• Network services configuration
• Exposes the NSX REST APIs (consumed by vRA, OpenStack or custom cloud management platforms) and a vSphere Web Client plugin; vCenter exposes the vSphere APIs. Together they give a single pane of glass.
Physical View: VMs in a Single Logical Switch
VM1, VM2 and VM3 (172.16.10.11, 172.16.10.12, 172.16.10.13) are all attached to Logical Switch 5001 on a vSphere Distributed Switch but run on three different hosts. The hosts' VTEPs are 192.168.150.51 and 192.168.150.52 (transport subnet A, 192.168.150.0/24) and 192.168.250.51 (a second transport subnet). The VTEPs reach each other across the physical network, so the three VMs share one L2 segment whose addressing is independent of the transport underlay.
Traffic Flow on a VXLAN-Backed VDS
• In this setup, VM1 (on Host A) and VM2 (on Host B) are on different hosts but belong to the same logical switch (Logical SW A) on a vSphere Distributed Switch
• When these VMs communicate, a VXLAN overlay is established between the two hosts: each host's VTEP (a VMkernel interface on the dvPG-VTEP port group) encapsulates the frame and sends it through the dvUplink port group across the IP fabric to the other host's VTEP
NSX Logical Routing Introduction
• Distributed Logical Routing: the DLR kernel module runs inside the ESXi hypervisor (installed as a VIB) with logical interfaces (LIF1, LIF2) on each host; optimized for east-west traffic patterns
• Centralized Routing: the NSX Edge; optimized for north-south routing
(See also: Logical Routing Deep Dive, NET5826)
NSX Routing: Distributed, Feature-Rich (Scalable Routing, Simplifying Multi-Tenancy)
Challenges
• Physical infrastructure scale challenges: routing scale
• VM mobility is a challenge
• Multi-tenant routing complexity
• Traffic hair-pins
Benefits
• Distributed routing in the hypervisor
• Dynamic, API-based configuration
• Full featured: OSPF, BGP, IS-IS
• Logical router per tenant
• Routing peering with the physical switch
(Diagram: Tenant A, Tenant B and Tenant C each have their own logical router with several L2 segments behind it, provisioned from the CMP.)
NSX Logical Routing: Components Interaction
Topology in the diagram: the DLR fronts three logical subnets (172.16.10.0/24, 172.16.20.0/24, 172.16.30.0/24) and connects over a transit segment to an NSX Edge (192.168.10.1) acting as next-hop router towards the external network. On the transit segment the DLR uses 192.168.10.2 as the forwarding address of the kernel data path and 192.168.10.3 as the protocol address from which the DLR Control VM peers. The DLR Control VM, the controller cluster and NSX Manager form the control path; the ESXi kernel modules form the data path.
1. A dynamic routing protocol is configured on the logical router instance (through NSX Manager).
2. The controller pushes the new logical router configuration, including the LIFs, to the ESXi hosts.
3. OSPF/BGP peering is established between the NSX Edge and the logical router Control VM.
4. Routes learnt from the NSX Edge are pushed to the controller for distribution.
5. The controller sends the route updates to all ESXi hosts.
6. The routing kernel modules on the hosts handle the data-path traffic; the Control VM and the controllers are never in the data path.
Distributed East-West Routing Traffic Flow (Different Hosts)
Setup in the diagram: Host 1 runs VM1 (172.16.10.10, MAC1) on VXLAN 5001; Host 2 runs VM2 (172.16.20.10, MAC2) on VXLAN 5002. Both hosts are on the same VDS and carry the same DLR instance with LIF1 (gateway for 172.16.10.0/24) and LIF2 (gateway for 172.16.20.0/24), and every LIF answers to the same virtual MAC (vMAC). The hosts' VTEPs are 10.10.10.10/24 and 20.20.20.20/24 on the VXLAN transport network.
1. VM1 sends an IP packet (SA: 172.16.10.10, DA: 172.16.20.10). The destination is off-subnet, so the L2 header is DA: vMAC (LIF1), SA: MAC1.
2. The DLR kernel module on Host 1 routes the packet to LIF2 and consults the LIF2 ARP table: 172.16.20.10 -> MAC2.
3. The frame is rewritten to DA: MAC2, SA: vMAC and placed on VXLAN 5002, still on Host 1.
4. Host 1's VTEP encapsulates it (outer L2, outer IP SA: 10.10.10.10 DA: 20.20.20.20, UDP, VXLAN header carrying VNI 5002, then the inner L2/IP/payload) and sends it across the VXLAN transport network.
5. Host 2's VTEP decapsulates the packet and delivers the inner frame to VM2 on VXLAN 5002. Routing happened entirely in the source host's kernel; no Edge or Control VM was involved.
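The packet walk above, together with the VXLAN overlay between two hosts described under "Traffic Flow on a VXLAN-Backed VDS", as an added example that is not part of the original deck or of VMware's code. It builds the inner frame VM1 emits, routes it through a model of the DLR kernel module (LIF lookup, ARP table, L2 rewrite, TTL decrement), encapsulates it on VNI 5002 with a real VXLAN header (RFC 7348 layout, UDP port 4789) and decapsulates it on the second host. The IP addresses and VNIs are the slide's; the MAC addresses, the vMAC value, the outer VTEP MACs, the UDP source port and the payload are constructed placeholders.

```python
import ipaddress
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN port (RFC 7348)
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Addresses and VNIs from the slide; every MAC below is a constructed placeholder.
VM1_IP, VM1_MAC = "172.16.10.10", "00:50:56:a1:00:01"      # MAC1
VM2_IP, VM2_MAC = "172.16.20.10", "00:50:56:a1:00:02"      # MAC2
VMAC = "02:50:56:56:44:52"                                   # DLR vMAC, identical on every host
VTEP1_IP, VTEP1_MAC = "10.10.10.10", "00:1c:73:00:00:01"     # Host 1 VTEP
VTEP2_IP, VTEP2_MAC = "20.20.20.20", "00:1c:73:00:00:02"     # Host 2 VTEP
VNI_WEB, VNI_APP = 5001, 5002


def mac2b(mac):
    return bytes.fromhex(mac.replace(":", ""))


def b2mac(raw):
    return ":".join(f"{x:02x}" for x in raw)


def eth(dst, src, ethertype, payload):
    return mac2b(dst) + mac2b(src) + struct.pack("!H", ethertype) + payload


def parse_eth(frame):
    return b2mac(frame[:6]), b2mac(frame[6:12]), struct.unpack("!H", frame[12:14])[0], frame[14:]


def ipv4_checksum(hdr):
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4(src, dst, proto, payload, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload


def parse_ipv4(pkt):
    """Return (src, dst, proto, ttl, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20])),
            pkt[9], pkt[8], pkt[ihl:])


def vxlan_encap(vni, inner, src_vtep, dst_vtep, src_mac, dst_mac):
    """Outer Ethernet / IPv4 / UDP 4789 / 8-byte VXLAN header / unmodified inner frame."""
    vxlan_hdr = struct.pack("!BBHI", 0x08, 0, 0, vni << 8)   # I flag set, 24-bit VNI, reserved bits zero
    udp_payload = vxlan_hdr + inner
    # Source port 49152 is a placeholder; real VTEPs hash the inner headers into it for ECMP entropy.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(udp_payload), 0) + udp_payload
    return eth(dst_mac, src_mac, ETHERTYPE_IPV4, ipv4(src_vtep, dst_vtep, IPPROTO_UDP, udp))


def vxlan_decap(outer):
    """Return (src_vtep, dst_vtep, vni, inner_frame); raise ValueError if this is not VXLAN."""
    _, _, ethertype, ip = parse_eth(outer)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not IPv4")
    src, dst, proto, _, udp = parse_ipv4(ip)
    if proto != IPPROTO_UDP or struct.unpack("!H", udp[2:4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not VXLAN")
    flags, _, _, vni_field = struct.unpack("!BBHI", udp[8:16])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set")
    return src, dst, vni_field >> 8, udp[16:]


class DistributedLogicalRouter:
    """The same DLR instance lives in every host's kernel: LIFs keyed by VNI, one shared vMAC."""

    def __init__(self, vmac, lifs):
        self.vmac = vmac
        self.lifs = {vni: ipaddress.ip_network(net) for vni, net in lifs.items()}
        self.arp = {vni: {} for vni in lifs}   # per-LIF ARP table (controller ARP suppression or real ARP)

    def learn_arp(self, vni, ip, mac):
        self.arp[vni][ip] = mac

    def route(self, ingress_vni, frame):
        """Steps 2-3 of the walk: pick the egress LIF, resolve the MAC, rewrite L2, decrement TTL."""
        dst_mac, _, ethertype, ip = parse_eth(frame)
        if dst_mac != self.vmac or ethertype != ETHERTYPE_IPV4:
            return ingress_vni, frame            # not for the router: plain L2 on the ingress logical switch
        src_ip, dst_ip, proto, ttl, payload = parse_ipv4(ip)
        egress_vni = next((v for v, net in self.lifs.items() if ipaddress.ip_address(dst_ip) in net), None)
        if egress_vni is None:
            raise LookupError(f"no LIF for {dst_ip}")
        next_mac = self.arp[egress_vni].get(dst_ip)
        if next_mac is None:
            raise LookupError(f"ARP miss for {dst_ip} on VNI {egress_vni}")
        if ttl <= 1:
            raise ValueError("TTL expired")
        return egress_vni, eth(next_mac, self.vmac, ETHERTYPE_IPV4, ipv4(src_ip, dst_ip, proto, payload, ttl - 1))


def east_west_walk():
    dlr = DistributedLogicalRouter(VMAC, {VNI_WEB: "172.16.10.0/24", VNI_APP: "172.16.20.0/24"})
    dlr.learn_arp(VNI_APP, VM2_IP, VM2_MAC)
    payload = b"GET / HTTP/1.1\r\n"                                  # constructed application bytes
    # 1. VM1 sends to an off-subnet address, so the frame is addressed to LIF1's vMAC.
    frame = eth(VMAC, VM1_MAC, ETHERTYPE_IPV4, ipv4(VM1_IP, VM2_IP, IPPROTO_TCP, payload))
    # 2-3. The DLR kernel module on Host 1 routes it onto VXLAN 5002 with DA MAC2 / SA vMAC.
    egress_vni, routed = dlr.route(VNI_WEB, frame)
    # 4. Host 1's VTEP encapsulates towards Host 2's VTEP.
    outer = vxlan_encap(egress_vni, routed, VTEP1_IP, VTEP2_IP, VTEP1_MAC, VTEP2_MAC)
    # 5. Host 2 decapsulates and delivers the inner frame to VM2 on VXLAN 5002.
    src_vtep, dst_vtep, vni, inner = vxlan_decap(outer)
    dst_mac, src_mac, _, ip = parse_eth(inner)
    src_ip, dst_ip, _, ttl, data = parse_ipv4(ip)
    return {"vni": vni, "src_vtep": src_vtep, "dst_vtep": dst_vtep, "inner_dst_mac": dst_mac,
            "inner_src_mac": src_mac, "src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl,
            "payload": data, "inner_len": len(inner), "outer_len": len(outer)}
```

Two things worth noticing when you run `east_west_walk()`: the outer packet is exactly 50 bytes longer than the inner frame (14 Ethernet + 20 IPv4 + 8 UDP + 8 VXLAN), which is where the usual "raise the transport MTU to at least 1600" guidance comes from, and the VXLAN header carries no integrity or authentication field, so any host that can reach the VTEP subnet can inject frames into any VNI. That is why the transport network is kept separate from workload networks and why the DFW, not the VNI boundary, is the enforcement point.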
NSX Distributed Firewalling
Physical security model (challenges)
• Centralized firewall model
• Static configuration
• IP-address-based rules
• 40 Gbps per appliance
• Lack of visibility into encapsulated traffic
Distributed firewalling (benefits)
• Distributed at the hypervisor level
• Dynamic, API-based configuration
• VM name, vCenter object and identity-based rules
• Line rate, ~20 Gbps per host
• Full visibility into encapsulated traffic
(Diagram: firewall management drives VMware NSX through its API from the CMP. See also: NSX DFW Deep Dive, SEC5589)
Distributed Firewall Features and Rules
The diagram shows VM1, VM2, VM4 and VM5 on a vSphere Distributed Switch, attached to the logical switches Web-LS1 and App-LS1, alongside the management cluster (192.168.150.51, 192.168.150.52, 192.168.250.51).
Capabilities
• Firewall rules are enforced at the vNIC level
• Policy is independent of location (L2 or L3 adjacency)
• State persists across vMotion
• Enforcement is based on VM attributes such as tags, VM names, logical switch, etc.
Rules can therefore be written against VM names (VM1, VM2, ...) or against logical switches (Web-LS1, App-LS1) instead of against IP addresses.
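A model of the Distributed Firewall that covers both the security-group policies from the "Security Groups and Security Policies" slide and the vNIC-level, attribute-based rules described above, as an added example that is not part of the original deck or of VMware's code. Security groups are dynamic membership criteria (by security tag, by logical switch, by VM name), rules reference groups rather than addresses, and evaluation is first-match with a default rule. The inventory, the IP addresses, the port numbers chosen for "SQL" (1433) and "AD" (88, 389), and the narrowing of the App tier's inbound 8443 rule to the Web group are assumptions; the slide gives no source for that rule.

```python
from dataclasses import dataclass, replace
from typing import Callable, Dict, FrozenSet, Optional, Set, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    logical_switch: str
    tags: FrozenSet[str]
    host: str            # ESXi host; changes on vMotion and is never consulted by a rule


@dataclass(frozen=True)
class SecurityGroup:
    """Dynamic membership: the criterion is re-evaluated against inventory, not a static IP list."""
    name: str
    criterion: Callable[[VM], bool]


Service = Optional[Tuple[str, int]]      # (protocol, destination port); None means any service
ANY = (None,)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                             # security-group name or "any"
    dst: str
    services: Tuple[Service, ...]
    action: str                          # "allow" or "block"


class DistributedFirewall:
    def __init__(self, groups, rules, default_action="block"):
        self.groups = {g.name: g for g in groups}
        self.rules = list(rules)
        self.default_action = default_action
        self.members: Dict[str, Set[str]] = {}
        self.vm_by_ip: Dict[str, VM] = {}

    def sync(self, inventory):
        """Recompute group membership and the IP-to-VM translation from the vCenter/NSX inventory."""
        self.members = {name: {vm.name for vm in inventory if g.criterion(vm)} for name, g in self.groups.items()}
        self.vm_by_ip = {vm.ip: vm for vm in inventory}

    def _in(self, selector, vm):
        if selector == "any":
            return True
        return vm is not None and vm.name in self.members[selector]   # unknown IPs match no group

    def evaluate(self, src_ip, dst_ip, proto, dport):
        """First-match evaluation as applied at the vNIC; returns (action, rule name)."""
        src, dst = self.vm_by_ip.get(src_ip), self.vm_by_ip.get(dst_ip)
        for r in self.rules:
            if self._in(r.src, src) and self._in(r.dst, dst) and any(s is None or s == (proto, dport) for s in r.services):
                return r.action, r.name
        return self.default_action, "default"


GROUPS = [
    SecurityGroup("Web", lambda vm: "Standard Web" in vm.tags),          # membership by security tag
    SecurityGroup("App", lambda vm: vm.logical_switch == "App-LS1"),     # membership by logical switch
    SecurityGroup("Database", lambda vm: vm.name.startswith("db-")),     # membership by VM name
    SecurityGroup("SharedServices", lambda vm: "shared-services" in vm.tags),
]
RULES = [   # the slide's policies as an ordered rule table; ports for SQL and AD are assumptions
    Rule("Standard Web: inbound HTTP/S", "any", "Web", (("tcp", 80), ("tcp", 443)), "allow"),
    Rule("Standard Web: outbound ANY", "Web", "any", ANY, "allow"),
    Rule("Standard App: inbound 8443", "Web", "App", (("tcp", 8443),), "allow"),
    Rule("Standard App/Database: SQL", "App", "Database", (("tcp", 1433),), "allow"),
    Rule("Default: shared services DNS/AD", "any", "SharedServices", (("udp", 53), ("tcp", 88), ("tcp", 389)), "allow"),
]
INVENTORY = [   # constructed inventory
    VM("web-01", "172.16.10.11", "Web-LS1", frozenset({"Standard Web"}), "esxi-01"),
    VM("web-02", "172.16.10.12", "Web-LS1", frozenset({"Standard Web"}), "esxi-02"),
    VM("app-01", "172.16.20.11", "App-LS1", frozenset(), "esxi-01"),
    VM("db-01", "172.16.30.11", "DB-LS1", frozenset(), "esxi-02"),
    VM("dns-01", "172.16.40.11", "Mgmt-LS1", frozenset({"shared-services"}), "esxi-01"),
]


def scenario():
    dfw = DistributedFirewall(GROUPS, RULES)
    dfw.sync(INVENTORY)
    out = {
        "internet->web https": dfw.evaluate("203.0.113.5", "172.16.10.11", "tcp", 443)[0],
        "web->app 8443": dfw.evaluate("172.16.10.11", "172.16.20.11", "tcp", 8443)[0],
        "internet->app 8443": dfw.evaluate("203.0.113.5", "172.16.20.11", "tcp", 8443)[0],
        "app->db sql": dfw.evaluate("172.16.20.11", "172.16.30.11", "tcp", 1433)[0],
        "web->db sql": dfw.evaluate("172.16.10.11", "172.16.30.11", "tcp", 1433)[0],   # "outbound ANY" fires first
        "app->dns 53": dfw.evaluate("172.16.20.11", "172.16.40.11", "udp", 53)[0],
        "db->app ssh": dfw.evaluate("172.16.30.11", "172.16.20.11", "tcp", 22)[0],
    }
    # vMotion: web-01 moves to esxi-02. Rules follow the vNIC, so the verdict is unchanged.
    dfw.sync([replace(vm, host="esxi-02") if vm.name == "web-01" else vm for vm in INVENTORY])
    out["after vmotion internet->web https"] = dfw.evaluate("203.0.113.5", "172.16.10.11", "tcp", 443)[0]
    # Tag removed: web-01 leaves the Web group and immediately loses its HTTP/S allow.
    dfw.sync([replace(vm, tags=frozenset()) if vm.name == "web-01" else vm for vm in INVENTORY])
    out["untagged internet->web https"] = dfw.evaluate("203.0.113.5", "172.16.10.11", "tcp", 443)[0]
    return out
```

The `sync()` step stands in for the object-to-IP translation the real DFW performs (VM IP discovery through VMware Tools, DHCP or ARP snooping, with SpoofGuard guarding that binding); a rule never needs to change when a VM gets a new address or a new host. The one result that should give pause is `web->db sql`: the slide's "Standard Web" policy allows outbound ANY, and because that rule precedes the database rule, a compromised web server can open SQL connections straight to the database tier. In practice, tighten the web tier's outbound rule to the App group and the shared services it actually needs.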
Features Summary: NSX Edge Gateway Services
Firewall: rule configuration with IPs, port ranges, grouping objects and vCenter containers
DHCP: configuration of IP pools, gateways, DNS servers and search domains
Site-to-Site VPN: IPsec site-to-site VPN between two Edges or with other vendors' VPN terminators
L2VPN: stretch your layer 2 across data centers
SSL VPN: lets remote users access the private networks behind the Edge gateway
Load Balancing: configure virtual servers and backend pools using IP addresses or vCenter objects
Network Address Translation: source and destination NAT capabilities
High Availability: active-standby HA capability, which works well with vSphere HA
Routing: static as well as dynamic routing protocol support (OSPF, BGP, IS-IS)
DNS/Syslog: configure DNS relay and remote syslog servers
NSX Edge Integrated Network Services
Services: firewall, load balancer, VPN, routing/NAT, DHCP/DNS relay (DDI)
Overview
• Integrated L3-L7 services
• Virtual appliance model for rapid deployment and scale-out
Benefits
• Real-time service instantiation
• Support for dynamic service differentiation per tenant/application
• Uses x86 compute capacity
NSX Load Balancing: Per-Tenant Application Availability Model
Challenges
• Application mobility
• Multi-tenancy
• Configuration complexity: manual deployment model
Benefits
• On-demand load balancer service
• Simplified deployment model for applications: one-arm or inline
• Layer 7, SSL, ...
(Diagram: Tenant A and Tenant B each have their own load balancer in front of VM1 and VM2. See also: NSX Load Balancing Deep Dive, NET5612)
NSX L2VPN
Use cases
• Brownfield NSX deployments (VLAN -> VXLAN)
• Data center migrations (P2V, V2V)
• Disaster recovery and testing
• Cloud bursting and onboarding
Best fit for L2 extensions with
• Long distance / high latency
• Multiple management domains
• NSX present only on a single site
• Max 1500-byte MTU on the WAN
Highlights
• SSL-secured L2 extension over any IP network
• Independent of vCenter Server boundaries
• Can co-exist with the existing default gateway
• No specialized hardware required
• Supports up to 750 Mb/s per Edge
• Uses AES-NI if available
(Diagram: an enterprise site and a hybrid/public cloud site connected over the Internet/WAN. See also: Connecting Remote Sites with NSX, NET5352)
Useful Trainings
• VMware NSX Load Balancing
• VMware NSX Network Virtualization: NSX Operations
• VMware vSphere 5 - Part 1: Introduction to Virtualization
• VMware NSX Network Virtualization: Technology and Architecture
• VMware NSX Network Virtualization: NSX Network Services
Thank You

Deck title on SlideShare: VMware nsx network virtualization tool


Editor's Notes

#7: Explain each module in a little detail, showing the value of each feature.
• Port Security: provides the DHCP snooping used by the VXLAN module, and IP spoof guard
• VXLAN: VTEP; MTEP (multicast replication); ARP proxy
• Distributed Router: previously, east-west traffic between VXLAN vWires had to go through the Edge gateway
• Distributed Firewall: better performance
• Message Bus: a new communication channel that allows direct communication from NSX Manager to the host
• User World Agent: communicates with the controller on one side and with the kernel modules on the other

#8: TBD: properties and benefits (VM, separation of MP/CP/DP, scale-out, no multicast). Functions: overlay, L2 and L3 data-plane programming.
• Provides the control plane that distributes logical switching and logical routing information to the ESXi hosts
• NSX Controllers are clustered for scale-out and high availability
• Network information is sliced across the nodes of a controller cluster
• Removes the dependency on multicast in the physical network
• Provides suppression of ARP broadcast traffic in logical networks

#9: Functionality: the centralized management plane of NSX for vSphere.
• 1:1 mapping between an NSX Manager and a vCenter Server
• Provides the management UI and API for NSX
• Configures the controller cluster
• Generates the certificates that secure control-plane communications
• Installs the logical switching, distributed routing and firewall kernel modules on the ESXi hosts
Operationally:
• Deploys the NSX Controller and NSX Edge virtual appliances (OVF)
• Provides the vSphere Web Client plugin
• Host configuration includes the Distributed Firewall and the NSX Edges

#11:
• VXLAN traffic uses a vmknic that provides the VXLAN Tunnel End Point (VTEP) function
• A single dvPortGroup per VDS is created for all VTEPs
• A logical switch is an L2 broadcast domain implemented with VXLAN
• A dvPortGroup is created for each logical switch, which provides local switching and isolation
• VXLAN logical switches can also span multiple VDSs

#14:
• The Distributed Logical Router control plane is provided by a per-instance DLR Control VM together with the NSX Controller
• Supports the dynamic routing protocols OSPF and BGP
• Communicates with NSX Manager and the controller cluster: NSX Manager sends LIF information to the Control VM and the controller cluster; the Control VM sends routing updates to the controller cluster
• The DLR Control VM and the NSX Controller are not in the data path
• High availability is supported through an active-standby configuration

#15:
• VMware NSX provides a faithful reproduction of network and security services in software; VXLAN is the overlay technology that enables those virtual networking capabilities
• Logical routing allows communication between virtual workloads belonging to separate IP subnets
• Distributed routing optimizes traffic flows for east-west communication inside the data center
• Centralized routing handles on-ramp/off-ramp communication with the external physical network
• Multiple logical topologies can be built by combining the NSX DLR and Edge functional components
• Each logical routing component can be deployed redundantly to guarantee a fully resilient design

#16: While we are focusing on firewalling here, note that NSX is the security platform offering antivirus, intrusion prevention, vulnerability management, identity and access management, security policy management, DLP, file integrity monitoring and more.

#22: Challenges: applications are not mobile because they are tied to a physical load balancer instance; multi-tenancy; configuration automation.