Post on 04-May-2018
© 2014 VMware Inc. All rights reserved.
Bringing Network Virtualisation to VMware Environments With NSX VMware vForums 2014
Martin Banda Systems Engineer, VMware South Africa @vmgenie mbanda@vmware.com
Agenda
• The Software-Defined Data Center and the Network
• How Does It Work
• Better Security
• Better Operational Visibility
• Logical Traffic Flows
• Use Cases
• Ecosystem
The Software-Defined Data Center and the Network
What is a Software-Defined Data Center (SDDC)?
[Slide diagram] Software layer: intelligence in software, the operational model of the VM applied to the data center, automated configuration and management. Hardware layer: compute, network and storage capacity on vendor-independent, best price/performance hardware with simplified configuration and management. Contrasted with the traditional model: intelligence in ASICs, dedicated vendor-specific hardware, manual configuration and management. Panel label: Compute Virtualization.
The Network is a Barrier to the Software-Defined Data Center
[Slide diagram: Network, Server and Storage on any physical infrastructure]
• Provisioning is slow
• Placement and mobility are limited
• Operational visibility is limited
• Hardware dependent
• Operationally intensive
The Solution – Transform the Network with Virtualization
[Slide diagram: Compute Virtualization and Network Virtualization layered over any physical infrastructure (Network, Server, Storage), hardware independent, forming a Software Defined Virtual Network]
• Programmatic provisioning
• Any workload anywhere
• End-to-end operational visibility
• Decoupled from hardware
• Operationally efficient
What is a Network Hypervisor?
[Slide diagram, two columns]
Server hypervisor: runs on general purpose server hardware (Dell, HP, IBM, Quanta, …); requirement: x86. Virtual machines, each running an application, see an x86 environment that is decoupled from the hardware.
Network hypervisor: runs on general purpose IP hardware (Arista, Cisco, HP, Juniper, Cumulus, …); requirement: IP transport. Virtual networks, each carrying workloads, provide L2, L3 and L4-7 network services decoupled from any hardware platform.
Virtualize the network: the network virtualisation layer is decoupled from the hardware platform.
Network Virtualization Decouples and Reproduces the Network Model
[Slide diagram: the network hypervisor is decoupled from the physical network (Arista, Cisco, HP, Juniper, Cumulus, …); above it, virtual networks reproduce L2 and L3 segments, a WAN and Subnets A, B and C, with workloads attached]
How Does It Work?
[Build-up slide sequence, each panel drawn with an Internet uplink]
• A data centre network…
• Compute infrastructure…
• Hypervisors and vSwitches…
• NSX | The “Network Hypervisor”
• Virtual Networks – like virtual machines for the network
• Programmatic provisioning
• Services distributed to the virtual switch
• Physical workloads and legacy VLANs
• The power of distribution
Better Security
Security – Complete Isolation
• Virtual networks are isolated from each other (overlapping IP addresses)
• Virtual networks are isolated from the underlying physical network (IPv6 over IPv4)
Central Policies, Distributed Enforcement, Move with VMs
[Slide diagram: one security policy applied to VMs across hosts behind an Internet uplink]
- Reduce choke point security
- Centrally define policies, distribute rule enforcement for segmentation
- Security policies move with VMs
- Changes to central policies are automatically distributed to affected VMs
The Power of Distribution
Service Insertion – Example: Palo Alto Networks Next Generation Firewall
[Slide diagram: a security admin defines the security policy; traffic steering sends selected flows to the partner firewall; Internet uplink]
Better Operational Visibility
Visibility & Troubleshooting
Use the network troubleshooting tools you use today, but with better information
[Slide diagram: IPFIX, syslog and NetFlow logs exported from the logical network]
Logical Traffic Flows
Traffic flow with Distributed Routing – Same Host
[Slide diagram] Two vSphere hosts on a VXLAN transport network, Host 1 (VTEP 10.20.10.10, pMAC1) and Host 2 (VTEP 10.20.10.12, pMAC2), each with a vSphere Distributed Switch and a local instance of the distributed logical router; the Logical Router Control VM is also shown. The router's internal LIFs share one vMAC: LIF1 192.168.20.1 (VXLAN 5001) and LIF2 192.168.10.1 (VXLAN 5002); an uplink LIF is also drawn. Both VMs, 192.168.20.10 (MAC1) and 192.168.10.10 (MAC2), sit on the same host.
1. The source VM sends the frame to its gateway: L2 DA vMAC, SA MAC1; IP DA 192.168.10.10, SA 192.168.20.10.
2. The local router instance consults its FIB (routing table): destination 192.168.10.0, mask 255.255.255.0, gateway 0.0.0.0, Direct; destination 192.168.20.0, mask 255.255.255.0, gateway 0.0.0.0, Direct.
3. The LIF2 ARP table resolves 192.168.10.10 to MAC2.
4. The routed frame is delivered on VXLAN 5002 on the same host: L2 DA MAC2, SA vMAC, with the same IP payload.
Traffic flow with Distributed Routing – Different Host
[Slide diagram] Host 1 (VTEP 10.20.10.10, pMAC1) holds the source VM 192.168.20.10 (MAC1) on VXLAN 5001; Host 2 (VTEP 10.20.10.11, pMAC2) holds the destination VM 192.168.10.10 (MAC2) on VXLAN 5002. Each host runs a VDS and its own instance of the logical router, with LIF1 and LIF2 sharing the vMAC.
1. The source VM sends the frame to its gateway: L2 DA vMAC, SA MAC1; IP DA 192.168.10.10, SA 192.168.20.10.
2. The router instance on Host 1 resolves 192.168.10.10 to MAC2 in the LIF2 ARP table.
3. It rewrites the frame to L2 DA MAC2, SA vMAC, and the source MAC becomes pMAC1 before the frame leaves the host.
4. The frame is VXLAN-encapsulated on VNI 5002: outer L2 / IP DA 10.20.10.11, SA 10.20.10.10 / UDP / VXLAN / inner L2 DA MAC2, SA pMAC1 / IP DA 192.168.10.10, SA 192.168.20.10.
5. Host 2 decapsulates and delivers the inner frame (DA MAC2, SA pMAC1) to the destination VM.
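The two distributed-routing flows above, as an added simulation that is not part of the deck or of NSX: the MAC strings, host names and the VM placement dictionary are constructed from the slide labels, and the ARP and FIB tables are assumed to be already populated.

```python
"""DLR forwarding as drawn on the two distributed-routing slides.

Added example, not VMware code: MAC strings, host names and the VM placement
dictionary are constructed from the slide labels; ARP and FIB tables are
assumed to have been populated already."""
import ipaddress

VMAC = "vMAC"  # MAC shared by the router's internal LIFs on every host

# Connected subnets (the FIB's "Direct" entries): network -> (VNI, LIF IP)
LIFS = {
    ipaddress.ip_network("192.168.20.0/24"): (5001, "192.168.20.1"),  # LIF1
    ipaddress.ip_network("192.168.10.0/24"): (5002, "192.168.10.1"),  # LIF2
}
ARP = {"192.168.20.10": "MAC1", "192.168.10.10": "MAC2"}  # per-LIF ARP entries
HOSTS = {"host1": ("10.20.10.10", "pMAC1"),  # host -> (VTEP IP, pMAC)
         "host2": ("10.20.10.11", "pMAC2")}


def fib_lookup(dst_ip):
    """Return (VNI, LIF IP) of the connected subnet holding dst_ip, else None."""
    for net, lif in LIFS.items():
        if ipaddress.ip_address(dst_ip) in net:
            return lif
    return None


def dlr_forward(src_ip, dst_ip, local_host, placement):
    """Forward one packet that a VM on local_host sent to the vMAC.

    placement maps VM IP -> host name (constructed). Returns the frame the
    local router instance emits, or a drop reason."""
    lif = fib_lookup(dst_ip)
    if lif is None:
        return {"drop": "no connected route"}
    vni, _gw = lif
    dst_mac = ARP.get(dst_ip)
    if dst_mac is None:
        return {"drop": "ARP unresolved"}
    ip_hdr = {"da": dst_ip, "sa": src_ip}
    if placement[dst_ip] == local_host:
        # Same host: hand the routed frame straight to the VM, SA is the vMAC
        return {"vni": vni, "l2": {"da": dst_mac, "sa": VMAC}, "ip": ip_hdr}
    # Different host: the slide shows the inner SA rewritten to this host's
    # pMAC, then VXLAN encapsulation VTEP-to-VTEP on the destination VNI
    local_vtep, local_pmac = HOSTS[local_host]
    remote_vtep = HOSTS[placement[dst_ip]][0]
    return {"outer_ip": {"da": remote_vtep, "sa": local_vtep}, "udp": "VXLAN",
            "vni": vni, "l2": {"da": dst_mac, "sa": local_pmac}, "ip": ip_hdr}
```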
Traffic flow from physical host on a VLAN – ARP Request and Response
[Slide diagram] A physical host 192.168.20.11 (MAC1, default gateway 192.168.20.1) sits on VLAN 10 of the L2 network. LIF1 192.168.20.1 is the VLAN-backed LIF; LIF2 192.168.10.1 is an internal LIF on VXLAN 5002 carrying VMs 192.168.10.10 (MAC2) and 192.168.10.11 (MAC3), whose gateway is 192.168.10.1. The two vSphere hosts, VTEP 10.20.10.10 (pMAC1) and VTEP 10.20.10.12 (pMAC2), connect to the VXLAN transport on VLAN 100 and to VLAN 10; the host with VTEP 10.20.10.12 is the Designated Instance (DI) for LIF1.
1. The physical host sends an ARP request for its gateway: L2 DA broadcast, SA MAC1; target 192.168.20.1, sender 192.168.20.11.
2. Every host on VLAN 10 receives the broadcast, but only the Designated Instance answers.
3. The DI replies with its own pMAC rather than the vMAC: L2 DA MAC1, SA pMAC2; sender 192.168.20.1, target 192.168.20.11.
4. The physical host's ARP table now holds 192.168.20.1 → pMAC2.
Traffic flow between physical host and VM on VXLAN (Ingress)
[Slide diagram, same topology as the previous slide]
1. The physical host 192.168.20.11 sends to the VM using the gateway MAC it learned: L2 DA pMAC2, SA MAC1; IP DA 192.168.10.10, SA 192.168.20.11.
2. The frame arrives on VLAN 10 at the Designated Instance (VTEP 10.20.10.12), the only router instance that receives traffic addressed to pMAC2.
3. The DI routes the packet onto LIF2 and resolves 192.168.10.10 to MAC2.
4. It VXLAN-encapsulates the frame on VNI 5002: outer L2 / IP DA 10.20.10.10, SA 10.20.10.12 / UDP / VXLAN / inner L2 DA MAC2, SA pMAC2 / IP DA 192.168.10.10, SA 192.168.20.11.
5. The host holding the VM (VTEP 10.20.10.10) decapsulates and delivers the frame to 192.168.10.10.
Traffic flow from VM on VXLAN to physical host on VLAN (Egress)
[Slide diagram, same topology; the VM 192.168.10.10 (MAC2) is on the host with VTEP 10.20.10.10 (pMAC1), and the host with VTEP 10.20.10.12 is the Designated Instance for LIF1]
1. The VM sends to its gateway: L2 DA vMAC, SA MAC2; IP DA 192.168.20.11, SA 192.168.10.10.
2. The local router instance looks up the LIF1 ARP table.
3. There is no entry yet for 192.168.20.11.
4. An out-of-band UDP channel is established with the DI for ARP resolution on LIF1.
5. The ARP request is sent out by the DI.
6. The ARP request reaches the physical host on VLAN 10.
7. The physical host returns the ARP response; the LIF1 ARP table on the originating host now holds 192.168.20.11 → MAC1.
8. The originating host sends the frame itself on VLAN 10, with its own pMAC as source: L2 DA MAC1, SA pMAC1; IP DA 192.168.20.11, SA 192.168.10.10.
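The three VLAN LIF flows above (ARP for the gateway, ingress, egress), as an added simulation of the Designated Instance role that is not part of the deck or of NSX. It assumes the host with VTEP 10.20.10.12 (pMAC2) is the DI, models the out-of-band UDP channel as a function call, keeps one shared LIF1 ARP cache for simplicity, and uses the slide's MAC labels as strings.

```python
"""Designated Instance (DI) behaviour for the VLAN-backed LIF1.

Added example, not VMware code. Assumptions: host2 (VTEP 10.20.10.12, pMAC2)
is the DI, the out-of-band channel to the DI is a direct function call, the
LIF1 ARP cache is one shared dict, and MAC strings are the slide labels."""

LIF1_IP, VLAN = "192.168.20.1", 10
HOSTS = {"host1": {"vtep": "10.20.10.10", "pmac": "pMAC1"},
         "host2": {"vtep": "10.20.10.12", "pmac": "pMAC2"}}
DI = "host2"
PHYS = {"ip": "192.168.20.11", "mac": "MAC1"}   # constructed physical host
VLAN_HOSTS = {PHYS["ip"]: PHYS["mac"]}          # who answers ARP on VLAN 10
lif1_arp = {}                                   # LIF1 ARP cache (shared model)


def answer_gateway_arp(host, target_ip):
    """ARP request for the LIF1 IP seen on VLAN 10: only the DI replies,
    and it replies with its own pMAC rather than the shared vMAC."""
    if host != DI or target_ip != LIF1_IP:
        return None
    return {"l2": {"da": PHYS["mac"], "sa": HOSTS[DI]["pmac"]},
            "arp": {"sender_ip": LIF1_IP, "sender_mac": HOSTS[DI]["pmac"]}}


def di_resolve(ip):
    """Out-of-band request to the DI: it ARPs on VLAN 10 and caches the answer."""
    mac = VLAN_HOSTS.get(ip)
    if mac:
        lif1_arp[ip] = mac
    return mac


def ingress(frame, vm_host, vm_mac):
    """Physical host -> VM: the DI routes and VXLAN-encapsulates on VNI 5002."""
    if frame["l2"]["da"] != HOSTS[DI]["pmac"]:
        return {"drop": "not addressed to the DI's pMAC"}
    return {"outer_ip": {"da": HOSTS[vm_host]["vtep"], "sa": HOSTS[DI]["vtep"]},
            "vni": 5002, "l2": {"da": vm_mac, "sa": HOSTS[DI]["pmac"]},
            "ip": frame["ip"]}


def egress(src_ip, local_host, dst_ip):
    """VM -> physical host: the originating host sends on VLAN 10 itself with
    its own pMAC once LIF1 ARP is resolved (on a miss it asks the DI)."""
    mac = lif1_arp.get(dst_ip) or di_resolve(dst_ip)
    if mac is None:
        return {"drop": "ARP unresolved on LIF1"}
    return {"vlan": VLAN, "l2": {"da": mac, "sa": HOSTS[local_host]["pmac"]},
            "ip": {"da": dst_ip, "sa": src_ip}}
```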
Use Cases
VMware NSX Use Case Examples
• Self Service R&D Clouds & Data Center Automation
– Speed & Agility
– Automated Provisioning
• Data Center Refresh
– Flexibility and choice for physical infrastructure
– Hardware independence
• Data Center Migration and Disaster Recovery
– No Re-IPing application workloads
• Scale-out DMZ
• Micro-segmentation
– Leverages inherent isolation and distributed firewalling
Ecosystem
VMware NSX Ecosystem – Technology Partners
More Information
• Hands on Labs (HOL): http://labs.hol.vmware.com/
• NSX Design Guide: http://www.vmware.com/products/nsx/resources
• NSX Public Landing Page: http://www.vmware.com/products/nsx
Thank You Questions?