Date posted: 07-Jan-2017
Category: Technology
Uploaded by: csuc-consorci-de-serveis-universitaris-de-catalunya
NSX a natural step to SDN
David Belmonte, Senior Network Virtualization Support Engineer, VMware GSS
Agenda
1 Network Virtualization / SDDC model
2 NSX Networking and Security Capabilities
3 Architecture Overview
4 DFW / Micro-segmentation
5 Multi-Site Support
6 Use case Agencia Tributaria de Catalunya
There are four basic things in a typical data center today: applications, compute, storage and networking.
There has been a lot of virtualization in the data center.
Except for one area… Networking!
The lack of networking virtualization is holding back your ability to:
• Keep up with the pace of business
• Secure the data center
• Support your apps
Network functions: Switching, Routing, Firewalling/ACLs, Load balancing
The next-generation networking model: NSX value proposition
(diagram layers: network, storage, compute; virtualization layer; “network platform”; virtual networks; the software-defined data center)
• Meet the demands of a dynamic business environment
• Deliver networking security that is faster than cybercriminals
• Provide flexibility to app mobility
The business world is ready for a new model
Telling the End-to-End NSX Story
• Product level: NSX Platform
• Solution level: SDDC
• Initiative level: Security, IT Automation, App Continuity
• Project level:
– Security: Micro-segmentation, Secure User Environments, DMZ Anywhere
– IT Automation: IT Automating IT, Developer Cloud, Multi-tenant Cloud
– App Continuity: Disaster Recovery, Metro Pooling, Hybrid Cloud Networking
VMware NSX – Networking & Security Capabilities
VMware NSX Network Virtualization Platform: any application (without modification), any cloud management platform, any hypervisor, any network hardware. Virtual networks are built from logical L2, logical L3, logical firewall, logical load balancer and logical VPN.
• Logical Switching – Layer 2 over Layer 3, decoupled from the physical network
• Logical Routing – Routing between virtual networks without exiting the software container
• Logical Firewall – Distributed Firewall, kernel integrated, high performance
• Logical Load Balancer – Application load balancing in software
• Logical VPN – Site-to-site & remote access VPN in software
• NSX API – RESTful API for integration into any cloud management platform
• Partner Eco-System – Security, visibility & operations, application delivery services, physical to cloud
NSX partner ecosystem
Virtual Network – A complete network in software
Architecture
• Management Plane: vCD/vRA, vCenter Server, NSX Manager
• Control Plane: NSX Edge Distributed Router, Controller
• Data Plane: NSX Edge Services Router; per-host kernel modules (VXLAN, DR, DFW, Security)
Control Plane Components
• Dynamic Routing
• VXLAN – VLAN Bridging
• Scale Out
• VXLAN – no Multicast
• ARP suppression
• Distributed Routing
Control Plane: NSX Edge Distributed Router, Controller
Data Plane Components
• Kernel Modules
• Message Bus
• User World Agent
• NAT
• DHCP
• LB
• VPN
Data Plane: ESX hosts (VXLAN, DR, DFW, Security kernel modules), NSX Edge Services Router
Components Mapped to Physical Infrastructure
• WAN / Internet
• Compute Racks: hypervisor modules
• Infra Racks: Controller, VC, NSX Manager
• Edge Racks: Edges
NSX Hardware VTEP OVSDB integration: Logical and Physical
(animated slide: logical view vs physical view, with VM1, VM2, VLAN 100 and the physical infrastructure)
Distributed Virtual Firewall
(diagram: firewall enforced at every VM on every host)
Benefits…
• No “Choke Point”
• Scale Out
• Enforcement closest to VM
NSX Micro-segmentation is the Path to a Zero Trust Architecture
Architecture Traits and Components
• Segmentation by default
• Distributed Switching and Security
• Embedded Advanced Security Options
• Flexible units as trust boundaries
• Centralized Management of Policy
(axes: wider application, more granularity)
Unit-Level Trust
• Defines Trust Boundary
• Resources within a unit share similar functionality/attributes
• Range from a vNIC to an entire enterprise site
• Security applies to all unit ingress and egress traffic
(grouping attributes shown: TYPE, OS, NAME, VM)
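As an added illustration (not from the presentation), the following Python model shows how a distributed firewall with dynamic security groups evaluates one flow at both the source vNIC (egress) and the destination vNIC (ingress) with a default deny; the VM names, groups, ports and rules are constructed, and the applied-to scoping on the last rule is an assumed misconfiguration included to show why both enforcement points matter.

```python
from dataclasses import dataclass, field
# Constructed inventory: every VM is its own trust unit, filtered at its vNIC.
@dataclass(frozen=True)
class VM:
    name: str
    tags: frozenset = field(default_factory=frozenset)

@dataclass(frozen=True)
class Rule:
    src: str         # security group name or "*"
    dst: str
    port: object     # TCP port or "*"
    action: str      # "allow" or "deny"
    applied_to: str  # only vNICs of VMs in this group get the rule programmed

# Dynamic groups: membership is derived from VM attributes (name, tag), so a
# newly deployed VM that matches is covered without editing a single rule.
GROUPS = {
    "*": lambda vm: True,
    "web": lambda vm: vm.name.startswith("web"),
    "app": lambda vm: vm.name.startswith("app"),
    "db": lambda vm: vm.name.startswith("db"),
    "quarantine": lambda vm: "quarantine" in vm.tags,
}

# Ordered rule table (first match wins); a quarantine tag overrides everything.
RULES = [
    Rule("quarantine", "*", "*", "deny", "*"),
    Rule("*", "quarantine", "*", "deny", "*"),
    Rule("web", "app", 8443, "allow", "*"),
    # Assumed misconfiguration: scoped to "app" only, so db vNICs never see it.
    Rule("app", "db", 5432, "allow", "app"),
]
def member(vm: VM, group: str) -> bool:
    return GROUPS[group](vm)

def vnic_decision(owner: VM, src: VM, dst: VM, port: int) -> str:
    """Decision taken by one vNIC's filter using only the rules programmed on it."""
    for r in RULES:
        if not member(owner, r.applied_to):
            continue
        if member(src, r.src) and member(dst, r.dst) and r.port in ("*", port):
            return r.action
    return "deny"  # segmentation by default: no matching rule means drop

def flow_allowed(src: VM, dst: VM, port: int) -> bool:
    """Egress checked at the source vNIC, ingress at the destination vNIC: no choke point, both must allow."""
    return (vnic_decision(src, src, dst, port) == "allow"
            and vnic_decision(dst, src, dst, port) == "allow")
```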
Cross-VC NSX Use Cases
• Increase the span of NSX logical networks to enable:
– Capacity Pooling across multiple vCenter Servers
– Non-disruptive migrations
– Cloud and VDI deployments
(diagram: Web/App/DB tiers spread across vCenter Server A, B and C)
Cross-VC NSX Use Cases
– Active-Active
– Disaster Recovery
(diagram: vCenter-A and vCenter-B, each with N-S connectivity, NSX Mgr A/B and SRM A/B, with Web/App/DB tiers on both sites)
Use case - Agencia Tributaria de Catalunya
ATC manages, inspects and collects its own taxes and some transferred by the Central State (Order ECF/496/2007).
The ATC is structured in four regional offices and has a network of 167 taxpayer service offices distributed throughout the Catalan territory.
2,614 million euros were collected in 2015.
Information systems are a key tool in managing tax.
More than 1,500 daily users use the ATC information system.
VMware Integrated Solution: NSX, VSAN, VDI
The Challenge: from the customer’s old datacenter (FAS2240-2) to a software-defined datacenter on the Fujitsu Building Block x86 platform powered by VMware cloud solutions
Datacenter Solution: High Level Design
Two sites, Cloud1 and Cloud2, each built from:
• View Block: VDI Cluster (Standard Pools, Persistent Pools, 3D Pools), VSAN - VDI, Building Block CX400 Nodes
• Management Block: Management Cluster (VMs Servers Infr), vCenter View, vCenter Mngmt, VSAN Management, Building Block CX400 Nodes
• NSX Distributed Network
• Block PRE: Building Block CX400 Node, LAB, VSAN - PRE
• Backups Tape & Disk: Tape Library Eternus LT60S2, Tape Server, Backups to Disk Eternus JX40S2
SDN Solution Milestones I
VXLANs for VLANs
• Large scale (24-bit VNI: 16M+ networks)
• Software provisioning
• L2 across L3 boundaries (VXLAN encapsulation / VTEP)
• Unicast, Multicast and Hybrid modes
• RFC 7348
Logical Switches for Physical Switches
• More than 50,000 ports
• Easy to deploy
• VXLAN-aware
• Software Object (can be used for filtering)
• Applied to Transport Zones
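As an added example (not part of the presentation), this Python snippet encodes and parses the RFC 7348 VXLAN header behind the "L2 across L3 boundaries" milestone, enforcing the 24-bit VNI limit and the mandatory I flag, and includes a simple VTEP-side check that a received VNI belongs to the local transport zone; the MAC addresses, VNI 5001 and the transport zone set are constructed.

```python
import struct

VXLAN_UDP_PORT = 4789      # destination UDP port assigned to VXLAN by RFC 7348
FLAG_VNI_VALID = 0x08      # "I" flag: the VNI field carries a valid identifier
MAX_VNI = (1 << 24) - 1    # 24-bit VNI gives ~16 million logical segments

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Build the 8-byte VXLAN header and prepend it to an inner Ethernet frame.
    Layout: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", FLAG_VNI_VALID, vni << 8) + inner_frame

def vxlan_decap(payload: bytes) -> dict:
    """Parse a VXLAN UDP payload into its VNI and the inner Ethernet header fields."""
    if len(payload) < 8 + 14:
        raise ValueError("payload too short for VXLAN header plus Ethernet header")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("I flag clear: frame must be discarded (RFC 7348)")
    inner = payload[8:]
    dst, src, ethertype = struct.unpack("!6s6sH", inner[:14])
    return {
        "vni": word >> 8,            # reserved low byte is ignored on receive
        "dst_mac": dst.hex(":"),
        "src_mac": src.hex(":"),
        "ethertype": ethertype,
        "inner_len": len(inner),
    }

def build_inner_frame(dst_mac: str, src_mac: str, ethertype: int, body: bytes) -> bytes:
    """Constructed inner Ethernet II frame used as sample input."""
    return (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
            + struct.pack("!H", ethertype) + body)

def allowed_on_transport_zone(vni: int, zone_vnis: set) -> bool:
    """Defender check: a VTEP should only accept VNIs that belong to its transport zone."""
    return vni in zone_vnis
```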
SDN Solution Milestones II
DFW for Physical Firewall
• Modular, Defined In Software
• Included with NSX (Advanced and Enterprise Edition)
• Integrated with all objects in vSphere
• East-West Filtering
• Dynamic Groups
EDGE ESG/DLRs for Physical Routers / LB
• Integrates with all objects in vSphere
• DHCP relay / NAT / LB / OSPF / BGP in one vApp
• DLR distributed dataplane avoids hairpinning E-W traffic to Edges
• Easy HA deployment
• More than 999 interfaces (DLR); 200 sub-interfaces on an Edge trunk
Key achievements
Infrastructure Consolidation
• 80% fewer physical switches (from 20 to 4)
• No physical firewall
• No physical load balancer
• Only 1 physical rack per datacenter (3+ racks per datacenter in the past)
• Reduced energy consumption, number of physical devices, rack space, cabling and complexity
Operational Improvements
• Centralized management from NSX and Security Console
• Object-oriented micro-segmentation at VM level
• Unified services on appliances (LB / NAT / DHCP)
• Automated deployment of environments including network connectivity (from days to hours)
• Improved speed (kernel speed)
• Optimized data path
Business Benefits
• Excellent performance.
– Critical for virtual desktop systems
• Solid
– First year in operation without significant problems
• Scalable
– Platform is agile and simple compared to traditional solutions
• Short deployment time
– The test environment was completed in two weeks
• Costs
– Investment and maintenance costs are lower compared to other technologies
Thank You