© 2014 VMware Inc. All rights reserved.

Bringing Network Virtualisation to VMware Environments With NSX VMware vForums 2014

Martin Banda Systems Engineer, VMware South Africa @vmgenie mbanda@vmware.com

Agenda

• The Software-Defined Data Center and the Network

• How Does It Work

• Better Security

• Better Operational Visibility

• Logical Traffic Flows

• Use Cases

• Eco System

The Software-Defined Data Center and the Network

Intelligence in Software Operational Model of VM for Data Center Automated Configuration & Management

What is a Software-Defined Data Center (SDDC)?

Intelligence in ASICs Dedicated, Vendor Specific Hardware Manual Configuration & Management

Software

Hardware Compute, Network and Storage Capacity Vendor Independent, Best Price/Performance Hardware Simplified Configuration & Management

Compute Virtualization

The Network is a Barrier to Software Defined Data Center

Any Physical Infrastructure

• Provisioning is slow

• Placement & Mobility is limited

• Operational visibility is limited

• Hardware dependent

• Operationally intensive

Network

Server

Storage

The Solution – Transform the Network with Virtualization

Compute Virtualization

• Programmatic provisioning

• Any workload anywhere

• End-to-end operational visibility

• Decoupled from hardware

• Operationally efficient

Network Virtualization

Hardware Independent

Network

Server

Storage

Any Physical Infrastructure

Software Defined Virtual Network

What is a Network Hypervisor?

General Purpose Server Hardware (Dell, HP, IBM, Quanta,…)

Server Hypervisor

Requirement: x86

Virtual

Machine

Virtual

Machine

Virtual

Machine

Application Application Application

x86 Environment

Decoupled

Hardware

Software

General Purpose IP Hardware (Arista, Cisco, HP, Juniper, Cumulus,…)

Network Hypervisor

Requirement: IP Transport

Virtual

Network

Virtual

Network Virtual

Network

Workload Workload Workload

L2, L3, L4-7 Network Services

Virtualize the Network

Decouple

Any

Hardware

Platform

Network Virtualisation Layer

Network Virtualization Decouples and reproduces the network model

Network Hypervisor Decoupled

Physical Network

(Arista, Cisco, HP, Juniper, Cumulus,…)

Workload Workload Workload

L2

L2

L3

Virtual Network

Workload Workload Workload

Virtual Network

L2

WAN

Subnet A Subnet B Subnet C

How Does It Work?

A Data Centre Network…

Internet

Compute Infrastructure….

Internet

Hypervisors and vSwitches…

Internet

NSX | The “Network Hypervisor”

Internet

Virtual Networks – Like Virtual Machines for the Network

Internet

Programmatic Provisioning

Services Distributed to the Virtual Switch

Physical Workloads and Legacy VLANs

The Power of Distribution

Better Security

20

Security – Complete Isolation

Virtual Networks are isolated from each other (Overlapping IP Addresses)

Virtual Networks are isolated from underlying physical network (IPv6 over IPv4)

Central Policies, Distributed Enforcement, Move with VMs

Internet

Security Policy Security Policy

- Reduce Choke Point Security

- Centrally Define Policies, Distribute Rule Enforcement for Segmentation

- Security Policies Move with VMs

- Changes to central policies automatically

distributed to affected VMs

The Power of Distribution

Service Insertion – Example: Palo Alto Networks Next Generation Firewall

Internet

Security Policy

Security Admin

Traffic Steering

Better Operational Visibility

25

Visibility & Troubleshooting

Visibility & Troubleshooting

Use the network troubleshooting tools you use today,

but with better information

Visibility & Troubleshooting

Use the network troubleshooting tools you use today,

but with better information

IPFIX Log

syslog Netflow Log

Logical Traffic Flows

29

Traffic flow with Distributed Routing – Same Host

vSphere Host

VM

vSphere Distributed Switch

VXLAN Transport Network

10.20.10.10

vSphere Host

VXLAN 5001

10.20.10.12

Logical Router Control VM

VM

VXLAN 5002

Host 1 Host 2

1

2

LIF1 : 192.168.20.1

LIF2 : 192.168.10.1

Uplink LIF

LIF2 – ARP Table

VM IP VM MAC

192.168.10.1

0 MAC2

192.168.20.10

192.168.10.10

DA: vMAC

SA: MAC1 Payload L2 IP

DA: 192.168.10.10

SA: 192.168.20.10

MAC1

MAC2

LIF1

LIF2 vMAC Internal LIFs

DA: MAC2

SA: vMAC

pMAC2 pMAC1

LIF1

LIF2 vMAC

Destination

Interface Mask Gateway Connect

192.168.10.0 255.255.255.

0 0.0.0.0 Direct

192.168.20.0 255.255.255.

0 0.0.0.0 Direct

FIB or Routing Table

3

4

Payload L2 IP

Traffic flow with Distributed Routing – Different Host

vSphere Host

VM

VDS

VXLAN Transport Network

10.20.10.10

VXLAN 5001

VM

VXLAN 5002 1

4

vSphere Host

10.20.10.11 LIF2 - ARP Table

DA: vMAC

SA: MAC1

DA: 10.20.10.11

SA: 10.20.10.10

5002

DA: MAC2

SA: pMAC1

MAC1 MAC2 5

192.168.20.10 DA: MAC2

SA: vMAC

DA: MAC2

SA: pMAC1

2 VM IP VM MAC

192.168.10.1

0 MAC2

Payload L2 IP

DA: 192.168.10.10

SA: 192.168.20.10

Payload L2 IP

L2 IP UDP VXLAN Payload L2 IP

Payload L2 IP 192.168.10.10

LIF1

LIF2 vMAC

pMAC2 pMAC1

LIF1

LIF2 vMAC

Host 1 Host 2

3

Traffic flow from physical host on a VLAN – ARP Req. and Resp.

vSphere Host

vSphere Distributed Switch

10.20.10.10

vSphere Host

Uplink LIF

10.20.10.12

VM

VXLAN 5002

L2 Network

VLAN 10

LIF1

LIF2

Internal LIF

Host 2 Host 1

192.168.10.10

1 2 3

DA: Broadcast

SA: MAC1 Payload L2 IP

DA: 192.168.20.1

SA: 192.168.20.11

192.168.20.11

GW : 192.168.20.1

DA: 192.168.20.11

SA: 192.168.20.1

vMAC

Payload L2 IP DA: MAC1

SA: pMAC2

4

LIF1

LIF2 vMAC

VM

192.168.10.11

MAC1

pMAC2

VXLAN Transport

VLAN 100 VLAN 10

2

MAC2 MAC3

LIF1 : 192.168.20.1

LIF2 : 192.168.10.1

ARP Table

VM IP VM MAC

192.168.20.1 pMAC2

GW : 192.168.10.1

pMAC1

5

Designated

Instance

LIF1

Traffic flow between physical host and VM on VXLAN (Ingress)

vSphere Host

vSphere Distributed Switch

10.20.10.10

vSphere Host

Uplink LIF

10.20.10.12

VM

VXLAN 5002

L2 Network

VLAN 10

LIF1

LIF2

Internal LIF

Host 2 Host 1

192.168.10.10

1 2 3

DA: pMAC2

SA: MAC1 Payload L2 IP

DA: 192.168.10.10

SA: 192.168.20.11

192.168.20.11

GW : 192.168.20.1

vMAC

4

LIF1

LIF2 vMAC

VM

192.168.10.11

MAC1

pMAC2

VXLAN Transport

VLAN 100 VLAN 10

MAC2 MAC3

LIF1 : 192.168.20.1

LIF2 : 192.168.10.1

ARP Table

VM IP VM MAC

192.168.20.1 pMAC2

GW : 192.168.10.1

pMAC1

5002

L2 IP UDP VXLAN Payload L2 IP

DA: 192.168.10.10

SA: 192.168.20.11 DA: 10.20.10.10

SA: 10.20.10.12

DA: MAC2

SA: pMAC2

5

Designated

Instance

LIF1

VM IP VM MAC

Traffic flow from VM on VXLAN to physical host on VLAN (Egress)

vSphere Host

vSphere Distributed Switch

10.20.10.10

vSphere Host

Uplink LIF

10.20.10.12

VM

VXLAN 5002

L2 Network

VLAN 10

LIF1

LIF2

Host 2 Host 1

192.168.10.10

5

192.168.20.11

GW : 192.168.20.1

vMAC

3

LIF1

LIF2 vMAC

VM

192.168.10.11

MAC1

pMAC2

VXLAN Transport

VLAN 100 VLAN 10

MAC2 MAC3 GW : 192.168.10.1

pMAC1

1

2 LIF1 - ARP Table

DA: vMAC

SA: MAC2 Payload L2 IP

DA: 192.168.20.11

SA: 192.168.10.10

Designated

Instance

LIF1

Out of band UDP channel is

established with DI for ARP

resolution on LIF1

VM IP VM MAC

192.168.20.1

1 MAC1

4

ARP request sent out by

the DI

7

ARP response

6 ARP request

DA: MAC1

SA: pMAC1 Payload L2 IP

DA: 192.168.20.11

SA: 192.168.10.10

8

Use Cases

35

VMware NSX Use Case Examples

• Self Service R&D Clouds & Data Center Automation

– Speed & Agility

– Automated Provisioning

• Data Center Refresh

– Flexibility and choice for physical infrastructure

– Hardware independence

• Data Center Migration and Disaster Recovery

– No Re-IPing application workloads

• Scale-out DMZ

• Micro-segmentation

– Leverages inherent isolation and distributed firewalling

36

Ecosystem

37

VMware NSX Ecosystem – Technology Partners

More Information

CONFIDENTIAL 39

Hands on Labs (HOL): http://labs.hol.vmware.com/ NSX Design Guide: http://www.vmware.com/products/nsx/resources NSX Public Landing Page: http://www.vmware.com/products/nsx

Thank You Questions?

CONFIDENTIAL 40