This chapter begins with a brief introduction to network virtualization, followed by an overview of its concepts. We then introduce VMware's NSX-V network virtualization solution that allows you to deploy and manage your own software-defined networking stack. We will go over all the features and services of NSX, followed by its configuration maximums. By the end of this chapter, you will have a thorough understanding of the concepts of network virtualization, and NSX-V as a network virtualization solution.
In this chapter, we will cover:
- Introducing network virtualization
- Concepts of network virtualization
- Introducing the NSX-V network virtualization platform
- NSX features and services
- NSX configuration maximums
- Summary
Today's datacenter demands are a paradigm shift from what they were a decade ago. As the cloud consumption model is being rapidly adopted across the industry, the need for on-demand provisioning of compute, storage, and networking resources is greater than ever. One of the biggest contributing factors to enable the cloud consumption model is server virtualization.
Server virtualization has enabled fast consumption of compute resources along with add-on functionality and services. Snapshots, clones, and templates are all now easier than ever with server virtualization.
If you have worked in a datacenter, you would agree that networking is always challenging to work with. Once the networking design is established, any changes that need to be made are always challenging because of a lack of flexibility due to increasing complexity and demands on the environment. While compute and storage have rapidly improved in their speed of deployment and consumption, networking continues to remain a challenge in today's environments, where simple tasks such as creating a new VLAN are becoming increasingly complex and time consuming.
Note
A metaphor: Today's networking is similar to building roads and highways in a city. Once you have the highways and roads established, it is not easy to expand them, or simply remove and replace them, without affecting traffic. You always have to think ahead and build to facilitate future growth and flexibility. Similarly, traditional networks in a datacenter have to be built to handle future growth and should be flexible enough to allow for changes as they happen.
Network virtualization is the virtualization of network resources using software and networking hardware, which enables faster provisioning and deployment of networking resources. Network virtualization lays the foundation for software-defined networking, which allows instant deployment of services offered to consumers. Services such as Edge gateways, VPN, DHCP, DNS, and load balancers can be provisioned and deployed instantly because of the software aspect of network virtualization. The networking hardware provides the physical connectivity, while the software is where all the network logic resides, allowing for a feature-rich network service offering.
Network virtualization allows for consumption of simplified logical networking devices and services that are completely abstracted from the complexities of the underlying physical network. Lastly, network virtualization is key for a software-defined data center (SDDC).
Now that we have defined what network virtualization is about, let's go over some of the key concepts of network virtualization and software-defined networking:
- Decoupling: An important concept of network virtualization is the decoupling of software from the networking hardware. The software works independently of the networking hardware that physically interconnects the infrastructure. Networking hardware that can interoperate with the software will enhance the functionality, but it is not required. Remember that your throughput on the wire will always be limited by your network hardware performance.
- Control plane: The decoupling of software and networking hardware allows you to control your network better because all the logic resides in the software. This control aspect of your network is called the control plane. The control plane provides the means to configure, monitor, and troubleshoot the network, and also allows it to be automated.
- Data plane: The networking hardware forms the data plane where all the data is forwarded from source to destination. The management of data resides in the control plane; however, the data plane consists of all the networking hardware whose primary function is to forward traffic over the wire from source to destination. The data plane holds all the forwarding tables that are constantly updated by the control plane. This also prevents any traffic interruptions if there is a loss of the control plane, because the networking hardware, which constitutes the data plane, will continue to function without interruptions.
- Application Programming Interface (API): The API is one of the important aspects of a virtualized network and allows for true software-defined networking by instantly changing the network behavior. With the API, you can now instantly deploy rich network services in your existing network. Network services such as Edge gateway, VPN, Firewall, and load balancers can all be deployed on the fly by means of an API.
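The API concept above is easiest to see with a small read-only client. The following is an added example, not code from the book or from VMware: it authenticates to NSX Manager with HTTP basic auth, retrieves the logical switch and Edge inventories, and parses the XML into plain Python records. The API paths (`/api/2.0/vdn/virtualwires` and `/api/4.0/edges`), the element names in the XML, and the two sample responses are assumptions based on the NSX-V 6.2 REST API as the author of this example recalls it; the sample responses are constructed so the parsing runs offline. Certificate verification is deliberately left enabled, with an optional CA file for a self-signed NSX Manager certificate, because an API that can reconfigure the whole network is exactly the kind of endpoint you do not want to talk to over an unverified TLS session.

```python
"""Read-only NSX-V inventory client (added example; assumed API shapes)."""
import base64
import os
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional


def basic_auth_header(user: str, password: str) -> str:
    """NSX Manager accepts HTTP basic auth; build the Authorization value."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def nsx_get(manager: str, path: str, user: str, password: str,
            cafile: Optional[str] = None, timeout: int = 30) -> bytes:
    """GET an API path from NSX Manager over HTTPS with certificate verification.

    cafile points at the CA (or the self-signed certificate) of the manager;
    verification is never disabled here.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(
        f"https://{manager}{path}",
        headers={"Authorization": basic_auth_header(user, password),
                 "Accept": "application/xml"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return resp.read()


def parse_logical_switches(xml_bytes: bytes) -> List[Dict[str, object]]:
    """Flatten a <virtualWires> response into one dict per logical switch."""
    root = ET.fromstring(xml_bytes)
    switches = []
    for vw in root.iter("virtualWire"):
        switches.append({
            "id": vw.findtext("objectId", ""),
            "name": vw.findtext("name", ""),
            "vni": int(vw.findtext("vdnId", "0")),          # VXLAN network id
            "transport_zone": vw.findtext("vdnScopeId", ""),
        })
    return switches


def parse_edges(xml_bytes: bytes) -> List[Dict[str, str]]:
    """Flatten a <pagedEdgeList> response into one dict per Edge appliance."""
    root = ET.fromstring(xml_bytes)
    return [{
        "id": e.findtext("objectId", ""),
        "name": e.findtext("name", ""),
        "type": e.findtext("edgeType", ""),                 # gatewayServices / distributedRouter
        "size": e.findtext("appliancesSummary/applianceSize", ""),
    } for e in root.iter("edgeSummary")]


# Constructed sample responses (assumed element layout) so this runs offline.
SAMPLE_VIRTUALWIRES = b"""<virtualWires><dataPage>
  <pagingInfo><totalCount>2</totalCount></pagingInfo>
  <virtualWire><objectId>virtualwire-1</objectId><name>web-tier</name>
    <vdnId>5000</vdnId><vdnScopeId>vdnscope-1</vdnScopeId></virtualWire>
  <virtualWire><objectId>virtualwire-2</objectId><name>db-tier</name>
    <vdnId>5001</vdnId><vdnScopeId>vdnscope-1</vdnScopeId></virtualWire>
</dataPage></virtualWires>"""

SAMPLE_EDGES = b"""<pagedEdgeList><edgePage>
  <edgeSummary><objectId>edge-1</objectId><name>perimeter-esg</name>
    <edgeType>gatewayServices</edgeType>
    <appliancesSummary><applianceSize>large</applianceSize></appliancesSummary></edgeSummary>
  <edgeSummary><objectId>edge-2</objectId><name>dlr-1</name>
    <edgeType>distributedRouter</edgeType>
    <appliancesSummary><applianceSize>compact</applianceSize></appliancesSummary></edgeSummary>
</edgePage></pagedEdgeList>"""


if __name__ == "__main__":
    # Live run: credentials from the environment, never hard-coded in scripts.
    manager = os.environ.get("NSX_MANAGER")
    if manager:
        user, pw = os.environ["NSX_USER"], os.environ["NSX_PASSWORD"]
        ca = os.environ.get("NSX_CAFILE")
        sw = parse_logical_switches(nsx_get(manager, "/api/2.0/vdn/virtualwires", user, pw, ca))
        ed = parse_edges(nsx_get(manager, "/api/4.0/edges", user, pw, ca))
    else:  # offline demo on the constructed samples
        sw, ed = parse_logical_switches(SAMPLE_VIRTUALWIRES), parse_edges(SAMPLE_EDGES)
    for s in sw:
        print(f"switch {s['id']:16} vni={s['vni']} {s['name']} ({s['transport_zone']})")
    for e in ed:
        print(f"edge   {e['id']:16} {e['type']:18} {e['size']:10} {e['name']}")
```

Set `NSX_MANAGER`, `NSX_USER`, `NSX_PASSWORD` and, for a self-signed manager certificate, `NSX_CAFILE` to run it against a real manager; without them it prints the constructed samples. The two parse functions are where you would add checks against the maximums later in this chapter, for example counting logical switches against the 10,000 limit.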
VMware NSX-V is a network virtualization platform that allows for software-defined networks and is a critical component of software-defined datacenter architecture. VMware's NSX-V software abstracts the underlying physical network by introducing a software layer that makes it easy to consume network resources by creating multiple virtual networks. NSX-V also allows for deploying multiple logical network services on top of the abstracted layer.
Note
VMware acquired NSX from Nicira in July, 2012. Nicira's NSX was primarily being used for network virtualization in a Xen-based hypervisor.
VMware now has two flavors of NSX: NSX-V, and NSX-MH. NSX-V is NSX for a VMware-based hypervisor while NSX-Multi Hypervisor (NSX-MH) is for OpenStack environments. The two versions have many similarities but also are dissimilar in some aspects. This book focuses on the NSX-VMware (NSX-V) version of NSX only. NSX-V will be referred to as NSX for the rest of the book.
The following figure represents the software abstraction of a physical network and networking hardware by NSX. This is synonymous with how the VMware vSphere hypervisor achieves software abstraction of CPU, memory, and storage, making it possible for the creation of multiple virtual machines:

Just as the vSphere hypervisor allows you to create, delete, snapshot, and monitor a virtual machine, NSX allows you to programmatically create, delete, snapshot, and monitor a virtual network. NSX can be deployed on your current physical network infrastructure, and does not require you to upgrade your existing infrastructure.
Lastly, NSX deployment is non-disruptive to your existing network and traffic. It can seamlessly be deployed on top of your existing infrastructure, and consumption of its services can take place in conjunction with your traditional network.
Before we get started with NSX, it is important to understand some of its features and services.
Some NSX features are listed as follows. We will discuss these features in great detail in the following chapters:
- Logical switching: NSX lets you create L2 and L3 logical switches, which enables workload isolation and separation of IP address space between logical networks. NSX can create logical broadcast domains in the virtual space, which removes the need to create any logical networks on the physical switches. This means you are no longer limited to 4096 physical broadcast domains (VLANs).
- NSX gateway services: The Edge gateway services interconnect your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to your physical network through the gateway.
- Logical routing: Multiple virtual broadcast domains (logical networks) can be created using NSX. As multiple virtual machines subscribe to these domains, it becomes important to be able to route traffic from one logical switch to another. Logical routing helps achieve this by routing traffic between logical switches, or even between a logical switch and public networks. Logical routing can be extended to perform east-west routing that saves unnecessary network hops, increasing network efficiency. Logical routers can also provide north-south connectivity allowing access to workloads living in the physical networks. Logical routers also help avoid hairpinning of traffic, thereby increasing network efficiency.
Note
East-west traffic is traffic between virtual machines within a datacenter. In the current context, this typically will be traffic between logical switches in a VMware environment. North-south traffic is traffic moving in and out of your datacenter. This is any traffic that either enters your datacenter or leaves your datacenter.
- Logical firewall: NSX allows you the option of a distributed logical firewall or an Edge firewall for use within your software-defined networking architecture. A distributed logical firewall allows you to build rules based on attributes that include not just IP addresses and VLANs, but also virtual machine names and vCenter objects. The Edge gateway features a firewall service that can be used to impose security and access restrictions on north-south traffic.
- Extensibility: There are third-party VMware partner solutions to integrate directly into the NSX platform that allow a vendor choice in multiple service offerings. There are many VMware partners who offer solutions such as traffic monitoring, IDS, and application firewall services that can integrate directly into NSX. This enhances management and end user experience by having one management system to work with.
The features listed earlier enable NSX to offer a wide variety of services that can be consumed in your infrastructure. These services can be deployed and configured by the NSX API as well. Some of the NSX services are listed as follows:
- Load balancer: NSX Edge offers a variety of services and the logical load balancer is one of them. The logical load balancer distributes incoming requests among multiple servers to allow for load distribution while abstracting this functionality from end users. The logical load balancer can also be used as a high availability (HA) mechanism to ensure your application has the most uptime.
- Virtual private networks (VPN): The NSX Edge offers a VPN service that allows you to provision secure, encrypted connectivity for end users to your applications and workloads. The Edge VPN service offers SSL-VPN Plus for remote user access, and IPSEC site-to-site connectivity, which enables two sites to be interconnected securely.
- Dynamic Host Configuration Protocol (DHCP): NSX Edge offers DHCP services that allow IP address pooling as well as static IP assignments. An administrator can rely on the DHCP service to manage all IP addresses in the environment, rather than having to maintain a separate DHCP service. The NSX Edge DHCP service can also relay any DHCP requests generated by your virtual machines to a pre-existing physical or virtual DHCP server, without any interruptions.
- Domain name system (DNS): NSX Edge offers a DNS relay service that can relay any DNS requests to an external DNS server.
- Service composer: The service composer allows you to allocate network and multiple security services to security groups. Virtual machines that are part of these security groups are automatically allocated the services.
- Data security: NSX data security provides visibility into sensitive data, ensures data protection, and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report back on any violations based on the security policy that applies to these virtual machines.
Other NSX features include cross-vCenter networking and security, which allows you to manage multiple vCenter NSX environments using a primary NSX Manager. This not only allows centralized management, but also extends one or more services and features across multiple vCenter environments. We will talk more about cross-vCenter networking in the upcoming chapters.
Let's have a look at what the NSX configuration maximums are. VMware has not published an official document, so the following limits listed were gathered by reviewing NSX documentation and online research. Some websites that contributed include www.vmguru.com.
Some of these limits are hard limits, while most of them are soft limits beyond which VMware does not support the configuration. For example, if you exceed the number of concurrent connections per Edge gateway, it will affect your gateway's performance, but won't cause it to halt or reject new connections. The hard limit versus soft limit distinction is not explicitly documented, but VMware NSX support can clarify it if needed. The chances are that you will scale out your environment before reaching these maximums.
The maximums for NSX follow.
Note
NSX 6.2 is the current NSX version as of this writing. Configuration maximums can differ based on the software release. Always refer to the most up-to-date documentation to ensure accuracy.
The following table shows the limits for NSX – vCenter Maximums:
| Description | Limit |
|---|---|
| vCenters | 1 |
| NSX Managers | 1 |
| DRS clusters | 12 |
| NSX controllers | 3 |
| Hosts per cluster | 32 |
| Hosts per Transport Zone | 256 |
A Transport Zone defines the scope of a logical switch and can span one or more vSphere clusters. We will discuss this in greater depth in the upcoming chapters.
The following table shows the limits for Switching Maximums:
| Description | Limit |
|---|---|
| Logical switches | 10,000 |
| Logical switch ports | 50,000 |
| Bridges per distributed logical router | 500 |
The following table shows the limits for Distributed Logical Firewall Maximums:
| Description | Limit |
|---|---|
| Rules per NSX Manager | 100,000 |
| Rules per VM | 1,000 |
| Rules per host | 10,000 |
| Concurrent connections per host | 2,000,000 |
| Security groups per NSX Manager | 10,000 |
The following table shows the limits for Distributed Logical Router (DLR) Maximums:
| Description | Limit |
|---|---|
| DLRs per host | 1,000 |
| DLRs per NSX Manager | 1,200 |
| Interfaces per DLR | 999 |
| Uplink interfaces per DLR | 8 |
| Active routes per DLR | 2,000 |
| Active routes per NSX Manager | 12,000 |
| OSPF adjacencies per DLR | 10 |
| BGP peers per DLR | 10 |
The following table shows the limits for NSX Edge Services Gateway (ESG) Maximums:
| Description | Limit |
|---|---|
| Total number of Edge service gateways per NSX Manager | 2,000 |
| Interfaces per ESG (internal, uplink, or trunk) | 10 |
| Sub-interfaces on a trunk | 200 |
| NAT rules per ESG | 2,000 |
| Static routes per ESG | 2,048 |
The following table shows the limits for Edge Services Gateway Compact Maximums:
| Description | Limit |
|---|---|
| OSPF routes per ESG | 20,000 |
| OSPF adjacencies per ESG | 10 |
| BGP peers per ESG | 10 |
| BGP routes per ESG | 20,000 |
| Total routes per ESG | 20,000 |
| Concurrent connections per ESG | 64,000 |
The following table shows the limits for Edge Services Gateway Large Maximums:
| Description | Limit |
|---|---|
| OSPF routes per ESG | 50,000 |
| OSPF adjacencies per ESG | 20 |
| BGP peers per ESG | 20 |
| BGP routes per ESG | 50,000 |
| Total routes per ESG | 50,000 |
| Concurrent connections per ESG | 1,000,000 |
The following table shows the limits for Edge Services Gateway X-Large Maximums:
| Description | Limit |
|---|---|
| OSPF routes per ESG | 100,000 |
| OSPF adjacencies per ESG | 40 |
| BGP peers per ESG | 50 |
| BGP routes per ESG | 250,000 |
| Total routes per ESG | 250,000 |
| Concurrent connections per ESG | 1,000,000 |
The following table shows the limits for Edge Services Gateway Quad-Large Maximums:
| Description | Limit |
|---|---|
| OSPF routes per ESG | 100,000 |
| OSPF adjacencies per ESG | 40 |
| BGP peers per ESG | 50 |
| BGP routes per ESG | 250,000 |
| Total routes per ESG | 250,000 |
| Concurrent connections per ESG | 1,000,000 |
The following table shows the limits for Edge Services Gateway Overall Maximums:
| Description | Limit |
|---|---|
| Load balancer VIPs | 64 |
| Load balancer pools | 64 |
| Load balancer servers per pool | 32 |
| Firewall rules per ESG | 2,000 |
The following table shows the limits for DHCP and VPN Service Maximums:
| Description | Limit |
|---|---|
| DHCP pools per Edge service gateway (all sizes) | 20,000 |
| Number of IPSEC tunnels per Edge gateway - Compact | 512 |
| Number of IPSEC tunnels per Edge gateway - Large | 1,600 |
| Number of IPSEC tunnels per Edge gateway - X-Large | 4,096 |
| Number of IPSEC tunnels per Edge gateway - Quad-Large | 6,000 |
| SSL VPN number of concurrent connections (compact/large/x-large/quad-large) | 50/100/100/1000 |
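The per-size ESG tables above are most useful when turned into a sizing check: given what a design needs from a gateway (routes, peers, concurrent connections, tunnels, VPN users, load balancer objects), which appliance size is the smallest one that stays within every maximum, and by how much does the design exceed a chosen size? The following is an added example, not code from the book or from VMware; it encodes only the numbers in the tables above (NSX 6.2 as of this writing) and treats every limit as a ceiling, since the book notes that hard versus soft limits are not formally distinguished. The metric names and the sample design are this example's own.

```python
"""ESG sizing check against the configuration maximums listed above (added example)."""
from typing import Dict, Optional, Tuple

# Appliance sizes in ascending order of capacity.
ESG_SIZES = ("compact", "large", "x-large", "quad-large")

# Limits that depend on the appliance size, one value per entry of ESG_SIZES.
ESG_SIZED_LIMITS: Dict[str, Tuple[int, int, int, int]] = {
    "ospf_routes":            (20_000, 50_000, 100_000, 100_000),
    "ospf_adjacencies":       (10, 20, 40, 40),
    "bgp_peers":              (10, 20, 50, 50),
    "bgp_routes":             (20_000, 50_000, 250_000, 250_000),
    "total_routes":           (20_000, 50_000, 250_000, 250_000),
    "concurrent_connections": (64_000, 1_000_000, 1_000_000, 1_000_000),
    "ipsec_tunnels":          (512, 1_600, 4_096, 6_000),
    "ssl_vpn_connections":    (50, 100, 100, 1_000),
}

# Limits that apply to every ESG regardless of size.
ESG_FIXED_LIMITS: Dict[str, int] = {
    "interfaces": 10,
    "nat_rules": 2_000,
    "static_routes": 2_048,
    "lb_vips": 64,
    "lb_pools": 64,
    "lb_servers_per_pool": 32,
    "firewall_rules": 2_000,
    "dhcp_pools": 20_000,
}


def limit_for(metric: str, size: str) -> int:
    """Look up the ceiling for one metric at one appliance size."""
    if metric in ESG_SIZED_LIMITS:
        return ESG_SIZED_LIMITS[metric][ESG_SIZES.index(size)]
    if metric in ESG_FIXED_LIMITS:
        return ESG_FIXED_LIMITS[metric]
    raise KeyError(f"unknown ESG metric: {metric!r}")


def exceeded_limits(size: str, requirements: Dict[str, int]) -> Dict[str, Tuple[int, int]]:
    """Return {metric: (required, limit)} for every metric the design exceeds at this size."""
    return {m: (need, limit_for(m, size))
            for m, need in requirements.items() if need > limit_for(m, size)}


def smallest_esg_size(requirements: Dict[str, int]) -> Optional[str]:
    """Smallest appliance size that satisfies every requirement, or None if no size does.

    None also covers a fixed limit being exceeded (e.g. 2,500 firewall rules),
    which no appliance size can fix: the design has to be split across ESGs.
    """
    for size in ESG_SIZES:
        if not exceeded_limits(size, requirements):
            return size
    return None


def utilisation(size: str, requirements: Dict[str, int]) -> Dict[str, float]:
    """Fraction of each ceiling consumed, so you can see what to scale out first."""
    return {m: need / limit_for(m, size) for m, need in requirements.items()}


if __name__ == "__main__":
    # Constructed sample design: a perimeter gateway for a mid-sized tenant.
    design = {
        "total_routes": 30_000,
        "bgp_peers": 4,
        "concurrent_connections": 100_000,
        "ipsec_tunnels": 200,
        "ssl_vpn_connections": 80,
        "firewall_rules": 900,
        "lb_vips": 12,
    }
    chosen = smallest_esg_size(design)
    print("smallest size that fits:", chosen)
    for metric, (need, limit) in exceeded_limits("compact", design).items():
        print(f"compact would be over on {metric}: need {need:,} > limit {limit:,}")
    if chosen:
        for metric, frac in sorted(utilisation(chosen, design).items(), key=lambda kv: -kv[1]):
            print(f"{chosen}: {metric:24} {frac:6.1%} of ceiling")
```

For the sample design the script picks `large` (compact falls short on routes and concurrent connections) and shows that total routes, at 60% of the large ceiling, is the metric to watch. Use `utilisation()` with a threshold of your own choosing as the early-warning check the book hints at: scaling out well before a ceiling is reached is the expected operating model.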
The following table shows the limits for Multi-vCenter NSX Supported Features:
| Feature | Supported |
|---|---|
| Logical switch | Yes |
| L2 bridges | No |
| Logical distributed router | Yes |
| Distributed firewall | Yes |
| Edge services | No |
| IP security groups | Yes |
We started this chapter with an introduction to network virtualization and software-defined networking. We discussed the concepts of network virtualization and introduced VMware's NSX network virtualization platform. We then discussed different NSX features and services, including logical switching, logical routing, Edge gateway services, extensibility, service composer, and data security. We also briefly discussed the multi-vCenter NSX feature. We ended the chapter with configuration maximums for NSX. In Chapter 2, NSX Core Components, we will look at the different components of NSX and VXLAN.