Learning VMware NSX - Second Edition

By Ranjit Singh Thakurratan

About this book

VMware NSX is a platform for the software-defined data center. It allows complex networking topologies to be deployed programmatically in seconds. SDNs allow ease of deployment, management, and automation in deploying and maintaining new networks while reducing and in some cases completely eliminating the need to deploy traditional networks.

The book gives you a thorough understanding of implementing software-defined networks using VMware's NSX. You will come across the best practices for installing and configuring NSX to set up your environment. Then you will get a brief overview of the NSX core components and NSX's basic architecture. Once you are familiar with these, you will learn how to deploy the various NSX features. Furthermore, you will understand how to manage and monitor NSX and its associated services and features. In addition to this, you will also explore the best practices for NSX deployments.

By the end of the book, you will be able to deploy VMware NSX in your own environment with ease. This book can also come in handy if you are preparing for VMware NSX certification.

Publication date: August 2017
Publisher: Packt
Pages: 254
ISBN: 9781788398985

Chapter 1. Introduction to Network Virtualization

This chapter begins with a brief introduction to network virtualization, followed by an overview of its concepts. We then introduce VMware's NSX-V network virtualization solution that allows you to deploy and manage your own software-defined networking stack. We will go over all the features and services of NSX, followed by its configuration maximums. By the end of this chapter, you will have a thorough understanding of the concepts of network virtualization, and NSX-V as a network virtualization solution.

In this chapter, we will cover:

  • Introducing network virtualization
  • Concepts of network virtualization
  • Introducing the NSX-V network virtualization platform
  • NSX features and services
  • NSX configuration maximums
  • Summary

Introducing network virtualization


Today's datacenter demands are a paradigm shift from what they were a decade ago. As the cloud consumption model is being rapidly adopted across the industry, the need for on-demand provisioning of compute, storage, and networking resources is greater than ever. One of the biggest contributing factors to enable the cloud consumption model is server virtualization.

Server virtualization has enabled fast consumption of compute resources along with add-on functionality and services. Snapshots, clones, and templates are all now easier than ever with server virtualization.

If you have worked in a datacenter, you would agree that networking is always challenging to work with. Once the networking design is established, any changes that need to be made are always challenging because of a lack of flexibility due to increasing complexity and demands on the environment. While compute and storage have rapidly improved in their speed of deployment and consumption, networking continues to remain a challenge in today's environments, where simple tasks such as creating a new VLAN are becoming increasingly complex and time consuming.

Note

A metaphor: Today's networking is similar to building roads and highways in a city. Once you have the highways and roads established, it is not easy to expand them, or simply remove and replace them, without affecting traffic. You always have to think ahead and build to facilitate future growth and flexibility. Similarly, traditional networks in a datacenter have to be built to handle future growth and should be flexible enough to allow for changes as they happen.

Network virtualization is the virtualization of network resources using software and networking hardware that enables faster provisioning and deployment of networking resources. Network virtualization lays the foundation for software-defined networking, which allows instant deployment of services to be offered to the consumers. Services such as Edge gateways, VPN, DHCP, DNS, and load balancers can be instantly provisioned and deployed because of the software aspect of network virtualization. The networking hardware allows for physical connectivity, while the software is where all the network logic resides allowing for a feature-rich network service offering.

Network virtualization allows for consumption of simplified logical networking devices and services that are completely abstracted from the complexities of the underlying physical network. Lastly, network virtualization is key for a software-defined data center (SDDC).

Concepts of network virtualization


Now that we have defined what network virtualization is about, let's go over some of the key concepts of network virtualization and software-defined networking:

  • Decoupling: An important concept of network virtualization is the decoupling of software from the networking hardware. The software works independently of the networking hardware that physically interconnects the infrastructure. Networking hardware that can interoperate with the software will enhance the functionality, but it is not necessary. Remember that your throughput on the wire will always be limited by your network hardware's performance.
  • Control plane: The decoupling of software and networking hardware allows you to control your network better because all the logic resides in the software. This control aspect of your network is called the control plane. The control plane provides the means to configure, monitor, and troubleshoot the network, and also allows it to be automated.
  • Data plane: The networking hardware forms the data plane, where all the data is forwarded from source to destination. The management of data resides in the control plane; the data plane consists of all the networking hardware whose primary function is to forward traffic over the wire from source to destination. The data plane holds all the forwarding tables, which are constantly updated by the control plane. This separation also prevents traffic interruptions if the control plane is lost, because the networking hardware that constitutes the data plane continues to forward traffic using the tables it already holds.
  • Application Programming Interface (API): The API is one of the most important aspects of a virtualized network and allows for true software-defined networking by instantly changing the network's behavior. With the API, you can instantly deploy rich network services in your existing network. Network services such as Edge gateways, VPNs, firewalls, and load balancers can all be deployed on the fly by means of the API.

Introducing the NSX-V network virtualization platform


VMware NSX-V is a network virtualization platform that allows for software-defined networks and is a critical component of software-defined datacenter architecture. VMware's NSX-V software abstracts the underlying physical network by introducing a software layer that makes it easy to consume network resources by creating multiple virtual networks. NSX-V also allows for deploying multiple logical network services on top of the abstracted layer.

Note

VMware acquired NSX from Nicira in July 2012. Nicira's NSX was primarily used for network virtualization on a Xen-based hypervisor.

VMware now has two flavors of NSX: NSX-V, and NSX-MH. NSX-V is NSX for a VMware-based hypervisor while NSX-Multi Hypervisor (NSX-MH) is for OpenStack environments. The two versions have many similarities but also are dissimilar in some aspects. This book focuses on the NSX-VMware (NSX-V) version of NSX only. NSX-V will be referred to as NSX for the rest of the book.

The following figure represents the software abstraction of a physical network and networking hardware by NSX. This is analogous to how the VMware vSphere hypervisor abstracts CPU, memory, and storage, making it possible to create multiple virtual machines:

Just as the vSphere hypervisor allows you to create, delete, snapshot, and monitor a virtual machine, NSX allows you to programmatically create, delete, snapshot, and monitor a virtual network. NSX can be deployed on your current physical network infrastructure, and does not require you to upgrade your existing infrastructure.

Lastly, NSX deployment is non-disruptive to your existing network and traffic. It can seamlessly be deployed on top of your existing infrastructure, and consumption of its services can take place in conjunction with your traditional network.

NSX features and services


Before we get started with NSX, it is important to understand some of its features and services.

Note

NSX 6.2 is the current NSX version as of this writing.

Some NSX features are listed as follows. We will discuss these features in great detail in the following chapters:

  • Logical switching: NSX provides the ability to create L2 and L3 logical switching that enables workload isolation and separation of IP address space between logical networks. NSX creates logical broadcast domains in the virtual space, removing the need to create corresponding networks on the physical switches. This means you are no longer limited to 4096 physical broadcast domains (VLANs).
  • NSX gateway services: The Edge gateway services interconnect your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to and from your physical network through the gateway.
  • Logical routing: Multiple virtual broadcast domains (logical networks) can be created using NSX. As multiple virtual machines subscribe to these domains, it becomes important to be able to route traffic from one logical switch to another. Logical routing achieves this by routing traffic between logical switches, or even between a logical switch and public networks. Logical routing can be extended to perform east-west routing, which saves unnecessary network hops and avoids hairpinning of traffic, thereby increasing network efficiency. Logical routers can also provide north-south connectivity, allowing access to workloads living in the physical networks.

Note

East-west traffic is traffic between virtual machines within a datacenter. In the current context, this typically will be traffic between logical switches in a VMware environment. North-south traffic is traffic moving in and out of your datacenter. This is any traffic that either enters your datacenter or leaves your datacenter.

  • Logical firewall: NSX allows you the option of a distributed logical firewall or an Edge firewall for use within your software-defined networking architecture. A distributed logical firewall allows you to build rules based on attributes that include not just IP addresses and VLANs, but also virtual machine names and vCenter objects. The Edge gateway features a firewall service that can be used to impose security and access restrictions on north-south traffic.
  • Extensibility: Third-party VMware partner solutions integrate directly into the NSX platform, giving you a choice of vendor for multiple service offerings. Many VMware partners offer solutions such as traffic monitoring, IDS, and application firewall services that integrate directly into NSX. This improves the management and end user experience by providing one management system to work with.

The features listed earlier enable NSX to offer a wide variety of services that can be consumed in your infrastructure. These services can be deployed and configured by the NSX API as well. Some of the NSX services are listed as follows:

  • Load balancer: NSX Edge offers a variety of services and the logical load balancer is one of them. The logical load balancer distributes incoming requests among multiple servers to allow for load distribution while abstracting this functionality from end users. The logical load balancer can also be used as a high availability (HA) mechanism to ensure your application has the most uptime.
  • Virtual private networks (VPN): The NSX Edge offers a VPN service that allows you to provision secure, encrypted connectivity for end users to your applications and workloads. The Edge VPN service offers SSL VPN-Plus for remote user access and IPsec site-to-site connectivity, which enables two sites to be interconnected securely.
  • Dynamic Host Configuration Protocol (DHCP): NSX Edge offers DHCP services that allow IP address pooling as well as static IP assignments. An administrator can now rely on the DHCP service to manage all IP addresses in the environment, rather than having to maintain a separate DHCP service. The NSX Edge DHCP service can also relay any DHCP requests generated by your virtual machines to a pre-existing physical or virtual DHCP server, without any interruptions.
  • Domain name system (DNS): NSX Edge offers a DNS relay service that can relay any DNS requests to an external DNS server.
  • Service composer: The service composer allows you to allocate network and multiple security services to security groups. Virtual machines that are part of these security groups are automatically allocated the services.
  • Data security: NSX data security provides visibility into sensitive data, ensures data protection, and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report back on any violations based on the security policy that applies to these virtual machines.

Other NSX features include cross-vCenter networking and security, which allow you to manage multiple vCenter NSX environments using a primary NSX manager. This not only allows centralized management, but also extends one or more services and features across multiple vCenter environments. We will talk more about cross vCenter networking in the upcoming chapters.

NSX configuration maximums


Let's have a look at what the NSX configuration maximums are. VMware has not published an official document, so the following limits listed were gathered by reviewing NSX documentation and online research. Some websites that contributed include www.vmguru.com.

Some of these limits are hard limits, while most of them are soft limits beyond which VMware does not support the configuration. For example, if you exceed the number of concurrent connections per Edge gateway, it will affect your gateway's performance, but won't cause it to halt or reject new connections. The hard limit versus soft limit documentation is not explicitly published, but VMware NSX support can clarify if needed. The chances are that you will scale out your environment before reaching these maximums.

The maximums for NSX follow.

Note

NSX 6.2 is the current NSX version as of this writing. Configuration maximums can differ based on the software release. Always refer to the most up-to-date documentation to ensure accuracy.

The following table shows the limits for NSX – vCenter Maximums:

Description                 Limit
vCenters                    1
NSX Managers                1
DRS clusters                12
NSX controllers             3
Hosts per cluster           32
Hosts per Transport Zone    256

A Transport Zone defines the scope of a logical switch and can span one or more vSphere clusters. We will discuss this in greater depth in the upcoming chapters.

The following table shows the limits for Switching Maximums:

Description                              Limit
Logical switches                         10,000
Logical switch ports                     50,000
Bridges per distributed logical router   500

The following table shows the limits for Distributed Logical Firewall Maximums:

Description                        Limit
Rules per NSX Manager              100,000
Rules per VM                       1,000
Rules per host                     10,000
Concurrent connections per host    2,000,000
Security groups per NSX Manager    10,000

The following table shows the limits for Distributed Logical Router (DLR) Maximums:

Description                     Limit
DLRs per host                   1,000
DLRs per NSX Manager            1,200
Interfaces per DLR              999
Uplink interfaces per DLR       8
Active routes per DLR           2,000
Active routes per NSX Manager   12,000
OSPF adjacencies per DLR        10
BGP peers per DLR               10

Note

Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) are routing protocols.

The following table shows the limits for NSX Edge Services Gateway (ESG) Maximums:

Description                                              Limit
Total number of Edge service gateways per NSX Manager    2,000
Interfaces per ESG (internal, uplink or trunk)           10
Sub-interfaces on a trunk                                200
NAT rules per ESG                                        2,000
Static routes per ESG                                    2,048

The following table shows the per-ESG limits for each Edge Services Gateway form factor (Compact, Large, X-Large, and Quad-Large):

Description                       Compact    Large        X-Large      Quad-Large
OSPF routes per ESG               20,000     50,000       100,000      100,000
OSPF adjacencies per ESG          10         20           40           40
BGP peers per ESG                 10         20           50           50
BGP routes per ESG                20,000     50,000       250,000      250,000
Total routes per ESG              20,000     50,000       250,000      250,000
Concurrent connections per ESG    64,000     1,000,000    1,000,000    1,000,000

The following table shows the limits for Edge Services Gateway Overall Maximums:

Description                       Limit
Load balancer VIPs                64
Load balancer pools               64
Load balancer servers per pool    32
Firewall rules per ESG            2,000

The following table shows the limits for DHCP and VPN Service Maximums:

Description                                                           Limit
DHCP pools per Edge service gateway (all sizes)                       20,000
Number of IPsec tunnels per Edge gateway - Compact                    512
Number of IPsec tunnels per Edge gateway - Large                      1,600
Number of IPsec tunnels per Edge gateway - X-Large                    4,096
Number of IPsec tunnels per Edge gateway - Quad-Large                 6,000
SSL VPN concurrent connections (Compact/Large/X-Large/Quad-Large)     50/100/100/1,000

The following table shows which features are supported in a Multi-vCenter NSX deployment:

Feature                      Supported
Logical switch               Yes
L2 bridges                   No
Logical distributed router   Yes
Distributed firewall         Yes
Edge services                No
IP security groups           Yes
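Because most of these limits are planning inputs rather than something NSX enforces, it helps to check a design against them before deployment. The following Python script is an added example, not code from the book: it encodes the Distributed Logical Firewall and ESG figures from the tables above, picks the smallest ESG form factor that meets a stated requirement, and treats concurrent connections as the soft limit the chapter describes. The function names and the sample plan are constructed for illustration.

```python
"""Check a planned NSX 6.2 design against the configuration maximums
quoted in this chapter.  Added example, not code from the book: the
numbers come from the tables above; the function names and the sample
plan in main() are constructed for illustration."""

# Edge Services Gateway limits per form factor, smallest first,
# in the column order given by ESG_FIELDS.
ESG_FIELDS = ("ospf_routes", "ospf_adjacencies", "bgp_peers", "bgp_routes",
              "total_routes", "concurrent_connections", "ipsec_tunnels",
              "sslvpn_connections")
ESG_SIZES = {
    "Compact":    (20_000, 10, 10, 20_000, 20_000, 64_000, 512, 50),
    "Large":      (50_000, 20, 20, 50_000, 50_000, 1_000_000, 1_600, 100),
    "X-Large":    (100_000, 40, 50, 250_000, 250_000, 1_000_000, 4_096, 100),
    "Quad-Large": (100_000, 40, 50, 250_000, 250_000, 1_000_000, 6_000, 1_000),
}
# The chapter calls concurrent connections a soft limit: exceeding it hurts
# performance but does not make the gateway reject connections.
SOFT_FIELDS = {"concurrent_connections"}

# Distributed logical firewall maximums from the DFW table.
DFW_LIMITS = {"rules_per_manager": 100_000, "rules_per_vm": 1_000,
              "rules_per_host": 10_000, "connections_per_host": 2_000_000,
              "security_groups_per_manager": 10_000}


def exceeded(limits, plan):
    """Return (field, planned, limit) for each planned value above its limit.
    Fields absent from the plan count as zero."""
    return [(field, plan.get(field, 0), limit)
            for field, limit in limits.items() if plan.get(field, 0) > limit]


def smallest_esg(requirement, tolerate_soft=False):
    """Smallest ESG form factor whose limits cover the requirement.

    Hard limits are never exceeded.  With tolerate_soft=True a soft limit
    may be, and the overruns are returned as warnings for the designer.
    Returns (size, warnings), or (None, []) if even Quad-Large is too small,
    in which case the design must scale out to more than one ESG."""
    for size, values in ESG_SIZES.items():
        over = exceeded(dict(zip(ESG_FIELDS, values)), requirement)
        hard = [o for o in over if o[0] not in SOFT_FIELDS]
        soft = [o for o in over if o[0] in SOFT_FIELDS]
        if not hard and (tolerate_soft or not soft):
            return size, soft
    return None, []


def check_dfw(plan):
    """DFW limits the plan breaks; an empty list means the plan fits."""
    return exceeded(DFW_LIMITS, plan)


if __name__ == "__main__":
    # Constructed sample: an edge terminating 700 IPsec tunnels to branches,
    # peering with 12 BGP routers and expected to carry 200,000 flows.
    edge = {"ipsec_tunnels": 700, "bgp_peers": 12, "bgp_routes": 40_000,
            "total_routes": 40_000, "concurrent_connections": 200_000}
    print(smallest_esg(edge))  # ('Large', [])
    dfw = {"rules_per_manager": 30_000, "rules_per_host": 12_000,
           "rules_per_vm": 800, "security_groups_per_manager": 400}
    print(check_dfw(dfw))  # [('rules_per_host', 12000, 10000)]
```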

 

Summary


We started this chapter with an introduction to network virtualization and software-defined networking. We discussed the concepts of network virtualization and introduced VMware's NSX network virtualization platform. We then discussed different NSX features and services, including logical switching, logical routing, Edge gateway services, extensibility, service composer, and data security. We also briefly discussed the multi-vCenter NSX feature. We ended the chapter with configuration maximums for NSX. In Chapter 2,  NSX Core Components, we will look at the different components of NSX and VXLAN.

About the Author

  • Ranjit Singh Thakurratan

    Ranjit Singh Thakurratan is a two-time published author who has over 10 years of multicloud expertise and works as a Principal Chief Architect at DellEMC. Ranjit holds a master's degree in Information Technology (infrastructure assurance) and an engineering degree in computer science. He has presented at numerous conferences held in Boston, Washington DC, New York, Denver, and Dallas. He runs a technology blog and can be reached via his Twitter handle, @RJAPPROVES, and on LinkedIn at RJApproves. Apart from technology, Ranjit is also interested in astrophysics, animal welfare, and open source projects.
