Network Virtualization

Concepts
From NDG In partnership with VMware IT Academy
www.vmware.com/go/academy
Why learn virtualization?

• Modern computing is more efficient due to virtualization

• Virtualization can be used for mobile, personal and cloud computing

• You can also use virtualization in your personal life

© Network Development Group reserved for use with NDG.tech/vmware
This content will cover

• NSX capabilities and benefits

• the major VMware NSX® components in the data, management, and control planes and their interactions

• relevant NSX features to use cases

• NSX network virtualization components and services

• how network virtualization is utilized in an SDDC environment

Course Overview
● The Network Virtualization Concepts micro-course consists of six modules:

● Module 1: Welcome!
● Module 2: Introduction to Network Virtualization
● Module 3: The Software-Defined Data Center
● Module 4: Network Virtualization Service
● Module 5: The NSX Data Center
● Module 6: Where To Go From Here?

Network Virtualization Benefits

• Efficient cloud deployments are only limited by legacy non-virtual network infrastructures

• Virtual networks enable the benefits of a cloud deployment to be utilized across an organization's infrastructure

• Virtualized networks provide speed, mobility, and security

• Isolated networks prevent threats from spreading

Module 2: Introduction to Network Virtualization
Introduction to Network Virtualization
● A 5G world has virtualization at its core. As the number of connected devices mushrooms from the hundreds of millions to the tens of billions, data centers are relying more and more on virtualized infrastructure to handle the tsunami of data that we're producing and consuming. And it's not just data centers: the fact that 100% of the Fortune 100 companies use virtualization (and VMware virtualization technology at that) tells its own story.
● In the Software-Defined Data Center (SDDC), compute, networking, and storage infrastructure is virtualized so that resources can be pooled and used more efficiently, less expensively, and faster. Real strides have been made in server (compute) virtualization and are increasingly being seen with storage virtualization.
● The efficiencies gained from them, however, have been limited to a certain extent by legacy (i.e., traditional, non-virtual) network infrastructure that's still reliant on physical hardware and mainly manual processes. While an organization's virtualized compute and storage may be dynamic, agile, and flexible, its legacy networking just can't keep up. And an infrastructure or organization that can't keep up often gets left behind.
● Network virtualization enables the speed, mobility, and security needed in a 5G world. Infrastructure can be made ready for new applications or be changed in minutes, rather than days or weeks. Apps and workloads are no longer restricted to individual physical subnets, and neither are switches, routers, firewalls, etc. The security focus moves from simply protecting the perimeter (the outside surface) of a data center's infrastructure to giving each virtual machine and virtual network its own firewall, shifting the focus to the inside perimeter of the data center and reducing the attack surface. In addition, virtual networks are isolated and (as we will learn later in this course) segmented from each other and from the underlying physical infrastructure, so that threats cannot spread if they do get in.
● Network virtualization extends these features and many others to the cloud as well, a critical factor to the 81% of enterprises that now use multiple cloud deployment models.
What is Network Virtualization?
Network Hypervisor
• Physical network resources are recreated (virtualized) in software

• Routers, switches, and load balancers become virtual devices in the hypervisor
layer

• The pool of devices can be used as needed, on demand

• The entire network can now be run on software

● Network virtualization totally separates network resources from physical hardware by recreating those networking resources in software, i.e. by virtualizing them.
● Physical routers (which forward data across multiple networks), switches (which forward data on a single Local Area Network or LAN) and load balancers (which even out workloads to prevent servers from being overwhelmed) are virtualized in the hypervisor layer using off-the-shelf, industry-standard servers (server/compute hosts).
● This virtualized pool can then be used as needed, on demand. The underlying physical hardware remains important (it's still used for forwarding) but no longer needs to be reconfigured every time a new VM or container is added or updated, or every time a device on the network is moved to a different part of the network. The whole network can now be run in software.

Overlay Networking
• Virtual networks on top of physical networks

• End points connected to physical ports are assigned a VNID and connected together via virtual links.

• Virtual links are the software equivalent to physical links

Flexibility
• Virtual networks can be as small as two devices or as large as
multiple sites of major enterprise networks.

• Flexible enough to use with any cloud or cluster

• VMware’s NSX for vSphere runs independently of the host’s operating system

• NSX-T Data Center runs within the host’s operating system

Virtual Networks vs VLANs
• A virtual network is not the same thing as a VLAN

• VLANs provide layer 2 organization by assigning physical switchports to a specific purpose or group

• Only 4096 VLANs can be created on a layer 2 network; not a lot for a large
enterprise.

• Configuration of VLANs can be time consuming

Virtual Networks vs VLANs
• Network virtualization provides network services beyond data transfer

• Networks can be recreated in seconds

• Snapshots can be created to save and restore an exact state of a network

• Every network and security service is virtualized

What is Software-Defined Networking?
Software-Defined Network
• Network virtualization and Software-Defined Networking (SDN)
both seek to provide greater network agility

• Both use software to recreate network components

• Both separate the control plane from the data plane

• Both use a controller to help centralize management

• Both provide increased agility to allow great speed and precision in administration

Software-Defined Network
• SDN is more broadly-defined

• SDN uses software to control switches and routers

• The network is not fully virtualized

• Hardware still plays a role in SDN

Virtual Networks in Physical Networks
• Virtual networks dramatically increase the scope of physical networks

• Virtual networks can run in isolation alongside or on top of identical physical networks

• Each network is unaffected by the events on another network

Bridging Between Virtualized Networks and Traditional VLANs
Overlay Encapsulation Methodologies
• The two most widely used methodologies of overlay networking are:
o Virtual Extensible Local Area Network (VXLAN)
o Generic Network Virtualization Encapsulation (GENEVE)

• VXLAN is vendor neutral and defined by RFC 7348

• GENEVE was jointly developed by Microsoft, Red Hat, and VMware and is currently going through the IETF process to become an RFC, so it is equally vendor neutral

• It is important to note that VMware NSX-V utilizes VXLAN and VMware NSX-T uses GENEVE.
VXLAN Operation
• VXLAN works on hardware, software, or both
• 16,777,215 VXLANs are possible compared to 4096 in a traditional VLAN
• Creating a virtual network on top of a physical network is called overlay networking
• A VXLAN ID is called a VXLAN Network Identifier (VNI). Each VNI is a separate virtual network that runs in the overlay network; these virtual networks are also known as bridge domains
• VXLAN Tunnel Endpoints (VTEPs) connect the physical network to the overlay network

GENEVE
• GENEVE is almost identical to VXLAN

• It is more flexible because it offers control plane independence between tunnel endpoints

• GENEVE does not have VTEPs (VXLAN tunnel endpoints), just tunnel endpoints (TEPs)
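An added example (not part of the NDG/VMware course material) that builds and parses the two overlay headers described on the VXLAN and GENEVE slides: the fixed 8-byte VXLAN header of RFC 7348 with its 24-bit VNI, and the GENEVE header whose variable-length option TLVs are what gives tunnel endpoints their extra flexibility. The VNI values, the option class and the inner Ethernet frame are constructed samples.

```python
import struct

VXLAN_UDP_PORT = 4789        # IANA port for VXLAN (RFC 7348)
GENEVE_UDP_PORT = 6081       # IANA port for GENEVE
VNI_MAX = (1 << 24) - 1      # 24-bit VNI: 16,777,215 overlay segments
VLAN_ID_MAX = (1 << 12) - 1  # 12-bit 802.1Q VLAN ID field: 4096 values (0..4095)


def build_vxlan_header(vni: int) -> bytes:
    """RFC 7348 header: 8 flag bits (I bit set), 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", 0x08, vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI, rejecting headers a VTEP would discard (too short, or I flag unset)."""
    if len(data) < 8:
        raise ValueError("truncated VXLAN header")
    if not data[0] & 0x08:
        raise ValueError("VXLAN I flag not set: no valid VNI")
    return int.from_bytes(data[4:7], "big")


def build_geneve_header(vni: int, options=(), protocol_type: int = 0x6558) -> bytes:
    """GENEVE header: Ver/OptLen, flags, protocol type (0x6558 = Ethernet), 24-bit VNI, TLV options."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError("VNI must fit in 24 bits")
    opts = b""
    for opt_class, opt_type, opt_data in options:
        # The option length field is 5 bits and counts 4-byte words, so at most 124 data bytes
        if len(opt_data) % 4 or len(opt_data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        opts += struct.pack("!HBB", opt_class, opt_type, len(opt_data) // 4) + opt_data
    opt_words = len(opts) // 4
    if opt_words > 63:                    # OptLen is a 6-bit field
        raise ValueError("too many option bytes")
    first_byte = (0 << 6) | opt_words     # version 0 in the top two bits
    return struct.pack("!BBHI", first_byte, 0x00, protocol_type, vni << 8) + opts


def parse_geneve_header(data: bytes) -> dict:
    """Return VNI, protocol type, decoded options and inner payload; reject malformed option areas."""
    if len(data) < 8:
        raise ValueError("truncated GENEVE header")
    first_byte, _flags, proto = struct.unpack("!BBH", data[:4])
    if first_byte >> 6 != 0:
        raise ValueError("unsupported GENEVE version")
    end = 8 + (first_byte & 0x3F) * 4     # end of the option area
    if len(data) < end:
        raise ValueError("option length exceeds packet")
    options, pos = [], 8
    while pos < end:
        if pos + 4 > end:
            raise ValueError("option header overruns option area")
        opt_class, opt_type, len_byte = struct.unpack("!HBB", data[pos:pos + 4])
        dlen = (len_byte & 0x1F) * 4
        if pos + 4 + dlen > end:
            raise ValueError("option data overruns option area")
        options.append((opt_class, opt_type, data[pos + 4:pos + 4 + dlen]))
        pos += 4 + dlen
    return {"vni": int.from_bytes(data[4:7], "big"), "protocol_type": proto,
            "options": options, "payload": data[end:]}


# Constructed sample inner Ethernet frame: dst MAC, src MAC, EtherType 0x0800, 4 payload bytes
INNER_FRAME = bytes.fromhex("00115566778800aabbccddee0800") + b"\xde\xad\xbe\xef"


def vxlan_roundtrip(vni: int):
    """Encapsulate the sample frame in VXLAN and decapsulate it again: (vni, inner frame)."""
    packet = build_vxlan_header(vni) + INNER_FRAME
    return parse_vxlan_header(packet), packet[8:]


def geneve_roundtrip(vni: int, options):
    """Encapsulate the sample frame in GENEVE with the given options and parse the result."""
    packet = build_geneve_header(vni, options) + INNER_FRAME
    return parse_geneve_header(packet)


if __name__ == "__main__":
    print("VLAN IDs: %d, VNIs: %d" % (VLAN_ID_MAX + 1, VNI_MAX))
    print("VXLAN VNI", vxlan_roundtrip(5001)[0])
    # Constructed option: class 0x0104, type 0x80 (critical bit set), 4 bytes of data
    print("GENEVE", geneve_roundtrip(5001, [(0x0104, 0x80, b"\x00\x00\x00\x2a")]))
```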

The Software-Defined Data Center
Data Centers
• Data centers have traditionally been ‘hardware-centric’ - focused
and reliant on physical equipment

• This has not only been financially expensive but has also come
at the cost of flexibility and agility in a rapidly-changing business
landscape

• All major services in a data center can be virtualized

Software-Defined Data Centers
• Software-Defined Data Center (SDDC) extends virtualization
beyond compute (i.e. servers) to network and storage as well

• Expensive vendor-specific hardware is replaced with affordable off-the-shelf, industry-standard hardware

• In the software-defined data center, the hypervisor is the controller

Physical Data Centers
Physical Data Centers
• Data center infrastructure consists of three main components: compute systems (a server or host), storage devices, and networks

• In a physical data center this will all be hardware

• It was estimated in 2016 that Google had 2.5 million servers

• Physical data centers are inflexible, slow, and expensive

Virtualized Data Centers
Software Defined Data Centers
• Software-defined data centers solve the problems of cost, complexity, inefficiency, and inflexibility

• SDDC affords the ability to gather physical resources into logical pools, which can then be allocated to individual VMs or containers

• VMware NSX bridges the gap between physical networks and applications, reduces hardware complexity and costs, improves application availability (uptime) and speeds up system recovery.
VMware’s SDDC Approach
SDDC as a Service
• SDDC technology means more of an organization’s infrastructure can be used
more of the time, in turn making their staff more productive, and greatly
reducing spending on physical equipment and on operating costs

• SDDC enables the deployment of applications in minutes or even seconds with policy-driven provisioning that matches resources to continually-changing workloads and business demands.

• SDDC makes possible the right availability, security, and compliance for every
application.

• SDDC supports private, public and hybrid clouds.

Data Center Building Blocks
Building Blocks

• Key components that a large-scale data center will include are applications, servers, storage, networking infrastructure, management, and automation

Virtualized Data Center Expectations
• Be software-defined

• Have built-in security

• Be very easy to adjust in size – either scaling out/in by adding/removing devices, or scaling up/down by adding/removing

• support the latest developments in application technology

• support infrastructure as code - i.e. support the writing of code that takes care of configuration and automates provisioning.

Network Virtualization Services
The OSI Model

Virtual Networking
Bridged Networking
• A network type where both a virtual machine and the host that it is
running on are connected to the same network

• With bridged networking, the virtual network adapter (vNIC) for the
virtual machine connects to a physical NIC on the physical host system

• The host network adapter enables the VM to connect to the Local Area
Network (LAN) that the host system uses

NAT
• Network Address Translation (NAT) takes an IP address and translates
it into another IP address

• NAT works by translating addresses of virtual machines in a private network called a VMnet to that of the host machine

• Port forwarding allows incoming web traffic to pass through a specific port, chosen by the administrator, to the internal network

• A Dynamic Host Control Protocol (DHCP) server is a system that uses the DHCP protocol to assign IP addresses to the devices on the network

Host-Only Networking
• Creates a private internal network for the VMs to connect to, similar to a
NAT network

• The VMs can only stay in the private network and do not have direct
access to the public external network

• Useful if you need to set up an isolated virtual network

Virtual Switches
Virtual Switches
• Allow virtual machines to connect to each other and to connect to the outside world

• By default, each ESXi host has a single virtual switch called vSwitch0

• Similar to the connection between a computer’s physical network adapter (NIC) and a physical switch

Standard Switches
VMkernel Adapter
• A VMkernel adapter is a port that is used by the hypervisor to attach a service to the network

• Every VMkernel adapter has an IP address by which this service is accessible

Standard Switches
• A standard switch works much like a physical ethernet switch

• A standard switch can forward traffic internally between VMs within the
same ESXi host, between VMs on different ESXi hosts, and between
VMs and physical machines, and can link to external networks

• To provide network connectivity to hosts and virtual machines, you connect the physical NICs of the hosts to uplink ports on the standard switch

• Virtual machines have network adapters (or vNICs) that you connect to
port groups on the standard switch

VMkernel Adapter
• Uses of VMkernel Adapter:
o VMware vMotion (which enables you to move VMs from one
host to another while they’re powered on with no downtime)
o Management port (which is used for ESXi management traffic
and in most cases - except vSAN implementations - HA (or high
availability) traffic)
o IP storage (which is any form of storage that uses TCP/IP
network communication as its foundation)
o vSphere replication
o vSAN data replication

Virtual Machine Port Groups
• Each logical port on the standard switch is a member of a single port
group

• Each port group on a standard switch is identified by a network label, which must be unique amongst other port groups on a host but consistent across hosts in order to ensure network connectivity

Distributed Switches
vSphere Distributed Switch
• A vSphere Distributed Switch (or vDS) acts as a single switch across all
associated hosts in a data center and provides centralized provisioning,
administration, and monitoring of virtual networks

• Configured on the vCenter Server Appliance (vCSA), and the same settings are then added to all ESXi hosts that are associated with the switch

• Virtual machines maintain consistent network configuration as they move (or migrate) from one host to another

• Each vCenter Server system can support up to 128 vDSs and each vDS can manage up to 2000 hosts
vSphere Distributed Switch
• vDS uses the physical NICs of the ESXi host on which the VMs are running to connect them to the external network

• Policies can be set for each individual port, not just for whole port groups

Host Proxy Switch
• The data plane section of the vDS is called a host proxy switch

• The networking configuration that you create on a vCenter Server Appliance is automatically pushed down to all proxy switches

• Proxy switches support:
o Network traffic between virtual machines on any hosts that are members of the distributed virtual switch
o Network traffic between a virtual machine that uses a distributed virtual switch and a virtual machine that uses a VMware standard virtual switch
o Network traffic between a virtual machine and a remote system on a physical network connected to the ESXi host

NSX AND N-VDS
• NSX-V requires the use of vDS

• NSX-T comes with its own vDS type: the N-VDS, or NSX Managed Virtual Distributed Switch

• NSX-T can be deployed without a vCenter server

• The primary purpose of an N-VDS is to forward the traffic that runs on transport nodes

• Transport nodes are hypervisor hosts and NSX Edges that will participate in an NSX-T overlay

• There are two types of transport zone: an overlay transport zone and a VLAN transport zone
NSX AND N-VDS
• An N-VDS
o Can only attach to a single overlay transport zone
o Can only attach to a single VLAN transport zone
o Can attach to both an overlay transport zone and a VLAN transport zone at the same time; in that case, both transport zones and the N-VDS will have the same name

NSX AND N-VDS
• Multiple N-VDSs and vDSs can coexist on a transport node; however,
a physical NIC can only be associated with a single N-VDS or vDS.

About Distributed Switches
● A distributed switch functions as a single virtual switch across all associated hosts.
● Distributed switches have several benefits over standard switches:
○ They simplify data center administration.
○ They enable networking statistics and policies to migrate with virtual machines during a VMware vSphere® vMotion® migration.
[Figure: Standard Switches vs Distributed Switches – with standard switches each ESXi host keeps its own vSwitch and network state, whereas one Distributed Virtual Switch spans several ESXi hosts]

Distributed Switch Architecture
● A distributed switch moves network management components to the data center level.

[Figure: Distributed Switch Architecture – the Distributed Switch (control plane) on vCenter Server holds the distributed ports and port groups (vSphere vMotion port, management port) and the uplink port group; hidden virtual switches (I/O plane) on Host 1 and Host 2 connect to the physical NICs (uplinks)]
NSX Logical Switching
NSX Logical Switching
• Logical switching in NSX-V is based on the VXLAN protocol, whereas NSX-T is based on the GENEVE protocol

• A logical switch is mapped to a unique VXLAN or GENEVE segment, which encapsulates the virtual machine traffic and carries it over the physical IP network

• The NSX logical switch creates logical broadcast domains (devices connected to the same switch) or segments to which an application or virtual machine can be logically wired.

NSX Logical Switching
• VLAN networks can’t be saved, snapshotted, cloned, deleted, or moved, which could negatively impact business continuity in the event of a system failure

• Every time a VLAN is extended, a time-consuming physical configuration is needed

• Because VXLAN uses overlay technology, the virtual Layer 2 network is abstracted from the underlying physical network and can be configured and reconfigured very quickly

NSX Logical Routing
NSX Logical Routing
• Network edge security and gateway services are provided in NSX-V by what’s known as an NSX Edge

• NSX Edge can be installed as a distributed logical router (DLR), which is a virtual router that can use both the fixed, manually configured network routes of static routing and dynamic routing, where routers communicate with each other updating routes in real-time

NSX Logical Routing
• NSX-V’s DLR provides East-West distributed routing

• Allows two VMs to be on the same host but on different subnets, and
still communicate without their traffic having to leave the hypervisor

NSX Logical Routing
• NSX-T introduces a two-tiered routing architecture that enables the
management of networks at the provider tier (tier-0) and user tier (tier-1)

• The tier-0 logical router is attached to the physical network for North-South
traffic

• The tier-1 router connects to the tier-0 router via uplinks, and can connect to logical switches and manage east-west communications

• NSX-T supports static routing and the dynamic routing protocol eBGP on tier-0 logical routers

• Tier-1 logical routers support static routes but do not support any dynamic
routing protocols
Edge Routing and NAT
Edge Routing and NAT
• In a network, the edge is typically the point where every customer and device connection comes into and departs from a data center

• NSX-V Edge Services Gateway (ESG) is a multi-function, multi-use virtual machine appliance for network virtualization

• NSX-T provides the same services through an NSX Edge appliance - not to be confused with an Edge Services Gateway

Centralized Routing
• ECMP (equal cost multi-path) can be used to increase bandwidth between physical and virtual networks

• If centralized services (such as NAT) need to run on the Edge appliance, the appliance will need to be in what’s known as active-standby mode.

Distributed Routing
• Dynamic routing uses protocols such as Open Shortest Path First (OSPF – an intra-domain protocol that prioritizes the shortest path based on the cost of available paths) in the case of NSX-V, and Border Gateway Protocol (BGP – an inter-domain protocol that prioritizes the best path as defined by a list of attributes) in the case of NSX-T Data Center.

• ESG supports both source NAT, where a private IP address is translated into a public IP address, and destination NAT, a public IP address to private IP address translation
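An added example (not the course's or VMware's own code) modelling what the NAT slides describe: a stateful gateway that applies source NAT to outbound VM traffic, maps the replies back to the private address, and applies destination NAT for an administrator-chosen port forward. The VMnet, public address and remote hosts are constructed documentation ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class EdgeNAT:
    """Stateful NAT on a gateway: source NAT for outbound flows, destination NAT (port forwarding) inbound."""

    def __init__(self, public_ip: str, private_net: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.private_net = ipaddress.ip_network(private_net)
        self.next_port = first_port
        # SNAT state: (private src, sport, dst, dport) -> public port, plus the reverse lookup for replies
        self.out_map: Dict[Tuple[str, int, str, int], int] = {}
        self.in_map: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # DNAT rules chosen by the administrator: public port -> (private ip, private port)
        self.port_forwards: Dict[int, Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, private_ip: str, private_port: int) -> None:
        if ipaddress.ip_address(private_ip) not in self.private_net:
            raise ValueError("port forward target must be inside the private network")
        self.port_forwards[public_port] = (private_ip, private_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Source NAT: the private source is replaced by the public IP and an allocated port."""
        if ipaddress.ip_address(pkt.src) not in self.private_net:
            raise ValueError("outbound packet does not come from the private network")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.out_map:           # new flow: allocate a public port and remember it
            port = self.next_port
            self.next_port += 1
            self.out_map[key] = port
            self.in_map[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.out_map[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Destination NAT: replies to tracked flows and port-forwarded services are rewritten,
        anything else addressed to the public IP is dropped (None)."""
        if pkt.dst != self.public_ip:
            return None
        reply_to = self.in_map.get((pkt.dport, pkt.src, pkt.sport))
        if reply_to is not None:
            return Packet(pkt.src, pkt.sport, reply_to[0], reply_to[1])
        forward = self.port_forwards.get(pkt.dport)
        if forward is not None:
            return Packet(pkt.src, pkt.sport, forward[0], forward[1])
        return None


def demo():
    # Constructed addresses: VMnet 192.168.10.0/24 behind the public IP 198.51.100.1
    nat = EdgeNAT("198.51.100.1", "192.168.10.0/24")
    nat.add_port_forward(8443, "192.168.10.8", 443)   # admin-chosen port to an internal web server
    out = nat.outbound(Packet("192.168.10.5", 51234, "203.0.113.20", 443))
    reply = nat.inbound(Packet("203.0.113.20", 443, "198.51.100.1", out.sport))
    forwarded = nat.inbound(Packet("203.0.113.77", 5000, "198.51.100.1", 8443))
    unsolicited = nat.inbound(Packet("203.0.113.77", 5000, "198.51.100.1", 22))
    return out, reply, forwarded, unsolicited


if __name__ == "__main__":
    for label, pkt in zip(("snat", "reply", "dnat", "dropped"), demo()):
        print(label, pkt)
```

After source NAT the remote server only ever sees the public address, which is also why the proxy-mode load balancer discussed later on this page leaves servers without the original client IP.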

Load Balancing
Load Balancing
• A load balancer evens out workloads to prevent servers from being
overwhelmed. Its other main use is to provide high availability

• It only routes traffic to servers that are able to fulfill the client request and do
so in a way that prevents any single server being over-burdened while
maximizing overall network speed and use of resources

• The NSX load balancing service is specially designed for IT automation and
uses the same central point of management and monitoring as other NSX
network services

Load Balancing
• In proxy mode, an NSX Edge is connected directly to the logical network
where load-balancing services are required

• Proxy mode is simpler to deploy and provides greater flexibility than traditional
load balancers

• One limitation of proxy mode is that it requires provisioning more NSX Edges
and requires the deployment of source NAT which means that the servers in
the data center do not have the original client IP address

Load Balancing
• With inline mode, the NSX Edge is inline to the traffic destined for the server pool

• Inline mode is also quite simple, and additionally, the servers have the original client IP address

L2/L3 VPN
L2/L3 VPN
• A Virtual Private Network (or VPN) helps extend a private network over a public network privately

• It does this by creating a tunnel or private line from a local network to an external network (and vice versa) for the secure transmission of data

• The tunnel is a virtual connection established between two endpoints using a tunneling protocol

L2/L3 VPN
• Two of the most widely-used tunneling protocols are:
o Internet Protocol Security (IPsec), which authenticates senders, checks the integrity of data being transmitted and encrypts it; users need to install software on their machines in order to be able to establish a connection
o Secure Sockets Layer (SSL), or its successor Transport Layer Security (TLS), both of which enable secure communication across public networks from a web browser.

L2/L3 VPN

• With Layer 2 VPN (L2 VPN), you can extend layer 2 networks (VLANs or
VXLANs) across multiple sites that are on the same broadcast domain
• The extended network is a single subnet with a single broadcast domain,
so VMs remain on the same subnet when they are moved between
network sites and their IP addresses remain the same.

L2/L3 VPN

• Layer 3 VPN (L3 VPN) services are used to provide secure layer 3
connectivity into the data center network from remote locations
• The L3 VPN services can be used by remote clients using SSL tunnels to
securely connect to private networks behind an NSX Edge gateway which
is acting as an L3 VPN server in the data center
• The NSX Edge can be deployed to use standard IPsec protocol settings to operate with all major physical VPN vendors’ equipment and establish site-to-site secure L3 connections

NSX Logical Firewalls
NSX Logical Firewalls
• NSX logical firewalls provide security mechanisms for dynamic virtual
data centers and consist of two components to address different uses

• The centralized Edge firewall offered by NSX Edge Services Gateway (ESG) focuses on the north-south traffic enforcement at the data center perimeter

• The Distributed Firewall (DFW) is enabled in the kernel on the ESXi host
and focuses on east-west traffic controls

• They can be deployed independently or together

NSX Logical Firewalls
• The NSX distributed firewall is a stateful firewall, meaning that it monitors
the state of active connections and uses this information to determine
which network packets to allow through the firewall.

• Data packets flowing through the network are identified by the following:
o Source address
o Source port
o Destination address
o Destination port
o Protocol

NSX Logical Firewalls
• A distributed firewall on an ESXi host (one instance per virtual machine
vNIC) contains two tables: a rule table to store all policy rules, and a
connection tracker table to temporarily store (or cache) traffic flow entries
for rules with a permit action
• DFW rules are enforced in a top-to-bottom order
• Each packet is checked against the top rule in the rule table before
moving down the subsequent rules in the table
• The first rule in the table that matches the traffic parameters is enforced
• The last rule in the table is the DFW default policy rule: packets not
matching any rule above the default rule will be enforced by the default
rule
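An added example (not the course's or VMware's own code) that simulates the DFW behaviour described on the three firewall slides above: one instance per vNIC with a rule table and a connection tracker, packets identified by the five-tuple, rules evaluated top to bottom with first match enforced, permitted flows cached so return traffic bypasses the table, and a default rule at the bottom. The two-tier policy and the flows are constructed samples.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """The five fields the DFW uses to identify a packet."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "drop"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port
    proto: str = "any"

    def matches(self, f: Flow) -> bool:
        return (_in_net(self.src, f.src) and _in_net(self.dst, f.dst)
                and (self.dport is None or self.dport == f.dport)
                and (self.proto == "any" or self.proto == f.proto))


def _in_net(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


class DistributedFirewall:
    """One DFW instance per vNIC: a rule table plus a connection tracker for permitted flows."""

    def __init__(self, rules: List[Rule], default_action: str = "drop"):
        # The default policy rule always sits last, so every packet matches something
        self.rules = list(rules) + [Rule("default", default_action)]
        self.conntrack: Set[Flow] = set()
        self.rule_lookups = 0

    def process(self, f: Flow) -> Tuple[str, str]:
        """Return (action, reason). Established flows are allowed without a rule lookup (stateful)."""
        if f in self.conntrack or f.reverse() in self.conntrack:
            return "allow", "conntrack"
        self.rule_lookups += 1
        for rule in self.rules:              # top to bottom; the first matching rule is enforced
            if rule.matches(f):
                if rule.action == "allow":
                    self.conntrack.add(f)    # cache the flow so its return traffic is permitted
                return rule.action, rule.name
        raise RuntimeError("the default rule must match every flow")


# Constructed policy for a two-tier app: only HTTPS reaches the web tier, only web may reach the DB
WEB, DB = "10.0.1.0/24", "10.0.2.0/24"
POLICY = [
    Rule("allow-https-to-web", "allow", dst=WEB, dport=443, proto="tcp"),
    Rule("allow-web-to-db", "allow", src=WEB, dst=DB, dport=3306, proto="tcp"),
]


def demo() -> List[Tuple[str, str]]:
    dfw = DistributedFirewall(POLICY)
    flows = [
        Flow("192.0.2.10", 51000, "10.0.1.5", 443, "tcp"),   # client -> web: first rule
        Flow("10.0.1.5", 443, "192.0.2.10", 51000, "tcp"),   # web -> client reply: conntrack hit
        Flow("10.0.1.5", 40000, "10.0.2.7", 3306, "tcp"),    # web -> db: second rule
        Flow("10.0.2.7", 40001, "10.0.1.5", 22, "tcp"),      # db -> web SSH: no rule, default drop
        Flow("192.0.2.10", 51001, "10.0.2.7", 3306, "tcp"),  # client -> db directly: default drop
    ]
    return [dfw.process(f) for f in flows]


if __name__ == "__main__":
    for result in demo():
        print(result)
```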

Edge Firewall
Edge Firewall

• The NSX Edge firewall provides stateful perimeter defense for north-
south traffic flows between the virtual and physical networks
• It’s used on the logical router and provides network address translation
(NAT) as well as site-to-site IPsec and SSL VPN functionality
• The Edge firewall can be managed with the same management tools as
for the distributed firewall

The NSX Data Center
The NSX Data Center
• The NSX Data Center reproduces the whole network, whether the network is simple or complex, in software

• Provisioning and managing networking in software instead of hardware results in a level of security, speed, agility and cost-efficiency that simply isn't possible with the traditional architecture.

Bringing Network Virtualization to the SDDC
• By abstracting the traditionally physical infrastructure of routers, switches,
load balancers, and firewalls into a data center's virtualization layer, the data
center becomes agile and responsive to business needs as they change
• Virtual networks can be created, copied, moved, deleted and restored
quickly and easily, with no physical reconfigurations necessary
• With micro-segmentation (which we'll discuss later on in this course) threats
are prevented from moving laterally, server to server, inside the data center
• The NSX Data Center uses standardized, pre-defined templates, to
provision consistent networking and security, speeding up provisioning time
from days or weeks to seconds.

Key Components

• The NSX Manager is based on the Photon operating system

• The NSX-T Manager, on the other hand, runs on the Ubuntu operating system

• NSX can be integrated with any cloud management platform through Representational State Transfer (REST) APIs

• NSX-V can be configured through vSphere Client, through a command-line interface (CLI) and through a REST API

Key Components
• Some of NSX Data Center’s other key components include:
o Logical distributed switching
o NSX Gateway
o Logical routing between logical switches
o Logical distributed firewalling
o A logical load balancer with SSL termination
o Logical VPN for site-to-site and remote access VPNs in software
o Service insertion
o Multi-site, multi-cloud networking and security

Key Benefits

• NSX Data Center helps organizations achieve the speed, agility, security, and reliability of the software-defined data center

• Every physical networking element and service in a traditional environment can be recreated in software

• Automation and orchestration greatly reduce the amount of time-consuming manual configuration that administrators need to do, which in turn greatly reduces the amount of costly human error

Key Benefits

• Network traffic flows are simplified

• Using equal-cost multipath (ECMP) routing means that NSX virtualized networks will keep on working even if multiple devices fail at the same time

• NSX app isolation policy acts as a firewall to block all inbound and outbound traffic to and from workloads

• Security policies are attached to the applications they’re protecting

• Existing server capacity is used better and money is saved

• vRealize Network Insight provides a 360° view of your entire NSX infrastructure

Integrating with Existing Networking Infrastructure

• The NSX Data Center can be deployed without disruption to existing compute and networking infrastructure, applications, and security products because it works with them
• The existing underlying physical network remains to handle packet forwarding but, once NSX Data Center is deployed, it barely needs to be touched and can, in fact, be streamlined
NSX Architecture

• NSX architecture consists of a data plane, control plane, and management plane

• Each plane consists of multiple components, responsible for platform management, traffic control, and service delivery

• The architecture also includes the necessary components for integration with a cloud management platform

Management Plane

• NSX Manager provides configuration and orchestration of logical switching and routing, the distributed firewall, networking and Edge services, and security services

• The single unified user interface allows you to manage both vSphere and NSX within the vSphere Client

Management Plane

• In an NSX-T Data Center, the management plane function and the central control plane function have been collapsed into a new management cluster to reduce the number of virtual appliances that need to be deployed and managed by the NSX administrator

Control Plane

• The NSX Controller serves as the central control point for all logical switches within a network, and maintains information about all hosts, logical switches and distributed logical routers
• Controllers distribute network information across all controllers in a cluster and are responsible for distributing network information to all the ESXi hosts
• The controller cluster is responsible for managing the distributed switching and routing modules in the hypervisor

Control Plane

• In NSX-T, whenever a Distributed Logical Router (DLR) is deployed, a control VM is automatically created
• The control VM communicates with the NSX Controller cluster to ensure that the control plane has the most up-to-date routing table
• User World Agents (UWAs) pass virtual machine MAC addresses and IP addresses to NSX Controllers

Data Plane

• The NSX data plane is where the actual network traffic flows
• It consists of the NSX virtual switch, which is based on the vSphere Distributed Switch (vDS) with additional components to enable services
• Logical switching enables an extension of a Layer 2 segment and IP subnets anywhere in the network, independent of the physical network design
• NSX security enforcement is done directly at the kernel and vNIC level

Security Features

• NSX embeds security functions directly into the hypervisor, providing micro-segmentation and automated, fine-grained (granular) security for every individual virtual desktop or device
• NSX enables security policies to travel with specific workloads, wherever they are in the network and whenever they move
• NSX can provide a logical DMZ anywhere in the data center, and, being software, it can be as large or as small as needed

Micro-Segmentation

• Micro-segmentation is the ability to segment elements of a system into extremely granular components

• Once a network is segmented, security policies can easily be applied, whether an administrator wants to target a cluster of servers or a single VM

• Virtual networks are isolated by default – from each other and from the underlying physical network – and this provides an immediate security boost, since a problem with one virtual network is contained to that one network

• NSX works seamlessly with the best-known security products

Secure End User

• Unfortunately, managing groups of virtual desktop users is often a complicated process involving multiple teams

• NSX simplifies VDI by providing security based on logical groups of users or departments; organizations are able to speed the deployment of virtual desktop environments and use their resources more efficiently

• NSX micro-segmentation integrates network and security with VDI management, allowing for the creation of a single set of policies for as many different VDI users as necessary

• With NSX, if one end-user’s virtual desktop is attacked, the breach can easily be contained to just that user
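The three ideas on the Security Features, Micro-Segmentation and Secure End User slides (policies defined on logical groups rather than addresses, deny-by-default isolation, and a policy that follows a workload when it moves) can be shown with a small tag-based policy model. This is an added illustration written for this course page, not NSX code or its API; the group names, tags, hosts and rules are all constructed.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Workload:
    name: str
    host: str                         # hypervisor host; never consulted by the policy
    tags: set = field(default_factory=set)


@dataclass
class Rule:
    src_group: str
    dst_group: str
    port: Optional[int]               # None matches any port
    action: str                       # "allow" or "deny"


# Constructed example: a group is the set of tags a workload must carry;
# "any" requires no tags, so every workload is a member.
GROUPS = {
    "any": set(),
    "quarantine": {"quarantine"},
    "web": {"app:payroll", "tier:web"},
    "app": {"app:payroll", "tier:app"},
    "db": {"app:payroll", "tier:db"},
}

# First matching rule wins; a flow that matches nothing is denied.
RULES = [
    Rule("quarantine", "any", None, "deny"),   # a quarantined VM cannot talk out
    Rule("any", "quarantine", None, "deny"),   # and nothing can talk to it
    Rule("web", "app", 8080, "allow"),         # web tier -> app tier only
    Rule("app", "db", 5432, "allow"),          # app tier -> database only
]


def in_group(wl: Workload, group: str) -> bool:
    return GROUPS[group] <= wl.tags


def evaluate(src: Workload, dst: Workload, port: int, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a flow; only tags and port are considered."""
    for r in rules:
        if in_group(src, r.src_group) and in_group(dst, r.dst_group) \
                and r.port in (None, port):
            return r.action
    return "deny"                      # isolated by default


def move(wl: Workload, new_host: str) -> Workload:
    """Move a VM between hosts: the host changes, the tags (and so the policy) do not."""
    return Workload(wl.name, new_host, set(wl.tags))
```

Web-to-web traffic on any port is denied because no rule allows it, which is the lateral-movement containment the slides describe; adding the `quarantine` tag to a single VM isolates just that VM without touching any other rule.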
