Network Virtualization Concepts

The document discusses network virtualization, emphasizing its efficiency and benefits in modern computing environments, particularly in cloud and personal applications. It covers key concepts such as NSX capabilities, overlay networking, and the distinction between virtual networks and VLANs, as well as the role of Software-Defined Networking (SDN) in enhancing network agility. Additionally, it highlights the transition from traditional hardware-centric data centers to Software-Defined Data Centers (SDDC), which improve flexibility, reduce costs, and support various cloud infrastructures.

Uploaded by yaredtadesse346

Network Virtualization

Concepts
Why learn virtualization?
• Modern computing is more efficient due to virtualization

• Virtualization can be used for mobile, personal and cloud computing

• You can also use virtualization in your personal life


This content will cover

• NSX capabilities and benefits

• the major VMware NSX® components in the data, management, and control
planes and their interactions

• relevant NSX features to use cases

• NSX network virtualization components and services

• how network virtualization is utilized in an SDDC environment


Network Virtualization Benefits
• Cloud deployments are often held back by legacy, non-virtualized network
infrastructure that cannot be provisioned at the pace of compute and storage

• Virtual networks let the benefits of a cloud deployment be realized across an
organization's infrastructure

• Virtualized networks provide speed, mobility, and security

• Isolated virtual networks limit the lateral spread of threats: a compromise in one
network stays contained to that network unless a policy explicitly allows traffic
to cross


What is Network Virtualization?
Network Hypervisor
• Physical network resources are recreated (virtualized) in software

• Routers, switches, and load balancers become virtual devices in the hypervisor
layer

• The pool of devices can be used as needed, on demand

• The entire network can now be run on software


Overlay Networking
• Virtual networks on top of physical networks

• Endpoints connected to physical ports are assigned a VXLAN Network
Identifier (VNI) and connected together via virtual links

• Virtual links are the software equivalent of physical links


Flexibility
• Virtual networks can be as small as two devices or as large as
multiple sites of major enterprise networks.

• Flexible enough to use with any cloud or cluster

• VMware's NSX for vSphere (NSX-V) is tied to the vSphere platform: it runs
only on ESXi hosts and depends on vCenter Server

• NSX-T Data Center is independent of vCenter and supports multiple
hypervisors (ESXi and KVM), bare-metal servers and containers
Virtual Networks vs VLANs
• A virtual network is not the same thing as a VLAN

• VLANs provide layer 2 segmentation by assigning physical switch ports to a
specific purpose or group

• The 802.1Q VLAN ID is a 12-bit field, so a layer 2 network has only 4096
VLAN IDs (4094 usable, since 0 and 4095 are reserved); not a lot for a large
enterprise or a multi-tenant cloud

• Configuration of VLANs can be time consuming


Virtual Networks vs VLANs
• Network virtualization provides network services beyond data transfer

• Networks can be recreated in seconds

• Snapshots can be created to save and restore an exact state of a network

• Every network and security service is virtualized


What is Software-Defined
Networking
Software-Defined Network
• Network virtualization and Software-Defined Networking (SDN)
both seek to provide greater network agility

• Both use software to recreate network components

• Both separate the control plane from the data plane

• Both use a controller to help centralize management

• Both provide increased agility to allow greater speed and precision in
administration
Software-Defined Network
• SDN is more broadly-defined

• SDN uses software to control switches and routers

• The network is not fully virtualized

• Hardware still plays a role in SDN


Virtual Networks in Physical
Networks
Virtual Networks in Physical Networks
• Virtual networks dramatically increase the scope of physical networks

• Virtual networks can run in isolation alongside or on top of identical
physical networks

• Each network is unaffected by events on another network
Bridging Between Virtualized
Networks and Traditional VLANs
Overlay Encapsulation Methodologies
• The two most widely used overlay encapsulations are:
Virtual Extensible Local Area Network (VXLAN)
Generic Network Virtualization Encapsulation (GENEVE)

• VXLAN is vendor neutral and defined by RFC 7348

• GENEVE was jointly developed by VMware, Microsoft, Red Hat and Intel; it
went through the IETF process and is now published as RFC 8926, so it is
equally vendor neutral

• It is important to note that VMware NSX-V uses VXLAN and VMware NSX-T
uses GENEVE
VXLAN Operation
• VXLAN can be terminated in hardware (switch ASICs), in software (hypervisor
virtual switches), or both
• The VXLAN Network Identifier is a 24-bit field, giving about 16 million
(2^24 = 16,777,216) possible segments compared to 4096 VLAN IDs
• Creating a virtual network on top of a physical network is called overlay
networking
• A VXLAN ID is called a VXLAN Network Identifier (VNI). Each VNI is a
separate virtual network (a layer 2 segment, also called a bridge domain) that
runs in the overlay network
• VXLAN Tunnel Endpoints (VTEPs) connect the physical network to the
overlay network: they encapsulate outbound frames in UDP (destination port
4789) and decapsulate inbound ones
GENEVE
• GENEVE is almost identical to VXLAN: the same 24-bit VNI in an 8-byte base
header, carried over UDP (destination port 6081)

• It is more flexible because it adds variable-length TLV options to the header
and is designed to be independent of whatever control plane runs between
the tunnel endpoints

• GENEVE does not have VTEPs (VXLAN tunnel endpoints), just tunnel
endpoints (TEPs)
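The following Python is an added example, not part of the original slides or of any VMware code, that builds and parses the VXLAN header of RFC 7348 and the GENEVE header of RFC 8926 so the two encapsulations can be compared byte for byte. The VNI values, the option class 0x0102 and the option contents are constructed for illustration; the field layout follows the RFCs. Neither header carries authentication: a tunnel endpoint must restrict which underlay peers it accepts encapsulated traffic from, because any host that can reach the endpoint's UDP port could otherwise inject frames into a segment simply by writing the right VNI.

```python
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

VLAN_ID_BITS = 12   # 802.1Q tag: 4096 values, 4094 usable
VNI_BITS = 24       # VXLAN / GENEVE VNI: 16,777,216 values

# RFC 7348: the "I" flag marks the VNI as valid; every other flag bit must be zero.
VXLAN_FLAG_I = 0x08
# RFC 8926: protocol type of the inner payload; 0x6558 is Transparent Ethernet Bridging.
GENEVE_PROTO_ETHERNET = 0x6558


def build_vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)."""
    if not 0 <= vni < (1 << VNI_BITS):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)


def parse_vxlan_header(hdr: bytes) -> int:
    """Return the VNI; a VTEP must drop headers whose I flag is clear."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", hdr[:8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid, drop")
    return word1 >> 8


@dataclass
class GeneveHeader:
    vni: int
    protocol_type: int = GENEVE_PROTO_ETHERNET
    # (option class, option type, data); data length is a multiple of 4 bytes
    options: List[Tuple[int, int, bytes]] = field(default_factory=list)


def build_geneve_header(h: GeneveHeader) -> bytes:
    """GENEVE base header (8 bytes) followed by variable-length TLV options."""
    if not 0 <= h.vni < (1 << VNI_BITS):
        raise ValueError("VNI must fit in 24 bits")
    opts = b""
    for opt_class, opt_type, data in h.options:
        if len(data) % 4 or len(data) > 124:
            raise ValueError("option data must be a multiple of 4 bytes, at most 124")
        # Option header: class(16) type(8) reserved(3)+length(5, in 4-byte words)
        opts += struct.pack("!HBB", opt_class, opt_type, len(data) // 4) + data
    opt_len_words = len(opts) // 4
    if opt_len_words > 63:
        raise ValueError("options exceed the 6-bit Opt Len field")
    # Ver(2)=0 | Opt Len(6) | O(1)=0 | C(1)=0 | Rsvd(6) | Protocol Type(16)
    word0 = (opt_len_words << 24) | h.protocol_type
    word1 = h.vni << 8   # VNI(24) | Reserved(8)
    return struct.pack("!II", word0, word1) + opts


def parse_geneve_header(hdr: bytes) -> GeneveHeader:
    """Parse the base header and walk the options, bounds-checking every length field."""
    if len(hdr) < 8:
        raise ValueError("truncated GENEVE header")
    word0, word1 = struct.unpack("!II", hdr[:8])
    if word0 >> 30 != 0:
        raise ValueError("unknown GENEVE version")
    opt_len_words = (word0 >> 24) & 0x3F
    end = 8 + opt_len_words * 4
    if len(hdr) < end:
        raise ValueError("Opt Len points past the end of the packet")
    parsed = GeneveHeader(vni=word1 >> 8, protocol_type=word0 & 0xFFFF)
    off = 8
    while off < end:
        opt_class, opt_type, len_byte = struct.unpack("!HBB", hdr[off:off + 4])
        data_len = (len_byte & 0x1F) * 4
        if off + 4 + data_len > end:
            raise ValueError("option length overruns the options area")
        parsed.options.append((opt_class, opt_type, hdr[off + 4:off + 4 + data_len]))
        off += 4 + data_len
    return parsed


def segment_ratio() -> int:
    """How many more segments a 24-bit VNI gives than a 12-bit VLAN ID."""
    return (1 << VNI_BITS) // (1 << VLAN_ID_BITS)
```

The parsers reject a clear I flag, an unknown version and any length field that points past the data, which is the minimum a software endpoint should do before trusting the inner frame; the VNI itself still needs to be checked against the segments the receiving endpoint is actually a member of.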
The Software Defined Data-Center
Data Centers
• Data centers have traditionally been ‘hardware-centric’ - focused
and reliant on physical equipment

• This has not only been financially expensive but has also come at
the cost of flexibility and agility in a rapidly-changing business
landscape

• All major services in a data center can be virtualized


Software-Defined Data Centers
• Software-Defined Data Center (SDDC) extends virtualization
beyond compute (i.e. servers) to network and storage as well

• Expensive vendor-specific hardware is replaced with affordable off-the-shelf,
industry-standard hardware

• In the software-defined data center, the hypervisor is the controller
Physical Data Centers
Physical Data Centers
• Data center infrastructure consists of three main components: compute
systems (a server or host), storage devices, and networks

• In a physical data center this will all be hardware

• It was estimated in 2016 that Google had 2.5 million servers

• Physical data centers are inflexible, slow, and expensive
Virtualized Data Centers
Software Defined Data Centers
• Software-defined data centers solve the problems
of cost, complexity, inefficiency, and inflexibility

• SDDC affords the ability to gather physical resources into logical pools, which
can then be allocated to individual VMs or containers

• VMware NSX bridges the gap between physical networks and applications,
reduces hardware complexity and costs, improves application availability
(uptime) and speeds up system recovery
VMware’s SDDC Approach
SDDC as a Service
• SDDC technology means more of an organization’s infrastructure can be used
more of the time, in turn making their staff more productive, and greatly reducing
spending on physical equipment and on operating costs

• SDDC enables the deployment of applications in minutes or even seconds with
policy-driven provisioning that matches resources to continually-changing
workloads and business demands

• SDDC makes possible the right availability, security, and compliance for every
application.

• SDDC supports private, public and hybrid clouds.


Data Center Building Blocks
Building Blocks

• Key components that a large-scale data center will include are applications,
servers, storage, networking infrastructure, management, and automation
Virtualized Data Center Expectations
• Be software-defined

• Have built-in security

• Be very easy to adjust in size, either scaling out/in by adding/removing
devices, or scaling up/down by adding/removing resources (CPU, memory,
storage) on existing devices

• Support the latest developments in application technology

• Support infrastructure as code, i.e. the configuration and provisioning of the
data center are written as code and automated rather than performed by hand
Network Virtualization Services
The OSI Model
Virtual Networking
Bridged Networking
• A network type where both a virtual machine and the host that it is
running on are connected to the same network

• With bridged networking, the virtual network adapter (vNIC) for the
virtual machine connects to a physical NIC on the physical host system

• The host network adapter enables the VM to connect to the Local Area
Network (LAN) that the host system uses
NAT
• Network Address Translation (NAT) rewrites the IP address (and usually the
port) in a packet header so that the packet appears to come from, or go to, a
different address

• In desktop virtualization products, NAT works by translating the addresses of
virtual machines in a private network, called a VMnet, to the address of the
host machine

• Port forwarding allows incoming traffic arriving on a specific port, chosen by
the administrator, to be passed through to a chosen VM on the internal
network; because it exposes an internal service to every external source, it
should be paired with a firewall rule that limits who may reach that port

• A Dynamic Host Configuration Protocol (DHCP) server is a system that uses
the DHCP protocol to assign IP addresses to the devices on the network
Host-Only Networking
• Creates a private internal network for the VMs to connect to, similar to a
NAT network

• The VMs can only stay in the private network and do not have direct
access to the public external network

• Useful if you need to set up an isolated virtual network


Virtual Switches
Virtual Switches
• Allow virtual machines to connect to each other and to connect to the outside
world

• By default, each ESXi host has a single virtual switch called vSwitch0

• Similar to the connection between a computer's physical network adapter
(NIC) and a physical switch
Standard Switches
VMkernel Adapter
• A VMkernel adapter is a port that is used by the hypervisor to attach a
service to the network

• Every VMkernel adapter has an IP address by which this service is accessible
Standard Switches
• A standard switch works much like a physical ethernet switch

• A standard switch forwards traffic internally between VMs on the same ESXi
host without it ever leaving the host; traffic to VMs on other ESXi hosts, to
physical machines and to external networks leaves through its uplinks

• To provide network connectivity to hosts and virtual machines, you connect
the physical NICs of the hosts to uplink ports on the standard switch

• Virtual machines have network adapters (or vNICs) that you connect to port
groups on the standard switch
VMkernel Adapter
• Uses of a VMkernel adapter:
o VMware vMotion (which enables you to move VMs from one host
to another while they’re powered on with no downtime)
o Management port (which is used for ESXi management traffic and
in most cases - except vSAN implementations - HA (or high
availability) traffic)
o IP storage (which is any form of storage that uses TCP/IP network
communication as its foundation)
o vSphere replication
o vSAN data replication
Virtual Machine Port Groups
• Each logical port on the standard switch is a member of a single port group

• Each port group on a standard switch is identified by a network label, which
must be unique amongst other port groups on a host but consistent across
hosts so that a migrated VM lands on an equivalently configured network
Distributed Switches
vSphere Distributed Switch
• A vSphere Distributed Switch (or vDS) acts as a single switch across all
associated hosts in a data center and provides centralized provisioning,
administration, and monitoring of virtual networks

• Configured on the vCenter Server Appliance (vCSA) and the same settings
are then added to all ESXi hosts that are associated with the switch

• Virtual machines maintain a consistent network configuration as they move
(or migrate) from one host to another

• Each vCenter Server system can support up to 128 vDSs and each vDS can
manage up to 2000 hosts (vSphere configuration maximums; check the
maximums for your release)
vSphere Distributed Switch
• vDS uses the physical NICs of the ESXi host on which the VMs are running to
connect them to the external network

• Policies can be set for each individual port, not just for whole port groups
Host Proxy Switch
• The data plane section of the vDS is called a host proxy switch

• The networking configuration that you create on a vCenter Server Appliance is
automatically pushed down to all proxy switches

• Proxy switches support:

o Network traffic between virtual machines on any hosts that are members of the
distributed virtual switch

o Network traffic between a virtual machine that uses a distributed virtual switch and a
virtual machine that uses a VMware standard virtual switch

o Network traffic between a virtual machine and a remote system on a physical
network connected to the ESXi host
NSX AND N-VDS
• NSX-V requires the use of vDS

• NSX-T comes with its own vDS type: the N-VDS, or NSX Managed Virtual
Distributed Switch

• NSX-T can be deployed without a vCenter server

• The primary purpose of an N-VDS is to forward the traffic that runs on
transport nodes

• Transport nodes are hypervisor hosts and NSX Edges that will participate in
an NSX-T overlay

• There are two types of transport zone: an overlay transport zone and a VLAN
transport zone
NSX AND N-VDS
• An N-VDS

o Can only attach to a single overlay transport zone

o Can only attach to a single VLAN transport zone

o Can attach to both an overlay transport zone and a VLAN transport zone at
the same time; in that case, both transport zones and the N-VDS will have
the same name
NSX AND N-VDS
• Multiple N-VDSs and vDSs can coexist on a transport node; however, a
physical NIC can only be associated with a single N-VDS or vDS.
NSX Logical Switching
NSX Logical Switching
• Logical switching in NSX-V is based on the VXLAN protocol, whereas NSX-T
is based on the GENEVE protocol

• Each logical switch is mapped to a unique VXLAN or GENEVE VNI; the tunnel
endpoint encapsulates the virtual machine traffic with that VNI and carries it
over the physical IP network

• The NSX logical switch creates logical broadcast domains (devices connected
to the same switch), or segments, to which an application or virtual machine
can be logically wired
NSX Logical Switching
• VLAN networks can't be saved, snapshotted, cloned, deleted, or moved, which
could negatively impact business continuity in the event of a system failure

• Every time a VLAN is extended, a time-consuming physical configuration is
needed

• Because VXLAN is an overlay, the virtual Layer 2 network is abstracted from
the underlying physical network and can be configured and reconfigured very
quickly
NSX Logical Routing
NSX Logical Routing
• Network edge security and gateway services are provided in NSX-V by
what’s known as an NSX Edge

• NSX Edge can be installed as a distributed logical router (DLR), a virtual
router that supports both static routing (fixed, manually configured routes)
and dynamic routing (routers exchange routes with each other and update
them in real time)
NSX Logical Routing
• NSX-V’s DLR provides East-West distributed routing

• Allows two VMs to be on the same host but on different subnets, and
still communicate without their traffic having to leave the hypervisor
NSX Logical Routing
• NSX-T introduces a two-tiered routing architecture that enables the
management of networks at the provider tier (tier-0) and user tier (tier-1)

• The tier-0 logical router is attached to the physical network for North-South
traffic

• A tier-1 router connects to the tier-0 router through a router link, and its
downlinks connect to logical switches (segments); it handles east-west
communication between those segments

• NSX-T supports static routing and the dynamic routing protocol eBGP on tier-0
logical routers

• Tier-1 logical routers support static routes but do not support any dynamic
routing protocols
Edge Routing and NAT
Edge Routing and NAT
• In a network, the edge is typically the point where every customer and device
connection comes into and departs from a data center

• NSX-V Edge Services Gateway (ESG) is a multi-function, multi-use virtual
machine appliance for network virtualization

• NSX-T provides the same services through an NSX Edge node, not to be
confused with an Edge Services Gateway
Centralized Routing
• ECMP (equal cost multi-path) spreads traffic across several equal-cost routes
and can be used to increase bandwidth between physical and virtual networks

• If centralized, stateful services (such as NAT) need to run on the Edge
appliance, the appliance must instead run in active-standby mode: a stateful
service needs a single owner of the connection state, so it cannot be combined
with ECMP's active-active forwarding
Distributed Routing
• Dynamic routing uses protocols such as Open Shortest Path First (OSPF, an
intra-domain protocol that chooses the shortest path based on the cost of the
available paths) and Border Gateway Protocol (BGP, an inter-domain protocol
that chooses the best path according to a list of attributes); NSX-V supports
OSPF and BGP, whereas NSX-T Data Center uses BGP on the tier-0 router

• ESG supports both source NAT, where a private IP address is translated into a
public IP address, and destination NAT, a public IP address to private IP
address translation
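To make the two translation directions concrete (the VMnet NAT and port forwarding described under Virtual Networking, and the ESG source and destination NAT above), here is an added Python model of a NAT gateway; it is not VMware code. Outbound flows get an endpoint-dependent source NAT entry, inbound packets are first matched against those entries and then against explicit port-forwarding (DNAT) rules, and anything else is dropped. The public address, the inside addresses, the ports and the size of the port pool are all constructed values.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatGateway:
    """Source NAT for outbound flows plus destination NAT (port forwarding) for inbound ones."""

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (40000, 40100)):
        self.public_ip = public_ip
        self._free_ports = list(range(port_range[0], port_range[1]))
        # SNAT: (inside ip, inside port, remote ip, remote port, proto) -> translated port
        self._snat: Dict[Tuple[str, int, str, int, str], int] = {}
        # Reverse map is keyed on the remote endpoint as well, so only the peer we
        # actually talked to can send through the translated port (endpoint-dependent NAT)
        self._snat_reverse: Dict[Tuple[int, str, int, str], Tuple[str, int]] = {}
        # DNAT / port forwarding: (public port, proto) -> (inside ip, inside port)
        self._dnat: Dict[Tuple[int, str], Tuple[str, int]] = {}

    def add_port_forward(self, public_port: int, inside_ip: str,
                         inside_port: int, proto: str = "tcp") -> None:
        """Expose an internal service; any external source may then reach it."""
        self._dnat[(public_port, proto)] = (inside_ip, inside_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the private network (source NAT)."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if key not in self._snat:
            if not self._free_ports:
                raise RuntimeError("NAT port pool exhausted")
            port = self._free_ports.pop(0)
            self._snat[key] = port
            self._snat_reverse[(port, pkt.dst_ip, pkt.dst_port, pkt.proto)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self._snat[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving at the public address, or return None to drop it."""
        if pkt.dst_ip != self.public_ip:
            return None
        # 1. Reply to a flow we translated on the way out
        inside = self._snat_reverse.get((pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
        if inside is None:
            # 2. Explicit port-forward (destination NAT) rule
            inside = self._dnat.get((pkt.dst_port, pkt.proto))
        if inside is None:
            return None  # unsolicited and not forwarded: dropped
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1], pkt.proto)
```

The model shows why NAT is not a firewall: the reverse SNAT lookup is tied to the peer, but a port-forward entry admits every external source, so the forwarded service still needs a rule in front of it that restricts who may connect.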
Load Balancing
Load Balancing
• A load balancer evens out workloads to prevent servers from being
overwhelmed. Its other main use is to provide high availability

• It only routes traffic to servers that are able to fulfill the client request and do so
in a way that prevents any single server being over-burdened while maximizing
overall network speed and use of resources

• The NSX load balancing service is specially designed for IT automation and uses
the same central point of management and monitoring as other NSX network
services
Load Balancing
• In proxy mode (also called one-arm mode), an NSX Edge is connected directly
to the logical network where load-balancing services are required

• Proxy mode is simpler to deploy and provides greater flexibility than traditional
load balancers

• One limitation of proxy mode is that it requires provisioning more NSX Edges
and requires source NAT, so the servers in the data center do not see the
original client IP address, only the load balancer's; server-side logs and any
IP-based access control on the servers must account for this

Load Balancing
• With inline mode (also called transparent mode), the NSX Edge sits in the path
of the traffic destined for the server pool, which means it must be the servers'
default gateway

• Inline mode is also quite simple, and additionally the servers see the original
client IP address
L2/L3 VPN
L2/L3 VPN
• A Virtual Private Network (or VPN) extends a private network across a public
network

• It does this by creating a tunnel, a private line from a local network to an
external network (and vice versa), for the secure transmission of data

• The tunnel is a virtual connection established between two endpoints using a
tunneling protocol
L2/L3 VPN
• Two of the most widely-used tunneling protocols are:
o Internet Protocol Security (IPsec), which authenticates the peers, checks
the integrity of the data being transmitted and encrypts it; users need to
install client software on their machines in order to establish a connection
o Secure Sockets Layer (SSL), or its successor Transport Layer Security
(TLS), which enable secure communication across public networks from a
web browser; SSL itself is deprecated, so an "SSL VPN" should in practice
be negotiating TLS
L2/L3 VPN

• With Layer 2 VPN (L2 VPN), you can extend layer 2 networks (VLANs or
VXLANs) across multiple sites so that they form a single broadcast domain
• The extended network is a single subnet with a single broadcast domain, so
VMs remain on the same subnet when they are moved between sites and their
IP addresses remain the same
L2/L3 VPN

• Layer 3 VPN (L3 VPN) services are used to provide secure layer 3
connectivity into the data center network from remote locations
• The L3 VPN services can be used by remote clients using SSL tunnels to
securely connect to private networks behind an NSX Edge gateway which is
acting as an L3 VPN server in the data center
• The NSX Edge can be deployed with standard IPsec protocol settings to
interoperate with all major physical VPN vendors' equipment and establish
site-to-site secure L3 connections
NSX Logical Firewalls
NSX Logical Firewalls
• NSX logical firewalls provide security mechanisms for dynamic virtual data
centers and consist of two components to address different uses

• The centralized Edge firewall offered by NSX Edge Services Gateway (ESG)
focuses on the north-south traffic enforcement at the data center perimeter

• The Distributed Firewall (DFW) is enabled in the kernel on the ESXi host and
focuses on east-west traffic controls

• They can be deployed independently or together


NSX Logical Firewalls
• The NSX distributed firewall is a stateful firewall, meaning that it monitors
the state of active connections and uses this information to determine
which network packets to allow through the firewall.

• Data packets flowing through the network are identified by the following:
o Source address
o Source port
o Destination address
o Destination port
o Protocol
NSX Logical Firewalls
• A distributed firewall on an ESXi host (one instance per virtual machine
vNIC) contains two tables: a rule table to store all policy rules, and a
connection tracker table to temporarily store (or cache) traffic flow entries
for rules with a permit action
• DFW rules are enforced in a top-to-bottom order
• Each packet is checked against the top rule in the rule table before moving
down the subsequent rules in the table
• The first rule in the table that matches the traffic parameters is enforced
• The last rule in the table is the DFW default policy rule: packets not
matching any rule above the default rule will be enforced by the default
rule
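The rule-table and connection-tracker behaviour described above, as an added Python model that is not NSX code: one firewall instance per vNIC, rules evaluated top-to-bottom with first match winning, a default rule appended last, and a tracker that lets the return half of a permitted flow through without consulting the rules. The tiers, addresses and the two-rule policy are constructed for the example; the example also shows that reordering the two rules silently changes the outcome, which is the operational hazard of first-match tables.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """The 5-tuple the DFW classifies on."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                     # "allow" or "drop"
    src: Optional[str] = None       # CIDR, None means any
    dst: Optional[str] = None       # CIDR, None means any
    dst_port: Optional[int] = None  # None means any
    proto: Optional[str] = None     # None means any

    def matches(self, f: Flow) -> bool:
        if self.src and ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(f.dst_ip) not in ipaddress.ip_network(self.dst):
            return False
        if self.dst_port is not None and f.dst_port != self.dst_port:
            return False
        if self.proto is not None and f.proto != self.proto:
            return False
        return True


class VnicFirewall:
    """One DFW instance as attached to a single vNIC: a rule table plus a connection tracker."""

    def __init__(self, rules: List[Rule], default_action: str = "drop"):
        # The default rule is always last, so it catches whatever nothing above matched.
        self.rules: List[Rule] = list(rules) + [Rule("default", default_action)]
        self.conntrack: Set[Flow] = set()   # flows admitted by a permit rule

    def process(self, f: Flow) -> Tuple[str, str]:
        """Return (action, what decided it). Established flows bypass the rule table."""
        reverse = Flow(f.dst_ip, f.dst_port, f.src_ip, f.src_port, f.proto)
        if f in self.conntrack or reverse in self.conntrack:
            return ("allow", "conntrack")
        for rule in self.rules:            # top-to-bottom, first match wins
            if rule.matches(f):
                if rule.action == "allow":
                    self.conntrack.add(f)  # cache so the return traffic is allowed statefully
                return (rule.action, rule.name)
        raise AssertionError("unreachable: the default rule matches everything")


# Constructed example policy: a web tier may open MySQL to the db tier and nothing else.
WEB_TIER = "10.0.1.0/24"
DB_TIER = "10.0.2.0/24"
POLICY = [
    Rule("web-to-db-mysql", "allow", src=WEB_TIER, dst=DB_TIER, dst_port=3306, proto="tcp"),
    Rule("web-deny-rest", "drop", src=WEB_TIER),
]
```

A real tracker also follows TCP state and ages entries out; the simplified set here is enough to show the two properties that matter for policy design: replies to a permitted connection are allowed even though no rule permits the reverse direction, and an unsolicited connection in that reverse direction still falls through to the default rule.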
Edge Firewall
Edge Firewall

• The NSX Edge firewall provides stateful perimeter defense for north-south
traffic flows between the virtual and physical networks
• It runs on the NSX Edge (the ESG in NSX-V, an Edge node in NSX-T) and
provides network address translation (NAT) as well as site-to-site IPsec and
SSL VPN functionality
• The Edge firewall can be managed with the same management tools as for
the distributed firewall
The NSX Data Center
The NSX Data Center
• The NSX Data Center reproduces
the whole network, whether the
network is simple or complex, in
software

• Provisioning and managing networking in software instead of hardware
results in a level of security, speed, agility and cost-efficiency that simply isn't
possible with the traditional architecture
Bringing Network Virtualization to
the SDDC
Bringing Network Virtualization to the
SDDC
• By abstracting the traditionally physical infrastructure of routers, switches,
load balancers, and firewalls into a data center's virtualization layer, the data
center becomes agile and responsive to business needs as they change
• Virtual networks can be created, copied, moved, deleted and restored
quickly and easily, with no physical reconfigurations necessary
• With micro-segmentation (which we'll discuss later on in this course) threats
are prevented from moving laterally, server to server, inside the data center
• The NSX Data Center uses standardized, pre-defined templates, to provision
consistent networking and security, speeding up provisioning time from
days or weeks to seconds.
Key Components
Key Components
• The NSX Manager is based on the Photon operating system

• The NSX-T Manager, on the other hand, runs on the Ubuntu operating
system

• NSX can be integrated with any cloud management platform through
Representational State Transfer (REST) APIs

• NSX-V can be configured through the vSphere Client, through a command-line
interface (CLI) and through a REST API
Key Components
• Some of NSX Data Center’s other key components include:
o Logical distributed switching
o NSX Gateway
o Logical routing between logical switches
o Logical distributed firewalling
o A logical load balancer with SSL termination
o Logical VPN for site-to-site and remote access VPNs in
software
o Service insertion
o Multi-site, multi-cloud networking and security
Key Benefits
Key Benefits
• NSX Data Center helps organizations achieve the speed, agility, security,
and reliability of the software-defined data center

• Every physical networking element and service in a traditional environment
can be recreated in software

• Automation and orchestration greatly reduce the amount of time-consuming
manual configuration that administrators need to do, which in turn greatly
reduces the amount of costly human error
Key Benefits
• Network traffic flows are simplified

• Using ECMP, north-south traffic is spread across several Edge appliances, so
NSX virtualized networks keep working when one or more of those paths fail

• NSX app isolation policy acts as a firewall to block all inbound and outbound
traffic to and from workloads

• Security policies are attached to the applications they're protecting

• Existing server capacity is used better and money is saved

• vRealize Network Insight provides a 360° view of your entire NSX
infrastructure
Integrating with Existing
Networking Infrastructure
Integrating with Existing Networking Infrastructure

• The NSX Data Center can be deployed without disruption to existing compute
and networking infrastructure, applications, and security products because it
works with them
• The existing underlying physical network remains to handle packet
forwarding but, once NSX Data Center is deployed, it barely needs to be
touched and can, in fact, be streamlined
NSX Architecture
NSX Architecture
• NSX architecture consists of a data plane, control plane, and management
plane

• Each plane consists of multiple components, responsible for platform
management, traffic control, and service delivery

• The architecture also includes the necessary components for integration with
a cloud management platform
Management Plane
Management Plane
• NSX Manager provides
configuration and orchestration of
logical switching and routing, the
distributed firewall, networking,
and Edge services, and security
services

• The single unified user interface allows you to manage both vSphere and NSX
within the vSphere Client
Management Plane

In NSX-T Data Center, the management plane function and the central control
plane function have been collapsed into a single management cluster to reduce
the number of virtual appliances that need to be deployed and managed by the
NSX administrator
Control Plane
Control Plane
• The NSX Controller serves as the
central control point for all logical
switches within a network, and
maintains information about all
hosts, logical switches and
distributed logical routers
• Controllers distribute network
information across all controllers
in a cluster and are responsible
for distributing network
information to all the ESXi hosts
• The controller cluster is
responsible for managing the
distributed switching and routing
modules in the hypervisor
Control Plane

• In NSX-V, whenever a Distributed Logical Router (DLR) is deployed, a DLR
control VM is automatically created
• The control VM runs the routing protocols and communicates with the NSX
Controller cluster to ensure that the control plane has the most up-to-date
routing table, which the controllers then push to the kernel routing modules
on the ESXi hosts
• User World Agents (UWAs) on each host pass virtual machine MAC addresses
and IP addresses to the NSX Controllers
Data Plane
Data Plane
• The NSX data plane is where the
actual network traffic flows
• It consists of the NSX virtual
switch, which is based on the
vSphere Distributed Switch (vDS)
with additional components to
enable services
• Logical switching enables an
extension of a Layer 2 segment
and IP subnets anywhere in the
network, independent of the
physical network design
• NSX security enforcement is
done directly at the kernel and
vNIC level
Security Features
Security Features
• NSX embeds security functions directly into the hypervisor, providing
micro-segmentation and automated, very granular security for every
individual virtual desktop or device
• NSX enables security policies to travel with
specific workloads, wherever they are in the
network and whenever they move
• NSX can provide a logical DMZ anywhere in the
data center, and, being software, it can be as
large or as small as needed
Micro Segmentation
Micro Segmentation
• Micro-segmentation is the ability to segment elements of a system into extremely granular
components

• Once a network is segmented, security policies can easily be applied, whether an
administrator wants to target a cluster of servers or a single VM

• Virtual networks are isolated by default – from each other and from the underlying physical
network – and this provides an immediate security boost since a problem with one virtual
network is contained to that one network

• NSX works seamlessly with the best-known security products


Secure End User
Secure End User
• Unfortunately, managing groups of virtual desktop users is often a complicated process
involving multiple teams

• NSX simplifies VDI by providing security based on logical groups of users or departments;
organizations are able to speed the deployment of virtual desktop environments and use
their resources more efficiently

• NSX micro-segmentation integrates network and security with VDI management, allowing
for the creation of a single set of policies for as many different VDI users as necessary

• With NSX, if one end-user’s virtual desktop is attacked, the breach can easily be contained
to just that user
