Show 161 – VMware NSX – Real World SDN – Sponsored

Deep diving on VMware NSX? You bet. Download the PDF file and read along with us as we unpack how VMware NSX works with Brad Hedlund and Scott Lowe.

Network Virtualization is certainly the biggest architecture shift in our careers and probably yours.  And make no mistake, this is about networking.  Greg Ferro often says that overlays are about more networking, better networking (not less networking) – and we couldn’t agree more.  That’s why we’re excited to bring this discussion on VMware NSX to Packet Pushers.  VMware NSX is a networking platform, designed for the next generation data center architecture, the software defined data center.


The power of any

Make no mistake, VMware NSX is a standalone virtual networking platform built to work with any hypervisor, on any physical network, for any application, deployed from any cloud management platform.  Any good networking platform must be agnostic to the things connecting to it, and VMware NSX is no different.

Enabling the era of the Virtual Network

Like VMware ESX and virtual machines, VMware NSX creates the fundamental abstraction of the virtual network.  A virtual network is complete with L2-L7 networking services such as logical switching, routing, load balancing, security, and more, assembled in any arbitrary logical topology. Virtual networks are then deployed programmatically with a similar speed and operational model as the virtual machine — create, start, stop, template, clone, snapshot, introspect, delete, etc. in seconds.

Services oriented networking

VMware NSX simplifies the configuration of the physical network, as it handles all of the necessary traffic steering to provision service insertion through overlays (VXLAN, STT, etc.).  Network engineers can focus more time on enabling new service offerings, capacity planning for those services, and the virtual/physical architecture.  Significantly less time will be required for mundane traffic steering provisioning tasks.  Consider how server virtualization had a skill-elevating effect on server admins.  With virtual servers auto deployed, more time is spent on capacity planning a virtual infrastructure, gaining more valuable skills.  The same will be true for network virtualization and the networking admin.  This is a great time to be in networking.

Show PDF

Link: PPP-VMware-NSX-Topologies-Traffic-Flows Design Guide

Distributed Layer 3 Routing & Firewall

The vswitch is the first (and last) hop in a virtualized infrastructure, and history has proven that moving more functionality to the network edge is more scalable and efficient (e.g. MPLS, Skype).  VMware NSX inserts itself at the network edge, the hypervisor vswitch layer, and brings a whole lot more functionality to the vswitch than ever before.  The basic layer 2 bridging vswitch as you know it transforms into a distributed layer 2 switch, layer 3 router, and stateful firewall, all centrally managed by the NSX Controller Cluster.

Two VMs on the same host but different subnets?  They talk directly on that host.  No Layer 3 interface configurations necessary on physical switches.  Two VMs in different security domains?  They talk directly with stateful firewalling.  The NSX vswitch does all of the routing and firewalling.  No traffic steering through a physical firewall choke point.  No hairpin hops through a Layer 3 core switch.

See the PDF file linked to this post containing diagrams of traffic flows before and after NSX, which were discussed on the show.
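As an added illustration (not VMware's or Packet Pushers' code), here is a small Python model of the two decisions the text describes happening in the vswitch: where a packet is forwarded (on the host, or encapsulated over VXLAN to the peer's host) and whether the distributed stateful firewall admits the flow. The VM names, addresses, security groups and allow-list policy are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str
    domain: str  # security group the distributed firewall matches on (constructed label)

# Constructed inventory: three VMs on three subnets across two hypervisor hosts.
VMS = {
    "web1": VM("web1", "10.0.1.10", "hostA", "web"),
    "app1": VM("app1", "10.0.2.10", "hostA", "app"),
    "db1": VM("db1", "10.0.3.10", "hostB", "db"),
}
SUBNETS = [ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24"), ip_network("10.0.3.0/24")]

# Constructed allow-list policy (src group, dst group, dst port); anything else is dropped.
POLICY = {("web", "app", 8080), ("app", "db", 5432)}

# Per-flow connection table, so replies to an allowed flow pass without their own rule.
CONNTRACK = set()

def subnet_of(ip: str):
    addr = ip_address(ip)
    return next(n for n in SUBNETS if addr in n)

def path(src: VM, dst: VM) -> str:
    """Forwarding decision in the vswitch: nothing leaves the host unless the peer VM lives elsewhere."""
    if src.host != dst.host:
        return f"vxlan->{dst.host}"  # encapsulated to the remote VTEP; no hairpin via a physical L3 core
    return "local-bridged" if subnet_of(src.ip) == subnet_of(dst.ip) else "local-routed"

def forward(src_name: str, dst_name: str, dport: int, sport: int = 40000):
    """Return (action, path) for one packet, as the distributed router/firewall on the source host would."""
    src, dst = VMS[src_name], VMS[dst_name]
    flow = (src.ip, dst.ip, sport, dport)
    reverse = (dst.ip, src.ip, dport, sport)
    if flow in CONNTRACK or reverse in CONNTRACK:
        return "allow", path(src, dst)  # established flow, either direction
    if (src.domain, dst.domain, dport) in POLICY:
        CONNTRACK.add(flow)  # new flow permitted by policy; remember it for the reply
        return "allow", path(src, dst)
    return "drop", "none"  # dropped at the source vswitch; never reaches the wire
```

Note that the db1 to app1 packet on port 5432 is dropped even though app1 to db1 on 5432 is allowed: only the reply to an existing flow is admitted by state, not a new connection in the opposite direction.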

Server Load Balancing & Perimeter Firewall

NSX virtual networks can include server load balancing and perimeter firewall services, through auto provisioned NSX Edge multi-service virtual machines.  The NSX Edge usually functions as the north-south perimeter for the virtual network, with one leg facing a public/DMZ VLAN on a physical network and the other leg facing a VXLAN inside the virtual network.  The NSX Edge is capable of dynamic routing protocols (BGP, OSPF) to advertise IP networks within its virtual network to a physical router adjacent on the DMZ VLAN.  NSX Edge obviates the need for manual configuration of physical LB/FW appliances and their limited multi-tenancy contexts.

NSX Partner Integration

Ultimately, VMware NSX represents a virtual network control plane that 3rd parties can easily integrate with.  One such example is the numerous top-of-rack switch vendors demonstrating integration with VMware NSX at VMworld 2013.  In these demos, the ToR switch with VTEP in silicon registers with VMware NSX as a Layer 2 gateway, enabling bridging from a VLAN/port to a VXLAN within a virtual network.  Other 3rd party integrations can include higher level services such as firewalls and load balancers, WAN accelerators, IDS/IPS, and more.

Visibility and Troubleshooting

From a central viewpoint (the NSX Controller Cluster) you now have aggregate visibility into the complete state of the virtual network, including port counters, policy, and all flow data.  Moreover, from a central viewpoint you can view the health of the physical and virtual network and conduct sophisticated troubleshooting tests leveraging the plethora of flow data, metadata, and x86 CPUs at the edge.

Multi data center

Probably the biggest barrier to achieving true application HA/DR between data centers is the network.  Quickly recreating compute and storage in another data center can be done; those problems have already been solved.  Recreating the application’s network topology and services, however, is tremendously painful and risky (bridging VLANs between sites).  Network Virtualization can provide an elegant solution here: service-rich virtual networks can be deployed in seconds from templates, auto provisioned with APIs and software, on any hardware.  This makes it possible for virtual networks to be synchronized between sites, right along with virtual machines and storage, ready for synchronized push-button or triggered failover of compute, network, and storage together.  I see this as one of the killer apps for the software defined data center.

It’s a great time to be in Networking

Any way you slice it, there’s never been a more exciting time to be in networking.  For a while there, things were starting to get boring and a bit mundane, with little innovation.  All of that has suddenly changed.  The future of networking and our careers is on to bigger and better things: an era of networking services, architecture, policy, and capacity planning.  This train is going places.  Jump on it.

Greg Ferro
Greg Ferro is a Network Engineer/Architect, mostly focussed on Data Centre, Security Infrastructure, and recently Virtualization. He has over 20 years in IT, working as a freelance consultant for a wide range of employers including Finance, Service Providers and Online Companies. He is CCIE#6920 and has a few ideas about the world, but not enough to really count. He is a host on the Packet Pushers Podcast, blogger at EtherealMind.com and on Twitter @etherealmind and Google Plus.
  • Brandon Mangold

    Great set of resources on NSX. I really like the addition of the PDF.

    What I am still trying to figure out is what is technically possible with NSX that wasn’t/isn’t possible with Cisco 1000v/CSR/vASA/VXLAN?

    As usual thanks for the great content… too much networking is NEVER enough.

    • Oded Rotter

      Maybe lack of SLB/ADC capabilities and one centralized management for the whole Data Center?

  • Nick Day

    Great show, currently working with the horrors of traffic steering in DC networks and can see all the benefits. Looking forward to trialing this as soon as possible along with the testing of other vendor solutions in this space. Anyone know how to get trial licenses?

    Love the diagrams but I think maybe the hop counts would only be true if all your VTEPs are on the same subnet or the L2 switches were L3 aware.