2. The furious pace of technological adoption and innovation is shortening the life cycle of companies and forcing executives to make decisions and commit resources much more quickly.
- McKinsey, “Four Global Forces Breaking all Trends,” April 2015
3. Q: How do you use technology as a strategic asset
to thrive and grow without having to start over?
A: Start to think differently about networking.
4. Problem Statement
A lot of virtualization innovation has happened in the data center.
Data-Center Networking has had improvements in
speeds, density and scale.
The underlying architecture is still hardware-based, expensive, inflexible and risk-prone.
• You can’t keep up with the pace of business
• You can’t secure the data center
• You can’t support this new app-driven world
(Diagram: Applications on top of Compute, Storage and Networking.)
6. The Software Defined Networking Paradigm
§ Separate the control-plane from the data-plane in networking equipment.
§ Centralize network intelligence and state
§ Abstract network infrastructure from applications
WHY?
§ Agility
§ Speed
§ Repeatable application deployments.
NEW WAY TO DESIGN, DEPLOY and MANAGE the network & services.
7. Software Defined Networking
Controller: the brains of the network; it is the strategic control point in the SDN network.
Switches: the controller programs forwarding instructions, or “flows”, into the southbound switches/routers.
Protocol: the SDN protocol used to program these flows or instructions is called OpenFlow.
https://en.wikipedia.org/wiki/Open_Networking_Foundation
8. NOX Controller
§ NOX: the original OpenFlow controller, developed by Nicira (now part of VMware) and open-sourced in 2008.
11. Network Function Virtualization
§ Network Function Virtualization decouples network functions that are carried out in proprietary hardware appliances and runs them in software.
Examples: DNS and caching appliances moved to VM form factors.
Advantages
§ Flexibility
§ Cost
§ Mobility
§ Accelerate Provisioning
12. Use-cases
The Telco Use-Case
Issues:
§ Vendor lock-in
§ Static placement of gear
§ Procure-Design-Deploy-Integrate cycle
§ Innovation
14. Network Virtualization
Network Virtualization is defined by the ability to create logical,
virtual networks that are decoupled from the underlying network
hardware.
These virtualized networks are programmatically created, provisioned and managed, with the
underlying physical network serving as a simple packet-forwarding backplane.
23. The Power of Distributed Services
Network and security services now distributed in the hypervisor:
§ Switching
§ Routing
§ Firewalling/ACLs
§ Load Balancing
26. The next-generation networking model
(Diagram: Web, App and DB tiers, each on its own L2 switch and L3 subnet, built as an all-software construct over the physical network, with NAT towards the Internet.)
27. NSX Components
Cloud Consumption (CMP)
§ Self-service portal
§ vRealize Automation, OpenStack, custom CMS
Management Plane: NSX Manager
§ Single configuration portal
§ REST API entry-point
Control Plane: NSX Controller
§ Manages logical networks
§ Control-plane protocol
§ Separation of control and data plane
Data Plane: NSX Edge, ESXi hypervisor kernel modules and distributed services (logical switch, distributed logical router, distributed firewall), forming the logical network on top of the physical network
§ High-performance data plane
§ Scale-out distributed forwarding model
28. Physical view: VMs in a single logical switch
(Diagram: VM1, VM2 and VM3, with IPs 172.16.10.11, 172.16.10.12 and 172.16.10.13, attached to logical switch 5001 on the vSphere distributed switch; their hosts' transport addresses are 192.168.150.51, 192.168.150.52 and 192.168.250.51, with transport subnet A being 192.168.150.0/24, over the physical network.)
29. Traffic flow on a VXLAN-backed VDS
(Diagram: Host A and Host B on the vSphere distributed switch; the L2 frame crosses the VXLAN overlay as an IP/UDP/VXLAN packet over the IP fabric.)
Assume VM1 sends some traffic to VM2:
1. VM1 sends an L2 frame to the local VTEP.
2. The VTEP adds VXLAN, UDP and IP headers.
3. The physical transport network forwards it as a regular IP packet.
4. The destination hypervisor's VTEP de-encapsulates the frame.
5. The L2 frame is delivered to VM2.
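The five steps above, carried out on the wire: an added example (not from the deck or from VMware) that builds the outer IP/UDP/VXLAN headers around a constructed VM1-to-VM2 frame for logical switch 5001 between the two transport addresses from slide 28, and then performs the receiving VTEP's checks before handing the inner frame back. UDP port 4789 is the IANA-assigned VXLAN port; the MAC addresses and payload are made up.

```python
import socket
import struct
import zlib

VXLAN_PORT = 4789  # IANA-assigned VXLAN UDP port (not from the deck)

def ip_checksum(hdr: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when run over a valid IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def vxlan_encapsulate(frame: bytes, vni: int, src_vtep: str, dst_vtep: str) -> bytes:
    """Step 2: the local VTEP wraps VM1's L2 frame in VXLAN, UDP and IP headers."""
    vxlan = struct.pack("!II", 0x08000000, (vni & 0xFFFFFF) << 8)  # I flag + 24-bit VNI
    udp_len = 8 + len(vxlan) + len(frame)
    sport = 49152 + (zlib.crc32(frame[:12]) & 0x3FFF)  # inner MACs give ECMP entropy
    udp = struct.pack("!HHHH", sport, VXLAN_PORT, udp_len, 0)  # zero UDP checksum, legal on IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_vtep), socket.inet_aton(dst_vtep))
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + frame  # step 3: the fabric forwards this as a plain IP packet

def vxlan_decapsulate(packet: bytes, known_vnis) -> tuple:
    """Step 4: the destination VTEP validates the outer headers and strips them.
    Returns (vni, inner_frame); malformed packets or unknown VNIs are rejected."""
    if packet[0] >> 4 != 4 or packet[9] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP checksum")
    _, dport, ulen, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dport != VXLAN_PORT or ulen < 16:
        raise ValueError("not a VXLAN packet")
    flags, vni_field = struct.unpack("!II", packet[ihl + 8:ihl + 16])
    vni = vni_field >> 8
    if flags >> 24 != 0x08 or vni not in known_vnis:
        raise ValueError("VNI flag not set or VNI %d is not a known logical switch" % vni)
    return vni, packet[ihl + 16:ihl + ulen]  # step 5: L2 frame handed to VM2

# Constructed sample frame: VM1 -> VM2 on logical switch 5001 (MACs are made up)
VM1_MAC = bytes.fromhex("005056aa0001")
VM2_MAC = bytes.fromhex("005056aa0002")
SAMPLE_FRAME = VM2_MAC + VM1_MAC + b"\x08\x00" + b"hello from 172.16.10.11"

def demo() -> tuple:
    """Round-trip the sample frame between the two VTEPs; overhead is 20+8+8 bytes."""
    pkt = vxlan_encapsulate(SAMPLE_FRAME, 5001, "192.168.150.51", "192.168.150.52")
    vni, inner = vxlan_decapsulate(pkt, known_vnis={5001})
    return vni, inner == SAMPLE_FRAME, len(pkt) - len(SAMPLE_FRAME)
```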
30. Traffic flow on a VXLAN-backed VDS
(Diagram: Host A and Host B on the vSphere distributed switch, joined by a VXLAN overlay across the IP fabric.)
In this setup, VM1 and VM2 are on different hosts but belong to the same logical switch. When these VMs communicate, a VXLAN overlay is established between the two hosts.
31. Logical view: VMs with distributed routing
(Diagram: the distributed logical router service has interface 172.16.10.1 on the Web LS, 172.16.10.0/24, with VMs 172.16.10.11, 172.16.10.12 and 172.16.10.13; interface 172.16.20.1 on the App LS, 172.16.20.0/24, with VMs 172.16.20.11 and 172.16.20.12; and interface 192.168.10.1 in 192.168.10.0/29.)
41. The Power of Distributed Network & Security Services & Policies
42. Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient, and micro-segmentation is operationally infeasible.
(Diagram: two Internet-facing perimeters, labelled “Insufficient” and “Operationally Infeasible”, with little or no lateral controls inside the perimeter.)
43. Why traditional approaches are operationally infeasible
(Diagram: perimeter firewalls between the Internet and the data center.)
• Create firewall rules before provisioning
• Update firewall rules on every move or change
• Delete firewall rules when the app is decommissioned
• The problem grows with more East-West traffic
44. How an SDDC approach makes micro-segmentation feasible
(Diagram: a security policy defined in the cloud management platform is applied alongside the perimeter firewalls facing the Internet.)
45. NSX Distributed Firewalling Performance
20Gbps Per Host of Firewall Performance
with Negligible CPU Impact
46. Intelligent grouping
Groups defined by customized criteria:
§ Operating System
§ Machine Name
§ Application Tier
§ Services
§ Security Posture
§ Regulatory Requirements
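To make the point of slides 43 to 46 concrete, here is an added toy model (not NSX code and not from the deck) of criteria-based security groups and a distributed-firewall rule table that references groups rather than addresses. The VM attributes, group names, ports and rules are constructed; the Web and App subnets reuse the addressing from slide 31, the DB subnet is made up.

```python
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str
    os: str
    tier: str
    tags: set = field(default_factory=set)

# A group is a predicate over VM attributes, evaluated at enforcement time,
# so membership follows the VM through moves, re-IPs and tag changes.
GROUPS = {
    "web-tier": lambda vm: vm.tier == "web",
    "app-tier": lambda vm: vm.tier == "app",
    "db-tier": lambda vm: vm.tier == "db",
    "pci-scope": lambda vm: "PCI" in vm.tags,
    "legacy-os": lambda vm: vm.os.startswith("Windows Server 2003"),
}

# Rules reference groups, never IP addresses. First match wins; default deny.
RULES = [
    ("deny", "legacy-os", "pci-scope", None),   # unsupported OS may not touch PCI systems
    ("allow", "web-tier", "app-tier", 8443),
    ("allow", "app-tier", "db-tier", 3306),
]

def evaluate(src: VM, dst: VM, port: int) -> str:
    """Distributed-firewall decision for an east-west flow src -> dst:port."""
    for action, sgroup, dgroup, rport in RULES:
        if GROUPS[sgroup](src) and GROUPS[dgroup](dst) and rport in (None, port):
            return action
    return "deny"  # no rule matched: nothing lateral is implicitly trusted

def demo() -> tuple:
    web = VM("web01", "172.16.10.11", "Ubuntu 22.04", "web")
    app = VM("app01", "172.16.20.11", "Ubuntu 22.04", "app")
    db = VM("db01", "172.16.30.11", "RHEL 9", "db", {"PCI"})
    before = (evaluate(web, app, 8443), evaluate(web, db, 3306), evaluate(app, db, 3306))
    # app01 is moved and re-addressed: an IP-based rule would now need editing,
    # the group-based rule keeps matching without any change.
    app.ip = "172.16.20.99"
    after_move = evaluate(web, app, 8443)
    # app01 is found to run an unsupported OS: the deny rule isolates it from PCI scope.
    app.os = "Windows Server 2003 R2"
    quarantined = evaluate(app, db, 3306)
    return before, after_move, quarantined
```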
49. Primary NSX Use Cases
AUTOMATION: automating IT processes to deliver IT at the speed of business
SECURITY: architecting security as an inherent part of the data center infrastructure
APPLICATION CONTINUITY: enabling applications and data to reside and be accessible anywhere