Transcript PowerPoint

Data Center Network Redesign
using SDN
June 4, 2015
Brian Pietrewicz
David Jones
Chad VanPelt
Data Center Network Redesign using SDN
• Introduction
• What is a Software Defined Network
• The Benefits of SDN using NSX
• How NSX Provides the SDN Service
• Future SDN/NSX/Lobocloud Directions
Introduction
• Project History
• Lobocloud:
– IT delivered datacenter, servers, storage, networks, OS,
database and security services
– Self Service portal
– Deploy Windows and Linux virtual machines customized
to meet capacity requirements
– Ready and available in 20 minutes (excluding FW)
– Adding Multi-tenancy and enhanced security through
SDN
What is a Software Defined Network
• In the virtual environment, physical network devices
can be virtualized.
– This adds tremendous flexibility to network infrastructure
• Virtualized network services
– Routers
– Switches
– Firewalls
• Network Segments
– VXLAN Network Interface (VNI)
What is NSX
• VMware's Software Defined Network Platform
• Developed from two products:
– Nicira Network Virtualization Platform
– VMware vCloud Networking and Security
• Abstracts hardware functionality into software
• It is to networking what vSphere ESXi is to computing.
NSX in Software Defined Network
Benefits of SDN and NSX
• Improved Network Performance and
Functionality
• Improved Security
• Multi-Tenancy
• Automation/Ease of Network Deployments
Improved Network Performance and
Functionality
– Reduces the hierarchical model of networking
– Provides secure intra and inter ESXi traffic
– Increases the number of possible network segments.
– Provides the ability to utilize multiple physical
datacenters/cloud services without requiring complex
network changes
Improved Network Security
• Increased protection without increasing
management.
• Centrally Managed Security Services
• Multiple Firewall/Security solutions to meet customers' needs
Traditional vs. NSX Firewalls (diagram comparing the Traditional and NSX models)
Traditional model of security
• Wall around datacenter only
• Host based firewalling required to isolate servers
• Host based firewalling
– Hard to manage
– Inconsistent
• Traffic hair-pinning to physical firewall
NSX Model
• Perform firewall functionality on the connection
between the VM and the Virtual Switch
• Firewall rules centrally managed by vCenter and NSX Manager
• Firewall rules migrate with the VM
• Creates consistent rulesets using Security Policies and Groups
• Centrally Managed
• Reduces Network Hair-pinning
Multi-Tenancy
• Security barriers between VMs on same
VXLAN/VLAN
• Security between functional services, departments,
or data/service sensitivity.
– Web, App, DB
– NMEL, HR, College of Fine Arts
– Public data, research data, sensitive (PCI,HIPAA,etc) data
• VXLANs protected through Edge Service devices and
the NSX Distributed Firewalls.
Automated Deployment of Network
Appliance and Services
• Provides multi-tenancy to Lobocloud customers
• Allow dynamic configuration and deployment of
NSX Logical Service
• Allows on-demand application delivery with NSX managed
network and security services.
• Deployments are templateable and automatable
• On-Demand vs Pre-created
How NSX Works
VXLAN
• Network tunneling protocol
• Provides L2 tunnels over L3 networks
• Increases number of LAN segments available for
traffic.
– Standard VLANs = 4094
– VXLAN Network Identifiers = 16 Million
• Virtual Tunnel End Points (VTEPS)
– Terminate VXLAN Tunnels
– ESXi Hosts and Edge Services Gateways
VXLAN
• VXLAN modules operate in the ESXi hypervisor.
• Managed by NSX Controllers
– ARP, VTEP and MAC tables.
• VTEPs encapsulate/decapsulate network packets.
– Wrap UDP Packet Header around L2 packet
– VXLAN Packet header includes VNI.
• Encapsulated packets are forwarded between VTEPs over the physical network like any other IP traffic.
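The encapsulation the two VXLAN slides describe, as an added worked example (not code from the presentation or from NSX): a VTEP wraps a UDP header and an 8-byte VXLAN header carrying the 24-bit VNI around the VM's L2 frame, and the receiving VTEP validates the headers and strips them. The header layout and UDP port 4789 follow RFC 7348; the MAC table, MAC addresses and VTEP IPs are constructed sample data standing in for the tables the NSX Controller distributes, and the outer IP/Ethernet headers are left to the IP stack.

```python
# Added example of VXLAN encapsulation/decapsulation (RFC 7348 header layout).
# The MAC/VTEP table below is constructed sample data, not real NSX state.
import struct
from typing import Tuple

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN UDP destination port
VXLAN_FLAG_I = 0x08          # "I" flag: the VNI field is valid
MAX_VNI = (1 << 24) - 1      # 24-bit VNI: 16,777,215 segments vs. 4094 VLANs


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    return struct.pack("!BBBB", VXLAN_FLAG_I, 0, 0, 0) + struct.pack("!I", vni << 8)


def ethernet_frame(dst_mac: bytes, src_mac: bytes, payload: bytes,
                   ethertype: int = 0x0800) -> bytes:
    """Inner L2 frame as emitted by the VM (no FCS; constructed for the example)."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def encapsulate(vni: int, inner_frame: bytes, src_port: int = 49152) -> bytes:
    """Egress VTEP: UDP header + VXLAN header wrapped around the L2 frame."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    # UDP checksum 0 = not computed (permitted for IPv4 VXLAN transport)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)
    return udp + vx + inner_frame


def decapsulate(datagram: bytes) -> Tuple[int, bytes]:
    """Ingress VTEP: validate UDP/VXLAN headers, return (VNI, inner L2 frame)."""
    if len(datagram) < 16:
        raise ValueError("datagram too short for UDP + VXLAN headers")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", datagram[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: UDP destination port {dst_port}")
    if udp_len != len(datagram):
        raise ValueError("UDP length field does not match datagram length")
    flags = datagram[8]
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set: VNI field is not valid")
    (vni_field,) = struct.unpack("!I", datagram[12:16])
    return vni_field >> 8, datagram[16:]


# Constructed sample of a controller-distributed MAC table:
# (VNI, inner destination MAC) -> IP address of the VTEP hosting that MAC.
# The same MAC on a different VNI is a different segment and a different VTEP.
MAC_TABLE = {
    (5001, bytes.fromhex("005056000001")): "10.10.0.11",
    (5001, bytes.fromhex("005056000002")): "10.10.0.12",
    (5002, bytes.fromhex("005056000001")): "10.10.0.13",
}


def forward(vni: int, inner_frame: bytes) -> Tuple[str, bytes]:
    """Look up the remote VTEP for the frame's destination MAC within its VNI
    and return (remote VTEP IP, encapsulated datagram)."""
    dst_mac = inner_frame[:6]
    remote = MAC_TABLE.get((vni, dst_mac))
    if remote is None:
        raise LookupError("destination MAC unknown in this VNI")
    return remote, encapsulate(vni, inner_frame)


if __name__ == "__main__":
    frame = ethernet_frame(bytes.fromhex("005056000002"),
                           bytes.fromhex("005056000001"), b"hello")
    vtep_ip, datagram = forward(5001, frame)
    vni, inner = decapsulate(datagram)
    print(f"sent to VTEP {vtep_ip}, VNI {vni}, payload intact: {inner == frame}")
```

The lookup keyed on (VNI, MAC) rather than MAC alone is what makes overlapping address space between tenants safe: the VNI in the header decides which segment's tables apply on the far side.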
Distributed Logical Router
• Module on each ESXi host
• Routes VNI-to-VNI, VLAN-to-VLAN and VNI-to-VLAN network traffic
• Supports OSPF and BGP Protocols
• Keeps East-West traffic East-West
Distributed Firewall
• DFW Modules run on Host
• DFW Modules are controlled by NSX Manager.
• Configure rules in vCenter
• NSX Manager pushes rules to DFW Modules
• Firewall processing happens at the vNIC.
Distributed Firewall
Firewall policy can be wrapped around
• Cluster
• Datacenter distributed port group
• IP Sets
• Legacy Port Group
• Logical Switch
• Resource Pool
• Security Group
• vApp
• Virtual Machine
• vNic
Edge Service Gateways (ESG)
• Used to provide North/South traffic
• Used to provide other network services
– Network Address Translation
– SSL VPN
– Load Balancing
• ESGs are VMs, not modules in ESXi
• Third-party vendors provide advanced ESG services.
Multi-Tenancy
• Micro-segmentation
– Using Logical Routers and Switches
• DFW
– Profiles based on Name, Security Groups, Logical Switches
• Edge Services
– SSL VPN
– Network Address Translation
– Firewall
VCO/VCAC integration
• Automated Network Connectivity through Network
Profiles
• Automated System/Application Isolation
• Deployment Models
– Precreated – defined/created by IT NSX Admins
– On-Demand – defined/configured by Lobocloud Customer
• Lobocloud Customer Profiles
– Regular
– Super
VCAC Network Profiles
• Define IP addresses and subnets used in
deployments
• Use IP pools for static IP assignments
• Use standard switches, distributed switches, or
logical switches
• Profile types
– External
– Routed
– Network address translation (NAT)
– Private
VCAC Security Automation
• Automated or Predefined Security Group creation
using predefined security policies
• Security tags automatically assign newly created
VMs to security groups.
• Security tags defined in blueprints.
The Future Applications of SDN
• Customer access to tenant security
• VDI
• Hybrid Cloud
• Science DMZ
Questions/Answers