NSX Design Notes (1/10) – Functional Components

1) NSX Manager

  1. Virtual Appliance – NSX Management plane
  2. NSX Manager : vCenter -> 1:1 mapping
  3. Responsible for
    1. Deployment of control clusters and ESX Host preparation (install VIBs).
    2. Deployment and configuration of NSX Edges (ESG and DLR).
  4. SSL
    1. Creates self-signed SSL certificates for control cluster nodes and ESXi hosts. Control plane communication is encrypted.
    2. SSL is enabled by default from 6.1
  5. Failure impact
    1. Impacts only NSX management plane
    2. Already deployed logical networks continue to function (data plane and control plane are unaffected).
  6. Backup / Restore
    1. Supports data-level backup from the NSX Manager GUI.
    2. Backups can be scheduled.
    3. Restore possible only on freshly deployed manager instances

2) Control Cluster

  1. Responsible for managing the Hypervisor switching and routing modules
  2. Supports ARP suppression mechanism
  3. Cluster nodes are virtual appliances deployed from NSX manager UI
  4. Recommendation: Deploy nodes in three distinct ESX hosts. Use Anti-Affinity rules
  5. Cluster nodes
    1. The controller cluster uses a slicing mechanism so that all nodes are active at any given time (each node owns a share of the workload).
    2. One of the nodes is the master. If the master fails, one of the other nodes becomes master.
    3. In case of a controller node failure, the slices owned by that node are reassigned to the remaining nodes.
    4. If only one node is left active (the other nodes have failed), the controller reverts to read-only mode.

3) VXLAN Primer

  1. L2 Communication over VXLAN

4) ESXi Hypervisors with VDS

  1. User space and Kernel space

5) NSX Edge Services Gateway

  1. Multi-function multi-use VM Appliance
  2. Modes
    1. Active-Passive
    2. Active-Active (ECMP mode)
      1. Up to 8 ESGs
      2. Only routing services available
  3. Services provided
    1. Routing
    2. NAT
    3. Firewall
    4. Load balancing
    5. L2/L3 VPN
    6. DHCP/DNS Relay
  4. Routing
    1. Centralized on-ramp / off-ramp routing between logical networks and physical networks.
    2. Supports : OSPF , iBGP, eBGP & static routing
  5. NAT : Supports both source and destination NAT
  6. Firewall:
    1. Edge firewall is between NSX logical networks and physical networks (North-South traffic).
    2. DFW is for East-West traffic.
  7. Load balancing:
  8. VPN :
    1. L2 VPN ( Extend L2 domains between geo dispersed datacenters)
    2. L3 VPN ( IPsec VPN , SSL VPN)
  9. DHCP , DNS and IP address management (DDI)
    1. DNS Relay
    2. DHCP Server
    3. DHCP Relay

6) Transport Zone

  1. Collection of ESXi hosts that can communicate with each other across a physical network infrastructure
  2. TZ can extend across multiple VDS

7) DFW

  1. Operates at VM vNIC level. VMs can be connected to VLAN backed dvPortgroup or VXLAN logical switch.
  2. DFW instance is located between vNIC and Logical switch. All ingress and egress packets must pass through DFW.
  3. L2-L4 stateful firewall services (L2: MAC addresses and L2 protocols; L3/L4: IP addresses and TCP/UDP ports)
  4. L2 rules are enforced before L3/L4 rules.
  5. Runs in kernel space
  6. DFW entities
    1. NSX Manager
    2. vCenter
    3. ESXi Hosts

  7. VSIP (Service Insertion Platform) adds complementary services such as spoof guard and traffic redirection to third-party vendor services
    1. Spoof guard – Maintains a reference table of VM names and IP addresses retrieved from VMware Tools during initial boot-up.
    2. Traffic redirection is configured in Service Composer / security policy (6.0) or the Partner security services tab (6.1+)
  8. DFW Instance on ESX host contains two tables
    1. Rule table : Stores all policy rules
    2. Connection tracker table : stores flow entries with permit action
  9. Flow is identified by 5-tuple information – Src IP , Dest IP, Protocol , Src port & Dest port
  10. DFW rules
    1. Rules are processed from top to bottom
    2. Enforce first rule that matches traffic parameters
    3. DFW default policy rule at the bottom is catch-all
    4. DFW first performs lookup in connection tracker table , if flow is not available then it processes rule table
  11. DFW fully supports vMotion.
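The DFW packet path described in items 7 to 10 above (spoof guard check, connection tracker lookup, L2 rules before L3/L4 rules, top-to-bottom first match, catch-all default, permitted flows recorded in the connection tracker), as an added example not taken from the design guide or from any VMware code. The rule set, VM names, MAC and IP addresses are constructed for the example; the rule and packet representation is a simplification for illustration, not NSX's own data model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed SpoofGuard reference table: VM name -> IP reported by VMware Tools
# at first boot. Values are invented for this example.
SPOOFGUARD: Dict[str, str] = {"web01": "10.0.1.10", "app01": "10.0.2.10"}

# A flow is identified by its 5-tuple: src IP, dst IP, protocol, src port, dst port.
Flow = Tuple[str, str, str, int, int]


@dataclass(frozen=True)
class Rule:
    """One DFW rule. A field left as None matches anything."""
    name: str
    action: str                       # "allow" or "block"
    src_mac: Optional[str] = None     # L2 rules match on MAC address / L2 protocol
    l2_proto: Optional[str] = None
    src_ip: Optional[str] = None      # L3/L4 rules match on IP addresses / ports
    dst_ip: Optional[str] = None
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        checks = {"src_mac": self.src_mac, "l2_proto": self.l2_proto,
                  "src_ip": self.src_ip, "dst_ip": self.dst_ip,
                  "proto": self.proto, "dst_port": self.dst_port}
        return all(v is None or pkt.get(k) == v for k, v in checks.items())


# Constructed rule tables. Each list is ordered top to bottom and ends with a
# catch-all default rule, as the DFW rule table does.
L2_RULES: List[Rule] = [
    Rule("block-non-ip", "block", l2_proto="ipx"),
    Rule("l2-default", "allow"),
]
L3_RULES: List[Rule] = [
    Rule("web-to-app", "allow", src_ip="10.0.1.10", dst_ip="10.0.2.10",
         proto="tcp", dst_port=8443),
    Rule("any-dns", "allow", proto="udp", dst_port=53),
    Rule("l3-default", "block"),
]


def first_match(rules: List[Rule], pkt: dict) -> Rule:
    """Top-to-bottom evaluation: the first rule that matches is enforced."""
    for rule in rules:
        if rule.matches(pkt):
            return rule
    raise AssertionError("rule table must end with a catch-all default")


def dfw_decide(vm: str, pkt: dict, conntrack: Set[Flow]) -> Tuple[str, str]:
    """Decide one packet leaving a VM's vNIC; returns (action, reason).

    conntrack is the host's connection tracker table (permitted flows only)
    and is updated in place when a new flow is allowed.
    """
    # 1. SpoofGuard: the source IP must match the one recorded for this VM.
    if SPOOFGUARD.get(vm) != pkt["src_ip"]:
        return "block", "spoofguard"
    flow: Flow = (pkt["src_ip"], pkt["dst_ip"], pkt["proto"],
                  pkt["src_port"], pkt["dst_port"])
    # 2. Connection tracker lookup first; a known permitted flow skips the rule table.
    if flow in conntrack:
        return "allow", "conntrack"
    # 3. L2 rules are enforced before L3/L4 rules; first match wins in each table.
    rule = first_match(L2_RULES, pkt)
    if rule.action == "block":
        return "block", rule.name
    rule = first_match(L3_RULES, pkt)
    # 4. Only flows with a permit action are stored in the connection tracker.
    if rule.action == "allow":
        conntrack.add(flow)
    return rule.action, rule.name


def demo() -> List[Tuple[str, str]]:
    """Run a few constructed packets through the pipeline and return the decisions."""
    ct: Set[Flow] = set()
    web = {"src_mac": "00:50:56:aa:bb:01", "l2_proto": "ip", "src_ip": "10.0.1.10",
           "dst_ip": "10.0.2.10", "proto": "tcp", "src_port": 50000, "dst_port": 8443}
    return [
        dfw_decide("web01", web, ct),                        # new flow: rule lookup
        dfw_decide("web01", web, ct),                        # same flow: conntrack hit
        dfw_decide("web01", dict(web, src_ip="10.0.1.99"), ct),   # spoofed source IP
        dfw_decide("web01", dict(web, dst_port=22), ct),          # falls to L3 default
        dfw_decide("web01", dict(web, l2_proto="ipx", dst_port=9), ct),  # L2 block
    ]


if __name__ == "__main__":
    for action, reason in demo():
        print(f"{action:5s} ({reason})")
```

Note that a blocked packet never enters the connection tracker, so the second spoofed or denied attempt is re-evaluated against the rule table each time, while the permitted web01 -> app01 flow is answered from the tracker without a rule lookup.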

Source: http://www.vmware.com/content/dam/digitalmarketing/vmware/en/pdf/products/nsx/vmw-nsx-network-virtualization-design-guide.pdf
