Learning VMware NSX - Second Edition

Chapter 1. Introduction to Network Virtualization

This chapter begins with a brief introduction to network virtualization, followed by an overview of its concepts. We then introduce VMware's NSX-V network virtualization solution that allows you to deploy and manage your own software-defined networking stack. We will go over all the features and services of NSX, followed by its configuration maximums. By the end of this chapter, you will have a thorough understanding of the concepts of network virtualization, and NSX-V as a network virtualization solution.

In this chapter, we will cover:

Introducing network virtualization
Concepts of network virtualization
Introducing the NSX-V network virtualization platform
NSX features and services
NSX configuration maximums
Summary

Introducing network virtualization

Today's datacenter demands are a paradigm shift from what they were a decade ago. As the cloud consumption model is being rapidly adopted across the industry, the need for on-demand provisioning of compute, storage, and networking resources is greater than ever. One of the biggest contributing factors to enable the cloud consumption model is server virtualization.

Server virtualization has enabled fast consumption of compute resources along with add-on functionality and services. Snapshots, clones, and templates are all now easier than ever with server virtualization.

If you have worked in a datacenter, you would agree that networking is always challenging to work with. Once the networking design is established, any changes that need to be made are always challenging because of a lack of flexibility due to increasing complexity and demands on the environment. While compute and storage have rapidly improved in their speed of deployment and consumption, networking continues to remain a challenge in today's environments, where simple tasks such as creating a new VLAN are becoming increasingly complex and time consuming.

Note

A metaphor: Today's networking is similar to building roads and highways in a city. Once you have the highways and roads established, it is not easy to expand them, or simply remove and replace them, without affecting traffic. You always have to think ahead and build to facilitate future growth and flexibility. Similarly, traditional networks in a datacenter have to be built to handle future growth and should be flexible enough to allow for changes as they happen.

Network virtualization is the virtualization of network resources using software and networking hardware that enables faster provisioning and deployment of networking resources. Network virtualization lays the foundation for software-defined networking, which allows instant deployment of services to be offered to the consumers. Services such as Edge gateways, VPN, DHCP, DNS, and load balancers can be instantly provisioned and deployed because of the software aspect of network virtualization. The networking hardware allows for physical connectivity, while the software is where all the network logic resides allowing for a feature-rich network service offering.

Network virtualization allows for consumption of simplified logical networking devices and services that are completely abstracted from the complexities of the underlying physical network. Lastly, network virtualization is key for a software-defined data center (SDDC).

Concepts of network virtualization

Now that we have defined what network virtualization is about, let's go over some of the key concepts of network virtualization and software-defined networking:

Decoupling: An important concept of network virtualization is the decoupling of software and the networking hardware. The software works independently of the networking hardware that physically interconnects the infrastructure. Any networking hardware that can inter-op with the software is always going to enhance the functionality, but it is not necessary. Remember that your throughput on the wire will be always limited by your network hardware performance.
Control plane: The decoupling of software and networking hardware allows you to control your network better because all the logic resides in the software. This control aspect of your network is called the control plane. The control plane provides the means to configure, monitor, troubleshoot, and also allow automation against the network.
Data plane: The networking hardware forms the data plane where all the data is forwarded from source to destination. The management of data resides in the control plane; however, the data plane consists of all the networking hardware whose primary function is to forward traffic over the wire from source to destination. The data plane holds all the forwarding tables that are constantly updated by the control plane. This also prevents any traffic interruptions if there is a loss of the control plane, because the networking hardware, which constitutes the data plane, will continue to function without interruptions.
Application Programming Interface (API): The API is one of the important aspects of a virtualized network and allows for true software-defined networking by instantly changing the network behavior. With the API, you can now instantly deploy rich network services in your existing network. Network services such as Edge gateway, VPN, Firewall, and load balancers can all be deployed on the fly by means of an API.

NSX features and services

Before we get started with NSX, it is important to understand some of its features and services.

Note

NSX 6.2 is the current NSX version as of this writing.

Some NSX features are listed as follows. We will discuss these features in great detail in the following chapters:

Logical switching: NSX allows the ability to create L2 and L3 logical switching that enables workload isolation and separation of IP address space between logical networks. NSX can create logical broadcast domains in the virtual space that prevent the need to create any logical networks on the physical switches. This means you are no longer limited to 4096 physical broadcast domains (VLANS).
NSX gateway services: The Edge gateway services interconnect your logical networks with your physical networks. This means a virtual machine connected to a logical network can send and receive traffic directly to your physical network through the gateway.
Logical routing: Multiple virtual broadcast domains (logical networks) can be created using NSX. As multiple virtual machines subscribe to these domains, it becomes important to be able to route traffic from one logical switch to another. Logical routing helps achieve this by routing traffic between logical switches, or even between a logical switch and public networks. Logical routing can be extended to perform east-west routing that saves unnecessary network hops, increasing network efficiency. Logical routers can also provide north-south connectivity allowing access to workloads living in the physical networks. Logical routers also help avoid hairpinning of traffic, thereby increasing network efficiency.

Note

East-west traffic is traffic between virtual machines within a datacenter. In the current context, this typically will be traffic between logical switches in a VMware environment. North-south traffic is traffic moving in and out of your datacenter. This is any traffic that either enters your datacenter or leaves your datacenter.

Logical firewall: NSX allows you the option of a distributed logical firewall or an Edge firewall for use within your software-defined networking architecture. A distributed logical firewall allows you to build rules based on attributes that include not just IP addresses and VLANs, but also virtual machine names and vCenter objects. The Edge gateway features a firewall service that can be used to impose security and access restrictions on north-south traffic.
Extensibility: There are third-party VMware partner solutions to integrate directly into the NSX platform that allow a vendor choice in multiple service offerings. There are many VMware partners who offer solutions such as traffic monitoring, IDS, and application firewall services that can integrate directly into NSX. This enhances management and end user experience by having one management system to work with.

The features listed earlier enable NSX to offer a wide variety of services that can be consumed in your infrastructure. These services can be deployed and configured by the NSX API as well. Some of the NSX services are listed as follows:

Load balancer: NSX Edge offers a variety of services and the logical load balancer is one of them. The logical load balancer distributes incoming requests among multiple servers to allow for load distribution while abstracting this functionality from end users. The logical load balancer can also be used as a high availability (HA) mechanism to ensure your application has the most uptime.
Virtual private networks (VPN): The NSX Edge offers the VPN service that allows you to provision secure encrypted connectivity for end users to your applications and workloads. Edge VPN service offers SSL-VPN plus it allows for user access and IPSEC site-to-site connectivity, which enables two sites to be interconnected securely.
Dynamic Host Configuration Protocol (DHCP): NSX Edge offers DHCP services that allow IP address pooling, and also static IP assignments. An administrator can now rely on the DHCP service to manage all IP addresses in your environment, rather than having to maintain a separate DHCP service. The DHCP service can also relay DHCP requests to your existing DHCP server as well. The NSX Edge DHCP service can relay any DHCP requests generated from your virtual machines to a pre-existing physical or virtual DHCP server, without any interruptions.
Domain name system (DNS): NSX Edge offers a DNS relay service that can relay any DNS requests to an external DNS server.
Service composer: The service composer allows you to allocate network and multiple security services to security groups. Virtual machines that are part of these security groups are automatically allocated the services.
Data security: NSX data security provides visibility into sensitive data, ensures data protection, and reports back on any compliance violations. A data security scan on designated virtual machines allows NSX to analyze and report back on any violations based on the security policy that applies to these virtual machines.

Other NSX features include cross-vCenter networking and security, which allow you to manage multiple vCenter NSX environments using a primary NSX manager. This not only allows centralized management, but also extends one or more services and features across multiple vCenter environments. We will talk more about cross vCenter networking in the upcoming chapters.

NSX configuration maximums

Let's have a look at what the NSX configuration maximums are. VMware has not published an official document, so the following limits listed were gathered by reviewing NSX documentation and online research. Some websites that contributed include www.vmguru.com.

Some of these limits are hard limits while most of them are soft limits, beyond which VMware does not support such configurations. For example, if you exceed the number of concurrent connections per Edge gateway, it will affect your gateway's performance, but won't cause it to halt or reject new connections. The hard limit verses soft limit documentation is not explicitly published, but VMware NSX support can clarify if needed. The chances are that you will scale out your environment before reaching these maximums.

The maximums for NSX follow.

Note

NSX 6.2 is the current NSX version as of this writing. Configuration maximums can differ based software release. Always refer to the most up-to-date documentation to ensure accuracy.

The following table shows the limits for NSX – vCenter Maximums:

Description	Limit
vCenters	1
NSX Managers	1
DRS clusters	12
NSX controllers	3
Hosts per cluster	32
Hosts per Transport Zone	256

A Transport Zone defines the scope of a logical switch and can span one or more vSphere clusters. We will this discuss in greater depth in the upcoming chapters.

The following table shows the limits for Switching Maximums:

Description	Limit
Logical switches	10,000
Logical switch ports	50,000
Bridges per distributed logical router	500

The following table shows the limits for Distributed Logical Firewall Maximums:

Description	Limit
Rules per NSX Manager	100,000
Rules per VM	1,000
Rules per host	10,000
Concurrent connections per host	2,000,000
Security groups per NSX Manager	10,000

The following table shows the limits for Distributed Logical Router (DLR) Maximums:

Description	Limit
DLRs per host	1,000
DLR per NSX Manager	1,200
Interfaces per DLR	999
Uplink interfaces per DLR	8
Active routes per DLR	2,000
Active routes per NSX Manager	12,000
OSPF adjacencies per DLR	10
BGP peers per DLR	10

Note

Open Shortest Path First (OSPF) and Border Gateway Protocol (BGP) are routing protocols.

The following table shows the limits for NSX Edge Services Gateway (ESG) Maximums:

Description	Limit
Total number of Edge service gateways per NSX Manager	2,000
Interfaces per ESG (internal, uplink or trunk)	10
Sub-interfaces on a trunk	200
NAT rules per ESG	2,000
Static routes per ESG	2,048

The following table shows the limits for Edge Services Gateway Compact Maximums:

Description	Limit
OSPF routes per ESG	20,000
OSPF adjacencies per ESG	10
BGP peers per ESG	10
BGP routes per ESG	20,000
Total routes per ESG	20,000
Concurrent connections per ESG	64,000

The following table shows the limits for Edge Services Gateway Large Maximums:

Description	Limit
OSPF routes per ESG	50,000
OSPF adjacencies per ESG	20
BGP peers per ESG	20
BGP routes per ESG	50,000
Total routes per ESG	50,000
Concurrent connections per ESG	1,000,000

The following table shows the limits for Edge Services Gateway X-Large Maximums:

Description	Limit
OSPF routes per ESG	100,000
OSPF adjacencies per ESG	40
BGP peers per ESG	50
BGP routes per ESG	250,000
Total routes per ESG	250,000
Concurrent connections per ESG	1,000,000

The following table shows the limits for Edge Services Gateway Quad-Large Maximums:

Description	Limit
OSPF routes per ESG	100,000
OSPF adjacencies per ESG	40
BGP peers per ESG	50
BGP routes per ESG	250,000
Total routes per ESG	250,000
Concurrent connections per ESG	1,000,000

The following table shows the limits for Edge Services Gateway Overall Maximums:

Description	Limit
Load balancer VIPs	64
Load balancer pools	64
Load balancer servers per pool	32
Firewall rules per ESG	2,000

The following table shows the limits for DHCP, VPN Service Maximums:

Description	Limit
DHCP pools per Edge service gateway (all Sizes)	20,000
Number of IPSEC tunnels per Edge gateway - Compact	512
Number of IPSEC tunnels per Edge gateway - Large	1600
Number of IPSEC tunnels per Edge gateway - X-Large	4096
Number of IPSEC tunnels per Edge gateway - Quad-Large	6000
SSL VPN number of concurrent connections (compact/large/x-large/quad-large)	50/100/100/1000