Data Center Network Redesign using SDN
June 4, 2015
Brian Pietrewicz, David Jones, Chad VanPelt
Slide 2
Data Center Network Redesign using SDN
- Introduction
- What is a Software Defined Network
- The Benefits of SDN using NSX
- How NSX Provides the SDN Service
- Future SDN/NSX/Lobocloud Directions
Slide 3
Introduction: Project History
- Lobocloud: IT-delivered datacenter, servers, storage, networks, OS, database and security services
- Self-service portal
- Deploy Windows and Linux virtual machines customized to meet capacity requirements
- Ready and available in 20 minutes (excluding FW)
- Adding multi-tenancy and enhanced security through SDN
Slide 4
What is a Software Defined Network
- In the virtual environment, physical network devices can be virtualized. This adds tremendous flexibility to network infrastructure.
- Virtualized network services:
  - Routers
  - Switches
  - Firewalls
  - Network Segments: VXLAN Network Identifier (VNI)
Slide 5
What is NSX
- VMware's Software Defined Network platform
- Developed from two products:
  - Nicira Network Virtualization Platform
  - VMware vCloud Networking and Security
- Abstracts hardware functionality into software
- It is to networking what vSphere ESXi is to computing.
Slide 6
NSX in Software Defined Network
Slide 7
Benefits of SDN and NSX
- Improved Network Performance and Functionality
- Improved Security
- Multi-Tenancy
- Automation/Ease of Network Deployments
Slide 8
Improved Network Performance and Functionality
- Reduces the hierarchical model of networking
- Provides secure intra- and inter-ESXi traffic
- Increases the number of possible network segments
- Provides the ability to utilize multiple physical datacenters/cloud services without requiring complex network changes
Slide 9
Improved Network Security
- Increased protection without increasing management
- Centrally managed security services
- Multiple firewall/security solutions to meet customers' needs
Slide 10
Traditional vs. NSX Firewalls
(diagram: Traditional | NSX)
Slide 11
Traditional model of security
- Wall around datacenter only
- Host-based firewalling required to isolate servers
- Host-based firewalling:
  - Hard to manage
  - Inconsistent
- Traffic hair-pinning to physical firewall
Slide 12
Slide 13
NSX Model
- Perform firewall functionality on the connection between the VM and the virtual switch
- Firewall rules centrally managed by vCenter and NSX Manager
- Firewall rules migrate with the VM
- Creates consistent rulesets using Security Policies and Groups
- Centrally managed
- Reduces network hair-pinning
Slide 14
Slide 15
Multi-Tenancy
- Security barriers between VMs on the same VXLAN/VLAN
- Security between functional services, departments, or data/service sensitivity:
  - Web, App, DB
  - NMEL, HR, College of Fine Arts
  - Public data, research data, sensitive (PCI, HIPAA, etc.) data
- VXLANs protected through Edge Service devices and the NSX Distributed Firewalls
Slide 16
Slide 17
Automated Deployment of Network Appliances and Services
- Provides multi-tenancy to Lobocloud customers
- Allows dynamic configuration and deployment of NSX Logical Services
- Allows on-demand application delivery with NSX-managed network and security services
- Deployments are templateable and automatable
- On-Demand vs. Pre-created
Slide 18
Slide 19
How NSX Works
Slide 20
Slide 21
VXLAN
- Network tunneling protocol
- Provides L2 tunnels over L3 networks
- Increases the number of LAN segments available for traffic:
  - Standard VLANs = 4094
  - VXLAN Network Identifiers = 16 million
- Virtual Tunnel End Points (VTEPs) terminate VXLAN tunnels: ESXi hosts and Edge Services Gateways
Slide 22
Slide 23
VXLAN
- VXLAN modules operate in the ESXi hypervisor
- Managed by NSX Controllers: ARP, VTEP, MAC tables
- VTEPs encapsulate/decapsulate network packets:
  - Wrap a UDP packet header around the L2 packet
  - The VXLAN packet header includes the VNI
- Encapsulated packets are forwarded between VTEPs over the physical network like any other IP traffic
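The encapsulation described on the two VXLAN slides, as an added worked example that is not part of the deck or of NSX itself: an L2 frame gets the 8-byte VXLAN header (carrying the 24-bit VNI) prepended as the UDP payload, and a minimal VTEP picks the remote tunnel endpoint from a (VNI, MAC) table of the kind the controllers distribute. The VNI 5001, the MAC addresses and the VTEP IPs are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned VXLAN destination port (RFC 7348)
FLAG_VNI_VALID = 0x08      # "I" bit in the flags byte: the VNI field is valid
MAX_VNI = (1 << 24) - 1    # 24-bit VNI: ~16 million segments versus 4094 802.1Q VLANs

def vxlan_encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the 8-byte VXLAN header to an L2 frame; the result is the UDP payload.
    Header layout (RFC 7348): flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError(f"VNI {vni} is outside the 24-bit range")
    if len(inner_frame) < 14:
        raise ValueError("inner frame is shorter than an Ethernet header")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8) + inner_frame

def vxlan_decapsulate(udp_payload: bytes) -> tuple:
    """Strip the VXLAN header and return (vni, inner_frame).
    A VTEP drops packets with a truncated header or with the I flag clear."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags_word, vni_word = struct.unpack("!II", udp_payload[:8])
    if not (flags_word >> 24) & FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return vni_word >> 8, udp_payload[8:]

class Vtep:
    """Minimal VTEP model holding a (VNI, MAC) -> remote VTEP IP table, the kind of
    table NSX controllers distribute to ESXi hosts; it selects the outer destination."""

    def __init__(self, ip: str):
        self.ip = ip
        self.mac_table = {}   # (vni, dst_mac) -> remote VTEP IP

    def learn(self, vni: int, mac: bytes, vtep_ip: str) -> None:
        self.mac_table[(vni, mac)] = vtep_ip

    def send(self, inner_frame: bytes, vni: int):
        """Return (outer_dst_ip, dst_udp_port, udp_payload) for a frame from a local VM,
        or None when the destination MAC is unknown on that VNI (no table entry)."""
        remote = self.mac_table.get((vni, inner_frame[:6]))
        if remote is None:
            return None
        return remote, VXLAN_UDP_PORT, vxlan_encapsulate(inner_frame, vni)

# Constructed sample: a web VM on VNI 5001 sends an IPv4 frame to the app VM on another host.
WEB_MAC = bytes.fromhex("005056aa0001")   # constructed MAC addresses, not from the deck
APP_MAC = bytes.fromhex("005056aa0002")
SAMPLE_FRAME = APP_MAC + WEB_MAC + b"\x08\x00" + bytes(32)   # dst, src, EtherType, dummy payload
```

Because the VNI rides inside the UDP payload, a physical switch only sees VTEP-to-VTEP IP traffic; tenant separation therefore rests on the VTEPs and the distributed firewall, not on the underlay.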
Slide 24
Distributed Logical Router
- Module on each ESXi host
- Routes VNI-VNI, VLAN-VLAN and VNI-VLAN network traffic
- Supports OSPF and BGP protocols
- Keeps East-West traffic East-West
Slide 25
Distributed Firewall
- DFW modules run on the host
- DFW modules are controlled by NSX Manager
- Configure rules in vCenter; NSX Manager pushes rules to the DFW modules
- Firewall processing is at the vNIC
Slide 26
Distributed Firewall
- Firewall policy can be wrapped around:
  - Cluster
  - Datacenter
  - Distributed port group
  - IP Sets
  - Legacy port group
  - Logical Switch
  - Resource Pool
  - Security Group
  - vApp
  - Virtual Machine
  - vNIC
Slide 27
Edge Services Gateways (ESG)
- Used to provide North/South traffic
- Used to provide other network services:
  - Network Address Translation
  - SSL VPN
  - Load Balancing
- ESGs are VMs and not modules in ESXi
- Third-party vendors provide advanced ESG services
Slide 28
Multi-Tenancy
- Micro-segmentation using Logical Routers and Switches
- DFW profiles based on Name, Security Groups, Logical Switches
- Edge Services: SSL VPN, Network Address Translation, Firewall
Slide 29
VCO/vCAC integration
- Automated network connectivity through Network Profiles
- Automated system/application isolation
- Deployment models:
  - Pre-created: defined/created by IT NSX admins
  - On-Demand: defined/configured by the Lobocloud customer
- Lobocloud customer profiles: Regular, Super
Slide 30
vCAC Network Profiles
- Define IP addresses and subnets used in deployments
- Use IP pools for static IP assignments
- Use standard switches, distributed switches, or logical switches
- Profile types: External, Routed, Network address translation (NAT), Private
Slide 31
vCAC Security Automation
- Automated or predefined Security Group creation using predefined security policies
- Security tags automatically assign newly created VMs to security groups
- Security tags defined in blueprints
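The tag-to-group-to-policy chain from the NSX Model, Distributed Firewall and vCAC Security Automation slides, as an added illustration that is not part of the deck or of NSX: VMs carry security tags from their blueprint, groups are resolved from tags, and the per-vNIC decision depends only on group membership, so the same rules apply wherever the VM runs and a newly deployed VM inherits them without a rule edit. The group names, tags, tiers and addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)   # security tags assigned from the blueprint

@dataclass
class Rule:
    src_group: str          # security group name, or "any"
    dst_group: str
    proto: str              # "tcp", "udp" or "any"
    port: Optional[int]     # None matches any port
    action: str             # "allow" or "deny"

def group_members(vms, groups) -> dict:
    """Resolve each security group to the names of VMs carrying its tag, the way
    security tags place newly created VMs into groups without editing a rule."""
    return {g: {vm.name for vm in vms if tag in vm.tags} for g, tag in groups.items()}

def dfw_decision(rules, membership, src: VM, dst: VM, proto: str, port: int) -> str:
    """First-match evaluation at the destination vNIC with an implicit final deny.
    Only group membership is consulted, never the ESXi host, so the answer is the
    same after the VM migrates."""
    for r in rules:
        src_ok = r.src_group == "any" or src.name in membership.get(r.src_group, set())
        dst_ok = r.dst_group == "any" or dst.name in membership.get(r.dst_group, set())
        if src_ok and dst_ok and r.proto in ("any", proto) and r.port in (None, port):
            return r.action
    return "deny"

# Constructed sample tenant: a three-tier application with tag-driven security groups.
GROUPS = {"SG-Web": "tier.web", "SG-App": "tier.app", "SG-DB": "tier.db"}
RULES = [
    Rule("any", "SG-Web", "tcp", 443, "allow"),      # clients reach the web tier only
    Rule("SG-Web", "SG-App", "tcp", 8443, "allow"),  # web -> app
    Rule("SG-App", "SG-DB", "tcp", 3306, "allow"),   # app -> db
    Rule("any", "any", "any", None, "deny"),         # explicit default deny
]
VMS = [
    VM("web01", "10.10.1.10", {"tier.web"}),
    VM("app01", "10.10.2.10", {"tier.app"}),
    VM("db01", "10.10.3.10", {"tier.db"}),
]
```

Note that an untagged VM belongs to no group and so matches only the final deny; a mistyped tag in a blueprint therefore fails closed rather than open.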
Slide 32
The Future Applications of SDN
- Customer access to tenant security
- VDI
- Hybrid Cloud
- Science DMZ