2025-01-28 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
In this issue, the editor brings you a brief analysis of NSX technology. The article is rich in content and approaches the subject from a professional point of view. I hope you get something out of reading it.
VMware NSX is VMware's network virtualization platform, which can filter any traffic entering or leaving the hypervisor.
VMware's approach abstracts zero-trust security away from the physical network while using a distributed network overlay based on hypervisor attributes. Administrators create rules in a centralized management system and enforce them across the distributed firewall instances. The result is a centrally managed solution in which each hypervisor can scale to two-digit Gbps.
VMware NSX goes a step further by bringing to the network the same virtualization capabilities already available for compute and storage.
NSX network virtualization is divided into NSX for the vSphere environment (NSX-V) and NSX for multi-hypervisor environments (NSX-MH), which are different software products. The latest versions are 6.2.0 and 4.2.4 respectively, which you need to know before deployment. Of the two, NSX-MH is closer to the original Nicira NVP platform: it targets mainly KVM and Xen and uses OVS to implement network virtualization.
However, whether you use NSX-V or NSX-MH, the basic logical architecture is the same, except for some components in the data plane (for example, in NSX-V the virtual switch is a vSphere distributed switch, while in NSX-MH the virtual switch is OVS). The following figure is a basic diagram of the NSX network virtualization architecture. It is built on top of the underlying physical network. The logical network is divided into a data plane, a control plane and a management plane. The data plane contains distributed services (including logical switches, logical routers and logical firewalls) and NSX gateway services. The main component of the control plane is the NSX Controller. The main component of the management plane is NSX Manager.
With these components, NSX can provide the following functional services:
Switching: extend a layer 2 switched network anywhere in the network, regardless of the underlying physical network.
Routing: routing between IP subnets can be done within the logical network, without sending traffic to physical routers or layer 3 switches. This routing is performed at the hypervisor layer, consumes little CPU, and provides the best path for the routing table within the virtual network architecture.
Firewall: with this feature, security can be enforced at the hypervisor layer and at the virtual NIC level. This allows firewall rules to be enforced in a scalable manner without creating bottlenecks on physical firewall devices. The firewall is distributed across the hypervisor layer, generates very little CPU overhead, and can run at wire speed.
Logical load balancing: supports Layer 4 to Layer 7 load balancing and can perform SSL termination.
The architecture of NSX-V is actually very simple, because its logical hierarchy is very clear: the management plane, the control plane and the data plane, with not many components in each plane.
In the NSX-V architecture, the data plane is based on VDS. VDS needs to be enabled on the hypervisor of every ESXi host, and every ESXi host has a user space and a kernel space.
We install VMware Installation Bundles (VIBs) into the kernel space of the ESXi host hypervisor to implement the various functions of NSX-V: distributed switching and routing, the distributed firewall, and VXLAN encapsulation and decapsulation.
User space, on the other hand, is a component used to provide communication paths with the control plane and the management plane.
In the VMware NSX platform, we use the VTEP agent mechanism, which is responsible for transferring VXLAN traffic from the local subnet to another subnet. The transport zone is the configurable boundary of the VNI. A vSphere cluster in the same transport zone uses the same VNI, and a transport zone can contain ESXi hosts in different vSphere clusters. Of course, a vSphere cluster can also be part of several different transport zones. The transport zone informs the host or cluster that a logical switch has been created.
In a traditional physical network, when a Web server and an App server on the same host communicate, they need a layer 3 switch to handle the traffic between them because they are in different network segments. Therefore, after leaving the host, the traffic has to go through the ToR layer 2 switch to the core switch, and then return to the layer 2 switch and re-enter the host, which requires 4 hops. Of course, if the ToR switch has layer 3 functionality turned on, the communication only needs 2 hops. In the NSX environment, because layer 3 functions are implemented directly at the hypervisor level of the host, the Web server and the App server are directly connected, and the communication between them takes 0 hops, as shown in the following figure. It is worth noting that both NSX-V and NSX-MH environments achieve the same hop count for this traffic.
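The VXLAN encapsulation and VNI boundary described above can be made concrete with the 8-byte VXLAN header defined in RFC 7348. The following is an added example, not code from the original article or from VMware: it builds and parses that header and checks the VNI against a transport zone's segment ID pool. The pool 5000-5999, the sample frame and all function names are assumptions made for the illustration.

```python
import struct

FLAG_VNI_VALID = 0x08  # "I" flag in RFC 7348: the VNI field is valid

# Assumed segment ID pool for one transport zone (constructed for this example).
TRANSPORT_ZONE_VNIS = range(5000, 6000)


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header a VTEP adds before UDP/IP encapsulation."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    # Byte 0: flags, bytes 1-3: reserved, bytes 4-6: VNI, byte 7: reserved.
    header = struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8)
    return header + inner_frame


def vxlan_decap(udp_payload: bytes) -> tuple:
    """Return (vni, inner_frame); raise ValueError on a malformed header."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", udp_payload[:8])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("I flag not set, VNI is not valid")
    return word1 >> 8, udp_payload[8:]


def check_segment(udp_payload: bytes, allowed=TRANSPORT_ZONE_VNIS) -> str:
    """Classify a received payload the way a receiving VTEP or a monitor might."""
    try:
        vni, inner = vxlan_decap(udp_payload)
    except ValueError as exc:
        return f"drop: {exc}"
    if vni not in allowed:
        return f"drop: VNI {vni} outside transport zone"
    return f"accept: VNI {vni}, {len(inner)} inner bytes"


# Constructed sample: a bare 14-byte Ethernet header (dst MAC, src MAC, EtherType).
SAMPLE_FRAME = bytes.fromhex("005056aabbcc005056ddeeff0800")

if __name__ == "__main__":
    print(check_segment(vxlan_encap(5001, SAMPLE_FRAME)))   # in the pool
    print(check_segment(vxlan_encap(7000, SAMPLE_FRAME)))   # foreign segment
    print(check_segment(b"\x00" * 8 + SAMPLE_FRAME))        # I flag missing
```

Because the VNI is the only field that separates logical segments on the shared underlay, a VNI that falls outside the configured pool is worth logging rather than silently dropping.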
In May 2016, VMware quietly made a major update to the multi-hypervisor version of NSX, introducing NSX-T to replace NSX-MH. The multi-hypervisor version of NSX network virtualization software supports KVM, ESXi and Xen hypervisor, which is another big move in the field of network virtualization after VMware acquired Nicira and its network virtualization platform in 2012. However, because NSX-T provides many new features, upgrading NSX-MH is not simply a local update. On the contrary, it may involve completely reinstalling the entire product, and users need to spend more money and energy to make technical adjustments to adapt to the existing environment.
VMware NSX-T aims to address emerging application frameworks and architectures with heterogeneous endpoints and technology stacks. In addition to vSphere, these environments may also include other hypervisors, containers, bare metal, and public clouds. NSX-T allows development teams to choose the technology that best suits their particular application. NSX-T is also designed for management, operation and consumption by IT and development teams.
Some of the key architectural priorities of NSX-T include the following:
Management plane: the NSX-T management plane is designed with advanced clustering technology to enable the platform to handle large-scale concurrent API requests.
Control plane: the NSX-T control plane tracks the real-time virtual networking and security state of the system. The NSX-T control plane is split into a central cluster control plane (CCP) and a local control plane (LCP). This greatly simplifies the work of the CCP and enables the platform to extend to heterogeneous endpoints.
Data plane: the NSX-T data plane does not depend on the vSwitch, and all create, read, update and delete (CRUD) operations are performed through NSX-T.
Note: the switch in NSX-T is different from the VDS in NSX-V. Creating, reading, updating and deleting a VDS is controlled by vCenter; in NSX-T this function moves to NSX Manager, including configuring uplink teaming policies, defining QoS, and so on. This is how the decoupling from vSphere is achieved. Distributed routing, the distributed firewall, NAT and DHCP are all integrated in NSX-T.
Multi-tenant routing model
NSX-T supports a multi-tier routing model with logical separation between the provider router function (known in NSX as a Tier0 router) and the tenant router function (known in NSX as a Tier1 router). The Tier0 logical router, the provider routing layer, can be controlled by the cloud provider and can peer with the physical infrastructure.
The Tier1 logical router, which is the tenant routing layer, can be configured per tenant through the GUI or API and is attached to Tier0 routers.
NSX-T instantiates distributed routers in the hypervisor to optimize routing across multiple tiers.
In a heterogeneous environment, NSX-T offers a consistent operation and monitoring interface, as well as an operations toolkit for managing and troubleshooting heterogeneous infrastructure and complex environments. NSX-T has port connection detection and Traceflow to help users trace connections to virtual and physical devices.
NSX's REST API is powerful and follows an open specification, so it can be used from various languages through the corresponding bindings and plug-ins, including integration with CMPs and with OpenStack.
The NSX OpenStack plug-in is available for developers who build and maintain multi-tenant cloud services.
NSX edge nodes provide extreme gateway and service performance, using innovative Intel DPDK technology.
NSX-T is independent of vCenter and can be docked with other different PaaS platforms.