Bringing Network Virtualization to VMware environments …
Bringing Network Virtualization to VMware Environments with NSX: Introduction and Use Cases
Carlos Sen Jiménez
Martí Perarnau
As Tanenbaum used to say….
And in IT…?
Compute
Network
Traditional Network Configuration Tasks
Initial configuration
L3:
• Multi-chassis LAG
• Routing configuration
• SVIs/RVIs
• VRRP/HSRP
L2:
• STP: instances/mappings, priorities, safeguards
• LACP
• VLANs: infra networks on uplinks and downlinks
Recurring configuration
L3:
• SVIs/RVIs
• VRRP/HSRP
• Advertise new subnets
• Access lists (ACLs)
L2:
• VLANs: adjust VLANs on trunks, VLAN-to-STP/MST mapping, add VLANs on uplinks, add VLANs to server ports
Configuration consistency!
Traditional Configuration of Network Services
Configuration consistency !
Example: Multi-Tier Application (Microsoft Exchange 2010)
[Diagram: user access (PDA, PC, web) over the public Internet reaches the Edge Transport servers and a proxy/SLB tier, then the CAS tier, Hub Transport and the Mailbox servers in a DAG backed by storage, with DC/GC/DNS and AD supporting every tier.]
Legend:
CAS: Client Access Server
DC: Domain Controller
GC: Global Catalog
AD: Active Directory
MBX: Mailbox Server
DAG: Database Availability Group
As if this weren't enough complexity…
What is needed?
[Diagram: virtual machine, data center, network]
Operational Model
Decoupled from hardware
Create, delete, grow, shrink
Transparent to the application
Programmatic
Extensible
Can we do this for the network? …
But what if we could also have…
• L2 connectivity over L3, allowing flexible network designs?
• Tenant isolation no longer tied to VLANs?
• VM network information (VLANs, IPs and MAC addresses) not exposed to the physical network gear?
• Less frequent changes to the network gear? No reconfiguration needed to add, move or change tenant workloads or applications?
• Network administrators focused on the SLA rather than on provisioning/configuration to satisfy the VMs' network demands?
• Network services distributed at the access layer but managed centrally? (no services core, no extra network hops, no HA cost duplication)
• The ability to keep using existing network topologies and plan the transition to new, more flexible fabrics?
• The ability for network administrators to build the network they want without compromises, while meeting application and workload requirements?
• A way to extend logical networks across physical networks?
• New tools for automation and policy enforcement?
What if we could have this for the network?
Innovation at the speed of software?
VMware named most Visionary by Gartner in Data Center Networking: positioned as the most visionary for completeness of vision
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from VMware, Inc.
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's
research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner “Magic Quadrant for Data Center Networking” by Mark Fabbi, Tim Zimmerman, Andrew Lerner, April 24, 2014.
What is Network Virtualization?
Network Virtualization != SDN
[Diagram, server virtualization vs. network virtualization: a server hypervisor runs on general-purpose server hardware (Dell, HP, IBM, Quanta, …), requires only x86, and presents virtual machines running applications in an x86 environment; a network hypervisor runs on general-purpose IP hardware (Arista, Cisco, HP, Juniper, Cumulus, …), requires only IP transport, and presents virtual networks with L2, L3 and L4-7 network services to workloads. In both cases the software is decoupled from the hardware.]
Network Virtualization with NSX
[Diagram: compute and network layers under VMware NSX]
DC services, just like a VM…
• Spin up a network
• Spin down a network
• Snapshot a network
• Replicate a network
• All this in minutes to seconds
• Programmatic provisioning
• Place any workload anywhere
• Move any workload anywhere
• Decoupled from hardware
• Operationally efficient
Sure, but I can't change my current architecture and systems!
NSX Requirements
IP connectivity between hosts
MTU of at least 1600 bytes on the transport network (VXLAN encapsulation adds 50 bytes to every frame, so a 1500-byte inner MTU needs a 1550-byte underlay; 1600 leaves headroom)
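Where the 1600-byte figure comes from, as an added example that is not part of the original slides or of any VMware code: a minimal VXLAN encapsulation in pure Python that counts the outer headers, computes the underlay MTU a full-size inner frame needs, and shows that the 24-bit VNI is what keeps one tenant's logical switch apart from another's on the same IP transport. The VNI values, host names and per-host MTU table are constructed for the example.

```python
"""
Added example, not from the original slides or from VMware: a minimal VXLAN
encapsulation/decapsulation in pure Python, used to show (1) why the NSX
transport network needs an MTU of 1600 bytes and (2) how the 24-bit VNI is
what separates one tenant's logical switch from another's. The VNI values,
host names and MTU table below are constructed for the example.
"""
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field carries a valid value
VXLAN_HEADER_LEN = 8

# Bytes the encapsulation adds in front of the tenant's (inner) Ethernet frame.
OUTER_ETHERNET = 14
OUTER_IPV4 = 20
OUTER_UDP = 8
INNER_ETHERNET = 14
DOT1Q_TAG = 4
VXLAN_OVERHEAD = OUTER_ETHERNET + OUTER_IPV4 + OUTER_UDP + VXLAN_HEADER_LEN  # 50 bytes on the wire

NSX_MIN_TRANSPORT_MTU = 1600   # the requirement stated on the slide


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    # The VNI occupies the upper 24 bits of the second 32-bit word.
    return struct.pack("!BxxxI", VXLAN_FLAG_VNI_VALID, vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI, refusing headers that do not set the I flag."""
    if len(data) < VXLAN_HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!BxxxI", data[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN header without a valid VNI")
    return word >> 8


def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Prepend the VXLAN header (outer Ethernet/IPv4/UDP are left to the host stack)."""
    return vxlan_header(vni) + inner_frame


def decapsulate(payload: bytes, expected_vni: int) -> bytes:
    """Strip the header and enforce that the frame belongs to the segment it was delivered on."""
    vni = parse_vxlan_header(payload)
    if vni != expected_vni:
        raise ValueError(f"frame for VNI {vni} delivered to segment {expected_vni}")
    return payload[VXLAN_HEADER_LEN:]


def required_transport_mtu(inner_mtu: int = 1500, inner_tagged: bool = False) -> int:
    """Smallest underlay interface MTU that carries an inner frame of inner_mtu unfragmented.

    An interface MTU counts the IP packet, not its own Ethernet header, so the outer
    Ethernet header is excluded while the inner one (plus an optional 802.1Q tag) counts.
    """
    tag = DOT1Q_TAG if inner_tagged else 0
    return OUTER_IPV4 + OUTER_UDP + VXLAN_HEADER_LEN + INNER_ETHERNET + tag + inner_mtu


def hosts_below_minimum(vtep_mtus: dict, minimum: int = NSX_MIN_TRANSPORT_MTU) -> list:
    """Return the hosts whose VTEP uplink MTU would drop full-size VXLAN packets."""
    return sorted(host for host, mtu in vtep_mtus.items() if mtu < minimum)


if __name__ == "__main__":
    # Constructed sample: a broadcast frame on tenant 1's web logical switch (VNI 5021).
    frame = b"\xff" * 6 + b"\x00\x50\x56\x00\x00\x01" + b"\x08\x06" + b"ARP who-has..."
    packet = encapsulate(frame, 5021)
    assert decapsulate(packet, 5021) == frame
    print("wire overhead per frame:", VXLAN_OVERHEAD, "bytes")
    print("underlay MTU needed for a 1500-byte inner MTU:", required_transport_mtu())
    # Constructed VTEP uplink MTUs, as you would read them from `esxcli network ip interface list`.
    print("hosts to fix:", hosts_below_minimum({"esx01": 1600, "esx02": 1500, "esx03": 9000}))
```

The check in `decapsulate` is the isolation property in miniature: a VTEP only hands a frame to the logical switch whose VNI is in the header, so two tenants can reuse the same MACs and IPs on different VNIs without ever seeing each other's traffic. The MTU function is the practical check: run it against the MTU of every host's VTEP interface before enabling VXLAN, because an undersized underlay fails only for large frames and looks like random application trouble rather than a configuration error.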
Sure, but surely the performance…
[Slide: performance and scale figures claimed for the hypervisor on x86 hosts, hardware vs. software]
• Distributed switching: 40 Gbps per host, physical or virtual, 30K logical switches
• Distributed routing: 40 Gbps per host, no tromboning, 1,000 logical routers per domain
• Distributed firewall: 30 Gbps per host, kernel integrated, 25,000 CPS, 2.5 million sessions
• Edge services (FW, LB, VPN): scale-out, 150 Gbps throughput, 1M CPS, 10M concurrent
The New Role of Software Networking
[Chart: aggregate forwarding capacity grows linearly with the number of hosts: 1 host 30 Gbps, 10 hosts 300 Gbps, 100 hosts 3 Tbps, 1,000 hosts 30 Tbps.]
The Power of a Distributed System: distributed switching, distributed routing, distributed firewall and edge services (LB, VPN) in VMware NSX software, virtual networks running over the existing network infrastructure, 30 terabits per second.
The Power of Distribution
How does it work?
NSX operation
[Diagram: a cloud management platform drives the NSX Controller Cluster through the northbound REST API (control plane); the controllers program the data plane in the hypervisors, where VM1, VM2 and VM3 on virtual networks (addresses 10.1.1.10, 10.2.2.10, 11.1.1.10 and 192.168.1.0/24 in the figure) communicate over an IP transport network; a gateway service appliance/VM connects the virtual networks to the existing DC network(s), shown as VLAN 9 (VM4, VM5) and Corpnet (20.1.1.2, 10.97.110.10).]
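What "spin up a network" through the northbound REST API looks like from the automation side, as an added example that is not part of the original slides and is not VMware's own code: a small standard-library client that lists transport zones and creates a logical switch on one of them. The endpoint paths and XML element names follow the NSX for vSphere 6.x API as the author of this example remembers them (GET /api/2.0/vdn/scopes, POST /api/2.0/vdn/scopes/{scopeId}/virtualwires with a virtualWireCreateSpec body); verify them against the API guide for your NSX version. The host name, credentials, CA file and the sample transport-zone listing are placeholders constructed for the example.

```python
"""
Added example, not from the original slides and not VMware's code: provisioning a
logical switch through the NSX Manager northbound REST API with the Python standard
library only. Endpoint paths and XML element names follow the NSX for vSphere 6.x API
as remembered by the author of this example; check them against your version's API
guide. Host name, credentials, CA file and the sample listing are placeholders.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET


def build_logical_switch_spec(name: str, tenant_id: str,
                              control_plane_mode: str = "UNICAST_MODE",
                              description: str = "") -> str:
    """Serialize the virtualWireCreateSpec body. ElementTree escapes the values,
    so a switch name containing '<' or '&' cannot break out of the XML."""
    root = ET.Element("virtualWireCreateSpec")
    ET.SubElement(root, "name").text = name
    ET.SubElement(root, "description").text = description
    ET.SubElement(root, "tenantId").text = tenant_id
    ET.SubElement(root, "controlPlaneMode").text = control_plane_mode
    return ET.tostring(root, encoding="unicode")


def parse_transport_zones(xml_text: str) -> dict:
    """Map transport-zone name -> objectId from the vdnScopes listing."""
    root = ET.fromstring(xml_text)
    return {z.findtext("name"): z.findtext("objectId") for z in root.iter("vdnScope")}


class NsxManager:
    """Thin client: HTTP Basic auth over TLS with certificate verification kept on."""

    def __init__(self, host: str, user: str, password: str, ca_file: str):
        self.base = f"https://{host}"
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/xml"}
        # Pin the CA that issued the manager's certificate instead of switching
        # verification off: an account that can create networks is a high-value target.
        self.ctx = ssl.create_default_context(cafile=ca_file)

    def _request(self, method: str, path: str, body: str = None) -> str:
        req = urllib.request.Request(self.base + path, method=method, headers=self.headers,
                                     data=body.encode() if body is not None else None)
        with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
            return resp.read().decode()

    def transport_zones(self) -> dict:
        return parse_transport_zones(self._request("GET", "/api/2.0/vdn/scopes"))

    def create_logical_switch(self, scope_id: str, name: str, tenant_id: str) -> str:
        """Returns the new logical switch id (virtualwire-N) that the manager sends back."""
        body = build_logical_switch_spec(name, tenant_id)
        return self._request("POST", f"/api/2.0/vdn/scopes/{scope_id}/virtualwires", body).strip()


# Constructed sample of a vdnScopes listing so the parser can be exercised offline.
SAMPLE_SCOPES_XML = """<vdnScopes>
  <vdnScope><objectId>vdnscope-1</objectId><name>TZ-Global</name></vdnScope>
</vdnScopes>"""


if __name__ == "__main__":
    print(parse_transport_zones(SAMPLE_SCOPES_XML))
    print(build_logical_switch_spec("Tenant1-Web-LS", "tenant-01"))
    # Against a real manager (placeholder host, account and CA file):
    # nsx = NsxManager("nsxmgr.example.internal", "api-automation", "***", "/etc/ssl/nsx-ca.pem")
    # scope = nsx.transport_zones()["TZ-Global"]
    # print(nsx.create_logical_switch(scope, "Tenant1-Web-LS", "tenant-01"))
```

Two things a practitioner should carry over from this: the API account used by the cloud management platform should be a dedicated one with only the rights it needs, because whoever holds it can create, delete or re-plumb tenant networks; and TLS verification against the manager must stay on, since disabling it (a common shortcut with self-signed manager certificates) lets anyone on the path capture those credentials.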
Use Cases
Cloud / Automation
[Diagram, multi-tenant cloud: tenants 1..9 on DLR instance 1 using VXLAN 5021 to 5029, tenants 10..18 on DLR instance 10 using VXLAN 5031 to 5039; each tenant has Web, App and DB logical switches and reaches the external network through its DLR instance.]
Scalability: traditional L2/L3 fabrics and physical resource utilization in the fabric
[Chart, before NV vs. with NV: MAC addresses, ARP entries, VLAN usage and STP load in the physical L2/L3 fabric plotted against the number of VMs and tenants; with NV the physical fabric no longer carries per-VM and per-tenant state.]
Flexible Network Designs
Data Center Network Designs
Multi-Tier (L3 connectivity at the core, L3/L2 aggregation, L2 access):
• Scalable 3-tier design
• STP, VLAN spread
• Expensive, not ideal for greenfield deployments
L2 Fabric, VLAN based (L3 connectivity at the top, L2/L3 and L2 below):
• Larger L2 domains, reliance on STP
• Comparatively limited in scalability, 2-tier design
• Generally the industry is moving away from L2 fabrics
Leaf/Spine, L3 (leaf = tier 1, spine = tier 2):
• Virtualization and Big Data applications are major contributors to East-West traffic growth, up to 75%
• Leaf-spine design allows for uniform access and consistent latency, and N-way ECMP for link utilization and HA
Zero Trust Security: Micro-Segmentation and Advanced Security Services
Distributed Firewall and Service Composer
[Diagram: a security policy enforced at each VM's virtual NIC, between the VMs and the Internet]
Central policies, distributed enforcement, policies follow the VMs
- Reduce choke-point security
- Centrally define policies, distribute rule enforcement
- Security policies move with VMs
- Changes to central policies are automatically distributed to the affected VMs
The Power of Distribution
Service Insertion, example: Palo Alto Networks Next-Generation Firewall
[Diagram: the security admin defines a security policy; traffic steering redirects the selected VMs' traffic to the partner firewall before it reaches the Internet]
Advanced Services: Automating Security Policy Across Different Services
[Diagram: security groups "Quarantine" and "Web Servers", each with its VSM firewall rules and attached services (vulnerability management, antivirus), orchestrated by NSX Manager]
1. Web server VM running IIS is deployed, unknowingly having a vulnerability
2. Vulnerability scan is initiated on the web server
3. VM is tagged in NSX Manager with the CVE and CVSS score
4. NSX Manager associates the VM with Quarantine (VSM F/W deny)
5. [Externally] Admin applies patches, vulnerability management re-scans the VMs and clears the tag
6. NSX Manager removes the VM from Quarantine; the VM returns to its normal duties
Membership: Quarantine includes VMs with a CVSS score >= 9; Web Servers includes VMs provisioned as "WebServer"
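The six-step quarantine workflow above, and the "policies follow the VM" point from the micro-segmentation slide, as an added example that is not part of the original slides and is not NSX code: a small model in which a scanner tags a VM with a CVE and CVSS score, a security group's dynamic membership picks the VM up, the firewall rule bound to that group denies its traffic, and clearing the tag restores the normal policy. Because rules refer to groups rather than addresses, moving the VM changes nothing. VM names, the tag keys (placeholder CVE-EXAMPLE ids, not real CVEs) and the rules are constructed; in NSX the equivalent objects are security tags, security groups and Service Composer policies managed through NSX Manager.

```python
"""
Added example, not from the original slides or from NSX: a model of the tag-driven
quarantine workflow (scan -> tag with CVE/CVSS -> dynamic security group membership ->
distributed firewall deny -> patch and clear tag -> normal policy restored). VM names,
tag keys and rules are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class VM:
    name: str
    ip: str
    tags: Dict[str, object] = field(default_factory=dict)  # e.g. {"role": "WebServer", "CVE-...": 9.8}


@dataclass
class SecurityGroup:
    name: str
    criterion: Callable[[VM], bool]  # dynamic membership, re-evaluated whenever tags change

    def members(self, inventory: List[VM]) -> set:
        return {vm.name for vm in inventory if self.criterion(vm)}


@dataclass
class FirewallRule:
    name: str
    applied_to_group: str
    action: str  # "allow" or "deny"


def max_cvss(vm: VM) -> float:
    """Highest CVSS score among the vulnerability tags a scanner has put on the VM."""
    scores = [score for key, score in vm.tags.items() if key.startswith("CVE-")]
    return max(scores, default=0.0)


# Membership criteria from the slide: CVSS >= 9 goes to Quarantine; provisioned as WebServer.
GROUPS = [
    SecurityGroup("Quarantine", lambda vm: max_cvss(vm) >= 9.0),
    SecurityGroup("Web Servers", lambda vm: vm.tags.get("role") == "WebServer"),
]

# Distributed firewall rules, evaluated top-down, first match wins. The quarantine deny
# must sit above any allow, otherwise a quarantined web server keeps serving.
RULES = [
    FirewallRule("quarantine-deny", "Quarantine", "deny"),
    FirewallRule("web-allow", "Web Servers", "allow"),
]


def effective_action(vm: VM, inventory: List[VM],
                     groups: List[SecurityGroup] = GROUPS,
                     rules: List[FirewallRule] = RULES) -> str:
    """Action the per-VM firewall applies right now, derived from group membership."""
    membership = {g.name: g.members(inventory) for g in groups}
    for rule in rules:
        if vm.name in membership[rule.applied_to_group]:
            return rule.action
    return "deny"  # default deny: a VM that no rule covers gets no connectivity


def record_finding(vm: VM, cve_id: str, cvss: float) -> None:
    """Step 3: the scanner integration tags the VM with the finding."""
    vm.tags[cve_id] = cvss


def clear_finding(vm: VM, cve_id: str) -> None:
    """Step 5: a clean re-scan removes the tag."""
    vm.tags.pop(cve_id, None)


def run_workflow() -> List[str]:
    """Steps 1-6 of the slide; returns the firewall action after each step."""
    web = VM("web01", "10.1.1.10", {"role": "WebServer"})          # constructed
    inventory = [web, VM("db01", "10.2.2.10", {"role": "DB"})]      # constructed
    actions = [effective_action(web, inventory)]                    # deployed, allowed
    record_finding(web, "CVE-EXAMPLE-0001", 9.8)                    # placeholder id, critical score
    actions.append(effective_action(web, inventory))                # quarantined
    web.ip = "10.1.1.99"                                            # vMotion/re-IP: policy unchanged
    actions.append(effective_action(web, inventory))                # still quarantined
    clear_finding(web, "CVE-EXAMPLE-0001")                          # patched and re-scanned clean
    actions.append(effective_action(web, inventory))                # back to normal duties
    record_finding(web, "CVE-EXAMPLE-0002", 8.9)                    # below the 9.0 threshold
    actions.append(effective_action(web, inventory))                # stays allowed
    return actions


if __name__ == "__main__":
    print(run_workflow())  # ['allow', 'deny', 'deny', 'allow', 'allow']
```

The rule order is the part worth checking in a real deployment: Service Composer policies have a weight, and the quarantine policy needs a higher weight than the web-tier allow policy, or the tag will update membership correctly while the VM keeps answering on port 80. The default-deny fallback matters for the same reason; a VM that is in no group should not silently inherit connectivity.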
Multi-Site Connectivity (DCI) and DR: Layer 2 Extension
Several Layer 2 Extension Use Cases
Enterprise Use Cases
• Workload mobility across sites, while retaining IP addresses
• Datacenter Consolidation or Migration
• Extend networks across physical sites to allow for capacity expansion
• Support Live Migration of workloads
• Disaster Avoidance and/or Disaster Recovery
VMware NSX Multi-Site: Single vCenter, Stretched Cluster
[Diagram: VMware vSphere ESXi hosts at Site A and Site B under a single VMware vCenter Server, active/active storage through vSphere Metro Storage Cluster (Datastore 1 visible at both sites), an L3 network between the sites; VM1, VM2 and VM3 on Logical Switch A (172.16.10.0/24) and VM4, VM5 on Logical Switch B (172.16.20.0/24), both attached to a Distributed Logical Router; an NSX Edge gateway per site, on Uplink Net A at Site A and Uplink Net B at Site B.]
VMware NSX Multi-Site: Single vCenter, Separate Clusters
[Diagram: same layout as above, but each site has its own datastore (Datastore 1 at Site A, Datastore 2 at Site B); Logical Switch A (172.16.10.0/24), Logical Switch B (172.16.20.0/24), a Distributed Logical Router and an NSX Edge gateway per site on Uplink Net A and Uplink Net B.]
Storage vMotion required for VM mobility
VMware NSX Multi-Site: L2 VPN
[Diagram: Site A (or on-prem) with its own vCenter Server, Datastore 1, and VM1, VM2 on Network A (172.16.10.0/24); Site B (or off-prem) with its own vCenter Server, Datastore 2, and VM3, VM4 on Network B (172.16.10.0/24); an NSX Edge gateway at each site on its uplink network, carrying the same subnet across the L3 network inside an SSL L2 VPN.]
SRM with NSX for vSphere
[Diagram: protected and recovery sites, each with vCenter + SRM and a Distributed Logical Router running dynamic routing (OSPF, BGP) toward the physical network, VXLAN on the logical side and VLAN on the physical side; the 192.168.0.0/24 segment (gateway 192.168.0.1, DLR transit 192.168.10.1/192.168.10.2) exists at both sites, holding the primary VMs at one and the placeholder VMs at the other, with edge uplinks 2.2.2.2 (2.2.2.0/28) and 3.3.3.3 (3.3.3.0/28).]
No network readdressing (dynamic routing)
Summary
[Slide: hypervisor on x86 hosts; hardware vs. software; CAPEX and OPEX; forwarding capacity; agility & speed]
The New Role of Software Networking
[Chart, repeated from above: 1 host 30 Gbps, 10 hosts 300 Gbps, 100 hosts 3 Tbps, 1,000 hosts 30 terabits per second; the power of a distributed system]
Existing network infrastructure, simplified: no VLAN, no ACL, no firewall rules
• New functionality
• New economics
• Existing infrastructure
VMware NSX software: distributed switching, distributed routing, distributed firewall, edge services
VMware NSX Ecosystem – Technology Partners