Llevando la Virtualización de Redes a entornos …€¦ · CAS Client Access Server DC Domain...

Llevando la Virtualización de Redes a entornos VMware con NSX Introducción y Casos de Uso

[email protected]

Carlos Sen Jiménez

[email protected]

Martí Perarnau

Según decía TanenBaum….

¿Y en TI …. ?

Compute

Network

Tareas Tradicionales en la Configuración de Red

L3

L2

Configuración Inicial

• Multi-chassis LAG

• Routing configuration

• SVIs/RVIs

• VRRP/HSRP

• STP • Instances/mappings

• Priorities

• Safeguards

• LACP

• VLANs • Infra networks on

uplinks and downlinks

• STP

Configuración Recurrente

• SVIs/RVIs

• VRRP/HSRP

• Advertise new subnets

• Access lists (ACLs)

• VLANs

• Adjust VLANs on trunks

• VLANs STP/MST

mapping

• VLANs STP/MST mapping

• Add VLANs on uplinks

• Add VLANs to server ports

Configuration consistency !

Configuración Tradicional de los Servicios de Red

Configuration consistency !

Ejemplo Aplicación MultiCapa

Web Server Edge Transport Proxy/SLB

CAS

DC/GC/DNS

AD

HUB Transport

MBX

DAG DAG

Storage

Storage

Public Internet

User Access PDA, PC, Web

Microsoft Exchange 2010

CAS Client Access Server

DC Domain Controller

GC Global Catalog

AD Active Directory

MBX Mailbox Server

DAG Database Availability Group

Por si esto no fuese suficiente complejidad…

¿Qué se necesita?

Virtual Machine Data Center

Network

Modelo Operacional

Desacoplar del hardware

Crear, Borrar, Crecer, Reducir

Transparente a la aplicación

Programática

Extensible

¿Podemos hacer este para la red? …

Pero, ¿y si además pudiésemos tener… • Conectividad L2 sobre L3 y permitir así diseños flexibles de red?

• Aislamiento de Tenants nunca más ligado a VLANs?

• Información de Red de VMs (VLANs, IPs yMAC addresses) no expuesta a la electrónica de red?

• Cambios menos frecuentes en la electrónica de red? ¿No necesitar reconfiguración para añadir, mover o cambiar cargas o aplicaciones de los tenants?

• A los administradores de red focalizados en el SLA y no en provisiones/configuraciones para satisfacer las demandas de red de las VMs?

• Servicos de Red Distribuidos en el acceso pero con Gestión Centralizada? (no services core, no extra network hops, no HA cost duplication)

• La posibilidad de utilizar las topologías de red existentes, y planificar la transición a nuevos fabrics más flexibles?

• La posibilidad de que los administradores de red construyesen la red que quieren sin compromisos, manteniendo los requisitos de las aplicaciones y las cargas?

• Una forma de extender las Redes Lógicas entre Redes Físicas?

• Nuevas herramientas para la automarización y aplicación de políiticas?

¿Y si pudiésemos tener para la red?

¿Innovación a la Velocidad del Software?

VMware nombrado como el más Visionario por Gartner en DataCenter Networking Posicionado como el más visionario por la visión más completa

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from VMware, Inc.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner's

research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

Gartner “Magic Quadrant for Data Center Networking” by Mark Fabbi, Tim Zimmerman, Andrew Lerner, April 24, 2014.

¿Qué es la Virtualización de la Red?

12

La Virtualización de la Red != SDN

General Purpose Server Hardware

(Dell, HP, IBM, Quanta,…)

Server Hypervisor

Requirement: x86

Virtual

Machine

Virtual

Machine

Virtual

Machine

Application Application Application

x86 Environment

Decoupled

Hardware

Software

Network Hypervisor

Requirement: IP Transport

Virtual

Network

Virtual

Network

Virtual

Network

Workload Workload Workload

L2, L3, L4-7 Network Services

General Purpose IP Hardware

(Arista, Cisco, HP, Juniper, Cumulus,…)

Network Virtualization con NSX

Compute

Network

VMware NSX

DC Services Just like a VM…..

•Spin up a network

•Spin down a network

•Snapshot a network

•Replicate a network

•All this in minutes to seconds..

• Programmatic provisioning

• Place any workload anywhere

• Move any workload anywhere

• Decoupled from hardware

• Operationally efficient

Ya, pero, no puedo cambiar mi arquitectura y sistemas actuales!

15

Requisitos NSX

Conectividad IP entre Hosts

MTU 1600 Bytes

Ya, pero, seguro que el rendimiento…

17

Hypervisor

X86 Hosts

40 Gbps

Per host

Physical or

Virtual

30K

Logical Switches

Hardware

Software

Hardware

Software

40 Gbps

Per host

No

Tromboning

1,000

Logical Routers

Per domain

30 Gbps

Per host

Kernel Integrated

25,000 CPS

2.5 million

Sessions

Scale-Out

150 Gbps

throughput

1M CPS

10M Concurrent

FW, LB, VPN

El Nuevo Rol del Networking por Software

1

10

100

1,000

Ho

sts

30 Gbps

300 Gbps

3 Tbps

30 Tbps

The Power of a Distributed System

Distributed

Switching

Distributed

Routing

Distributed

Firewall

Edge

Services

VMware NSX Software

Virtual Networks

Existing Network Infrastructure

Switching Routing Firewall

LB, VPN

Edge

Services

30 Terabits

per second

El Poder de la Distribución

¿Cómo funciona?

IP

Transport Network

NSX

Controller Cluster

Northbound REST API

11.1.1.10

Gateway Service

Appliance/VM

Virtual

Network VM1

VM2

VM1

VM2

NSX – Funcionamiento

10.2.2.10

Data Plane

Control Plane

VM1 VM1

VM2

Cloud Management

Platform

1 2

10.1.1.10

VM3

192.168.1.0/24

Corpnet

20.1.1.2

VM3

Corpnet

20.1.1.2

10.97.110.10

VM2

VLAN 9

VM4 VM5

VLAN 9

VM4 VM5

1 2

Existing

DC

Network(s)

Casos de Uso

Cloud / Automatización

Automatización / Cloud

Cloud Multi Tenant

VXLAN 5021 to

VXLAN 5029 VXLAN 5031 to

VXLAN 5039

External Network

DLR Instance 10 DLR Instance 1

Web Logical

Switch App Logical Switch DB Logical Switch Web Logical

Switch App Logical Switch DB Logical Switch

Tenant 1.. Tenant 9 Tenant 10.. Tenant 18

Before NV With NV

MAC addresses

ARP entries

VLAN usage

STP load

# of VMs # of Tenants

VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM VM

L3

L2

Escalabilidad: Fabrics L2/L3 Tradicionales- Utilización de Recursos Físicos en el Fabric

Escalabilidad: Fabrics L2/L3 Tradicionales- Utilización de Recursos Físicos en el Fabric

Before NV With NV

MAC addresses

ARP entries

VLAN usage

STP load

# of VMs # of Tenants




L3

L2

Diseños de Red Flexibles

Diseños de Red de DataCenter

L3 Connectivity

L3/L2

L2

• Scalable 3-Tier design

• STP, VLAN spread

• Expensive, not ideal for Greenfields deployments

Multi-Tier

L3 Connectivity

L2/L3

L2

• Larger L2 domains, reliance on STP

• Comparatively limited in scalability – 2-tier design

• Generally industry is moving away from L2 fabrics

L2 Fabric - VLAN based

Leaf – Tier 1

Spine – Tier 2 • Virtualization and Big Data applications are major

contributors to East-West traffic growth – up to 75%

• L3

• Leaf-Spine design allows for:

Uniform access and consistent latency

N way ECMP – Link utilization and HA

Leaf/Spine

L3

Zero Trust Security – Micro Segmentación Servicios Avanzados de Seguridad

Firewall Distribuido y Service Composer

Internet

Políticas Centrales, Aplicación Distribuida, Acompañan a las VMs

Security Policy Security Policy

- Reduce Choke Point Security

- Centrally Define Policies, Distribute Rule Enforcement

- Security Policies Move with VMs

- Changes to central policies automatically

distributed to affected VMs

El Poder de la Distribución

Service Insertion – Ejemplo: Palo Alto Networks Next Gen Firewall

Internet

Security Policy

Security Admin

Traffic Steering

Servicios Avanzados: Automatización de Políticas de Seguridad entre Diferentes Servicios

SG: Quarantine SG: Web Servers

1.Web Server VM running IIS is deployed, unknowingly having a vulnerability

2.Vulnerability Scan is initiated on web server

3.VM is tagged in NSX Manager with the CVE and CVSS Score

4.NSX Manager associates the VM with the Quarantine (VSM F/W Deny)

5.[Externally] Admin applies patches, Vul Mgmt re-scans VMs, clears tag

6.NSX Manager removes the VM from Quarantine ; VM returns to it’s normal

duties

VSM F/W VSM F/W

Services Services

Membership: Include VMs which have CVSS score >= 9 Membership: Include VMs which have been provisioned as “WebServer”

NSX Manager

Vul Mgmt

AntiVirus

Vul Mgmt

AntiVirus

Conectividad MultiSite (DCI) y DR Extensión de Nivel 2

Varios Casos de Uso Extensión Nivel 2

CONFIDENTIAL 37

Enterprise Use Cases

• Workload mobility across sites, while retaining IP addresses

• Datacenter Consolidation or Migration

• Extend networks across physical sites to allow for capacity expansion

• Support Live Migration of workloads

• Disaster Avoidance and/or Disaster Recovery

VMware

vSphere

VMware

vCenter

Server

VMware

vSphere

Site A

Site B

ESXi Hosts ESXi Hosts

VMware NSX Multi-Site Single VC, Cluster Estirado

Active / Active

Storage

vSphere Metro Storage

Cluster Datastore 1 Datastore 1

vCenter Server

L3 Network

Site A Site B

V

M

1

V

M

2

V

M

3 Logical Switch

A

172.16.10.0/24 V

M

4

V

M

5 Logical Switch

B

172.16.20.0/24

Distributed Logical

Router

Site A

NSX

Edge GW Uplink Net A

Site B

NSX

Edge GW Uplink Net B

VMware NSX Multi-Site Single VC, Clusters Separados

Datastore 1 Datastore 2

vCenter Server

L3 Network

Site A Site B

V

M

1

V

M

2

V

M

3 Logical Switch

A

172.16.10.0/24 V

M

4

V

M

5 Logical Switch

B

172.16.20.0/24

Distributed Logical

Router

Site A

NSX

Edge GW Uplink Net A

Site B

NSX

Edge GW Uplink Net B

Storage vMotion Required for VM Mobility

VMware NSX Multi-Site L2 VPN

Datastore 1 Datastore 2

vCenter Server

Site A or On Prem

Site B or Off Prem

V

M

1

V

M

2

Network A

172.16.10.0/24

Site A

NSX

Edge

GW

Site A

Uplink Network

vCenter Server

V

M

3

V

M

4

Network B

172.16.10.0/24

Site B

NSX

Edge

GW

Site B

Uplink Network

SSL SSL L3 Network

SRM con NSX for vSphere

192.168.0.0/24

192.168.0.1

2.2.2.2

2.2.2.0/28

192.168.0.0/24

3.3.3.0/28

No Network Readdressing (Dynamic Routing)

VXLAN VXLAN

VLAN VLAN

vCenter + SRM vCenter + SRM

Distributed Logical

Router

Dynamic Routing

(OSPF, BGP)

Primary

VMs Placeholder

VMs

192.168.10.2

192.168.10.1

192.168.0.1

3.3.3.3

Distributed Logical

Router

Dynamic Routing

(OSPF, BGP)

192.168.10.2

192.168.10.1

Resumen

Hypervisor

X86 Hosts Hardware

Software

CAPEX

OPEX

Hardware

Software

Forwarding

Capacity

Agility

& Speed

El Nuevo Rol del Networking por Software

1

10

100

1,000

Ho

sts

30 Gbps

300 Gbps

3 Tbps

30 Terabits per second

The Power of a Distributed System

Existing Network Infrastructure

Simplified No VLAN, No ACL, No Firewall Rules

• New Functionality

• New Economics

• Existing Infrastructure

Distributed

Switching

Distributed

Routing

Distributed

Firewall

Edge

Services

VMware NSX Software

VMware NSX Ecosystem – Technology Partners

Llevando la Virtualización de Redes a entornos …€¦ · CAS Client Access Server DC Domain...

Documents

Transcript of Llevando la Virtualización de Redes a entornos …€¦ · CAS Client Access Server DC Domain...