1. Data Center Network Redesign using SDN
June 4, 2015
Brian Pietrewicz
David Jones
Chad VanPelt

2. Data Center Network Redesign using SDN
Introduction
What is a Software Defined Network
The Benefits of SDN using NSX
How NSX Provides the SDN Service
Future SDN/NSX/Lobocloud Directions

3. Introduction Project History Lobocloud:
IT delivered datacenter, servers, storage, networks, OS, database and security services
Self Service portal
Deploy Windows and Linux virtual machines customized to meet capacity requirements
Ready and available in 20 minutes (excluding FW)
Adding Multi-tenancy and enhanced security through SDN

4. What is a Software Defined Network
In the virtual environment, physical network devices can be virtualized.
This adds tremendous flexibility to network infrastructure
Virtualized network services
Routers
Switches
Firewalls
Network Segments
VXLAN Network Interface (VNI)

5. What is NSX Vmware’s Software Defined Network Platform
Developed from two product:
Nicira Network Virtualization Platform
VMware vCloud Networking and Security
Abstracts Hardware functionality into software
It is to networking what VSphere ESXi is to computing.

6. NSX in Software Defined Network

7. Benefits of SDN and NSX Improved Network Performance and Functionality
Improved Security
Multi-Tenancy
Automation/Ease of Network Deployments

8. Improved Network Performance and Functionality
Reduces the hierarchical model of networking
Provides secure intra and inter ESXi traffic
Increases the the number of possible network segments.
Provides the ability to utilize multiple physical datacenters/cloud services without requiring complex network changes

9. Improved Network Security
Increased protection without increasing management.
Centrally Managed Security Services
Multiple Firewall/Security solutions to meet customers need

10. Traditional vs. NSX Firewalls

11. Traditional model of security
Wall around datacenter only
Host based firewalling required to isolate servers
Host based firewalling
Hard to manage
Inconsistent
Traffic hair-pinning to physical firewall

13. NSX Model
Perform firewall functionality on the connection between the VM and the Virtual Switch
Firewall rules centally managed by Vcenter and NSX Manager
Firewall rules migrate with the VM
Creates consistent rulesets using Security Policy's and Groups
Centrally Managed
Reduces Network Hair-pinning

15. Multi-Tenancy Security barriers between VMs on same VXLAN/VLAN
Security between functional services, departments, or data/service sensitivity.
Web, App, DB
NMEL, HR, College of Fine Arts
Public data, research data, sensitive (PCI,HIPAA,etc) data
VXLANs protected through Edge Service devices and the NSX Distributed Firewalls.

17. Automated Deployment of Network Appliance and Services
Provides multi-tenancy to Lobocloud customers
Allow dynamic configuration and deployment of NSX Logical Service
Allows on-demand application delivery with NSX managed network and security services.
Deployments are templateable and automatable
On-Demand vs Pre-created

19. How NSX Works

21. VXLAN Network tunneling protocol Provides L2 tunnels over L3 networks
Increases number of LAN segments available for traffic.
Standard VLANs = 4094
VXLAN Network Identifiers = 16 Million
Virtual Tunnel End Points (VTEPS)
Terminate VXLAN Tunnels
ESXi Hosts and Edge Services Gateways

23. VXLAN VXLAN modules operate in ESXi Hypervisor.
Manage by NSX Controllers
ARP, VTEP, MAC tables.
VTEPs encapsulate/decapsulate network packets.
Wrap UDP Packet Header around L2 packet
VXLAN Packet header includes VNI.
Encapsulated packets are forwarded between VTEPS over physical network like any other IP traffic.
----- Meeting Notes (6/2/15 10:08) -----
change VXLAN iD

24. Distributed Logical Router
Module on each ESXi Hosts
Routes VNI-VNI, VLAN – VLAN and VNI – VLAN network traffic
Supports OSPF and BGP Protocols
Keeps East-West traffic East-West
----- Meeting Notes (6/2/15 10:08) -----
Routier

25. Distributed Firewall DFW Modules run on Host
DFW Modules are controlled by NSX Manager.
Configure Rules on Vcenter
NSX Manager pushes rules to DFW Modules
Firewall process is at the vNic.

26. Distributed Firewall Firewall policy can be wrapped around Cluster
Datacenter distributed port group
IP Sets
Legacy Port Group
Logical Switch
Resource Pool
Security Group
vApp
Virtual Machine
vNic

27. Edge Service Gateways (ESG)
Use to provide North/South Traffic
Used to provide other network services
Network Address Translation
SSL VPN
Load Balancing
ESGs are VMs and not modules in ESXi
Third Party Vendors provide Advanced ESG services.
----- Meeting Notes (6/2/15 10:08) -----
Change network simple to ESG is VM and not part of the modules

28. Multi-Tenancy Micro-segmentation DFW Edge Services
Using Logical Routers and Switches
DFW
Profiles based on Name, Security Groups, Logical Switches
Edge Services
SSL VPN
Network Address Translation
Firewall

29. VCO/VCAC integration
Automated Network Connectivity through Network Profiles
Automated System/Application Isolation
Deployment Models
Precreated – defined/created by IT NSX Admins
On-Demand – defined/configured by Lobocloud Customer
Lobocloud Customer Profiles
Regular
Super

30. VCAC Network Profiles
Define IP addresses and subnets used in deployments
Use IP pools for static IP assignments
Use standard switches, distributed switches, or logical switches
Profile types
External
Routed
Network address translation (NAT)
Private

31. VCAC Security Automation
Automated or Predefined Security Group creation using predefined security policies
Security tags automatically assign newly created VMs to security groups.
Security tags defined in blueprints.

32. The Future Applications of SDN
Customer access to tenant security
VDI
Hybrid Cloud
Science DMZ

33. Questions/Answers