Presentation transcript: Data Center Network Redesign using SDN
1 Data Center Network Redesign using SDN
June 4, 2015
Brian Pietrewicz, David Jones, Chad VanPelt

2 Data Center Network Redesign using SDN
- Introduction
- What is a Software Defined Network
- The Benefits of SDN using NSX
- How NSX Provides the SDN Service
- Future SDN/NSX/Lobocloud Directions
3 Introduction: Project History
- Lobocloud: IT-delivered datacenter, servers, storage, networks, OS, database and security services
- Self-service portal
- Deploy Windows and Linux virtual machines customized to meet capacity requirements
- Ready and available in 20 minutes (excluding FW)
- Adding multi-tenancy and enhanced security through SDN
4 What is a Software Defined Network
- In the virtual environment, physical network devices can be virtualized.
- This adds tremendous flexibility to network infrastructure
- Virtualized network services:
  - Routers
  - Switches
  - Firewalls
  - Network segments: VXLAN Network Identifier (VNI)

5 What is NSX
- VMware's Software Defined Network platform
- Developed from two products:
  - Nicira Network Virtualization Platform
  - VMware vCloud Networking and Security
- Abstracts hardware functionality into software
- It is to networking what vSphere ESXi is to computing.
7 Benefits of SDN and NSX
- Improved network performance and functionality
- Improved security
- Multi-tenancy
- Automation/ease of network deployments

8 Improved Network Performance and Functionality
- Reduces the hierarchical model of networking
- Provides secure intra- and inter-ESXi traffic
- Increases the number of possible network segments.
- Provides the ability to utilize multiple physical datacenters/cloud services without requiring complex network changes

9 Improved Network Security
- Increased protection without increasing management.
- Centrally managed security services
- Multiple firewall/security solutions to meet customers' needs
13 NSX Model
- Performs firewall functionality on the connection between the VM and the virtual switch
- Firewall rules centrally managed by vCenter and NSX Manager
- Firewall rules migrate with the VM
- Creates consistent rulesets using Security Policies and Groups
- Centrally managed
- Reduces network hair-pinning

15 Multi-Tenancy
- Security barriers between VMs on the same VXLAN/VLAN
- Security between functional services, departments, or data/service sensitivity:
  - Web, App, DB
  - NMEL, HR, College of Fine Arts
  - Public data, research data, sensitive (PCI, HIPAA, etc.) data
- VXLANs protected through Edge Service devices and the NSX Distributed Firewalls.

17 Automated Deployment of Network Appliances and Services
- Provides multi-tenancy to Lobocloud customers
- Allows dynamic configuration and deployment of NSX Logical Services
- Allows on-demand application delivery with NSX-managed network and security services.
- Deployments are templateable and automatable
- On-demand vs. pre-created
21 VXLAN
- Network tunneling protocol
- Provides L2 tunnels over L3 networks
- Increases the number of LAN segments available for traffic:
  - Standard VLANs = 4094
  - VXLAN Network Identifiers = 16 million
- Virtual Tunnel End Points (VTEPs) terminate VXLAN tunnels:
  - ESXi hosts and Edge Services Gateways

23 VXLAN
- VXLAN modules operate in the ESXi hypervisor.
- Managed by NSX Controllers: ARP, VTEP, MAC tables.
- VTEPs encapsulate/decapsulate network packets:
  - Wrap a UDP packet header around the L2 packet
  - The VXLAN packet header includes the VNI.
- Encapsulated packets are forwarded between VTEPs over the physical network like any other IP traffic.
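The encapsulation step described on the two VXLAN slides, as an added example that is not part of the deck: a Python model of what a VTEP does to an L2 frame before the UDP send and on receipt. It assumes the RFC 7348 header layout (8-bit flags with the I bit set, 24-bit VNI, reserved bits zero); the outer IP/UDP headers and the sample frame are constructed here, not taken from NSX.

```python
import struct

VXLAN_UDP_PORT = 4789           # IANA-assigned UDP port for VXLAN (RFC 7348)
VNI_MAX = (1 << 24) - 1         # 24-bit VNI: 16,777,216 possible segments
VLAN_MAX = 4094                 # usable 802.1Q VLAN IDs, for comparison

def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed inner L2 frame (no FCS), as a VM's vNIC would emit it."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def vxlan_encapsulate(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header a VTEP adds before the UDP send.
    Layout: flags (I bit 0x08 set), 3 reserved bytes, 24-bit VNI, 1 reserved byte.
    The outer Ethernet/IP/UDP headers come from the VTEP's IP stack and are not modelled."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} does not fit the 24-bit field")
    header = bytes([0x08, 0, 0, 0]) + struct.pack("!I", vni << 8)
    return header + inner_frame

def vxlan_decapsulate(udp_payload: bytes):
    """Receiving VTEP: validate the header and return (vni, inner_frame).
    Frames with the I flag clear are dropped, as RFC 7348 requires."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    if not udp_payload[0] & 0x08:
        raise ValueError("I flag not set: not a valid VXLAN frame")
    vni = struct.unpack("!I", udp_payload[4:8])[0] >> 8
    return vni, udp_payload[8:]

def is_valid_vxlan(udp_payload: bytes) -> bool:
    """Boolean form of the receive-side check, handy for filtering captured UDP/4789 traffic."""
    try:
        vxlan_decapsulate(udp_payload)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed sample: an ARP-ethertype broadcast from one VM, tunnelled on VNI 5001.
    frame = ethernet_frame(b"\xff" * 6, bytes.fromhex("005056aa0001"), 0x0806, b"arp-payload")
    pkt = vxlan_encapsulate(5001, frame)
    print("VXLAN header:", pkt[:8].hex())          # 0800000000138900
    print("decapsulated:", vxlan_decapsulate(pkt))
    print("segments: VLAN", VLAN_MAX, "vs VXLAN", VNI_MAX + 1)
```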
24 Distributed Logical Router
- Module on each ESXi host
- Routes VNI-VNI, VLAN-VLAN and VNI-VLAN network traffic
- Supports OSPF and BGP protocols
- Keeps East-West traffic East-West

25 Distributed Firewall
- DFW modules run on the host
- DFW modules are controlled by NSX Manager.
- Configure rules in vCenter
- NSX Manager pushes rules to DFW modules
- Firewall processing is at the vNIC.

26 Distributed Firewall
- Firewall policy can be wrapped around:
  - Cluster
  - Datacenter
  - Distributed port group
  - IP Sets
  - Legacy port group
  - Logical Switch
  - Resource pool
  - Security Group
  - vApp
  - Virtual Machine
  - vNic

27 Edge Service Gateways (ESG)
- Used to provide North/South traffic
- Used to provide other network services:
  - Network Address Translation
  - SSL VPN
  - Load balancing
- ESGs are VMs and not modules in ESXi
- Third-party vendors provide advanced ESG services.

28 Multi-Tenancy
- Micro-segmentation
  - DFW
  - Edge Services
- Using Logical Routers and Switches
- DFW: profiles based on name, Security Groups, Logical Switches
- Edge Services:
  - SSL VPN
  - Network Address Translation
  - Firewall
29 VCO/VCAC Integration
- Automated network connectivity through Network Profiles
- Automated system/application isolation
- Deployment models:
  - Precreated: defined/created by IT NSX admins
  - On-demand: defined/configured by the Lobocloud customer
- Lobocloud customer profiles:
  - Regular
  - Super

30 VCAC Network Profiles
- Define IP addresses and subnets used in deployments
- Use IP pools for static IP assignments
- Use standard switches, distributed switches, or logical switches
- Profile types:
  - External
  - Routed
  - Network address translation (NAT)
  - Private

31 VCAC Security Automation
- Automated or predefined Security Group creation using predefined security policies
- Security tags automatically assign newly created VMs to security groups.
- Security tags are defined in blueprints.

32 The Future Applications of SDN
- Customer access to tenant security
- VDI
- Hybrid Cloud
- Science DMZ
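The DFW and security-automation behaviour described on slides 25, 26, 28 and 31 (rules evaluated at the vNIC, Security Groups filled by tags from the blueprint, rules that follow a VM across hosts, isolation between VMs on the same VXLAN), as an added illustrative model that is not NSX code or its API. VM names, hosts, tags, group names and rules below are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class VM:
    name: str
    host: str               # ESXi host the VM currently runs on
    logical_switch: str     # VXLAN logical switch its vNIC attaches to
    tags: frozenset = frozenset()   # security tags set in the blueprint

@dataclass
class Rule:
    src_group: str          # security group name, or "any"
    dst_group: str
    port: Optional[int]     # None matches any port
    action: str             # "allow" or "deny"

def build_groups(vms, tag_to_group):
    """Security groups filled from tags: a VM carrying the tag is a member."""
    return {grp: {vm.name for vm in vms if tag in vm.tags}
            for tag, grp in tag_to_group.items()}

def evaluate(rules, groups, src, dst, port):
    """Decide a flow at the destination vNIC: first match wins, default deny,
    so VMs on the same logical switch stay isolated unless a rule allows."""
    for r in rules:
        src_ok = r.src_group == "any" or src.name in groups.get(r.src_group, set())
        dst_ok = r.dst_group == "any" or dst.name in groups.get(r.dst_group, set())
        if src_ok and dst_ok and r.port in (None, port):
            return r.action
    return "deny"

# Constructed three-tier tenant; all three VMs share one VXLAN segment.
VMS = [VM("web01", "esxi-a", "ls-tenant1", frozenset({"tier.web"})),
       VM("app01", "esxi-b", "ls-tenant1", frozenset({"tier.app"})),
       VM("db01", "esxi-c", "ls-tenant1", frozenset({"tier.db"}))]
TAG_TO_GROUP = {"tier.web": "sg-web", "tier.app": "sg-app", "tier.db": "sg-db"}
RULES = [Rule("sg-web", "sg-app", 8080, "allow"),
         Rule("sg-app", "sg-db", 3306, "allow")]

def decisions(vms=VMS):
    groups = build_groups(vms, TAG_TO_GROUP)
    by = {vm.name: vm for vm in vms}
    return {"web->app:8080": evaluate(RULES, groups, by["web01"], by["app01"], 8080),
            "web->db:3306": evaluate(RULES, groups, by["web01"], by["db01"], 3306),
            "app->db:3306": evaluate(RULES, groups, by["app01"], by["db01"], 3306)}

def after_vmotion(vms=VMS):
    """Move web01 to another host: tags and rules travel with the VM, decisions do not change."""
    moved = [VM(v.name, "esxi-z" if v.name == "web01" else v.host, v.logical_switch, v.tags) for v in vms]
    return decisions(moved)
```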