Network Virtualization for Dummies


  • 7/24/2019 Network Virtualization for Dummies

    1/77


    These materials are © 2016 John Wiley & Sons, Inc. Any dissemination, distribution, or unauthorized use is strictly prohibited.

    http://www.vmware.com/

    Network Virtualization

    by Mora Gozani

    VMware Special Edition


    Network Virtualization For Dummies, VMware Special Edition

    Published by John Wiley & Sons, Inc.

    111 River St., Hoboken, NJ 07030-5774, www.wiley.com

    Copyright 2016 by John Wiley & Sons, Inc., Hoboken, New Jersey

    No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, electronic, mechanical, photocopying, recording, scanning or otherwise, except as permitted under Sections 107 or 108 of the 1976 United States Copyright Act, without the prior written permission of the Publisher. Requests to the Publisher for permission should be addressed to the Permissions Department, John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, (201) 748-6011, fax (201) 748-6008, or online at http://www.wiley.com/go/permissions.

    Trademarks: Wiley, For Dummies, the Dummies Man logo, The Dummies Way, Dummies.com, Making Everything Easier, and related trade dress are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries, and may not be used without written permission. VMware, vSphere, and vRealize are registered trademarks and VMware NSX, VMware vRealize Operations, and vRealize Automation are trademarks of VMware, Inc. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc., is not associated with any product or vendor mentioned in this book.

    LIMIT OF LIABILITY/DISCLAIMER OF WARRANTY: THE PUBLISHER AND THE AUTHOR MAKE NO REPRESENTATIONS OR WARRANTIES WITH RESPECT TO THE ACCURACY OR COMPLETENESS OF THE CONTENTS OF THIS WORK AND SPECIFICALLY DISCLAIM ALL WARRANTIES, INCLUDING WITHOUT LIMITATION WARRANTIES OF FITNESS FOR A PARTICULAR PURPOSE. NO WARRANTY MAY BE CREATED OR EXTENDED BY SALES OR PROMOTIONAL MATERIALS. THE ADVICE AND STRATEGIES CONTAINED HEREIN MAY NOT BE SUITABLE FOR EVERY SITUATION. THIS WORK IS SOLD WITH THE UNDERSTANDING THAT THE PUBLISHER IS NOT ENGAGED IN RENDERING LEGAL, ACCOUNTING, OR OTHER PROFESSIONAL SERVICES. IF PROFESSIONAL ASSISTANCE IS REQUIRED, THE SERVICES OF A COMPETENT PROFESSIONAL PERSON SHOULD BE SOUGHT. NEITHER THE PUBLISHER NOR THE AUTHOR SHALL BE LIABLE FOR DAMAGES ARISING HEREFROM. THE FACT THAT AN ORGANIZATION OR WEBSITE IS REFERRED TO IN THIS WORK AS A CITATION AND/OR A POTENTIAL SOURCE OF FURTHER INFORMATION DOES NOT MEAN THAT THE AUTHOR OR THE PUBLISHER ENDORSES THE INFORMATION THE ORGANIZATION OR WEBSITE MAY PROVIDE OR RECOMMENDATIONS IT MAY MAKE. FURTHER, READERS SHOULD BE AWARE THAT INTERNET WEBSITES LISTED IN THIS WORK MAY HAVE CHANGED OR DISAPPEARED BETWEEN WHEN THIS WORK WAS WRITTEN AND WHEN IT IS READ.

    For general information on our other products and services, or how to create a custom For Dummies book for your business or organization, please contact our Business Development Department in the U.S. at 877-409-4177, contact [email protected], or visit www.wiley.com/go/custompub. For information about licensing the For Dummies brand for products or services, contact BrandedRights&[email protected].

    ISBN 9781119125839 (pbk); ISBN 9781119125853 (ebk)

    Manufactured in the United States of America

    10 9 8 7 6 5 4 3 2 1

    Publisher's Acknowledgments

    Some of the people who helped bring this book to market include the following:

    Development Editor: Becky Whitney

    Project Editor: Elizabeth Kuball

    Acquisitions Editor: Katie Mohr

    Editorial Manager: Rev Mengle

    Business Development Representative: Karen Hattan

    Dummies Marketing: Jennifer Webb

    Production Editor: Siddique Shaik


    Table of Contents

    Introduction
        About This Book
        Foolish Assumptions
        Icons Used in This Book
        Where to Go from Here

    Chapter 1: The Next Evolution of Networking: The Rise of the Software-Defined Data Center
        The Business Needs Speed
        Security Requirements Are Rising
        Apps Need to Move Around
        Network Architectures Rooted in Hardware Can't Keep Up with the SDDC
            Network provisioning is slow
            Workload placement and mobility are limited
            Hardware limitations and lock-ins breed complexity and rigidity
            Configuration processes are manual, slow, and error prone
            OpEx and CapEx are too high
            You can't leverage hybrid cloud resources
            Networks have inadequate defenses

    Chapter 2: It's Time to Virtualize the Network
        How Network Virtualization Works
        Network Virtualization versus Software-Defined Networking
        Virtual Appliances versus Integration in the Hypervisor
        Why the Time Is Right for Network Virtualization
            Meeting the demands of a dynamic business
            Increasing flexibility with hardware abstraction
            Increasing security with network micro-segmentation
            Establishing a platform for the SDDC
        Rethinking the Network


    Chapter 3: Transforming the Network
        The Key Functionalities of a Virtualized Network
            Overlays
            A VXLAN primer
        The Big Payoff
        Meet VMware NSX: Networking for the SDDC
        How It Works
            The NSX architecture
            Integration with existing network infrastructure
            Simplified networking
            Extreme flexibility and extensibility
        What It Does: The Key Capabilities of NSX
            Everything in software
            Essential isolation, segmentation, and advanced security services
            Performance and scale
            Unparalleled network visibility
        The Key Benefits of VMware NSX
            Functional benefits
            Economic benefits

    Chapter 4: Network Virtualization Use Cases
        Securing the Data Center
            Limiting lateral movement within the data center
            The growth of east-west traffic within the data center
            Visibility and context
            Isolation
            Segmentation
            Automation
            Secure user environments: Micro-segmentation for VDI
        Automating IT Processes
            IT automation
            Developer cloud
            Multi-tenant infrastructure
        Enabling Application Continuity
            Disaster recovery
            Metro pooling
            Hybrid cloud networking


    Chapter 5: Operationalizing Network Virtualization
        Operations Investment Areas
            Organization and people
            Processes and tooling
            Architecture and infrastructure
        Focus on the Big Picture

    Chapter 6: Ten (Or So) Ways to Get Started with Network Virtualization
        Don't Miss the Essential Resources
            Boning up on the basics
            Taking a deeper dive
            Chatting with bloggers
            Taking an NSX test drive with Hands-on Labs
            Learning how to deploy NSX in your environment
        Touring the Platform via NSX Product Walkthrough
        Diving Down into the Technical Details
        Deploying NSX with Cisco UCS and Nexus 9000 Infrastructure
        Integrating NSX with Your Existing Network Infrastructure
        Integrating with Your Networking Services Ecosystem Partners


    Introduction

    Welcome to Network Virtualization For Dummies, your guide to a new and greatly improved approach to data center networking.

    Before I start getting to the heart of the matter of network virtualization, I briefly describe some topics that I cover within these pages. All the following requirements build the case for moving out of the hardwired network past and into the flexible world of network virtualization, which I describe in depth in Chapter 1:

    The network needs to move as fast as the business.

    Network security needs to move faster than cybercriminals do.

    Applications need the flexibility to move across data centers.

    So, how do you get there? The first step is to immerse yourself in the concepts of this new approach to data center networking. That's what this book is all about.

    About This Book

    Don't let the small footprint fool you. This book is loaded with information that can help you understand and capitalize on network virtualization. In plain and simple language, I explain what network virtualization is, why it's such a hot topic, how you can get started, and steps you can take to get the best bang for your IT buck.

    Foolish Assumptions

    In writing this book, I've made some assumptions about you. I assume that

    You work in an IT shop.

    You're familiar with network terminology.

    You understand the concept of virtualization.

    Icons Used in This Book

    To make it even easier to navigate to the most useful information, these icons highlight key text:

    Take careful note of these key takeaway points.

    Read these optional passages if you crave a more technical explanation.

    Follow the target for tips that can save you time and effort.

    Where to Go from Here

    The book is written as a reference guide, so you can read it from cover to cover or jump straight to the topics you're most interested in. Whichever way you choose, you can't go wrong. Both paths lead to the same outcome: a better understanding of network virtualization and how it can help you increase business agility, data center security, and application mobility.


    Chapter 1

    The Next Evolution of Networking: The Rise of the Software-Defined Data Center

    In This Chapter

    Introducing the software-defined data center

    Building the case for network virtualization

    Exploring today's networking challenges

    Why should you care about network virtualization? That question has more than a single answer. In fact, in this chapter, I describe several themes that point to a single overarching need: It's time to move out of the hardwired past and into the era of the virtualized network. Here's why:

    To stay competitive, businesses need the agility of the software-defined data center (SDDC).

    Antiquated network architectures are blocking the road to the SDDC.

    Legacy network architectures limit business agility, leave security threats unchecked, and drive up costs.

    The SDDC is rewriting the rules for the way IT services are delivered. The SDDC approach moves data centers from static, inflexible, and inefficient to dynamic, agile, and optimized.


    In this new world, virtualization enables the intelligence of the data center infrastructure to move from hardware to software.

    All IT infrastructure elements, including compute, networking, and storage, are virtualized and grouped into pools of resources. These resources can then be automatically deployed, with little or no human involvement. Everything is flexible, automated, and controlled by software.

    In an SDDC, you can forget about spending days or weeks provisioning the infrastructure to support a new application. You can now get an app up and running in minutes, for rapid time to value.

    The software-defined approach is really a much-needed framework for greater IT agility and more responsive IT service delivery, all at a lower cost. It's the key to the data center of the future.

    One recent study (in June 2014) by the Taneja Group, "Transforming the Datacenter with VMware's Software-Defined Data Center vCloud Suite," found that SDDCs deliver a 56 percent reduction in annual operational costs for provisioning and management. Even better, software-defined approaches can slash the time required to provision a production network for a new application from three or four weeks to a matter of minutes.

    The Business Needs Speed

    The chapter opener presents all the good news about software-based data centers. Here's the catch: Network architectures rooted in hardware can't match the speed and agility of SDDCs.

    For large companies, the pace of business is pretty crazy, and the pace of change is only increasing. Everything needs to be done yesterday. And everything now revolves around IT's ability to support the business. This new reality has big implications for the network.

    When a business wants to wow its customers with a new app, roll out a hotly competitive promotion, or take a new route to market, it needs the supporting IT services right away, not in weeks or months. In today's world, you either go for it or you miss out. We're in the era of the incredible shrinking window of opportunity.

    When the business turns to the IT organization for essential services, it wants to hear, "We'll get it done. We'll have it up and running right away," and not, "Well, we can't do that just yet because we would first need to do blah, blah, blah to the network, and that will take us at least a few weeks." That's not good enough. When business leaders hear that kind of talk, they're likely to walk away from in-house IT and walk right into the arms of a public cloud provider.

    The velocity of business won't slow down. It's all one big racetrack out there, with people trying to change a full set of tires and fuel up the car in seven seconds. That means IT needs to move a lot faster. Networks now need to change at the turbocharged speed of a digitally driven business. And that requires big changes in the current hardwired approaches to the network.

    Security Requirements Are Rising

    Long ago, a young Bob Dylan advised the world, "You don't need a weatherman to know which way the wind blows."

    Today, you could say pretty much the same thing about network security. In today's enterprises, a roaring wind is blowing in the direction of increased network security.

    Everyone knows that we need to do more to avoid costly breaches that put sensitive information into the hands of cybercriminals. And no company is immune to the threat. Just consider some of the headline-grabbing security breaches of the past few years, breaches that have brought corporate giants to their knees. From healthcare and investment banking to retail and entertainment, all companies are now caught up in the same costly battle to defend the network.

    It's like one big war game. A company fortifies its data center with a tough new firewall, and the cybercriminals slip in through a previously unknown back door, like a simple vulnerability in a client system, and run wild in the data center. The traditional strategy of defending the perimeter needs to be updated to include much more protection inside the data center as well.

    All the while, the costs keep rising in terms of damage to brand reputation and actual out-of-pocket costs. According to a research report published in May 2015 titled "2015 Cost of Data Breach Study: Global Analysis," by the respected Ponemon Institute, the average total cost of a data breach hit $3.79 million in 2014, and the average cost paid for each single lost or stolen record containing sensitive and confidential information rose 6 percent to $154.

    Clearly, something has to give. Enterprises need a better architecture to defend against the trolls under the digital bridge. And this need for a better architecture is a strong argument for transforming the network through virtualization.

    Apps Need to Move Around

    The rise of server virtualization has made a lot of great things possible. In a big step forward, applications are no longer tied to a single physical server in a single location. You can now replicate apps to a remote data center for disaster recovery, move them from one corporate data center to another, or slide them into a hybrid cloud environment.

    But there's a catch: the network. It's like a hitch in your giddy-up, to borrow some words from the cowboys of old. The network configuration is tied to hardware, so even if apps can move with relative ease, the hardwired networking connections hold them back.

    Networking services tend to be very different from one data center to another, and from an in-house data center to a cloud. That means you need a lot of customization to make your apps work in different network environments. That's a major barrier to app mobility, and another argument for using virtualization to transform the network.


    Network Architectures Rooted in Hardware Can't Keep Up with the SDDC

    The SDDC is the most agile and responsive architecture for the modern data center, achieved by moving intelligence into software for all infrastructure elements. So, let's take stock of where things are today:

    Most data centers now leverage server virtualization for the best compute efficiency. Check!

    Many data centers now optimize their storage environments through virtualization. Check!

    Few data centers have virtualized their network environments. No check.

    Though businesses are capitalizing on server and storage virtualization, they're challenged by legacy network infrastructure that revolves around hardware-centric, manually provisioned approaches that have been around since the first generation of data centers.

    In the next several sections, I walk you through some of the specific challenges of legacy architectures.

    Network provisioning is slow

    Although some network provisioning processes can be scripted, and software-defined networking promises to make this a reality with hardware-based systems, there is no automatic linkage to compute or storage virtualization. As a result, there is no way to automatically provision networking when the associated compute and storage is created, moved, snapshotted, deleted, or cloned. So, network provisioning remains slow, despite the use of automated tools.

    All the while, the thing that matters the most to the business, getting new apps ready for action, is subject to frequent delays caused by the slow, error-prone, manual processes used to provision network services.


    This is all rather ironic when you take a step back and consider the bigger picture: The limitations of legacy networks tie today's dynamic virtual world back to inflexible, dedicated hardware. Server and storage infrastructure that should be rapidly repurposed must wait for the network to catch up. Provisioning then becomes one big hurry-up-and-wait game.

    Workload placement and mobility are limited

    In today's fast-moving business environments, apps need to have legs. They need to move freely from one place to another. This might mean replication to an off-site backup-and-recovery data center, movement from one part of the corporate data center to another, or migration into and out of a cloud environment.

    Server and storage virtualization makes this kind of mobility possible. But you have to be aware of another problem: the network. When it comes to app mobility, today's hardwired network silos rob apps of their running shoes. Workloads, even those in virtual machines, are tethered to physical network hardware and topologies. To complicate matters, different data centers have different approaches to networking services, so it can take a lot of heavy lifting to configure an app running in data center A for optimal performance in data center B.

    All of this limits workload placement and app mobility, and makes change not just difficult but risky. It's always easiest, and safest, to simply leave things just the way they are.

    The current hardware-centric approach to networking restricts workload mobility to individual physical subnets and availability zones. To reach available compute resources in the data center, your network operators may be forced to perform box-by-box configuration of switching, routing, firewall rules, and so on. This process is not only slow and complex but also one that will eventually hit a wall, including the technical limitation of 4,096 total VLANs in a single LAN.


    Hardware limitations and lock-ins breed complexity and rigidity

    The current closed, black-box approach to networking, with custom operating systems, ASICs, CLIs, and management, complicates operations and limits agility. This old approach locks you into not only your current hardware but also all the complexities of your current network architecture, limiting your IT team's ability to adapt and innovate, which in turn puts the same limits on the business itself, because the business can move no faster than IT.

    One study, "Network Agility Research 2014," by Dynamic Markets, found that 90 percent of companies are disadvantaged by the complexities of their networks, impacting when, where, and what applications and services can be deployed. Here are some rather telling findings from the same study:

    IT makes, on average, ten changes to the corporate network in a 12-month period that require a maintenance window. The average wait for maintenance windows is 27 days each.

    Businesses spend a total of 270 days a year, or 9.6 months, waiting for IT to deliver a new or improved service.

    Larger enterprises require significantly more of these changes and wait even longer for maintenance windows.

    Configuration processes are manual, slow, and error prone

    On a day-to-day basis, physical networks force your network team to perform a lot of repetitive, manual tasks. If a line of business or a department requests a new application or service, you need to create VLANs, map VLANs across switches and uplinks, create port groups, update service profiles, and on and on. On top of this, this configuration work is often done via clunky CLIs.


    The rise of software-defined networking (SDN), which I explain in Chapter 2, is meant to help here by allowing programmatically controlled hardware, but this still leaves you with a lot of heavy lifting. For instance, you still need to build multiple identical networks to support your development, test, and production teams, and you still lack the ability to deploy your (hardware-based) network in lock step with your virtualized compute and storage.

    And then there's the other issue: All this manual configuration work is error prone. In fact, manual errors are the main cause of outages. Studies consistently find that the largest percentage of network incidents, in the realm of 32 percent to 33.3 percent, is due to human-caused configuration errors. (The 33.3 percent estimate is from the Dimension Data report "2015 Network Barometer Report," and the 32 percent estimate is from the Ponemon Institute report "2013 Cost of Data Center Outages.")

    OpEx and CapEx are too high

    The limitations of legacy network architectures are driving up data center costs in terms of both operational expenditures (OpEx) and capital expenditures (CapEx).

    OpEx

    The heavy use of manual processes drives up the cost of network operations. Just consider all the labor-intensive manual tasks required to configure, provision, and manage a physical network. Now multiply the effort of these tasks across all the environments you need to support: development, testing, staging, and production; differing departmental networks; differing application environments; primary and recovery sites; and so on. Tasks that may be completed in minutes with automated processes, or even instantaneously with automatic deployment of networks, take hours, days, or weeks in a manual world.

    And then there are the hidden costs that come with manually introduced configuration errors. One mistake can cause a critical connectivity issue or outage that impacts business. The financial effect of an unplanned data center outage can be huge. The average reported incident length in the study "Network Agility Research 2014" by Dynamic Markets was 86 minutes at a cost of $7,900 per minute. The average cost per incident was $690,200.


CapEx

On the capital side, legacy network architectures require your organization to invest in stand-alone solutions for many of the networking and security functions that are fundamental to data center operations. These include routing, firewalling, and load balancing. Providing these functions everywhere they are needed comes with hefty price tags.

There is also the need to overprovision hardware to be sure you can meet peak demands, plus the need to deploy active-passive configurations. In effect, you need to buy twice the hardware for availability purposes.

And then there is the cost of forklift upgrades. To take advantage of the latest innovations in networking technology, network operators often have to rip and replace legacy gear, with most organizations on a three- to five-year refresh cycle. Legacy network architectures rooted in hardware also require overprovisioning to account for spikes in usage, because hardware-based networks cannot scale automatically with demand. And up go the costs of networking.

Legacy network architectures can also result in other inefficiencies. Often, network designers must reserve parts of a network for a specific use to accommodate special security or compliance requirements. Coupled with the need for overprovisioning, the inefficiencies are magnified, leading to swaths of dark servers kept around just in case, without serving any useful purpose. The result looks like a badly fragmented hard drive.

You can't leverage hybrid-cloud resources

Cloud service providers have proven that applications and services can be provisioned on demand. Enterprises everywhere would like to enjoy the same level of speed and agility. With that thought in mind, forward-looking executives envision using hybrid clouds for all kinds of use cases, from data storage and disaster recovery to software development and testing.


But, once again, there is a network-related catch. In their quest to move to the cloud, enterprises are hampered by vendor-specific network hardware and physical topology. These constraints that come with legacy data center architectures can make it difficult to implement hybrid clouds. Hybrid clouds depend on a seamless extension of the on-premises data center to a public cloud resource, and how do you achieve this when you can't control the public cloud network to mirror your hardware networking systems?

Networks have inadequate defenses

Many of the widely publicized cyber attacks of recent years share a common characteristic: Once inside the data center perimeter, malicious code moved from server to server, where sensitive data was collected and sent off to cybercriminals. These cases highlight a weakness of today's data centers: They have limited network security controls to stop attacks from spreading inside the data center.

Perimeter firewalls are pretty good at stopping many, but not all, attacks. As the recent attacks have shown, threats are still slipping into the data center through legitimate access points. Once inside, they spread like a deadly viral disease. This has been a tough problem to solve because of the realities of physical network architectures. Put simply, with legacy networking systems, it's too costly to provide firewalling for traffic between all workloads inside the data center. With today's networks, it's hard to stop an attack from propagating laterally from server to server over east-west traffic.

Let's recap. To this point, I've noted that:

To stay competitive, businesses need the agility of the software-defined data center.

Antiquated network architectures are blocking the road to the SDDC.

Legacy network architectures limit business agility, leave security threats unchecked, and drive up costs.

These themes point to a single overarching need: It's time to move out of the hardwired past and into the era of the virtualized network.


Chapter 2: It's Time to Virtualize the Network

    In This Chapter

    Explaining the basics of network virtualization

    Highlighting the benefits of this new approach

    Outlining key characteristics of a virtualized network

In this chapter, I dive into the concept of network virtualization: what it is, how it differs from other approaches to the network, and why the time is right for this new approach.

To put things in perspective, let's begin with a little background on network virtualization, the state of today's networks, and how we got to this point.

How Network Virtualization Works

Network virtualization makes it possible to programmatically create, provision, and manage networks all in software, using the underlying physical network as a simple packet-forwarding backplane. Network and security services in software are distributed to hypervisors and attached to individual virtual machines (VMs) in accordance with networking and security policies defined for each connected application. When a VM is moved to another host, its networking and security services move with it. And when new VMs are created to scale an application, the necessary policies are dynamically applied to those VMs as well.



Similar to how a virtual machine is a software container that presents logical compute services to an application, a virtual network is a software container that presents logical network services (logical switching, logical routing, logical firewalling, logical load balancing, logical VPNs, and more) to connected workloads. These network and security services are delivered in software and require only IP packet forwarding from the underlying physical network. The workloads themselves are connected via a software representation of a physical network wire. This allows the entire network to be created in software (see Figure 2-1).

Network virtualization coordinates the virtual switches in server hypervisors and the network services pushed to them for connected VMs, to effectively deliver a platform, or network hypervisor, for the creation of virtual networks (see Figure 2-2).

One way that virtual networks can be provisioned is by using a cloud management platform (CMP) to request the virtual network and security services for the corresponding workloads. The controller then distributes the necessary services to the corresponding virtual switches and logically attaches them to the corresponding workloads (see Figure 2-3).

This approach not only allows different virtual networks to be associated with different workloads on the same hypervisor, but also enables the creation of everything from basic virtual networks involving as few as two nodes to very advanced constructs that match the complex, multi-segment network topologies used to deliver multi-tier applications.

Figure 2-1: Compute and network virtualization.


Figure 2-2: The network hypervisor.

Figure 2-3: Virtual network provisioning.

To connected workloads, a virtual network looks and operates like a traditional physical network (see Figure 2-4). Workloads see the same layer 2, layer 3, and layer 4 through 7 network services that they would in a traditional physical configuration. It's just that these network services are now logical instances of distributed software modules running in the hypervisor on the local host and applied at the virtual interface of the virtual switch.

Figure 2-4: The virtual network, from the workload's perspective (logical).

To the physical network, a virtual network looks and operates like a traditional physical network (see Figure 2-5). The physical network sees standard layer 2 frames and IP packets, just as it would in a traditional physical network. The VM sends a standard layer 2 frame that is encapsulated at the source hypervisor with additional IP, User Datagram Protocol (UDP), and Virtual Extensible LAN (VXLAN) headers. The physical network forwards the encapsulated packet using only the outer headers, and the destination hypervisor strips those headers and delivers the original layer 2 frame to the destination VM.

Figure 2-5: The virtual network, from the network's perspective (physical). [Figure labels: VM, VM; Virtual Network; Existing Physical Network; Simplified IP Backplane: No VLANs, No ACLs, No Firewall Rules; Virtual switch / Hypervisor on each of two hosts.]

The ability to apply and enforce security services at the virtual interface of the virtual switch also eliminates hairpinning (see Chapter 3) in situations where east-west traffic between two VMs on the same hypervisor, but in different subnets, would otherwise have to traverse the physical network to reach essential services such as routing and firewalling.

What's the difference between a virtual network and a VLAN?

If you work in networking, you know all about VLANs, or virtual local area networks. They've been around for a long time. So, why aren't VLANs sufficient? Let's look at the differences between VLANs and virtual networks.

The VLAN approach breaks up a physical local area network into multiple virtual networks. Groups of ports are isolated from each other as if they were on physically different networks. The VLAN approach is like slicing a big network pie into a lot of bite-size networks. Looking ahead, as your network grows you could eventually run into a dead end: the 12-bit VLAN ID allows at most 4,096 VLANs in a single LAN (4,094 usable, because IDs 0 and 4095 are reserved).

The problems with VLANs don't stop there. Another big limitation is that VLANs don't allow you to save, snapshot, delete, clone, or move networks. And then there is the inherent security issue with VLANs: by themselves, they give you no control over traffic between two systems on the same VLAN. This means that an attack that hits one system can jump directly to any other system on that segment.

Network virtualization is far more than VLANs, making possible the creation of entire networks in software, including switching, routing, firewalling, and load balancing. This provides far greater flexibility than has been possible in the past. With all networking and security services handled in software and attached to VMs, labor-intensive management and configuration processes can be streamlined and automated, and networks are created automatically to meet workload demands.


Network Virtualization versus Software-Defined Networking

Network virtualization may sound a lot like software-defined networking (SDN), but there are actually major differences between these terms. Let's look at these two concepts.

Though the term software-defined networking means different things to different people, this much is clear: SDN allows software to control the network and its physical devices. SDN is all about software talking to hardware; you can essentially call it a next-generation network management solution. Though it centralizes management and allows you to control network switches and routers through software, SDN doesn't virtualize all networking functions and components. In other words, SDN doesn't allow you to run the entire network in software. Hardware remains the driving force for the network.

In contrast to SDN, network virtualization completely decouples network resources from the underlying hardware. All networking components and functions are faithfully replicated in software. Virtualization principles are applied to physical network infrastructure to create a flexible pool of transport capacity that can be allocated, used, and repurposed on demand.

With your networking resources decoupled from the physical infrastructure, you basically don't have to touch the underlying hardware. Virtual machines can move from one logical domain to another without anyone having to reconfigure the network or wire up domain connections. You implement network virtualization in the hypervisor layer on x86 servers rather than on network switches. As I note earlier, the physical network serves as a packet-forwarding backplane controlled from a higher level.

Software-defined networking allows you to control network switches and routers through software. It doesn't virtualize all networking functions and components.

Network virtualization replicates all networking components and functions in software. It allows you to run the entire network in software.


Virtual Appliances versus Integration in the Hypervisor

What about virtual appliances? Networking functions, of course, can be delivered via virtual appliances (ready-to-go virtual machines that run on a hypervisor). Virtual appliances are usually designed to deliver the functionality of a single network function, such as a router, a WAN accelerator, or a network firewall.

Though they meet targeted needs, virtual appliances have some distinct drawbacks. For starters, virtual appliances run as guests on top of a hypervisor, which limits performance. And then there is the issue of virtual appliance sprawl. Because of the limited performance of the devices, you may end up having to deploy tens, hundreds, or even thousands of virtual appliances to reach the scale of the full data center. This presents a huge CapEx barrier and is also an operational nightmare.

The real value of network virtualization emerges in the integration of all networking functions in the hypervisor. This more sophisticated approach allows the network and the full range of its functions to follow virtual machines as they move from one server to another. There's no need to reconfigure any network connections, because those are all in software. Basically, the network can go anywhere in the data center that is virtualized.

There are many other advantages to the hypervisor-based approach to network virtualization. I cover these in Chapter 3. For now, let's just say that this new approach to the network makes your data center a lot more agile. It's kind of like going from hardwired to wireless connections on your home network. Things can move around, and all the networking stuff goes with them.

Why the Time Is Right for Network Virtualization

People have been talking about network virtualization for years. It's now time to let the rubber meet the road to meet pressing needs in today's data centers.


Here are some of the reasons why the time is right for network virtualization.

Meeting the demands of a dynamic business

Simply put, software moves faster than hardware. It's far easier to deploy services, make changes, and roll back to previous versions when the network is all in software. Today's businesses have constantly changing requirements, which puts increasing demands on IT to be able to support these changes. When the network environment is run purely in software, it's much more flexible in adapting to changes, making it possible for IT organizations to meet business demands more effectively.

Increasing flexibility with hardware abstraction

Network virtualization moves intelligence from dedicated hardware to flexible software that increases IT and business agility. This concept is known as abstraction. To explain this concept, let's start in the well-established world of server virtualization.

With server virtualization, an abstraction layer, or hypervisor, reproduces the attributes of the physical server (CPU, RAM, disk, and so on) in software. Abstraction allows these attributes to be assembled on the fly to produce a unique virtual machine.

Network virtualization works the same way. With network virtualization, the functional equivalent of a network hypervisor reproduces networking services such as switching, routing, access control, firewalling, QoS, and load balancing in software. With everything in software, virtualized services can be assembled in any combination to produce a unique virtual network in a matter of seconds.

This level of agility is one of the big benefits of the software-defined data center, and one of the big arguments for network virtualization.


Increasing security with network microsegmentation

Another argument for network virtualization revolves around the need for stronger security. Network virtualization increases security by serving as the foundational building block for microsegmentation (the use of fine-grained policies and network control to enable security inside the data center). Microsegmentation allows you to shrink-wrap security around each workload, preventing the spread of server-to-server threats. I explain more on this concept in Chapter 4.

With network virtualization, networks are isolated by default, which means that workloads on two unrelated networks have no possibility of communicating with each other. Isolation is foundational to network security, whether for compliance, containment, or simply keeping development, test, and production environments from interacting. When virtual networks are created, they remain isolated from each other unless you decide to connect them. No physical subnets, no VLANs, no access control lists (ACLs), and no firewall rules are required in order to enable this isolation.

Virtual networks are also isolated from the underlying physical network. This isolation not only decouples changes in one virtual network from affecting another, but it also protects the underlying physical infrastructure from attacks launched from workloads in any of your virtual networks. Once again, you don't need any VLANs, ACLs, or firewall rules to create this isolation. That's just the way it is with network virtualization.
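The isolation-by-default and per-workload firewalling described above, together with the point made in the VLAN sidebar that a VLAN alone cannot restrict traffic between two hosts on the same segment, modeled as an added example (this is not code from this book or from VMware NSX): a distributed firewall whose policy is evaluated at each VM's virtual interface on the hypervisor that hosts it. The workload names, VNIs, hosts, security groups and rules are constructed sample data, and the routed-segments set stands in for a logical router joining two logical switches.

```python
"""Micro-segmentation: a distributed firewall evaluated at each VM's virtual interface.

Added example, not code from this book or from VMware NSX. Workload names, VNIs,
hosts, security groups and rules are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Set, Tuple


@dataclass
class Workload:
    name: str
    vni: int                # logical switch (VXLAN segment) the vNIC is attached to
    host: str               # hypervisor currently running the VM
    groups: FrozenSet[str]  # security-group membership: identity, not an address


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    proto: str
    port: int               # 0 means any port
    action: str             # "allow" or "deny"


class DistributedFirewall:
    """Per-vNIC policy applied on the sending VM's hypervisor, so east-west traffic
    is filtered in place instead of hairpinning through a central appliance."""

    def __init__(self, rules: List[Rule],
                 routed_segments: Optional[Set[Tuple[int, int]]] = None):
        self.rules = rules
        # VNI pairs joined by a logical router; all other segment pairs stay isolated.
        self.routed: Set[Tuple[int, int]] = set()
        for a, b in routed_segments or set():
            self.routed.update({(a, b), (b, a)})

    def decide(self, src: Workload, dst: Workload, proto: str, port: int) -> Tuple[str, str]:
        """Return (verdict, explanation); the enforcement point is always src.host."""
        point = f"vNIC of {src.name} on {src.host}"
        if src.vni != dst.vni and (src.vni, dst.vni) not in self.routed:
            return "deny", f"{point}: logical networks {src.vni} and {dst.vni} are isolated"
        for r in self.rules:  # first matching rule wins
            if (r.src_group in src.groups and r.dst_group in dst.groups
                    and r.proto == proto and r.port in (0, port)):
                return r.action, f"{point}: rule {r.src_group}->{r.dst_group} {r.proto}/{r.port or 'any'}"
        return "deny", f"{point}: default deny"


def migrate(vm: Workload, new_host: str) -> Workload:
    """vMotion-style move: only the host changes; identity, segment and policy do not."""
    vm.host = new_host
    return vm


# Constructed three-tier application on one logical switch, plus an unrelated dev VM
WEB = Workload("web-01", vni=5001, host="esx-a", groups=frozenset({"prod", "web"}))
APP = Workload("app-01", vni=5001, host="esx-a", groups=frozenset({"prod", "app"}))
DB = Workload("db-01", vni=5001, host="esx-b", groups=frozenset({"prod", "db"}))
DEV = Workload("dev-01", vni=6001, host="esx-b", groups=frozenset({"dev"}))

POLICY = DistributedFirewall([
    Rule("web", "app", "tcp", 8080, "allow"),
    Rule("app", "db", "tcp", 3306, "allow"),
    # No web -> db rule: a compromised web server cannot reach the database even
    # though all three VMs share a segment, which a VLAN alone could not prevent.
])


def lateral_movement_blocked() -> bool:
    """The web VM, on the same segment as the database, still cannot open 3306 to it."""
    return POLICY.decide(WEB, DB, "tcp", 3306)[0] == "deny"


def policy_follows_vm() -> bool:
    """Moving the app VM to another host leaves web->app allowed with no reconfiguration."""
    before = POLICY.decide(WEB, APP, "tcp", 8080)[0]
    migrate(APP, "esx-c")
    after = POLICY.decide(WEB, APP, "tcp", 8080)[0]
    return before == after == "allow"


if __name__ == "__main__":
    for s, d, proto, port in [(WEB, APP, "tcp", 8080), (WEB, DB, "tcp", 3306),
                              (APP, DB, "tcp", 3306), (DEV, WEB, "tcp", 80)]:
        print(f"{s.name} -> {d.name} {proto}/{port}: {POLICY.decide(s, d, proto, port)}")
```

Two design points carry the argument of this section: rules are keyed on security-group membership rather than on addresses, so a VM keeps its policy when it moves hosts or changes IP, and the decision is taken on the source VM's hypervisor, which is why no rule ever has to be pushed to a physical switch or a central firewall.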

Taking a closer look at microsegmentation

For a deep dive into the concept of microsegmentation, download a copy of Micro-Segmentation For Dummies (Wiley) at http://info.vmware.com/content/33851_Micro-Segmentation_Reg?CID=70134000000NzKR&src=test&touch=1. This tightly written book, sponsored by VMware, provides a close-up look at the concepts, technologies, and benefits of microsegmentation with VMware NSX.

Establishing a platform for the SDDC

As I note in Chapter 1, the software-defined data center is a much-needed framework for greater IT agility and more responsive IT service delivery, all at a lower cost. As the critical third pillar of the SDDC, building on the pillars of compute and storage virtualization, network virtualization is key to the SDDC.

Network virtualization is a transformative architecture that makes it possible to create and run entire networks in parallel on top of existing network hardware. This results in faster deployment of workloads, as well as greater agility and security in the face of increasingly dynamic data centers.

Rethinking the Network

Though it leverages your existing network hardware, network virtualization is a fundamentally new approach to the network. This means you need to think about your network in new ways. In the past, network functions revolved all around hardware. Now they have all the flexibility of software.

A virtualized network should allow you to take an entire network, complete with all its configurations and functions, and duplicate it in software.

You should be able to create and run your virtualized network in parallel on top of your existing network hardware. A virtual network can be created, saved, deleted, and restored, just as you would do with virtual machines, but in this case you're doing it with the entire network.

In more specific terms, a virtualized network should give you the ability to

Decouple the network from underlying hardware and apply virtualization principles to network infrastructure.

Create a flexible pool of transport capacity that can be allocated, utilized, and repurposed on demand.


Deploy networks in software that are fully isolated from each other, as well as from other changes in the data center.

Transfer, move, and replicate the network, just as you can do with virtualized compute and storage resources.

Make consistent network functionality available anywhere in your enterprise.

So, how do you get there? I cover that part of the story in Chapter 3, where I explore the technologies behind network transformation.


Chapter 3: Transforming the Network

In This Chapter

Explaining the key functionality of a virtualized network

Introducing the technologies for network virtualization

Outlining key features of a virtualized network

Exploring functional and economic benefits

In this chapter, I dive down into the technologies you need in order to bring the benefits of virtualization to your network environment. I begin with an introduction of the concepts behind network virtualization, and conclude with details of VMware NSX, a multi-hypervisor, multi-cloud network virtualization and management platform.

The Key Functionalities of a Virtualized Network

Let's dive a little deeper into some of the key functionalities of a virtualized network, including overlays and packet flow.

Overlays

Network virtualization makes use of overlay technologies, which sit above the physical network hardware and work with the server hypervisor layer. Logical switching is achieved via the use of overlays, as shown in Figure 3-1.



Network overlays make it possible to run networks entirely in software, abstracted from the supporting physical network infrastructure. They basically create tunnels within the data center network.

Packet flow from sender to receiver

As I note elsewhere, virtual networks use the underlying physical network as a simple packet-forwarding backplane. When VMs communicate with each other, the packet is encapsulated with the IP address information of the destination hypervisor. The physical network delivers the encapsulated packet to the destination hypervisor, which removes the outer headers, and then the local vSwitch instance delivers the original frame to the virtual machine.

In this way, the communication uses the underlying physical network as a simple IP backplane, one that requires no STP, no VLANs, no ACLs, and no firewall rules. This approach dramatically simplifies configuration management and eliminates physical network changes from the network provisioning process.

Figure 3-1: Logical switching via the use of overlays.

Overlay technologies

There are various overlay technologies. One industry-standard technology is called Virtual Extensible Local Area Network, or VXLAN. VXLAN provides a framework for overlaying virtualized layer 2 networks over layer 3 networks.

You may have also heard of NVGRE, another type of overlay. NVGRE stands for network virtualization using generic routing encapsulation. NVGRE is similar to VXLAN in its goals, but it uses a different approach (GRE rather than UDP encapsulation) to create the overlay. NVGRE has had limited adoption in comparison to the momentum of VXLAN.

In a VMware environment, network virtualization is based on VXLAN. This widely adopted standard, published as RFC 7348, was developed jointly by VMware and major networking vendors.

A VXLAN primer

With its broad industry support, VXLAN has become the de facto standard overlay (or encapsulation) protocol. VXLAN is key to building logical networks that provide layer 2 adjacency between workloads, without the issues and scalability concerns found with traditional layer 2 technologies.

VXLAN is an overlay technology that encapsulates the original Ethernet frames generated by workloads (virtual or physical) connected to the same logical layer 2 segment, usually named a logical switch (LS).

VXLAN is a layer 2 over layer 3 (L2oL3) encapsulation technology. The original Ethernet frame generated by a workload is encapsulated with external VXLAN, UDP, IP, and Ethernet headers to ensure that it can be transported across the network infrastructure interconnecting the VXLAN tunnel endpoints (the hypervisors hosting the workloads, not the virtual machines themselves).

Scaling beyond the 4,096-VLAN limitation of traditional switches (a 12-bit VLAN ID) is solved by leveraging a 24-bit identifier, named the VXLAN Network Identifier (VNI), which allows roughly 16 million segments and is associated with each layer 2 segment created in the logical space. This value is carried inside the VXLAN header and is normally associated with an IP subnet, similar to what traditionally happens with VLANs. Intra-IP-subnet communication happens between devices connected to the same virtual network (logical switch).

The layer 2, layer 3, and layer 4 headers present in the original Ethernet frame are hashed to derive the source port value for the external UDP header. This is important to ensure load balancing of VXLAN traffic across the equal-cost paths potentially available inside the transport network infrastructure, because the physical switches hash on the outer headers only and would otherwise pin every tunneled flow between two hypervisors onto one path.


The source and destination IP addresses used in the external IP header uniquely identify the hosts originating and terminating the VXLAN encapsulation of frames. This hypervisor-based logical functionality is usually referred to as a VXLAN Tunnel End Point (VTEP).

Encapsulating the original Ethernet frame into a UDP packet increases the size of the IP packet: the outer Ethernet, IPv4, UDP, and VXLAN headers add 50 bytes, so a standard 1,500-byte frame becomes 1,550 bytes on the wire. We recommend increasing the overall maximum transmission unit (MTU) size to a minimum of 1,600 bytes for all the interfaces in the physical infrastructure that will carry the frame. The MTU for the virtual switch uplinks of the VTEPs performing VXLAN encapsulation is automatically increased when preparing the VTEP for VXLAN.

Figure 3-2 describes (at a high level) the steps required to establish layer 2 communications between VMs leveraging VXLAN overlay functionality:

VM1 originates a frame destined to VM2, which is part of the same layer 2 logical segment (IP subnet).

The source VTEP identifies the destination VTEP where VM2 is connected and encapsulates the frame before sending it to the transport network.

The transport network is required only to enable IP communication between the source and destination VTEPs.

The destination VTEP receives the VXLAN frame, de-encapsulates it, and identifies the layer 2 segment to which it belongs.

The frame is delivered to VM2.

Figure 3-2: Establishing layer 2 communication between VMs with VXLAN.
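The encapsulation the primer describes (and the packet flow from the Overlays section earlier in this chapter), as an added example that is not code from this book or from NSX: a VTEP's encapsulate and decapsulate path in Python, the 24-bit VNI in the VXLAN header, the outer UDP source port derived from a hash of the inner headers, and the MTU arithmetic behind the 1,600-byte recommendation. It assumes an IPv4 underlay with no outer 802.1Q tag and an inner IPv4 frame without options; all MAC and IP addresses and the VNI are made-up sample values.

```python
"""VXLAN (RFC 7348) encapsulation/decapsulation as a VTEP performs it. Added example,
not code from the book or NSX; assumes an IPv4 underlay, no outer 802.1Q tag, an inner
IPv4 frame without options, and made-up addresses and VNI."""
import struct
import zlib

VXLAN_UDP_PORT = 4789             # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08       # "I" bit: the VNI field is valid
VXLAN_OVERHEAD = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17

# Constructed VTEP identities: the hypervisors, not the VMs
SRC_VTEP_MAC = bytes.fromhex("0050560a0001")
DST_VTEP_MAC = bytes.fromhex("0050560a0002")
SRC_VTEP_IP = bytes([192, 168, 250, 11])
DST_VTEP_IP = bytes([192, 168, 250, 12])


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; 0 over a valid header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, payload_len: int) -> bytes:
    """20-byte IPv4 header carrying UDP, DF bit set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, IPPROTO_UDP, 0, src, dst)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def entropy_source_port(inner_frame: bytes) -> int:
    """Outer UDP source port from a hash of the inner L2/L3/L4 headers (14 + 20 + 4 =
    38 bytes). Underlay switches hash the outer 5-tuple, so this spreads VM flows
    over equal-cost paths while keeping each flow on a single path."""
    digest = zlib.crc32(inner_frame[:38]) & 0xFFFFFFFF
    return 49152 + digest % 16384  # ephemeral range 49152-65535


def vxlan_encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Prepend outer Ethernet/IPv4/UDP/VXLAN headers for the trip between VTEPs."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    # VXLAN header: flags(8) reserved(24) | VNI(24) reserved(8)
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_VNI_VALID << 24, vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    # A zero UDP checksum is permitted for VXLAN over IPv4 (RFC 7348, section 5)
    udp_hdr = struct.pack("!HHHH", entropy_source_port(inner_frame),
                          VXLAN_UDP_PORT, udp_len, 0)
    ip_hdr = ipv4_header(SRC_VTEP_IP, DST_VTEP_IP, udp_len)
    eth_hdr = DST_VTEP_MAC + SRC_VTEP_MAC + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def vxlan_decapsulate(packet: bytes):
    """Validate the outer headers and return (vni, inner_frame)."""
    if len(packet) < VXLAN_OVERHEAD:
        raise ValueError("packet shorter than VXLAN overhead")
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_IPV4 or packet[14] != 0x45:
        raise ValueError("outer frame is not plain IPv4")
    ip = packet[14:34]
    if ipv4_checksum(ip) != 0 or ip[9] != IPPROTO_UDP:
        raise ValueError("bad outer IPv4 header or not UDP")
    _sport, dport, udp_len, _csum = struct.unpack("!HHHH", packet[34:42])
    if dport != VXLAN_UDP_PORT or udp_len < 16:
        raise ValueError("not a VXLAN packet")
    flags_word, vni_word = struct.unpack("!II", packet[42:50])
    if not (flags_word >> 24) & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return vni_word >> 8, packet[50:34 + udp_len]


def fits_transport_mtu(inner_frame_len: int, transport_mtu: int) -> bool:
    """A 1,500-byte VM frame needs 1,550 bytes on the wire; 1,600 leaves headroom."""
    return inner_frame_len + VXLAN_OVERHEAD <= transport_mtu


def sample_inner_frame() -> bytes:
    """Constructed VM-to-VM frame: Ethernet + IPv4 + UDP + 5-byte payload."""
    payload = b"hello"
    inner_udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0)
    inner_ip = ipv4_header(bytes([10, 0, 1, 10]), bytes([10, 0, 1, 20]),
                           len(inner_udp) + len(payload))
    inner_eth = (bytes.fromhex("005056aa0002") + bytes.fromhex("005056aa0001")
                 + struct.pack("!H", ETHERTYPE_IPV4))
    return inner_eth + inner_ip + inner_udp + payload


def round_trip(vni: int = 5001):
    """Encapsulate the sample frame and decapsulate it: (frame, packet, vni, inner)."""
    frame = sample_inner_frame()
    packet = vxlan_encapsulate(frame, vni)
    got_vni, inner = vxlan_decapsulate(packet)
    return frame, packet, got_vni, inner
```

Running `round_trip()` shows the 47-byte sample frame leaving the VTEP as a 97-byte packet whose outer IP addresses belong to the hypervisors, with the VM addresses visible only inside the payload; the underlay needs nothing beyond IP reachability between the two VTEP addresses, which is the whole point of the "simple IP backplane" argument. The decapsulation side rejects a packet whose outer checksum, protocol, destination port or VNI-valid flag is wrong, the checks a real VTEP performs before it will hand a frame to a logical switch.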


    The Big PayoffNetwork virtualization helps enterprises achieve major advancesin speed, agility, and security, by automating and simplifyingmany of the processes that go into running a data center network.

Here's a quick checklist of some of the key benefits that come with this new approach to the network. Network virtualization helps you

    Reduce network provisioning time from weeks to minutes.

Achieve greater operational efficiency by automating manual processes.

Network virtualization in action: An example

Here's one of many potential examples of how network virtualization makes life better for your security and network administrators.

Communication on a conventional network can be inefficient when services, such as firewalling, are applied. Traffic must be routed out of the virtual environment, passed through the physical security infrastructure (centralized firewall), and then redirected back to the virtual environment. This process is called hairpinning. It adds complexity, increases instability, and decreases the ability to move workloads.

By contrast, when network services are integrated into the hypervisor, there's no need for this hairpinning process. These concepts are illustrated in the following figure.


Place and move workloads independently of physical topology.

    Improve network security within the data center.

Meet VMware NSX: Networking for the SDDC

First, a simple definition: VMware NSX is the network virtualization and security platform for the software-defined data center. NSX reproduces the entire network model in software. This end-to-end model enables any network topology, from simple to complex multitier networks, to be created and provisioned in seconds. It delivers all the goodness of network virtualization that I cover in Chapter 2.

While increasing agility and streamlining your approach to the network, NSX enhances security inside the data center.

These security gains are delivered via automated fine-grained policies that wrap security controls around individual virtual machines or small groups of virtualized resources. This approach can be a huge help in blocking attacks that move laterally within the data center, jumping from workload to workload with little or no controls to block their propagation. With NSX, workloads can be isolated from each other, as though each were on its own network.

How It Works

Let's pop the latch and take a look under the hood of VMware NSX.

The NSX architecture

The NSX approach to network virtualization allows you to treat your physical network as a pool of transport capacity that can be consumed and repurposed on demand. Virtual networks are created, provisioned, and managed in software, using your physical network as a simple packet-forwarding backplane.


Virtualized network services are distributed to each virtual machine independently of the underlying network hardware or topology. This means workloads can be added or moved on the fly and all the network and security services attached to the virtual machine move with it, anywhere in the data center. Your existing applications operate unmodified. They see no difference between a virtual network and a physical network connection.

Integration with existing network infrastructure

NSX works with your existing compute and networking infrastructure, applications, and security products. You can deploy NSX nondisruptively on top of your current infrastructure.

Better still, NSX is not an all-or-nothing approach. You don't have to virtualize your entire network. You have the flexibility to virtualize portions of your network by simply adding hypervisor nodes to the NSX platform.

Gateways, available as software from VMware or top-of-rack switch hardware from VMware partners, give you the ability to seamlessly interconnect virtual and physical networks. These can be used, for example, to support network access by workloads connected to virtual networks or to directly connect legacy VLANs and bare-metal workloads to virtual networks.

Simplified networking

After NSX is deployed, little interaction with the physical network is required. You no longer need to deal with the physical network configuration of VLANs, ACLs, spanning trees, complex sets of firewall rules, and convoluted hairpinning traffic patterns because these are no longer necessary when the network is virtualized.

As you deploy NSX virtual networks, you can increasingly streamline your physical network configuration and design. Vendor lock-in becomes a thing of the past because the physical network only needs to deliver reliable high-speed packet forwarding. This means you can mix and match hardware from different product lines and vendors.

Extreme flexibility and extensibility

NSX is extremely flexible, highly extensible, and widely supported. A powerful traffic-steering capability allows any combination of network and security services to be chained together in any order. It's all defined by the application policies you set for each workload.

This high degree of flexibility applies not only to native NSX services but also to a wide variety of compatible third-party solutions, including virtual and physical instances of next-generation firewalls, application delivery controllers, and intrusion prevention systems.

Let's take a step back and consider the bigger picture here. The availability of many NSX-compatible products from VMware partners is a sign of industry support for the new operational model delivered by the NSX platform. This gives you greater confidence as you move into the realm of the virtualized network. You have a broad ecosystem on your side.

What It Does: The Key Capabilities of NSX

Let's look at some of the key technical capabilities of VMware NSX. At the outset, keep this point in mind: NSX virtualizes all network functions. That means things that used to be done in hardware are now done in software. In this sense, NSX is like a magic carpet that floats over all the networking gear described in the following sections.


Everything in software

Here are the key features of VMware NSX:

Logical switching: NSX allows you to reproduce the complete layer 2 and layer 3 switching functionality in a virtual environment, decoupled from the underlying hardware.

NSX gateway: This layer 2 gateway enables seamless connection to physical workloads and legacy VLANs.

Logical routing: Routing between logical switches provides dynamic routing within different virtual networks.

Logical, distributed firewalling: NSX allows you to create a distributed firewall, integrated into the hypervisor and wrapping security around each workload.

Logical load balancer: NSX provides a full-featured load balancer with SSL termination.

Logical VPN: NSX supports site-to-site and remote access VPNs in software.

NSX API: This RESTful API enables integration into any cloud management platform.

Essential isolation, segmentation, and advanced security services

Every year, businesses spend billions of dollars to secure the perimeter of their data centers. And guess what? Breaches continue to mount. Though it is an essential part of a security strategy, perimeter protection doesn't do everything you need. We need a new model for data center security. Microsegmentation, a concept I introduce in Chapter 2, provides this model.

NSX brings security inside the data center with automated fine-grained policies tied to the virtual machines. Network security policies are enforced by firewalling controls integrated into the hypervisors that are already distributed throughout the data center. These security policies move when VMs move and adapt dynamically to changes in your data center.


Virtual networks can operate in their own address spaces or have overlapping or duplicate address spaces, all without interfering with each other. Virtual networks are inherently isolated from all other virtual networks, and from the underlying physical network, by default. Each virtual network is like an island in a data center sea. This approach allows you to securely isolate networks from each other. You end up with an inherently better security model for the data center. Malicious software that slips through your firewall is no longer free to jump from server to server.

Of course, none of this means you have to give up your favorite network security solutions. NSX is a platform for bringing the industry's leading networking and security solutions into the software-defined data center. Thanks to tight integration with the NSX platform, third-party products and solutions can be deployed as needed and can adapt dynamically to changing conditions in your data center.

NSX network virtualization capabilities enable the three key functions of microsegmentation:

Isolation: No communication across unrelated networks

Segmentation: Controlled communication within a network

Security with advanced services: Made possible by tight integration with third-party security solutions

Performance and scale

NSX delivers proven performance and scale. Because networking functions are embedded in the hypervisor, NSX features a scale-out architecture that enables seamless scaling of additional capacity while also delivering solid availability and reliability.

Here's an example of the extreme scalability of NSX: In a real-world NSX deployment, a single cluster of controllers is being used to deliver more than 10,000 virtual networks, which in turn support more than 100,000 virtual machines.


In the NSX environment:

The processing required for the execution of distributed network services is only incremental to what the vSwitch is already doing for connected workloads.

The vSwitch is a module that is integrated with the hypervisor kernel, along with all the NSX network and security services.

Virtual network transport capacity scales linearly (alongside VM capacity) with the introduction of each new hypervisor/host, adding 20 Gbps of switching and routing capacity and 19.6 Gbps of firewalling capacity.

Unparalleled network visibility

NSX takes visibility into the network to an all-new level. With conventional approaches to networking, configuration and forwarding state are spread across lots of disparate network devices. This fragmentation can cloud your view and complicate troubleshooting.

By contrast, NSX provides all configuration and state information for all network connections and services in one place. Connectivity status and logs for all NSX components and virtual network elements (logical switches, routers, and the like) are readily accessible, as is the mapping between virtual network topologies and the underlying physical network. This enables full visibility of traffic between VMs even when the communicating VMs are on the same host and network traffic never reaches the physical network.

Better yet, with NSX, you have access to advanced troubleshooting tools like TraceFlow. This function injects a synthetic packet into a virtual switch port, providing the opportunity to observe the network path as it traverses physical and logical network systems. This allows administrators to identify the full path a packet takes and troubleshoot any points where the packet is dropped (for instance, because of firewall policies) along the way.

This level of visibility isn't possible if you're running traditional physical networking hardware, and it definitely wouldn't be possible with physical networking in situations where two VMs are communicating on the same host.


The Key Benefits of VMware NSX

Now we're getting to the really good stuff. Let's look at some of the ways your organization can cash in on the capabilities of network virtualization with VMware NSX. You can break the story into two camps: functional benefits and economic benefits.

Functional benefits

The functional benefits of NSX revolve around four pillars of the software-defined data center: speed, agility, security, and reliability. Let's look at how these benefits are delivered.

Creating entire networks in software in seconds

NSX arms you with a library of logical networking elements and services, such as logical switches, routers, firewalls, load balancers, VPN, and workload security. You can mix and match these components to create isolated virtual network topologies in seconds.

Minimizing the risk and impact of data breaches

You can use NSX to isolate workloads, each with its own security policies. This capability helps you contain threats and block the movement of malicious software within your data center. Better internal security can help you avoid or reduce the costs of data breaches.

Speeding IT service delivery and time to market

With network virtualization, you can reduce the time required to provision multitier networking and security services from weeks to minutes. Some enterprises use NSX to give application teams full self-service provisioning capabilities. Even better, the automation and orchestration capabilities in NSX help you avoid the risk of manual configuration errors.

Simplifying network traffic flows

You can use NSX to lessen the load of server-to-server traffic (east-west traffic) on the oversubscribed core. With a virtual network, VMs communicate with one another through the vSwitch or aggregation fabric. This cuts down on east-west traffic hops and helps you avoid the pitfalls of convoluted traffic patterns. The idea is to make better use of your current assets and avoid the costs of building up core capacity with more hardware.

Increasing service availability

Cloud-scale data centers have few outages because they have flatter fabrics with equal-cost multipath routing between any points on the network. Simplified leaf-spine fabrics make individual links or devices inconsequential. The network can withstand multiple simultaneous device failures with no outage. With the network virtualization capabilities of NSX, you can achieve the same high availability in your data center.

Economic benefits

The economic benefits of network virtualization with NSX emerge in the form of savings on both capital and operational expenditures.

Reducing the risk of costly breaches

Historically, deploying firewalls to control an increasing volume of east-west traffic inside the data center has been cost prohibitive for many enterprises. What's more, the sheer number of devices needed and the effort required to set up and manage a complex matrix of firewall rules have made this approach operationally infeasible. The microsegmentation capabilities that come with network virtualization make this all not just doable but affordable. You can now reduce the risk of cross-data center security breaches while avoiding high-dollar capital expenditures for additional hardware and software.

Reducing time and effort

Network virtualization can greatly reduce the effort and time it takes to complete network tasks. Generally, NSX reduces the effort from hours to minutes, and the cycle times from days to minutes. If you consider all the manual tasks required to provision and manage a physical network across development, testing, staging, and production environments, and the fact that NSX automates these, you begin to see lots of opportunities to reduce operational costs.

Improving server asset utilization

In traditional topologies, each network cluster has its own compute capacity. IT admins often overprovision compute to avoid the lengthy, error-prone network reconfiguration required to reach available capacity in another cluster. NSX gives you a better way to get things done. You can use NSX to bridge two or more network clusters and deploy workloads to the unused capacity. By making better use of existing server capacity, you can avoid the need to buy new physical servers.

Improving price/performance savings

Many enterprises are using the capabilities of NSX and network virtualization to replace expensive proprietary hardware with lower-cost infrastructure that can be bought from various vendors, whoever has the best price/performance.

Extending the hardware life cycle

You can use NSX to pull more value from your existing network infrastructure. Here's how: NSX offloads an increasing volume of east-west traffic from the network core. This allows you to extend the hardware lifespan without having to add expensive capacity. With NSX, the underlying network hardware becomes a simple IP-forwarding backplane. Rather than refresh your networking gear at the end of the accounting depreciation cycle, you can use it for longer periods. With this approach, you touch the hardware only to add more capacity or to replace individual devices when they fail.


Chapter 4

Network Virtualization Use Cases

In This Chapter

Enhancing data center security

Automating IT processes

Improving application continuity

In this chapter, I walk through a series of examples of the way people are putting network virtualization into action.

As I note in Chapter 3, virtualization with NSX is not an all-or-nothing approach. You don't have to virtualize your entire network. You can virtualize portions of your network for targeted use cases and then expand your use of virtualization over time.

And here's a cool fact: Enterprises can often justify the cost of NSX through a single use case while they establish a strategic platform that automates IT and drives additional use cases and projects over time.

In the following sections, I drill down into some of the more common use cases, to show how you can use network virtualization to speed up processes, strengthen security, and keep your applications up and running.

Securing the Data Center

As I note elsewhere, security is a huge and ever-growing concern for enterprises. Here are some of the ways that network virtualization can help you mitigate the risks of data breaches.

Limiting lateral movement within the data center

Modern attacks exploit inherent weaknesses in traditional perimeter-centric network security strategies to infiltrate enterprise data centers. After successfully evading the data center's perimeter defenses, an attack can move laterally within the data center from workload to workload with little or no controls to block its propagation.

Microsegmentation of the data center network restricts unauthorized lateral movement but, until now, hasn't been operationally feasible in data center networks.

Traditional packet-filtering and advanced next-generation firewalls implement controls as physical or virtual chokepoints on the network. As application workload traffic passes through these control points, network packets are either blocked or allowed to traverse the firewall based on the firewall rules that are configured at that control point.

There are two key operational barriers to microsegmentation using traditional firewalls: throughput capacity and security management.

Limitations on transport capacity can be overcome, but at a significant cost. It's possible to buy enough physical or virtual firewalls to deliver the capacity required to achieve microsegmentation, but in most (if not all) organizations, purchasing the number of firewalls necessary for effective microsegmentation isn't financially feasible. I'm effectively talking about a separate firewall per virtual machine. How many virtual machines does your data center have? Hundreds? Thousands? This would mean potentially thousands of firewalls for a typical data center.

The burden of security management also increases exponentially with the number of workloads and the increasingly dynamic nature of today's data centers. If firewall rules need to be manually added, deleted, and/or modified every time a new VM is added, moved, or decommissioned, the rate of change quickly overwhelms IT operations. It's this barrier that has been the demise of most security teams' best-laid plans to realize a comprehensive microsegmentation or least-privilege, unit-level trust strategy in the data center.

The software-defined data center (SDDC) leverages a network virtualization platform to offer several significant advantages over traditional network security approaches: automated provisioning, automated move/add/change for workloads, distributed enforcement at every virtual interface and in-kernel, and scale-out firewalling performance, distributed to every hypervisor and baked into the platform.
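An added example, not NSX's code or API, that ties together the isolation and segmentation functions of microsegmentation from Chapter 3 and the rule-churn barrier just described. A tag-based distributed firewall is evaluated beside an address-keyed chokepoint rule set for a constructed three-tier application; all workload names, tags, addresses and ports are invented for the illustration. The move scenario makes the operational point concrete: re-addressing one VM silently breaks the chokepoint rule until someone edits it, while the policy tied to workload identity is unchanged.

```python
"""Worked example (added here, not NSX code or its API): a tag-based
distributed firewall that realizes the isolation and segmentation functions
of microsegmentation, side by side with the address-keyed chokepoint rule set
it replaces. It shows why the chokepoint model collapses under the rule churn
described above, while a policy tied to workload identity survives a move.
All workload names, tags, addresses and ports are constructed sample values."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    name: str
    network: str           # logical switch / virtual network the vNIC attaches to
    ip: str
    tags: frozenset        # security-group membership; travels with the VM, not the IP


@dataclass(frozen=True)
class Rule:
    name: str
    src_tag: Optional[str]     # None matches any source in the same virtual network
    dst_tag: str
    service: Tuple[str, int]   # (protocol, destination port)
    action: str                # "allow" or "block"


class DistributedFirewall:
    """The same rule table enforced in-kernel at every vNIC on every hypervisor."""

    def __init__(self, rules: List[Rule], default: str = "block"):
        self.rules = list(rules)
        self.default = default     # default deny: anything not listed is dropped

    def evaluate(self, src: Workload, dst: Workload, proto: str, port: int) -> Tuple[str, str]:
        # Isolation: unrelated virtual networks never exchange traffic, so a
        # duplicate address in another network is simply a different island.
        if src.network != dst.network:
            return "block", "isolation: different virtual networks"
        # Segmentation: first matching rule wins; identity comes from tags.
        for r in self.rules:
            if (r.dst_tag in dst.tags and (r.src_tag is None or r.src_tag in src.tags)
                    and r.service == (proto, port)):
                return r.action, r.name
        return self.default, "default policy"


class IpChokepointFirewall:
    """Conventional rule set keyed on addresses, as on a centralized firewall."""

    def __init__(self, rules: List[Tuple[str, str, str, int, str]]):
        self.rules = list(rules)   # (src_ip, dst_ip, proto, port, action)

    def evaluate(self, src: Workload, dst: Workload, proto: str, port: int) -> Tuple[str, str]:
        for s_ip, d_ip, pr, pt, action in self.rules:
            if (s_ip, d_ip, pr, pt) == (src.ip, dst.ip, proto, port):
                return action, f"{s_ip}->{d_ip}:{pt}/{pr}"
        return "block", "default policy"


# Constructed three-tier application on virtual network "app-net".
WEB = Workload("web-01", "app-net", "10.0.1.10", frozenset({"web"}))
APP = Workload("app-01", "app-net", "10.0.2.10", frozenset({"app"}))
DB = Workload("db-01", "app-net", "10.0.3.10", frozenset({"db"}))
# Another tenant reusing web-01's address on an unrelated virtual network.
OTHER = Workload("web-99", "tenant-b-net", "10.0.1.10", frozenset({"web"}))

DFW = DistributedFirewall([
    Rule("web-to-app", "web", "app", ("tcp", 8443), "allow"),
    Rule("app-to-db", "app", "db", ("tcp", 5432), "allow"),
])

# The same intent written as address rules on a chokepoint firewall.
LEGACY = IpChokepointFirewall([
    ("10.0.1.10", "10.0.2.10", "tcp", 8443, "allow"),
    ("10.0.2.10", "10.0.3.10", "tcp", 5432, "allow"),
])


def after_move(workload: Workload, new_ip: str) -> Workload:
    """Simulate moving a VM to a cluster with different addressing: the IP
    changes, the tags (and therefore the policy) do not."""
    return replace(workload, ip=new_ip)


if __name__ == "__main__":
    flows = [(WEB, APP, "tcp", 8443), (WEB, DB, "tcp", 5432),
             (APP, DB, "tcp", 5432), (OTHER, APP, "tcp", 8443)]
    for s, d, pr, pt in flows:
        print(f"{s.name:7} -> {d.name}:{pt}  dfw={DFW.evaluate(s, d, pr, pt)}  "
              f"legacy={LEGACY.evaluate(s, d, pr, pt)}")
    moved = after_move(APP, "10.0.9.10")
    print("after move  dfw   :", DFW.evaluate(moved, DB, "tcp", 5432))
    print("after move  legacy:", LEGACY.evaluate(moved, DB, "tcp", 5432))
```

Two results are worth reading closely. The tenant-B workload that reuses web-01's address is blocked by the distributed firewall on isolation grounds before any rule is consulted, whereas an address-keyed rule cannot tell the two apart and lets it through. After app-01 is re-addressed, the tag-based policy still allows it to reach the database, while the chokepoint rule set falls back to its default and the application breaks until an operator edits the rule, which is precisely the manual add/modify cycle the text above identifies as the barrier to microsegmentation.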

The growth of east-west traffic within the data center

Over the past decade, applications have increasingly been deployed on multitier server infrastructures, and east-west server-to-server communications now account for significantly more data center traffic than north-south client-to-server and Internet communications. In fact, traffic inside the data center now accounts for as much as 80 percent of all network traffic. These multitier application infrastructures are typically designed with little or no security controls to restrict communications between systems.

Attackers have modified their attack strategy to take advantage of this paradigm shift in data center traffic, as well as the fact that prevailing perimeter-centric defense strategies offer little or no controls for network communications within the data center. Security teams must likewise extend their defense strategy inside the data center, where the vast majority of network traffic actually exists and is unprotected, instead of focusing almost exclusively on perimeter defenses.

Visibility and context

The growt