Advanced Topics & Future Directions in Network Virtualization with NSX

NET1674

Bruce Davie, VMware, Inc

Disclaimer •  This presentation may contain product features that are currently under development. •  This overview of new technology represents no commitment from VMware to deliver these

features in any generally available product. •  Features are subject to change, and must not be included in contracts, purchase orders, or

sales agreements of any kind.

•  Technical feasibility and market demand will affect final delivery. •  Pricing and packaging for any new technologies or features discussed or presented have not

been determined.

CONFIDENTIAL 2

Objectives •  Provide an update on latest NSX capabilities •  Provide some insight into future NSX direction

•  Deepen your understanding of network virtualization and its value

3 CONFIDENTIAL

Overview •  Network Virtualization in One Slide •  Physical Network Integration

•  Encapsulations •  Service Chaining

•  Multi-site Network Virtualization

•  Summary

4 CONFIDENTIAL

Network Virtualization – an Analogy

CONFIDENTIAL 5

Physical Compute & Memory

Hypervisor Requirement: x86

Virtual Machine

Virtual Machine

Virtual Machine

Application Application Application

x86 Environment

Physical Network

Network Virtualization Platform Requirement: IP Transport

Virtual Network

Virtual Network

Virtual Network

Workload Workload Workload

L2, L3, L4-7 Network Services

Decoupled

VLAN

L2

L3

Virtual Network L2

NSX – Network Virtualization Platform

Physical Network

vSphere Host vSphere Host KVM Xen Server

NSX vSwitch NSX vSwitch Open vSwitch Open vSwitch

Hardware Software

Controller Cluster

VLAN

VTEP API HW Partner

Northbound NSX API

Cloud Management Platform

NSX Edge

API (OVSDB)

Tunnels (VXLAN)

Physical Workloads

Controller Cluster

Hypervisor vSwitch

Hypervisor vSwitch

Hypervisor vSwitch

Hypervisor vSwitch

Logical network

Connecting the Physical to the Virtual

DB VM MACS

PHYMACS

IP Underlay (no mulitcast required)

Distributed Logical Routing (P V)

Hypervisor vSwitch

Physical View Logical View

192.168.2.254 192.168.1.254

192.168.1.1 192.168.2.1

192.168.1.1

192.168.2.1

Packet Walk

Hypervisor vSwitch

192.168.1.1

192.168.2.1

ARP: IP=192.168.1.254 SRCMAC=VM

ARP: IP=192.168.2.1 SRCMAC=Hypervisor VNI=2

ARP_REP: IP=192.168.1.254 MAC=LogicalRouter_A

ARP: IP=192.168.2.1 SRCMAC=LogicalRouter_B

ARP_REP: IP=192.168.2.1 MAC=Physical

ARP_REP: IP=192.168.2.1 MAC=Physical VNI=2

Distributed L3 •  The other paths (PèV, VèV, PèP) are similar

–  Router’s ARP reply always comes from nearby VTEP or vswitch –  That node then ARPs toward the ultimate destination

•  Note that the LR is fully distributed among VTEPs and vswitches –  Any E-W traffic will travel directly between hypervisors –  No single device does all routing

CONFIDENTIAL 10

VTEP Futures •  BFD health monitoring

–  Mitigate service node failures –  Provide overlay health monitoring/troubleshooting

•  ACL configuration

•  QoS – DSCP setting •  Higher layer services (e.g. ADCs)

11 CONFIDENTIAL

Handling Elephant Flows 1.  Detect Elephants

–  Must be long-lived and high-bandwidth –  vSwitch ideally suited for task, maybe combine with central control

2.  Do something with them: –  Mark the outer DSCP –  Put them in a queue separated from mice –  Route along their own path or network –  Convert to mice

CONFIDENTIAL 12

Results – flow statistic detection & alternate queue reaction

13

0

1

2

3

4

5

6

7

8

9

10

500

550

600

650

700

750

800

850

900

950

1000

1 11 21 31 41 51 61 71 81 91 101 111 121 131

Late

ncy

ms)

Ban

dwid

th (M

bps)

Time (Secs)

Mice vs Elephants (Detection off)

Elephant

Mice

cumulusnetworks.com

Results – flow statistic detection & alternate queue reaction

14

0

1

2

3

4

5

6

7

8

9

10

500

550

600

650

700

750

800

850

900

950

1000

1 11 21 31 41 51 61 71 81 91 101 111 121 131

Late

ncy

(ms)

Ban

dwid

th (M

bps)

Time (Secs)

Mice vs Elephants (Detection on)

Elephant

Mice

cumulusnetworks.com

Tunneling •  Networking people love to argue about tunnel formats •  Primarily a low-level detail of the implementation

•  But tunnel format matters: –  Interoperability (HW + SW endpoints) –  ECMP on current switches –  Extensibility –  Performance –  Visibility

•  Current options (VXLAN, NVGRE, STT) all fall short somewhere •  Enter Geneve (Generic Network Virtualization Encapsulation)

–  VMware, Microsoft, Red Hat, Intel (the x86 world)

CONFIDENTIAL 15

Tunnels are like cables Physical

Hypervisor Hypervisor

WORLD

Virtual Network

STT

VXLAN VXLAN Cable Cable

Cable

Copper Cable

Controller Third party hardware

Geneve

Geneve Geneve

Geneve Header

MAC IP

UDP Geneve

Inner Eth Inner IP Inner L4 Payload

Options

+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ |Ver| Opt Len |O|C| Rsvd. | Protocol Type | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Virtual Network Identifier (VNI) | Reserved | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | Variable Length Options | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

CONFIDENTIAL 17

How the Options Are Used •  <Type, length, value> structure

–  Type is structured to allow vendor-specific options

•  “C” bit indicates “critical” options •  Example use:

–  convey the source or dest of a packet when that info can’t be determined from other fields •  e.g. ARP request from a logical router could be from anywhere physically •  Mirrored packets might be sent somewhere other than dest address

–  Indicate traceflow packets –  Carry logical port info for egress policy –  State versioning –  Service chaining –  etc.

CONFIDENTIAL 18

What about VXLAN, STT, etc.? •  Hardware that supports VXLAN and STT will be around for a long time •  If you’re buying switches today, they’ll support VXLAN

•  VXLAN NIC offloads also available today •  Of course we’ll continue to support VXLAN & STT

–  Easy for us to support multiple encapsulation types –  We mix & match STT & VXLAN (and GRE) today

•  Geneve goal is that we don’t need another encap for a long time

19 CONFIDENTIAL

Service Chaining

•  Creating a graph of services (e.g. load balance, firewall, WAN optimize, etc.) •  Network virtualization provides a natural way to do this in automated manner

–  Creating virtual topologies

•  Often need to pass metadata along the chain –  e.g. make the results of a classification step available to a later node –  Ongoing argument about how to pass this metadata – Geneve provides a reasonable option

Partner VNF Firewall VPN

IPsec/SSL

CONFIDENTIAL 20

Service Chaining Example: E-W Firewall & Routing

Logical View

Hypervisor1 Hypervisor1

vSwitch

Hypervisor1 Hypervisor2

vSwitch

3rd Party FW 3rd Party FW

Physical View

Web App

Web App

Multi-Site Network Virtualization •  We support some multi-site scenarios today (see NET1974)

–  E.g. stretched metro cluster –  Snapshot, clone, restore across locations

•  Important to think of the full picture, not just networking –  E.g. do you want to migrate a VM across the WAN without its data? –  Where does your Cloud Management Platform live? How many CMP instances?

•  Lots of distinct use cases è plenty of work ongoing

22

The Multi-Site Spectrum

23

Single DC Federation

Geographically Dispersed DCs

Metro Area DCs

Sub-ms latency High BW

Low-ms latency High BW

100-ms latency Constrained BW

CONFIDENTIAL

IP/MPLS CORE

PE To Customer Sites

Connecting Virtualized Data Centers to the WAN

Hypervisor Hypervisor Hypervisor

NSX Edge

vSwitch vSwitch vSwitch

Using “Option B” to Map Logical Networks to MPLS Labels

NSX Edge

Logical Network Prefixes advertised in MP-BGP with MPLS

labels

ASBR To Customer Sites

MPLS Core

Treat interface like inter-AS (RFC 4364)

MPLS Labelled Packets mapped to/from logical networks

WAN

Multi-site using MP-BGP

Hypervisor Hypervisor Hypervisor NSX Edge

vSwitch vSwitch vSwitch Hypervisor Hypervisor Hypervisor

NSX Edge

vSwitch vSwitch vSwitch

MP-BGP

WAN

Multi-site using MP-BGP

Hypervisor Hypervisor Hypervisor NSX Edge

vSwitch vSwitch vSwitch Hypervisor Hypervisor Hypervisor

NSX Edge

vSwitch vSwitch vSwitch

MP-BGP

VM VM

NSX API NSX API

VM

NSX  Controller   NSX  Controller   NSX  Controller   NSX  Controller  NSX  Controller  

Controller State Distribution

•  All nodes active

•  Workload sliced among nodes

•  Logical network state – semantically rich

Node5  Node4  

WebService  API  

Persistent  Storage  

Logical    Network  

Transport    Network  

Node1   Node2   Node3  

Controller  Cluster  

NSX  Controller   NSX  Controller   NSX  Controller   NSX  Controller  NSX  Controller  

Controller State Distribution

Node5  Node4  

WebService  API  

Persistent  Storage  

Logical    Network  

Transport    Network  

Node1   Node2   Node3  

Controller  Cluster  

Summary •  Network virtualization – not just for the bleeding edge •  Physical networks are part of the story

–  Control the physical edge for non-virtualized workloads and north-south traffic –  Communicate with the underlay for congestion/elephant flow mitigation –  Keep moving up the stack

•  Tunneling – a detail, but an important one

•  Multi-site –  Consider use case & complete system –  Some solutions today, more soon

•  Exciting times for networking!

30

Related Sessions

Hands-on Labs

32

•  SDC-1402 vSphere Distributed Switch from A to Z •  SDC-1403 Introduction to VMware NSX •  SDC-1420 OpenStack with VMware vSphere and NSX •  SDC-1423 vCloud Suite Basic Networking •  SDC-1424 VMware NSX and SDDC •  SDC-1425 VMware NSX Advanced

Advanced Technical Track - Networking

CONFIDENTIAL 33

•  NET1949 VMware NSX for Docker, Containers & More •  NET1589 Reference Design for SDDC with NSX & vSphere •  NET1583 NSX for vSphere Logical Routing Deep Dive •  NET1974 Multi-Site Data Center Solutions with VMware NSX •  NET1966 Operational Best Practices for VMware NSX •  NET1592 Under the Hood: Network Virtualization with OpenStack Neutron & VMware NSX

Group Discussions - Networking •  NET3441-GD vSphere Distributed Switch •  NET3442-GD vCAC and NSX •  NET3443-GD NSX Routing Design Best Practices •  NET3445-GD NSX Multi Site Deployments •  NET3444-GD NSX Network Services

Technical Track - Networking

CONFIDENTIAL 34

•  NET1846 Introduction to NSX •  NET1743 VMware NSX – A Technical Deep Dive •  NET1957 NFV for Telco Infrastructure •  NET1468 A Tale of Two Perspectives: IT Operations with VMware NSX •  NET1586 Advanced Network Services with NSX •  NET1560 The NSX Guide to Horizon View •  NSX1883 NSX Performance Overview •  NSX1588 Load Balancer as a Service, using NSX or Partner Solutions •  NET1401 vSphere Distributed Switch Best Practices for NSX •  NET2318 Scale-Out NSX Deployments: With VMware-powered SDDC •  NET1581 Reference Design for SDDC with NSX for Multi-Hypervisors •  NET2379 Dynamically Configuring Application Specific Network Services for vCAC &NSX •  NET2225 NSX Platform: Enabling 3rd Party Network & Security Solutions

Thank You Bruce Davie bdavie@vmware.com

Thank You

Fill out a survey Every completed survey is entered into a

drawing for a $25 VMware company store gift certificate

Advanced Topics & Future Directions in Network Virtualization with NSX

NET1674

Bruce Davie, VMware, Inc