VMware NSX Basics

-

What is VMware NSX?

VMware NSX is a Network Virtualization Product which can deliver network on demand as well as virtual network over a physical network and network security.

VMware NSX Data Center is a complete Layer2-Layer7 networking and security virtualization platform that brings the public cloud experience to your private cloud.

VMware NSX is designed to address application frameworks and architectures that have heterogeneous endpoints and technology stacks. In addition to vSphere, these environments can include other hypervisors, KVM, containers, and Bare Metal. VMware NSX is designed to span a software defined network and security infrastructure across platforms other than just vSphere alone. While it is possible to deploy NSX components without needing vSphere, this design focuses on NSX and its integration primarily within a vCenter Server vSphere automated deployment.

What is NSX-V and NSX-T?

VMware launched NSX-V as a first product for vSphere only. But later on they introduced NSX-T to support vSphere, KVM, Bare Metal etc..

 

What is NSX-T Edge?

VMware NSX-T Edge is a logical router (T0) in a virtual machine form factor or bare metal. It is a logical router through which NSX virtual network can connect to physical network via BGP/OSPF Dynamic routing protocol or static routing for connectivity between NSX Edge T0 router and physical network router.

Each logical router contains a services router (SR) and a distributed router (DR). A DR is distributed across all transport nodes that belong to the same transport zone and an SR is centrally instantiated on the Edge Appliance(s). An SR instance is required for services that cannot be distributed i.e. Physical Connectivity, NAT, DHCP, VPN, Gateway firewall, IDS/IPS,Load Balancers, etc.


NSX-V vs NSX-T Terminology

NSX-V or vSphere native

NSX-T

Virtual Distributed Switch (VDS)

NSX Virtual Distributed Switch (N-VDS) and VDS vSphere platform only

NSX Transport zone

Transport zone (overlay or VLAN-backed)

Port groups (vDS)

Segments or Logical Switch

VXLAN (L2 encapsulation)

GENEVE (L2 encapsulation)

Edge Gateway

Tier-0 (T0) Gateway

Distributed Logical Router

Tier-1 (T1) Gateway

ESXi Server

Transport Node (ESXi, KVM, Bare metal)

In NSX-T, we have 2 gateways (Virtual Routers) T0 and T1.

T0 Gateway or Router is a virtual router instance also known as Service Router. It is always running on Edge VM or Bare Metal server. This T0 gateway provides North-South connectivity with Physical Network using static routes or BGP or OSPF connectivity.

T0 provides services like Edge/Gateway Firewall, Load Balancing, NAT, DHCP, North-South Routing, VPN, VRF Lite etc.

T1 Gateway or Distributed Logical Router is a kernel module running on Transport Nodes like ESXi, KVM, Bare Metal. It provides basic packet forwarding and distributed east-west routing functions spans all transport nodes.


Compute Manager
A compute manager is an application that manages resources such as hosts and VMs. One example is vCenter Server.
Control Plane
Computes runtime state based on configuration from the management plane. Control plane disseminates topology information reported by the data plane elements, and pushes stateless configuration to forwarding engines.
Data Plane
Performs stateless forwarding or transformation of packets based on tables populated by the control plane. Data plane reports topology information to the control plane and maintains packet level statistics.
External Network
A physical network or VLAN not managed by NSX-T Data Center. You can link your logical network or overlay network to an external network through a Tier-0 router or NSX Edge.
Logical Port Egress
Outbound network traffic leaving the VM or logical network is called egress because traffic is leaving virtual network and entering the data center.
Logical Port Ingress
Inbound network traffic leaving the data center and entering the VM is called ingress traffic.
Logical Router
NSX-T Data Center routing entity that provide connectivity between different L2 networks. Configuring a logical router through NSX Manager instantiates a logical router on each hypervisor.
Logical Router Port
Logical network port to which you can attach a logical switch port or an uplink port to a physical network.
Logical Switch Port
Logical switch attachment point to establish a connection to a virtual machine network interface or a logical router interface. The logical switch port reports applied switching profile, port state, and link status.
Management Plane
Provides single API entry point to the system, persists user configuration, handles user queries, and performs operational tasks on all of the management, control, and data plane nodes in the system. Management plane is also responsible for querying, modifying, and persisting user configuration.
NSX Edge Cluster
Is a collection of NSX Edge node appliances that have the same settings and provide high availability if one of the NSX Edge node fails.
NSX Edge Node

Edge nodes are service appliances with pools of capacity, dedicated to running network services that cannot be distributed to the hypervisors.

Tier-0 Logical Router
A Tier-0 Logical Router provides north-south connectivity and connects to the physical routers. It can be configured as an active-active or active-standby cluster. The Tier-0 gateway runs BGP and peers with physical routers. In active-standby mode the gateway can also provide stateful services.
Tier-1 Logical Router
A Tier-1 logical router connects to one Tier-0 logical router for northbound connectivity to the subnetworks attached to it. It connects to one or more overlay networks for southbound connectivity to its subnetworks. A Tier-1 logical router can be configured as an active-standby cluster.
Transport Zone
Collection of transport nodes that defines the maximum span for logical switches. A transport zone represents a set of similarly provisioned hypervisors and the logical switches that connect VMs on those hypervisors. It also has been registered with the NSX-T Data Center management plane and has NSX-T Data Center modules installed. For a hypervisor host or NSX Edge to be part of the NSX-T Data Center overlay, it must be added to the NSX-T Data Center transport zone.
Transport Node
A fabric node is prepared as a transport node so that it becomes capable of participating in an NSX-T Data Center overlay or NSX-T Data Center VLAN networking. For a KVM host, you can preconfigure the N-VDS or you can have NSX Manager perform the configuration. For an ESXi host, NSX Manager always configures the N-VDS.
Uplink Profile
Defines policies for the links from hypervisor hosts to NSX-T Data Center logical switches or from NSX Edge nodes to top-of-rack switches. The settings defined by uplink profiles might include teaming policies, active/standby links, the transport VLAN ID, and the MTU setting. The transport VLAN set in the uplink profile tags overlay traffic only and the VLAN ID is used by the TEP endpoint.
VM Interface (vNIC)
Network interface on a virtual machine that provides connectivity between the virtual guest operating system and the standard vSwitch or vSphere distributed switch. The vNIC can be attached to a logical port. You can identify a vNIC based on its Unique ID (UUID).
Virtual Tunnel Endpoint
Each hypervisor has a Virtual Tunnel Endpoint (VTEP) responsible for encapsulating the VM traffic inside a VLAN header and routing the packet to a destination VTEP for further processing. Traffic can be routed to another VTEP on a different host or the NSX Edge gateway to access the physical network.

Policy Mode and Manager Mode Use cases
Policy ModeManager Mode
Most new deployments should use Policy mode.

NSX Federation supports only Policy mode. If you want to use NSX Federation, or might use it in future, use Policy mode.

Deployments which were created using the advanced interface, for example, upgrades from versions before Policy mode was available.
NSX Cloud deploymentsDeployments which integrate with other plugins. For example, NSX Container Plug-in, Openstack, and other cloud management platforms.
Networking features available in Policy mode only:
  • DNS Services and DNS Zones
  • VPN
  • Forwarding policies for NSX Cloud
Networking features available in Manager mode only:
  • Forwarding up timer
Security features available in Policy mode only:
  • Endpoint Protection
  • Network Introspection (East-West Service Insertion)
  • Context Profiles
    • L7 applications
    • FQDN
  • New Distributed Firewall and Gateway Firewall Layout
    • Categories
    • Auto service rules
    • Drafts
Security features available in Manager mode only:
  • Bridge Firewall


Names for Objects Created in Policy Mode and Manager Mode

 

The objects you create have different names depending on which interface was used to create them.

Object Names

Objects Created Using Policy Mode                       Objects Created Using Manager Mode

Segment                                                                           Logical Switch

Tier-1 gateway                                                                 Tier-1 logical router

Tier-0 gateway                                                                  Tier-0 logical router

Group                                                                                NSGroup, IP Sets, MAC Sets

Security Policy                                                                   Firewall section

Gateway firewall                                                                Edge firewall


                                            

Comments

Post a Comment

Popular posts from this blog

How to migrate the N-VDS as the host switch to VDS 7.0 in NSX-T 3.x

-
Image
  Hello There, In this article, i am covering how to migrate the ESXi host switch from N-VDS to VDS 7.0 switch in NSX-T 3.2.x version. When using N-VDS as the host switch,  NSX-T  is represented as an opaque network in  vCenter Server . N-VDS owns one or more of the physical interfaces (pNICs) on the transport node, and port configuration is performed from  NSX-T Data Center . You can migrate your host switch to  vSphere  Distributed Switch (VDS) 7.0 for optimal pNIC usage and manage the networking for  NSX-T  hosts from  vCenter Server . When running  NSX-T  on a VDS switch, a segment is represented as an  NSX-T  Distributed Virtual Port Groups. Any changes to the segments on the  NSX-T  network are synchronized in  vCenter Server. We have an NSX-T environment running with NSX-T 3.2.2.1 version. this environment was designed and implemented with NSX-T 2.x version and that time we used the N-VDS as host...
Read more

vROPS appliances password remediation tasks failed from SDDC manager

-
Image
Issue details:-   Password remediation tasks on SDDC manager getting failed with below error. However, we are able to connect SSH with root password on the vROPS appliances, no issues with credentials. I checked Operations logs on SDDC manager and found below logs, indicating the SSH connectivity issues from SDDC to vROPS appliances. Tried to do SSH vROPS appliance from SDDC manager, getting below error... Seems some issue with ECDSA key.. Resolution:- SSH to vROPS appliance and retrieve the ECDSA ssh keys as below. Now, we have 2 options to update the correct SSH keys for vROPS appliance on SDDC manager known_Hosts files located at below location.   /root/.ssh/known_hosts   /etc/vmware/vcf/commonsvcs/known_hosts   /home/vcf/.ssh/known_hosts   /opt/vmware/vcf/commonsvcs/defaults/hosts/known_hosts First option is manually copy and paste the SSH key on all the known_hosts files and restart the SDDC manager services and then try to remediate the password again...
Read more

How to Import/Register a VM into vRA portal

-
Image
You can import an unmanaged virtual machine to a vRealize Automation environment. An unmanaged virtual machine exists in a vCenter but is not managed in a vRealize Automation environment and cannot be viewed in the vRA portal . Once you import an unmanaged virtual machine, the virtual machine is managed by using the vRealize Automation management interface. you can see the virtual machine on the Managed Machines tab or the Items tab. Please follow below steps to Import/Register VM into a vRA portal. Log in to vRealize Automation as a fabric administrator and as a business group manager. If you are importing virtual machines that use static IP addresses, prepare a properly configured address pool.  If you use bulk import to import a virtual machine with a static IP address that is allocated to another virtual machine, the import fails. Create a Blueprint and should not have even network attached as well. See below snapin. Create Network profile that s...
Read more