VMware NSX Data Plane — Components & their interaction

In this post we'll discuss about the NSX data plane, it's components and how these data plane components interact with each other.




NSX Data Plane Components

The NSX data plane consists of the VMware NSX Virtual Switch which is based on vSphere Distributed Switch with additional components to enable services. NSX kernel modules, user-space agents, configuration files, and install scripts are packged in a vSphere Installation Bundle (VIB) and run with the hypervisor kernel to provide services such as logical switching, distributed routing, and logical firewall.

The NSX data plane also includes the NSX Edge Services Gateway, a virtual appliance that offers routing and NAT, perimeter firewall, load-balancing, and other services such as VPN and DHCP.


vSpher Distributed Switch abstracts the physical network and provides access-level switching in the hypervisor. It is central to network virtualization because it enables logical networks that are independent of physical constructs, such as VLANs.

Some of the benefits of vSphere Distributed Switch are:
  • Support for overlay networking with centralized network configuration
  • Facilitates a massive scale of hypervisors
  • Provides multiple features such as port mirroring, configuration backup and restore, network health check, QoS, and LACP.


NSX hypervisor kernel modules bring additional capabilities that include:
  • Support for overlay networking with VXLAN and centralized network configuration
  • Hypervisor-embedded first-hop routing for east-west traffic optimization
  • Distributed firewall for micro-segmentation


In an NSX domain, NSX Virtual Switch is the software that operates in server hypervisors to form a software abstraction layer between servers and the physical network.

NSX Virtual Switch is based on vSphere distributed switches which provide uplinks for host connectivity to the top-of-rack (ToR) physical switches. As a best practice, VMware recommends to plan and prepare your vSphere distributed switches before installing NSX for vSphere:
  • NSX services are not supported on vSphere Standard Switch.
  • VM workloads must be connected to vSphere distributed switches to use NSX services and features.
  • A single host can be attached to multiple vSphere distributed switches.
  • A single vSphere distributed switch can span multiple hosts across multiple clusters.
  • For each host cluster that will participate in NSX, all hosts within the cluster must be attached to a common vSphere distributed switch.



NSX and vSphere Distributed Switch

Often, to simplify a deployment, each cluster of hosts is associated with only one vSphere distributed switch even though some of the vSphere distributed switches span multiple clusters.
For example, suppose your vCenter Server system contains the following host clusters:
  • SA-Compute-01 cluster for compute hosts
  • SA-Management for management and edge hosts 

The image below shows how these clusters might appear in vCenter Server


Each vSphere distributed switch contains distributed port groups for the different types of traffic that need to be carried. Typical traffic types include management, production virtual machine, and vMotion. Normally, one port group for each traffic type is created on each vSphere distributed switch. A Distributed Uplink PortGroup is also required for connection to the physical network.
The following screen shows how these distributed switches and ports appear in vCenter Server:




NSX VXLAN Enhancements: Data Plane

The data plane supports multiple VXLAN VMkernel adapters per host to provide additional options for uplink load distribution.
Overlay networks provide logical switches based on the VXLAN protocol, decoupling the physical network.
Additional data plane enhancements include:
  • DSCP and class of service (CoS) tags from an internal frame copied to an external VXLAN encapsulated header
  • Dedicated TCP/IP stacks for VXLAN
  • Support for VXLAN hardware off-loading to network adapters


Learn more about VMware NSX here




Comments

Popular posts from this blog

Anyconnect SSL-Client VPN with Self-signed Certificate on Cisco ASA

Filtering Routes in BGP using Route-maps and Prefix-list

Open Shortest Path First (OSPF)

IKEv2 IPsec Site-to-Site VPN configuration on Cisco ASA 8.4(x)

IPsec VPN as a Backup for Point-to-Point Link using IP SLA

Border Gateway Protocol (BGP)

Cisco ASA Active/Active Failover Configuration

Bypassing Proxy Server in Google Chrome

Cisco ASA Active/Standby Failover Configuration