The Way We Define a Network Is Changing – AGAIN!


Republished June 19th, 2024, to update to the newest NSX.

by

Bill Ferguson, VCI3,4,5,6, 2024 VCP-DCV/NV/CMA, CCSI, MCT Alumni...


Networking in the Past

When I first started teaching Cisco classes, I remember the spaghetti-like mess of cables that was strewn all over the classrooms. You may have taken one or two of those types of classes. We carefully installed, powered on, and configured each piece of equipment that would be used for our labs. Since each student wanted to install and configure his/her own gear as they attempted to connect to the same network, there was always a central core of cables that you could literally trip over! Figure 1 is a photo from one of my very early Cisco classes, and Figure 2 shows an example of poor cable management (i.e., a spaghetti mess).

Figure 1: One of my old Cisco classes!

Figure 2: Poor cable management in the classroom (a “spaghetti mess”)

In businesses with which I've consulted, network administrators have always done a much better job of cable management than we did in class, but they were still required to configure each component of the network individually by logging into its console locally or by a remote connection. Sure, they could save some time with scripts or by copying and pasting configs, but that still required "touching" each piece of the gear individually.

In addition, as security became more and more of a concern, many security mechanisms such as firewalls and IDS/IPS systems were added almost as an "afterthought" instead of being built into the servers and networks in the beginning. This meant that every network change involved keeping up with network diagrams with IP addresses and subnet information so as to apply those changes to only the right places in the network.

With each attempt to improve the network, a new device, or at least a new configuration of an existing device, was needed. This meant that the network admin was always balancing the attempt to make the network better against the risk of "breaking" something else in the process. For example, a router might be configured with NAT or with a VPN tunnel; but how would that affect the other parts of the network and their connectivity?

Finally, in regard to connectivity, administrators generally configured their local area network (LAN) and then used wide area network (WAN) connections to add remote locations that they also managed. Layer 2 segments were further divided into broadcast domains using routers or Layer 3 switches. Then, Layer 3 domains were used first to segment traffic and eventually to connect it to other Layer 3 domains and even to the Internet. The concept of connecting multiple Layer 3 segments with a Layer 2 overlay would have been completely foreign to the admins in my "spaghetti-strewn" Cisco classes; but that is exactly what we are doing now!

How Will NSX Change the Way You Build, Manage, and Secure Your Network?

To understand what we are about to cover, you have to expand your mind. I assume that you understand physical switches and physical routers and have a general idea of what they do. In addition, I assume that you understand at least a little about virtual switches and virtual routers and how they have been used in virtual data centers. With VMware NSX, however, we are not only creating virtual switches and virtual routers, but we are using these components to build a new logical network. This new logical network does not have to play by the rules of the previous networks that you've used and managed, at least not all of them. For example, we can apply micro-segmentation of networking and security in ways that were not possible before NSX. In addition, using a Virtual Extensible Local Area Network (VXLAN) called Generic Network Virtualization Encapsulation (GENEVE), we can stretch this newer and more secure logical network across multiple Layer 3 domains, in our case datacenters, and that means that we can finally realize the full network potential of the Software-Defined Data Center (SDDC).

To begin to understand NSX, you should first familiarize yourself with NSX terms. That way, as you acquire more information, you will have a foundational understanding to support it. Therefore, the following is a list of NSX and logical networking terms with which you should be familiar.

A brief description of each term follows:

Software-Defined Data Center: A datacenter in which the intelligence regarding compute, storage, security, and networking has been moved from the hardware devices up into the software, in such a manner that the entire data center can be programmatically configured and managed from a central location or set of tools.

Segment: A logical network that is built from physical gear at its base but that controls the flow of traffic in the software layers before the traffic actually reaches the physical gear. The logical network determines which physical gear the traffic will use and how it will gain access to it. It can also be used to improve security and performance for the applications connected to it.

Transport Zone: A selection of clusters of hosts that can be in the same datacenter or, using VXLAN, in different datacenters anywhere in the world! In the newest NSX, there are two types of segments: Overlay segments, which provide connectivity through the virtual networks, and VLAN segments, which provide connectivity to the outside world.

Logical Switch: A component of the NSX overlay and of each segment that provides connectivity to those VMs that are connected to it and isolation from those VMs that are not connected to it. A logical switch on the overlay corresponds to a port group on a vSphere Distributed Switch (vDS).

Tier 0 Gateway: A routing component that is installed into each of the hosts in an NSX overlay transport zone. This component allows primarily for connectivity to the outside world.

Tier 1 Gateway: A routing component that is installed into each of the hosts in an NSX transport zone. This component allows for the selective connectivity of VMs on different segments as well as connectivity to other VMs and devices in the logical network and the physical network to which it is connected. The Tier 1 Gateway will connect to a Tier 0 Gateway to gain access to the outside world.

Edge: An NSX component, consisting of a virtual machine or physical machine, which provides a multitude of services and protocols, such as NAT, VPN, Load Balancing, and so on. Edges primarily provide compute resources and connectivity to the outside world.

Distributed Firewall: A component that is installed onto each of the hosts in the transport zone that can be configured to allow or disallow traffic to the VMs on that host. This component is based in the kernel and therefore becomes part of the software that makes up the VMs running on the host. It therefore cannot be circumvented by the VMs for which it is configured. This component can individually control both incoming and outgoing traffic on every connection of every VM!
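As an added example that is not part of the article, the following is the body of a distributed firewall policy as it would be sent with PATCH to the NSX Policy API path /policy/api/v1/infra/domains/default/security-policies/app-3tier, assuming the web, app and db groups already exist. Each rule is enforced at the vNIC of the workloads named in its scope, so a compromised VM cannot step around it, and the closing rule drops and logs everything the earlier rules did not explicitly allow. The policy id, group ids and service paths are assumed for illustration.

```json
{
  "display_name": "app-3tier",
  "category": "Application",
  "rules": [
    {
      "display_name": "web-to-app",
      "sequence_number": 10,
      "source_groups": ["/infra/domains/default/groups/app-3tier-web"],
      "destination_groups": ["/infra/domains/default/groups/app-3tier-app"],
      "services": ["/infra/services/HTTPS"],
      "direction": "IN_OUT",
      "action": "ALLOW",
      "logged": false,
      "scope": [
        "/infra/domains/default/groups/app-3tier-web",
        "/infra/domains/default/groups/app-3tier-app"
      ]
    },
    {
      "display_name": "app-to-db",
      "sequence_number": 20,
      "source_groups": ["/infra/domains/default/groups/app-3tier-app"],
      "destination_groups": ["/infra/domains/default/groups/app-3tier-db"],
      "services": ["/infra/services/MySQL"],
      "direction": "IN_OUT",
      "action": "ALLOW",
      "logged": false,
      "scope": [
        "/infra/domains/default/groups/app-3tier-app",
        "/infra/domains/default/groups/app-3tier-db"
      ]
    },
    {
      "display_name": "tier-default-drop",
      "sequence_number": 30,
      "source_groups": ["ANY"],
      "destination_groups": ["ANY"],
      "services": ["ANY"],
      "direction": "IN_OUT",
      "action": "DROP",
      "logged": true,
      "scope": ["/infra/domains/default/groups/app-3tier-all"]
    }
  ]
}
```

Because the drop rule is scoped to the application's own group, web-to-db traffic is blocked at the web VM's own vNIC even though both VMs may sit on the same segment, which is the micro-segmentation the Distributed Firewall definition above describes.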

All of these components and more can be combined to create a logical network that actually directs and controls traffic before it hits the physical layer and therefore determines which physical devices and connections will carry the traffic and where the traffic will be allowed to flow.

Figure 3 is a typical small configuration of an NSX software-defined network.

Figure 3: A typical small NSX Topology

How Can Your Organization Benefit from Using NSX?

The use of NSX by a business can be considered more of a complete transformation than just a transition. According to VMware's website, "NSX delivers a completely new operational model for networking that breaks through current physical barriers allowing data center operators to achieve order of magnitude better speed, economics, and choice." Order of magnitude, I guess, just means "a lot."

In essence, NSX does for networks and physical network components what virtual machines did for data centers and physical servers. It allows you to use them in very different and more flexible ways. A virtual network created by NSX is a software container in the same way that a virtual machine (VM) is a software container. Also, in the same way that a VM's guest OS does not know that it's running on a VM, the workloads that the VMs are putting onto the logical network do not know that they are going onto a logical network. That means that you have complete flexibility as to the applications that you run on NSX. In fact, you can use any application that you would use with a physical network. In addition, you can use your vSphere system (as well as other hypervisors) and any vendor platform of physical routers and switches.

How Can You Benefit from Learning about NSX?

Learning about NSX, and software-defined networking in general, will help you understand the options that your company may be considering and those that large corporations such as Google, Amazon, and AT&T have already chosen to use. It's a wise investment of your time, no matter how much or how little you currently know about networking.

If you have spent years learning all about Cisco routers and switches and all the concepts and terminology that apply to them, don't worry because everything that you've already learned still has a role in NSX. The more that you already know about switching, the better off you will be when you begin to study NSX. The more that you already know about routers and routing protocols, the better off you will be when you begin to study NSX. The more that you know about NAT, load balancing, firewalls, VPNs, and so on, the better… well, you get the picture, right?

I think that's the main thing that you need to do to understand NSX: expand your mind! When you do, you'll begin to see that controlling and securing network workloads with a centralized software tool makes a lot of sense. For example, because the VMs are created by the same software that controls NSX, you can configure a firewall setting for a VM with so much micro-segmentation that the firewall basically becomes part of the "DNA" of the VM. The VM can't circumvent that firewall because it's part of the VM itself. That's just one example, and the more you learn about NSX and its role in the SDDC, the more you will be glad that you took the time to learn the newer ways. Then, you will be ready for the next big change in the way that we define a network!

Finally, if you have enjoyed reading this, then you will probably enjoy the latest courses regarding NSX on LinkedIn Learning.
