Why VMware NSX? – Part-2


 Prashant Pandey, VCAP-NV-2021

 

In the previous blog we discussed some of the challenges faced by traditional/physical networks and how NSX handles them. There I mentioned that we would cover the Overlay Tunneling Protocol (OTP) and Micro-segmentation separately in upcoming blogs.

 

Previous blog link - https://nsxworld.blogspot.com/2022/07/why-vmware-nsx.html



So in this blog we will talk about the Overlay Tunneling Protocol and Micro-segmentation.

 

First things first:

1. What is OTP?

2. Which OTP is used by NSX?

3. Why does NSX use OTP?

4. Where does NSX use OTP?


1. OTP stands for Overlay Tunneling Protocol. It does nothing but encapsulate the virtual network traffic and carry it over the physical network.

2. Geneve is the protocol used by the latest NSX-T versions. The older product, NSX-v (NSX for vSphere), used VXLAN as its OTP; however, NSX-v has been obsolete for more than 1 year now.

3. The NSX Data Center overlay network implementation is based on tunneling only. NSX uses Geneve for its overlay encapsulation, which provides isolation between the underlay network (physical network) and the overlay network (virtual network).

4. Tunnels are formed between tunnel endpoints (TEPs) that exist on the physical hosts: ESXi hosts or bare-metal servers.

 

Challenges that existed with the physical network:

• In any DC the majority of the traffic (more than 70%) is East-West.

• With traditional networking, any L3 traffic within the DC goes up to the L3 device/Spine and then comes back down, causing hairpinning in the network.

• In the example below both machines are connected to different subnets/broadcast domains, so the communication takes the path shown: it reaches the L3 device first and then comes back down, causing hairpinning. Note that the communication is internal to the DC only.

Source VM > Physical Switch1 > Physical Router > Physical Switch2 > Destination VM


• NSX handles the above challenges with the Overlay Tunneling Protocol, which is nothing but L2 over L3: the Layer-2 frame is encapsulated inside a Layer-3 packet and carried across the physical network.

• In NSX it really does not matter whether the source and destination VMs are part of the same subnet/broadcast domain or different ones; what matters is whether the source and destination VMs are on the same hardware or not.

• If both VMs are on the same hardware/Transport Node, the distributed routing module (on the NSX VDS) takes care of the communication and the packet never leaves the host. This is possible because of the reference tables that each NSX-capable host maintains locally.

Source VM > VDS > Destination VM

• If the VMs are on different hardware/Transport Nodes (regardless of whether they are in the same subnet or not), tunneling comes into the picture, as in the example below.

Source VM > VDS > TEP of TN1 > TEP of TN2 > VDS > Destination VM

(L2 encapsulation over L3)




Below is what an actual Geneve-encapsulated packet looks like (layout reconstructed from the post's figure):

<---- Geneve encapsulation: 8 – 260 ----> <---- original frame: 1500 MTU ---->

Geneve MTU range: 1508 – 1760
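To make the two forwarding cases and the header sizes above concrete, here is an added example (my own code, not from the post or from VMware): it builds and parses the Geneve base header per RFC 8926, derives the 1508–1760 range from the 8–260 byte header, and decides whether a frame stays on the host or is tunneled TEP-to-TEP. The VM-to-transport-node inventory and TEP addresses are constructed assumptions.

```python
import struct

ETHERTYPE_TRANSPARENT_ETH = 0x6558  # Geneve protocol type: payload is an L2 Ethernet frame (L2 over L3)
INNER_MTU = 1500

def build_geneve_header(vni: int, options: bytes = b"") -> bytes:
    """8-byte Geneve base header plus options (RFC 8926).
    Bits: Ver(2) OptLen(6) O(1) C(1) Rsvd(6) | ProtocolType(16) | VNI(24) Rsvd(8).
    OptLen counts 4-byte words, so options add 0..252 bytes: the header is 8..260 bytes."""
    if len(options) % 4 or len(options) > 252:
        raise ValueError("options must be a multiple of 4 bytes, at most 252 bytes")
    first16 = (0 << 14) | ((len(options) // 4) << 8)   # Ver=0, O=0, C=0, reserved=0
    return struct.pack("!HHI", first16, ETHERTYPE_TRANSPARENT_ETH, (vni & 0xFFFFFF) << 8) + options

def parse_geneve_header(data: bytes) -> dict:
    """Decode the base header; header_len tells where the inner L2 frame starts."""
    first16, proto, vni_field = struct.unpack("!HHI", data[:8])
    opt_len = ((first16 >> 8) & 0x3F) * 4
    return {"version": first16 >> 14, "opt_len": opt_len, "oam": bool(first16 & 0x80),
            "critical": bool(first16 & 0x40), "protocol": proto, "vni": vni_field >> 8,
            "header_len": 8 + opt_len}

def geneve_mtu(opt_bytes: int = 0) -> int:
    """Inner 1500-byte frame plus the Geneve header: 1508..1760, the post's 'Geneve MTU range'.
    Outer Ethernet/IP/UDP headers come on top of this, which is why the underlay MTU is raised further."""
    return INNER_MTU + 8 + opt_bytes

# Constructed inventory (assumption): which transport node (TN) hosts each VM, and each TN's TEP.
VM_TO_TN = {"web-01": "tn1", "app-01": "tn1", "db-01": "tn2"}
TN_TO_TEP = {"tn1": "10.0.100.11", "tn2": "10.0.100.12"}

def forward(src_vm: str, dst_vm: str, vni: int, frame: bytes):
    """Return (path, bytes leaving the source VDS) for the two cases in the post.
    Subnet membership is irrelevant: only whether both VMs sit on the same TN matters."""
    src_tn, dst_tn = VM_TO_TN[src_vm], VM_TO_TN[dst_vm]
    if src_tn == dst_tn:
        # same host: VDS / distributed router delivers locally, the frame never hits the physical NIC
        return ["Source VM", "VDS", "Destination VM"], frame
    # different hosts: the L2 frame is wrapped in Geneve and sent TEP -> TEP (outer UDP/6081)
    wire = build_geneve_header(vni) + frame
    path = ["Source VM", "VDS", f"TEP {TN_TO_TEP[src_tn]}", f"TEP {TN_TO_TEP[dst_tn]}", "VDS", "Destination VM"]
    return path, wire

if __name__ == "__main__":
    path, wire = forward("web-01", "db-01", 5001, b"\x00" * 14 + b"inner-frame")
    print(" > ".join(path), parse_geneve_header(wire))
```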

 ==================================================================================================================================================


NSX Micro Segmentation

 

Traditional data centers face many security challenges:

• Traditional security policies align with the environment (web/app/db) rather than with applications.

• Traditional segmentation does not prevent lateral communication between workloads in a tier. If one machine in a /24 subnet (just an example, it can be any CIDR) gets compromised, the attacker can move freely around the entire /24 broadcast domain and access valuable data, since the segmentation policy does not get applied within a single broadcast domain.

• Typically, certain high-level segmentation security policies are built in a traditional data center. These policies prevent various types of workloads from communicating with other types of workloads. However, this high-level segmentation does not prevent lateral communication between workloads in a tier. When threats breach the perimeter, their lateral spread is hard to stop.

• Shared services can traverse tier boundaries without being checked.


NSX Security Model: In addition to the perimeter/gateway firewall, NSX offers a distributed firewall and micro-segmentation, which handle all of the above challenges of the traditional DC security model.

Micro-segmentation supports a zero-trust architecture for IT security. This architecture establishes a security perimeter around each VM or container workload with a dynamically defined policy. It performs several functions:

• Logically divides a data center into distinct security segments, down to the individual workload level

• Attaches the centrally controlled and operationally distributed firewalls directly to each VM


• With the above approach every VM can now have:

— Individual firewalls

— Individual security policies

• Security policies can be based on:

— VM attributes

— Network attributes

— Application attributes

— User attributes



Micro-segmentation denies attackers the opportunity to pivot laterally within the internal network, even after the perimeter is breached. NSX-T Data Center micro-segmentation prevents the lateral spread of threats across an environment.

We can apply rules that are specific to the requirements of each workload. In addition, these capabilities are not limited to homogeneous vSphere environments: NSX-T Data Center supports various platforms and infrastructure.

Example - If we take the same example discussed above, but this time with micro-segmentation in place: if one machine in the /24 subnet gets compromised, the attacker will not be able to move freely in the entire broadcast domain, since each VM has its own firewall/security policy. This is how lateral spread is restricted in an NSX environment.
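The /24 example above, modelled as an added example (my own code, not the post's or VMware's): three constructed workloads share one /24, a single attribute-based rule allows only web tier to db tier on 3306, and `lateral_reach` compares the blast radius of a compromised VM under a subnet-boundary model against per-vNIC distributed enforcement. The inventory, tags and rule are assumptions made up for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    tags: frozenset  # VM/application attributes that policy keys on, not IP addresses

# Constructed inventory (assumption): three workloads sharing one /24 broadcast domain.
SEGMENT = ip_network("10.10.1.0/24")
VMS = {
    "web-01": VM("web-01", "10.10.1.11", frozenset({"tier:web", "app:shop"})),
    "web-02": VM("web-02", "10.10.1.12", frozenset({"tier:web", "app:shop"})),
    "db-01":  VM("db-01",  "10.10.1.21", frozenset({"tier:db",  "app:shop"})),
}

@dataclass(frozen=True)
class Rule:
    src_tag: str   # matched against the source VM's tags
    dst_tag: str   # the rule is "applied to" every VM carrying this tag
    port: int
    action: str = "allow"

# Constructed policy (assumption): only web tier -> db tier on 3306; nothing else, even inside a tier.
RULES = [Rule("tier:web", "tier:db", 3306)]

def perimeter_only(src: VM, dst: VM, port: int) -> bool:
    """Traditional model from the post: the policy sits at the L3 boundary, so any two hosts
    in the same /24 reach each other without the rule set ever being consulted."""
    if ip_address(src.ip) in SEGMENT and ip_address(dst.ip) in SEGMENT:
        return True
    return any(r.src_tag in src.tags and r.dst_tag in dst.tags and r.port == port for r in RULES)

def distributed_firewall(src: VM, dst: VM, port: int) -> bool:
    """Micro-segmentation: the same rule set is enforced at dst's own vNIC for every packet,
    so subnet membership buys nothing; an unmatched flow is denied by default."""
    for r in RULES:
        if r.dst_tag in dst.tags and r.src_tag in src.tags and r.port == port:
            return r.action == "allow"
    return False

def lateral_reach(model, compromised: str, port: int) -> list:
    """Blast radius: which other VMs a compromised workload can reach on `port` under a model."""
    src = VMS[compromised]
    return sorted(v.name for v in VMS.values() if v.name != compromised and model(src, v, port))

if __name__ == "__main__":
    for model in (perimeter_only, distributed_firewall):
        print(model.__name__, "web-01 on 3306 ->", lateral_reach(model, "web-01", 3306))
```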

 

PS: Any Improvement points or suggestions are welcome.

-----Thank You-----

Prashant Pandey
