Make Network Virtualization a Habit: a Software-Defined Networking Technology Update
Liu Chenggang, Senior Technical Advisor, Strategic Accounts, VMware

NSX architecture and components

Self-service & automation
• Self-service platform
• vCloud Automation Center, OpenStack, custom

Management plane: NSX Manager
• Single configuration portal
• REST API support

Control plane: NSX Controller
• Logical network management
• Standard control protocol (OVSDB)
• Control plane separated from the data plane

Data plane: NSX Edge plus the ESXi hypervisor kernel modules (distributed services: Logical Switch, Distributed Logical Router, Firewall)
• High-performance, distributed data plane
• Forwarding capacity scales out

(Diagram: logical networks overlaid on the physical network.)

★ Unconstrained ★ The technology direction the industry is heading in ★ Architectural excellence ★ Performance figures that never compromise ★ An ecosystem that fights like an army group

Agenda
1. The inevitable technology direction and an outstanding architecture
2. The uncompromising "army of ants"
3. The "little ant's" individual combat capability
4. An ecosystem that fights as a group
5. A bright tomorrow on the right road

CONFIDENTIAL

Part 1: The inevitable technology direction and an outstanding architecture

Getting the technology direction right is an important guarantee of continued success!

Overlay technology is the "perfect companion" and the inevitable direction for server virtualization
(Diagram: SDN control vs. overlay vs. control in the virtualization layer.)

VMware's road to SDN
• Network virtualization is rooted in VMware's DNA: from ESX to NSX
• Only network virtualization can deliver:
  – Complete loose coupling of the virtual and physical networks, making SDN genuinely hardware-independent
  – Flexible, user-defined topologies that overcome the scale and agility limits of hardware networks
• Switching, routing, firewalling, load balancing, VPN, connectivity to physical
• Network and security services "faithfully reproduced" in virtualization software and architecture

Implementing the overlay and its related services through virtualization is going with the flow!
1. Decouple: physical from virtual, giving hardware independence
2. Reproduce: the network and security services
3. Automate: network operations and cloud operations, the operational and automation advantages that virtualization brings
• The existing physical network is left unchanged

Physical network design: seamless transition vs. best practice; the choice is the user's
(Diagram: on the left, a classic L2/L3 design with WAN/Internet, POD A and POD B compute clusters and an edge rack; on the right, a leaf/spine L3 fabric with L2 VLANs kept only for bridging.)

Part 2: The uncompromising "army of ants"

NSX Distributed Firewall: system architecture
Components and connections shown:
• vSphere Client → vCenter Server: TCP/443
• REST API client → NSX Manager: TCP/443
• vCenter Server ↔ NSX Manager: TCP/443
• NSX Manager → ESXi host: TCP/5671 (the AMQP message bus used to push rules to the hosts)
• SSH client → ESXi host: TCP/22
• ESXi host kernel modules: VXLAN, DR (distributed routing), DFW, Switch Security
Rule flow:
1. Connect to vCenter through the vSphere Web Client and create the security rules [management plane]
2. vCenter hands the rules to NSX Manager [DFW control plane]; NSX Manager keeps every rule
3. The rules are finally pushed down to the ESXi hosts [DFW data plane]

NSX Distributed Firewall data flow 1: communication within a host
• Traffic between two VMs on the same host never traverses a physical switch
• Firewall policy is enforced on the source VM's outbound (egress) traffic, which keeps unauthorized traffic off the network
• The firewall rules are also enforced on the inbound (ingress) traffic at the destination VM's vNIC

NSX Distributed Firewall data flow 2: communication between hosts
• Traffic between VMs on different physical hosts does traverse the physical switch
• Firewall policy is enforced at both the source and the destination VM
• Flows to and from non-virtualized environments behave the same way

More maintainable firewall rules
• Use cloud objects (resource pools, vApps, custom security groups, tags, and so on) instead of the traditional 5-tuple to improve maintainability

Rule sprawl (5-tuple rules):
Src          Dst
192.168.1.1  192.168.5.2
10.0.0.1     10.0.2.5
10.0.0.2     10.0.2.5
10.0.0.3     10.0.2.5

Object-based rules:
Src     Dst                    Action
App 1   App 1, App 2, App 3    Allow
App 1   Outside of VDC         Deny
App 2   App 1, App 2, App 3    Allow
App 2   Outside of VDC         Deny
...
ALL     ALL                    Deny

NSX distributed routing: component relationships
(Diagram: a DLR with LIFs 172.16.10.0/24, 172.16.20.0/24 and 172.16.30.0/24; a transit segment with 192.168.10.1, 192.168.10.2 and 192.168.10.3 shared by the DLR data path, the DLR Control VM and the NSX Edge acting as next-hop router toward the external network; control channels from NSX Manager and the Controller cluster; OSPF/BGP peering between the Control VM and the Edge.)
1. Configure the dynamic routing protocol on the logical router instance (the Control VM)
2. The NSX Controller pushes the logical router configuration and the LIF configuration to the ESXi hosts
3. A dynamic routing adjacency (OSPF or BGP peering) is formed between the logical router instance and the NSX Edge (the northbound router)
4. Routes learned from the NSX Edge are pushed to the Controller for further distribution
5. The Controller distributes the routing information to the ESXi hosts
6. The routing module in each ESXi host then handles data-plane forwarding

Multi-tenant networks through scale-out of the north-south Edge services
(Diagram: Tenant 1 through Tenant N, each with Web, App and DB logical switches behind its own tenant NSX Edge Services Gateway; VXLAN uplinks (or a VXLAN trunk) into an NSX Edge X-Large acting as the route aggregation layer over a VXLAN 5100 transit; a VLAN uplink to the external network.)

Edge routing: ECMP support
(Diagram, three designs, each with Web/App/DB behind a DLR and edges peering with a physical router.)
• Active/Standby: E1 active, E2 standby, one routing adjacency each toward the DLR and the physical router; stateful
• Active/Active: E1 and E2 both active, routing adjacencies on both; non-stateful
• ECMP: up to 8 active edges (E1 to E8) on a transit VXLAN between the DLR and the core routers R1 to R4 (VLAN 10, VLAN 20); non-stateful

Part 3: The "little ant's" individual combat capability!

Performance test topology
• L3 fabric; the compute, edge and management clusters each sit in their own transport subnet (A, B, C), with the L2/L3 boundary at the leaf
• 2 x 10G NICs per server, LACP on the VDS, MLAG on Arista 7150
• Compute-BM1 (VM1 to VM8, TX side) and Compute-BM2 (VM1 to VM8, RX side), VTEP IPs 10.114.214.54 and 10.114.214.53
• Edge-1 and Edge-2, VTEP IPs 10.114.210.88 and 10.114.210.70
• One VXLAN transport zone spanning the compute and edge clusters; separate Compute VDS, Edge VDS and Management VDS
• VDS load-balancing mode: source and destination IP address, TCP/UDP port and VLAN; VTEP mode: Enhanced LACP; MTU 1600
• Management cluster: vCenter Server, NSX Manager, Controller cluster; the edge cluster also hosts the DLR Control VM and the Edge VMs

Test hardware configuration
vSphere: 5.5.0 build 1623387
Server: Dell PowerEdge R720
CPU: Intel Xeon E5-2680 v2 @ 2.80GHz, 2 sockets, 10 cores per socket, hyperthreading enabled
Memory: 128 GB RAM
Network adapter: Intel 2P X520 / 2P I350 rNDC (82599EB controller)
VM: CentOS 6.5, 1 vCPU, 2 GB RAM, vmxnet3 vNIC driver
All other server settings at system defaults

Test tools
• 16 VMs created in total (8 on the TX side and 8 on the RX side)
• Traffic generator: NetPerf 2.6
• Automated infrastructure that logs into the VMs and starts the netperf commands
• Each TX VM sends 4 flows to its RX VM

Logical switch performance
(Charts: send throughput in Gbps, and additional CPU % per Gbps, against TCP message sizes of 64, 512, 1500, 32k and 64k bytes; VM1 to VM8 in one compute cluster sending to VM1 to VM8 in another across an NSX vSwitch logical switch.)
• Line-rate traffic (~18 Gbps) with 2 NICs per host with VXLAN
• Additional CPU for VXLAN traffic between hosts is ~3% of CPU
* The y-axis shows the % of additional CPU overhead compared with the same baseline tests run on VLAN-based networks.

Single-node distributed routing performance
(Charts: same axes and message sizes; VM1 to VM8 on two logical switches inside one compute cluster, routed between them by the DLR.)
• Line-rate traffic even with logical routing
• No additional CPU compared with using a logical switch over VXLAN
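The two DFW data-flow slides and the "More maintainable firewall rules" slide above describe a policy that is matched on security-group membership, enforced first at the source vNIC and again at the destination vNIC, and that does not grow when VMs are added. The following is an added example, not code from the deck or from VMware: a toy first-match policy engine that models that behaviour and expands the same policy into IP-pair rules to show the sprawl the slide contrasts it with. The group names (app1..app3, outside), the 10.0.x.y addressing and the inventory are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

ANY = "ANY"


@dataclass(frozen=True)
class Endpoint:
    """A vNIC as the DFW sees it: an IP plus the security groups it belongs to."""
    ip: str
    groups: frozenset


@dataclass(frozen=True)
class GroupRule:
    src: Tuple[str, ...]   # security-group names, or (ANY,)
    dst: Tuple[str, ...]
    action: str            # "allow" or "deny"


# Constructed group names standing in for the slide's App 1 .. App 3.
APPS = ("app1", "app2", "app3")

# The slide's object-based table: each app tier may reach any app tier inside
# the VDC and nothing outside it; the last row is the explicit default deny.
POLICY: List[GroupRule] = []
for _app in APPS:
    POLICY.append(GroupRule((_app,), APPS, "allow"))
    POLICY.append(GroupRule((_app,), ("outside",), "deny"))
POLICY.append(GroupRule((ANY,), (ANY,), "deny"))


def _in_scope(ep: Endpoint, scope: Tuple[str, ...]) -> bool:
    return ANY in scope or bool(ep.groups & frozenset(scope))


def evaluate(rules: List[GroupRule], src: Endpoint, dst: Endpoint) -> str:
    """First matching rule wins; no match falls through to deny."""
    for rule in rules:
        if _in_scope(src, rule.src) and _in_scope(dst, rule.dst):
            return rule.action
    return "deny"


def dfw_path(rules: List[GroupRule], src: Endpoint, dst: Endpoint) -> List[Tuple[str, str]]:
    """Enforcement points a packet meets, in order: the source vNIC (egress)
    and then the destination vNIC (ingress). A packet dropped at egress is
    never put on the wire, which is the slide's 'less unauthorized traffic'."""
    path = [("egress", evaluate(rules, src, dst))]
    if path[0][1] == "allow":
        path.append(("ingress", evaluate(rules, src, dst)))
    return path


def expand_to_5tuple(rules: List[GroupRule], inventory: List[Endpoint]) -> List[Tuple[str, str, str]]:
    """The same policy written as IP-pair rules (the slide's 'rule sprawl'):
    one (src_ip, dst_ip, action) entry per endpoint pair, first match kept."""
    entries: Dict[Tuple[str, str], str] = {}
    for rule in rules:
        for s in inventory:
            if not _in_scope(s, rule.src):
                continue
            for d in inventory:
                if _in_scope(d, rule.dst):
                    entries.setdefault((s.ip, d.ip), rule.action)
    return [(s, d, a) for (s, d), a in entries.items()]


def build_inventory(vms_per_app: int) -> List[Endpoint]:
    """Constructed inventory: N VMs per app tier on 10.0.<tier>.<n>, plus one
    host outside the VDC (the slide's 192.168.5.2)."""
    eps = []
    for tier, app in enumerate(APPS):
        for n in range(1, vms_per_app + 1):
            eps.append(Endpoint(f"10.0.{tier}.{n}", frozenset({app})))
    eps.append(Endpoint("192.168.5.2", frozenset({"outside"})))
    return eps


if __name__ == "__main__":
    for n in (1, 2, 4):
        inv = build_inventory(n)
        print(f"{n} VM(s) per tier: {len(POLICY)} group rules vs "
              f"{len(expand_to_5tuple(POLICY, inv))} IP-pair rules")
```

The group policy stays at seven rows no matter how many VMs are tagged into a tier, while the IP-pair form grows with the square of the endpoint count; tagging a new VM into app2 makes it reachable from app1 without any rule change, and the explicit final deny row is what turns an unmatched pair into a drop at the source vNIC.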
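The "Edge routing: ECMP support" slide above labels the Active/Standby design as stateful and the Active/Active and 8-edge ECMP designs as non-stateful without saying why. The reason is that the DLR and the core routers each hash flows across the edges independently, so the two directions of one flow usually traverse different edges, and a stateful firewall, NAT or load balancer on an edge would see only half of the flow. The following is an added example, not code from the deck or from VMware, that simulates that with a constructed per-device hash; the edge names E1 to E8, the "dlr" and "core" device labels and the sample flows are all assumptions made for the demonstration.

```python
import hashlib
from typing import List, Sequence, Tuple

Flow = Tuple[str, str, int, int, int]   # (src_ip, dst_ip, proto, sport, dport)
EDGES = [f"E{i}" for i in range(1, 9)]  # the slide's eight active edges


def ecmp_next_hop(flow: Flow, next_hops: Sequence[str], device: str) -> str:
    """Per-device 5-tuple hash. Constructed: a real DLR or core router uses its
    own hash function and seed, which is exactly why the two choices are independent."""
    digest = hashlib.sha256(f"{device}|{flow}".encode()).digest()
    return next_hops[int.from_bytes(digest[:8], "big") % len(next_hops)]


def reverse(flow: Flow) -> Flow:
    src, dst, proto, sport, dport = flow
    return (dst, src, proto, dport, sport)


def edges_seen(flow: Flow, next_hops: Sequence[str]) -> Tuple[str, str]:
    """Edge chosen by the DLR for the outbound direction, and edge chosen by
    the core router (R1 to R4 on the slide) for the return direction."""
    return (ecmp_next_hop(flow, next_hops, "dlr"),
            ecmp_next_hop(reverse(flow), next_hops, "core"))


def stateful_edge_breaks(flow: Flow, next_hops: Sequence[str]) -> bool:
    """True when a stateful service on the edge (firewall, NAT, LB) would see
    only one direction of the flow and therefore drop or mistranslate the other."""
    out_edge, back_edge = edges_seen(flow, next_hops)
    return out_edge != back_edge


def sample_flows(n: int) -> List[Flow]:
    """Constructed web-tier flows: 10.0.1.x to a host outside the VDC over HTTPS."""
    return [(f"10.0.1.{i % 250 + 1}", "203.0.113.10", 6, 40000 + i, 443)
            for i in range(n)]


def asymmetry_ratio(flows: Sequence[Flow], next_hops: Sequence[str] = EDGES) -> float:
    """Fraction of flows whose two directions land on different edges. With k
    independently hashing next hops this tends to (k-1)/k, i.e. 7/8 for 8 edges."""
    return sum(stateful_edge_breaks(f, next_hops) for f in flows) / len(flows)


if __name__ == "__main__":
    flows = sample_flows(1000)
    print("8 active edges, flows split across two edges:", asymmetry_ratio(flows))
    print("1 active edge (active/standby):", asymmetry_ratio(flows, ["E1"]))
```

With a single active edge every flow is symmetric, which is what lets the Active/Standby design carry stateful services; with eight ECMP edges roughly seven flows in eight are asymmetric, so stateful services have to live somewhere that sees both directions (the DLR-side tenant edges or the workloads' own DFW) rather than on the ECMP edges.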
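The "Test tools" slide and the two performance slides above describe the measurement method (8 TX VMs, 4 NetPerf flows each, TCP message sizes from 64 bytes to 64k, throughput summed and CPU overhead expressed per Gbps relative to a VLAN baseline) but not how it was driven. The following is an added example, not the deck's or VMware's test harness: a small driver that builds the 32 netperf commands for one message size, parses the netperf result line, and reduces the results to the two plotted quantities. The VM hostnames, the ssh user and the sample netperf output are constructed; the netperf flags are the upstream netperf 2.x options.

```python
import re
import subprocess
from itertools import product
from typing import List, Sequence, Tuple

MESSAGE_SIZES = [64, 512, 1500, 32 * 1024, 64 * 1024]   # the x-axis of both charts
FLOWS_PER_VM = 4
DURATION_S = 60
# Constructed inventory: TX VM i on Compute-BM1 streams to RX VM i on Compute-BM2.
PAIRS = [(f"bm1-vm{i}", f"bm2-vm{i}") for i in range(1, 9)]


def netperf_cmd(rx_host: str, msg_size: int) -> List[str]:
    """One TCP_STREAM flow. -P 0 suppresses the banner, -f g reports 10^9 bit/s,
    and -m (after --) sets the send message size the deck varies."""
    return ["netperf", "-H", rx_host, "-t", "TCP_STREAM", "-l", str(DURATION_S),
            "-P", "0", "-f", "g", "--", "-m", str(msg_size)]


def build_matrix(msg_size: int) -> List[Tuple[str, List[str]]]:
    """(tx_vm, command) for one run: 8 TX VMs x 4 flows = 32 concurrent flows."""
    return [(tx, netperf_cmd(rx, msg_size))
            for (tx, rx), _flow in product(PAIRS, range(FLOWS_PER_VM))]


# With -P 0 netperf prints a single result line:
#   recv-socket  send-socket  msg-size  elapsed-secs  throughput
_RESULT = re.compile(r"^\s*\d+\s+\d+\s+\d+\s+[\d.]+\s+([\d.]+)\s*$", re.M)


def parse_throughput_gbps(output: str) -> float:
    m = _RESULT.search(output)
    if m is None:
        raise ValueError("no netperf result line found")
    return float(m.group(1))


def aggregate_gbps(per_flow: Sequence[float]) -> float:
    """Send throughput as plotted: the sum over all 32 flows of one run."""
    return round(sum(per_flow), 2)


def cpu_overhead_per_gbps(cpu_pct_vxlan: float, cpu_pct_vlan: float, gbps: float) -> float:
    """The second chart's y-axis: extra host CPU on VXLAN relative to the VLAN
    baseline run with the same message size, normalised by the throughput achieved."""
    return (cpu_pct_vxlan - cpu_pct_vlan) / gbps


def run_once(msg_size: int, ssh_user: str = "root") -> float:
    """Start all 32 flows in parallel over ssh (constructed user), wait for them,
    and sum their throughput. Needs real VMs with netserver running on the RX side."""
    procs = [subprocess.Popen(["ssh", f"{ssh_user}@{tx}"] + cmd,
                              stdout=subprocess.PIPE, text=True)
             for tx, cmd in build_matrix(msg_size)]
    outputs = [p.communicate()[0] for p in procs]
    return aggregate_gbps([parse_throughput_gbps(o) for o in outputs])


if __name__ == "__main__":
    for size in MESSAGE_SIZES:
        print(size, run_once(size))
```

Host CPU for the overhead figure has to be sampled on the ESXi host for the duration of the run (for example with esxtop in batch mode) for both the VLAN baseline and the VXLAN run at the same message size; the function above only does the subtraction and normalisation that the chart's y-axis describes.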