TIP: If you are a Networking professional, the odds are you don’t
know much about Web services, and RESTful API everyone is mentioning all the
time is your confusion point. REST has gained widespread acceptance across the
Web as a simpler alternative to SOAP and WSDL-based Web services. RESTful systems communicate over the
Hypertext Transfer Protocol with the same HTTP verbs (GET, POST, PUT, DELETE,
etc.) used by web browsers to retrieve web pages and send data to remote
servers.
NSX
uses the Management plane, Control plane, and Data plane models. Components on
one plane have minimal or no effect on the functions of the planes below. The
functional diagram presented in the VMworld 2014 is presented below:
Consumption Model, as a self-service portal
and the Cloud management. vCloud, OpenStack or vCAC platform can be integrated
with the NSX Management plane via REST API.
Management Plane: Serves as the main point of
configuration and includes the REST API for third-party applications that
integrate with NSX and UI interface. NSX Manager is the only component of this
plane, and it integrates directly as a Plug-In into the vCenter. The Management Plane talks to the Control Plane
to initiate the changes, and its components are:
- vCenter Server,
- NSX Manager, talks to the NSX Controllers
- Message Bus, way that these thigs communicate, not the VM but the function.
NSX Manager, which is the only thing you deploy as the
Administrator as a virtual appliance. It’s an .OVA file, which can be
downloaded, at this moment still only from the Nicira page. All the other
components are sequentially deployed. It will later act as the Management
Interface for the NSX. It receives instructions from vCenter, RESTfull API, but
it’s NOT in the Data Plane. You should deploy ONE Manager per vCenter (this is a current
version limitation, and if you have various vCenters be aware that the NSX
Managers wont talk to each other). If you shut down the Manager, there is no
impact to the service. You need 4 CPUs and 12GB of RAM with 60GB of Storage. It’s highly recommended to have
a separate Management Cluster, in order not to mix your Management plane
components with the control plane. 3 Hosts are usually enough, you don’t need a
huge Management Cluster. NSX Manager acts as the Management interface for NSX.
It can receive the instructions from:
- vCenter
- RESTful API
- Other Cloud Management Platform
NSX
Manager is completely out of Control and Data plane, and it can be shut down,
and THE SERVICES CONTINUE, there is no down time; there is just no management
layer. You need to protect it using the vSphere HA.
Control Plane: Manages Logical Networks, but doesn’t sit in
the data path. The logical router control virtual machine handles routing
network relationships. This virtual machine gives the routing table to the NSX
Manager instance.
NSX Control Plane is the component that actually performs the changes,
telling the Router and the Firewall what to do and etc.
- NSX Controllers that do Logical Switching, ARP Broadcasts, VXLAN support etc.
- UWA (User World Agent), which gets installed on each vSphere and control the actual correspondence between the Controller and the Data plane (ESXi hosts).
- Logical Router Control VM is the components in charge of the Routing Tables and other control functions.
NSX Controllers are the Control Plane of NSX, and they are deployed in
ODD number of sets (most common number is 3 to avoid
Split Brain because the 2 that agree on the config fail the 3rd one
when it’s different, or 5 because they use VOTING and an IP pool for IP
Addressing assignments) from the vCenter interface done by the manager. You
need to deploy them in a Cluster arrangement. These provide VXLAN “directory
services”, such as MAC and ARP and VTEP table. There is no Broadcast traffic
and no dependency of Multicast for VXLAN Functionality. Controllers handle the “roles” and an ELECTION is held to
find a Master, which is a new controller. NSX Controllers represent the Control
Plane of the NSX, and unline the NSX Manager – the architecture cannot work
without these. They are deployed in the
Cluster Arrangement (ODD numbers, because they use Voting Quorum), and they
provide several VXLAN directory services (MAC, ARP, VTEP table), and it removes the dependency on Multicast.
Remember
that the NSX controllers are NOT in the Data Path, but if they fail the Control
Plane might start giving problems. From the NSX Manager you can deploy the
Controllers, and all must be in the same
vCenter.
Roles of the NSX Cluster:
-
VXLAN functions.
-
Distributed Router.
-
An election is held to determine the Master.
-
Every Job is divided up in to SLICES (spread across available
nodes).
-
Data is MIRRORED, so when one controller from the cluster
failes – the data is automatically used from the mirror.
NSX
Controller interaction is through CLI, and configuration operations are
available through NSX API. NSX Controller stores four types of tables:
- The ARP table
- The MAC table
- VTEP table
- Routing table
NSX
Controller uses the UWA (User World
Agent) daemons to communicate from the hosts management address. The UWA includes two daemons
that run on the host. The UWA is responsible for communication between NSX
Controller and ESXi host for layers 2 and 3, and for VXLAN communications.
Data Plane: The distributed switch (VDS)
defines the Data Plane. The distributed switch does only Layer 2 switching.
Hosts have to be on the same layer 2 networks so that virtual machines on each
host can communicate with virtual machines on the other host.
NSX Data Plane - the things that move bits, actually doing the work,
and there are 3 big components:
- Kernel Modules, such as VXLAN, and Distributed Routing and Firewall functions
- vSphere Distributed Switch (VDS), which handles all the L2 Switching Functionalities.
- Edge Service Appliances, which handle the NAT, VPN and other Edge services.
Be
sure not to confuse the Distributed Firewall and the EDGE Services Router:
-
The Distributed Router
in the hypervisor handles East-West traffic routing.
-
North-South traffic (to the External Networks/Other Data Centers)
flows through the NSX Edge services
router.
There
are only a few components, they are all
VIRTUAL, and the issue is correctly integrating them. NSX installs three vSphere Installation Bundles (VlB) that
enable NSX functionality to the host. One VlB enables the layer 2 VXLAN
functionality, another VlB enables the distributed router, and the final VlB
enables the distributed firewall. The basic components of the NSX Ecosystem are:
Workload Slicing (Slicing Method) is used to spread the
workload. The concept is to divide every Job into Slices, so when the new
controller is added – slices need to be redistributed. NSX Manager deploys the Controllers. Each
one has 4 CPUs, and 4GBs of RAM. You need controllers to be deployed in same
vCenter that NSX manager is talking to.
Host Kernel Extensions for some features, and User World
Agents (UWA), which does the communication between the Controller and the Host.
Network Service Appliances:
- Edge Service Gateways
- Distributed Router Controllers
Security and Authentication: It’s all protected
using SSL. In the entire
communication between the Manager and the Hosts, and there is a mutual
authentication. NSX Manager creates certificates and stores them in a database.
NSX Manager pushes these certificates to the NSX Controller instances as they
are deployed.