Objective 1.4 – Contrast Physical and Virtual Network Technologies
Knowledge

  • Differentiate logical and physical topologies
      Any given node in a network has one or more physical links to other devices; mapping these links graphically produces a geometric shape that describes the physical topology of the network. Mapping the flow of data between the components instead gives the logical topology.

    • Physical
      The cabling layout used to link devices is the physical topology of the network: the layout of cabling, the locations of nodes, and the interconnections between the nodes and the cabling. In a data-centre fabric the elements are, for example, the server port, the rack (top-of-rack) switch, the leaf switch and the spine layer.

      • Simple – configuration must be simple. Much of the general configuration must be identical on every component; per-device differences would soon become unmanageable.
      • Scalable – the number of racks a fabric supports is dictated by the total number of ports available across all spine switches and the level of oversubscription that is acceptable.
      • High-bandwidth – in a spine-leaf topology, oversubscription occurs, if at all, at one point: the leaf switch. The calculation is simple: the total bandwidth available to all servers connected to a given leaf switch, divided by the aggregate uplink bandwidth, gives the oversubscription ratio. For example, 48 servers at 10 Gbps behind 4 × 40 Gbps uplinks gives 480/160, a 3:1 ratio. More or less bandwidth can be made available to a rack by provisioning more or fewer uplinks.
      • Fault-tolerant – multipathing-capable fabrics (ECMP across the spines) handle switch or link failures without manual intervention, reducing network maintenance and operations work.
      • QoS-providing – at L2, QoS is the Class of Service (CoS) value, the 3-bit 802.1p priority in the 802.1Q VLAN tag; at L3 it is the 6-bit DSCP field in the IP header. These values decide which traffic is prioritised or dropped under congestion. Because a host or VM can set its own markings, the fabric should trust markings only on ports it controls and re-mark traffic arriving on untrusted ports at the edge.
      • Firewalls only at routable interfaces – in the physical design, firewalls sit only at routed (L3) boundaries, so traffic between hosts in the same VLAN never passes through one and is not inspected.
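To make the QoS bullet concrete, the following is an added example (not code from the original post or from VMware): it builds a constructed 802.1Q-tagged IPv4 frame, extracts the L2 CoS (PCP) and L3 DSCP markings, and shows what an untrusted edge port does when it re-marks host-supplied values, including the IPv4 header checksum fix that the DSCP rewrite requires. The MAC and IP addresses are made up; the `remark_untrusted` function is this example's own, not an NSX or switch API.

```python
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the IPv4 header. Call with the checksum field zeroed
    to compute it, or with it in place to verify: a valid header returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_frame(pcp: int, vid: int, dscp: int, ecn: int = 0,
                src_ip: str = "10.0.0.5", dst_ip: str = "10.0.1.7") -> bytes:
    """Constructed sample frame: Ethernet + 802.1Q tag + IPv4 header + short payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")  # dst, src MAC (made up)
    tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)    # TCI = PCP(3) | DEI(1) | VID(12)
    tag = struct.pack("!HH", TPID_8021Q, tci)
    tos = ((dscp & 0x3F) << 2) | (ecn & 0x3)      # TOS byte = DSCP(6) | ECN(2)
    payload = b"payload"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234, 0,
                     64, 17, 0, _ip_bytes(src_ip), _ip_bytes(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return eth + tag + struct.pack("!H", ETHERTYPE_IPV4) + ip + payload


def parse_qos(frame: bytes) -> dict:
    """Return the L2 (PCP/CoS, VID) and L3 (DSCP, ECN) markings; None where absent."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset, pcp, vid = 14, None, None
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vid = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    dscp = ecn = None
    if ethertype == ETHERTYPE_IPV4:
        tos = frame[offset + 1]
        dscp, ecn = tos >> 2, tos & 0x3
    return {"pcp": pcp, "vid": vid, "dscp": dscp, "ecn": ecn}


def ipv4_header_valid(frame: bytes) -> bool:
    """Verify the IPv4 header checksum of a tagged or untagged frame."""
    offset = 18 if struct.unpack("!H", frame[12:14])[0] == TPID_8021Q else 14
    ihl = (frame[offset] & 0x0F) * 4
    return ipv4_checksum(frame[offset:offset + ihl]) == 0


def remark_untrusted(frame: bytes, pcp: int = 0, dscp: int = 0) -> bytes:
    """What an untrusted edge port does: overwrite the host-supplied CoS and DSCP with
    policy values, keep DEI/VID and ECN, and recompute the IPv4 header checksum."""
    buf = bytearray(frame)
    if struct.unpack("!H", buf[12:14])[0] != TPID_8021Q:
        raise ValueError("expected an 802.1Q-tagged frame")
    tci = struct.unpack("!H", buf[14:16])[0]
    buf[14:16] = struct.pack("!H", ((pcp & 0x7) << 13) | (tci & 0x1FFF))
    if struct.unpack("!H", buf[16:18])[0] != ETHERTYPE_IPV4:
        return bytes(buf)                            # no L3 marking to rewrite
    off = 18
    ihl = (buf[off] & 0x0F) * 4
    buf[off + 1] = ((dscp & 0x3F) << 2) | (buf[off + 1] & 0x3)
    buf[off + 10:off + 12] = b"\x00\x00"             # zero before recomputing
    buf[off + 10:off + 12] = struct.pack("!H", ipv4_checksum(bytes(buf[off:off + ihl])))
    return bytes(buf)
```

A frame marked PCP 5 / DSCP 46 (EF) by a VM parses as such, and `remark_untrusted` returns it as PCP 0 / DSCP 0 with a checksum that still verifies; forgetting the checksum step is the usual bug when re-marking in software.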
    • Logical
      The logical topology is the way the signals act on the network media, or the way the data passes through the network from one device to the next, without regard to the physical interconnection of the devices. Logical topologies are usually shared media (for example Ethernet) or token based (for example Token Ring).
  • Differentiate logical and physical components (e.g. switches, routers)
    • Switches
      • Physical switch – ports are either access ports (a single VLAN) or trunk ports. The 802.1Q VLAN ID is a 12-bit field, so a fabric is limited to 4096 VLAN IDs (4094 usable, since 0 and 4095 are reserved).
      • NSX vSwitch – abstracts the physical network and provides access-level switching in the hypervisor. It is central to network virtualization because it enables logical networks that are independent of physical constructs such as VLANs. A logical switch is distributed and can span arbitrarily large compute clusters, allowing VM mobility within the data centre without the limitations of the physical L2 boundary.
    • Routers
      • Physical router – fixed topology; traffic between VLANs is forced to “hairpin” out of the host to the physical router and back, even when both VMs sit on the same host.
      • Logical (distributed) router – east-west (E-W) routing is performed in the hypervisor, so traffic between VMs stays within the host rather than hair-pinning out to a physical router.
  • Differentiate logical and physical services (e.g. firewall, NAT)
    • Firewall
      • Physical firewalls are part of the routing topology; traffic must be routed through them to be inspected. They suffer from rule sprawl: rules are added but rarely removed, because of the perceived risk of removing a rule that might be in use.
      • Distributed firewalls enforce rules at each VM’s vNIC, so they can protect individual VMs; rule sets are dynamic (security-group membership is re-evaluated as VMs change) and rules can be written against user identities as well as addresses. Because NSX Manager pushes only the rules relevant to a given vNIC down to the host, each packet is matched against a far smaller set than the whole rulebase, which improves performance.
    • NAT
      • NAT is normally performed by firewalls but can be done by routers. The choices are destination NAT, source NAT, or hide NAT (many-to-one source NAT behind a single address).
      • In NSX, NAT is performed by the NSX Edge, with a choice of destination NAT or source NAT. It must be used when tenants have overlapping address space: the Edge’s distinct external address is what makes each tenant’s traffic distinguishable outside the tenant network.
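The overlapping-addressing case is easier to see in code. The following is an added example, not NSX Edge code: a simplified per-tenant Edge model that does source NAT for outbound flows (with a reverse table for replies), destination NAT for a published service, and fails explicitly when the NAT port pool is exhausted. Two tenants both use 10.0.0.0/24 and the same internal host sends the same flow; the addresses, tenants and port pool are constructed for the example, and the class and method names are this example’s own.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class EdgeNat:
    """Simplified model of one tenant's Edge doing SNAT (outbound) and DNAT (published
    services). Assumed behaviour for illustration, not NSX Edge code."""

    def __init__(self, tenant: str, external_ip: str, internal_net: str,
                 port_range: Tuple[int, int] = (1024, 65535)) -> None:
        self.tenant = tenant
        self.external_ip = external_ip
        self.internal_net = ipaddress.ip_network(internal_net)
        self._next_port, self._max_port = port_range
        self._snat_out: Dict[Tuple[str, int], int] = {}   # (src, sport) -> NAT port
        self._snat_in: Dict[int, Tuple[str, int]] = {}    # NAT port -> (src, sport)
        self._dnat: Dict[int, Tuple[str, int]] = {}       # external port -> (ip, port)

    def publish(self, external_port: int, internal_ip: str, internal_port: int) -> None:
        """DNAT rule: external_ip:external_port -> internal_ip:internal_port."""
        self._dnat[external_port] = (internal_ip, internal_port)

    def snat(self, pkt: Packet) -> Packet:
        """Internal -> external: rewrite the source to the Edge's external address.
        Ports are handed out sequentially here; a real NAT should randomise them."""
        if ipaddress.ip_address(pkt.src) not in self.internal_net:
            raise ValueError(f"{pkt.src} is not in {self.tenant}'s network")
        key = (pkt.src, pkt.sport)
        port = self._snat_out.get(key)
        if port is None:
            if self._next_port > self._max_port:
                raise RuntimeError("NAT port pool exhausted")   # new flows fail, old ones keep working
            port = self._next_port
            self._next_port += 1
            self._snat_out[key] = port
            self._snat_in[port] = key
        return Packet(self.external_ip, port, pkt.dst, pkt.dport)

    def un_snat(self, pkt: Packet) -> Optional[Packet]:
        """Reply external -> internal; None means no state exists and the packet is dropped."""
        if pkt.dst != self.external_ip:
            return None
        state = self._snat_in.get(pkt.dport)
        if state is None:
            return None
        src, sport = state
        return Packet(pkt.src, pkt.sport, src, sport)

    def dnat(self, pkt: Packet) -> Optional[Packet]:
        """Inbound to a published service; None if nothing is published on that port."""
        if pkt.dst != self.external_ip:
            return None
        target = self._dnat.get(pkt.dport)
        if target is None:
            return None
        return Packet(pkt.src, pkt.sport, target[0], target[1])


def overlapping_tenants_demo() -> Tuple[Packet, Packet]:
    """Two tenants both using 10.0.0.0/24: the same internal host 10.0.0.5:40000 in each
    leaves its own Edge with a different external address, so replies are unambiguous."""
    edge_a = EdgeNat("tenant-a", "192.0.2.10", "10.0.0.0/24")
    edge_b = EdgeNat("tenant-b", "192.0.2.20", "10.0.0.0/24")
    flow = Packet("10.0.0.5", 40000, "198.51.100.5", 443)
    return edge_a.snat(flow), edge_b.snat(flow)
```

Both translated packets carry the same NAT port (the first in each pool), and only the external address separates them; without a per-tenant Edge there would be no way to route the reply back to the right 10.0.0.5.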
    • Load Balancing
      • In the physical network this is usually provided by a dedicated appliance (e.g. an F5 device), which normally requires manual configuration for each new service.
      • NSX load balancing (on the NSX Edge) is fully programmable via the API and scales to support very demanding applications (up to 9 Gbps throughput, 1M concurrent connections).
  • Differentiate between physical and logical security constructs
      Physical security constructs are generally tied to dedicated hardware, inflexible, and difficult to integrate with automation. Logical security constructs in NSX are tightly integrated with vSphere, making rule creation faster and less error-prone; rules can reference dynamic groups and be configured through automation.

    • Service Composer
        Create security groups and policies that place VMs in specific groups dynamically (for example, move a VM to an isolated network when it is found to be infected).
        Simple dynamic security policies without the need for physical subnets, VLANs, ACLs or firewall rules.
    • Endpoint Security
        VMware endpoint service used by third parties to protect VMs without in-guest agents, e.g. for anti-virus and IDS/IPS.
        Ties in with Service Composer to allow automated provisioning of Security Virtual Appliances and orchestration of policy.
    • Data Security
        Requires vShield Endpoint.
        Provides visibility into sensitive data stored within VMs.
        Policy driven.
        Supports PCI, PHI and PII types of restricted data.

Tools

  • VMware NSX Network Virtualization Design Guide
  • NSX User’s Guide
