
Tuesday, December 14, 2021

NSX/DFW/IDS/NSX Intelligence

NSX

NSX is software-defined networking and security. It works with VXLAN, an overlay technique that carries L2 traffic over an L3 network.


Why VXLAN?

With a traditional network we have the following issues.

STP blocks redundant links to avoid loops in L2, so bandwidth we have already paid for is wasted.

Limited number of VLANs: the VLAN ID is 12 bits long, which gives 4094 usable VLANs. As data centre scale and the number of tenants increase, this number is not sufficient.


Benefits of VXLAN:

Segments the network the same way VLANs do, but the VNI field is 24 bits, so about 16 million VXLAN segments can be created.

Migration of VMs between two data centres is possible by tunnelling the traffic over the L3 network.

No need for STP for network convergence; L3 routing protocols are used for communication instead.

Isolation between different sets of users or departments can still be achieved in L2 with VLANs, but a router is still required to communicate between the different networks.


How does encapsulation happen?

Switches and routers participating in VXLAN have interfaces called VTEPs, which provide the connection between the underlay and the overlay.

Each interface has an IP address and a VNI. VTEP interfaces are used to create the tunnel that delivers the VXLAN frame.
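To make the encapsulation concrete, here is an added Python example (not NSX code, and not from the original post) that builds and parses the 8-byte VXLAN header from RFC 7348 the way a VTEP does before handing the frame to UDP port 4789. The VNI 5001 and the inner Ethernet frame are constructed sample values; the parser also shows the two checks a receiving VTEP should make, that the VNI-valid flag is set and that the frame belongs to the expected segment.

```python
import struct

# Added example: RFC 7348 VXLAN header handling, as a VTEP would do it.
# Not NSX code; the VNI and frame below are constructed sample values.
VXLAN_UDP_PORT = 4789        # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field carries a valid value
MAX_VNI = (1 << 24) - 1      # 24-bit field: 16,777,215 segments vs 4094 VLANs

def vni_fits(vni: int) -> bool:
    """True if the segment ID fits in the 24-bit VNI field."""
    return 0 <= vni <= MAX_VNI

def build_vxlan_header(vni: int) -> bytes:
    """8-byte header: flags(1) | reserved(3) | VNI(3) | reserved(1)."""
    if not vni_fits(vni):
        raise ValueError(f"VNI {vni} does not fit in 24 bits")
    # Pack the VNI into the top 3 bytes of the last 32-bit word; low byte is reserved (0).
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)

def parse_vxlan_header(header: bytes) -> int:
    """Return the VNI, rejecting frames whose VNI-valid flag is clear (RFC 7348 drops them)."""
    if len(header) < 8:
        raise ValueError("VXLAN header must be 8 bytes")
    flags, last_word = struct.unpack("!B3xI", header[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set; frame must be discarded")
    return last_word >> 8  # drop the reserved low byte

def encapsulate(inner_frame: bytes, vni: int) -> bytes:
    """Overlay payload handed to UDP/IP: VXLAN header followed by the original L2 frame."""
    return build_vxlan_header(vni) + inner_frame

def decapsulate(udp_payload: bytes, expected_vni: int) -> bytes:
    """Strip the header, enforcing that the frame belongs to the segment this VTEP serves."""
    vni = parse_vxlan_header(udp_payload)
    if vni != expected_vni:
        raise ValueError(f"frame for VNI {vni} received on VNI {expected_vni}")
    return udp_payload[8:]

# Constructed sample Ethernet frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
INNER_FRAME = bytes.fromhex("0c29aabbccdd0c29112233ff0800") + b"hello-overlay"

if __name__ == "__main__":
    wire = encapsulate(INNER_FRAME, 5001)
    print(wire[:8].hex(), "->", parse_vxlan_header(wire))  # 0800000000138900 -> 5001
    assert decapsulate(wire, 5001) == INNER_FRAME
```

Note that the header has no authentication or encryption field: the VNI alone decides which segment a frame lands in, which is why the underlay that carries VTEP traffic needs to be trusted or protected separately.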


NSX takes the features that are traditionally found on the hardware switch/router and brings those networking functions up into the hypervisor.


Distributed firewall:

With a traditional firewall the configuration is centralised, for example on the perimeter or edge, which is a single point of failure.

With a distributed firewall we have granularity: the firewall is installed on each hypervisor and enforced on each port.


Distributed Intrusion Detection and Prevention Service (IDS/IPS)

Distributed IDS/IPS monitors network traffic on the host for suspicious activity.

IDS detects intrusion attempts based on already known malicious instruction sequences. The patterns the IDS detects are known as signatures.

Signatures can be enabled based on severity. Signatures are automatically applied to your hosts after they are downloaded from the cloud maintained by Trustwave.

NSX Distributed IDS/IPS combines industry-leading signature sets, protocol decoders and anomaly detection-based mechanisms to hunt for known and unknown attacks in the traffic flow.


NSX Intelligence

Provides a visualization of the security posture of your on-premises VMware NSX Data Center environment. The visualization is based on the network traffic flows aggregated within a specified time period.

NSX Intelligence also assists you with micro-segmentation planning by making recommendations that are based on analytics, with enforcement through security policies.
