NSX

  1. NSX
  2. Policy
  3. L4-L7
  4. NSX controller
  5. Edge services gateway (ESG)
  6. Distributed logical router (DLR)
  7. BUM

NSX

  • logical switch (LSW) ≡ port-group with VXLAN support

Policy

  • on vNIC level ⇒ virtual endpoints only

L4-L7

  • virtual only

NSX controller

  • VXLAN settings on vSwitch
  • exchange
    • VNID-VTEP mapping
    • ARP tables for ARP suppression
    • addresses of controllers on ESXi
  • VNIC-MAC mapping is locally significant
  • ARP suppression
    1. VM sends ARP request
    2. ESXi intercepts the ARP request and asks the controller for the IP-MAC mapping
    3. ESXi sends the ARP reply itself, using the target's MAC as spoofed source MAC, if it received a response from the controller
    4. if no response from the controller – normal ARP flooding
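The ARP-suppression decision above as a small simulation (an added example, not NSX code or its API): the host either answers the request locally with the controller-supplied MAC as spoofed source, or falls back to flooding when the controller has no entry or is unreachable. The `Controller` and `ArpFrame` classes and all VNID/IP/MAC values are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Controller:
    # Constructed stand-in for the NSX controller's ARP tables: VNID -> {IP: MAC}.
    # In NSX these entries are learned from VM reports sent by each ESXi host.
    arp_tables: Dict[int, Dict[str, str]] = field(default_factory=dict)

    def lookup(self, vnid: int, ip: str) -> Optional[str]:
        return self.arp_tables.get(vnid, {}).get(ip)


@dataclass
class ArpFrame:
    src_mac: str
    dst_mac: str
    sender_ip: str
    target_ip: str
    op: str  # "request" or "reply"


def esxi_handle_arp(req: ArpFrame, vnid: int,
                    controller: Optional[Controller]) -> Tuple[str, ArpFrame]:
    """Decision taken by the ESXi host when a VM on logical switch `vnid` sends ARP.

    Returns ("reply", frame) when the host can answer on behalf of the target,
    ("flood", req) when the controller is unreachable (None) or has no mapping,
    and ("forward", req) for anything that is not an ARP request.
    """
    if req.op != "request":
        return ("forward", req)
    mac = controller.lookup(vnid, req.target_ip) if controller is not None else None
    if mac is None:
        # Step 4: no usable answer from the controller -> classic ARP flooding (BUM)
        return ("flood", req)
    # Step 3: the host replies itself; source MAC is the target VM's MAC (spoofed),
    # so the requesting VM cannot tell the reply did not come from the target.
    reply = ArpFrame(src_mac=mac, dst_mac=req.src_mac,
                     sender_ip=req.target_ip, target_ip=req.sender_ip, op="reply")
    return ("reply", reply)


if __name__ == "__main__":
    ctl = Controller({5001: {"10.0.0.20": "00:50:56:aa:bb:cc"}})
    req = ArpFrame("00:50:56:11:22:33", "ff:ff:ff:ff:ff:ff", "10.0.0.10", "10.0.0.20", "request")
    print(esxi_handle_arp(req, 5001, ctl))   # suppressed: local reply
    print(esxi_handle_arp(req, 5001, None))  # controller down: flood
```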

Edge services gateway (ESG)

  • L3 connection to outside: north-south
  • NAT, VPN, LB

Distributed logical router (DLR)

  • bridge between VXLAN and outside VLAN – on control VM
  • components:
    • control VM ≡ VRF control plane
      • centralized router for all ESXi (east-west)
      • OSPF or BGP with ESG
      • Active/Standby, same host
    • kernel module ≡ VRF data plane
      • RIB is filled by NSX controller
      • connects to LSW via logical interface
      • distributed GW: common IP and vMAC (not changed after vMotion)
  • inter-VNI routing = asymmetric RIB
  • OSPF
    • redistributes connected networks as LSA5
    • Forwarding Address = DLR kernel address

BUM

  • IGMP and PIM ≡ extra CPU load
  • underlay mcast → VNID
  • UTEP
    • receives unicast replication from other underlay subnets
    • received replication is distributed over L2: mcast (MTEP) or unicast
    • does not require PIM