In other words, the network hardware does not have to use MPLS, 802.1q VLANs, VRFs, or other network abstractions to create securely separated, multi-tenant networks. Instead, the NSX controlled vSwitch handles this by tunneling hypervisor-to-hypervisor traffic in an overlay. The underlying network's responsibility is merely to forward the overlay traffic.
For engineers thinking this forwarding model through, broadcast, multicast, and unknown unicast (BUM) traffic that requires flooding might seem to pose a problem, as BUM frames would be hidden from the underlying network hardware by the overlay. Hedlund says that "at the edge hypervisor, we have visibility into all of the end hosts. When a VM turns on, we know its IP address and MAC address right away. We don't have to glean that or learn that through networking protocols." Since all the endpoints are known to NSX, there's no requirement for unknown unicast flooding. Multicast and broadcast packets are copied from hypervisor to hypervisor.
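To make that forwarding model concrete, here is a small simulation added for this article (it is not VMware or NSX code): a controller table populated at VM power-on and keyed on (segment id, MAC), and a vSwitch decision that tunnels known unicast to the owning hypervisor, head-end replicates broadcast and multicast to the hypervisors on the same segment, and drops unknown unicast rather than flooding it. The `vni` segment field, the hypervisor names and the MAC addresses are constructed for the example; keying on the segment is what keeps two tenants that reuse the same MAC apart.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    vni: int        # overlay segment id: one logical switch per tenant network (constructed)
    src_mac: str
    dst_mac: str


def is_bum(mac: str) -> bool:
    """Broadcast or multicast: low bit of the first octet is set (broadcast is the all-ones case)."""
    return int(mac.split(":")[0], 16) & 1 == 1


class Controller:
    """Controller-side view of every endpoint, filled in when a VM powers on,
    never learned by flooding frames through the physical network."""

    def __init__(self):
        self.locations = {}  # (vni, mac) -> hypervisor hosting that VM

    def vm_powered_on(self, hypervisor: str, vni: int, mac: str) -> None:
        self.locations[(vni, mac)] = hypervisor

    def lookup(self, vni: int, mac: str):
        return self.locations.get((vni, mac))

    def members(self, vni: int) -> frozenset:
        """Hypervisors with at least one VM on this segment: the replication list for BUM."""
        return frozenset(hv for (v, _), hv in self.locations.items() if v == vni)


def forward(ctl: Controller, local_hv: str, frame: Frame):
    """Decide what the vSwitch on local_hv does with a frame sent by one of its VMs.
    Returns (action, tunnel_targets). Lookups are keyed on (vni, mac), so a MAC
    that exists only on another tenant's segment is never a match."""
    if is_bum(frame.dst_mac):
        # head-end replication: one tunneled copy per remote hypervisor on this segment
        return "replicate", ctl.members(frame.vni) - {local_hv}
    owner = ctl.lookup(frame.vni, frame.dst_mac)
    if owner is None:
        # unknown unicast: the controller knows every VM, so nothing is flooded
        return "drop", frozenset()
    if owner == local_hv:
        return "local", frozenset()  # delivered on the local vSwitch, no tunnel
    return "tunnel", frozenset({owner})
```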
Overlays are not all there is to the NSX network virtualization message, though. Scott Lowe, VMware engineer architect, says "one of the huge value-adds for NSX is we can now bring L4-L7 network services into the virtual networks and be able to provide these services and instantiate them and manage them as part of that virtual network."
And by L4-L7 network services, he means distributed firewalls and load-balancers. As a part of NSX, VMware offers these additional components because it allows for greater network efficiency. In traditional network models, centralized firewalls and load-balancers must have traffic steered to them for processing. For host-to-host traffic contained within a data center, this means the direct path between hosts must be ignored in favor of the host-to-host path that includes the network appliance.
NSX addresses this issue by placing these services inline at the network edge, as a part of the hypervisor vSwitch traffic flow. What's more, these services are managed by the NSX controller, reducing the elements a network operator is responsible for.
Despite the availability of NSX's L4-L7 services, VMware recognized that customers might want additional capabilities, so NSX will include support for third-party appliances. "We're not going to try to be the best load-balancer in the world or the best firewall in the world and beat everybody at features," Hedlund says. "We're going to try and provide 80% - most of the features a customer would deploy. But if there's that extra feature you need from a specific firewall or load-balancer, we want to provide a platform for those to be integrated in."
Indeed, VMware announced NSX with a budding partner ecosystem, listing Arista, Brocade, Cumulus, Palo Alto Networks, Citrix, F5, Symantec, and several others as vendors with products that integrate into the NSX environment.