
Category Archives: Networking

VXLAN Series – How VTEP Learns and Creates Forwarding Table – Part 5

In this post I am going to describe how VTEPs learn about the virtual machines connected to the logical Layer 2 networks. The learning process is quite similar to the transparent bridge function. Just as transparent bridges learn from the packets received on their bridge ports, a VTEP learns from the inner and outer headers of the packets it receives.

Let’s take an example to illustrate the VTEP learning process.

Example Deployment with Two Hosts


Download DMZ Design and Deployment Guide

I am happy to announce the availability of the VMware vCloud Networking and Security – DMZ Design and Deployment Guide. This paper highlights how securing a virtual DMZ environment using vCloud Networking and Security can be a strategic enabler for your organization: it helps you reduce capital expenditure and increase agility, while building a cloud-ready, secure and scalable environment for business applications. The paper also describes the different design approaches to securing business-critical applications and helps you choose the one best suited to your organization on its cloud journey. Further, it gives prescriptive configuration guidance to help you get started with the deployment of your preferred approach.

Get notification of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.

VXLAN Series – Multiple logical networks mapped to one Multicast group address – Part 4

In this post I am going to address a common question about the security and performance impact when multiple logical Layer 2 networks are mapped to one multicast group address.

As mentioned in an earlier post here, vCloud Networking and Security (vCNS) Manager is responsible for mapping the logical Layer 2 networks to multicast group addresses. If you provide fewer multicast group addresses than there are logical Layer 2 networks, vCNS Manager assigns the logical Layer 2 networks to the multicast addresses in a round-robin fashion. For example, if there are 4 logical L2 networks (A1, A2, A3, A4) and 2 multicast group addresses (M1, M2), logical networks A1 and A3 will be mapped to multicast group address M1, while A2 and A4 are mapped to M2.
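The round-robin assignment above, as an added illustration (not VMware code), together with a helper that shows the performance-relevant consequence of sharing a group: a VTEP joins a multicast group whenever it hosts a VM on any logical network mapped to that group, so it also receives flooded traffic for the other networks sharing the group. The VTEP names, group addresses and VM placement are constructed sample data.

```python
"""Round-robin mapping of VXLAN logical networks to multicast groups.

Added illustration, not VMware's implementation: models the vCNS Manager
behaviour described in the post and computes which VTEPs receive flooded
(broadcast / unknown-unicast / multicast) traffic when groups are shared.
"""
from collections import defaultdict


def assign_multicast_groups(logical_networks, multicast_groups):
    """Map each logical network to a group in round-robin order.
    With 4 networks and 2 groups: A1, A3 -> M1 and A2, A4 -> M2."""
    if not multicast_groups:
        raise ValueError("at least one multicast group address is required")
    return {net: multicast_groups[i % len(multicast_groups)]
            for i, net in enumerate(logical_networks)}


def flood_receivers(mapping, vtep_networks):
    """For each logical network, the set of VTEPs that receive its flooded
    traffic. A VTEP that joined a group for one network also receives the
    frames of every other network mapped to that group; it discards them
    based on the VNI in the VXLAN header, but they still cross the fabric."""
    group_members = defaultdict(set)
    for vtep, nets in vtep_networks.items():
        for net in nets:
            group_members[mapping[net]].add(vtep)
    return {net: group_members[group] for net, group in mapping.items()}


def extra_receivers(mapping, vtep_networks):
    """VTEPs that receive flooded traffic for a network they do not host."""
    receivers = flood_receivers(mapping, vtep_networks)
    hosts = {net: {v for v, nets in vtep_networks.items() if net in nets}
             for net in mapping}
    return {net: receivers[net] - hosts[net] for net in mapping}


# Constructed sample: four logical networks, two group addresses, three VTEPs.
NETS = ["A1", "A2", "A3", "A4"]
GROUPS = ["239.1.1.1", "239.1.1.2"]
VTEPS = {"vtep1": {"A1"}, "vtep2": {"A3"}, "vtep3": {"A2", "A4"}}

if __name__ == "__main__":
    mapping = assign_multicast_groups(NETS, GROUPS)
    print(mapping)
    print(extra_receivers(mapping, VTEPS))
```

With the sample placement, vtep2 receives A1's flooded traffic and vtep1 receives A3's, although neither hosts a VM on that network; A2 and A4 share a group but sit on the same VTEP, so no extra receivers appear.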


VXLAN Series – Multicast usage in VXLAN – Part 3

I covered some basics on Multicast in the last blog entry here. Let’s now take a look at how multicast is utilized in VXLAN deployments. During the configuration of VXLAN, it is required to allocate a multicast address range and also to define the number of logical Layer 2 networks that will be created. For more details on the configuration steps please refer to the VXLAN Deployment Guide.

Ideally, one logical Layer 2 network is associated with one multicast group address. Sixteen million logical Layer 2 networks can be identified in VXLAN, using the 24-bit field in the encapsulation header, but the multicast group addresses are limited (224.0.0.0 to 239.255.255.255). In some scenarios it might not be possible to have a one-to-one mapping of a logical Layer 2 network to a multicast group address. In such scenarios the vCloud Networking and Security Manager maps multiple logical networks to a single multicast group address. After this discussion of the association of multicast groups to logical networks, let’s take a look at some details of the logical network properties.


Using App Firewall with VXLAN Networks

VMware vCloud Networking and Security App Firewall is a hypervisor-based firewall that protects applications in the virtual datacenter from network-based attacks. In this blog, let’s look at how to micro-segment a VXLAN network to deploy a 3-tier application using vCloud Networking and Security 5.1 App Firewall.

Use Case

Each application is deployed using a separate VXLAN network as shown below. To keep the diagram simple, only one application is shown. The application has three tiers – web, app and db.


VXLAN Series – Multicast Basics – Part 2

In the last post here, I provided some details on vSphere hosts configured as VTEPs in a VXLAN deployment. I also briefly mentioned that Multicast protocol support is required in the physical network for VXLAN to work. Before I discuss how Multicast is utilized in a VXLAN deployment, I want to briefly cover some of the basics of Multicast.

In the diagram below you see three main types of communication modes that are common in a network – Unicast, Broadcast and Multicast.

Figure 1


VXLAN Series – Different Components – Part 1

In the last six months, I have talked to many customers and partners about Virtual eXtensible Local Area Network (VXLAN). One of the things I found challenging was how to explain the technology to two different types of audience. On one hand, there are Virtual Infrastructure administrators who want to know what problems this new technology is going to solve for them and what the use cases are. On the other hand, there are Networking folks who want to dig into packet flows and all the intricate protocol-level details, how this technology compares with others, what its impact is on the physical devices in the network, and so on.

The papers that we have made available, “Network Virtualization Design Guide” and “VXLAN Deployment Guide”, provide some basic knowledge about the technology, its use cases, and step-by-step deployment instructions. However, some of the detailed packet flow scenarios are not explained in these papers. So I thought it would be a good idea to put together a series of posts discussing the packet flows in a VXLAN environment. There are also many common questions that I would like to address as part of this series.

To start this series, I will first describe the different components of VMware’s VXLAN implementation.


New Hands-on Lab – An In-depth Exploration of vCloud Networking and Security

Over the last few months, you have seen my blog articles on the vCloud Networking and Security solution. Some of you may have even been inspired to try it, but were not able to set aside or configure infrastructure to do any testing. Well, here’s your chance to get hands-on experience with everything that I wrote about, without committing any equipment in your lab.

HOL-SDC-1303 – An In-depth Exploration of vCloud Networking and Security is a brand-new hands-on lab that walks you through vCloud Networking and Security with a use-case based approach. You can explore all of the following areas using this lab.

  • Prepare vSphere clusters for VXLAN logical network deployment
  • Logical network (VXLAN) provisioning
  • Connect the three-tier application virtual machines to logical networks and test connectivity between virtual machines on the same logical network
  • Deploy Edge Gateway and connect logical networks. Verify connectivity between virtual machines connected to different logical networks by using Edge Gateway
  • Define SNAT rule for accessing external (VLAN) network from virtual machines connected to VXLAN networks
  • Publish three-tier application web service using Edge load balancing
  • Configure Edge firewall rules to only open required ports and protocols between tiers of the application
  • Configure Edge High Availability
  • Micro-segmentation using App Firewall
  • Flow monitoring using App Firewall

This lab is now available in the VMware Hands-on Lab portal. This online environment lets you run a wide variety of labs from any web browser, and is free to anyone. You can register for access by visiting http://hol.vmware.com, where you can also find documentation, community discussions, and the HOL blog. Search for HOL-SDC-1303 in the catalog after logging in to the Hands-on Lab portal.

I would like to thank Ray Budavari, Bill Call, Charu Chaubal, Joseph Dieckhans, Andrew Hald and Pablo Roesch for all their help in making this hands-on-lab available.

Get notification of these blogs and more vCloud Networking and Security information by following me on Twitter @vCloudNetSec.

Where is the virtual adapter migrating option in Next Generation Client?

Today while I was working in a lab, I struggled to find where the migration option for the vmknics is in the new NGC client. In the traditional client, as shown in the screen shot below, you can select the virtual adapter and then either change the properties of the adapter or migrate it to another switch.

Traditional Client Screen Shot


vCloud Networking and Security 5.1 Edge SSL VPN Configuration

The content for this blog is created by Trevor Gerdes (@trevorgerdes). Posting it here with minor changes.

VMware vCloud Networking and Security Edge Gateway is part of the vCloud Networking and Security solution and provides network edge security and gateway services such as DHCP, VPN, NAT, Firewall, Load Balancing, IPsec VPN and SSL VPN. In this blog, we will look at the details of configuring the SSL VPN function to allow remote users to connect securely to private networks behind an Edge Gateway.

Edge Gateway supports 25 simultaneous connections from SSL VPN clients on the Compact version and 100 simultaneous connections from SSL VPN clients on the Large version. The X-Large appliance does not support SSL VPN.
