This is time-consuming and laborious work. Whenever a business system needs new functions, or two business systems need to access each other, the data center network has to be adjusted. The process is not only slow, it also has to be done with great care to avoid a misconfiguration that interrupts the network.
Traditional data center: each business system is isolated from the others at the hardware level
In a software-defined data center based on vSphere, each virtual machine's network is connected to a virtual switch provided by the hypervisor. Because this switch spans every physical server in the vSphere cluster, it is called a distributed switch (Distributed Switch). All virtual machine network traffic passes through this virtual switch, which forwards packets to their destination over the underlying physical network. Since all network communication already goes through virtual-switch software, more network functions can naturally be delivered in software as well; that software is VMware NSX.
How network virtualization works
NSX provides virtual networks for virtual machines and isolates them from the physical network. Network services no longer depend on specific physical network equipment, which gives users more freedom in choosing and purchasing hardware. NSX can provide almost every network service on the virtual network, such as routing, load balancing and firewalling. Beyond these standard functions, NSX can also provide capabilities that a traditional physical network cannot deliver at all, or can deliver only at great cost:
• East-west firewall: traffic within the data center is usually called east-west traffic, and traffic between the data center and the outside world is called north-south traffic. Most data centers place firewalls only at the external network boundary, on the assumption that intrusions come from outside and the inside of the data center is relatively safe.
With hardware firewalls, enforcing this inside the data center would mean placing a firewall between every pair of business systems. Apart from the large hardware investment, simply writing and maintaining the rule sets would be an enormous workload, so no data center does it. NSX can do it easily in software, which minimizes the risk of intrusion from inside the data center: even if an attacker compromises one application, that foothold does not give access to the other systems in the data center.
• Micro-segmentation: a traditional physical network uses physical segments or VLANs to isolate networks, and that isolation follows the physical topology (virtual machines in the same segment on the same server are not isolated from each other). Changing a segment means changing the physical network or the VLANs, which is not an easy job. Micro-segmentation (Micro-segmentation) is a distributed firewall: every virtual machine has its own firewall, so isolating any virtual machine from the others is straightforward.
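To make the two points above concrete, here is an added example in Python (it is not NSX code and not from the original article) that models a distributed firewall with micro-segmentation: every VM enforces the same ordered, tag-based rule set at its own virtual NIC, so two business systems that share one IP segment, and even the same physical host, stay isolated, and a compromised web server still cannot reach the other system's database. The VM names, tags, IP addresses, host names and rules are constructed for illustration.

```python
"""A distributed, per-VM firewall with micro-segmentation, modelled in plain Python.

Added illustration, not NSX's own code or API. VMs carry tags for the business
system and tier they belong to, and one ordered rule set is enforced at every
VM's virtual NIC, so isolation does not depend on which host a VM runs on or on
VLANs. Names, tags, addresses and hosts below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str               # physical ESXi host the VM currently runs on
    tags: FrozenSet[str]    # security groups, e.g. {"app:crm", "tier:web"}


@dataclass(frozen=True)
class Rule:
    name: str
    src: FrozenSet[str]     # tags the source VM must carry (all of them); empty = any source
    dst: FrozenSet[str]     # tags the destination VM must carry; empty = any destination
    ports: FrozenSet[int]   # destination TCP ports; empty = any port
    action: str             # "allow" or "drop"


# Constructed stand-in for north-south traffic arriving from outside the data center.
EXTERNAL = VM("internet", "203.0.113.10", "-", frozenset({"external"}))


class DistributedFirewall:
    """One ordered policy, evaluated independently at each VM's vNIC (first match wins)."""

    def __init__(self, rules: List[Rule], default_action: str = "drop"):
        self.rules = rules
        self.default_action = default_action

    def decide(self, src: VM, dst: VM, port: int) -> Tuple[str, str]:
        """Return (action, rule_name) for one flow; rule_name is 'default' when nothing matched."""
        for rule in self.rules:
            if (rule.src <= src.tags and rule.dst <= dst.tags
                    and (not rule.ports or port in rule.ports)):
                return rule.action, rule.name
        return self.default_action, "default"

    def evaluate(self, src: VM, dst: VM, port: int) -> str:
        return self.decide(src, dst, port)[0]


def allowed_east_west(fw: DistributedFirewall, vms: Dict[str, VM],
                      ports: Iterable[int]) -> List[Tuple[str, str, int]]:
    """Every VM-to-VM flow the policy permits; every other flow is dropped at the vNIC."""
    allowed = []
    for src in vms.values():
        for dst in vms.values():
            if src is dst:
                continue
            for port in ports:
                if fw.evaluate(src, dst, port) == "allow":
                    allowed.append((src.name, dst.name, port))
    return sorted(allowed)


# Two business systems (CRM and HR) on ONE shared 10.0.1.0/24 segment, with their VMs
# spread across the same two hosts: no VLAN or subnet separates them.
VMS: Dict[str, VM] = {
    "crm-web": VM("crm-web", "10.0.1.11", "esx01", frozenset({"app:crm", "tier:web"})),
    "crm-db":  VM("crm-db",  "10.0.1.21", "esx02", frozenset({"app:crm", "tier:db"})),
    "hr-web":  VM("hr-web",  "10.0.1.12", "esx02", frozenset({"app:hr",  "tier:web"})),
    "hr-db":   VM("hr-db",   "10.0.1.22", "esx01", frozenset({"app:hr",  "tier:db"})),
}

# Only the flows each application actually needs are allowed; everything else hits the
# default drop, including web-to-web and cross-application traffic.
POLICY = DistributedFirewall([
    Rule("north-south-to-web", frozenset({"external"}), frozenset({"tier:web"}),
         frozenset({443}), "allow"),
    Rule("crm-web-to-crm-db", frozenset({"app:crm", "tier:web"}),
         frozenset({"app:crm", "tier:db"}), frozenset({3306}), "allow"),
    Rule("hr-web-to-hr-db", frozenset({"app:hr", "tier:web"}),
         frozenset({"app:hr", "tier:db"}), frozenset({5432}), "allow"),
])

if __name__ == "__main__":
    for flow in allowed_east_west(POLICY, VMS, (22, 443, 3306, 5432)):
        print("allow", *flow)
    # crm-web and hr-db share host esx01 and the same segment, yet the flow is still dropped.
    print("crm-web -> hr-db:5432 ->", POLICY.decide(VMS["crm-web"], VMS["hr-db"], 5432))
```

The policy is written once against tags rather than addresses, so moving a VM to another host or re-addressing it changes nothing in the rule set; that is the property the next paragraphs rely on when they talk about simplified planning and failover.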
Software-defined data center:
each business system is isolated from the others on the NSX virtual network platform while sharing the same physical network
The NSX virtual network platform no longer requires physical network isolation for each business system. Standard switches and routers are enough to connect the whole data center into one large network; NSX provides isolation at the virtual network layer according to business requirements (using micro-segmentation). This greatly simplifies planning and managing the data center network, reduces the purchase cost of network equipment, and also cuts the cost of network operations and management.
On the NSX virtual network, the functions that a traditional network provides in hardware, routing (RT – Routing), switching (SW – Switching), load balancing (LB – Load Balancing) and the firewall (FW – Firewall), are all implemented in software, which gives much greater flexibility.
NSX has three main application scenarios:
• Data center network security: as described above, the distributed software firewall and micro-segmentation greatly simplify network security management in the data center, and achieve a higher level of protection than is practical in a physical network environment.
• IT automation: because the virtual network functions are implemented in software, network devices can be created dynamically with commands, and network configuration and security policy parameters can be adjusted the same way, which enables data center IT automation.
• Business continuity: a virtual machine's network environment is provided by the virtual network, so when a failover occurs the virtual machine does not need to change any network parameter, including its IP address. NSX moves the entire virtual network environment the virtual machine depends on, together with the corresponding network security policies, to the new server where it runs, which preserves business continuity.
IE-LAB, with its experienced instructors, comprehensive learning platform and complete teaching services, has trained batch after batch of HCIE/CCIE students. Join us and achieve your future.