Understanding VMware NSX Control Plane

In this post we'll discuss about NSX control plane in detail. I'll describe the  NSX controllers and functions along with NSX Controller workload distribution. We'll also identify the user world agent in the control plane and the control plane component interactions.


NSX Control Plane

The NSX Control plane runs in the VMware NSX Controller cluster. NSX Controller is an advanced distributed state management system that provides control plane functions for NSX logical switching and routing functions. It is the central control point for all logical switches within a network and maintains information about all hosts, logical switches (VXLANs), and distributed logical routers.






About NSX Controller

NSX Controller provides several benefits:
  • VXLAN and logical routing network information distribution to ESXi hosts
  • Clustering for scale out and high availability
  • Workload distribution among NSX Controllers cluster nodes
  • Maintenance of tables for VXLAN and DLRs
  • Removal of VXLAN dependency on multicast routing and protocol independent multicast in the physical network
  • Suppression of ARP broadcast traffic in VXLAN networks.
NSX Controller is an advanced distributed state management system that controls virtual networks and overlay transport tunnels.


NSX Controller Functions

NSX Controller clusters are responsible for managing various tables for the following logical components:
  • Logical switches
  • DLRs
Additionally, NSX Controllers clusters are responsible for updating ESXi host on the state of logical network components.



NSX Controller Workload Distribution

The NSX Controller cluster must perform the following operations:

  • Dynamically distribute workloads across all available NSX Controller cluster nodes
  • Redistribute workloads when a cluster member is added
  • Have the ability to sustain failure of any cluster node
  • Perform the workload distribution so that it is transparent to applications

To achieve these functions, NSX Controller uses sharding distribute workloads across NSX controller cluster nodes.

Sharding is used to distribute workloads across NSX Controller cluster nodes. Sharding is the action of dividing the NSX Controller workloads into different shards so that each NSX Controller instance has an equal portion of work.



Sharding Assignment

When NSX Controller cluster is made aware of the objects beign created, it performs the following tasks:
  1. For a given cluster role, create a number of shards.
  2. Define objects that are to be sharded.
  3. Assign objects to their shards.

These shards are assigned to the different NSX Controller instances in that cluster. The master for a role decides whitch NSX Controller instances are assigned to which shard in the cluster.



Sharding Distribution

Sharding automatically distributes workloads across NSX Controller cluster nodes. Each numbered box on the shard represents shards that the master uses to divide the workloads. The logical switch master divides the logical switches into shards and assigns these shards to different NSX COntroller instances. The master for logical router also divides the logical routers into shards and assigns these shards to different NSX Controller instances.



If a request comes in on router shard 3, that shard is told to connect to third NSX Controller instance. If a request comes in on logical switch shard 2, that request is processed by the second NSX Controller instances.



Shard Redistribution

When an NSX Controller cluster node fails, the controller-clustering service redistributres shards among the remaining nodes.
Shard redistribution occurs in the following situations:

  • Creation of NSX Controller cluster
  • Increase in the number of available NSX Controller nodes in the cluster
  • Reduction in the number of NSX Controller nodes in the cluster



Control Plane Security

The control plane is secured with SSL encryption by using certificates that are managed by NSX Manager:
  • All NSX Controller communication is protected with SSL encryption over the management network.
  • NSX Manager creates and installs self-signed certificates to each ESXi host and NSX Controller cluster.
  • Mutual authentication of NSX entities occurs by verifying certificates.


Control Plane User World Agents: netcpa and vsfwd

netcpa has following responsibilities:
  • It uses SSL to secure the communication with NSX Controller instances.
  • It mediates between NSX Controller instances and the hypervisor kernel module, except the distributed firewall.
  • It sends information about virtual machine netowork connectivity, MAC address, and IP address to NSX Controller.
  • It retrieves configuration from NSX Manager through the message bus agent vsfwd.

Control plane agent (netcpa) is a TCP (SSL) client that communicates with the controller using the control plane protocol. netcpa might connect to multiple controllers. It communicates with the message bus client (vsfwd) to retrieve control plane related information from NSX Manager.



Management and Control Plane Agent Interactions

User workls agents are deployed by NSX Manger on ESXi hosts through ESX Agent Manager during host preperation. Each ESXi host runs two user world agents (UWA) that include the message client (vsfwd) and control plane agent (netcpa).

Comments

Popular posts from this blog

Specifying SSH port in Ansible Inventory

Ansible-Playbook to display output of multiple show commands (using stdout_lines with Loop)

Filtering Routes in BGP using Route-maps and Prefix-list

Ansible Playbook for Network OS Upgrade with pre and post checks

VMware NSX Traffic Flow — East-West & North-South

Bypassing Proxy Server in Google Chrome

Export or Backup Azure Network Security Groups into CSV using PowerShell

Ansible-playbook for backing up running config of Cisco IOS