You are just amazing Mike. Most simplified explanation possible ❤❤
Thank you!
You're my hero - Sending this one to my customers FOR SURE.
Possibly the most simple explanation of overlay networking that I have ever seen in 15 mins.
Thank you so much for explaining it from a VMware Admin perspective as it was easy to grasp it.
Very well explained, especially the comment around a Layer 2/3 device only being concerned with certain fields in the ethernet packet. Nicely put!
Thanks, this is much more info in just 15 mins... thanks a lot!
Oh man, such great skills you have at explaining! Voice, personality! Good stuff man.
Thank you Jorge! I dislike my own voice, so I'm glad someone thinks it's good for this stuff! :)
Awesome, thanks Mike!
This was a great explanation. I am not a network engineer by any stretch. My speciality is Virtualization. The overlay and underlay terms have been very confusing to me. I could never figure out how I could specify a segment in the NSX overlay and the network SAs not track me down and slap my hands.
So correct me if I am wrong. What I took from your explanation is the edge VTEP IP is what the physical network is using at L3 for the packet IP header when routing out?
Thanks Erik! Edge TEP is only used when talking to other NSXT hosts (your vsphere hosts). It goes like this- VM A on host5 wants to talk to the internet. Packet is encapsulated by host5 with GENEVE- sent to the edge (source is host5 TEP, destination is edge TEP). Edge receives it and strips the overlay encapsulation entirely off. Now the source IP is VM A, and destination is the internet server. So the underlay never sees VM->VM IPs (due to being encapsulated between hosts), but WILL see those VM IPs if they exit the NSXT environment. Make sense?
I assume that means that the subnet that is assigned to an Overlay segment has to be a range that will not conflict with another VLAN-backed subnet in the physical network? Meaning that if a subnet is assigned to an NSX-T segment it has to own it completely? You can't have a situation where physical hosts are being assigned the same IPs as VMs sitting in NSX-T on the same subnet? Especially if VMs are reaching out across the physical network to access DBs or NAS or VMs in other separate NSX-T instances?
Hi, I'm not from a network background but this explained overlay networking with GENEVE much better to me. Got a question. When the original packet of Data, Inner IP and Inner Eth Header is wrapped by a GENEVE header for encapsulation and a VNI id is generated, then how would the outer IP find the destination TEP IP to pass the data along with the other Eth header to find the destination MAC address of the host?
Man you are amazing... very well explained
Hey Mike: I am starting with nsx now. I actually come from a physical network background.
Do you have any videos to spin up an NSX lab end to end? Right from spinning up ESXi, vCenter and NSX? I know you have an NSX demo, but for ESXi and vCenter? Like a step-by-step video to set up in my lab or something.
Had a solution architect wanting to run a MetroCluster and use NSX to replace OTV. I asked what will stretch the management L2 VLAN. He said NSX. I said you don't put your management and run your vCenter and controllers on an overlay.
I love NSX, but I would not put management on an overlay (NSX or otherwise) if it were my environment!
Firstly... Mate, your vids are amazing and I'm a big fan of your stuff..... One question though, is there any way to encrypt traffic in NSX? I always thought the encapsulation was encrypted but I'm finding out it's not... i.e. the separation between customers really needs to be encrypted E/W if you have multi-tenancy. Thoughts?
Nah, no encryption as of now for E-W traffic. Regarding the multi-tenant thing..I understand the concern and it's a valid one. In a nutshell, with NSX-T, you DO have the option to have separate infrastructure (virtual routers/T0/T1/Edges) and even Transport Nodes (vSphere Hosts/ESXi hosts). So if segmentation is a concern you can definitely ensure that no traffic can leak between tenants. That is the approach I'd take assuming there is great concern on tenant->tenant access. Obviously it doesn't solve the unencrypted thing though.
@NRDYTech great stuff... keep up the amazing work too. Best wishes from the UK!
Hello,
Thanks for your video.
Just to be sure I understand correctly: the overlay network is internal to the NSX-T components,
and if I try to contact a server on my physical network the "external world" doesn't see the GENEVE encapsulation, just the classic packet, exact?
Correct! You got it.
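As an added illustration (not code from the video or from NSX-T) of the flow Mike describes in this thread: host5 wraps VM A's frame in GENEVE with its own TEP as source and the Edge TEP as destination, an underlay router only ever looks at those TEP addresses, and the Edge strips the encapsulation so the packet leaving NSX-T carries VM A's IP. It also shows the point made about E-W traffic: the inner frame travels inside the GENEVE packet in the clear. All addresses, MACs and the VNI are constructed sample values; the header layouts follow RFC 8926 (GENEVE on UDP 6081, Ethernet protocol type 0x6558).

```python
import struct
from ipaddress import IPv4Address

GENEVE_UDP_PORT = 6081   # IANA port for GENEVE (RFC 8926)
# Constructed sample values for the walk-through, not from the thread.
HOST5_TEP, EDGE_TEP = "192.168.100.5", "192.168.100.50"   # assumed TEP IPs
VM_A, INTERNET, VNI = "10.10.10.21", "203.0.113.7", 65537  # assumed VM, server, segment VNI

def ipv4_header(src, dst, proto, payload_len):
    """Minimal IPv4 header (checksum left 0; irrelevant for the illustration)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)

def inner_frame(src_ip, dst_ip, payload):
    """The frame VM A emits: Ethernet (constructed MACs) + IPv4 + L4 payload bytes."""
    eth = bytes.fromhex("00505600000b00505600000a0800")   # dst MAC, src MAC, 0x0800
    return eth + ipv4_header(src_ip, dst_ip, 17, len(payload)) + payload

def encapsulate(frame, src_tep, dst_tep, vni):
    """What host5 does: outer IPv4 (TEP -> TEP) / UDP 6081 / GENEVE / inner frame.
    GENEVE base header: ver=0, optlen=0, flags=0, proto 0x6558 (Ethernet), VNI<<8."""
    geneve = struct.pack("!BBHI", 0, 0, 0x6558, vni << 8) + frame
    udp = struct.pack("!HHHH", 49152, GENEVE_UDP_PORT, 8 + len(geneve), 0) + geneve
    return ipv4_header(src_tep, dst_tep, 17, len(udp)) + udp

def underlay_view(packet):
    """All an underlay L3 device looks at: the outer source/destination IPs."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    return str(IPv4Address(src)), str(IPv4Address(dst))

def decapsulate(packet):
    """What the Edge does: strip outer IP/UDP/GENEVE, return (VNI, inner frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if struct.unpack("!H", packet[ihl + 2:ihl + 4])[0] != GENEVE_UDP_PORT:
        raise ValueError("not a GENEVE packet")
    geneve = packet[ihl + 8:ihl + 16]
    optlen = (geneve[0] & 0x3F) * 4              # variable-length option words
    vni = struct.unpack("!I", geneve[4:8])[0] >> 8
    return vni, packet[ihl + 16 + optlen:]

def inner_ips(frame):
    """Source/destination of the inner IPv4 header (after the 14-byte Ethernet header)."""
    src, dst = struct.unpack("!4s4s", frame[26:34])
    return str(IPv4Address(src)), str(IPv4Address(dst))

if __name__ == "__main__":
    wire = encapsulate(inner_frame(VM_A, INTERNET, b"GET / HTTP/1.0\r\n"), HOST5_TEP, EDGE_TEP, VNI)
    print("underlay sees:", underlay_view(wire))                # TEP -> TEP only
    vni, stripped = decapsulate(wire)
    print("edge forwards:", inner_ips(stripped), "from VNI", vni)  # VM A -> internet
    print("payload readable on the underlay:", b"GET /" in wire)   # True: no E-W encryption
```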
Hi Mike, can you do something about VPN within NSX-T?
Hi sir, can I ask you some questions about LB on NSX-T?
What's up?