Learn NSX – Part-01

As promised in my last post , here  comes the first part of NSX learning….

NSX for vSphere creates a network virtualization layer on top of which all virtual networks are created. This layer is an abstraction between the physical and virtual networks. The components required to create this network virtualization layer are:

  • vCenter Server
  • NSX Manager
  • NSX Controller
  • NSX Virtual Switch
  • NSX for vSphere API


As per the above figure , these components are separated into three different planes to create communications boundaries and provide isolation of workload data from system control messages:

  • Data plane
  • Control plane
  • Management plane

Data Plane –  The NSX data plane is implemented by the NSX vSwitch. The vSwitch in NSX for vSphere is based on the VDS with additional components added to enable rich services. The add-on NSX components include kernel modules distributed as VMware installation bundles (VIBs). These modules run within the hypervisor kernel, providing services including distributed routing, distributed firewall, and VXLAN to VLAN bridging. The NSX VDS abstracts the physical network, providing access-level switching in the hypervisor. This is central to network virtualization as it enables logical networks that are independent of physical constructs (e.g., VLANs).
The NSX vSwitch enables support for overlay networking with the use of the
VXLAN protocol and centralized network configuration.Overlay networking with NSX enables the following capabilities:

• Creation of a flexible logical layer 2 (L2) overlay over existing IP networks on
existing physical infrastructure.
• Agile provisioning of communication – both east–west and north–south –
while maintaining isolation between tenants.
• Application workloads and VMs that are agnostic of the overlay network, operating as if   they were connected to a physical network.

The data plane also consists of gateway devices that can provide communication
from the logical networking space to the physical network (e.g., VXLAN to
VLAN). This functionality can happen at either L2 (NSX bridging) or at L3 (NSX

In Simple English ” Where your Data Runs ” , if any Management Plane (NSX Manager)  or Control Plane (NSX controller ) is Down , still your data traffic is not affected .

Control Plane – The control plane is where network virtualization control messages are located. The NSX controller is a key part of the NSX control plane. In a vSphere environment with the vSphere Distributed Switch (VDS), the controller enables multicast free VXLAN and control plane programming of elements such as the Distributed Logical Routing (DLR).
The NSX controller is a part of the control plane; it is logically separated from all data plane traffic. To further enhance high availability and scalability, NSX controller nodes are deployed in a cluster of odd number instances.
In addition to controller, the control VM, provides the routing control plane that allows the local forwarding in ESXi and allows dynamic routing between ESXI and north-south routing provided by Edge VM. It is critical to understand that data plane traffic never traverses the control plane component.

Management Plane is where the network virtualization orchestration happens. In this layer, cloud management platforms such as VMware vRealize™ Automation can be used to request, consume, and destroy networking resources for virtual workloads.

The NSX manager is the management plane for the NSX eco-system. NSX manager provides configuration and orchestration of:
• Logical networking components – logical switching and routing
• Networking and Edge services
• Security services and distributed firewall
Edge services and security services can be provided by either built-in components of NSX Manager or by integrated 3rd party vendors. NSX manager allows seamless orchestration of both built-in and external services.

All security services, whether built-in or 3rd party, are deployed and configured by
the NSX management plane. The management plane provides a single window
for viewing services availability. It also facilitates policy based service chaining,
context sharing, and inter-service events handling. This simplifies the auditing of
the security posture, streamlining application of identity-based controls. (e.g., AD,
mobility profiles).

Happy Learning 🙂


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s