《利用NSX构建双活数据中心ppt课件.pptx》由会员分享,可在线阅读,更多相关《利用NSX构建双活数据中心ppt课件.pptx(41页珍藏版)》请在三一办公上搜索。
1、基于NSX的双活数据中心架构,王培久资深网络技术顾问18621088800,议程,数据中心容灾架构的发展趋势基于单VC的NSX双活解决方案基于多VC的NSX双活解决方案总结,CONFIDENTIAL,2, 2006 Cisco Systems, Inc. All rights reserved.,Cisco Confidential,Cisco Expo Czech Republic,5,数据中心容灾架构的演进,灾备Disaster Recovery,通过异地的数据复制和备份保护数据,持续高可用 (continuous availability )业务失败的快速恢复,业务弹性和敏捷性(Busi
2、ness Resilience&Agility)故障时业务的持续运行能力,High Availability,Business Agility,基于灾备的数据中心,双活数据中心,基于云计算的分布式虚拟化数据中心,Active/Active 应用服务器层,Active/ActiveActive/QueryActive/Standby数据库层,Active/Active Web 层,InternalNetwork,ServiceProvider A,ServiceProvider B,InternalNetwork,INTERNET,数据中心容灾总体架构,VM-Mobility,客户端切换inbo
3、und/outboundDNS+全局站点选择 负载均衡健康路由注入RHI热备份路由本地化,LAN Extensions,数据中心容灾总体架构技术领域,数据复制 存储数据库虚拟化,数据中心的二层互联 传统网络厂商提供的二层互联技术Vmware NSX 网络虚拟化技术:,传输网络和存储的扩展SAN 网络扩展基于DWDM/SDH/IP的传输网络,安全策略的一致性:防火墙等,高层模式:冷备/暖备/热备/双活,虚拟机感知和移动性服务,CONFIDENTIAL,6,传统网络厂商的大二层技术的局限性,主备数据中心需要采用同一厂商的高端网络设备绝大多少数大二层技术虽然可以实现二层STP协议跨站点的隔离但对二层
4、的Flooding仍然缺乏有效的控制手段网络层不支持上层虚拟机自动感知的功能,无法提供跨数据中心的防火墙策略的一致性只关注网络层的二层扩展,无法为上层应用按需地提供逻辑交换、逻辑路由、逻辑防火墙、逻辑负载均衡、VPN等服务,更无法提供网络服务的自动化部署,议程,数据中心容灾架构的发展趋势基于单VC的NSX双活解决方案基于多VC的NSX双活解决方案总结,CONFIDENTIAL,7,基于单VC的数据中心双活解决方案option1跨数据中心集群模式,Active / Active StoragevSphere Metro Storage Cluster,Datastore 1,Datastore
5、1,vCenterServer,L3 Network,Site A,Site B,解决方案要点主机需要配置vSphere Metro Storage Cluster 集群在vMSC的部署中存储是跨数据中心双活。 双活的存储架构可以是: EMC VPLEX, NetApp Metro Cluster 等(更多信息参考 VMware HCL )扩展集群可以跨数据中心支持虚拟机的 Live vMotion所有 Vmkernel 网段采用三层网络: Management, vMotion, IP Storage所有管理节点位于主数据中心,但可以故障时可以切换到另外一个数据中心vMSC集群所需的存储双活
6、架构对时延和带宽有同的要求,如EMC VPLEX要求时延不高于10ms RTT数据中心网络互联故障或NSX组件故障时,两数据中心网络将按现有的网络转发状态转发数据,不会导致网络中断,基于单VC的数据中心双活解决方案option1跨数据中心集群模式,Datastore 1,Datastore 2,vCenterServer,L3 Network,Site A,Site B,由于两数据中心无共享存储跨数据中心虚机迁移需要Storage vMotion,基于单VC的数据中心双活解决方案option2数据中心采用不同集群,解决方案要点不同数据中心采用不同的集群,因此不支持跨数据中心的DRS等功能存储本
7、地化,两数据中心中心无共享存储Enhanced vMotion (simultaneous vMotion and svMotion) 提供跨数据中心vMotion所有Vmkernel 网络采用三层网络: Management, vMotion, IP Storage所有管理组件部署在主中心,包括:vCenter Server, NSX Manager and Controllers 跨数据中心时延需求:Enhanced vMotion is also 10ms RTT. 每个vMotion session:250 Mbps 如不需要live vMotion,NSX可以支持的最大时延为:100
8、ms RTT通过vmotion提供资源移动性和灾难避免功能不提供跨数据中心的自动容灾恢复功能,基于单VC的数据中心双活解决方案option2数据中心采用不同集群,192.168.0.0/24,192.168.0.1,2.2.2.2,2.2.2.0/28,192.168.0.0/24,3.3.3.0/28,VXLAN,VXLAN,VLAN,VLAN,Distributed Logical Router,Dynamic Routing(OSPF, BGP),Primary VMs,Placeholder VMs,192.168.10.2,192.168.10.1,192.168.0.1,3.3.3
9、.3,Distributed Logical Router,Dynamic Routing(OSPF, BGP),192.168.10.2,192.168.10.1,Site1,Site2,SRM,基于单VC的数据中心双活解决方案option3SRMNSX容灾模式,目标:在两个数据中心之间实现自动容灾切换网络:1、内网:主备数据中心采用同样的网段和IP地址段,同时可以基于虚拟机部署DFW防火墙和负载均衡等2、外联:每个数据中心通过NSX Edge和外部路由器实现动态路由互通,Edge连接外部路由器的地址和公网地址采用不同网段3、数据中心互联DCI:两中心之间只需提供高带宽三层IP路由网络互联即
10、可,具体带宽需求需要参考SRM数据复制的要求数据备份:采用SRA 实现两中心之间数据的异步复制,根据RPO/RTO要求可以采用SRM本身自带的软件复制技术实现RPO/RTO要求较高的也可以通过合作伙伴的硬件存储备份方案来实现如:EMC SRDF等切换:1、整体切换:当主数据中心出现整体故障可以实现主备数据中心的自动切换;2、单应用切换:当主数据中心单个应用出现故障时,SRM会在备份数据中心实现此应用的自己切换,基于单VC的数据中心双活解决方案option3SRMNSX容灾模式,议程,数据中心容灾架构的发展趋势基于单VC的NSX双活解决方案基于多VC的NSX双活解决方案总结,CONFIDENTI
11、AL,14,NSX 逻辑网络 (今天),CONFIDENTIAL,Logical Switch,Local VC Inventory,Local VC Inventory,Local VC Inventory,vCenter A,vCenter B,vCenter C,NSX ControllerCluster,NSX ControllerCluster,NSX ControllerCluster,Single NSX Domain can spanmore than one site,Logical Switch,Logical Switch,NSX 逻辑网络 (6.2),CONFIDENT
12、IAL,16,Logical Switch,Local VC Inventory,Local VC Inventory,Local VC Inventory,vCenter A,vCenter B,vCenter C,NSX ControllerCluster,Logical Switch,NSX ControllerCluster,NSX ControllerCluster,Logical Switch,Single NSX Domain can spanmore than one site,LogicalSwitches,多VC使用场景,Increase the span of NSX l
13、ogical networks to enable:Capacity Pooling across multiple vCenter ServersNon disruptive migrationsCloud and VDI deployments,CONFIDENTIAL,17,Centralized security policy managementOne place to Manage FW rulesRules enforced regardless of VM location and VC,CONFIDENTIAL,18,Universal Firewall Policy,多VC
14、使用场景,NSX 6.2 supports new mobility boundaries in vSphere 6Enable Cross VC, Cross vSwitch and Long Distance vMotionOn existing networks, with no new hardware required,CONFIDENTIAL,19,vCenter-A,VDS-A,VXLAN Transport (L3) &vMotion Network (L3),vCenter-B,VDS-B,= 150ms RTT,多VC使用场景,Enhance NSX Multi-Site
15、SupportActive-Active (From Metro to 150ms RTT)Disaster Recovery,CONFIDENTIAL,20,vCenter-A,vCenter-B,N-S Connectivity,NSX Mgr A,NSX Mgr B,SRM A,SRM B,Web,Web,App,=150ms,Web,DB,DB,DB,App,App,Web,App,DB,App,DB,DB,Web,App,Web,多VC使用场景,Multi-VC with NSX,How it Works,Multi-VC Logical Networks (NSX 6.2),CON
16、FIDENTIAL,22,Local VC Inventory,Local VC Inventory,Local VC Inventory,vCenter & NSX Manager A,Universal Object Configuration(NSX UI & API),Universal Configuration Synchronization,Universal ControllerCluster,Primary,Secondary,vCenter & NSX Manager B,vCenter & NSX Manager H,Secondary,Multi-VC Logical
17、Networks (NSX 6.2),Universal Controller Cluster size remains at 3 nodesNSX Controllers always run within a single vCenter Server and single SiteUnique Universal Segment ID Pool:Ensures ULS VNIs are consistent across all VCsUDLR IDs are also automatically derived from this poolThe Universal Controlle
18、r Cluster continues to manage Local VXLAN/DLR objects in addition to Universal onesTransport Zone determines whether Logical Switches are Local or UniversalSegment ID pool is now required for any DLR, even without VXLAN LIFsNSX 6.2 Distributed Logical Routing supports Local EgressCross VC vMotion wi
19、ll be validated with both Universal Logical Switches and L2VPN,CONFIDENTIAL,23,Multi-VC Primary and Secondary NSX Managers,Multi-VC Universal Segment ID Pool,Multi-VC Universal Transport Zones,Multi-VC Universal Logical Switches,Multi-VC Universal Distributed Logical Routing,Multi-VC Distributed Fir
20、ewall (NSX 6.2),NSX vSphere 6.2 will also support Multi-VC Distributed Firewall for centralized management of Firewall rules for universal objectsThis is performed through Universal sections in the DFW rule tableThese section will automatically be synchronized to all Secondary NSX ManagersUniversal
21、Section is managed on the Primary NSX Manager andread only on Secondary NSX ManagersUniversal DFW rules are based on IP/MAC Sets as VC inventory remains local to an NSX ManagerSupports both VXLAN and VLAN backed deploymentsvMotion across VCs with Universal DFW policy be fully supported,CONFIDENTIAL,
22、29,Multi-VC Universal Distributed Firewall,30,Universal Section,Local Section,Multi-VC Universal Distributed Firewall,31,Universal DFW RulesSupported Configuration Objects,CONFIDENTIAL,L2 rules:,L3 rules:,Universal MAC SetUniversal SG (containing Universal MAC Set),Global IP SetGlobal SG (containing
23、 Global IP Set),Universal LSDFW-only (in case of VLAN backed dvPg),Note: Rule-ID (32 bit format) is the same across all NSX instances,Universal Services (pre-defined and user-defined),Universal Services (pre-defined and user-defined),Multi-VC Universal Security Groups, IP/MAC Sets & Services,32,Secu
24、rity Groups,IP Sets, MAC Sets, Services and Service Groups all have a Universal context in addition to theexisting Local context,多VC 部署模式,单点多VC 部署场景 1,34,UniversalLogical Switches,Universal Control VM,E1,Route Updates,Physical Router,Universal Transit VXLAN Uplink,Site A,NSX EdgeServices GW,VC B wit
25、h NSX Manager (Secondary),Route Updates,E8,UCC,单点多VC Edge部署在一个 VC,35,Universal Control VM,E1,E4,Physical Router,Site A,NSX EdgeServices GW,vC with NSX Manager (Secondary),E2,E3,E8,E7,E5,E6,UniversalLogical Switches,Universal Transit VXLAN,36,Universal Control VM,Physical Router,Universal Transit VXL
26、AN,Site A,NSX EdgeServices GW,vC with NSX Manager (Secondary),UniversalLogical Switches,E8,单点多VC Edge部署在多个 VC,vCenterServer,L3 Network,Site A,Site B,Multi-Site Enhancement: Locale IDNSX 6.2 introduces the concept of Locale ID for routes sent to the NSX Controller. This value is set to the NSX Manage
27、r UUID by defaultIf Local Egress is not enabled on the UDLR, the Locale ID value is ignoredWhen Local Egress is enabled, the NSX Controller will only send routes to ESXi hosts with a matching Locale IDUsing a site specific uplink, each site can have a local routing configuration. This allows NSX 6.2
28、 to support up to 8 sites with local egressLocale ID can also be set on a per UDLR, per Cluster or per Host level if the same NSX Manager is used across multiple sites,Locale ID: NSX-A,Locale ID: NSX-B,CONFIDENTIAL,vCenterServer,Control VMw/ Local Egress,Control VMw/ Local Egress,多VC 出口路由的优化,多点多VC 部
29、署场景2,38,PrimaryControl VM,E1,Route Updates with Locale ID,Site APhysical Routers,Universal Transit VXLAN Uplink A,Site A,NSX EdgeServices GW,VC B with NSX Manager (Secondary),Route Updateswith Locale ID,E8,E1,Site BPhysical Routers,Universal Transit VXLAN Uplink B,E8,SecondaryControl VM,Route Updateswith Locale ID,Route Updateswith Locale ID,UCC,UniversalLogical Switches,Site B,NSX EdgeServices GW,议程,数据中心容灾架构的发展趋势基于单VC的NSX双活解决方案基于多VC的NSX双活解决方案总结,CONFIDENTIAL,39,NSX双活数据中心方案比较,谢谢!,
