1
00:00:00,090 --> 00:00:01,340
But hopefully this makes sense.

2
00:00:01,350 --> 00:00:03,960
Let's talk about overlay, underlay and fabrics.

3
00:00:09,000 --> 00:00:14,340
So overlay networks go back a long way in time.

4
00:00:14,340 --> 00:00:20,820
So the example I use when I spoke about the exam, and I like that example, is in the old days we had a

5
00:00:20,820 --> 00:00:28,260
traditional telephone network. The intelligence was in the telephone network, so the public switched

6
00:00:28,260 --> 00:00:32,580
telephone network that AT&T would have built or British Telecom would have built

7
00:00:32,580 --> 00:00:33,450
here in the UK.

8
00:00:33,840 --> 00:00:35,280
The phones were dumb.

9
00:00:35,280 --> 00:00:41,640
They didn't even have dial tone without the network giving dial tone to the phone.

10
00:00:41,640 --> 00:00:43,620
So the phones were essentially stupid.

11
00:00:44,350 --> 00:00:47,650
But then that got revolutionized with voice over IP.

12
00:00:47,770 --> 00:00:53,620
Then suddenly we were using the Internet as a dumb core, and I shouldn't say it's totally dumb, but

13
00:00:53,620 --> 00:00:56,020
from a telephone switching point of view, it was dumb.

14
00:00:56,380 --> 00:01:02,860
We were basically setting up calls across the Internet and the devices in the core Internet didn't understand

15
00:01:02,860 --> 00:01:04,090
what the calls were doing.

16
00:01:04,090 --> 00:01:05,860
They were just routing IP packets.

17
00:01:05,860 --> 00:01:09,070
So I phone you using Skype or WhatsApp today.

18
00:01:09,430 --> 00:01:10,530
I phone you.

19
00:01:10,540 --> 00:01:13,210
The Internet doesn't understand what we're doing.

20
00:01:13,210 --> 00:01:20,710
I mean, WhatsApp calls are encrypted, so we're setting up a tunnel across the dumb central Internet.

21
00:01:21,070 --> 00:01:26,170
So the intelligence is now in the endpoints rather than in the core network.

22
00:01:26,170 --> 00:01:27,720
So notice the difference.

23
00:01:27,730 --> 00:01:32,680
In the old days, intelligence was in the network, end devices were dumb.

24
00:01:32,680 --> 00:01:33,730
That switched round.

25
00:01:33,730 --> 00:01:37,270
Now the core network is just high speed forwarding.

26
00:01:37,270 --> 00:01:38,710
That's what the Internet should be doing.

27
00:01:38,710 --> 00:01:44,200
High speed switching, routing of traffic. Intelligence is in the edge, not in the core.

28
00:01:44,530 --> 00:01:48,250
So that was a whole industry that got revolutionized.

29
00:01:48,490 --> 00:01:56,290
The PSTN, public switched telephone network, was intelligent, endpoints were dumb. Intelligence was moved

30
00:01:56,290 --> 00:02:00,010
to the edge, to the endpoints. The core became dumb.

31
00:02:00,010 --> 00:02:04,300
All it was doing is high speed forwarding of traffic from A to B.

32
00:02:04,300 --> 00:02:09,940
So if I made a call from the UK to the US, the core Internet routers are just trying to move the traffic

33
00:02:09,940 --> 00:02:13,000
as quickly as possible from the UK to the US.

34
00:02:13,060 --> 00:02:16,510
They don't understand the call setup process.

35
00:02:16,510 --> 00:02:20,230
I mean, WhatsApp again is setting up encrypted calls.

36
00:02:20,230 --> 00:02:25,840
The telephone system in WhatsApp or in Skype is out of the control of the core Internet.

37
00:02:26,440 --> 00:02:28,270
Okay, so that's great.

38
00:02:28,270 --> 00:02:33,280
But in networking for many years, enterprise networking, it didn't work that way.

39
00:02:33,730 --> 00:02:39,880
We would have, say, Cisco IP phones on a network and they would mark their traffic as important.

40
00:02:39,880 --> 00:02:44,680
But then the network had the intelligence of saying, okay, this traffic is more important than that

41
00:02:44,680 --> 00:02:45,280
traffic.

42
00:02:45,400 --> 00:02:49,720
And then we tried to implement all kinds of clever stuff on the network.

43
00:02:49,720 --> 00:02:53,230
So the applications were still dumb, but the network was intelligent.

44
00:02:53,230 --> 00:02:56,140
Notice where I'm going with this. The network was intelligent.

45
00:02:56,140 --> 00:03:02,320
Applications were dumb from the point of view that a PC just sent traffic to its default gateway and

46
00:03:02,320 --> 00:03:04,330
then the network took care of things.

47
00:03:04,330 --> 00:03:07,300
Intelligence in the network, endpoints were dumb.

48
00:03:07,780 --> 00:03:11,560
VMware and others changed this entirely.

49
00:03:11,560 --> 00:03:14,710
So VMware purchased a company called Nicira.

50
00:03:15,340 --> 00:03:17,140
Nicira almost got bought by Cisco.

51
00:03:17,620 --> 00:03:26,620
But in a data center, when we're using ESXi as an example from VMware, they said, okay, we don't need

52
00:03:26,620 --> 00:03:27,970
an intelligent network.

53
00:03:27,970 --> 00:03:34,210
We will put the intelligence in the ESXi server, in the server, because the servers have visibility

54
00:03:34,210 --> 00:03:36,760
of the applications running on them.

55
00:03:36,820 --> 00:03:43,840
The server, the ESXi server, has visibility of the VMs and the applications running on the server.

56
00:03:43,870 --> 00:03:50,080
The network can't see the VMs like the ESXi server can.

57
00:03:50,080 --> 00:03:55,930
So rather than having an intelligent network, we make the network dumb, just like the Internet.

58
00:03:55,930 --> 00:04:01,390
It doesn't have visibility of the applications and the VMs on the ESXi server.

59
00:04:01,390 --> 00:04:07,840
And what we do is we set up tunnels across the core network.

60
00:04:07,840 --> 00:04:12,790
So you could have, and it doesn't matter, it could be Cisco routers, could be HPE switches, it doesn't

61
00:04:12,790 --> 00:04:13,000
matter.

62
00:04:13,000 --> 00:04:19,930
Your core network is simply there to route as quickly as possible from one ESXi server to another ESXi

63
00:04:19,959 --> 00:04:20,380
server.

64
00:04:20,380 --> 00:04:23,590
And we build what they call here an overlay network.

65
00:04:23,590 --> 00:04:30,730
So we have our IP network, traditional, say IP version 4, and then we build a whole new network

66
00:04:30,730 --> 00:04:33,250
on top of that called an overlay network.

67
00:04:33,250 --> 00:04:39,430
This underlay network, the physical network, doesn't understand what's going on because all it sees

68
00:04:39,430 --> 00:04:40,420
is tunnels.

69
00:04:40,450 --> 00:04:45,400
Think of WhatsApp, think of IPsec tunnels that you use across the Internet.

70
00:04:46,090 --> 00:04:53,500
You can have the Internet and you build encrypted tunnels across the Internet that connect various sites

71
00:04:53,830 --> 00:04:54,760
of your company.

72
00:04:54,760 --> 00:05:00,520
So your company may have sites in the US and the UK, in Canada, in Japan, whatever.

73
00:05:00,550 --> 00:05:03,880
You set up these VPNs across the Internet.

74
00:05:03,910 --> 00:05:08,680
You would be very upset if the Internet routers could actually see inside your IP tunnel.

75
00:05:08,680 --> 00:05:16,810
The whole idea of encryption is to hide the internal network information from the core Internet network.

76
00:05:16,810 --> 00:05:18,640
Same principle here.

77
00:05:18,700 --> 00:05:24,550
Now, we're not typically using encryption in a data center. Rather than IPsec tunnels or other tunnels,

78
00:05:24,550 --> 00:05:26,980
they use VXLAN tunnels.

79
00:05:27,010 --> 00:05:32,620
The whole idea of a VXLAN is, think of a restriction in traditional switching.

80
00:05:32,620 --> 00:05:34,090
We have 802.1Q.

81
00:05:34,090 --> 00:05:37,780
It's restricted to just over 4000 VLANs.

82
00:05:37,780 --> 00:05:43,270
You can only have 4000 VLANs in a network. Now if you're running a big

83
00:05:43,370 --> 00:05:50,090
service and you have lots of customers and then you have lots of departments for lots of customers

84
00:05:50,090 --> 00:05:52,500
and they want a whole bunch of VLANs,

85
00:05:52,520 --> 00:05:55,460
you run out of 4000 VLANs very, very quickly.

86
00:05:55,460 --> 00:06:04,850
So VXLAN supports 16 million VLANs, and I say VLANs because that concept no longer exists, 16 million

87
00:06:04,850 --> 00:06:09,530
subnets rather than 4000 subnets in 802.1Q.

88
00:06:09,530 --> 00:06:15,230
So in a traditional switching network, we would create up to 4000 VLANs.

89
00:06:15,230 --> 00:06:21,500
That's how we would implement security, let's say, by restricting who can talk to who based on VLANs

90
00:06:21,500 --> 00:06:22,400
or subnets.

91
00:06:22,760 --> 00:06:28,640
But in a traditional switched environment, we're kind of limited. That doesn't scale to a data center.

92
00:06:28,640 --> 00:06:33,860
So in a data center, they want to use this whole concept, and let me go over it again just to make sure

93
00:06:33,860 --> 00:06:38,990
that it's clear. We have a core network, could be Cisco routers, Cisco switches.

94
00:06:39,380 --> 00:06:40,460
Now notice the politics.

95
00:06:40,460 --> 00:06:43,910
Yeah, because VMware and Nicira basically changed the game.

96
00:06:44,450 --> 00:06:49,580
The core network now doesn't have to be fancy because it's going to be like the Internet.

97
00:06:49,610 --> 00:06:57,290
I just need the core routers to route traffic from one ESXi server, so one VMware server, to another

98
00:06:57,290 --> 00:06:58,160
VMware server.

99
00:06:58,160 --> 00:07:00,410
And just assume you've got a whole bunch of VMware servers.

100
00:07:00,440 --> 00:07:06,020
These VMware servers will set up tunnels to each other automatically.

101
00:07:06,500 --> 00:07:08,720
They're not encrypted, but it's the same concept.

102
00:07:08,810 --> 00:07:14,810
They will set up a tunnel from one ESXi server to another ESXi server and they will use a totally

103
00:07:14,810 --> 00:07:17,090
different subnet, totally different network.

104
00:07:17,090 --> 00:07:22,610
Just like you, if you're setting up a VPN across the Internet, will use a different subnet, different

105
00:07:22,610 --> 00:07:24,950
IP addresses to the core Internet.

106
00:07:24,980 --> 00:07:29,060
You can route all RFC 1918 addresses across the Internet.

107
00:07:29,060 --> 00:07:31,730
Agreed, if you use a tunnel.

108
00:07:31,730 --> 00:07:38,120
So the outside IP address would be a public IP address when you're routing from one router to another

109
00:07:38,120 --> 00:07:40,040
using an IPsec tunnel across the Internet.

110
00:07:40,040 --> 00:07:44,420
But the inside IP addresses could be RFC 1918 addresses.

111
00:07:44,420 --> 00:07:47,390
The core Internet doesn't see that data because it's encrypted.

112
00:07:47,390 --> 00:07:54,530
So the whole idea in a data center is the core network could be very simple, basic subnetting.

113
00:07:54,530 --> 00:07:58,190
We don't need VLANs, we can run routing everywhere.

114
00:07:58,220 --> 00:08:04,880
So this solved another problem, because let's say we want to have a VM on one ESXi server and another

115
00:08:04,880 --> 00:08:10,580
VM on another ESXi server, but we want them in the same VLAN, same VLAN, same broadcast domain.

116
00:08:10,580 --> 00:08:16,940
There must be a layer 2 connection between these two VMs that are in different servers.

117
00:08:17,150 --> 00:08:18,710
Now you might say, why would you want to do that?

118
00:08:18,710 --> 00:08:20,360
Now think about vMotion.

119
00:08:20,440 --> 00:08:27,350
vMotion is something that allows you to move a VM automatically, if you want, from one physical

120
00:08:27,350 --> 00:08:30,350
ESXi server to another ESXi server.

121
00:08:30,350 --> 00:08:35,840
So when the load on the server gets too high, it can automatically migrate the VM to another ESXi

122
00:08:35,870 --> 00:08:38,539
server to use resources on this ESXi server.

123
00:08:38,539 --> 00:08:43,940
But the problem is you've now moved the VM from one server to another server, but you want to keep

124
00:08:43,940 --> 00:08:45,260
them in the same VLAN.

125
00:08:45,260 --> 00:08:50,810
So what happens if I move it to that server over there using vMotion across a network?

126
00:08:50,810 --> 00:08:57,170
Now traditionally we would have to run layer 2 across this because that VM and this VM are in the

127
00:08:57,170 --> 00:08:57,770
same subnet.

128
00:08:57,770 --> 00:09:00,500
So we need to have a layer 2 connection across.

129
00:09:00,500 --> 00:09:07,670
But with this overlay network and this concept of doing away with a clever core, the core network can

130
00:09:07,670 --> 00:09:08,600
run routing protocols.

131
00:09:08,600 --> 00:09:12,260
So we don't need spanning tree, we just run OSPF everywhere as an example.

132
00:09:12,260 --> 00:09:18,740
So it's a layer 3 network, but this VM running on this ESXi server and this VM running on this ESXi

133
00:09:18,770 --> 00:09:25,460
server can be in the same subnet because they are connected across a tunnel.

134
00:09:25,460 --> 00:09:30,260
So this PC could have an IP address of 10.1.1.2, and this PC

135
00:09:30,260 --> 00:09:32,840
could have an IP address of 10.1.1.1/24.

136
00:09:32,840 --> 00:09:38,960
Let's say when a broadcast is sent by this PC, it goes into the tunnel, sent across the tunnel to

137
00:09:38,960 --> 00:09:39,560
that PC

138
00:09:39,560 --> 00:09:44,480
on the other side. It gets complicated with broadcasts and multicast, but just think of the concept

139
00:09:44,480 --> 00:09:50,900
that these two devices are in the same VLAN, when in actual fact they are not in the same VLAN because this

140
00:09:50,900 --> 00:09:52,370
infrastructure is routed.

141
00:09:52,370 --> 00:09:59,950
So we are basically pulling a cable logically from that VM on that ESXi server to this VM on this ESXi

142
00:09:59,960 --> 00:10:00,350
server.

143
00:10:00,350 --> 00:10:04,760
So logically, you've got an Ethernet cable from one side to the other, but it's just a tunnel created

144
00:10:04,760 --> 00:10:06,050
using VXLAN.

145
00:10:06,140 --> 00:10:07,610
Now I went into a lot of detail here.

146
00:10:07,610 --> 00:10:13,420
Let me just summarize. An overlay network is a network that's built on top of an underlay network, an underlay

147
00:10:13,450 --> 00:10:20,420
network of physical devices, which could be Cisco routers and switches. ESXi, so from VMware, will build,

148
00:10:20,570 --> 00:10:24,950
and it's actually NSX, it's not ESXi, it's NSX that is the product that does this.

149
00:10:24,950 --> 00:10:32,930
NSX will build a whole new network, an overlay network, across the underlay network.

150
00:10:32,930 --> 00:10:37,370
This underlay network doesn't understand what's going on with this overlay network.

151
00:10:37,580 --> 00:10:42,560
As an analogy, again, think of this underlay as the Internet and the overlay network as

152
00:10:42,810 --> 00:10:46,160
your VPN tunnels going across the Internet.

153
00:10:46,170 --> 00:10:52,140
The core routers don't have visibility of the traffic that you're encrypting through your IPsec tunnels.

154
00:10:52,470 --> 00:11:01,050
The core Cisco routers and switches in a data center don't have visibility of the VM traffic going through

155
00:11:01,050 --> 00:11:02,610
a VXLAN tunnel.

156
00:11:02,640 --> 00:11:09,600
All they see is this ESXi server wants to talk to this ESXi server, or this ESXi server wants to talk

157
00:11:09,600 --> 00:11:11,100
to that ESXi server.

158
00:11:11,130 --> 00:11:19,920
They don't understand that it's actually a VM running within the ESXi server that's talking to a VM within

159
00:11:19,950 --> 00:11:21,300
that ESXi server.

160
00:11:21,300 --> 00:11:23,640
So we're basically tunneling traffic across.

161
00:11:23,730 --> 00:11:31,010
Now I'm going to add some videos from my NSX and overlays course.

162
00:11:31,020 --> 00:11:32,910
There are other vendors that also do this.

163
00:11:33,210 --> 00:11:34,350
Again, it's optional.

164
00:11:34,350 --> 00:11:38,730
So if you want to watch that stuff, then feel free to see this more practically.

165
00:11:38,730 --> 00:11:43,980
I've been dealing with this stuff for a long time, but it's now great to see that it's coming to the

166
00:11:43,980 --> 00:11:44,760
CCNA.