1
00:00:00,170 --> 00:00:01,380
But hopefully this makes sense.

2
00:00:01,380 --> 00:00:04,010
Let's talk about overlay underlay and fabrics.

3
00:00:09,130 --> 00:00:14,400
So overlay networks go back a long way in time.

4
00:00:14,470 --> 00:00:20,800
So the example I use when I spoke about the exam and I like that example is in the old days we had a

5
00:00:20,800 --> 00:00:23,650
traditional telephone network.

6
00:00:23,650 --> 00:00:30,610
The intelligence was in the telephone network so the public switched telephone network that AT&amp;T would

7
00:00:30,610 --> 00:00:35,410
have built or British Telecom would have built here in the U.K. The phones were done.

8
00:00:35,410 --> 00:00:41,680
They didn't even have dial tone without the network giving dial tone to the phone.

9
00:00:41,680 --> 00:00:47,790
So the phones were essentially stupid but then that God revolutionized with voice over IP.

10
00:00:47,970 --> 00:00:52,050
Then suddenly we were using the Internet as a dumb call.

11
00:00:52,200 --> 00:00:53,480
And I shouldn't say it's totally dumb.

12
00:00:53,490 --> 00:00:56,550
But from a telephone switching point of view it was done.

13
00:00:56,550 --> 00:01:02,880
We were basically setting up calls across the Internet and the devices in the core Internet didn't understand

14
00:01:02,880 --> 00:01:04,200
what the calls were doing.

15
00:01:04,200 --> 00:01:05,950
They were just routing IP packets.

16
00:01:06,030 --> 00:01:09,300
So I phoned you using Skype or WhatsApp today.

17
00:01:09,600 --> 00:01:10,540
I phone you.

18
00:01:10,560 --> 00:01:13,230
The Internet doesn't understand what we're doing.

19
00:01:13,230 --> 00:01:21,030
I mean WhatsApp calls are encrypted so we setting up a tunnel across the damn central Internet.

20
00:01:21,240 --> 00:01:26,370
So the intelligence is now in the endpoints rather than in the core network.

21
00:01:26,370 --> 00:01:33,390
So notice the difference in the old days intelligence was in the network in devices were done that switch

22
00:01:33,390 --> 00:01:38,720
round now core network is just high speed forwarding that's what the Internet should be doing.

23
00:01:38,820 --> 00:01:44,710
High speed switching routing of traffic intelligence is in the edge not in the core.

24
00:01:44,730 --> 00:01:52,800
So that was a whole industry that got revolutionized the PSTN public switch telephone network was intelligent

25
00:01:53,100 --> 00:02:00,690
endpoints were dumb intelligence was moved to the edge to the endpoints core became done all it was

26
00:02:00,690 --> 00:02:04,450
doing is high speed forwarding of traffic from a to b.

27
00:02:04,500 --> 00:02:09,960
So I made a call from the UK to the US the core Internet routers are just trying to move the traffic

28
00:02:09,960 --> 00:02:13,190
as quickly as possible from the UK to the US.

29
00:02:13,260 --> 00:02:16,550
They don't understand the call setup process.

30
00:02:16,560 --> 00:02:23,580
I mean WhatsApp again is setting up encrypted calls the telephone system in WhatsApp or in Skype is

31
00:02:23,700 --> 00:02:26,490
out of the control of the core Internet.

32
00:02:26,490 --> 00:02:26,730
OK.

33
00:02:26,750 --> 00:02:28,320
So that's great.

34
00:02:28,350 --> 00:02:33,580
But in networking for many years enterprise networking it didn't work that way.

35
00:02:33,930 --> 00:02:40,470
We would have say Cisco IP phones on a network and they would mark their traffic as important but then

36
00:02:40,470 --> 00:02:46,200
the network had the intelligence of saying okay this traffic is more important that traffic and then

37
00:02:46,410 --> 00:02:49,770
we try to implement all kinds of clever stuff on the network.

38
00:02:49,860 --> 00:02:53,260
So the applications were still done but the network was intelligent.

39
00:02:53,370 --> 00:02:54,740
Notice where I'm going with us.

40
00:02:54,870 --> 00:02:56,150
Network was intelligent.

41
00:02:56,190 --> 00:03:02,340
Applications were done from the point of view that a P.C. just sent traffic to its default gateway and

42
00:03:02,340 --> 00:03:04,370
then the network took care of things.

43
00:03:04,410 --> 00:03:11,400
Intelligence and the network endpoints were done a VM where and others changed this entirely.

44
00:03:11,760 --> 00:03:19,410
So VM where purchased a company called the sera sera almost got bought by Cisco but in a datacenter

45
00:03:20,250 --> 00:03:27,960
when we using ASX sign as an example from VM where they said OK we don't need an intelligent network

46
00:03:28,020 --> 00:03:34,200
we will put the intelligence in the ASX ie servers in the service because the servers have visibility

47
00:03:34,200 --> 00:03:36,850
of the applications running on them.

48
00:03:37,050 --> 00:03:43,840
The server ASX AI server has visibility of the victims and the applications running on the server.

49
00:03:44,040 --> 00:03:50,340
The network can't see the victims like the ASX ie server can.

50
00:03:50,340 --> 00:03:55,950
So rather than having an intelligent network we make the network dumb just like the Internet.

51
00:03:56,100 --> 00:04:03,060
It doesn't have visibility of the applications and the VMs on the ASX ie server and what we do is we

52
00:04:03,060 --> 00:04:10,690
set up tunnels across the core network so you could have and it doesn't matter could be Cisco writers

53
00:04:10,710 --> 00:04:12,450
could be HP switches.

54
00:04:12,450 --> 00:04:18,630
It doesn't matter your core network is simply there to rot as quickly as possible from one ASX ie server

55
00:04:18,930 --> 00:04:23,490
to another E6 I server and we build what they call here an overlay network.

56
00:04:23,760 --> 00:04:31,290
So we have our IP network traditional say IP version 4 and then we build a whole new network on top

57
00:04:31,290 --> 00:04:33,420
of that called an overlay network.

58
00:04:33,420 --> 00:04:39,420
This underlying network the physical network doesn't understand what's going on because all it sees

59
00:04:39,420 --> 00:04:40,590
is tunnels.

60
00:04:40,680 --> 00:04:42,010
Think of WhatsApp.

61
00:04:42,150 --> 00:04:49,440
Think of IP SEC tunnels that you use across the Internet you can have the Internet and you build encrypted

62
00:04:49,440 --> 00:04:53,640
tunnels across the Internet that connect to various sites.

63
00:04:53,660 --> 00:05:00,330
Two of your company so your company may have sites in the US and the UK in Canada in Japan whatever

64
00:05:00,750 --> 00:05:06,420
you set up these VPN ends across the internet you would be very upset if the Internet writers could

65
00:05:06,420 --> 00:05:08,790
actually see inside your IP SAC tunnel.

66
00:05:08,790 --> 00:05:16,960
The whole idea of encryption is to hide the internal network information from the core Internet network.

67
00:05:16,980 --> 00:05:18,900
Same principle here.

68
00:05:18,930 --> 00:05:23,700
Now we're not using typically encryption in a data datacenter they use rather than IP SEC tunnels or

69
00:05:23,700 --> 00:05:27,130
geo re tunnels they use Vieques or land tunnels.

70
00:05:27,210 --> 00:05:33,810
The whole idea of a vehicle land is think of a restriction in traditional switching we have a two to

71
00:05:33,840 --> 00:05:41,730
one Q it's restricted to just over 4000 villains you can only have 4000 villains in a network now if

72
00:05:41,730 --> 00:05:48,900
you running big ASX AI servers and you have lots of customers and then you have lots of departments

73
00:05:48,900 --> 00:05:54,900
for lots of customers and they want a whole bunch of villains you run out of 4000 villains very very

74
00:05:54,900 --> 00:05:59,600
quickly so vehicles land supports 16 million villains.

75
00:05:59,610 --> 00:06:02,910
And I say villains because that concept no longer exists.

76
00:06:03,060 --> 00:06:10,040
Sixteen million subnets rather than 4000 subnets in order to have one key.

77
00:06:10,230 --> 00:06:15,320
So in a traditional switching network we would create up to 4000 villains.

78
00:06:15,330 --> 00:06:21,480
That's how we would implement security let's say by restricting who can talk to who based on villains

79
00:06:21,540 --> 00:06:28,030
or subnets but in a traditional switched environment we kind of limited that doesn't scale to a data

80
00:06:28,030 --> 00:06:28,480
center.

81
00:06:28,860 --> 00:06:33,870
So in a data center they want to use this whole concept and let me go over it again just to make sure

82
00:06:33,870 --> 00:06:39,360
that it's clear we have a core network could be Cisco routers Cisco switches.

83
00:06:39,630 --> 00:06:44,360
Notice the politics here because VMware and the Sierra basically changed the game.

84
00:06:44,610 --> 00:06:49,780
The core network now doesn't have to be fancy because it's going to be like the internet.

85
00:06:49,830 --> 00:06:57,270
I just need the core routers to route traffic from one year six I service a one VM with server to another

86
00:06:57,270 --> 00:07:01,890
VM with server and just assume we got a whole bunch of them with servers these VM where servers will

87
00:07:01,890 --> 00:07:08,720
set up tunnels to each other automatically they're not encrypted but it's the same concept.

88
00:07:08,730 --> 00:07:14,400
They will set up a tunnel from one year six ice over to another year six ice server and they will use

89
00:07:14,400 --> 00:07:20,310
a totally different subnet totally different network just like you if you setting up a VPN across the

90
00:07:20,310 --> 00:07:25,090
Internet we'll use a different subnet different IP addressing to the core Internet.

91
00:07:25,200 --> 00:07:29,050
You can rot or if C 1918 addresses across the Internet.

92
00:07:29,100 --> 00:07:30,170
Agreed.

93
00:07:30,240 --> 00:07:37,410
If you use a tunnel so the outside IP address would be a public IP address when you're riding from one

94
00:07:37,410 --> 00:07:40,050
rider to another using an IP cell tunnel across the Internet.

95
00:07:40,170 --> 00:07:46,200
But the inside IP addresses could be already 1918 addresses the core Internet doesn't see that data

96
00:07:46,230 --> 00:07:53,490
because it's encrypted so the whole idea in a data center is the core network could be very simple basic

97
00:07:53,680 --> 00:07:54,590
subletting.

98
00:07:54,750 --> 00:07:56,050
We don't need villains.

99
00:07:56,070 --> 00:07:58,410
We can run routing everywhere.

100
00:07:58,410 --> 00:08:04,860
So this solved another problem because let's say we want to have a VM on one ASX ice server and another

101
00:08:04,860 --> 00:08:10,650
VM on another year yes expensive but we want them in the same villain same deal and same broadcast domain.

102
00:08:10,740 --> 00:08:17,300
They must be layer 2 connection between these two VMs that own different servers.

103
00:08:17,310 --> 00:08:18,850
Now you might say why would you want to do that now.

104
00:08:18,870 --> 00:08:26,070
Think about V motion the V motion is something that allows you to move a VM automatically if you want

105
00:08:26,310 --> 00:08:30,540
from one physical ASX AI server to another ASX AI server.

106
00:08:30,540 --> 00:08:35,980
So when the load on the server gets too high it can automatically migrate to the VM to another 6 ISO

107
00:08:35,990 --> 00:08:38,490
over to use resources on this ASX AI server.

108
00:08:38,700 --> 00:08:44,130
But the problem is you've now moved the VM from one server to another server but you want to keep them

109
00:08:44,130 --> 00:08:51,000
in the same VLAN so what happens if I move it to that server over there using the motion across a network.

110
00:08:51,030 --> 00:08:57,810
Now traditionally we would have to run Layer 2 across this because that VM and this VM on the same subnet.

111
00:08:57,810 --> 00:09:04,620
So we need to have a layer 2 connection across but with this overlay network and this concept of doing

112
00:09:04,620 --> 00:09:09,690
away with a clever core the core network can run writing protocols so we don't need spanning tree we

113
00:09:09,690 --> 00:09:11,400
just run away SPF everywhere.

114
00:09:11,400 --> 00:09:12,450
As an example.

115
00:09:12,450 --> 00:09:14,060
So it's a layer 3 network.

116
00:09:14,280 --> 00:09:20,490
But this VM running on this year's x5 server and this VM running on this year's X ie server can be in

117
00:09:20,490 --> 00:09:25,560
the same subnet because they are connected across a tunnel.

118
00:09:25,680 --> 00:09:30,300
So this piece could have an IP address of 10 1 1 2 this piece.

119
00:09:30,300 --> 00:09:36,420
You could have an IP address of 10 1 1 1 24 let's say when a broadcast is sent by this P.C. it goes

120
00:09:36,420 --> 00:09:40,650
into the tunnel centre across the tunnel to that P.C. on the other side.

121
00:09:40,920 --> 00:09:45,720
It gets complicated with broadcasts and multicast but just think of the concept that these two devices

122
00:09:45,720 --> 00:09:52,420
on the same VLAN when in actual fact they're not same villain because this infrastructure is routed.

123
00:09:52,560 --> 00:09:59,680
So we are basically pulling a cable logically from that VM on that E6 I server to this VM on this is

124
00:09:59,680 --> 00:10:04,800
X I said so logically you to Ethan a cable from one side to the other but it's just a tunnel created

125
00:10:04,800 --> 00:10:06,340
using Vieques land.

126
00:10:06,390 --> 00:10:07,600
I went into a lot of detail here.

127
00:10:07,620 --> 00:10:13,250
Let me just summarize overlay network is a network that's both on top of an underlying network under

128
00:10:13,260 --> 00:10:17,060
a network of physical devices which could be Cisco rather than switches.

129
00:10:17,120 --> 00:10:22,320
Yes it's high from the hardware will bold and it's actually NSX.

130
00:10:22,320 --> 00:10:29,850
It's not yes excites NSX is the product that does this NSX will build a whole new network and overlay

131
00:10:29,850 --> 00:10:36,180
network across the underlying network this underlying network doesn't understand what's going on with

132
00:10:36,180 --> 00:10:37,620
an overlay network.

133
00:10:37,770 --> 00:10:44,610
As an analogy again think of this underlay as the Internet and the overlay network as your VPN tunnels

134
00:10:44,610 --> 00:10:46,310
going across the Internet.

135
00:10:46,350 --> 00:10:51,960
The core routers don't have visibility of the traffic that you encrypting through your IP SEC tunnels

136
00:10:52,590 --> 00:11:00,780
that call Cisco routers and switches in a data center don't have visibility of the VM traffic going

137
00:11:00,780 --> 00:11:02,700
through a vehicle and tunnel.

138
00:11:02,790 --> 00:11:04,880
All they see is this.

139
00:11:04,950 --> 00:11:10,050
Yes excised server wants to talk to this iOS 6 AI server or this is X I server wants to talk to that

140
00:11:10,110 --> 00:11:18,030
yes X I said they don't understand that it's actually a VM running within this year's X I server that's

141
00:11:18,030 --> 00:11:21,210
talking to VM within that iOS 6 AI server.

142
00:11:21,480 --> 00:11:23,570
So we basically tunneling traffic across.

143
00:11:23,970 --> 00:11:33,230
Now I'm gonna add some videos from my NSX and overlays course there are other vendors that also do this.

144
00:11:33,330 --> 00:11:34,380
Again it's optional.

145
00:11:34,380 --> 00:11:38,760
So if you want to watch that stuff then feel free to see the small practically.

146
00:11:38,760 --> 00:11:43,890
I've been dealing with this stuff for a long time but it's now great to see that it's coming to the

147
00:11:43,950 --> 00:11:44,640
CCN CCMA.