NSX 101: What, Why & How
Aniekan Akpaffiong
Bob Horne
Initial presentation at HPETOS
October 2016
Seminar Introduction
• This seminar on NSX will include a discussion of its:
  – Benefits (including an intro to NSX Networking and SDDC)
  – Components & Features
  – Use cases
• We'll then jump into an NSX demo and finish with a discussion of additional learning resources and certification
• The goal is to introduce you to NSX; you can then decide if NSX is a journey you'd like to undertake
• This seminar will NOT:
  – replace training and hands-on experience
  – provide design/consulting advice
• Prerequisites
  – Basic exposure to virtualization
  – Curiosity about software defined networks
Module 1
NSX Overview
In Brief – NSX
– Combines functionality from:
  – Nicira's Network Virtualization Platform (NVP)
  – VMware vCloud Networking and Security
– NSX is VMware's Software Defined Network (SDN) solution; it
  – decouples networking and security from the physical hardware
  – provides network and security features, such as distributed routing and micro-segmentation
  – treats the physical network as a pool of transport capacity
  – reduces the time to provision multi-tier network and security services
  – brings security inside the data center with automated fine-grained policies tied to the virtual machines
– NSX brings the operational model of a virtual machine to the data center network
[Figure: NSX virtualizes the network fabric (layers 2-3) and virtualizes network and security services (layers 4-7)]
Benefits – NSX
• Dynamic provisioning of virtual networks and security services
• Workload mobility across clusters and L3 infrastructure
• Isolation of tenants without the limitations of VLANs
• Centralized management of distributed services
• New tools for automation, policy and VM visibility
[Figure: logical router, logical switch, and network and security services layered over the physical network]
IT's Requirements
[Figure: what each stakeholder (Business, Architect, Security, CIO, Customer) requires of IT: transformation, responsiveness, speed and agility, bespoke yet simple, at the right price and the right time]
Challenges of Virtualization
• Performance
  – Challenge: overhead of virtualization
  – Solution: deploy services closer to the data (in the hypervisor)
• Visibility
  – Challenge: status of the physical devices underneath the virtual layer
  – Solution: build on performant, well-instrumented infrastructure
• Maturity
  – Challenge: the industry is evolving
  – Solution: rigorous proof of concept (PoC)
• Internal Controls
  – Challenge: disrupts existing relationships between network, security and server teams
  – Solution: convergence, DevOps
Module 2
NSX Networking
It's All Networking To Me
OSI layer – PDU – main function – example protocols – address type (example)
• 7 Application – Data – interaction with the user; provides services to applications – FTP – hostname (example.com)
• 6 Presentation – Data – data representation (converts, encrypts) – XDR, XML – hostname (example.com)
• 5 Session – Data – connection dialog (start/stop/order) – RPC, SOCKS – socket (172.16.3.24:80)
• 4 Transport – Segment (TCP), Datagram (UDP) – end-to-end delivery of the entire message – TCP, DCCP – port number (80)
• 3 Network – Packet – routing and addressing – IP, IGMP – IP address (172.16.3.24)
• 2 Data Link – Frame – node-to-node delivery (access to the medium) – Ethernet, MPLS – MAC address (1C:98:EC:A8:EC:30)
• 1 Physical – Bit – distance and electrical characteristics (low-level parameters) – RS-232, DOCSIS – N/A
Communication model (TCP/IP): Application (OSI 5-7), Transport (4), Internet (3), Link (1-2)
A. Akpaffiong, 2016
Broadcast & Collision Domain
Device – broadcast domains – collision domains
• Hub – one per device – one per device
• Switch – one per device (one per VLAN when VLANs are configured) – one per port
• Router – one per port – one per port
Packets
A protocol data unit (PDU) is fixed-size overhead (headers) plus a variable-size payload.
• 46 – 1500 bytes: Ethernet V2 standard payload range
• 1501 – 9000 bytes: Ethernet V2 jumbo payload range
• Recommended minimum MTU on the NSX transport (underlay) network: 1600 bytes. VXLAN adds 50 bytes of encapsulation to every frame, so a 1500-byte inner payload needs at least 1550 bytes on the underlay (1554 with an 802.1Q tag on the inner frame); 1600 leaves headroom. An underlay left at 1500 drops or fragments the encapsulated frames, which typically shows up as pings succeeding while large transfers between VMs fail.
VLAN
[Figure: two switches joined by a trunk. Hosts A and A' (10.1.2.10, 10.1.2.11) are in VLAN ID X and hosts B and B' (10.1.4.10, 10.1.4.11) in VLAN ID Y, each a /24; members of one VLAN share a broadcast domain even when attached to different switches. X and Y are integers between 1 and 4094]
VLAN Frame Format – IEEE 802.1Q
Ethernet header (18 bytes when tagged, 14 untagged): Inner DST MAC (6 bytes) | Inner SRC MAC (6 bytes) | 802.1Q tag (4 bytes, optional) | EtherType/Length (2 bytes), followed by Payload (up to 1500 bytes) and FCS (4 bytes)
802.1Q tag (4 bytes): TPID (16 bits) | PCP (3 bits) | DEI (1 bit) | VID (12 bits)
• TPID – Tag Protocol Identifier (0x8100)
• TCI – Tag Control Information (PCP + DEI + VID)
• PCP – 802.1p Priority Levels (CoS)
• DEI – Drop Eligible Indicator
• VID – VLAN ID
• FCS – Frame Check Sequence
Virtual Local Area Network – VLAN
• IEEE 802.1Q
• Broadcast isolation and segmentation
• IEEE 802.1D (STP) at L2 to manage paths
• Up to 2^12 (4096) VLAN IDs, of which 1 – 4094 are usable
• Adds 4 bytes to the Ethernet frame
VLAN and VXLAN
VLAN – Virtual LAN
• Segmentation and broadcast isolation
• IEEE 802.1Q
• Enables up to 2^12 (4096) virtual networks
• IEEE 802.1D Spanning Tree Protocol (STP) at L2 to manage paths
• Adds 4 bytes to the Ethernet frame
VXLAN – Virtual eXtensible LAN
• A Layer 2 overlay scheme over a Layer 3 network
• IETF RFC 7348
• Enables up to 2^24 (about 16 million) virtual networks
• TRILL or SPB at L2 and OSPF or BGP at L3 manage paths in the underlay
• Adds 50 bytes of encapsulation (outer Ethernet, IP, UDP and VXLAN headers) to the Ethernet frame
VXLAN… in a nutshell
• Virtual eXtensible Local Area Network: a framework for overlaying virtualized Layer 2 networks over Layer 3 networks
• The fundamental concept of the NSX overlay
• One of several protocols that enable network overlays: STT, OTV, LISP, GENEVE, NVGRE
• Enables dynamic, large-scale, isolated virtual Layer 2 networks in multi-tenant environments
• Key traits of VXLAN overlay technology are encapsulation and end-point communication:
  – VXLAN encapsulates the original Ethernet frame in IP/UDP
  – VTEPs are the end-points where the Ethernet frame is encapsulated and de-encapsulated
Encapsulation
Encapsulation wraps one protocol's data unit inside another so that it can be carried by a network that only understands the outer protocol.
– For example, iSCSI PDUs are encapsulated in TCP/IP so that SCSI commands and data can be carried on a TCP/IP network. NSX uses VXLAN to encapsulate Ethernet frames in UDP/IP in the same manner.
– Encapsulation is not concealment or protection: the iSCSI PDU, like the VXLAN inner frame, is readable by anything that can see the outer packet. VXLAN has no authentication or encryption of its own, so tenant isolation on the overlay depends on keeping the underlay transport network out of reach of tenants and untrusted hosts.
[Figure: Ethernet | IP | TCP | iSCSI header + Data (the iSCSI PDU) | CRC]
Trunk & Access Links
[Figure: two switches joined by a trunk link; end devices attach over access links]
Access links
• Member of one VLAN ID (the port's access VLAN)
• Frames on the link are untagged; the attached device is unaware of its VLAN membership
Trunk links
• Conduit for multiple VLAN IDs, carried as 802.1Q-tagged frames
• Untagged frames arriving on a trunk are placed in its native VLAN; keep the native VLAN free of hosts (or tag it as well) so that untagged frames from an attached device cannot land in a production VLAN
• Link between switches, a switch and a router, or a switch and a server or hypervisor host
• Enable VLANs to span across a backbone
[Figure: traditional three-tier network design (core, aggregation, access) beside a leaf/spine "IP fabric" design (spine, leaf)]
Module 3
Software-Defined Data Center (SDDC)
Software-Defined Data Center – Concepts
• Moves intelligence from hardware into software
• Decouples the underlying network, server and storage hardware
• Location-independent
• Leverages a data center virtualization layer
Hardware-centric: intelligence baked into hardware; dedicated, vendor-specific hardware; manual configuration and management
Software-defined: intelligence in software; independent, vendor-neutral hardware; automated configuration and management
Software-Defined Data Center – Concepts
• Extends the virtualization concepts of abstraction, pooling and automation to all data center resources and services (server, network, storage, firewall)
• Decouples the underlying network, server and storage hardware, while leveraging its infrastructure
• Location-independent: can be in a single data center, span multiple private data centers, or span hybrid data centers
Software-Defined Data Center – Concepts
• Application service management – Application Management Layer: vRA Application Services
• SDDC management – Cloud Management Platform: vRA, or e.g. OpenStack
• SDDC foundation – virtualization of physical assets: VMware vSphere (compute), VSAN (software-defined storage, SDS), NSX (software-defined networking, SDN)
Software-Defined Data Center – Positioning NSX
– A software construct
– Physical network as a flexible pool of transport capacity
– Policy-driven attachment of network and security services
– Decouples network configuration from physical infrastructure
– Security and micro-segmentation
– A key tenet of the software-defined data center (SDDC)
Software-Defined Networking – Vendors
Module 4
NSX Introduction
VMware NSX treats:
"The physical network as a pool of transport capacity with network and security services attached to VMs with a policy-driven approach."
NSX Introduction
VMware NSX brings:
"The operational model of a virtual machine to the data center network, transforming the economics of network and security operations."
VMware NSX delivers:
"The network virtualization platform of the Software-Defined Data Center (SDDC)"
NSX Architecture
Layers, from top to bottom:
• Any Cloud Management Platform (e.g. vRA, OpenStack) – consumes the NSX API
• NSX Manager – UI and REST API; deploys the other components
• NSX Controller – manages state; controls the physical-to-virtual (P2V) gateway
• NSX vSwitch – vDS plus kernel modules in the hypervisor
• Any Hypervisor – ESXi, KVM, XenServer
• Overlay Transport – e.g. VXLAN, NVGRE, STT
• Any Network Device – the underlay, with a 1600-byte MTU
NSX Types
NSX type – vSphere (NSX-v) – Multi-hypervisor (NSX-mh)
• Hypervisor – ESXi – ESXi, KVM, XenServer
• Switch type – dvSwitch – Open vSwitch
• Encapsulation – VXLAN – GRE, STT, VXLAN
• Central service – NSX Edge – physical NSX gateway appliance
• Distributed firewall – in-kernel East-West distributed firewall – East-West DFW via ACLs and security groups
• Distributed routing – in-kernel distributed routing – routing via Open vSwitch
• Additional – load balancing, VPN, DHCP, NAT, central routing services – EOS announced; the successor is NSX-T ("Transformers")
Note: NSX-v has since also reached end of general support (January 2022); NSX-T is the successor to both.
Sample NSX (6.2.2+) Product Features per License
• Distributed switching and routing – Standard, Advanced, Enterprise
• Edge firewall – Standard, Advanced, Enterprise
• Edge load balancing – Advanced, Enterprise
• Distributed firewall – Advanced, Enterprise
• Cross-vCenter NSX – Enterprise
• VPN (IPsec and SSL) – Enterprise
Note that the distributed firewall, and therefore micro-segmentation, requires at least the Advanced license.
Source: http://www.vmware.com/products/nsx/compare.html
Module 5
NSX Features
NSX Features
[Figure: virtual networks built from switching, routing, firewall, load balancing, VPN and gateway services]
NSX Features – Logical Switching
• Creates logically abstracted L2 segments
• Logical L2 switching across L3 boundaries
• Decoupled from the physical network
• Powered by VXLAN
[Figure: SRV01 (172.16.20.1) and SRV02 (172.16.20.2) on one logical L2 segment while the physical path between their hosts crosses an L3 boundary]
NSX Features – Routing
• Routing functions:
  – Distributed Logical Router (DLR) – in the hypervisor kernel
    • Provides L3 routing without leaving the hypervisor
    • Routing scales with the environment by adding hosts
    • Optimizes East-West traffic flows
  – NSX Edge Services Router (ESR) – a VM
[Figure: APP01 on VNI 5001 (gateway 172.16.20.1) and DB01 on VNI 5002 (gateway 172.16.30.1) are routed by the DLR inside the hosts; an external router carries traffic leaving the overlay]
NSX Features – Routing
• Edge services routing is performed in the NSX Edge Services Gateway
  – Routing between tenants
  – Forwarding between L2 broadcast domains
  – North-South communication patterns (NSX Edge to the Internet)
NSX Features – Distributed Firewall
• Security policy is enforced at each VM's vNIC, in the hypervisor kernel, on both ingress and egress
• Placement: no traffic steering to a choke point; the firewall sits in the data path of every VM on the logical switch
• Mobility: the policy follows the VM when it moves between hosts
• Performance: enforcement is spread across all hypervisors instead of concentrated in one appliance
NSX Features – Edge Firewall
• Edge Services Gateway (ESG), a virtual appliance
• North-South traffic, e.g. from each tenant's logical switch to the Internet (one ESG per tenant in the figure)
• Complements the distributed firewall
NSX Features – Micro-segmentation
Before NSX
• Focus on perimeter defense
• Low priority systems left unprotected
• Security between systems is expensive
• Centralized firewalls result in large firewall rule sets
With NSX
• Micro-granular security model
• Security applied at the virtual network interface
• Security distributed to every hypervisor
• Security cost normalized across all systems
• Automated provisioning of security policies
• Security policies always follow the VM
• Security policies are simplified, centralized and logically grouped
NSX Features – Load Balancer (simplified logical representation)
• The ESG holds the virtual IP (VIP = LB IP); service requests arrive at the VIP and are distributed to the backend server IPs SRV 1, SRV 2 … SRV n
• Distribution methods: ROUND_ROBIN, LEAST_CONN, IP_HASH, URI
• Example services: TCP (8090), HTTP (80), HTTPS (443)
• Modes of operation: one-arm (DNAT and SNAT), inline (DNAT only)
NSX Features – VPN
• SSL VPN: allows a remote user (laptop) to connect to services
• IPsec VPN: provides connectivity between sites over an L3 WAN
• L2 VPN: stretches an L2 network between sites
[Figure: Site A, Site B and Site C joined through NSX Edges over L3 WANs, with a remote user connecting to Site A]
NSX Features
• Logical Switch – East-West communication; kernel-based, extends network reach
• Logical Router – North-South communication; distributed (DLR) and appliance based (ESG), inter-provider
• Services Gateway – physical-to-virtual application services: firewall, routing, VPN, LB
NSX Features – Security Group, Security Policy
• Security Group – what to protect: a grouping of workloads with static or dynamic membership
• Security Policy – how to protect: firewall rules, endpoint services, network introspection services
Service – description – applies to
• Firewall rules – rules that define the traffic to be allowed to, from, or within the security group – vNIC
• Endpoint – data security or 3rd-party services, e.g. anti-virus or vulnerability management – virtual machines
• Network introspection – services that monitor your network, such as IPS and network forensics – virtual machines
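How the distributed firewall, security groups and micro-segmentation slides above fit together, as an added example in Python (not code from the presentation or from NSX): security groups with static and dynamic membership, a security policy of firewall rules, and first-match enforcement at both the source and the destination vNIC regardless of which host the VM runs on. The VM names, tags, addresses and rules are constructed for the example; the "Applied To" semantics and the out-of-the-box default-allow rule are NSX for vSphere behaviour.

```python
"""Model of NSX-style micro-segmentation: security groups with static or dynamic membership, a security
policy of firewall rules, and enforcement at every VM's vNIC regardless of host. Added example, not NSX
code; VM names, tags, addresses and rules are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set


@dataclass
class VM:
    name: str
    ip: str
    host: str                                    # ESXi host the VM currently runs on
    tags: Set[str] = field(default_factory=set)  # NSX security tags


@dataclass
class SecurityGroup:
    name: str
    static_members: Set[str] = field(default_factory=set)     # explicit VM names
    dynamic_criteria: Optional[Callable[[VM], bool]] = None   # e.g. "has security tag web"

    def members(self, inventory: Dict[str, VM]) -> Set[str]:
        names = set(self.static_members)
        if self.dynamic_criteria is not None:
            names |= {vm.name for vm in inventory.values() if self.dynamic_criteria(vm)}
        return names


@dataclass
class Rule:
    name: str
    source: Optional[str]             # security group name, None = any
    destination: Optional[str]
    proto: str
    port: Optional[int]               # None = any port
    action: str                       # "allow" or "block"
    applied_to: Optional[str] = None  # group whose vNICs receive the rule; None = every vNIC


@dataclass
class Flow:
    src_vm: str
    dst_vm: str
    proto: str
    dport: int


class DistributedFirewall:
    """First-match evaluation at the source vNIC (egress) and at the destination vNIC (ingress);
    the flow passes only if both allow it. default_action="block" is the hardened setting."""

    def __init__(self, groups: List[SecurityGroup], rules: List[Rule], default_action: str = "block"):
        self.groups = {g.name: g for g in groups}
        self.rules = rules
        self.default_action = default_action

    def in_group(self, vm_name: str, group: Optional[str], inventory: Dict[str, VM]) -> bool:
        return group is None or vm_name in self.groups[group].members(inventory)

    def rules_on_vnic(self, vm_name: str, inventory: Dict[str, VM]) -> List[Rule]:
        return [r for r in self.rules if self.in_group(vm_name, r.applied_to, inventory)]

    def evaluate(self, flow: Flow, rules: List[Rule], inventory: Dict[str, VM]) -> str:
        for r in rules:
            if (self.in_group(flow.src_vm, r.source, inventory)
                    and self.in_group(flow.dst_vm, r.destination, inventory)
                    and r.proto == flow.proto and (r.port is None or r.port == flow.dport)):
                return r.action
        return self.default_action

    def decide(self, flow: Flow, inventory: Dict[str, VM]) -> str:
        egress = self.evaluate(flow, self.rules_on_vnic(flow.src_vm, inventory), inventory)
        ingress = self.evaluate(flow, self.rules_on_vnic(flow.dst_vm, inventory), inventory)
        return "allow" if egress == ingress == "allow" else "block"


def scenario() -> Dict[str, object]:
    """Constructed three-tier app plus a jump host; returns the firewall decisions."""
    inv = {"web-01": VM("web-01", "10.1.2.10", "esxi-01", {"web"}),
           "app-01": VM("app-01", "10.1.3.10", "esxi-02", {"app"}),
           "db-01": VM("db-01", "10.1.4.10", "esxi-01"),
           "jump-01": VM("jump-01", "10.1.9.10", "esxi-02", {"jump"})}
    groups = [SecurityGroup("sg-web", dynamic_criteria=lambda vm: "web" in vm.tags),
              SecurityGroup("sg-app", dynamic_criteria=lambda vm: "app" in vm.tags),
              SecurityGroup("sg-jump", dynamic_criteria=lambda vm: "jump" in vm.tags),
              SecurityGroup("sg-db", static_members={"db-01"})]
    rules = [Rule("web-to-app", "sg-web", "sg-app", "tcp", 8443, "allow"),
             Rule("app-to-db", "sg-app", "sg-db", "tcp", 3306, "allow"),
             Rule("jump-to-db-ssh", "sg-jump", "sg-db", "tcp", 22, "allow", applied_to="sg-db")]
    hardened = DistributedFirewall(groups, rules, default_action="block")
    shipped = DistributedFirewall(groups, rules, default_action="allow")  # NSX's default rule is Allow

    def tcp(src: str, dst: str, port: int) -> Flow:
        return Flow(src, dst, "tcp", port)

    out = {"web->app:8443": hardened.decide(tcp("web-01", "app-01", 8443), inv),
           "app->db:3306": hardened.decide(tcp("app-01", "db-01", 3306), inv),
           "web->db:3306": hardened.decide(tcp("web-01", "db-01", 3306), inv),  # lateral movement blocked
           "web->db:3306 default-allow": shipped.decide(tcp("web-01", "db-01", 3306), inv),
           # the SSH rule is programmed only on sg-db vNICs, so jump-01's egress falls to the default rule
           "jump->db:22": hardened.decide(tcp("jump-01", "db-01", 22), inv),
           "jump->db:22 default-allow": shipped.decide(tcp("jump-01", "db-01", 22), inv)}
    inv["db-01"].host = "esxi-02"                                   # vMotion: the policy follows the VM
    out["app->db:3306 after vMotion"] = hardened.decide(tcp("app-01", "db-01", 3306), inv)
    out["web->db:3306 after vMotion"] = hardened.decide(tcp("web-01", "db-01", 3306), inv)
    inv["web-02"] = VM("web-02", "10.1.2.11", "esxi-02", {"web"})   # new VM joins sg-web by its tag
    out["sg-web members"] = sorted(hardened.groups["sg-web"].members(inv))
    out["web-02->app:8443"] = hardened.decide(tcp("web-02", "app-01", 8443), inv)
    return out
```

Two results are the ones worth checking in a real deployment: with the shipped default-allow rule, web-01 reaches the database on 3306 even though no rule permits it, which is why the default rule is changed to block before micro-segmentation is considered in place; and once it is blocked, a rule whose "Applied To" only covers the destination group (the SSH rule here) is never consulted at the jump host's vNIC, so the flow is dropped on egress. Either apply such rules to both groups or leave "Applied To" at its default of every vNIC.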
NSX Features – Security Probing Questions
1. If a threat makes it past your perimeter, are you able to quickly and automatically respond to prevent the threat from moving from server to server?
  • NSX micro-segmentation applies security at the workload level without the need for additional firewalls or changes to the existing network/security platform
  • The security profile moves seamlessly with the workload
  • Security scales automatically with the environment
2. Do you need to improve your security SLA?
  • Global rule sets can be complex and difficult to modify, making threat analysis and forensics tedious and time-consuming
  • NSX micro-segmentation reduces the complexity; changes are automatically communicated and propagated, and security provisioning is streamlined
Module 6
NSX Components
NSX Components - Architecture
Components and the ports between them (VMware KB 2079386 visualized):
• Client PC → NSX Manager: 443/TCP – admin UI and REST API
• Client PC → vCenter Server: 443, 902/TCP – vSphere Web Client
• NSX Manager ↔ vCenter Server: 443/TCP – REST
• NSX Manager ↔ ESXi hosts: 22, 80, 443, 902/TCP – management and provisioning; hosts pull the NSX VIBs from NSX Manager over 80/TCP
• ESXi hosts (vsfwd user-world agent, UWA) → NSX Manager: 5671/TCP – RabbitMQ (AMQP) message bus, which carries the distributed firewall (DFW) rule pushes
• ESXi hosts (netcpa UWA) → NSX Controller cluster – VXLAN and routing control plane (1234/TCP in KB 2079386)
• NSX Controller cluster, node to node: 2878, 2888, 3888/TCP – state sync
• VTEP ↔ VTEP (ESXi hosts and NSX ESG): 4789/UDP – VXLAN data plane (NSX 6.2.3 and later; earlier releases default to 8472/UDP)
• ESXi hosts ↔ vCenter Server: 8301, 8302/UDP – DVS sync
• All components: 53, 123, 514 TCP/UDP – DNS, NTP, Syslog
Only the VTEP port carries tenant traffic; everything else is management or control plane. Keep NSX Manager, the controllers and vCenter on a management network reachable only from admin jump hosts, and keep the VTEP VLAN unreachable from workloads: VXLAN carries no authentication, so a host that can reach a VTEP on UDP/4789 can craft frames into any VNI.
NSX: SDN
[Figure, a traditional network device: features run on the device's operating system over a specialized packet forwarding engine. Its planes: management plane (configuration via CLI/GUI), control plane (routing protocols, neighbor table, link state), data plane (forwarding table)]
[Figure: in a traditional network every device carries all three planes and its own specialized forwarding engine; with NSX one operating system spans the fabric and drives many simple packet forwarding engines]
Overlay Network
• Uses software to create layers of network abstraction: run multiple, discrete virtualized network layers (overlays) on top of the physical network (underlay)
• Uses encapsulation to create L2 logical networks on top of the existing physical IP network
[Figure: virtual "overlay" networks on top of the physical "underlay"]
VXLAN Encapsulation
Outer Ethernet header | Outer IPv4 header | Outer UDP header | VXLAN header | Original Ethernet frame (inner Ethernet header, payload, FCS)
The four outer headers are the 50-byte VXLAN encapsulation overhead. The underlay sees only the outer headers; the overlay is the original frame.
VXLAN Frame Format
• Outer Ethernet header (14 bytes, 18 with an outer 802.1Q tag): outer DST MAC, outer SRC MAC, 802.1Q tag (optional), EtherType
• Outer IPv4 header (20 bytes): IP header data, IP protocol (17 = UDP), header checksum, outer SRC IP (source VTEP), outer DST IP (destination VTEP)
• Outer UDP header (8 bytes): SRC port, DST port (4789), UDP length, UDP checksum
• VXLAN header (8 bytes): VXLAN flags (8 bits), reserved (24 bits), VXLAN Network Identifier (VNI, 24 bits), reserved (8 bits)
• Inner Ethernet header (14 or 18 bytes): inner DST MAC, inner SRC MAC, 802.1Q tag (optional), EtherType
• Payload (up to 1500 bytes) and FCS
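The VXLAN frame format above, together with the 802.1Q tag layout from the VLAN section, as an added example in Python (not code from the presentation or from NSX): it builds the 50-byte encapsulation around an inner frame, parses it back, rejects packets whose outer source IP is not a VTEP known for that VNI, and computes the underlay MTU an inner frame needs. VTEP addresses, MACs and payloads are constructed; the source-VTEP check is the kind of filter a receiving VTEP or the transport-VLAN firewall should apply, not a documented NSX feature.

```python
"""VXLAN (RFC 7348) encapsulation, decapsulation and source-VTEP validation.
Added example, not code from the presentation or from NSX; addresses and payloads are constructed."""
import ipaddress
import struct

VXLAN_UDP_PORT = 4789       # IANA-assigned; NSX 6.2.3+ default (earlier releases used 8472)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_UDP = 17
VXLAN_FLAG_I = 0x08         # "I" bit: the VNI field is valid


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ethernet_header(dst: str, src: str, ethertype: int, vlan_id: int = None) -> bytes:
    """14-byte Ethernet header, or 18 bytes when an 802.1Q tag is inserted (PCP and DEI left at 0)."""
    hdr = mac(dst) + mac(src)
    if vlan_id is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan_id & 0x0FFF)   # TPID, then TCI = PCP|DEI|VID
    return hdr + struct.pack("!H", ethertype)


def ipv4_checksum(header: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                      src_mac: str, dst_mac: str, src_port: int = 49152) -> bytes:
    """Outer Ethernet (14) + IPv4 (20) + UDP (8) + VXLAN (8): the 50-byte overhead from the slide."""
    vxlan = struct.pack("!II", VXLAN_FLAG_I << 24, (vni & 0xFFFFFF) << 8)  # flags+reserved, VNI+reserved
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)      # zero checksum is allowed over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, IPPROTO_UDP, 0,
                     ipaddress.IPv4Address(src_vtep).packed, ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ethernet_header(dst_mac, src_mac, ETHERTYPE_IPV4) + ip + udp + vxlan + inner_frame


def vxlan_decapsulate(packet: bytes, vtep_table: dict):
    """Parse the outer headers, verify the source VTEP belongs to the VNI, return (vni, inner_frame)."""
    off = 12
    ethertype, = struct.unpack_from("!H", packet, off)
    off += 2
    if ethertype == ETHERTYPE_8021Q:            # outer 802.1Q tag (transport VLAN)
        ethertype, = struct.unpack_from("!H", packet, off + 2)
        off += 4
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[off] & 0x0F) * 4
    if packet[off + 9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    src_ip = str(ipaddress.IPv4Address(packet[off + 12:off + 16]))
    off += ihl
    _, dst_port, _, _ = struct.unpack_from("!HHHH", packet, off)
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port %d is not VXLAN" % dst_port)
    off += 8
    flags_word, vni_word = struct.unpack_from("!II", packet, off)
    if not (flags_word >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    vni = vni_word >> 8
    off += 8
    # The controller's VTEP table says which VTEPs belong to a VNI; anything else is an injection attempt
    if src_ip not in vtep_table.get(vni, ()):
        raise ValueError("VTEP %s is not a member of VNI %d" % (src_ip, vni))
    return vni, packet[off:]


def is_accepted(packet: bytes, vtep_table: dict) -> bool:
    try:
        vxlan_decapsulate(packet, vtep_table)
        return True
    except ValueError:
        return False


def underlay_mtu_required(inner_payload_len: int, inner_tagged: bool = False) -> int:
    """Underlay MTU needed to carry the inner frame unfragmented: inner Ethernet header (14, or 18
    with an 802.1Q tag) + inner payload + outer IPv4 (20) + UDP (8) + VXLAN (8); 1500 -> 1550."""
    return 14 + (4 if inner_tagged else 0) + inner_payload_len + 20 + 8 + 8


def demo():
    """VM A on VNI 5001 sends a frame to VM B through two ESXi VTEPs; a rogue source is rejected."""
    vtep_table = {5001: {"192.168.250.11", "192.168.250.12"}}          # constructed controller table
    inner = ethernet_header("00:50:56:01:00:02", "00:50:56:01:00:01", ETHERTYPE_IPV4) + b"hello from VM A"
    good = vxlan_encapsulate(inner, 5001, "192.168.250.11", "192.168.250.12",
                             "00:50:56:aa:00:01", "00:50:56:aa:00:02")
    rogue = vxlan_encapsulate(inner, 5001, "10.0.0.99", "192.168.250.12",
                              "00:50:56:aa:00:01", "00:50:56:aa:00:02")
    vni, frame = vxlan_decapsulate(good, vtep_table)
    return len(good) - len(inner), vni, frame == inner, is_accepted(rogue, vtep_table)
```

demo() returns the 50-byte overhead, the VNI recovered from the header, whether the inner frame survived the round trip, and whether the packet from an address outside the VTEP table was accepted. The MTU helper is where the slide's 1600-byte recommendation comes from: a 1500-byte inner payload needs 1550 bytes on the underlay, 1554 with a tagged inner frame.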
VTEP – VXLAN Tunnel End Point
• A VTEP encapsulates an Ethernet frame in a VXLAN frame, or de-encapsulates a VXLAN frame and forwards the inner Ethernet frame
• Each VTEP has an IP interface on the transport network; VXLAN segments (VNID 1, VNID 2, …) are identified by the VNI in the header, so VMs on different segments share the same VTEPs and underlay while remaining isolated at L2
[Figure: four ESXi hosts (VTEP ESXi 1-4) with VMs A-D on one VNI; ESXi 3 acts as the UTEP in unicast replication mode]
BUM – Broadcast, Unknown unicast and Multicast traffic is replicated across VTEPs in one of three modes: multicast, unicast, hybrid (see the replication mode slides in the backup section)
Transport Zone
• Defines the clusters of hosts that can participate in the virtual network
• Configurable boundary for a given VXLAN segment
• Defines the reach of the L2 domain
[Figure: Transport Zone 1 spanning Cluster 1, Cluster 2 and Cluster 3 across VDS 1 and VDS 2]
Module 7
NSX Deployment
NSX Deployment – Hardware Minimum Requirement
Appliance – memory – vCPU –  disk space
• NSX Manager (1x) – 16 GB – 4 – 60 GB
• NSX Controller (3x) – 4 GB – 4 – 20 GB
• NSX Edge (1x):
  – Compact – 512 MB – 1 – 1 disk 500 MB
  – Large – 1 GB – 2 – 1 disk 500 MB + 1 disk 512 MB
  – Quad-Large – 1 GB – 4 – 1 disk 500 MB + 1 disk 512 MB
  – X-Large – 8 GB – 6 – 1 disk 500 MB + 1 disk 2 GB
• Guest Introspection – 1 GB – 2 – 4 GB
• NSX Data Security – 512 MB – 1 – 6 GB per ESXi host
NSX Roles
• Auditor – read-only access to all areas
• Security Administrator – read/write access to NSX security: defining data security policies, creating port groups, creating reports for NSX modules; read-only access to other areas
• NSX Administrator – read/write access to NSX operations: installing virtual appliances, configuring port groups; read-only access to other areas
• Enterprise Administrator – read/write access to all areas of NSX
Assign the narrowest role that fits the job (Auditor for analysts who only need to read rules, Security Administrator for the firewall team) and keep Enterprise Administrator to a few named accounts, since that role can rewrite every distributed firewall rule in the environment.
Module 8
NSX Resources
Live Demo
Demonstration of NSX
NSX Resources – VMware Hands-on Labs
http://labs.hol.vmware.com/HOL/
NSX Resources – HPE Education
www.hpe.com/us/training
NSX Resources – Certification
VMware NSX Training and Certification
"Since before your sun burned hot in space and before your race was born, I have awaited a question."
-- The City on the Edge of Forever, Star Trek
Questions?
You are now free to go!
Backup Slides
NSX NetworkVirtualization Services – Security
70
Third-Party
• Antivirus
• DLP
• Firewall
• Intrusion Prevention
• Vulnerability Management
• Identity and Access Management
• Security Policy Management
Built-In
• Distributed Firewall
• Edge Firewall
• Data Security
• Server Activity Monitoring
• VPN (SSL, IPsec)
Software-Defined Networks (SDN)
• SDN has two defining characteristics:
o SDN separates the control plane from the data plane
o SDN consolidates the control plane, so that a single software control
program controls multiple data-plane elements
• The concept underpinning SDN is simple:
o If the data and control plane are de-coupled the static network can be
made intelligent, responsive, programmable and centrally controlled.
71
NSX Components – Network Planes
Network Planes – An Analogy: the management plane defines, the control plane enforces, the data plane executes
• Management plane – defines the network policy (the "what"): NSX Manager, vCenter Server
• Control plane – enforces the network policy (the "how"): NSX Controller cluster, Edge/logical router control VM
• Data plane – executes the network policy (the "do"): NSX vSwitch, NSX Edge
In a traditional network device the same split is: configuration via CLI/GUI (management plane); routing protocols with their neighbor and link-state tables (control plane); the forwarding table (data plane).
NSX Features – Firewall
• Physical vs. Virtual vs. Distributed vs. Edge Firewall
  – Physical firewall – Limited: traffic must be steered to a choke point; expansion is expensive; global performance characteristics; limited information about the workloads it protects
  – Virtual firewall (appliance) – Sprawl: still a choke point with steered traffic; basic packet information only; limited capacity per instance, so instances multiply
  – Distributed firewall – Enforcement assumed: embedded in the data path at every vNIC; scales with the hosts; every packet inspected; comprehensive security policy
  – Edge firewall – Perimeter services: North-South traffic at the tenant or data center edge
NSX Features – L2 Bridging
• Connects a VXLAN logical switch (e.g. Web VM, App VM, DB) to a VLAN (e.g. physical servers SVR1, SVR2) at L2
• Connectivity is embedded in the hypervisor and scalable: the DLR control VM (active/standby HA) bridges a VNI to a VLAN ID on the host's vDS
• Alternatively a hardware VTEP (a physical switch) bridges VNI to VID and is configured by the NSX Controller cluster over OVSDB
[Figure: VMs on port groups of a vDS on VTEP ESXi hosts and the ESG, the active and standby DLR, and physical switches with trunk and access ports; MACs A-E illustrate the VNI-to-VID mapping]
NSX Features – Replication Modes
[Figures: four ESXi hosts (VTEP ESXi 1-4) with VMs A-D on one VNI; ESXi 3 acts as the MTEP (multicast/hybrid) or UTEP (unicast) for its transport subnet]
• Multicast replication mode: the origin VTEP sends one copy to the VNI's multicast group; IGMP snooping at L2 delivers it within the transport subnet and PIM at L3 delivers it to the other subnets
• Unicast replication mode: the origin VTEP sends a unicast copy to every VTEP in its own transport subnet and one copy to a UTEP in each remote subnet; the UTEP re-replicates to the VTEPs in its subnet. No multicast is needed in the underlay
• Hybrid replication mode: L2 multicast (IGMP) within the transport subnet and a unicast copy to an MTEP in each remote subnet, which multicasts locally. No PIM is needed in the underlay
NSX Components – Controller Tables
Each NSX Controller node maintains, per VNI:
• MAC table – maps VM MACs to the VTEP behind which they live
• ARP table – maps VM IPs to MACs (used for ARP suppression, so ARP requests need not be flooded)
• VTEP table – maps each VNI to the VTEPs that have VMs on it
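The controller tables and the replication mode slides above, as an added example in Python (not NSX code): a model of the VTEP, MAC and ARP tables, a VTEP's forwarding decision for known unicast, suppressed ARP and BUM traffic, and the fan-out each replication mode produces. VTEP addresses and VM MACs are constructed; /24 transport subnets and choosing the lowest-IP VTEP in a remote segment as its UTEP/MTEP are assumptions of the model, not how NSX picks them.

```python
"""Model of the NSX controller tables (VTEP, MAC, ARP) and of a VTEP's forwarding decision.
Added example, not NSX code. Assumptions: /24 transport subnets; the UTEP/MTEP for a remote segment
is the lowest VTEP IP in that segment (NSX's actual selection is not modelled)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ControllerTables:
    vtep: Dict[int, Dict[str, str]] = field(default_factory=dict)   # VNI -> {VTEP IP: transport subnet}
    mac: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (VNI, VM MAC) -> VTEP IP
    arp: Dict[Tuple[int, str], str] = field(default_factory=dict)   # (VNI, VM IP) -> VM MAC

    def learn(self, vni: int, vtep_ip: str, vm_mac: str, vm_ip: str) -> None:
        """What a host reports through netcpa when one of its VMs joins a VNI."""
        subnet = str(ipaddress.ip_network(vtep_ip + "/24", strict=False))
        self.vtep.setdefault(vni, {})[vtep_ip] = subnet
        self.mac[(vni, vm_mac)] = vtep_ip
        self.arp[(vni, vm_ip)] = vm_mac


@dataclass(frozen=True)
class Send:
    to: str                  # destination VTEP IP, or the VNI's multicast group
    replicate_locally: bool  # set on the copy sent to a UTEP/MTEP, which re-replicates in its own segment


def replicate_bum(tables: ControllerTables, vni: int, origin: str, mode: str,
                  mcast_group: str = "239.1.1.1") -> List[Send]:
    """Copies the originating VTEP puts on the wire for one BUM frame in the given mode."""
    members = tables.vtep[vni]
    local = members[origin]
    sends: List[Send] = []
    if mode == "unicast":
        # one unicast copy to every other VTEP in the same transport subnet
        sends += [Send(ip, False) for ip in sorted(members) if members[ip] == local and ip != origin]
    else:
        # multicast and hybrid rely on L2 multicast (IGMP snooping) inside the segment
        sends.append(Send(mcast_group, False))
    if mode == "multicast":
        return sends  # the L3 underlay (PIM) carries that same copy to the remote segments
    for subnet in sorted({s for s in members.values() if s != local}):
        proxy = min(ip for ip, s in members.items() if s == subnet)   # UTEP (unicast) / MTEP (hybrid)
        sends.append(Send(proxy, True))
    return sends


def fan_out(tables: ControllerTables, vni: int, origin: str, mode: str) -> Dict[str, int]:
    """Wire copies sent by the origin and by each proxy that was asked to replicate locally."""
    first_hop = replicate_bum(tables, vni, origin, mode)
    counts = {origin: len(first_hop)}
    members = tables.vtep[vni]
    for s in first_hop:
        if s.replicate_locally:
            peers = [ip for ip, sn in members.items() if sn == members[s.to] and ip != s.to]
            counts[s.to] = len(peers) if mode == "unicast" else (1 if peers else 0)
    return counts


def forward(tables: ControllerTables, vni: int, origin: str, dst_mac: str, mode: str,
            arp_target_ip: Optional[str] = None) -> Tuple[str, List[Send]]:
    """A VTEP's decision for a frame from a local VM: known unicast, suppressed ARP, or BUM."""
    if dst_mac != BROADCAST and (vni, dst_mac) in tables.mac:
        return "unicast", [Send(tables.mac[(vni, dst_mac)], False)]
    if arp_target_ip is not None and (vni, arp_target_ip) in tables.arp:
        # ARP suppression: the host answers from the controller's ARP table; nothing is flooded
        return "arp-suppressed", []
    return "bum", replicate_bum(tables, vni, origin, mode)


def sample_tables() -> ControllerTables:
    """Constructed inventory: six VTEPs in three transport subnets, one VM each on VNI 5001."""
    t = ControllerTables()
    hosts = [("192.168.10.11", "00:50:56:00:00:01", "10.1.2.10"),
             ("192.168.10.12", "00:50:56:00:00:02", "10.1.2.11"),
             ("192.168.10.13", "00:50:56:00:00:03", "10.1.2.12"),
             ("192.168.20.11", "00:50:56:00:00:04", "10.1.2.13"),
             ("192.168.20.12", "00:50:56:00:00:05", "10.1.2.14"),
             ("192.168.30.11", "00:50:56:00:00:06", "10.1.2.15")]
    for vtep_ip, vm_mac, vm_ip in hosts:
        t.learn(5001, vtep_ip, vm_mac, vm_ip)
    return t
```

With the sample tables, a broadcast from 192.168.10.11 in unicast mode costs the origin four sends (two local peers plus one UTEP in each remote subnet) and the UTEP in 192.168.20.0/24 one more, so every other VTEP receives exactly one copy; hybrid mode cuts the origin to three sends, and multicast mode to one, at the price of IGMP and PIM in the underlay. An ARP request for an address the controller already knows produces no replication at all, which is what the ARP table is for.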

More Related Content

PPTX
VMware NSX-T Design for Small to Mid-Sized Data Centers v1.0 EN.pptx
PDF
An Introduction to VMware NSX
PPTX
VMware Disaster Recovery Solution Presentation EN (1).pptx
PPTX
NSX-T Architecture and Components.pptx
PDF
VMware vSphere Networking deep dive
PPTX
VMware Cloud Foundation - PnP presentation 8_6_18 EN.pptx
PPTX
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
PPTX
VMware Advance Troubleshooting Workshop - Day 2
VMware NSX-T Design for Small to Mid-Sized Data Centers v1.0 EN.pptx
An Introduction to VMware NSX
VMware Disaster Recovery Solution Presentation EN (1).pptx
NSX-T Architecture and Components.pptx
VMware vSphere Networking deep dive
VMware Cloud Foundation - PnP presentation 8_6_18 EN.pptx
23.06.15 NSX ALB and vCD integration deepdive_webinar0615.pptx
VMware Advance Troubleshooting Workshop - Day 2

What's hot (20)

PDF
VSAN – Architettura e Design
PPTX
VMware vSAN - Novosco, June 2017
PDF
Microsoft Windows Server 2022 Overview
PDF
VMware HCI solutions - 2020-01-16
PPTX
VMware vSphere technical presentation
PDF
Nsx t reference design guide 3-0
PPTX
Microsoft Active Directory.pptx
PPTX
cloud_foundation_on_vxrail_vcf_pnp_licensing_guide.pptx
PDF
What’s New in VMware vSphere 7?
PDF
VMware Virtual SAN Presentation
PDF
VMware Tanzu Introduction
PPTX
Virtual Infrastructure Overview
PPTX
Vce vxrail-customer-presentation new
PPTX
Introduction to Hyper-V
PPTX
VMware vSphere 6.0 - Troubleshooting Training - Day 1
PPTX
Windows Server 2019.pptx
PDF
Understanding Cisco’ Next Generation SD-WAN Technology
PDF
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
PDF
Meraki Overview
PPTX
SDN Architecture & Ecosystem
VSAN – Architettura e Design
VMware vSAN - Novosco, June 2017
Microsoft Windows Server 2022 Overview
VMware HCI solutions - 2020-01-16
VMware vSphere technical presentation
Nsx t reference design guide 3-0
Microsoft Active Directory.pptx
cloud_foundation_on_vxrail_vcf_pnp_licensing_guide.pptx
What’s New in VMware vSphere 7?
VMware Virtual SAN Presentation
VMware Tanzu Introduction
Virtual Infrastructure Overview
Vce vxrail-customer-presentation new
Introduction to Hyper-V
VMware vSphere 6.0 - Troubleshooting Training - Day 1
Windows Server 2019.pptx
Understanding Cisco’ Next Generation SD-WAN Technology
VMware Tutorial For Beginners | VMware Workstation | VMware Virtualization | ...
Meraki Overview
SDN Architecture & Ecosystem
Ad

Similar to VMware NSX 101: What, Why & How (20)

PDF
VMworld 2015: The Future of Network Virtualization with VMware NSX
PDF
VMware NSX primer 2014
PPTX
VMworld 2015: VMware NSX Deep Dive
PPTX
VMworld 2015: VMware NSX Deep Dive
PPTX
VMUGbe 21 Filip Verloy
PDF
VMworld 2013: Deploying VMware NSX Network Virtualization
PDF
GAMO VMware vCloud Air
PPTX
VMware nsx network virtualization tool
PDF
VMware NSX for vSphere - Intro and use cases
PPTX
VMworld 2016: How to Deploy VMware NSX with Cisco Infrastructure
PDF
VMworld 2013: Datacenter Transformation with Network Virtualization: Today an...
PDF
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
PDF
Sdn primer pdf
PDF
VMworld 2013: VMware NSX Extensibility: Network and Security Services from 3r...
PDF
VMworld 2014: Introduction to NSX
PDF
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
PDF
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX
PDF
NSX Reference Design version 3.0
VMworld 2015: The Future of Network Virtualization with VMware NSX
VMware NSX primer 2014
VMworld 2015: VMware NSX Deep Dive
VMworld 2015: VMware NSX Deep Dive
VMUGbe 21 Filip Verloy
VMworld 2013: Deploying VMware NSX Network Virtualization
GAMO VMware vCloud Air
VMware nsx network virtualization tool
VMware NSX for vSphere - Intro and use cases
VMworld 2016: How to Deploy VMware NSX with Cisco Infrastructure
VMworld 2013: Datacenter Transformation with Network Virtualization: Today an...
OVHcloud Hosted Private Cloud Platform Network use cases with VMware NSX
Sdn primer pdf
VMworld 2013: VMware NSX Extensibility: Network and Security Services from 3r...
VMworld 2014: Introduction to NSX
NSX: La Virtualizzazione di Rete e il Futuro della Sicurezza
VMworld 2013: Bringing Network Virtualization to VMware Environments with NSX
NSX Reference Design version 3.0
Ad

Recently uploaded (20)

PDF
KodekX | Application Modernization Development
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
PDF
Building Integrated photovoltaic BIPV_UPV.pdf
PDF
Network Security Unit 5.pdf for BCA BBA.
PPTX
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
PDF
Unlocking AI with Model Context Protocol (MCP)
PDF
Approach and Philosophy of On baking technology
PDF
Review of recent advances in non-invasive hemoglobin estimation
PPTX
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
PPT
Teaching material agriculture food technology
PDF
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
PPTX
20250228 LYD VKU AI Blended-Learning.pptx
PDF
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
PDF
Diabetes mellitus diagnosis method based random forest with bat algorithm
PPTX
A Presentation on Artificial Intelligence
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
PDF
NewMind AI Weekly Chronicles - August'25 Week I
PDF
Modernizing your data center with Dell and AMD
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
KodekX | Application Modernization Development
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Building Integrated photovoltaic BIPV_UPV.pdf
Network Security Unit 5.pdf for BCA BBA.
Effective Security Operations Center (SOC) A Modern, Strategic, and Threat-In...
Unlocking AI with Model Context Protocol (MCP)
Approach and Philosophy of On baking technology
Review of recent advances in non-invasive hemoglobin estimation
PA Analog/Digital System: The Backbone of Modern Surveillance and Communication
Teaching material agriculture food technology
TokAI - TikTok AI Agent : The First AI Application That Analyzes 10,000+ Vira...
20250228 LYD VKU AI Blended-Learning.pptx
Shreyas Phanse Resume: Experienced Backend Engineer | Java • Spring Boot • Ka...
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Diabetes mellitus diagnosis method based random forest with bat algorithm
A Presentation on Artificial Intelligence
Reach Out and Touch Someone: Haptics and Empathic Computing
NewMind AI Weekly Chronicles - August'25 Week I
Modernizing your data center with Dell and AMD
Mobile App Security Testing_ A Comprehensive Guide.pdf

VMware NSX 101: What, Why & How

  • 1. NSX 101: What,Why & How Aniekan Akpaffiong Bob Horne Initial presentation at HPETOS October 2016
  • 2. Seminar Introduction • This seminar on NSX will include a discussion of its: • Benefits (including an intro to NSX Networking and SDDC) • Components & Features • Use cases we’ll jump into an NSX Demo and finish with a discussion of Additional Learning Resources and Certification • The goal is to introduce you to NSX; you can then decide if NSX is a journey you’d like to undertake • This seminar will NOT: – replace training and hands-on experience – provide design/consulting advice • Prerequisites – Basic exposure to virtualization – Curiosity about software defined networks 2
  • 4. In Brief – NSX NVP – Combines functionality from: – Nicira’s NetworkVirtualization Platform (NVP) – VMware vCloud Networking and Security – NSX isVMware's Software Defined Network (SDN) solution – decouples networking and security from the physical hardware – provides network and security features, such as distributed routing and micro-segmentation – treats the physical network as a pool of transport capacity – reduces the time to provision multi-tier network and security services – brings security inside the data center with automated fine-grained policies tied to the virtual machines – NSX brings the operational model of a virtual machine to the data center network L2 – 3 L4 – 7 4 virtualizes network and security services virtualizes the network fabric
  • 5. Benefits – NSX • Dynamic provisioning of virtual networks and security services • Workload mobility across clusters and L3 infrastructure • Isolation of tenants without the limitations ofVLANs • Centralized management of distributed services • New tools for automation, policy andVM visibility Logical Router Logical Switch Network, Security Services 5
  • 6. IT’s Requirements 6 TransformationResponsiveness Speed, Agility Bespoke, Simplicity Right Price, RightTime Business Architect Security CIO Customer
  • 7. Challenges ofVirtualization Performance Challenge: Overhead of virtualization Solution: Deploy services closer to the data Visibility Challenge: Status of physical devices Solution: Build on performant infrastructure Maturity Challenge:The industry is evolving Solution: Rigorous PoC Internal Controls Challenge: Disrupts existing relationships Solution: Convergence, DevOps 7
  • 10. Layer Layer Name Protocol Data Unit (PDU) Main Function Example Protocol AddressType 7 Application Data Interaction with user. Provides services to app. FTP Hostname example.com 6 Presentation Data Data representation (Converts/Encrypts) XDR,XML Hostname example.com 5 Session Data Connection dialog (Start/Stop/Order) RPC, SOCKS Socket 172.16.3.24:80 4 Transport Segment (TCP) Datagram (UDP) End-to-End Delivery (Entire message) TCP, DCCP Port number 80 3 Network Packet Routing and Addressing IP, IGMP IP Address 172.16.3.24 2 Data Link Frame Node-to-node (Access to media) Ethernet, MPLS MAC 1C98ECA8EC30 1 Physical Bit Distance and electrical (Low level parameters) RS232, DOCSIS N/A Application Transport Internet Link Communication Model 10A.Akpaffiong, 2016
  • 11. Broadcast & Collision Domain 11 Broadcast Domain Collision Domain Hub One broadcast domain per device One collision domain per device One broadcast domain per device One collision domain per port One broadcast domain per port One collision domain per port Switch Router
  • 12. Broadcast & Collision Domain Hub Switch Router Broadcast Device Device Port Collision Device Port Port 12
  • 13. Packets PayloadOverhead Protocol Data Unit (PDU) Fixed Variable 46 – 1500 Bytes EthernetV2 Standard Payload Range 1501 – 9000 Bytes EthernetV2 Jumbo Payload Range Recommended MTU for NSX 1600 bytes 13
  • 15. VLAN Frame Format – IEEE 802.1Q 15 Inner DST MAC Inner SRC MAC 802.1Q (opt) Ether Type/ Length Payload FCS Inner Ethernet Header TPID PCP DEI VID 1500 bytes18 bytes 12 bits1 bit3 bits16 bits 4 bytes TPID Tag Protocol Identifier TCI Tag Control Information PCP 802.1p Priority Levels (COS) DEI Drop eligible indicator (DEI) VID VLAN ID FCS Frame Check Sequence 6 6 bytes2 4 bytes
  • 16. Virtual Local Area Network – VLAN
    – IEEE 802.1Q
    – Broadcast isolation and segmentation
    – Adds 4 bytes to the Ethernet frame
    – IEEE 802.1D (STP) at L2 to manage paths
    – Up to 2^12 (4096) virtual networks
  • 17. VLAN and VXLAN
    – VLAN – Virtual LAN
      • Segmentation and broadcast isolation
      • IEEE 802.1Q
      • Enables up to 2^12 (4096) virtual networks
      • IEEE 802.1D Spanning Tree Protocol (STP) at L2 to manage paths
      • Adds 4 bytes to the Ethernet frame
    – VXLAN – Virtual eXtensible LAN
      • A Layer 2 overlay scheme over a Layer 3 network
      • IETF RFC 7348
      • Enables up to 2^24 (16 million) virtual networks
      • TRILL, SPB at L2 and OSPF, BGP at L3 to manage paths
      • Adds 50 bytes of VXLAN encapsulation overhead to the Ethernet frame
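The two address-space sizes above are easiest to see in bytes. The following Python example is added here; it is not code from the deck or from VMware. It builds an Ethernet frame with an IEEE 802.1Q tag (4 extra bytes between the source MAC and the EtherType), parses it back out, and derives the 2^12 VLAN and 2^24 VNI limits from the field widths. The MAC addresses, VLAN ID and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100            # Tag Protocol Identifier that announces an 802.1Q tag
VID_BITS, VNI_BITS = 12, 24    # VLAN ID field width vs. VXLAN Network Identifier width
MAX_VLANS = 1 << VID_BITS      # 4096 (IDs 0 and 4095 are reserved in practice)
MAX_VNIS = 1 << VNI_BITS       # 16,777,216 ("16 million")


def build_tagged_frame(dst_mac: bytes, src_mac: bytes, vid: int, pcp: int, dei: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Build an Ethernet frame (without FCS) and insert a 4-byte 802.1Q tag.

    The tag goes between the source MAC and the EtherType/Length field, so a
    tagged header is 18 bytes instead of 14.
    """
    if not 0 <= vid < MAX_VLANS:
        raise ValueError("VID must fit in 12 bits")
    if not 0 <= pcp <= 7 or dei not in (0, 1):
        raise ValueError("PCP is 3 bits, DEI is 1 bit")
    tci = (pcp << 13) | (dei << 12) | vid          # Tag Control Information
    tag = struct.pack("!HH", TPID_8021Q, tci)        # TPID + TCI = 4 bytes
    return dst_mac + src_mac + tag + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Parse the Ethernet header; detect and decode an 802.1Q tag if present."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an untagged Ethernet header")
    info = {"dst": frame[0:6].hex(":"), "src": frame[6:12].hex(":"),
            "tagged": False, "vid": None, "pcp": None, "dei": None}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == TPID_8021Q:                       # tag present: read TCI, then the real EtherType
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(tagged=True, vid=tci & 0x0FFF, pcp=tci >> 13, dei=(tci >> 12) & 1)
        offset = 18
    info.update(ethertype=ethertype, header_len=offset, payload=frame[offset:])
    return info


# Constructed sample: a broadcast ARP-sized frame on VLAN 100 with CoS 3
SAMPLE_FRAME = build_tagged_frame(
    dst_mac=bytes.fromhex("ffffffffffff"),
    src_mac=bytes.fromhex("1c98eca8ec30"),     # MAC shown in the deck's OSI table
    vid=100, pcp=3, dei=0, ethertype=0x0806, payload=b"\x00" * 46)

if __name__ == "__main__":
    parsed = parse_frame(SAMPLE_FRAME)
    print(f"tagged={parsed['tagged']} vid={parsed['vid']} pcp={parsed['pcp']} "
          f"header={parsed['header_len']} bytes, frame={len(SAMPLE_FRAME)} bytes")
    print(f"VLAN IDs: {MAX_VLANS}, VXLAN VNIs: {MAX_VNIS}")
```

Removing bytes 12 to 15 of the sample gives the untagged form of the same frame, which the parser reports with a 14-byte header; the difference is exactly the 4 bytes the slide attributes to 802.1Q.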
  • 18. VXLAN... in a nutshell
    – Virtual eXtensible Local Area Network: a framework for overlaying virtualized Layer 2 networks over Layer 3 networks
    – Fundamental concept of the NSX overlay
    – One of several protocols that enable network overlay: STT, OTV, LISP, GENEVE, NVGRE
    – Enables dynamic, large-scale, isolated virtual Layer 2 networks in multi-tenant environments
    – Key traits of VXLAN overlay technology are encapsulation and end-point communication:
      • VXLAN encapsulates the original Ethernet frame into IP/UDP
      • VTEPs are the end-points where the Ethernet frame is encapsulated and de-encapsulated
  • 19. Encapsulation
    – Encapsulation wraps data inside another protocol's headers so that it can pass through a network that would otherwise not carry it
    – Example: iSCSI data is encapsulated in TCP/IP so that SCSI data can be accepted on a TCP/IP network (Ethernet | IP | TCP | iSCSI | Data | CRC; the iSCSI PDU is the iSCSI header plus data)
    – NSX uses VXLAN to encapsulate the Ethernet payload in a similar manner
  • 20. Trunk & Access Links
    – Access links
      • Member of one VLAN ID group
      • Referred to as the native VLAN
      • Attached device is unaware of any VLAN membership
    – Trunk links
      • Conduit for multiple VLAN IDs
      • 100 Mbps or higher link between switches, a switch and a router, or a switch and a server
      • Enable VLANs to span across a backbone
  • 21. Traditional Network Design vs. Leaf/Spine "IP Fabric" Design
    – Traditional network design: Core, Aggregation, Access
    – Leaf/Spine "IP Fabric" design: Spine, Leaf
  • 23. Software-Defined Data Center – Concepts
    – Moves intelligence from hardware into software
    – Decouples the underlying network, server and storage hardware
    – Location-independent
    – Leverages a data center virtualization layer
    Hardware | Software
    Intelligence baked into hardware | Intelligence in software
    Dedicated, vendor-specific hardware | Independent, vendor-neutral hardware
    Manual configuration & management | Automated configuration & management
  • 24. Software-Defined Data Center – Concepts
    – Abstraction, pooling and automation applied to server, network, storage and firewall
    – Extends virtualization concepts of abstraction, pooling, and automation to all data center resources and services
    – Decouples the underlying network, server and storage hardware, while leveraging its infrastructure
    – Location-independent; can be in a single data center, span multiple private data centers, or span hybrid data centers
  • 25. Software-Defined Data Center – Concepts (layers)
    – Application Management Layer (application service management): vRA Application Services
    – Cloud Management Platform (SDDC management): vRA, e.g. OpenStack
    – SDDC Foundation (virtualization of physical assets): VMware vSphere; SDS = VSAN; SDN = NSX
  • 26. Software-Defined Data Center – Positioning NSX
    – A software construct
    – Physical network as a flexible pool of transport capacity
    – Policy-driven attachment of network and security services
    – Decouples network configuration from physical infrastructure
    – Security and micro-segmentation
    – Key tenet of the software-defined data center (SDDC)
  • 29. NSX Introduction
    – VMware NSX treats: "The physical network as a pool of transport capacity with network and security services attached to VMs with a policy-driven approach."
    – VMware NSX brings: "The operational model of a virtual machine to the data center network, transforming the economics of network and security operations."
    – VMware NSX delivers: "The network virtualization platform of the Software-Defined Data Center (SDDC)"
  • 30. NSX Architecture (layers, top to bottom)
    – Any Cloud Management Platform: e.g. vRA, OpenStack
    – NSX API
    – NSX Manager: UI, deployment
    – NSX Controller: manage state, P2V gateway
    – NSX vSwitch: vDS, kernel modules
    – Any Hypervisor: ESXi, KVM, XenServer
    – Overlay Transport: e.g. VXLAN, NVGRE, STT
    – Any Network Device: underlay, 1600 MTU
  • 31. NSX Types
    NSX Type | vSphere (NSX-v) | Multi-hypervisor (NSX-mh)
    Hypervisor | ESXi | ESXi, KVM, XenServer
    Switch Type | dvSwitch | Open vSwitch
    Encapsulation | VXLAN | GRE, STT, VXLAN
    Central Service | NSX Edge | Physical NSX GW Appliance
    Distributed Firewall | East-West Distributed Firewall, in-kernel | East-West DF via ACL and Security Groups
    Distributed Routing | In-kernel Distributed Routing | Routing via Open vSwitch
    Additional | Load balancing, VPN, DHCP, NAT, central routing services | EOS announced; successor is NSX-T (Transformers)
  • 32. Sample NSX (6.2.2+) Product Features per License
    Sample Feature | Standard | Advanced | Enterprise
    Distributed Switching and Routing | ✓ | ✓ | ✓
    Edge Firewall | ✓ | ✓ | ✓
    Edge Load Balancing | - | ✓ | ✓
    Distributed Firewall | - | ✓ | ✓
    Cross vCenter NSX | - | - | ✓
    VPN (IPSec and SSL) | - | - | ✓
    Source: http://www.vmware.com/products/nsx/compare.html
  • 34. NSX Features
    – Services provided to virtual networks: Switching, Routing, Firewall, Load Balancing, VPN, Gateway
  • 35. NSX Features – Logical Switching
    – Creates logically abstracted L2 segments
    – Logical L2 switching across L3 boundaries
    – Decoupled from the physical network
    – Powered by VXLAN
    (Diagram: SRV01 at 172.16.20.1 and SRV02 at 172.16.20.2 share one logical L2 network segment on top of a physical L3 network)
  • 36. NSX Features – Routing
    – Routing functions:
      • Distributed Logical Router (DLR) – kernel
        – Provides L3 routing without leaving the hypervisor
        – Routing scales with the environment by adding hosts
        – Optimizes East-West traffic flows
      • NSX Edge Services Router (ESR) – VM
    (Diagram: APP01 and DB01 on logical switches 5001 and 5002, with DLR interfaces 172.16.20.1 and 172.16.30.1; the DLR connects to an external router; physical L3 underneath)
  • 37. NSX Features – Routing
    – Edge Services Routing is performed in the NSX Edge Services Gateway
      • Routing between tenants
      • Forwarding information between L2 broadcast domains
      • North-South communication patterns (NSX Edge to the Internet)
  • 38. NSX Features – Distributed Firewall
    – Security policy enforced at the vNIC of each VM on the logical switch, at ingress and at egress
    – Placement, mobility, performance
  • 39. NSX Features – Edge Firewall
    – ESG virtual appliance between the Internet and the tenant logical switches (Tenant 1, Tenant 2)
    – North-South traffic
    – Complements the Distributed Firewall
  • 40. NSX Features – Micro-segmentation
    – Before NSX
      • Focus on perimeter defense
      • Low priority systems left unprotected
      • Security between systems is expensive
      • Centralized firewalls result in large firewall rule sets
    – With NSX
      • Micro-granular security model
      • Security applied at the virtual network interface
      • Security distributed to every hypervisor
      • Security cost normalized across all systems
      • Automated provisioning of security policies
      • Security policies always follow the VM
      • Security policies are simplified, centralized and logically grouped
  • 41. NSX Features – Load Balancer (simplified logical representation)
    – VIP = LB IP = Edge IP on the ESG; service requests for TCP (8090), HTTP (80) and HTTPS (443) are distributed to the backend server IPs SRV 1, SRV 2 ... SRV n
    – Distribution methods: ROUND_ROBIN, LEAST_CONN, IP_HASH, URI
    – Modes of operation: One-Arm (DNAT & SNAT), Inline (DNAT)
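As an added illustration of the distribution methods and operating modes on this slide (example code, not the NSX Edge implementation, whose hashing and tie-break rules are not documented here), the Python below models one virtual server with a pool of three constructed backend IPs, applies each method to incoming requests, skips members a health check has marked down, and shows what source and destination a backend sees in one-arm versus inline mode.

```python
import hashlib
import itertools
from collections import defaultdict


class VirtualServer:
    """One VIP on the Edge load balancer with a pool of backend servers (added example)."""

    METHODS = ("ROUND_ROBIN", "LEAST_CONN", "IP_HASH", "URI")

    def __init__(self, vip: str, port: int, members: list, method: str):
        if method not in self.METHODS:
            raise ValueError(f"unknown distribution method {method}")
        self.vip, self.port, self.method = vip, port, method
        self.members = list(members)                 # backend server IPs, in pool order
        self.healthy = set(self.members)             # members currently passing the health monitor
        self._ring = itertools.cycle(self.members)   # round-robin pointer
        self.active_conns = defaultdict(int)         # per-member open connections

    @staticmethod
    def _bucket(key: str, size: int) -> int:
        """Stable hash so the same client IP or URI keeps landing on the same member."""
        digest = hashlib.sha256(key.encode()).digest()
        return int.from_bytes(digest[:8], "big") % size

    def select(self, client_ip: str, uri: str = "/") -> str:
        """Pick a backend for a new request according to the configured method."""
        pool = [m for m in self.members if m in self.healthy]
        if not pool:
            raise RuntimeError("no healthy pool members")
        if self.method == "ROUND_ROBIN":
            for member in self._ring:               # advance the ring, skipping members marked down
                if member in self.healthy:
                    return member
        if self.method == "LEAST_CONN":
            return min(pool, key=lambda m: (self.active_conns[m], pool.index(m)))
        if self.method == "IP_HASH":
            return pool[self._bucket(client_ip, len(pool))]
        return pool[self._bucket(uri, len(pool))]    # URI hashing; note a pool-size change re-maps buckets

    def open_connection(self, client_ip: str, uri: str = "/") -> str:
        member = self.select(client_ip, uri)
        self.active_conns[member] += 1
        return member

    def close_connection(self, member: str) -> None:
        self.active_conns[member] -= 1

    def mark_down(self, member: str) -> None:
        self.healthy.discard(member)


def backend_view(mode: str, client_ip: str, lb_ip: str, server_ip: str) -> tuple:
    """(source, destination) a backend sees after the LB's NAT, per operating mode.

    One-arm: DNAT to the server plus SNAT to the LB IP, so replies must return via the LB.
    Inline:  DNAT only; the client IP is preserved because the LB sits in the servers' path.
    """
    if mode == "ONE_ARM":
        return (lb_ip, server_ip)
    if mode == "INLINE":
        return (client_ip, server_ip)
    raise ValueError(f"unknown mode {mode}")


# Constructed sample pool: three web servers behind VIP 172.16.10.10:443
POOL = ["172.16.20.11", "172.16.20.12", "172.16.20.13"]

if __name__ == "__main__":
    rr = VirtualServer("172.16.10.10", 443, POOL, "ROUND_ROBIN")
    print([rr.select("198.51.100.7") for _ in range(4)])
    rr.mark_down(POOL[1])
    print("after marking", POOL[1], "down:", rr.select("198.51.100.7"))
    print(backend_view("ONE_ARM", "198.51.100.7", "172.16.10.10", POOL[0]))
```

The one-arm tuple is the reason backend access logs show the LB address instead of the client in that mode; if the client IP matters for logging or rate limiting, inline mode (or an X-Forwarded-For style header the LB inserts) is the design choice to make.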
  • 42. NSX Features – VPN
    – Allows a remote user (laptop) to connect to services
    – Provides connectivity between sites (Site A, Site B, Site C over an L3 WAN)
    – Stretches an L2 network between sites (L2 VPN on the Edge)
  • 43. NSX Features
    – Logical Switch: East-West communication; kernel-based, extends network reach
    – Logical Router: North-South communication; distributed and appliance-based, inter-provider
    – Services Gateway: physical-to-virtual; application services – firewall, routing, VPN, LB
  • 44. NSX Features – Security Group, Security Policy
    – Security Group: what to protect; a grouping of workloads with dynamic or static membership
  • 45. NSX Features – Security Group, Security Policy
    – Security Group: what to protect
    – Security Policy: how to protect; applied to one or more Security Groups
    Service | Description | Applies to
    Firewall Rules | Rules that define the traffic to be allowed to, from, or within the security group | vNIC
    Endpoint Service | Data Security or 3rd-party services, e.g. anti-virus or vulnerability management services | Virtual Machines
    Network Introspection | Services that monitor your network such as IPS and network forensics | Virtual Machines
  • 46. NSX Features – Security Probing Questions
    1. If a threat makes it past your perimeter, are you able to quickly and automatically respond to prevent the threat from moving from server to server?
      • NSX micro-segmentation applies security at the workload level without the need for additional firewalls or changes to the existing network/security platform
      • The security profile moves seamlessly with the workload
      • Security scales automatically with the environment
    2. Do you need to improve your security SLA?
      • Global rule sets can be complex and difficult to modify, making threat analysis and forensics tedious and time-consuming
      • NSX micro-segmentation reduces the complexity; changes are automatically communicated and propagated, and security provisioning is streamlined
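The security-group and security-policy model of slide 45, and the automatic response asked about in question 1 above, can be shown in a few dozen lines. The Python below is an added example, not NSX code or its API: groups are resolved from static members and dynamic criteria (name substring, security tag), each policy's rules are compiled into the rule set of every member vNIC, and tagging a VM moves it into a quarantine group whose block rule takes precedence. The inventory, group names, tags and rules are constructed sample values, and "earlier policy wins" stands in for the policy weights NSX uses.

```python
from dataclasses import dataclass, field


@dataclass
class VM:
    name: str
    ip: str
    tags: set = field(default_factory=set)


@dataclass
class SecurityGroup:
    """"What to protect": static members plus dynamic membership criteria."""
    name: str
    static_members: set = field(default_factory=set)   # VM names added by hand
    name_contains: str = None                          # dynamic: VM name substring
    tag: str = None                                    # dynamic: security tag

    def members(self, inventory: list) -> set:
        names = set(self.static_members)
        for vm in inventory:
            if self.name_contains and self.name_contains in vm.name:
                names.add(vm.name)
            if self.tag and self.tag in vm.tags:
                names.add(vm.name)
        return names


@dataclass
class FirewallRule:
    name: str
    source: str        # security group name, or "any"
    destination: str   # security group name, or "any"
    service: str       # e.g. "TCP/443" or "any"
    action: str        # "ALLOW" or "BLOCK"


@dataclass
class SecurityPolicy:
    """"How to protect": firewall rules applied to every vNIC in a security group."""
    name: str
    applies_to: str    # security group name
    rules: list


def compile_vnic_rules(policies: list, groups: list, inventory: list) -> dict:
    """Resolve groups to member IPs and emit the rule set each VM's vNIC enforces.

    Policies are evaluated in list order (earlier = higher precedence), so a
    quarantine policy listed first lands above the application policies.
    """
    by_name = {g.name: g for g in groups}
    group_ips = {g.name: sorted(vm.ip for vm in inventory if vm.name in g.members(inventory))
                 for g in groups}

    def resolve(ref: str) -> list:
        return group_ips[ref] if ref in group_ips else ["any"]

    vnic_rules = {}
    for policy in policies:
        for vm_name in sorted(by_name[policy.applies_to].members(inventory)):
            rules = vnic_rules.setdefault(vm_name, [])
            for r in policy.rules:
                rules.append((r.name, resolve(r.source), resolve(r.destination), r.service, r.action))
    return vnic_rules


def quarantine(inventory: list, vm_name: str) -> list:
    """The automated response from question 1: tag the VM; membership and rules follow."""
    return [VM(vm.name, vm.ip, vm.tags | {"quarantine"}) if vm.name == vm_name else vm
            for vm in inventory]


# Constructed three-tier inventory, groups and policies
INVENTORY = [VM("web-01", "172.16.10.11"), VM("web-02", "172.16.10.12"),
             VM("app-01", "172.16.20.11", {"app"}), VM("db-01", "172.16.30.11", {"db"})]
GROUPS = [SecurityGroup("SG-Web", name_contains="web-"),
          SecurityGroup("SG-App", tag="app"),
          SecurityGroup("SG-DB", tag="db"),
          SecurityGroup("SG-Quarantine", tag="quarantine")]
POLICIES = [
    SecurityPolicy("Quarantine", "SG-Quarantine",
                   [FirewallRule("quarantine-block", "any", "any", "any", "BLOCK")]),
    SecurityPolicy("Web-Tier", "SG-Web", [
        FirewallRule("https-in", "any", "SG-Web", "TCP/443", "ALLOW"),
        FirewallRule("web-to-app", "SG-Web", "SG-App", "TCP/8080", "ALLOW"),
        FirewallRule("web-default-deny", "any", "any", "any", "BLOCK")]),
    SecurityPolicy("App-Tier", "SG-App", [
        FirewallRule("app-to-db", "SG-App", "SG-DB", "TCP/3306", "ALLOW"),
        FirewallRule("app-default-deny", "any", "any", "any", "BLOCK")]),
]

if __name__ == "__main__":
    for vm_name, rules in compile_vnic_rules(POLICIES, GROUPS, INVENTORY).items():
        print(vm_name, [r[0] for r in rules])
    after = compile_vnic_rules(POLICIES, GROUPS, quarantine(INVENTORY, "web-02"))
    print("web-02 after quarantine:", [r[0] for r in after["web-02"]])
```

Two things worth noticing in the output: a new VM whose name matches "web-" gets the web-tier rules without anyone editing a firewall, and db-01 has no rule set at all because no policy applies to SG-DB, which is the kind of gap a review of compiled rules should catch.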
  • 48. NSX Components – Architecture (VMware KB 2079386 visualized)
    – Components: Client PC, vCenter Server, NSX Manager, NSX Controller Cluster, NSX ESG, and ESXi hosts (ProLiant DL180 Gen9) each running the user world agents netcpa (UWA) and vsfwd (UWA), the DFW, the VXLAN and routing kernel modules and a VTEP
    – Ports shown:
      • 443/TCP – NSX Manager admin UI and REST
      • 80/TCP – VIB access (hosts to NSX Manager)
      • 5671/TCP – RabbitMQ (RMQ) message bus between NSX Manager and vsfwd on the hosts
      • 2878, 2888, 3888/TCP – state sync within the NSX Controller cluster
      • 443, 902/TCP – vSphere Web (NSX Manager to vCenter Server)
      • 22, 80, 443, 902/TCP – management/provisioning
      • 53, 123, 514 TCP/UDP – DNS, NTP, Syslog
      • 4789/UDP – VXLAN between VTEPs
      • 123 TCP/UDP – NTP
      • 8301, 8302/UDP – DVS sync between hosts
      • 443/TCP – REST between NSX Manager and the NSX Controller cluster
  • 49. NSX: SDN
    – Traditional network device: an operating system with its features running on a specialized packet forwarding engine
  • 50. NSX: SDN
    – Traditional network device, by plane:
      • Management plane: configuration (CLI/GUI)
      • Control plane: routing protocol(s), neighbor IP table, link state
      • Data plane: forwarding table on the specialized packet forwarding engine
  • 51. NSX: SDN
    (Diagram: many traditional network devices, each with its own operating system, features and specialized packet forwarding engine)
  • 52. NSX: SDN
    (Diagram: a single operating system with its features controlling many simple packet forwarding engines)
  • 53. Overlay Network
    – Uses software to create layers of network abstraction: run multiple, discrete virtualized network layers on top of the physical network (underlay)
    – Uses encapsulation to create L2 logical networks on top of the existing physical IP network
    – Physical "underlay" below, virtual "overlay" above
  • 54. VXLAN Encapsulation
    – Underlay (outer) headers: Outer Ethernet Header, Outer IPv4 Header, Outer UDP Header, VXLAN Header = 50 bytes of VXLAN encapsulation overhead
    – Overlay (inner): Original Ethernet Frame = Inner Ethernet Header + Payload, then FCS
  • 55. VXLAN Frame Format
    – Outer Ethernet Header (14 bytes): Outer DST MAC, Outer SRC MAC, VXLAN Type (opt), Outer 802.1Q (opt), Ether Type
    – Outer IPv4 Header (20 bytes): IP Header Data, IP Protocol, Header Checksum, Outer SRC IP, Outer DST IP
    – Outer UDP Header (8 bytes): SRC Port, DST Port, UDP Length, UDP Checksum
    – VXLAN Header (8 bytes): VXLAN Flags, RSVD, VXLAN Network ID, RSVD
    – Inner Ethernet Header (14 or 18 bytes): Inner DST MAC, Inner SRC MAC, 802.1Q (opt), Ether Type
    – Payload (1500 bytes), FCS
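To see the 50-byte overhead of slides 54 and 55 and the 1600-byte MTU recommendation of slide 13 together, the following Python example is added here (not code from the deck or from VMware). It builds the outer Ethernet, IPv4, UDP (destination port 4789) and VXLAN headers around an inner frame, strips and validates them again the way a receiving VTEP would, and checks whether the result fits the underlay MTU. The MACs, IPs, VNI and inner frame are constructed sample values; the outer IPv4 checksum is computed, while the UDP checksum is left at zero as RFC 7348 permits over IPv4.

```python
import struct
from ipaddress import IPv4Address

VXLAN_UDP_PORT = 4789              # IANA port for VXLAN (RFC 7348)
VXLAN_FLAG_I = 0x08                # "I" flag: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
ENCAP_OVERHEAD = 14 + 20 + 8 + 8   # outer Ethernet + IPv4 + UDP + VXLAN headers = 50 bytes
IP_OVERHEAD = 20 + 8 + 8           # the part of that overhead the underlay MTU must carry
NSX_MTU = 1600                     # underlay MTU the deck recommends


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; returns 0 when a received header verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_mac: bytes, dst_mac: bytes,
                      src_ip: str, dst_ip: str, src_port: int) -> bytes:
    """Wrap an inner Ethernet frame (FCS stripped) the way a VTEP does on egress."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit field")
    # VXLAN header: flags(8) | reserved(24) || VNI(24) | reserved(8)
    vxlan_hdr = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero UDP checksum
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                         IPPROTO_UDP, 0, IPv4Address(src_ip).packed, IPv4Address(dst_ip).packed)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ipv4_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = dst_mac + src_mac + struct.pack("!H", ETHERTYPE_IPV4)
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def vxlan_decapsulate(packet: bytes) -> tuple:
    """Validate each outer header in turn and return (vni, inner_frame)."""
    (ethertype,) = struct.unpack("!H", packet[12:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    ip_hdr = packet[14:14 + ihl]
    if ipv4_checksum(ip_hdr) != 0:
        raise ValueError("outer IPv4 header checksum failed")
    if ip_hdr[9] != IPPROTO_UDP:
        raise ValueError("outer IP protocol is not UDP")
    udp_off = 14 + ihl
    _src_port, dst_port, udp_len, _csum = struct.unpack("!HHHH", packet[udp_off:udp_off + 8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    vx_off = udp_off + 8
    word0, word1 = struct.unpack("!II", packet[vx_off:vx_off + 8])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI not valid")
    return word1 >> 8, packet[vx_off + 8:udp_off + udp_len]


def fits_underlay_mtu(inner_frame: bytes, mtu: int = NSX_MTU) -> bool:
    """The link MTU bounds the outer IP packet; the outer Ethernet header sits outside it."""
    return len(inner_frame) + IP_OVERHEAD <= mtu


# Constructed sample: a 14-byte Ethernet header carrying a full-size 1500-byte IP payload
INNER_FRAME = (bytes.fromhex("00505600aa01") + bytes.fromhex("00505600aa02")
               + b"\x08\x00" + b"\x45" + b"\x00" * 1499)
SAMPLE_VNI = 5001   # VNI of a logical switch shown earlier in the deck

if __name__ == "__main__":
    pkt = vxlan_encapsulate(INNER_FRAME, SAMPLE_VNI, bytes.fromhex("1c98eca8ec30"),
                            bytes.fromhex("1c98eca8ec31"), "10.10.1.11", "10.10.2.11", 49152)
    vni, inner = vxlan_decapsulate(pkt)
    print(f"VNI {vni}: {len(INNER_FRAME)} -> {len(pkt)} bytes on the wire "
          f"(+{len(pkt) - len(INNER_FRAME)}); fits 1600 MTU: {fits_underlay_mtu(inner)}, "
          f"fits 1500 MTU: {fits_underlay_mtu(inner, 1500)}")
```

A 1500-byte VM payload gives a 1514-byte inner frame, which becomes a 1550-byte outer IP packet: over a standard 1500-byte underlay that packet would have to fragment or be dropped, which is why the deck recommends an underlay MTU of 1600.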
  • 56. VTEP – VXLAN Tunnel End Point
    – A VTEP encapsulates an Ethernet frame in a VXLAN frame, or de-encapsulates a VXLAN frame and forwards the inner Ethernet frame
    (Diagram: VMs on VXLAN segments VNID 1 and VNID 2 attach to the VTEP on each host; the VTEPs' IP interfaces connect over the IP network)
  • 57. Unicast Replication Mode
    – BUM – Broadcast, Unknown unicast, and Multicast traffic
    – Replication modes: Multicast, Unicast, Hybrid
    (Diagram: one VNI with VTEPs on ESXi 1, ESXi 2 and ESXi 4 and a UTEP on ESXi 3, hosting VMs A to D; steps 1 to 4)
  • 58. Transport Zone
    – Defines the clusters of hosts that can participate in the virtual network
    – Configurable boundary for a given VXLAN segment
    – Defines the reach of the L2 domain
    (Diagram: Transport Zone 1 spanning Cluster 1, Cluster 2 and Cluster 3 across VDS 1 and VDS 2)
  • 60. NSX Deployment – Hardware Minimum Requirement
    Appliance | Memory | vCPU | Disk Space
    NSX Manager (1x) | 16 GB | 4 | 60 GB
    NSX Controller (3x) | 4 GB | 4 | 20 GB
    NSX Edge (1x), Compact | 512 MB | 1 | 1 disk 500 MB
    NSX Edge (1x), Large | 1 GB | 2 | 1 disk 500 MB + 1 disk 512 MB
    NSX Edge (1x), Quad-Large | 1 GB | 4 | 1 disk 500 MB + 1 disk 512 MB
    NSX Edge (1x), X-Large | 8 GB | 6 | 1 disk 500 MB + 1 disk 2 GB
    Guest Introspection | 1 GB | 2 | 4 GB
    NSX Data Security | 512 MB | 1 | 6 GB per ESXi host
  • 61. NSX Roles
    – Auditor: RO access to all areas
    – Security Administrator: R/W access to NSX security (defining data security policies, creating port groups, creating reports for NSX modules); RO access to other areas
    – NSX Administrator: R/W access to NSX operations (installing virtual appliances, configuring port groups); RO access to other areas
    – Enterprise Administrator: R/W access to all areas of NSX
  • 64. NSX Resources – VMware Hands-on Labs: http://labs.hol.vmware.com/HOL/
  • 65. NSX Resources – HPE Education: www.hpe.com/us/training
  • 66. NSX Resources – Certification: VMware NSX Training and Certification
  • 67. Questions?
    "Since before your sun burned hot in space and before your race was born, I have awaited a question." -- The City on the Edge of Forever, Star Trek
  • 68. You are now free to go!
  • 70. NSX Network Virtualization Services – Security
    – Built-in: Distributed Firewall, Edge Firewall, Data Security, Server Activity Monitoring, VPN (SSL, IPsec)
    – Third-party: Antivirus, DLP, Firewall, Intrusion Prevention, Vulnerability Management, Identity and Access Management, Security Policy Management
  • 71. Software-Defined Networks (SDN)
    – SDN has two defining characteristics:
      • SDN separates the control plane from the data plane
      • SDN consolidates the control plane, so that a single software control program controls multiple data-plane elements
    – The concept underpinning SDN is simple: if the data and control planes are decoupled, the static network can be made intelligent, responsive, programmable and centrally controlled
  • 72. NSX Network Planes – An Analogy
    – Management Plane: NSX Manager & vCenter – define
    – Control Plane: NSX Controller – enforce
    – Data Plane: NSX vSwitch – execute
    (Analogy image: nytimes.com)
  • 73. NSX Components – Network Planes (build slide, title only)
  • 74. NSX Components – Network Planes
    – Management plane: configuration (CLI/GUI)
    – Control plane: routing protocol(s), neighbor IP table, link state
    – Data plane: forwarding table
  • 75. NSX Components – Network Planes
    – Management plane: configuration (CLI/GUI) – NSX Manager, vCenter Server
    – Control plane: routing protocol(s), neighbor IP table, link state – NSX Controller, Edge Logical Router
    – Data plane: forwarding table – NSX vSwitch, NSX Edge
  • 76. NSX Components – Network Planes
    – Management plane defines the network policy (what): NSX Manager, vCenter
    – Control plane enforces the network policy (how): Controller
    – Data plane executes the network policy (do): vSwitch
  • 77. NSX Features – Firewall: Physical vs. Virtual vs. Distributed vs. Edge Firewall
    – Physical firewall: limited information; expansion is expensive; global performance characteristics; steered choke point
  • 78. NSX Features – Firewall: Physical vs. Virtual vs. Distributed vs. Edge Firewall
    – Physical firewall: limited
    – Virtual firewall: sprawl; choke point; steered; basic packet information
  • 79. NSX Features – Firewall: Physical vs. Virtual vs. Distributed vs. Edge Firewall
    – Physical firewall: limited; virtual firewall: sprawl
    – Distributed firewall: enforcement assumed; embedded in the data path; scales; every packet inspected; comprehensive security policy
  • 80. NSX Features – Firewall: Physical vs. Virtual vs. Distributed vs. Edge Firewall
    –  Physical firewall: limited; virtual firewall: sprawl; distributed firewall: enforcement assumed
    – Edge firewall: perimeter services; North-South
  • 81. NSX Features – L2 Bridging
    – An L2 bridge connects a VXLAN logical switch (Web VM, App VM) to a VLAN (DB, SVR1, SVR2)
    – Connectivity, embedded, scalable
    – Hardware VTEP (HW VTEP) managed by the Controller Cluster over OVSDB
  • 82. NSX Features – L2 Bridging
    (Diagram: two ESXi/ESG hosts with vDS port groups (PG), VMs with MACs A to E, VTEP and VMK interfaces; an Active DLR (HA) and a Standby DLR (HA) bridge a VNI to a VLAN ID (VID) over trunk and access links to the physical switches)
  • 83. NSX Features – Multicast Replication Mode
    (Diagram: one VNI with VTEPs on ESXi 1, ESXi 2 and ESXi 4 and an MTEP on ESXi 3, hosting VMs A to D; L2 replication by IGMP within a segment, L3 replication by PIM between segments; steps 1 to 3)
  • 84. NSX Features – Unicast Replication Mode
    (Diagram: the same VNI with a UTEP on ESXi 3; steps 1 to 4)
  • 85. NSX Features – Hybrid Replication Mode
    (Diagram: the same VNI with an MTEP on ESXi 3; L2 replication by IGMP within each segment; steps 1 to 4)
  • 86. NSX Components – Controller Tables
    – NSX Controller node tables:
      • MAC Table: maps VM MACs to VTEP
      • ARP Table: maps VM IPs to MAC
      • VTEP Table: maps VNI to VTEP
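The three controller tables on this slide and the replication modes of slides 83 to 85 fit one model. The Python below is an added example (not NSX code): a controller-tables object that learns VNI-to-VTEP, MAC-to-VTEP and IP-to-MAC mappings as hosts report VMs, an ARP-suppression forwarding step that answers from those tables and floods only on a miss, and a function that lists the copies a source VTEP emits for a BUM frame in multicast, unicast and hybrid mode. The hosts, subnets, MACs and IPs are constructed; treating each VTEP subnet as a segment and picking the lowest-IP VTEP of a remote segment as its UTEP/MTEP proxy are assumptions of the example, since in NSX the controller assigns the proxy.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


class ControllerTables:
    """The three tables on slide 86, kept per NSX controller node (added example)."""

    def __init__(self):
        self.vtep_table = defaultdict(set)   # VNI -> {VTEP IPs hosting that VNI}
        self.mac_table = {}                  # (VNI, VM MAC) -> VTEP IP
        self.arp_table = {}                  # (VNI, VM IP) -> VM MAC

    def learn(self, vni: int, vtep_ip: str, vm_mac: str, vm_ip: str) -> None:
        """A host reports a VM joining a logical switch; all three tables are updated."""
        self.vtep_table[vni].add(vtep_ip)
        self.mac_table[(vni, vm_mac)] = vtep_ip
        self.arp_table[(vni, vm_ip)] = vm_mac

    def arp_lookup(self, vni: int, vm_ip: str):
        return self.arp_table.get((vni, vm_ip))

    def mac_lookup(self, vni: int, vm_mac: str):
        return self.mac_table.get((vni, vm_mac))


def replicate_bum(tables, vni, src_vtep, vtep_subnets, mode):
    """Copies the source VTEP emits for one BUM frame under a replication mode.

    Each VTEP subnet is one segment. Assumption for this example: the proxy for a
    remote segment (UTEP in unicast mode, MTEP in hybrid mode) is the VTEP with the
    lowest IP in that segment; in NSX the controller makes that choice.
    """
    peers = sorted(tables.vtep_table[vni] - {src_vtep}, key=ip_address)
    local_net = ip_network(vtep_subnets[src_vtep])
    local = [v for v in peers if ip_address(v) in local_net]
    remote = defaultdict(list)
    for v in peers:
        if ip_address(v) not in local_net:
            remote[vtep_subnets[v]].append(v)
    copies = []
    if mode == "MULTICAST":
        copies.append(("vni-multicast-group", "multicast"))   # underlay IGMP + PIM replicate
    elif mode == "UNICAST":
        copies += [(v, "unicast") for v in local]                         # one copy per local VTEP
        copies += [(min(vs, key=ip_address), "unicast-to-UTEP") for vs in remote.values()]
    elif mode == "HYBRID":
        if local:
            copies.append(("local-multicast-group", "l2-multicast"))       # IGMP only, no PIM
        copies += [(min(vs, key=ip_address), "unicast-to-MTEP") for vs in remote.values()]
    else:
        raise ValueError(f"unknown replication mode {mode}")
    return copies


def forward(tables, vni, src_vtep, dst_ip, vtep_subnets, mode):
    """ARP suppression: resolve IP -> MAC -> VTEP from the tables; flood only on a miss."""
    mac = tables.arp_lookup(vni, dst_ip)
    if mac is None:
        return ("flood-arp", replicate_bum(tables, vni, src_vtep, vtep_subnets, mode))
    vtep = tables.mac_lookup(vni, mac)
    if vtep is None:
        return ("flood-unknown-unicast", replicate_bum(tables, vni, src_vtep, vtep_subnets, mode))
    return ("unicast", [(vtep, "unicast")])


# Constructed topology: four hosts in two VTEP subnets (segments), one logical switch (VNI 5001)
VTEP_SUBNETS = {"10.10.1.11": "10.10.1.0/24", "10.10.1.12": "10.10.1.0/24",
                "10.10.2.11": "10.10.2.0/24", "10.10.2.12": "10.10.2.0/24"}
VNI = 5001


def build_tables() -> ControllerTables:
    t = ControllerTables()
    t.learn(VNI, "10.10.1.11", "00:50:56:00:aa:01", "172.16.10.11")   # VM A on ESXi 1
    t.learn(VNI, "10.10.1.12", "00:50:56:00:aa:02", "172.16.10.12")   # VM B on ESXi 2
    t.learn(VNI, "10.10.2.11", "00:50:56:00:aa:03", "172.16.10.13")   # VM C on ESXi 3
    t.learn(VNI, "10.10.2.12", "00:50:56:00:aa:04", "172.16.10.14")   # VM D on ESXi 4
    return t

if __name__ == "__main__":
    tables = build_tables()
    for mode in ("MULTICAST", "UNICAST", "HYBRID"):
        print(mode, replicate_bum(tables, VNI, "10.10.1.11", VTEP_SUBNETS, mode))
    print(forward(tables, VNI, "10.10.1.11", "172.16.10.14", VTEP_SUBNETS, "UNICAST"))
    print(forward(tables, VNI, "10.10.1.11", "172.16.10.99", VTEP_SUBNETS, "UNICAST"))
```

The output shows why the tables matter operationally: with a hit in the ARP and MAC tables a lookup for VM D costs one unicast packet to its VTEP, while a miss for an address the controller has never learned falls back to the BUM replication path, whose cost depends on the mode and on how many segments the transport zone spans.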