Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

VMware NSX 101: What, Why & How


Published on

VMware NSX provides a platform for deployment of software-defined network (SDN) and network function virtualization (NFV) services across physical network devices in a way that is analogous to server virtualization.

Published in: Technology
  • Be the first to comment

VMware NSX 101: What, Why & How

  1. 1. NSX 101: What,Why & How Aniekan Akpaffiong Bob Horne Initial presentation at HPETOS October 2016
  2. 2. Seminar Introduction • This seminar on NSX will include a discussion of its: • Benefits (including an intro to NSX Networking and SDDC) • Components & Features • Use cases we’ll jump into an NSX Demo and finish with a discussion of Additional Learning Resources and Certification • The goal is to introduce you to NSX; you can then decide if NSX is a journey you’d like to undertake • This seminar will NOT: – replace training and hands-on experience – provide design/consulting advice • Prerequisites – Basic exposure to virtualization – Curiosity about software defined networks 2
  3. 3. Module 1 NSX Overview
  4. 4. In Brief – NSX NVP – Combines functionality from: – Nicira’s NetworkVirtualization Platform (NVP) – VMware vCloud Networking and Security – NSX isVMware's Software Defined Network (SDN) solution – decouples networking and security from the physical hardware – provides network and security features, such as distributed routing and micro-segmentation – treats the physical network as a pool of transport capacity – reduces the time to provision multi-tier network and security services – brings security inside the data center with automated fine-grained policies tied to the virtual machines – NSX brings the operational model of a virtual machine to the data center network L2 – 3 L4 – 7 4 virtualizes network and security services virtualizes the network fabric
  5. 5. Benefits – NSX • Dynamic provisioning of virtual networks and security services • Workload mobility across clusters and L3 infrastructure • Isolation of tenants without the limitations ofVLANs • Centralized management of distributed services • New tools for automation, policy andVM visibility Logical Router Logical Switch Network, Security Services 5
  6. 6. IT’s Requirements 6 TransformationResponsiveness Speed, Agility Bespoke, Simplicity Right Price, RightTime Business Architect Security CIO Customer
  7. 7. Challenges ofVirtualization Performance Challenge: Overhead of virtualization Solution: Deploy services closer to the data Visibility Challenge: Status of physical devices Solution: Build on performant infrastructure Maturity Challenge:The industry is evolving Solution: Rigorous PoC Internal Controls Challenge: Disrupts existing relationships Solution: Convergence, DevOps 7
  8. 8. Module 2 NSX Networking
  9. 9. It’s All NetworkingTo Me 9
  10. 10. Layer Layer Name Protocol Data Unit (PDU) Main Function Example Protocol AddressType 7 Application Data Interaction with user. Provides services to app. FTP Hostname 6 Presentation Data Data representation (Converts/Encrypts) XDR,XML Hostname 5 Session Data Connection dialog (Start/Stop/Order) RPC, SOCKS Socket 4 Transport Segment (TCP) Datagram (UDP) End-to-End Delivery (Entire message) TCP, DCCP Port number 80 3 Network Packet Routing and Addressing IP, IGMP IP Address 2 Data Link Frame Node-to-node (Access to media) Ethernet, MPLS MAC 1C98ECA8EC30 1 Physical Bit Distance and electrical (Low level parameters) RS232, DOCSIS N/A Application Transport Internet Link Communication Model 10A.Akpaffiong, 2016
  11. 11. Broadcast & Collision Domain 11 Broadcast Domain Collision Domain Hub One broadcast domain per device One collision domain per device One broadcast domain per device One collision domain per port One broadcast domain per port One collision domain per port Switch Router
  12. 12. Broadcast & Collision Domain Hub Switch Router Broadcast Device Device Port Collision Device Port Port 12
  13. 13. Packets PayloadOverhead Protocol Data Unit (PDU) Fixed Variable 46 – 1500 Bytes EthernetV2 Standard Payload Range 1501 – 9000 Bytes EthernetV2 Jumbo Payload Range Recommended MTU for NSX 1600 bytes 13
  14. 14. VLAN 14 /24 A B A A’ B B’ Trunk Trunk A’ B’ A BVLAN ID X VLAN ID Y X and Y are integers between 1 and 4094 switch
  15. 15. VLAN Frame Format – IEEE 802.1Q 15 Inner DST MAC Inner SRC MAC 802.1Q (opt) Ether Type/ Length Payload FCS Inner Ethernet Header TPID PCP DEI VID 1500 bytes18 bytes 12 bits1 bit3 bits16 bits 4 bytes TPID Tag Protocol Identifier TCI Tag Control Information PCP 802.1p Priority Levels (COS) DEI Drop eligible indicator (DEI) VID VLAN ID FCS Frame Check Sequence 6 6 bytes2 4 bytes
  16. 16. Virtual Local Area Network -VLAN 16 Adds 4 bytes to the Ethernet frame VLAN IEEE 802.1Q Broadcast isolation and segmentation IEEE 802.1D (STP) at L2 to manage paths Up to 212 (4096) virtual networks
  17. 17. VLAN andVXLAN VLAN –Virtual LAN Segmentation and broadcast isolation IEEE 802.1Q Enables up to (212) or 4096 virtual networks IEEE 802.1D - SpanningTree Protocol (STP) at L2 to manage paths Adds 4 bytes to the Ethernet frame VXLAN –Virtual eXtensible LAN A Layer 2 overlay scheme over a Layer 3 network IETF RFC 7348 Enables up to (224) or 16 million virtual networks TRILL, SPB at L2 and OSPF and BGP at L3 to manage paths Adds 50 byteVXLAN header to Ethernet frame 17
  18. 18. VXLAN… in a nutshell 18 A Framework for OverlayingVirtualized Layer 2 Networks over Layer 3 Networks Virtual eXtensible Local Area Network Fundamental concept of NSX Overlay One of several protocols that enable Network Overlay: STT, OTV, LISP, GENEVE, NVGREEnables dynamic, large-scale, isolated virtual Layer 2 networks in multi-tenant environments. Key traits ofVXLAN overlay technology are: encapsulation & end- point communication VXLAN encapsulates the original Ethernet frame into IP/UDP VTEPs are end-points where Ethernet frame is encapsulated & de- encapsulated
  19. 19. Encapsulation Encapsulation masks data so it can pass undetected under certain circumstances – Like the above, iSCSI data is encapsulated asTCP/IP in order for the SCSI data to be accepted on a TCP/IP network. NSX usingVXLAN to encapsulate Ethernet payload in a similar manner. Ethernet IP TCP iSCSI Data iSCSI PDU C R C 19
  20. 20. Trunk & Access Links 20 Switch SwitchTrunk Link Access Links Access links • Member of oneVLAN ID group • Referred to as the native VLAN • Attached device is unaware of aVLAN membership Trunk links • Conduit for multipleVLAN IDs • 100Mbps or higher link between switches, a switch and router, or a switch and server • Enable VLANs to span across a backbone
  21. 21. 21 Traditional Network Design Leaf/Spine “IP Fabric” Design Core Aggregation Access Spine Leaf
  22. 22. Module 3 Software-Defined Data Center (SDDC)
  23. 23. Software-Defined Data Center – Concepts • Moves intelligence from hardware into software • Decouples the underlying network, server and storage hardware • Location-independent • Leverages a data center virtualization layer Hardware Software Intelligence baked into Hardware Dedicated,Vendor Specific Hardware Manual Configuration & Management Intelligence in Software Independent,Vendor-Neutral Hardware Automated Configuration & Management
  24. 24. Software-Defined Data Center – Concepts Automation Pooling Abstraction 24 Server FirewallNetworkStorage extends virtualization concepts of abstraction, pooling, and automation to all data center resources and services decouples the underlying network, server and storage hardware, while leveraging its infrastructure location-independent; can be in a single data center, span multiple private data centers, or span hybrid data centers
  25. 25. Software-Defined Data Center – Concepts Application Service Management Application Management Layer vRA Application Services SDDC Management Cloud Management Platform vRA e.g. OpenStack SDDC Foundation Virtualization of Physical Assets VMware vSphere SDSSDN VSANNSX 25
  26. 26. Software-Defined Data Center – Positioning NSX – A software construct – Physical network as a flexible pool of transport capacity – Policy-driven attachment of network and security services – Decouples network configuration from physical infrastructure – Security and micro-segmentation – Key tenant to the software-defined data center (SDDC) 26
  27. 27. Software-Defined Networking –Vendors 27
  28. 28. Module 4 NSX Introduction
  29. 29. VMware NSX treats: “The physical network as a pool of transport capacity with network and security services attached toVM’s with a policy-driven approach.” NSX Introduction VMware NSX brings: “The operational model of a virtual machine to the data center network, transforming the economics of network and security operations.” VMware NSX delivers: “The network virtualization platform of the Software-Defined-DataCenter (SDDC)” 29
  30. 30. NSX Architecture 30 Any Network Device Overlay Transport Any Hypervisor NSX vSwitch NSX Controller NSX Manager NSX API Any Cloud Management Platform e.g.VXLAN, NVGRE, STT ESXi, KVM, XenServer vDS, kernel modules Manage state, P2V gateway Deployment e.g. vRA, OpenStack UI Underlay, 1600 MTU
  31. 31. NSXTypes NSXType vSphere (NSX-v) Multi-hypervisor (NSX-mh) Hypervisor ESXi ESXi, KVM, XenServer SwitchType dvSwitch Open vSwitch Encapsulation VXLAN GRE, STT,VXLAN Central Service NSX Edge Physical NSX GW Appliance Distributed Firewall East-West Distributed Firewall In-kernel East-West DF viaACL and Security Groups Distributed Routing In-kernel Distributed Routing Routing via Open vSwitch Additional Load-balancing,VPN, DHCP, NAT, Central Routing services EOS announced. Successor is NSX-T (Transformers) 31
  32. 32. Sample NSX (6.2.2+) Product Features per License NSX Licenses Sample Features Standard Advanced Enterprise Distributed Switching and Routing    Edge Firewall    Edge Load Balancing   Distributed Firewall   Cross vCenter NSX  VPN (IPSec and SSL)  32
  33. 33. Module 5 NSX Features
  34. 34. NSX Features Switching Routing Firewall Load Balancing VPN Gateway V i r t u a l N e t w o r k s Switching Routing Firewall Load Balancing VPN Gateway 34
  35. 35. NSX Features – Logical Switching • Creates logically abstracted L2 segments • Logical L2 switching across L3 boundaries • Decoupled from the physical network SRV01 SRV02 Logical L2 Network Segment Physical Logical L3 Powered byVXLAN 35
  36. 36. NSX Features – Routing • Routing Functions: – Distributed Logical Router (DLR) – kernel • Provides L3 routing without leaving the hypervisor • Routing scales with environment by adding hosts • Optimizes East-West traffic flows – NSX Edge Services Router (ESR) –VM APP01 DB01 Physical Logical L3 50025001 DLR External Router 36
  37. 37. NSX Features – Routing • Edge Services Routing is performed in the NSX Edge Services Gateway – Routing between tenants – Forwarding information between L2 broadcast domains – North-South communication patterns NSX Edge Internet 37
  38. 38. NSX Features – Distributed Firewall 38 Logical Switch VM VM vNIC at egress at ingress Security Policy enforced: Placement Mobility Performance
  39. 39. NSX Features – Edge Firewall ESG VM VM VM Logical Switch VM VM VM Logical Switch Internet Tenant1 Tenant2 Virtual Appliance North-SouthTraffic Complements DF 39
  40. 40. NSX Features – Micro-segmentation Before NSX Focus on perimeter defense Low priority systems left unprotected Security between systems is expensive Centralized firewalls result in large firewall rules 40 With NSX Micro-granular security model Security applied at virtual network interface Security distributed to every hypervisor Security cost normalized across all systems Automated provisioning of security policies Security policies always follows theVM Security policies are: • simplified • centralized • logically grouped
  41. 41. NSX Features – Load Balancer (Simplified logical representation) VIP = LB IP Edge IP ESG Distribution Method: • ROUND_ROBIN • LEAST_CONN • IP_HASH • URI TCP (8090) HTTP (80) HTTPS (443) SRV n SRV 2 SRV 1Service Request Backend Serer IP Modes of Operation: • One-Arm (DNAT & SNAT) • Inline (DNAT) 41
  42. 42. NSX Features –VPN L3WAN L3WAN Laptop SiteA Site C Site B Remote User L2VPN Edge Allow remote user connect to services Provides connectivity between sites Stretch L2 network between sites 42
  43. 43. NSX Features Logical Switch East-West Communication Kernel-based, extend network reach Logical Router North-South Communication Distributed and Appliance based, inter-provider Services Gateway Physical-to- Virtual Application Services – Firewall, Routing,VPN, LB 43
  44. 44. NSX Features – Security Group, Security Policy 44 SecurityGroup Grouping of workloads Dynamic Static WhatTo Protect
  45. 45. Network Introspection Services Endpoint Service Firewall rules HowTo Protect NSX Features – Security Group, Security Policy 45 SecurityGroup SecurityGroup Security Policy Service Description Applies to Firewall Rules Rules that define the traffic to be allowed to, from, or within the security group vNIC Endpoint Data Security or 3rd party services e.g. anti- virus or vulnerability management services Virtual Machines Network Introspection Services that monitor your network such as IPS and network forensics Virtual Machines WhatTo Protect SecurityPolicy
  46. 46. NSX Features – Security Probing Questions 1. If a threat makes it past your perimeter, are you able to quickly and automatically respond to prevent the threat from moving from server to server? • NSX Micro-segmentation applies security at the workload level without need for additional firewalls or changes to existing network/security platform • Security profile moves seamlessly with the workload • Security scales automatically with the environment 2. Do you need to improve your Security SLA? • Global rule sets can be complex and difficult to modify, making threat analysis and forensics, tedious and time-consuming • NSX Micro-Segmentation reduces the complexity, changes are automatically communicated and propagated, security provisioning is streamlined 46
  47. 47. Module 6 NSX Components
  48. 48. NSX Components - Architecture 48 NSX Manager 443/TCP – Admin UI, REST 80/TCP –VIB Access ProLiant DL180 Gen9 UID UID netcpa (UWA) vsfwd (UWA) VTEP 5671/TCP – RMQ 2878, 2888, 3888/TCP – State Sync 443, 902/TCP – vSphereWeb 22, 80, 443, 902/TCP – Mgmt/Provisioning 53, 123, 514/TCP/UDP (DNS, NTP, Syslog) NSX ESG ProLiant DL180 Gen9 UID UID vsfwd (UWA) VTEP 4789/UDP –VXLAN vCenter Server Client PC 123/TCP/UDP – NTP 8301, 8302/UDP – DVS Sync NSX Controller Cluster DFW DFW VMware KB 2079386Visualized 443/TCP – REST RMQ netcpa (UWA) VXLAN VXLAN Routng Routng
  49. 49. 49 Feature Feature Operating System Specialized Packet Forwarding Engine NSX: SDN Traditional Network Device
  50. 50. NSX: SDN 50 Feature Feature Operating System Specialized Packet Forwarding Engine Configuration:CLI/GUI Management Plane Data Plane ForwardingTable Routing Protocol(s) Control Plane Neighbor IPTableLink State Traditional Network Device
  51. 51. NSX: SDN 51 Feature Feature Operating System Specialized Packet Forwarding Engine Feature Feature Operating System Specialized Packet Forwarding EngineFeature Feature Operating System Specialized Packet Forwarding Engine Feature Feature Operating System Specialized Packet Forwarding Engine Feature Feature Operating System Specialized Packet Forwarding Engine
  52. 52. NSX: SDN 52 O p e r a t i n g S y s t e m Feature Feature Simple Packet Forwarding Engine Simple Packet Forwarding Engine Simple Packet Forwarding Engine Simple Packet Forwarding Engine Simple Packet Forwarding Engine
  53. 53. Overlay Network Uses software to create layers of network abstraction: – run multiple, discrete virtualized network layers on top of the physical network (underlay) 53 Uses encapsulation to create L2 logical networks on top of the existing physical IP network Physical “Underlay” Virtual “Overlay”
  54. 54. VXLAN Encapsulation 54 Outer Ethernet Header Outer IPv4 Header Outer UDP Header Original Ethernet Frame 50 ByteVXLAN Encapsulation Overhead VXLAN Header F C S Payload Inner Ethernet Header OverlayUnderlay
  55. 55. VXLAN Frame Format 55 VXLAN Header Outer UDP Header Outer IPv4 Header Outer Ethernet Header Outer DST MAC Outer SRC MAC VXLAN Type (opt) Outer 802.1Q (opt) Ether Type 14 bytes IP Header Data IP Proto col Header Check Sum Outer SRC IP Outer DST IP 20 bytes SRC Port DST Port UDP Length UDP Check Sum 8 bytes VXLAN Flags RSVD VXLAN Network ID RSVD 8 bytes Payload F C S Inner Ethernet Header Inner DST MAC Inner SRC MAC 802.1Q (opt) Ether Type 14 or 18 bytes 1500 bytes
  56. 56. VTEP -VXLANTunnel End Point 56 VXLAN Segments VNID 1 VNID 2 VNID 1 VNID 2 VM VM VM VM IP VTEP VXLAN Segments VTEP IP Interface IP Interface VXLAN Segments VTEP encapsulates an Ethernet frame in aVXLAN frame or de- encapsulates aVXLAN frame and forwards the inner Ethernet frame.
  57. 57. 57 VNI VTEPESXi 1 VTEPESXi 2 UTEPESXi 3 VM B VTEPESXi 4 Unicast Replication Mode 1 2 3 4 VM A VM C VM D Multicast Unicast HybridBUM – Broadcast, Unknown unicast, and Multicast
  58. 58. Transport Zone Transport Zone • defines clusters of hosts that can participate in the virtual network • configurable boundary for a givenVXLAN Segment • defines the reach of the L2 domain Cluster 1 VDS 1 VDS 2 Transport Zone 1 Cluster 3Cluster 2 58
  59. 59. Module 7 NSX Deployment
  60. 60. NSX Deployment – Hardware Minimum Requirement Appliance Memory vCPU Disk Space NSX Manager (1x) 16 GB 4 60 GB NSX Controller (3x) 4 GB 4 20 GB NSX Edge (1x) Compact: 512 MB 1 1 disk 500MB Large: 1 GB 2 1 disk 500MB + 1 disk 512MB Quad-Large: 1 GB 4 1 disk 500MB + 1 disk 512MB X-Large: 8 GB 6 1 disk 500MB + 1 disk 2GB Guest Introspection 1 GB 2 4 GB NSX Data Security 512 MB 1 6 GB per ESXi host 60
  61. 61. NSX Roles 61 AuditorSecurity Administrator NSX Administrator Enterprise Administrator RO access to all areas R/W access to NSX operations : • installing virtual appliances • configuring port groups RO access to other areas R/W access to all areas of NSX R/W access to NSX security: • defining data security policies • creating port groups • creating reports for NSX modules RO access to other areas
  62. 62. Module 8 NSX Resources
  63. 63. Live Demo Demonstration of NSX 63
  64. 64. NSX Resources -VMware Hands-on Labs 64
  65. 65. NSX Resources – HPE Education 65
  66. 66. NSX Resources – Certification VMware NSX Training and Certification 66
  67. 67. A.Akpaffiong, 2016 ”Since before your sun burned hot in space and before your race was born, I have awaited a question.” --The City on the Edge of Forever, StarTrek 67 Questions?
  68. 68. A.Akpaffiong, 2016 You are now free to go! 68
  69. 69. A.Akpaffiong, 2016 Backup Slides 69
  70. 70. NSX NetworkVirtualization Services – Security 70 Third-Party • Antivirus • DLP • Firewall • Intrusion Prevention • Vulnerability Management • Identity and Access Management • Security Policy Management Built-In • Distributed Firewall • Edge Firewall • Data Security • Server Activity Monitoring • VPN (SSL, IPsec)
  71. 71. Software-Defined Networks (SDN) • SDN has two defining characteristics: o SDN separates the control plane from the data plane o SDN consolidates the control plane, so that a single software control program controls multiple data-plane elements • The concept underpinning SDN is simple: o If the data and control plane are de-coupled the static network can be made intelligent, responsive, programmable and centrally controlled. 71
  72. 72. NSX Network Planes – An Analogy 72 Management Plane Control Plane Data Plane Manager & vCenter NSX Controller NSX vSwitch define enforce execute
  73. 73. NSX Components – Network Planes 71
  74. 74. NSX Components – Network Planes Configuration:CLI/GUI ForwardingTable Routing Protocol(s) Neighbor IPTableLink State 72
  75. 75. NSX Components – Network Planes Configuration:CLI/GUI Forwarding Table Routing Protocol(s) Neighbor IPTableLink State NSX vSwitch NSX Edge NSX Controller Edge Logical Router NSX Manager vCenter Server 73
  76. 76. NSX Components – Network Planes • Network Planes – Management plane defines the network policy – Control plane enforces the network policy – Data Plane executes the network policy Management Plane Control Plane Data Plane How What Do NSX Manager vCenter Controller vSwitch 74
  77. 77. NSX Features – Firewall • Physical vs.Virtual vs. Distributed vs. Edge Firewall Limited limited information expansion is expensive global performance characteristics steered choke point 75
  78. 78. NSX Features – Firewall • Physical vs.Virtual vs. Distributed vs. Edge Firewall Sprawl choke point steered basic packet information Limited 76
  79. 79. NSX Features – Firewall • Physical vs.Virtual vs. Distributed vs. Edge Firewall Sprawl Enforcement Assumed embedded data path scales every packet inspected comprehensive security policy Limited 77
  80. 80. NSX Features – Firewall • Physical vs.Virtual vs. Distributed vs. Edge Firewall Sprawl Enforcement Assumed Perimeter Services North-South Limited 78
  81. 81. NSX Features – L2 Bridging 81 VXLAN WebVM AppVM DB SVR2SVR1 VLAN L2 Bridge Connectivity Embedded Scalable HWVTEP Controller Cluster OVSDB
  82. 82. PG 82 VM PGPG VM PG vDS VTEPESXi/ESG PG VM PGPG VM PG vDS VTEPESXi/ESG Active DLR (HA) Standby DLR (HA) Switch Switch Trunk Access orTrunk VNI VID Trunk VMK MAC B MAC A MAC C MAC E MAC D VNI VID VNI VID VNI VID VNI NSX Features – L2 Bridging
  83. 83. 83 VNI VTEPESXi 1 VM A VTEPESXi 2 MTEPESXi 3 VM CVM B VTEPESXi 4 VM D NSX Features – Multicast Replication Mode 1 2 3 L3 - PIML2 - IGMP L2 - IGMP
  84. 84. 84 VNI VTEPESXi 1 VM A VTEPESXi 2 UTEPESXi 3 VM CVM B VTEPESXi 4 VM D NSX Features – Unicast Replication Mode 1 2 3 4
  85. 85. 85 VNI VTEPESXi 1 VM A VTEPESXi 2 MTEPESXi 3 VM CVM B VTEPESXi 4 VM D NSX Features – Hybrid Replication Mode L2 - IGMP L2 - IGMP 1 2 3 4
  86. 86. NSX Components – ControllerTables 86 NSX Controller Node MAC Table MapVM MACs to VTEP ARP Table MapVM IPs to MAC VTEP Table MapVNI to VTEP