VMware NSX provides a platform for deployment of software-defined network (SDN) and network function virtualization (NFV) services across physical network devices in a way that is analogous to server virtualization.
2. Seminar Introduction
• This seminar on NSX will include a discussion of its:
  – Benefits (including an intro to NSX Networking and SDDC)
  – Components & Features
  – Use cases
• We’ll then jump into an NSX demo and finish with a discussion of additional learning resources and certification
• The goal is to introduce you to NSX; you can then decide if NSX is a journey you’d like to undertake
• This seminar will NOT:
  – replace training and hands-on experience
  – provide design/consulting advice
• Prerequisites
  – Basic exposure to virtualization
  – Curiosity about software-defined networks
4. In Brief – NSX
– Combines functionality from:
  – Nicira’s Network Virtualization Platform (NVP)
  – VMware vCloud Networking and Security
– NSX is VMware's Software Defined Network (SDN) solution
  – decouples networking and security from the physical hardware
  – provides network and security features, such as distributed routing and micro-segmentation
  – treats the physical network as a pool of transport capacity
  – reduces the time to provision multi-tier network and security services
  – brings security inside the data center with automated fine-grained policies tied to the virtual machines
– NSX brings the operational model of a virtual machine to the data center network
[Figure: NSX virtualizes the network fabric (L2–3) and virtualizes network and security services (L4–7)]
5. Benefits – NSX
• Dynamic provisioning of virtual networks and security services
• Workload mobility across clusters and L3 infrastructure
• Isolation of tenants without the limitations of VLANs
• Centralized management of distributed services
• New tools for automation, policy and VM visibility
[Figure: logical router, logical switch, and network/security services]
7. Challenges of Virtualization
| Area | Challenge | Solution |
| --- | --- | --- |
| Performance | Overhead of virtualization | Deploy services closer to the data |
| Visibility | Status of physical devices | Build on performant infrastructure |
| Maturity | The industry is evolving | Rigorous PoC |
| Internal Controls | Disrupts existing relationships | Convergence, DevOps |
10. OSI Reference Model
| Layer | Layer Name | Protocol Data Unit (PDU) | Main Function | Example Protocol | Address Type |
| --- | --- | --- | --- | --- | --- |
| 7 | Application | Data | Interaction with user; provides services to applications | FTP | Hostname (example.com) |
| 6 | Presentation | Data | Data representation (converts/encrypts) | XDR, XML | Hostname (example.com) |
| 5 | Session | Data | Connection dialog (start/stop/order) | RPC, SOCKS | Socket (172.16.3.24:80) |
| 4 | Transport | Segment (TCP), Datagram (UDP) | End-to-end delivery (entire message) | TCP, DCCP | Port number (80) |
| 3 | Network | Packet | Routing and addressing | IP, IGMP | IP address (172.16.3.24) |
| 2 | Data Link | Frame | Node-to-node (access to media) | Ethernet, MPLS | MAC (1C98ECA8EC30) |
| 1 | Physical | Bit | Distance and electrical (low-level parameters) | RS232, DOCSIS | N/A |
The four-layer communication (TCP/IP) model shown beside the table maps onto these as Application (layers 5–7), Transport (layer 4), Internet (layer 3) and Link (layers 1–2).
A. Akpaffiong, 2016
11. Broadcast & Collision Domain
| Device | Broadcast domain | Collision domain |
| --- | --- | --- |
| Hub | One per device | One per device |
| Switch | One per device | One per port |
| Router | One per port | One per port |
13. Packets
• A Protocol Data Unit (PDU) consists of fixed-size overhead (headers) and a variable-size payload
• Ethernet V2 standard payload range: 46 – 1500 bytes
• Ethernet V2 jumbo payload range: 1501 – 9000 bytes
• Recommended MTU for NSX: 1600 bytes
15. VLAN Frame Format – IEEE 802.1Q
| Field | Size |
| --- | --- |
| Inner Ethernet header: DST MAC | 6 bytes |
| Inner Ethernet header: SRC MAC | 6 bytes |
| 802.1Q tag (optional): TPID, PCP, DEI, VID | 4 bytes (TPID 16 bits, PCP 3 bits, DEI 1 bit, VID 12 bits) |
| EtherType/Length | 2 bytes |
| Payload | 1500 bytes |
| FCS | 4 bytes |
The inner Ethernet header is 18 bytes with the tag (14 bytes without it).
TPID – Tag Protocol Identifier
TCI – Tag Control Information (PCP + DEI + VID)
PCP – 802.1p Priority Levels (CoS)
DEI – Drop Eligible Indicator
VID – VLAN ID
FCS – Frame Check Sequence
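The tag layout above, worked as code. This is an added example and not part of the original deck: it packs the 16-bit TPID and 16-bit TCI (PCP:3, DEI:1, VID:12) into the 4 bytes a VLAN adds to the frame, and parses them back out. The MAC addresses and the 1500-byte payload are constructed sample values; the frame is built without the FCS.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100       # Tag Protocol Identifier announcing an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


def build_tag(pcp: int, dei: int, vid: int) -> bytes:
    """Pack the 4-byte 802.1Q tag: 16-bit TPID followed by the 16-bit TCI (PCP:3, DEI:1, VID:12)."""
    if not (0 <= pcp <= 7 and dei in (0, 1) and 0 <= vid <= 4095):
        raise ValueError("PCP is 3 bits, DEI is 1 bit and VID is 12 bits")
    tci = (pcp << 13) | (dei << 12) | vid
    return struct.pack("!HH", TPID_8021Q, tci)


def build_frame(dst_mac: bytes, src_mac: bytes, payload: bytes, vid: Optional[int] = None,
                pcp: int = 0, dei: int = 0, ethertype: int = ETHERTYPE_IPV4) -> bytes:
    """Build an Ethernet II frame without FCS; the tag is only inserted when a VID is given."""
    header = dst_mac + src_mac
    if vid is not None:
        header += build_tag(pcp, dei, vid)          # the 4 extra bytes a VLAN adds
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into its header fields; 'vid' is None for an untagged frame."""
    fields = {"dst": frame[0:6], "src": frame[6:12], "pcp": None, "dei": None, "vid": None}
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == TPID_8021Q:                     # tagged: the TCI sits where the EtherType was
        tci = struct.unpack("!H", frame[14:16])[0]
        fields["pcp"] = tci >> 13
        fields["dei"] = (tci >> 12) & 0x1
        fields["vid"] = tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    fields["ethertype"] = ethertype
    fields["header_len"] = offset
    fields["payload"] = frame[offset:]
    return fields


if __name__ == "__main__":
    # Constructed sample MACs; the payload is 1500 zero bytes, the standard maximum.
    tagged = build_frame(bytes.fromhex("1c98eca8ec30"), bytes.fromhex("005056000001"),
                         b"\x00" * 1500, vid=100, pcp=5)
    print(len(tagged), parse_frame(tagged)["vid"])  # 1518 100
```

The 12-bit VID is where the 4096-network ceiling of the following slides comes from; a parser that accepts the tag should still reject VIDs outside the field, which `build_tag` does on the sending side.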
16. Virtual Local Area Network – VLAN
• IEEE 802.1Q
• Adds 4 bytes to the Ethernet frame
• Broadcast isolation and segmentation
• IEEE 802.1D (STP) at L2 to manage paths
• Up to 2^12 (4096) virtual networks
17. VLAN and VXLAN
VLAN – Virtual LAN
• Segmentation and broadcast isolation
• IEEE 802.1Q
• Enables up to 2^12 or 4096 virtual networks
• IEEE 802.1D – Spanning Tree Protocol (STP) at L2 to manage paths
• Adds 4 bytes to the Ethernet frame
VXLAN – Virtual eXtensible LAN
• A Layer 2 overlay scheme over a Layer 3 network
• IETF RFC 7348
• Enables up to 2^24 or 16 million virtual networks
• TRILL, SPB at L2 and OSPF and BGP at L3 to manage paths
• Adds a 50-byte VXLAN header to the Ethernet frame
18. VXLAN… in a nutshell
• Virtual eXtensible Local Area Network: a framework for overlaying virtualized Layer 2 networks over Layer 3 networks
• Fundamental concept of the NSX overlay
• One of several protocols that enable network overlay: STT, OTV, LISP, GENEVE, NVGRE
• Enables dynamic, large-scale, isolated virtual Layer 2 networks in multi-tenant environments
• Key traits of VXLAN overlay technology are encapsulation and end-point communication:
  – VXLAN encapsulates the original Ethernet frame into IP/UDP
  – VTEPs are end-points where the Ethernet frame is encapsulated and de-encapsulated
19. Encapsulation
Encapsulation wraps data inside another protocol so that it can pass over a transport that would otherwise not accept it
– For example, iSCSI data is encapsulated in TCP/IP in order for the SCSI data to be accepted on a TCP/IP network. NSX uses VXLAN to encapsulate the Ethernet payload in a similar manner.
[Figure: iSCSI PDU layout – Ethernet | IP | TCP | iSCSI Data | CRC]
20. Trunk & Access Links
[Figure: two switches joined by a trunk link; access links to the attached devices]
Access links
• Member of one VLAN ID group
• Referred to as the native VLAN
• Attached device is unaware of a VLAN membership
Trunk links
• Conduit for multiple VLAN IDs
• 100 Mbps or higher link between switches, a switch and router, or a switch and server
• Enable VLANs to span across a backbone
23. Software-Defined Data Center – Concepts
• Moves intelligence from hardware into software
• Decouples the underlying network, server and storage hardware
• Location-independent
• Leverages a data center virtualization layer
| Hardware | Software |
| --- | --- |
| Intelligence baked into hardware | Intelligence in software |
| Dedicated, vendor-specific hardware | Independent, vendor-neutral hardware |
| Manual configuration & management | Automated configuration & management |
24. Software-Defined Data Center – Concepts
[Figure: abstraction, pooling and automation applied to server, network, storage and firewall]
• Extends the virtualization concepts of abstraction, pooling, and automation to all data center resources and services
• Decouples the underlying network, server and storage hardware, while leveraging its infrastructure
• Location-independent; can be in a single data center, span multiple private data centers, or span hybrid data centers
25. Software-Defined Data Center – Concepts
[Figure: SDDC layers, top to bottom]
• Application Service Management – Application Management Layer: vRA Application Services
• SDDC Management – Cloud Management Platform: vRA, e.g. OpenStack
• SDDC Foundation – Virtualization of Physical Assets: VMware vSphere; SDS: VSAN; SDN: NSX
26. Software-Defined Data Center – Positioning NSX
– A software construct
– Physical network as a flexible pool of transport capacity
– Policy-driven attachment of network and security services
– Decouples network configuration from physical infrastructure
– Security and micro-segmentation
– Key tenet of the software-defined data center (SDDC)
29. NSX Introduction
VMware NSX treats:
“The physical network as a pool of transport capacity with network and security services attached to VMs with a policy-driven approach.”
VMware NSX brings:
“The operational model of a virtual machine to the data center network, transforming the economics of network and security operations.”
VMware NSX delivers:
“The network virtualization platform of the Software-Defined Data Center (SDDC)”
30. NSX Architecture
[Figure: layered architecture, top to bottom]
| Layer | Notes |
| --- | --- |
| Any Cloud Management Platform | e.g. vRA, OpenStack |
| NSX API | |
| NSX Manager | UI, deployment |
| NSX Controller | Manage state, P2V gateway |
| NSX vSwitch | vDS, kernel modules |
| Any Hypervisor | ESXi, KVM, XenServer |
| Overlay Transport | e.g. VXLAN, NVGRE, STT |
| Any Network Device | Underlay, 1600 MTU |
31. NSX Types
| NSX Type | vSphere (NSX-v) | Multi-hypervisor (NSX-mh) |
| --- | --- | --- |
| Hypervisor | ESXi | ESXi, KVM, XenServer |
| Switch Type | dvSwitch | Open vSwitch |
| Encapsulation | VXLAN | GRE, STT, VXLAN |
| Central Service | NSX Edge | Physical NSX GW Appliance |
| Distributed Firewall | East-West Distributed Firewall, in-kernel | East-West DF via ACL and Security Groups |
| Distributed Routing | In-kernel Distributed Routing | Routing via Open vSwitch |
| Additional | Load-balancing, VPN, DHCP, NAT, Central Routing services | EOS announced; successor is NSX-T (Transformers) |
32. Sample NSX (6.2.2+) Product Features per License
NSX licenses: Standard, Advanced, Enterprise
Sample features (which license includes each feature is shown on the comparison page below):
• Distributed Switching and Routing
• Edge Firewall
• Edge Load Balancing
• Distributed Firewall
• Cross vCenter NSX
• VPN (IPSec and SSL)
http://www.vmware.com/products/nsx/compare.html
34. NSX Features
Virtual networks provide: Switching, Routing, Firewall, Load Balancing, VPN, Gateway
35. NSX Features – Logical Switching
• Creates logically abstracted L2 segments
• Logical L2 switching across L3 boundaries
• Decoupled from the physical network
• Powered by VXLAN
[Figure: SRV01 (172.16.20.1) and SRV02 (172.16.20.2) on one logical L2 network segment, carried over the physical L3 network]
37. NSX Features – Routing
• Edge Services Routing is performed in the NSX Edge Services Gateway
  – Routing between tenants
  – Forwarding information between L2 broadcast domains
  – North-South communication patterns
[Figure: NSX Edge between the logical networks and the Internet]
38. NSX Features – Distributed Firewall
[Figure: VMs on a logical switch; the security policy is enforced at each VM's vNIC, at ingress and at egress]
• Security policy enforced at the vNIC, at ingress and at egress
• Benefits: placement, mobility, performance
39. NSX Features – Edge Firewall
[Figure: Edge Services Gateway (ESG) between the Internet and the logical switches of Tenant 1 and Tenant 2]
• Virtual appliance
• North-South traffic
• Complements the Distributed Firewall (DF)
40. NSX Features – Micro-segmentation
Before NSX
• Focus on perimeter defense
• Low-priority systems left unprotected
• Security between systems is expensive
• Centralized firewalls result in large firewall rule sets
With NSX
• Micro-granular security model
• Security applied at the virtual network interface
• Security distributed to every hypervisor
• Security cost normalized across all systems
• Automated provisioning of security policies
• Security policies always follow the VM
• Security policies are simplified, centralized and logically grouped
41. NSX Features – Load Balancer (Simplified logical representation)
[Figure: a service request to the VIP (the LB IP on the Edge) is distributed by the ESG to backend servers SRV 1, SRV 2 … SRV n by backend server IP; example virtual servers TCP (8090), HTTP (80), HTTPS (443)]
Distribution Method:
• ROUND_ROBIN
• LEAST_CONN
• IP_HASH
• URI
Modes of Operation:
• One-Arm (DNAT & SNAT)
• Inline (DNAT)
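The four distribution methods and the two modes of operation above, as an added example written for this page (it is not NSX code and does not use the NSX API). The pool, server IPs and client addresses are constructed samples; the hash-based methods use CRC32 so the choice is stable across runs, which is what makes IP_HASH and URI "sticky".

```python
import itertools
import zlib
from typing import Dict, List
from urllib.parse import urlsplit


class BackendServer:
    def __init__(self, ip: str, port: int):
        self.ip, self.port = ip, port
        self.active_connections = 0          # the caller updates this as connections open and close


class Pool:
    """A VIP's backend pool; one of the four distribution methods picks the member."""

    def __init__(self, members: List[BackendServer], method: str = "ROUND_ROBIN"):
        self.members = list(members)
        self.method = method
        self._rr = itertools.cycle(self.members)

    def select(self, client_ip: str = "", uri: str = "/") -> BackendServer:
        if self.method == "ROUND_ROBIN":         # each request goes to the next member in turn
            return next(self._rr)
        if self.method == "LEAST_CONN":          # the member with the fewest open connections
            return min(self.members, key=lambda m: m.active_connections)
        if self.method == "IP_HASH":             # the same client always lands on the same member
            return self.members[zlib.crc32(client_ip.encode()) % len(self.members)]
        if self.method == "URI":                 # the same path always lands on the same member
            path = urlsplit(uri).path            # hash the path only, so query strings keep stickiness
            return self.members[zlib.crc32(path.encode()) % len(self.members)]
        raise ValueError(f"unknown distribution method {self.method}")


def translate(packet: Dict[str, str], mode: str, lb_ip: str, backend: BackendServer) -> Dict[str, str]:
    """Address rewriting per mode of operation. One-arm does DNAT and SNAT so the backend's reply
    returns through the load balancer; inline does DNAT only, because the LB already sits in the path."""
    out = dict(packet)
    out["dst"] = backend.ip                      # DNAT: VIP -> backend IP, in both modes
    if mode == "ONE_ARM":
        out["src"] = lb_ip                       # SNAT: client IP -> LB IP, one-arm only
    elif mode != "INLINE":
        raise ValueError(f"unknown mode {mode}")
    return out


if __name__ == "__main__":
    # Constructed sample pool behind a VIP; 192.0.2.10 is a documentation-range client address.
    pool = Pool([BackendServer("10.0.0.11", 80), BackendServer("10.0.0.12", 80), BackendServer("10.0.0.13", 80)])
    print([pool.select().ip for _ in range(4)])
    pool.method = "IP_HASH"
    print(pool.select(client_ip="192.0.2.10").ip == pool.select(client_ip="192.0.2.10").ip)
```

The `translate` helper is the part worth keeping in mind when reading backend logs: in one-arm mode every connection appears to come from the load balancer's own IP, so the client address must be recovered from somewhere else (for HTTP, typically an inserted header), whereas in inline mode the backend sees the real client IP.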
42. NSX Features – VPN
[Figure: the NSX Edge at Site A connected over the L3 WAN to Site B and Site C, and to a remote user's laptop]
• Remote user VPN: allows a remote user to connect to services
• Site-to-site VPN: provides connectivity between sites
• L2VPN: stretches an L2 network between sites
44. NSX Features – Security Group, Security Policy
• Security Group – what to protect: a grouping of workloads, with dynamic or static membership
• Security Policy – how to protect: the firewall rules, endpoint services and network introspection services applied to a security group
45. NSX Features – Security Group, Security Policy
| Service | Description | Applies to |
| --- | --- | --- |
| Firewall Rules | Rules that define the traffic to be allowed to, from, or within the security group | vNIC |
| Endpoint | Data Security or 3rd-party services, e.g. anti-virus or vulnerability management services | Virtual Machines |
| Network Introspection | Services that monitor your network, such as IPS and network forensics | Virtual Machines |
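A worked model of the security-group and security-policy idea on slides 44–45, and of the "security policies always follow the VM" claim from the micro-segmentation slide. This is an added example, not NSX's own object model or API: groups gather workloads either statically (by name) or dynamically (here, by a VM tag), a policy is an ordered table of firewall rules between groups evaluated at the vNIC, and group membership depends only on the VM, never on the host it runs on, so moving the VM changes nothing about what its vNIC allows. VM names, tags, hosts and ports are constructed samples.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class VM:
    name: str
    host: str                               # ESXi host the VM currently runs on
    tags: Set[str] = field(default_factory=set)


@dataclass
class SecurityGroup:
    """What to protect: a grouping of workloads, by static member list or by a dynamic criterion."""
    name: str
    static_members: Set[str] = field(default_factory=set)
    dynamic_criterion: Callable[[VM], bool] = lambda vm: False

    def contains(self, vm: VM) -> bool:
        return vm.name in self.static_members or self.dynamic_criterion(vm)


@dataclass
class FirewallRule:
    """One policy rule: allow or deny traffic on a port from one security group to another."""
    src_group: str
    dst_group: str
    port: int
    action: str                             # "ALLOW" or "DENY"


class SecurityPolicy:
    """How to protect: an ordered rule table evaluated at the vNIC; anything unmatched is denied."""

    def __init__(self, groups: List[SecurityGroup], rules: List[FirewallRule]):
        self.groups = {g.name: g for g in groups}
        self.rules = rules

    def groups_of(self, vm: VM) -> Set[str]:
        """Membership is computed from the VM itself, never from where it runs."""
        return {name for name, g in self.groups.items() if g.contains(vm)}

    def decide(self, src: VM, dst: VM, port: int) -> str:
        src_groups, dst_groups = self.groups_of(src), self.groups_of(dst)
        for rule in self.rules:             # first match wins
            if rule.port == port and rule.src_group in src_groups and rule.dst_group in dst_groups:
                return rule.action
        return "DENY"


def build_three_tier_policy() -> SecurityPolicy:
    """Constructed sample: web and app tiers are dynamic (by tag), the database tier is static."""
    web = SecurityGroup("web", dynamic_criterion=lambda vm: "tier:web" in vm.tags)
    app = SecurityGroup("app", dynamic_criterion=lambda vm: "tier:app" in vm.tags)
    db = SecurityGroup("db", static_members={"db01"})
    rules = [
        FirewallRule("web", "web", 80, "ALLOW"),     # traffic within the web group
        FirewallRule("web", "app", 8443, "ALLOW"),   # web -> app
        FirewallRule("app", "db", 3306, "ALLOW"),    # app -> db; web never reaches db directly
    ]
    return SecurityPolicy([web, app, db], rules)


if __name__ == "__main__":
    policy = build_three_tier_policy()
    web01 = VM("web01", "esxi-1", {"tier:web"})
    app01 = VM("app01", "esxi-2", {"tier:app"})
    print(policy.decide(web01, app01, 8443))   # ALLOW
    web01.host = "esxi-4"                      # vMotion: the decision is unchanged
    print(policy.decide(web01, app01, 8443))   # ALLOW
```

The default-deny at the end of `decide` is what turns a rule table into micro-segmentation: a freshly tagged VM gets exactly the flows its group is granted and nothing else, and a VM that loses its tag silently drops out of every ALLOW rule.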
46. NSX Features – Security Probing Questions
1. If a threat makes it past your perimeter, are you able to quickly and automatically respond to prevent the threat from moving from server to server?
  • NSX Micro-segmentation applies security at the workload level without need for additional firewalls or changes to the existing network/security platform
  • Security profile moves seamlessly with the workload
  • Security scales automatically with the environment
2. Do you need to improve your Security SLA?
  • Global rule sets can be complex and difficult to modify, making threat analysis and forensics tedious and time-consuming
  • NSX Micro-segmentation reduces the complexity; changes are automatically communicated and propagated, and security provisioning is streamlined
50. NSX: SDN
[Figure: a traditional network device with all three planes inside one box. Management plane: configuration via CLI/GUI. Control plane: routing protocol(s), neighbor table, IP table, link state. Data plane: forwarding table running on a specialized packet forwarding engine, under the device's own operating system and feature set.]
51. NSX: SDN
[Figure: a network built from many such devices, each carrying its own operating system, features and specialized packet forwarding engine.]
52. NSX: SDN
[Figure: the SDN arrangement: one operating system and feature set spanning the network, with a simple packet forwarding engine in each device.]
53. Overlay Network
Uses software to create layers of network abstraction:
– run multiple, discrete virtualized network layers on top of the physical network (underlay)
Uses encapsulation to create L2 logical networks on top of the existing physical IP network
[Figure: virtual “overlay” on top of the physical “underlay”]
55. VXLAN Frame Format
| Header | Fields | Size |
| --- | --- | --- |
| Outer Ethernet Header | Outer DST MAC, Outer SRC MAC, outer 802.1Q tag (optional: VLAN type + tag), EtherType | 14 bytes (without tag) |
| Outer IPv4 Header | IP header data, IP protocol, header checksum, Outer SRC IP, Outer DST IP | 20 bytes |
| Outer UDP Header | SRC port, DST port, UDP length, UDP checksum | 8 bytes |
| VXLAN Header | VXLAN flags, reserved, VXLAN Network ID (VNI), reserved | 8 bytes |
| Inner Ethernet Header | Inner DST MAC, Inner SRC MAC, 802.1Q (optional), EtherType | 14 or 18 bytes |
| Payload | original payload | 1500 bytes |
| FCS | frame check sequence | 4 bytes |
The four outer headers add 14 + 20 + 8 + 8 = 50 bytes to the original frame.
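The frame format above, the 50-byte overhead from slide 17, and the 1600-byte MTU recommendation from slides 13 and 30, carried through in code. This is an added example written for this page, not NSX or VTEP code: it wraps an inner Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers the way the table lays them out, unwraps it again, and checks whether the resulting IP packet fits the underlay MTU. The MAC and IP addresses are constructed samples; the UDP checksum is left at zero and the VXLAN UDP port 4789 is the one assigned by RFC 7348.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789           # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08     # the 'I' flag: the VNI field carries a valid value
NSX_RECOMMENDED_MTU = 1600      # underlay MTU recommended on the NSX slides


def ip_checksum(header: bytes) -> int:
    """Standard one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_encapsulate(inner_frame: bytes, vni: int, src_ip: str, dst_ip: str,
                      src_mac: bytes, dst_mac: bytes, src_port: int = 49152) -> bytes:
    """Wrap an inner Ethernet frame (without FCS) in outer Ethernet/IPv4/UDP/VXLAN headers."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI is a 24-bit field")
    # VXLAN header (8 bytes): flags, 3 reserved bytes, 24-bit VNI, 1 reserved byte
    vxlan_hdr = struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)
    udp_len = 8 + len(vxlan_hdr) + len(inner_frame)
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)     # 8 bytes, checksum 0
    ip_len = 20 + udp_len
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, ip_len, 0, 0x4000, 64, 17, 0,   # DF set, proto UDP
                         socket.inet_aton(src_ip), socket.inet_aton(dst_ip))     # 20 bytes
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    eth_hdr = dst_mac + src_mac + struct.pack("!H", 0x0800)                      # 14 bytes, untagged
    return eth_hdr + ip_hdr + udp_hdr + vxlan_hdr + inner_frame


def vxlan_decapsulate(outer_frame: bytes) -> tuple:
    """Return (vni, inner_frame) after checking that the outer headers really describe VXLAN."""
    if struct.unpack("!H", outer_frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (outer_frame[14] & 0x0F) * 4
    if outer_frame[14 + 9] != 17:
        raise ValueError("outer IP protocol is not UDP")
    udp_off = 14 + ihl
    dst_port = struct.unpack("!H", outer_frame[udp_off + 2:udp_off + 4])[0]
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not VXLAN")
    vx_off = udp_off + 8
    flags, _, vni_raw = struct.unpack("!B3sI", outer_frame[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_raw >> 8, outer_frame[vx_off + 8:]


def outer_ip_packet_size(inner_frame: bytes) -> int:
    """What the underlay must carry as one IP packet: 20 (IP) + 8 (UDP) + 8 (VXLAN) + inner frame."""
    return 20 + 8 + 8 + len(inner_frame)


def fits_underlay_mtu(inner_frame: bytes, mtu: int = NSX_RECOMMENDED_MTU) -> bool:
    return outer_ip_packet_size(inner_frame) <= mtu


if __name__ == "__main__":
    # Constructed inner frame: 14-byte header plus a 1500-byte payload, the standard maximum.
    inner = bytes.fromhex("1c98eca8ec30") + bytes.fromhex("005056000001") + b"\x08\x00" + b"\xaa" * 1500
    outer = vxlan_encapsulate(inner, 5001, "10.20.30.1", "10.20.30.2",
                              bytes.fromhex("005056aa0001"), bytes.fromhex("005056aa0002"))
    print(len(outer) - len(inner), outer_ip_packet_size(inner), fits_underlay_mtu(inner))  # 50 1550 True
```

The arithmetic is why 1600 is the figure on the slides: a full-size inner frame becomes a 1550-byte IP packet (1554 with an inner 802.1Q tag), which does not fit a default 1500-byte underlay but does fit 1600 with room to spare; anything larger on the overlay has to be reflected in the underlay MTU as well.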
56. VTEP – VXLAN Tunnel End Point
[Figure: two VTEPs, each with an IP interface, carrying VXLAN segments VNID 1 and VNID 2 for the VMs behind them across the IP network]
A VTEP encapsulates an Ethernet frame in a VXLAN frame, or de-encapsulates a VXLAN frame and forwards the inner Ethernet frame.
57. BUM Traffic Replication
BUM – Broadcast, Unknown unicast, and Multicast
Replication modes: Multicast, Unicast, Hybrid
[Figure: unicast replication mode for one VNI across VTEP ESXi 1, VTEP ESXi 2, UTEP ESXi 3 (Unicast Tunnel End Point) and VTEP ESXi 4, hosting VM A, VM B, VM C and VM D (steps 1–4)]
58. Transport Zone
Transport Zone
• defines clusters of hosts that can participate in the virtual network
• configurable boundary for a given VXLAN Segment
• defines the reach of the L2 domain
[Figure: Transport Zone 1 spanning Cluster 1, Cluster 2 and Cluster 3 across VDS 1 and VDS 2]
60. NSX Deployment – Hardware Minimum Requirement
| Appliance | Memory | vCPU | Disk Space |
| --- | --- | --- | --- |
| NSX Manager (1x) | 16 GB | 4 | 60 GB |
| NSX Controller (3x) | 4 GB | 4 | 20 GB |
| NSX Edge (1x), Compact | 512 MB | 1 | 1 disk 500 MB |
| NSX Edge (1x), Large | 1 GB | 2 | 1 disk 500 MB + 1 disk 512 MB |
| NSX Edge (1x), Quad-Large | 1 GB | 4 | 1 disk 500 MB + 1 disk 512 MB |
| NSX Edge (1x), X-Large | 8 GB | 6 | 1 disk 500 MB + 1 disk 2 GB |
| Guest Introspection | 1 GB | 2 | 4 GB |
| NSX Data Security | 512 MB | 1 | 6 GB per ESXi host |
61. NSX Roles
| Role | Access |
| --- | --- |
| Enterprise Administrator | R/W access to all areas of NSX |
| NSX Administrator | R/W access to NSX operations: installing virtual appliances, configuring port groups; RO access to other areas |
| Security Administrator | R/W access to NSX security: defining data security policies, creating port groups, creating reports for NSX modules; RO access to other areas |
| Auditor | RO access to all areas |
66. NSX Resources – Certification
VMware NSX Training and Certification
67. A. Akpaffiong, 2016
”Since before your sun burned hot in space and before your race was born, I have awaited a question.”
-- The City on the Edge of Forever, Star Trek
Questions?
71. Software-Defined Networks (SDN)
• SDN has two defining characteristics:
  o SDN separates the control plane from the data plane
  o SDN consolidates the control plane, so that a single software control program controls multiple data-plane elements
• The concept underpinning SDN is simple:
  o If the data and control planes are decoupled, the static network can be made intelligent, responsive, programmable and centrally controlled.
72. Network Planes – An Analogy
| Management Plane | Control Plane | Data Plane |
| --- | --- | --- |
| NSX Manager & vCenter | NSX Controller | NSX vSwitch |
| define | enforce | execute |
76. NSX Components – Network Planes
• Network Planes
  – Management plane defines the network policy (what): NSX Manager, vCenter
  – Control plane enforces the network policy (how): Controller
  – Data plane executes the network policy (do): vSwitch
77. NSX Features – Firewall
• Physical vs. Virtual vs. Distributed vs. Edge Firewall (slides 77–80 build this comparison up one column at a time)
| Firewall | Characterization | Traits |
| --- | --- | --- |
| Physical | Limited | limited information; expansion is expensive; global performance characteristics; traffic steered to a choke point |
| Virtual | Sprawl | choke point; traffic steered; basic packet information |
| Distributed | Enforcement assumed | embedded in the data path; scales; every packet inspected; comprehensive security policy |
| Edge | Perimeter services | North-South |