Professional Documents
Culture Documents
Copyright/Trademark
Copyright 2014 VMware , Inc. All rights reserved . This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http ://www.vmware.com/go/
patents . VMware is a registered trademark or trademark of VMware , Inc. in the United States
and/or other jurisdictions. All other marks and names ment ioned herein may be trademarks
of the ir respective companies.
The training material is provided "as is," and all express or implied cond itions,
representations, and warranties, includ ing any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are discla imed , even if VMware, Inc., has been
advised of the possibility of such claims. This training mate rial is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The train ing material is not a standalone
tra ining tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which it relates are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Course development: Rob Nendel , John Tuffin, Jerry Ozbun
Technical review : Elver Sena, Chris McCain
Technical editing : Jim Brook , Shalini Pallat , Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation ,
available at http://www.vmware .com/supportlpubs.
www.vmware.com/education
TABLE OF CONTENTS
MODULE 2 NSX Networking" " " " ". " " " " " ". " ". " ".. " ". " ".. ".. "... ".. " 13
You Are Here " " " " " " " " " " " " " ". " ". " " ". " ". " ".. ".. " ".. ".. " 14
Importance" " " " " " " " " " " " " " " " ". " " " " " ". " ". " ".. " ". " ".. ".. " 15
Module Lessons" " " " " ". " " " " " ". " ". " ".. " ". " ".. ".. " ".. " 16
Lesson I: Introduction to vSphere Virtualization 17
Learner Objectives 18
Virtual Machines 19
Benefits ofVirtuaI Machines " ".. 20
ESXi Hypervisor 21
vCenter Server. ".. " ".. ".. " " 22
vCenter Server Management Features 23
vSphere vMotion .. " ".. " 25
Shared Storage. ".. " ".. ".. " " 26
Features That Use Shared Storage 27
Virtual Networking 28
Virtual Switch Types 29
Networking Features 30
vSphere Product Placement. 32
Review of Learner Objectives 33
Lesson 2: Overview of the Software-Defined Data Center. 34
Learner Objectives. " " 35
Choices for IT . ".. " ".. " 36
Data Center Models" " 37
Advantage of Software-Defined Data Center " .. 38
Choice for New IT 39
Software-Defined Data Center as New IT. 40
Components of a Software-Defined Data Center 41
Vision and Strategy 42
Virtual Compute, Storage, and Network 43
Data Center Hardware. . . . . . . . . . . . . . . . . . . . 44
Hypervisors and Virtual Switches 45
MODULE 3 Logical Switch Networks and VXLAN Overlays. ".. " " .. " .. " " . "99
You Are Here 100
Importance" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "101
Module Lessons" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "102
Lesson 1: Ethernet Fundamentals " ". " ".. ".. " " 103
Learner Objectives" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "104
Review: Networking Definitions. ".. " ".. ".. " " 105
Ethernet " .. " .. " " . " " . " " " " " " " " " " "106
MAC Tables 107
Broadcast Domain 108
Address Resolution Protocol 109
From Packets to Frames 110
Segmentation and Encapsulation 111
Layer 3: IPv4 Datagram 112
Layer 4: TCP Segment 113
Concept Summary. " 114
Review of Learner Objectives 115
Lesson 2: Overview ofvSphere Distributed Switch " .116
Learner Objectives " .117
VMkernel Networking " .118
Advantages ofvSphere Distributed Switch 119
Distributed Switch Architecture 120
vSphere Distributed Switch Enhancements in ESXi 5.5 121
Design Considerations 122
Teaming Best Practices 123
Load-Based Teaming 124
Distributed Switch in Enterprise 125
Lab 3: Introduction (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Lab 3: Introduction (2) 127
Lab 3: Preparing for Virtual Networking " .128
Concept Summary 129
Review of Learner Objectives 130
Lesson 3: Link Aggregation 131
Contents iii
Learner Objectives 132
Ethernet Loop 133
Spanning Tree Protocol 134
STP Diagram" . " " " " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "135
Bandwidth Constraint " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "136
Link Aggregation Control Protocol. 137
Enhanced LACP in vSphere 5.5 138
Enhanced LACP ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "139
Concept Summary 140
Review of Learner Objectives 141
Lesson 4: Virtual LANs 142
Learner Objectives 143
Virtual LANs" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "144
Switches and Routers with VLANs .. " " 145
VLANsand ARP" " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". " " " " " ". "146
VLANs Across switches" ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "147
VLAN Scalability " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". " " " " " ". "148
802.1Q 149
802.1Q Frame 150
Native VLAN 151
Concept Summary 152
Review of Learner Objectives 153
Lesson 5: VXLAN: Logical Switch Networks 154
Learner Objectives. " ".. ".. " ".. " ".. " ".. " " 155
VXLAN Tenus" ". " ".. ".. " ".. ".. " ".. ".. " ".. ".. " ".. " "156
VXLAN Protocol Overview 157
Virtual Extensible LAN 158
NSX Use Cases 159
VXLAN Frame Format 160
Multicast: Network Components 161
Internet Group Management Protocol 162
Bidirectional PIM . " ".. " ".. " " " " 163
NSX for vSphere VXLAN Replication Modes 164
VXLAN Replication: Control Plane 165
VXLAN Replication: Data Plane 166
Unicast Mode 167
Multicast Mode 168
Hybrid Mode 169
Unicast and Hybrid Mode: Same Host " .170
Unicast Mode: Different Hosts 172
Hybrid Mode: Different Hosts 173
Multicast Mode: Different Hosts 174
Quality of Service 175
Contents v
BOP Peers Example 220
BOP Route Selection 221
Concept Summary 222
Review of Learner Objectives 223
Lesson 2: NSX Logieal Router 224
Learner Objectives 225
Layer 3 Networking Overview 226
Layer 3 Enables Larger Networks 227
Distributed Logical Router 228
Hairpinning 229
Distributed Logical Router: Logical View 231
Distributed Logical Router: Physical View 232
Data Path: Host Components 233
VLAN LIF 234
Designated Instance 235
VXLAN LIF 236
Control Plane: Components 237
Logical Router Control Virtual Machine 238
Management, Control, and Data Communication 239
Deployment Models: One Tier 240
Deployment Models: Two Tier 241
Distributed Router Traffic Flow: Same Host 242
Distributed Router Traffic Flow: Different Host. 243
Lab 5: Introduction (1) 244
Lab 5: Introduction (2) 245
Lab 5: Introduction (3) 246
Lab 5: Introduction (4) 247
Lab 5: Configuring and Deploying an NSX Distributed Router 248
Concept Summary 249
Review of Learner Objectives 250
Lesson 3: Layer 2 Bridging 251
Learner Objectives 252
VXLAN to VLAN Layer 2 Bridging 253
Use Cases 254
Layer 2 Bridging Details 255
Bridge Instance 256
Bridge Instance Failure 257
Layer 2 Bridging: Flow Overview 258
Design Considerations 259
ARP Request from VXLAN 260
ARP Response from the VLAN 262
Unicast Traffic 263
ARP Request from VLAN 264
MODULE 5 NSX Edge Services Gateway Features " .. " " .. " .. " " .283
You Are Here. ".. " ".. ".. " ".. ".. " ".. ".. " ".. " ".. "... "284
Importance" " " . " " . " " " . " " . " " " . " " . " " " . " " . " ".. " " . " ".. " " . " ".. "285
Module Lessons" .. " ".. ".. " ".. ".. " ".. ".. "... ".. " ".. " "286
Lesson 1: NSX Edge Network Address Translation 287
Learner Objectives. " ".. ".. " ".. " ".. " ".. " " 288
Private IPv4 IP addresses 289
IPv4 Overlapping Space 290
Managing NAT Rules 291
Source NAT Deployment Using NSX Edge " .292
Example: Set Up External Access to Web Server. " " .293
Add a Second External IP Address for NAT Use 294
Destination NAT Deployment Using NSX Edge 295
Creating a Destination NAT Rule for Inbound External Access 296
Create a Destination NAT Rule and Test Inbound Connectivity 297
Creating a Source NAT Rule and Testing Outbound Connectivity 299
Lab 8: Introduction (I) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Lab 8: Introduction (2) 301
Lab 8: Introduction (3) 302
Lab 8: Configuring and Testing Network Address Translation on
an NSX Edge Services Gateway 303
Concept Summary 304
Review of Learner Objectives 305
Contents vii
Lesson 2: NSX Edge Load Balancing 306
Learner Objectives 307
NSX Edge Load Balancer 308
NSX Edge Load Balancer Modes " 309
Load-Balancer Operation .. " ".. ".. " ".. ".. " ".. ".. " ".. " "310
One-Ann Load Balancer" .. " ".. ".. " " 311
One-Ann Load Balancer Traffic Flow 312
Inline Load Balancer" ". " ". " " ". " ". " " ". " ". " ".. " ". " ".. " ". " ".. "313
Inline Load Balancer Traffic Flow " .314
Lab 9: Introduction 315
Lab 10: Introduction 316
Lab 9: Configuring Load Balancing with NSX Edge Gateway (1)" " " "317
Lab 9: Configuring Load Balancing with NSX Edge Gateway (2) 318
Lab 10: Advanced Load Balancing .. " " 319
Concept Summary" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "320
Review of Learner Objectives" .. " ". " ".. ".. " ".. " 321
Lesson 3: NSX Edge High Availability " " " " " " " ". " ". " " ". " ". " ".. "322
Learner Objectives 323
High Availability 324
NSX Edge High Availability Operation 325
Stateful High Availability 326
NSX Edge Failure. " ".. " ".. " ".. " " " 328
NSX Edge Services Gateway High Availability 329
Virtual Machine and Appliance Failure .. ".. " 330
ESXi Host Failure. " ".. " ".. " ".. " " " 331
Lab 11: Introduction " " " " 332
Lab II: Configuring NSX Edge High Availability " .333
Concept Summary 334
Review of Learner Objectives 335
Lesson 4: NSX Edge and VPN 336
Learner Objectives 337
Logical L2 VPN .. " ".. " ".. " ".. " " " 338
Overview of Layer 2 VPN 339
Logical User (SSL) and Site-to-Site (IPsec) VPN 340
NSX IPsec VPN .. " ".. " ".. " ".. " " " 341
IPsec Security Protocols: Internet Key Exchange " .. " . " " " "342
IPsec Security Protocols: Encapsulating Security Payload. " .. " . " " " "344
IPsec ESP Tunnel Mode Packet " .. " .. " " .345
Configuration Example for IPsec VPN " .346
IPsec with AES-NI 347
Add an IPsec VPN 348
NSX SSL VPN-Plus Service " .. " " .349
SSL VPN-Plus 350
Contents ix
Distributed Firewall Components: Communication 392
Distributed Data Path 393
Policy Rule Objects 394
Layer 2 Policy Rules" ". " ". " " ". " ". " " ". " ". " ".. " ". " ".. " ". " ".. "395
Layer 3 and Layer 4 Policy Rules 396
Centralized Management of the Distributed Firewall 397
Using Distributed Firewall Sections 398
Policy Rule Objects" " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "399
Logical Switch Rule-Based Example " .. " " .400
Security Groups 401
Security Group Components 402
Rule-Based Security Group Example " .. " " .403
Applied To: Example "" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " .404
Lab 16: Introduction" ". " " " " " ". " " " " " ". " " " " " ". " " " " " ". " ". " " ". .405
Lab 16: Using NSX Distributed Firewall Rules to Control
Network Traffic" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " .406
Concept Summary" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "407
Review of Learner Objectives " .408
Lesson 3: Flow Monitoring .409
Learner Objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Flow Monitoring 411
Enable Flow Monitoring .412
Exclusion Settings. " ".. ".. " ".. " ".. " ".. " " .413
Viewing Flows. " ". " ".. ".. " ".. ".. " ".. ".. " ".. ".. " ".. " .414
Flow Views by Service .415
Live Monitoring" .. " ".. ".. " ".. ".. " ".. ".. " ".. " ".. " .416
Live Monitoring Output Example .417
Lab 17: Introduction .418
Lab 17: Using Flow Monitoring .419
Concept Summary .420
Review of Learner Objectives .421
Lesson 4: Role-Based Access Control .422
Learner Objectives. " ".. " ".. " ".. " " " .423
Authentication, Authorization, and Accounting Model .424
Identity Sources" .. " ".. ".. " ".. ".. " ".. " ".. " ".. " .425
Identity Source vSphere Requirements " .426
Role-Based Access Control for NSX for vSphere " .. " .. "" "427
NSX User Roles 428
Scopes " .. " .. " " "429
NSX Role Guidelines .430
Permission Inheritance Example: Single Group 431
Permission Inheritance Example: Multiple Groups 432
Configure Role-Based Access Control 433
Contents xi
xii VMware NSX: Install , Config ure, Manage
MODULE 1
Course Introduction
Slide 1-1 II
oa
Module 1 c
Cil
(1)
:J
......
i3
c.
c
VMware NSX: Install, Configure, Manage Q.
o'
:J
By the end of this course, you should be able to meet the following oa
objectives: c
Cil
(1)
Describe the evolution of the software-defined data center ::J
......
Describe how NSX is the next step in the evolution of the software- ac.
defined data center c
Q.
Describe data center prerequisites for NSX deployment o'
::J
By the end of this course, you should be able to meet the following
objectives:
Configure NSX Edge firewall rules to restrict network traffic
Configure Distributed Firewall rules to restrict network traffic
Use role-based access to control user account privileges
Use Activity Monitoring to determine if a security policy is effective
Use Flow Monitoring to monitor network traffic streams
Configure Service Composer policies
oa
c
Cil
(1)
IE Course Introduction
c
Q.
o'
:J
NSX Networking
NSX Routing
NSX Security
oa
c
Cil
(1)
::J
......
ac.
c
Title Location Q.
o'
::J
::J
......
ac.
c
Q.
o'
::J
vmwareEDUCATION SERVICES
Choose YourPath'
To make the VMware training that you take most valuable, you must decide which learning path to
take. Your learning path can be based upon a solution track that you want to pursue or a role in your
organization that you want to take on. Your learning path can also be based on a product that you
want to master or a VMware certification that you want to achieve. Regard less of wh ich path you
choose, the VMware Learning Path Tool can help you to succeed and achieve your goal.
http://www.vmware.com/support/
VMware Education
http://www.vmware.com/education
VMware Support Toolbar
http://vmwaresupport.toolbar.fm
Making full use of VMware technical resources can save you time and money. The following are
extensive VMwa re Web-based resources:
The VMware Communities Web page provides tools and know ledge to help users maximize
their invest ment in VMware products. VMware Communities provides information about
virtua lization technology in technical papers, documentation, a know ledge base , discussion
forums , user groups , and technical newsletters.
The VMware Support page provides a central point from which you can view support offerings,
create a support request, and download products, updates, drivers and tools, and patches.
You can view the course catalog and the latest schedu le of courses offered worldwide on the
VMwa re Education page. This page also provides access to informat ion about the latest
advanced courses offered worldwide.
For quick access to commu nities, documentation, downloads, support information, and more ,
install the VMware Support Toolbar, which is a free download .
VMware vSphere documentation is availab le on the VMware Web site. From this page, you
can access all the vSphere guides , which also include guides for optional modules or products.
N5X Networking
Slide 2- 1
Module 2
II
z
en
><
zCD
?o
.....
~
::J
to
Course Introduction
IE NSX Networking
NSX Routing
NSX Security
II
z
(j)
Lesson 1: ><
Z
CD
Introduction to vSphere Virtualization ?o
.....
~
:::J
to
By the end of this lesson, you should be able to meet the following
objectives:
Discuss the features of VMware vSphere
Provide an overview of the challenges that vSphere is intended to
resolve
Image Backups
Bare-Metal Backups
File-Based Restores
Virtual machines can be used to host any application from file servers, database serve rs, email
serve rs, and even high-p erform ance application servers.
Organizations might choose to virtualize their servers for the followin g reasons:
Consolidate lightly used servers to conserve space and power in their data center. These
workloads are ideal for virtualization because you can often place many virtua l machines on a
single physic al host.
Increase availability, whether as a protection scheme against common hardware failures or
compl ete site-level disasters. Virtual machines are easy to move, copy, and restore, so they
make disaster recovery simple.
Provision new servers quickl y because new virtual machines can be created and deployed in
minut es.
11 ESXi
L -
VMware ESXi is a VMware type I hypervisor. ESX i is a bare-metal hypervisor. This hypervisor
performs the role of resource management while enjoying direct access to the underlying physical
hardware.
This hypervisor can improve your resource efficiency because of less operating system overhead . In
addition, the stability of the ESX i hypervisor is not dependent on another operating system.
ESXi is commonly insta lled directly on hard drives in your physical server, but ESXi can also be
installed onto flash drives, SO cards, and USB drives.
You can also network-boot an ESX i host using traditional boot from network tools such as preboo t
execution environment (PXE) and Trivial File Transfer Protocol (TFTP) servers.
VMware provides several ways to deploy your ESXi hosts because each organization's needs vary.
ESXi hosts your virtua l machines and provides some basic management functions to help you
deploy and control your virtual mach ines.
is scalable
VMware vCenter Server" is a multitier application designed for the enterpris e, but is capabl e of
managing even the smallest of organizations. The vCenter Server system is designed to be highly
scalabl e and can expand with your data center virtu alization initiatives. The vCenter Server system
includes components for an Identity Management Server, Database Server, Application Server, Web
Server, and VMware vSph ere Web Client.
You can deploy the vCenter Server system in various forms and install the roles onto a single server
or multipl e servers depending on your needs. The vCenter Server system can be installed on a
Windows system or deployed as a virtual appliance to give you more flexibility.
A single vCenter Server system can scale from managing a single ESXi host up to 1,000 ESXi
hosts. The vCenter Server system can also manage up to 10,000 pow ered on virtual machin es, which
is ju st one vCenter Server instance.
As an organization expands, you can add more vCent er Server instances and even migrate into a
cloud-b ased configuration to provid e more management and provisioning abiliti es.
The vCenter Server system manag es each of your ESXi hosts. The vCenter Server system can
perform operations that require multiple ESXi hosts.
The vCen ter Server system includes the following featur es:
VMware vSphere vMotion enabl es you to migrate running virtua l machines from one ESXi
host to another without disrupting the virtua l machine.
VMware vSphere Distributed Resource Scheduler" (DRS) provid es load balancing for your
virtual machines acros s the ESXi hosts. DRS leverages vSphere vMo tion to balanc e these
worklo ads.
If configured, VMw are vSph ere Distribu ted Power Managem ent" (DPM) can be used to
power off unused ESXi hosts in your environment. DPM can also pow er on the unused EXI
hosts at the correct time.
VMware vSphere Storage vMotion allows you to migrate a running virtual machine 's hard
disks from one storage device to another devic e.
VMware vSphere Storage DRSTM automates load balancing from a storag e perspective.
VMware vSphere Data Protection" enab les you to back up your virtual machin es.
z
en
X
Z
ro
~
o
~
'"
<0
vSphere vMutiun allows yuu tu migrate a running virtual machine from one ESXi host to another,
even during norm al business hours.
You can usc vSphere vMotion to help load balance your ESX i hosts in a cluster.
vCenter Server orchestrates a copy process between the ESXi hosts. The memory is copied between
the hosts and the virtual machioe is transferred to the new host.
vSphere vMutiun can operate without shared storage, meaning that you can migra te a running
virtual machine between hosts, even if the ESXi hosts have no shared storage in common.
ESXi Hosts
Storage Array
vSphere supports Fibre Channel, Fibre Channel over Ethernet (FCoE), iSCSI, and NFS for Shared
storage. vSphere also supports local storage .
Each storage option has its own strengths and weaknesses. So VMware does not cons ider one
storage type as better than another for virtua lization.
ESXi Hosts
Storage Array
Features that are listed in the slide require a shared storage infrastructure to work properly.
Virtual networking is similar to physical networking. Each virtual machine and ESXi host on the
network has an address and a virtual network card. These virtual network cards are connected to
virtual Ethernet switc hes.
Virtual switches attach your virtual machin es to the physical network, or you can create isolated
networks to be used during testing and development. Virtual networking provides the same
flexibility as server virtualization.
Standard switch architecture: Manages virtual machine and networking
at the host level
VMware vSphere Distributed Sw itch architecture: Manages virtual
machine and networking at the data center level
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to
Virtual switches can be of different forms, each with a different feature set. vSphere supports two
main categories of virtua l switches: the standard switch and the VMware vSphere Distributed
Switcht>'. Both switches help you to reduce network clutter by reducing the number of physical
network cab les plugged into your ESXi hosts .
Each ESXi host is preb uilt with a standard switch that provides basic connectivity and management
features . The distributed switch expands upon that model by providing a central interface to manage
the different connections and features found in the virtual switches . The distributed switch can
provide more features as a resu lt of this centralized management approach.
Virtual networking can be as simpl e or as comp lex as you need. The following features are
supported by vSphere:
VLANs provide logieal separation of your network traffic , and are often used to isolate different
subnetworks. such as a test or restore network.
Traffic shaping is a feature that allows you to restrict the inbo und and outbound network
bandwidth ofa group of virtual machine s. This feature can help reduc e congestion in your
virtual network.
Port mirroring enables you lu monitor a virtual machin e's traffic for troubleshooting or intrusion
prev ention. This feature allows you to capt ure all the traffic sent to or from a virtual machine
for later inspec tion.
Quality of service (QoS) and DSCP are networkin g standard s that allow network switches to
prioritize certain network traffic over others. An example is prioritizing the voice traffic from a
call manager server to improve performance .
NetFlow is a network monitoring tool that allows you to determin e your top talkers on the
network and other metadata about the comm unications that occur on your network.
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to
--
r::: III 0::
Q) ..!!! Q)
0
::!: '- "C
Q, III 0 (1); > Q) 0 Q)
>. r:::
~ ~ ::l
'- Q) Q)
'- III
.c..r:::
-
J: 0 0.. Q) u Cl Cl
:;:; .- u
- -
..r::::= III ~ III
vSphere X 0 ..r::: III Q,Q, '-
::l en ::!: '- '--
.-
en ::!: Cl III en Q)
0
III 0:: 0.. 0 .!!! ~
Edition w > ~ 0 >0:: en LL 0 0 en oen
Essentials X
Essentials Plus X X X X X
Standard X X X X X X X
Enterprise X X X X X X X X X
Enterprise Plus X X X X X X X X X X X
Lesson 2:
Overview of the Software-Defined Data
Center
By the end of this lesson, you should be able to meet the following
objectives:
Describe advantages of the software-defined data center
Identify components of the software-defined data center
II
z
(j)
Explain the role of the virtual network in the software-defined data ><
center Z
CD
?o
.....
~
:::J
to
Software-Defined
Hardware Defined
Data Center
(
No IT
Outsourced
Today, enterpris e busin ess leaders want their IT to create applic ations quickly and easily. Enterprise
business leaders must decide whether to build in-house IT or to outsourc e their IT and app lications.
.
Any Application Any Application Z
CD
?o
Applicatio n-Spec ific Policies ~~~~~~~~i5l .....
~ ~
:::J
Data Center Virtualization to
Any x86
Any Storage
The hardware-defined data center is the traditi onal model. This model includes racks of equipment
and each piece of hardware includes one or more specific defined tasks. Email, database, and other
business-criti cal applications run on specific servers . This mod el is not the answer for futur e
requir ements.
Some of the most agile providers and consumers are moving system
intelligence into software through custom applications or platforms.
Google I Facebook I
Amazon Data Centers
Any x86
Any Storage
Any IP network
Providers are decoupled from physical infrastructure, allowing them to use any x86, any storage,
and any IP networking hardware. This approac h increases agility, reduces cost, and provides a
highly scalable infrastructure with a softwa re-defined data center approac h. These benefits resu lt
from a hardware-abstraction layer software that runs on top.
Software-Defined
Data Center
Google I Facebook I
Amazon Data Centers
Hardware-Defined
Data Cente r
II
z
(j)
><
Any Application Any Application Z
CD
?o
....
~
:::J
to
Any x86
~J
Any Storage
Any IP network
The software-defined data center is similar to the approac h taken by Amazon, Goog le, and
Facebook. This approac h does not include a vertically integrated hardware-specific approac h. For
example, with a hardware-centric infrastructure, you must buy in-unit networking hardware for the
network to function. With the software-defined data center approac h, you can run any network
switch.
. . .. .... .
Data Center
. .
vutuanzauon
VMware NSX TM can do layer 2, SSL, and IPSEC VPNs . This functionality provi des business
continuance and disaster recovery capab ilities, whic h are not otherw ise avai lable. NSX can be
combined with VMware vCloud Hybrid Service" to provi de a hybrid cloud strategy.
Applications
Software-Defined
Data Center
App lications
Software-De fi ned
Dat a Center
Applications
Software-Defined
Data Center
II
z
en
Virtual Compute
Virtual Storage
Virtual Compute
Virtual Storage
Virtual Compute
Virtual Storage
><
Virtual Network Virtual Network Virtual Network zCD
Policy Policy Policy
Security Security Security ?o
Scale Scale Scale .....
~
Desktop ::J
to
Internet
Storage
Virtual Desktop
Laptop
~ ---~--------------------------------------------_.
Tablet
Mobile
Admin
Policy Configuration Hardware Independence
Operational Visibility
Clo ud Manageme nt IP Network Server Sto rage
Hardware Hardware Hardware
Location Independence
The software-defined data center extends the virtualization conc epts like abstraction, poolin g, and
automation to all data center resources and services. Components of the software-defined data center
can be implemented together, or in phases:
Compute virtualization, network virtualization, and software-defined storage deliver
abstraction, pooling, and automation of the compute, network, and storage infrastructure
services.
Automated management delivers a framework for policy-based management of data center
application and services.
The software-defined data center leverages products from VMwa re and other companies.
Manage ment and orchestration are used to configure, manage, monitor, and operationalize a
software-defined data center. Produc ts like VMware vCloud Automat ion Center'?', VMware
vCe nter Opera tions Management Suitet>', and VMware vCenter Log Insight" and also third -
party solutions or custom cloud management platform s can be used.
The software-defined data center has the followin g advantages :
A software-defined data center is decoupled from the und erlying hardware, and takes advantage
of underlying network, server, and storage hardware.
A software-defined data center is location-independent and can be in a single data center, span
multi ple private data centers, or span hybrid public data centers
A software-defined data center leverages a data center virtualization layer to enable
independent, isolated application environments to be deployed on top of the hardware and
location-independent infrastructure.
II
z
(j)
><
Z
CD
Virtual Virtual Virtual ?o
Software Machines Networks Storage Application .....
--------------------------
Hardware Compute Network Storage
Consumption
~
:::J
to
Location Independence
The software-defined data center is a unified data center platform that provides automation,
flexibility, and efficiency. Compute, storage , networking, security, and availability services are
pooled, aggregated, and delivered as softwa re. These services are also managed by intelligent,
policy-driven software.
'cal Network
, ling phySI
EXl5u
NSX enables you to start with your existing network and server hardware in the data center.
z
en
X
Z
ro
~
o
~
'"
<0
NSX adds nothing to the physic al switching environment. NSX exists in the ESXi environment and
is independent of the network hardware.
The slide shows an example of layer 2 connectivity between two virtual machin es on the same
hypervisor and host. Traffic on the layer 2 network never leaves the hypervisor.
II
z
en
><
zCD
?o
.....
~
::J
to
. INetwork
Existing PhyslC3
The slide shows an example where NSX virtualizes the layer 3 connectivity between two virtual
machin es on the same hypervisor and host. NSX virtualizes the layer 3 connectivity in different IP
subnets and logical switch es with out leaving the hypervisor to use a physical router. This
virtualization also provides routing between two virtual machin es on two different sides of the data
center across multipl e layer 3 subnets and availability zones.
Lesson 3:
Introduction to NSX and NSX Manager
By the end of this lesson, you should be able to meet the following
objectives:
Describe capabilities of NSX
Explain differences between the data, control, and management planes
II
z
(j)
Recognize NSX topologies ><
Z
Illustrate the role of NSX Manager CD
?o
.....
~
:::J
to
Partner Ecosystem
Environment requirements:
Correct DNS configuration for ESXi hosts added by name.
User permissions to add and power on virtual machines.
Permissions to add files to the virtual machine datastore.
1. Place the NSX Manager Open Virtualization Appliance (OVA) file in a location access ible to
your vCenter server and ESXi hosts.
2. Import the OVA like any other virtua l machine.
During the import process you are prompted to configure the initial network settings .
3. Power on the NSX Manager.
4. Log in to the administrative interface to configure the NSX Manager.
5. Configure the different NSX settings.
The NSX features are ready to use.
--.,
I ..... ... J
"._"' ...
~
-----------------------1
NSX ManagerVirtualAppliance Management
After logging in to the NSX Manag er, click Manage App liance Settings to configure the initial
settings.
. ..-
....-... ".,
I ' .. _, ~ ..
l .....
...us
51 II IHGS
Hostn~ ns:.mgrI-Ota
Dom aItl N ."...
SSL Ctl1U'Iutft 1PY4 lnfonn.allOn
Inl68"OU
Ne1mask 155255 ''55 0
Df'f~I1. Oartway 191 168110 :1
IP6InfOfftUlllon
Acld,e ",
Prtl'ilLengttl
OtfaulOa~
~Il oblecti lert'n~nc:t'G ustng ill hOi~ilme , 'l'OO mus.l prtMde one 01' mQfe ONS Unotf'S commonlO ..c~r. ESXhOm and
To rnOfwto
~r ~tl.'. co~nts (Ifl)llmiliTYor st< ol\d ary UMf I S. ...mO\Ot<l.lle fleld Mllablt (Ins ......., In ItItllntwouhJ aUumt tnt ""POns.lbl!lt'J')
lPt ONSStrm1
PJ1m;wy~ In 168 110 10
Sf' COndiitY SeolWf
Ifl\ofiONSStt\l\"fs
Pr1rntSef'm
SecondaryStfWr
Register the NSX Manager with a vCenter Server to begin using NSX
capabi Iities.
'1'1'110;1' ' -
~
....... ~ , . "'IjI"+C.1~ 1'''''_
-'
II
z
en
><
lookup SeNe.. zCD
F'or~.'*r "r~", S 1 _~, lOU","confgur, LOOI<UD s.rw:.
""'d Pf~ tie sao MmInI'tr~fOr
crt1lIff\ll.Io~'l"NSlC .... M~~I'lCS.Mt . . .
ttMl' lOt sse
ton6gu'.lIbtlrllOw()t', (NQ('"
lsotlAOn\It... IIIlto ~(~lM<JIlot..tlheNTP
?o
.....
~
::J
...:-,,- E.. to
(: ~ ""Cl IlO " .c.,.., Urvtf .,..atI\f1I NSX " 1!'lIQ'~~ StiNK' to dflotaYfJ ...........,.II'lft.W1I(t./rt'
l1Wtntott HTTPS ll'Ol1{ ~ ~l'I"iU IOll.OO'tflHfOf(Clf'lVnUl'll{a~ll"""tfl H$l( Ml nl9 tmt"' StMt:.
ESlCalIdVC For.U 1l.lafportS "~.'" IHtotI1:lltnllln(l U"rN.(.t.OfC",,~ "'.pannolol'
lMlIII~bon'lfIt1\ot 'N$XMtalIWOf'l and UP",ad'0\Ii".. WIl)ufI'C.'" t1O$Uocf Dr "l'Wf" ...c...,
S''''''-'''O~In( pl.n. trltvf''''iC~'CPV and IMfl'oOlYrn.,....-..ontl !JfWtfltot'M1 i1I~hlC'W
.c'MltS.!'Wtr 10 . 1 0 .10 .1 1
1(:,,.,..,.... N.me roo!
SlIIIn ConnIfd
Connect the NSX Manager to the desired vCenter Server and the initial configuration is complete.
Management
Plane
- - ----- - - - - - - - - - ------ - - - - - - ------ - - - - - - - - -- ---- - - - - - - --- ----.- - - - - - - ------- - - - - - -- ------- - - - - -- - - - ---- - -- - - - ---
Control
Plane
.--- - - ---_.- - - -- -------- ------- -- ---- ------------- .--- - -- ---- - ------_.- - - --- ------ - -- -----. -- - - --------- - ----------
Data
Plane
NSX uses the management plane, control plane, and data plane models. Compo nents on one plane
have minimal or no effec t on the functi ons of the planes below.
Management
II
z
(j)
Plane ><
--------------------------------------------------- ------ - - - - - - - - ------ - - - - - - - - - ------ - - - - - ---- - - - - - - - --- ------- Z
CD
Control
?o
....
Plane ~
:::J
to
-- - ----- - - - - - ---- -- - - - - -_.- - - - - - - - --- - - - -- ----- - - --- - ----- - - - ------- - - - ---_.- -- - -- -------- -- ------ ---------- - ------
VMware NSX Virtual Switch
NSX Virtual Switch NSX Edge Distributed network edge
Services
+ ~ lti ~ ' G ateway Line rate performance
The data plane is defined by the distributed switch. The distributed switch does only layer 2
switching. Hosts have to be on the same layer 2 network so that virtual machines on each host can
communicate with virtual machines on the other host.
NSX installs three vSphere Installation Bund les (VlB) that enable NSX functionality to the host.
One VlB enables the layer 2 VXLAN functionality, another VlB enables the distributed router, and
the final VlB enables the distributed firewall. After adding the VlBs to a distributed switch, that
distributed switch is called VMware NSX Virtual Switch . On NSX Virtual Switch, hosts are not
restricted to the same layer 2 domain for virtual machine to virtual machine communic ation across
hosts. You must migrate virtual machines from a host before installing the VlBs . If the VlBs must
be removed , the ESXi host requires a reboot.
VMware NSX Edge" gateway is not distributed and so the gateway lacks a contro l entity. NSX
Edge gateway handles control traffic. Conceptually, an NSX Edge gateway should be on the barrier
between the data and control planes.
Management
Plane
- - ---- - - - - - - - -- -_.- - - - - - - - _. ------ - - - - - - - ------ - - - - - - - - -- ----- - - - - - _. ---- - - - - - - - -------- - - - - - - - ------ - - - - - - - -- ~-
The NSX logica l router contro l virt ual machine and VMware NSX Con troller" are virtua l
machi nes that are dep loyed by VMware NSX Managert'<,
The user world agent (UWA) is composed of the ntcpad and vsfwd daemons on the ESXi host.
Communication related to NSX between the NSX Manager instance or the NSX Con tro ller
instance s and the ESXi hos t happen thro ugh the UWA.
The logical router control virtual machine hand les routing network relationships . This virtua l
mach ine gives the routing table to the NSX Manager instance .
The NSX Virtual Switch does not control routing plane traffic . So the NSX logical router control
virtua l mach ine is instant iated on its beha lf to handle that func tion. One NSX Controller virtual
machine gets dep loyed for each distributed logical router instance. The NSX Controller instanc e
retains information for the media access control (MAC), Address Resolution Protocol (ARP), and
Virtua l Tunne l End Poin t (VTEP) tab les. VMware reco mme nds that you deploy NSX Controller
instances in clusters of three to preve nt situatio ns where the NSX Contro ller clusters are split even ly.
If the control plane componen ts are lost, the ability to form new paths between virtual mac hines is
also lost and the current paths age out as the TTLs exp ire.
Management
Plane
NSX Manager vCenter Server Message Bus
A ent
Single point of configuration
REST API and UI interface
II
z
en
><
- - - ----- - - - - - - - ----- -- - ------- ----- - - - - - - _. ----- - - - - - - -- ------ - - - - - - - - ---- - - - - - - - - ------- - - - - - - - ------ -- - - - - - - -- zCD
NSX Logical NSX Controller Manages logical networks
Control
Router Control VM User World Agent
Run-time st ate ?o
Does not sit in the data path .....
Plane Con trol plane protocol ~
::J
to
NSX Virtual Sw itch
NSX Virtual Switch NSX Edge . Distributed netw ork edge
+ - ~- - - - - -dS - - - - - -~- - j
Services Line rate performance
Gateway
Distributed : .~ : NSX Edge gateway
. h VXLAN Distributed Firewall :
Data t. !-~9 !l?~~ _~_~L!!~ ~ j vi rtu al machine form factor
Plane Data plane for North-South
traffic
Routing and advanced
servic es
Switch Security
NSX Manager comm unicates with a vCenter Server system and is the interface for the VMware
NSX APJTM for third-party applicatio ns that integrate with NSX. The NSX Controller instances are
deployed by the NSX Manager instance. NSX Manager requests the vCenter Server system to
deploy the NSX Controller virtual machines from OVA files.
EB~ i
Dis t rib ut ed Flm wal l :
Gatew ay
NSX Edge gateway
Dat a L\>9jc~ 1 RQI,lt \" : Virtual machine form factor
Plane Data plane fo r North-South
Hypervisor Kernel Modules
traffic
Routing and advanced
services
Switch Security
All of these components build an infrastruct ure for networking thai is consumed in the same fashion
as compute, memory, and storage resources in the software-defined data center.
Physical Router
External Network
~------ - II
z
en
><
VLAN 20
zCD
Uplink
?o
NSX Edge Services
.....
~
Gateway ::J
to
VXLAN 5020
Uplink
LR Instance 1
NSX Manager helps to configure and manage logical routin g services. During the configuration
process, you can deploy either a distributed or a centralized logical router. If the distributed router is
selected, the NSX Manager instance deploys the logical router control virtua l machine and pushes
the logical interface configurations to each host throu gh the NSX Controller cluster.
In centralized routing, NSX Manager deploys the NSX Edge services router virtual machin e. The
API interface of NSX Manager helps automate deployment and management of these logical routers
through a cloud management platform .
External Network
Tenant 2
In a a service provider environment, multipl e tenants exist. Each tenant can have different
requirements in terms of number of isolated logical networks and other network services, such as
load balancing, firewall, and VPN. In such deployments, NSX Edge services router provides
network services capabilities and dynamic routing protocol support.
As shown in the slide, the two tenants are connected to the externa l network through the NSX Edge
services router. Each tenant has its logical router instance that provid es routin g in the tenant. A
dynamic routin g protocol is configured between the tenant logical router and the NSX Edge services
router. This routin g protoc ol provides the connectivity from the tenant virtual machin es to the
external network.
In this topolo gy the East-West traffic routing is handled by the distributed router in the hyperviso r
and the North-South traffic flows through the NSX Edge services router.
External Network II
z
en
><
NSX Edge Serv ices
zCD
Gatew ay
?o
.....
~
::J
to
Web logical
Switch
The service provider topology can be scaled out as shown in the slide. The diagram shows nine
tenants served by an NSX Edge instance on the left and the other nine tenants served by an NSX
Edge instance on the right. The service provider can easily provision another NSX Edge instance to
serve additional tenants.
The distributed switch supports up to 1,000 hosts that allow for a wide variety of scaling options.
These options range from a model where every clust er has its own distributed switch to a mod el
with a single distributed switch spanning all clust ers. NSX even supports multipl e distributed
switches in the same cluster.
If a distributed switch spans multipl e clust ers, when you create a port group, every host connected to
that distributed switch knows about the new port group. Thus , every new port group can cause
additional resourc e consumption. The main reason to span distributed switch across clusters is to
support virtual machin e migration with vSph ere vMo tion.
...
1:1 Mapping of
the
vCenter Server
II
z
en
System to the
><
NSX Cluster zCD
?o
.....
~
::J
to
,. _ . _ . _ . _ . _. _ . _ . - .
. ------ -- ---- - ------. I
I
.,
_
p
~ ! !i r]
' 1
r'
I I
I:
L I -. :I q .
i "L -, lI :I
v8p here vnaonon
I._ ._ ._._ ._._ ._ .~
'- '- '- '- '- '- '- '-'
based on DRS
Manua l
vSpherevMotlon
1-------..... 1-1 --------1
NSX is coupl ed with the vCenter Server system to provide enhanced functionality on VMware
hypervisors so that it scales in parallel with the vCenter Server system. Typically a cloud
management system is used to aggregate multiple vCenter Server systems and NSX Manager
instances to enable horizontal scalability.
NSX Manager and vCenter Server systems are linked I: I and NSX Controller clusters are deployed
by NSX Manager. In addition to the vSphere vMo tion bound aries, VMware NSXTM for vSphere
enables layer 2 connectivity that spans the entire vCenter Server using VXLAN . The vCenter Server
system includes 1,000 hosts and 10,000 virtual machines.
NSX provides a similar architecture. The main difference is that the NSX Controller cluster scales
independently from vCenter Server system. So the vSphere vMotion boundaries are the same, but
NSX allows logical network s and layer 2 boundaries to extend beyond a single vCenter Server
system. The limit is still 1,000 hypervisors, but multipl e hypervisor platforms are supported.
- .............-
_ H$I.
.-.-,
... w _
-0
~ _
...-0-1 IIfMIN __
communications. tI'OII'-....._NSlI-., .
.....fII~.....-.._ .~
_1IIOal_-OO:- _ _
1e9a1 _ _ III9CIII-"o.- _
.t_~
_
"' 1... _ 111
- _ _0..
. .......
.....
........ "...,..'*"4""""
- ,,- .......
--
.-.~
t l I _ ~ _ _ ........
...
' " " - t I _ .. -...-_~
"-"'-'..-d_
-oo4~QIl...--.,
-~"- .....
-
........1 . . - . 4 ....,...
.--..n ... "'-t.... ~ ___
NSX Manager is the only component that is installed. NSX Manager handles all the manage ment
tasks. A direct correlation of one vCenter Server system to one NSX Manager exists. So if vCloud
Automa tion Center is present with multiple vCenter Server systems, each of those vCenter Server
systems has an NSX Manager instance.
An installation ofNSX Manager includ es OVA files to deploy the NSX Edge gateways, NSX
Controller, and the VIBs that get pushed to the ESXi hosts for the distributed switches. NSX
Manage r uses REST API for external communications from third-party applications such as
firewa lls and security software that integrate with NSX.
B ~ [!][i][!] VM
II
z
en
vCenter Server 5.5 and ><
ESXi 5.5 zCD
vSphere Distributed
Switch
B [!] [I] [!] ~ B ?o
VM ~[!]~ B .....
~
::J
Logical Networks to
NSX deploys into vSphere clusters. The NSX platform has basic requireme nts. Any serve r on which
you can install ESXi 5.5 can run NSX , connected to any physical network. Multicast over the
physical infrast ructure is an added benefit but not required. After you deploy NSX Manager, you
deploy NSX Controller instances, VIBs, and configure the virtual network.
SSL Certificates
ONSSerwrs
Backups & Resto re
To resofve all objects refiner
vcenter server
Upgrade
Connecting to a vc enter s 1p.,.4 DNS sewers
COMPONENTS
Access' of Chapter 'Prepal Prima!y Server
NSX Management Service Secondary Server
If your vcenter serveris he 1M DNS sewers
Prima!y Server
vcenter Server
Secondary Server
vcenter User Name
Search Domains
Status'
Which protocol facilitates the propaga tion of multicast traffic across a routed network?
Protocol Independent Multicast (PIM)
What is used to acqu ire the MAC addresses asso ciated with IP add resses?
What is a serv ice embedded in the ESXi kernel that is used to protect virtual machine s calle d? A Firewall
NSX Edge
Lesson 4:
NSX Controller
By the end of this lesson, you should be able to meet the following
objectives:
Describe NSX Controller instances
Explain NSX Controller clustering
II
z
(j)
Determine NSX Controller roles ><
Z
CD
?o
.....
~
:::J
to
VMware recommends that you have three NSX Controller instances for each NSX Controller
cluster. You should always have an odd number ofNSCX Controller instances to avoid a situation in
which the NSX Controller instances are split evenly on a decisio n.
NSX Contro ller stores four types of tables:
The ARP tab le
The MAC table
VTEP table
Routing table
The ESXi host, with NSX Virtual Switch, intercepts the following types of traffic:
Virtual machine broadcast
Virtual machine unicast
Virtual machine mult icast
Etherne t requests
Queries to the NSX Contro ller instance to retrieve the correct response to those requests
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to
The first NSX Controller instance that is deployed requests a password and all future NSX
Controller instances that are deployed use this password. This password is used by a user to connect
through SSH into NSX Manager or NSX Controller. NSX Controller must be connected to the same
vCenter Server system as NSX Manager. VMware recommends that you deploy NSX Controller
instances in clusters of three. Each NSX Controller instance in a cluster must be deployed
individually.
!
II
z
en
><
The NSX Controller CLI provides a NSX Controller zCD
Cluster
consistent interface to verify ?o
.....
VXLAN and logical routing ~
::J
network state information. to
NSX Controller uses the UWA daemon s to communicate from the hosts management address . NSX
Controller instances in a cluster replicate the different ARP, MAC, and VTEP tables in that cluster.
The control plane is secure d with SSL encryption by using certifica tes that are managed by NSX
Ma nager.
A Message
REST
API
NSX Manager
~EJ NSX Manager
Database
Create
certificate II
z
en
W Bus
><
zCD
?o
.....
~
::J
to
NSX Manager creates certificates and stores them in a database. NSX Manager pushes these
certific ates to the NSX Contro ller instances as they are deployed . NSX Manager uses the message
bus to talk to the host for dep loying the VlBs . NSX Controller and the host go through the UWA
daemons .
i L_~:W== -
!1- ------ ------------- __---- - ----- -----__-- -
-~ .---------.--.-----.---.--------.---------...- ------..-----1 i
iI Kernel Modules . - !I
ll- - ---- -----
,
- ---- - ------ - ---- - - ---- -..- - - - - - - - - - - - - - - - - - -...- ---.-----.---.-.....--..-...1 iI
The UWA includes two daemons that run on the host. The UWA is responsible for comm unication
between NSX Controller and ESXi host for layers 2 and 3, and for VXLAN communications. The
UWA can connect to multiple NSX Controller instances and maintains logs at / v a r /l o g /
ne tcpa . log. The distributed firewa ll has its own daemon. This daemon talks directly to NSX
Manager.
Two roles are used for NSX Contro ller workloads. These roles are called logical switches and
logical routers. A master election determines the NSX Controller instance that is the master for a
particular role. Every role has a master. The master selects the NSX Controller instances and
allocates the portion of work for that role .
Paxos is a family of protocols for solving consens us in a network of unreliable processors.
~ 'ii.vXLAN .-
If a master NSX Controller instance for a role fails, the cluster elects a new master for that role from
the available NSX Controller instances. The new master NSX Controller instance for that role
reallocates the lost portions of work among the remaining NSX Controller instances.
NSX Controller instances are on the control plane. So an NSX Contro ller failure does not affect data
plane traffic. For example, if the host requests the MAC address for an lP address through an ARP
request, and the NSX Controller instance does not respond, then the ARP is processed. The normal
ARP request process does not wait for the NSX Controller instance.
Dynamically distribute workloads across all available NSX Controller
cluster nodes
Redistribute workloads when a cluster member is added
Have the ability to sustain failure of any cluster node
II
z
(j)
><
Z
Perform the workload distribution so that it is transparent to applications CD
?o
.....
~
:::J
Solution: Slicing to
Slicing is the action of dividin g NSX Controller workloads into different slices so that each NSX
Controller instance has an equal portion of the work.
After a master NSX Controller instance is chosen for a role, that NSX Contro ller divid es the
different logical switches and routers among all available NSX Controllers in a cluster. Each
numbered box on the slide represents slices that the master uses to divide the workloads . The logical
switch master divides the logical switches into slices and assigns these slices to different NSX
Controller instances. The master for the logica l routers does the same .
These slices are assigned to the different NSX Controller instances in that cluster. The master for a
role dec ides which NSX Controller instances are assigned to which slices. If a request comes in on
router slic e 6, the slice is to ld to connect to the third NSX Controller inst anc e. If a req uest comes in
on logical switch slic e 2, that req uest is processed by the second NSX Controller instance.
When an NSX Controller fails, the master for the role redistributes slices
among remaining nodes
Slice redistribution happens on:
Creation of the NSX Controller cluster.
A reduction in the number of available NSX Controller nodes in the cluster.
An increase in the number of available NSX Controller nodes in the cluster.
When one of the NSX Controller instances in a cluster fails, the masters for the roles redis tribute the
slices to the remaining available clusters.
x , I
l . ' - - I~
;:::;:~ ,~ ~
I r.::! ~ _
r --.. . I~-
I . ,.
~=-:: ~ L: :::=::E I~ : ~~I
._- . ~ --=
The components of the NSX platform are configured in the following order:
1. Only NSX Manager is installed.
2. Durin g NSX Manager installation, the vCenter Server IP address and credentials are provided
and the NSX Manager instance conn ects to the vCenter Server system. The NSX Manager
instance enables the NSX components in the VMware vSphere Web Client.
3. The vSphere Web Client is used to deploy the NSX Controller instances through NSX Manager.
4. After NSX Controller instances are deployed, hosts are prepared by using NSX Manager to
install the VIBs on the ESXi hosts in the cluster.
5. After the components are installed and deployed, you define the logical networking
components, such as adding distributed routers and creating firewall policies.
This procedur e is repeated for each vSphere clust er.
~ Home I 'LO
VInstall atioll I .t ~ Home 1 _0.- ' Installation i
Net w orking & Security Mana g ement I Host Prepar ation L ogical Netw Networkin g & Security VManag em enl 1 Ho st Prepara tion Logical NeIWo
.
E!NSXHome
~ Logical Switc he s
NSX Manager
R!N8XHome
.
l:! LogicalSwitches
NSXManayer
+
Fe. . 1 + ~
N ~m . Nod.
N~m.
nvp-e co nt.r o I Le r
Type
Join status:
Majority status :
# shOIJ co nt.r o.l c-c Lua te r status
5tatus
Join complEtE
ConnEctEd to clustEr majority
5ince
07/14 17:53:22
07/14 18:04:46
II
z
(j)
:Restart status: This controller can be safely restarted 07/14 18:04:47 ><
Z
ClustEr ID: 47b40b57-fbdf-4fcE-a171-bff6a36345bO CD
NodE UUID: 47b40b57-fbdf-4fcE-a171-bff6a36345bO ?o
....
~
:::J
to
Module 3
II
r
o
co
0"
OJ
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
"en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en
Course Introduction
I NSX Networking
NSX Routing
NSX Security
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Lesson 1:
Ethernet Fundamentals II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
By the end of this lesson, you should be able to meet the following
objectives:
Describe Ethernet frames
Describe segmentation and encapsulation
Explain the Address Resolution Protocol (ARP) process
Point-to-point network: A network in which every physical wire is connected to only two devices.
s;:::;:
o
::r
Switch: A bridge that transforms a shared-bus (broadcast) configuration into a point-to-point Z
network. CD
~
Router: A device that acts as a junction between two layer 3 networks to transfer packets between o
...,
them.
'"
en
0)
Gateway: A device that connects two networks communicating over different protocols. :::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Ethernet is the most commo nly used layer 2 system in data centers . The main purpose of Etherne t is
to define the source and destination of frames and ensure that the shared medium is used efficiently
among all hosts.
The MAC address tables associate MAC addresses with LAN ports
on the switch.
A switch uses a media access control (MAC) address table to direct frames from a sending network
r
~
device to a destination network device. The switch builds this table as it receives frames. The switch z
associates the MAC address of the sending device with the LAN port on which the frame is received
by using the source MAC address in the frame.
o
<
...,
CD
When the switch receives a communication for an unknown destination address, the switch sends 0)
-c
the frame to all other LAN ports of the same VLAN . When the destination device replies, the switch en
adds the relevant MAC source address and port ID in the address table. The switch sends all
subsequent frames for that destination to the correct LAN port without sending to all LAN ports.
/~
Switch Switch
~ /
Hub Hub
/\ /\
r
~
z
o
<
...,
CD
0)
-c
en
Application Data
II
r
o
co
n"
0)
Transport (j)
s;:::;:
o
::r
Network Z
CD
~
Data Link o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Routers and switches review the header information of the frame to route and switch traffic , app ly
policy contro ls, and build routing and switching tables. IP headers enab le quality of service (QoS)
application, control layer 3 loops using Time To Live (TTL), and congestion control using explicit
congestion notification bits. In the IP packet, UDP/TCP segments are embedded with their protoco l
numbers identified in the header for the host or gateway to process.
Data
Offset
Reserved
Acknowledgement Number
UA E R S F
RC0 S Y I
Window II
r
o
GK L T N N co
n"
0)
(j)
Checksum Urgent Pointer s;:::;:
o
::r
Options I Padding
. 1I11e.' .
IilmDr
. ... III - .--m"-
.JiUi.'
Z
CD
~
o
...,
"en
0)
:::J
C.
TCP is a connection-based protocol with guaran teed delivery. Devices send data over a connection
r
~
socket. z
o
<
...,
CD
0)
-c
en
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Lesson 2:
Overview of vSphere Distributed Switch
By the end of this lesson, you should be able to meet the following
objectives:
Describe VMware vSphere Distributed Switch
Configure a distributed switch
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Teaming recommendations:
Link Aggregation Control Protocol (LACP) requires configuration on the upstream switch . You can
use load-based teaming to simpl ify configuration and reduce dependencies on the physical network ,
whil e effectively using multipl e uplinks .
r
~
z
o
<
...,
CD
OJ
-c
en
Management Plane
Legend:
_ dvPGA
_ dvPGB
_ dvUplink PG
dvUplink
Host 1
vmnicO vmnic1 vmmcO vmnic1
In VMwa re vSphere, the host handles the data plane. The host has information about which MAC
addresses are in which port groups. The VMwa re vCen ter Server" system controls the management
plane and if the vCen ter Server system fails, nothing changes on the contro l plane. Hosts and virtual
machines continu e to function. Features that rely on the vCenter Server system, like VMware
vSphere vMoti on, are unavailable until the management plane is restored.
The VMware NSX Virtual Switch'Y, which is a normal distributed switch with the VMware NSXTM
VIBs installed, is different. If a VXLAN port group exists, only the data is managed at the data
plane. The control plane is handled by VMware NSX Controller" and management is handled by
VMware NSX Managerr.
Enhanced LACP
Enhanced SR-IOV
40 GigE NIC support
Packet Classification
II
r
o
co
Traffic Filtering (ACLs) 0"
OJ
DSCP Marking (OoS) (j)
s;:::;:
o
Visibility and Troubleshooting :::r
Z
CD
Host Level Packet Capture
Tool (tcpdump)
:?
o
...,
"en
OJ
:::J
C.
In vSphere 5.5, LACP handles more than port aggregation and supports all LACP features. vSphere
r
~
5.5 also supports Mellanox 40 GB network interface cards. vSphere uses traffic filtering and access z
control lists (ACLs) to enable traffic, drop traffic, or change tags. Layer 2 Class of Service (CoS)
and layer 3 Differentiated Services Code Point (DSCP) tagging is fully supported.
o
<
...,
CD
OJ
-c
en
Available infrastructure:
Type of servers
Type of physical switches
Servers:
Rack mount or blade
Number of ports and speed. For example: Ten 1 Gb links or one 10Gb
link
Physical switches:
Managed and unmanaged
Protocol and features support
You must make several design consideratio ns when planning a distributed switch deployment. In the
software-defined data center ecosys tem the most frequently depleted resource is memory, not CPU .
Not every virtual machin e has the same proportionality of CPU to memory.
Understanding where enviro nment constraints are, and how your design can consider these
constraints is critical. The type of network interfaces in hosts is also important. In today 's data
center 10 GB interfaces are common with some instances of 40 GB interfaces. Dependin g on the
infrastructure, various switches with different features and functions might exist.
Hashing algorithms are not perfect. For serve rs where the systems connecting are varied, the
r
~
hashing works we ll. In scenarios where a few high-consumption endpoints exist, the hashing can z
result in one link being busier than the others. An example is IP storage with NFS . Typically, NFS
datastores or servers are on the same logic layer 2 as the VMke me l port that uses that data. Little to
o
<
no load sharing happens. ...,
CD
0)
-c
en
Network
Traffic
B
an
d 'dl h I VM1 VM2
VM1 VM2 WI
vSphere
7Gig
vMotion
VM1 5Gig
VM2 2Gig
2 3 4
10 11
L..---_>Rebalance
....._ _......~.;;.'--~;...;..._ _Distributed Distributed
Switch Switch
12 GB 2GB 7GB
The examp le shows the advantage of load-based teaming. The diagram on the left has 14 GB of data
going out to two 10GB lines. vSphere vMotion consumes 7 GB, virtual machine 1 (VM I)
consumes 5 GB, and virtua l machine 2 (VM2) consumes 2 GB. Virtual machine 1 and vSphere
vMotion try to send a total of 12 GB of data out of the same 10 GB link. Virtual machine 2 sends 2
GB of data out of the second 10 GB link. Thus , 2 GB is lost on the first link.
The diagram on the right shows that by implementing load-based teaming, virtua l mach ine I is
forced to use the other interface. All machines and services get the bandwidth that they need . This
feature should be configured on distributed switch before NSX is installed.
vCenter Server
2c
~
- - - - - - -
Distributed
Switch
- - 1 1- -
I I
I I
I
I
I
I
- - - - - - - 1
Distributed
Switch
I
I
I
I
II
r
o
I I I co
U
<ll
I I I
0
OJ
ro I I I
ro I I I
(j)
o
I I I
s;:::;:
Cluster 1 Cluster 2 Cluster 3 Cluster 4
ROBO 1 I I ROBO 2 I o
________ ~L ~ ::r
Z
Multiple distributed switches per VC (128) Central management for DC and ROBO CD
environments ~
Distributed switches can span multiple clusters o
...,
Role-based management control
Hundreds of hosts per distributed switch "en
OJ
:::J
C.
Distributed switches must be in the same vCenter Server system as NSX Manager so that NSX
r
~
Manager can use the distributed switch. z
o
<
...,
CD
OJ
-c
en
II
Prefix Length:
*1 C onlrol Plan e Mode
Ia Murbcasl
1
Primary DNS: I MlJ~iJ~on Pf'I/$J(fI '-
Secondary DNS:
I I Unicasl
Segment 10 pool
C
IIXt,ANcQT1lrolpl.af*
DNS Suffix I a Hybrid
Provide a segmentiD pool and m ulticast range uniq ue to this NSX
r
manager. o
Static IP Pool: Op:1IYlJ!edUmc8$l n co
*1 0"
Selec t clu ste rS II) add
Segment10 pool:
*11 I OJ
A static IP P (In the range of 5000-16777216) (j)
a list orcorn
for example 0
N. ",.
r
~
z
o
<
...,
CD
OJ
-c
en
Install NSX for vSphere modules in ESXi hosts and configure the
VXLAN IP pools and a transport zone
1. Prepare for the Lab
2. Install NSX for vSphere Modules on the ESXi Hosts
3. Configure VXLAN on the ESXi Hosts
4. Configure the VXLAN 10 Pool
5. Configure a Global Transport Zone
6. Clean Up for the Next Lab
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Lesson 3:
Link Aggregation II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
By the end of this lesson, you should be able to meet the following
objectives:
Describe the Spanning Tree Protocol (STP)
Describe the purpose of LACP
Create an overlay network
Host A sends a
broadcast frame.
II
The Ethernet switch notices t broadcast frame and sends a copy out to the
it is a broadcast frame and first switch , thus creating an Ethernet Loop.
sends a copy out of every
interface . r
o
co
0'
OJ
(j)
s;:::;:
o
::r
Z
CD
The second Ethernet switch notices
~
that it is a broadcast frame and o
...,
sends a copy out of every interface. "en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en
STP is a Link Layer protocol that helps maintain a loop free LAN:
STP is standardized in IEEE 802.1 D.
STP assigns a switch as root bridge.
Every other switch in the LAN creates only one data path back to the
bridge.
All other data paths leading to the bridge are prevented from forwarding
traffic.
All paths not leading to the bridge are allowed to forward traffic.
In STP, only one of the two switches blocks the data path. The other
switch keeps the link in a forwarding state.
Root Bridge
II
r
o
co
0"
OJ
(j)
s;:::;:
o
::r
Z
CD
- - - Blocking
~
o
...,
"en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en
STP always blocks all paths except the one leading up to the root
bridge.
If the forwarding path goes down, the switch activates one of the
block paths.
Root Bridge
Forwarding Forwardi ng
~ BI O Cki n g
With Spanning Tree Protocol (STP) , you can gain additional bandw idth between switches by going
to the next speed in Ethernet, for example, from 100 Mb to 1Gb.
LACP:
Is a standards-based link aggregation method: 802.3ad
Provides automatic negotiation of link aggregation parameters between
virtual and physical switches
Advantages:
Provides higher bandwidth and redundancy
Detects link failures and cabling mistakes
II
r
o
Reconfigures links automatically co
n"
0)
Deployments with static link aggregation groups (LAGs) have (j)
problems such as PXE boot. s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
LACP is a type of port aggregation. Port aggrega tion is the bundling of interfaces to tell the STP
r
~
that only a single link exists instead of multiple links. LACP ensures that link aggregation z
parameters match at both ends of the link aggregation.
o
<
The different types of LACP negotiation are the following: ...,
CD
0)
1. Enable port aggregation on the links. Switches do the port aggregation and must be manually -c
en
configured to be compatible at each end of that link.
2. One switch sends repeated requests to the other switch that is requesting the port aggregation
status. The two switches negotiate the status of the links and proceed.
3. Switches wait until they receive an aggregation request, negotiate the status of the links, and
proceed.
The LACP negotiation verifies that the link aggregation configurations between switches are
compatible. For the second or third type of LACP negotiation , switches negotiate details. The details
might includ e the number ofli nks that exist in the port group, the speed of the port group, and MTU.
Each switch determines the hashing that it uses to load balance its links independent of the other.
Hosts and distributed switches can support up to 64 Link Aggregat ion Groups (LAGs) .
Host
Active Link :
LAG 1
LACP:
LAG 1 - 2 Uplinks; LB
algorithm - Source IP
II
r
o
co
address . 0'
OJ
LAG 2 - 2 Uplinks; LB (j)
algorithm - Destination s;:::;:
IP address o
:::r
Z
CD
:?
o
...,
LAG 1 - Port 1,2
Physical Switch 2
LAG 2 - Port 1,2 "en
OJ
:::J
C.
The example shows the use of different switches for LACP, with each link aggregation using a
r
~
different hashing algorithm. z
o
<
...,
CD
OJ
-c
en
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Lesson 4:
Virtual LANs
By the end of this lesson, you should be able to meet the following
objectives:
Explain how VLANs are used
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Switch
VLANs address scalability, security, and network management by enab ling a switch to serve
multipl e virtual subnets from its LAN ports. Routers in VLAN topologies provide broadcast
filtering, security, and traffic flow management. Switches must not bridge traffic between VLANs
because the integrity of the VLAN broadcast domain might be violated.
... I.:a!!!::-----~~
II
r
o
co
One link per VLAN or a single VLAN Trunk later. 0'
. ._ 0-'-' - .- -'- . -'- '- OJ
(j)
.-.
....
..-
s;:::;:
o
/ :::r
FaOIO
Z
CD
\ FaO/1 :?
o
.... ...,
... ... "en
- '- 0_. _ . _. _ . _ . -. - . - ".-. ' OJ
:::J
C.
By default, all ports on a switch are in a single broadcast domain. Devices belonging to different
r
~
domains must be isolated using individual switches. VLANs enable a single swi tch to serve multiple z
switching domains . The forwarding table on the sw itch is parti tioned be tween all ports belonging to
a common VLAN.
o
<
...,
CD
With this change, devices belonging to multiple domains can be collocated on a single switch. Also, OJ
-c
hosts can be spread around in the data center on different L2 segments and maintain domain and en
subnet isolation.
Without VLAN, the ARP is seen on all subnets on a switch. All ports
on a switch are part of the broadcast domain.
Assigning a host to the correct VLAN is a two-step process:
Connect the host to the correct port on the switch with a VLAN
configured.
Assign an IP address to the host for that subnet. Otherwise the host
cannot find peers on the same subnet.
- 1
1
3 4 5 6 . Po rt
1 2 2 1 . VLAN
ARP
f Request
1
172.30.1.21/24
VLAN 1
VLAN tagging is used when a single link needs to carry traffic for
more than one VLAN.
Interswitch links are configured as trunks, carrying frames from
multiple VLANs for that switch.
Each frame carries a tag that identifies which VLAN it belongs to.
802.1Q Trunk
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
Without tagging, one physical connection per VLAN is required
between switches. This is not scalable.
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Int erf ac e 5
VLA N 20
.. .-.
802.10 frames increase the standard Ethernet frame to 1522 bytes. o
::r
Up to 1500
6 bytes 6 bytes 2 bytes 2 bytes 2 bytes bytes 6 bytes Z
CD
~
- . 1 :11 - ;1 . o
...,
Standard Ethernet Frame "en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
3 bits 12 bits
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Lesson 5:
VXLAN: Logical Switch Networks
By the end of this lesson, you should be able to meet the following
objectives:
Describe VXLAN overlay networks
Define the VXLAN frame format
Compare unicast, multicast, and hybrid modes
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
A VTEP proxy is a VTEP that forwards VXLAN traffic to its local segment from
another VTEP in a remote segment.
A VXLAN Number Identifier (VNI) is a 24-bit number that gets added to the VXLAN
frame:
The VNI uniquely identifies the segment to which the inner Ethernet frame belongs
Multiple VNls can exist in the same transport zone
VMware NSXTMfor vSphere starts with VNI 5000
VXLAN is an Ethernet in IP overlay technology, where the original layer 2 frame is encapsulated in
a User Datagram Protocol (UDP) packe t and delivered over a transport network. This technology
provides the ability to extend layer 2 networks across layer 3 boundaries and consume capacity
across clusters. The maximum transmission unit (MTU) requirement is for a minimum of 1,600
bytes to support IPv4 and IPv6 guest traffic . The Virtual Tunnel End Point (VTE Ps) do not support
fragmentation. VXLAN also provi des increased scalability as it is no longer tied to the 802.1q
protocol limit of 4,096. The 24-bit address space theoretica lly enables up to 16 million VXLAN
netwo rks. Each VXLAN network is an isolated logical network.
II
50+ bytes of overhead
VXLAN can cross layer 3 network boundaries.
VXLAN is an overlay between VMware ESXi hosts. Virtual r
o
machines do not see VXLAN 10. co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
The VTEP Proxy, used in UTEP and MTEP, replicates the frame that it rece ives. The VXLAN
r
~
Number Identifier (VNI) is 24 bits. z
A transport zone is a configurab le boundary for a VNI. A single transport zone is usually sufficient. o
<
All clusters in the same transport zone share the same VNI. A transport zone can contain multiple ...,
CD
clusters and a cluster can be a part of multiple transport zones. A transport zone tells the host or 0)
-c
cluster which logical switch has been created. If you do not want logical switches to show up on en
certa in hosts, you can create a transport zone to constrain tenants. The underlying port group still
exists across the distributed switch.
VXLAN is a network overlay technology. VXLAN encapsulates frames at layer 2 into a UDP
header. The traffic is encapulated into and deencapsulated from a VXLAN header by the VTEP.
The VXLAN adds 50 to 54 bytes of information to the frame, depending on whether VLAN tagging
is used. VMwa re recommends increasing the MTU to at least 1,600 bytes to support NSX . Larger
MTUs might already be in place depending on what other technologies are in use on the network. If
a custom MTU size is already set, either ensure that enough unused space exists in the MTU to
enable the additional 54 bytes or increase the MTU size to accommodate the addition.
II
r
o
co
0"
Speed up network Automate network Automate network OJ
provisioning and service provisioning for (j)
The most common use cases for NSX are data center autom ation , self-service IT, and multitenant
r
~
cloud environments. z
o
<
...,
CD
OJ
-c
en
( )
IP
Header
Data'
I I IP
Protoco
I
Header
Checksum
I
Outer Outer
Source Dest
IP IP
I I I I I
I I
Outer Outer Optional Optiona l VXLAN
Dest Source 802.1Q Outer EtherType VXLAN RSVD NI RSVD
MAC MAC EtherType 802.1Q Flags (VNI)
The VXLAN fram e forma t is shown here. The top frame is the original frame from the virtua l
machin es, minus the Frame Check Sequence (FCS), encapsu lated in a VXLAN frame. A new FCS
is created by the VTEP to includ e the entire VX LAN frame . The VLAN tag in the layer 2 Etherne t
frame exists if the port group that your VX LAN VMke rnel port is connected to has an assoc iated
VLAN numb er. When the port group is associated with a VLAN number, the port group tags the
VXLAN frame with that VLAN numb er.
II
r
o
co
r+-- IGMP ~ IIII IGMP ---+t 0"
OJ
(j)
UDP / RTP s;:::;:
o
Multicast Traffic
\. ) ::r
Z
Y CD
~
o
...,
LAN "en
OJ
:::J
C.
The idea is to use the network to replicate and prevent the source from creating a large numb er of
r
~
individual unicast sessions to each destination. Some key applications of multic ast include z
multim edia content delivery, financial institutions such as stock exchanges and high-frequency
trading centers, and IPTV networks. Multic ast is a necessary component of many enterprise
o
<
networks. ...,
CD
OJ
-c
en
--....,)~
1t-rwa-- ---')~
Upstream Forwarding
Downstream Forwarding
II
r
o
co
) 0"
RP- Rendezvous Point OJ
(j)
Notation: 1*,G) s;:::;:
o
* = All Source :::r
Z
G = Group CD
Receiver 1 Receiver 2 :?
o
...,
"en
OJ
:::J
C.
a unrcast
unicast. VXLAN controfpftJnehaOOIOO ty NSX coreoser Cluster
'2) Hybrid
--
Hybrid mode is local replication that is Optimized Unless! mode. Offloads local traffic repticsston to pttysical nel'MJrll
Multicast mode requires IGMP for a IIG1 U Management & Edge Cluster C vest t) Norma l
for L3 topology.
Replication mode relates to the hand ling of broadcast, unknown unicast , and multicast (BUM)
traffic. Unicast has no physical network requirements apart from the MTU . All traffic is replicated
by the VTEPs. In the same VXLAN segment, traffic is rep licated by the source VTEP. In remote
VXLAN segments, the NSX Contro ller instance selects a proxy VTEP. Hybrid mode uses IOMP
layer 2 multicast to offload local replication to the physical network. Remote replication uses unicast
proxies, so multicast routing is not necessary. Hybrid is recommended for most deploymen ts.
Multicast is seen frequent ly in upgrade scenarios from VMware vCloud Networking and
Security'P' 5.1 or environments that already have multicast routing.
r
VTEPTable o
This list of UTEPs or MTEPs is synced to each VTEP. co
0'
OJ
If a UTEP or MTEP leaves a VNI, the NSX Controller (j)
instance selects a new proxy in the segment and s;:::;:
o
updates the participating VTEPs: :::r
Z
VTEP report CD
:?
o
VTEP failure ...,
"en
OJ
:::J
C.
The VTEPs to which the list of UTEPs or MTEPs are synced are memb ers of the associated
r
~
VXLAN Network Identifi er (VN I). z
VTEPs leave a VNI either voluntarily because the VMware ESXi host is gracefully powered off, o
<
or all virtual machin es connected to the VNI are migrated or shut down. VTEPs also leave the VNI ...,
CD
if the VTEP fails. When a VTEP fails, it cannot invalidate its VTEP VNI mappin g entry with the OJ
-c
NSX Controller instance. The NSX Controller instance detects that the keep-alive has expired and en
The first field of eight bits is used for VXLAN flags. Seven of these bits are reserved in vCloud
Networking and Security 5.1. These reserved bits are set to zero . The fifth bit is set to 1 when the
header includes a valid VNI. VMwa re NSXTM for vSphere adds a bit for a replicate locally flag
which is set to 1 for delivery to a UTEP or MTE P.
Source UTEP:
Replicates encapsulated frame to each local VTEP through unicast
Replicates encaps ulated frame to each remote UTEP through unicast
Destination UTEP:
Receives the encapsulated frame from the source VTEP
Replicates encapsulated frame to each local VTEP through unicast
Unicast mode considerations:
II
r
o
co
No multicast configuration needed on the physical network n
0)
In NSX, the default mode of traffic replication is unicast. Initially no multicast support is required
r
~
on the physical network. z
This mode reduces network dependencies to only increase in maximum transmission unit (MTU) . o
<
Each layer 2 transport subnet has one dynam ically assigned VTEP that acts as a proxy and is ...,
CD
responsible for replica ting traffic to other VTEPs within the segment. This proxy addresses the most 0)
-c
common objections and allows VXLAN deployment with minimal physical network support. en
One downside of unicast mode is the higher overhead. In unicast mode the source VTEP and
proxies must copy the same frame multiple times to every VTEP within the layer 2 subnet. Copying
the same frame multiple times results in higher CPU utilization on the host as the VXLAN transport
zone and clusters increase in size.
Source VTEP:
Replicates encapsulated frame to each remote VTEP through multicast
Replicates encapsulated frame to each local VTEP through multicast
No UTEP or MTEP roles
Multicast mode considerations:
IGMP and IGMP snooping configuration needed on the physical
network
Multicast address required over physical network
Lowest overhead on the source VTEP
Configurable per VNI during logical switch provisioning
Multicast mode uses the VTEP as a proxy. In multicast, the VTEP never goes to the NSX Controller
instance. As soon as the VTEP receives the broadcast traffic, the VTEP multicasts the traffic to all
devices .
Source MTEP:
Replicates encapsulated frame to each remote MTEP through unicast
Replicates encapsulated frame to each local VTEP through multicast
Destination MTEP role:
Receives the encapsulated frame from the source MTEP
Replicates encapsulated frame to each local VTEP through multicast
Unicast mode considerations:
II
r
o
co
IGMP Snooping configuration needed on the physical network n"
0)
To reduce the overhead of traffic replication, multicas t proxy is used for optimization. The VTEP
r
~
does not replicate all traffic in software. The VTEP leverages the physical network to replicate z
through multicast by selecting one VTEP in each L2 transport network to serve as a multi cast proxy.
This mode is L2 IOMP only, and PIM is not needed in hybrid mode . This mode is not the defau lt
o
<
mode of operation in NSX for vSphere, but is important for larger scale operations. Also the ...,
CD
0)
configuration overhead or complexity of L2 IOMP is significantly lower than multicast routing. -c
en
Management Network
o
- - - - - - - - - - - - t~..-1
- :;';;;;
- i'-:l:''''-J~---:i-<-.;.;;..;;.o"",.
-- -
,
The diagram shows the process by which virtual machine I (VM I) communicates with virtual
machine 2 (VM2) on the same host in the same VXLAN when VM I lacks the MAC address for
VM2 :
1. VM I sends Address Resolution Protoco l (ARP) request for the MAC address of VM2 on the
same logical switch (VNI 500 I) on the same host.
2. Broadcast is sent to all virtual machines on the logical switch of the same host. The switch
securi ty module uses the management network to query the NSX Controller instances ARP
table for VM2 ARP entry.
3. Because VM2 is on the same logical switch, VM2 sends an ARP reply before NSX Controll er
respon ds to the switch security module:
a. IfVM2 has not participated in previous ARP reply or Dynam ic Host Configuration Protoco l
(DHCP), the NSX Controller instance lacks the inform ation.
b. Switch security module updates local ARP table and notifies NSX Controller to update the
ARP entry for VM2 (in the ARP table).
This scena rio does not incur VXLAN encapsulation . If the transport zone is configured as a
multicast , the ARP request broadcast is forwarded in a VXLAN encaps ulation to all the other
VTEPs in the multicast group.
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Management Network
a
The diagram shows the process in unicast mod e. Virtual mach ine I (VM 1) communicates with
virtual machine 3 (VM3) on different host s in the same VXLAN when VMl lacks the MAC address
for VM3:
1. VM 1 sends an ARP request for the MAC address of VM3 on the same logical switch (VNI
5001) on a different host in a different cluster.
2. Broadcast is sent on the local logical switch and the switch security modul e queries the NSX
Controller instance for an ARP entry for VM3.
3. The NSX Controller instance lacks the information on VM3. So the broadc ast is forw arded as
encapsulated unicast from VTEPx to all local VTEPs and the remote proxy VTEP.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, and is sent to VTEPx, and
return ed to VM 1.
5. VTEPx learns the MAC address ofVM3 for all subsequent communication from local virtual
machin es to VM3.
II
r
o
co
0"
OJ
(j)
s;:::;:
o
Management Network :::r
Z
, ---.~~~~
- - -- - - -~
- - -~
- - -~
- - -~ ----------------, , CD
,: ~
:
Transport N etwork
---- O Transport Networ k
----
~,----------------------------------~~~~~p~-~ ~~~~------------------------------;
:'
:
:?
o
...,
"en
OJ
:::J
C.
The diagram shows the process in hybr id mode. Virtual machin e I (VM I) communicates with
r
~
virtual machin e 3 (VM3) on different hosts in the same VXLAN when VM I lacks the MAC address z
for VM3:
o
<
1. VM I sends an ARP request for the MAC address of VM3 on the same logical switch (VNI ...,
CD
500 I) on a different host in a different cluster. OJ
-c
en
2. The broadcast is sent on the local logical switch and the switch security modul e queries the
NSX Controller instance and ARP entry for VM3.
3. The NSX Controller lacks the information on VM3. So the broadcast is forwarded from VTEPx
to all local VTEPs using multicast and to the remote proxy VTEP using unicast.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, sent to VTEPx, and returned to
VM I.
5. VTEPx learns the MAC address of VM3 for all subsequent communication from local virtual
machin es to VM3.
..'
Management Network
o
r
:
,
Transport Network
-
------------
0 Transport Network
-
~-----------------------------------~~~~~~~-~ ~~~~-----------------------------_:
The diagram shows the process in multicast mode . Virtua l machine 1 (VM 1) com municates with
virtual machine 3 (VM3) on different hosts in the same VXLAN when VM l lacks the MAC address
for VM3:
1. VM 1 sends an ARP request for the MAC address of VM3 on the same logical switch (VN I
500 1) on a different host in a different cluster.
2. The broadcast is sent on local logical switch and the switch security modul e is checked.
3. If the switch security module lacks the information for VM3 , the broa dcast is encapsulated as a
mult icast and forwarded to all VTE Ps.
4 . VM3 sends a uni cast ARP reply that is encapsula ted by VTEPy, sent to VTEPx, and delivered
to VM l.
5. VTEPx learns the MAC of virt ual machine 3 (VM3) for all subseq uen t comm unication from
local virtua l machines to VM3 .
The fact that the virtua l machine is on a differen t cluster does not change the packet walk proc ess . In
all these cases the same events occur when communication is taking place between two virtua l
machin es on different hosts of the same clus ter or different cluster.
You can ensure that the application traffic flowing through the
physical network infrastructure is prioritized by using the following
ways:
Class of Service (CoS): Layer 2 Tag
Differentiated Services Code Point (DSCP) Marking: Layer 3 Tag
6 bits 2 bits
802.1 Q Header
II
r
o
DSCP 16 bits 3 bits 1 bit 12 bits co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
IP Header "en
0)
:::J
C.
Traffic can be classified in different ways. In a layer 2 fram e, the 802.1q header contains the
r
~
inform ation for the Class of Service (CoS). The first 16 bits are always Ox8100 , which means that z
the header contains a VLAN tag. The class of service is in the next 3 bits follow ed by a flag that
indicates whether to fragment.
o
<
...,
CD
Layer 3 has a different field called Differentiated Services Code Point (DSCP) that has 6 bits . The 0)
-c
first three values typically match the first three CoS bits. At the bound ary between layers 2 and 3, en
the switch can take the CoS and other factors like the source or destination address and match that to
a layer 3 DSCP value . Because DSCP has more potential values, it can be more specific about the
service that it is going to provid e.
Guest Tagging
..
Ell
Virtual Switch Tagg ing
..
Ell
Physical Switch Tagging
1
I vSphereil II vSphere'1 .:::l'= II vSphere I
Physical
Network
1
Physical
Network
Physical
Networ k
- - - --
..l
Ell
Traffic that comes from a virtua l machine can be tagged at several levels. Traffic can be tagged by
the virtua l machi ne, by NSX Virtual Switch, or at the physical switch.
Congested Switch
II
r
o
co
0
OJ
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
i i Physical Network
"en
OJ
:::J
C.
In the example, the virtual machine traffic is tagged from the hypervisor. The traffic goes through
r
~
the physical network. Depending on the QoS settings and cong estion , the virtual machin e traffic z
reaches its destination or is dropp ed. In most cases of congestion, the traffic with the highest QoS
priority is the most likely to reach its destination.
o
<
...,
CD
OJ
-c
en
NSX Controller
Configuration
(Logical switches ,
Distributed logical routers)
vCenter
Server
Host Configuration
(Logical switches,
Distributed logical routers)
Service
Configuration
(LB , FW, VPN, and so on)
__ ,. ... . f8E --
---I"
,
;.=~
__ _-I
-
. :-=-:: I~ '
'"_"'" 'II -
~
I ~ a.: .--=t
I. I
I
~ I~ : [BE .......
The components of the NSX platform are configured in the followin g order:
1. The NSX Manager is connected to vCenter Server and prepares the infrastructure.
2. Provisioning of logical switches and distributed logical routers occurs throu gh the VMware
vSphere Web Client or VMware NSX APFM. After switches and routers are provisioned, they
are published to NSX Controller and the slicing process determin es which NSX Controller node
is active .
3. NSX Controller proactively syncs inform ation to the active ESXi hosts through the UWA. For
VXLAN logical switches, the host becomes activ e for a given VNI after a virtual machine is
conn ected to that VNI and powered on. The UWA reports to the NSX Controller, syncs the
VTEP list, and starts popul ating MAC and IP address information .
4. The Distributed Firewall configuration is sent directly to the ESXi hosts through the secured
message bus. The VMware NSX Edge" configuration is sent directly to the NSX Edge
gateway through the message bus.
5. As the virtual infrastructure scales and additional hosts are added, the logical switches, routers,
and firewalls are scaled with the compute infrastructure. The scaling occurs as the same clust er
is expanded, or as new clusters are prepared for network virtualization.
\ I
~~
Challenges Benefits
II
r
o
co
Per application or multitenant segmentation Scalable multitenancy across data 0'
OJ
Virtual machine mobility requires L2 center
(j)
everywhere
Large L2 physical network sprawl : STP
Enabling L2 over L3 infrastructure
Overlay based with VXLAN , STT, GRE ,
s;:::;:
issues
o
and so on ::r
HW memory (MAC , FIB) table limits Logical switches span across physical Z
CD
hosts and network switches
~
o
...,
Logical Switching: Usin N to scale the network "en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
'<
en
The logical switch is a distributed port group on the distrib uted switch . The logical switch can
expand distributed switches by being associated with a port group in each distributed switch . The
vCenter Server system creates the port group for the NSX Manager. vSphere vMo tion is supported,
but only among those hosts that are part of the same distributed switch.
===========~
II
Name
[I Firewa ll
r
~
z
o
<
...,
CD
0)
-c
en
J Ready to complete
V irtual ma chine
o /'IJ app-sv-01 a
o /'IJ br-s v-02a
o /'IJ db-s v-01a
o /'IJ mgt- sv-01a
o /'IJ N8 XJ ontroller_af c9ddf4-eee2-4 39a-800 b-6318e d
o /'IJ N8XJ ontroll er_b 1033456- cbea-4be O-832 9-35224
o /'IJ N8XJ ontroll er_bb1 c4724-4g e3-48d9- a2ed-a a504
o /'IJ w eb-sv-0 1a
o /'IJ web -sv-02 a
Create and test logical switches for the Web-Tier, App-Tier, DB-Tier,
and transport networks
1. Prepare for the Lab
2. Create Logical Switches
3. Verify That Logical Switch Port Groups Appear in vSphere
4. Migrate Virtual Machines to Logical Switches
5. Test Connectivity
6. Clean Up for the Next Lab
II
r
o
co
n
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
N5X Routing
Slide 4-1
Module 4
II
z
(J)
><
::0
o
c
~
:::J
c.c
Course Introduction
NSX Networking
IE NSX Routing
NSX Security
II
z
(J)
><
::0
o
c
~
:::J
(C
Lesson 1:
NSX Routing
II
z
(J)
><
::0
o
c
~
:::J
(C
By the end of this lesson, you should be able to meet the following
objectives:
Compare Open Shortest Path First (OSPF), Intermediate System to
Intermediate System (IS-IS), and Border Gateway Protocol (BGP)
Describe OSPF area types
Describe IS-IS routing levels
Describe the BGP
II
z
(J)
><
::0
o
c
~
:::J
(C
The TCP/IP protocol suite offers different routing protocols that provide a router with methods for
building valid routes. The following routing protocols are supported:
Open Shortest Path First (OSPF) : This protocol is a link-state protoco l that uses a link-state
routing algorithm. This protocol is an interior routing protocol.
Intermediate System to Intermediate System (IS-IS): This protocol determines the best route for
datagrams through a packet switched network.
Border Gateway Protocol (BGP): This protocol is an exterior gateway protocol that is designed
to exchange routing information between autonomous systems (AS) on the Internet.
OSPF is a link-state protocol. Each router maintains a database describ ing the AS topo logy. When
you enable OSPF, area 0 and area 5 1 are created by default. Area 51 can be deleted and replaced
with a desired area .
By default, OSPF adjacency negotia tions use clear authentication by assuming that the segment is
secure. If installed in an insecure segment, enabling authentication ensure s that a third party cannot
corrup t the routing table or hijack connection by injecting a compromised default route .
adjacencies.
Latest supported OSPF version is version 2. II
z
(J)
><
::0
o
c
~
:::J
(C
OSPF maintains a link-state database that describes the AS topology. Each part icipating router has
an identical database. The router shares this database with routers in the AS by a mechanism called
flooding . All routers in the AS run the same algori thm used to construct the shortest path between
the router and the root. This algori thm gives each router the route to each destination in the AS.
When multiple paths to a destination exist and those paths are of equa l cost, traffic is distributed
equally among those paths.
Routers on the same network segment with the same area 10 are
neighbors.
Neighbor relationships are established through a discovery process:
1. The router determines its OSPF router 10 (RID).
2. The router starts the OSPF process.
3. The router sends out Hello packets using multicast.
4. When a Hello packet is received from anothe r router containing the RID
for itself, the routers become neighbors.
OSPF-enabled routers must find neighboring OSPF-enab led routers and form neighbor adjacencies
with those routers . OSPF-enabled routers form neighbor adjacenc ies by multicasting information to
other OSPF-enabled routers . Each router is responsible for main taining a Neighbor Table of the
OSPF-enab led routers that it has formed adjacencies with . The router is also responsible for sharing
this table with other routers . This multicast uses Hello packets that contain the necessary
information to form adjacencies.
Area 10
II
z
(J)
Checksum
I AuType ><
::0
Authentication o
c
~
Authentication :::J
(C
A ll OSPF packets have a header of 24 bytes. This header contai ns the information required for any
OSPF communica tion:
The version of OSPF in use by the originatin g router.
The packet type : A total of five packet types are sent by OS PF.
The total length of the packet.
The Router ID (RID) of the originating router.
The Area ID for the area to which the originating interface on the originating router belongs.
A checksum va lue for the packet to verify it has not been corru pted. This checksum excludes
the authentication fie lds.
The Authentication type (AuType) currently in use. Authentication can be none, plain text
password, or MD5 authentication.
The authentication data needed if any authentication type is used.
OSPF He l lo Packet
Ne two r k Mask : 255 .255 .255 . 0
Hello I n t e r v a l : 1 0 se c o n ds
Opt i ons : 0 ,, 1 2 (L . E )
0. .. . . .. = DN: DN- b i t i s NOT se t
.0. . . ... = 0 : O- b i t i s NOT s et
. .0. 0 = DC: Dereand circuit s a re NOT s u p p o r te d
Designated Route r
Neighbor
The OSPF-enabled router builds neighbor adjacencies by periodic ally sending out packets called
Hello packets from all OSPF- enabl ed interfaces on the router. OSPF-enabled routers see Hello
packets from other OSPF- enabl ed routers and add these routers to a record called a Neighbor Table.
After the routers have added each other to their tables, those routers have formed an adjacency.
To form a neighbor adjacency, both OSPF- enabled routers must pass certain parameters specified in
their respectiv e Hello packets:
The subnet included is that of the originating interface.
The HelloInt erval is the interval at which the Hello packet is sent from an OSPF-enabled
router 's interfaces. The default interval is 10 seconds but the HelloInt erval is configured per
interface.
Options includ e the capabilities of the originating router.
Router Priority is the priority of the originating router, used in designated router elections.
The originating router sets the Router Dead Interval to guide how long the router is silent before
other routers mark it as a dead link .
The IP address of the current Designated Router.
II
z
(J)
><
::0
o
c
~
:::J
(C
Advertising Router
LSA Header
# LSAs
Header
LSAs
The other OSP F packets are used as part of the process for keeping the Link State tables
synchronized between all OSPF-enabled routers:
1. Type 2 packets are Database Descriptor packets. Database Descriptor packets are used to
synchronize the router link states between all neighbors. This synchroni zation is important for
keeping the router paths accurate and not sending traffic to dead links. The OSPF router
summarizes the local database and the packets carry a set of LSAs inside the Database
Descriptor packet.
2. Type 3 packets are Link State Request packets. OSPF-enabled routers use Link State Request
packets to request neighbor database updates when their own link state databases are old based
on the Database Descriptor packet data. Adjacent rout ers that detect an LSA that is more
updated than their own database copy, request the newer LSA from the neighbor.
3. Type 4 packets are Link State Update (LSU) packets. The request for an update takes the form
of a Link State Request (LSR) packet that contains requests for any LSA updates needed. The
router with the updated database responds to the LSR with a LSU packet that contains all of the
requested LSAs .
4. Type 5 packets are Link State Acknowledgment (LSAck) packets. After the LSU packet is
received, the receiving router sends an LSAck packet to the originating router.
II
Loading
Full
Designated / Backup Designated
z
(J)
Ne i ghbo r 1 0 Pr i S tat e Dead Ti me Ad d r e ss Interfa c e
10.10.1. 2 5 4 10 FULL/ DR 00:0 0: 2 7 1 9 2.1 68.0. 3 Fas te t he r ne t 0 /0 ><
10.10 . 2. 2 5 4 1 FULL/BDR 00:0 0: 31 1 9 2.1 68.0. 7 Fas te t he r ne t 0 /0
::0
o
10. 20.10. 2 5 4 0 2WAY 00:00: 3 3 192.16 8 .0.11 Fas te t he r ne t 0/ 0 c
~
10. 20.11.2 5 4 0 2'11AY 00:00: 2 9 1 9 2. 1 68.0.13 Fas te t he r ne t 0/0 :::J
(C
10 . 20.1 2. 2 5 4 0 DO'I/N 00:00 :35 1 9 2.1 68.0.17 Fas te t he r ne t 0/0
OSPF -enabled routers keep the link state databas e curren t at all times. This database is used to
determine where to send traffic by the most efficient path:
Down indicates that the neighbor has not been heard from within the RouterDeadInterval time .
Attempt is only used for manually configured neighbors. The current router is send ing Hello
packe ts to any router in the Attemp t state.
When the status is Init, the router has received a Hello packet from this neighbor and replied but
has not completed the process for establishing adjacency.
A 2-Way state indicates that bidirectional comm unication is established with the neighbor
router.
Exstart indica tes that the routers are beginning the link state information exchange.
Exchange is the state when neighbor routers exchange the Databas e Descriptor packets.
In the Loading state, based on the information in the Database Descrip tor packets, routers are
exchanging the link state information.
The Full state indica tes that routers are synced and in adjacency.
II
z
(J)
><
::0
o
c
~
:::J
(C
An OSPF AS includes all routers that run OSPF and these routers
exchange link-state information with each other:
An AS is also called a routing domain .
In the OSPF AS, each router interface that is participating in the
OSPF process is placed in an area:
A router can have interfaces in more than one area.
A router with interfaces in more than one area must have one of those
interfaces in the backbone area, or area O.
A router only forms neighbor adjacencies with another router in a local
segment if both routers are in the same area .
The default OSPF area for NSX is Area 51.
Areas are sets of networks that are grouped together. Areas are a collection of routers, links, and
networks that have the same area identification. Each OSPF area can combine with other areas and
form a backbone area . Backbone areas combine multipl e indepe ndent areas into one logical routing
domain. This backbone area has an ID of 0 or (0.0.0.0). The primary responsibility of the backbone
area is to distribute routing information between nonbackbone areas .
II
z
(J)
><
::0
o
c
~
:::J
(C
Each area maintains a separa te link-state database. Stub areas are areas that do not receive route
advertisements externa l to the AS. Not so stubby area (NSSA) is a stub area that can import AS
external routes and send them to other areas . But NSSA cannot receive AS externa l routes from
other areas .
In an OSPF normal area, routers have full visibility to all networks in the AS. Every router in a
normal area knows about every route.
II
z
(J)
><
::0
o
c
~
:::J
(C
A stub area is usefu l if routers do not need to know about every route. Routers contin ue to exchange
information in their area but not external destinations. Instead, routers in the area must send external
packe ts to an area border router (ABR). The area border router advertises a default route in place of
external routes and generates a network summary link-state advertisement (LSA). Packets destined
for an external route are sent to the ABR .
An OSPF NSSA allows external routing information to be imported in a limited fashion into the
stub area. OSPF NSSA is useful for making an area aware of a non-O SPF router. This information
can be flooded within the area, but the area remai ns protected from being flooded with all routes.
Area 0
Area 813
Normal
:l"t~lf-----{O ) Internal
Router
Internal
II
z
(J)
Router ><
::0
o
c
Area 829 Stub ~
:::J
c.c
The diagram shows the interaction s of the different areas with each other.
IS-IS is an interdomain dynamic routing protocol used to support large routing domains. OSPF is
designed to support only TCP/IP networks whereas IS-IS started as an ISO protoco l. Both protoco ls
are interior gateway protocols (lOP), but IS-IS runs over layer 2 and is intended to support multiple
routed protocols.
Router-level support:
Area 10, system 10 (default router-id), IS-Type (default level -1-2),
domain password , and area password
Area-level support:
Up to 3 IP addresses per area
Interface-level support:
vNIC name
Hello timer, hello multiplier
Metric, priority
Circuit type
II
z
(J)
LSP interval ><
Mesh group ::0
o
c
~
Password :::J
(C
IS-IS and OSPF have similar features. VMware NSXTM supports up to three IP addressees per area
and a wide range of interface levels.
IS-IS uses a two-level hierarchy for managing and scaling large networks. A routing domain is
partitioned into areas . Level I routers know the topology of their area including all routers and
endpoints in their area. Leve l I routers do not know the identity of routers or destinations outside
their areas . Level I routers forward all traffic that is outside their area to a level 2 router in their
area .
Level 2 routers know the level 2 area and know which addresses can be reached by contacting other
level 2 routers. A level 2 router does not know the topology of a layer I area . Level 2 routers can
exchange packets or routing information directly with external routers located outside of the routing
domain.
IS-IS assigns an area type to the entire router rather than the router
links.
II
z
(J)
><
::0
o
c
~
:::J
c.c
Leve l l routers belonging to a level 1 area only form neighbor adjacencies with level 1 routers in the
same area and have full visibi lity of their area . Leve l 2 routers belonging to a level 2 area can form
neigh bor adjace ncies with any level 2 router, including in other areas and advertise interarea routes.
Level 1-2 routers belong to both level 1 and level 2 areas at the same time. Similar to OSPF 's AB R,
level 1-2 routers can form neighbor adjace ncies with any othe r router in any area. Level 1-2 router
takes level 1 area routing updates and propagates them to level 2 areas and the other way round.
Only level 2 routers can connect to an external netwo rk.
All IS-IS speakers in a segment form neighbor adjacencies with each other:
Levell routers send and listen for level I Hello Protocol Data Units (PDUs).
Level 2 routers send and listen for level 2 Hello PDUs.
Level 1-2 routers send and listen for levell and level 2 Hello PDUs.
II
z
(J)
><
::0
o
c
~
:::J
(C
II
z
(J)
><
::0
o
c
~
:::J
(C
BOP is a standardize d exterior gateway protocol designed to exchange routin g and reachability
inform ation between AS on the Internet.
An AS is a set of routers under a single technical administration . The AS uses an interior gateway
protocol (lOP) and common metr ics to determin e how to route packe ts in the AS. The AS uses an
interAS routing protocol to determine how to route packe ts to other AS. Each of these AS is
uniquely identified using an AS numb er (ASN) .
II
z
(J)
><
::0
o
c
~
:::J
(C
Peers are manually configured to exchange routing information and form TCP connections. A peer
in a different AS is called an external peer, while a peer in the same AS is called an internal peer.
A BGP router is only aware of its BGP neighbors and conducts all
control plane communication with them.
AS 90 r
iBG P
A BGP router only installs one path to a route in its routing table.
If multiple paths exist for the route, the BGP router selects the best
route based on the following criteria:
1. Prefer the path with the highest local preference.
2. Prefer the locally originated path.
3. Prefer the shortest AS path.
4. Choose the path with the lowest origin code .
5. Choose the path with the lowest multiexit discriminator.
6. Choose an eBGP over an iBGP.
7. Choose a route through the nearest IGP neighbor as determined by the
lowest IGP metric .
II
z
(J)
BOP routers typically receive multipl e paths to the same destination. The BOP best path algorithm
is used to determin e which path is best to install in the BOP routing table.
By the end of this lesson, you should be able to meet the following
objectives:
Compare OSPF , IS-IS, and BGP
Describe OSPF area types
Describe IS-IS routing levels
Describe the BGP
II
z
(J)
><
::0
o
c
~
:::J
(C
Lesson 2:
NSX Logical Router
By the end of this lesson, you should be able to meet the following
objectives:
Describe the role of the distributed logical router
Deploy a distributed logical router
II
z
(J)
><
::0
o
c
~
:::J
(C
Router
Endpoint
These tasks are performed by the router that allows the routing between different nodes without
broadcasting all traffic to all nodes.
Series Central
II
z
(J)
><
::0
o
c
~
:::J
c.c
In addition to being linked to endpoints in a local network, the router can be linked to other routers .
Nodes that are separated by distance communicate with each other witho ut extending miles of
network cables. Placing a router at each group of endpoints and running a single line from router to
router is a practica l solution . Rout ers can be chain ed in series , or connected by a centra l router.
Use Cases
MM ' Optimize routing and data path in virtual
networks
' Supports single tenant or multitenant
deployment models
Routin g between virtual networks, layer 3 is distributed in the hypervisor. The distributed logical
router optimizes the routing and data path, and supports single-tenant or mult itenant deployments.
For example, a network that contains two VNls that have the same IP address ing. Two different
distribut ed routers must be deployed with one distribut ed router conn ecting to tenant A and one to
tenant B.
Packet is
delivered to the
gateway interface
VM on green logical t:l~ ii for routing.
switch communicates
with VM on red logical ..... "" ,
switch.
Edge/Managemen
fter the Routing decision ,
Rack l
~
~
r
Frame delive red
o the destinatio
II
z
(J)
network to the VTEP ><
gateway IP of green ::0
logical switch. o
> c
~
VXLAN Transport Network :::J
(C
Without the distributed router, routin g is done in one of the following ways:
A physical appliance is used. All traffic has to go to a physical appliance and come back
regardless of whether the virtual machin es are on the same host.
Routing is perform ed on a virtual router such as the VMwa re NSX Edge" gateway. This
method uses a virtual machine runnin g on one of the hosts to act as the router.
If virtual machin es runnin g on a hypervisor are connected to different subnets, the communication
between these virtual machines has to go throu gh a router. This nonoptimal traffic flow is sometimes
called hairpinning.
The example in the slide illustrates the traffic flow without the distributed logical router:
1. A virtual machine on the first VMware ESXi host wants to communicate with a virtual
machin e on the same ESXi host. The two virtual machines are on separate subnets.
2. A frame is sent by the green virtual machine to the distributed switch. Because the virtual
machin es are on different subnets, the host forwards the frame to the default gateway.
3. The frame is received by the ESXi host that is hosting the NSX Edge gateway.
4. The packet is delivered to the NSX Edge gateway for routin g.
WebVM AppVM
VXLAN 5001
VLAN
Router Instance 2
II
z
(J)
AppVM
><
::0
o
c
~
:::J
(C
VLAN 10 VLAN 20
The distributed logical router rout es between YXLAN subnets. Two virtual machin es might be on
the same host and the Web YM on YXLAN 500 I might want to communicate with the App YM on
YXLAN 5002. The distributed logical router routes traffic between the two virtual machin es on the
same host.
The distributed logical router can also route between physical and virtua l subnets.
NSX
Co ntrolle r
Cl u-ster
VMware NSX Manager" configures and manages the routing service. During the configuration
process, NSX Manager deploys the logical router control virtual machine and pushes the logical
interface configurations to each host through the control cluster.
The logical router control virtual machine is the control plane component ofthe routin g process. The
logical router control virtual machin e supports the OSPF and BGP protocols.
The logical router kernel module is configured as part of the preparation through NSX Manager. The
kernel modul es are similar to line cards in a modul ar chassis supporting layer 3 routing. The kernel
modul es have a routing inform ation base that is pushed through the VMware NSX Controller"
cluster. The kernel modul e performs all the data plane functions of route lookup and Address
Resoluti on Protocol (ARP) entry lookup.
The NSX Controller cluster is responsible for distributing routes learned from the logical router
control virtual mach ine across the hypervisors. Each control node in the cluster takes responsibility
for distributing the information for a particular distributed logical router instanc e. In a deployment
where multipl e distributed logical router instances are deployed, the load is distributed across the
NSX Controller nodes .
The distributed logical router instance owns the logical interfaces (L1Fs):
IP addresses are ass igned on the L1Fs .
Multiple L1Fs can be configured on one distributed logical router instance.
The L1F configuration is distributed to every host.
An ARP table is maintained per L1F.
The virtual MAC (vMAC) is the MAC address of the L1F:
vMAC is the same across all the hosts and it is never seen by the physical
netwo rk, only by virtual machines.
Virtual machines use the vMAC as thei r default gateway MAC address .
The physical MAC (pMAC) is the MAC address of the uplink through
which traffic flows to the physical network:
II
z
(J)
><
For VLAN L1Fs the pMAC is seen by the physical network. ::0
o
c
~
:::J
(C
The distribu ted logica l router owns the logical interface (LIF). This concep t is simi lar to interfaces
on a physical router. But on the distribu ted router, the interfaces are called LIFs. The LIF connects to
logical switches or distributed port groups. A distributed logical router can have a maximum of
1,000 LIFs . For each segment that the distrib uted logical router is connected to, the distr ibuted
logical router has one ARP tab le.
The media access control (MAC) addresses in this environment are the virtua l MAC (vMAC)
addresses and the physical MAC (pMAC) addresses. If a LIF connects to a logical switch, the
virtual machines use the MAC addresses associated with that LIF as their next hop for the default
gateway. When a virtua l mach ine does an ARP request, the virtua l machine's MAC address is called
a vMAC. A virtual machine 's vMAC is never stored in the MAC table of a physical switch because
the virtua l machine's vMAC address is interna l to the VXLAN domain. Every host running the same
distributed logical router instance presents the same vMAC for each LIF to the virtual machines in
the logical switc h.
If an interface on the distrib uted logical router connects to a distrib uted port group , the distributed
router might talk to a physical entity by using the source MAC address . So a physica l switch sees
the pMAC and has the pMAC in the MAC table .
The distributed logica l router is connec ted to a port group that gives access to the physical network.
The physical network might not be able to determine which of the different hosts own the MAC
address for that VLAN LIF at any point in time . To overcome this problem, each host has its own
pMAC address for the VLAN LIF, but only one host responds to ARP requests for the VLAN LIF.
The host that responds to the ARP requests for the VLAN LIFs is called the designated instance and
this host is chosen by NSX Controller. The designated instance also sends ARP requests on behalf
of all other hosts . All ingress traffic to the VLAN LIF is received by the designated instance. All
egress traffic from the VLAN LIF leaves the originating host directly without going through the
designated instance.
If the VXLAN LIF connects to a VXLAN port group or logical switch, the LIF has a vMAC that is
used by all hosts. No designated instance exists because the vMAC is never visible in the physical
network.
You can have only one VXLAN LIF connecti ng to a logical switch. Only one distributed logica l
router can be connected to a logical switch.
When a distributed logical router is deployed, the logical router control virtua l machine is also
deployed. The logical router control virtua l machine handles all control plane communications for
the distributed logical router. To enable high availability, deploy two logical router control virtual
machines and designate one as active and one as passive. If the active logical router control virtual
machine fails, the passive logical router contro l virtual machine takes 15 secon ds to take over.
Because the control virtual machine is not in the data plane, data plane traffic is not affected.
Controlling high availability resu lts in the addition or remova l of additional logical router control
virtual machines. When high availability is enabled, NSX Manage r enables the VMwa re vCenter
Server" system to deploy another logical control router virtua l machine. The logical router control
virtua l machine handles the OSPF and BOP protocols. So without a passive logical router control
virtual machine, you might lose neighbor adjace ncies if the active logical router control virtual
machine has a problem.
<--
Control plane protocol
Control
Provides OSPF route updates
Plane to other routers (peering)
---- - - _.-- - ----- ----- ---- - --- -- ------ - ---- ---- - - ---- _.- --- - -------- -- - ----- -- --- - -- ----- - - - --- - - - - - - - ----- - - - -- --
The physical rou ting takes
NSX Virtual Sw itch NSX Edge place in the data plane
ESXi
The logical router control virtual machine is a control plane component and does not perform any
routin g. The routin g is performed in the data plane by the distributed logical router.
The logical router control virtua l machine's function is to establish routing proto col sessions with
other routers. An IP address called the Protocol Address is assigned to the logical router control
virtual machin e. This address is used to form adjacencies with peers.
The firewall installed to the distributed router does not do East-West traffic filtering. The firewall is
strictly present to protect the logical router control virtual machine.
II
machine. The protocol address is
used for contro l communication .
To support OSPF, the logical router control virtual machine must have a connection in the segment
as the LIF of the distributed router. OSPF configuration requires the following IP addresses:
An IP address for the uplink LIF on the distributed router for data plane communications.
An IP address used exclusively for control conversations to the logical router control virtual
machin e. This IP address is used by the control virtual machine to talk OSPF neighbor
adjacencies and update the routin g table. The control virtual machine also does BOP across this
IP address.
These machines do appear as virtual machines in the vCenter Server system inventory. These
machin es should only be manipulated from the Network and Security view of the VMware
vSphere Web Client, and never from VMs and Templates or other views.
OSPF :
VLAN VX LA N
Uplink Uplin k
BGP 'of
'"fJ\....;...------...Oist ributed Logical Router
tor'tl~ ---
- - - - -10 ESe ES'- - - - - -.
Web App DB
The diagram shows a distributed logical router connected to multiple logical switches. These
switches can be VXLANs. An up link can be added and converted to a VLAN uplink by connecting
the uplink to a port group . After the uplink is connected, a designated instance is chosen and
connected to the phys ical network.
You can put an NSX Edge instance between the physical and the logical router. VMware
recommends this design. If you are deploying and NSX Edge instance, do not use a VLAN LIP. Use
a VXLAN LIF. Use a VLAN LIF only if you must go direct ly outside. If you use VXLAN with the
edge , no designated instance exists and every router can directly forward traffic.
logical networks I
: (OSPF, IS-IS, BGP)
't'
Perimeter NSX Edge
Transit Uplink1 Transit Uplink3
,,,- - - - - - - - - - - - - - -
II
~
,,,
Dynamic Routing
(OSPF, BGP)
~ z
(J)
><
::0
o
c
~
:::J
c.c
The topology needs firewa lling at the perimeter to restrict access between the distributed routers. On
each distr ibuted router, firewa ll rules only allow traffic between certa in devices and selected traffic
on the outside.
The topology can easily be converted to a multitenancy configuration by inserting an NSX Edge
instance above each of the three logical routers . The original NSX Edge instance becomes the
perimeter NSX Edge instance that is shared by the three NSX Edge instances . The NSX Edge
instances allow each tenant their own config uration. Often , the NAT dev ice also belongs to the
tenant.
L1 F1
Internal L1Fs
L1F2
L1F1 : 192.168. 20.1 ~
L1F2 : 192.168.10.1
vMAC
Host 1 Host 2
DA: MAC2
SA: vMAC
Ho st 1 _-.III~ Host 2
In the example, virtual machin e I (VMI ) on VXLAN 500 I attempts communication to virtual
machin e 2 (VM2) on VXLAN 5002 :
1. VM2 is on a different subnet. So VM I sends the frame to the default gateway.
2. The default gateway sends the traffic to the router and the router determin es that the destination
IP address is on a directly conn ected interface.
3. The router checks its ARP table to obtain the MAC address of the destination virtual machine.
But the MAC address is not listed. The router sends the frame to the logical switch for VXLAN
5002.
4. The source and destination MAC addresses on the internal frame are changed. So the
destination MAC address is the address for VM2 and the source MAC address is the vMAC
LIF for that subnet. The logical switch in the source host determin es that the destin ation is on
host number 2.
5. The logical switch puts the Ethernet frame in a VXLAN frame and sends the frame to host 2.
6. Host 2 takes out the layer 2 frame, looks at the destination mac address, and delivers it to the
destination virtual machine.
Ic _ O . wo.x f ~ j
U'...., HD:.~ 1 1t1 ' ' ' ,H! . 1 -,
1lI--
....--....... ""-h
-
l ~ "'I1 """'"
N.... NSl(Edge
~ o.. ~_
... --.... 6 Ready to c OfIJlIlel e
.-.....-
~, o Ena ble Hi gh AlIailabilily
i:3 ~""" ~
.... -...,
~tffDC llan~
Name -l I
Hostname I I
De5wpbQn
I I
't enant I I
, .. ~
vNIC#
Name *'li,.,..,_
:': .,....--",.,..,.,.... ~
Type: o Internal G Uplink
Connected To Select Remove
Connectiii ty Status Connected 0 Disconnec ted
"" x
II
Prima ry IP
MAC Addresses
Add Subnet
o '---------'1 0 Ca ncel I
II
z
(J)
><
::0
o
c
~
:::J
(C
II
z
(J)
><
::0
o
c
~
:::J
(C
Lesson 3:
Layer 2 Bridging
II
z
(J)
><
::0
o
c
~
:::J
(C
By the end of this lesson, you should be able to meet the following
objectives:
Describe layer 2 bridging between VXLANs and VLANs
Describe the traffic flow between VXLAN and VLAN
Configure layer 2 bridging
Distributed Router
II
z
(J)
><
::0
o
ESXi Host c
~
Designated Instance :::J
(C
VXLAN 973729
You create a layer 2 bridge between a logical switch and a VLAN , which enables you to migrate
virtual workloads to physical devices with no effect on IP addresses. A logical network can leverage
a physical gateway and access existing physical network and securi ty resources by bridging the
logical switch broadcast domain to the VLAN broadcast domain.
Bridging can also be used in a migration strategy where you might be using P2V and you do not
want to change subnets.
VXLAN to VXLAN bridging or VLAN to VLAN bridging is not supported. Bridging between
different data centers is also not supported. All participants of the VLAN and VXLAN bridge must
be in the same data center.
The layer 2 bridge runs on the host that has the NSX Edge logical router virtual machine. The layer
2 bridging path is entirely in the VMkernel. The sink port connects to the distributed port group
from the VMkernel on the distributed router. The sink port steers all traffic related to bridg ing on to
the switch . You cannot have routing enabled on those interfaces that you connect to the distributed
router.
The distrib uted router that performs the bridging cannot perform routing on that logical switc h. The
virtual machines on that switch cannot use the distributed router as their default gateway. Because
logical switches cannot be connec ted to more than one distrib uted router, those virtual machines
must have a default gateway. The default gateway must be either externally in the physical network
or in an appliance, such as the NSX Edge gateway. The NSX Edge gateway must be connected to
the logical switc h on the port group .
The host where the logical router control virtual machine runs is
selected as the designated instance to perform the VXLAN to VLAN
bridging function:
The bridge instance sends a copy of learned MAC address table entries
to the NSX Controller.
If the bridge instance fails, the control virtual machine pushes a copy of
the MAC address table to the new designated instance.
If every host is allowed to go directly to the physical network with the broadcast traffic, the network
might be overwhelmed. So one of the hosts is chosen as a bridge instance. NSX Controller chooses
a host to be the brid ge instance. The bridge instance is usually the host that is runnin g the logical
router controller.
If the brid ge instance fails, the NSX Controller instance pushes a copy of the media access control
(MAC) address table to the new bridge instance to keep it synchronized.
VXLAN 5001
In the example, a logical distributed router controller has failed and NSX HA is enabled. When the
bridge instance fails, the bridge instance is moved to the new active host and gets the physical MAC
addresses that were on the failed bridge instance. You can have multiple bridges on the same logical
router.
Traffic flow from the VXLAN to the VLAN through the bridge instance.
ARP Request
,
192.168 .100.4
~
VM1 VM2 VM 3
V NI50001 1
VXLAN SW01 VLAN100
VTEP 1 VT EP 2
Physical Host
vLan 100
192 .168 .100.4
In the example, VM2 wants to communicate with a physical host on VLAN 100. ESXi host numb er
3 is the bridge instance.
Latency and CPU usage comparable with standard VXLAN.
Loop prevention:
Only one bridge active per VXLAN-VLAN.
II
z
(J)
Detect and filter if the same packet is received through a different uplink ><
::0
by matching MAC address . o
c
~
:::J
(C
A bridg e instance is assigned to the ESXi host that runs the logical distributed controll er. If you have
to use multipl e bridges, consider usin g multipl e distributed routers so that the bridge instances can
be spread out among the different ESXi hosts to get greater throughput.
The VLAN-VXLAN logical switch must be on the same distributed switch. The port group that you
are bridging must have a VLAN numb er associated with it.
You must consider the throughput that goes throu gh the designated instance and also the latency.
Because all the bridge traffic is hairpinn ed to the bridge instance, you should only have one bridge
from VXLAN to VLAN to avoid loops.
Detect and filter is a function of the brid ge instance to ensure that duplic ate packets are not coming
through.
Layer 2
Network
Port, MACl
The exampl e is a packet walk of an Address Resolution Protocol (ARP) requ est from a virtual
machin e to a physic al host on the network. In the example, the virtual machine on this VXLAN
segment attempts to contact this physical host for the first time:
1. The ARP request from VM I comes to the ESXi host with the IP addre ss of a host on the
physical network.
2. The ESXi host does not know the destination MAC addre ss. So the ESXi host contacts NSX
Controller to find the destination MAC address.
3. The NSX Controller instanc e is unawar e of the MAC address. So the ESXi host sends a
broadcast to the VXLAN segment 500 I.
4. All ESXi hosts on the VXLAN segment receive the broadcast and forward it up to their virtual
machines.
5. VM2 receives the request becaus e it is a broadcast and disregards the frame and drops it.
6. The designated instance receives the broadcast.
7. The designated instanc e forwards the broadcast to VLAN 100 on the physical network.
II
z
(J)
><
::0
o
c
~
:::J
(C
MAC3
IP3 MAC3
DA~
o ~~ ;;':';''-_ _
Port 1 MAC1
Port 2 MAC3
The slide shows an example of the response from the physical host back to the virtual machine:
1. The physical host creates an ARP response for the machine. The source MAC address is the
physical host's MAC and the destination MAC is the virtual machine's MAC address.
2. The physical host puts the frame on the wire.
3. The physical switch sends the packet out of the port where the ARP request originated.
4. The frame is received by the bridge instance.
5. The bridge instance examines the MAC address table, sends the packet to the VNl that contains
the virtual machine's MAC address, and sends the frame. The bridge instance also stores the
MAC address of the physical server in the MAC address table.
6. The ESXi host receives the frame and stores the MAC address of the physical server in its own
local MAC address table.
The virtual machine receives the frame.
MAC3
8i
'"
5001 IP3 MAC3
II
z
(J)
DA~ '-:":":':;;~:":':" _
><
::0
o
c
~
Port 1 MAC 1
:::J
Port2 MAC3 c.c
The example shows the traffic flow from the virtual machin e to the physical server after the initial
ARP request is resolved:
1. The virtual machine sends a packet destined for the physical server.
2. The ESXi host locates the destination MAC address in its MAC address table.
3. The ESXi host sends the traffic to the bridge instanc e.
4. The bridge instance receives the packet and locates the destination MAC address.
5. The bridg e instance forwards the packet to the physical network.
6. The switch on the physical server receives the traffic and forwards the traffic to the physical
host.
The physical host receives the traffic.
MAC3
Layer 2
Network
The slide shows an example of an ARP request from a physical host on a VLAN to a virtual
machine on VXLAN :
1. An ARP request is receive d from the physical server on the VLAN that is destined for a virtual
machine on the VXLAN through broadcast.
2. The frame is sent to the physical switch where it is forwarded to all ports on VLAN 100.
3. The ESXi host receives the frame and passes it up to the bridge instance.
4. The bridge instance receives the frame and looks up the destination IP address in its MAC
address table.
5. Because the bridge instance does not know the destination MAC address, it sends a broadcast
on VXLAN 500 1 to resolve the MAC address.
6. All ESX i hosts on the VXLAN receive the broadcast and forwar d the frame to their virtual
machines.
VM2 drops the frame, but VM 1 sends an ARP response.
II
z
(J)
><
::0
o
c
~
:::J
(C
By the end of this lesson, you should be able to meet the following
objectives:
Describe layer 2 bridging between VXLANs and VLANs
Describe the traffic flow between VXLAN and VLAN
Configure layer 2 bridging
Lesson 4:
NSX Edge Services Gateway
II
z
(J)
><
::0
o
c
~
:::J
(C
By the end of this lesson, you should be able to meet the following
objectives:
Deploy NSX Edge gateway
Deploy OSPF on NSX Edge
II
z
(J)
><
::0
o
Physical Network
---- c
~
:::J
c.c
NSX Edge supports OS PF, an lOP that routes IP packets only in a single routing domain. NSX Edge
gathers link state information from avai lable routers and constructs a topology map of the network.
The topology determines the routing table presented to the Internet layer, which makes routing
decisions based on the destination IP address found in IP packe ts.
Firewall Overview
Load balancer
Integrated L3 to L7 services
VPN Virtual appliance model to
Routing and NAT provide rapid deployment and
scale-out
DHCP and DNS relay
Benefits
Several perimeter services are available for the NSX Edge gateway. These services are not
embedded in the distributed router. NSX Edge gateway is a virtual machine that has one interface
connected to the virtual mach ine segment through logical switches or distributed and standard port
groups.
These services are meant to work in environments where a third-p arty solution might not exist.
Sometimes a third-p arty solution might be more effective than NSX Edge service because that
solution is a dedicated device and not a multipurpose device like NSX Edge . All of these services
can be disabled to allow a third-party solution to be deployed.
In a multitenancy environment, NSX Edge for NAT might exist if duplicate IP segments exist.
X-Large
Suitable for high performance
6vCPU layer 7 load balancer
8192 MB vRAM
Quad-Large
Suitable for high
4vCPU
II
performance firewall and
1024 MB routing
vRAM
Large
2vCPU z
(J)
1024 MB vRAM ><
::0
o
Compact c
~
:::J
1 vCPU , 512 MB vRAM c.c
When NSX Edge gateway is deployed, the wizard asks for the desired size. If a gateway with the
wrong size is deployed, the gateway can be replaced with minim al effort by deploying a new NSX
Edge gateway. The existing NSX Edge gateway is removed and an NSX Edge gateway with the
desired size is created. The configuration from the old NSX Edge gateway is applied by NSX
Manager to the new NSX Edge gateway. The name of the new NSX Edge gateway instance is
different.
A service interruption might occur when the old NSX Edge gateway instance is remove d and the
new NSX Edge gateway instance is redeployed.
F ire w all 5-Tuple rule configuration with IP, port ranges, grouping objects .
Rou ting Static and dynamic routing protocols support (OSPF, BGP, IS-IS).
Load Balancing Configure virtual servers and backend pools using IP addresses or VC objects.
Site-to-Site V PN IPsec site-to-site VPN between two NSX Edge instances or other vendor VPN terminators .
SS L V PN Allow remote users to access the internal networks behind NSX Edge gateway
High Availabi lity Active-Standby HA capability that works with VMwa re vSphere High Availability.
Traditional firewalls operate by applying a set of rules containing a few criteria including source IP
address and port , destination IP address and port, and protocol. Advanced third-p arty firewalls have
a few additional options. In addition to the traditional criteria, the NSX Edge firewall, NSX Edge, or
Distributed Firewall, can use additional vSphere criteria. The vSphere criteria include resource
pools, clusters, networks, and many other metadata details from the vCenter Server system.
II
z
(J)
><
::0
o
c
~
:::J
(C
6 firewllll and HA
Connected To I I Sele ct Remove-
7 Ready-In complete D Enable High AvailaPill1y ccn nectrofv Status Connecteo o Disconnected
Configure subnets
Nam e
Hostname
- , Perimeter G alew~
[
IPAdd,u .
X
Subn.t P.. ~ ~ L ongltl
nescnou on
II
I
Tenant I MAC Addresses I I
You can speclflo' a MAC address or leaveit blank for auto ueneranon In
case ofHA, fWQ dltrerent MAC addresses ere required
,
MTU r 500 ,
~
z
N,~ --
Cancel
Options
Fence Parameters
o
[
En able Pr o)(\{ARP 0 Se nd le MP Re dire ct
, (J)
><
::0
Example: ethernellJ.f111er1pa raml"'t o
c
~
~ I c'""' : ~ :::J
c.c
+
Global Cnnfi quratie n
Typ@ NebAlork Next Hop Interrace MTU
Static Routes
internal_high 1 0 10.10 0/ 2 4 10 .9 9 .2 Uplink-lntel1ace
OSPF user 1 0 10.7.0/ 2 4 1 0. 7 7 . 2 Uplink-Interface 1500
BGP user 1 0 10.9.0/ 2 4 10 . 5 5 . 2 Tran sit-Interfac e 1500
1515
Route Redistrihution
IS-IS
Descriptio + I EditDynamicRouting Configuration
vNIC
RouteRedistribution
DynamicRl:
Uplink-Interface Router 10 : * [ Uplink-Interface - 1... I I
II
Trans it-Interfa ce
G"l Enable 08P F
Router 10:
11 Enable BGP
08PF :
f"J Enable 18-18
BGP:
D Enable Logging
18-18 :
Log Level: I I_
nl_
O ~_
z
(J)
Logging: o ><
LogLevel: ::0
I Save II Cancel L o
c
~
:::J
(C
II
z
(J)
><
::0
o
c
~
:::J
(C
Module 5
II
z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Course Introduction
NSX Networking
NSX Routing
NSX Security
The services gateway gives you access to all VMware NSX Edge
services such as firewall, network address translation (NAT),
Dynamic Host Configuration Protocol, virtual private network (VPN),
load balancing, and high availability.
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Lesson 1:
NSX Edge Network Address Translation
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
By the end of this lesson, you should be able to meet the following
objectives:
Determine when to use a destination network address translation rule
and a source network address translation rule
Add an internal interface to the NSX Edge gateway
Create a destination network address translation rule to enable inbound
access from an external source by translating a public IP address to a
private IP address
Create a source network address translation rule to translate a private
IP address to a public IP address for outbound traffic
Hosts assigned with private IP addresses cannot communicate with other hosts through the Internet.
The solution to this problem is to use network address translation (NAT) with private addressi ng.
II
z
(J)
X
VMware NSX Edge" provides NAT service to assign a publi c address to a computer or group of m
0..
(Q
computers in a private network . Using this technology limits the numb er of public IP addresses that CD
an organization or company must use, for econo my and security purposes. (J)
CD
You must configure NAT rules to provide access to services running on privately addressed virtual
<:
n"
CD
machines. The NAT service config uration is separate d into source NAT and destination NAT rules. rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
VM VM VM
192.168.1.2
192.168.1 .3 192.168.1.4
Test-Network
192.168.1.1
NSX Edge Gateway
External-Network
Source NAT is used to translate a private internal IP address into a publi c IP address for outbo und
traffic. In the slide, NSX Edge gateway is translating Test-Network using addresses 192.168.1.0
through 192.1 68.1.24 and 10.20.181.171. This technique that the source NAT uses is called
masquerading. In this type of source NAT, the whole Lab-Network behind the NSX Edge gateway is
masquerading as a single host with IP address 10.20.18 1.171. You can also use the primary IP
address 10.20.1 81.170 as the source NAT translated IP address .
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Summary
______ o_n_i
lo_r_ l t.1anage l _
_ a_1I " " ' - _ - - - J L - _ . l -_ _~
( Settings l_F_ir_ew "___ __L_
Gr
o Uplink-Interlace 1192.168.100.10 I
To add a second IP address to the already-defined subnet for the external interface
1. In the VMwa re NSX Manager" page, select Edges and double-cli ck edge-I to display the
management page for HQ-E dge .
2. Select Configure > Interface s to display the list of interfaces.
3. Click the Ed it (pencil) icon to add the second IP address .
The second address is used to define both destination NAT and source NAT rules.
VM VM VM
192.168.1.2
192.168.1.3 192.168.1.4
Test-Network
192.168.1 .1
External-Network II
z
(J)
X
Destination NAT is commonly used to publish a service located in a private network on a publicly m
0..
(Q
accessib le IP address . In the example, NSX Edge NAT is publishing the Web Server 192.168.1.2 on CD
an externa l network as 10.20.181.171. You can also use the primary IP address 10.20.181.170 as (J)
CD
destination NAT. <:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
You can create a destination NAT rule to map a public IP address to a private internal IP address .
The rule translates the destination IP address in the inbound packet to an interna l IP address and
forwar ds the packet.
The original (public) IP address must be added to the NSX Edge interface on which you want to add
the rule, that is, on the external interface.
~==~
Tran slated Port/Range : I-1
2. Enable the rule in the dialog box Description"
or after the rule is added. _ _ _I
D Enabled
3. Enable logging while testing D Enable loggin g
the rule.
OK I[ Cancel I,
II
z
(J)
X
To create the destination NAT rule m
0..
(Q
CD
1. In the NSX Edge management page, doubl e-click the NSX Edge instance that handles the NAT (J)
operations. CD
<:
2. Click the NAT tab. n
CD
rJl
In the slide, the rule is configured for the HQ- Edge instance. G)
til
......
CD
3. Click the Add icon and select Add DNAT Rule. stil
'<
In the Add DNAT Rule dialog box, configure the following settings : "Tl
CD
til
The interface on which to apply the destination NAT rule, for example, External. ......
C
.....
CD
The drop-d own menu displays the names of all 10 interfaces for this NSX Edge instance, rJl
but not in alphabetical order.
The original (public) IP address in one of the following formats:
IP address: 192.168.10.1
IP address range: 192.168.10.1-192.168.10.10
IP address/subnet: 192.168.10. 1/24
UDP
TCP
Any
The origina l port or port range:
Port number: 80
Port range: 80-85
Any port
Tran slated IPlran ge: Th e trans lated IP address is in one of the form ats listed for the original
(public) IP address.
Tran slated Port/ran ge: Th e transl ated port rang e, as described for the original port or port
range .
o Enabled
o Enable logging
OK I[ Cancel L
address must be added to the NSX Edge interface on which you want to add the rule. The IP address
<:
n"
CD
formats are the same formats that are used for the Add DNAT Rule choices. The source NAT rule rJl
Destination
Address
Source Destination
Port Port
Original PortlRange:
1 1 1
OK II Cancel I, Translated IP/Range: >I< I I
Translated PortiRange:
1 1 1
Descnptron:
1_ _ 1
o Enabled
o Enable logging
OK II Cancel I, II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
.....
til
CD
stil
'<
"Tl
CD
.....
til
C
....
CD
rJl
(iiOO;; ; ,
Use destination NAT and source NAT rules to establish a one-to-one relationship
between the IP address of a Web server on an internal subnet and an IP address
in an externally accessible subnet
1. Prepare for the Lab
2. Verify Non-Translated Packet Addressing
3. Configure an AdditionallP Address on the Uplink Interface of Perimeter
Gateway
4. Configure a Destination NAT Rule
5. Test Connectivity Using the Destination NAT Translation
6. Verify Non-Translated Packet Addressing Before Defining a Source NAT Rule
II
7. Configure a Source NAT Rule
8. Test Connectivity Using the Source NAT Translation
9. Use What You Have Learned
z
(J)
10. Clean Up for the Next Lab X
m
0..
(Q
CD
(J)
CD
<:
0'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Lesson 2:
NSX Edge Load Balancing
By the end of this lesson, you should be able to meet the following
objectives:
Describe the NSX Edge load balancing
Configure load balancing
Compare one-armed load balancing to inline load balancing
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
The NSX Edge load balanc er enables network traffic to follow multiple paths to a specific
destination. The NSX Edge load balancer distributes incoming service requests evenly among
multiple servers in such a way that the load distribution is transparent to users. Load balancing thus
helps in achieving optimal resource use, maximi zing throughput, minimizing response time, and
avoiding overload. NSX Edge provides load balancing up to layer 7.
In the example in the slide , access to the Web server network is load balanced.
The load balancer does not do global balancing, but it does local load balancing. If multiple virtual
machines provide a Web service , the NSX Edge load balancer can provide load balancing across
those virtual machines. One of the virtual machines being load balanced might become unreachable,
or the service might become unresponsive. The load balancer service detects that condition and
removes that Web server from the load balance rotation.
Clients do not open a Web browser and go to the IP address of the Web server. Instead, the client
points to an IP that is owned or hosted by the load balanc er itself. The load balancer redirects the
client traffic by changing the destination IP address. The load balancer 's IP address is chang ed to the
IP address of the Web server that was selected to establish your session. The IP address that was
used by the client to connect to the Web site is called the virtual IP (vIP).
Features
Modes
One-arm mode
Inline mode
II
z
(J)
><
The load balanc er accepts TCP, HTT P, or HTTPS reques ts on the externa l IP ad dress and decides m
0..
(Q
w hich internal server to use. CD
(J)
You can ad d a server pool to manage and share backend servers flex ibly and efficient ly. A pool CD
manages load balance r distributi on meth od s and has a service mo nitor attac hed to it for health check
<:
0'
CD
parameters. rJl
G)
Implement ation models for load ba lanc ing can eithe r be one -arm or inline. til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Layer 7 load balancing combines standard load balancing features for specific types of content. An
application delivery network can be optimized to serve specific types of content. For example, data
security, such as data scrubbing, is likely not necessary for l PG or GIF images , so the scrubbing
might be applied to only HTML and PHP.
The one-arm load balancer mode is also called proxy mode. The NSX
Edge gateway uses one interface to advertise the viP address and to
connect to the Web servers.
Design considerations:
Increases the number of NSX Edge appliances deployed
Client IP address is not preserved :
Web traffic can use the x-forward ed-for HTTP header
II
z
(J)
X
The one-arm load balancer has several advan tages and disadvantages. The advantages are that the m
0..
(Q
design is simple and can be deployed easily. The main disadvantage is that you must have a load CD
balancer per segment, leading to a large number of load balancers. (J)
CD
<:
The one-arm implementation uses the HTTP X-Forwarded-For standard to redirect traffic to a n
CD
different IP address . rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
__ ~Ojl~~ ~e~~o!:..k ~ _
---------- ..... ,
I
I
~
Router: NSX Edge ,
or Distributed I
I
Router (Layer 3) I
I
I
I Source NAT I
I
I
+ -:-jtt~==1~=1if~
0'
Destination NAT
I
I
I
~ NSX Edge Router ,
" Load Balancer I
---------------------------------~
In the one-ann design, when you deploy the NSX Edge instance, the interface advertises the vIP.
This vIP is the IP address that clients use to reach the load balanced servers. When traffic reaches
the vIP, the destination IP address is changed to the Web server IP address. This IP address is sent to
the Web server that is chosen by the load balancer. The NSX Edge instance uses NAT to change the
source IP address of the requestor to an IP address on the same subnet as the vIP. So when the Web
server replies, it is replying to the translated IP address on the NSX Edge load balancer. The NSX
Edge instance does the reverse NAT and sends the traffic back to the requestor.
In this design, the load balancer has to be on the same segment as the Web servers to which it is
providing the load balancing service.
If you do not use NAT to change the source IP address, the virtual machines reply directly to the
requestor and use their source IP address instead of the vIP. The requestor does not recognize the
serve r and discards the traffic.
Inline load balancer mode is also called transparent mode. The NSX
Edge gateway uses the following distinct interfaces:
An interface to advertise the viP address
An interface to connect to the Web servers
Design considerations:
Client IP address is preserved
An NSX Edge gateway must exist and the Web servers must point to
the NSX Edge gateway as the default gateway.
II
z
(J)
X
Inline proxy is another design option. The advan tage is that the client IP address is preserved m
0..
(Q
because the proxies are not doing source NAT. This design also requires fewer load balancers CD
because a single NSX Edge instance can service multiple segments. (J)
CD
With this configuration, you cannot have a distr ibuted router beca use the Web servers must point at
<:
n'
CD
the NSX Edge instance as the default gateway. rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Logical network
I
;--------------
NSX Edge Router
,
\
I (Destination NAT) (Layer 3 + Load Balancer) I
I
I
I
I
I
I
I
I
I
I
I
I
I
, /
J
,-------------------------------,
The inline proxy design is similar to the traditional firewall design. The device has at least two
interfaces. The vIP resides on the external interface. The internal interface is connected to the
segment for the Web servers. In this model the only IP address that uses NAT is the destination IP
address. The vIP is changed to one of the virtual machine IP addresses. The load balancer perform s
a hashing algorithm to decide which of the Web servers gets that traffic.
You must not change the source IP address because you must set up your Web serve rs to use your
NSX Edge instance as the default gateway. Traffic comes back the same way so that externa l IP
address can remain.
o Transparent
Cipher
~~
[ OK I[ Can cel
L
II
z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
11
CD
til
......
C
.....
CD
rJl
Edll ProfIle
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Lesson 3:
NSX Edge High Availability
By the end of this lesson, you should be able to meet the following
objectives:
Explain benefits of stateful high availability
Configure the high availability service
Test and verify the high availability service before placing the service in
production
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
NSX Edge high availability (HA) ensures that an NSX Edge appliance is always available by
installing an active pair ofNSX Edge gateways on your virtualized infrastructure . You can enable
high avai lability either when installing NSX Edge or on an installed NSX Edge instance.
The primary NSX Edge appliance is in the active state and the secondary app liance is in the standby
state . NSX Edge replicates the configuration of the primary appliance for the standby appliance or
you can manually add two appliances. VMware recommends that you create the primary and
secondary applianc es on separate resource pools and datastores. If you create the prima ry and
secondary appliances on the same datastore, the datastore must be shared across all hosts in the
cluster. Thus, the high avai lability app liance pair can be dep loyed on different VMware ESXi
hosts . If the datastore is a local storage , both virtual mach ines are deployed on the same host.
Heartbeat
--- Data Synchronization
NSX Manager manages the lifecycle of both peers and pushes user configurations because they are
<:
n"
CD
connected to both NSX Edge instances simultaneously. rJl
G)
NSX Edge pushes runtime state inform ation to the standby, such as VMware vCenter Single Sign- til
......
CD
On" information. stil
'<
NSX Edge HA peers communicate with each other for heartbeat messages and runtim e state "Tl
synchronization. Each peer has a designated IP address to communicate with the other peer. The IP CD
til
......
addresse s are for high availability purposes only and cannot be used for any other services . The IP C
.....
CD
addresses must be allocated on one of the internal interfaces of the NSX Edge. rJl
Heartbeat and data synchronization both use the same internal vNIC. Layer 2 connectivity is
through the same port group.
The primary NSX Edge appliance is in the active state and the
secondary appliance is in the standby state:
All NSX Edge services run on the active appliance.
The primary appliance maintains a heartbeat with the standby
appliance and sends service updates through an internal interface .
If a heartbeat is not received from the primary appliance in the
specified time, the primary appliance is declared dead and the
standby moves to the active state. The standby appliance:
Takes over the interface configuration of the primary appliance
Starts the NSX Edge services that were running on the primary
appliance
The NSX Edge gateway replicates the configuration of the primary
appliance to create the standby appliance.
The primary NSX Edge appliance is in the active state and the secondary appliance is in the standby
state. All NSX Edge services run on the active appliance . The primary appliance maintains a
heartbeat with the standby appliance and sends service updates through an internal interface.
If a heartbeat is not rece ived from the primary appliance in the specified time (default value is 6
seconds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were runnin g on the primary appliance. When the switch over
takes place, a system event is displayed in the System Events tab of Settings & Reports. Load
balancer and virtual private network (VPN) services must reestablish TCP connection with NSX
Edge, so the service is disrupt ed for some time. Virtual wire connections and firewall sessions are
synchronized between the primary and standby appliances, so that service is not disrupted during
switch over.
If the NSX Edge appliance fails and a bad state is reported, high ava ilability force-synchroni zes the
failed appliance to revive it. When the appliance is revived, it takes on the configuration of the now
active appliance and stays in a standby state. If the NSX Edge appliance is dead, you must delete the
appliance and add an appliance.
The NSX Edge appliance replicates the configuration of the primary appliance for the standby
appliance or you can manually add two appliances . VMware recommends that you create the
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
If the primary NSX Edge appliance fails, the secondary NSX Edge
detects the failure:
Default dead timer is 15 seconds:
Can be changed
Minimum 6 seconds
Secondary NSX Edge assumes the primary role:
The CLI command shows service high availability to verify primary
After secondary NSX Edge becomes primary, all new flows go
through it:
Connections must be re-established for all flows existing at the time of
primary failure .
Load balance persistence is synchronized.
If a heartbeat is not rece ived from the primary appliance in the specified time (default value is 15
secon ds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were running on the primary appliance. When the switch over
takes place, a syste m event is displayed in the System Events tab of Settings & Reports. Load
balancer and VPN services must re-establish TCP connection with NSX Edge, so the service is
disrupted for some time. Virtual wire connections and firewall sessions are synchronized between
the primary and standby appliances, so no service disrupti on occurs during switch over.
,----l I,----
I - YM - - II
,----
I - - II
,----
I -
,----
- II II -_ -_ II
I VM _ I
I _ I I v .. I I "M _ I
11'''' _
I __ I I __ I I __ I I __ I
I _ Willi I
L ___' L ___' L ___' L ___' L ___'
II
z
(J)
><
NSX Edge ensures that the two highly available NSX Edge virtual machines are not on the same m
0..
(Q
ESXi host. This feature works even after you migrate virtual machines with DRS and vSphere CD
vMotion. But this feature does not work when you manually migrate the virtual machines to the (J)
CD
same host. Two virtual machines are deployed on a vCenter Server host in the same resource pool <:
0'
and datastore as the appliance that you configured. Local link IPs are assigned to high availability CD
rJl
virtual machines in the NSX Edge HA so that they can communicate with each other. You can G)
specify management lP addresses to override the local links. til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
PlXlJ. , SSH-Web-Pool1 UP
Virtual machine Appl icat ion Health Check pOOl-2 HTTPWeb-Pool UP
has to be configured for the pool.
When setting up load balancing , you place different destination servers into different pools . Pools
includ e the virtual machin es that are hosting the Web server. When you select the pool in the
VMware vSph ere Web Client, you can see members of that pool and members that are marked as
unavailable.
The response to an ESXi host failure is the same as when the NSX
Edge primary appliance fails:
If VMware vSphere Distributed Resource Scheduler" is enabled in
the cluster, the secondary NSX Edge gateway runs in a different ESXi
host from the primary NSX Edge gateway:
Anti-affinity rules are automatically created.
II
z
(J)
X
Host failure is handled in the same way as an NSX Edge failure. The keep-alive packets between the m
0..
(Q
standby and active NSX Edge devices time out if the virtual machine fails or if the host that contains CD
the active device fails. The recovery process is the same as for NSX Edge failure. If a host (J)
CD
configured with DRS fails , the anti-affinity rule ensures that the second virtual mach ine is relocated <:
to a different host when the new virtual machin e powers on. n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
You use the load balancing from the previous lab and expand upon
it.
Genefal" CSR I?J. HI
Common Name
,
I I
OrganlzabonNam" ,, Ed~ Protile I:!
O,gamzahon UnI1 Name I Ap p P rO~ le I
Localil\" TW' o rep 0 HTTP '0 . HTIPS
State , D Enable SSLPa ssth, ough
Country I HTTPRed i'ect URL I I
hl"ssayeAlgo rrthm I RSA Pers,stence I None I- I
CookJe Name
Descnpbon
lIlod ..
+ / X
En . bl . d N.",. IP Add'.... W. ;ght Mo njl. , Po rt eo, ..... ~Co"n lA,nConn
Cipher
I I-
'"
Client Aulll enbcation [ IgnOre I- o Transparent
OD~
Configure high availability and use the NSX Edge command line to
determine current HA status and view heartbeat traffic
1. Prepare for the Lab
2. Configure NSX Edge High Availability
3. Examine the High Availability Service Status and Heartbeat
4. Force a Failover Condition
5. Restore the Failed Node
6. Clean Up for the Next Lab
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Lesson 4:
NSX Edge and VPN
By the end of this lesson, you should be able to meet the following
objectives:
Configure a layer 2 VPN on the NSX Edge gateway
Explain how an IPsec VPN enables systems at a branch location to
access systems securely on a private network at headquarters
Configure an IP address on an external interface for use by an IPsec
VPN
Configure an IPsec VPN service that connects the private networks at
two locations across the Internet
Describe the use case that SSL VPN-Plus addresses
Decide whether Web-access mode or full-access mode is optimal for a
use case
Configure the SSL VPN-Plus server settings that enable SSL on the
external interface II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Features
SSL-based
Web-proxy Support
L2 Bridge to Cloud
Broadcast support
Scale and
- - - - - - - - - - -i"lrl-- ...I..- ..I.....I Performance
High Performance:
AES-NI acceleration
2 Gb/s throughput per
tenant
Use Cases
Cloud On-boarding
Cloud Burst ing
Layer 2 VPN allows you to configure a tunnel between two sites. Virtual machines remain on the
same subnet in spite of being moved between these sites, which enables you to extend your data
center. An NSX Edge gateway at one site can provide all services to virtual machines on the other
site.
To create the L2 VPN tunnel, you configure a layer 2 VPN server and
layer 2 VPN client:
You enable the layer 2 VPN service on the NSX Edge instance and
configure a server and a client.
The layer 2 VPN server is the source NSX Edge gateway to which the
L2 VPN is to be connected.
The layer 2 VPN client is the destination NSX Edge.
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Features
Interoperable IPsec tested with major
vendors
Clients on all major os (Windows,
Apple , Linux)
Remote authentication through Active
Directory, RSA Secure 10, LDAP,
Radius
TCP Acceleration
Encryption : 3DES , AES128 , AES256
AESNI HIW Offload
NAT and perimeter firewall traversal
Use Cases
Cloud to corporate
Cloud on-boarding
Remote office or branch office
Remote management
NSX Edge supports several types of VPNs. SSL VPN-Plus allows remote users to access private
corporate applications. IPsec VPN offers site-to-site connec tivity between an NSX Edge instance
and remote sites. Layer 2 VPN enables you to extend your data center by allowing virtual machines
to keep network connectivity across geographica l boundaries.
II
z
(J)
X
NSX Edge supports certificate authentication, preshared key mode, IP unicast traffic, and no m
0..
(Q
dynamic routing protocol between the NSX Edge instance and remote VPN routers . Behind each CD
remote VPN router, you can configure multipl e subnets to connect to the internal network behind an (J)
CD
NSX Edge instance through IPsec tunn els. These subnets and the internal network behind an NSX <:
Edge instance must have address ranges that do not overlap . n"
CD
rJl
You can deploy an NSX Edge gateway behind a NAT device. In this deployment, the NAT device G)
til
......
translates the VPN address of a NSX Edge instance to a publi cly access ible address facing the CD
Internet. Remote VPN routers use this public address to access the NSX Edge instance. You can also stil
'<
place remote VPN routers behind a NAT device. You must provide the VPN native address and the "Tl
VPN Gateway ID to set up the tunn el. On both ends, static one-to-one NAT is required for the VPN CD
til
......
address. You can have a maximum of 64 tunn els across a maximum of 10 sites. C
.....
CD
rJl
IPsec is a framework of open standards. Many technical terms are in the logs of the NSX Edge
instance and other VPN appliances that you can use to troubleshoot the IPsec VPN. You might
encounter some of these standards:
Internet Security Assoc iation and Key Management Protoco l (ISAKMP): This protocol is
defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an
Internet enviro nment. ISAKMP only provides a framework for authentication and key exchange
and is designed to be key exchange independent.
Oakley: This protocol is a key agreement protoco l that allows authenticated parties to exchange
keying materia l across an insecure connection by using the Diffie-Hellman key exchange
algorithm.
Internet Key Exchange (IKE): This protoco l is a combination of ISAKMP framework and
Oakley. NSX Edge provides IKEv2.
IKE has two phases. Phase 1 sets up mutual authentication of the peers , negotiates
cryptograp hic parameters, and creates session keys. Phase 2 negotiates an IPsec tunnel by
creating keying material for the IPsec tunn el to use. Phase 2 either uses the IKE phase one keys
as a base or performs a new key exchange .
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec, it provides
origin authenticity, integrity, and confidentiality protection of packets. ESP in Tunnel Mode
encapsulates the entire original IP packet with a new packet header. ESP protects the whole inner IP
packet (including the inner header). The outer header remains unprot ected. ESP operates directly on
IP, using IP protocol number 50.
Original Data
IP Header
Encrypted
( )
Authenticated
( )
II
z
(J)
X
When a packet is processed by ESP in tunnel mode , the entire packet is surro unded by the ESP m
0..
(Q
header, ESP trailer, and ESP authentication data: CD
(J)
ESP header: Contains two fields, the SPI and Sequence Number, and comes before the CD
encrypted data .
<:
n"
CD
rJl
ESP trai ler: Placed after the encrypted data . The ESP trai ler contains padding that is used to G)
align the encrypted data through a Padding and Pad Length field. til
......
CD
ESP authen tication data: Contains an integrity check value. stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
'. '. b
'!<
The slide contains config uration examples for a basic point-to-point IPsec VPN connection between
an NSX Edge instance at headquarters and an NSX Edge instance at the remote location . VPN
gateways from Cisco, WatchGuard, and others can also be used at the remote location.
For this scenario, the NSX Edge instance at headquarters connects the interna l network,
192.168.20.0 through 192.168.20.24, to the Internet. The NSX Edge interfaces are configured as
follows:
The uplink interface is 10.15.25.13.
The interna l interface is 192.168.20.1.
The remote gateway connects the 172.16.0.0 through 172.16.0. 16 internal network to the Internet.
The remote gateway interfaces are configured as follows:
The uplink interface is 10.15.25.13.
The internal interface is 192.168.30 .1.
II
Supports certificate authentication, preshared key mode, and IP unicast
traffic.
z
(J)
X
The encryption overhead for packet traffic in a VPN application can be high. The Intel AES-NI m
0..
(Q
feature can substantially reduce the demand on the CPUs of the ESXi hosts. CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
You must configure at least one externallP address on the NSX Edge
gateway to provide IPsec VPN service: Add IPSec VP N
,+.
type of authentication , Diffie-
Hellman group, and MTU. ~~
"
Remote Desktop
,< Connection
~ ShowQpbom
With SSL VPN-Plus, remote users can connect securely to private network s behind an NSX Edge
gateway. Remote users can acce ss servers and applications in the private networks.
NSX Edge provides users with access to protected resources by establishing an SSL encrypted
tunnel between a laptop (Mac OS X or Windows) and NSX Edge.
The SSL VPN-Plus service is intended to be deployed as a substitute for more complicated IPsec
c1ient-to- site or jump serve r solut ions. SSL VPN-Plus does not support mobile clients, nor does it
deliver common end-user features such as reverse proxy, custom portal, and SSL offload.
The use cases and capabilities ofNSX Edge SSL VPN-Plus are different from capabiliti es that are
provided by Horizon" View'>' . View is the VMware comprehensive approac h to virtual desktop
infrastructure, secure mobility, and end-user remote access .
Features
Supports up to 25
users
Full tunnel client
SSL-encrypted AES,
SHA
Authentication through
Local, RADIUS , LDAP
Windows and Mac as
clients
Web browser or thick-
client choice II
z
(J)
><
NSX Edge provides administrative users with full tunnel access to protected reso urces by m
0..
(Q
establishing an SSL encrypted tunn el between a laptop (Mac or Windows) and NSX Edge . CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
The primary use case is secure remote access without the use of a
jump box.
Another use case is to secure Web access with the thick client:
In full-tunnel mode, any traffic initiated at the client is tunneled to the
SSL VPN-Plus gateway and directed to the respective networks.
No traffic is sent from the client system directly to the Internet.
Access can be enforced for the client system's local network (LAN).
The administrator can direct the traffic to a Web filtering or caching
device .
Creating a layer 2 VPN requires two NSX Edge instances with the
correct VPN configuration.
.. Chent DetaIls : ~
Server Address: I
,
Server Port
:J
Inlema l lnlertate " IWElb-TIer I. I
OescnptlOn
I I
I Fetch Status I
PrOlCVSettlngs ~ Tunnel Status
cert mcete DeCalls:
Status : ~ UP
o Validate server c ernnc ete
.,
CAC e rtlfltale
Establi shed Date : 0
"'-n HI"'.
II
Byte Received : 1876
Byte Tran sm itted : 56696
""
QQ I Can CElI JI ~ z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Pee r Id Isranch
'" IHQ I
Peer End point * 11 0 . 1 0 . 1 3 0 . 1 0 . 11 0 . 1 0 . 1 0 0 . 10 I
Endpom l should tJ;:Ja v Endpomt fjhouid be a valid IP address or let!
blank /0 repre:;;enlAN':>' blank to rep/esenlANY
Pre-Shared Key I I I
o Dis play shared key o Display sha red key
Diffie- Hei lman Group 0 DH 2 O DH5 up 0 0 H2 O OH5
[;?I En abl e perfect forw ard se crecy(PFS) [;?I Enable perfect forward secrecy(PFS)
QQ~ QQ~
RetryDuration:
s e....a r c erme ete [;?J Use Default Certificate
Lockout Duration
II
Status o Enabled 0 Disabled
o Use this setverror secondaryauthentication
rermrnate Session if authentication fails
z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Des cription D Hide SSL cnentn~rk adapter o SelVEl ' secullly certificate vahoaton
Send Traffic 0 OverTunnel 0 Bypass Tunnel ~~
~ Enable TC P Optimiz ation
Ports
staius 0 Enabled 0 Disabled
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
NSX Security
Slide 6- 1
Module 6
II
z
(f)
X
(f)
(1)
o
c
....
~
Course Introduction
NSX Networking
NSX Routing
.. . ..
~ NSX Security
z
(J)
><
(J)
(J)
o
c...,
~
Lesson 1:
NSX Edge Firewall
II
z
(f)
X
(f)
(1)
o
c
....
~
By the end of this lesson, you should be able to meet the following
objectives:
Describe where the VMware NSX Edge firewall is typically deployed
Compare the NSX Edge firewall to the distributed firewall
Configure the NSX Edge firewall rules
A logical firewall provides security mechanisms for dynamic virtua l data centers. A logical firewall
includ es components to addres s different dep loyment use cases.
The Distributed Firewall focuses on East-West access and the VMware NSX Edge" Firewall
II
z
(f)
focuses on the North -South traffic enforcement at the tenant or data center perimeter. Together, these X
(f)
components addr ess the end-to-end firewall needs of virtual data centers. You can dep loy either or (1)
both of these technologies. o
c
....
~
...... - I ~ C"
+ c..nllf.ll.03 N1u~r. C1I!f_' lno."", 14olI'~ I/iIlIMUI
.....
-;
O '
~ .
.. ,
_M
,.- -.
,-
0 '" ~ .
O ll$llI' M1 ,-an,
"<tt,t
-..
.,......
-""
~ ,
"""
The NSX Edge firewall provides perimeter security functionality including firewall , network
address translation (NAT), and site-to-site IPSec and SSL virtua l private network (VP N)
functio nality. This solution is avai lable in the virtual machine form factor and can be deployed in a
high availability mode .
Ty PE
Internal
Internal
User
Default
II
z
(f)
X
(f)
(1)
o
c
....
~
The NSX Edge firewall can filter traffic flows based on IP and
TCP/UDP header information.
The NSX Edge firewall can also filter traffic flows based on
virtualization-specific information:
Data center
Cluster
Resource pool
Port group
Logical switch
vApp
Virtual machine name
II
z
(f)
X
(f)
(1)
o
c
....
~
The rule's source and destination can include the IP address in the
packet or information provided by VMware vCenter Server, such as
virtual machine name or resource pool:
The source and destination can be compounded to include multiple
criteria.
If any of the criteria listed in the source matches, the rule is applied.
When you select a virtua l NIC (vNIC) Group, and select vse, the rule applies to the traffic generated
by the NSX Edge instance. If you selec t interna l or external, the rule applies to traffic coming from
any internal or uplink interface of the selected NSX Edge instance. The rule is updated when you
configure additional interfaces.
'"'
any O ospf:any:any
D "A'Data RecoveryAppliance
o ~ H e a rttl e a t
o ~ ll4 i co rs on Exctlange2010
D ~ M S Exchange 2010 Client Access Servers
New
Avoid specifying the source port when you create rules. Instead, you can create a service for a
protocol-port combination. II
z
(f)
X
(f)
(1)
o
c
....
~
- Add Service
Service Grou p
'~
I =====::;
Name
Descnpnon:
Protocol ITCP I I
Destination ports:
e.c.: 700 1-7020,7100,8000-9 000
.. Advanced options
So urce ports
e.a.: 700 1-7020,7 100.8000-9000
The Action option allows the rule to accept or deny the traffic:
Logging can be enabled for the rule.
Network Address Translation support can be enabled.
The rule can be applied on ingress or egress.
OK II Cancel
II
z
(f)
X
(f)
(1)
o
c
....
~
This rule se t has unsaved manges . Click on PUblish Changes button 10start deplo ying
~~
.0 X _t - . Generated rulesarecurrently shown Hiderules ISea rch I ~ C'
T..,. s.-
"" No- Des!.inelion SoM~ ActIon
The NSX Edge services gateway provides several virtual machine form
factors.
Number of NAT rules: 2,000.
II
z
(f)
X
(f)
(1)
o
c
....
~
Firewall rules are processed in order. The first rule that matches the
traffic being examined is applied and the traffic is passed or dropped.
Value: I I
eg192168200 1,192.168.200.1124, 192.166.200 .1-
192.168.200 24
Restrict the protocol.
[ OK II C ancel I
Ihttp]
Available (30) .01 Selected (0)
0 Q CIM-HTI P
0 CIM-HTI PS
ffi
0
0
HTIP
HTIPS
0
0
HTTPS , net.tcp binding
I OK II Cancel I
II
z
(f)
X
(f)
(1)
o
...c
~
Define NSX Edge firewall rules to restrict traffic to one or more Web
servers
1. Prepare for the Lab
2. Enable Flow Monitoring for Future Reference
3. Restrict Inbound Web Server Traffic to HTTP and HTTPS
4. Determine How the Firewall Rule Interacts with Other NSX Edge
Features
5. Clean Up for the Next Lab
II
z
(f)
X
(f)
(1)
o
c
....
~
Lesson 2:
Distributed Firewall
II
z
(f)
X
(f)
(1)
o
c
....
~
By the end of this lesson, you should be able to meet the following
objectives:
Compare the Distributed Firewall to traditional firewalls
Describe the policy enforcement of the Distributed Firewall
Configure rules on the Distributed Firewall
cd
I
The firewa ll has evolved in recent years. Originally, the firewall was a physical device that was
placed at the perimeter of the network to inspect traffic entering the data center.
The next stage in the evo lution was firewall appliances runnin g in virtual machines. From a
II
z
(f)
hypervisor perspective, one virtual machine talked to another virtual machine. The virtual machine X
(f)
acting as the firewa ll had to be the default gateway for the other virtual machines runnin g on that (1)
host. Sometimes, firewa lls also ran in the virtual machine to provide an additional layer of security. o
c
....
The Distributed Firewall is a hypervisor kernel-embedded firewa ll that provides visibility and ~
control for virtualized workloads and networks. The Distributed Firewa ll offers multiple sets of
configurab le rules for netwo rk layers 2, 3, and 4.
VM
Kernel-Embedded Firewall
The hypervisor-embedded nature of the firewall delivers close to line rate throu ghput to enable
higher workload consolidation on physical servers . The distributed nature of the firewa ll provides a
scale-out architecture that extends firewall capac ity when additional hosts are added to a data center.
No virtua l machine can circumvent the firewa ll. Egress and ingress packet are always processed by
the firewall. In extreme load exists, such as CPU satura tion or if memory is full, the Distributed
Firewa ll behaves as a fail close firewall. No packet passes through the firewall.
..[)
The Distributed Firewall provid es security filtering functions on every host in the hypervisor at the
kem el level. The Distrib uted Firewall is an East-West statefu l layer 2, 3, and 4 firewall. The
Distributed Firewall provid es distrib uted enforcement of policy rules. The Distributed Firewall is
configured usin g the VMware vSph ere Web Client. The Distributed Firewall is independent of the
II
z
(f)
X
distributed router. (f)
(1)
The Distributed Firewall is meant for East-West traffic or horizontal traffic . The NSX Edge firewall o
c
....
focuses on the North -South traffic enforcement at the tenant or data center perimeter. ~
The NSX Edge services gateway firewall protects the data path traffic. The firewall on the contro l
virtual machin e for the distrib uted router contro ls access to the distributed router, for example, to
enable SSH access to the contro l virtual mach ine. So the firewall rules have no effect on the data
path traffic for the distributed router.
The Distributed Firewall policy is independent of where the virtual machin e is located. If a virtua l
machin e is migra ted to another host using VMware vSphere vMo tion, the firewall policy
follows the virtua l machin e.
IP1 IP3
MAC1 MAC3
No relationship exists between distributed switch ACL or security capabilities and Distributed Firewall.
Distributed Firewall rules are enforced at the vNIC layer before encapsulation or after de-
encapsulation. The distribut ed firewa ll policies are independent of whether a virtual machine is
connected to a VXLAN or VLAN . Distributed Firewall rules are independent of virtual machine
location.
II
z
(f)
X
(f)
The Distributed Firewa ll can enforce rules even if the virtual machines are on the same layer 2 (1)
segment. Policy rules always follow a virtual machine if the virtual machine is migrated to another o
c
....
host. ~
Firewall rules are configured in the vSphere Web Client and pushed
to VMware NSX Manager.
REST API
Client
vSphe re
We b
Client
Distributed
Firewall
Using a Web browser, you can connect to the vSphere Web Client that accesses the VMware
vCen ter Server" system . The vCenter Server system provides the user interface to manage policy
rules and mon itor distrib uted firewa ll activity.
The vCenter Server system communicates with VMware NSX Managert'". NSX Manager pushes
the rules down to the VMware ESXi host into the distr ibuted firewa ll kernel module.
The distributed firewa ll module on the ESXi host runs in the kerne l space and is responsible for
firewa ll rules enforcement at the vNIC level.
VMware NSX APFM can also be used to comm unicate with and configure the Distributed Firewall.
VMware NSX Controller" is not responsible for distributed firewa ll functiona lity.
i ------"j
1 ,
1~-----------------------,
~ 1
i---- -------------- ----.
, -, 1
1 1 , 1
1 , 1 1 , 1
:1 VM :, 1
1
1
1
1
1
,
,
1
1
, 1
1 I 1 1 , 1
1 1
1 , 1 1 , 1
, 1
1 I 1
1._ _ 1
" L_ _ __ J
L
1 . ''
The Distributed Firewall provid es hypervisor-based firewall enforcement on every vNIC . The data
path is optimized for performance and scalability. This daemon checks rules on both the ingress and
egress on the source and destination virtual machine. No virtua l machine traffic can circumvent the
firewal l.
II
z
(f)
X
(f)
(1)
o
c
....
~
. .. ~ .
Application Layer Presentation Layer
Ne twork La ye r
source or destination IP addresses or L4
protocols. Some examples of L4 protocols are
SSH (TCP port 22), HTIP (TCP port 80).
I I I
Da ta Li nk Lay er L2 rules control traffic at data link layer. Use L2
Ne twork Access Lay er rules to filter specific source or destination
Physi cal Lay er MAC addresses or L2 protocols. Some
examples of L2 protocols are ARP, RARP, and
LLDP.
The Distributed Firewall supports security rules at the layer 2, layer 3, and layer 4 levels. Layer 2
rules are configured in the Ethernet tab of the NSX Controller instance. These rules are meant for
actions that happen at layer 2 such as Cisco Discovery Protoco l (CDP) and ARP.
The rules for layer 3 and layer 4 are defined in the Ge neral tab. The Ge neral tab policies define
rules to manage traditional traffic between virtual machines in different subnets or from East-West
traffic.
....;;- .
.-
~ &.I..:""'"Y
f! Nl>XHoIN
_. Ib)Ic.Il ~
'" ..-
"'--
~":'y2~
-- _.
-
; ;;' NSXE"OI4
... .
u
. ~I '
- - - -
1-..
- J~
-
'!l -
.--
DI"WeTttMl:'l\M~ll
..., ....
,
, + lll / "
l!J s.rn:. ~ It." N"P'--" 08""'.-. ...
"'"- . 1:- ' 1
'"
1'3--
Cil Fbo1r ~
~1119 . ~ ~
---
~....-, L.I)W7l'1* lJ
.
' ' .... .... ....
-
+0 / - "
In the vSphere Web Client, under the Network and Security section, you find the Firewall tab. The
Firewall tab is where distributed firewall policies are defined. On the Co nfigu ration tab of the
Firewall tab are General policies and Ethernet policies. Ethernet policies are rules that are enforced
at layer 2.
II
z
(f)
X
(f)
(1)
o
c
....
~
You define firewall rules for layer 3 and layer 4 rules on the General
tab.
-
t! NS.I: _
;,==-
...
"<Sll:~, [ tN. ' ~ ~ .lOD .1
.
DfW~
-. ~ .1
' -71
-
DllllSoKutfIy
:<- -..
Q N2MlfMl:mtR'lO
.
&1
,
~L.$ . _ U _~OCX
..
'
...""'-
, n ..
~ Ing " kunfr ~
"
The Firewall tab allows centralized management of all Distributed Firewall rules.
e. .....
VM Co ntainers
- VM names OHC~ ..,. ...,
""
e. "" ..... ... - VM tags
- VM attributes ..
. DHC P-C~"' I
- ...
The Firewall tab allows centrali zed manag ement of all Distributed Firewall rules. When you add a
rule, you provide a name , source, destina tion, service , action , and where the rules are enforced.
The source and destination can be an IP set, but it can also be a security group that you define . A
II
z
(f)
security group is a collection of assets or grouping objects from your VMware vSphere inventory. X
(f)
You can also create sections to separate rules for different lines of busine sses, for example, different (1)
departments . o
c
....
The last rule or the default rule is typically set to deny. In most cases, an administrator wants to ~
explicitly allow certain types of traffic and block everything else by default. Internet rules get
applied before genera l rules so they are processed from top to bottom . When the traffic matches a
particular rule, the processing stops and the rule actio n is processed .
s.a _ _ . ..... _ _
-....---
. ~ - -"-::::""'\I~~
-
... . -
"1- -
-.
,,-............
tj -
-..--.
.""
_.
.---.
!t ""5ll ~
.......,.~
--
..,
.""
....
.""
..-- -..:uoo ....... _
~~---""
...
."" .""
The Distributed Firewall can have different rules based on sections such as a department. For
example, you might separate rules for human resources and for engineering departments in separate
sections. If you later decide to combine rules from different sections, you can merge sections and
consolidate the rules in those sections. You merge sections together by clicking the Merge icon.
Although sections have no effect on security, sectioning can ease management by allowing
administrators to apply rules to specific groups or job roles.
Security Group NSX security group attribute (defined through Service Composer tab)
Rule will apply for all VM/ vNIC part of the Security Group
VMware NSX Services" enable you to put multiple ports into a nam e, for example, ports 20 and 21
into NSX Services called FTP. You can use protocol ports or you can create NSX Services in new
port new ranges. Several predefined NSX Services are created on the Distributed Firewall by
default.
II
z
(f)
X
(f)
You can perform various actions on the traffic. Actions define what the firewall should do with the (1)
traffic after a rule match occurs , such as block or allow or log or not log. o
c
....
Using the Applied To text box, you can specify which virtual machin e, and hence which vNICs, ~
receive the rule. The Applied To text box enables you to specify where the rules are enforced. The
rule action can be applied to a logical switch and is applied to every virtual machin e on the virtual
switch. You can apply the rule action to a clust er and every virtual machin e in that clust er is affected
by that firewall rule. If a new virtual machine is added to the clust er, the firewall rule is also applied
to that virtual machine. You can apply the rules to a data center, a clust er, a distributed port group, a
network, a logical switch , or a virtual machine vNIC.
When search ing Syslogs for firewall values, you must look for the BSIP value in the firewall entries.
r- iRl _~
,tano .tQI .
1'fSJI,~
- _. - -
Ie.-
- IEEl
.....
~
e _-_
:"!-
..1'J-. --
1~
...,
,
1.71
'ZaEi .
....
tB ROOt
""".'.Mal"nPS_ ..
X6
- ..
" .....-.-..
. -- I
+ 1 / . ..
'i
G ____ ' 5I UNUlI _ JoWUl'
~ =_!WI
- ___
........
.-
!!""-
...... ..-,--,
1m >
e-. ...... "-J""'"'S ,J r:/ . ..
WebVM
-------------
VM1NM2 Block
VM1 Allow
VM2 VM1 Block
(assuming
APP lo gical- sw itch-2 default rule is
VXLAN 5002 VM4 VM3 set to block)
In the example on the slide, traffic coming from the Web logical switch that is destined for the App
logical switch is blocked by rule I . Thus, VM I and VM2 cannot talk to VM3 and VM4 .
Rule 2 states that traffic from VM I destined for VM2 is allowed. Th e two virtual machines are on
the same logical switch segm ent. Assuming that the default ru le is set to block all other traffic,
traffic from VM2 is not allow ed to VM I and traffic between VM3 and VM4 is block ed.
.-- '-
O' ..J"j e-
11 1oISll _
ll. -......
ENSlI.I~
<-~
~.-~
......- -
- .-
.--
"-
'!l - -
.
"
The Grouping feature enables you to create custom containers to which you can assig n resources,
such as virtual machines and network adapters, for distributed firewa ll protection. After a group is
defined, you can add the group as source or destination to a firewa ll rule for protection.
II
z
(f)
Using the dynamic mapping capabi lity of security groups, you can define the criteria that an object X
(f)
must meet to be added to the security group that you are creating. This capability enables you to (1)
include virtual machines by defining a filter criteria with several parameters supported to match the o
c
....
search criteria. ~
For examp le, you may include a criteria to add all virtua l machines that run a specific operating
system (such as Microsoft Windows 2003) to the security group. Securi ty tags are case-sensitive.
When you create a security group, you specify its expression, inclusions, and
exclusion parts
Expression:
Defined the dynamic membersh ip criteria of vCenter Server objects
Configured in the Defined dynamic membership tab in the New Security Group wizard
Inclusions:
Static membership selection of vCenter Server objects
Configured in the Select objects to include tab in the New Security Group wizard
Exclusions:
Static membersh ip rejection of vCenter Server objects
Configured in the Select objects to exclude tab in the New Security Group wizard
Objects identified in the inclusion part are added to the objects identified in the
expression
Any objects identified in the exclusions part is removed from the security group
.~: ' I
. G/ . L I
SECURITY-GROUP-WINDOWS: dynamic membership: Computer OS name contains Windows
VM3 VM 1 Allow
r- .,
VM2 VM4 Allow
W EB logical-switch -1
VXL AN 5001 VM4 VM2 Allow
When the security group is created, it can be used as a source or destination when creating a firewall
policy. This ability gives organizations the flexibility in designing their firewall rules and reducing
the numb er of lines they have to enter. When the security group is created, you can add virtual
machin es to a security group by editing the security group. Securit y groups can be nested in other
II
z
(f)
X
security groups. (f)
(1)
In the example, two securit y groups exist. One group contains virtual machin es running the o
..,c
Windows operating system and the other contains virtual machin es running the Linux operating ~
system. The firewall policy is set so that Windows traffic sent to Linux is blocked. Linux virtual
machin e traffic sent to Windows is allowed. The Windows and Linux virtual machines are in the
same segment and yet one line enforces this policy. If you add virtual machines, they fall into the
security groups depending on the operating system and the policy is applied.
Allow
The Applied To text box allows you to specify which destination component receives the rules. The
rule might contain a virtual machine, vNIC, cluster, distributed port group, network , data center, or
logical switch in the source or destination text boxes. VMware recomm ends that you add these
comp onents into the Applied To text box so that the rule is optim ally offloaded to the ESXi hosts.
When dealing with large rule sets or overlappin g IP addresses , use the Applied To text box to
restrict the scope of Distributed Firewall rules.
Rules are created on the vSphere Web Client and sent through the vCenter Server instance which
passes them on to the NSX Manager. The NSX manager instance evaluates the rule and pushes the
rule to the corresponding host to apply to the corresponding virtual machin es. So both rules are
attached to VMI , only the first rule is attached to VM2, only the first rule is attached to VM3, and
only the second rule is attached to VM4.
In the example, you have two rules. Rule lone allows VM I to communicate with VM2 and VM3
on port 123. The second rule says that VMI can communicate with VM4 on port 321.
Traffic going to VM4 does not need to check rule I. The second rule applies to VM I and VM4 , so
the traffic going to VM3 does not go throu gh this rule.
Search
OK I[ Cancel
II
z
(f)
X
(f)
(1)
o
c
....
~
II
z
(f)
X
(f)
(1)
o
c
....
~
Lesson 3:
Flow Monitoring
II
z
(f)
X
(f)
(1)
o
c
....
~
By the end of this lesson, you should be able to meet the following
objectives:
Describe how Flow Monitoring can be used to enhance security
Configure a Distributed Firewall rule to block a traffic flow
=
o
NSX Edges
Firewall
Systemis configured to NOT collectfirewall relatedffows
~ SpOOfGuard
Service DefiniUons
B Service Composer
J Data Secu rity
m, Flow Momtorlng
The Distributed Firewall has visibility of all traffic flows that have taken place in the logica l
switches. By drillin g down into the traffic data, you can eva luate the use of your resources and send
session information to the Distributed Firewall to create a rule or block rule at any level.
II
z
(f)
X
(f)
(1)
o
c
....
~
........ I
N.~,&kc.nty
p'! NSXHO",.
iQt.,.tIll.. on
CiIobIIflow CGIiKuo. SUtvt;; En.bled ( (M,abllt ]
1J: L O~ ~'
=NSX[~ .. ~o,~"'/J;!a; r ~~.'~~l"1.IT'.t" ~'Kol'ed~
8 $tMo;t ComNStl'
QlD"' _
I
~. .-r-u.g
I- -' & s.c".r ~1orY 138137
~ tfS;l; "Jl'l~WJ > .......
By default , Flow Monitoring is disabled. To enab le Flow Monitoring, click the Enable button.
Flows that should not be collect ed can be added to the exclusion lists in the Exclus ion Settings of
the Configuratio n tab.
II
z
(f)
X
(f)
(1)
o
c
....
~
........""
f:
-\
~1"....i-~~L:",.
, _ .t..... .t . . . ..t..=-
... _ .I"NI"
., .... .'.
.._ ..."
_
a~
I ....... .
0._ !.
t a...
...... . .
,. ,.
I~' _
I"' UI "
...... 10.. ...
...... 1'1."
.....
~ ..- . Uoo'" ~
-
--
_ _ _ '1l;J')
~"'H
-~
n,.
--
"'"
_
,
-
_~--.e--.-1Il ;JQ;.I
,.
-- --
- 'Ill!
..
--
.. ... ....
. .-.-.- -,.....
On."1'"''
----... ........---
~,~
.-.-
.. t.
.-,....
.~"lt
~ . . . . .1' .. ,. -~ (,.-
.'...... ......
__ r __
.!II!IIIII""
--__ l._
I n ' ''U!'I''
Il'1l1'lt"'"''
a-Ull'tl. ' . "
_"1ol1'1hII
."'Mn.,.
II
~- ,
If you click the Details by Service button at the top, you might see a flow that you do not want. You
can add a rule to block the flow or edit the existing rule that is permitting the flow.
z
(f)
X
(f)
(1)
o
c
....
~
You can view UDP and TCP connections from and to a selected vNIC .
l.,.
5 00 ....0 .
(jI _ _
dl ~ "
/J ~ "
I ~l e-'
To view traffic between two virtual machines, you can view live traffic for one virtual machine on
one computer and the other virtual machine on a second computer. You can view traffic for a
maximum of two vNICs per host and for 5 vNICs per infrastructure.
The screenshot shows the output from Live Monitoring for the
selected vNIC.
II
z
(f)
X
(f)
(1)
o
c
....
~
N8XManager: [ 192.168.1104 2 I ~I
OK II Cancel I
~ Allowed FIOWS ~ Blo cked Flows 1
Examine network flows using the Flow Monitoring feature and define
a firewall rule based on a flow
1. Prepare for the Lab
2. Examine Dashboard Details
3. Review Allowed Flows by Service
4. Add a Firewall Rule Based on a Flow
5. Clean Up for the Next Lab
II
z
(f)
X
(f)
(1)
o
c
....
~
II
z
(f)
X
(f)
(1)
o
c
....
~
Lesson 4:
Role-Based Access Control
By the end of this lesson, you should be able to meet the following
objectives:
Describe authentication , authorization, and accounting (AAA)
Describe role-based access control
Describe the roles available in NSX Manager
Explain the scope options
Configure role-based access control in NSX Manager
II
z
(f)
X
(f)
(1)
o
c
....
~
In many organizations, networkin g and security operations are handled by different teams or
members. Such organizations might require a way to limit certain operations to specific users.
VMware NSX TM supports VMware vCenter Single Sign-Ont> vCen ter Sing le Sign-On enables
NSX to authenticate users from other identity services such as Active Directory, Network
Information Serv ice (NIS), and LDAP.
II
z
(f)
X
(f)
(1)
o
c
....
~
A user 's role defines the actions that the user is allowed to perform on a given resource. The role
determines the user 's authorized activities on the given resource, ensuring that a user has access
only to functions necessary to complete applicable operations. This role allows domain control over
specific resources, or system-wide control if the user 's right has no restrictions.
II
z
(f)
X
(f)
(1)
o
c
....
~
NSX Manager provides four default roles that allow you to determine a user's authorized level of
activity.
NSX provides scopes to restrict the area that a user can access in
the NSX system:
Global: The user has access to all areas of NSX.
Limited Access: The user has access to only the NSX areas defined in
the user profile .
The scope of a role determin es resources that a particular user can view.
II
z
(f)
X
(f)
(1)
o
c
....
~
John does not have permissions defined in NSX, but John belongs to
the user group Groundhog:
John is an NSX Auditor with read-only access to all areas.
II
z
(f)
X
(f)
(1)
o
c
....
~
John does not have permissions defined in NSX, but John belongs to
the user group Groundhog:
John is a Security Administrator with read-write access to all objects in
Datacenter1.
John is an NSX Auditor with read-only access to all other areas.
II
z
(f)
X
(f)
(1)
o
c
....
~
-----,}
~ ume aHen to 1Ft. port group , datacenter, or NSX Edgl' lis ted be-low
II
z
(f)
X
(f)
(1)
o
c
....
~
Add an ssa user as an NSX Administrator and change the role of the
user
1. Prepare for the Lab
2. Add an SSG User with NSX Administration Rights
3. Restrict an NSX User to Administration of a Specific NSX Edge
4. Explore Roles and Scope Limitations
5. Clean Up for the Next Lab
II
z
(f)
X
(f)
(1)
o
c
....
~
Lesson 5:
Service Composer
II
z
(f)
X
(f)
(1)
o
c
....
~
By the end of this lesson, you should be able to meet the following
objectives:
Explain how Service Composer enhances security
Create a policy and security group
Create a rule in Service Composer
Security Groups Security Policies
............................ ~
..................................
Members (VM , vNIC) and Services (Firewall , antivirus)
Context (user identity, security and Profiles (labels representing
posture) specific policies)
You map services to a security group, and the services are applied to the virtual machines in the
securi ty group. Define security policies based on service profiles already defined (or blessed) by the
security team . Apply these policies to one or more security groups where your workloads are
members .
II
z
(f)
X
(f)
(1)
o
c
....
~
NSX collects all third-party security tools in one place where the team
can manage, control, and apply security.
NSXAPI
-
:+
L2 Gateway ADC/LB Firewa ll
Security Services
6)
IDS/IPS
6)
AV/FIM
6)
Vulnerability
Management
Traffic leaves the virtual machine and is sent to the integrated partner product. Some partners have
integrated products into NSX. This traffic flow happens before the traffic reaches the network. II
z
(f)
X
(f)
(1)
o
c
....
~
.1_
-
....... ' ~
--
!I HSI _
..=I$IU,..
I O' ... 0 . - .
IGlIliIlNIIIf ;t:l... nf~
+ / x _ .
.... . -
,.--""--
"'-
_..
...............
MMI..... ~
..... .....".
I
__
~ .
.
-- ""- ~ ............. 1
:i....-.e
.........
!l teP "-'-'
~-.
........ . .
If the partner solutions management console does not provide a mechanism to register the solution
with NSX Manager, you must register the solution manually. II
z
(f)
X
(f)
(1)
o
c
....
~
Ask the partner for instructions on how to register the service with
NSX.
---
--_--.... -.......
~- --'
.
,1-. ---
--'-
'-
g .. r-.
-
ft _
_
------_-.... -..
---
--
--_.
---
.Ol--
L _
.--- -
e- _ _ ._ t
----,_ .
_ _ _ _ I
-
._.- _
.-- -
~ - -.
II
z
(f)
X
(f)
(1)
o
c
....
~
After you register the partner service, you must deploy the partner
service virtual machine.
. --
(~~.1I-"7'
- .-_::-:':":"'-
---.- 4
~ .
'"
:=- -=;-: --- ;-
- =:--
-- .=-- I
- - - - - .. - - - - - - -
I :=-==
~
.-=
1--.__-- _----._-_..- .....-
O ' -
_ 1
:..;--
I~~~iiiiiiiiil~
- - - - -
1' 7 _ = ...':":'"......
.. ---
- t=-
eft __ _
. .- "C-" ,,__ -~ -~ -~
.--
, ~ -
.-- .. "' - "
. _ .e--_. 1---
...-..-.1 1 '. 2 uI ...._
...
...
..
~ .-.
~.-.
-
", e . -.__
~
~
, --
~
:i.... _
.-==--~ ~ Symantec
If the partn er solution includes a host-resident virtual appliance, you can install the service after you
register the solution.
-0-_.--
l ....IE ' ,
i." 1._ ....-
, .,1_-
.:; ., .=-
..
_"'_1 ....
......
~.-.- -
_ _ _ . . . . . . . t,
.. .~ ...
II
z
(f)
X
(f)
(1)
o
c
....
~
1
2
pel DSS ZOlne
1
~1
Service Composer offers a canvas view that displays all security groups in the selected NSX
Manager. The view also displays details such as members of each security grou p and the security
policy that is applied to the member.
Containers: Grouping of VMs , IPs, and more to define Policies are a collection of service
what you want to protect. profiles that are assigned to this
container to define how you want to
Example: Financial Applications, Desktop Users, protect this container.
Quarantine Zone
Example: PCI Compliance or
Quarantine Policy
All security groups in the selected NSX Manager, which are not contained in another security group,
are displayed with the policies applied on them. II
z
(f)
X
(f)
(1)
o
c
....
~
ard
~1
The slide shows virtual machines that are currently part of the main security group and nested
security groups.
-
'-.- ..
. --
Q
--
8]0 - . 1& , ...... ,. -
8Jo 61 0 61 0 Q
---
""'V'
Each rectangular box in the canvas represents a security group. Icons in the box represent security
group members and details about the security policy mapped to the security group. II
z
(f)
X
(f)
(1)
o
c
....
~
1. The Web server virtual machine that is running 115 is deployed, unknowingly having a
vulnerability.
2. A vulnerab ility scan is initiated on Web server, for example, Rapid7's Nexpose product.
3. The virtual machine is tagged in NSX Manager with the eVE and evss Score.
4. NSX Manager associates the virtual machine with the Quarantine (VSM FfW Deny).
5. The adm inistrator applies patches, Nexpose re-scans vi rtual machine and clears tag.
6. NSX Manager removes the virtual machine from Quarantine and the v irtual machine returns to
its normal duties.
In the examp le, the virtua l machine powers on and is a part of the group . So polices are applied to
the virtua l machine. Rapid 7 gets the traffic and determines the rating of the virtual machine and
labels the traffic as untrustworthy. The virtua l machine is moved to a new security group and denies
all the traffic. The virtua l machine is moved from the trusted security group to the untrusted security
group based on input from the Rapid 7 device .
The virtual machines can be a part of the first security group because they meet the criteria of both
groups . However, the highest weight gets the policy applied . The weighting determines which
policy is applied to the virtual mach ine when the virtua l machine is a part of multip le groups.
User
Security-Group to Security-Group
--------
Security-Group to Any
Traffic redirection or (traffic steering) from a guest virtual machine to a Palo Alto Networks VM-
Series firewa ll is performed internally at the hypervisor level using shared memory space . The NSX
admin istrator specifies which DVS port-group or logical switch (VXLAN) needs to be served by the
Palo Alto Networks VM-Series firewa ll.
II
z
(f)
X
(f)
Using Service Composer or Security Policy, the security team can define traffic flows that are (1)
redirected to the Palo Alto Networks VM-Series firewa ll for inspection and enforcement. Traffic o
c
....
allowed by the VM-Series Firewall is then returne d to the VMware NSX Virtual Switch" for ~
delivery to the final destina tion. The final destinat ion is either the guest virtua l machine or the
physica l device.
Traffic redirectio n (defined in the Network Introspection Service window) can be defined in the
following ways:
From Security Group (SG- I for instance) to Security Group (SG-2 for instance)
From Any to Security Group (SG- I for instance)
From Securi ty Group (SG- I for instanc e) to Any
Any means any source or destination IP address respectively.
Redirect to service
Do not redirect
o
Protocol:
Any - ",.
Specified: TCP/UDP destination
port and source port
.--
.
.. .
,~
II
z
(f)
X
(f)
(1)
o
c
....
~
Lesson 6:
Other Monitoring Options
II
z
(f)
X
(f)
(1)
o
c
....
~
By the end of this lesson, you should be able to meet the following
objectives:
Describe how to find firewall entries in the Syslog
Analyze Syslog security entries
Controller" Gett,ng Started Summ ary Mo.nllQf ~ RelatedObJeds Aulo cenerate rules Enabled
SyslGg seMlIS
Serve
Se~e r5 ConOgurllDon
Powe r Milnagement
M"'-Wl'M"h
System Resour ce AIoc.lI bl
SETTINGS
General
NelwOf1(
SSL cemncates
saoaes & Restore
Upgrade
syslog corp loca l
Sys~ Server
p,"
51'
TCP
Protocol
You can enable Syslog for the NSX components even on NSX Controller and NSX Edge . You
specify a Syslog serve r where all the Syslog messages are collected. Management plane logs are
available through NSX Manager and data plane logs are available through vCenter Server. VMware
recommends that you specify the same Syslog server for the NSX component and vCenter Server to
II
z
(f)
X
get a complete picture when viewing logs on the Syslog serve r. (f)
(1)
o
C
....
~
The system event message logged in the Syslog has the following
structure:
Syslog header
Event 10
Timestamp
Application name
Event code
Severity
Message
The system event message that is logged in the Syslog has the structure listed in the slide.
.--
II~I
VMware vCenter Log Insight" provides faster analytical queries and aggregation than tradit ional
tools, especially on larger data sets. vCenter Log Insight identifies key-value pairs and adds
structure to all types of unstructured log data, enabling administrators to troubleshoot quickly,
without needing to know the data beforehand.
II
z
(f)
X
(f)
(1)
o
c
....
~
II
z
(f)
X
(f)
(1)
o
c
....
~