VmWare NSX Student Guide PDF

VMware NSX:
Install, Configure, Manage

Lecture Manual
NSX 6.0
VMware Education Services

VMware , Inc.
www.vmware.com/education
VMware NSX:
Install, Configure, Manage
NSX 6.0
Part Number EDU-EN -NSXICM6-LECT
Lecture Manual
Copyright/Trademark
Copyright 2014 VMware , Inc. All rights reserved . This manual and its accompanying
materials are protected by U.S. and international copyright and intellectual property laws.
VMware products are covered by one or more patents listed at http ://www.vmware.com/go/
patents . VMware is a registered trademark or trademark of VMware , Inc. in the United States
and/or other jurisdictions. All other marks and names ment ioned herein may be trademarks
of the ir respective companies.
The training material is provided "as is," and all express or implied cond itions,
representations, and warranties, includ ing any implied warranty of merchantability, fitness for
a particular purpose or noninfringement, are discla imed , even if VMware, Inc., has been
advised of the possibility of such claims. This training mate rial is designed to support an
instructor-led training course and is intended to be used for reference purposes in
conjunction with the instructor-led training course. The train ing material is not a standalone
tra ining tool. Use of the training material for self-study without class attendance is not
recommended.
These materials and the computer programs to which it relates are the property of, and
embody trade secrets and confidential information proprietary to, VMware, Inc., and may not
be reproduced, copied, disclosed, transferred, adapted or modified without the express
written approval of VMware, Inc.
Course development: Rob Nendel , John Tuffin, Jerry Ozbun
Technical review : Elver Sena, Chris McCain
Technical editing : Jim Brook , Shalini Pallat , Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud
The courseware for VMware instructor-led training relies on materials developed by the
VMware Technical Communications writers who produce the core technical documentation ,
available at http://www.vmware .com/supportlpubs.
www.vmware.com/education
TABLE OF CONTENTS
MODULE 1 Course Introduction 1

Importance. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2
Learner Objectives 3
Learner Objectives (2) .. " ". " ".. ".. " ".. " 4
You Are Here . " " " " " ". " ". " ".. " ". " ".. ".. " " 5
Typographical Conventions. " ".. ".. " " 6
References " " ". " " " " " ". " ". " ". . " ". " ". . ". . ". . . ". . " 7
About NSX " ". " " " " " ". " ". " ".. " ". " ".. ".. " ".. " 8
NSX Certification 9
VMware Learning Path Tool. ".. 10
NSX Resources 11
MODULE 2 NSX Networking" " " " ". " " " " " ". " ". " ".. " ". " ".. ".. "... ".. " 13
You Are Here " " " " " " " " " " " " " ". " ". " " ". " ". " ".. ".. " ".. ".. " 14
Importance" " " " " " " " " " " " " " " " ". " " " " " ". " ". " ".. " ". " ".. ".. " 15
Module Lessons" " " " " ". " " " " " ". " ". " ".. " ". " ".. ".. " ".. " 16
Lesson I: Introduction to vSphere Virtualization 17
Virtual Machines 19
Benefits ofVirtuaI Machines " ".. 20
ESXi Hypervisor 21
vCenter Server. ".. " ".. ".. " " 22
vCenter Server Management Features 23
vSphere vMotion .. " ".. " 25
Shared Storage. ".. " ".. ".. " " 26
Features That Use Shared Storage 27
Virtual Networking 28
Virtual Switch Types 29
Networking Features 30
vSphere Product Placement. 32
Review of Learner Objectives 33
Lesson 2: Overview of the Software-Defined Data Center. 34
Learner Objectives. " " 35
Choices for IT . ".. " ".. " 36
Data Center Models" " 37
Advantage of Software-Defined Data Center " .. 38
Choice for New IT 39
Software-Defined Data Center as New IT. 40
Components of a Software-Defined Data Center 41
Vision and Strategy 42
Virtual Compute, Storage, and Network 43
Data Center Hardware. . . . . . . . . . . . . . . . . . . . 44
Hypervisors and Virtual Switches 45
VMware NSX: Install, Configure, Manage

NSX: Network Virtualization Platform 46
About a Virtual Network 47
Network Virtualization: Layer 2 48
Network Virtualization: Layer 3 49
Concept Summary 50
Review of Learner Objeetives 51
Lesson 3: Introduction to NSX and NSX Manager. 52
NSX Capabilities 54
Prepare for Installation: Client and User Access 55
Prepare for Installation: Port Requirements 56
Installation: Manager OVA 57
Initial Configuration: Management UI 58
Initial Configuration: Time and Syslog Settings 59
Initial Configuration: Network Settings 60
Initial Configuration: vCenter Server Connection 61
NSX Overview: Planes 62
NSX Overview: Data Plane Components 63
NSX Overview: Control Plane Components 64
NSX Overview: Management Plane Component 65
NSX Overview: Consumption 66
Enterprise Topology 67
Servicer Provider: Multiple Tenant Topology 68
Multiple Tenant Topology: Scalable Desigu 69
Scalability 70
NSX for vSphere: Scale Boundaries 71
NSX Manager 72
Building the NSX Platform 73
Lab I: Introduction 74
Lab I: Configuring NSX Manager 75
Concept Summary 76
Lesson 4: NSX Controller 78
NSX Controller 80
NSX Controller Cluster Deployment 82
Control Plane Interaction 83
Control Plane Security 84
Control Plane Security: Diagram 85
User World Agent 86
NSX Controller: Master Election 87
Master Failure Scenario 88
NSX Controller Workload Distribution 89
ii VMware NSX: Install, Configure, Manage

Slicing Assignment 90
Slicing Distribution 91
Slice Redistribution 92
Component Interaction: Configuration 93
Lab 2: Introduction (I) . " .. " " .. " .. " " 94
Lab 2: Introduction (2) . ".. " ".. ".. " " 95
Lab 2: Configuring and Deploying an NSX Controller Cluster 96
Review of Learner Objectives ".. " 97
Key Points 98
MODULE 3 Logical Switch Networks and VXLAN Overlays. ".. " " .. " .. " " . "99
You Are Here 100
Importance" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "101
Module Lessons" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "102
Lesson 1: Ethernet Fundamentals " ". " ".. ".. " " 103
Learner Objectives" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "104
Review: Networking Definitions. ".. " ".. ".. " " 105
Ethernet " .. " .. " " . " " . " " " " " " " " " " "106
MAC Tables 107
Broadcast Domain 108
Address Resolution Protocol 109
From Packets to Frames 110
Segmentation and Encapsulation 111
Layer 3: IPv4 Datagram 112
Layer 4: TCP Segment 113
Concept Summary. " 114
Lesson 2: Overview ofvSphere Distributed Switch " .116
Learner Objectives " .117
VMkernel Networking " .118
Advantages ofvSphere Distributed Switch 119
Distributed Switch Architecture 120
vSphere Distributed Switch Enhancements in ESXi 5.5 121
Design Considerations 122
Teaming Best Practices 123
Load-Based Teaming 124
Distributed Switch in Enterprise 125
Lab 3: Introduction (1) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Lab 3: Introduction (2) 127
Lab 3: Preparing for Virtual Networking " .128
Concept Summary 129
Lesson 3: Link Aggregation 131
Contents iii
Ethernet Loop 133
Spanning Tree Protocol 134
STP Diagram" . " " " " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "135
Bandwidth Constraint " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "136
Link Aggregation Control Protocol. 137
Enhanced LACP in vSphere 5.5 138
Enhanced LACP ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "139
Concept Summary 140
Lesson 4: Virtual LANs 142
Virtual LANs" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "144
Switches and Routers with VLANs .. " " 145
VLANsand ARP" " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". " " " " " ". "146
VLANs Across switches" ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "147
VLAN Scalability " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". " " " " " ". "148
802.1Q 149
802.1Q Frame 150
Native VLAN 151
Concept Summary 152
Lesson 5: VXLAN: Logical Switch Networks 154
Learner Objectives. " ".. ".. " ".. " ".. " ".. " " 155
VXLAN Tenus" ". " ".. ".. " ".. ".. " ".. ".. " ".. ".. " ".. " "156
VXLAN Protocol Overview 157
Virtual Extensible LAN 158
NSX Use Cases 159
VXLAN Frame Format 160
Multicast: Network Components 161
Internet Group Management Protocol 162
Bidirectional PIM . " ".. " ".. " " " " 163
NSX for vSphere VXLAN Replication Modes 164
VXLAN Replication: Control Plane 165
VXLAN Replication: Data Plane 166
Unicast Mode 167
Multicast Mode 168
Hybrid Mode 169
Unicast and Hybrid Mode: Same Host " .170
Unicast Mode: Different Hosts 172
Hybrid Mode: Different Hosts 173
Multicast Mode: Different Hosts 174
Quality of Service 175
iv VMware NSX: Install, Configure, Manage

QoS Tagging 176
Physical Network Congestion 177
NSX Component Interaction: Configuration 178
NSX Logical Switching 179
Logical Switch 180
Lab 4: Introduction (l) 181
Lab 4: Configuring and Testing Logical Switch Networks 183
Concept Summary 184
Review of Leamer Objectives 185
Key Points 186
MODULE 4 NSX Routing 187

You Are Here 188
Importance 189
Module Lessons 190
Lesson 1: NSX Routing 191
Supported Routing Protocols 193
OSPF Features 194
About OSPF 195
OSPF Neighbor Relationships 196
OSPF Packet Types 197
OSPF Hello Packets 198
Other OSPF Packets 200
OSPF Neighbor States 201
OSPF Router Types 203
OSPF Areas 204
OSPF Area Types 205
OSPF Normal Area 206
OSPF Stub Area 207
OSPF NSSA 208
OSPF Area and Router Types Example 209
Intermediate System to Intermediate System 210
IS-IS Features 211
IS-IS Areas 212
IS-IS Router Levels 213
IS-IS Neighbor Adjacency 214
IS-IS Design Considerations 215
BGP Features 216
Border Gateway Protocol 217
BGP AS Numbers 218
BGP Peers 219
Contents v
BOP Peers Example 220
BOP Route Selection 221
Concept Summary 222
Lesson 2: NSX Logieal Router 224
Layer 3 Networking Overview 226
Layer 3 Enables Larger Networks 227
Distributed Logical Router 228
Hairpinning 229
Distributed Logical Router: Logical View 231
Distributed Logical Router: Physical View 232
Data Path: Host Components 233
VLAN LIF 234
Designated Instance 235
VXLAN LIF 236
Control Plane: Components 237
Logical Router Control Virtual Machine 238
Management, Control, and Data Communication 239
Deployment Models: One Tier 240
Deployment Models: Two Tier 241
Distributed Router Traffic Flow: Same Host 242
Distributed Router Traffic Flow: Different Host. 243
Lab 5: Configuring and Deploying an NSX Distributed Router 248
Concept Summary 249
Lesson 3: Layer 2 Bridging 251
VXLAN to VLAN Layer 2 Bridging 253
Use Cases 254
Layer 2 Bridging Details 255
Bridge Instance 256
Bridge Instance Failure 257
Layer 2 Bridging: Flow Overview 258
Design Considerations 259
ARP Request from VXLAN 260
ARP Response from the VLAN 262
Unicast Traffic 263
ARP Request from VLAN 264
vi VMware NSX: Install, Configure, Manage

Concept Summary 265
Lesson 4: NSX Edge Services Gateway 267
Learner Objectives.. " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . "268
NSX Edge Gateway" " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . "269
Integrated Network Services" ".. ".. " " 270
NSX Edge Services Gateway Sizing 271
Features Summary. " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . " " . " " " . "272
NSX Edge Routing 273
Routing Verification 274
Lab 6: Introduction (I) 275
Lab 7: Introduction" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " . "277
Lab 6: Deploying an NSX Edge Services Gateway and Configuring
Static Routing " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "278
Lab 7: Configuring and Testing Dynamic Routing on NSX Edge
Appliances" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " "279
Review of Learner Objectives " .280
Key Points 281
MODULE 5 NSX Edge Services Gateway Features " .. " " .. " .. " " .283
You Are Here. ".. " ".. ".. " ".. ".. " ".. ".. " ".. " ".. "... "284
Importance" " " . " " . " " " . " " . " " " . " " . " " " . " " . " ".. " " . " ".. " " . " ".. "285
Module Lessons" .. " ".. ".. " ".. ".. " ".. ".. "... ".. " ".. " "286
Lesson 1: NSX Edge Network Address Translation 287
Learner Objectives. " ".. ".. " ".. " ".. " ".. " " 288
Private IPv4 IP addresses 289
IPv4 Overlapping Space 290
Managing NAT Rules 291
Source NAT Deployment Using NSX Edge " .292
Example: Set Up External Access to Web Server. " " .293
Add a Second External IP Address for NAT Use 294
Destination NAT Deployment Using NSX Edge 295
Creating a Destination NAT Rule for Inbound External Access 296
Create a Destination NAT Rule and Test Inbound Connectivity 297
Creating a Source NAT Rule and Testing Outbound Connectivity 299
Lab 8: Introduction (I) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .300
Lab 8: Configuring and Testing Network Address Translation on
an NSX Edge Services Gateway 303
Concept Summary 304
Contents vii
Lesson 2: NSX Edge Load Balancing 306
NSX Edge Load Balancer 308
NSX Edge Load Balancer Modes " 309
Load-Balancer Operation .. " ".. ".. " ".. ".. " ".. ".. " ".. " "310
One-Ann Load Balancer" .. " ".. ".. " " 311
One-Ann Load Balancer Traffic Flow 312
Inline Load Balancer" ". " ". " " ". " ". " " ". " ". " ".. " ". " ".. " ". " ".. "313
Inline Load Balancer Traffic Flow " .314
Lab 9: Introduction 315
Lab 9: Configuring Load Balancing with NSX Edge Gateway (1)" " " "317
Lab 9: Configuring Load Balancing with NSX Edge Gateway (2) 318
Lab 10: Advanced Load Balancing .. " " 319
Concept Summary" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "320
Review of Learner Objectives" .. " ". " ".. ".. " ".. " 321
Lesson 3: NSX Edge High Availability " " " " " " " ". " ". " " ". " ". " ".. "322
High Availability 324
NSX Edge High Availability Operation 325
Stateful High Availability 326
NSX Edge Failure. " ".. " ".. " ".. " " " 328
NSX Edge Services Gateway High Availability 329
Virtual Machine and Appliance Failure .. ".. " 330
ESXi Host Failure. " ".. " ".. " ".. " " " 331
Lab 11: Introduction " " " " 332
Lab II: Configuring NSX Edge High Availability " .333
Concept Summary 334
Lesson 4: NSX Edge and VPN 336
Logical L2 VPN .. " ".. " ".. " ".. " " " 338
Overview of Layer 2 VPN 339
Logical User (SSL) and Site-to-Site (IPsec) VPN 340
NSX IPsec VPN .. " ".. " ".. " ".. " " " 341
IPsec Security Protocols: Internet Key Exchange " .. " . " " " "342
IPsec Security Protocols: Encapsulating Security Payload. " .. " . " " " "344
IPsec ESP Tunnel Mode Packet " .. " .. " " .345
Configuration Example for IPsec VPN " .346
IPsec with AES-NI 347
Add an IPsec VPN 348
NSX SSL VPN-Plus Service " .. " " .349
SSL VPN-Plus 350
viii VMware NSX: Install, Configure, Manage

NSX Edge SSL VPN-Plus Secure Management Access Server 351
Use Cases for SSL VPN-Plus Services 352
Lab 12: Configuring Layer 2 VPN Tunnels 357
Lab 13: Configuring IPsec Tunnels 358
Lab 14: Configuring and Testing SSL VPN-Plus 359
Concept Summary 360
Review of Leamer Objectives 361
Key Points 362
MODULE 6 NSX Seeurity 363

You Are Here 364
Importance 365
Module Lessons 366
Lesson 1: NSX Edge Firewall 367
Leamer Objectives 368
NSX Edge and Distributed Firewall: Security Comparison 369
NSX Edge Firewall 370
Firewall Rule Types 371
Virtualization Context Awareness 372
Populating Firewall Rules 373
Source and Destination of a Rule 374
Firewall Service 375
Create a Firewall Serviee 376
Action Option 377
Publish Changes 378
NSX Edge Services Gateway: Form Factors 379
Lab 15: Introduction (I) 380
Lab 15: Using NSX Edge Firewall Rules to Control
Network Traffic 382
Concept Summary 383
Lesson 2: Distributed Firewall 385
Evolution of Firewall Placement. 387
Distributed Firewall Overview 388
Distributed Firewall Filtering 389
Distributed Firewall Location and Policy Independence 390
Distributed Firewall Policy Enforcement 391
Contents ix
Distributed Firewall Components: Communication 392
Distributed Data Path 393
Policy Rule Objects 394
Layer 2 Policy Rules" ". " ". " " ". " ". " " ". " ". " ".. " ". " ".. " ". " ".. "395
Layer 3 and Layer 4 Policy Rules 396
Centralized Management of the Distributed Firewall 397
Using Distributed Firewall Sections 398
Policy Rule Objects" " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". " ". " " ". "399
Logical Switch Rule-Based Example " .. " " .400
Security Groups 401
Security Group Components 402
Rule-Based Security Group Example " .. " " .403
Applied To: Example "" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " .404
Lab 16: Introduction" ". " " " " " ". " " " " " ". " " " " " ". " " " " " ". " ". " " ". .405
Lab 16: Using NSX Distributed Firewall Rules to Control
Network Traffic" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " .406
Concept Summary" " " " " " " " " " " " " " " " " " " " " " " " " " " " " " " ". " " " " " ". "407
Review of Learner Objectives " .408
Lesson 3: Flow Monitoring .409
Learner Objectives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .410
Flow Monitoring 411
Enable Flow Monitoring .412
Exclusion Settings. " ".. ".. " ".. " ".. " ".. " " .413
Viewing Flows. " ". " ".. ".. " ".. ".. " ".. ".. " ".. ".. " ".. " .414
Flow Views by Service .415
Live Monitoring" .. " ".. ".. " ".. ".. " ".. ".. " ".. " ".. " .416
Live Monitoring Output Example .417
Lab 17: Introduction .418
Lab 17: Using Flow Monitoring .419
Concept Summary .420
Review of Learner Objectives .421
Lesson 4: Role-Based Access Control .422
Learner Objectives. " ".. " ".. " ".. " " " .423
Authentication, Authorization, and Accounting Model .424
Identity Sources" .. " ".. ".. " ".. ".. " ".. " ".. " ".. " .425
Identity Source vSphere Requirements " .426
Role-Based Access Control for NSX for vSphere " .. " .. "" "427
NSX User Roles 428
Scopes " .. " .. " " "429
NSX Role Guidelines .430
Permission Inheritance Example: Single Group 431
Permission Inheritance Example: Multiple Groups 432
Configure Role-Based Access Control 433
x VMware NSX: Install, Configure, Manage

Define Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .434
Lab 18: Managing NSX Users and Roles 436
Concept Summary 437
Review of Learner Objectives .438
Lesson 5: Service Composer 439
Service Composer 441
Using Service Composer 442
NSX Integrated Partners 443
NSX: Third-Party End-to-End Workflow 444
Registering Partner Services 445
Partner Service Registration: Palo Alto Networks 446
Partner Service Registration: Symantec 447
Service Installation 448
Security Policy 449
Service Composer Canvas 450
Canvas View (1) 451
Canvas View (2) 452
Canvas View (3) 453
Service Composer: Vulnerability Scan Example .454
Serviee Composer: Traffic Redirection with PAN Example (1) .455
Service Composer: Traffic Redirection with PAN Example (2) .456
Lesson 6: Other Monitoring Options 459
Learner Objectives .460
About Syslog .461
Syslog Format .462
vCenter Log Insight. .463
Review of Learner Objeetives .465
Key Points .466
Contents xi
xii VMware NSX: Install , Config ure, Manage
MODULE 1
Course Introduction
Slide 1-1 II
oa
Module 1 c
Cil
(1)
:J
......
i3
c.
c
VMware NSX: Install, Configure, Manage Q.
o'
:J
VMware NSX: Install , Configure , Manage 1

Importance
Slide 1-2
VMware NSXTM is the network virtualization and security platform for

the software-defined data center. NSX brings virtualization to your
existing network and transforms network operations and economics.
2 VMwa re NSX: Install , Configure, Manage

II
Learner Objectives
Slide 1-3
By the end of this course, you should be able to meet the following oa
objectives: c
Cil
(1)
Describe the evolution of the software-defined data center ::J
......
Describe how NSX is the next step in the evolution of the software- ac.
defined data center c
Q.
Describe data center prerequisites for NSX deployment o'
::J
Describe basic NSX layer 2 networking

Configure, deploy , and use logical switch networks
Configure and deploy NSX distributed routers to establish East-West
connectivity
Configure and deploy VMware NSX Edge services gateway appliances
to establish North-South connectivity
Configure and use all the main features of the NSX Edge services
gateway
Module 1 Cou rse Introduct ion 3

Learner Objectives (2)
Slide 1-4
By the end of this course, you should be able to meet the following
objectives:
Configure NSX Edge firewall rules to restrict network traffic
Configure Distributed Firewall rules to restrict network traffic
Use role-based access to control user account privileges
Use Activity Monitoring to determine if a security policy is effective
Use Flow Monitoring to monitor network traffic streams
Configure Service Composer policies

II
You Are Here
Slide 1-5
oa
c
Cil
(1)
VMware N5X: Install Configure Manage :J

......
i3
c.
IE Course Introduction
c
Q.
o'
:J
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway Features
NSX Security
Module 1 Course Introduction 5

Typographical Conventions
Slide 1-6
The following typographical conventions are used in this course.
Monospace Filenames, folder names , path

names , and command names :
Navigate to the VMS folder.
Monospace bold What the user types :
Enter ipconfig /release.
Boldface User interface controls:
Click the Configuration tab.
Italic Book titles and placeholder
variables :
vSphere Virtual Machine
Admin istration
ESXi- hostname

II
References
Slide 1-7
oa
c
Cil
(1)
::J
......
ac.
c
Title Location Q.
o'
::J
NSX Installation and Upgrade Guide http://pubs .vmware .com/NSX-6/index.jsp
NSX Administration Guide http://pubs.vmware.com/NSX-6/index.jsp

About NSX
Slide 1-8
NSX is a network virtualization platform that enables you to build a

rich set of logical networking services.
Logical Switching: Layer 2 over Layer 3,

decoupled from the physical network
Logical Routing: Routing between virtual
networks without exiting the software
container
Logical Firewall: Distributed Firewall,
Kernel Integrated, High Performance
Logical Load Balancer: Application Load
Balancing in software
Logical VPN: Site-to-site and remote
Any Network Hardware access VPN in software
NSX API: REST API for integration into
any cloud management platform
Partner Ecosystem
8 VMware NSX: Install, Configure, Manage

II
NSX Cert ification
Slide 1-9
For details about VMware certifications, go to: oa

c
http://mylearn.vmware.com/portals/certification Cil
(1)
::J
......
ac.
c
Q.
o'
::J

VMware Learning Path Tool
Slide 1-10
vmwareEDUCATION SERVICES
Learning Path Tool

Learn by SolutionTrack. Role. Product. or Certification
Choose YourPath'
Leamby Leamby Leamby Achieve

Solution Track Role Product Certification
To determine your learning path for VMware training, go to:

http://vmwarelearningpaths.com
To make the VMware training that you take most valuable, you must decide which learning path to
take. Your learning path can be based upon a solution track that you want to pursue or a role in your
organization that you want to take on. Your learning path can also be based on a product that you
want to master or a VMware certification that you want to achieve. Regard less of wh ich path you
choose, the VMware Learning Path Tool can help you to succeed and achieve your goal.
10 VMware NSX : Install , Configure, Manage

II
NSX Resources
Slide 1- 11
For NSX technical information, use the following resources: oa

c
NSX Resources Cil
(1)
http://www.vmware.com/products/nsx/resources.html ::J
......
VMware Communities ac.
c
http://communities.vmware.com/ Q.
o'
VMware Support ::J
http://www.vmware.com/support/
VMware Education
http://www.vmware.com/education
VMware Support Toolbar
http://vmwaresupport.toolbar.fm
Making full use of VMware technical resources can save you time and money. The following are
extensive VMwa re Web-based resources:
The VMware Communities Web page provides tools and know ledge to help users maximize
their invest ment in VMware products. VMware Communities provides information about
virtua lization technology in technical papers, documentation, a know ledge base , discussion
forums , user groups , and technical newsletters.
The VMware Support page provides a central point from which you can view support offerings,
create a support request, and download products, updates, drivers and tools, and patches.
You can view the course catalog and the latest schedu le of courses offered worldwide on the
VMwa re Education page. This page also provides access to informat ion about the latest
advanced courses offered worldwide.
For quick access to commu nities, documentation, downloads, support information, and more ,
install the VMware Support Toolbar, which is a free download .
VMware vSphere documentation is availab le on the VMware Web site. From this page, you
can access all the vSphere guides , which also include guides for optional modules or products.
Module 1 Cou rse Introduction 11

12 VMware NSX: Install , Configure, Manage
MODULE 2
N5X Networking
Slide 2- 1
Module 2
II
z
en
><
zCD
?o
.....
~
::J
to
VMwa re NSX: Install , Configure , Manage 13

You Are Here
Slide 2-2
VMware NSX: Install Configure Manage
Course Introduction
IE NSX Networking
NSX Routing
NSX Edge Services Gateway
NSX Security
14 VMware NSX: Install , Configu re, Manage

Importance
Slide 2-3
Understanding the high level concepts of the software-defined data

center and network virtualization using VMware NSXTM is critical to
efficiently using NSX in the virtualized environment that enterprises
are moving to. II
z
(j)
><
Z
CD
?o
.....
~
:::J
to
Module 2 NSX Networking 15

Module Lessons
Slide 2-4
Lesson 1: Introduction to vSphere Virtualization

Lesson 2: Overview of the Software-Defined Data Center
Lesson 3: Introduction to NSX and NSX Manager
Lesson 4: NSX Controller

Lesson 1: Introduction to vSphere Virtualization
Slide 2-5
II
z
(j)
Lesson 1: ><
Z
CD
Introduction to vSphere Virtualization ?o
.....
~
:::J
to

Learner Objectives
Slide 2-6
By the end of this lesson, you should be able to meet the following
objectives:
Discuss the features of VMware vSphere
Provide an overview of the challenges that vSphere is intended to
resolve

Virtual Machines
Slide 2-7
Real Operating System II

z
(j)
Dedicated Virtual Hardware ><

Z
CD
?o
Real Applications .....
~
:::J
to
Stable and Dependable No Need for Modification No Special Changes to as
Virtual machines look and behave like physical servers .

Users might not be able to distinguish a virtua l machine from a physical server. Subtle differences
make virtual machines unique and helpful in the data center. The hardware of a virtual machine is
softwa re.
This feature gives you many advantages, such as the ability to replace and upgrade components of
the virtual hardware quickly.
Virtual hardware also allows you to add hardware devices such as network cards and processors
without rebooting the virtua l machine.
Ultimately, virtual hardware can help reduce your downtim e because you do not need to reboot your
virtual machin es every time you want to upgrade their capabilities.

Benefits of Virtual Machines
Slide 2-8
Image Backups
Bare-Metal Backups
File-Based Restores
Hardware Independence for Restores
Virtual machines can be used to host any application from file servers, database serve rs, email
serve rs, and even high-p erform ance application servers.
Organizations might choose to virtualize their servers for the followin g reasons:
Consolidate lightly used servers to conserve space and power in their data center. These
workloads are ideal for virtualization because you can often place many virtua l machines on a
single physic al host.
Increase availability, whether as a protection scheme against common hardware failures or
compl ete site-level disasters. Virtual machines are easy to move, copy, and restore, so they
make disaster recovery simple.
Provision new servers quickl y because new virtual machines can be created and deployed in
minut es.

ESXi Hypervisor
Slide 2-9
VMware ESXi benefits:
Direct hardware access
Less overhead than hosted hypervisors

Type 1 Hypervisor Type 2 Hypervisor
II
z
en
><
Flexible installation options
zCD
?o
.....
~
::J
to
11 ESXi
L -
=Lower resource overhead

0 I:l
---
VMware ESXi is a VMware type I hypervisor. ESX i is a bare-metal hypervisor. This hypervisor
performs the role of resource management while enjoying direct access to the underlying physical
hardware.
This hypervisor can improve your resource efficiency because of less operating system overhead . In
addition, the stability of the ESX i hypervisor is not dependent on another operating system.
ESXi is commonly insta lled directly on hard drives in your physical server, but ESXi can also be
installed onto flash drives, SO cards, and USB drives.
You can also network-boot an ESX i host using traditional boot from network tools such as preboo t
execution environment (PXE) and Trivial File Transfer Protocol (TFTP) servers.
VMware provides several ways to deploy your ESXi hosts because each organization's needs vary.
ESXi hosts your virtua l machines and provides some basic management functions to help you
deploy and control your virtual mach ines.

vCenter Server
Slide 2-10
vSphere Client Active Directory

VMware vCenter Server" dom ain
is scalable
ESXi host ESXi host ESXi host

vCenter Server
Components:
Identity Management Server
Database Server 1,000 ESXi hosts
Application Server
Web Server 10,000 VMs
VMware vSphere Web Client
VMware vCenter Server" is a multitier application designed for the enterpris e, but is capabl e of
managing even the smallest of organizations. The vCenter Server system is designed to be highly
scalabl e and can expand with your data center virtu alization initiatives. The vCenter Server system
includes components for an Identity Management Server, Database Server, Application Server, Web
Server, and VMware vSph ere Web Client.
You can deploy the vCenter Server system in various forms and install the roles onto a single server
or multipl e servers depending on your needs. The vCenter Server system can be installed on a
Windows system or deployed as a virtual appliance to give you more flexibility.
A single vCenter Server system can scale from managing a single ESXi host up to 1,000 ESXi
hosts. The vCenter Server system can also manage up to 10,000 pow ered on virtual machin es, which
is ju st one vCenter Server instance.
As an organization expands, you can add more vCent er Server instances and even migrate into a
cloud-b ased configuration to provid e more management and provisioning abiliti es.

vCenter Server Management Features
Slide 2-1 1
The vCenter Server system is a centralized platform for management

features.
The vCenter Server system includes the following management
features:
VMware vSphere vMotion
II
z
(j)
><
Z
VMware vSphere Distributed Resource Scheduler" (DRS) CD
VMware vSphere Distributed Power Manaqernent" (DPM) ?o

.....
~
VMware vSphere Storage vMotion VIT1W<lre :::J
to
VMwar e v Center
VMware vSphere Storage DRS Server
VMware vSphere Data Protection

VMware vSphere High Ava ilability
VMwa re vSphere Fault Tolera nce
VMware vSphere Replication
The vCenter Server system manag es each of your ESXi hosts. The vCenter Server system can
perform operations that require multiple ESXi hosts.
The vCen ter Server system includes the following featur es:
VMware vSphere vMotion enabl es you to migrate running virtua l machines from one ESXi
host to another without disrupting the virtua l machine.
VMware vSphere Distributed Resource Scheduler" (DRS) provid es load balancing for your
virtual machines acros s the ESXi hosts. DRS leverages vSphere vMo tion to balanc e these
worklo ads.
If configured, VMw are vSph ere Distribu ted Power Managem ent" (DPM) can be used to
power off unused ESXi hosts in your environment. DPM can also pow er on the unused EXI
hosts at the correct time.
VMware vSphere Storage vMotion allows you to migrate a running virtual machine 's hard
disks from one storage device to another devic e.
VMware vSphere Storage DRSTM automates load balancing from a storag e perspective.
VMware vSphere Data Protection" enab les you to back up your virtual machin es.

VMware vSphere also has availability features such as VMware vSphere High
Availability'P' to restart your virtual mac hines on another host if you have a hardware problem.
If a virtual machine restart is too slow, VMware vSphere Fault Toleranc e provid es
uninterrupted availability for your virtual machines.
VMware vSphere Replication" can copy your virtual machin es to another site for disaster
recovery.
24 VMware NSX: Install , Configure , Manage

vSphere vMotion
Slide 2- 12

z
en
X
Z
ro
~
o
~
'"
<0
vSphere vMutiun allows yuu tu migrate a running virtual machine from one ESXi host to another,
even during norm al business hours.
You can usc vSphere vMotion to help load balance your ESX i hosts in a cluster.
vCenter Server orchestrates a copy process between the ESXi hosts. The memory is copied between
the hosts and the virtual machioe is transferred to the new host.
vSphere vMutiun can operate without shared storage, meaning that you can migra te a running
virtual machine between hosts, even if the ESXi hosts have no shared storage in common.

Shared Storage
Slide 2- 13
Shared Storage Virtual Machines

Applications and Operating Systems
Visible to multiple ESXi hosts
Typically used to store

virtual machines and ISO files
ESXi Hosts
Storage Array
vSphere supports Fibre Channel, Fibre Channel over Ethernet (FCoE), iSCSI, and NFS for Shared
storage. vSphere also supports local storage .
Each storage option has its own strengths and weaknesses. So VMware does not cons ider one
storage type as better than another for virtua lization.
26 VMware NSX: Install, Configu re, Manage

Features That Use Shared Storage
Slide 2- 14
The following features use

shared storage:

DPM
DRS
Virtual Machines
Applications and Operating Systems
II
z
en
vSphere Storage DRS ><
vSphere HA
zCD
?o
vSphere FT .....
~
::J
to
ESXi Hosts
Storage Array
Features that are listed in the slide require a shared storage infrastructure to work properly.

Virtual Networking
Slide 2- 15
Virtual networking is similar to physical networking. Each virtual machine and ESXi host on the
network has an address and a virtual network card. These virtual network cards are connected to
virtual Ethernet switc hes.
Virtual switches attach your virtual machin es to the physical network, or you can create isolated
networks to be used during testing and development. Virtual networking provides the same
flexibility as server virtualization.

Virtual Switch Types
Slide 2-16
Virtual switches are of the following types:

Standard switch architecture: Manages virtual machine and networking
at the host level
VMware vSphere Distributed Sw itch architecture: Manages virtual
machine and networking at the data center level
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to
Virtual switches can be of different forms, each with a different feature set. vSphere supports two
main categories of virtua l switches: the standard switch and the VMware vSphere Distributed
Switcht>'. Both switches help you to reduce network clutter by reducing the number of physical
network cab les plugged into your ESXi hosts .
Each ESXi host is preb uilt with a standard switch that provides basic connectivity and management
features . The distributed switch expands upon that model by providing a central interface to manage
the different connections and features found in the virtual switches . The distributed switch can
provide more features as a resu lt of this centralized management approach.

Networking Features
Slide 2-17
Networking has the following features:

VLANs
Traffic shaping
Port mirrorin g
Q08, D8CP
CPD/LLDP
Virtual networking can be as simpl e or as comp lex as you need. The following features are
supported by vSphere:
VLANs provide logieal separation of your network traffic , and are often used to isolate different
subnetworks. such as a test or restore network.
Traffic shaping is a feature that allows you to restrict the inbo und and outbound network
bandwidth ofa group of virtual machine s. This feature can help reduc e congestion in your
virtual network.
Port mirroring enables you lu monitor a virtual machin e's traffic for troubleshooting or intrusion
prev ention. This feature allows you to capt ure all the traffic sent to or from a virtual machine
for later inspec tion.
Quality of service (QoS) and DSCP are networkin g standard s that allow network switches to
prioritize certain network traffic over others. An example is prioritizing the voice traffic from a
call manager server to improve performance .
NetFlow is a network monitoring tool that allows you to determin e your top talkers on the
network and other metadata about the comm unications that occur on your network.
30 VMware NSX: Install, Configure , Manage

Cisco Discovery Protoco l (CDP) and Link Layer Discovery Protocol (LLDP) are discovery
protoco ls used to identify neighboring physical network switches. CDP and LLDP can be used
to help discover and troubl eshoot misconfigurations.
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to

vSphere Product Placement
Slide 2- 18
'- >. r:::

0 ;t::: r::: 0 Q)
1/1 0 :;:; u
.~ .c :;:; r::: en
-
0
u
--
r::: III 0::
Q) ..!!! Q)
0
::!: '- "C
Q, III 0 (1); > Q) 0 Q)
>. r:::
~ ~ ::l
'- Q) Q)
'- III
.c..r:::
-
J: 0 0.. Q) u Cl Cl
:;:; .- u
- -
..r::::= III ~ III
vSphere X 0 ..r::: III Q,Q, '-
::l en ::!: '- '--
.-
en ::!: Cl III en Q)
0
III 0:: 0.. 0 .!!! ~
Edition w > ~ 0 >0:: en LL 0 0 en oen
Essentials X
Essentials Plus X X X X X
Standard X X X X X X X
Enterprise X X X X X X X X X
Enterprise Plus X X X X X X X X X X X

Review of Learner Objectives
Slide 2-19
You should be able to meet the following objectives:

Discuss the features of vSphere
Provide an overview of the challenges that vSphere is intended to
resolve
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to

Lesson 2: Overview of the Software-Defined Data Center
Slide 2-20
Lesson 2:
Overview of the Software-Defined Data
Center

Learner Objectives
Slide 2-2 1
objectives:

Describe advantages of the software-defined data center
Identify components of the software-defined data center
II
z
(j)
Explain the role of the virtual network in the software-defined data ><
center Z
CD
?o
.....
~
:::J
to

Choices for IT
Slide 2-22
Software is the foundation that is powering the evolution of networks

and data center infrastructure.
Software-Defined
New IT Data Center
Hardware Defined
Data Center
(
No IT
Outsourced
Today, enterpris e busin ess leaders want their IT to create applic ations quickly and easily. Enterprise
business leaders must decide whether to build in-house IT or to outsourc e their IT and app lications.

Data Center Models
Slide 2-23
Businesses that want to deploy applications and their necessary

server infrastructure quickly, choose between the current hardware-
based model and the software-defined data center.
Hardware-Defined
Data Center OR Software-Defined
Data Center
II
z
(j)
><
.
Any Application Any Application Z
CD
?o
Applicatio n-Spec ific Policies ~~~~~~~~i5l .....
~ ~
:::J
Data Center Virtualization to
Any x86
Any Storage
App lication -Specific Policies

Any IP Network
The hardware-defined data center is the traditi onal model. This model includes racks of equipment
and each piece of hardware includes one or more specific defined tasks. Email, database, and other
business-criti cal applications run on specific servers . This mod el is not the answer for futur e
requir ements.

Advantage of Software-Defined Data Center
Slide 2-24
Some of the most agile providers and consumers are moving system
intelligence into software through custom applications or platforms.
Google I Facebook I
Amazon Data Centers
":oftwa re I Hard ware Abstraction
oftware I Hardware Abstraction
Any x86
Any Storage
Any IP network
Providers are decoupled from physical infrastructure, allowing them to use any x86, any storage,
and any IP networking hardware. This approac h increases agility, reduces cost, and provides a
highly scalable infrastructure with a softwa re-defined data center approac h. These benefits resu lt
from a hardware-abstraction layer software that runs on top.
38 VMwa re NSX: Install , Configu re, Manage

Choice for New IT
Slide 2-25
Software can innovate much faster than hardware.
Software-Defined
Data Center
Google I Facebook I
Amazon Data Centers
Hardware-Defined
Data Cente r
II
z
(j)
><
Any Application Any Application Z
CD
?o
....
~
:::J
to
Any x86
~J
Any Storage
Any IP network
The software-defined data center is similar to the approac h taken by Amazon, Goog le, and
Facebook. This approac h does not include a vertically integrated hardware-specific approac h. For
example, with a hardware-centric infrastructure, you must buy in-unit networking hardware for the
network to function. With the software-defined data center approac h, you can run any network
switch.

Software-Defined Data Center as New IT
Slide 2-26
The software-defined data center can span across multiple data

centers and into hybrid service providers, independent of physical
infrastructure.
Software-Defined Inter-Data Center Hybrid Data Center

Data Center
Any Application Any Application Any Application
. . .. .... .
Data Center
. .
vutuanzauon
Any x86 Any x86 Any x86
Any Storage Any Storage Any Storage
Any IP network Any IP network Any IP network
VMware NSX TM can do layer 2, SSL, and IPSEC VPNs . This functionality provi des business
continuance and disaster recovery capab ilities, whic h are not otherw ise avai lable. NSX can be
combined with VMware vCloud Hybrid Service" to provi de a hybrid cloud strategy.

Components of a Software-Defined Data Center
Slide 2-27
The software-defined data center extends virtualization.
Applications
Software-Defined
Data Center
App lications
Software-De fi ned
Dat a Center
Applications
Software-Defined
Data Center
II
z
en
Virtual Compute
Virtual Storage
Virtual Compute
Virtual Storage
Virtual Compute
Virtual Storage
><
Virtual Network Virtual Network Virtual Network zCD
Policy Policy Policy
Security Security Security ?o
Scale Scale Scale .....
~
Desktop ::J
to
Internet
Storage
Virtual Desktop
Laptop
~ ---~--------------------------------------------_.
Tablet
Mobile
Admin
Policy Configuration Hardware Independence
Operational Visibility
Clo ud Manageme nt IP Network Server Sto rage
Hardware Hardware Hardware
Location Independence
Data Cen ter 1 Data Ce nter 2 Public DC
The software-defined data center extends the virtualization conc epts like abstraction, poolin g, and
automation to all data center resources and services. Components of the software-defined data center
can be implemented together, or in phases:
Compute virtualization, network virtualization, and software-defined storage deliver
abstraction, pooling, and automation of the compute, network, and storage infrastructure
services.
Automated management delivers a framework for policy-based management of data center
application and services.

Vision and Strategy
Slide 2-28
The software-defined data center is not a product, but it is an

approach.
The software-defined data center leverages products from VMwa re and other companies.
Manage ment and orchestration are used to configure, manage, monitor, and operationalize a
software-defined data center. Produc ts like VMware vCloud Automat ion Center'?', VMware
vCe nter Opera tions Management Suitet>', and VMware vCenter Log Insight" and also third -
party solutions or custom cloud management platform s can be used.
The software-defined data center has the followin g advantages :
A software-defined data center is decoupled from the und erlying hardware, and takes advantage
of underlying network, server, and storage hardware.
A software-defined data center is location-independent and can be in a single data center, span
multi ple private data centers, or span hybrid public data centers
A software-defined data center leverages a data center virtualization layer to enable
independent, isolated application environments to be deployed on top of the hardware and
location-independent infrastructure.

Virtual Compute , Storage, and Network
Slide 2-29
The pooling of hardware resources provides many advantages.
II
z
(j)
><
Z
CD
Virtual Virtual Virtual ?o
Software Machines Networks Storage Application .....
--------------------------
Hardware Compute Network Storage
Consumption
~
:::J
to
Capacity Capacity Capacity

Desktop
Internet
Virtual Desktop
Laptop
Tablet
Mobi le
Location Independence
The software-defined data center is a unified data center platform that provides automation,
flexibility, and efficiency. Compute, storage , networking, security, and availability services are
pooled, aggregated, and delivered as softwa re. These services are also managed by intelligent,
policy-driven software.

Data Center Hardware
Slide 2-30
NSX uses existing data center hardware.
'cal Network
, ling phySI
EXl5u
NSX enables you to start with your existing network and server hardware in the data center.

Hypervisors and Virtual Switches
Slide 2-3 1
ESXi hosts, virtual switches, and distributed switches run on the

hardware.

z
en
X
Z
ro
~
o
~
'"
<0

NSX: Network Virtualization Platform
Slide 2-32
NSX handles the data across the virtual switches.
NSX adds nothing to the physic al switching environment. NSX exists in the ESXi environment and
is independent of the network hardware.

About a Virtual Network
Slide 2-33
A virtual network is a software container that delivers network

services. These network services are expected from a network by
connected workloads.
II
z
en
><
zCD
?o
.....
~
::J
to

Network Virtualization: Layer 2
Slide 2-34
NSX virtualizes logical switching.
The slide shows an example of layer 2 connectivity between two virtual machin es on the same
hypervisor and host. Traffic on the layer 2 network never leaves the hypervisor.

Network Virtualization: Layer 3
Slide 2-35
NSX virtualizes logical routing.
II
z
en
><
zCD
?o
.....
~
::J
to
. INetwork
Existing PhyslC3
The slide shows an example where NSX virtualizes the layer 3 connectivity between two virtual
machin es on the same hypervisor and host. NSX virtualizes the layer 3 connectivity in different IP
subnets and logical switch es with out leaving the hypervisor to use a physical router. This
virtualization also provides routing between two virtual machin es on two different sides of the data
center across multipl e layer 3 subnets and availability zones.

Concept Summary
Slide 2-36
A review of concepts discussed in this lesson:
What is the layer where management components
The management plane
operate?
What is the layer where control components operate? The control plane
What is the layer where data is transmitted? The data plane

What is a vSphere port group created on a distributed
A logical switch
switch with NSX modules installed called?
What are multiple tenants connected to the same egress
Multitenant
point segregated by isolating the tenant networks called?
What handles NSX communications between the
User World Agent (UWA)
VMware NSX Manager!" , VMware NSX Controller!" ,
and ESXi host?
Virtual Extensible Local Area Network
What uses layer 3 UDP encapsulation to extend logical (VXLAN)
layer 2 networks across layer 3 boundaries?
Representational State Transfer API
What is used for integration into cloud management (REST API)
platform?
NSX Controller
What is the virtual machine used by NSX for control
plane operations?

Slide 2-37

Describe advantages of the software-defined data center
Identify components of the software-defined data center
Explain the role of the virtual network in the software-defined data
center
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to

Lesson 3: Introduction to NSX and NSX Manager
Slide 2-38
Lesson 3:
Introduction to NSX and NSX Manager

Learner Objectives
Slide 2-39
objectives:

Describe capabilities of NSX
Explain differences between the data, control, and management planes
II
z
(j)
Recognize NSX topologies ><
Z
Illustrate the role of NSX Manager CD
?o
.....
~
:::J
to

NSX Capabilities
Slide 2-40
NSX has a number of features.

Lo gical Switching: Layer 2 over Layer 3,
decoupled from the physical network
Logical Routing : Routing between virtual

networks without exiting the software container
Logical Firewall: Distributed firewall, kernel

integrated, high performance
Logical Load Balancer: Application load

balancing in software
Logical Virtual Private Network (VPN): Site-

Any Network Hardware to-site and remote access VPN in software
VMware NSX APITM : REST API for integration

into any cloud management platform
Partner Ecosystem
NSX provides the following function al services:

Logical layer 2 to enable the extension of a layer 2 segment or IP subnet anyw here in the fabric
irrespective of the physical network design.
Distributed routin g to enable routin g between IP subnets without traffic going out to the
physical router.
Distributed firewall to enable security enforcement at the kernel and VNIC level.
Logical load balancing to provid e support for layer 4 throu gh layer 7 load balancin g with the
ability to do SSL termination,
SSL VPN services to enable layer 2 VPN services.

Prepare for Installation: Client and User Access
Slide 2-4 1
The requirements for deploying NSX to a vSphere environment are

the following:
Management system and browser requirements:
A supported web browser:
- Internet Explorer 8, 9 (54-bit), and 10.
II
z
(j)
><
- The two most recent versions of Mozilla Firefox. Z
CD
- The two most recent versions of Google Chrome. ?o
The vSphere Web Client. .....
~
:::J
Cookies enabled in the browser used for management. to
Environment requirements:
Correct DNS configuration for ESXi hosts added by name.
User permissions to add and power on virtual machines.
Permissions to add files to the virtual machine datastore.
NSX has the following requirements:

vCenter Server 5.5 or later
ESXi 5.0 or later for each server
VMware Tools'P'

Prepare for Installation: Port Requirements
Slide 2-42
NSX components require a number of ports for NSX

communications:
443 between the ESXi hosts , vCenter Server, and NSX Manager.
443 between the REST client and NSX Manager.
TCP 902 and 903 between the vSphere Web Client and ESXi hosts.
TCP 80 and 443 to access the NSX Manager management user
interface and initialize the vSphere and NSX Manager connection.
TCP 22 for CLI troubleshooting.
NSX requires these port s for installation and daily operations.

Installation: Manager OVA
Slide 2-43
After ensuring the correct preparation steps, install the OVA:

1. Obtain the NSX Manager OVA file.
2. Deploy the NSX Manager OVA file.
3. Log in to the NSX Manager.
II
z
(j)
4. Establish the NSX Manager and vCenter Server connection. ><
Z
5. Back up the NSX Manager data. CD
?o
.....
~
:::J
to
To install the OVA
1. Place the NSX Manager Open Virtualization Appliance (OVA) file in a location access ible to
your vCenter server and ESXi hosts.
2. Import the OVA like any other virtua l machine.
During the import process you are prompted to configure the initial network settings .
3. Power on the NSX Manager.
4. Log in to the administrative interface to configure the NSX Manager.
5. Configure the different NSX settings.
The NSX features are ready to use.

Initial Configuration: Management UI
Slide 2-44
Access the NSX Manager user interface to configure the manager

initially.
--.,
I ..... ... J
"._"' ...
~
-----------------------1
NSX ManagerVirtualAppliance Management
Download Tech sccccn LOg
~ Manage Appll3nte settIf'lgs BackUp & Restore
Manage vCenter PegrstranOll upgraoe
After logging in to the NSX Manag er, click Manage App liance Settings to configure the initial
settings.

Initial Configuration: Time and Syslog Settings
Slide 2-45
Configure the time server and syslog settings.
. ..-
....-... ".,
I ' .. _, ~ ..
rime s.n mg. Uneontlgur. HTP serv!i!"] ~

II
z
en
st11lNC'J,
><
Gene ral Spttll'1 P'lTP urvtr t1etow Fot 590 ton"atlon 10work cor~tIY It II reQulrt d 1tl0i1 tt..,
be In sync 11'5 lecOftlfMnd~ lo U'58the same mpUM."t tJ'5edbY1M!'sao51-rver
~ on !tit, 'tIrtlJll aoppllinu ~n13 tffP UM'r ItlOuk!
zCD
NTP$eM'1 192 168 no 10
Tim.lone tJTC ?o
D e!Jlme 01108f1Q14 21 35 U .....
~
::J
to
S}osIogSefwf ( Unc(Ml(lg urt J~
You( an s~1ftthe IP ad4feu Ot ".me oftrle "rs," S.t"Mlf Sh.' elln De rnolYe'd uSIng1M!'abO'tementioned ONS Sel't'tf{'S)
Syttog StfWf "<'C-I-Q1 a corp local

PM 51'
ProtocOl UOP
l .....
...us
On the general page, configure the time and Syslog services.

Initial Configuration: Network Settings
Slide 2-46
Assign the NSX Manager to the correct IP address and configure

other IP settings.
51 II IHGS
Hostn~ ns:.mgrI-Ota
Dom aItl N ."...
SSL Ctl1U'Iutft 1PY4 lnfonn.allOn
Inl68"OU
Ne1mask 155255 ''55 0
Df'f~I1. Oartway 191 168110 :1
IP6InfOfftUlllon
Acld,e ",
Prtl'ilLengttl
OtfaulOa~
~Il oblecti lert'n~nc:t'G ustng ill hOi~ilme , 'l'OO mus.l prtMde one 01' mQfe ONS Unotf'S commonlO ..c~r. ESXhOm and
To rnOfwto
~r ~tl.'. co~nts (Ifl)llmiliTYor st< ol\d ary UMf I S. ...mO\Ot<l.lle fleld Mllablt (Ins ......., In ItItllntwouhJ aUumt tnt ""POns.lbl!lt'J')
lPt ONSStrm1
PJ1m;wy~ In 168 110 10
Sf' COndiitY SeolWf
Ifl\ofiONSStt\l\"fs
Pr1rntSef'm
SecondaryStfWr
Verify that the network settings are correc t.

Initial Configuration: vCenter Server Connection
Slide 2-47
Register the NSX Manager with a vCenter Server to begin using NSX
capabi Iities.
'1'1'110;1' ' -
~
....... ~ , . "'IjI"+C.1~ 1'''''_
-'
II
z
en
><
lookup SeNe.. zCD
F'or~.'*r "r~", S 1 _~, lOU","confgur, LOOI<UD s.rw:.
""'d Pf~ tie sao MmInI'tr~fOr
crt1lIff\ll.Io~'l"NSlC .... M~~I'lCS.Mt . . .
ttMl' lOt sse
ton6gu'.lIbtlrllOw()t', (NQ('"
lsotlAOn\It... IIIlto ~(~lM<JIlot..tlheNTP
?o
.....
~
::J
...:-,,- E.. to
(: ~ ""Cl IlO " .c.,.., Urvtf .,..atI\f1I NSX " 1!'lIQ'~~ StiNK' to dflotaYfJ ...........,.II'lft.W1I(t./rt'
l1Wtntott HTTPS ll'Ol1{ ~ ~l'I"iU IOll.OO'tflHfOf(Clf'lVnUl'll{a~ll"""tfl H$l( Ml nl9 tmt"' StMt:.
ESlCalIdVC For.U 1l.lafportS "~.'" IHtotI1:lltnllln(l U"rN.(.t.OfC",,~ "'.pannolol'
lMlIII~bon'lfIt1\ot 'N$XMtalIWOf'l and UP",ad'0\Ii".. WIl)ufI'C.'" t1O$Uocf Dr "l'Wf" ...c...,
S''''''-'''O~In( pl.n. trltvf''''iC~'CPV and IMfl'oOlYrn.,....-..ontl !JfWtfltot'M1 i1I~hlC'W
.c'MltS.!'Wtr 10 . 1 0 .10 .1 1
1(:,,.,..,.... N.me roo!
SlIIIn ConnIfd
Connect the NSX Manager to the desired vCenter Server and the initial configuration is complete.

NSX Overview: Planes
Slide 2-48
Each component operates in a specific plane.

Consumption
Model
Management
Plane
- - ----- - - - - - - - - - ------ - - - - - - ------ - - - - - - - - -- ---- - - - - - - --- ----.- - - - - - - ------- - - - - - -- ------- - - - - -- - - - ---- - -- - - - ---
Control
Plane
.--- - - ---_.- - - -- -------- ------- -- ---- ------------- .--- - -- ---- - ------_.- - - --- ------ - -- -----. -- - - --------- - ----------
Data
Plane
NSX uses the management plane, control plane, and data plane models. Compo nents on one plane
have minimal or no effec t on the functi ons of the planes below.

NSX Overview: Data Plane Components
Slide 2-49
The data plane handles the flow of data between endpoints.

Consumption
Model
Management
II
z
(j)
Plane ><
--------------------------------------------------- ------ - - - - - - - - ------ - - - - - - - - - ------ - - - - - ---- - - - - - - - --- ------- Z
CD
Control
?o
....
Plane ~
:::J
to
-- - ----- - - - - - ---- -- - - - - -_.- - - - - - - - --- - - - -- ----- - - --- - ----- - - - ------- - - - ---_.- -- - -- -------- -- ------ ---------- - ------
VMware NSX Virtual Switch
NSX Virtual Switch NSX Edge Distributed network edge
Services
+ ~ lti ~ ' G ateway Line rate performance
Data =-liDii,stil,rib~~u ted

. h
:
: VXLAN
~
~
Distri but ed Firewall :
I.:C? g.i ~_<!I.f~.C?!J_t~_r
:
': '
VMware NSX Edge gateway
virtual machine form factor
Data plane for North-South
Plane Hypervisor Kernel Modules
traffic
Routing and advanced
ESXi services
Switch Security
The data plane is defined by the distributed switch. The distributed switch does only layer 2
switching. Hosts have to be on the same layer 2 network so that virtual machines on each host can
communicate with virtual machines on the other host.
NSX installs three vSphere Installation Bund les (VlB) that enable NSX functionality to the host.
One VlB enables the layer 2 VXLAN functionality, another VlB enables the distributed router, and
the final VlB enables the distributed firewall. After adding the VlBs to a distributed switch, that
distributed switch is called VMware NSX Virtual Switch . On NSX Virtual Switch, hosts are not
restricted to the same layer 2 domain for virtual machine to virtual machine communic ation across
hosts. You must migrate virtual machines from a host before installing the VlBs . If the VlBs must
be removed , the ESXi host requires a reboot.
VMware NSX Edge" gateway is not distributed and so the gateway lacks a contro l entity. NSX
Edge gateway handles control traffic. Conceptually, an NSX Edge gateway should be on the barrier
between the data and control planes.

NSX Overview: Control Plane Components
Slide 2-50
The control plane handles the implementation.

Consumption
Model
Management
Plane
- - ---- - - - - - - - -- -_.- - - - - - - - _. ------ - - - - - - - ------ - - - - - - - - -- ----- - - - - - _. ---- - - - - - - - -------- - - - - - - - ------ - - - - - - - -- ~-
NSX Logical NSX Controller Manages lo gical networks

Router Control VM User World Agent
Run-time state
Control
Does not sit in the dat a path
Plane Control plane protocol
.--- ----- --- --- - - -_.- ---------- - - --------- ------ - --- ---_.- - - - ----_.-- - - -------- - -- ---------- - -_.--- --- ------ - ----
NSX Virtual Sw itch
NSX Virtual Sw itch NSX Edge . Distributed netwo rk edge
Services Li ne rat e performance
Gateway
NSX Edge gateway
Data Virtual mach ine form factor
Plane Data pl ane fo r North-So uth
t raffic
services
Switch Security
The NSX logica l router contro l virt ual machine and VMware NSX Con troller" are virtua l
machi nes that are dep loyed by VMware NSX Managert'<,
The user world agent (UWA) is composed of the ntcpad and vsfwd daemons on the ESXi host.
Communication related to NSX between the NSX Manager instance or the NSX Con tro ller
instance s and the ESXi hos t happen thro ugh the UWA.
The logical router control virtual machine hand les routing network relationships . This virtua l
mach ine gives the routing table to the NSX Manager instance .
The NSX Virtual Switch does not control routing plane traffic . So the NSX logical router control
virtua l mach ine is instant iated on its beha lf to handle that func tion. One NSX Controller virtual
machine gets dep loyed for each distributed logical router instance. The NSX Controller instanc e
retains information for the media access control (MAC), Address Resolution Protocol (ARP), and
Virtua l Tunne l End Poin t (VTEP) tab les. VMware reco mme nds that you deploy NSX Controller
instances in clusters of three to preve nt situatio ns where the NSX Contro ller clusters are split even ly.
If the control plane componen ts are lost, the ability to form new paths between virtual mac hines is
also lost and the current paths age out as the TTLs exp ire.

NSX Overview: Management Plane Component
Slide 2-51
The management plane handles the user management input.

Consumption
Model
Management
Plane
NSX Manager vCenter Server Message Bus
A ent
Single point of configuration
REST API and UI interface
II
z
en
><
- - - ----- - - - - - - - ----- -- - ------- ----- - - - - - - _. ----- - - - - - - -- ------ - - - - - - - - ---- - - - - - - - - ------- - - - - - - - ------ -- - - - - - - -- zCD
NSX Logical NSX Controller Manages logical networks
Control
Router Control VM User World Agent
Run-time st ate ?o
Does not sit in the data path .....
Plane Con trol plane protocol ~
::J
to
NSX Virtual Sw itch
NSX Virtual Switch NSX Edge . Distributed netw ork edge
+ - ~- - - - - -dS - - - - - -~- - j
Services Line rate performance
Gateway
Distributed : .~ : NSX Edge gateway
. h VXLAN Distributed Firewall :
Data t. !-~9 !l?~~ _~_~L!!~ ~ j vi rtu al machine form factor
Plane Data plane for North-South
traffic
servic es
Switch Security
NSX Manager comm unicates with a vCenter Server system and is the interface for the VMware
NSX APJTM for third-party applicatio ns that integrate with NSX. The NSX Controller instances are
deployed by the NSX Manager instance. NSX Manager requests the vCenter Server system to
deploy the NSX Controller virtual machines from OVA files.

NSX Overview: Consumption
Slide 2-52
These planes build a virtualized network that is consumed by customers.

Self-service portal
Co nsumption ,., Cloud management
Model VMware vCloud
Automation c enter w
NSX Manager ve enter Server
Management Message Bus
Single point of configuration
A ant
REST API and UI interface
Plane
NSX Logical NSX Controller Manages Logical networks

User World Agen t
Router Contro l VM Run-t Ime state
Con trol
Does n ot sit in the data path
Plane Control plane protocol
NSX Virtual Swi tch

NSX Virt ual Switch NSX Edg e Distributed network edge
Services Line rate performance
EB~ i
Dis t rib ut ed Flm wal l :
Gatew ay
NSX Edge gateway
Dat a L\>9jc~ 1 RQI,lt \" : Virtual machine form factor
Plane Data plane fo r North-South
Hypervisor Kernel Modules
traffic
services
Switch Security
All of these components build an infrastruct ure for networking thai is consumed in the same fashion
as compute, memory, and storage resources in the software-defined data center.

Enterprise Topology
Slide 2-53
A common enterprise-level topology.
Physical Router
External Network
~------ - II
z
en
><
VLAN 20
zCD
Uplink
?o
NSX Edge Services
.....
~
Gateway ::J
to
VXLAN 5020
Uplink
LR Instance 1
NSX Manager helps to configure and manage logical routin g services. During the configuration
process, you can deploy either a distributed or a centralized logical router. If the distributed router is
selected, the NSX Manager instance deploys the logical router control virtua l machine and pushes
the logical interface configurations to each host throu gh the NSX Controller cluster.
In centralized routing, NSX Manager deploys the NSX Edge services router virtual machin e. The
API interface of NSX Manager helps automate deployment and management of these logical routers
through a cloud management platform .

Servicer Provider: Multiple Tenant Topology
Slide 2-54
Multiple tenants to the same NSX Edge gateway.
External Network
NSX Edge Services

Gateway
Tenant 2
In a a service provider environment, multipl e tenants exist. Each tenant can have different
requirements in terms of number of isolated logical networks and other network services, such as
load balancing, firewall, and VPN. In such deployments, NSX Edge services router provides
network services capabilities and dynamic routing protocol support.
As shown in the slide, the two tenants are connected to the externa l network through the NSX Edge
services router. Each tenant has its logical router instance that provid es routin g in the tenant. A
dynamic routin g protocol is configured between the tenant logical router and the NSX Edge services
router. This routin g protoc ol provides the connectivity from the tenant virtual machin es to the
external network.
In this topolo gy the East-West traffic routing is handled by the distributed router in the hyperviso r
and the North-South traffic flows through the NSX Edge services router.

Multiple Tenant Topology: Scalable Design
Slide 2-55
This multitenant topology is more flexible.
External Network II
z
en
><
NSX Edge Serv ices
zCD
Gatew ay
?o
.....
~
::J
to
Web logical
Switch
The service provider topology can be scaled out as shown in the slide. The diagram shows nine
tenants served by an NSX Edge instance on the left and the other nine tenants served by an NSX
Edge instance on the right. The service provider can easily provision another NSX Edge instance to
serve additional tenants.

Scalability
Slide 2-56
Scaling compute infrastructure:
Adding hosts to clusters
Add ing new clusters
Effect on distributed switch design : Distributed

switch can span across 1,000 hosts.
Scaling number of users or applications:

More virtual machines are connected to isolated
networks (VLANs)
Q; Effects on distributed switch design:

c
Q)
o Separate port groups for each application
.!!l
ro 10,000 port groups are supported
o
Cluster 1 Cluster 2 Cluster 3
The number of virtual ports is 60,000
Dynam ic port management (static ports)
The distributed switch supports up to 1,000 hosts that allow for a wide variety of scaling options.
These options range from a model where every clust er has its own distributed switch to a mod el
with a single distributed switch spanning all clust ers. NSX even supports multipl e distributed
switches in the same cluster.
If a distributed switch spans multipl e clust ers, when you create a port group, every host connected to
that distributed switch knows about the new port group. Thus , every new port group can cause
additional resourc e consumption. The main reason to span distributed switch across clusters is to
support virtual machin e migration with vSph ere vMo tion.

NSX for vSphere : Scale Boundaries
Slide 2-57
...
1:1 Mapping of
the
vCenter Server
II
z
en
System to the
><
NSX Cluster zCD
?o
.....
~
::J
to
,. _ . _ . _ . _ . _. _ . _ . - .
. ------ -- ---- - ------. I
I
.,
_
p
~ ! !i r]
' 1
r'
I I
I:
L I -. :I q .
i "L -, lI :I
v8p here vnaonon
I._ ._ ._._ ._._ ._ .~
'- '- '- '- '- '- '- '-'
based on DRS
Manua l
vSpherevMotlon
1-------..... 1-1 --------1
Logical Network Span
NSX is coupl ed with the vCenter Server system to provide enhanced functionality on VMware
hypervisors so that it scales in parallel with the vCenter Server system. Typically a cloud
management system is used to aggregate multiple vCenter Server systems and NSX Manager
instances to enable horizontal scalability.
NSX Manager and vCenter Server systems are linked I: I and NSX Controller clusters are deployed
by NSX Manager. In addition to the vSphere vMo tion bound aries, VMware NSXTM for vSphere
enables layer 2 connectivity that spans the entire vCenter Server using VXLAN . The vCenter Server
system includes 1,000 hosts and 10,000 virtual machines.
NSX provides a similar architecture. The main difference is that the NSX Controller cluster scales
independently from vCenter Server system. So the vSphere vMotion boundaries are the same, but
NSX allows logical network s and layer 2 boundaries to extend beyond a single vCenter Server
system. The limit is still 1,000 hypervisors, but multipl e hypervisor platforms are supported.

NSX Manager
Slide 2-58
NSX centralized management plane:

Provides the management UI and NSX API.
Installs UWA, VXLAN, distributed routing , and distributed firewall kernel
modules.
Configures the NSX Controller cluster through a REST API.
Configures hosts through
a message bus.
Generates certificates to - '-
,,-,=,--_ o
- .............-
_ H$I.
secure control plane

~
.-.-,
... w _
-0
~ _
...-0-1 IIfMIN __
communications. tI'OII'-....._NSlI-., .
.....fII~.....-.._ .~
_1IIOal_-OO:- _ _
1e9a1 _ _ III9CIII-"o.- _
.t_~
_
"' 1... _ 111
- _ _0..
. .......
.....
........ "...,..'*"4""""
- ,,- .......
--
.-.~
t l I _ ~ _ _ ........
...
' " " - t I _ .. -...-_~
"-"'-'..-d_
-oo4~QIl...--.,
-~"- .....
-
........1 . . - . 4 ....,...
.--..n ... "'-t.... ~ ___
NSX Manager is the only component that is installed. NSX Manager handles all the manage ment
tasks. A direct correlation of one vCenter Server system to one NSX Manager exists. So if vCloud
Automa tion Center is present with multiple vCenter Server systems, each of those vCenter Server
systems has an NSX Manager instance.
An installation ofNSX Manager includ es OVA files to deploy the NSX Edge gateways, NSX
Controller, and the VIBs that get pushed to the ESXi hosts for the distributed switches. NSX
Manage r uses REST API for external communications from third-party applications such as
firewa lls and security software that integrate with NSX.

Building the NSX Platform
Slide 2-59
Consumption
You can deploy NSX by using this process.
~~~
Prerequisites:
Physical Network-
VXLAN Transport
Network, MTU
/ P rogrammati
Virtual
Network Deployment
B ~ [!][i][!] VM
II
z
en
vCenter Server 5.5 and ><
ESXi 5.5 zCD
vSphere Distributed
Switch
B [!] [I] [!] ~ B ?o
VM ~[!]~ B .....
~
::J
Logical Networks to
Log ic al Network or Secu rity Serv ic es

Ql
E Deploy Logical Switches per tier
j::
Ql Deploy Distributed Logical Router
l:
Prepa rat ion or Connect to Existing Router
0 1_ =-- - - Host
- -Preparation
- - - - - .... Create Bridged Network
Logical Network Preparation Connect to Centralized Router
NSX deploys into vSphere clusters. The NSX platform has basic requireme nts. Any serve r on which
you can install ESXi 5.5 can run NSX , connected to any physical network. Multicast over the
physical infrast ructure is an added benefit but not required. After you deploy NSX Manager, you
deploy NSX Controller instances, VIBs, and configure the virtual network.

Lab 1: Introduction
Slide 2-60
At the beginning of lab 1, the installation of NSX Manager is

complete. The focus of this lab is verification of the initial
configuration.
Manage
SfTlIHC$ (jener 31network settings
SETTltIGS TimeSetlings General
Hos1n ame
General SpecifllNTP server betov Network
Demain Name
Network NTPServer sst. cenncates 1P'f4 Information

Backup s s Restore Address
SSL Certificates Timezone
UOQlacle Netm ask
Backups & Restore
Manage DefaultOalewav
Upgrade
t aervce IPv61nformabon
COMPOtlEtlTS SETTINGS looJ(upservice Address
NSXManagement Service Fcr vce nter verstons 5.1 a PrefiXLength

General
Default Gateway
Netwo rk Loo kup Service
SSL Certificates
ONSSerwrs
Backups & Resto re
To resofve all objects refiner
vcenter server
Upgrade
Connecting to a vc enter s 1p.,.4 DNS sewers
COMPONENTS
Access' of Chapter 'Prepal Prima!y Server
NSX Management Service Secondary Server
If your vcenter serveris he 1M DNS sewers
Prima!y Server
vcenter Server
Secondary Server
vcenter User Name
Search Domains
Status'

Lab 1: Configuring NSX Manager
Slide 2-6 1
Attach an NSX Manager appliance to a vCenter Server system

1. Access Your Lab Environment
2. Review the NSX Manager Configuration
3. Verify That the vSphere Web Client Plug-In for NSX Manager Is
Installed
II
z
(j)
><
Z
4. License vCenter Server, the ESXi Hosts, and NSX Manager CD
5. Clean Up for the Next Lab ?o

.....
~
:::J
to

Concept Summary
Slide 2-62
A review of concepts discussed in this les son:

What is the set of rules used by routers to determine paths called? Routing Protocols
Which protocol facilitates the propaga tion of multicast traffic across a routed network?
Protocol Independent Multicast (PIM)
What is used to acqu ire the MAC addresses asso ciated with IP add resses?
Address Resolution Protocol (ARP)

What is the layer 2 address of a network interface?
Media Access Control (MAC) address

What is used to issue textual commands to NSX components ?
Command Line Interface (CLI)

What is the file for mat used to store and import virtual machines?
Open Virtualization Format (OVF)

What is a network device used to restrict and filter traffic betwee n networks and endpo ints?
What is a serv ice embedded in the ESXi kernel that is used to protect virtual machine s calle d? A Firewall
What is the method for dividing workloads among NSX controllers ?

Distributed Firewall
What is an appliance deployed by the NSX manager , primarily used for perimeter services?
Slice
NSX Edge

Slide 2-63

Describe capabilities of NSX
Explain differences between the data , control, and management planes
Recognize NSX topologies
II
z
(j)
Illustrate the role of NSX Manager ><
Z
CD
?o
.....
~
:::J
to

Lesson 4: NSX Controller
Slide 2-64
Lesson 4:
NSX Controller

Learner Objectives
Slide 2-65
objectives:

Describe NSX Controller instances
Explain NSX Controller clustering
II
z
(j)
Determine NSX Controller roles ><
Z
CD
?o
.....
~
:::J
to

NSX Controller
Slide 2-66
NSX Controller provides:

VXLAN distribution and logical routing network information to ESXi
hosts.
Clustering for scale out and high availability.
Workload distribution within an NSX Controller cluster.
Removal of multicast routing and PIM dependency in the physical
network.
Suppression of ARP broadcast traffic in VXLAN networks.
NSX Controller
VXLAN Directory
Service
MAC table
ARPlable
VTEP table
VMware recommends that you have three NSX Controller instances for each NSX Controller
cluster. You should always have an odd number ofNSCX Controller instances to avoid a situation in
which the NSX Controller instances are split evenly on a decisio n.
NSX Contro ller stores four types of tables:
The ARP tab le
The MAC table
VTEP table
Routing table
The ESXi host, with NSX Virtual Switch, intercepts the following types of traffic:
Virtual machine broadcast
Virtual machine unicast
Virtual machine mult icast
Etherne t requests
Queries to the NSX Contro ller instance to retrieve the correct response to those requests

For example, when a virtual machine sends an ARP request to get the MAC address for another
virtual machine, that ARP request is intercepted by the host and sent to the NSX Controller instance.
If the NSX Controller instance has the correct information , the informatio n is returned to the host
and the host replies to the virtual machin e locally. Thu s, broadcast traffic is reduced across the
VXLAN and the various tables on the NSX Controller instance are built. NSX Controller gets the
routing tables from the logical routing controller virtual machin e.
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to

NSX Controller Cluster Deployment
Slide 2-67
NSX Controller nodes are deployed as virtual machines.

Each virtual machine consumes 4 vCPU and 4 GB of RAM.
NSX Controller password is defined during the deployment of the
first node and is consistent across all nodes.
NSX Controller nodes must be deployed in the same vCenter Server
instance that NSX Manager is connected to.
A cluster size of 3 NSX Controller nodes is recommended.
NSX Controller interaction is through CLI, and configuration
operations are available through NSX API.
The first NSX Controller instance that is deployed requests a password and all future NSX
Controller instances that are deployed use this password. This password is used by a user to connect
through SSH into NSX Manager or NSX Controller. NSX Controller must be connected to the same
vCenter Server system as NSX Manager. VMware recommends that you deploy NSX Controller
instances in clusters of three. Each NSX Controller instance in a cluster must be deployed
individually.

Control Plane Interaction
Slide 2-68
ESXi hosts and NSX logical router

virtual machines learn network
information and send it to NSX
Controller through UWA.
NSX Manager
!
II
z
en
><
The NSX Controller CLI provides a NSX Controller zCD
Cluster
consistent interface to verify ?o
.....
VXLAN and logical routing ~
::J
network state information. to
NSX Manager also provides APls

to programmatically retrieve data
from the NSX Controller nodes in
future.
NSX Controller uses the UWA daemon s to communicate from the hosts management address . NSX
Controller instances in a cluster replicate the different ARP, MAC, and VTEP tables in that cluster.

Control Plane Security
Slide 2-69
All NSX Control communication is protected with SSL encryption

over the management network.
NSX Manager creates and installs self-signed certificates to each
ESXi host and NSX Controller cluster.
Mutual authentication of NSX entities occurs by verifying certificates.
The control plane is secure d with SSL encryption by using certifica tes that are managed by NSX
Ma nager.

Control Plane Security: Diagram
Slide 2-70
The control plane requires certificate-based authentication.
A Message
REST
API
NSX Manager
~EJ NSX Manager
Database
Create
certificate II
z
en
W Bus
><
zCD
?o
.....
~
::J
to
NSX Manager creates certificates and stores them in a database. NSX Manager pushes these
certific ates to the NSX Contro ller instances as they are deployed . NSX Manager uses the message
bus to talk to the host for dep loying the VlBs . NSX Controller and the host go through the UWA
daemons .

User World Agent
Slide 2-71
The UWA has the following features:

Runs as a service daemon called netcpa .
Uses SSL to communicate with NSX Controller on the control plane.
Mediates between NSX Controller and the hypervisor kernel modules ,
except the distributed firewall
Retrieves information from NSX Manager through the message bus
agent.
The Distributed Firewall kernel modules communicate directly with
NSX Manager through the vsfwd service daemon.
-'-1
,
NSX Controller NSX Controller NSX Controller
i L_~:W== -
!1- ------ ------------- __---- - ----- -----__-- -
-~ .---------.--.-----.---.--------.---------...- ------..-----1 i
iI Kernel Modules . - !I
ll- - ---- -----
,
- ---- - ------ - ---- - - ---- -..- - - - - - - - - - - - - - - - - - -...- ---.-----.---.-.....--..-...1 iI
iL ESXi Host " Ji
The UWA includes two daemons that run on the host. The UWA is responsible for comm unication
between NSX Controller and ESXi host for layers 2 and 3, and for VXLAN communications. The
UWA can connect to multiple NSX Controller instances and maintains logs at / v a r /l o g /
ne tcpa . log. The distributed firewa ll has its own daemon. This daemon talks directly to NSX
Manager.
86 VMwa re NSX : Install , Configure, Manage

NSX Controller: Master Election
Slide 2-72
Each role needs a master.

Masters for different roles can sit on different nodes.
NSX Controller uses Paxos-based algorithm.
Guaranteed correctness (not necessarily convergence).
II
z
en
><
zCD
?o
.....
~
::J
to
Two roles are used for NSX Contro ller workloads. These roles are called logical switches and
logical routers. A master election determines the NSX Controller instance that is the master for a
particular role. Every role has a master. The master selects the NSX Controller instances and
allocates the portion of work for that role .
Paxos is a family of protocols for solving consens us in a network of unreliable processors.

Master Failure Scenario
Slide 2-73
A node failure triggers an election for roles when the master is no

longer available for that role.
A new node is promoted to master after the election process.
~ 'ii.vXLAN .-
If a master NSX Controller instance for a role fails, the cluster elects a new master for that role from
the available NSX Controller instances. The new master NSX Controller instance for that role
reallocates the lost portions of work among the remaining NSX Controller instances.
NSX Controller instances are on the control plane. So an NSX Contro ller failure does not affect data
plane traffic. For example, if the host requests the MAC address for an lP address through an ARP
request, and the NSX Controller instance does not respond, then the ARP is processed. The normal
ARP request process does not wait for the NSX Controller instance.

NSX Controller Workload Distribution
Slide 2-74
The NSX Controller cluster must:

Dynamically distribute workloads across all available NSX Controller
cluster nodes
Redistribute workloads when a cluster member is added
Have the ability to sustain failure of any cluster node
II
z
(j)
><
Z
Perform the workload distribution so that it is transparent to applications CD
?o
.....
~
:::J
Solution: Slicing to
Slicing is the action of dividin g NSX Controller workloads into different slices so that each NSX
Controller instance has an equal portion of the work.

Slicing Assignment
Slide 2-75
For a given role, create a number of slices.

Define objects that are to be sliced.
Assign objects into their slices.
Logical Switches / VNls Objects Logical Routers
Logical Switch Slices Logical Router Slices
After a master NSX Controller instance is chosen for a role, that NSX Contro ller divid es the
different logical switches and routers among all available NSX Controllers in a cluster. Each
numbered box on the slide represents slices that the master uses to divide the workloads . The logical
switch master divides the logical switches into slices and assigns these slices to different NSX
Controller instances. The master for the logica l routers does the same .

Slicing Distribution
Slide 2-76
For a given role, create a number of slices

Define objects that are to be sliced.
Assign objects into their slices.
Distribute slices across NSX Controller cluster nodes.
II
z
en
><
zCD
?o
.....
~
::J
to
Logical Switch Slices Logical Router Slices
These slices are assigned to the different NSX Controller instances in that cluster. The master for a
role dec ides which NSX Controller instances are assigned to which slices. If a request comes in on
router slic e 6, the slice is to ld to connect to the third NSX Controller inst anc e. If a req uest comes in
on logical switch slic e 2, that req uest is processed by the second NSX Controller instance.

Slice Redistribution
Slide 2-77
When an NSX Controller fails, the master for the role redistributes slices
among remaining nodes
Slice redistribution happens on:
Creation of the NSX Controller cluster.
A reduction in the number of available NSX Controller nodes in the cluster.
An increase in the number of available NSX Controller nodes in the cluster.
When one of the NSX Controller instances in a cluster fails, the masters for the roles redis tribute the
slices to the remaining available clusters.

Component Interaction: Configuration
Slide 2-78
The components of the NSX platform are configured in a specific

order.
vCenter
Server
A
V
Register with
vCenter Server
NSX Manager
. . DeployNSX
. . Manager
II
~epl~
z
oy ~
NSX .
Deploy the NSX Edge
en
><
zCD
Controller Cluster ~ :.
gateway and configure
network services ?o
.....
NSX Controller NSX Edge ~
::J
Gateway to
r- --- - ----- ---~
x , I
l . ' - - I~
;:::;:~ ,~ ~
I r.::! ~ _
r --.. . I~-
I . ,.
~=-:: ~ L: :::=::E I~ : ~~I
._- . ~ --=
l_ vSpher e ClusteL 1 ,._._.vSphere ClusteL2 _J l _.VSPhere CI,usteL N j
The components of the NSX platform are configured in the following order:
1. Only NSX Manager is installed.
2. Durin g NSX Manager installation, the vCenter Server IP address and credentials are provided
and the NSX Manager instance conn ects to the vCenter Server system. The NSX Manager
instance enables the NSX components in the VMware vSphere Web Client.
3. The vSphere Web Client is used to deploy the NSX Controller instances through NSX Manager.
4. After NSX Controller instances are deployed, hosts are prepared by using NSX Manager to
install the VIBs on the ESXi hosts in the cluster.
5. After the components are installed and deployed, you define the logical networking
components, such as adding distributed routers and creating firewall policies.
This procedur e is repeated for each vSphere clust er.

Lab 2: Introduction (1)
Slide 2-79
Add NSX Controller clusters in odd numbers.
~ Home I 'LO
VInstall atioll I .t ~ Home 1 _0.- ' Installation i
Net w orking & Security Mana g ement I Host Prepar ation L ogical Netw Networkin g & Security VManag em enl 1 Ho st Prepara tion Logical NeIWo
.
E!NSXHome
~ Logical Switc he s
NSX Manager
R!N8XHome
.
l:! LogicalSwitches
NSXManayer
~ NSXEdges NSX lJI, n, gtr

~ NSXEdges NSX M , n,~. ,
n Firewall E! 192.168.110.42 n Firewall E!! 192 .168. 110.42

Iif3 scoorouaro IiI5 SpoofGuard
I 't\ ServiceDefinitions
8 ServiceComposer
~ DataSecurity
.."....- .. seetce Definitions
EJ Service Com pose r
~ DataSecurity
GlFlow Monitorin g NSXliU'"'~8t e L1 92 ~ 1 1 ~ ~ Flow Monitor ing
!!!B Activity Monito ring ll_.."., 1 gg ActiVity Moniloring

.. Networking & Security Inventm y
(: Iu~.,-,: , Pil'Qt -I .. Networking & Se&ur ity Invent ory
E!! NSX Managers .. >

C1IU~1Of4'
1 ~ NSX Managers .. >
H- I NSX Cont roller nodes
NSX Controller node Conn"",-" ro
+
Fe. . 1 + ~
N ~m . Nod.
N~m.
eonnoner-e 192.168110 201

connouer-7 192 ,168,110,202
confroner-a 192.16B.110.203

Slide 2-80
Use the CLI to confirm the NSX Controller status.
nvp-e co nt.r o I Le r
Type
Join status:
Majority status :
# shOIJ co nt.r o.l c-c Lua te r status
5tatus
Join complEtE
ConnEctEd to clustEr majority
5ince
07/14 17:53:22
07/14 18:04:46
II
z
(j)
:Restart status: This controller can be safely restarted 07/14 18:04:47 ><
Z
ClustEr ID: 47b40b57-fbdf-4fcE-a171-bff6a36345bO CD
NodE UUID: 47b40b57-fbdf-4fcE-a171-bff6a36345bO ?o
....
~
:::J
to

Lab 2: Configuring and Deploying an NSX Controller Cluster
Slide 2-8 1
Deploy a three-node NSX Controller Cluster

1. Prepare for the Lab
2. Deploy the First NSX Controller Instance
3. Verify That the First NSX Controller Instance Is Operational
4. Deploy the Second NSX Controller Instance
5. Verify That the Second NSX Controller Instance Is Operational
6. Deploy the Third NSX Controller Instance
7. Verify That the Third NSX Controller Instance Is Operational
8. Clean Up for the Next Lab

Slide 2-82

Describe NSX Controller instances
Explain NSX Controller clustering
Determine NSX Controller roles
II
z
(j)
><
Z
CD
?o
.....
~
:::J
to

Key Points
Slide 2-83
Software is the foundation that is powering the evolution of networks

and data center infrastructure.
NSX uses the management plane, control plane, and data plane
models.
NSX Controller provides VXLAN distribution and logical routing network
information to ESXi hosts.
Questions?

MODULE 3
Logical Switch Networks and VXLAN

Overlays
Slide 3- 1
Module 3
II
r
o
co
0"
OJ
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
"en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en
VMware NSX: Install , Configure , Manage 99

You Are Here
Slide 3-2
Course Introduction
I NSX Networking
IE Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Security

Importance
Slide 3-3
Virtual Extensible LAN (VXLAN) enables you to create a logical

network for your virtual machines across different networks. You can
create a layer 2 network on top of your layer 3 networks.
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en
Module 3 Logical Switch Networks and VXLAN Overlays 101

Module Lessons
Slide 3-4
Lesson 1: Ethernet Fundamentals

Lesson 2: Overview of vSphere Distributed Switch
Lesson 3: Link Aggregation
Lesson 4: Virtual LANs
Lesson 5: VXLAN: Logical Switch Networks

Lesson 1: Ethernet Fundamentals
Slide 3-5
Lesson 1:
Ethernet Fundamentals II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Learner Objectives
Slide 3-6
objectives:
Describe Ethernet frames
Describe segmentation and encapsulation
Explain the Address Resolution Protocol (ARP) process

Review: Networking Definitions
Slide 3-7
Network: Physical connection that enables computers to communicate

Frame: Unit of transfer, Layer 2 of the OSI model
Packets (a layer 3 unit of transfer) are segmented into Frames for transmission
Frames are transmitted across the physical medium and assembled by the target/destination device
Protocol: An agreement between two devices about how information is to be transmitted.
Broadcast Domain: Shared communication medium.
Delivery: The way a receiver identifies the destination of a frame :

The header is in the front of the frames [Header][Payload]
Many nodes might receive a frame, but only the identified destination keeps the frame (all others
II
r
o
co
discard) n'
0)
Arbitration : The act of negotiating the use of a shared medium. (j)
Point-to-point network: A network in which every physical wire is connected to only two devices.
s;:::;:
o
::r
Switch: A bridge that transforms a shared-bus (broadcast) configuration into a point-to-point Z
network. CD
~
Router: A device that acts as a junction between two layer 3 networks to transfer packets between o
...,
them.
'"
en
0)
Gateway: A device that connects two networks communicating over different protocols. :::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Ethernet
Slide 3-8
Source and destination identification uses media access control (MAC)

addresses:
Listen and wait for channel to be available
Carrier Sense Multiple Access with Collision Detection (CSMA-CD): If a
collision occurs, wait a random period before retrying.
IPreamble 1Destination I Source 1 Type 1---'-.-.--r-I-c-R-c-I
8 bytes 6 bytes 6 bytes 2 bytes 46 to 1,500 bytes 4 bytes
Destination and source are 48-bit MAC addresses (for example ,

OO:26:4a:18:f6:aa)
The Type indicates the protocol that the Data portion of the frame contains:
Type Ox0800 is IPv4
Type Ox0806 is ARP
Type Ox86DD is IPv6
Data part of layer 2 frame contains a layer 3 datagram
Ethernet is the most commo nly used layer 2 system in data centers . The main purpose of Etherne t is
to define the source and destination of frames and ensure that the shared medium is used efficiently
among all hosts.

MAC Tables
Slide 3-9
The MAC address tables associate MAC addresses with LAN ports
on the switch.
VlaIl Ifac Addr ess Type Po r ts

- --- ---- -- - - --- - - -- -- -- -
All 657 0 .7367 .745 0 S TATIC CPU
All
1
1
1
gefa .2 054 .4465
Ob 9 f. 5 a g e. 7 6 a8
7 1d5 .5 1c4 .dcc4
d7cb .463d . e5dc
S TATIC
DYNAMI C
DYNAlofIC
DYNAlofI C
CPU
Fa O/5
FaO/ 8
FaO/ 2
II
r
o
co
1 6fb2 .eb09 .f9ac DYNAlofIC FaO/ l l n'
0)
1 l a 4 7. 9 400. e 4 6 7 DYNAlofIC FaO/ 9 (j)
1 d 8fd . 8d8f .9ged DYNAlofIC FaO/7 s;:::;:
o
1 b7 05 .be 8b .6 2 8 e DYNAlofI C Fa O/4 ::r
1 13 5 3.0 7 2 a. b 9 4b DYNAlofIC FaO/ 13 Z
CD
1 c6cb .73g e . lb2c DYNAlofIC FaO/6 ~
o
...,
1 f3 8c .3 17b .b9 0 0 DYNAlofI C FaO/3
"en
0)
:::J
C.
A switch uses a media access control (MAC) address table to direct frames from a sending network
r
~
device to a destination network device. The switch builds this table as it receives frames. The switch z
associates the MAC address of the sending device with the LAN port on which the frame is received
by using the source MAC address in the frame.
o
<
...,
CD
When the switch receives a communication for an unknown destination address, the switch sends 0)
-c
the frame to all other LAN ports of the same VLAN . When the destination device replies, the switch en
adds the relevant MAC source address and port ID in the address table. The switch sends all
subsequent frames for that destination to the correct LAN port without sending to all LAN ports.

Broadcast Domain
Slide 3- 10
A broadcast domain is a logical division of a computer network, in

which all hosts can reach each other by broadcast at the data link
layer. Router
/~
Switch Switch
~ /
Hub Hub
/\ /\
Broadcast Domain Collision Domain

Address Resolution Protocol
Slide 3- 11
ARP provides a mechanism for a device to map an IP address to a

MAC address.
When a device needs to communicate with another device for which
the IP address is known but the MAC address is unknown:
The source device creates an ARP packet with the destination's IP
address.
The source places the packet in a Broadcast Ethernet frame.
The Broadcast Ethernet Frame is transmitted across the local subnet.
II
r
o
co
The destination device receives a copy of the frame and opens the n'
0)
copy to check the IP address in the destination field. (j)

s;:::;:
The destination responds to the ARP request with a frame to the source o
::r
with the destination's MAC address as the source MAC address. Z
CD
The source receives frames and reads the destination's MAC address. ~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

From Packets to Frames
Slide 3- 12
An Ethernet Ethertype of Ox0800 indicates that the payload is an IP

packet:
When putting a packet into a frame, the end station uses the
destination MAC address that corresponds to the destination IP
address.
If the destination IP address is not in the same subnet as the source
end station, the end station uses the MAC address of the default
gateway as the destination MAC address.
If the end station does not know the destination MAC address that
corresponds with the destination IP address, the end station cannot
send the frame.
All network data moves through a network as frames

Segmentation and Encapsulation
Slide 3- 13
Lower layers add headers (and sometimes trailers) to data from

higher layers.
Network entities (switches/routers) move traffic based on header
information at the appropriate 051 layer.
Advanced features like intrusion detection and firewalls look deeper
beyond the header.
Application Data
II
r
o
co
n"
0)
Transport (j)
s;:::;:
o
::r
Network Z
CD
~
Data Link o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Layer 3: IPv4 Datagram
Slide 3-14
IP packets are carried in Ethernet frames.
Version I IHL IDifferentiated Services Total Length

Identification Flags I Fragment Offset
Time to Live I Protocol Header Checks um
Source Address (32-bit IPv4 address)
Destination Address (32-bit IPv4 address)
Options I Padding
IilmDr .. In. . ,.... . .
-
-'"
Version =4 Protocol =6 means that the data

If no options, IHL =5 portion contains a TCP segment.
Source and Destination are 32 bit
Protocol = 17 means UDP
IPv4 addresses
Routers and switches review the header information of the frame to route and switch traffic , app ly
policy contro ls, and build routing and switching tables. IP headers enab le quality of service (QoS)
application, control layer 3 loops using Time To Live (TTL), and congestion control using explicit
congestion notification bits. In the IP packet, UDP/TCP segments are embedded with their protoco l
numbers identified in the header for the host or gateway to process.

Layer 4: TCP Segment
Slide 3-15
Source and destination are 16bit TCP port numbers.
Source Port Destination Port

Sequence Number
Data
Offset
Reserved
Acknowledgement Number
UA E R S F
RC0 S Y I
Window II
r
o
GK L T N N co
n"
0)
(j)
Checksum Urgent Pointer s;:::;:
o
::r
Options I Padding
. 1I11e.' .
IilmDr
. ... III - .--m"-
.JiUi.'
Z
CD
~
o
...,
"en
0)
:::J
C.
TCP is a connection-based protocol with guaran teed delivery. Devices send data over a connection
r
~
socket. z
o
<
...,
CD
0)
-c
en

Concept Summary
Slide 3- 16
A review of terms used in this lesson:

What is the data encapsulation for layer 2
Ethernet frame
transmission across the physical network
medium called?
What is the data encapsu lation fo r layer 3 for
Packet
transm ission across routed networks called?
Which is the data link layer of the OSI model of
Layer 2
a network?
Which is the network layer of the OSI model of a
Layer 3
network?
Which is the transport layer of the OSI model of
Layer 4
a network?

Slide 3- 17

Describe Ethernet frames
Describe segmentation and encapsulation
Explain the ARP process
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Lesson 2: Overview of vSphere Distributed Switch
Slide 3-18
Lesson 2:
Overview of vSphere Distributed Switch

Learner Objectives
Slide 3- 19
objectives:
Describe VMware vSphere Distributed Switch
Configure a distributed switch
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

VMkernel Networking
Slide 3-20
Teaming recommendations:
Link Aggregation Control Protocol (LACP) 802.3ad is a good

option for optimal use of available bandwidth and quick
convergence .
Load-based teaming is recommended to simplify configuration

and reduce dependencies on the physical network, while still
effectively using multiple uplinks.
VMware NSXTMintroduces support for multiple VTEPs per host

with VXLANs.
Network partitioning technologies tend to increase complexity.
Overlay networks are used for virtual machines.
Use VLANs for VMkernel interfaces to avoid circular

dependencies.
Physical
DHCP relay and IP helper support are important for VMware Switch
vSphere Auto DeployTM.
Link Aggregation Control Protocol (LACP) requires configuration on the upstream switch . You can
use load-based teaming to simpl ify configuration and reduce dependencies on the physical network ,
whil e effectively using multipl e uplinks .

Advantages of vSphere Distributed Switch
Slide 3-2 1
The advantages of using a vSphere Distributed Switch are the

following:
Manage all switches in a data center versus individual switches per
host
Advanced feature support

Higher scale
Foundation for your network virtualization journey II
r
o
co
0"
VM VM VM OJ
~ NETWORK NETWORK NETWORK (j)

STATE STATE STATE s;:::;:
o
:::r
Z
CD
:?
o
...,
"en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en

Distributed Switch Architecture
Slide 3-22
Management plane: Configures various parameters of the distributed switch
Data plane: Handles the packet switching function
Management Plane
Legend:
_ dvPGA
_ dvPGB
_ dvUplink PG
dvUplink
Host 1
vmnicO vmnic1 vmmcO vmnic1
In VMwa re vSphere, the host handles the data plane. The host has information about which MAC
addresses are in which port groups. The VMwa re vCen ter Server" system controls the management
plane and if the vCen ter Server system fails, nothing changes on the contro l plane. Hosts and virtual
machines continu e to function. Features that rely on the vCenter Server system, like VMware
vSphere vMoti on, are unavailable until the management plane is restored.
The VMware NSX Virtual Switch'Y, which is a normal distributed switch with the VMware NSXTM
VIBs installed, is different. If a VXLAN port group exists, only the data is managed at the data
plane. The control plane is handled by VMware NSX Controller" and management is handled by
VMware NSX Managerr.

vSphere Distributed Switch Enhancements in ESXi 5.5
Slide 3-23
Performance and Scale
Enhanced LACP
Enhanced SR-IOV
40 GigE NIC support
Packet Classification
II
r
o
co
Traffic Filtering (ACLs) 0"
OJ
DSCP Marking (OoS) (j)
s;:::;:
o
Visibility and Troubleshooting :::r
Z
CD
Host Level Packet Capture
Tool (tcpdump)
:?
o
...,
"en
OJ
:::J
C.
In vSphere 5.5, LACP handles more than port aggregation and supports all LACP features. vSphere
r
~
5.5 also supports Mellanox 40 GB network interface cards. vSphere uses traffic filtering and access z
control lists (ACLs) to enable traffic, drop traffic, or change tags. Layer 2 Class of Service (CoS)
and layer 3 Differentiated Services Code Point (DSCP) tagging is fully supported.
o
<
...,
CD
OJ
-c
en

Design Considerations
Slide 3-24
Available infrastructure:
Type of servers
Type of physical switches
Servers:
Rack mount or blade
Number of ports and speed. For example: Ten 1 Gb links or one 10Gb
link
Physical switches:
Managed and unmanaged
Protocol and features support
You must make several design consideratio ns when planning a distributed switch deployment. In the
software-defined data center ecosys tem the most frequently depleted resource is memory, not CPU .
Not every virtual machin e has the same proportionality of CPU to memory.
Understanding where enviro nment constraints are, and how your design can consider these
constraints is critical. The type of network interfaces in hosts is also important. In today 's data
center 10 GB interfaces are common with some instances of 40 GB interfaces. Dependin g on the
infrastructure, various switches with different features and functions might exist.

Teaming Best Practices
Slide 3-25
Link aggregation mechanisms do not double the bandwidth:

Hashing algorithm performs better in some scenarios. For example:
Web servers that are accessed by different users have enough
variation in IP source and destination addresses and can utilize links
effectively.
However, few workloads accessing a NAS array have no variation in
the packet header fields. Traffic might end up on only one physical NIC.
II
r
o
Load-based teaming has the following advantages: co
n
0)
Takes link utilization into account (j)
Checks the utilization of links every 30 seconds

s;:::;:
o
::r
No special configuration required on the physical switches Z
CD
~
o
...,
"en
0)
:::J
C.
Hashing algorithms are not perfect. For serve rs where the systems connecting are varied, the
r
~
hashing works we ll. In scenarios where a few high-consumption endpoints exist, the hashing can z
result in one link being busier than the others. An example is IP storage with NFS . Typically, NFS
datastores or servers are on the same logic layer 2 as the VMke me l port that uses that data. Little to
o
<
no load sharing happens. ...,
CD
0)
-c
en

Load-Based Teaming
Slide 3-26
Load-based teaming splits traffic to utilize all available links.
Network
Traffic
B
an
d 'dl h I VM1 VM2
VM1 VM2 WI
vSphere
7Gig
vMotion
VM1 5Gig
VM2 2Gig
2 3 4
10 11
L..---_>Rebalance
....._ _......~.;;.'--~;...;..._ _Distributed Distributed
Switch Switch
12 GB 2GB 7GB
The examp le shows the advantage of load-based teaming. The diagram on the left has 14 GB of data
going out to two 10GB lines. vSphere vMotion consumes 7 GB, virtual machine 1 (VM I)
consumes 5 GB, and virtua l machine 2 (VM2) consumes 2 GB. Virtual machine 1 and vSphere
vMotion try to send a total of 12 GB of data out of the same 10 GB link. Virtual machine 2 sends 2
GB of data out of the second 10 GB link. Thus , 2 GB is lost on the first link.
The diagram on the right shows that by implementing load-based teaming, virtua l mach ine I is
forced to use the other interface. All machines and services get the bandwidth that they need . This
feature should be configured on distributed switch before NSX is installed.

Distributed Switch in Enterprise
Slide 3-27
The distributed switch has many features that are useful in an

enterprise setting.
vCenter Server
2c
~
- - - - - - -
Distributed
Switch
- - 1 1- -
I I
I I
I
I
I
I
- - - - - - - 1
Distributed
Switch
I
I
I
I
II
r
o
I I I co
U
<ll
I I I
0
OJ
ro I I I
ro I I I
(j)
o
I I I
s;:::;:
Cluster 1 Cluster 2 Cluster 3 Cluster 4
ROBO 1 I I ROBO 2 I o
________ ~L ~ ::r
Z
Multiple distributed switches per VC (128) Central management for DC and ROBO CD
environments ~
Distributed switches can span multiple clusters o
...,
Role-based management control
Hundreds of hosts per distributed switch "en
OJ
:::J
C.
Distributed switches must be in the same vCenter Server system as NSX Manager so that NSX
r
~
Manager can use the distributed switch. z
o
<
...,
CD
OJ
-c
en

Slide 3-28
Install NSX modules on hosts.
1--- ---'-- - -' Host Preparation Logical Network Preparation
NSX Manag er: ( 192.168.110.42 I~ )

Installation of network virtualization componentsonvSphere hosts
Clusters & Hosts Installation Status

liB SpoofGuard .. 1Jb Managementand Edge Cluster -r: Installing
~ s er-tce Definitions r: Installing
~ l!lJ Com pute Cluster A
EJ Servi ce Composer I}b Compute Cluster B Install
0lJ Data Securrty
Gl Flow Monitoring
Ii!8 Activity Monitoring

Slide 3-29
Prepare hosts for VXLAN networking.

Eb Add IP Pool 1
- - New T' ansport lone (?l, ..
Name:
*1
eatewav
*1 Name * lOIObarTranspon Zone 1
A gateway c OesUlpbon
II
Prefix Length:
*1 C onlrol Plan e Mode
Ia Murbcasl
1
Primary DNS: I MlJ~iJ~on Pf'I/$J(fI '-
Secondary DNS:
I I Unicasl
Segment 10 pool
C
IIXt,ANcQT1lrolpl.af*
DNS Suffix I a Hybrid
Provide a segmentiD pool and m ulticast range uniq ue to this NSX
r
manager. o
Static IP Pool: Op:1IYlJ!edUmc8$l n co
*1 0"
Selec t clu ste rS II) add
Segment10 pool:
*11 I OJ
A static IP P (In the range of 5000-16777216) (j)
a list orcorn
for example 0
N. ",.
tt Mana geme nt and Edge Clusle r

" o Enable multicast addressing s;:::;:
ab cd:87 :87: 0 Compute Cluster A Multicast addresses are required only for Hybrid and Multica.st control o
:::r
0 {) ccrnoute Cluster 8 plane modes
Z
CD
Multicast must be enabled if you are using 5.1 host.
:?
o
...,
I OK II Cancel
L "en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en

Lab 3 : Preparing for Virtual Networking
Slide 3-30
Install NSX for vSphere modules in ESXi hosts and configure the
VXLAN IP pools and a transport zone
2. Install NSX for vSphere Modules on the ESXi Hosts
3. Configure VXLAN on the ESXi Hosts
4. Configure the VXLAN 10 Pool
5. Configure a Global Transport Zone

Concept Summary
Slide 3-3 1

What is a virtual switch shared across multiple
Distributedswitch
ESXi hosts called?
(Hint: VMware NSX Virtual Switch" is defined as a port
group on this.)
What is the configuration of multiple NICs to

share workloads for higher bandwidth called?
Teaming
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Slide 3-32

Describe vSphere Distributed Switch
Configure a distributed switch

Lesson 3: Link Aggregation
Slide 3-33
Lesson 3:
Link Aggregation II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Learner Objectives
Slide 3-34
objectives:
Describe the Spanning Tree Protocol (STP)
Describe the purpose of LACP
Create an overlay network

Ethernet Loop
Slide 3-35
Host A sends a
broadcast frame.
The third Ethernet switch notices that it is a
II
The Ethernet switch notices t broadcast frame and sends a copy out to the
it is a broadcast frame and first switch , thus creating an Ethernet Loop.
sends a copy out of every
interface . r
o
co
0'
OJ
(j)
s;:::;:
o
::r
Z
CD
The second Ethernet switch notices
~
that it is a broadcast frame and o
...,
sends a copy out of every interface. "en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en

Spanning Tree Protocol
Slide 3-36
STP is a Link Layer protocol that helps maintain a loop free LAN:
STP is standardized in IEEE 802.1 D.
STP assigns a switch as root bridge.
Every other switch in the LAN creates only one data path back to the
bridge.
All other data paths leading to the bridge are prevented from forwarding
traffic.
All paths not leading to the bridge are allowed to forward traffic.
NSX does not participate in STP.

STP Diagram
Slide 3-37
In STP, only one of the two switches blocks the data path. The other
switch keeps the link in a forwarding state.
Root Bridge
II
r
o
co
0"
OJ
(j)
s;:::;:
o
::r
Z
CD
- - - Blocking
~
o
...,
"en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
-c
en

Bandwidth Constraint
Slide 3-38
STP always blocks all paths except the one leading up to the root
bridge.
If the forwarding path goes down, the switch activates one of the
block paths.
Root Bridge
Forwarding Forwardi ng
~ BI O Cki n g
With Spanning Tree Protocol (STP) , you can gain additional bandw idth between switches by going
to the next speed in Ethernet, for example, from 100 Mb to 1Gb.

Link Aggregation Control Protocol
Slide 3-39
LACP:
Is a standards-based link aggregation method: 802.3ad
Provides automatic negotiation of link aggregation parameters between
virtual and physical switches
Advantages:

Provides higher bandwidth and redundancy
Detects link failures and cabling mistakes
II
r
o
Reconfigures links automatically co
n"
0)
Deployments with static link aggregation groups (LAGs) have (j)
problems such as PXE boot. s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
LACP is a type of port aggregation. Port aggrega tion is the bundling of interfaces to tell the STP
r
~
that only a single link exists instead of multiple links. LACP ensures that link aggregation z
parameters match at both ends of the link aggregation.
o
<
The different types of LACP negotiation are the following: ...,
CD
0)
1. Enable port aggregation on the links. Switches do the port aggregation and must be manually -c
en
configured to be compatible at each end of that link.
2. One switch sends repeated requests to the other switch that is requesting the port aggregation
status. The two switches negotiate the status of the links and proceed.
3. Switches wait until they receive an aggregation request, negotiate the status of the links, and
proceed.
The LACP negotiation verifies that the link aggregation configurations between switches are
compatible. For the second or third type of LACP negotiation , switches negotiate details. The details
might includ e the number ofli nks that exist in the port group, the speed of the port group, and MTU.
Each switch determines the hashing that it uses to load balance its links independent of the other.

Enhanced LACP in vSphere 5.5
Slide 3-40
Comprehensive load balancing algorithm support includes 20

hashing algorithm options.
Multiple LAGs:
64 LAGs per host
64 LAGs per distributed switch
Workflow:
New workflow to configure LACP using templates
Useful in large environments
Hosts and distributed switches can support up to 64 Link Aggregat ion Groups (LAGs) .

Enhanced LACP
Slide 3-4 1
Host
Active Link :
LAG 1
LACP:
LAG 1 - 2 Uplinks; LB
algorithm - Source IP
II
r
o
co
address . 0'
OJ
LAG 2 - 2 Uplinks; LB (j)
algorithm - Destination s;:::;:
IP address o
:::r
Z
CD
:?
o
...,
LAG 1 - Port 1,2
Physical Switch 2
LAG 2 - Port 1,2 "en
OJ
:::J
C.
The example shows the use of different switches for LACP, with each link aggregation using a
r
~
different hashing algorithm. z
o
<
...,
CD
OJ
-c
en

Concept Summary
Slide 3-42

What is the condition where there are multiple
Ethernet loop
layer 2 paths between two endpoints called?
Which protocol ensures that there are no Spanning Tree Protocol (STP)
Ethernet loops?
Which is the standards-based link aggregation

Link Aggregation Control Protocol (LACP)
method used in NSX?

Slide 3-43

Describe the STP
Describe the purpose of LACP
Create an overlay network
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Lesson 4: Virtual LANs
Slide 3-44
Lesson 4:
Virtual LANs

Learner Objectives
Slide 3-45
objectives:
Explain how VLANs are used
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Virtual LANs
Slide 3-46
Split switches into separate virtual switches:

Only members of a virtual LAN (VLAN) can see that VLAN 's traffic.
Traffic between VLANs must go through a router.
Switch
VLAN X Nodes VLAN Y Nodes
VLANs address scalability, security, and network management by enab ling a switch to serve
multipl e virtual subnets from its LAN ports. Routers in VLAN topologies provide broadcast
filtering, security, and traffic flow management. Switches must not bridge traffic between VLANs
because the integrity of the VLAN broadcast domain might be violated.
144 VMwa re NSX: Install, Configu re, Manage

Switches and Routers with VLANs
Slide 3-47
Without VLANs , each group is on a different IP network and on a different

switch. . - . - . _ . _ . - . -. - .
.-. . .-. '- .
....
\
... I.:a!!!::-----~~
-'- -'- '-'-'-'-'- ".-. .'-'

10.2.0.0/16
II
r
o
co
One link per VLAN or a single VLAN Trunk later. 0'
. ._ 0-'-' - .- -'- . -'- '- OJ
(j)
.-.
....
..-
s;:::;:
o
/ :::r
FaOIO
Z
CD
\ FaO/1 :?
o
.... ...,
... ... "en
- '- 0_. _ . _. _ . _ . -. - . - ".-. ' OJ
:::J
C.
By default, all ports on a switch are in a single broadcast domain. Devices belonging to different
r
~
domains must be isolated using individual switches. VLANs enable a single swi tch to serve multiple z
switching domains . The forwarding table on the sw itch is parti tioned be tween all ports belonging to
a common VLAN.
o
<
...,
CD
With this change, devices belonging to multiple domains can be collocated on a single switch. Also, OJ
-c
hosts can be spread around in the data center on different L2 segments and maintain domain and en
subnet isolation.
Module 3 Logical Switch Netwo rks and VXLAN Overlays 145

VLANs and ARP
Slide 3-48
Without VLAN, the ARP is seen on all subnets on a switch. All ports
on a switch are part of the broadcast domain.
Assigning a host to the correct VLAN is a two-step process:
Connect the host to the correct port on the switch with a VLAN
configured.
Assign an IP address to the host for that subnet. Otherwise the host
cannot find peers on the same subnet.
- 1
1
3 4 5 6 . Po rt
1 2 2 1 . VLAN
ARP
f Request
1
172.30.1.21/24
VLAN 1
172.30.2. rO/24 172.30.1.23/24

VLAN 2 VLAN 1

VLANs Across switches
Slide 3-49
VLAN tagging is used when a single link needs to carry traffic for
more than one VLAN.
Interswitch links are configured as trunks, carrying frames from
multiple VLANs for that switch.
Each frame carries a tag that identifies which VLAN it belongs to.
----------- Tagged Frames
802.1Q Trunk
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
Without tagging, one physical connection per VLAN is required
between switches. This is not scalable.
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

VLAN Scalability
Slide 3-50
How does host A communicate with host E?

How does host F communicate with host B?
Host A, MAC A Host B, MAC B Hoste, MAC C
Int erf ac e 5
VLA N 20
Host 0 , MAC 0 Host E, MAC E HostF, MAC F

802.10
Slide 3-5 1
802.1 Q is an extension to the Ethernet standards to enable VLAN

information to be carried in an Ethernet frame:
802 .10 is configured in interfaces, typically Ethernet switches.
Interfaces that are configured to support 802.10 Ethernet frames are
called Trunk interfaces.
Interfaces that are not configured to support 802.10 frames are called
Access interfaces.
The 802.10 standard has support for 4096 VLANs.
II
r
o
co
VLANs 0 and 4095 are not used for production traffic. n'
0)
The 802.10 EtherType is Ox8100. (j)

s;:::;:
.. .-.
802.10 frames increase the standard Ethernet frame to 1522 bytes. o
::r
Up to 1500
6 bytes 6 bytes 2 bytes 2 bytes 2 bytes bytes 6 bytes Z
CD
~
- . 1 :11 - ;1 . o
...,
Standard Ethernet Frame "en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

802.10 Frame
Slide 3-52
Normal Ethernet Frame

SA: 6 Type/Length: 2 Data: 46 to 1500
IEEE 802.1q Tagged Frame
C12 bits of VLAN ID to identify 4,096 possible VLANs
3 bits 12 bits

Native VLAN
Slide 3-53
A Trunk interface expects every ingress frame to be tagged with a

VLAN number. If an ingress frame is received without a VLAN tag, the
frame is dropped by the Ethernet switch.
To avoid dropping frames, a trunk can be configured to assign all
ingress frames without a VLAN tag to a default VLAN. This default
VLAN is called the native VLAN.
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Concept Summary
Slide 3-54

What are groups of devices on separate physical
networks that communicate as if on the same logical Virtual Local Area Networks (VLAN)
network called?
What is broadcasting communications from a single
Multicast
source endpoint to multiple destination endpoints called?
What is broadcasting communications from a single
Unicast
source endpoint to a single dest ination endpoint called?
Which is the communications protocol for establishing
Internet Group Management Protocol (IGMP)
multicast group memberships?

Slide 3-55

Explain how VLANs are used
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Lesson 5: VXLAN: Logical Switch Networks
Slide 3-56
Lesson 5:
VXLAN: Logical Switch Networks

Learner Objectives
Slide 3-57
objectives:
Describe VXLAN overlay networks
Define the VXLAN frame format
Compare unicast, multicast, and hybrid modes
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

VXLAN Terms
Slide 3-58
A Virtual Tunnel End Point (VTEP) is an entity that encapsulates an Ethernet

frame in a VXLAN frame or de-encapsulates a VXLAN frame and forwards the
inner Ethernet frame.
A VTEP proxy is a VTEP that forwards VXLAN traffic to its local segment from
another VTEP in a remote segment.
A transport zone defines members or VTEPs of the VXLAN overlay:

Can include ESXi hosts from different VMware vSphere clusters
A cluster can be part of multiple transport zones
A VXLAN Number Identifier (VNI) is a 24-bit number that gets added to the VXLAN
frame:
The VNI uniquely identifies the segment to which the inner Ethernet frame belongs
Multiple VNls can exist in the same transport zone
VMware NSXTMfor vSphere starts with VNI 5000
VXLAN is an Ethernet in IP overlay technology, where the original layer 2 frame is encapsulated in
a User Datagram Protocol (UDP) packe t and delivered over a transport network. This technology
provides the ability to extend layer 2 networks across layer 3 boundaries and consume capacity
across clusters. The maximum transmission unit (MTU) requirement is for a minimum of 1,600
bytes to support IPv4 and IPv6 guest traffic . The Virtual Tunnel End Point (VTE Ps) do not support
fragmentation. VXLAN also provi des increased scalability as it is no longer tied to the 802.1q
protocol limit of 4,096. The 24-bit address space theoretica lly enables up to 16 million VXLAN
netwo rks. Each VXLAN network is an isolated logical network.

VXLAN Protocol Overview
Slide 3-59
VXLAN VTEP is the VMkernel interface that serves as the endpoint

for encapsulation or de-encapsulation of VXLAN traffic.
Ethernet in IP overlay network:
Entire L2 frame encapsulated in User Datagram Protocol (UDP)
II
50+ bytes of overhead
VXLAN can cross layer 3 network boundaries.
VXLAN is an overlay between VMware ESXi hosts. Virtual r
o
machines do not see VXLAN 10. co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
The VTEP Proxy, used in UTEP and MTEP, replicates the frame that it rece ives. The VXLAN
r
~
Number Identifier (VNI) is 24 bits. z
A transport zone is a configurab le boundary for a VNI. A single transport zone is usually sufficient. o
<
All clusters in the same transport zone share the same VNI. A transport zone can contain multiple ...,
CD
clusters and a cluster can be a part of multiple transport zones. A transport zone tells the host or 0)
-c
cluster which logical switch has been created. If you do not want logical switches to show up on en
certa in hosts, you can create a transport zone to constrain tenants. The underlying port group still
exists across the distributed switch.
Module 3 Logical Switch Netwo rks and VXLAN Overlays 157

Virtual Extensible LAN
Slide 3-60
VXLAN is an IP overlay technology that eliminates virtual network

segmentation.
VXLAN functionality:
Allows network boundary devices to extend virtual network boundaries
over physical IP networks
Expands the number of available logical Ethernet segments from 4094
to over 16 million logical segments
Encapsulates the source Ethernet frame in a new UDP packet
VXLAN is transparent to virtual machines
Adds 50 bytes to the original frame
Submitted to IETF for standardization
In April 2013, lANA reserved UDP port 4789 for VXLAN.
VXLAN is a network overlay technology. VXLAN encapsulates frames at layer 2 into a UDP
header. The traffic is encapulated into and deencapsulated from a VXLAN header by the VTEP.
The VXLAN adds 50 to 54 bytes of information to the frame, depending on whether VLAN tagging
is used. VMwa re recommends increasing the MTU to at least 1,600 bytes to support NSX . Larger
MTUs might already be in place depending on what other technologies are in use on the network. If
a custom MTU size is already set, either ensure that enough unused space exists in the MTU to
enable the additional 54 bytes or increase the MTU size to accommodate the addition.

NSX Use Cases
Slide 3-61
II
r
o
co
0"
Speed up network Automate network Automate network OJ
provisioning and service provisioning for (j)
provisioning for tenants with s;:::;:

Simplify service o
insertion, both virtual private clouds and customization ::r
tesUdev Z
and physical Maximize hardware CD
environments ~
Streamline DMZ sharing across
o
...,
changes tenants
"en
OJ
:::J
C.
The most common use cases for NSX are data center autom ation , self-service IT, and multitenant
r
~
cloud environments. z
o
<
...,
CD
OJ
-c
en

VXLAN Frame Format
Slide 3-62
( )
IP
Header
Data'
I I IP
Protoco
I
Header
Checksum
I
Outer Outer
Source Dest
IP IP
I I I I I
I I
Outer Outer Optional Optiona l VXLAN
Dest Source 802.1Q Outer EtherType VXLAN RSVD NI RSVD
MAC MAC EtherType 802.1Q Flags (VNI)
The VXLAN fram e forma t is shown here. The top frame is the original frame from the virtua l
machin es, minus the Frame Check Sequence (FCS), encapsu lated in a VXLAN frame. A new FCS
is created by the VTEP to includ e the entire VX LAN frame . The VLAN tag in the layer 2 Etherne t
frame exists if the port group that your VX LAN VMke rnel port is connected to has an assoc iated
VLAN numb er. When the port group is associated with a VLAN number, the port group tags the
VXLAN frame with that VLAN numb er.

Multicast: Network Components
Slide 3-63
The goal of multicast is to send a single packet from a source device

to multiple destinations, likely on different subnets.
Server Router 1 Layer 2 switch Client

with IGMP snooping
II
r
o
co
r+-- IGMP ~ IIII IGMP ---+t 0"
OJ
(j)
UDP / RTP s;:::;:
o
Multicast Traffic
\. ) ::r
Z
Y CD
~
o
...,
LAN "en
OJ
:::J
C.
The idea is to use the network to replicate and prevent the source from creating a large numb er of
r
~
individual unicast sessions to each destination. Some key applications of multic ast include z
multim edia content delivery, financial institutions such as stock exchanges and high-frequency
trading centers, and IPTV networks. Multic ast is a necessary component of many enterprise
o
<
networks. ...,
CD
OJ
-c
en

Internet Group Management Protocol
Slide 3-64
Hosts use the Internet Group Management Protocol (IGMP) to tell

routers about group membership.
Routers or layer 3 switch solicits group membership from directly
connected hosts.
Versions:
Version 1: RFC 1112 is supported on Windows 95.
Version 2: RFC 2236 is supported on the latest service pack for Windows and
most UNIX systems.
Version 3: RFC 3376 is supported in Window XP and various UNIX systems.

Bidirectional PIM
Slide 3-65
Source/Receiver
- - - Shared Tree
--....,)~
1t-rwa-- ---')~
Upstream Forwarding
Downstream Forwarding
II
r
o
co
) 0"
RP- Rendezvous Point OJ
(j)
Notation: 1*,G) s;:::;:
o
* = All Source :::r
Z
G = Group CD
Receiver 1 Receiver 2 :?
o
...,
"en
OJ
:::J
C.
For network virtualization using VXLAN , bidirectional Protocol-Independent Multicast (PIM) is

r
~
import ant. VXLAN relies on a many-to-many multicast infrastructure. The most efficient way is to z
use bidirectional PIM.
o
<
...,
CD
OJ
-c
en

NSX for vSphere VXLAN Replication Modes
Slide 3-66
Three modes of traffic replication exist: ~ New Transport Zone 1Ql, ..

two modes are based on VMware NSX Name >II IGIObal-Transport-Zone I
Controller" based and one mode is Description
based on data plane I I

Control Plane Mode a Multicast
Unicast mode is all replication using Multicast on Physical rJeMJolf< used (or VXLAN con lrol plane
a unrcast
unicast. VXLAN controfpftJnehaOOIOO ty NSX coreoser Cluster
'2) Hybrid
--
Hybrid mode is local replication that is Optimized Unless! mode. Offloads local traffic repticsston to pttysical nel'MJrll
Select clusters 10add

offloaded to the physical network and ~ Clusters to Add (2) Selected Objects
remote replication through unicast. (Q. Filler .)

N~m. NSX ",S..,Id', Sb IU$
Multicast mode requires IGMP for a IIG1 U Management & Edge Cluster C vest t) Norma l
layer 2 topology and multicast routing

~ IJ Compute Clus ter 01 = vost & Norma!
for L3 topology.
All modes require at least a 1,GOO-byte

. .
MTU. -- I~
QQ~
Replication mode relates to the hand ling of broadcast, unknown unicast , and multicast (BUM)
traffic. Unicast has no physical network requirements apart from the MTU . All traffic is replicated
by the VTEPs. In the same VXLAN segment, traffic is rep licated by the source VTEP. In remote
VXLAN segments, the NSX Contro ller instance selects a proxy VTEP. Hybrid mode uses IOMP
layer 2 multicast to offload local replication to the physical network. Remote replication uses unicast
proxies, so multicast routing is not necessary. Hybrid is recommended for most deploymen ts.
Multicast is seen frequent ly in upgrade scenarios from VMware vCloud Networking and
Security'P' 5.1 or environments that already have multicast routing.

VXLAN Replication: Control Plane
Slide 3-67
In unicast or hybrid mode, the NSX Controller instance

selects one VTEP in every remote segment from its NSX Controller
VTEP mapping table as a proxy. This selection is per VNI VXLAN Directory
Service
(balances load across proxy VTEPs).
In unicast mode, this proxy is called a Unicast Tunnel
[
II
End Point (UTEP). MAC Table
In hybr id mode, this proxy is called a Multicast Tunnel

End Point (MTEP).
[ ARPTable
r
VTEPTable o
This list of UTEPs or MTEPs is synced to each VTEP. co
0'
OJ
If a UTEP or MTEP leaves a VNI, the NSX Controller (j)
instance selects a new proxy in the segment and s;:::;:
o
updates the participating VTEPs: :::r
Z
VTEP report CD
:?
o
VTEP failure ...,
"en
OJ
:::J
C.
The VTEPs to which the list of UTEPs or MTEPs are synced are memb ers of the associated
r
~
VXLAN Network Identifi er (VN I). z
VTEPs leave a VNI either voluntarily because the VMware ESXi host is gracefully powered off, o
<
or all virtual machin es connected to the VNI are migrated or shut down. VTEPs also leave the VNI ...,
CD
if the VTEP fails. When a VTEP fails, it cannot invalidate its VTEP VNI mappin g entry with the OJ
-c
NSX Controller instance. The NSX Controller instance detects that the keep-alive has expired and en
invalidates the entry.

VXLAN Replication: Data Plane
Slide 3-68
The VXLAN header format is updated in NSX

for vSphere:
A new REPLICATE LOCALLY bit is used in VXLAN Header Format
the VXLAN header for unicast and hybrid
modes.
When a UTEP or MTEP receives a unicast
frame with the REPLICATE_LOCALLY bit set,
the UTEP or MTEP is responsible for injecting
the frame to the local transport network.
The behavior of the proxy depends on its
traffic replication mode.
The first field of eight bits is used for VXLAN flags. Seven of these bits are reserved in vCloud
Networking and Security 5.1. These reserved bits are set to zero . The fifth bit is set to 1 when the
header includes a valid VNI. VMwa re NSXTM for vSphere adds a bit for a replicate locally flag
which is set to 1 for delivery to a UTEP or MTE P.

Unicast Mode
Slide 3-69
Source UTEP:
Replicates encapsulated frame to each local VTEP through unicast
Replicates encaps ulated frame to each remote UTEP through unicast
Destination UTEP:

Receives the encapsulated frame from the source VTEP
Replicates encapsulated frame to each local VTEP through unicast
Unicast mode considerations:
II
r
o
co
No multicast configuration needed on the physical network n
0)
Higher overhead on the source VTEP and UTEP (j)

s;:::;:
Configurable per VNI during logical switch provisioning o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
In NSX, the default mode of traffic replication is unicast. Initially no multicast support is required
r
~
on the physical network. z
This mode reduces network dependencies to only increase in maximum transmission unit (MTU) . o
<
Each layer 2 transport subnet has one dynam ically assigned VTEP that acts as a proxy and is ...,
CD
responsible for replica ting traffic to other VTEPs within the segment. This proxy addresses the most 0)
-c
common objections and allows VXLAN deployment with minimal physical network support. en
One downside of unicast mode is the higher overhead. In unicast mode the source VTEP and
proxies must copy the same frame multiple times to every VTEP within the layer 2 subnet. Copying
the same frame multiple times results in higher CPU utilization on the host as the VXLAN transport
zone and clusters increase in size.

Multicast Mode
Slide 3-70
Source VTEP:
Replicates encapsulated frame to each remote VTEP through multicast
Replicates encapsulated frame to each local VTEP through multicast
No UTEP or MTEP roles
Multicast mode considerations:
IGMP and IGMP snooping configuration needed on the physical
network
Multicast address required over physical network
Lowest overhead on the source VTEP
Configurable per VNI during logical switch provisioning
Multicast mode uses the VTEP as a proxy. In multicast, the VTEP never goes to the NSX Controller
instance. As soon as the VTEP receives the broadcast traffic, the VTEP multicasts the traffic to all
devices .

Hybrid Mode
Slide 3-7 1
Source MTEP:
Replicates encapsulated frame to each remote MTEP through unicast
Destination MTEP role:

Receives the encapsulated frame from the source MTEP
Unicast mode considerations:
II
r
o
co
IGMP Snooping configuration needed on the physical network n"
0)
VTEPs send IGMP joins and IGMP reports (j)

s;:::;:
Multicast address required over physical network o
::r
Configurable per VNI during logical switch provisioning Z
CD
~
o
...,
"en
0)
:::J
C.
To reduce the overhead of traffic replication, multicas t proxy is used for optimization. The VTEP
r
~
does not replicate all traffic in software. The VTEP leverages the physical network to replicate z
through multicast by selecting one VTEP in each L2 transport network to serve as a multi cast proxy.
This mode is L2 IOMP only, and PIM is not needed in hybrid mode . This mode is not the defau lt
o
<
mode of operation in NSX for vSphere, but is important for larger scale operations. Also the ...,
CD
0)
configuration overhead or complexity of L2 IOMP is significantly lower than multicast routing. -c
en

Unicast and Hybrid Mode: Same Host
Slide 3-72
VM1 communicates with VM2 on the same host.
Management Network
o
- - - - - - - - - - - - t~..-1
- :;';;;;
- i'-:l:''''-J~---:i-<-.;.;;..;;.o"",.
-- -
,
: ,,"--U Transport Network 0 Transport Network

: '-..
~- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -~~~~~~~!! ~~~~- - - - - - - - - - - - - - - - - - - - - - - - - - - - -_:
The diagram shows the process by which virtual machine I (VM I) communicates with virtual
machine 2 (VM2) on the same host in the same VXLAN when VM I lacks the MAC address for
VM2 :
1. VM I sends Address Resolution Protoco l (ARP) request for the MAC address of VM2 on the
same logical switch (VNI 500 I) on the same host.
2. Broadcast is sent to all virtual machines on the logical switch of the same host. The switch
securi ty module uses the management network to query the NSX Controller instances ARP
table for VM2 ARP entry.
3. Because VM2 is on the same logical switch, VM2 sends an ARP reply before NSX Controll er
respon ds to the switch security module:
a. IfVM2 has not participated in previous ARP reply or Dynam ic Host Configuration Protoco l
(DHCP), the NSX Controller instance lacks the inform ation.
b. Switch security module updates local ARP table and notifies NSX Controller to update the
ARP entry for VM2 (in the ARP table).

4. Logical switch delivers a unicast ARP reply to VM 1.
This scena rio does not incur VXLAN encapsulation . If the transport zone is configured as a
multicast , the ARP request broadcast is forwarded in a VXLAN encaps ulation to all the other
VTEPs in the multicast group.
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Unicast Mode: Different Hosts
Slide 3-73
Initial communications of VM1 with VM3 on another host.
Management Network
a
The diagram shows the process in unicast mod e. Virtual mach ine I (VM 1) communicates with
virtual machine 3 (VM3) on different host s in the same VXLAN when VMl lacks the MAC address
for VM3:
1. VM 1 sends an ARP request for the MAC address of VM3 on the same logical switch (VNI
5001) on a different host in a different cluster.
2. Broadcast is sent on the local logical switch and the switch security modul e queries the NSX
Controller instance for an ARP entry for VM3.
3. The NSX Controller instance lacks the information on VM3. So the broadc ast is forw arded as
encapsulated unicast from VTEPx to all local VTEPs and the remote proxy VTEP.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, and is sent to VTEPx, and
return ed to VM 1.
5. VTEPx learns the MAC address ofVM3 for all subsequent communication from local virtual
machin es to VM3.

Hybrid Mode: Different Hosts
Slide 3-74
Initial communications of VM1 with VM3 on another host.
II
r
o
co
0"
OJ
(j)
s;:::;:
o
Management Network :::r
Z
, ---.~~~~
- - -- - - -~
- - -~
- - -~
- - -~ ----------------, , CD
,: ~
:
Transport N etwork
---- O Transport Networ k
----
~,----------------------------------~~~~~p~-~ ~~~~------------------------------;
:'
:
:?
o
...,
"en
OJ
:::J
C.
The diagram shows the process in hybr id mode. Virtual machin e I (VM I) communicates with
r
~
virtual machin e 3 (VM3) on different hosts in the same VXLAN when VM I lacks the MAC address z
for VM3:
o
<
1. VM I sends an ARP request for the MAC address of VM3 on the same logical switch (VNI ...,
CD
500 I) on a different host in a different cluster. OJ
-c
en
2. The broadcast is sent on the local logical switch and the switch security modul e queries the
NSX Controller instance and ARP entry for VM3.
3. The NSX Controller lacks the information on VM3. So the broadcast is forwarded from VTEPx
to all local VTEPs using multicast and to the remote proxy VTEP using unicast.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, sent to VTEPx, and returned to
VM I.
5. VTEPx learns the MAC address of VM3 for all subsequent communication from local virtual
machin es to VM3.

Multicast Mode: Different Hosts
Slide 3-75
Initial communication of VM1 with VM3.
..'
Management Network
o
r
:
,
Transport Network
-
------------
0 Transport Network
-
~-----------------------------------~~~~~~~-~ ~~~~-----------------------------_:
The diagram shows the process in multicast mode . Virtua l machine 1 (VM 1) com municates with
virtual machine 3 (VM3) on different hosts in the same VXLAN when VM l lacks the MAC address
for VM3:
1. VM 1 sends an ARP request for the MAC address of VM3 on the same logical switch (VN I
500 1) on a different host in a different cluster.
2. The broadcast is sent on local logical switch and the switch security modul e is checked.
3. If the switch security module lacks the information for VM3 , the broa dcast is encapsulated as a
mult icast and forwarded to all VTE Ps.
4 . VM3 sends a uni cast ARP reply that is encapsula ted by VTEPy, sent to VTEPx, and delivered
to VM l.
5. VTEPx learns the MAC of virt ual machine 3 (VM3) for all subseq uen t comm unication from
local virtua l machines to VM3 .
The fact that the virtua l machine is on a differen t cluster does not change the packet walk proc ess . In
all these cases the same events occur when communication is taking place between two virtua l
machin es on different hosts of the same clus ter or different cluster.

Quality of Service
Slide 3-76
You can ensure that the application traffic flowing through the
physical network infrastructure is prioritized by using the following
ways:
Class of Service (CoS): Layer 2 Tag
Differentiated Services Code Point (DSCP) Marking: Layer 3 Tag
6 bits 2 bits
802.1 Q Header
II
r
o
DSCP 16 bits 3 bits 1 bit 12 bits co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
IP Header "en
0)
:::J
C.
Traffic can be classified in different ways. In a layer 2 fram e, the 802.1q header contains the
r
~
inform ation for the Class of Service (CoS). The first 16 bits are always Ox8100 , which means that z
the header contains a VLAN tag. The class of service is in the next 3 bits follow ed by a flag that
indicates whether to fragment.
o
<
...,
CD
Layer 3 has a different field called Differentiated Services Code Point (DSCP) that has 6 bits . The 0)
-c
first three values typically match the first three CoS bits. At the bound ary between layers 2 and 3, en
the switch can take the CoS and other factors like the source or destination address and match that to
a layer 3 DSCP value . Because DSCP has more potential values, it can be more specific about the
service that it is going to provid e.

QoS Tagging
Slide 3-77
Guest Tagging
..
Ell
Virtual Switch Tagg ing
..
Ell
Physical Switch Tagging
vSphere Distributed Switch
1
I vSphereil II vSphere'1 .:::l'= II vSphere I
Physical
Network
1
Physical
Network
Physical
Networ k
- - - --
..l
Ell
Distributed switches pass VM CoS

markings downstream Distributed switch implements CoS and OoS marking or remarking done in the
NIOe cannot assign separate queue DSCP marking, or both phys ical switch and/or router
based on the tag Preferred option Burdensome OoS management on each
Administrators lose control Single edge OoS enforcement point edg e device (for example : ToR)
Traffic that comes from a virtua l machine can be tagged at several levels. Traffic can be tagged by
the virtua l machi ne, by NSX Virtual Switch, or at the physical switch.

Physical Network Congestion
Slide 3-78
----+ Higher Tagged Traffic
----+ Lower Tagged Traffic

"Sphere Distributed Switch ----+ Untagged Traffic
II vSphere:1
Congested Switch
II
r
o
co
0
OJ
(j)
s;:::;:
o
:::r
Z
CD
:?
o
...,
i i Physical Network
"en
OJ
:::J
C.
In the example, the virtual machine traffic is tagged from the hypervisor. The traffic goes through
r
~
the physical network. Depending on the QoS settings and cong estion , the virtual machin e traffic z
reaches its destination or is dropp ed. In most cases of congestion, the traffic with the highest QoS
priority is the most likely to reach its destination.
o
<
...,
CD
OJ
-c
en

NSX Component Interaction: Configuration
Slide 3-79
Configuring the NSX platform.
NSX Controller
Configuration
(Logical switches ,
Distributed logical routers)
vCenter
Server
Host Configuration
(Logical switches,
Distributed logical routers)
Service
Configuration
(LB , FW, VPN, and so on)

__ ,. ... . f8E --
---I"
,
;.=~
__ _-I
-
. :-=-:: I~ '
'"_"'" 'II -
~
I ~ a.: .--=t
I. I
I
~ I~ : [BE .......
The components of the NSX platform are configured in the followin g order:
1. The NSX Manager is connected to vCenter Server and prepares the infrastructure.
2. Provisioning of logical switches and distributed logical routers occurs throu gh the VMware
vSphere Web Client or VMware NSX APFM. After switches and routers are provisioned, they
are published to NSX Controller and the slicing process determin es which NSX Controller node
is active .
3. NSX Controller proactively syncs inform ation to the active ESXi hosts through the UWA. For
VXLAN logical switches, the host becomes activ e for a given VNI after a virtual machine is
conn ected to that VNI and powered on. The UWA reports to the NSX Controller, syncs the
VTEP list, and starts popul ating MAC and IP address information .
4. The Distributed Firewall configuration is sent directly to the ESXi hosts through the secured
message bus. The VMware NSX Edge" configuration is sent directly to the NSX Edge
gateway through the message bus.
5. As the virtual infrastructure scales and additional hosts are added, the logical switches, routers,
and firewalls are scaled with the compute infrastructure. The scaling occurs as the same clust er
is expanded, or as new clusters are prepared for network virtualization.

NSX Logical Switching
Slide 3-80
\ I
~~

Challenges Benefits
II
r
o
co
Per application or multitenant segmentation Scalable multitenancy across data 0'
OJ
Virtual machine mobility requires L2 center
(j)
everywhere
Large L2 physical network sprawl : STP
Enabling L2 over L3 infrastructure
Overlay based with VXLAN , STT, GRE ,
s;:::;:
issues
o
and so on ::r
HW memory (MAC , FIB) table limits Logical switches span across physical Z
CD
hosts and network switches
~
o
...,
Logical Switching: Usin N to scale the network "en
OJ
:::J
C.
r
~
z
o
<
...,
CD
OJ
'<
en

Logical Switch
Slide 3-81
The logical switch is a virtual network segment that has been

identified with a VNI:
Each logical switch gets its own unique VNI.
A VXLAN distributed switch port group is created in all the VTEPs in the
same transport zone where the logical switch is created .
Virtual machine 's vNICs get connected to logical switches.
Logical switches support mobility and availability features in vSphere
such as:
VMware vSphere vMotion
VMware vSphere High Availability
The logical switch is a distributed port group on the distrib uted switch . The logical switch can
expand distributed switches by being associated with a port group in each distributed switch . The
vCenter Server system creates the port group for the NSX Manager. vSphere vMo tion is supported,
but only among those hosts that are part of the same distributed switch.

Slide 3-82
Creating logical switches.
Logical Swit ches
N ~X M::m:::.npr' r 1 n ... 1 en 11 n . ... I ... 1

~ New logical Switch ? ~.
===========~
II
Name
:::::: NSX Edge s De scription

* :=
1
[I Firewa ll
15 Spo ofGuard * I Globa l Transport Zo ne

TransportZone I I r
Il!\ Service Definition s o
tJ Service Composer Control Plane Mode o Multi cast co
Multicast on Physical neM'ork used for VXl.AN control plane.
n"
I'flJ Data Se curity 0)
61 Flow Monitoring o Unicast (j)

gg ActivityMonitoring VXLAN control plane handfed by NSX Controller Cluster. s;:::;:
... Networking & Security Inventory
o Hybrid o
::r
OptimizedUnic&st mode. Off/oads focal traffic replication to physical ne~il'Ork.
NSX Managers ) Z
CD
~
o
...,
OK I[ Cance l
.d .
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Slide 3-83
Migrating virtual machines to the logical switches.
~ Iransit-Netwnrk - AddVirtual Machines
1 Select Virtual Ma chines Select Virtual Machines

Select VMs to connect to this network
2 Select VNICs
J Ready to complete
V irtual ma chine
o /'IJ app-sv-01 a
o /'IJ br-s v-02a
o /'IJ db-s v-01a
o /'IJ mgt- sv-01a
o /'IJ N8 XJ ontroller_af c9ddf4-eee2-4 39a-800 b-6318e d
o /'IJ N8XJ ontroll er_b 1033456- cbea-4be O-832 9-35224
o /'IJ N8XJ ontroll er_bb1 c4724-4g e3-48d9- a2ed-a a504
o /'IJ w eb-sv-0 1a
o /'IJ web -sv-02 a

Lab 4: Configuring and Testing Logical Switch Networks
Slide 3-84
Create and test logical switches for the Web-Tier, App-Tier, DB-Tier,
and transport networks
2. Create Logical Switches
3. Verify That Logical Switch Port Groups Appear in vSphere
4. Migrate Virtual Machines to Logical Switches
5. Test Connectivity
II
r
o
co
n
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Concept Summary
Slide 3-85

What is the tunnel endpoint for VXLAN communication
between ESXi hosts , across a transport network , using Layer 3 VXLAN Tunnel Endpoint (VTEP)
encapsulation called?
What is the tunnel endpoint for VXLAN communications using Multicast Tunnel Endpoint (MTEP)
multicast called ?
What is the tunnel endpoint for VXLAN communications using
Logical switch
unicast called?
What is a port group on a vSphere Distributed Switch with NSX Unicast Tunnel Endpoint (UTEP)
modules installed called?
What is the transmission of different multicast traffic across
VXLAN replication
VXLAN networks called ?
Which mode uses both unicast and multicast to conserve
Hybrid
bandwidth while ensuring a speedy delivery?
Which feature ensures that high-value traffic is prioritized
Quality of Service (QoS)
during periods of network conge stion?

Slide 3-86

Describe VXLAN overlay networks
Define the VXLAN frame format
Compare unicast, multicast, and hybrid modes
II
r
o
co
n"
0)
(j)
s;:::;:
o
::r
Z
CD
~
o
...,
"en
0)
:::J
C.
r
~
z
o
<
...,
CD
0)
-c
en

Key Points
Slide 3-87
VLANs split switches into separate virtual switches.

A distributed switch is used to manage all switches in a data center
versus individual switches per host.
LACP provides automatic negotiation of link aggregation parameters
between virtual and physical switches.
A VXLAN VTEP is the VMkernel interface which serves as the endpoint
for encapsulation/de-encapsulation of VXLAN traffic.
Questions?

MODULE 4
N5X Routing
Slide 4-1
Module 4
II
z
(J)
><
::0
o
c
~
:::J
c.c

You Are Here
Slide 4-2
Course Introduction
NSX Networking
IE NSX Routing
NSX Edge Services Gateway Features
NSX Security

Importance
Slide 4-3
The distributed routing capability in the VMware NSXTM platform

provides an optimized and scalable way of handling East-West traffic
in a data center.
The VMware NSX Edge services router provides the traditional
centralized routing support in the NSX platform.
II
z
(J)
><
::0
o
c
~
:::J
(C
Module 4 NSX Routing 189

Module Lessons
Slide 4-4
Lesson 1: NSX Routing

Lesson 2: NSX Logical Router
Lesson 3: Layer 2 Bridging
Lesson 4: NSX Edge Services Gateway

Lesson 1: NSX Routing
Slide 4-5
Lesson 1:
NSX Routing
II
z
(J)
><
::0
o
c
~
:::J
(C

Learner Objectives
Slide 4-6
objectives:
Compare Open Shortest Path First (OSPF), Intermediate System to
Intermediate System (IS-IS), and Border Gateway Protocol (BGP)
Describe OSPF area types
Describe IS-IS routing levels
Describe the BGP

Supported Routing Protocols
Slide 4-7
The following routing protocols are supported by NSX:

OSPF
IS-IS
BGP:
Internal BGP (iBGP)
External BGP (eBGP)
II
z
(J)
><
::0
o
c
~
:::J
(C
The TCP/IP protocol suite offers different routing protocols that provide a router with methods for
building valid routes. The following routing protocols are supported:
Open Shortest Path First (OSPF) : This protocol is a link-state protoco l that uses a link-state
routing algorithm. This protocol is an interior routing protocol.
Intermediate System to Intermediate System (IS-IS): This protocol determines the best route for
datagrams through a packet switched network.
Border Gateway Protocol (BGP): This protocol is an exterior gateway protocol that is designed
to exchange routing information between autonomous systems (AS) on the Internet.

OSPF Features
Slide 4-8
OSPF distributes routing information between different routers

belonging to a single autonomous system (AS):
Area level support: Default area 51
Backbone and NSSA support
Clear text and MD5 peer authentication
Interface-level support
Helio interval and dead interval configuration
Priority for designated router and backup designated router election
Interface cost configuration
OSPF is a link-state protocol. Each router maintains a database describ ing the AS topo logy. When
you enable OSPF, area 0 and area 5 1 are created by default. Area 51 can be deleted and replaced
with a desired area .
By default, OSPF adjacency negotia tions use clear authentication by assuming that the segment is
secure. If installed in an insecure segment, enabling authentication ensure s that a third party cannot
corrup t the routing table or hijack connection by injecting a compromised default route .

About OSPF
Slide 4-9
OSPF is a routing protocol that uses the router's link states to

determine the optimal path to reach a destination:
OSPF is an Internal Gateway Protocol (IGP) because it is under the
management control of a single institution or AS.
OSPF uses Dijkstra's algorithm to find the shortest path, or the lowest
cost, to a destination .
Every OSPF router creates a path tree to each subnet. The OSPF
router is at the center of the tree.
OSPF routers that share an Ethernet segment form neighbor

adjacencies.
Latest supported OSPF version is version 2. II
z
(J)
><
::0
o
c
~
:::J
(C
OSPF maintains a link-state database that describes the AS topology. Each part icipating router has
an identical database. The router shares this database with routers in the AS by a mechanism called
flooding . All routers in the AS run the same algori thm used to construct the shortest path between
the router and the root. This algori thm gives each router the route to each destination in the AS.
When multiple paths to a destination exist and those paths are of equa l cost, traffic is distributed
equally among those paths.

OSPF Neighbor Relationships
Slide 4-10
Routers on the same network segment with the same area 10 are
neighbors.
Neighbor relationships are established through a discovery process:
1. The router determines its OSPF router 10 (RID).
2. The router starts the OSPF process.
3. The router sends out Hello packets using multicast.
4. When a Hello packet is received from anothe r router containing the RID
for itself, the routers become neighbors.
OSPF-enabled routers must find neighboring OSPF-enab led routers and form neighbor adjacencies
with those routers . OSPF-enabled routers form neighbor adjacenc ies by multicasting information to
other OSPF-enabled routers . Each router is responsible for main taining a Neighbor Table of the
OSPF-enab led routers that it has formed adjacencies with . The router is also responsible for sharing
this table with other routers . This multicast uses Hello packets that contain the necessary
information to form adjacencies.

OSPF Packet Types
Slide 4-11
OSPF has many different packet types used for communicating

OSPF information:
Hello packets
Database Descriptor packets
Link State Request packets
Link State Update packets
Link State Acknowledgement packets
Version # I Type I Packet Length

Router 10
Area 10
II
z
(J)
Checksum
I AuType ><
::0
Authentication o
c
~
Authentication :::J
(C
A ll OSPF packets have a header of 24 bytes. This header contai ns the information required for any
OSPF communica tion:
The version of OSPF in use by the originatin g router.
The packet type : A total of five packet types are sent by OS PF.
The total length of the packet.
The Router ID (RID) of the originating router.
The Area ID for the area to which the originating interface on the originating router belongs.
A checksum va lue for the packet to verify it has not been corru pted. This checksum excludes
the authentication fie lds.
The Authentication type (AuType) currently in use. Authentication can be none, plain text
password, or MD5 authentication.
The authentication data needed if any authentication type is used.

OSPF Hello Packets
Slide 4-12
OSPF He l lo Packet
Ne two r k Mask : 255 .255 .255 . 0
Hello I n t e r v a l : 1 0 se c o n ds
Opt i ons : 0 ,, 1 2 (L . E )
0. .. . . .. = DN: DN- b i t i s NOT se t
.0. . . ... = 0 : O- b i t i s NOT s et
. .0. 0 = DC: Dereand circuit s a re NOT s u p p o r te d

. . .0. . .. = L : Th e p ac ket c ont ain3 LLS data b lock

.... 0 ... = NP : N ,9s a i s NOT s uppo rt ed
... . . 0 .. = MC: NOT mu l t i c a s t capabl e
. . . . . . 1- = E : E"te r na lRouti ngCapacity
Ro ut e r Priorit y : 1
Rout e r De ad Inte r v a l : ~ O se c on ds Network Mask
Desi gnated Ro ut e r : 0 .0 .0 .0
Ba c kup De sign at ed Route r : 0 .0 .0 .0 I I
Hellolnterval Options Router Priority
Ac t i ve Ne ighbour : 1 0 . 1 0 .2 .2
RouterDeadlnterval
Designated Route r
Backup Designa ted Router
Neighbor
The OSPF-enabled router builds neighbor adjacencies by periodic ally sending out packets called
Hello packets from all OSPF- enabl ed interfaces on the router. OSPF-enabled routers see Hello
packets from other OSPF- enabl ed routers and add these routers to a record called a Neighbor Table.
After the routers have added each other to their tables, those routers have formed an adjacency.
To form a neighbor adjacency, both OSPF- enabled routers must pass certain parameters specified in
their respectiv e Hello packets:
The subnet included is that of the originating interface.
The HelloInt erval is the interval at which the Hello packet is sent from an OSPF-enabled
router 's interfaces. The default interval is 10 seconds but the HelloInt erval is configured per
interface.
Options includ e the capabilities of the originating router.
Router Priority is the priority of the originating router, used in designated router elections.
The originating router sets the Router Dead Interval to guide how long the router is silent before
other routers mark it as a dead link .
The IP address of the current Designated Router.

The IP address of the current Back up Designated Router.
The RIDs of all OSPF neighbor routers for the originating router.
II
z
(J)
><
::0
o
c
~
:::J
(C

Other OSPF Packets
Slide 4-13
Database Descriptor Link State Request
Interface MTU I Options LS Type
00 Sequence Number Link State 10
Advertising Router
LSA Header
Link State Update Link State Acknowledgement
# LSAs
Header
LSAs
The other OSP F packets are used as part of the process for keeping the Link State tables
synchronized between all OSPF-enabled routers:
1. Type 2 packets are Database Descriptor packets. Database Descriptor packets are used to
synchronize the router link states between all neighbors. This synchroni zation is important for
keeping the router paths accurate and not sending traffic to dead links. The OSPF router
summarizes the local database and the packets carry a set of LSAs inside the Database
Descriptor packet.
2. Type 3 packets are Link State Request packets. OSPF-enabled routers use Link State Request
packets to request neighbor database updates when their own link state databases are old based
on the Database Descriptor packet data. Adjacent rout ers that detect an LSA that is more
updated than their own database copy, request the newer LSA from the neighbor.
3. Type 4 packets are Link State Update (LSU) packets. The request for an update takes the form
of a Link State Request (LSR) packet that contains requests for any LSA updates needed. The
router with the updated database responds to the LSR with a LSU packet that contains all of the
requested LSAs .
4. Type 5 packets are Link State Acknowledgment (LSAck) packets. After the LSU packet is
received, the receiving router sends an LSAck packet to the originating router.

OSPF Neighbor States
Slide 4-14
OSPF Neighbors have different states depending on their status:

Down
Attempt
Init
2-Way
Exstart
Exchange
II
Loading
Full
Designated / Backup Designated
z
(J)
Ne i ghbo r 1 0 Pr i S tat e Dead Ti me Ad d r e ss Interfa c e
10.10.1. 2 5 4 10 FULL/ DR 00:0 0: 2 7 1 9 2.1 68.0. 3 Fas te t he r ne t 0 /0 ><
10.10 . 2. 2 5 4 1 FULL/BDR 00:0 0: 31 1 9 2.1 68.0. 7 Fas te t he r ne t 0 /0
::0
o
10. 20.10. 2 5 4 0 2WAY 00:00: 3 3 192.16 8 .0.11 Fas te t he r ne t 0/ 0 c
~
10. 20.11.2 5 4 0 2'11AY 00:00: 2 9 1 9 2. 1 68.0.13 Fas te t he r ne t 0/0 :::J
(C
10 . 20.1 2. 2 5 4 0 DO'I/N 00:00 :35 1 9 2.1 68.0.17 Fas te t he r ne t 0/0
OSPF -enabled routers keep the link state databas e curren t at all times. This database is used to
determine where to send traffic by the most efficient path:
Down indicates that the neighbor has not been heard from within the RouterDeadInterval time .
Attempt is only used for manually configured neighbors. The current router is send ing Hello
packe ts to any router in the Attemp t state.
When the status is Init, the router has received a Hello packet from this neighbor and replied but
has not completed the process for establishing adjacency.
A 2-Way state indicates that bidirectional comm unication is established with the neighbor
router.
Exstart indica tes that the routers are beginning the link state information exchange.
Exchange is the state when neighbor routers exchange the Databas e Descriptor packets.
In the Loading state, based on the information in the Database Descrip tor packets, routers are
exchanging the link state information.
The Full state indica tes that routers are synced and in adjacency.

The Designated Router (DR) is an OSP F-enabled router interface. This interface is elected by all the
other routers in an area to be a centralized router that keeps a topology table of the entire network.
The Backup Designated Router (BDR) is designated if the DR fails. When a DR is present, other
OSPF-enabled routers form adjacencies only with the DR and BDR. Non-DR or BDR rout ers send
updates directl y to the DR and BDR. The DR multi casts updates out to all other routers in the area.
The use of this centra lized maintenance coupled with the use of multi casting conserves network
bandwidth.
The DR is determi ned throu gh an election proc ess where the OSP F-enabled router interface with the
highest priority is elected as the DR. The BDR is the OSPF-enabled router interface with the next
highest priority. If the DR fails, the BDR assumes the DR role and a new BDR is elected.

OSPF Router Types
Slide 4-15
The OSPF router type is a property of the OSPF process. A physical

router can host more than a single OSPF router type with one type on
each port.
Routers can have the following OSPF router types:
Area Border Routers (ABR): Connect one or more areas to the
backbone network.
Autonomous System Boundary Routers (ASBR): Connect to other
autonomous systems and exchange routing information.
Internal Routers (IR): Connect all interfaces in a single OSPF area .
II
z
(J)
><
::0
o
c
~
:::J
(C
The main router types are the following:

Area Border Routers (ABR) connect one or more OSPF areas to the backbone network. The
ABR keeps an individual copy of the link-sta te database in memory for each connec ted area .
Autonomous System Boundary Routers (ASBR) connect to other routers that belong to other
areas using other routing protcols or static routing. The static routing or additional routing
protoco l, such as IS-IS is in addition to OSPF. The ASBRs distrib ute routes discovered from
external systems to other OSPF -enab led routers .
The Interna l Router (IR) is an OSPF-enabled router that belongs to only one area and has
neighbors only within that area .

OSPF Areas
Slide 4- 16
An OSPF AS includes all routers that run OSPF and these routers
exchange link-state information with each other:
An AS is also called a routing domain .
In the OSPF AS, each router interface that is participating in the
OSPF process is placed in an area:
A router can have interfaces in more than one area.
A router with interfaces in more than one area must have one of those
interfaces in the backbone area, or area O.
A router only forms neighbor adjacencies with another router in a local
segment if both routers are in the same area .
The default OSPF area for NSX is Area 51.
Areas are sets of networks that are grouped together. Areas are a collection of routers, links, and
networks that have the same area identification. Each OSPF area can combine with other areas and
form a backbone area . Backbone areas combine multipl e indepe ndent areas into one logical routing
domain. This backbone area has an ID of 0 or (0.0.0.0). The primary responsibility of the backbone
area is to distribute routing information between nonbackbone areas .

OSPF Area Types
Slide 4- 17
OSPF defines the following types of areas:

Normal area
Stub area
Not so stubby area (NSSA)
II
z
(J)
><
::0
o
c
~
:::J
(C
Each area maintains a separa te link-state database. Stub areas are areas that do not receive route
advertisements externa l to the AS. Not so stubby area (NSSA) is a stub area that can import AS
external routes and send them to other areas . But NSSA cannot receive AS externa l routes from
other areas .

OSPF Normal Area
Slide 4- 18
An OSPF normal area is a nonbackbone area that receives full

routing updates from the backbone:
Routers in the area have full visibility of all networks in the OSPF AS.
No special configuration is needed in the routers.
In an OSPF normal area, routers have full visibility to all networks in the AS. Every router in a
normal area knows about every route.

OSPF Stub Area
Slide 4-19
An OSPF stub area is a nonbackbone area that receives only a

default route from the backbone.
Routers within the area continue to exchange routing updates and
intra-area routes:
Routers in the area have full visibility of only networks in their area .
The stub area is configured at the area border router.
II
z
(J)
><
::0
o
c
~
:::J
(C
A stub area is usefu l if routers do not need to know about every route. Routers contin ue to exchange
information in their area but not external destinations. Instead, routers in the area must send external
packe ts to an area border router (ABR). The area border router advertises a default route in place of
external routes and generates a network summary link-state advertisement (LSA). Packets destined
for an external route are sent to the ABR .

OSPF NSSA
Slide 4-20
An OSPF NSSA is a nonbackbone area that receives only a default

route from the backbone:
The NSSA also has an AS boundary router that injects external routes
to the area.
The external routes are advertised to the backbone area.
Routers in the area continue to exchange routing information for intra-
area networks.
The NSSA is configured on an area border router.
An OSPF NSSA allows external routing information to be imported in a limited fashion into the
stub area. OSPF NSSA is useful for making an area aware of a non-O SPF router. This information
can be flooded within the area, but the area remai ns protected from being flooded with all routes.

OSPF Area and Router Types Example
Slide 4-21
Areas are logical groupings of hosts, networks, and routers.
Area 0
Area 813
Normal
:l"t~lf-----{O ) Internal
Router
Internal
II
z
(J)
Router ><
::0
o
c
Area 829 Stub ~
:::J
c.c
The diagram shows the interaction s of the different areas with each other.

Intermediate System to Intermediate System
Slide 4-22
IS-IS is a routing protocol that uses the router's link states to

determine the optimal path to reach a destination:
Similar in design to OSPF.
IS-IS can route non-IP traffic.
IS-IS was originally defined by OSI/IEC 10589:2002.
IS-IS is the preferred IGP used by large Internet Service Providers
(ISPs) globally.
In ISO terminology, IS-IS is a router.
IS-IS is an interdomain dynamic routing protocol used to support large routing domains. OSPF is
designed to support only TCP/IP networks whereas IS-IS started as an ISO protoco l. Both protoco ls
are interior gateway protocols (lOP), but IS-IS runs over layer 2 and is intended to support multiple
routed protocols.

IS-IS Features
Slide 4-23
Router-level support:
Area 10, system 10 (default router-id), IS-Type (default level -1-2),
domain password , and area password
Area-level support:
Up to 3 IP addresses per area
Interface-level support:
vNIC name
Hello timer, hello multiplier

Metric, priority
Circuit type
II
z
(J)
LSP interval ><
Mesh group ::0
o
c
~
Password :::J
(C
IS-IS and OSPF have similar features. VMware NSXTM supports up to three IP addressees per area
and a wide range of interface levels.

IS-IS Areas
Slide 4-24
Like OSPF, IS-IS associates routers into areas:

Areas should be contiguous.
IS-IS defines two areas: level 1 areas and level 2 areas.
Level 1 areas are equivalent to normal OSPF nonbackbone areas:
Routers in this area advertise intra-area route information in the area.
A router can be a part of multiple level 1 areas.
Level 2 areas only advertise inter-area route information in the area:
This area is close to an OSPF backbone area.
Like OSPF , IS-IS area has numbers.
IS-IS uses a two-level hierarchy for managing and scaling large networks. A routing domain is
partitioned into areas . Level I routers know the topology of their area including all routers and
endpoints in their area. Leve l I routers do not know the identity of routers or destinations outside
their areas . Level I routers forward all traffic that is outside their area to a level 2 router in their
area .
Level 2 routers know the level 2 area and know which addresses can be reached by contacting other
level 2 routers. A level 2 router does not know the topology of a layer I area . Level 2 routers can
exchange packets or routing information directly with external routers located outside of the routing
domain.

IS-IS Router Levels
Slide 4-25
IS-IS assigns an area type to the entire router rather than the router
links.
Leve l 1 Area Leve l 2 Backbone Level 1 Area
II
z
(J)
><
::0
o
c
~
:::J
c.c
Leve l l routers belonging to a level 1 area only form neighbor adjacencies with level 1 routers in the
same area and have full visibi lity of their area . Leve l 2 routers belonging to a level 2 area can form
neigh bor adjace ncies with any level 2 router, including in other areas and advertise interarea routes.
Level 1-2 routers belong to both level 1 and level 2 areas at the same time. Similar to OSPF 's AB R,
level 1-2 routers can form neighbor adjace ncies with any othe r router in any area. Level 1-2 router
takes level 1 area routing updates and propagates them to level 2 areas and the other way round.
Only level 2 routers can connect to an external netwo rk.

IS-IS Neighbor Adjacency
Slide 4-26
ISIS routers exchange Hello Protocol Data Units (Hello PDU) to

discover ISIS speakers in the segment and to form neighbor
adjacencies.
Level 1 Area Level 2 Backbone
All IS-IS speakers in a segment form neighbor adjacencies with each other:
Levell routers send and listen for level I Hello Protocol Data Units (PDUs).
Level 2 routers send and listen for level 2 Hello PDUs.
Level 1-2 routers send and listen for levell and level 2 Hello PDUs.

IS-IS Design Considerations
Slide 4-27
IS-IS has more flexible rules than OSPF regarding neighbor

adjacencies and route advertisement:
Level 2 only routers are not needed.
Multiple level 1 areas can be joined with level 1 or 2 routers .
An area cannot be disjointed.
All routers in the same area should have an area path to every other
router in the area.
Area boundaries exist in the links, not routers.
II
z
(J)
><
::0
o
c
~
:::J
(C

BGP Features
Slide 4-28
iBGP and eBGP support

Router-level configuration
Local AS
Neighbor-level configuration:
Keep alive timer (default 60)
Hold-down timer (default 180)
Authentication MD5
Per neighbor filtering
Inbound or outbound accept or deny by prefix range
The BOP is an interAS routing protocol.

BOPs can be either internal BOP (iBOP) or externa l BOP (eBOP) . eBO P is used when talking to a
router that has an AS number that is different from its own. iBOP is used with routers in the same
local AS.
You can use neighbor-level configurations to configure various settings to customize the BOP
configuration.

Border Gateway Protocol
Slide 4-29
BGP is a routing protocol that provides route reachability while

avoiding path loops:
BGP is an external gateway protocol (EGP) because BGP is used
between different AS under different management controls to advertise
routes.
Each AS administrator chooses which routes to advertise through BGP.
Each AS administrator chooses which routes to receive through BGP.
BGP is the standard route advertisement protocol on the Internet.
Latest BGP version is 4, RFC 4271.
II
z
(J)
><
::0
o
c
~
:::J
(C
BOP is a standardize d exterior gateway protocol designed to exchange routin g and reachability
inform ation between AS on the Internet.

BGP AS Numbers
Slide 4-30
BGP speakers are assigned an AS number (ASN).

An ASN uniquely identifies all the BGP speaking routers under the
same management control:
The Internet Assigned Numbers Authority (lANA) assigns public ASNs.
Originally BGP supported 2 A16, or 65,536 ASNs:
RFC 6793 expanded ASN support for 2"32, or 4,294,967,296 ASNs.
ASNs 64,512 through 65,534 and 4,200,000,000 through
4,294,967,294 are internal ASNs for anyone to use.
These internal ASNs cannot be advertised on the Internet.
An AS is a set of routers under a single technical administration . The AS uses an interior gateway
protocol (lOP) and common metr ics to determin e how to route packe ts in the AS. The AS uses an
interAS routing protocol to determine how to route packe ts to other AS. Each of these AS is
uniquely identified using an AS numb er (ASN) .

BGP Peers
Slide 4-31
BGP neighbor adjacencies, called peers, are manually configured.

Each BGP speaker must have information about the other BGP router
before the BGP speaker starts sending hello packets:
BGP peers establish a communication over rep port 179.
If two BGP peers have different BGP ASNs , the peers are called eBGP
and BGP assumes that they are under different management control.
If two BGP peers have the same BGP ASN, the peers are called iBGP
and BGP assumes that they are under one management control.
II
z
(J)
><
::0
o
c
~
:::J
(C
Peers are manually configured to exchange routing information and form TCP connections. A peer
in a different AS is called an external peer, while a peer in the same AS is called an internal peer.

BGP Peers Example
Slide 4-32
A BGP router is only aware of its BGP neighbors and conducts all
control plane communication with them.
AS 90 r
iBG P

BGP Route Selection
Slide 4-33
A BGP router only installs one path to a route in its routing table.
If multiple paths exist for the route, the BGP router selects the best
route based on the following criteria:
1. Prefer the path with the highest local preference.
2. Prefer the locally originated path.
3. Prefer the shortest AS path.
4. Choose the path with the lowest origin code .
5. Choose the path with the lowest multiexit discriminator.
6. Choose an eBGP over an iBGP.
7. Choose a route through the nearest IGP neighbor as determined by the
lowest IGP metric .
II
z
(J)
8. Choose a path with the lowest router 10.

><
::0
o
c
~
:::J
(C
BOP routers typically receive multipl e paths to the same destination. The BOP best path algorithm
is used to determin e which path is best to install in the BOP routing table.

Concept Summary
Slide 4-34

Which is the interior routing protocol that uses
Open Shortest Path First (OSPF)
link state tables to map network topology?
Which protocol floods link state information
Intermediate System to
through a network of routers to map network Intermediate System (IS-IS) protocol
topology?
Which protocol manually configures and uses
Border Gateway Protocol (BGP)
rep to connect to peers?

Slide 4-35
objectives:
Compare OSPF , IS-IS, and BGP
Describe OSPF area types
Describe IS-IS routing levels
Describe the BGP
II
z
(J)
><
::0
o
c
~
:::J
(C

Lesson 2: NSX Logical Router
Slide 4-36
Lesson 2:
NSX Logical Router

Learner Objectives
Slide 4-37
objectives:
Describe the role of the distributed logical router
Deploy a distributed logical router
II
z
(J)
><
::0
o
c
~
:::J
(C

Layer 3 Networking Overview
Slide 4-38
The network layer handles the following:

Selecting routes
Knowing the addresses of neighboring network nodes
Prioritizing traffic based on quality of service
Forwarding messages for local host domains to the transport layer
Router
Endpoint
These tasks are performed by the router that allows the routing between different nodes without
broadcasting all traffic to all nodes.

Layer 3 Enables Larger Networks
Slide 4-39
Layer 3 routers can be linked to other routers and endpoints.

Inter-router links allow for much larger networks.
Series Central
II
z
(J)
><
::0
o
c
~
:::J
c.c
In addition to being linked to endpoints in a local network, the router can be linked to other routers .
Nodes that are separated by distance communicate with each other witho ut extending miles of
network cables. Placing a router at each group of endpoints and running a single line from router to
router is a practica l solution . Rout ers can be chain ed in series , or connected by a centra l router.

Distributed Logical Router
Slide 4-40
The distributed routing capability in the NSX platform provides an
optimized and scalable way of handling East-West traffic in a data
center. Overview
Routing between virtual netwo rks

without leaving virtual space
'Layer 3 data plane distriOOOOOObuted in
hypervisor
;:..) Layer 3 control plane running in a virtual
machine
-Dynarnic routing protocols for route discovery
and adve rtiseme nt
'Simplified deployment using VMwa re NSX
Manaqer " UI or API
Scale & Performance
' 1000 Logical Interfaces per distributed logical

router instance
'1 200 distributed logical router instances total
'1 00 per VMware ESXi host
'Line rate performance per hyperviso r
Use Cases
MM ' Optimize routing and data path in virtual
networks
' Supports single tenant or multitenant
deployment models
Routin g between virtual networks, layer 3 is distributed in the hypervisor. The distributed logical
router optimizes the routing and data path, and supports single-tenant or mult itenant deployments.
For example, a network that contains two VNls that have the same IP address ing. Two different
distribut ed routers must be deployed with one distribut ed router conn ecting to tenant A and one to
tenant B.

Hairpinning
Slide 4-41
The distributed logical router prevents hairpinning.
NSX Edge Galeway
Packet is de livered to the

destination .
Packet is
delivered to the
gateway interface
VM on green logical t:l~ ii for routing.
switch communicates
with VM on red logical ..... "" ,
switch.
Frame are sent over

VXLAN transport
Com pu te
Rack 1
the frame is sent to the

VM on Red Logical Switch
NSX
Edge/Managemen
fter the Routing decision ,
Rack l
~
~
r
Frame delive red
o the destinatio
II
z
(J)
network to the VTEP ><
gateway IP of green ::0
logical switch. o
> c
~
VXLAN Transport Network :::J
(C
Without the distributed router, routin g is done in one of the following ways:
A physical appliance is used. All traffic has to go to a physical appliance and come back
regardless of whether the virtual machin es are on the same host.
Routing is perform ed on a virtual router such as the VMwa re NSX Edge" gateway. This
method uses a virtual machine runnin g on one of the hosts to act as the router.
If virtual machin es runnin g on a hypervisor are connected to different subnets, the communication
between these virtual machines has to go throu gh a router. This nonoptimal traffic flow is sometimes
called hairpinning.
The example in the slide illustrates the traffic flow without the distributed logical router:
1. A virtual machine on the first VMware ESXi host wants to communicate with a virtual
machin e on the same ESXi host. The two virtual machines are on separate subnets.
2. A frame is sent by the green virtual machine to the distributed switch. Because the virtual
machin es are on different subnets, the host forwards the frame to the default gateway.
3. The frame is received by the ESXi host that is hosting the NSX Edge gateway.
4. The packet is delivered to the NSX Edge gateway for routin g.

5. The NSX Edge gateway makes a routing decision and sends the packet back to the ESXi host,
which forwards the packe t back to the red logical switch.
6. The ESXi host that is hosting the red virtual machine receives the packe t and forwards the
frame to the red virtual machine.
7. The packet is delivered to the red virtual machine. If the red virtual machine responds, the
traffic flow is reversed.

Distributed Logical Router: Logical View
Slide 4-42
The distributed logical router kernel modules can route between

physical and virtual subnets.
VXLAN logical Router Instance 1
WebVM AppVM
VXLAN 5001
VLAN
Router Instance 2
II
z
(J)
AppVM
><
::0
o
c
~
:::J
(C
VLAN 10 VLAN 20
The distributed logical router rout es between YXLAN subnets. Two virtual machin es might be on
the same host and the Web YM on YXLAN 500 I might want to communicate with the App YM on
YXLAN 5002. The distributed logical router routes traffic between the two virtual machin es on the
same host.
The distributed logical router can also route between physical and virtua l subnets.

Distributed Logical Router: Physical View
Slide 4-43
The distributed logical routers run at the kernel module level.

Physical
NSX
Co ntrolle r
Cl u-ster
VXLAN Transport and

Management Network
VMware NSX Manager" configures and manages the routing service. During the configuration
process, NSX Manager deploys the logical router control virtual machine and pushes the logical
interface configurations to each host through the control cluster.
The logical router control virtual machine is the control plane component ofthe routin g process. The
logical router control virtual machin e supports the OSPF and BGP protocols.
The logical router kernel module is configured as part of the preparation through NSX Manager. The
kernel modul es are similar to line cards in a modul ar chassis supporting layer 3 routing. The kernel
modul es have a routing inform ation base that is pushed through the VMware NSX Controller"
cluster. The kernel modul e performs all the data plane functions of route lookup and Address
Resoluti on Protocol (ARP) entry lookup.
The NSX Controller cluster is responsible for distributing routes learned from the logical router
control virtual mach ine across the hypervisors. Each control node in the cluster takes responsibility
for distributing the information for a particular distributed logical router instanc e. In a deployment
where multipl e distributed logical router instances are deployed, the load is distributed across the
NSX Controller nodes .

Data Path: Host Components
Slide 4-44
The distributed logical router instance owns the logical interfaces (L1Fs):
IP addresses are ass igned on the L1Fs .
Multiple L1Fs can be configured on one distributed logical router instance.
The L1F configuration is distributed to every host.
An ARP table is maintained per L1F.
The virtual MAC (vMAC) is the MAC address of the L1F:
vMAC is the same across all the hosts and it is never seen by the physical
netwo rk, only by virtual machines.
Virtual machines use the vMAC as thei r default gateway MAC address .
The physical MAC (pMAC) is the MAC address of the uplink through
which traffic flows to the physical network:
II
z
(J)
><
For VLAN L1Fs the pMAC is seen by the physical network. ::0
o
c
~
:::J
(C
The distribu ted logica l router owns the logical interface (LIF). This concep t is simi lar to interfaces
on a physical router. But on the distribu ted router, the interfaces are called LIFs. The LIF connects to
logical switches or distributed port groups. A distributed logical router can have a maximum of
1,000 LIFs . For each segment that the distrib uted logical router is connected to, the distr ibuted
logical router has one ARP tab le.
The media access control (MAC) addresses in this environment are the virtua l MAC (vMAC)
addresses and the physical MAC (pMAC) addresses. If a LIF connects to a logical switch, the
virtual machines use the MAC addresses associated with that LIF as their next hop for the default
gateway. When a virtua l mach ine does an ARP request, the virtua l machine's MAC address is called
a vMAC. A virtual machine 's vMAC is never stored in the MAC table of a physical switch because
the virtua l machine's vMAC address is interna l to the VXLAN domain. Every host running the same
distributed logical router instance presents the same vMAC for each LIF to the virtual machines in
the logical switc h.
If an interface on the distrib uted logical router connects to a distrib uted port group , the distributed
router might talk to a physical entity by using the source MAC address . So a physica l switch sees
the pMAC and has the pMAC in the MAC table .

VLAN L1F
Slide 4-45
The distributed logical router supports distributed port groups that

are backed by VLAN:
First hop routing is handled on the host and traffic is switched to the
appropriate VLAN.
A designated instance is required per VLAN L1F.
A VLAN 10 must be defined on the distributed port group:
VLAN 10 of a is not supported.
VLAN L1Fs can only span one distributed virtual switch.
The logical interface can be one of the following types:

VXLAN LIF: You connect the router to a logical switch.
VLAN LIF: You connect the router to a distributed port group that has one or mor e VLANs.
When the LIF is connected to a VLAN , the LIF has a pMAC and when the LIF is connected to a
VXLAN, the LIF has a vMAC. VLAN LIFs can only span one distributed switch because the
VLAN LIF is a port group and can only belong to one distribut ed switch. But a logical switch can be
configured in mu ltiple distributed switches.

Designated Instance
Slide 4-46
The designated instance is the host responsible for resolving ARP on

a VLAN L1F:
One designated instance exists per VLAN L1F.
Any ARP request in the distributed port group is handled by the
designated instance.
VMware NSX Controller" selects the designated instance:
NSX Controller pushes designated instance selection to all other hosts.
When the designated instance fails, NSX Controller does the
following:

Elects another host as the designated instance
Informs the remaining host about the new designated instance
II
z
(J)
><
::0
o
c
~
:::J
(C
The distributed logica l router is connec ted to a port group that gives access to the physical network.
The physical network might not be able to determine which of the different hosts own the MAC
address for that VLAN LIF at any point in time . To overcome this problem, each host has its own
pMAC address for the VLAN LIF, but only one host responds to ARP requests for the VLAN LIF.
The host that responds to the ARP requests for the VLAN LIFs is called the designated instance and
this host is chosen by NSX Controller. The designated instance also sends ARP requests on behalf
of all other hosts . All ingress traffic to the VLAN LIF is received by the designated instance. All
egress traffic from the VLAN LIF leaves the originating host directly without going through the
designated instance.

VXLAN L1F
Slide 4-47
The distributed logical router supports logical switches that are

backed by VXLAN :
First hop routing is handled on the host and traffic is switched to the
appropriate logical switch:
If the destination is at another host, the Ethernet frame is placed in a
VXLAN frame and forwarded .
A designated instance is not required.
Only one VXLAN L1F can connect to a logical switch:
The next hop router can be an NSX Edge services gateway
VXLAN IF can span all distributed switches in the transport zone.
Distributed logical routers perform best with VXLAN L1Fs.
If the VXLAN LIF connects to a VXLAN port group or logical switch, the LIF has a vMAC that is
used by all hosts. No designated instance exists because the vMAC is never visible in the physical
network.
You can have only one VXLAN LIF connecti ng to a logical switch. Only one distributed logica l
router can be connected to a logical switch.

Control Plane: Components
Slide 4-48
Distributed logical router control plane is provided by a per instance

logical router control virtual machine and NSX Controller.
Supports dynamic routing protocols:
OSPF
BGP
High availability supported through active-standby configuration.
Logical router
control virtual
Communi cates with NSX Manager and NSX

Controller cluster :
- NSX Manager sends L1F information to the

machine
II
z
(J)
control virtual machine and NSX Controller
cluster. ><
::0
- Control virtual machine sends routing
o
c
updates to the controller cluster. ~
:::J
(C
When a distributed logical router is deployed, the logical router control virtua l machine is also
deployed. The logical router control virtua l machine handles all control plane communications for
the distributed logical router. To enable high availability, deploy two logical router control virtual
machines and designate one as active and one as passive. If the active logical router control virtual
machine fails, the passive logical router contro l virtual machine takes 15 secon ds to take over.
Because the control virtual machine is not in the data plane, data plane traffic is not affected.
Controlling high availability resu lts in the addition or remova l of additional logical router control
virtual machines. When high availability is enabled, NSX Manage r enables the VMwa re vCenter
Server" system to deploy another logical control router virtua l machine. The logical router control
virtua l machine handles the OSPF and BOP protocols. So without a passive logical router control
virtual machine, you might lose neighbor adjace ncies if the active logical router control virtual
machine has a problem.

Logical Router Control Virtual Machine
Slide 4-49
The logical router control virtual machine is a control plane
component:
The logical router control virtual machine does perform any routing.
Routing is performed by the distributed logical router in the data plane.
The firewall on the distributed logical router only secures the control
virtual machine.
NSX Log ical Does not sit in the data path
Router Control VM
<--
Control plane protocol
Control
Provides OSPF route updates
Plane to other routers (peering)
---- - - _.-- - ----- ----- ---- - --- -- ------ - ---- ---- - - ---- _.- --- - -------- -- - ----- -- --- - -- ----- - - - --- - - - - - - - ----- - - - -- --
The physical rou ting takes
NSX Virtual Sw itch NSX Edge place in the data plane
D,sl ibuled + !n~------Qf<---n---. serviCej

h VXLAN Dist rib ut ed Fir ew all :
Data ~ ~_C!g~~ ~J _~~1I ~~ ~ .. ;
Plane Hyp erv isor Kern el Modu les
ESXi
The logical router control virtual machine is a control plane component and does not perform any
routin g. The routin g is performed in the data plane by the distributed logical router.
The logical router control virtua l machine's function is to establish routing proto col sessions with
other routers. An IP address called the Protocol Address is assigned to the logical router control
virtual machin e. This address is used to form adjacencies with peers.
The firewall installed to the distributed router does not do East-West traffic filtering. The firewall is
strictly present to protect the logical router control virtual machine.

Management, Control, and Data Communication
Slide 4-50
To support OSPF, the logical router control virtual machine must

have a connection in the segment as the L1F of the distributed router.
Dynamic routing protoco l is
Exte rn al Netwo rk configured on the logical router
instance .
NSX Controller pushes new logical

router configuration including LiF s
NSX Manager to ESXi hosts.
Logical Router
Control VM
192 .168 .10.1 OSPF or BGP peering is
estab lished between the NSX Edge
and logical router contro l virtual
II
machine. The protocol address is
used for contro l communication .
192 .168 .10 .2 Learn routes are pushed to the

NSX Contro ller cluster for
LOgiCal ! distribution.
z
(J)
Router ~
><
172 .16.10 .1 172 .16 .20 .1 ::0
o
c
DB ~
Routing kernel modules on hosts :::J
VM handle the data path traffic. c.c
172 .16.20 .10
To support OSPF, the logical router control virtual machine must have a connection in the segment
as the LIF of the distributed router. OSPF configuration requires the following IP addresses:
An IP address for the uplink LIF on the distributed router for data plane communications.
An IP address used exclusively for control conversations to the logical router control virtual
machin e. This IP address is used by the control virtual machine to talk OSPF neighbor
adjacencies and update the routin g table. The control virtual machine also does BOP across this
IP address.
These machines do appear as virtual machines in the vCenter Server system inventory. These
machin es should only be manipulated from the Network and Security view of the VMware
vSphere Web Client, and never from VMs and Templates or other views.

Deployment Models: One Tier
Slide 4-51
One tier of routing:

Distributed for East-West Externa l
Designated instance Networks

for North-South
Dynamic routing
to advertise logical networks
'"
I
OSPF :
VLAN VX LA N
Uplink Uplin k
BGP 'of
'"fJ\....;...------...Oist ributed Logical Router
tor'tl~ ---
- - - - -10 ESe ES'- - - - - -.
Web App DB
The diagram shows a distributed logical router connected to multiple logical switches. These
switches can be VXLANs. An up link can be added and converted to a VLAN uplink by connecting
the uplink to a port group . After the uplink is connected, a designated instance is chosen and
connected to the phys ical network.
You can put an NSX Edge instance between the physical and the logical router. VMware
recommends this design. If you are deploying and NSX Edge instance, do not use a VLAN LIP. Use
a VXLAN LIF. Use a VLAN LIF only if you must go direct ly outside. If you use VXLAN with the
edge , no designated instance exists and every router can directly forward traffic.
240 VMware NSX : Install, Configure, Manage

Deployment Models: Two Tier
Slide 4-52
Two tiers of routing

Distributed for East-West
Extern al
Perimeter for North-South Networks
Dynamic routing to advertise ,-Dynamic Routing
A
logical networks I
: (OSPF, IS-IS, BGP)
't'
Perimeter NSX Edge
Transit Uplink1 Transit Uplink3
,,,- - - - - - - - - - - - - - -
II
~
,,,
Dynamic Routing
(OSPF, BGP)
~ z
(J)
><
::0
o
c
~
:::J
c.c
The topology needs firewa lling at the perimeter to restrict access between the distributed routers. On
each distr ibuted router, firewa ll rules only allow traffic between certa in devices and selected traffic
on the outside.
The topology can easily be converted to a multitenancy configuration by inserting an NSX Edge
instance above each of the three logical routers . The original NSX Edge instance becomes the
perimeter NSX Edge instance that is shared by the three NSX Edge instances . The NSX Edge
instances allow each tenant their own config uration. Often , the NAT dev ice also belongs to the
tenant.

Distributed Router Traffic Flow: Same Host
Slide 4-53
DA: vMAC r;;-:.,.=~=---:::----="':I

SA : MAC 1 ~~~~~
192 .168.10.10 Logical Router Control VM

DA: 192.168.10.10 .". ....
SA: 192 .168.20.10
~kLlF
L1 F1
Internal L1Fs
L1F2
L1F1 : 192.168. 20.1 ~
L1F2 : 192.168.10.1
vMAC
Host 1 Host 2
192.168.10.0 255.255.255.0 0.0.0.0 Direct

192. 168 .20.0 25 5.255.255.0 0.0.0.0 Direct
VXLAN Transport Network
The diagram is a packet walk through the network:

1. Virtual machine I (VM I) on VXLAN 500 I attempts to communicate with virtual machine 2
(VM2) on VXLAN 5002 .
2. VM I sends a frame with the layer 3 IP on the payload to its default gateway. The default
gateway uses the destination IP address to determine that it is directly conn ected to that subnet.
3. The default gateway checks its ARP table and sees the correct MAC address for that
destina tion.
4. VM2 is running on the same host. The default gateway passes the frame to VM2.

Distributed Router Traffic Flow: Different Host
Slide 4-54
DA: MAC2
SA: vMAC
Ho st 1 _-.III~ Host 2
VXLAN Transport Network

II
z
(J)
><
::0
DA: MAC2 o
SA: pMAC 1 c
~
t.t :::J
c.c
In the example, virtual machin e I (VMI ) on VXLAN 500 I attempts communication to virtual
machin e 2 (VM2) on VXLAN 5002 :
1. VM2 is on a different subnet. So VM I sends the frame to the default gateway.
2. The default gateway sends the traffic to the router and the router determin es that the destination
IP address is on a directly conn ected interface.
3. The router checks its ARP table to obtain the MAC address of the destination virtual machine.
But the MAC address is not listed. The router sends the frame to the logical switch for VXLAN
5002.
4. The source and destination MAC addresses on the internal frame are changed. So the
destination MAC address is the address for VM2 and the source MAC address is the vMAC
LIF for that subnet. The logical switch in the source host determin es that the destin ation is on
host number 2.
5. The logical switch puts the Ethernet frame in a VXLAN frame and sends the frame to host 2.
6. Host 2 takes out the layer 2 frame, looks at the destination mac address, and delivers it to the
destination virtual machine.

Slide 4-55
Add an NSX Edge as a distributed router virtual machine.
Ic _ O . wo.x f ~ j
U'...., HD:.~ 1 1t1 ' ' ' ,H! . 1 -,
1lI--
....--....... ""-h
-
l ~ "'I1 """'"
N.... NSl(Edge
'8 'ilflT.iiM" ,j,, _ N"",e lin d descript IO"

.
" '-.1
1. CU tredal1llals
Install Twa o E d ~e seot ces GatS'W<lY
] Coof";!Ule deplo"TlIl!1~
IIJ-
4 CoofillWelnlertdcas
. s-c. ~
S conr'llQ" pHA ( . j LogICal (DIstribu ted) Router
~ s.-. (: CIIlI(lOUt
~ o.. ~_
... --.... 6 Ready to c OfIJlIlel e
.-.....-
~, o Ena ble Hi gh AlIailabilily
i:3 ~""" ~
.... -...,
~tffDC llan~
Name -l I
Hostname I I
De5wpbQn
I I
't enant I I
, .. ~

Slide 4-56
Entering interface addresses.

Add NS)( Edge Int erfac e
vNIC#
Name *'li,.,..,_
:': .,....--",.,..,.,.... ~
Type: o Internal G Uplink
Connected To Select Remove
Connectiii ty Status Connected 0 Disconnec ted
Configu reeucnet Add Subnet Add Subnet

+ I'======~
Enter the IP
Specify the IP addresses in the sutmet * Specifythe IP addresses i Address .
"" x
II
Prima ry IP
MAC Addresses
"TU Confirm the IP

addre ss
z
Options sub net prefix length" '" L I_ _- - - - - '
Subne1prefix length: *1' - - - (J)
FenceParameter ><
::0
OK II Cancel
.t::
OK I[ Cancel o
c
~
:::J
c.c

Slide 4-57
The Transit-Interface must be configured with a prefix length of 29.
Add Subnet
Specify the IP addresses in the subnet: *

+ .;I X
Primary IP IP Addless
o '---------'1 0 Ca ncel I
Subnet prefi x length : C9

[ OK I[ Cancel L
If this setting is missed, the OSPF lab fails because OSPF does not
see the two edges on the same transit network.

Slide 4-58
Verifying the NSX Edge deployment.

nvp-controller 1# ShO ~001
n Co n t r o Iler nzs VTEPs
5001 10.10.10.1 2
nvp-Gontroller 1# I
The initial arp -n command may return a blank table.
II
z
(J)
><
::0
o
c
~
:::J
(C

Lab 5: Configuring and Deploying an NSX Distributed Router
Slide 4-59
Configure East-West routing by deploying a distributed logical router

2. Configure and Deploy an NSX Distributed Logical Router
3. Verify the Distributed Router Deployment and Configuration
4. Test Connectivity
5. Use NSX Controller CLI Commands to Verify the Distributed Router
Deployment

Concept Summary
Slide 4-60

What is a virtualized router implemented by NSX
Logical distributed router
modules installed in each ESXi host kernel called?
What is send ing communications through part of the
same path already taken when forwarding it to a Hairpinning
destination called?
What is an uplink owned by a logical router that
VLAN L1F
connects to VLAN port groups called?
What is an uplink owned by a logical router that can
span all virtual distributed switches in the transport
zone called?
VXLAN L1F
II
z
(J)
><
::0
o
c
~
:::J
(C

Slide 4-61

Describe the role of the distributed logical router
Deploy a distributed logical router

Slide 4-62
Lesson 3:
Layer 2 Bridging
II
z
(J)
><
::0
o
c
~
:::J
(C

Learner Objectives
Slide 4-63
objectives:
Describe layer 2 bridging between VXLANs and VLANs
Describe the traffic flow between VXLAN and VLAN
Configure layer 2 bridging

VXLAN to VLAN Layer 2 Bridging
Slide 4-64
A VXLAN to VLAN bridge enables direct Ethernet connectivity

between virtual machines in a logical switch, and virtual machines in
a distributed port group:
This connectivity is called layer 2 bridging.
The Ethernet connectivity can also be extended to physical devices by
assigning an uplink to the distributed port group.
Distributed Router
II
z
(J)
><
::0
o
ESXi Host c
~
Designated Instance :::J
(C
VXLAN 973729
You create a layer 2 bridge between a logical switch and a VLAN , which enables you to migrate
virtual workloads to physical devices with no effect on IP addresses. A logical network can leverage
a physical gateway and access existing physical network and securi ty resources by bridging the
logical switch broadcast domain to the VLAN broadcast domain.

Use Cases
Slide 4-65
Sometimes you must enable virtual machines on logical switches to

have direct layer 2 access to the physical network:
During physical to virtual (P2V) migrations where changing IP
addresses is not an option
Extend virtual services in the logical switch to external devices
Extend physical network services to virtual machines in logical switches
Access existing physical network and security resources
Layer 2 bridging is not intended for use in the following cases:
VXLAN to VXLAN connectivity
VLAN to VLAN connectivity
Data center interconnect
Bridging can also be used in a migration strategy where you might be using P2V and you do not
want to change subnets.
VXLAN to VXLAN bridging or VLAN to VLAN bridging is not supported. Bridging between
different data centers is also not supported. All participants of the VLAN and VXLAN bridge must
be in the same data center.

Layer 2 Bridging Details
Slide 4-66
Distributed router is required to configure bridging :

Multiple bridges are supported per distributed router
Bridge instance runs on the host where the logical router
control virtual machine is active.
Layer 2 bridging data path is entirely in the VMkernel:
A special dvPort type called a sink port is used to steer packets to the
bridge.
You cannot enable both distributed routing and bridging on a
logical switch at present. II
z
(J)
><
::0
o
c
~
:::J
(C
The layer 2 bridge runs on the host that has the NSX Edge logical router virtual machine. The layer
2 bridging path is entirely in the VMkernel. The sink port connects to the distributed port group
from the VMkernel on the distributed router. The sink port steers all traffic related to bridg ing on to
the switch . You cannot have routing enabled on those interfaces that you connect to the distributed
router.
The distrib uted router that performs the bridging cannot perform routing on that logical switc h. The
virtual machines on that switch cannot use the distributed router as their default gateway. Because
logical switches cannot be connec ted to more than one distrib uted router, those virtual machines
must have a default gateway. The default gateway must be either externally in the physical network
or in an appliance, such as the NSX Edge gateway. The NSX Edge gateway must be connected to
the logical switc h on the port group .

Bridge Instance
Slide 4-67
The host where the logical router control virtual machine runs is
selected as the designated instance to perform the VXLAN to VLAN
bridging function:
The bridge instance sends a copy of learned MAC address table entries
to the NSX Controller.
If the bridge instance fails, the control virtual machine pushes a copy of
the MAC address table to the new designated instance.
If every host is allowed to go directly to the physical network with the broadcast traffic, the network
might be overwhelmed. So one of the hosts is chosen as a bridge instance. NSX Controller chooses
a host to be the brid ge instance. The bridge instance is usually the host that is runnin g the logical
router controller.
If the brid ge instance fails, the NSX Controller instance pushes a copy of the media access control
(MAC) address table to the new bridge instance to keep it synchronized.

Bridge Instance Failure
Slide 4-68
Standby Logical Router Active Logical Router

Control Virtual Machine Control Virtual Machine
VXLAN 5001
Runs on the host with logical router

II Physical Workload
II
z
(J)
control virtual machine ~ Physical. Router ><
> .'
~ ~""
::0
Multiple bridges supported per logical o
c
~
router :::J
(C
In the example, a logical distributed router controller has failed and NSX HA is enabled. When the
bridge instance fails, the bridge instance is moved to the new active host and gets the physical MAC
addresses that were on the failed bridge instance. You can have multiple bridges on the same logical
router.

Layer 2 Bridging: Flow Overview
Slide 4-69
Traffic flow from the VXLAN to the VLAN through the bridge instance.
ARP Request
,
192.168 .100.4
~
VM1 VM2 VM 3
V NI50001 1
VXLAN SW01 VLAN100
VTEP 1 VT EP 2
Physical Host
vLan 100
192 .168 .100.4
In the example, VM2 wants to communicate with a physical host on VLAN 100. ESXi host numb er
3 is the bridge instance.

Design Considerations
Slide 4-70
Multiple bridge instances versus separate distributed routers:

Bridge instances are limited to the throughput of a single ESXi host.
Interoperability:
VLAN and VXLAN logical switch are on the same distributed switch.
Bridging a VLAN 10 of 0 is not supported.
Scalability targets:
Line rate throughput.

Latency and CPU usage comparable with standard VXLAN.
Loop prevention:
Only one bridge active per VXLAN-VLAN.
II
z
(J)
Detect and filter if the same packet is received through a different uplink ><
::0
by matching MAC address . o
c
~
:::J
(C
A bridg e instance is assigned to the ESXi host that runs the logical distributed controll er. If you have
to use multipl e bridges, consider usin g multipl e distributed routers so that the bridge instances can
be spread out among the different ESXi hosts to get greater throughput.
The VLAN-VXLAN logical switch must be on the same distributed switch. The port group that you
are bridging must have a VLAN numb er associated with it.
You must consider the throughput that goes throu gh the designated instance and also the latency.
Because all the bridge traffic is hairpinn ed to the bridge instance, you should only have one bridge
from VXLAN to VLAN to avoid loops.
Detect and filter is a function of the brid ge instance to ensure that duplic ate packets are not coming
through.

ARP Request from VXLAN
Slide 4-71
Layer 2
Network
Port, MACl
The exampl e is a packet walk of an Address Resolution Protocol (ARP) requ est from a virtual
machin e to a physic al host on the network. In the example, the virtual machine on this VXLAN
segment attempts to contact this physical host for the first time:
1. The ARP request from VM I comes to the ESXi host with the IP addre ss of a host on the
physical network.
2. The ESXi host does not know the destination MAC addre ss. So the ESXi host contacts NSX
Controller to find the destination MAC address.
3. The NSX Controller instanc e is unawar e of the MAC address. So the ESXi host sends a
broadcast to the VXLAN segment 500 I.
4. All ESXi hosts on the VXLAN segment receive the broadcast and forward it up to their virtual
machines.
5. VM2 receives the request becaus e it is a broadcast and disregards the frame and drops it.
6. The designated instance receives the broadcast.
7. The designated instanc e forwards the broadcast to VLAN 100 on the physical network.

8. The physical switch receives the broadcast on VLAN 100 and forwards it out to all ports on
VLAN 100.
The physical server receives the broadcast and determin es whether the frame belongs to it.
II
z
(J)
><
::0
o
c
~
:::J
(C

ARP Response from the VLAN
Slide 4-72
MAC3
IP3 MAC3
DA~
o ~~ ;;':';''-_ _
Port 1 MAC1
Port 2 MAC3
The slide shows an example of the response from the physical host back to the virtual machine:
1. The physical host creates an ARP response for the machine. The source MAC address is the
physical host's MAC and the destination MAC is the virtual machine's MAC address.
2. The physical host puts the frame on the wire.
3. The physical switch sends the packet out of the port where the ARP request originated.
4. The frame is received by the bridge instance.
5. The bridge instance examines the MAC address table, sends the packet to the VNl that contains
the virtual machine's MAC address, and sends the frame. The bridge instance also stores the
MAC address of the physical server in the MAC address table.
6. The ESXi host receives the frame and stores the MAC address of the physical server in its own
local MAC address table.
The virtual machine receives the frame.

Unicast Traffic
Slide 4-73
MAC3
8i
'"
5001 IP3 MAC3
II
z
(J)
DA~ '-:":":':;;~:":':" _
><
::0
o
c
~
Port 1 MAC 1
:::J
Port2 MAC3 c.c
The example shows the traffic flow from the virtual machin e to the physical server after the initial
ARP request is resolved:
1. The virtual machine sends a packet destined for the physical server.
2. The ESXi host locates the destination MAC address in its MAC address table.
3. The ESXi host sends the traffic to the bridge instanc e.
4. The bridge instance receives the packet and locates the destination MAC address.
5. The bridg e instance forwards the packet to the physical network.
6. The switch on the physical server receives the traffic and forwards the traffic to the physical
host.
The physical host receives the traffic.

ARP Request from VLAN
Slide 4-74
MAC3
Layer 2
Network
The slide shows an example of an ARP request from a physical host on a VLAN to a virtual
machine on VXLAN :
1. An ARP request is receive d from the physical server on the VLAN that is destined for a virtual
machine on the VXLAN through broadcast.
2. The frame is sent to the physical switch where it is forwarded to all ports on VLAN 100.
3. The ESXi host receives the frame and passes it up to the bridge instance.
4. The bridge instance receives the frame and looks up the destination IP address in its MAC
address table.
5. Because the bridge instance does not know the destination MAC address, it sends a broadcast
on VXLAN 500 1 to resolve the MAC address.
6. All ESX i hosts on the VXLAN receive the broadcast and forwar d the frame to their virtual
machines.
VM2 drops the frame, but VM 1 sends an ARP response.

Concept Summary
Slide 4-75

Which action connects a VLAN and a VXLAN
Bridging
network as the same logical network?
II
z
(J)
><
::0
o
c
~
:::J
(C

Learner Objectives
Slide 4-76
objectives:
Describe layer 2 bridging between VXLANs and VLANs
Describe the traffic flow between VXLAN and VLAN
Configure layer 2 bridging

Lesson 4: NSX Edge Services Gateway
Slide 4-77
Lesson 4:
II
z
(J)
><
::0
o
c
~
:::J
(C

Learner Objectives
Slide 4-78
objectives:
Deploy NSX Edge gateway
Deploy OSPF on NSX Edge

NSX Edge Gateway
Slide 4-79
The NSX Edge gateway connects isolated stub networks to shared

(uplink) networks.
NSX
NSX Edge logic al
Services Router NSX
Ga teway C ontr ol Manager
II
z
(J)
><
::0
o
Physical Network
---- c
~
:::J
c.c
NSX Edge supports OS PF, an lOP that routes IP packets only in a single routing domain. NSX Edge
gathers link state information from avai lable routers and constructs a topology map of the network.
The topology determines the routing table presented to the Internet layer, which makes routing
decisions based on the destination IP address found in IP packe ts.

Integrated Network Services
Slide 4-80
NSX Edge provides common gateway services such as DHCP, VPN,

NAT, dynamic routing, and load balancing.
Firewall Overview
Load balancer
Integrated L3 to L7 services
VPN Virtual appliance model to
Routing and NAT provide rapid deployment and
scale-out
DHCP and DNS relay
Benefits
Real-time service instantiation
Support for dynamic service

differentiation per tenant or
application
Uses x86 compute capacity
Several perimeter services are available for the NSX Edge gateway. These services are not
embedded in the distributed router. NSX Edge gateway is a virtual machine that has one interface
connected to the virtual mach ine segment through logical switches or distributed and standard port
groups.
These services are meant to work in environments where a third-p arty solution might not exist.
Sometimes a third-p arty solution might be more effective than NSX Edge service because that
solution is a dedicated device and not a multipurpose device like NSX Edge . All of these services
can be disabled to allow a third-party solution to be deployed.
In a multitenancy environment, NSX Edge for NAT might exist if duplicate IP segments exist.

NSX Edge Services Gateway Sizing
Slide 4- 81
NSX Edge can be deployed in four different configurations.
X-Large
Suitable for high performance
6vCPU layer 7 load balancer
8192 MB vRAM
Quad-Large
Suitable for high
4vCPU
II
performance firewall and
1024 MB routing
vRAM
Large
2vCPU z
(J)
1024 MB vRAM ><
::0
o
Compact c
~
:::J
1 vCPU , 512 MB vRAM c.c
When NSX Edge gateway is deployed, the wizard asks for the desired size. If a gateway with the
wrong size is deployed, the gateway can be replaced with minim al effort by deploying a new NSX
Edge gateway. The existing NSX Edge gateway is removed and an NSX Edge gateway with the
desired size is created. The configuration from the old NSX Edge gateway is applied by NSX
Manager to the new NSX Edge gateway. The name of the new NSX Edge gateway instance is
different.
A service interruption might occur when the old NSX Edge gateway instance is remove d and the
new NSX Edge gateway instance is redeployed.

Features Summary
Slide 4-82
r;I."_l NSX Edge

~ Gateway Services
F ire w all 5-Tuple rule configuration with IP, port ranges, grouping objects .
Network Address Translation Source and destination NAT capabi lities .
DHCP Configuration of IP Pools, gateways , DNS servers, and search domains.
Rou ting Static and dynamic routing protocols support (OSPF, BGP, IS-IS).
Load Balancing Configure virtual servers and backend pools using IP addresses or VC objects.
Site-to-Site V PN IPsec site-to-site VPN between two NSX Edge instances or other vendor VPN terminators .
SS L V PN Allow remote users to access the internal networks behind NSX Edge gateway
L2VPN Stretch your layer 2 across data centers.
High Availabi lity Active-Standby HA capability that works with VMwa re vSphere High Availability.
DNS/Syslog Allow configuring DNS relay and remote Syslog servers .
Traditional firewalls operate by applying a set of rules containing a few criteria including source IP
address and port , destination IP address and port, and protocol. Advanced third-p arty firewalls have
a few additional options. In addition to the traditional criteria, the NSX Edge firewall, NSX Edge, or
Distributed Firewall, can use additional vSphere criteria. The vSphere criteria include resource
pools, clusters, networks, and many other metadata details from the vCenter Server system.

NSX Edge Routing
Slide 4-83
The NSX Edge appliance supports static and dynamic routing:

OSPF
IS-IS
BGP
Route redistribution
Routing is configured by selecting NSX Edge Gateway> Manager>
Routing.
II
z
(J)
><
::0
o
c
~
:::J
(C

Routing Verification
Slide 4-84
To verify that routing works as expected, access the NSX Edge

gateway eLi by using SSH or console connection:
show ip ospf neighbors
show ip ospf database
show ip ospf interface
show ip bgp
show ip bgp neighbors
show isis neighbors
show isis database
show isis interface
show ip route

Slide 4-85
Deploy an NSX Edge as a perimeter gateway.

New NSX Edlll!
"I
..... , I.'; i ' :r.'gW!! I ;
N<HIM!and description Atld NSl< Edge Int e rf ac e
C!
"I. UJ ereeeuuers
Install Type (!' Edgesereces Gateway IINle l 0
J CorlfMJuredepl~l1e'Ilt
Name Ii
4 ConfIljure neerreces
o L ogi cal (Distributed) R outer
WI" O lntemal o Upl ink
5 Default Od(ll'WdYsellmljs
6 firewllll and HA
Connected To I I Sele ct Remove-
7 Ready-In complete D Enable High AvailaPill1y ccn nectrofv Status Connecteo o Disconnected
Configure subnets
Nam e
Hostname
- , Perimeter G alew~
[

IPAdd,u .
X
Subn.t P.. ~ ~ L ongltl
nescnou on
II
I
Tenant I MAC Addresses I I
You can speclflo' a MAC address or leaveit blank for auto ueneranon In
case ofHA, fWQ dltrerent MAC addresses ere required
,
MTU r 500 ,
~
z
N,~ --
Cancel
Options
Fence Parameters
o
[
En able Pr o)(\{ARP 0 Se nd le MP Re dire ct
, (J)
><
::0
Example: ethernellJ.f111er1pa raml"'t o
c
~
~ I c'""' : ~ :::J
c.c

Slide 4-86
Configure the static routes.
+
Global Cnnfi quratie n
Typ@ NebAlork Next Hop Interrace MTU
Static Routes
internal_high 1 0 10.10 0/ 2 4 10 .9 9 .2 Uplink-lntel1ace
OSPF user 1 0 10.7.0/ 2 4 1 0. 7 7 . 2 Uplink-Interface 1500
BGP user 1 0 10.9.0/ 2 4 10 . 5 5 . 2 Tran sit-Interfac e 1500
1515
Route Redistrihution

Lab 7: Introduction
Slide 4-87
You delete the static routes in the lab.

OSPF initially fails, but the lab guides troubleshooting to resolve.
Default Gateway
Global Configuration
upnnk-mterrece
Static Routes
Gateway IP: 192.168.1002
OSPF
MTU: Area to Interfa ce Mapping:
BGP
IS-IS
Descriptio + I EditDynamicRouting Configuration
vNIC
RouteRedistribution
DynamicRl:
Uplink-Interface Router 10 : * [ Uplink-Interface - 1... I I
II
Trans it-Interfa ce
G"l Enable 08P F
Router 10:
11 Enable BGP
08PF :
f"J Enable 18-18
BGP:
D Enable Logging
18-18 :
Log Level: I I_
nl_
O ~_
z
(J)
Logging: o ><
LogLevel: ::0
I Save II Cancel L o
c
~
:::J
(C

Lab 6: Deploying an NSX Edge Services Gateway and
Configuring Static Routing
Slide 4-88
Configure and deploy an NSX Edge services gateway to provide

perimeter routing and other network services
2. Configure and Deploy an NSX Edge Gateway
3. Verify the NSX Edge Gateway Deployment
4. Configure Static Routes on the NSX Edge Gateway
5. Configure Static Routes on the Distributed Router
6. Test Connectivity Between an External Network and a Logical Switch
Network

Lab 7: Configuring and Testing Dynamic Routing on NSX Edge
Appliances
Slide 4-89
Configure OSPF to establish bidirectional connectivity between the

Management network and the Web-Tier, App-Tier, and DB-Tier logical
switch networks
2. Remove Static Routes from Perimeter Gateway
3. Configure OSPF on Perimeter Gateway
4. Redistribute Perimeter Gateway Subnets
5. Remove Static Route on Distributed Router
6. Configure OSPF on Distributed Router
7. Redistribute Distributed Router Internal Subnets
II
z
(J)
8. Troubleshoot Connectivity Between Logical Switch Networks and the ><

::0
Management Network o
c
~
:::J
9. Resolve the Connectivity Issue (C
10.Clean Up for the Next Lab

Slide 4-90

Deploy NSX Edge gateway
Deploy OSPF on NSX Edge

Key Points
Slide 4-91
OSPF is a link-state protocol. Each router maintains a database that

describes the AS topology.
The distributed logical router optimizes the routing and data path, and
supports single-tenant or multitenant deployments.
NSX Edge supports OSPF, an interior gateway protocol that routes IP
packets only within a single routing domain .
Layer 2 bridging is intended for VXLAN to VLAN connectivity.
Questions?
II
z
(J)
><
::0
o
c
~
:::J
(C

MODULE 5

Features
Slide 5- 1
Module 5
II
z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

You Are Here
Slide 5-2
Course Introduction
NSX Networking
NSX Routing
IE NSX Edge Services Gateway Features
NSX Security

Importance
Slide 5-3
The services gateway gives you access to all VMware NSX Edge
services such as firewall, network address translation (NAT),
Dynamic Host Configuration Protocol, virtual private network (VPN),
load balancing, and high availability.
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl
Module 5 NSX Edge Services Gateway Features 285

Module Lessons
Slide 5-4
Lesson 1: NSX Edge Network Address Translation

Lesson 2: NSX Edge Load Balancing
Lesson 3: NSX Edge High Availability
Lesson 4: NSX Edge and VPN

Lesson 1: NSX Edge Network Address Translation
Slide 5-5
Lesson 1:
NSX Edge Network Address Translation
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Learner Objectives
Slide 5-6
objectives:
Determine when to use a destination network address translation rule
and a source network address translation rule
Add an internal interface to the NSX Edge gateway
Create a destination network address translation rule to enable inbound
access from an external source by translating a public IP address to a
private IP address
Create a source network address translation rule to translate a private
IP address to a public IP address for outbound traffic

Private IPv4 IP addresses
Slide 5-7
Private IPv4 IP addresses are IP addresses reserved for the internal

use of corporations:
Defined in RFC1918 .
Private IP addresses cannot be advertised in the public Internet.
Three blocks of IP addresses are reserved for private use: 10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16.
ACME Corpo ration

Intern al Netw ork External
network
II
z
(J)
><
The number of IPv4 TCP/IP addresse s that are available is limit ed. Many applications in an m
0..
(Q
enterprise requir e conn ectivity only in one enterprise and do not need external connectivity for most CD
internal hosts. Request for change (RFC) 1918 defines address allocation for private Internet. You (J)
CD
can only use IPv4 private IP addresses to address all devices on your network. Private IP addresses <:
cannot be advertised in the publi c Internet. n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

IPv4 Overlapping Space
Slide 5-8
VMware vCloud Automation Center" tenant, ACME Corporation,

needs to communicate with vCloud Automation Center tenant, XYZ
Industries.
Both tenants have many networks and now need end systems on
both sides for direct communications.
ACME Corporation XYZ Industries

vCloudAutomation vCloudAutomation
Center Networks Ce nter Networks
Hosts assigned with private IP addresses cannot communicate with other hosts through the Internet.
The solution to this problem is to use network address translation (NAT) with private addressi ng.

Managing NAT Rules
Slide 5-9
NSX Edge provides NAT service to assign a public address to a

computer or group of computers in a private network:
NAT rules provide access to services running on privately addressed
virtual machines.
The NAT service configuration is separated into the following sets of
rules:
Source NAT rules translate the source IP address of outbound packets
so that packets appear as originating from a different network.
Destination NAT rules translate the destination IP address of inbound
packets so that packets are delivered to a target address on some
other network.
II
z
(J)
X
VMware NSX Edge" provides NAT service to assign a publi c address to a computer or group of m
0..
(Q
computers in a private network . Using this technology limits the numb er of public IP addresses that CD
an organization or company must use, for econo my and security purposes. (J)
CD
You must configure NAT rules to provide access to services running on privately addressed virtual
<:
n"
CD
machines. The NAT service config uration is separate d into source NAT and destination NAT rules. rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Source NAT Deployment Using NSX Edge
Slide 5-10
Server 1 Server 2 Server 3
VM VM VM
192.168.1.2
192.168.1 .3 192.168.1.4
Test-Network
192.168.1.1
NSX Edge Gateway
10.20.181.170: Primary IPAddress

10.20.181.171: Source NAT Translated IP
Address
External-Network
Source NAT is used to translate a private internal IP address into a publi c IP address for outbo und
traffic. In the slide, NSX Edge gateway is translating Test-Network using addresses 192.168.1.0
through 192.1 68.1.24 and 10.20.181.171. This technique that the source NAT uses is called
masquerading. In this type of source NAT, the whole Lab-Network behind the NSX Edge gateway is
masquerading as a single host with IP address 10.20.18 1.171. You can also use the primary IP
address 10.20.1 81.170 as the source NAT translated IP address .

Example: Set Up External Access to Web Server
Slide 5- 11
Make a Web server on the HQ VXLAN network available to external

users:
1. Add an internal interface (HQ VXLAN Network) to NSX Edge.
2. Add a second IP address to the external interface subnet:
The second address is used by the external client.
3. Create a destination NAT rule that translates the external-facing
address to the Web server's IP address . No other IP address
combination is allowed through the NAT service.
If multiple Web servers exist, use the load balancer service in NSX
Edge to distribute connections.
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Add a Second External IP Address for NAT Use
Slide 5-12
Add a second IP address in the existing subnet for the external

interface:
The second IP address is to be used for the destination NAT and
source NAT rules.
Summary
______ o_n_i
lo_r_ l t.1anage l _
_ a_1I " " ' - _ - - - J L - _ . l -_ _~
( Settings l_F_ir_ew "___ __L_
Gr
Configure Interlaces of this NSX Edge .

Con II ur ton
Interfaces vlIlC# 1 ... lI.t m IP ddress
Certificates 192 .168 .100 .3"
o Uplink-Interlace 1192.168.100.10 I
To add a second IP address to the already-defined subnet for the external interface
1. In the VMwa re NSX Manager" page, select Edges and double-cli ck edge-I to display the
management page for HQ-E dge .
2. Select Configure > Interface s to display the list of interfaces.
3. Click the Ed it (pencil) icon to add the second IP address .
The second address is used to define both destination NAT and source NAT rules.

Destination NAT Deployment Using NSX Edge
Slide 5-13
Web Server App Server DB Server
VM VM VM
192.168.1.2
192.168.1.3 192.168.1.4
Test-Network
192.168.1 .1
NSX Edge Gateway

10.20.181.170: Primary IP Address
10.20.181 .171: Destination NAT
Public IP Address
External-Network II
z
(J)
X
Destination NAT is commonly used to publish a service located in a private network on a publicly m
0..
(Q
accessib le IP address . In the example, NSX Edge NAT is publishing the Web Server 192.168.1.2 on CD
an externa l network as 10.20.181.171. You can also use the primary IP address 10.20.181.170 as (J)
CD
destination NAT. <:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Creating a Destination NAT Rule for Inbound External Access
Slide 5-14
Destination NAT rules can be defined for any IP address or range of

IP addresses that has been configured on a network interface.
For example, create a destination NAT rule to enable an external
client to access a Web server that is on an internal network.
A Web server's internallP address is 192.168.20.10.
The IP address added to the NSX Edge external interface is
172.20.11.12.
All packets destined for 172.20.11.12 arrive on the NSX Edge external
interface.
The destination NAT rule performs a destination IP address translation
from 172.20.11.12 to 192.168.20.10.
You can test the rule by displaying the administrative share for the C:
drive on the internal system with \ \172. 20 .11.12\C$:
Ensure that the response for a command that you use is from the
internal system , not the NSX Edge appliance.
You can create a destination NAT rule to map a public IP address to a private internal IP address .
The rule translates the destination IP address in the inbound packet to an interna l IP address and
forwar ds the packet.
The original (public) IP address must be added to the NSX Edge interface on which you want to add
the rule, that is, on the external interface.

Create a Destination NAT Rule and Test Inbound Connectivity
Slide 5-15
To create the destination NAT rule:

1. Click the Add icon and select Add DNAT Rule.
Add DNATRJJle
[ Setting s I Firewall ~ Routing [ Applied On: I Upli nk-Ingterface I- I

OnglnaIIP/Ran ge : _I 1
Protocol : I I- I
A ctio n Original Port/Ra nge : I-1
Translated IP/Rang e: *I 1
~==~
Tran slated Port/Range : I-1
2. Enable the rule in the dialog box Description"
or after the rule is added. _ _ _I
D Enabled
3. Enable logging while testing D Enable loggin g
the rule.
OK I[ Cancel I,
II
z
(J)
X
To create the destination NAT rule m
0..
(Q
CD
1. In the NSX Edge management page, doubl e-click the NSX Edge instance that handles the NAT (J)
operations. CD
<:
2. Click the NAT tab. n
CD
rJl
In the slide, the rule is configured for the HQ- Edge instance. G)
til
......
CD
3. Click the Add icon and select Add DNAT Rule. stil
'<
In the Add DNAT Rule dialog box, configure the following settings : "Tl
CD
til
The interface on which to apply the destination NAT rule, for example, External. ......
C
.....
CD
The drop-d own menu displays the names of all 10 interfaces for this NSX Edge instance, rJl
but not in alphabetical order.
The original (public) IP address in one of the following formats:
IP address: 192.168.10.1
IP address range: 192.168.10.1-192.168.10.10
IP address/subnet: 192.168.10. 1/24

The protocol s that can be used are the following:
UDP
TCP
Any
The origina l port or port range:
Port number: 80
Port range: 80-85
Any port
Tran slated IPlran ge: Th e trans lated IP address is in one of the form ats listed for the original
(public) IP address.
Tran slated Port/ran ge: Th e transl ated port rang e, as described for the original port or port
range .

Creating a Source NAT Rule and Testing Outbound Connectivity
Slide 5-16
You can create a source NAT rule to translate a private internallP

address into a public IP address for outbound traffic.
For the selected NSX Edge instance, select Add> Add SNAT Rule.
Add SNAT Rule ?
Appl ied On: [ Uplink- Ingterface
o Enabled
o Enable logging
OK I[ Cancel L
You can test the outbound connectivity by pinging a translated

address from a system with one of the source IP addresses. II
z
(J)
X
In the NSX Edge Manage page , double -click the NSX Edge instanc e for a source NAT rule and m
0..
(Q
click the NAT tab. In the example, the rule is configured for the HQ-Edge instance. CD
(J)
Click the Add icon and select Add SNAT Rule to open the dialog box . The trans lated (public) IP CD
address must be added to the NSX Edge interface on which you want to add the rule. The IP address
<:
n"
CD
formats are the same formats that are used for the Add DNAT Rule choices. The source NAT rule rJl
can be enabled in the dialog box or enabled later. G)

til
......
CD
You can test the outbound rule by pinging a trans lated IP address from a system on the internal stil
network. The internal virtual machine sends the ping request. The source IP address of each Internet '<
Control Message Protocol packet ( 192.168.20.10 in the examp le) is trans lated to the public NAT "Tl
CD
til
......
address (172.20 .11.12). The public NAT address is defined by the source NAT rule. Replies to the C
ping command are from the upstream router. The upstream router responds to ping requests from the .....
CD
rJl
172.20. 11.12 IP address, which is the trans lated IP address . The router has no knowledge of the
interna l network.

Slide 5-17
A traffic capture has a specific format.
Destination
Address
Source Destination
Port Port

Slide 5-18
Adding an IP address to an interface.

EditSubnet
Adding a destination NAT
EditIP addresses in this subnet: *
and source NAT rule.
+ lC
Primary IP IP Address
o Appl ied On: I Upli nk-Inlerfa ce I I

II 1i~ 1 Cancel I
o 192,168,100,3
Original lP/Range:
1 1
Proto col: [ I I
SubnetPrefix Length >I< c
J 24-,-------.J
::.
Original PortlRange:
1 1 1
OK II Cancel I, Translated IP/Range: >I< I I
Translated PortiRange:
1 1 1
Descnptron:
1_ _ 1
o Enabled
o Enable logging
OK II Cancel I, II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
.....
til
CD
stil
'<
"Tl
CD
.....
til
C
....
CD
rJl
Module 5 NSX Edge Services Gateway Featu res 301

Slide 5-19
Resetting VMware NSX Controller" credentials.
~ e" NSX Edges
NSXMana ger : ( t 92.t 68.1 t O.42 I- I

NSXHome
+ I X " ....
EI I @ ACtlons _
@ Ins ta llation Id 1 .. Nam e
~ Logi cal Switches
edge-5 Distributed Router
: NSX Edges
edge-6
Actions - Perimeter Gateway
I'] Firew all
X Delete
iiEI SpoofGua rd " Force Sync
~ Service Defi nition s Deploy
f!J Service Composer IItIil Redepl oy
~ Data Secu rity Change auto rule configuration

~ Flow Monitoring ~ Downl oad Tech Suppo rt Logs
t!!3 Activity Monitorin g Upgrade version

Convertto Compact
... Networking & Security Inventory
Convert to Large
N SX Man ag ers
Convert to X-Large
(iiOO;; ; ,

Lab 8: Configuring and Testing Network Address Translation on
an NSX Edge Services Gateway
Slide 5-20
Use destination NAT and source NAT rules to establish a one-to-one relationship
between the IP address of a Web server on an internal subnet and an IP address
in an externally accessible subnet
2. Verify Non-Translated Packet Addressing
3. Configure an AdditionallP Address on the Uplink Interface of Perimeter
Gateway
4. Configure a Destination NAT Rule
5. Test Connectivity Using the Destination NAT Translation
6. Verify Non-Translated Packet Addressing Before Defining a Source NAT Rule
II
7. Configure a Source NAT Rule
8. Test Connectivity Using the Source NAT Translation
9. Use What You Have Learned
z
(J)
10. Clean Up for the Next Lab X
m
0..
(Q
CD
(J)
CD
<:
0'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Concept Summary
Slide 5-2 1

What is version 4 of the Internet Protocol calle d? IPv4
What are IPv4 networks with overlapping IP IPv4 Overlapping

address configurations called?
What translates either the source or the
Network Address Translation (NAT)
destination address to a pre-determined value?
What is used to change the source IP address in
Source NAT rule
an IP communication?
What is used to change the destination IP
Destination NAT rule
address in an IP communication?

Slide 5-22

Decide when to use a destination network address translation rule and
a source network address translation rule
Add an internal interface to the NSX Edge gateway
Create a destination network address translation rule to enable inbound
access from an external source by translating a public IP address to a
private IP address
Create a source network address translation rule to translate a private
IP address to a public IP address for outbound traffic
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Lesson 2: NSX Edge Load Balancing
Slide 5-23
Lesson 2:
NSX Edge Load Balancing

Learner Objectives
Slide 5-24
objectives:
Describe the NSX Edge load balancing
Configure load balancing
Compare one-armed load balancing to inline load balancing
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

NSX Edge Load Balancer
Slide 5-25
The NSX Edge load balancer enables network traffic to follow

multiple paths to a specific desti;. .:n=a=ti-=o..:. .:n,,--" -----,
Load sharing:
~
w c Load is distributed across
~ multiple backend servers
Service high availability:
Servers or applications that fail
are automatically removed from
the pool
Use cases:
Per-tenant cloud load balancing
Dynamic virtual IP (viP) for
applications
The NSX Edge load balanc er enables network traffic to follow multiple paths to a specific
destination. The NSX Edge load balancer distributes incoming service requests evenly among
multiple servers in such a way that the load distribution is transparent to users. Load balancing thus
helps in achieving optimal resource use, maximi zing throughput, minimizing response time, and
avoiding overload. NSX Edge provides load balancing up to layer 7.
In the example in the slide , access to the Web server network is load balanced.
The load balancer does not do global balancing, but it does local load balancing. If multiple virtual
machines provide a Web service , the NSX Edge load balancer can provide load balancing across
those virtual machines. One of the virtual machines being load balanced might become unreachable,
or the service might become unresponsive. The load balancer service detects that condition and
removes that Web server from the load balance rotation.
Clients do not open a Web browser and go to the IP address of the Web server. Instead, the client
points to an IP that is owned or hosted by the load balanc er itself. The load balancer redirects the
client traffic by changing the destination IP address. The load balancer 's IP address is chang ed to the
IP address of the Web server that was selected to establish your session. The IP address that was
used by the client to connect to the Web site is called the virtual IP (vIP).

NSX Edge Load Balancer Modes
Slide 5-26
Features
TCP, HTTP, HTTPS with stateful high

ava ilability
Multiple viP addresses, each with
separate server pool and
configurat ions
Multiple load balancing algo rithms
and session persistence methods
Configurable health checks
Application rules
SSL te rminat ion with certificate
management, SS L pass-through ,
and SSL initiation
IPv6 support
Modes
One-arm mode
Inline mode
II
z
(J)
><
The load balanc er accepts TCP, HTT P, or HTTPS reques ts on the externa l IP ad dress and decides m
0..
(Q
w hich internal server to use. CD
(J)
You can ad d a server pool to manage and share backend servers flex ibly and efficient ly. A pool CD
manages load balance r distributi on meth od s and has a service mo nitor attac hed to it for health check
<:
0'
CD
parameters. rJl
G)
Implement ation models for load ba lanc ing can eithe r be one -arm or inline. til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Load-Balancer Operation
Slide 5-27
Multiple virtual servers are supported.

Each virtual server is identified by a VIP address.
VIP is an IP address and also contains the service port number.
A VIP has an associated back-end pool of server IP addresses.
For example:
VIP: 163.63.63.63 and port 80
Backend pool addresses: 10.10.10.1 through 10.10.10.3
Two modes
Layer 7-proxy based (for example, HTTP)
Layer 4-based (Tep)
Layer 7 load balancing combines standard load balancing features for specific types of content. An
application delivery network can be optimized to serve specific types of content. For example, data
security, such as data scrubbing, is likely not necessary for l PG or GIF images , so the scrubbing
might be applied to only HTML and PHP.

One-Arm Load Balancer
Slide 5-28
The one-arm load balancer mode is also called proxy mode. The NSX
Edge gateway uses one interface to advertise the viP address and to
connect to the Web servers.
Design considerations:
Increases the number of NSX Edge appliances deployed
Client IP address is not preserved :
Web traffic can use the x-forward ed-for HTTP header
II
z
(J)
X
The one-arm load balancer has several advan tages and disadvantages. The advantages are that the m
0..
(Q
design is simple and can be deployed easily. The main disadvantage is that you must have a load CD
balancer per segment, leading to a large number of load balancers. (J)
CD
<:
The one-arm implementation uses the HTTP X-Forwarded-For standard to redirect traffic to a n
CD
different IP address . rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

One-Arm Load Balancer Traffic Flow
Slide 5-29
One-arm load balancers must be on the same segment as the Web

servers that are load balanced
1. Client IP address > VIP address
2. Edge IP address > Server IP address
3. Server IP address> Edge IP address
4. VIP address > Client IP address
__ ~Ojl~~ ~e~~o!:..k ~ _
---------- ..... ,
I
I
~
Router: NSX Edge ,
or Distributed I
I
Router (Layer 3) I
I
I
I Source NAT I
I
I
+ -:-jtt~==1~=1if~
0'
Destination NAT
I
I
I
~ NSX Edge Router ,
" Load Balancer I
---------------------------------~
In the one-ann design, when you deploy the NSX Edge instance, the interface advertises the vIP.
This vIP is the IP address that clients use to reach the load balanced servers. When traffic reaches
the vIP, the destination IP address is changed to the Web server IP address. This IP address is sent to
the Web server that is chosen by the load balancer. The NSX Edge instance uses NAT to change the
source IP address of the requestor to an IP address on the same subnet as the vIP. So when the Web
server replies, it is replying to the translated IP address on the NSX Edge load balancer. The NSX
Edge instance does the reverse NAT and sends the traffic back to the requestor.
In this design, the load balancer has to be on the same segment as the Web servers to which it is
providing the load balancing service.
If you do not use NAT to change the source IP address, the virtual machines reply directly to the
requestor and use their source IP address instead of the vIP. The requestor does not recognize the
serve r and discards the traffic.

Inline Load Balancer
Slide 5-30
Inline load balancer mode is also called transparent mode. The NSX
Edge gateway uses the following distinct interfaces:
An interface to advertise the viP address
An interface to connect to the Web servers
Design considerations:
Client IP address is preserved
An NSX Edge gateway must exist and the Web servers must point to
the NSX Edge gateway as the default gateway.
II
z
(J)
X
Inline proxy is another design option. The advan tage is that the client IP address is preserved m
0..
(Q
because the proxies are not doing source NAT. This design also requires fewer load balancers CD
because a single NSX Edge instance can service multiple segments. (J)
CD
With this configuration, you cannot have a distr ibuted router beca use the Web servers must point at
<:
n'
CD
the NSX Edge instance as the default gateway. rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Inline Load Balancer Traffic Flow
Slide 5-3 1
The inline proxy design is like the traditional firewall design.
1. Client IP address > VIP address

2. Client IP address > Server IP address
3. Server IP address> Client IP address
4. VIP address > Client IP address
Logical network
I
;--------------
NSX Edge Router
,
\
I (Destination NAT) (Layer 3 + Load Balancer) I
I
I
I
I
I
I
I
I
I
I
I
I
I
, /
J
,-------------------------------,
The inline proxy design is similar to the traditional firewall design. The device has at least two
interfaces. The vIP resides on the external interface. The internal interface is connected to the
segment for the Web servers. In this model the only IP address that uses NAT is the destination IP
address. The vIP is changed to one of the virtual machine IP addresses. The load balancer perform s
a hashing algorithm to decide which of the Web servers gets that traffic.
You must not change the source IP address because you must set up your Web serve rs to use your
NSX Edge instance as the default gateway. Traffic comes back the same way so that externa l IP
address can remain.

Lab 9: Introduction
Slide 5-32
Create an application profile.

New Profil e ml Create a server pool.
Name I I I
Typ' G TCP 0 HTTP 0 HTT New Pool (JJ
Enable SSL Passjhrouc
HITP Redirect URL Name: -I 1
Persistence: I None I
Cookie Name
Des cription: 1 I
Mode
. -; Algorithm : [ ROUN D-ROBIN I I
Insert x.Porwstoeo-rur HTTPheader Monitors : [ NONE I I
Enab le Pool Side SSL
Members
! I

Vir1l1alServer ce nmca...
l Service cernncetes J CA Certific ates TCRl 1

En abl @d Nam e IP Ad dress Weight Monitor Port Pe rt Ma x Conn ... Min Co nn e.. .
Common N~m. Ill<ue,
1721610,1 172 16.10 ,1

MED-APP CORP lAED-APP C'
o Transparent
Cipher
Client Authentication Ignore

.;
~~
[ OK I[ Can cel
L
II
z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
11
CD
til
......
C
.....
CD
rJl

Lab 10: Introduction
Slide 5-33
When deleting interfaces it is critical to select the correct interface.

Configure interfaces of this NSX Edge.
Edll ProfIle
'1NIC# 1 . Nam e IP Address Name l Ap p- p ro~ l e
192.168.100.3* Type o TCP a HIT ? HTTPS ,~'I
o Enable SSL Pa s slhrough

Uplink-Interface 192.168.100.7 HTI? Redirect URL
ShowAIl Persistence [ None 11

ccc ae Name
Transit-Interface 192.168.10.1*
Mode
WebTier-Temp 172.16.10.1*
o Inse rt X-Forw arded-Fof HTTPh eade r
o Enab le Pool Side SSL
Virtual SefW'f Cert IfICiiI_. 1 Pool C.. mscates 1

SeMceCe rtl1kales 1 ( "'C ertificate s I CRl j
I~ 172,16,\0,1 1721610,1 rue J ul 15 2014

o IllED-APP CORP MEOAPPCO RP Wed J ul16 2014
Reconfigure the App-Pool.

Ci pher: L:J
cneot Authenlication [ Ignore I I

Lab 9: Configuring Load Balancing with NSX Edge Gateway (1)
Slide 5-34
Configure a round-robin load balancer to distribute traffic between

two Web servers, and verify round-robin operation using traffic
capture tools
2. Verify the Lack of Connectivity
3. Add an IP Address to the Uplink Interface
4. Enable the Load Balancer Service and Configure an Application Profile
5. Create a Server Pool
6. Create a Virtual Server
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Lab 9: Configuring Load Balancing with NSX Edge Gateway (2)
Slide 5-35
Configure a round-robin load balancer to distribute traffic between

two Web servers, and verify round-robin operation using traffic
capture tools
7. Use the Packet Capture Capabilities of NSX Edge to Verify Round-
Robin Load Balancing
8. Examine NAT Rule Changes
9. Migrate the Web-Tier Logical Switch to the Perimeter Gateway
10.Reposition the Virtual Server and Examine NAT Rule Changes
11.Use a Packet Capture to Verify Round-Robin Operation
12.Clean Up for the Next Lab

Lab 10: Advanced Load Balancing
Slide 5-36
Configure a load balancer to provide SSL security for a Web site

2. Generate a Certificate
3. Modify the Existing Load Balancer
4. Capture Network Traffic at Perimeter Gateway
5. Migrate the Web-Tier Logical Switch Back to Distributed Router
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Concept Summary
Slide 5-37

What distributes serve r load among multiple
Load balancing
servers using an intermediate proxy?
What are a number of separate serve rs or
applications that are pooled together as a single Server pool
resource for load balancing called?

What IP address is assigned to a load balancing
Virtual IP address (viP)
proxy (server)?
Which load balancer uses a single path and
One-arm-load balancer
interface for ingress and egress traffic?
Which load balancer uses separate paths and
Inline load balancer
interfaces for ingress and egress traffic?

Slide 5-38

Describe the NSX Edge load balancing
Configure load balancing
Compare one-armed load balancing to inline load balancing
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Lesson 3: NSX Edge High Availability
Slide 5-39
Lesson 3:
NSX Edge High Availability

Learner Objectives
Slide 5-40
objectives:
Explain benefits of stateful high availability
Configure the high availability service
Test and verify the high availability service before placing the service in
production
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

High Availability
Slide 5-41
The NSX Edge gateway can be deployed in pairs for a highly

available, network-services solution provider:
Active and standby NSX Edge gateways are placed in different hosts.
Heartbeat and sync packets are sent over the same internal vNIC .
On VMware ESXi host failure, an attempt is made to maintain NSX
Edge gateways in separate hosts.
,---- I,----
- - I
,----
I -- I
,----
I -
,----1
...... 1 I - '11'''
I - - II I _ _ I I _ _ I
I _ va. I I _ I I _ ...1lilI II
I __
l____'
I I __ I
L ___'
I "'l1li
L ___'
_ I
t-----,
- t-----,
-
I I
Internal Port Group

U
NSX Edge high availability (HA) ensures that an NSX Edge appliance is always available by
installing an active pair ofNSX Edge gateways on your virtualized infrastructure . You can enable
high avai lability either when installing NSX Edge or on an installed NSX Edge instance.
The primary NSX Edge appliance is in the active state and the secondary app liance is in the standby
state . NSX Edge replicates the configuration of the primary appliance for the standby appliance or
you can manually add two appliances. VMware recommends that you create the primary and
secondary applianc es on separate resource pools and datastores. If you create the prima ry and
secondary appliances on the same datastore, the datastore must be shared across all hosts in the
cluster. Thus, the high avai lability app liance pair can be dep loyed on different VMware ESXi
hosts . If the datastore is a local storage , both virtual mach ines are deployed on the same host.
324 VM wa re NSX: Install , Configure, Manage

NSX Edge High Availability Operation
Slide 5-42
The heartbeat and synchronization traffic use one internal interface

on each NSX Edge instance, connected to the same internal subnet:
The NSX Edge appliances must be enabled to communicate without
layer 2 restrictions .
Heartbeat
--- Data Synchronization
High availability protection mechanisms:

Network high availability: Secondary NSX
Edge
vSphere HA: Protection against host
failure
Process high availability: Protection
against process failure
II
z
(J)
X
High availability ensures that an NSX Edge appliance is always available on your virtua lized m
0..
(Q
network. You can enable high availability when installing NSX Edge or later. NSX Edge HA CD
supports two NSX Edge appliances (peers) per cluster, runnin g in active-standby mode. (J)
CD
NSX Manager manages the lifecycle of both peers and pushes user configurations because they are
<:
n"
CD
connected to both NSX Edge instances simultaneously. rJl
G)
NSX Edge pushes runtime state inform ation to the standby, such as VMware vCenter Single Sign- til
......
CD
On" information. stil
'<
NSX Edge HA peers communicate with each other for heartbeat messages and runtim e state "Tl
synchronization. Each peer has a designated IP address to communicate with the other peer. The IP CD
til
......
addresse s are for high availability purposes only and cannot be used for any other services . The IP C
.....
CD
addresses must be allocated on one of the internal interfaces of the NSX Edge. rJl
Heartbeat and data synchronization both use the same internal vNIC. Layer 2 connectivity is
through the same port group.

Stateful High Availability
Slide 5-43
The primary NSX Edge appliance is in the active state and the
secondary appliance is in the standby state:
All NSX Edge services run on the active appliance.
The primary appliance maintains a heartbeat with the standby
appliance and sends service updates through an internal interface .
If a heartbeat is not received from the primary appliance in the
specified time, the primary appliance is declared dead and the
standby moves to the active state. The standby appliance:
Takes over the interface configuration of the primary appliance
Starts the NSX Edge services that were running on the primary
appliance
The NSX Edge gateway replicates the configuration of the primary
appliance to create the standby appliance.
The primary NSX Edge appliance is in the active state and the secondary appliance is in the standby
state. All NSX Edge services run on the active appliance . The primary appliance maintains a
heartbeat with the standby appliance and sends service updates through an internal interface.
If a heartbeat is not rece ived from the primary appliance in the specified time (default value is 6
seconds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were runnin g on the primary appliance. When the switch over
takes place, a system event is displayed in the System Events tab of Settings & Reports. Load
balancer and virtual private network (VPN) services must reestablish TCP connection with NSX
Edge, so the service is disrupt ed for some time. Virtual wire connections and firewall sessions are
synchronized between the primary and standby appliances, so that service is not disrupted during
switch over.
If the NSX Edge appliance fails and a bad state is reported, high ava ilability force-synchroni zes the
failed appliance to revive it. When the appliance is revived, it takes on the configuration of the now
active appliance and stays in a standby state. If the NSX Edge appliance is dead, you must delete the
appliance and add an appliance.
The NSX Edge appliance replicates the configuration of the primary appliance for the standby
appliance or you can manually add two appliances . VMware recommends that you create the

primary and secondary appliances on separate resource pools and datastores. You can create the
primary and secondary appliances on the same datastore. The datast ore must be shared across all
hosts in the cluster so that the high availability appliance pair can be deployed on different ESXi
hosts. If the datastore is local storage, both virtual machines are deployed on the same host.
NSX Edge ensures that the two high availability NSX Edge virtual machin es are not on the same
ESXi host. This feature works even after you migrate virtual machines with VMware vSphere
Distributed Resource Scheduler" (DRS) and VMware vSphere vMotion. But this feature does
not work when you manually migrate the virtual machines to the same host. Two virtual machin es
are deployed on the VMware vCenter Server" instance in the same resource pool and datastore as
the appliance that you configured. Local link IP addresses are assigned to high availability virtual
machin es in the NSX Edge HA so that they can communicate with each other. You can specify
management IP addresses to override the local links. If Syslog servers are configured, logs on the
active appliance are sent to the Syslog servers.
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

NSX Edge Failure
Slide 5-44
If the primary NSX Edge appliance fails, the secondary NSX Edge
detects the failure:
Default dead timer is 15 seconds:
Can be changed
Minimum 6 seconds
Secondary NSX Edge assumes the primary role:
The CLI command shows service high availability to verify primary
After secondary NSX Edge becomes primary, all new flows go
through it:
Connections must be re-established for all flows existing at the time of
primary failure .
Load balance persistence is synchronized.
If a heartbeat is not rece ived from the primary appliance in the specified time (default value is 15
secon ds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were running on the primary appliance. When the switch over
takes place, a syste m event is displayed in the System Events tab of Settings & Reports. Load
balancer and VPN services must re-establish TCP connection with NSX Edge, so the service is
disrupted for some time. Virtual wire connections and firewall sessions are synchronized between
the primary and standby appliances, so no service disrupti on occurs during switch over.

NSX Edge Services Gateway High Availability
Slide 5-45
Heartbeat and synchronization: Anti -affi nity:

Heartbeat and sync both use the o Act ive and standby NSX Edge gateways
same internal vNIC. are placed on different ESXi hosts.
Layer 2 connectivity using same o On ESXi host failure, VMware NSX
port group . Manaqer" attempts to place NSX Edge
o Stateful failover for features . gateways on different hosts again .
,----l I,----
I - YM - - II
,----
I - - II
,----
I -
,----
- II II -_ -_ II
I VM _ I
I _ I I v .. I I "M _ I
11'''' _
I __ I I __ I I __ I I __ I
I _ Willi I
L ___' L ___' L ___' L ___' L ___'
Internal Port Group
II
z
(J)
><
NSX Edge ensures that the two highly available NSX Edge virtual machines are not on the same m
0..
(Q
ESXi host. This feature works even after you migrate virtual machines with DRS and vSphere CD
vMotion. But this feature does not work when you manually migrate the virtual machines to the (J)
CD
same host. Two virtual machines are deployed on a vCenter Server host in the same resource pool <:
0'
and datastore as the appliance that you configured. Local link IPs are assigned to high availability CD
rJl
virtual machines in the NSX Edge HA so that they can communicate with each other. You can G)
specify management lP addresses to override the local links. til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Virtual Machine and Appliance Failure
Slide 5-46
NSX Edge health checks detect virtual machine or application failure:

Delay is dependent on the health check configuration. The default
configuration is 3x5 seconds.
Virtual machines that do not respond to health checks are taken out
of service:
Edge - Manage> I ShowPo04 Slatlstlcs
Load Balancer> Pools Pool and Member Slacus

Pool Status andSla slles
P OOI ID
PlXlJ. , SSH-Web-Pool1 UP
Virtual machine Appl icat ion Health Check pOOl-2 HTTPWeb-Pool UP
has to be configured for the pool.
For clients with persistence to that server, a

new pers istence is created when clients
recon nect. lI,mb" S1>lIJ. .nd St"'be'.
IT1Wt>b4 10.0.1.14 DOWN member-'
T1Web5 10 0 1 ' 5 UP memberS
When setting up load balancing , you place different destination servers into different pools . Pools
includ e the virtual machin es that are hosting the Web server. When you select the pool in the
VMware vSph ere Web Client, you can see members of that pool and members that are marked as
unavailable.

ESXi Host Failure
Slide 5-47
The response to an ESXi host failure is the same as when the NSX
Edge primary appliance fails:
If VMware vSphere Distributed Resource Scheduler" is enabled in
the cluster, the secondary NSX Edge gateway runs in a different ESXi
host from the primary NSX Edge gateway:
Anti-affinity rules are automatically created.
II
z
(J)
X
Host failure is handled in the same way as an NSX Edge failure. The keep-alive packets between the m
0..
(Q
standby and active NSX Edge devices time out if the virtual machine fails or if the host that contains CD
the active device fails. The recovery process is the same as for NSX Edge failure. If a host (J)
CD
configured with DRS fails , the anti-affinity rule ensures that the second virtual mach ine is relocated <:
to a different host when the new virtual machin e powers on. n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Lab 11 Introduction
Slide 5-48
You use the load balancing from the previous lab and expand upon
it.
Genefal" CSR I?J. HI
Common Name
,
I I
OrganlzabonNam" ,, Ed~ Protile I:!
O,gamzahon UnI1 Name I Ap p P rO~ le I
Localil\" TW' o rep 0 HTTP '0 . HTIPS
State , D Enable SSLPa ssth, ough
Country I HTTPRed i'ect URL I I
hl"ssayeAlgo rrthm I RSA Pers,stence I None I- I
CookJe Name
Descnpbon
lIlod ..
o Insert >(.Fo.......a'dedFor KTTPheader Edit P1Iol ijJ;

D Enab le Pool Side SSL Name '" I sewer-soot 1
VI1udl SeNef Cert rf,ca._ I Pool artl , Ie
1 Description [ ]
Service Ce rtifica tes ce ceneeatee eRL I ROUND-ROBIN
Algori thm t- I
,,,.", I NONE
[."' .. o. N... .
171.16 .10.1 172.15 .10,1

Monitors I- I
.
Members
+ / X
En . bl . d N.",. IP Add'.... W. ;ght Mo njl. , Po rt eo, ..... ~Co"n lA,nConn
web-s. 17216 I 443 443 0 0

'" Web-s ...... 172.16 ,.. 1 443 443 0 0
Cipher
I I-
'"
Client Aulll enbcation [ IgnOre I- o Transparent
OD~

Lab 11: Configuring NSX Edge High Availability
Slide 5-49
Configure high availability and use the NSX Edge command line to
determine current HA status and view heartbeat traffic
2. Configure NSX Edge High Availability
3. Examine the High Availability Service Status and Heartbeat
4. Force a Failover Condition
5. Restore the Failed Node
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Concept Summary
Slide 5-50

Which term refers to ensuring that an application
High availability
or service remains available?
Which type of high availability uses primary and
backup devices that synchronize to minimize Stateful high availability
service interruptions when the active node fails?

Slide 5-5 1

Explain benefits of stateful high availability
Configure the high availability service
Test and verify the high availability service before placing the service in
production
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Lesson 4: NSX Edge and VPN
Slide 5-52
Lesson 4:
NSX Edge and VPN

Learner Objectives
Slide 5-53
objectives:
Configure a layer 2 VPN on the NSX Edge gateway
Explain how an IPsec VPN enables systems at a branch location to
access systems securely on a private network at headquarters
Configure an IP address on an external interface for use by an IPsec
VPN
Configure an IPsec VPN service that connects the private networks at
two locations across the Internet
Describe the use case that SSL VPN-Plus addresses
Decide whether Web-access mode or full-access mode is optimal for a
use case
Configure the SSL VPN-Plus server settings that enable SSL on the
external interface II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Logical L2 VPN
Slide 5-54
Features
SSL-based
Web-proxy Support
L2 Bridge to Cloud
Broadcast support
Scale and
- - - - - - - - - - -i"lrl-- ...I..- ..I.....I Performance
High Performance:
AES-NI acceleration
2 Gb/s throughput per
tenant
Use Cases
Cloud On-boarding
Cloud Burst ing
Layer 2 VPN allows you to configure a tunnel between two sites. Virtual machines remain on the
same subnet in spite of being moved between these sites, which enables you to extend your data
center. An NSX Edge gateway at one site can provide all services to virtual machines on the other
site.

Overview of Layer 2 VPN
Slide 5-55
To create the L2 VPN tunnel, you configure a layer 2 VPN server and
layer 2 VPN client:
You enable the layer 2 VPN service on the NSX Edge instance and
configure a server and a client.
The layer 2 VPN server is the source NSX Edge gateway to which the
L2 VPN is to be connected.
The layer 2 VPN client is the destination NSX Edge.
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Logical User (SSL) and Site-to-Site (IPsec) VPN
Slide 5-56
Features
Interoperable IPsec tested with major
vendors
Clients on all major os (Windows,
Apple , Linux)
Remote authentication through Active
Directory, RSA Secure 10, LDAP,
Radius
TCP Acceleration
Encryption : 3DES , AES128 , AES256
AESNI HIW Offload
NAT and perimeter firewall traversal
Scale and Performance

High performance: AES-NI
acceleration
2 Gb /s throughput per tenant
Use Cases
Cloud to corporate
Cloud on-boarding
Remote office or branch office
Remote management
NSX Edge supports several types of VPNs. SSL VPN-Plus allows remote users to access private
corporate applications. IPsec VPN offers site-to-site connec tivity between an NSX Edge instance
and remote sites. Layer 2 VPN enables you to extend your data center by allowing virtual machines
to keep network connectivity across geographica l boundaries.

NSX IPsec VPN
Slide 5-57
Encapsulating Security Payload (ESP) tunnel mode is used:

64 tunnels are supported across a maximum of 10 sites.
Internet Key Exchange v1
Multiple nonoverlapping local and peer subnets can be configured.
Industry standard IPsec implementation:
Full interoperability with Cisco, Juniper, Sonicwall , and others
Supports both the preshared key (PSK) and certificate authentication
mode.
Supported encryption algorithms are AES (default), AES256, and
TripleDES.
II
z
(J)
X
NSX Edge supports certificate authentication, preshared key mode, IP unicast traffic, and no m
0..
(Q
dynamic routing protocol between the NSX Edge instance and remote VPN routers . Behind each CD
remote VPN router, you can configure multipl e subnets to connect to the internal network behind an (J)
CD
NSX Edge instance through IPsec tunn els. These subnets and the internal network behind an NSX <:
Edge instance must have address ranges that do not overlap . n"
CD
rJl
You can deploy an NSX Edge gateway behind a NAT device. In this deployment, the NAT device G)
til
......
translates the VPN address of a NSX Edge instance to a publi cly access ible address facing the CD
Internet. Remote VPN routers use this public address to access the NSX Edge instance. You can also stil
'<
place remote VPN routers behind a NAT device. You must provide the VPN native address and the "Tl
VPN Gateway ID to set up the tunn el. On both ends, static one-to-one NAT is required for the VPN CD
til
......
address. You can have a maximum of 64 tunn els across a maximum of 10 sites. C
.....
CD
rJl

IPsec Security Protocols: Internet Key Exchange
Slide 5-58
Internet Key Exchange (IKE) v1 :

IKE is a standard method that is used to arrange secure, authenticated
communications.
IKE uses UDP port 500.
IKE has two phases:
Phase 1 sets up mutual authentication of the peers, negotiates
cryptographic parameters, and creates session keys.
Phase 2 negotiates an IPsec tunnel by creating keying material for the
IPsec tunnel to use, either by using the IKE phase-one keys as a base
or by performing a new key exchange.
IPsec is a framework of open standards. Many technical terms are in the logs of the NSX Edge
instance and other VPN appliances that you can use to troubleshoot the IPsec VPN. You might
encounter some of these standards:
Internet Security Assoc iation and Key Management Protoco l (ISAKMP): This protocol is
defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an
Internet enviro nment. ISAKMP only provides a framework for authentication and key exchange
and is designed to be key exchange independent.
Oakley: This protocol is a key agreement protoco l that allows authenticated parties to exchange
keying materia l across an insecure connection by using the Diffie-Hellman key exchange
algorithm.
Internet Key Exchange (IKE): This protoco l is a combination of ISAKMP framework and
Oakley. NSX Edge provides IKEv2.
IKE has two phases. Phase 1 sets up mutual authentication of the peers , negotiates
cryptograp hic parameters, and creates session keys. Phase 2 negotiates an IPsec tunnel by
creating keying material for the IPsec tunn el to use. Phase 2 either uses the IKE phase one keys
as a base or performs a new key exchange .

The following phase I parameters are used by NSX Edge:
Main mode
3DES or AES (configurable)
SHA-I
MODP group 2 (I 024 bits)
Preshared secret (configurable)
Security association lifetime of28800 seconds (eight hours)
ISAKMP aggressive mode disab led
The following IKE phase 2 parame ters are supported by NSX Edge:
3DES or AES (matches the phase I setting)
SHA-I
ESP tunne l mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
Security association lifetime of3600 seconds (one hour)
Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets
II
z
(J)
X
Diffie-Hellman (DH) key exchange: This protocol is a cryptographic protocol that allows two m
0..
(Q
parties that have no previo us know ledge of one another to jointly establish a shared secret key CD
over an insecure communications channel. NSX Edge supports DH group 2 (I 024 bits) and (J)
CD
group 5 (1536 bits) . <:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

IPsec Security Protocols: Encapsulating Security Payload
Slide 5-59
ESP tunnel mode:

Confidentiality (encryption)
Connection less integrity
Data origin authentication
Protection against replay attacks
Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec, it provides
origin authenticity, integrity, and confidentiality protection of packets. ESP in Tunnel Mode
encapsulates the entire original IP packet with a new packet header. ESP protects the whole inner IP
packet (including the inner header). The outer header remains unprot ected. ESP operates directly on
IP, using IP protocol number 50.

IPsec ESP Tunnel Mode Packet
Slide 5-60
The original packet that is transmitted is both encrypted and

authenticated.
Original Data
IP Header
Outer ESP Original Data ESP ESP

IP Header Header IP Header Trailer Authentication
Data
Encrypted
( )
Authenticated
( )
II
z
(J)
X
When a packet is processed by ESP in tunnel mode , the entire packet is surro unded by the ESP m
0..
(Q
header, ESP trailer, and ESP authentication data: CD
(J)
ESP header: Contains two fields, the SPI and Sequence Number, and comes before the CD
encrypted data .
<:
n"
CD
rJl
ESP trai ler: Placed after the encrypted data . The ESP trai ler contains padding that is used to G)
align the encrypted data through a Padding and Pad Length field. til
......
CD
ESP authen tication data: Contains an integrity check value. stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Configuration Example for IPsec VPN
Slide 5-61
Use the NSX Edge instances at HQ and Branch. Each instance is a

VPN gateway:
The NSX Edge gateway at HQ connects the internal network
192.168.20.0/24 to the Internet
The internal interface is 192.168.20.1.
The uplink interface is 10.15.25.13.
The NSX Edge gateway at the Branch location connects internal
network 192.168.30.0/24 to the Internet
The internal interface is 192.1 68.30.1.
'. '. b
'!<
192 .168 .20 .0/24

.
1 92. 1 6~~0. 1
NSX Edge Gateway
Internet r-- - -P,lK
Branch
,92.,68.30., 119: ';;;0.0124
NSX Edge Gateway
The slide contains config uration examples for a basic point-to-point IPsec VPN connection between
an NSX Edge instance at headquarters and an NSX Edge instance at the remote location . VPN
gateways from Cisco, WatchGuard, and others can also be used at the remote location.
For this scenario, the NSX Edge instance at headquarters connects the interna l network,
192.168.20.0 through 192.168.20.24, to the Internet. The NSX Edge interfaces are configured as
follows:
The interna l interface is 192.168.20.1.
The remote gateway connects the 172.16.0.0 through 172.16.0. 16 internal network to the Internet.
The remote gateway interfaces are configured as follows:
The internal interface is 192.168.30 .1.

IPsec with AES-N I
Slide 5-62
Up to 40 percent performance increase by supporting the Intel AES-NI

(AES New Encryption Instruction Set):
NSX Edge offloads the AES encryption of data to the hardware on
supported Intel Xeon and second-generation Intel Core processors.
No user configuration is necessary AES-NI support in hardware is
autodetected.
II
Supports certificate authentication, preshared key mode, and IP unicast
traffic.
z
(J)
X
The encryption overhead for packet traffic in a VPN application can be high. The Intel AES-NI m
0..
(Q
feature can substantially reduce the demand on the CPUs of the ESXi hosts. CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Add an IPsec VPN
Slide 5-63
You must configure at least one externallP address on the NSX Edge
gateway to provide IPsec VPN service: Add IPSec VP N
For the local NSX Edge GZI Enabled
instance, enter the following: Name: 1

Localld
1
An ID, the external IP LocalEndpoint
'1
address , and the CIDR block LocalSubnets
1
for the local subnets SlJbnets.shouldbe entered in CJDR format
with comma as separator
The same set of information Peer Id .(

for the peer endpoint Peer Endpoint
1
Endpoint should be a valid JP address o r leff
For the remote NSX Edge blank to represent AN Y
instance, enter the same

Peersuonets:
'1
SlJbnels should be entered in CJDRformal
information , but from the remote wilh comma as ::.eparator
Encryption Algorithm I AES I I

perspective. Authentication: 0 P8K Certificate
Select an encryption algorithm, Pre-Shared Key:
,+.
type of authentication , Diffie-
Hellman group, and MTU. ~~
"

NSX SSL VPN-Plus Service
Slide 5-64
Enables individual remote users to connect securely to private

networks behind an NSX Edge gateway:
Remote users can access applications and servers from the private
networks.
Provides two access modes:
Web access mode (without a client)
Full network access mode (requires that a client is installed)
Supports the following operating systems:
Windows XP and above , including Windows 8
Mac as x Tiger, Leopard , and Snow Leopard
Performance optimization:
The TCP optimization option avoids TCP-over-TCP meltdown .
Dynamic compression is an option. II
z
(J)
X
Conventional full access SSL VPNs send TCP/IP data in a second TCP/IP stack for encryption over m
0..
(Q
the Internet. The result is that application layer data is encapsulated twice in two separate TCP CD
streams. When packet loss occurs (which happens even under optimal Internet condi tions) , a (J)
CD
performance degradation effect called TCP-over-TCP meltdown occurs . In essence, two TCP <:
0'
instances are correcting a single packet of IP data, undermining network throughput and causing CD
rJl
connection timeo uts. TCP optimization eliminates this TCP-over-TCP problem, ensuring optimal G)
performance. til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

SSL VPN-Plus
Slide 5-65
Access your corporate LAN by using the Web-access mode or with a

downloadable SSL client:
No special hardware or NSX Manager
Co rporate LAN
software is required.
:0.
Adm in
Remote users connecting

through Web access mode. i
Remote Desktop
,< Connection
~ ShowQpbom
With SSL VPN-Plus, remote users can connect securely to private network s behind an NSX Edge
gateway. Remote users can acce ss servers and applications in the private networks.
NSX Edge provides users with access to protected resources by establishing an SSL encrypted
tunnel between a laptop (Mac OS X or Windows) and NSX Edge.
The SSL VPN-Plus service is intended to be deployed as a substitute for more complicated IPsec
c1ient-to- site or jump serve r solut ions. SSL VPN-Plus does not support mobile clients, nor does it
deliver common end-user features such as reverse proxy, custom portal, and SSL offload.
The use cases and capabilities ofNSX Edge SSL VPN-Plus are different from capabiliti es that are
provided by Horizon" View'>' . View is the VMware comprehensive approac h to virtual desktop
infrastructure, secure mobility, and end-user remote access .

NSX Edge SSL VPN-Plus Secure Management Access Server
Slide 5-66
Features
Supports up to 25
users
Full tunnel client
SSL-encrypted AES,
SHA
Authentication through
Local, RADIUS , LDAP
Windows and Mac as
clients
Web browser or thick-
client choice II
z
(J)
><
NSX Edge provides administrative users with full tunnel access to protected reso urces by m
0..
(Q
establishing an SSL encrypted tunn el between a laptop (Mac or Windows) and NSX Edge . CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Use Cases for SSL VPN-Plus Services
Slide 5-67
The primary use case is secure remote access without the use of a
jump box.
Another use case is to secure Web access with the thick client:
In full-tunnel mode, any traffic initiated at the client is tunneled to the
SSL VPN-Plus gateway and directed to the respective networks.
No traffic is sent from the client system directly to the Internet.
Access can be enforced for the client system's local network (LAN).
The administrator can direct the traffic to a Web filtering or caching
device .

Slide 5-68
Creating a layer 2 VPN requires two NSX Edge instances with the
correct VPN configuration.
.. Chent DetaIls : ~
Server Address: I
,
Server Port
:J
Inlema l lnlertate " IWElb-TIer I. I
OescnptlOn
.. User Detaus: The VPN tunnel is confirmed from

User Id: '
""
the configuration screen.
Pass word:
ge . TYile PdSS WOfd:

I
I I
I Fetch Status I
PrOlCVSettlngs ~ Tunnel Status
cert mcete DeCalls:
Status : ~ UP
o Validate server c ernnc ete
.,
CAC e rtlfltale
Establi shed Date : 0
"'-n HI"'.
II
Byte Received : 1876
Byte Tran sm itted : 56696
""
QQ I Can CElI JI ~ z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Slide 5-69
The headquarters connection. The remote branch NSX Edge.

ean IPSec VP N al Edit IPSec VPN c::
~ Enabl ed ~ Enabled
Name: IHQ-Branch I Name : I HQ-Branch I

tocauo * IHQ I Localld '" I sranch I
Local Endpoint * 11 0 . 1 0 . 1 0 0 . 1 0 IPSec VPN stat ist ics 0(1< 11 0 . 1 0 . 13 0 . 1 0 I
tocer subnets : * 11 0 . 1 6 . 0 . 0 / 1 9 IPSecVPNStatus and Statistics 11 0 . 1 6 . 4 0 . 0 / 2 4 I
N,m~ Local Endl PUIEndp ChanMIS TunnelSl.
Sutme!s should be ent Subnets srouta be entered in CfOR formal
with comma &5 6epa ral 10.10.100.10 10.10.130.10 with comma as separator,
Pee r Id Isranch
'" IHQ I
Peer End point * 11 0 . 1 0 . 1 3 0 . 1 0 . 11 0 . 1 0 . 1 0 0 . 10 I
Endpom l should tJ;:Ja v Endpomt fjhouid be a valid IP address or let!
blank /0 repre:;;enlAN':>' blank to rep/esenlANY
Peer subn ete: * 11 0 . 1 6 . 4 0 . 0 / 2 4

IPSec VPN Tunnel Status and stansncs :
_ 11 0 . 1 6 . 0 . 0 / 1 9 I
Subnels sroota be em Subnels srovta be entered in C/OR formal
LOCiI Subn~ts PurSubne ls Lt>llnIQ" 'ut,o TunMI state
wllh comma as {)epa/at, with comma as seoecnor.
En cryption Algori thm I AES m IAES I I

Authen tication 0 PSK cemn 0 PSK Certificate
Pre-Shared Key I I I
o Dis play shared key o Display sha red key
Diffie- Hei lman Group 0 DH 2 O DH5 up 0 0 H2 O OH5
[;?I En abl e perfect forw ard se crecy(PFS) [;?I Enable perfect forward secrecy(PFS)
QQ~ QQ~

Slide 5-70
Add an authentication source.

Add Authentication server
Authentication ServerType I LOCAL I .. I

~ Enable password policy
Password Length ' E:J TO ~

Minimum no.or aipnaoets: ~I=====~
Minimum no, ofDigits ~I=====~
Minimum no. of special characters LI ----'
Configure SSL VPN-Plus. Password should not contain user 10 D

Password expiresin
Cllange SImle r 5etl illIlS
Expirynotification in
I 192 .16B.130((pnm.JY) 11 ~ Enable accountlockoutpolicy:
IPv6 Ad dr ~ s s I None I- I Retry Count
User account will get locked
CipherLisl IRcHms after specific number of
IAES12B-SHA unsuccessful retries
RetryDuration:
s e....a r c erme ete [;?J Use Default Certificate
Lockout Duration
II
Status o Enabled 0 Disabled
o Use this setverror secondaryauthentication
rermrnate Session if authentication fails
z
(J)
><
m
0..
(Q
CD
(J)
CD
<:
n'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Slide 5-71
Configure an IP Pool. Configure the VPN

installation package.
Add Inst alldl ion PllCk~
'I
,,
Profile N ame
*1
I),t_ . ...
IU3
I I OK I career ,
Create mstarlauonpackages for

Windows 0 L,nux D Mac
Des cription
,
I
Status (! i Enabled 0 Disabled
lnst all1ltioll p ar amet ers for WIndows;
o Start Client on 10Qon o Hide chent system lr<IV Icon

Network .~(===========i D Allow remember pas swo rd G?l Create de sktop icon
Netmask: .~I============i o Enable eueramode mstauaucn o Enab le silent mode opera tion
Des cription D Hide SSL cnentn~rk adapter o SelVEl ' secullly certificate vahoaton
Send Traffic 0 OverTunnel 0 Bypass Tunnel ~~
~ Enable TC P Optimiz ation
Ports
staius 0 Enabled 0 Disabled

Lab 12: Configuring Layer 2 VPN Tunnels
Slide 5-72
Configure a layer 2 VPN tunnel between two NSX Edge services

gateway appliances
2. Migrate a Web Server Virtual Machine to a Different Cluster
3. Create a Logical Switch and Migrate Virtual Machine Networking
4. Deploy the Branch Edge
5. Configure Branch Gateway as a Layer 2 VPN Client
6. Add an IP Address to the Uplink Interface
7. Add a Web-Tier Interface to Perimeter Gateway
8. Configure Perimeter Gateway as a Layer 2 VPN Server
9. Test Tunnel Connectivity
10.Verify Tunnel Connectivity
11.Clean Up for the Next Lab II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
0'
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Lab 13: Configuring IPsec Tunnels
Slide 5-73
Configure, test, and troubleshoot an IPsec tunnel designed to

connect two sites (HQ and Branch)
2. Prepare the Perimeter Gateway for IPsec Tunneling
3. Configure Perimeter Gateway as an IPSec Tunnel Endpoint
4. Prepare the Branch Gateway for IPsec Tunneling
5. Update the web-sv-02a Web Server with the New Web-Tier Subnet
Specification
6. Configure Branch Gateway as an IPsec Tunnel Endpoint
7. Test VPN Tunnel Connectivity
8. Troubleshoot and Resolve VPN Tunnel Connectivity

Lab 14: Configuring and Testing SSL VPN-Plus
Slide 5-74
Configure an SSL VPN-Plus portal page and a direct-access client

package
2. Configure SSL VPN-Plus Server Settings
3. Configure a Local Authentication Server and a Local User
4. Enable SSL VPN-Plus and Test Portal Access
5. Configure an IP Pool and Private Networks
6. Create and Test an Installation Package
7. Test Network Access by Using the SSL VPN-Plus Client Application
8. Review the Client Configuration and Examine Traffic
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Concept Summary
Slide 5-75

Which protocol suite is used as network-to-
IPsec
network connections to secure internet
communications?
Virtual Private Network (VPN)
Which is the connection between two network
devices that is encrypted in some way?
Secure Socket Layer (SSL)
What is used to secure and connect an individual
computer to a network?

Slide 5-76

Configure a layer 2 VPN on the NSX Edge gateway
Explain how an IPsec VPN enables systems at a branch location to
access systems securely on a private network at headquarters
Configure an IP address on an external interface for use by an IPsec
VPN
Configure an IPsec VPN service that connects the private networks at
two locations across the Internet
Describe the use case that SSL VPN-Plus addresses
Decide whether Web-access mode or full-access mode is optimal for a
use case
Configure the SSL VPN-Plus server settings that enable SSL on the
external interface
II
z
(J)
X
m
0..
(Q
CD
(J)
CD
<:
n"
CD
rJl
G)
til
......
CD
stil
'<
"Tl
CD
til
......
C
.....
CD
rJl

Key Points
Slide 5-77
NSX Edge provides NAT service to assign a public address to a

computer or group of computers in a private network.
With load balancing, traffic load is distributed across multiple backend
servers.
High availability ensures that an NSX Edge appliance is always
available by installing an active pair of edges on your virtualized
infrastructure.
NSX Edge supports several types of VPNs.
Questions?

MODULE 6
NSX Security
Slide 6- 1
Module 6
II
z
(f)
X
(f)
(1)
o
c
....
~

You Are Here
Slide 6-2
Course Introduction
NSX Networking
NSX Routing
.. . ..
~ NSX Security

Importance
Slide 6-3
Virtualizing the network abstracts application workload

communications from the physical network and hardware topology.
This virtualization is critical in allowing network security to break free
from the physical constraints. Virtualization enables the network
security to be based on user, application, and business context.
z
(J)
><
(J)
(J)
o
c...,
~
Module 6 NSX Security 365

Module Lessons
Slide 6-4
Lesson 1: NSX Edge Firewall

Lesson 2: Distributed Firewall
Lesson 3: Flow Monitoring
Lesson 4: Role-Based Access Control
Lesson 5: Service Composer
Lesson 6: Other Monitoring Options

Lesson 1: NSX Edge Firewall
Slide 6-5
Lesson 1:
NSX Edge Firewall
II
z
(f)
X
(f)
(1)
o
c
....
~

Learner Objectives
Slide 6-6
objectives:
Describe where the VMware NSX Edge firewall is typically deployed
Compare the NSX Edge firewall to the distributed firewall
Configure the NSX Edge firewall rules

NSX Edge and Distributed Firewall: Security Comparison
Slide 6-7
Typical deployment of a firewall

in a software-defined data center:
Distributed Firewall positioned ~N
........~ ,... Internet
for East-West traffic filtering.
NSX Edge services gateway
Perime ter FW
positioned for North-South (Physica l)
N-S
protection
traffic filtering.
A logical firewall provides security mechanisms for dynamic virtua l data centers. A logical firewall
includ es components to addres s different dep loyment use cases.
The Distributed Firewall focuses on East-West access and the VMware NSX Edge" Firewall
II
z
(f)
focuses on the North -South traffic enforcement at the tenant or data center perimeter. Together, these X
(f)
components addr ess the end-to-end firewall needs of virtual data centers. You can dep loy either or (1)
both of these technologies. o
c
....
~

NSX Edge Firewall
Slide 6-8
The NSX Edge appliance provides a stateful firewall for North-South

and East-West traffic flows:
Supports dynamic routing
Virtualization context aware
Provides line rate performance
All NSX Edge firewall configurations are done from Manage> Firewall
Firewall rules are applied in ascending number order
...... - I ~ C"
+ c..nllf.ll.03 N1u~r. C1I!f_' lno."", 14olI'~ I/iIlIMUI
.....
-;
O '
~ .
.. ,
_M
,.- -.
,-
0 '" ~ .
O ll$llI' M1 ,-an,
"<tt,t
-..
.,......
-""
~ ,
"""
The NSX Edge firewall provides perimeter security functionality including firewall , network
address translation (NAT), and site-to-site IPSec and SSL virtua l private network (VP N)
functio nality. This solution is avai lable in the virtual machine form factor and can be deployed in a
high availability mode .

Firewall Rule Types
Slide 6-9
The types of firewall rule are the following:

Default: Rules created during the deployment of the NSX Edge
gateway
Internal: Rules created by the NSX Edge gateway in support of services
configured by the user
User: Rules created by the user
The firewall rule type does not affect the application of the rule.
Ty PE
Internal
Internal
User
Default
II
z
(f)
X
(f)
(1)
o
c
....
~

Virtualization Context Awareness
Slide 6-10
The NSX Edge firewall can filter traffic flows based on IP and
TCP/UDP header information.
The NSX Edge firewall can also filter traffic flows based on
virtualization-specific information:
Data center
Cluster
Resource pool
Port group
Logical switch
vApp
Virtual machine name

Populating Firewall Rules
Slide 6- 11
Point to each rule and click the white cross:

Assign a descriptive name to the rule.
Select a source.
Select a destination.
Select a service.
Select an action.
eo 2 roultng mtemat any ,"y o os pr.anyan y Accept
u any Acc ept

" 3 Rule Name
"
e 4 Default Rule
Isnareoornt I Accept
"
~~
II
z
(f)
X
(f)
(1)
o
c
....
~

Source and Destination of a Rule
Slide 6-12
The rule's source and destination can include the IP address in the
packet or information provided by VMware vCenter Server, such as
virtual machine name or resource pool:
The source and destination can be compounded to include multiple
criteria.
If any of the criteria listed in the source matches, the rule is applied.
No . Nam@ Type Source Destination
~ 1 firewall Internal O vse any
~ 2 routing Inlernal any any
~ 3 Sharepoint User 0 10.10.10.1 tl'!J Compute Cluster 8

l:!App-Tier01 ~ oo-sv-o t a
When you select a virtua l NIC (vNIC) Group, and select vse, the rule applies to the traffic generated
by the NSX Edge instance. If you selec t interna l or external, the rule applies to traffic coming from
any internal or uplink interface of the selected NSX Edge instance. The rule is updated when you
configure additional interfaces.

Firewall Service
Slide 6-13
A service in the firewall context is a collection of TCP/UDP ports that

form the components for successful communication with an end
system:
A service can be all the source and destination ports needed to access
an Oracle database.
A service group is a collection of services.
'"'
any O ospf:any:any
D "A'Data RecoveryAppliance
o ~ H e a rttl e a t
o ~ ll4 i co rs on Exctlange2010
D ~ M S Exchange 2010 Client Access Servers
D ~ MS Exchange 2010 Transport Servers

D ~ MS Exdlange 2010 MailboxServers
New
Avoid specifying the source port when you create rules. Instead, you can create a service for a
protocol-port combination. II
z
(f)
X
(f)
(1)
o
c
....
~
Module 6 NSX Secu rity 375

Create a Firewall Service
Slide 6-14
After you create the service, it is automatically added to the Service

column.
- Add Service
New... Service An Application can beviewed as a tag on network traffic of specrned

protoco l thai is trans mitted through speci fie d port or set of ports
Service Grou p
'~
I =====::;
Name
Descnpnon:
Protocol ITCP I I
Destination ports:
e.c.: 700 1-7020,7100,8000-9 000
.. Advanced options
So urce ports
e.a.: 700 1-7020,7 100.8000-9000

Action Option
Slide 6-15
The Action option allows the rule to accept or deny the traffic:
Logging can be enabled for the rule.
Network Address Translation support can be enabled.
The rule can be applied on ingress or egress.
Action: o Deny o Accept

Log: O Log 0 0 0 not log
comments:
... Advanced options

Match on: 0 Translated 0 Original
o Enable Rule Direction
Incoming Outgoing
OK II Cancel
II
z
(f)
X
(f)
(1)
o
c
....
~

Publish Changes
Slide 6-16
After the rule is created , publish the changes to NSX Edge.

The changes take effect immediately.
This rule se t has unsaved manges . Click on PUblish Changes button 10start deplo ying
~~
.0 X _t - . Generated rulesarecurrently shown Hiderules ISea rch I ~ C'
T..,. s.-
"" No- Des!.inelion SoM~ ActIon
~ 1 firewall mtemat 0 "'" any any Accep t
~ 2 routing Internal ,"y any o osp tany:any Accept
~ 3 snareccmt User 0 10.10 10.1 Oh Compute Cluster 8 ~ SharePoinl2010 Accept

~ Ap p-Ti e r0 1 81 db-sv-01a
~ 4 Default Rule Defaul t ,"y any ,"y Accept

NSX Edge Services Gateway: Form Factors
Slide 6-17
The NSX Edge services gateway provides several virtual machine form
factors.
Number of NAT rules: 2,000.
Size vCPU RAM Total Number of Number of Firewall Comments

Firewall Rules
Connections
Compact 1 64 MB 64 ,000 2,000 Suitable for basic
firewall
Large 2 1 GB 1,000 ,000 2,000 Suitable for medium-
level firewall
Quad Large 4 1 GB 1,000 ,000 2,000 I Suitable for high-
performance firewall
XLarge 6 8GB 1,00 0,000 2,000 Suitable for high-
performance firewall +
load balan cer
II
z
(f)
X
(f)
(1)
o
c
....
~

Slide 6-18
Firewall rules are processed in order. The first rule that matches the
traffic being examined is applied and the traffic is passed or dropped.
No . Name Type Source Destination Service Action
e. 1 firewall Internal O vse any any Accept
e. 2 ipsec Internal 0 192.168.130.4 0 192.168.130.4 e udp500,4500 :any Accept

0 192.168.100.10 0 192.168.100.10 o esp :any:any
e. 3 sslvpn Internal any 0 192.168.130.4 o tcp.443 any Accept
e. 4 Default Rule Default any any any Deny

Slide 6-19
Restrict the destination.

Destination
IP Addre ss: 0 1PV4 O lPV6
Value: I I
eg192168200 1,192.168.200.1124, 192.166.200 .1-
192.168.200 24
Restrict the protocol.
[ OK II C ancel I
Ihttp]
Available (30) .01 Selected (0)
0 Q CIM-HTI P
0 CIM-HTI PS
ffi
0
0
HTIP
HTIPS

0
0
HTTPS , net.tcp binding
Offi ce Server Web serv.. a

New...
I OK II Cancel I
II
z
(f)
X
(f)
(1)
o
...c
~

Lab 15: Using NSX Edge Firewall Rules to Control Network
Traffic
Slide 6-20
Define NSX Edge firewall rules to restrict traffic to one or more Web
servers
2. Enable Flow Monitoring for Future Reference
3. Restrict Inbound Web Server Traffic to HTTP and HTTPS
4. Determine How the Firewall Rule Interacts with Other NSX Edge
Features

Concept Summary
Slide 6-2 1

Which network device is used to restrict and filter
traffic between networks and endpoints? Firewall
Which NSX Edge virtual appliance is deployed as

a perimete r firewall? NSX Edge firewall
What performs packet inspection and tracks

the state of connections passing through the Stateful firewall
firewall?
Which are the set of rules by which a firewall
Firewall rules
bases its decisions to allow or deny traffic?
What is the ability to use details about a virtual
Virtualization context awareness
machine known to the host for firewall rule
construction called?
II
z
(f)
X
(f)
(1)
o
c
....
~

Slide 6-22

Describe where the NSX Edge firewall is typically deployed
Compare the NSX Edge firewall to the distributed firewall
Configure the NSX Edge firewall rules

Lesson 2: Distributed Firewall
Slide 6-23
Lesson 2:
Distributed Firewall
II
z
(f)
X
(f)
(1)
o
c
....
~

Learner Objectives
Slide 6-24
objectives:
Compare the Distributed Firewall to traditional firewalls
Describe the policy enforcement of the Distributed Firewall
Configure rules on the Distributed Firewall

Evolution of Firewall Placement
Slide 6-25
The firewall has evolved in recent years.

Yesterday 's Virtual NSX
Infrastructure Virtual Infrastructure
cd
I
The firewa ll has evolved in recent years. Originally, the firewall was a physical device that was
placed at the perimeter of the network to inspect traffic entering the data center.
The next stage in the evo lution was firewall appliances runnin g in virtual machines. From a
II
z
(f)
hypervisor perspective, one virtual machine talked to another virtual machine. The virtual machine X
(f)
acting as the firewa ll had to be the default gateway for the other virtual machines runnin g on that (1)
host. Sometimes, firewa lls also ran in the virtual machine to provide an additional layer of security. o
c
....
The Distributed Firewall is a hypervisor kernel-embedded firewa ll that provides visibility and ~
control for virtualized workloads and networks. The Distributed Firewa ll offers multiple sets of
configurab le rules for netwo rk layers 2, 3, and 4.

Distributed Firewall Overview
Slide 6-26
The distributed firewall module is embedded in the VMkernel.
VM
Kernel-Embedded Firewall
The hypervisor-embedded nature of the firewall delivers close to line rate throu ghput to enable
higher workload consolidation on physical servers . The distributed nature of the firewa ll provides a
scale-out architecture that extends firewall capac ity when additional hosts are added to a data center.
No virtua l machine can circumvent the firewa ll. Egress and ingress packet are always processed by
the firewall. In extreme load exists, such as CPU satura tion or if memory is full, the Distributed
Firewa ll behaves as a fail close firewall. No packet passes through the firewall.

Distributed Firewall Filtering
Slide 6-27
Distributed Firewall provides security filtering functions on every

host, in the hypervisor, and at kernel level:
Distributed Firewall is a East-West stateful L2-L4 firewall
Distributed enforcement of policy rules
Distributed Firewall offers centralized configuration using the
vSphere Web Client.
..[)
The Distributed Firewall provid es security filtering functions on every host in the hypervisor at the
kem el level. The Distrib uted Firewall is an East-West statefu l layer 2, 3, and 4 firewall. The
Distributed Firewall provid es distrib uted enforcement of policy rules. The Distributed Firewall is
configured usin g the VMware vSph ere Web Client. The Distributed Firewall is independent of the
II
z
(f)
X
distributed router. (f)
(1)
The Distributed Firewall is meant for East-West traffic or horizontal traffic . The NSX Edge firewall o
c
....
focuses on the North -South traffic enforcement at the tenant or data center perimeter. ~
The NSX Edge services gateway firewall protects the data path traffic. The firewall on the contro l
virtual machin e for the distrib uted router contro ls access to the distributed router, for example, to
enable SSH access to the contro l virtual mach ine. So the firewall rules have no effect on the data
path traffic for the distributed router.

Distributed Firewall Location and Policy Independence
Slide 6-28
Policies are virtual machine name-based, attribute-based, and

vCenter Server container-based.
Policy is independent of virtual machine location:
The distributed firewall can enforce security rules between two virtual
machines even if they are on the same L2 segment ( VXLAN or VLAN).
Policy rules always follow the virtual machine , even if a migration with
VMware vSphere vMotion occurs.
The Distributed Firewall policy is independent of where the virtual machin e is located. If a virtua l
machin e is migra ted to another host using VMware vSphere vMo tion, the firewall policy
follows the virtua l machin e.

Distributed Firewall Policy Enforcement
Slide 6-29
Distributed Firewall enforces rules at the vNIC layer before

encapsulation (or after de-encapsulation):
Independent of transport network (VXLAN or VLAN)
Independent of underlying virtual switch: VMware NSX Virtual Switch"
or distributed switch
IP1 IP3
MAC1 MAC3
VTEP IP: 10.20.10.10 VTEP IP: 10.20.10.11

- - Policy Rules: - - - -
vSphere Host vSphere Host

,
'".""",,,,
.
, .. ,, t,,'
Source Destination Service Action
VM1 VM2, VM3 TCP port 123

VM1 VM2, VM3 any
No relationship exists between distributed switch ACL or security capabilities and Distributed Firewall.
Distributed Firewall rules are enforced at the vNIC layer before encapsulation or after de-
encapsulation. The distribut ed firewa ll policies are independent of whether a virtual machine is
connected to a VXLAN or VLAN . Distributed Firewall rules are independent of virtual machine
location.
II
z
(f)
X
(f)
The Distributed Firewa ll can enforce rules even if the virtual machines are on the same layer 2 (1)
segment. Policy rules always follow a virtual machine if the virtual machine is migrated to another o
c
....
host. ~

Distributed Firewall Components: Communication
Slide 6-30
Firewall rules are configured in the vSphere Web Client and pushed
to VMware NSX Manager.
REST API
Client
vSphe re
We b
Client
Distributed
Firewall
Security VXLAN DR DFW
Using a Web browser, you can connect to the vSphere Web Client that accesses the VMware
vCen ter Server" system . The vCenter Server system provides the user interface to manage policy
rules and mon itor distrib uted firewa ll activity.
The vCenter Server system communicates with VMware NSX Managert'". NSX Manager pushes
the rules down to the VMware ESXi host into the distr ibuted firewa ll kernel module.
The distributed firewa ll module on the ESXi host runs in the kerne l space and is responsible for
firewa ll rules enforcement at the vNIC level.
VMware NSX APFM can also be used to comm unicate with and configure the Distributed Firewall.
VMware NSX Controller" is not responsible for distributed firewa ll functiona lity.

Distributed Data Path
Slide 6-31
Distributed Firewall rules are enforced on each vNIC.

Source Destination Source Destination
i ------"j
1 ,
1~-----------------------,
~ 1
i---- -------------- ----.
, -, 1
1 1 , 1
1 , 1 1 , 1
:1 VM :, 1
1
1
1
1
1
,
,
1
1
, 1
1 I 1 1 , 1
1 1
1 , 1 1 , 1
, 1
1 I 1
1._ _ 1
" L_ _ __ J
L
1 . ''
vSwitch vSwitch vSwitch
The Distributed Firewall provid es hypervisor-based firewall enforcement on every vNIC . The data
path is optimized for performance and scalability. This daemon checks rules on both the ingress and
egress on the source and destination virtual machine. No virtua l machine traffic can circumvent the
firewal l.
II
z
(f)
X
(f)
(1)
o
c
....
~

Policy Rule Objects
Slide 6-32
The Distributed Firewall supports security rules, called policy rules,

at the layer 2, layer 3, and layer 4 levels:
Layer 2 rules are created on the Ethernet tab.
Layer 3 and layer 4 rules are created on the General tab :
General rules are enforced after Ethernet policy rules are applied .
TCP/IP Model OSI Model
. .. ~ .
Application Layer Presentation Layer
_ _Session Lave r_ _ L3/L4 rules control traffic at network and

transport layer. Use L3/L4 rules to filter specific
I Tran sport Layer
Inte rnet La yer

Transpo rt La yer
Ne twork La ye r
source or destination IP addresses or L4
protocols. Some examples of L4 protocols are
SSH (TCP port 22), HTIP (TCP port 80).
I I I
Da ta Li nk Lay er L2 rules control traffic at data link layer. Use L2
Ne twork Access Lay er rules to filter specific source or destination
Physi cal Lay er MAC addresses or L2 protocols. Some
examples of L2 protocols are ARP, RARP, and
LLDP.
The Distributed Firewall supports security rules at the layer 2, layer 3, and layer 4 levels. Layer 2
rules are configured in the Ethernet tab of the NSX Controller instance. These rules are meant for
actions that happen at layer 2 such as Cisco Discovery Protoco l (CDP) and ARP.
The rules for layer 3 and layer 4 are defined in the Ge neral tab. The Ge neral tab policies define
rules to manage traditional traffic between virtual machines in different subnets or from East-West
traffic.

Layer 2 Policy Rules
Slide 6-33
You define firewall rules for layer 2 on the Ethernet tab.
....;;- .
.-
~ &.I..:""'"Y
f! Nl>XHoIN
_. Ib)Ic.Il ~
'" ..-
"'--
~":'y2~
-- _.
-
; ;;' NSXE"OI4
... .
u
. ~I '
- - - -
1-..
- J~
-
'!l -
.--
DI"WeTttMl:'l\M~ll
..., ....
,
, + lll / "
l!J s.rn:. ~ It." N"P'--" 08""'.-. ...
"'"- . 1:- ' 1
'"
1'3--
Cil Fbo1r ~
~1119 . ~ ~
!!I ~ M"-' I'll '

,
---
~....-, L.I)W7l'1* lJ
.
' ' .... .... ....
-
+0 / - "
In the vSphere Web Client, under the Network and Security section, you find the Firewall tab. The
Firewall tab is where distributed firewall policies are defined. On the Co nfigu ration tab of the
Firewall tab are General policies and Ethernet policies. Ethernet policies are rules that are enforced
at layer 2.
II
z
(f)
X
(f)
(1)
o
c
....
~

Layer 3 and Layer 4 Policy Rules
Slide 6-34
You define firewall rules for layer 3 and layer 4 rules on the General
tab.
~.-.. .--., f ~l sa-:l1 ~
-
t! NS.I: _
;,==-
...
"<Sll:~, [ tN. ' ~ ~ .lOD .1
: ':': : " _------------------------=:;01

dt~=....c':-
~====:JI ~
'!I '-"'-"
. :s.r..a ~
l'J:sr.a e:crntc-r
..,.

.
DfW~
-. ~ .1
' -71
-
DllllSoKutfIy
:<- -..
Q N2MlfMl:mtR'lO
.
&1
,
~L.$ . _ U _~OCX
..
'
...""'-
, n ..
~ Ing " kunfr ~
E!W!;X " ' - - > .... "'"

.
..
. o... ~ ~ I1'uiIf I SI
"

Centralized Management of the Distributed Firewall
Slide 6-35
The Firewall tab allows centralized management of all Distributed Firewall rules.
rCtlllllfolrU IllrI SaYId C~

l,l SXII I ~ ~~.~
.- __
-. , irtual Center Serv er
Con tai ners
Identity - Clusters 01
- User identity - Data centers
a Ie - , - - Groups - Port groups Services ==~I !Q:I
- VXLAN - Protocol
- Ports r1 / lC
&1 8IcI:1ItnnlOtrU lOCll.nmnl - Custom .....
N... or~no" "'1lIIY Irtrtrl101Y
t!l Ni5Ji.... ~ E >
e,
e. .....
VM Co ntainers
- VM names OHC~ ..,. ...,
""
e. "" ..... ... - VM tags
- VM attributes ..
. DHC P-C~"' I
- ...
The Firewall tab allows centrali zed manag ement of all Distributed Firewall rules. When you add a
rule, you provide a name , source, destina tion, service , action , and where the rules are enforced.
The source and destination can be an IP set, but it can also be a security group that you define . A
II
z
(f)
security group is a collection of assets or grouping objects from your VMware vSphere inventory. X
(f)
You can also create sections to separate rules for different lines of busine sses, for example, different (1)
departments . o
c
....
The last rule or the default rule is typically set to deny. In most cases, an administrator wants to ~
explicitly allow certain types of traffic and block everything else by default. Internet rules get
applied before genera l rules so they are processed from top to bottom . When the traffic matches a
particular rule, the processing stops and the rule actio n is processed .

Using Distributed Firewall Sections
Slide 6-36
Distributed Firewall sections segment policy rules for easier

manageability and better performance. Sections do not affect the
overall security policies.
To merge two sections together, click the symbol and select the section to merge with.
s.a _ _ . ..... _ _
-....---
. ~ - -"-::::""'\I~~
-
... . -
"1- -
-.
,,-............
tj -
-..--.
.""
_.
.---.
!t ""5ll ~
.......,.~

--
..,
.""
....
.""
..-- -..:uoo ....... _
~~---""
...
."" .""
The Distributed Firewall can have different rules based on sections such as a department. For
example, you might separate rules for human resources and for engineering departments in separate
sections. If you later decide to combine rules from different sections, you can merge sections and
consolidate the rules in those sections. You merge sections together by clicking the Merge icon.
Although sections have no effect on security, sectioning can ease management by allowing
administrators to apply rules to specific groups or job roles.

Policy Rule Objects
Slide 6-37
Datacenter vCente r Dalacen

Rule will apply fa
DataCenter
Cluster vCenler Cluster a
Rule will apply fOI Cluster VMware Cluster attribute
Network vCenter Network
Rule will apply fa Distributed Virtual Port Port Group of a distributed
Virtual App vCenter vAPP at Group switch
Rule will apply101
Network Network attribute
Resource Pool vCenter Resoure
Rule will applyfat Virtual Machine VM attribute
Virtual Machine VM name attribut Ports (Destination L4 port vN IC vN1Cattribute

vNIC VM vNIC attribut Advancedoptions: Logical Switch VXLAN logical switch
E-~--------+-N-
Logical Switch
S-X-IO~gj-Ca-'sw
---'
iIC Source Ports (Source L4 P -'-i-'-'= = = = = = = L-- - - - - - - - ---"
Rule will apply fO I all VI.".'.' ..... \.AJ,,,'c....'cu LV ""'" IU~'\"CI' ", n'''.,11
Security Group NSX security group attribute (defined through Service Composer tab)
Rule will apply for all VM/ vNIC part of the Security Group
lP sets Listof IPv4 or IPv6 address
VMware NSX Services" enable you to put multiple ports into a nam e, for example, ports 20 and 21
into NSX Services called FTP. You can use protocol ports or you can create NSX Services in new
port new ranges. Several predefined NSX Services are created on the Distributed Firewall by
default.
II
z
(f)
X
(f)
You can perform various actions on the traffic. Actions define what the firewall should do with the (1)
traffic after a rule match occurs , such as block or allow or log or not log. o
c
....
Using the Applied To text box, you can specify which virtual machin e, and hence which vNICs, ~
receive the rule. The Applied To text box enables you to specify where the rules are enforced. The
rule action can be applied to a logical switch and is applied to every virtual machin e on the virtual
switch. You can apply the rule action to a clust er and every virtual machin e in that clust er is affected
by that firewall rule. If a new virtual machine is added to the clust er, the firewall rule is also applied
to that virtual machine. You can apply the rules to a data center, a clust er, a distributed port group, a
network, a logical switch , or a virtual machine vNIC.
When search ing Syslogs for firewall values, you must look for the BSIP value in the firewall entries.

Logical Switch Rule-Based Example
Slide 6-38
Rules can be enforced between virtual machines on the same

segment and between virtual machines on different segments.
.-
- '- -_.-
1lI ""-
a-
~-- -
O'
r- iRl _~
,tano .tQI .
1'fSJI,~
:::i:1lIP ' " + o. -.I~ 1l
- _. - -
Ie.-
- IEEl
.....
~
e _-_
:"!-
..1'J-. --
1~
...,
,
1.71
'ZaEi .
....
tB ROOt
""".'.Mal"nPS_ ..
X6
- ..
" .....-.-..
. -- I
+ 1 / . ..
'i
G ____ ' 5I UNUlI _ JoWUl'
~ =_!WI
- ___
........
.-
!!""-
...... ..-,--,
1m >
e-. ...... "-J""'"'S ,J r:/ . ..
Router Inst anc e 1
Source Dest Action
WebVM
-------------
VM1NM2 Block
VM1 Allow
VM2 VM1 Block
(assuming
APP lo gical- sw itch-2 default rule is
VXLAN 5002 VM4 VM3 set to block)
In the example on the slide, traffic coming from the Web logical switch that is destined for the App
logical switch is blocked by rule I . Thus, VM I and VM2 cannot talk to VM3 and VM4 .
Rule 2 states that traffic from VM I destined for VM2 is allowed. Th e two virtual machines are on
the same logical switch segm ent. Assuming that the default ru le is set to block all other traffic,
traffic from VM2 is not allow ed to VM I and traffic between VM3 and VM4 is block ed.

Security Groups
Slide 6-39
A security group is a construct that allows dynamic grouping of objects:

Based on inclusion and exclusion of objects defined under vCenter Server:
Done internally under NSX Manager
Network and Security> Service Composer> Security Groups tab
--------------------------------
\II'TlWMe' vSpheno web Client ,, " u.-.ecUPW () I . . . . . - . I ..
.-- '-
O' ..J"j e-
11 1oISll _
ll. -......
ENSlI.I~
<-~
~.-~
......- -
- .-
.--
"-
'!l - -
.
"
Dynamic membership criteria can be defined to include objects into the

security group:
Match any or all of the following criteria :
Computer as name, Computer Name, VM Name, Security Tag , Entity
The Grouping feature enables you to create custom containers to which you can assig n resources,
such as virtual machines and network adapters, for distributed firewa ll protection. After a group is
defined, you can add the group as source or destination to a firewa ll rule for protection.
II
z
(f)
Using the dynamic mapping capabi lity of security groups, you can define the criteria that an object X
(f)
must meet to be added to the security group that you are creating. This capability enables you to (1)
include virtual machines by defining a filter criteria with several parameters supported to match the o
c
....
search criteria. ~
For examp le, you may include a criteria to add all virtua l machines that run a specific operating
system (such as Microsoft Windows 2003) to the security group. Securi ty tags are case-sensitive.

Security Group Components
Slide 6-40
When you create a security group, you specify its expression, inclusions, and
exclusion parts
Expression:
Defined the dynamic membersh ip criteria of vCenter Server objects
Configured in the Defined dynamic membership tab in the New Security Group wizard
Inclusions:
Static membership selection of vCenter Server objects
Configured in the Select objects to include tab in the New Security Group wizard
Exclusions:
Static membersh ip rejection of vCenter Server objects
Configured in the Select objects to exclude tab in the New Security Group wizard
Objects identified in the inclusion part are added to the objects identified in the
expression
Any objects identified in the exclusions part is removed from the security group

Rule-Based Security Group Example
Slide 6-41
.~: ' I
. G/ . L I
SECURITY-GROUP-WINDOWS: dynamic membership: Computer OS name contains Windows
SECURITY-GROUP-L1NUX: dynamic membership: Computer OS name contains Linux

Source Destination Action
Router Instance 1 VM1 VM2 Block
VM1 I VM4 I Block
VM3
,,-",
VM2 Block
Windows Linux VM# I VM4 I Block
VM1 VM3 Allow
VM3 VM 1 Allow
r- .,
VM2 VM4 Allow
W EB logical-switch -1
VXL AN 5001 VM4 VM2 Allow
When the security group is created, it can be used as a source or destination when creating a firewall
policy. This ability gives organizations the flexibility in designing their firewall rules and reducing
the numb er of lines they have to enter. When the security group is created, you can add virtual
machin es to a security group by editing the security group. Securit y groups can be nested in other
II
z
(f)
X
security groups. (f)
(1)
In the example, two securit y groups exist. One group contains virtual machin es running the o
..,c
Windows operating system and the other contains virtual machin es running the Linux operating ~
system. The firewall policy is set so that Windows traffic sent to Linux is blocked. Linux virtual
machin e traffic sent to Windows is allowed. The Windows and Linux virtual machines are in the
same segment and yet one line enforces this policy. If you add virtual machines, they fall into the
security groups depending on the operating system and the policy is applied.

Applied To: Example
Slide 6-42
Source Destination Service Actio Appli ed To
n
VM1 ,VM2 ,VM3

vCenter Server ::::::>
Allow VM1 , VM4

NSX Manager
Allow
Allow
The Applied To text box allows you to specify which destination component receives the rules. The
rule might contain a virtual machine, vNIC, cluster, distributed port group, network , data center, or
logical switch in the source or destination text boxes. VMware recomm ends that you add these
comp onents into the Applied To text box so that the rule is optim ally offloaded to the ESXi hosts.
When dealing with large rule sets or overlappin g IP addresses , use the Applied To text box to
restrict the scope of Distributed Firewall rules.
Rules are created on the vSphere Web Client and sent through the vCenter Server instance which
passes them on to the NSX Manager. The NSX manager instance evaluates the rule and pushes the
rule to the corresponding host to apply to the corresponding virtual machin es. So both rules are
attached to VMI , only the first rule is attached to VM2, only the first rule is attached to VM3, and
only the second rule is attached to VM4.
In the example, you have two rules. Rule lone allows VM I to communicate with VM2 and VM3
on port 123. The second rule says that VMI can communicate with VM4 on port 321.
Traffic going to VM4 does not need to check rule I. The second rule applies to VM I and VM4 , so
the traffic going to VM3 does not go throu gh this rule.

Slide 6-43
Add a section to the rules.

Select theoptions tocreate newsection
Section name *1.".... _

Section Position 0 Add section above
oj<
The Distributed Firewall configuration
Add section below is backed up at regular intervals.
OK II Cancel
Search
AutoSaved_2014-Jul-1618:49 :39 root 71161201411:49:39. Auto saved dran
AutoSaved_2014-Jul-16 18:49:26 root 7/161201411:49:26 , Auto saveddraft
AutoSaved_2014-Jul-1618:45:29 root 71161201411:45:28 . Auto saved urart
AutoSaved_2014-Jul-16 18:41:31 root 711612014 11:41:31 . Auto saved draft
AutoSaved_2014-Jul-16 18:38:19 root 711612014 11:38:19 . Auto saved draft
AutoSaved_2014-Jul-16 18:29:58 root 711612014 11:29:58. Auto saved draft
OK I[ Cancel
II
z
(f)
X
(f)
(1)
o
c
....
~

Lab 16: Using NSX Distributed Firewall Rules to Control Network
Traffic
Slide 6-44
Define NSX Distributed Firewall rules to restrict traffic to one or more

Web servers and between application tiers
2. Create a Distributed Firewall Section
3. Configure Cross-Tier Rules
4. Restrict Inbound Web Server Traffic to HTTP and HTTPS
5. Review Distributed Firewall Log Entries
6. Restore a Saved Distributed Firewall Configuration

Concept Summary
Slide 6-45

What is a firewall rule set for distributed firewalls
Firewall policy
called?
What filters different traffic types by the firewall? Firewall filtering
What are firewall policies that are independent of

Policy independence
the virtua l machine location called?
What allows dynamic grouping of virtual
Security groups
machines based on defined criteria?
II
z
(f)
X
(f)
(1)
o
c
....
~

Slide 6-46

Compare the Distributed Firewall to traditional firewalls
Describe the policy enforcement of the Distributed Firewall
Configure rules on the Distributed Firewall

Lesson 3: Flow Monitoring
Slide 6-47
Lesson 3:
Flow Monitoring
II
z
(f)
X
(f)
(1)
o
c
....
~

Learner Objectives
Slide 6-48
objectives:
Describe how Flow Monitoring can be used to enhance security
Configure a Distributed Firewall rule to block a traffic flow

Flow Monitoring
Slide 6-49
Flow Monitoring is a traffic analysis tool that provides a detailed view

of the traffic to and from protected virtual machines.
Flow Monitoring configures the distributed firewall to capture flows
and send them to NSX Manager for retention.
1 Home e... Flow Monitoring
Networking & Security Dashboard Details By Service Live Flow

E!! NSX Hom e NSXMan ager ( 1g2.16B.110.42 I~ )
ii Installation
~ Logical Switches Global Flow Collection Status: D isabled I Enable
=
o
NSX Edges
Firewall
Systemis configured to NOT collectfirewall relatedffows
~ SpOOfGuard
Service DefiniUons
B Service Composer
J Data Secu rity
m, Flow Momtorlng
The Distributed Firewall has visibility of all traffic flows that have taken place in the logica l
switches. By drillin g down into the traffic data, you can eva luate the use of your resources and send
session information to the Distributed Firewall to create a rule or block rule at any level.
II
z
(f)
X
(f)
(1)
o
c
....
~

Enable Flow Monitoring
Slide 6-50
Flow collection must be enabled for you to view traffic information.

You can choose what flows you want to enable and what flows you
do not want to see.
........ I
N.~,&kc.nty
p'! NSXHO",.
iQt.,.tIll.. on
CiIobIIflow CGIiKuo. SUtvt;; En.bled ( (M,abllt ]
1J: L O~ ~'
=NSX[~ .. ~o,~"'/J;!a; r ~~.'~~l"1.IT'.t" ~'Kol'ed~
"r....... h dlo. a S.II Il'Uil .

o'IOfCO&'.ct~"iJllftC/l""a"ec.oI'",~
15- '
, . s.Mce OtllrlrDonl
S)SlIo'n
8 $tMo;t ComNStl'
QlD"' _
I
~. .-r-u.g
I- -' & s.c".r ~1orY 138137
~ tfS;l; "Jl'l~WJ > .......
By default , Flow Monitoring is disabled. To enab le Flow Monitoring, click the Enable button.
Flows that should not be collect ed can be added to the exclusion lists in the Exclus ion Settings of
the Configuratio n tab.

Exclusion Settings
Slide 6-51
You can filter the data being displayed by specifying exclusion

criterion.
You can exclude flows from collection based on multiple criteria:
DFW blocked flows
Layer 2 flows
Source and destination IP sets, MAC sets, Virtual machine, and vNICs
Srir.d ('.on~'f!1
Source and destination IP

Destination port e - .",.. ,,_
",
C~td la,.. ~ rl lJ'IiII'\ y"
Service ...... 'J$lftm oel\4lr""a etOOl.M1

U 'otllC
0 !JJ ' ~i>'
o til ou-.70 1d
U ijl 0.4'#00 1.10
o BJ l)f-s....o2.
o ttl d b "w ~1 .1
II
z
(f)
X
(f)
(1)
o
c
....
~

Viewing Flows
Slide 6-52
After Flow Monitoring is enabled, the captured flows can be viewed

from the dashboard, with the default views: Top Flows, Top
Destinations, and Top Sources.
........""
f:
-\
~1"....i-~~L:",.
, _ .t..... .t . . . ..t..=-
... _ .I"NI"
., .... .'.
.._ ..."
_
a~

I ....... .
0._ !.
t a...
...... . .
,. ,.
I~' _
I"' UI "
...... 10.. ...
...... 1'1."
.....

Flow Views by Service
Slide 6-53
The Details By Service tab provides information on all the flows

grouped by service:
You can view blocked flows by service.
You can modify the rule that allowed the flow .
~ ..- . Uoo'" ~
........... ,lQ .... d "
-
--
_ _ _ '1l;J')
~"'H
-~
n,.
--
"'"
_
,
-
_~--.e--.-1Il ;JQ;.I
,.
-- --
- 'Ill!
..
--
.. ... ....
. .-.-.- -,.....
On."1'"''
----... ........---
~,~
.-.-
.. t.
.-,....
.~"lt
~ . . . . .1' .. ,. -~ (,.-
.'...... ......
__ r __
.!II!IIIII""
--__ l._
I n ' ''U!'I''
Il'1l1'lt"'"''
a-Ull'tl. ' . "
_"1ol1'1hII
."'Mn.,.
II
~- ,
If you click the Details by Service button at the top, you might see a flow that you do not want. You
can add a rule to block the flow or edit the existing rule that is permitting the flow.
z
(f)
X
(f)
(1)
o
c
....
~

Live Monitoring
Slide 6-54
You can view UDP and TCP connections from and to a selected vNIC .

l.,.
5 00 ....0 .
(jI _ _
dl ~ "
/J ~ "
Dash board Details By Service I Live Flow I Configu ~ ::::..

M
NSX Manager: ( 192.168.11 0.42 I~ )
Live Flow will be show n for th e selected vNIC. Please se l he live ftows
vNIC(row s0 Start I[ Stop
I ~l e-'
To view traffic between two virtual machines, you can view live traffic for one virtual machine on
one computer and the other virtual machine on a second computer. You can view traffic for a
maximum of two vNICs per host and for 5 vNICs per infrastructure.

Live Monitoring Output Example
Slide 6-55
The screenshot shows the output from Live Monitoring for the
selected vNIC.
Dashboard Details By Service I Live Flow I Configuratio n

NSX Manacer: ( 192.168.1 10.42 1-)
Live Ftowwnt be sh own for the se lected vNIC . Please select a vNlC and press start to see the live rtows
---
vN1C: apacne-w-nta - Network adapter 1 Browse Start
~
Refresh Ra te: 15Seconds I I Ne w a cti ve f1ow~ Flows wi th stJte c ha nge Term i n.ated flows
Destination Incoming InlXlming Outgoing

Ruleld Direaion Flow Type Proloool Source IP Source Pon. DoStinalion IP Stille
PM B~~ Paclle15 B~~
1002 OUT Active UDP 192.168.100.75 138 192.168.100.255 138 229 1 0 I

~OO2 IN ;4,tlive ODP 192.168.100 .76 138 192.168.100.255 138 236 1 0 1
I
I
I
-
II
z
(f)
X
(f)
(1)
o
c
....
~

Slide 6-56
Flow monitoring has been enabled in a previous lab.
4 Home OS ... Flow Monito r ing
Networking & Secur ity Dashboard Details By Service Live Flow

Eft NSX Home NSXM,mag er ( 19 2.166.110.42 I)
@ Installatio n Filter the results.
~ Logical Switches Global Flow Collect ion Status: Enabled I Disa ble )
System is confio;}wed 10collect &JJ firewall re lated flo'l't"s except those /1
~ NSXEdges Change Time Int erval
1"'1 Firewall Exclusion Settings
ii5scoorcuaro System will not collect f/owr, thai ma tch tile soeceea coraoon
. . Service Defi nitions o Las115 min utes
t1 Service Composer Collect BlockedFlows
4i Data Security couect Layer2Flows

o La st1 hour
It! Flow MonitOring Source o La st 12 hours
L!'8 Activit!" Monitoring
.. Netwo rking & Secu rity Invent ory
Destination
Destination ports
o La st 24 hours
(II NSX Managers .. ) Service o Last 1 week
o Last 2 we eks
Review flows by service. o From : 51B 42ffi
ro : ~~~=51B . 57ffi
Dashboard Details By Service Live Flow Configuration
N8XManager: [ 192.168.1104 2 I ~I
OK II Cancel I
~ Allowed FIOWS ~ Blo cked Flows 1

Lab 17: Using Flow Monitoring
Slide 6-57
Examine network flows using the Flow Monitoring feature and define
a firewall rule based on a flow
2. Examine Dashboard Details
3. Review Allowed Flows by Service
4. Add a Firewall Rule Based on a Flow
II
z
(f)
X
(f)
(1)
o
c
....
~

Concept Summary
Slide 6-58

What provides a detailed view of traffic to and
Flow monitoring
from virtual machines?

Slide 6-59

Describe how Flow Monitoring can be used to enhance security
Configure a Distributed Firewall rule to block a traffic flow
II
z
(f)
X
(f)
(1)
o
c
....
~

Lesson 4: Role-Based Access Control
Slide 6-60
Lesson 4:
Role-Based Access Control

Learner Objectives
Slide 6-6 1
objectives:
Describe authentication , authorization, and accounting (AAA)
Describe role-based access control
Describe the roles available in NSX Manager
Explain the scope options
Configure role-based access control in NSX Manager
II
z
(f)
X
(f)
(1)
o
c
....
~

Authentication, Authorization, and Accounting Model
Slide 6-62
AAA is a security model for providing user access to restricted

systems:
Authentication is the process of validating the user.
Authorization is the process of granting partial or full access to the
authenticated user to the restricted system.
Accounting is the process of logging the activities of the user after
authorization is granted .
AAA is flexible because it allows the implementation of parts of the
model.
You use the vSphere Web Client to configure AAA through VMware
vCenter Single Sign-On
VMware NSXTMuses vCenter Single Sign-On AAA configuration
through vCenter Server.
In many organizations, networkin g and security operations are handled by different teams or
members. Such organizations might require a way to limit certain operations to specific users.

Identity Sources
Slide 6-63
An identity source is an entity that provides full or partial AAA

services.
vCenter Single Sign-On supports the following identity sources:
Microsoft Active Directory
Network Information Service (NIS)
Lightweight Directory Access Protocol (LDAP)
vCenter Single Sign-On is based on Security Assertion Markup
Language (SAML) tokens.
VMware NSX TM supports VMware vCenter Single Sign-Ont> vCen ter Sing le Sign-On enables
NSX to authenticate users from other identity services such as Active Directory, Network
Information Serv ice (NIS), and LDAP.
II
z
(f)
X
(f)
(1)
o
c
....
~

Identity Source vSphere Requirements
Slide 6-64
To correctly add an identity source to the VMware vSphere

environment, the following vCenter Server services must be
configured:
vCenter Single Sign-On must be installed.
NTP must be configured on all the vSphere systems.
DNS must be populated for all vSphere systems.

Role-Based Access Control for NSX for vSphere
Slide 6-65
Role-based access control is a method of granting user access to

restricted systems based on the function, or role, that the user has
been assigned:
Users can be assigned a role directly or indirectly by belonging to a
user group.
NSX users and user groups can be identified from existing vCenter
Server users or identity sources configured with vCenter Single Sign-
On.
The default NSX admin user cannot be disabled.
NSX has predefined roles .
NSX system access can be restricted for users by using scopes.
A permission is the combination of the user, scope, and role.
A user 's role defines the actions that the user is allowed to perform on a given resource. The role
determines the user 's authorized activities on the given resource, ensuring that a user has access
only to functions necessary to complete applicable operations. This role allows domain control over
specific resources, or system-wide control if the user 's right has no restrictions.
II
z
(f)
X
(f)
(1)
o
c
....
~

NSX User Roles
Slide 6-66
NSX provides roles that users can be assigned to:

Enterprise Administrator: Has read and write access to all areas of
NSX.
NSX Administrator: Has read-write access to NSX operations area,
such as installing virtual appliances and configuring port groups , and
has read-only access to other areas.
Security Administrator: Has read-write access to NSX security area,
such as defining data security policies , creating port groups and
creating reports for NSX modules , and has read-only access to other
areas.
Auditor: Has read-only access to all areas.
New roles cannot be created.
NSX Manager provides four default roles that allow you to determine a user's authorized level of
activity.

Scopes
Slide 6-67
NSX provides scopes to restrict the area that a user can access in
the NSX system:
Global: The user has access to all areas of NSX.
Limited Access: The user has access to only the NSX areas defined in
the user profile .
The scope of a role determin es resources that a particular user can view.
II
z
(f)
X
(f)
(1)
o
c
....
~

NSX Role Guidelines
Slide 6-68
The following guidelines can be used for creating roles in NSX:

User management for the vSphere Web Client is separate from CLI
user management.
NSX permiss ions are independent of vCenter Server permissions.
Users inherit the permission of the user group that they belong to.
Users can have multiple permissions if they belong to multiple user
groups.
A user cannot be defined without a role.
After a role is assigned to users, the role can be changed.
The Enterprise Administrator and NSX Administrator roles have a
global scope.

Permission Inheritance Example: Single Group
Slide 6-69
John does not have permissions defined in NSX, but John belongs to
the user group Groundhog:
John is an NSX Auditor with read-only access to all areas.
User Option Value Group Option Value
Name John Name Groundhog
Belongs to group Groundhog Role assigned Auditor
Role assigned N/A Scope Global
II
z
(f)
X
(f)
(1)
o
c
....
~

Permission Inheritance Example: Multiple Groups
Slide 6-70
John does not have permissions defined in NSX, but John belongs to
the user group Groundhog:
John is a Security Administrator with read-write access to all objects in
Datacenter1.
John is an NSX Auditor with read-only access to all other areas.
Group User Group

" Value tl Value ti Value
O pion
t O pion O pion
Name Groundhog Name John Name Spider
Role Belongs to Groundhog, Role Security

Auditor
assigned group Spider assigned Administrator
Role
Scope Global N/A Scope Datacenter1
assigned

Configure Role-Based Access Control
Slide 6-7 1
To grant user access to NSX:

1. Navigate to NSX Managers and select NSX Manager.
2. Select Manage> Users.
3. Select the user or user group.
4. Assign a role.
5. Define the scope.
K-4 NSX Managers e
It 192.168 .110 .42
+ I Change Role e (3.:

Origin Role, Status
"'"'
aumm vCenter System Admin ist rator Enabled
root vce nter Enterpris e Adm inistr... Enabled
II
z
(f)
X
(f)
(1)
o
c
....
~

Define Scope
Slide 6-72
The choices for the scope are the following:

Data center
Port group
Logical switch
Virtual machine
Virtual appliance 1""'-=--'--- - - - - - - - - - - .....
.." , l6fIoIot"rlJotoN 11fM !icq:.e-
$ .. ~ ... _ l' . b ........
Multiple objects can be selected. :11

:'';'"'
=
t!= ' -~_
st ~'di"~\m. -uou ....... "",

0 .........
o c.-T!w<Ol

Slide 6-73
Add a user to the N5X server.

,,' vCenter privileges are
, .-. ...... -"""""
Sll<tll.wCMlIItt u... orgrvwIV .IIIQn rol.
required.
] Um l 'kupe
..... Inventory lists

U\ t'I ( oWl 109 0tI ...... tII<t (ll'lJtf"t;..I, I'TY,,"'.IO<t" .l yC."",
(Itt 1!'i1@ilP~", IOC.II' or l,,~omlll'l com )
GJ vCenter Servers E >
( SPt<11lfill ~ ""I(lf O'CtuCl
Eb. Datacenters E >
eMIt.' _~ Id Hosts E >
\J Clusters E >
Limit the user's N5X access. ;I Resou rce Pools E >
EJ Datastores
Edit Role AssVlffleut fOf \/Center user .. (OJ Datastore Clusters
E
E
>
>
1 SCIedRo lcs limit SCope
5e-1 access st ope forunr
ft Standard Networks E >
Q Distributed Switches E >
o NO resmeuoo, use' may accessN$X gloOal conl'lgura llon
~ Virtual Machines E >
-----,}
~ ume aHen to 1Ft. port group , datacenter, or NSX Edgl' lis ted be-low
Type0011group. dal aeemer, or NS)( Edgen<lmelol'lnd

00 vApps E >
Ad,
Q VM Templates E >
6 9 rilnch-Wob-Tie,
t Compule_VDS- HOAccess (ABC Medical)
Cancel
I(} Compult_VDS Mgml ~BC Medlta l)
II
z
(f)
X
(f)
(1)
o
c
....
~

Lab 18: Managing NSX Users and Roles
Slide 6-74
Add an ssa user as an NSX Administrator and change the role of the
user
2. Add an SSG User with NSX Administration Rights
3. Restrict an NSX User to Administration of a Specific NSX Edge
4. Explore Roles and Scope Limitations

Concept Summary
Slide 6-75

What is a permissions model that defines users '
Role Based Access Control (RBAC)
access to a system by their role?
What describes a general category of users that
User role
perform a specific type of task within a system?
What is the security model for providing user Authentication, authorization,
access to restricted systems? and accounting (AAA)
What is the VMware implementation of AAA? VMware vCenter Single Sign-On
What is an entity that provides full or partial

Identity source
AAA services?
What restricts users based on areas of NSX Scope
that they are allowed to access?
When the permission settings of a role are
Permissions inheritance
inherited to the user with in that role, what is
the inheritance called?
II
z
(f)
X
(f)
(1)
o
c
....
~

Slide 6-76

Describe AAA
Describe role-based access control
Describe the roles available in NSX Manager
Explain the scope options
Configure role-based access control in NSX Manager

Lesson 5: Service Composer
Slide 6-77
Lesson 5:
Service Composer
II
z
(f)
X
(f)
(1)
o
c
....
~

Learner Objectives
Slide 6-78
objectives:
Explain how Service Composer enhances security
Create a policy and security group
Create a rule in Service Composer

Service Composer
Slide 6-79
Service Composer helps you to provision and assign network and

security services to applications in a virtual infrastructure.
What you want to How you want to

protect protect it
................................ .
~
. _ .

Security Groups Security Policies
............................ ~
..................................
Members (VM , vNIC) and Services (Firewall , antivirus)
Context (user identity, security and Profiles (labels representing
posture) specific policies)
You map services to a security group, and the services are applied to the virtual machines in the
securi ty group. Define security policies based on service profiles already defined (or blessed) by the
security team . Apply these policies to one or more security groups where your workloads are
members .
II
z
(f)
X
(f)
(1)
o
c
....
~

Using Service Composer
Slide 6-80
A security policy is created and consists of the following:

Endpoint services from VMware or partners
Antivirus and malware
Vulnerability management
Data security
Data loss prevention
Distributed Firewall rules
Network introspection services from VMware or partners
Security policy is then applied to one or more security groups.
A weight is given to the Security Policy to control precedence in the
following situations:
Multiple security policies applied to the same security group.
Virtual machines that are members of two different security groups .
A security policy is a collection of the following service configurations:

Firewa ll rules that define the traffic to be allowed to, from, or within the security group that
apply to vNICs.
Endpoint services which are data security or third-party solution provider services, such as
antivirus or vulnerabi lity management services that apply to virtua l machines. Endpoint
services must be installed for identity firewa ll.
Network introspection services which are services that monitor your network, such as intrus ion
prevention systems that apply to virtua l machines.
A virtual machine might belong to more than one security group . Services that are applied to the
virtual machine depend on the prece dence of the security policy mapped to the security groups .

NSX Integrated Partners
Slide 6-8 1
NSX collects all third-party security tools in one place where the team
can manage, control, and apply security.
NSXAPI
NSX Controller and NSX Manager

_ _ _ _ _ _ _ _ _ _ _ Partner Extensions
-
:+
L2 Gateway ADC/LB Firewa ll
Security Services
6)
IDS/IPS
6)
AV/FIM
6)
Vulnerability
Management
I Service Composer =Service Consumption
Traffic leaves the virtual machine and is sent to the integrated partner product. Some partners have
integrated products into NSX. This traffic flow happens before the traffic reaches the network. II
z
(f)
X
(f)
(1)
o
c
....
~

NSX: Third-Party End-to-End Workflow
Slide 6-82
You can extend the NSX operation model to third-party services:

Register the third-party management platform with NSX Manager.
Deploy the third-party virtual machine appliance per VMware ESXi
cluster.
Consume the service.

Registering Partner Services
Slide 6-83
Before a partner security service is available to a security policy, the

service must be registered with NSX.
.1_
-
....... ' ~
--
!I HSI _
..=I$IU,..
I O' ... 0 . - .
IGlIliIlNIIIf ;t:l... nf~
+ / x _ .

.... . -
,.--""--
"'-
_..
...............
MMI..... ~
..... .....".
I
__
~ .
.

-- ""- ~ ............. 1
:i....-.e
.........
!l teP "-'-'
~-.

........ . .
If the partner solutions management console does not provide a mechanism to register the solution
with NSX Manager, you must register the solution manually. II
z
(f)
X
(f)
(1)
o
c
....
~

Partner Service Registration: Palo Alto Networks
Slide 6-84
Ask the partner for instructions on how to register the service with
NSX.
You need t he followi ng : ~~~p~aIO~alt;O~~~~~~~~i~~

NSX Manager IP address or FQDN ~ ..
NSX Manager credentials F'-:: _.. -.-.....
.._.-
&-
- _.
---.... ::"..~:-.:-.o:r-- ....-
_ c . - s ...
---
--_--.... -.......
~- --'
.
,1-. ---
--'-
'-
g .. r-.
-
ft _
_
------_-.... -..
---

Partner Service Registration: Symantec
Slide 6-85
Symantec protection is delivered as an agentless service on the NSX

platform.
~~""'-Ocw.m Ill . lI ' .....- , _ -
--
--_.
---
.Ol--
L _
.--- -
e- _ _ ._ t
----,_ .
_ _ _ _ I
-
._.- _
.-- -
~ - -.
II
z
(f)
X
(f)
(1)
o
c
....
~

Service Installation
Slide 6-86
After you register the partner service, you must deploy the partner
service virtual machine.
. --
(~~.1I-"7'
- .-_::-:':":"'-
---.- 4
~ .
'"
:=- -=;-: --- ;-
- =:--
-- .=-- I
- - - - - .. - - - - - - -
I :=-==
~
Palo Alto Networks

~~~Oltftt il . CJ, , _ ",
.-=
1--.__-- _----._-_..- .....-
O ' -
_ 1
:..;--
I~~~iiiiiiiiil~
- - - - -
1' 7 _ = ...':":'"......
.. ---
- t=-
eft __ _
. .- "C-" ,,__ -~ -~ -~
.--
, ~ -
.-- .. "' - "
. _ .e--_. 1---
...-..-.1 1 '. 2 uI ...._
...
...
..
~ .-.
~.-.
-
", e . -.__
~
~
, --
~
:i.... _
.-==--~ ~ Symantec
If the partn er solution includes a host-resident virtual appliance, you can install the service after you
register the solution.

Security Policy
Slide 6-87
A security policy is a set of endpoint, firewall, and network

introspection services that can be applied to a security group.
-0-_.--
l ....IE ' ,
i." 1._ ....-
, .,1_-
.:; ., .=-
..
_"'_1 ....
......
~.-.- -
_ _ _ . . . . . . . t,
.. .~ ...
II
z
(f)
X
(f)
(1)
o
c
....
~

Service Composer Canvas
Slide 6-88
The Service Composer canvas is a container that associates the

security group with the service policy to apply to the security group.
1
2
pel DSS ZOlne
1
~1
Service Composer offers a canvas view that displays all security groups in the selected NSX
Manager. The view also displays details such as members of each security grou p and the security
policy that is applied to the member.

Canvas View (1)
Slide 6-89
Containers: Grouping of VMs , IPs, and more to define Policies are a collection of service
what you want to protect. profiles that are assigned to this
container to define how you want to
Example: Financial Applications, Desktop Users, protect this container.
Quarantine Zone
Example: PCI Compliance or
Quarantine Policy
Nested containe rs are

other groupings within the
container. 2
Service profiles for deployed
services, assigned to these policies
Example: Quarantine
Zone is a subgroup within
WHAT You Wan ... Services supported today:
My Data Center. Distributed Virtual Firewall
Antivirus
Vulnerability Management
Network IPS
Data Security (DLP scan)
User Activity Monitoring
VMs (workloads) that belong to this container. File Integrity Monitoring
Example: Apache -Web-VM , Exchange Server -VM
All security groups in the selected NSX Manager, which are not contained in another security group,
are displayed with the policies applied on them. II
z
(f)
X
(f)
(1)
o
c
....
~

Canvas View (2)
Slide 6-90
Members: Applica tions and workloads that belong to this container.

Examp les: Apache-Web-VM , Exchange Server-VM
ard
WHAT tWant to Protect - Virtual Machines
J Virtual MaChines ]L.. _

(0_
) E_rra
_' s 1
:1 EJ 2
( C( Filter
What I want to protect
Na"" WHAT I Want to...
EO win7_AV
1
EO Win7_Vuln
~1
II Membersasaf 8/16/13 5:29 PM
The slide shows virtual machines that are currently part of the main security group and nested
security groups.

Canvas View (3)
Slide 6-9 1
-
'-.- ..
. --
Q
--
8]0 - . 1& , ...... ,. -
8Jo 61 0 61 0 Q
---
""'V'
Each rectangular box in the canvas represents a security group. Icons in the box represent security
group members and details about the security policy mapped to the security group. II
z
(f)
X
(f)
(1)
o
c
....
~

Service Composer: Vulnerability Scan Example
Slide 6-92
1. The Web server virtual machine that is running 115 is deployed, unknowingly having a
vulnerability.
2. A vulnerab ility scan is initiated on Web server, for example, Rapid7's Nexpose product.
3. The virtual machine is tagged in NSX Manager with the eVE and evss Score.
4. NSX Manager associates the virtual machine with the Quarantine (VSM FfW Deny).
5. The adm inistrator applies patches, Nexpose re-scans vi rtual machine and clears tag.
6. NSX Manager removes the virtual machine from Quarantine and the v irtual machine returns to
its normal duties.
Membe rship: Includ e V Ms

that have been provisioned
F NSX Mana9 L.-er_ -,
Membership: Incl ude VMs
which have CVSS score >= 9
as WebServer
SG: Web Servers Services

1--------
I
I r-- r - - ,..-;'I~
In the examp le, the virtua l machine powers on and is a part of the group . So polices are applied to
the virtua l machine. Rapid 7 gets the traffic and determines the rating of the virtual machine and
labels the traffic as untrustworthy. The virtua l machine is moved to a new security group and denies
all the traffic. The virtua l machine is moved from the trusted security group to the untrusted security
group based on input from the Rapid 7 device .
The virtual machines can be a part of the first security group because they meet the criteria of both
groups . However, the highest weight gets the policy applied . The weighting determines which
policy is applied to the virtual mach ine when the virtua l machine is a part of multip le groups.

Service Composer: Traffic Redirection with PAN Example (1)
Slide 6-93
Traffic redirection (or traffic steering) can be configured in the

following ways:
Any new virtual machine added to the corresponding Security-Group
(S-G) is automatically subject to associated traffic redirection.
S-GWEB S-GAPP S-G DB
User
Security-Group to Security-Group
--------
Security-Group to Any
Traffic redirection or (traffic steering) from a guest virtual machine to a Palo Alto Networks VM-
Series firewa ll is performed internally at the hypervisor level using shared memory space . The NSX
admin istrator specifies which DVS port-group or logical switch (VXLAN) needs to be served by the
Palo Alto Networks VM-Series firewa ll.
II
z
(f)
X
(f)
Using Service Composer or Security Policy, the security team can define traffic flows that are (1)
redirected to the Palo Alto Networks VM-Series firewa ll for inspection and enforcement. Traffic o
c
....
allowed by the VM-Series Firewall is then returne d to the VMware NSX Virtual Switch" for ~
delivery to the final destina tion. The final destinat ion is either the guest virtua l machine or the
physica l device.
Traffic redirectio n (defined in the Network Introspection Service window) can be defined in the
following ways:
From Security Group (SG- I for instance) to Security Group (SG-2 for instance)
From Any to Security Group (SG- I for instance)
From Securi ty Group (SG- I for instanc e) to Any
Any means any source or destination IP address respectively.

Service Composer: Traffic Redirection with PAN Example (2)
Slide 6-94
Security Policy or Network Introspection Services:

Define traffic that is steered to PAN VM-Series FW
Source or Destination:
Any ~ I. -- ---- --
Policy 's Security Group

Select Security Groups - _ _Od - .
Action: .... _ .... _ _ ttrI'/II'
Redirect to service
Do not redirect
o
Protocol:
Any - ",.
Specified: TCP/UDP destination
port and source port
.--
.
.. .
,~

Concept Summary
Slide 6-95

What is a third-party security tool able to be Integrated partner
managed from within Service Composer called?
What is extending the NSX operational model to
Third-Party End-to-End Workflow
third-party services called?
II
z
(f)
X
(f)
(1)
o
c
....
~

Slide 6-96

Explain how Service Composer enhances security
Create a policy and security group
Create a rule in Service Composer

Lesson 6: Other Monitoring Options
Slide 6-97
Lesson 6:
Other Monitoring Options
II
z
(f)
X
(f)
(1)
o
c
....
~

Learner Objectives
Slide 6-98
objectives:
Describe how to find firewall entries in the Syslog
Analyze Syslog security entries

About Syslog
Slide 6-99
Syslog is supported across all NSX components

NSX Manager
[)elMS; Action
VMware NSX Sire Large
Controller" Gett,ng Started Summ ary Mo.nllQf ~ RelatedObJeds Aulo cenerate rules Enabled
SyslGg seMlIS
NSX Edge Aclvanc &d Syslem 5etllfl ll &

Serve Edit 5yslog
Serve
Se~e r5 ConOgurllDon
Hosl profile SyslOllserver1 syslOll.corplocal
ESXi Time Con fig ul illiOfI
Powe r Milnagement
M"'-Wl'M"h
System Resour ce AIoc.lI bl
SETTINGS
General
NelwOf1(
SSL cemncates
saoaes & Restore
Upgrade
CO MPO NENTS Syslog Server

vShreldManager serace You can specify the IP address or name of the syslog server mat can be reserved usnc me above mentioned DNS Server(s)

syslog corp loca l
Sys~ Server
p,"
51'
TCP
Protocol
You can enable Syslog for the NSX components even on NSX Controller and NSX Edge . You
specify a Syslog serve r where all the Syslog messages are collected. Management plane logs are
available through NSX Manager and data plane logs are available through vCenter Server. VMware
recommends that you specify the same Syslog server for the NSX component and vCenter Server to
II
z
(f)
X
get a complete picture when viewing logs on the Syslog serve r. (f)
(1)
o
C
....
~

Syslog Format
Slide 6-100
The system event message logged in the Syslog has the following
structure:
Syslog header
Event 10
Timestamp
Application name
Event code
Severity
Message
The system event message that is logged in the Syslog has the structure listed in the slide.

vCenter Log Insight
Slide 6-101
Consolidate, visualize, and correlate Syslog data from multiple

related components in a software-defined data center.
Build custom dashboards for real-time monitoring and trending.
Customize log interpretation logic to parse using regex, int, and str.
..-:::I-=::r::=- ::;;-..- --_ ._- ~~
.--
II~I
VMware vCenter Log Insight" provides faster analytical queries and aggregation than tradit ional
tools, especially on larger data sets. vCenter Log Insight identifies key-value pairs and adds
structure to all types of unstructured log data, enabling administrators to troubleshoot quickly,
without needing to know the data beforehand.
II
z
(f)
X
(f)
(1)
o
c
....
~

Concept Summary
Slide 6-102

What is a computer message logging standard Syslog
called?
VMware vCenter Log InsightTM
Which is the VMware product that delivers real-
time log management and analysis?

Slide 6-103

Describe how to find firewall entries in the Sysloq
Analyze Sysloq security entries
II
z
(f)
X
(f)
(1)
o
c
....
~

Key Points
Slide 6-104
Distributed Firewall focuses on East-West access controls.

The NSX Edge firewall focuses on the North-South traffic enforcement
at the tenant or data center perimeter.
A user's role defines actions that the user is allowed to perform on a
given resource.
Flow Monitoring provides a detailed view of the traffic to and from
protected virtual machines.
Service Composer helps you to provision and assign network and
security services to applications in a virtual infrastructure.
Syslog can be enabled for all NSX components.
Questions?

VmWare NSX Student Guide PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

VmWare NSX Student Guide PDF

Uploaded by

Copyright:

Available Formats

VMware NSX:

Install, Configure, Manage

VMware Education Services

MODULE 1 Course Introduction 1

VMware NSX: Install, Configure, Manage

ii VMware NSX: Install, Configure, Manage

iv VMware NSX: Install, Configure, Manage

MODULE 4 NSX Routing 187

vi VMware NSX: Install, Configure, Manage

viii VMware NSX: Install, Configure, Manage

MODULE 6 NSX Seeurity 363

x VMware NSX: Install, Configure, Manage

VMware NSX: Install , Configure , Manage 1

VMware NSXTM is the network virtualization and security platform for

2 VMwa re NSX: Install , Configure, Manage

Describe basic NSX layer 2 networking

Module 1 Cou rse Introduct ion 3

4 VMwa re NSX: Install , Configure, Manage

VMware N5X: Install Configure Manage :J

Logical Switch Networks and VXLAN Overlays

NSX Edge Services Gateway Features

Module 1 Course Introduction 5

The following typographical conventions are used in this course.

Monospace Filenames, folder names , path

6 VMwa re NSX: Install , Configure, Manage

NSX Installation and Upgrade Guide http://pubs .vmware .com/NSX-6/index.jsp

NSX Administration Guide http://pubs.vmware.com/NSX-6/index.jsp

Module 1 Course Introduction 7

NSX is a network virtualization platform that enables you to build a

Logical Switching: Layer 2 over Layer 3,

8 VMware NSX: Install, Configure, Manage

For details about VMware certifications, go to: oa

Module 1 Course Introduction 9

Learning Path Tool

Leamby Leamby Leamby Achieve

To determine your learning path for VMware training, go to:

10 VMware NSX : Install , Configure, Manage

For NSX technical information, use the following resources: oa

Module 1 Cou rse Introduction 11

VMwa re NSX: Install , Configure , Manage 13

VMware NSX: Install Configure Manage

Logical Switch Networks and VXLAN Overlays

NSX Edge Services Gateway

14 VMware NSX: Install , Configu re, Manage

Understanding the high level concepts of the software-defined data

Module 2 NSX Networking 15

Lesson 1: Introduction to vSphere Virtualization

16 VMware NSX: Install , Configu re, Manage

Module 2 NSX Networking 17

18 VMware NSX: Install , Configu re, Manage

Real Operating System II

Dedicated Virtual Hardware ><

Stable and Dependable No Need for Modification No Special Changes to as

Virtual machines look and behave like physical servers .

Module 2 NSX Networking 19

Hardware Independence for Restores

20 VMware NSX: Install , Configure, Manage

VMware ESXi benefits:

Direct hardware access

Less overhead than hosted hypervisors

=Lower resource overhead

Module 2 NSX Networking 21

vSphere Client Active Directory