NSX-T Federation

Presentation
NSX-T 3.1

Use of SLIDE SHOW mode is strongly recommended (numerous animated slides)
Dimitri Desmidt – NSBU Technical Product Manager

xx/xx/xxxx
Agenda

NSX-T Federation Positioning

Management
• Federation Components
• Management Flows

Security Use Cases
• Multi Locations / Simple and Central Configuration

Network Use Cases
• Supported Network Topologies from GM
• Terminology for T0 and T1
• Couple of Examples of Packet Walks L2 + L3

Other points
• Requirements / Licensing / Orchestration / Scale / Design Examples
NSX-T Federation Positioning
Each Data Center has Network and Security Needs

Each Data Center has:
• Local Network needs
• Local Security needs
• But also global Network and Security needs

(Diagram: a DLR and a DFW in each of Location-A, Location-B and Location-C, each hosting VMs)
NSX Federation
Operational Simplicity + Consistent Policy Configuration and Enforcement

(Diagram: a Global Manager with its UI/API pushes the global config to a Local Manager in each location. Location 1, Location 2 ... Location N+1 each run T1/T0 gateways and VMs on Hypervisors (ESXi/KVM). Networks and Security objects are shared across locations.)
Management
Federation Components
Multiple Locations View

• LM in each Location
• GM Active in One Location
• GM Standby in second Location
• Register LMs to GM

(Diagram: Global Manager Active Cluster and Global Manager Standby Cluster; Location 1, Location 2 and Location 3 each contain an LM Cluster, a vCenter, Hypervisors (ESXi/KVM) and Compute)


GM and LM Communication Flows
GM to LM Communication Flows

GM stores configuration and pushes configuration to the relevant LM.

Example with Network in 2 Locations (Loc1 + Loc2):
a. Admin pushes config to GM Active (UI/API), which synchronizes with GM Standby (Config Sync between GM)
b. GM pushes config to LM-Loc1 and LM-Loc2 (Config Push to relevant LM)

No push to LM-Loc3 because those objects are not in Loc3.

(Diagram: Global Manager Active Cluster and Standby Cluster above Location 1, Location 2 and Location 3, each with an LM Cluster, vCenter, Hypervisors (ESXi/KVM) and Compute)


GM and LM Communication Flows
LM to LM Communication Flows

New LM to LM communication channel.
• Group which spans Multiple Locations: each LM tells the remote LMs about its Dynamic Group members (Sync between LM)

(Diagram: Global Manager Active Cluster and Standby Cluster; LM in each of Location 1, 2 and 3, each with vCenter, Hypervisors (ESXi/KVM) and Compute. Group1 as seen by each LM: Loc1 = VM1 + VM2 + VM3, Loc2 = VM2 + VM1 + VM3, Loc3 = VM3 + VM1 + VM2)


Management
Federation UI

(Screenshot: Location Selector; Active/Standby Global Manager Clusters (new); Local Manager Clusters)
Management
Global and Local configuration

• Configuration to GM (configuration pushed down to LM)
• Configuration to LM always possible (configuration not pushed up to GM)

(Diagram: UI/API to GM on the Global Manager Active Cluster, synchronized to the Standby Cluster; UI/API to LM pushes local intent config directly to that LM Cluster. Location 1, 2 and 3 each with LM Cluster, vCenter, Hypervisors (ESXi/KVM) and Compute)


Security Use Cases
Security Use Cases
Simple and Central Security Policy Configuration

• GM groups can be Global, Region or Local
• Groups can be DYNAMIC, based on Tag or on any dynamic information
• Firewall rules can mix groups of different span

(Diagram: Global Manager UI/API above Location 1, 2 and 3. Global Services (DNS, NTP, …) with Tag1 span all locations; Region Services (AD, proxies, …) with Tag2 span a region; Local Services (Apps) with Tag3, Tag4 and Tag5 are local to Location 1, 2 and 3 respectively)
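The two mechanisms above, tag-based dynamic groups with a Global / Region / Local span and the LM-to-LM exchange of dynamic group members from the "LM to LM Communication Flows" slide, as an added example that is not part of this deck and not VMware code. The VM inventory, location names and tags are constructed; the group expression uses the NSX-T Policy API "Condition" shape (member_type / key / operator / value, with the "scope|tag" encoding) but is evaluated locally here, with no API calls. The LM-to-LM channel is modelled as a plain set union of what each LM in the span computed; that is a simplification of the real sync.

```python
"""Dynamic group membership across Federation locations (added example).

Models: (1) a GM group with a span and a tag-based expression,
(2) each LM computing members from its own inventory,
(3) LMs in the group's span exchanging their members so every LM
    ends up with the full membership (the LM-to-LM channel).
"""
from dataclasses import dataclass

LOCATIONS = ("Loc1", "Loc2", "Loc3")   # constructed location names


@dataclass(frozen=True)
class VM:
    name: str
    location: str
    tags: frozenset        # "scope|tag" strings, the NSX tag encoding


@dataclass
class Group:
    id: str
    span: tuple            # locations the GM pushes this group to
    expression: list       # Policy-API style Condition dicts, ANDed


def tag(scope, t):
    return f"{scope}|{t}"


def tag_condition(scope, t, operator="EQUALS"):
    """Shape of a Policy API Condition on a VM tag (only EQUALS/NOTEQUALS modelled)."""
    return {"resource_type": "Condition", "member_type": "VirtualMachine",
            "key": "Tag", "operator": operator, "value": tag(scope, t)}


def matches(vm, cond):
    if cond["member_type"] != "VirtualMachine" or cond["key"] != "Tag":
        raise ValueError(f"unsupported condition in this example: {cond}")
    hit = cond["value"] in vm.tags
    return hit if cond["operator"] == "EQUALS" else not hit


def local_members(group, inventory, location):
    """What the LM in `location` computes from its own inventory."""
    if location not in group.span:
        return set()       # GM never pushed this group to that LM
    return {vm.name for vm in inventory
            if vm.location == location
            and all(matches(vm, c) for c in group.expression)}


def federated_view(group, inventory):
    """Every LM in the span merges its own members with those advertised by
    the other LMs in the span. Returns {location: full membership}."""
    per_lm = {loc: local_members(group, inventory, loc) for loc in group.span}
    merged = set().union(*per_lm.values())
    return {loc: set(merged) for loc in group.span}


# Constructed inventory, tagged like the deck's Tag1 (global), Tag2 (region), Tag3..5 (local)
INVENTORY = [
    VM("dns-1", "Loc1", frozenset({tag("svc", "dns")})),
    VM("dns-2", "Loc2", frozenset({tag("svc", "dns")})),
    VM("dns-3", "Loc3", frozenset({tag("svc", "dns")})),
    VM("ad-1", "Loc1", frozenset({tag("svc", "ad")})),
    VM("ad-2", "Loc2", frozenset({tag("svc", "ad")})),
    VM("app-3", "Loc3", frozenset({tag("app", "web")})),
]

GROUPS = {
    "Global-DNS": Group("Global-DNS", LOCATIONS, [tag_condition("svc", "dns")]),
    "Region-AD": Group("Region-AD", ("Loc1", "Loc2"), [tag_condition("svc", "ad")]),
    "Local-App3": Group("Local-App3", ("Loc3",), [tag_condition("app", "web")]),
}


def views():
    """Membership of every group as seen by each LM in its span."""
    return {gid: federated_view(g, INVENTORY) for gid, g in GROUPS.items()}


if __name__ == "__main__":
    for gid, v in views().items():
        print(gid, {loc: sorted(m) for loc, m in v.items()})
```

The point worth noticing is the last function: a Local group is only ever evaluated and enforced by one LM, while a Global group's membership at any LM is the union of what all three LMs computed, which is why the LM-to-LM channel must be reachable (without NAT, see the Requirements slide) for global policy to stay consistent.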


Network Use Cases
Network Topologies from GM
Supported Topologies in NSX-T 3.1

Topologies T0 and T1:
• Span
  – Can be Local or Stretched
  – T1 span is equal to or a subset of the T0 span
  – T1 DR-Only span equals the attached T0 span
• Services
  – GW-NAT
  – GW-FW
  – IPv6
  – DHCP/DNS (See Notes)

Topologies Segment:
• Requires T0 or T1 connectivity for realization
• Span
  – Equals span of T0/T1

(Diagram, across Location 1, 2 and 3: T0-Not_Stretched with NAT and a Segment-Not_Stretched; T0-Stretched with NAT and a Segment-Stretched; T1-Not_Stretched with NAT and Segment-Not_Stretched under each; T1-Stretched with NAT and Segment-Stretched; T1-Stretched DR-Only with Segment-Stretched)
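The span rules of this slide as a pre-flight check, an added example that is not VMware code and not part of the deck. It takes a constructed, simplified intent (gateways with a span and, for a T1, its T0 and whether it is DR-only; segments with the gateway they attach to) and reports every violation. The real GM derives the DR-only T1 span and the segment span itself rather than letting you set them; the check mirrors those rules so that a customer orchestration (API, Terraform, Ansible, see the Orchestration slide) can fail before pushing anything. Location and object names are assumptions.

```python
"""Pre-flight check of a simplified GM network intent against the span rules (added example).

Rules checked (from the slide):
  - a T1 must be connected to a T0 and its span must be equal to or a subset of the T0 span;
  - a DR-only T1 (no SR, no NAT / GW-FW) has exactly its T0's span;
  - a segment is realized only with T0 or T1 connectivity and inherits that gateway's span.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Gateway:
    id: str
    tier: int                      # 0 or 1
    span: frozenset                # locations where the gateway is realized
    parent: Optional[str] = None   # connected T0 (T1 only)
    dr_only: bool = False          # T1 without SR, i.e. no services


@dataclass(frozen=True)
class Segment:
    id: str
    attached_to: Optional[str]     # T0 or T1 id; a segment has no span of its own


def segment_span(segment, gateways):
    """Span a segment inherits from the gateway it is attached to (empty = not realized)."""
    gw = {g.id: g for g in gateways}
    if segment.attached_to is None or segment.attached_to not in gw:
        return frozenset()
    return gw[segment.attached_to].span


def check_intent(gateways, segments):
    """Return the list of rule violations; an empty list means the intent is consistent."""
    gw = {g.id: g for g in gateways}
    errors = []
    for g in gateways:
        if g.tier != 1:
            continue
        t0 = gw.get(g.parent)
        if t0 is None or t0.tier != 0:
            errors.append(f"{g.id}: T1 must be connected to an existing T0")
            continue
        if not g.span <= t0.span:
            errors.append(f"{g.id}: span {sorted(g.span)} is not a subset of "
                          f"{t0.id} span {sorted(t0.span)}")
        if g.dr_only and g.span != t0.span:
            errors.append(f"{g.id}: DR-only T1 span must equal {t0.id} span {sorted(t0.span)}")
    for s in segments:
        if not segment_span(s, gateways):
            errors.append(f"{s.id}: segment needs T0 or T1 connectivity to be realized")
    return errors


# Constructed intent: two valid T1s, one T1 spilling outside its T0, one DR-only T1 too narrow,
# and an unattached segment.
SAMPLE_GATEWAYS = [
    Gateway("T0-Stretched", 0, frozenset({"Loc1", "Loc2"})),
    Gateway("T1-NAT-Loc1", 1, frozenset({"Loc1"}), parent="T0-Stretched"),
    Gateway("T1-DR", 1, frozenset({"Loc1", "Loc2"}), parent="T0-Stretched", dr_only=True),
    Gateway("T1-NAT-Bad", 1, frozenset({"Loc2", "Loc3"}), parent="T0-Stretched"),
    Gateway("T1-DR-Bad", 1, frozenset({"Loc2"}), parent="T0-Stretched", dr_only=True),
]
SAMPLE_SEGMENTS = [
    Segment("Seg-Stretched", "T1-DR"),      # inherits Loc1 + Loc2
    Segment("Seg-Loc1", "T1-NAT-Loc1"),     # inherits Loc1 only
    Segment("Seg-Orphan", None),            # never realized
]

if __name__ == "__main__":
    for err in check_intent(SAMPLE_GATEWAYS, SAMPLE_SEGMENTS):
        print("violation:", err)
    print("Seg-Stretched span:", sorted(segment_span(SAMPLE_SEGMENTS[0], SAMPLE_GATEWAYS)))
```

The subset test is deliberately `<=` and not `<`: a T1 with services may span every location of its T0, it simply cannot span a location the T0 does not reach.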
T0 and T1 Deployments
Terminology for T0 and T1 (1/2)

T0 and T1 Primary and Secondary Locations:
• With Locations Primary/Secondary (P/S)
  All Locations receive traffic from South (Segments and T1).
  1 single Location is Active to send traffic North for a destination.
• With Locations All Primaries (All_P)
  Note: Only supported for T0
  All Locations receive traffic from South (Segments and T1).
  All Locations are Active to send traffic North for a destination.

Note: North/South Routing is detailed in section “Routing Protocols (Dynamic and Static)”

(Diagram: T0 in Loc P/S and T1 in Loc P/S: two Edge Nodes primary in Location 1, two secondary in Location 2 and two secondary in Location 3. T0 Loc All_P: two Edge Nodes primary in each of Location 1, 2 and 3)
T0 and T1 Deployments
Terminology for T0 and T1 (2/2)

T0 and T1 Active and Standby within a Location:
• Active/Standby
  1 Edge Node Active, 1 Edge Node Standby
• Active/Active
  All Edge Nodes Active

(Diagram: T0 A/S and T1 A/S with NAT: one EN active and one EN standby in Location 1. T0 A/A: two EN active in Location 1)
Supported Network Topologies from GM
Supported T0-Stretched modes in NSX-T 3.1

Topologies T0:
• T0 Active/Standby in Locations Primary/Secondary
• T0 Active/Active in Locations Primary/Secondary
• T0 Active/Active in Locations All_Primaries (also called A/A Local_Egress)

(Diagram: T0 A/S in Loc P/S with NAT: EN1 prim-stby and EN2 prim-act in Location 1, EN3 sec-act and EN4 sec-stby in Location 2. T0 A/A in Loc P/S: EN1 and EN2 prim-act in Location 1, EN3 and EN4 sec-act in Location 2. T0 A/A in Loc All_P: EN1 to EN4 all prim-act across Location 1 and Location 2. Each location has ESXi hosts with VMs)
Supported Network Topologies from GM
Supported T1-Stretched modes in NSX-T 3.1

Topologies T1:
• T1 No Service: T1-DR only
• T1 with Service: T1-SR Active/Standby in Locations Primary/Secondary

(Diagram: T1 No Service: T1-Stretched, DR only, above a T0-Stretched, across ESXi hosts in Location 1 and Location 2. T1 with Service A/S in Loc P/S: T1-Stretched with NAT on EN1 prim-stby and EN2 prim-act in Location 1, EN3 sec-act and EN4 sec-stby in Location 2, above a T0-Stretched)
L2 Connectivity
Packet Walk

• Segment Stretching is offered by Edge Nodes (RTEP)
• Each Segment Stretching is offered by specific Edge Nodes in Active/Standby

Span of the Segment is driven by the T0/T1 it is attached to.

(Diagram, Logical View: Seg-Stretch segments attached to a T0/T1, each with an active and a standby Edge Node per location; VM1 and VM2 in Location 1, VM3 and VM4 in Location 2. Physical View: Edge Cluster 1 with EN1 active and EN2 standby in Location 1, Edge Cluster 2 with EN3 remote-act and EN4 remote-stby in Location 2, connected over RTEP on VNI 5002; ESXi1 with VM1 and VM2 on TEP VNI 5001 in Location 1, ESXi2 on TEP VNI 6003 in Location 2)
T0 (2/4) – T0 A/A in Locations Prim/Sec

• One specific Location primary active per destination.
• Within one location T0 Active/Active.

(Diagram, Physical View: Edge Cluster 1 with EN1 and EN2 prim-act in Location 1, Edge Cluster 2 with EN3 and EN4 sec-act in Location 2; each location has an Internet and a Storage uplink; ESXi1 hosts VM1, ESXi2 hosts VM2. Logical View: T0 A/A in Loc P/S with T0-SR on EN1 p-act, EN2 p-act, EN3 s-act, EN4 s-act; T0-DR and Tier1-DR_Only (T1-DR) in each location in front of VM1 and VM2)
T0 (2/4) – T0 A/A in Locations Prim/Sec
Packet Walk – Cases 1 to 4 (same Physical and Logical View as above)

In this example Location 1 is the primary location for the Internet destination and Location 2 for the Storage destination; the TEP/RTEP markers on the four diagrams show which tunnels each walk uses:
• Case1: VM-Site1 to Internet. TEP only: VM1 on ESXi1 reaches the Location 1 Edge Cluster (prim-act for this destination) and exits locally.
• Case2: VM-Site2 to Internet. TEP then RTEP: VM2 on ESXi2 reaches the Location 2 Edge Cluster (sec-act), which forwards over RTEP to the Location 1 Edge Cluster for egress.
• Case3: VM-Site1 to Storage. TEP then RTEP: VM1 reaches the Location 1 Edge Cluster, which forwards over RTEP to the Location 2 Edge Cluster, primary for that destination.
• Case4: VM-Site2 to Storage. TEP only: VM2 reaches the Location 2 Edge Cluster and exits locally.
Other points
Requirements

• Site to Site traffic
  – All GM and LM running NSX-T 3.1
  – Latency (RTT) < 150 ms between any two sites
  – IP + FW connectivity
    GM-LM and LM-LM: Connectivity without NAT + Allow Management traffic
    Edge Nodes: Connectivity without NAT + Allow Data Plane (RTEP traffic)
  – No WAN bandwidth requirement
    However, no congestion is recommended for the Management Plane (GM-LM and LM-LM traffic), and as little as possible for the Data Plane (Edge Nodes RTEP)
  – No WAN MTU requirement
    However, 1700+ is recommended to avoid Edge Node RTEP traffic fragmentation

• For Data Plane recovery
  – Public IP@ (advertised segments, NAT) must be advertisable from both locations
    In case of different Internet Providers (Verizon in Site-A and Orange in Site-B), both will advertise the Logical Networks. In such a case, be sure the public IP@ belong to the customer and not to the Internet Provider.
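A check for the two measurable requirements on this slide, RTT under 150 ms and a path that carries 1700-byte RTEP packets unfragmented, as an added example that is not VMware code. It parses the output of two Linux iputils `ping` runs per site pair: `ping -c 20 <peer>` for the RTT and `ping -c 3 -M do -s 1672 <peer>` for the MTU (1672 bytes of payload + 8 ICMP + 20 IPv4 = 1700 bytes on the wire, with DF set). The ping outputs below are constructed samples; the size arithmetic assumes IPv4; and the probes only prove something when they are sent from the Edge Node RTEP interfaces, not from a jump host on another path.

```python
"""Evaluate Federation site-to-site requirements from ping output (added example)."""
import re

RTT_LIMIT_MS = 150.0          # hard requirement from the slide
RTEP_MTU_RECOMMENDED = 1700   # recommendation from the slide
IPV4_ICMP_OVERHEAD = 28       # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_payload_for_mtu(mtu):
    """Value for `ping -s` so that the IPv4 packet on the wire is `mtu` bytes."""
    return mtu - IPV4_ICMP_OVERHEAD


def parse_rtt_avg_ms(ping_output):
    """Average RTT from the iputils summary line, or None when nothing was answered."""
    m = re.search(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/", ping_output)
    return float(m.group(1)) if m else None


def path_carries_df(ping_output):
    """True if DF-marked probes were answered and nobody reported a fragmentation need."""
    if re.search(r"[Ff]rag needed|message too long", ping_output):
        return False
    m = re.search(r"(\d+) packets transmitted, (\d+) received", ping_output)
    return bool(m) and int(m.group(2)) > 0


def check_site_pair(rtt_ping, mtu_ping):
    """Verdict for one site pair from its RTT run and its DF/MTU run."""
    rtt = parse_rtt_avg_ms(rtt_ping)
    return {
        "rtt_ms": rtt,
        "rtt_ok": rtt is not None and rtt < RTT_LIMIT_MS,
        "rtep_mtu_ok": path_carries_df(mtu_ping),
    }


# Constructed samples in iputils ping format
RTT_GOOD = """\
PING 10.2.0.10 (10.2.0.10) 56(84) bytes of data.
64 bytes from 10.2.0.10: icmp_seq=1 ttl=60 time=38.1 ms
64 bytes from 10.2.0.10: icmp_seq=2 ttl=60 time=37.9 ms

--- 10.2.0.10 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 37.900/38.000/38.100/0.100 ms
"""

MTU_BAD = """\
PING 10.2.0.10 (10.2.0.10) 1672(1700) bytes of data.
ping: local error: message too long, mtu=1500
ping: local error: message too long, mtu=1500

--- 10.2.0.10 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1020ms
"""

MTU_GOOD = """\
PING 10.2.0.10 (10.2.0.10) 1672(1700) bytes of data.
1680 bytes from 10.2.0.10: icmp_seq=1 ttl=60 time=38.4 ms

--- 10.2.0.10 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 38.400/38.400/38.400/0.000 ms
"""

if __name__ == "__main__":
    print("payload for 1700-byte probe:", ping_payload_for_mtu(RTEP_MTU_RECOMMENDED))
    print("site pair, 1500-byte WAN:", check_site_pair(RTT_GOOD, MTU_BAD))
    print("site pair, jumbo WAN:", check_site_pair(RTT_GOOD, MTU_GOOD))
```

A failed MTU probe does not block Federation (the slide makes no WAN MTU requirement), but it tells you in advance that every stretched-segment and cross-location T0 packet close to the full Geneve size will be fragmented by the Edge Node, which is the congestion and CPU cost the recommendation is trying to avoid.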
Licensing

• All LM must have Enterprise+ licenses
• GM checks that each LM has the correct license at the LM onboarding phase
Orchestration

NSX-T Federation can be 100% orchestrated:
• Via "VMware" 3rd-party orchestration:
  – VMware TKGI (former PKS)
  – vRA
  – vRO
  – VIO / OpenStack
  – vCD
  Each Orchestration solution is responsible to come with a “GM plugin”. Contact the Orchestration owner for details.
• Via "customer" orchestration:
  – Orchestration using NSX-T API
  – Orchestration using Terraform
  – Orchestration using Ansible
  – etc
Scale
Always check configmax.vmware.com for the latest and more information.
Design Examples (1/3)
Active/Standby Disaster Recovery

• Network and Security Centrally configured
  Gateways are Primary in Loc1
• In case of Location 1 failure
  – If GM Active is lost, activate GM Standby
  – Network Recovery for Location1 (if services on T0 and/or T1)
  – SRM recovers compute in Loc2 (not NSX related)

Important Note:
If there is no Service on T0/T1 (no GW-FW, no NAT), then the Network Service is automatically recovered: only Location2 is advertising the Blue subnet and North/South just works.
The example here has Services on T0 and/or T1, and the Network Service is recovered with the steps above.

(Diagram: Global Manager Active in Location 1 and Standby in Location 2, with a Local Manager in each; T1 with NAT and T0 with NAT are Primary in Loc1 and Secondary in Loc2. From the GM UI/API, "Gateways Loc1 Activation" / "Network Recovery" makes the T1 and T0 Primary in Loc2. VMs run on Hypervisors (ESXi/KVM) in both locations; SRM recovers them in Location 2)
Design Examples (2/3)
Active/Active Disaster Recovery

• Network and Security Centrally configured
  Some Gateways are Primary in Loc1, others in Loc2
• In case of Location 1 failure
  – If GM Active is lost, activate GM Standby
  – Network Recovery for Location1 (if services on T0 and/or T1)

Important Note:
If there is no Service on T0/T1 (no GW-FW, no NAT), then the Network Service is automatically recovered: only Location2 is advertising the Blue subnet and North/South just works.
The example here has Services on T0 and/or T1, and the Network Service is recovered with the steps above.

(Diagram: Global Manager Active in Location 1 and Standby in Location 2. One T1/T0 pair with NAT is Primary in Loc1 and Secondary in Loc2, and becomes Primary in Loc2 after "Gateways Loc1 Activation" / "Network Recovery" from the GM UI/API; the other T1/T0 pair with NAT is Secondary in Loc1 and Primary in Loc2 and is not affected. VMs run on Hypervisors (ESXi/KVM) in both locations)
Design Examples (3/3)
Active/Active Datacenters with Local egress

• Network and Security Centrally configured
  Gateways are Primary in Loc1 and Loc2
• Be careful:
  – Potential asymmetric routing
  – No local ingress done by NSX

(Diagram: Global Manager Active in Location 1 and Standby in Location 2, with a Local Manager in each; a T1 DR-Only above a T0 that is Primary in Loc1 and Primary in Loc2; VMs on Hypervisors (ESXi/KVM) in both locations)
Thank You