NSX-T Data Center Security

© 2019 VMware, Inc.


Importance
A primary objective of NSX-T Data Center is to provide a secure environment for your IT
operations. To this end, NSX-T Data Center includes features such as micro-segmentation,
distributed firewall, gateway firewall, and service insertion. Thorough understanding and proper
use of these features helps you create a secure environment.

© 2019 VMware, Inc. VMware NSX-T: Install, Configure, Manage | 8-2


Module Lessons
Lesson: NSX-T Data Center Micro-Segmentation
Lesson: NSX-T Data Center Distributed Firewall
Lesson: NSX-T Data Center Gateway Firewall
Lesson: NSX-T Data Center Service Insertion


NSX-T Data Center Micro-Segmentation


Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Identify the challenges associated with traditional data center security
• Describe the NSX-T micro-segmentation zero-trust security model
• Recognize micro-segmentation use cases
• Identify benefits of micro-segmentation
• Explain how to enforce the zero-trust model of micro-segmentation


Traditional Data Center Security
Traditional data centers face many security
challenges:
• Traditional security policies align with the
environment rather than with applications.
• Shared services can traverse tier boundaries
without being checked.
• Traditional segmentation does not prevent
lateral communication between workloads in
a tier.
• Low-priority systems are often targeted first.
• Attackers can move freely around the data
center and access valuable data.


Data Center Security Requirements
With built-in zero-trust at the most granular
level:
• Every VM can have:
— Individual firewalls
— Individual security policies
• Security policies can be based on:
— VM attributes
— Network attributes
— Application attributes
• Security controls can be applied to any
application:
— Service insertion and chaining
— Agentless antivirus


Micro-Segmentation in NSX-T Data Center
Micro-segmentation performs
several functions:
• Logically divides a data
center into distinct security
segments down to the
individual workload VM level
• Defines distinct controls and
security services
• Attaches the centrally
controlled and operationally
distributed firewalls directly to
each VM


Enforcing the Zero-Trust Security Model of Micro-Segmentation (1)

The zero-trust (least privilege) model trusts
nothing and verifies everything.
Micro-segmentation establishes a security
perimeter around each VM or container
workload with a dynamically defined policy.
To build a zero-trust model:
Step 1: Identify applications and their
boundaries.


Enforcing the Zero-Trust Security Model of Micro-Segmentation (2)
Step 2: Create micro-segments for applications to reduce their exposure to unnecessary network
traffic.


Enforcing the Zero-Trust Security Model of Micro-Segmentation (3)
Step 3: Secure through context.


Micro-Segmentation Use Cases
The main use cases of micro-segmentation in a
data center include:
• Critical application protection with micro-
segmentation
• Secure virtual desktop infrastructures and
mobile devices
• Agentless antivirus with Guest Introspection
• Dynamic security service insertion of third-
party solutions
• Creation of DMZs anywhere


Micro-Segmentation Benefits
Micro-segmentation operationalizes the zero-trust model for applications in NSX-T Data Center,
using isolation, segmentation, and advanced security services, such as partner service insertion,
service chaining, and traffic steering.
Micro-segmentation offers key business and functional benefits:
• Limits lateral movement within the data center
• Minimizes risks and the impact of security breaches
• Simplifies network traffic flows
• Uses existing infrastructure (network topology agnostic)
• Lowers capital expenditures and operating expenses
• Automates IT service delivery
• Securely enables business agility


Review Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Identify the challenges associated with traditional data center security
• Describe the NSX-T micro-segmentation zero-trust security model
• Recognize micro-segmentation use cases
• Identify benefits of micro-segmentation
• Explain how to enforce the zero-trust model of micro-segmentation


NSX-T Data Center Distributed Firewall


Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Identify types of firewalls in NSX-T Data Center
• Describe features of distributed firewalls
• Create firewall policies
• Configure firewall rules for policies
• Configure firewall rule attributes: domains, groups, services, and profiles
• Describe distributed firewall architecture
• Explain how distributed firewalls operate on ESXi and KVM hosts


NSX-T Data Center Firewalls (1)
NSX-T Data Center includes two types of firewalls: the distributed firewall (east-west) and the
gateway firewall (north-south).
A distributed firewall is a hypervisor, kernel-embedded stateful firewall:
• It resides outside the VM guest OS.
• It controls the I/O path to and from the vNIC.
• It monitors the state of active connections and uses this information to determine which
packets traverse the VM vNIC.


NSX-T Data Center Firewalls (2)
The gateway firewall, also known as the perimeter firewall, protects traffic to and from physical
environments:
• It is similar to the port-based firewall and applies to Tier-0 and Tier-1 Gateway nodes.
• NSX gateways must be backed by an NSX Edge cluster.
• Destination NAT and source NAT rules are implemented on uplink and back plane interfaces of
the service router (SR).
• The gateway firewall is implemented only on the uplink of Tier-0 and Tier-1 Gateway nodes.


Features of the Distributed Firewall
The distributed firewall provides visibility and
control for virtualized workloads and networks.

Its main features include:
• Centralized configuration through the NSX
Manager simplified UI
• Layer 2 stateless firewall rules
• Layer 3 stateless and stateful firewall rules
• Context-aware (layer 7) firewall rules
• Identity Firewall for virtual desktops and
virtual user sessions


Distributed Firewall: Key Concepts (1)
Several key concepts apply to distributed firewalls:
• Domain: A logical construct representing a security zone with all rules and groups
• Security policy: A collection of firewall rules and service configurations
• Firewall rule: Set of instructions that determine whether a packet should be allowed or blocked


Distributed Firewall: Key Concepts (2)

• Group: A construct with multiple objects statically or dynamically pooled together. Groups are
used in firewall rules to specify the source and destination fields.
• Service: Defines a port and protocol combination and is used to specify the type of traffic to be
blocked or allowed in firewall rules.
• Context profile: Inspects the layer 7 application content of packets to allow or deny them.


Creating a Domain
A domain is a collection of workloads and communication rules that are related to each other
through some business criteria:
• The domain defines the scope of security policies.
• The preconfigured default domain represents the entire NSX-T Data Center environment.
• Additional domains can be added as needed.


Security Policy Overview
A security policy is a structure that encompasses various security elements, including firewall
rules and service configurations.


Distributed Firewall Policy
A Distributed Firewall policy is a collection of firewall rules applied to east-west traffic.
The NSX Manager simplified UI enables you to group distributed firewall rules into different
categories.


Configuring Distributed Firewall Policies (1)
A firewall policy is made up of one or more firewall rules, which contain specific instructions for
handling various types of traffic.
A policy can contain stateful or stateless rules for enforcement.
Policies are enforced in top-to-bottom order.


Configuring Distributed Firewall Policies (2)
Firewall rules are processed in top-to-bottom order:
• You can move rules up and down within a policy.
• The first match triggers rule enforcement.
• Packets that match no rule are handled by the default catch-all rule, which applies to all workloads.


Configuring Distributed Firewall Policy Settings
When creating a new Distributed Firewall policy, you specify settings such as TCP Strict, Stateful,
Locked, and so on.


Creating Distributed Firewall Rules
Rules are a set of criteria used to evaluate traffic flows. They contain instructions that determine
whether a packet should be allowed or blocked.


Configuring Distributed Firewall Rule Parameters
A firewall rule includes parameters such as source, destination, service, context profile, logging,
and tag, and defines which action should be taken on a rule match.


Specifying Sources and Destinations for a Rule
When specifying Sources and Destinations for a firewall rule, you can use an IP or MAC
address, or an object (such as a group). If you do not specify these parameters, they match to
Any.


Creating Groups
A group defines a collection of assets on which security policies can be applied.
A group can contain VMs, vNICs, logical segments, logical ports, IP and MAC addresses, AD
user groups, and so on.


Adding Members and Member Criteria for a Group
Groups can be defined by using static or dynamic membership criteria:
• Static group inclusion criteria apply to VMs, logical ports, IP sets, MAC sets, AD user groups,
and nested groups.
• Dynamic group inclusion for VMs can be based on tags, machine names, OS names, or
computer names.
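The following is an added example, not part of the VMware course material, that models how a group's effective membership is resolved from the membership styles listed above: static members, dynamic criteria (tag, machine name, OS name) that are ANDed within a group, and nested groups. The VM inventory, the "scope|tag" tag notation, the group names and the criteria helpers are all constructed for illustration; in the product the NSX Manager performs this resolution.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

@dataclass(frozen=True)
class VM:
    name: str            # machine name as shown in the inventory
    os_name: str         # guest OS name reported by the hypervisor
    tags: frozenset      # tags written as "scope|tag" (a labelling convention used here)

# Constructed inventory; the names, OS strings and tags are sample data.
INVENTORY: List[VM] = [
    VM("web-01", "Ubuntu Linux (64-bit)", frozenset({"tier|web", "app|shop"})),
    VM("web-02", "Ubuntu Linux (64-bit)", frozenset({"tier|web", "app|shop"})),
    VM("db-01", "Ubuntu Linux (64-bit)", frozenset({"tier|db", "app|shop"})),
    VM("vdi-07", "Microsoft Windows 10 (64-bit)", frozenset({"role|desktop"})),
]

Criterion = Callable[[VM], bool]

@dataclass
class Group:
    name: str
    static_members: Set[str] = field(default_factory=set)    # statically pooled VM names
    criteria: List[Criterion] = field(default_factory=list)  # dynamic criteria, ANDed
    nested: List[str] = field(default_factory=list)          # names of nested groups

def tag_equals(value: str) -> Criterion:
    return lambda vm: value in vm.tags

def name_starts_with(prefix: str) -> Criterion:
    return lambda vm: vm.name.startswith(prefix)

def os_contains(fragment: str) -> Criterion:
    return lambda vm: fragment.lower() in vm.os_name.lower()

def resolve(group_name: str, groups: Dict[str, Group], inventory: List[VM],
            seen: frozenset = frozenset()) -> Set[str]:
    """Return the effective membership of a group as a set of VM names.
    Static members, VMs matching every dynamic criterion, and the members of
    nested groups are unioned. 'seen' holds the groups on the current path so
    that a nested-group cycle terminates instead of recursing forever."""
    if group_name in seen:
        return set()
    seen = seen | {group_name}
    group = groups[group_name]
    members = set(group.static_members)
    if group.criteria:
        members |= {vm.name for vm in inventory if all(c(vm) for c in group.criteria)}
    for child in group.nested:
        members |= resolve(child, groups, inventory, seen)
    return members

# Constructed group definitions covering each membership style from the slide.
GROUPS: Dict[str, Group] = {
    "Web-Tier": Group("Web-Tier", criteria=[tag_equals("tier|web")]),
    "DB-Tier": Group("DB-Tier", static_members={"db-01"}),
    "Shop-App": Group("Shop-App", nested=["Web-Tier", "DB-Tier"]),
    "Windows-Desktops": Group("Windows-Desktops",
                              criteria=[os_contains("Windows"), name_starts_with("vdi-")]),
}

if __name__ == "__main__":
    for name in GROUPS:
        print(f"{name:17} -> {sorted(resolve(name, GROUPS, INVENTORY))}")
```

Because membership is recomputed from the inventory, a VM that gains or loses a tag moves between groups without any rule being edited; the cycle guard matters because nested groups are a common source of accidental self-reference in large policies.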


Viewing the Configured Groups
In the NSX Manager simplified UI, you can view the list of groups and their locations.


Specifying Services for a Rule
When configuring distributed firewall rules, you specify one or more services, such as HTTP,
ICMP, SSH, and so on.


Predefined and User-Created Services
The NSX Manager simplified UI
includes an extensive list of
predefined services. You cannot
modify or delete these services.
You can create additional
services to meet your
communication requirements.


Adding a Context Profile to a Rule
You can apply a context profile to a distributed firewall rule to enable a layer 7 firewall.


Predefined and User-Created Context Profiles
NSX Manager includes a list of predefined context profiles.
You can also configure custom context profiles for your firewall rules.


Configuring Context Profile Attributes
When creating a context profile, you configure two attributes: application ID and domain name.
After the context profile is created, you can apply it to your distributed firewall rules.


Setting the Scope of Rule Enforcement
The Applied To attribute optimizes the resource utilization on the ESXi and KVM hosts. It also
helps in defining targeted policies at specific zones or tenants without affecting the policy defined
on other zones or tenants.


Specifying Distributed Firewall Settings
You configure distributed firewall rules settings, such as logging, direction, IP Protocol, tag, and
so on.


Filtering the Display of Firewall Rules
For easier firewall rule management, you can use filters to display a list only of rules of interest.
You can filter rules by policy name, rule name, policy path, rule path, domain, source, destination,
service, and action.


Determining the Default Firewall Behavior
Whitelist and blacklist define the default firewall behavior.
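The following is an added example, not part of the VMware course material, that ties together the rule-processing behaviour described in this lesson: top-to-bottom first-match evaluation (Configuring Distributed Firewall Policies), port-and-protocol services (Specifying Services for a Rule), the Applied To scope that installs a rule only on selected vNICs (Setting the Scope of Rule Enforcement), the default catch-all rule in whitelist versus blacklist mode, and stateful tracking that lets reply traffic pass without a rule match. The rule set, addresses, flows and the `VnicFirewall` class are constructed for illustration; the whitelist and blacklist labels are read here as "unmatched traffic is dropped" and "unmatched traffic is allowed" respectively.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple
import ipaddress

@dataclass(frozen=True)
class Service:
    protocol: str                  # "tcp", "udp" or "icmp"
    port: Optional[int] = None     # destination port; None for ICMP

HTTP, SSH, MYSQL, ICMP = Service("tcp", 80), Service("tcp", 22), Service("tcp", 3306), Service("icmp")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    name: str
    sources: Tuple[str, ...]        # CIDRs, or ("any",)
    destinations: Tuple[str, ...]
    services: Tuple[Service, ...]   # empty tuple = any service
    action: str                     # "ALLOW", "DROP" or "REJECT"
    applied_to: Optional[Tuple[str, ...]] = None   # VM names whose vNICs get the rule; None = all
    logged: bool = False

def in_any(addr: str, cidrs: Tuple[str, ...]) -> bool:
    if "any" in cidrs:
        return True
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def service_matches(pkt: Packet, services: Tuple[Service, ...]) -> bool:
    if not services:
        return True
    return any(s.protocol == pkt.protocol and (s.port is None or s.port == pkt.dport)
               for s in services)

class VnicFirewall:
    """The filter instance enforced on one VM's vNIC."""

    def __init__(self, vm_name: str, rules: List[Rule], default_allow: bool, stateful: bool = True):
        # Applied To: only rules scoped to this VM (or to everything) are installed here.
        self.rules = [r for r in rules if r.applied_to is None or vm_name in r.applied_to]
        self.default_allow = default_allow    # True = blacklist default, False = whitelist default
        self.stateful = stateful
        self.connections: Set[Tuple] = set()  # flows allowed by an earlier rule match
        self.log: List[Tuple[str, str, Packet]] = []

    def evaluate(self, pkt: Packet) -> str:
        # Stateful enforcement: the reply of an allowed connection passes without a rule lookup.
        if self.stateful and (pkt.dst, pkt.src, pkt.protocol, pkt.dport, pkt.sport) in self.connections:
            return "ALLOW"
        for rule in self.rules:                          # top-to-bottom, first match wins
            if (in_any(pkt.src, rule.sources) and in_any(pkt.dst, rule.destinations)
                    and service_matches(pkt, rule.services)):
                if rule.logged:
                    self.log.append((rule.name, rule.action, pkt))
                if rule.action == "ALLOW" and self.stateful:
                    self.connections.add((pkt.src, pkt.dst, pkt.protocol, pkt.sport, pkt.dport))
                return rule.action
        return "ALLOW" if self.default_allow else "DROP"   # default catch-all rule

# Constructed policy: a web tier, a database tier and a management network.
RULES = [
    Rule("Allow-Web-In", ("any",), ("10.10.1.0/24",), (HTTP,), "ALLOW"),
    Rule("Allow-Web-to-DB", ("10.10.1.0/24",), ("10.10.2.0/24",), (MYSQL,), "ALLOW",
         applied_to=("db-01",)),
    Rule("Allow-Mgmt-SSH", ("10.0.0.0/24",), ("any",), (SSH,), "ALLOW", logged=True),
]

def verdicts() -> Dict[str, str]:
    """Evaluate constructed flows on several vNIC firewalls and return the verdicts."""
    db_fw = VnicFirewall("db-01", RULES, default_allow=False)
    web_fw = VnicFirewall("web-01", RULES, default_allow=False)
    lax_fw = VnicFirewall("db-01", RULES, default_allow=True)
    stateless_fw = VnicFirewall("db-01", RULES, default_allow=False, stateful=False)
    query = Packet("10.10.1.5", "10.10.2.5", "tcp", sport=40000, dport=3306)
    reply = Packet("10.10.2.5", "10.10.1.5", "tcp", sport=3306, dport=40000)
    ssh_from_web = Packet("10.10.1.5", "10.10.2.5", "tcp", sport=40001, dport=22)
    out = {
        "db-01: web->db mysql": db_fw.evaluate(query),
        "db-01: mysql reply, stateful": db_fw.evaluate(reply),
        "db-01: web->db ssh, whitelist default": db_fw.evaluate(ssh_from_web),
        "db-01: web->db ssh, blacklist default": lax_fw.evaluate(ssh_from_web),
        "web-01: web->db mysql, rule not applied to web-01": web_fw.evaluate(query),
    }
    stateless_fw.evaluate(query)
    out["db-01: mysql reply, stateless"] = stateless_fw.evaluate(reply)
    return out

if __name__ == "__main__":
    for scenario, verdict in verdicts().items():
        print(f"{verdict:5} {scenario}")
```

Two results are worth noting when reading the output: the same MySQL query is allowed on db-01 but dropped on web-01, because Applied To never installed the rule there, and the reply to an allowed query is dropped by the stateless instance, which is why a stateless policy needs explicit return-traffic rules.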


Viewing the Default Firewall Rules
You can view the default firewall behavior (whitelist or blacklist) on the Advanced Network &
Security tab.


Distributed Firewall Architecture
The steps in the high-level distributed firewall workflow:
1. Users configure distributed firewall policies through the NSX
Manager simplified UI.
2. These policies are processed by the policy role.
3. Distributed firewall policies are then pushed to the manager
role.
4. The manager role forwards the distributed firewall rule
configuration to the central control plane (CCP).
5. The CCP stores the distributed firewall configuration in the
transport nodes, which configure the data path accordingly.
6. NSX Manager polls rule statistics and status from the
transport nodes, using the management plane agent (MPA).


Distributed Firewall Architecture: ESXi
On an ESXi host, the distributed firewall
includes several components:
• nsx-proxy: Retrieves the configuration
changes from the CCP and configures data
path modules
• Data path modules:
– VSIP: Receives firewall rules and
downloads them on each VM’s vNIC
– VDPI: Performs L7 packet inspection
• Stats Exporter: Collects flow records from the
distributed firewall data plane kernel modules
and generates rules statistics
• MPA: Passes rules statistics and real-time
data to the management plane


Distributed Firewall Architecture: KVM
On a KVM host, the distributed firewall includes
several components:
• nsx-proxy: Retrieves configuration changes
from the CCP and configures data path
modules
• Data path modules:
– OVS: Handles stateless rules
– Conntrack: Tracks established
connections for stateful rules
– VDPI: Performs L7 packet inspection
• Stats Exporter: Collects flow records and
generates rules statistics
• MPA: Passes rules statistics and real-time
data to the management plane


Lab: Configuring the NSX Distributed Firewall
Create NSX distributed firewall rules to allow or deny application traffic
1. Prepare for the Lab
2. Test the IP Connectivity
3. Create IP Set Objects
4. Create Firewall Rules
5. Create an Intratier Firewall Rule to Allow SSH Traffic
6. Create an Intratier Firewall Rule to Allow MySQL Traffic
7. Prepare for the Next Lab


Review of Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Identify types of firewalls in NSX-T Data Center
• Describe features of distributed firewalls
• Create firewall policies
• Configure firewall rules for policies
• Configure firewall rule attributes: domains, groups, services, and profiles
• Describe distributed firewall architecture
• Explain how distributed firewalls operate on ESXi and KVM hosts


NSX-T Data Center Gateway Firewall


Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Describe the functions of the gateway firewall
• Explain the purpose of a gateway policy
• Create gateway firewall policies and rules
• Describe the gateway firewall architecture


About NSX-T Data Center Gateway Firewall
Characteristics of the gateway firewall:
• A stateful firewall for north-south traffic
• Independent of distributed firewall from policy
configuration and enforcement perspective
• Implemented per NSX gateway node and
supported at both Tier-0 and Tier-1
• Applied to uplinks on Tier-0 or Tier-1
Gateways backed by an NSX Edge cluster
• A centralized service requiring the SR
component of the router
• Supports stateless and stateful firewall rules


Gateway Firewall on Tier-0 Gateway for Perimeter Protection
The Tier-0 Gateway firewall can be used as a perimeter firewall at the virtual and physical
boundary.


Gateway Firewall Policy
A Gateway Firewall policy is made up of one or more individual firewall rules and is applied to
north-south traffic.
Gateway policies can be applied to Tier-0 and Tier-1 Gateways and their interfaces.


Predefined Gateway Firewall Categories
The gateway firewall includes predefined categories under the ALL SHARED RULES tab, where
rules across all gateways are visible.
You can change the category names by using the API.


Configuring the Gateway Firewall Policy Settings
To create a Gateway Firewall policy, you assign a policy name, specify the domain, and configure
the settings.


Configuring Firewall Rules


Configuring Gateway Firewall Rules Settings
You can specify the logging, direction, and IP protocol settings for the gateway firewall rule. A
firewall rule must be published for it to take effect.


Gateway Firewall Architecture
You can add gateway firewall rules to Tier-1 or Tier-0 Gateways. The NSX Edge transport node
receives the gateway firewall configuration and enforces the rules on the traffic.


Lab: Configuring the NSX Gateway Firewall
Configure and test the NSX gateway firewall rules to control north-south traffic
1. Prepare for the Lab
2. Test SSH Connectivity
3. Configure an Edge Firewall Rule to Block External SSH Requests
4. Test the Effect of the Configured Gateway Firewall Rule
5. Prepare for the Next Lab


Review of Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Describe the functions of the gateway firewall
• Explain the purpose of a gateway policy
• Create gateway firewall policies and rules
• Describe the gateway firewall architecture


NSX-T Data Center Service Insertion


Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Identify types of service insertion
• Explain how north-south service insertion works for Network Introspection
• Explain how east-west service insertion works for Network Introspection
• Describe how Endpoint Protection works
• Recognize use cases for Endpoint Protection


About Service Insertion
Service Insertion enables users to seamlessly
add third-party network and security services at
various points throughout the network.
Service Insertion includes Network
Introspection and Endpoint Protection:
• Network Introspection examines the network
by offering services such as IDS, IPS, and
next-generation firewall.
• Endpoint Protection examines guest VMs
from inside by offering services such as
antivirus and antimalware solutions.


About Network Introspection
NSX-T Data Center supports both north-south
and east-west service insertion for Network
Introspection.
Network Introspection enables third-party
services to examine north-south or east-west
traffic passing through a gateway and to take
appropriate actions.
Using the provided framework and APIs,
technology partners can integrate their network
and security solutions with NSX-T Data Center.
Partner services typically provide advanced
security features such as IDS, IPS, next-
generation firewall, URL filtering, and so on.


North-South Network Introspection Overview
The north-south partner security service is
typically inserted at the data center perimeter,
between tenant boundaries, or between
containers.
The insertion points are the uplinks of the Tier-0
or Tier-1 Gateway.
The L2 insertion mode of partner services is
supported.
A partner service virtual machine (SVM) is
deployed close to the NSX Edge node.
Policy-based routing redirection is used for
north-south traffic.


Configuring North-South Network Introspection
To set up a service insertion for Network Introspection:
1. Register a partner’s service:
• Service registration makes a service available in the catalog.
• Partners use APIs to register their services with the NSX Manager simplified UI.
2. Deploy a service instance:
• Instances of a registered service can be deployed using the NSX Manager simplified UI.
• Users can select the appropriate Tier-0 or Tier-1 Gateway and host on which to deploy the
SVM.
3. Configure traffic redirection:
• Redirection rules can be configured from the NSX Manager simplified UI or API.
• Classification and redirection occur for traffic entering the uplink interface of the Tier-0 or
Tier-1 Gateway.


Registering a Partner Service
Before a partner security service is available to a security policy, it must be registered with NSX-T
Data Center with an API call or partner CLI.


Deploying a Partner Service Instance
You select the partner service from the catalog and specify instance parameters:
• The service instance must be deployed on a host that is a transport node.
• The service instance is commonly deployed on the same host as the NSX Edge node.
• Each SVM can only be applied to one gateway.
• NSX Manager creates and attaches segments to the gateway and the SVM.


Configuring Traffic Redirection to Partners
After you deploy the partner service instance, you can create a north-south Network Inspection
policy.
The Network Inspection policy determines the type of traffic the gateway redirects to the partner
service.
Redirection rules are stateless.
Reflexive redirection rules are automatically created and applied to the return traffic.


East-West Network Introspection Overview
Partner SVMs for East-West Network Introspection can be deployed either on compute hosts or
in a service cluster.
Common use cases are VM-integrated next-generation firewall and micro-segmentation.
Insertion points are at each guest VM’s vNIC.


Configuring East-West Network Introspection
Steps for configuring east-west Network Introspection:


Registering Partner Services
Partners must register their services with NSX-T Data Center using the API. Registered services
are listed in the Catalog tab.


Deploying an Instance of a Registered Service
When deploying a partner service, you specify values for several settings, including Service
Deployment Name, Compute Manager, Cluster, Datastore, Networks, Service Segments.


Creating a Service Profile for East-West Network Introspection
A service profile is a specific instantiation of a vendor template.
You can customize attributes of a vendor template to create an instance of the template.


Creating Service Chains
A service chain specifies the sequence of service profiles applied to network traffic.


Configuring Redirection Rules
After a service chain is created, it can be used in a redirection rule.
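The following is an added example, not part of the VMware course material, that models two points made in this lesson: redirection rules are stateless, so a reflexive rule with source and destination swapped is generated for the return traffic (Configuring Traffic Redirection to Partners), and a redirected flow traverses a service chain, the ordered list of service profiles (Creating Service Chains, Configuring Redirection Rules). The partner names, vendor templates, chain, rule set, the do-not-redirect exemption and the assumption that return traffic takes the chain in reverse order are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple
import ipaddress

@dataclass(frozen=True)
class ServiceProfile:
    partner: str            # registered partner service the profile belongs to
    vendor_template: str    # vendor template the profile instantiates

@dataclass(frozen=True)
class ServiceChain:
    name: str
    forward: Tuple[ServiceProfile, ...]   # profiles applied, in order, to forward traffic

@dataclass(frozen=True)
class RedirectRule:
    name: str
    sources: Tuple[str, ...]        # CIDRs; "0.0.0.0/0" stands for any
    destinations: Tuple[str, ...]
    chain: ServiceChain
    redirect: bool = True           # False models a do-not-redirect exemption
    is_return: bool = False         # set on the automatically generated reflexive rule

def reflexive(rule: RedirectRule) -> RedirectRule:
    """The return-traffic rule: same chain and action, source and destination swapped."""
    return RedirectRule(rule.name + "-reflexive", rule.destinations, rule.sources,
                        rule.chain, rule.redirect, is_return=True)

def expand(rules: List[RedirectRule]) -> List[RedirectRule]:
    """Effective rule table: every configured rule immediately followed by its
    reflexive rule, so the administrator's ordering is preserved."""
    table = []
    for rule in rules:
        table.append(rule)
        table.append(reflexive(rule))
    return table

def _in_any(addr: str, cidrs: Tuple[str, ...]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs)

def classify(src: str, dst: str, table: List[RedirectRule]) -> Optional[Tuple[str, List[str]]]:
    """First-match classification of a flow entering the insertion point.
    Returns (chain name, partner profiles in traversal order) when the flow is
    redirected, or None when it is exempted or matches no rule. Return traffic
    is assumed here to traverse the chain in reverse order."""
    for rule in table:
        if _in_any(src, rule.sources) and _in_any(dst, rule.destinations):
            if not rule.redirect:
                return None
            order = [p.partner for p in rule.chain.forward]
            return (rule.chain.name, order[::-1] if rule.is_return else order)
    return None

# Constructed partners, chain and rules.
IPS = ServiceProfile("PartnerA-IPS", "ips-default")
NGFW = ServiceProfile("PartnerB-NGFW", "ngfw-strict")
PERIMETER = ServiceChain("Perimeter-Inspection", (IPS, NGFW))
RULES = [
    # Backup traffic from the management network bypasses inspection.
    RedirectRule("Exempt-Backup", ("10.0.0.0/24",), ("10.10.0.0/16",), PERIMETER, redirect=False),
    # Everything else reaching the web tier is steered through the chain.
    RedirectRule("Inspect-Web-In", ("0.0.0.0/0",), ("10.10.1.0/24",), PERIMETER),
]
TABLE = expand(RULES)

if __name__ == "__main__":
    for flow in [("203.0.113.7", "10.10.1.5"), ("10.10.1.5", "203.0.113.7"),
                 ("10.0.0.9", "10.10.1.5"), ("203.0.113.7", "10.10.2.5")]:
        print(flow, "->", classify(*flow, TABLE))
```

Placing each reflexive rule directly after its parent keeps the exemption ahead of the broad inspection rule in both directions; if the reflexive rules were appended at the end of the table instead, return traffic of an exempted flow could fall through to a later redirect rule.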


Endpoint Protection Overview and Use Cases
Endpoint Protection is a process of constantly
looking deep into the OS and file data,
providing visibility into in-guest events.

NSX-T Data Center supports the following
capabilities for Guest Introspection:
• Integration and offloading to third-party
services
• Policy-based agentless antivirus and
antimalware protection
• Protection for Windows VMs running on
vSphere


Endpoint Protection Process
Steps in the Endpoint Protection process:
1. Modules for Endpoint Protection are installed on hosts as part of host preparation.
2. The partner’s integrated service is deployed as a SVM.
3. The administrator defines Endpoint Protection policies for the VMs.
4. The partner SVM uses the Endpoint Protection API library to introspect and protect guest VMs
from malware.


Automatic Policy Enforcement for New VMs
Endpoint Protection policies are automatically
applied and enforced when a new VM is added.
Automatic policy enforcement follows these
steps:
1. A new ESXi host is added to the cluster.
2. NSX-T Data Center automatically deploys
the Endpoint Protection framework and
SVMs.
3. When a new guest VM comes online on the
host, appropriate security policies are
applied.
4. The security policies follow the VM even
when the VM migrates (vMotion).


Automated Virus or Malware Quarantine with Tags Example
Endpoint Protection policies and tags can be used to automatically quarantine compromised
workloads.
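The following is an added example, not part of the VMware course material, that walks through the tag-based quarantine described on this slide and the policy-follows-the-VM behaviour from the previous one: a partner Endpoint Protection SVM reports a finding, the VM receives a tag, a group whose only membership criterion is that tag picks it up, and a quarantine policy ordered ahead of the application policy takes over until the tag is removed. The tag name, the `Finding` event shape, the policy names and the choice to release a VM on a clean verdict are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed tag; in a deployment the administrator and partner agree on the tag name.
QUARANTINE_TAG = "security|quarantine"

@dataclass
class VM:
    name: str
    host: str                      # ESXi host currently running the VM
    tags: Set[str] = field(default_factory=set)

@dataclass(frozen=True)
class Finding:
    """Constructed shape of an Endpoint Protection event reported by a partner SVM."""
    vm_name: str
    verdict: str                   # "malware" or "clean"

def apply_findings(inventory: List[VM], findings: List[Finding]) -> List[str]:
    """Tag VMs the SVM reports as infected and untag VMs it reports clean again
    (releasing on a clean verdict is this example's policy choice).
    Returns the names of VMs whose tags changed."""
    by_name: Dict[str, VM] = {vm.name: vm for vm in inventory}
    changed = []
    for f in findings:
        vm = by_name.get(f.vm_name)
        if vm is None:
            continue               # event for a VM not in this inventory: skip it
        before = set(vm.tags)
        if f.verdict == "malware":
            vm.tags.add(QUARANTINE_TAG)
        elif f.verdict == "clean":
            vm.tags.discard(QUARANTINE_TAG)
        if vm.tags != before:
            changed.append(vm.name)
    return changed

def quarantine_group(inventory: List[VM]) -> Set[str]:
    """Dynamic group whose single membership criterion is 'tag equals QUARANTINE_TAG'."""
    return {vm.name for vm in inventory if QUARANTINE_TAG in vm.tags}

def effective_policy(vm: VM, quarantined: Set[str]) -> str:
    """A quarantine policy ordered ahead of the application policy wins for
    members of the quarantine group; every other VM keeps its normal policy."""
    return "Quarantine-Isolate" if vm.name in quarantined else "Application-Baseline"

def vmotion(vm: VM, new_host: str) -> VM:
    """Moving the VM changes only its host; tags (and hence policy) travel with it."""
    vm.host = new_host
    return vm

if __name__ == "__main__":
    inventory = [VM("app-01", "esxi-01"), VM("app-02", "esxi-01")]
    apply_findings(inventory, [Finding("app-02", "malware")])
    vmotion(inventory[1], "esxi-02")
    members = quarantine_group(inventory)
    for vm in inventory:
        print(vm.name, vm.host, effective_policy(vm, members))
```

The point the model makes is that no firewall rule is touched during an incident: the detection only changes a VM attribute, and the group and policy that were defined in advance do the rest, on whichever host the VM lands.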


Creating a Service Profile for Endpoint Protection
Endpoint Protection service profiles define the level of protection for a group of workloads.
Services profiles are created from a template provided by the partner.


Configuring Endpoint Protection Rules
Administrators can create rules to associate a service profile to a specific VM or group of VMs.


Review of Learner Objectives
After completing this lesson, you should be able to meet the following objectives:
• Identify types of service insertion
• Explain how north-south service insertion works for Network Introspection
• Explain how east-west service insertion works for Network Introspection
• Describe how Endpoint Protection works
• Recognize use cases for Endpoint Protection


Key Points (1)
• Micro-segmentation enables an organization to logically divide its data center into distinct
security segments down to the individual workload level.
• Micro-segmentation defines distinct controls and security services, and attaches the centrally
controlled and operationally distributed firewalls directly to each VM.
• NSX-T Data Center micro-segmentation supports a zero-trust architecture for IT security. It
establishes a security perimeter around each VM or container workload with a dynamically
defined policy.
• The distributed firewall is a hypervisor kernel-embedded stateful firewall.
• The distributed firewall resides outside the VM guest OS, controls the I/O path to and from the
vNIC, and monitors the state of active connections. The distributed firewall uses this
information to determine which packets traverse the VM vNIC.


Key Points (2)
• The gateway firewall, also known as the perimeter firewall, protects traffic to and from physical
environments.
• NSX-T Data Center provides the framework and APIs that allow service insertion partners to
integrate their security solutions with NSX-T Data Center.
• Network Introspection examines the network by offering services such as IDS, IPS, and next-
generation firewall.
• Endpoint Protection examines inside guest VMs by offering services such as antivirus and
antimalware solutions, vulnerability management, data security, and data loss prevention
solutions.
Questions?
