
A Deep Dive into VMware NSX

NSX Seminar Series (Whiteboarding)

John Kuan
Sales Director
© 2014 VMware Inc. All rights reserved.
CISO Top of Mind
• Mitigate Risk
• Ensure Compliance
• Simplify Operations

Internal Security Approaches are Inadequate
Security realities by the numbers
• ~3 months: average time attackers dwelled in the network in 2018 [1]
• $3.86M: average cost of a data breach in 2018 [2]
• #1: stolen credentials were the most common type of breach in 2018 [3]
• 75: average number of security products in an environment [4]

[1] https://content.fireeye.com/m-trends
[2] 2018 Data Breach Investigations Report, Verizon
[3] 2018 Data Breach Investigations Report, Verizon
[4] https://www.csoonline.com/article/3042601/defense-in-depth-stop-spending-start-consolidating.html

VMware security portfolio (diagram)
• NSX IDS/IPS + NDR (Lastline); NSX IDS/IPS replacing the internal firewall, FWaaS in H2
• NSX ALB (Avi)
• Carbon Black + Workspace ONE (WS1, SSO) + AirWatch
• Cloud Web Security + SD-WAN (H2), SASE POP
• VMware Log Insight
Everything is connected to the Internet…
(diagram: Traditional Networking & Security: Internet, DMZ, MPLS, VMware ESXi)
Let’s start now…

I have this new application that needs a new 3-tier network… I wonder how fast IT can come back with my request?
Traditional Networking & Security
The network guy: Well, this is easy…
1. Creating VLANs (web – 101, app – 102, db – 103)
2. VLAN trunking on the physical cable
3. Routing
Traditional Networking & Security
Is it done?
Yes, my job is done. But you need to talk to security and Infra.
???
Traditional Networking & Security
4. Configure vSwitch and uplink
5. Create port groups (PG) to map the web, app and db VLANs
6. Create VMs and connect them to the PGs
Is it done?
Yes, my job is done. But you need to talk to security.
??????
Traditional Networking & Security
Hey, you there?
What do you want?
My VMs are live but can’t ping other VMs, why?
Pls submit the request form and the ports required and we will review and configure as needed.
WT… Let me call AWS!
Traditional Networking & Security
7. Configure firewall rules
I hope I did it right the first time…
Done now?
Ya, pls try…
Nope, still not working…
Hmm… You sure? Hang on…
WT…
Traditional Networking & Security
Oh, I forgot some ports… That’s why Dev still can’t get things working… LOL
Hey, the Dev guy just walked through and he looks pissed…
Of coz… LOL
LOL
LOL :D
Coffee?
Traffic Flow – Web to App VM (traditional design)
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
Flow: S 10.1.1.1 → D 10.1.2.1 through the vSwitch, the physical network and the gateways 10.1.1.254 / 10.1.2.254
5 hops for one-way communication
Traffic Flow – Web to App VM via Load Balancer (traditional design)
App00 (load balancer): VIP 10.1.100.10/24, GW 10.1.100.254
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
App02: IP 10.1.2.2/24, GW 10.1.2.254
Flow: S 10.1.1.1 → D 10.1.100.10 (VIP), then from the VIP to App01 / App02
9 hops for one-way communication
Hey, can you find out why my application is running slow?
Of coz… It’s Infra.
No, it’s Network.
LOL!!! It can’t be network. It could be lousy coding.
Coffee?
Let’s transform…
NSX provides a faithful reproduction of network & security services in software:
• Switching
• Routing
• Firewalling
• Load Balancing
• VPN
• Connectivity to Physical
Decoupling from hardware…
(diagram: the same topology with ESXi / NSX DC taking over the network & security services; gateways 10.1.1.254 / 10.1.2.254 unchanged)
Configuring NSX: Day 1
My turn…
1. Create a VLAN for the overlay (transport) network
2. Configure the transport network
The network guy: Well, this is easy… Even easier… Just creating ONE VLAN for transporting the overlay network (virtual network). LOL!
Day 2: Creating Network & Security like a VM
1. Create a PG (virtual network) without a VLAN
2. Create the VM and connect it to the PG
IP addressing remains the same and is transparent to the app (Web01 10.1.1.1/24, GW 10.1.1.254; App01 10.1.2.1/24, GW 10.1.2.254)
Let’s examine traffic flow with NSX
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
Flow: S 10.1.1.1 → D 10.1.2.1
0 hops for one-way communication when both VMs sit on the same host (routing happens in the ESXi kernel)
1 hop for one-way communication when the VMs sit on different hosts
Wait… What happened to my load balancer?
Let’s examine traffic flow with NSX
NSX Load Balancer / Avi Networks with WAF
App00: VIP 10.1.2.10/24, GW 10.1.2.254 (the load balancer now sits on the app segment; the old VIP 10.1.100.10/24, GW 10.1.100.254 is gone)
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
App02: IP 10.1.2.2/24, GW 10.1.2.254
Flow: S 10.1.1.1 → D 10.1.2.10
Cool… My application performance now increases by 5x. Can I have HA for the load balancer? Is it complex and costly?
Let’s examine traffic flow with NSX
One click to enable HA (NSX Load Balancer / Avi Networks with WAF; same addressing as above)
Wait… What happened to the firewall? You can’t just remove my firewall…
Firewall is now distributed (enforced at each VM’s vNIC by ESXi / NSX DC; same addressing as above)
Firewall is with ATP (IDPS and NDR)
Distributed IDS/IPS on ESXi / NSX DC (same addressing as above)
That really sounds crazy… 1 firewall for every VM?
No, it’s centrally managed, and a firewall filter will be created on every vNIC.
How about performance?
It only writes the firewall rules to the vNICs of the VMs concerned. Unlike a traditional firewall, where every packet had to go through the 3000 rules we had in the past. Performance is up to 20Gbps throughput.
Cool! How about securing VMs versus virus/malware?
Microsegmentation
Virus/malware spreads easily in a traditional networking & security design
Web01: IP 10.1.1.1/24, GW 10.1.1.254
Web02: IP 10.1.1.2/24, GW 10.1.1.254
(Web01 and Web02 share a VLAN, so traffic between them is switched locally and never passes through the perimeter firewall) ???
NSX Micro-segmentation with Zero Trust
Default rule: Source: Any | Destination: Any | Port: Any | Action: Block (every flow must be explicitly allowed; firewall logs are sent to VMware Log Insight)
Web01: IP 10.1.1.1/24, GW 10.1.1.254
Web02: IP 10.1.1.2/24, GW 10.1.1.254
We have invested so much in other advanced security solutions. Can we integrate them?
Deploying Security On-Demand
1. Create policy templates
2. Build rich security groups and firewall rules
3. Apply security groups to app blueprints
(NSX Manager and the CMP drive the deployment of VMs and of the network & security rules)

Automated Security with Service Composer
Quarantine vulnerable systems until remediated:
• Security Group = Quarantine Zone; Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
• Security Group = Desktop VMs
(diagram: Cloud Management, Service Composer, Software Defined Data Center, virtual network)
Multi-tenant | Why Not?
(diagram) App 1 … App N, each with Web-Tier, App-Tier and DB-Tier on NSX logical switches; NSX distributed routing between the tiers; NSX Edge routing and load balancing towards the VLAN / physical user network
• ECMP with HA design
• NAT, FW, VPN at the Edge
Multi-tenant | Why Not?
(diagram: App 1 … App N, each with Web-, App- and DB-Tier, all on the same ESXi / NSX DC hosts)
DMZ Anywhere | Why Not?
(diagram) App 1 … App N with Web-, App- and DB-Tier; a DMZ-Tier placed in front of the App-Tier on the same ESXi / NSX DC hosts, each with its own Edge:
• ECMP with HA design
• NAT, FW, VPN
On-Demand Application Deployment
• VMs connect to virtual networks (Web-Tier, App-Tier, DB-Tier)
• Virtual networks connect to physical workloads
• Security enforcement at the vNIC level
• With physical services integration
• Driven from the Cloud Management Platform
On-Demand Application Deployment
Application Continuity
(diagram: App 1 stretched across two ESXi / NSX DC sites over MPLS)

Application Continuity – Disaster Recovery
VMware SRM – orchestrate the disaster recovery process
(diagram: App 1 Web-, App- and DB-Tier replicated from one ESXi / NSX DC site to the other over MPLS)
A Deep Dive into VMware NSX
NSX Seminar Series
John Kuan, Nov 26th 2019
Creating Sophisticated Application Topologies
(diagram: Web-Tier, App-Tier, DB-Tier)
• VMs connect to virtual networks
• Virtual networks connect to physical workloads
• Security enforcement at the vNIC level
• With physical services integration
Topology Deployed in Demo: the same three-tier topology
Agenda
1. NSX Components
2. Switching
3. Routing
4. Security
5. Services
6. Putting it all Together


NSX Components
• Cloud Consumption: self-service portal; vCloud Automation Center, OpenStack, custom CMS
• Management Plane – NSX Manager: single configuration portal; REST API entry-point
• Control Plane – NSX Controller: manages logical networks; control-plane protocol; separation of control and data plane
• Data Plane – NSX Edge and the distributed services (Logical Switch, Distributed Firewall, Logical Router) running as hypervisor kernel modules in ESXi: high-performance data plane; scale-out distributed forwarding model
• Physical Network
Deploying VMware NSX
Component deployment (one time):
1. Deploy NSX Manager
2. Deploy NSX Controller Cluster
NSX preparation steps (one time):
1. Host preparation
2. Logical network preparation
Logical network / security services (recurring):
1. Deploy logical switches per tier
2. Deploy a Distributed Logical Router, or connect to an existing one
3. Create a bridged network
Consumption: programmatic virtual network deployment (NSX Manager, NSX Edge, virtual infrastructure, logical networks)
Agenda – 2. Switching
NSX Logical Switching
(diagram: Logical Switch 1, 2, 3 on VMware NSX)
Challenges:
• Per application / multi-tenant segmentation
• VM mobility requires L2 everywhere
• Large L2 physical network sprawl – STP issues
• HW memory (MAC, FIB) table limits
Benefits:
• Scalable multi-tenancy across the data center
• Enabling L2 over L3 infrastructure
• Overlay based with VXLAN, STT, GRE, etc.
• Logical switches span across physical hosts and network switches
De-mystifying Overlay Networks
Encapsulated packet: Outer L2 Frame | Outer IP HDR | UDP HDR | VXLAN HDR | original MAC HDR + L2 Frame
1. VM sends a standard L2 frame
2. Source hypervisor (VTEP) adds VXLAN, UDP & IP headers
3. Physical network forwards the frame as a standard IP frame
4. Destination hypervisor (VTEP) de-encapsulates the headers
5. Original L2 frame delivered to the VM
Myths about Overlay Networks

1 Software-based Overlays have performance limitations

2 Lack of visibility in software overlay networks

3 Cannot integrate physical workloads into a software overlay


Performance & Logical Networks
Myth 1: Software-based overlays have performance limitations
(chart: send / receive throughput, y-axis 0–20000, VXLAN vs Bridge)
A VXLAN-based overlay and a native bridged network have identical performance characteristics
No additional impact due to encap/de-cap of overlay traffic
Providing Visibility in Overlay Networks
Myth 2: Lack of visibility in software overlay networks
Tools in your chest:
• Traffic flow visibility: IPFIX / NetFlow, flow monitoring
• Traffic analysis per VM: RSPAN/ERSPAN (VM traffic), packet capture and Wireshark plugins for VXLAN
• Network inventory, fault management: NSX Manager, SNMP (MIBs for ports, switches, etc.)
• Auditing: multi-level logging, event tracking & syslog export
• Transport (overlay) health: NSX Manager connectivity check, NSX Controller central CLI, per-host CLI
Full visibility to traffic in the network
Connecting to Physical Workloads
Myth 3: Cannot integrate physical workloads into a software overlay
• Virtual bridge: VXLAN ↔ VLAN to physical workloads
• ToR VTEP: VXLAN ↔ VLAN to physical workloads
High-performance connectivity to physical workloads
Logical View: VMs in a Single Logical Switch
• Web LS 172.16.10.0/24: VM1 172.16.10.11, VM2 172.16.10.12, VM3 172.16.10.13
• App LS 172.16.20.0/24: VM4 172.16.20.11, VM5 172.16.20.12
Physical View: VMs in a Single Logical Switch
Transport Subnet A 192.168.150.0/24 | Transport Subnet B 192.168.250.0/24
VM1 172.16.10.11, VM2 172.16.10.12, VM3 172.16.10.13 on Logical Switch 5001
vSphere Distributed Switch; host VTEPs 192.168.150.51, 192.168.150.52, 192.168.250.51
Physical Network
Physical Infrastructure & Logical Switching
• The physical network must support 1600-byte MTU frames (VXLAN adds 50 bytes of outer Ethernet, IP, UDP and VXLAN headers to every frame)
• NSX removes the dependency on a multicast-based network fabric
• Unicast mode works without any dependency on the physical infrastructure
• Hybrid or multicast mode provide efficient replication for multicast and unicast VM traffic
Agenda – 3. Routing
NSX Layer 3 Routing: Distributed, Feature-Rich
(diagram: Tenant A, B, C with their L2 segments, driven from the CMP; VM to VM routed traffic flow)
Challenges:
• Physical infrastructure scale challenges – routing scale
• VM mobility is a challenge
• Multi-tenant routing complexity
• Traffic hair-pins
Benefits:
• Distributed routing in the hypervisor
• Dynamic, API based configuration
• Full featured – OSPF, BGP, IS-IS
• Logical router per tenant
• Routing peering with the physical switch
SCALABLE ROUTING – Simplifying Multi-tenancy

Logical View: VMs in a Single Logical Switch (as above)
• Web LS 172.16.10.0/24: VM1 172.16.10.11, VM2 172.16.10.12, VM3 172.16.10.13
• App LS 172.16.20.0/24: VM4 172.16.20.11, VM5 172.16.20.12
Logical View: VMs with Distributed Routing
• Web LS 172.16.10.0/24: VM1 172.16.10.11, VM2 172.16.10.12, VM3 172.16.10.13; DLR interface 172.16.10.1
• App LS 172.16.20.0/24: VM4 172.16.20.11, VM5 172.16.20.12; DLR interface 172.16.20.1
• Distributed Logical Router service; uplink 192.168.10.1 on 192.168.10.0/29
Physical View: VMs in a Single Logical Switch (as above: VM1–VM3 on Logical Switch 5001; host VTEPs 192.168.150.51, 192.168.150.52, 192.168.250.51 in transport subnets 192.168.150.0/24 and 192.168.250.0/24)
Physical View: Logical Routing
Transport Subnet A 192.168.150.0/24 | Transport Subnet B 192.168.250.0/24
VM1, VM2, VM3 on Logical Switch 5001; VM4, VM5 on Logical Switch 5002
vSphere Distributed Switch; host VTEPs 192.168.150.51, 192.168.150.52, 192.168.250.51; NSX Controller in the Management Cluster
Physical Network
Legend: L3 control plane programming (Controller to hosts); data plane: logical switching and routing in the hypervisor kernel
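The five encapsulation steps from "De-mystifying Overlay Networks" and the distributed-routing view above, as an added Python model. This is example code written for this page, not NSX code and not from the deck. The VNIs (5001, 5002), subnets, DLR interface addresses and VTEP IPs are the deck's; every MAC address, the DLR vMAC and which host each VM runs on are assumptions chosen here so the three cases can be shown: same logical switch across hosts, different logical switches on the same host (routed in the kernel, no encapsulation), and different logical switches across hosts (routed, then encapsulated with the destination switch's VNI).

```python
"""Constructed model of NSX-style distributed routing plus VXLAN encapsulation.
VNIs, subnets, DLR interface IPs and VTEP IPs are taken from the slides; every MAC address
and the VM-to-host placement are assumptions made for this example."""
import ipaddress
import struct
import zlib

VXLAN_UDP_PORT = 4789
VXLAN_OVERHEAD = 14 + 20 + 8 + 8  # outer Ethernet + IPv4 + UDP + VXLAN header = 50 bytes


def mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", ""))


# Logical switches: VNI -> (subnet, DLR logical interface = the VMs' default gateway)
LOGICAL_SWITCHES = {
    5001: (ipaddress.ip_network("172.16.10.0/24"), "172.16.10.1"),  # Web LS
    5002: (ipaddress.ip_network("172.16.20.0/24"), "172.16.20.1"),  # App LS
}
DLR_VMAC = mac("02:50:56:56:44:52")  # assumed: one DLR vMAC, identical on every host

# VM inventory (assumed MACs and placement): IP -> (MAC, VNI, VTEP of the hosting hypervisor)
VMS = {
    "172.16.10.11": (mac("00:50:56:00:00:11"), 5001, "192.168.150.51"),  # VM1
    "172.16.10.12": (mac("00:50:56:00:00:12"), 5001, "192.168.150.52"),  # VM2
    "172.16.10.13": (mac("00:50:56:00:00:13"), 5001, "192.168.250.51"),  # VM3
    "172.16.20.11": (mac("00:50:56:00:00:14"), 5002, "192.168.150.51"),  # VM4
    "172.16.20.12": (mac("00:50:56:00:00:15"), 5002, "192.168.250.51"),  # VM5
}
VTEP_MACS = {  # assumed VTEP MACs, one per hypervisor
    vtep: mac("00:1c:73:00:00:%02x" % i)
    for i, vtep in enumerate(sorted({host for _, _, host in VMS.values()}), 1)
}


def ipv4_checksum(header):
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def inner_frame(src_mac, dst_mac, src_ip, dst_ip, payload, ttl=64):
    """Step 1: the VM-visible L2 frame (Ethernet II + IPv4 protocol 253 + payload)."""
    return dst_mac + src_mac + b"\x08\x00" + ipv4_header(src_ip, dst_ip, 253, len(payload), ttl) + payload


def vxlan_encap(vni, src_vtep, dst_vtep, inner):
    """Step 2: the source VTEP wraps the frame in VXLAN + UDP + IP + outer Ethernet."""
    vxlan_hdr = struct.pack("!B3xI", 0x08, vni << 8)  # I flag set (VNI valid); VNI in the top 24 bits
    udp_len = 8 + len(vxlan_hdr) + len(inner)
    src_port = 49152 + zlib.crc32(inner[:34]) % 16384  # hash of inner headers gives the fabric ECMP entropy
    udp_hdr = struct.pack("!HHHH", src_port, VXLAN_UDP_PORT, udp_len, 0)  # zero checksum allowed for VXLAN over IPv4
    outer_ip = ipv4_header(src_vtep, dst_vtep, 17, udp_len, 64)
    outer_eth = VTEP_MACS[dst_vtep] + VTEP_MACS[src_vtep] + b"\x08\x00"
    return outer_eth + outer_ip + udp_hdr + vxlan_hdr + inner


def vxlan_decap(frame):
    """Step 4: the destination VTEP validates the outer headers and returns (VNI, original L2 frame)."""
    outer_ip = frame[14:34]
    if outer_ip[0] != 0x45 or outer_ip[9] != 17 or ipv4_checksum(outer_ip) != 0:
        raise ValueError("not a plain IPv4/UDP packet or bad header checksum")
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", frame[34:42])
    if dst_port != VXLAN_UDP_PORT or udp_len != len(frame) - 34:
        raise ValueError("not VXLAN or truncated")
    flags, vni_field = struct.unpack("!B3xI", frame[42:50])
    if not flags & 0x08:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, frame[50:]


def route_frame(src_ip, dst_ip, payload):
    """What the source host's kernel does with a frame from src_ip to dst_ip.

    Same logical switch: plain L2 forwarding. Different logical switch: the DLR instance on this
    very host routes it (MAC rewrite, TTL-1) and selects the destination switch's VNI. Only when
    the destination VM lives on another host is the result VXLAN-encapsulated towards its VTEP."""
    src_mac, src_vni, src_host = VMS[src_ip]
    dst_mac, dst_vni, dst_host = VMS[dst_ip]
    if src_vni == dst_vni:
        inner, vni = inner_frame(src_mac, dst_mac, src_ip, dst_ip, payload), src_vni
    else:
        dst_subnet, _ = LOGICAL_SWITCHES[dst_vni]
        if ipaddress.ip_address(dst_ip) not in dst_subnet:
            raise ValueError("no DLR route for %s" % dst_ip)
        # The VM addressed the frame to its gateway MAC; the DLR puts its own vMAC as source,
        # resolves the destination VM on the other logical switch and decrements the TTL.
        inner, vni = inner_frame(DLR_VMAC, dst_mac, src_ip, dst_ip, payload, ttl=63), dst_vni
    if src_host == dst_host:
        return {"vni": vni, "encapsulated": False, "next_hop_vtep": None, "frame": inner}
    return {"vni": vni, "encapsulated": True, "next_hop_vtep": dst_host,
            "frame": vxlan_encap(vni, src_host, dst_host, inner)}


if __name__ == "__main__":
    result = route_frame("172.16.10.11", "172.16.20.12", b"hello")  # VM1 -> VM5: routed, cross-host
    vni, original = vxlan_decap(result["frame"])
    print("VNI %d via VTEP %s, overhead %d bytes" % (vni, result["next_hop_vtep"], len(result["frame"]) - len(original)))
```

The 50-byte difference between the encapsulated and the original frame is why the physical fabric needs a 1600-byte MTU, and the UDP source port derived from the inner headers is what lets an L3 fabric spread one VNI's flows across ECMP paths while keeping each flow on a single path.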
Example: Enterprise Routing Topology
External Network → Physical Router → (routing peering over the VLAN 20 uplink) → NSX Edge → (VXLAN 5020 uplink) → Distributed Routing → Web1/App1/DB1, Web2/App2/DB2, … Webn/Appn/DBn

Example: Multi Tenant Routing Topology
External Network → NSX Edge → (routing peering) → VXLAN 5020 uplink to Tenant 1 LR Instance 1 and VXLAN 5030 uplink to Tenant 2 LR Instance 2; each tenant has its own Web, App and DB logical switches
What have we seen thus far ..
1. An on-demand application deployment
2. Logical Switching Configuration
3. Understand Overlay Networks
4. Logical Routing
5. Examples of Designs
Agenda – 4. Security
NSX Distributed Firewalling
(diagram: physical security model with a central firewall and its own management vs distributed firewalling driven from the CMP through the NSX API)
Challenges:
• Centralized firewall model
• Static configuration
• IP address based rules
• 40 Gbps per appliance
• Lack of visibility with encapsulated traffic
Benefits:
• Distributed at the hypervisor level
• Dynamic, API based configuration
• VM name, vCenter objects, identity-based rules
• Line rate ~20 Gbps per host
• Full visibility to encapsulated traffic
Distributed Firewall Features
(diagram: VM1, VM2 on Web-LS1; VM4, VM5 on App-LS1; vSphere Distributed Switch; hosts 192.168.150.51, 192.168.150.52, 192.168.250.51; Management Cluster)
Capabilities:
• Firewall rules are enforced at the vNIC level
• Policy independent of location (L2 or L3 adjacency)
• State persistent across vMotion
• Enforcement based on VM attributes like tags, VM names, logical switch, etc.
NSX Distributed Firewall Performance
Test setup:
• Two hypervisors with two VMs each (VM1, VM2 and VM3, VM4)
• Two 10G physical NICs per server
• VM1 talks to VM3 & VM2 talks to VM4
CPS measurement:
• 80K CPS with 100+ rules per host
• A typical virtual appliance does ~6K CPS per VM
• A physical appliance performs 300K – 400K CPS per appliance
Throughput measurement:
• 20Gbps per host of firewall performance with negligible CPU impact
Distributed Firewall Rules
(diagram as above: VM1, VM2 on Web-LS1; VM4, VM5 on App-LS1)
• Rules based on VM names
• Rules based on logical switches
Example: Building a Web DMZ
Client to Web: HTTPS traffic from the external network to the Web-Tier; Web to App: TCP/8443; traffic between the web VMs is stopped

Source | Destination | Service | Policy
Web-VM1 | Web-VM2 | Any | Block
Any | Web-Tier LS | HTTPS | Allow
Any | Web-Tier LS | Any | Block
Web-Tier LS | App-Tier LS | TCP 8443 | Allow
Any | App-Tier LS | Any | Block

Rules are evaluated top-down and the first match wins, so the Web-VM1 → Web-VM2 block must stay above the HTTPS allow rule; placed below it, HTTPS between the two web VMs would be allowed.
Distributed Firewalling

Deploying Security On-Demand
1. Create policy templates
2. Build rich security groups and firewall rules
3. Apply security groups to app blueprints
(NSX Manager and the CMP drive the deployment of VMs and of the network & security rules)

Automated Security with Service Composer
Quarantine vulnerable systems until remediated:
• Security Group = Quarantine Zone; Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
• Security Group = Desktop VMs
(diagram: Cloud Management, Service Composer, Software Defined Data Center, virtual network)
Policy-based Security Enforcement
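The Web DMZ rule table and the Service Composer quarantine group above, as an added Python model of how a rule table with object-based selectors and a tag-driven security group behaves. This is example code written for this page, not NSX's rule engine or API. The rule rows are the slide's; the VM inventory, the selector syntax ("vm:", "ls:", "sg:"), the quarantine rules placed above the application rules, and the per-vNIC rule filter (an approximation of the DFW "Applied To" behaviour) are assumptions made here. It also carries the Zero Trust default rule (any/any/any block) from the micro-segmentation slide.

```python
"""Constructed model of NSX DFW rule evaluation and Service Composer-style dynamic groups.
The rule table is the Web DMZ example from the slide; the VM inventory, the selector syntax
and the quarantine rule placement are assumptions for this example."""
from dataclasses import dataclass, replace
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    logical_switch: Optional[str]           # None: a client outside the NSX overlay
    tags: frozenset = frozenset()           # security tags, e.g. set by an AV partner


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                                # "any" | "vm:<name>" | "ls:<logical switch>" | "sg:<group>"
    dst: str
    service: Optional[Tuple[str, int]]      # (protocol, port) or None for any service
    action: str                             # "allow" | "block"


INVENTORY: Dict[str, VM] = {  # constructed inventory
    "Client": VM("Client", "203.0.113.10", None),
    "Web-VM1": VM("Web-VM1", "172.16.10.11", "Web-Tier"),
    "Web-VM2": VM("Web-VM2", "172.16.10.12", "Web-Tier"),
    "App-VM1": VM("App-VM1", "172.16.20.11", "App-Tier"),
}

# Security groups with dynamic membership: evaluated at lookup time, so tagging a VM
# changes its effective policy without any edit to the rule table.
SECURITY_GROUPS: Dict[str, Callable[[VM], bool]] = {
    "Quarantine": lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags,
}

WEB_DMZ_RULES: List[Rule] = [  # the slide's table, top to bottom
    Rule("web-intra-block", "vm:Web-VM1", "vm:Web-VM2", None, "block"),
    Rule("client-to-web-https", "any", "ls:Web-Tier", ("tcp", 443), "allow"),
    Rule("web-default-block", "any", "ls:Web-Tier", None, "block"),
    Rule("web-to-app-8443", "ls:Web-Tier", "ls:App-Tier", ("tcp", 8443), "allow"),
    Rule("app-default-block", "any", "ls:App-Tier", None, "block"),
]
QUARANTINE_RULES: List[Rule] = [  # assumed: placed above the application rules
    Rule("quarantine-out", "sg:Quarantine", "any", None, "block"),
    Rule("quarantine-in", "any", "sg:Quarantine", None, "block"),
]
ZERO_TRUST_DEFAULT = Rule("zero-trust-default", "any", "any", None, "block")


def in_selector(selector: str, vm: VM) -> bool:
    kind, _, value = selector.partition(":")
    if kind == "any":
        return True
    if kind == "vm":
        return vm.name == value
    if kind == "ls":
        return vm.logical_switch == value
    if kind == "sg":
        return SECURITY_GROUPS[value](vm)
    raise ValueError("unknown selector %r" % selector)


def evaluate(rules, src: VM, dst: VM, proto: str, port: int) -> Tuple[str, str]:
    """Top-down, first match wins; the zero-trust default catches everything else."""
    for rule in list(rules) + [ZERO_TRUST_DEFAULT]:
        if (in_selector(rule.src, src) and in_selector(rule.dst, dst)
                and (rule.service is None or rule.service == (proto, port))):
            return rule.action, rule.name
    raise AssertionError("unreachable: the default rule matches every flow")


def rules_for_vnic(rules, vm: VM) -> List[str]:
    """Approximates DFW 'Applied To': only rules in which this VM can appear as source or
    destination are programmed on its vNIC, so a packet never walks the whole table."""
    return [r.name for r in rules if in_selector(r.src, vm) or in_selector(r.dst, vm)]


def tagged(vm: VM, tag: str) -> VM:
    """The same VM after a security tag has been applied to it."""
    return replace(vm, tags=vm.tags | {tag})


if __name__ == "__main__":
    client, web1, web2, app1 = (INVENTORY[n] for n in ("Client", "Web-VM1", "Web-VM2", "App-VM1"))
    policy = QUARANTINE_RULES + WEB_DMZ_RULES
    print(evaluate(policy, client, web1, "tcp", 443))
    print(evaluate(policy, web1, web2, "tcp", 443))
    print(evaluate(policy, tagged(web1, "ANTI_VIRUS.VirusFound"), app1, "tcp", 8443))
```

Swapping the first two rows of the table turns the Web-VM1 → Web-VM2 block into an allow for HTTPS, which is the ordering mistake the model makes visible; and once Web-VM1 carries the ANTI_VIRUS.VirusFound tag, the quarantine rules match it in both directions even though its web-to-app rule is still present.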
Agenda – 5. Services
VMware NSX Load Balancing
(diagram: Tenant A VM1–VM3 and Tenant B VM1–VM2 on L2 segments behind an L3 load balancer)
Challenges:
• Application mobility
• Multi-tenancy
• Configuration complexity – manual deployment model
Benefits:
• On-demand load balancer service
• Simplified deployment model for applications – one-arm or inline
• Layer 7, SSL, …
LOAD BALANCER – Per Tenant Application Availability Model
Load Balancing Logical View
• One-arm load balancing mode: VIP 172.16.10.10 on Web LS 172.16.10.0/24 next to the servers .11, .12, .13; gateway 172.16.10.1. The Edge is not in the servers’ forwarding path, so it source-NATs client traffic to its own address to make the return traffic come back through the VIP.
• Inline load balancing mode: VIP 192.168.100.3 on the Edge, which is also the gateway 172.16.20.1 for Web LS 172.16.20.0/24 with servers .11, .12, .13; servers see the real client address.
Physical View: Logical Routing (as above: VM1–VM3 on Logical Switch 5001, VM4–VM5 on Logical Switch 5002; host VTEPs 192.168.150.51, 192.168.150.52, 192.168.250.51; Management Cluster)
Physical View: Logical Load Balancing
Transport Subnet A 192.168.150.0/24 | Transport Subnet B 192.168.250.0/24
Edge Services Gateway VM (load balancer) deployed alongside VM1–VM3 on Logical Switch 5001 and VM4–VM5 on Logical Switch 5002
vSphere Distributed Switch; host VTEPs 192.168.150.51, 192.168.150.52, 192.168.250.51; Management Cluster
Physical Network
NSX Logical VPN Services
• VPN services are delivered as a service via the Edge
• Site to site over the Internet / WAN: interoperable with IPsec; IPsec clients
• Hardware offload for performance
• L2 VPN: the ability to extend L2 across sites for an active-active DC, inter-DC or to a public cloud
Agenda – 6. Putting it all Together
VMware NSX – Deployment Use Cases
(diagram: Dev X, Test X, Acquisition A, Dev A)
Self-Service IT Automation:
• Examples: DevOps cloud; on-boarding M&A
• Key capabilities: application specific networking; flexible IP address management; simplified consumption
Data Center:
• Examples: micro-segmentation of apps; simplifying compute silos; DMZ deployments
• Key capabilities: programmatic consumption; full featured stack; visibility and ops
Public Clouds:
• Examples: XaaS clouds; vertical clouds
• Key capabilities: multi-tenant deployment; programmatic L2, L3, security; overlapping IP addressing
Any hypervisor, any CMP
Imagine the Possibilities… Build a Flexible Infrastructure
1. Install the network fabric: spine, cable plant
2. Deploy infrastructure services: VMware NSX, CMS (NSX REST API, CMP)
3. Connect rack utilities: network uplinks, power
4. Auto-provision top of rack switches: image is loaded, IP, L3 fabric
5. Auto-deploy hypervisors: drivers, NSX components
Just “Rack N’ Roll”
6. Deploy applications from the CMP: VMs, logical networks and security
7. Add capacity on demand
What’s Next…
• Play: VMware NSX Hands-on Labs – labs.hol.vmware.com
• Learn: Network Virtualization Blog – blogs.vmware.com/networkvirtualization; NSX Landing Page – www.vmware.com/go/nsx
• Deploy: NSX Technical Resources – www.vmware.com/products/nsx/resources.html; Reference Designs; Whitepapers
Thank You
John Kuan
jkuan@vmware.com
