John Kuan
Sales Director
© 2014 VMware Inc. All rights reserved.
CISO Top of Mind
• Mitigate Risk
• Ensure Compliance
• Simplify Operations
Internal Security Approaches are Inadequate
Security realities by the numbers
• ~3 months: average number of months attackers dwelled in the network in 2018 [1]
• $3.86M: average cost of a data breach in 2018 [2]
• #1: stolen credentials were the most common type of breach in 2018 [3]
• 75: average number of security products in an environment [4]
[1] https://content.fireeye.com/m-trends
[2] 2018 Data Breach Investigations Report, Verizon
[3] 2018 Data Breach Investigations Report, Verizon
[4] https://www.csoonline.com/article/3042601/defense-in-depth-stop-spending-start-consolidating.html
[Diagram: VMware security portfolio. Labels: VMware NSX IDS/IPS + NDR (Lastline); NSX IDS/IPS replacing the internal FW, FWaaS in H2; NSX ALB (AVI); Carbon Black + WS1 (SSO) + AirWatch; Cloud Web Security + SD-WAN (H2); SASE POP]
Everything is connected to Internet…
[Diagram series: Traditional Networking & Security. Internet, DMZ and MPLS connect through physical network and security devices to VMware ESXi hosts and their vSwitch. Dialogue across the slides: "Let’s start now…", "easy…", "Is it done?", "Yes, my job is done.", "???", "??????", "Hey, you there?", "WT…", "Of coz… LOL", "LOL :D", "Coffee?"]
Steps shown on the slides:
• 2. vLAN trunking on physical cable
• 3. Routing
• 5. Create PG to map web, app and db vLAN
Traffic Flow – Web to App VM
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
Flow S: 10.1.1.1 → D: 10.1.2.1, routed via the physical gateways 10.1.1.254 and 10.1.2.254: 5 hops for 1-way communication
Traffic Flow – Web to App VM (via load balancer)
App00: VIP 10.1.100.10/24, GW 10.1.100.254
Flow S: 10.1.1.1 → D: 10.1.100.10: 9 hops for 1-way communication
[Diagram: vSwitch, Internet, MPLS, GW 10.1.1.254, GW 10.1.2.254]
"Hey, can you find out why my application is running slow?" "Coffee?"
Let’s transform…
NSX provides a faithful reproduction of network & security services in software
[Diagram: vSwitch, Internet, NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
Decoupling from hardware…
[Diagram: vSwitch, Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
Configuring NSX: Day 1
"My turn…"
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
Flow S: 10.1.1.1 → D: 10.1.2.1: 5 hops for 1-way communication
The network guy: "Well, this is easy… Even easier… Just creating ONE vLAN for transporting the overlay network (virtual network). LOL!"
1. Creating vLAN for Overlay network
2. Configure Transport Network
[Diagram: ESXi / NSX DC hosts, each with a vSwitch; Internet, MPLS, GW 10.1.1.254, GW 10.1.2.254]
Day 2: Creating Network & Security like VM
[Diagram: vSwitch, MPLS, GW 10.1.1.254, GW 10.1.2.254]
Let’s examine traffic flow with NSX
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
Flow S: 10.1.1.1 → D: 10.1.2.1 on ESXi / NSX DC: 0 hop for 1-way communication (first slide); 1 hop for 1-way communication (second slide)
[Diagram: vSwitch, Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
"Wait… What happened to my Load Balancer?"
Let’s examine traffic flow with NSX
NSX Load Balancer / AVI Network with WAF
App00: VIP 10.1.100.10/24, GW 10.1.100.254
Flow S: 10.1.1.1 → D: 10.1.2.10
[Diagram: vSwitch, Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
"Cool… My application performance has now increased by 5x. Can I have HA for the load balancer? Is it complex and costly?"
Let’s examine traffic flow with NSX
One Click to enable HA
NSX Load Balancer / AVI Network with WAF
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App00: VIP 10.1.2.10/24, GW 10.1.2.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
App02: IP 10.1.2.2/24, GW 10.1.2.254
Flow S: 10.1.1.1 → D: 10.1.2.10
[Diagram: vSwitch, Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
"Wait… What happened to the firewall? You can’t just remove my firewall…"
Firewall is now distributed
NSX Load Balancer / AVI Network with WAF
Web01: IP 10.1.1.1/24, GW 10.1.1.254
App00: VIP 10.1.2.10/24, GW 10.1.2.254
App01: IP 10.1.2.1/24, GW 10.1.2.254
App02: IP 10.1.2.2/24, GW 10.1.2.254
Flow S: 10.1.1.1 → D: 10.1.2.10
[Diagram: vSwitch, Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
Firewall is with ATP (IDPS and NDR)
[Diagram: same topology, with Distributed IDS/IPS on ESXi / NSX DC]
"That really sounds crazy… 1 Firewall for every VM?"
Microsegmentation
Virus/Malware spread easily in traditional networking & security design
Web01: IP 10.1.1.1/24, GW 10.1.1.254
Web02: IP 10.1.1.2/24, GW 10.1.1.254
[Diagram: Web01 and Web02 on the same vSwitch and subnet; Internet, MPLS, GW 10.1.1.254, GW 10.1.2.254; "???"]
NSX Micro-segmentation with Zero Trust
Zero Trust - Source: Any | Destination: Any | Port: Any | Action: Block
[Diagram: vSwitch, Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
"We have invested so much in other advanced security solutions. Can we integrate them?"
Deploying Security On-Demand
[Diagram: Software Defined Data Center. Cloud Management Platform deploys VMs; NSX Manager / Service Composer applies Security Groups and Network & Security Rules to the Virtual Network. Example: Security Group = Desktop VMs]
Multi-tenant | Why Not?
[Diagram: tenants App 1, App 2 … App N, each with Web-Tier, App-Tier and DB-Tier on NSX Logical Switches, connected by an NSX Distributed Router; NSX Edge & Routing to the physical vLAN user network; NSX LB; ECMP with HA design; NAT, FW, VPN; Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
DMZ Anywhere | Why Not?
[Diagram: the same multi-tenant topology with a DMZ-Tier added per application; ECMP with HA design; NAT, FW, VPN; Internet, ESXi / NSX DC, MPLS, GW 10.1.1.254, GW 10.1.2.254]
On-Demand Application Deployment
[Diagram: Cloud Management Platform deploying Web-Tier, App-Tier and DB-Tier]
• VMs Connect to Virtual Networks
• Virtual Networks Connect to Physical Workloads
• Security Enforcement at vnic level
• With Physical Services Integration
Application Continuity
[Diagram: App 1 with Web-Tier, App-Tier and DB-Tier shown at two locations connected over MPLS]
Application Continuity – Disaster Recovery
[Diagram: App 1 with Web-Tier, App-Tier and DB-Tier at both locations, connected over MPLS]
A Deep Dive into VMware NSX
NSX Seminar Series
John Kuan
Nov 26th 2019
Creating Sophisticated Application Topologies
[Diagram: three applications, each with Web-Tier, App-Tier and DB-Tier]
NSX Components
• Switching
• Routing
• Security
• Services
Putting all Together
• VMs Connect to Virtual Networks
• Virtual Networks Connect to Physical Workloads
• Security Enforcement at vnic level
• With Physical Services Integration
Agenda
1 NSX Components
2 Switching
3 Routing
4 Security
5 Services
NSX Mgmt (NSX Manager)
• Programmatic Virtual Network Deployment
• Virtual Infrastructure, Logical Networks
Control Plane: NSX Controller
• Manages Logical networks
• Control-Plane Protocol
• Separation of Control and Data Plane
Data Plane: Distributed Services (Logical Switch, Logical Router, Distributed Firewall) and NSX Edge
• High-Performance Data Plane
• Scale-out Distributed Forwarding Model
Component Deployment
One Time: 1. Deploy NSX Manager
Recurring
1 NSX Components
2 Switching
3 Routing
4 Security
5 Services
VMware NSX
Challenges:
• Per Application/Multi-tenant segmentation
• VM Mobility requires L2 everywhere
• Large L2 Physical Network Sprawl – STP Issues
• HW Memory (MAC, FIB) Table Limits
Benefits:
• Scalable Multi-tenancy across data center
• Enabling L2 over L3 Infrastructure
• Overlay Based with VXLAN, STT, GRE, etc.
• Logical Switches span across Physical Hosts and Network Switches
De-mystifying Overlay Networks
[Diagram, steps 1 to 5 from Send to Receive: L2 Frame → Outer MAC HDR | Outer IP HDR | UDP HDR | VXLAN HDR | L2 Frame → L2 Frame]
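As an added example (not from the deck), the following Python builds and parses the five-layer VXLAN encapsulation shown above: outer MAC, outer IP, UDP, VXLAN header, inner L2 frame. VNI 5020 and the 192.168.150.0/24 and 192.168.250.0/24 transport subnets are taken from later slides; the MAC addresses, VTEP host addresses and the UDP source port are constructed.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned VXLAN destination port
VXLAN_FLAG_VNI_VALID = 0x08    # "I" bit: the VNI field is valid
OVERHEAD = 14 + 20 + 8 + 8     # outer MAC + outer IP + UDP + VXLAN = 50 bytes

def vxlan_header(vni):
    """8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < 2 ** 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)

def ipv4_header(src, dst, payload_len):
    """Minimal 20-byte IPv4 header, protocol 17 (UDP); checksum left at zero."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 17, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_mac, dst_mac):
    """Source VTEP: prepend outer MAC, outer IP, UDP and VXLAN headers to the tenant frame."""
    vx = vxlan_header(vni) + inner_frame
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, 8 + len(vx), 0) + vx  # constructed src port
    ip = ipv4_header(src_vtep, dst_vtep, len(udp)) + udp
    return dst_mac + src_mac + struct.pack("!H", 0x0800) + ip  # EtherType IPv4

def decapsulate(packet):
    """Destination VTEP: validate the outer headers and return (VNI, original L2 frame)."""
    if struct.unpack("!H", packet[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (packet[14] & 0x0F) * 4
    udp_off = 14 + ihl
    if packet[14 + 9] != 17 or struct.unpack("!H", packet[udp_off + 2:udp_off + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("not a VXLAN/UDP packet")
    vx_off = udp_off + 8
    flags, vni_field = struct.unpack("!B3xI", packet[vx_off:vx_off + 8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI is not valid")
    return vni_field >> 8, packet[vx_off + 8:]

def fits_transport_mtu(inner_frame, mtu):
    """True if the outer IP packet (MTU excludes the outer MAC header) fits the transport MTU."""
    return len(inner_frame) + OVERHEAD - 14 <= mtu

if __name__ == "__main__":
    # Constructed sample: a maximum-size 1514-byte tenant frame between two VM MACs.
    inner = bytes.fromhex("005056aa0002") + bytes.fromhex("005056aa0001") + b"\x08\x00" + b"X" * 1500
    pkt = encapsulate(inner, 5020, "192.168.150.11", "192.168.250.12",
                      bytes.fromhex("000c29000001"), bytes.fromhex("000c29000002"))
    print(decapsulate(pkt)[0], len(pkt), fits_transport_mtu(inner, 1500), fits_transport_mtu(inner, 1600))
```

A full-size 1514-byte tenant frame leaves the VTEP as a 1550-byte IP packet, which no longer fits a 1500-byte transport MTU; that overhead is why the deck calls for 1600-byte MTU frames on the physical fabric.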
[Diagram: Network Inventory, Fault Management: NSX Manager, SNMP (MIBs for ports, switch etc.); ToR VTEP between VXLAN and VLAN; Physical Workloads]
Physical View: VMs in a Single Logical
[Diagram: App LS 172.16.20.0/24 with VM4 (172.16.20.11) and VM5 (172.16.20.12); Transport Subnet A 192.168.150.0/24 and Transport Subnet B 192.168.250.0/24 over the Physical Network]
Physical Infrastructure & Logical Switching
• Support for 1600 byte MTU Frames
• NSX removes dependency on Multicast-based network fabric
• Unicast mode works without any dependency on physical infrastructure
• Hybrid or Multicast mode provides efficient replication for multicast and unicast VM traffic
Agenda
1 NSX Components
2 Switching
3 Routing
4 Security
5 Services
NSX Layer 3 Routing: Distributed, Feature-Rich
[Diagram: CMP provisioning L2 segments for Tenant A, Tenant B and Tenant C]
Challenges:
• Physical Infrastructure Scale Challenges – Routing Scale
• VM Mobility is a challenge
• Multi-Tenant Routing Complexity
• Traffic hair-pins
Benefits:
• Distributed Routing in Hypervisor
• Dynamic, API based Configuration
• Full featured – OSPF, BGP, IS-IS
• Logical Router per Tenant
• Routing Peering with Physical Switch
Logical View: VMs with Distributed Routing
[Diagram: App LS 172.16.20.0/24 with VM4 (172.16.20.11) and VM5 (172.16.20.12); Distributed Logical Router Service with interface 172.16.20.1 on the App LS and uplink 192.168.10.1 on 192.168.10.0/29]
Physical View: Logical Routing
[Diagram: Transport Subnet A 192.168.150.0/24 and Transport Subnet B 192.168.250.0/24 over the Physical Network; VM1, VM2, VM3 and VM4, VM5 on Logical Switch 5002; Controller; Data Plane: Logical Switching and Routing]
Example: Enterprise Routing Topology
[Diagram: External Network and Physical Router; Routing Peering over VLAN 20 Uplink to NSX Edge; NSX Edge Uplink on VXLAN 5020 to Distributed Routing. Multi-tenant variant: NSX Edge with Routing Peering, Uplinks on VXLAN 5020 and VXLAN 5030 to Tenant 1 (LR Instance 1) and Tenant 2 (LR Instance 2)]
1 NSX Components
2 Switching
3 Routing
4 Security
5 Services
VMware NSX (API)
Challenges:
• Centralized Firewall Model
• Static Configuration
• IP Address based Rules
• 40 Gbps per Appliance
• Lack of visibility with encapsulated traffic
Benefits:
• Distributed at Hypervisor Level
• Dynamic, API based Configuration
• VM Name, VC Objects, Identity-based Rules
• Line Rate ~20 Gbps per host
• Full Visibility to encapsulated traffic
Distributed Firewall Features
[Diagram: VM1 and VM2 on Web-LS1; VM4 and VM5 on App-LS1]
Capabilities
• Firewall rules are enforced at VNIC Level
• Policy independent of location (L2 or L3 adjacency)
• State persistent across vMotion
• Enforcement based on VM attributes like Tags, VM Names, Logical Switch, etc.
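As an added example (not from the deck), the following Python models the contrast drawn by the Microsegmentation / Zero Trust slides and the Distributed Firewall capabilities above: a perimeter firewall never inspects Web01 to Web02 traffic on a shared subnet, while a distributed, vNIC-level firewall with tag-based security groups and the Zero Trust default rule (Any/Any/Any → Block) evaluates every flow and keeps applying after a vMotion. VM names, addresses and the TCP/8443 web-to-app port are from the slides; host names, tag names and the rule and helper names are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_interface

@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    host: str               # ESXi host the VM currently runs on (never used by the policy)
    tags: frozenset         # security-group membership expressed as tags

@dataclass(frozen=True)
class Rule:
    name: str
    src_tag: "str | None"   # None means Any
    dst_tag: "str | None"
    proto: "str | None"
    port: "int | None"
    action: str             # "ALLOW" or "BLOCK"

    def matches(self, src, dst, proto, port):
        return ((self.src_tag is None or self.src_tag in src.tags) and
                (self.dst_tag is None or self.dst_tag in dst.tags) and
                (self.proto is None or self.proto == proto) and
                (self.port is None or self.port == port))

def distributed_firewall(policy, src, dst, proto, port):
    """First-match evaluation at the vNIC: only tags, protocol and port are consulted."""
    for rule in policy:
        if rule.matches(src, dst, proto, port):
            return rule.action, rule.name
    raise RuntimeError("policy must end with a default rule")

def perimeter_firewall(policy, src, dst, proto, port):
    """Traditional design: a central firewall never sees traffic that stays inside a /24."""
    if ip_interface(src.ip + "/24").network == ip_interface(dst.ip + "/24").network:
        return "ALLOW", "never-inspected"
    return distributed_firewall(policy, src, dst, proto, port)

def vmotion(vm, new_host):
    """A moved VM keeps its tags, so the same rules apply on the new host."""
    return VM(vm.name, vm.ip, new_host, vm.tags)

POLICY = [
    Rule("web-to-app", "web", "app", "tcp", 8443, "ALLOW"),       # TCP/8443 as on the deck
    Rule("zero-trust-default", None, None, None, None, "BLOCK"),  # Any/Any/Any -> Block
]
# Constructed inventory using the deck's VM names and addresses; host names are assumed.
WEB01 = VM("Web01", "10.1.1.1", "esxi-01", frozenset({"web"}))
WEB02 = VM("Web02", "10.1.1.2", "esxi-01", frozenset({"web"}))
APP01 = VM("App01", "10.1.2.1", "esxi-02", frozenset({"app"}))
```

With this inventory, `perimeter_firewall(POLICY, WEB01, WEB02, "tcp", 445)` returns the uninspected allow that lets malware spread between web servers, while `distributed_firewall` returns the zero-trust block for the same flow and still allows Web01 to App01 on 8443 after App01 is moved to another host.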
NSX Distributed Firewall Performance
[Diagram: Test Setup with 10G Interfaces on both sides; CPS Measurement between VM1 and VM2 on Web-LS1]
[Diagram: Web-Tier to App-Tier flow "Web to App TCP/8443"; External Network]
Policy-based Security Enforcement
[Diagram: Software Defined Data Center. Cloud Management and Service Composer apply policy to the Virtual Network; Security Group = Desktop VMs]
Agenda
1 NSX Components
2 Switching
3 Routing
4 Security
5 Services
[Diagram: Tenant A and Tenant B, each with L2 segments and VM1, VM2 behind L3]
Challenges:
• Application Mobility
• Multi-tenancy
• Configuration complexity – manual deployment model
Benefits:
• On-demand load balancer service
• Simplified deployment model for applications – one-arm or inline
• Layer 7, SSL, …
One-Arm Load Balancing Mode: Web LS 172.16.10.0/24, VIP 172.16.10.10, servers 172.16.10.11, .12, .13, Gateway 172.16.10.1
Inline Load Balancing Mode: Web LS 172.16.20.0/24
Physical View: Logical Routing
[Diagram: Transport Subnet A 192.168.150.0/24 and Transport Subnet B 192.168.250.0/24 over the Physical Network; VM1, VM2, VM3 and VM4, VM5 on Logical Switch 5002]
Physical View: Logical Load Balancing
[Diagram: same topology with an Edge Services Gateway VM]
NSX Logical VPN Services
• VPN Services are delivered as a service via Edge
• Interoperable with IPSEC
• Hardware Offload for Performance
• Ability to extend L2 Inter DC or Public Cloud
[Diagram: Site to Site over Internet / WAN; IPSec Clients; Public Cloud]
Agenda
1 NSX Components
2 Switching
3 Routing
4 Security
5 Services
[Diagram: hypervisor pools for Test X, Acquisition A and Dev A]
Just "Rack N’ Roll"
• Auto-Deploy Hypervisors: Drivers, NSX Components (NSX, CMP)
• Deploy Applications from CMP: VMs, Logical Networks and Security (NSX, CMP)
What’s Next ..
• Reference Designs
• labs.hol.vmware.com
• NSX Landing Page: www.vmware.com/go/nsx
• Whitepapers
Thank You
John Kuan
jkuan@vmware.com