
VMware NSX:

Install, Configure, Manage


Lecture Manual
NSX 6.0

VMware Education Services


VMware, Inc.
www.vmware.com/education

VMware NSX:
Install, Configure, Manage
NSX 6.0
Part Number EDU-EN-NSXICM6-LECT
Lecture Manual
Copyright/Trademark
Copyright 2014 VMware, Inc. All rights reserved. This manual and its accompanying materials are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
The training material is provided "as is," and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been advised of the possibility of such claims. This training material is designed to support an instructor-led training course and is intended to be used for reference purposes in conjunction with the instructor-led training course. The training material is not a standalone training tool. Use of the training material for self-study without class attendance is not recommended.
These materials and the computer programs to which it relates are the property of, and embody trade secrets and confidential information proprietary to, VMware, Inc., and may not be reproduced, copied, disclosed, transferred, adapted or modified without the express written approval of VMware, Inc.
Course development: Rob Nendel, John Tuffin, Jerry Ozbun
Technical review: Elver Sena, Chris McCain
Technical editing: Jim Brook, Shalini Pallat, Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud
The courseware for VMware instructor-led training relies on materials developed by the VMware Technical Communications writers who produce the core technical documentation, available at http://www.vmware.com/support/pubs.


TABLE OF CONTENTS

MODULE 1
Course Introduction .... 1
Importance .... 2
Learner Objectives .... 3
Learner Objectives (2) .... 4
You Are Here .... 5
Typographical Conventions .... 6
References .... 7
About NSX .... 8
NSX Certification .... 9
VMware Learning Path Tool .... 10
NSX Resources .... 11

MODULE 2
NSX Networking .... 13
You Are Here .... 14
Importance .... 15
Module Lessons .... 16
Lesson 1: Introduction to vSphere Virtualization .... 17
Learner Objectives .... 18
Virtual Machines .... 19
Benefits of Virtual Machines .... 20
ESXi Hypervisor .... 21
vCenter Server .... 22
vCenter Server Management Features .... 23
vSphere vMotion .... 25
Shared Storage .... 26
Features That Use Shared Storage .... 27
Virtual Networking .... 28
Virtual Switch Types .... 29
Networking Features .... 30
vSphere Product Placement .... 32
Review of Learner Objectives .... 33
Lesson 2: Overview of the Software-Defined Data Center .... 34
Learner Objectives .... 35
Choices for IT .... 36
Data Center Models .... 37
Advantage of Software-Defined Data Center .... 38
Choice for New IT .... 39
Software-Defined Data Center as New IT .... 40
Components of a Software-Defined Data Center .... 41
Vision and Strategy .... 42
Virtual Compute, Storage, and Network .... 43
Data Center Hardware .... 44
Hypervisors and Virtual Switches .... 45
NSX: Network Virtualization Platform .... 46
About a Virtual Network .... 47
Network Virtualization: Layer 2 .... 48
Network Virtualization: Layer 3 .... 49
Concept Summary .... 50
Review of Learner Objectives .... 51
Lesson 3: Introduction to NSX and NSX Manager .... 52
Learner Objectives .... 53
NSX Capabilities .... 54
Prepare for Installation: Client and User Access .... 55
Prepare for Installation: Port Requirements .... 56
Installation: Manager OVA .... 57
Initial Configuration: Management UI .... 58
Initial Configuration: Time and Syslog Settings .... 59
Initial Configuration: Network Settings .... 60
Initial Configuration: vCenter Server Connection .... 61
NSX Overview: Planes .... 62
NSX Overview: Data Plane Components .... 63
NSX Overview: Control Plane Components .... 64
NSX Overview: Management Plane Component .... 65
NSX Overview: Consumption .... 66
Enterprise Topology .... 67
Service Provider: Multiple Tenant Topology .... 68
Multiple Tenant Topology: Scalable Design .... 69
Scalability .... 70
NSX for vSphere: Scale Boundaries .... 71
NSX Manager .... 72
Building the NSX Platform .... 73
Lab 1: Introduction .... 74
Lab 1: Configuring NSX Manager .... 75
Concept Summary .... 76
Review of Learner Objectives .... 77
Lesson 4: NSX Controller .... 78
Learner Objectives .... 79
NSX Controller .... 80
NSX Controller Cluster Deployment .... 82
Control Plane Interaction .... 83
Control Plane Security .... 84
Control Plane Security: Diagram .... 85
User World Agent .... 86
NSX Controller: Master Election .... 87
Master Failure Scenario .... 88
NSX Controller Workload Distribution .... 89
Slicing Assignment .... 90
Slicing Distribution .... 91
Slice Redistribution .... 92
Component Interaction: Configuration .... 93
Lab 2: Introduction (1) .... 94
Lab 2: Introduction (2) .... 95
Lab 2: Configuring and Deploying an NSX Controller Cluster .... 96
Review of Learner Objectives .... 97
Key Points .... 98

MODULE 3
Logical Switch Networks and VXLAN Overlays .... 99
You Are Here .... 100
Importance .... 101
Module Lessons .... 102
Lesson 1: Ethernet Fundamentals .... 103
Learner Objectives .... 104
Review: Networking Definitions .... 105
Ethernet .... 106
MAC Tables .... 107
Broadcast Domain .... 108
Address Resolution Protocol .... 109
From Packets to Frames .... 110
Segmentation and Encapsulation .... 111
Layer 3: IPv4 Datagram .... 112
Layer 4: TCP Segment .... 113
Concept Summary .... 114
Review of Learner Objectives .... 115
Lesson 2: Overview of vSphere Distributed Switch .... 116
Learner Objectives .... 117
VMkernel Networking .... 118
Advantages of vSphere Distributed Switch .... 119
Distributed Switch Architecture .... 120
vSphere Distributed Switch Enhancements in ESXi 5.5 .... 121
Design Considerations .... 122
Teaming Best Practices .... 123
Load-Based Teaming .... 124
Distributed Switch in Enterprise .... 125
Lab 3: Introduction (1) .... 126
Lab 3: Introduction (2) .... 127
Lab 3: Preparing for Virtual Networking .... 128
Concept Summary .... 129
Review of Learner Objectives .... 130
Lesson 3: Link Aggregation .... 131
Learner Objectives .... 132
Ethernet Loop .... 133
Spanning Tree Protocol .... 134
STP Diagram .... 135
Bandwidth Constraint .... 136
Link Aggregation Control Protocol .... 137
Enhanced LACP in vSphere 5.5 .... 138
Enhanced LACP .... 139
Concept Summary .... 140
Review of Learner Objectives .... 141
Lesson 4: Virtual LANs .... 142
Learner Objectives .... 143
Virtual LANs .... 144
Switches and Routers with VLANs .... 145
VLANs and ARP .... 146
VLANs Across Switches .... 147
VLAN Scalability .... 148
802.1Q .... 149
802.1Q Frame .... 150
Native VLAN .... 151
Concept Summary .... 152
Review of Learner Objectives .... 153
Lesson 5: VXLAN: Logical Switch Networks .... 154
Learner Objectives .... 155
VXLAN Terms .... 156
VXLAN Protocol Overview .... 157
Virtual Extensible LAN .... 158
NSX Use Cases .... 159
VXLAN Frame Format .... 160
Multicast: Network Components .... 161
Internet Group Management Protocol .... 162
Bidirectional PIM .... 163
NSX for vSphere VXLAN Replication Modes .... 164
VXLAN Replication: Control Plane .... 165
VXLAN Replication: Data Plane .... 166
Unicast Mode .... 167
Multicast Mode .... 168
Hybrid Mode .... 169
Unicast and Hybrid Mode: Same Host .... 170
Unicast Mode: Different Hosts .... 172
Hybrid Mode: Different Hosts .... 173
Multicast Mode: Different Hosts .... 174
Quality of Service .... 175
QoS Tagging .... 176
Physical Network Congestion .... 177
NSX Component Interaction: Configuration .... 178
NSX Logical Switching .... 179
Logical Switch .... 180
Lab 4: Introduction (1) .... 181
Lab 4: Introduction (2) .... 182
Lab 4: Configuring and Testing Logical Switch Networks .... 183
Concept Summary .... 184
Review of Learner Objectives .... 185
Key Points .... 186

MODULE 4
NSX Routing .... 187
You Are Here .... 188
Importance .... 189
Module Lessons .... 190
Lesson 1: NSX Routing .... 191
Learner Objectives .... 192
Supported Routing Protocols .... 193
OSPF Features .... 194
About OSPF .... 195
OSPF Neighbor Relationships .... 196
OSPF Packet Types .... 197
OSPF Hello Packets .... 198
Other OSPF Packets .... 200
OSPF Neighbor States .... 201
OSPF Router Types .... 203
OSPF Areas .... 204
OSPF Area Types .... 205
OSPF Normal Area .... 206
OSPF Stub Area .... 207
OSPF NSSA .... 208
OSPF Area and Router Types Example .... 209
Intermediate System to Intermediate System .... 210
IS-IS Features .... 211
IS-IS Areas .... 212
IS-IS Router Levels .... 213
IS-IS Neighbor Adjacency .... 214
IS-IS Design Considerations .... 215
BGP Features .... 216
Border Gateway Protocol .... 217
BGP AS Numbers .... 218
BGP Peers .... 219
BGP Peers Example .... 220
BGP Route Selection .... 221
Concept Summary .... 222
Review of Learner Objectives .... 223
Lesson 2: NSX Logical Router .... 224
Learner Objectives .... 225
Layer 3 Networking Overview .... 226
Layer 3 Enables Larger Networks .... 227
Distributed Logical Router .... 228
Hairpinning .... 229
Distributed Logical Router: Logical View .... 231
Distributed Logical Router: Physical View .... 232
Data Path: Host Components .... 233
VLAN LIF .... 234
Designated Instance .... 235
VXLAN LIF .... 236
Control Plane: Components .... 237
Logical Router Control Virtual Machine .... 238
Management, Control, and Data Communication .... 239
Deployment Models: One Tier .... 240
Deployment Models: Two Tier .... 241
Distributed Router Traffic Flow: Same Host .... 242
Distributed Router Traffic Flow: Different Host .... 243
Lab 5: Introduction (1) .... 244
Lab 5: Introduction (2) .... 245
Lab 5: Introduction (3) .... 246
Lab 5: Introduction (4) .... 247
Lab 5: Configuring and Deploying an NSX Distributed Router .... 248
Concept Summary .... 249
Review of Learner Objectives .... 250
Lesson 3: Layer 2 Bridging .... 251
Learner Objectives .... 252
VXLAN to VLAN Layer 2 Bridging .... 253
Use Cases .... 254
Layer 2 Bridging Details .... 255
Bridge Instance .... 256
Bridge Instance Failure .... 257
Layer 2 Bridging: Flow Overview .... 258
Design Considerations .... 259
ARP Request from VXLAN .... 260
ARP Response from the VLAN .... 262
Unicast Traffic .... 263
ARP Request from VLAN .... 264
Concept Summary .... 265
Learner Objectives .... 266
Lesson 4: NSX Edge Services Gateway .... 267
Learner Objectives .... 268
NSX Edge Gateway .... 269
Integrated Network Services .... 270
NSX Edge Services Gateway Sizing .... 271
Features Summary .... 272
NSX Edge Routing .... 273
Routing Verification .... 274
Lab 6: Introduction (1) .... 275
Lab 6: Introduction (2) .... 276
Lab 7: Introduction .... 277
Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing .... 278
Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances .... 279
Review of Learner Objectives .... 280
Key Points .... 281

MODULE 5
NSX Edge Services Gateway Features .... 283
You Are Here .... 284
Importance .... 285
Module Lessons .... 286
Lesson 1: NSX Edge Network Address Translation .... 287
Learner Objectives .... 288
Private IPv4 IP Addresses .... 289
IPv4 Overlapping Space .... 290
Managing NAT Rules .... 291
Source NAT Deployment Using NSX Edge .... 292
Example: Set Up External Access to Web Server .... 293
Add a Second External IP Address for NAT Use .... 294
Destination NAT Deployment Using NSX Edge .... 295
Creating a Destination NAT Rule for Inbound External Access .... 296
Create a Destination NAT Rule and Test Inbound Connectivity .... 297
Creating a Source NAT Rule and Testing Outbound Connectivity .... 299
Lab 8: Introduction (1) .... 300
Lab 8: Introduction (2) .... 301
Lab 8: Introduction (3) .... 302
Lab 8: Configuring and Testing Network Address Translation on an NSX Edge Services Gateway .... 303
Concept Summary .... 304
Review of Learner Objectives .... 305
Lesson 2: NSX Edge Load Balancing .... 306
Learner Objectives .... 307
NSX Edge Load Balancer .... 308
NSX Edge Load Balancer Modes .... 309
Load-Balancer Operation .... 310
One-Arm Load Balancer .... 311
One-Arm Load Balancer Traffic Flow .... 312
Inline Load Balancer .... 313
Inline Load Balancer Traffic Flow .... 314
Lab 9: Introduction .... 315
Lab 10: Introduction .... 316
Lab 9: Configuring Load Balancing with NSX Edge Gateway (1) .... 317
Lab 9: Configuring Load Balancing with NSX Edge Gateway (2) .... 318
Lab 10: Advanced Load Balancing .... 319
Concept Summary .... 320
Review of Learner Objectives .... 321
Lesson 3: NSX Edge High Availability .... 322
Learner Objectives .... 323
High Availability .... 324
NSX Edge High Availability Operation .... 325
Stateful High Availability .... 326
NSX Edge Failure .... 328
NSX Edge Services Gateway High Availability .... 329
Virtual Machine and Appliance Failure .... 330
ESXi Host Failure .... 331
Lab 11: Introduction .... 332
Lab 11: Configuring NSX Edge High Availability .... 333
Concept Summary .... 334
Review of Learner Objectives .... 335
Lesson 4: NSX Edge and VPN .... 336
Learner Objectives .... 337
Logical L2 VPN .... 338
Overview of Layer 2 VPN .... 339
Logical User (SSL) and Site-to-Site (IPsec) VPN .... 340
NSX IPsec VPN .... 341
IPsec Security Protocols: Internet Key Exchange .... 342
IPsec Security Protocols: Encapsulating Security Payload .... 344
IPsec ESP Tunnel Mode Packet .... 345
Configuration Example for IPsec VPN .... 346
IPsec with AES-NI .... 347
Add an IPsec VPN .... 348
NSX SSL VPN-Plus Service .... 349
SSL VPN-Plus .... 350
NSX Edge SSL VPN-Plus Secure Management Access Server .... 351
Use Cases for SSL VPN-Plus Services .... 352
Lab 12: Introduction .... 353
Lab 13: Introduction .... 354
Lab 14: Introduction (1) .... 355
Lab 14: Introduction (2) .... 356
Lab 12: Configuring Layer 2 VPN Tunnels .... 357
Lab 13: Configuring IPsec Tunnels .... 358
Lab 14: Configuring and Testing SSL VPN-Plus .... 359
Concept Summary .... 360
Review of Learner Objectives .... 361
Key Points .... 362

MODULE 6
NSX Security .... 363
You Are Here .... 364
Importance .... 365
Module Lessons .... 366
Lesson 1: NSX Edge Firewall .... 367
Learner Objectives .... 368
NSX Edge and Distributed Firewall: Security Comparison .... 369
NSX Edge Firewall .... 370
Firewall Rule Types .... 371
Virtualization Context Awareness .... 372
Populating Firewall Rules .... 373
Source and Destination of a Rule .... 374
Firewall Service .... 375
Create a Firewall Service .... 376
Action Option .... 377
Publish Changes .... 378
NSX Edge Services Gateway: Form Factors .... 379
Lab 15: Introduction (1) .... 380
Lab 15: Introduction (2) .... 381
Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic .... 382
Concept Summary .... 383
Review of Learner Objectives .... 384
Lesson 2: Distributed Firewall .... 385
Learner Objectives .... 386
Evolution of Firewall Placement .... 387
Distributed Firewall Overview .... 388
Distributed Firewall Filtering .... 389
Distributed Firewall Location and Policy Independence .... 390
Distributed Firewall Policy Enforcement .... 391
Distributed Firewall Components: Communication .... 392
Distributed Data Path .... 393
Policy Rule Objects .... 394
Layer 2 Policy Rules .... 395
Layer 3 and Layer 4 Policy Rules .... 396
Centralized Management of the Distributed Firewall .... 397
Using Distributed Firewall Sections .... 398
Policy Rule Objects .... 399
Logical Switch Rule-Based Example .... 400
Security Groups .... 401
Security Group Components .... 402
Rule-Based Security Group Example .... 403
Applied To: Example .... 404
Lab 16: Introduction .... 405
Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic .... 406
Concept Summary .... 407
Review of Learner Objectives .... 408
Lesson 3: Flow Monitoring .... 409
Learner Objectives .... 410
Flow Monitoring .... 411
Enable Flow Monitoring .... 412
Exclusion Settings .... 413
Viewing Flows .... 414
Flow Views by Service .... 415
Live Monitoring .... 416
Live Monitoring Output Example .... 417
Lab 17: Introduction .... 418
Lab 17: Using Flow Monitoring .... 419
Concept Summary .... 420
Review of Learner Objectives .... 421
Lesson 4: Role-Based Access Control .... 422
Learner Objectives .... 423
Authentication, Authorization, and Accounting Model .... 424
Identity Sources .... 425
Identity Source vSphere Requirements .... 426
Role-Based Access Control for NSX for vSphere .... 427
NSX User Roles .... 428
Scopes .... 429
NSX Role Guidelines .... 430
Permission Inheritance Example: Single Group .... 431
Permission Inheritance Example: Multiple Groups .... 432
Configure Role-Based Access Control .... 433
Define Scope .... 434
Lab 18: Introduction .... 435
Lab 18: Managing NSX Users and Roles .... 436
Concept Summary .... 437
Review of Learner Objectives .... 438
Lesson 5: Service Composer .... 439
Learner Objectives .... 440
Service Composer .... 441
Using Service Composer .... 442
NSX Integrated Partners .... 443
NSX: Third-Party End-to-End Workflow .... 444
Registering Partner Services .... 445
Partner Service Registration: Palo Alto Networks .... 446
Partner Service Registration: Symantec .... 447
Service Installation .... 448
Security Policy .... 449
Service Composer Canvas .... 450
Canvas View (1) .... 451
Canvas View (2) .... 452
Canvas View (3) .... 453
Service Composer: Vulnerability Scan Example .... 454
Service Composer: Traffic Redirection with PAN Example (1) .... 455
Service Composer: Traffic Redirection with PAN Example (2) .... 456
Concept Summary .... 457
Review of Learner Objectives .... 458
Lesson 6: Other Monitoring Options .... 459
Learner Objectives .... 460
About Syslog .... 461
Syslog Format .... 462
vCenter Log Insight .... 463
Concept Summary .... 464
Review of Learner Objectives .... 465
Key Points .... 466

MODULE 1

Course Introduction
Slide 1-1

Importance
Slide 1-2

VMware NSX™ is the network virtualization and security platform for the software-defined data center. NSX brings virtualization to your existing network and transforms network operations and economics.

Learner Objectives
Slide 1-3

By the end of this course, you should be able to meet the following objectives:
Describe the evolution of the software-defined data center
Describe how NSX is the next step in the evolution of the software-defined data center
Describe data center prerequisites for NSX deployment
Describe basic NSX layer 2 networking
Configure, deploy, and use logical switch networks
Configure and deploy NSX distributed routers to establish East-West connectivity
Configure and deploy VMware NSX Edge services gateway appliances to establish North-South connectivity
Configure and use all the main features of the NSX Edge services gateway

Learner Objectives (2)
Slide 1-4

By the end of this course, you should be able to meet the following objectives:
Configure NSX Edge firewall rules to restrict network traffic
Configure Distributed Firewall rules to restrict network traffic
Use role-based access to control user account privileges
Use Activity Monitoring to determine if a security policy is effective
Use Flow Monitoring to monitor network traffic streams
Configure Service Composer policies

You Are Here
Slide 1-5

VMware NSX: Install, Configure, Manage
Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway Features
NSX Security

Typographical Conventions
Slide 1-6

The following typographical conventions are used in this course.

Monospace: Filenames, folder names, path names, and command names. Example: Navigate to the VMS folder.
Monospace bold: What the user types. Example: Enter ipconfig /release.
Boldface: User interface controls. Example: Click the Configuration tab.
Italic: Book titles and placeholder variables. Examples: vSphere Virtual Machine Administration; ESXi-host-name

References
Slide 1-7

Title: NSX Installation and Upgrade Guide
Location: http://pubs.vmware.com/NSX-6/index.jsp

Title: NSX Administration Guide
Location: http://pubs.vmware.com/NSX-6/index.jsp

About NSX
Slide 1-8

NSX is a network virtualization platform that enables you to build a rich set of logical networking services.
Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
Logical Routing: Routing between virtual networks without exiting the software container
Logical Firewall: Distributed Firewall, Kernel Integrated, High Performance
Logical Load Balancer: Application Load Balancing in software
Logical VPN: Site-to-site and remote access VPN in software
NSX API: REST API for integration into any cloud management platform
(Diagram labels: Any Network Hardware; Partner Ecosystem)

NSX Certification
Slide 1-9

For details about VMware certifications, go to:
http://mylearn.vmware.com/portals/certification

VMware Learning Path Tool
Slide 1-10

(Slide image: VMware Education Services Learning Path Tool. Learn by Solution Track, Role, Product, or Certification. Choose Your Path: Learn by Solution Track; Learn by Role; Learn by Product; Achieve Certification)

To determine your learning path for VMware training, go to:
http://vmwarelearningpaths.com
To make the VMware training that you take most valuable, you must decide which learning path to take. Your learning path can be based upon a solution track that you want to pursue or a role in your organization that you want to take on. Your learning path can also be based on a product that you want to master or a VMware certification that you want to achieve. Regardless of which path you choose, the VMware Learning Path Tool can help you to succeed and achieve your goal.

NSX Resources
Slide 1-11

For NSX technical information, use the following resources:
NSX Resources: http://www.vmware.com/products/nsx/resources.html
VMware Communities: http://communities.vmware.com/
VMware Support: http://www.vmware.com/support/
VMware Education: http://www.vmware.com/education
VMware Support Toolbar: http://vmwaresupport.toolbar.fm

Making full use of VMware technical resources can save you time and money. The following are extensive VMware Web-based resources:
The VMware Communities Web page provides tools and knowledge to help users maximize their investment in VMware products. VMware Communities provides information about virtualization technology in technical papers, documentation, a knowledge base, discussion forums, user groups, and technical newsletters.
The VMware Support page provides a central point from which you can view support offerings, create a support request, and download products, updates, drivers and tools, and patches.
You can view the course catalog and the latest schedule of courses offered worldwide on the VMware Education page. This page also provides access to information about the latest advanced courses offered worldwide.
For quick access to communities, documentation, downloads, support information, and more, install the VMware Support Toolbar, which is a free download.
VMware vSphere documentation is available on the VMware Web site. From this page, you can access all the vSphere guides, which also include guides for optional modules or products.

MODULE 2

NSX Networking
Slide 2-1

You Are Here
Slide 2-2

VMware NSX: Install, Configure, Manage
Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway
NSX Security

Importance
Slide 2-3

Understanding the high-level concepts of the software-defined data center and network virtualization using VMware NSX™ is critical to using NSX efficiently in the virtualized environment that enterprises are moving to.

Module Lessons
Slide 2-4

Lesson 1: Introduction to vSphere Virtualization
Lesson 2: Overview of the Software-Defined Data Center
Lesson 3: Introduction to NSX and NSX Manager
Lesson 4: NSX Controller

Lesson 1: Introduction to vSphere Virtualization
Slide 2-5

Learner Objectives
Slide 2-6

By the end of this lesson, you should be able to meet the following objectives:
Discuss the features of VMware vSphere
Provide an overview of the challenges that vSphere is intended to resolve

Virtual Machines
Slide 2-7

(Slide labels: Real Operating System; Dedicated Virtual Hardware; Real Applications; Stable and Dependable; No Need for Modification; No Special Changes to OS)
Virtual machines look and behave like physical servers.

Users might not be able to distinguish a virtual machine from a physical server. Subtle differences make virtual machines unique and helpful in the data center. The hardware of a virtual machine is software.
This feature gives you many advantages, such as the ability to replace and upgrade components of the virtual hardware quickly.
Virtual hardware also allows you to add hardware devices such as network cards and processors without rebooting the virtual machine.
Ultimately, virtual hardware can help reduce your downtime because you do not need to reboot your virtual machines every time you want to upgrade their capabilities.

Benefits of Virtual Machines
Slide 2-8

(Slide labels: Image Backups; Bare-Metal Backups; File-Based Restores; Hardware Independence for Restores)

Virtual machines can be used to host any application, from file servers, database servers, and email servers to high-performance application servers.
Organizations might choose to virtualize their servers for the following reasons:
Consolidate lightly used servers to conserve space and power in their data center. These workloads are ideal for virtualization because you can often place many virtual machines on a single physical host.
Increase availability, whether as a protection scheme against common hardware failures or complete site-level disasters. Virtual machines are easy to move, copy, and restore, so they make disaster recovery simple.
Provision new servers quickly because new virtual machines can be created and deployed in minutes.

ESXi Hypervisor
Slide 2-9

(Slide: VMware ESXi benefits: Direct hardware access; Less overhead than hosted hypervisors; Flexible installation options. The diagram contrasts a Type 1 hypervisor, ESXi, with a Type 2 hypervisor, with ESXi showing lower resource overhead.)

VMware ESXi is a VMware type 1 hypervisor. ESXi is a bare-metal hypervisor. This hypervisor performs the role of resource management while enjoying direct access to the underlying physical hardware.
This hypervisor can improve your resource efficiency because of less operating system overhead. In addition, the stability of the ESXi hypervisor is not dependent on another operating system.
ESXi is commonly installed directly on hard drives in your physical server, but ESXi can also be installed onto flash drives, SD cards, and USB drives.
You can also network-boot an ESXi host using traditional boot-from-network tools such as preboot execution environment (PXE) and Trivial File Transfer Protocol (TFTP) servers.
VMware provides several ways to deploy your ESXi hosts because each organization's needs vary.
ESXi hosts your virtual machines and provides some basic management functions to help you deploy and control your virtual machines.

vCenter Server
Slide 2-10

VMware vCenter Server"

Active Directory
dom ain

vSphere Client

is scalable

ESXi host

ESXi host

ESXi host

vCenter Server
Components:
Identity Management Server
Database Server

1,000 ESXi hosts

Application Server
Web Server

10,000 VMs

VMware vSphere Web Client

VMware vCenter Server is a multitier application designed for the enterprise, but it is capable of managing even the smallest of organizations. The vCenter Server system is designed to be highly scalable and can expand with your data center virtualization initiatives. The vCenter Server system includes components for an Identity Management Server, Database Server, Application Server, Web Server, and VMware vSphere Web Client.
You can deploy the vCenter Server system in various forms and install the roles onto a single server or multiple servers, depending on your needs. The vCenter Server system can be installed on a Windows system or deployed as a virtual appliance to give you more flexibility.
A single vCenter Server system can scale from managing a single ESXi host up to 1,000 ESXi hosts. The vCenter Server system can also manage up to 10,000 powered-on virtual machines, all from just one vCenter Server instance.
As an organization expands, you can add more vCenter Server instances and even migrate into a cloud-based configuration to provide more management and provisioning abilities.


VMware NSX: Install, Configure, Manage

vCenter Server Management Features
Slide 2-11

The vCenter Server system is a centralized platform for management features.
The vCenter Server system includes the following management features:
VMware vSphere vMotion
VMware vSphere Distributed Resource Scheduler (DRS)
VMware vSphere Distributed Power Management (DPM)
VMware vSphere Storage vMotion
VMware vSphere Storage DRS
VMware vSphere Data Protection
VMware vSphere High Availability
VMware vSphere Fault Tolerance
VMware vSphere Replication

The vCenter Server system manages each of your ESXi hosts. The vCenter Server system can perform operations that require multiple ESXi hosts.
The vCenter Server system includes the following features:
VMware vSphere vMotion enables you to migrate running virtual machines from one ESXi host to another without disrupting the virtual machine.
VMware vSphere Distributed Resource Scheduler (DRS) provides load balancing for your virtual machines across the ESXi hosts. DRS leverages vSphere vMotion to balance these workloads.
If configured, VMware vSphere Distributed Power Management (DPM) can be used to power off unused ESXi hosts in your environment. DPM can also power the unused ESXi hosts back on at the correct time.
VMware vSphere Storage vMotion allows you to migrate a running virtual machine's hard disks from one storage device to another device.
VMware vSphere Storage DRS automates load balancing from a storage perspective.
VMware vSphere Data Protection enables you to back up your virtual machines.


VMware vSphere also has availability features such as VMware vSphere High Availability to restart your virtual machines on another host if you have a hardware problem. If a virtual machine restart is too slow, VMware vSphere Fault Tolerance provides uninterrupted availability for your virtual machines.
VMware vSphere Replication can copy your virtual machines to another site for disaster recovery.


vSphere vMotion
Slide 2-12

vSphere vMotion allows you to migrate a running virtual machine from one ESXi host to another, even during normal business hours.
You can use vSphere vMotion to help load balance your ESXi hosts in a cluster.
vCenter Server orchestrates a copy process between the ESXi hosts. The memory is copied between the hosts and the virtual machine is transferred to the new host.
vSphere vMotion can operate without shared storage, meaning that you can migrate a running virtual machine between hosts, even if the ESXi hosts have no shared storage in common.


Shared Storage
Slide 2-13

Figure: shared storage on a storage array, visible to multiple ESXi hosts and typically used to store virtual machines (applications and operating systems) and ISO files.

vSphere supports Fibre Channel, Fibre Channel over Ethernet (FCoE), iSCSI, and NFS for shared storage. vSphere also supports local storage.
Each storage option has its own strengths and weaknesses, so VMware does not consider one storage type as better than another for virtualization.


Features That Use Shared Storage
Slide 2-14

The following features use shared storage:
DRS
DPM
vSphere Storage DRS
vSphere HA
vSphere FT

Figure: virtual machines (applications and operating systems) on ESXi hosts backed by a shared storage array.

The features listed in the slide require a shared storage infrastructure to work properly.


Virtual Networking
Slide 2-15

Virtual networking is similar to physical networking. Each virtual machine and ESXi host on the network has an address and a virtual network card. These virtual network cards are connected to virtual Ethernet switches.
Virtual switches attach your virtual machines to the physical network, or you can create isolated networks to be used during testing and development. Virtual networking provides the same flexibility as server virtualization.


Virtual Switch Types
Slide 2-16

Virtual switches are of the following types:
Standard switch architecture: Manages virtual machine and networking at the host level
VMware vSphere Distributed Switch architecture: Manages virtual machine and networking at the data center level

Virtual switches can be of different forms, each with a different feature set. vSphere supports two main categories of virtual switches: the standard switch and the VMware vSphere Distributed Switch. Both switches help you to reduce network clutter by reducing the number of physical network cables plugged into your ESXi hosts.
Each ESXi host is prebuilt with a standard switch that provides basic connectivity and management features. The distributed switch expands upon that model by providing a central interface to manage the different connections and features found in the virtual switches. The distributed switch can provide more features as a result of this centralized management approach.


Networking Features
Slide 2-17

Networking has the following features:
VLANs
Traffic shaping
Port mirroring
QoS, DSCP
CDP/LLDP

Virtual networking can be as simple or as complex as you need. The following features are supported by vSphere:
VLANs provide logical separation of your network traffic, and are often used to isolate different subnetworks, such as a test or restore network.
Traffic shaping is a feature that allows you to restrict the inbound and outbound network bandwidth of a group of virtual machines. This feature can help reduce congestion in your virtual network.
Port mirroring enables you to monitor a virtual machine's traffic for troubleshooting or intrusion prevention. This feature allows you to capture all the traffic sent to or from a virtual machine for later inspection.
Quality of service (QoS) and DSCP are networking standards that allow network switches to prioritize certain network traffic over others. An example is prioritizing the voice traffic from a call manager server to improve performance.
NetFlow is a network monitoring tool that allows you to determine your top talkers on the network and other metadata about the communications that occur on your network.


Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are discovery protocols used to identify neighboring physical network switches. CDP and LLDP can be used to help discover and troubleshoot misconfigurations.


vSphere Product Placement
Slide 2-18

Figure: table mapping vSphere features to the vSphere editions Essentials, Essentials Plus, Standard, Enterprise, and Enterprise Plus.

Review of Learner Objectives
Slide 2-19

You should be able to meet the following objectives:
Discuss the features of vSphere
Provide an overview of the challenges that vSphere is intended to resolve

Lesson 2: Overview of the Software-Defined Data Center
Slide 2-20

Learner Objectives
Slide 2-21

By the end of this lesson, you should be able to meet the following objectives:
Describe advantages of the software-defined data center
Identify components of the software-defined data center
Explain the role of the virtual network in the software-defined data center

Choices for IT
Slide 2-22

Software is the foundation that is powering the evolution of networks and data center infrastructure.

Figure: the choice between New IT (the software-defined data center), the hardware-defined data center, and No IT (outsourced).

Today, enterprise business leaders want their IT to create applications quickly and easily. Enterprise business leaders must decide whether to build in-house IT or to outsource their IT and applications.


Data Center Models
Slide 2-23

Businesses that want to deploy applications and their necessary server infrastructure quickly choose between the current hardware-based model and the software-defined data center.

Figure: the hardware-defined data center (any application on dedicated hardware) contrasted with the software-defined data center (any application with application-specific policies on a data center virtualization layer running on any x86 server, any storage, and any IP network).

The hardware-defined data center is the traditional model. This model includes racks of equipment, and each piece of hardware has one or more specifically defined tasks. Email, database, and other business-critical applications run on specific servers. This model is not the answer for future requirements.


Advantage of Software-Defined Data Center
Slide 2-24

Some of the most agile providers and consumers are moving system intelligence into software through custom applications or platforms.

Figure: Google, Facebook, and Amazon data centers place a software/hardware abstraction layer over any x86 server, any storage, and any IP network.

Providers are decoupled from physical infrastructure, allowing them to use any x86, any storage, and any IP networking hardware. This approach increases agility, reduces cost, and provides a highly scalable infrastructure with a software-defined data center approach. These benefits result from a hardware-abstraction software layer that runs on top of the hardware.


Choice for New IT
Slide 2-25

Software can innovate much faster than hardware.

Figure: the software-defined data center (any application on any x86 server, any storage, and any IP network), as used in the Google, Facebook, and Amazon data centers, contrasted with the hardware-defined data center.

The software-defined data center is similar to the approach taken by Amazon, Google, and Facebook. This approach does not include a vertically integrated, hardware-specific approach. For example, with a hardware-centric infrastructure, you must buy in-unit networking hardware for the network to function. With the software-defined data center approach, you can run any network switch.


Software-Defined Data Center as New IT
Slide 2-26

The software-defined data center can span across multiple data centers and into hybrid service providers, independent of physical infrastructure.

Figure: a software-defined data center, an inter-data center deployment, and a hybrid data center, each running any application on any x86 server, any storage, and any IP network over a common data center virtualization layer.

VMware NSX can do layer 2, SSL, and IPsec VPNs. This functionality provides business continuance and disaster recovery capabilities, which are not otherwise available. NSX can be combined with VMware vCloud Hybrid Service to provide a hybrid cloud strategy.


Components of a Software-Defined Data Center
Slide 2-27

The software-defined data center extends virtualization.

Figure: applications run on software-defined data centers (virtual compute, virtual storage, virtual network, policy, security, scale) that are hardware independent (IP network hardware, server hardware, storage hardware) and location independent (Data Center 1, Data Center 2, public DC); administration covers policy configuration, operational visibility, and cloud management; users reach the environment from desktops, virtual desktops, laptops, tablets, and mobile devices over the Internet.

The software-defined data center extends the virtualization concepts like abstraction, pooling, and automation to all data center resources and services. Components of the software-defined data center can be implemented together, or in phases:
Compute virtualization, network virtualization, and software-defined storage deliver abstraction, pooling, and automation of the compute, network, and storage infrastructure services.
Automated management delivers a framework for policy-based management of data center applications and services.


Vision and Strategy
Slide 2-28

The software-defined data center is not a product, but it is an approach.

The software-defined data center leverages products from VMware and other companies. Management and orchestration are used to configure, manage, monitor, and operationalize a software-defined data center. Products like VMware vCloud Automation Center, VMware vCenter Operations Management Suite, and VMware vCenter Log Insight, and also third-party solutions or custom cloud management platforms, can be used.
The software-defined data center has the following advantages:
A software-defined data center is decoupled from the underlying hardware, and takes advantage of underlying network, server, and storage hardware.
A software-defined data center is location-independent and can be in a single data center, span multiple private data centers, or span hybrid public data centers.
A software-defined data center leverages a data center virtualization layer to enable independent, isolated application environments to be deployed on top of the hardware- and location-independent infrastructure.


Virtual Compute, Storage, and Network
Slide 2-29

The pooling of hardware resources provides many advantages.

Figure: in software, virtual machines, virtual networks, and virtual storage are consumed by applications; in hardware, compute capacity, network capacity, and storage capacity are pooled with location independence; users connect from desktops, virtual desktops, laptops, tablets, and mobile devices over the Internet.

The software-defined data center is a unified data center platform that provides automation, flexibility, and efficiency. Compute, storage, networking, security, and availability services are pooled, aggregated, and delivered as software. These services are also managed by intelligent, policy-driven software.


Data Center Hardware
Slide 2-30

NSX uses existing data center hardware.

Figure: the existing physical network.

NSX enables you to start with your existing network and server hardware in the data center.


Hypervisors and Virtual Switches
Slide 2-31

ESXi hosts, virtual switches, and distributed switches run on the hardware.

NSX: Network Virtualization Platform


Slide 2-32

NSX handles the data across the virtual switches.

NSX adds nothing to the physical switching environment. NSX exists in the ESXi environment and is independent of the network hardware.


About a Virtual Network
Slide 2-33

A virtual network is a software container that delivers network services. These are the network services that connected workloads expect from a network.

Network Virtualization: Layer 2


Slide 2-34

NSX virtualizes logical switching.

The slide shows an example of layer 2 connectivity between two virtual machines on the same hypervisor and host. Traffic on the layer 2 network never leaves the hypervisor.


Network Virtualization: Layer 3
Slide 2-35

NSX virtualizes logical routing.

Figure: logical routing over the existing physical network.

The slide shows an example where NSX virtualizes the layer 3 connectivity between two virtual machines on the same hypervisor and host. NSX virtualizes the layer 3 connectivity in different IP subnets and logical switches without leaving the hypervisor to use a physical router. This virtualization also provides routing between two virtual machines on two different sides of the data center across multiple layer 3 subnets and availability zones.


Concept Summary
Slide 2-36

A review of concepts discussed in this lesson:
What is the layer where management components operate? The management plane.
What is the layer where control components operate? The control plane.
What is the layer where data is transmitted? The data plane.
What is a vSphere port group created on a distributed switch with NSX modules installed called? A logical switch.
What are multiple tenants connected to the same egress point, segregated by isolating the tenant networks, called? Multitenant.
What handles NSX communications between the VMware NSX Manager, VMware NSX Controller, and ESXi host? The User World Agent (UWA).
What uses layer 3 UDP encapsulation to extend logical layer 2 networks across layer 3 boundaries? Virtual Extensible Local Area Network (VXLAN).
What is used for integration into a cloud management platform? The Representational State Transfer API (REST API).
What is the virtual machine used by NSX for control plane operations? The NSX Controller.


Review of Learner Objectives
Slide 2-37

You should be able to meet the following objectives:
Describe advantages of the software-defined data center
Identify components of the software-defined data center
Explain the role of the virtual network in the software-defined data center

Lesson 3: Introduction to NSX and NSX Manager
Slide 2-38

Learner Objectives
Slide 2-39

By the end of this lesson, you should be able to meet the following objectives:
Describe capabilities of NSX
Explain differences between the data, control, and management planes
Recognize NSX topologies
Illustrate the role of NSX Manager

NSX Capabilities
Slide 2-40

NSX has a number of features.
Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
Logical Routing: Routing between virtual networks without exiting the software container
Logical Firewall: Distributed firewall, kernel integrated, high performance
Logical Load Balancer: Application load balancing in software
Logical Virtual Private Network (VPN): Site-to-site and remote access VPN in software
VMware NSX API: REST API for integration into any cloud management platform
Partner Ecosystem
Any Network Hardware

NSX provides the following functional services:
Logical layer 2 to enable the extension of a layer 2 segment or IP subnet anywhere in the fabric, irrespective of the physical network design.
Distributed routing to enable routing between IP subnets without traffic going out to the physical router.
Distributed firewall to enable security enforcement at the kernel and VNIC level.
Logical load balancing to provide support for layer 4 through layer 7 load balancing with the ability to do SSL termination.
SSL VPN services to enable layer 2 VPN services.


Prepare for Installation: Client and User Access
Slide 2-41

The requirements for deploying NSX to a vSphere environment are the following:
Management system and browser requirements:
A supported web browser:
- Internet Explorer 8, 9 (64-bit), and 10.
- The two most recent versions of Mozilla Firefox.
- The two most recent versions of Google Chrome.
The vSphere Web Client.
Cookies enabled in the browser used for management.
Environment requirements:
Correct DNS configuration for ESXi hosts added by name.
User permissions to add and power on virtual machines.
Permissions to add files to the virtual machine datastore.

NSX has the following requirements:
vCenter Server 5.5 or later
ESXi 5.0 or later for each server
VMware Tools


Prepare for Installation: Port Requirements
Slide 2-42

NSX components require a number of ports for NSX communications:
443 between the ESXi hosts, vCenter Server, and NSX Manager.
443 between the REST client and NSX Manager.
TCP 902 and 903 between the vSphere Web Client and ESXi hosts.
TCP 80 and 443 to access the NSX Manager management user interface and initialize the vSphere and NSX Manager connection.
TCP 22 for CLI troubleshooting.

NSX requires these ports for installation and daily operations.
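To turn the slide's port list into something checkable, here is an added example (not VMware code) that expands the listed flows to constructed host addresses and reports which ones a candidate firewall rule set fails to allow, and which allow rules expose the CLI or plain-HTTP port to any source. The addresses, the role-to-host mapping, the rule set, and the reading of "443 between the ESXi hosts, vCenter Server, and NSX Manager" as host-to-vCenter, host-to-Manager, and vCenter-to-Manager flows are all assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed management network: role -> addresses (assumption, not from the slide).
HOSTS = {
    "esxi": ["10.0.0.11", "10.0.0.12"],
    "vcenter": ["10.0.0.20"],
    "nsx_manager": ["10.0.0.30"],
    "rest_client": ["10.0.1.5"],
    "web_client": ["10.0.1.6"],
    "admin_workstation": ["10.0.1.7"],
}

# TCP flows the slide lists as required: (source role, destination role, port).
# "443 between ESXi hosts, vCenter Server and NSX Manager" is read as the
# first four entries (an interpretation, not stated on the slide).
REQUIRED_FLOWS = [
    ("esxi", "vcenter", 443),
    ("esxi", "nsx_manager", 443),
    ("vcenter", "nsx_manager", 443),
    ("nsx_manager", "vcenter", 443),
    ("rest_client", "nsx_manager", 443),
    ("web_client", "esxi", 902),
    ("web_client", "esxi", 903),
    ("admin_workstation", "nsx_manager", 80),
    ("admin_workstation", "nsx_manager", 443),
    ("admin_workstation", "nsx_manager", 22),
]


@dataclass(frozen=True)
class Rule:
    """One stateless TCP rule; first match wins, no match means deny."""
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # destination TCP ports, () means any port
    action: str   # "allow" or "deny"

    def matches(self, src_ip, dst_ip, port):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (not self.ports or port in self.ports))


def first_match(rules, src_ip, dst_ip, port):
    """Return the first rule that matches the flow, or None (implicit deny)."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip, port):
            return rule
    return None


def missing_flows(rules, hosts=HOSTS, flows=REQUIRED_FLOWS):
    """Required flows the rule set does not allow, expanded to (src, dst, port)."""
    gaps = []
    for src_role, dst_role, port in flows:
        for src_ip in hosts[src_role]:
            for dst_ip in hosts[dst_role]:
                rule = first_match(rules, src_ip, dst_ip, port)
                if rule is None or rule.action != "allow":
                    gaps.append((src_ip, dst_ip, port))
    return gaps


def overly_broad(rules, sensitive=(22, 80)):
    """Allow rules that open the CLI (22) or plain HTTP (80) port from any source."""
    return [r for r in rules
            if r.action == "allow"
            and ipaddress.ip_network(r.src).prefixlen == 0
            and (not r.ports or set(r.ports) & set(sensitive))]


# Constructed candidate rule set with deliberate gaps, to exercise the checks.
CANDIDATE_RULES = [
    Rule("10.0.0.0/24", "10.0.0.30/32", (443,), "allow"),     # mgmt net -> NSX Manager
    Rule("10.0.0.11/32", "10.0.0.20/32", (443,), "allow"),    # only one ESXi host -> vCenter
    Rule("10.0.0.30/32", "10.0.0.20/32", (443,), "allow"),    # NSX Manager -> vCenter
    Rule("10.0.1.0/24", "10.0.0.30/32", (80, 443), "allow"),  # admin subnet -> NSX Manager UI
    Rule("10.0.1.0/24", "10.0.0.0/24", (902,), "allow"),      # Web Client -> ESXi; 903 forgotten
    Rule("0.0.0.0/0", "10.0.0.30/32", (22,), "allow"),        # SSH to NSX Manager from anywhere
    Rule("0.0.0.0/0", "0.0.0.0/0", (), "deny"),
]

if __name__ == "__main__":
    for gap in missing_flows(CANDIDATE_RULES):
        print("missing allow: %s -> %s tcp/%d" % gap)
    for rule in overly_broad(CANDIDATE_RULES):
        print("too broad:", rule)
```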


Installation: Manager OVA
Slide 2-43

After ensuring the correct preparation steps, install the OVA:
1. Obtain the NSX Manager OVA file.
2. Deploy the NSX Manager OVA file.
3. Log in to the NSX Manager.
4. Establish the NSX Manager and vCenter Server connection.
5. Back up the NSX Manager data.

To install the OVA:
1. Place the NSX Manager Open Virtualization Appliance (OVA) file in a location accessible to your vCenter Server and ESXi hosts.
2. Import the OVA like any other virtual machine. During the import process, you are prompted to configure the initial network settings.
3. Power on the NSX Manager.
4. Log in to the administrative interface to configure the NSX Manager.
5. Configure the different NSX settings.
The NSX features are ready to use.


Initial Configuration: Management UI
Slide 2-44

Access the NSX Manager user interface to configure the manager initially.

Screenshot: the NSX Manager Virtual Appliance Management page, with the options Download Tech Support Log, Manage Appliance Settings, Backup & Restore, Manage vCenter Registration, and Upgrade.

After logging in to the NSX Manager, click Manage Appliance Settings to configure the initial settings.


Initial Configuration: Time and Syslog Settings
Slide 2-45

Configure the time server and syslog settings.

Screenshot: the General settings page, with the NTP server and time zone under Time Settings, and the syslog server name or IP address, port, and protocol (UDP) under Syslog Server.

On the General page, configure the time and syslog services.


Initial Configuration: Network Settings
Slide 2-46

Assign the NSX Manager to the correct IP address and configure other IP settings.

Screenshot: the Network Settings page, with the host name, domain name, SSL certificate, IPv4 information (address, netmask, default gateway), IPv6 information (address, prefix length, default gateway), and primary and secondary IPv4 and IPv6 DNS servers.

Verify that the network settings are correct.


Initial Configuration: vCenter Server Connection
Slide 2-47

Register the NSX Manager with a vCenter Server to begin using NSX capabilities.

Screenshot: the NSX Management Service page, with the Lookup Service registration and the vCenter Server registration (vCenter Server address, user name, and password).

Connect the NSX Manager to the desired vCenter Server and the initial configuration is complete.


NSX Overview: Planes
Slide 2-48

Each component operates in a specific plane.

Figure: four stacked layers: Consumption Model, Management Plane, Control Plane, and Data Plane.

NSX uses the management plane, control plane, and data plane models. Components on one plane have minimal or no effect on the functions of the planes below.


NSX Overview: Data Plane Components
Slide 2-49

The data plane handles the flow of data between endpoints.

Figure: beneath the Consumption Model, Management Plane, and Control Plane layers, the Data Plane contains the NSX Virtual Switch (the distributed switch with the VXLAN, distributed logical router, and distributed firewall hypervisor kernel modules on ESXi) and the NSX Edge services gateway. VMware NSX Virtual Switch: distributed network edge, line-rate performance. VMware NSX Edge gateway: virtual machine form factor, data plane for North-South traffic, routing and advanced services, switch security.

The data plane is defined by the distributed switch. The distributed switch does only layer 2 switching. Hosts have to be on the same layer 2 network so that virtual machines on each host can communicate with virtual machines on the other host.
NSX installs three vSphere Installation Bundles (VIBs) that enable NSX functionality on the host. One VIB enables the layer 2 VXLAN functionality, another VIB enables the distributed router, and the final VIB enables the distributed firewall. After adding the VIBs to a distributed switch, that distributed switch is called VMware NSX Virtual Switch. On NSX Virtual Switch, hosts are not restricted to the same layer 2 domain for virtual machine to virtual machine communication across hosts. You must migrate virtual machines from a host before installing the VIBs. If the VIBs must be removed, the ESXi host requires a reboot.
VMware NSX Edge gateway is not distributed and so the gateway lacks a control entity. NSX Edge gateway handles control traffic. Conceptually, an NSX Edge gateway should be on the barrier between the data and control planes.
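To make the VXLAN VIB's job concrete, here is an added example (not VMware code) that encapsulates a constructed Ethernet frame in a VXLAN/UDP/IPv4 packet between two VTEPs on different subnets and validates and decapsulates it on the receiving side, the mechanism by which hosts stop being "restricted to the same layer 2 domain". The VTEP and MAC addresses are constructed, VNI 5020 is taken from the Enterprise Topology slide, and UDP port 4789 is the IANA-assigned VXLAN port (RFC 7348); the port an NSX deployment uses is not given on this page.

```python
import struct

# VXLAN constants (RFC 7348). 4789 is the IANA-assigned port; the port NSX
# uses is not stated on this page and is an assumption here.
VXLAN_PORT = 4789
VXLAN_FLAG_I = 0x08          # "I" bit: the VNI field is valid
ETHERTYPE_IPV4 = 0x0800
IPPROTO_UDP = 17
VXLAN_OVERHEAD = 20 + 8 + 8  # outer IPv4 + UDP + VXLAN header (50 with outer Ethernet)


def mac(text):
    """'00:50:56:aa:00:01' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", ""))


def ipv4(text):
    """'10.1.1.11' -> 4 bytes."""
    return bytes(int(octet) for octet in text.split("."))


def ip_checksum(header):
    """RFC 791 ones'-complement checksum; returns 0 for a header that verifies."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni):
    """8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def ethernet_frame(dst_mac, src_mac, payload, ethertype=ETHERTYPE_IPV4):
    """Inner (tenant) Ethernet frame as it leaves the virtual machine."""
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def encapsulate(inner_frame, vni, src_vtep, dst_vtep, src_port=49152):
    """Sending VTEP: wrap a layer 2 frame in VXLAN/UDP/IPv4 so it can cross a
    routed (layer 3) underlay. The outer Ethernet header is omitted because the
    physical network rewrites it hop by hop."""
    payload = vxlan_header(vni) + inner_frame
    udp_len = 8 + len(payload)
    # UDP checksum 0 is permitted over IPv4 (RFC 768).
    udp = struct.pack("!HHHH", src_port, VXLAN_PORT, udp_len, 0)
    ip_fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000,
                            64, IPPROTO_UDP, 0, ipv4(src_vtep), ipv4(dst_vtep))
    ip_hdr = ip_fields[:10] + struct.pack("!H", ip_checksum(ip_fields)) + ip_fields[12:]
    return ip_hdr + udp + payload


def decapsulate(packet):
    """Receiving VTEP: validate the outer headers and return
    (vni, src_vtep, dst_vtep, inner_frame). Raises ValueError otherwise."""
    if len(packet) < VXLAN_OVERHEAD or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet large enough to carry VXLAN")
    ihl = (packet[0] & 0x0F) * 4
    if ip_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    if packet[9] != IPPROTO_UDP:
        raise ValueError("outer protocol is not UDP")
    src_vtep = ".".join(str(b) for b in packet[12:16])
    dst_vtep = ".".join(str(b) for b in packet[16:20])
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    if dst_port != VXLAN_PORT:
        raise ValueError("UDP destination port is not the VXLAN port")
    flags, vni_field = struct.unpack("!B3xI", packet[ihl + 8:ihl + 16])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag clear: VNI is not valid")
    inner = packet[ihl + 16:ihl + udp_len]
    return vni_field >> 8, src_vtep, dst_vtep, inner


def is_vxlan(packet):
    """True if decapsulate() accepts the packet."""
    try:
        decapsulate(packet)
        return True
    except ValueError:
        return False


def demo():
    """Two VMs on logical switch VNI 5020 whose hosts (VTEPs) sit in different
    IP subnets; the inner frame crosses the layer 3 boundary unchanged."""
    inner = ethernet_frame("00:50:56:aa:00:02", "00:50:56:aa:00:01",
                           b"constructed tenant payload")
    wire = encapsulate(inner, 5020, "10.1.1.11", "10.2.2.12")  # constructed VTEPs
    vni, src, dst, recovered = decapsulate(wire)
    return {"vni": vni, "src_vtep": src, "dst_vtep": dst,
            "inner_intact": recovered == inner, "overhead": len(wire) - len(inner)}


if __name__ == "__main__":
    print(demo())
```

The 36 bytes of overhead reported by demo() (50 with the outer Ethernet header) are why the physical underlay needs a larger MTU than the virtual machines use.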


NSX Overview: Control Plane Components
Slide 2-50

The control plane handles the implementation.

Figure: beneath the Consumption Model and Management Plane, the Control Plane contains the NSX Controller, the NSX Logical Router Control VM, and the User World Agent (manages logical networks, run-time state, does not sit in the data path, control plane protocol); the Data Plane below contains the NSX Virtual Switch (distributed network edge, line-rate performance) and the NSX Edge services gateway (virtual machine form factor, data plane for North-South traffic, routing and advanced services, switch security).

The NSX logical router control virtual machine and VMware NSX Controller are virtual machines that are deployed by VMware NSX Manager.
The user world agent (UWA) is composed of the netcpad and vsfwd daemons on the ESXi host. Communication related to NSX between the NSX Manager instance or the NSX Controller instances and the ESXi host happens through the UWA.
The logical router control virtual machine handles routing network relationships. This virtual machine gives the routing table to the NSX Manager instance.
The NSX Virtual Switch does not control routing plane traffic, so the NSX logical router control virtual machine is instantiated on its behalf to handle that function. One NSX Controller virtual machine gets deployed for each distributed logical router instance. The NSX Controller instance retains information for the media access control (MAC), Address Resolution Protocol (ARP), and Virtual Tunnel End Point (VTEP) tables. VMware recommends that you deploy NSX Controller instances in clusters of three to prevent situations where the NSX Controller clusters are split evenly.
If the control plane components are lost, the ability to form new paths between virtual machines is also lost and the current paths age out as the TTLs expire.


NSX Overview: Management Plane Component


Slide 2-51

The management plane handles the user management input.

[Slide diagram: the NSX planes]
Consumption Model
Management Plane: NSX Manager, vCenter Server, Message Bus Agent
Single point of configuration
REST API and UI interface
Control Plane: NSX Logical Router Control VM, NSX Controller, User World Agent
Manages logical networks
Run-time state
Does not sit in the data path
Control plane protocol
Data Plane: NSX Virtual Switch (Distributed Switch, VXLAN, Distributed Firewall, Logical Router) and NSX Edge Services Gateway
Distributed network edge
Line rate performance
NSX Edge gateway virtual machine form factor
Data plane for North-South traffic
Routing and advanced services
Switch Security

NSX Manager communicates with a vCenter Server system and is the interface for the VMware
NSX API for third-party applications that integrate with NSX. The NSX Controller instances are
deployed by the NSX Manager instance. NSX Manager requests the vCenter Server system to
deploy the NSX Controller virtual machines from OVA files.

Module 2

NSX Networking

65

NSX Overview: Consumption


Slide 2-52

These planes build a virtualized network that is consumed by customers.


[Slide diagram: the consumption model (self-service portal, cloud management, VMware vCloud
Automation Center) sits above the management plane (NSX Manager, vCenter Server, Message Bus
Agent), the control plane (NSX Logical Router Control VM, NSX Controller, User World Agent)
and the data plane (NSX Virtual Switch with its hypervisor kernel modules for the distributed
switch, VXLAN, distributed firewall and logical router, plus the NSX Edge Services Gateway).
The plane annotations are the same as on slide 2-51.]

All of these components build an infrastructure for networking that is consumed in the same fashion
as compute, memory, and storage resources in the software-defined data center.


Enterprise Topology
Slide 2-53

A common enterprise-level topology.

[Slide diagram: an external network behind a physical router; the NSX Edge Services Gateway
connects to the physical router over a VLAN 20 uplink, and logical router instance 1 (LR Instance 1)
connects to the NSX Edge Services Gateway over a VXLAN 5020 uplink.]

NSX Manager helps to configure and manage logical routing services. During the configuration
process, you can deploy either a distributed or a centralized logical router. If the distributed router is
selected, the NSX Manager instance deploys the logical router control virtual machine and pushes
the logical interface configurations to each host through the NSX Controller cluster.
In centralized routing, NSX Manager deploys the NSX Edge services router virtual machine. The
API interface of NSX Manager helps automate deployment and management of these logical routers
through a cloud management platform.


Service Provider: Multiple Tenant Topology


Slide 2-54

Multiple tenants to the same NSX Edge gateway.


[Slide diagram: two tenants, each with its own logical router, connected to the external network
through one NSX Edge Services Gateway.]

In a service provider environment, multiple tenants exist. Each tenant can have different
requirements in terms of the number of isolated logical networks and other network services, such as
load balancing, firewall, and VPN. In such deployments, the NSX Edge services router provides
network services capabilities and dynamic routing protocol support.
As shown in the slide, the two tenants are connected to the external network through the NSX Edge
services router. Each tenant has its own logical router instance that provides routing within the
tenant. A dynamic routing protocol is configured between the tenant logical router and the NSX Edge
services router. This routing protocol provides the connectivity from the tenant virtual machines to
the external network.
In this topology, the East-West traffic routing is handled by the distributed router in the hypervisor
and the North-South traffic flows through the NSX Edge services router.


Multiple Tenant Topology: Scalable Design


Slide 2-55

This multitenant topology is more flexible.

[Slide diagram: two NSX Edge Services Gateway instances attached to the external network, each
serving its own set of tenants; each tenant has a Web logical switch.]

The service provider topology can be scaled out as shown in the slide. The diagram shows nine
tenants served by an NSX Edge instance on the left and the other nine tenants served by an NSX
Edge instance on the right. The service provider can easily provision another NSX Edge instance to
serve additional tenants.


Scalability
Slide 2-56

Scaling compute infrastructure:
Adding hosts to clusters
Adding new clusters
Effect on distributed switch design: Distributed switch can span across 1,000 hosts.

Scaling number of users or applications:
More virtual machines are connected to isolated networks (VLANs)
Effects on distributed switch design:
Separate port groups for each application
10,000 port groups are supported
The number of virtual ports is 60,000
Dynamic port management (static ports)

[Slide diagram: one distributed switch spanning Cluster 1, Cluster 2 and Cluster 3.]

The distributed switch supports up to 1,000 hosts, which allows for a wide variety of scaling options.
These options range from a model where every cluster has its own distributed switch to a model
with a single distributed switch spanning all clusters. NSX even supports multiple distributed
switches in the same cluster.
If a distributed switch spans multiple clusters, when you create a port group, every host connected to
that distributed switch knows about the new port group. Thus, every new port group can cause
additional resource consumption. The main reason to span a distributed switch across clusters is to
support virtual machine migration with vSphere vMotion.


NSX for vSphere : Scale Boundaries


Slide 2-57

1:1 Mapping of the vCenter Server System to the NSX Cluster

[Slide diagram: the vSphere vMotion boundaries (vSphere vMotion based on DRS, manual vSphere
vMotion) and the logical network span.]

NSX is coupled with the vCenter Server system to provide enhanced functionality on VMware
hypervisors so that it scales in parallel with the vCenter Server system. Typically a cloud
management system is used to aggregate multiple vCenter Server systems and NSX Manager
instances to enable horizontal scalability.
NSX Manager and vCenter Server systems are linked 1:1 and NSX Controller clusters are deployed
by NSX Manager. In addition to the vSphere vMotion boundaries, VMware NSX for vSphere
enables layer 2 connectivity that spans the entire vCenter Server using VXLAN. The vCenter Server
system includes 1,000 hosts and 10,000 virtual machines.
NSX provides a similar architecture. The main difference is that the NSX Controller cluster scales
independently from the vCenter Server system. So the vSphere vMotion boundaries are the same, but
NSX allows logical networks and layer 2 boundaries to extend beyond a single vCenter Server
system. The limit is still 1,000 hypervisors, but multiple hypervisor platforms are supported.


NSX Manager
Slide 2-58

NSX centralized management plane:

Provides the management UI and NSX API.
Installs UWA, VXLAN, distributed routing, and distributed firewall kernel modules.
Configures the NSX Controller cluster through a REST API.
Configures hosts through a message bus.
Generates certificates to secure control plane communications.

NSX Manager is the only component that is installed. NSX Manager handles all the management
tasks. A direct correlation of one vCenter Server system to one NSX Manager exists. So if vCloud
Automation Center is present with multiple vCenter Server systems, each of those vCenter Server
systems has an NSX Manager instance.
An installation of NSX Manager includes OVA files to deploy the NSX Edge gateways, NSX
Controller, and the VIBs that get pushed to the ESXi hosts for the distributed switches. NSX
Manager uses REST API for external communications from third-party applications such as
firewalls and security software that integrate with NSX.


Building the NSX Platform


Slide 2-59
You can deploy NSX by using this process.

Prerequisites:
Physical Network VXLAN Transport Network, MTU
vCenter Server 5.5 and ESXi 5.5
vSphere Distributed Switch

[Slide diagram of the deployment stages]
Preparation: Host Preparation, Logical Network Preparation
Logical Networks: Deploy Logical Switches per tier; Deploy Distributed Logical Router or Connect
to Existing Router; Create Bridged Network; Connect to Centralized Router
Logical Network or Security Services
Programmatic Virtual Network Deployment
Consumption

NSX deploys into vSphere clusters. The NSX platform has basic requirements. Any server on which
you can install ESXi 5.5 can run NSX, connected to any physical network. Multicast over the
physical infrastructure is an added benefit but not required. After you deploy NSX Manager, you
deploy NSX Controller instances, VIBs, and configure the virtual network.


Lab 1: Introduction
Slide 2-60

At the beginning of lab 1, the installation of NSX Manager is complete. The focus of this lab is
verification of the initial configuration.

[Screenshots: the NSX Manager appliance management pages. Manage > Settings: General (time
settings, NTP server, time zone), Network (hostname, domain name, IPv4 and IPv6 address, netmask
or prefix length, default gateway, primary and secondary DNS servers, search domains), SSL
Certificates, Backups & Restore, Upgrade. Manage > Components: NSX Management Service,
Lookup Service and vCenter Server (vCenter Server address, vCenter user name, status).]


Lab 1: Configuring NSX Manager


Slide 2-6 1

Attach an NSX Manager appliance to a vCenter Server system

1. Access Your Lab Environment
2. Review the NSX Manager Configuration
3. Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
4. License vCenter Server, the ESXi Hosts, and NSX Manager
5. Clean Up for the Next Lab


Concept Summary
Slide 2-62

A review of concepts discussed in this lesson:

What is the set of rules used by routers to determine paths called?
Routing Protocols

Which protocol facilitates the propagation of multicast traffic across a routed network?
Protocol Independent Multicast (PIM)

What is used to acquire the MAC addresses associated with IP addresses?
Address Resolution Protocol (ARP)

What is the layer 2 address of a network interface?
Media Access Control (MAC) address

What is used to issue textual commands to NSX components?
Command Line Interface (CLI)

What is the file format used to store and import virtual machines?
Open Virtualization Format (OVF)

What is a network device used to restrict and filter traffic between networks and endpoints?
A Firewall

What is a service embedded in the ESXi kernel that is used to protect virtual machines called?
Distributed Firewall

What is the method for dividing workloads among NSX controllers?
Slice

What is an appliance deployed by the NSX manager, primarily used for perimeter services?
NSX Edge


Review of Learner Objectives


Slide 2-63

You should be able to meet the following objectives:

Describe capabilities of NSX
Explain differences between the data, control, and management planes
Recognize NSX topologies
Illustrate the role of NSX Manager


Lesson 4: NSX Controller


Slide 2-64


Learner Objectives
Slide 2-65

By the end of this lesson, you should be able to meet the following
objectives:

Describe NSX Controller instances
Explain NSX Controller clustering
Determine NSX Controller roles


NSX Controller
Slide 2-66

NSX Controller provides:

VXLAN distribution and logical routing network information to ESXi hosts.
Clustering for scale out and high availability.
Workload distribution within an NSX Controller cluster.
Removal of multicast routing and PIM dependency in the physical network.
Suppression of ARP broadcast traffic in VXLAN networks.

[Slide diagram: the NSX Controller VXLAN Directory Service, holding the MAC table, ARP table,
and VTEP table.]

VMware recommends that you have three NSX Controller instances for each NSX Controller
cluster. You should always have an odd number of NSX Controller instances to avoid a situation in
which the NSX Controller instances are split evenly on a decision.
NSX Controller stores four types of tables:
The ARP table
The MAC table
The VTEP table
The routing table
The ESXi host, with NSX Virtual Switch, intercepts the following types of traffic:
Virtual machine broadcast
Virtual machine unicast
Virtual machine multicast
Ethernet requests
The host queries the NSX Controller instance to retrieve the correct response to those requests.


For example, when a virtual machine sends an ARP request to get the MAC address for another
virtual machine, that ARP request is intercepted by the host and sent to the NSX Controller instance.
If the NSX Controller instance has the correct information, the information is returned to the host
and the host replies to the virtual machine locally. Thus, broadcast traffic is reduced across the
VXLAN and the various tables on the NSX Controller instance are built. NSX Controller gets the
routing tables from the logical routing controller virtual machine.


NSX Controller Cluster Deployment


Slide 2-67

NSX Controller nodes are deployed as virtual machines.

Each virtual machine consumes 4 vCPU and 4 GB of RAM.
NSX Controller password is defined during the deployment of the first node and is consistent
across all nodes.
NSX Controller nodes must be deployed in the same vCenter Server instance that NSX Manager is
connected to.
A cluster size of 3 NSX Controller nodes is recommended.
NSX Controller interaction is through CLI, and configuration operations are available through
NSX API.

The first NSX Controller instance that is deployed requests a password and all future NSX
Controller instances that are deployed use this password. This password is used by a user to connect
through SSH into NSX Manager or NSX Controller. NSX Controller must be connected to the same
vCenter Server system as NSX Manager. VMware recommends that you deploy NSX Controller
instances in clusters of three. Each NSX Controller instance in a cluster must be deployed
individually.


Control Plane Interaction


Slide 2-68

ESXi hosts and NSX logical router virtual machines learn network information and send it to NSX
Controller through UWA.
The NSX Controller CLI provides a consistent interface to verify VXLAN and logical routing
network state information.
NSX Manager also provides APIs to programmatically retrieve data from the NSX Controller nodes
in future.

[Slide diagram: NSX Manager and the NSX Controller cluster.]

NSX Controller uses the UWA daemons to communicate from the host's management address. NSX
Controller instances in a cluster replicate the different ARP, MAC, and VTEP tables in that cluster.


Control Plane Security


Slide 2-69

All NSX Control communication is protected with SSL encryption over the management network.
NSX Manager creates and installs self-signed certificates to each ESXi host and NSX Controller
cluster.
Mutual authentication of NSX entities occurs by verifying certificates.

The control plane is secured with SSL encryption by using certificates that are managed by NSX
Manager.


Control Plane Security: Diagram


Slide 2-70

The control plane requires certificate-based authentication.

[Slide diagram: NSX Manager with its REST API, the create-certificate step, the NSX Manager
database, and the message bus.]

NSX Manager creates certificates and stores them in a database. NSX Manager pushes these
certificates to the NSX Controller instances as they are deployed. NSX Manager uses the message
bus to talk to the host for deploying the VIBs. NSX Controller and the host go through the UWA
daemons.


User World Agent


Slide 2-71

The UWA has the following features:

Runs as a service daemon called netcpa.
Uses SSL to communicate with NSX Controller on the control plane.
Mediates between NSX Controller and the hypervisor kernel modules, except the distributed
firewall.
Retrieves information from NSX Manager through the message bus agent.
The Distributed Firewall kernel modules communicate directly with NSX Manager through the
vsfwd service daemon.

[Slide diagram: three NSX Controller instances, the kernel modules, and the ESXi host.]

The UWA includes two daemons that run on the host. The UWA is responsible for communication
between NSX Controller and ESXi host for layers 2 and 3, and for VXLAN communications. The
UWA can connect to multiple NSX Controller instances and maintains logs at /var/log/netcpa.log.
The distributed firewall has its own daemon. This daemon talks directly to NSX Manager.


NSX Controller: Master Election


Slide 2-72

Each role needs a master.
Masters for different roles can sit on different nodes.
NSX Controller uses Paxos-based algorithm.
Guaranteed correctness (not necessarily convergence).

Two roles are used for NSX Controller workloads. These roles are called logical switches and
logical routers. A master election determines the NSX Controller instance that is the master for a
particular role. Every role has a master. The master selects the NSX Controller instances and
allocates the portion of work for that role.
Paxos is a family of protocols for solving consensus in a network of unreliable processors.


Master Failure Scenario


Slide 2-73

A node failure triggers an election for roles when the master is no longer available for that role.
A new node is promoted to master after the election process.

[Slide diagram: NSX Controller nodes with the VXLAN role.]

If a master NSX Controller instance for a role fails, the cluster elects a new master for that role from
the available NSX Controller instances. The new master NSX Controller instance for that role
reallocates the lost portions of work among the remaining NSX Controller instances.
NSX Controller instances are on the control plane. So an NSX Controller failure does not affect data
plane traffic. For example, if the host requests the MAC address for an IP address through an ARP
request, and the NSX Controller instance does not respond, then the ARP is processed. The normal
ARP request process does not wait for the NSX Controller instance.
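The ARP interception and controller lookup described under slide 2-66, together with the fall-through to normal ARP when the NSX Controller instance does not respond described above, as an added Python model; it is not course or NSX code, and the class names, table layout, host names and addresses are constructed assumptions.

```python
"""Model of NSX Controller ARP suppression, written for this lecture note.

Constructed example: the class names, table layout, host names and addresses
below are assumptions made for illustration, not NSX internals.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Controller:
    """One NSX Controller instance: ARP (IP -> MAC) and VTEP (MAC -> VTEP) tables."""
    arp_table: Dict[str, str] = field(default_factory=dict)
    vtep_table: Dict[str, str] = field(default_factory=dict)
    online: bool = True  # set False to model the failure scenario

    def report(self, ip: str, mac: str, vtep_ip: str) -> None:
        # A host reports a VM it runs (through the UWA); this is how the
        # controller's tables get built.
        self.arp_table[ip] = mac
        self.vtep_table[mac] = vtep_ip

    def lookup(self, ip: str) -> Optional[str]:
        # A host asks for a MAC; None means "no answer" (unknown, or controller down).
        if not self.online:
            return None
        return self.arp_table.get(ip)


class LogicalSwitch:
    """The VXLAN segment (one VNI) that a set of hosts participates in."""

    def __init__(self) -> None:
        self.hosts: List["Host"] = []

    def attach(self, host: "Host") -> None:
        self.hosts.append(host)

    def flood_arp(self, target_ip: str) -> Optional[str]:
        # Every host receives the broadcast; the one running target_ip replies.
        for host in self.hosts:
            if target_ip in host.local_vms:
                return host.local_vms[target_ip]
        return None


@dataclass
class Host:
    """An ESXi host with NSX Virtual Switch; records what it flooded on the VXLAN."""
    name: str
    vtep_ip: str
    controller: Controller
    switch: LogicalSwitch
    local_vms: Dict[str, str] = field(default_factory=dict)  # IP -> MAC
    flooded: List[str] = field(default_factory=list)          # target IPs broadcast

    def add_vm(self, ip: str, mac: str) -> None:
        self.local_vms[ip] = mac
        self.controller.report(ip, mac, self.vtep_ip)

    def resolve(self, target_ip: str) -> dict:
        """Intercept a VM's ARP request for target_ip and answer it.

        Returns {'via': 'controller' | 'broadcast', 'mac': str | None}.
        """
        mac = self.controller.lookup(target_ip)
        if mac is not None:
            # The controller knew it: the host replies to the VM locally and
            # nothing is flooded across the VXLAN.
            return {"via": "controller", "mac": mac}
        # No answer from the controller: normal ARP proceeds without waiting,
        # and the broadcast is flooded to every host on the logical switch.
        self.flooded.append(target_ip)
        return {"via": "broadcast", "mac": self.switch.flood_arp(target_ip)}


def build_demo():
    """Two hosts, one VM each, sharing one controller and one logical switch."""
    ctrl = Controller()
    seg = LogicalSwitch()
    esx1 = Host("esx1", "10.20.0.1", ctrl, seg)   # constructed VTEP addresses
    esx2 = Host("esx2", "10.20.0.2", ctrl, seg)
    seg.attach(esx1)
    seg.attach(esx2)
    esx1.add_vm("172.16.10.11", "00:50:56:01:00:11")  # constructed VM addresses
    esx2.add_vm("172.16.10.22", "00:50:56:01:00:22")
    return ctrl, esx1, esx2


if __name__ == "__main__":
    ctrl, esx1, esx2 = build_demo()
    print(esx1.resolve("172.16.10.22"))   # answered locally from the controller
    ctrl.online = False
    print(esx1.resolve("172.16.10.22"))   # controller down: flooded, still resolves
    print("flooded:", esx1.flooded)
```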


NSX Controller Workload Distribution


Slide 2-74

The NSX Controller cluster must:

Dynamically distribute workloads across all available NSX Controller cluster nodes
Redistribute workloads when a cluster member is added
Have the ability to sustain failure of any cluster node
Perform the workload distribution so that it is transparent to applications

Solution: Slicing

Slicing is the action of dividing NSX Controller workloads into different slices so that each NSX
Controller instance has an equal portion of the work.


Slicing Assignment
Slide 2-75

For a given role, create a number of slices.
Define objects that are to be sliced.
Assign objects into their slices.

[Slide diagram: objects (logical switches / VNIs, logical routers) assigned into logical switch slices
and logical router slices.]

After a master NSX Controller instance is chosen for a role, that NSX Controller divides the
different logical switches and routers among all available NSX Controllers in a cluster. Each
numbered box on the slide represents slices that the master uses to divide the workloads. The logical
switch master divides the logical switches into slices and assigns these slices to different NSX
Controller instances. The master for the logical routers does the same.


Slicing Distribution
Slide 2-76

For a given role, create a number of slices.
Define objects that are to be sliced.
Assign objects into their slices.
Distribute slices across NSX Controller cluster nodes.

[Slide diagram: logical switch slices and logical router slices distributed across the NSX Controller
cluster nodes.]

These slices are assigned to the different NSX Controller instances in that cluster. The master for a
role decides which NSX Controller instances are assigned to which slices. If a request comes in on
router slice 6, the slice is told to connect to the third NSX Controller instance. If a request comes in
on logical switch slice 2, that request is processed by the second NSX Controller instance.


Slice Redistribution
Slide 2-77

When an NSX Controller fails, the master for the role redistributes slices among remaining nodes.
Slice redistribution happens on:
Creation of the NSX Controller cluster.
A reduction in the number of available NSX Controller nodes in the cluster.
An increase in the number of available NSX Controller nodes in the cluster.

When one of the NSX Controller instances in a cluster fails, the masters for the roles redistribute the
slices to the remaining available NSX Controller instances.
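The slicing steps of slides 2-75 to 2-77 (create slices for a role, assign objects to slices, distribute slices across nodes, and redistribute when nodes fail or join), as an added Python model that is not NSX code; the slice count per role, the CRC-based placement of objects, the round-robin placement of slices, the lowest-name rule standing in for the Paxos master election and the node names are assumptions made for the example.

```python
"""Model of NSX Controller slicing, written for this lecture note.

Constructed example: the slice count per role, the CRC-based placement of
objects into slices, the round-robin placement of slices onto nodes and the
"lowest node name is master" rule (a stand-in for the Paxos election) are
assumptions made for illustration, not NSX internals.
"""
import zlib
from typing import Dict, List


class RoleSlicer:
    """Slices one role's objects (logical switches or logical routers) over nodes."""

    def __init__(self, role: str, slice_count: int, nodes: List[str]) -> None:
        self.role = role
        self.slice_count = slice_count          # slices are numbered 1..slice_count
        self.nodes: List[str] = []
        self.master = ""
        self.slice_owner: Dict[int, str] = {}   # slice -> controller node
        self.redistributions = 0
        self.set_nodes(nodes)                   # cluster creation: first distribution

    def slice_of(self, obj_id: str) -> int:
        # An object (a VNI or a logical router id) is placed into a slice by a
        # stable hash, so every node computes the same slice for it.
        return 1 + zlib.crc32(obj_id.encode()) % self.slice_count

    def set_nodes(self, nodes: List[str]) -> None:
        # Called on cluster creation and whenever a node joins or fails: the
        # master for the role deals the slices round-robin over the live nodes.
        if not nodes:
            raise ValueError(f"no controller node left for role {self.role}")
        self.nodes = sorted(nodes)
        self.master = self.nodes[0]             # assumed election rule
        self.slice_owner = {s: self.nodes[(s - 1) % len(self.nodes)]
                            for s in range(1, self.slice_count + 1)}
        self.redistributions += 1

    def owner_of(self, obj_id: str) -> str:
        """Which controller node handles requests for this object."""
        return self.slice_owner[self.slice_of(obj_id)]

    def load(self) -> Dict[str, int]:
        """Slices carried per node; the counts never differ by more than one."""
        counts = {n: 0 for n in self.nodes}
        for node in self.slice_owner.values():
            counts[node] += 1
        return counts


class ControllerCluster:
    """Two roles, each with its own master and its own slice table."""

    SLICES = {"logical_switch": 6, "logical_router": 6}   # assumed slice counts

    def __init__(self, nodes: List[str]) -> None:
        self.nodes = sorted(nodes)
        self.roles = {r: RoleSlicer(r, n, self.nodes) for r, n in self.SLICES.items()}

    def node_failed(self, node: str) -> None:
        # A lost node (master or not) triggers redistribution for every role;
        # if it was a master, set_nodes() also picks the new one.
        self.nodes.remove(node)
        for role in self.roles.values():
            role.set_nodes(self.nodes)

    def node_added(self, node: str) -> None:
        self.nodes = sorted(self.nodes + [node])
        for role in self.roles.values():
            role.set_nodes(self.nodes)


if __name__ == "__main__":
    cluster = ControllerCluster(["ctl-1", "ctl-2", "ctl-3"])
    lr = cluster.roles["logical_router"]
    print("router slice 6 ->", lr.slice_owner[6])      # the third controller
    print("dlr-1 ->", lr.owner_of("dlr-1"))
    cluster.node_failed("ctl-1")                       # the master fails
    print("after failure:", lr.load(), "master:", lr.master)
```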


Component Interaction: Configuration


Slide 2-78

The components of the NSX platform are configured in a specific order.

[Slide diagram: deploy NSX Manager; register with vCenter Server; deploy the NSX Controller
cluster; deploy the NSX Edge gateway and configure network services; vSphere Cluster 1, vSphere
Cluster 2 ... vSphere Cluster N.]

The components of the NSX platform are configured in the following order:
1. Only NSX Manager is installed.
2. During NSX Manager installation, the vCenter Server IP address and credentials are provided
and the NSX Manager instance connects to the vCenter Server system. The NSX Manager
instance enables the NSX components in the VMware vSphere Web Client.
3. The vSphere Web Client is used to deploy the NSX Controller instances through NSX Manager.
4. After NSX Controller instances are deployed, hosts are prepared by using NSX Manager to
install the VIBs on the ESXi hosts in the cluster.
5. After the components are installed and deployed, you define the logical networking
components, such as adding distributed routers and creating firewall policies.
This procedure is repeated for each vSphere cluster.


Lab 2: Introduction (1)


Slide 2-79

Add NSX Controller clusters in odd numbers.

[Screenshots: vSphere Web Client, Home > Networking & Security. The navigator lists NSX Home,
Installation, Logical Switches, NSX Edges, Firewall, SpoofGuard, Service Definitions, Service
Composer, Data Security, Flow Monitoring, Activity Monitoring and Networking & Security
Inventory. The Installation > Management tab (next to Host Preparation) lists the NSX Manager at
192.168.110.42 and, under NSX Controller nodes, three nodes at 192.168.110.201,
192.168.110.202 and 192.168.110.203.]


Lab 2: Introduction (2)


Slide 2-80

Use the CLI to confirm the NSX Controller status.

nvp-controller # show control-cluster status
Type                Status                                    Since
Join status:        Join complete                             07/14 17:53:22
Majority status:    Connected to cluster majority             07/14 18:04:46
Restart status:     This controller can be safely restarted   07/14 18:04:47
Cluster ID:         47b40b57-fbdf-4fce-a171-bff6a36345b0
Node UUID:          47b40b57-fbdf-4fce-a171-bff6a36345b0


Lab 2: Configuring and Deploying an NSX Controller Cluster


Slide 2-8 1

Deploy a three-node NSX Controller Cluster


1. Prepare for the Lab
2. Deploy the First NSX Controller Instance
3. Verify That the First NSX Controller Instance Is Operational
4. Deploy the Second NSX Controller Instance
5. Verify That the Second NSX Controller Instance Is Operational
6. Deploy the Third NSX Controller Instance
7. Verify That the Third NSX Controller Instance Is Operational
8. Clean Up for the Next Lab


Review of Learner Objectives


Slide 2-82

You should be able to meet the following objectives:

Describe NSX Controller instances
Explain NSX Controller clustering
Determine NSX Controller roles


Key Points
Slide 2-83

Software is the foundation that is powering the evolution of networks and data center
infrastructure.
NSX uses the management plane, control plane, and data plane models.
NSX Controller provides VXLAN distribution and logical routing network information to ESXi
hosts.
Questions?


MODULE 3

Logical Switch Networks and VXLAN Overlays
Slide 3-1


You Are Here


Slide 3-2

VMware NSX: Install Configure Manage

Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway
NSX Security


Importance
Slide 3-3

Virtual Extensible LAN (VXLAN) enables you to create a logical network for your virtual machines
across different networks. You can create a layer 2 network on top of your layer 3 networks.


Module 3

Logical Switch Networks and VXLAN Overlays

101

Module Lessons
Slide 3-4

Lesson 1: Ethernet Fundamentals
Lesson 2: Overview of vSphere Distributed Switch
Lesson 3: Link Aggregation
Lesson 4: Virtual LANs
Lesson 5: VXLAN: Logical Switch Networks


Lesson 1: Ethernet Fundamentals


Slide 3-5


Learner Objectives
Slide 3-6

By the end of this lesson, you should be able to meet the following
objectives:

Describe Ethernet frames

Describe segmentation and encapsulation

Explain the Address Resolution Protocol (ARP) process


Review: Networking Definitions


Slide 3-7
Network: Physical connection that enables computers to communicate.
Frame: Unit of transfer, Layer 2 of the OSI model.
Packets (a layer 3 unit of transfer) are segmented into frames for transmission.
Frames are transmitted across the physical medium and assembled by the target/destination device.
Protocol: An agreement between two devices about how information is to be transmitted.
Broadcast Domain: Shared communication medium.
Delivery: The way a receiver identifies the destination of a frame:
The header is in the front of the frames [Header][Payload].
Many nodes might receive a frame, but only the identified destination keeps the frame (all others
discard).
Arbitration: The act of negotiating the use of a shared medium.
Point-to-point network: A network in which every physical wire is connected to only two devices.
Switch: A bridge that transforms a shared-bus (broadcast) configuration into a point-to-point
network.
Router: A device that acts as a junction between two layer 3 networks to transfer packets between
them.
Gateway: A device that connects two networks communicating over different protocols.


Ethernet
Slide 3-8

Source and destination identification uses media access control (MAC) addresses:
Listen and wait for channel to be available.
Carrier Sense Multiple Access with Collision Detection (CSMA-CD): If a collision occurs, wait a
random period before retrying.

Ethernet frame layout:
Preamble (8 bytes) | Destination (6 bytes) | Source (6 bytes) | Type (2 bytes) | Data (46 to 1,500 bytes) | CRC (4 bytes)

Destination and source are 48-bit MAC addresses (for example, 00:26:4a:18:f6:aa).
The Type indicates the protocol that the Data portion of the frame contains:
Type 0x0800 is IPv4
Type 0x0806 is ARP
Type 0x86DD is IPv6
Data part of layer 2 frame contains a layer 3 datagram.

Ethernet is the most commonly used layer 2 system in data centers. The main purpose of Ethernet is
to define the source and destination of frames and ensure that the shared medium is used efficiently
among all hosts.


MAC Tables
Slide 3-9

The MAC address tables associate MAC addresses with LAN ports on the switch.

Vlan  Mac Address      Type     Ports
----  ---------------  -------  ------
All   6570.7367.7450   STATIC   CPU
All   9efa.2054.4465   STATIC   CPU
1     0b9f.5a9e.76a8   DYNAMIC  Fa0/5
1     71d5.51c4.dcc4   DYNAMIC  Fa0/8
1     d7cb.463d.e5dc   DYNAMIC  Fa0/2
1     6fb2.eb09.f9ac   DYNAMIC  Fa0/11
1     1a47.9400.e467   DYNAMIC  Fa0/9
1     d8fd.8d8f.99ed   DYNAMIC  Fa0/7
1     b705.be8b.628e   DYNAMIC  Fa0/4
1     1353.072a.b94b   DYNAMIC  Fa0/13
1     c6cb.739e.1b2c   DYNAMIC  Fa0/6
1     f38c.317b.b900   DYNAMIC  Fa0/3

A switch uses a media access control (MAC) address table to direct frames from a sending network
device to a destination network device. The switch builds this table as it receives frames. The switch
associates the MAC address of the sending device with the LAN port on which the frame is received
by using the source MAC address in the frame.
When the switch receives a communication for an unknown destination address, the switch sends
the frame to all other LAN ports of the same VLAN . When the destination device replies, the switch
adds the relevant MAC source address and port ID in the address table. The switch sends all
subsequent frames for that destination to the correct LAN port without sending to all LAN ports.


Broadcast Domain
Slide 3-10

A broadcast domain is a logical division of a computer network, in which all hosts can reach each other by broadcast at the data link layer.

[Figure: a router above two switches, each switch above hubs; the labels Broadcast Domain and Collision Domain mark the corresponding regions of the diagram.]


Address Resolution Protocol
Slide 3-11

ARP provides a mechanism for a device to map an IP address to a MAC address.
When a device needs to communicate with another device for which the IP address is known but the MAC address is unknown:
The source device creates an ARP packet with the destination's IP address.
The source places the packet in a broadcast Ethernet frame.
The broadcast Ethernet frame is transmitted across the local subnet.
The destination device receives a copy of the frame and opens the copy to check the IP address in the destination field.
The destination responds to the ARP request with a frame to the source, with the destination's MAC address as the source MAC address.
The source receives the frame and reads the destination's MAC address.


From Packets to Frames
Slide 3-12

An Ethernet EtherType of 0x0800 indicates that the payload is an IP packet:
When putting a packet into a frame, the end station uses the destination MAC address that corresponds to the destination IP address.
If the destination IP address is not in the same subnet as the source end station, the end station uses the MAC address of the default gateway as the destination MAC address.
If the end station does not know the destination MAC address that corresponds with the destination IP address, the end station cannot send the frame.
All network data moves through a network as frames.


Segmentation and Encapsulation
Slide 3-13

Lower layers add headers (and sometimes trailers) to data from higher layers.
Network entities (switches/routers) move traffic based on header information at the appropriate OSI layer.
Advanced features like intrusion detection and firewalls look deeper beyond the header.

[Figure: the Application, Transport, Network, and Data Link layers, each adding its own header around the Data handed down from the layer above.]


Layer 3: IPv4 Datagram
Slide 3-14

IP packets are carried in Ethernet frames.

[Figure: IPv4 header layout. Version | IHL | Differentiated Services | Total Length; Identification | Flags | Fragment Offset; Time to Live | Protocol | Header Checksum; Source Address (32-bit IPv4 address); Destination Address (32-bit IPv4 address); Options | Padding]

Version = 4
If no options, IHL = 5
Source and Destination are 32-bit IPv4 addresses
Protocol = 6 means that the data portion contains a TCP segment.
Protocol = 17 means UDP

Routers and switches review the header information of the frame to route and switch traffic, apply
policy controls, and build routing and switching tables. IP headers enable quality of service (QoS)
application, control layer 3 loops using Time To Live (TTL), and congestion control using explicit
congestion notification bits. In the IP packet, UDP/TCP segments are embedded with their protocol
numbers identified in the header for the host or gateway to process.


Layer 4: TCP Segment
Slide 3-15

Source and destination are 16-bit TCP port numbers.

[Figure: TCP header layout. Source Port | Destination Port; Sequence Number; Acknowledgement Number; Data Offset | Reserved | flags URG, ACK, PSH, RST, SYN, FIN | Window; Checksum | Urgent Pointer; Options | Padding]

TCP is a connection-based protocol with guaranteed delivery. Devices send data over a connection
socket.
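The encapsulation chain of slides 3-8 through 3-15 (Ethernet frame, EtherType dispatch, IPv4 datagram with IHL, then the TCP or UDP ports) as an added, runnable example; this is not code from the course. The MAC address 00:26:4a:18:f6:aa is the slide's sample; all other addresses, ports and the zeroed IPv4 checksum are constructed for the example.

```python
import struct
from typing import Dict

# EtherType values named on the Ethernet slide
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_IPV6 = 0x86DD

# IP protocol numbers named on the IPv4 datagram slide
PROTO_TCP = 6
PROTO_UDP = 17


def mac_str(raw: bytes) -> str:
    """Render six raw bytes in the colon-separated form used on the slides."""
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def ip_bytes(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                proto: int, segment: bytes, options: bytes = b"") -> bytes:
    """Encapsulate the way an end station does: segment -> IPv4 datagram -> Ethernet frame.

    The IPv4 header checksum is left at zero: this is a constructed sample, not a
    transmittable packet.
    """
    if len(options) % 4:
        raise ValueError("IPv4 options must pad to a multiple of 4 bytes")
    ihl = 5 + len(options) // 4                      # header length in 32-bit words
    total_len = ihl * 4 + len(segment)
    ip_header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0,
                            0x4000, 64, proto, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    eth_header = struct.pack("!6s6sH", mac_bytes(dst_mac), mac_bytes(src_mac), ETHERTYPE_IPV4)
    return eth_header + ip_header + options + segment


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Peel the headers in the order the slides describe: Ethernet, then IPv4, then TCP/UDP.

    Each layer strips its own header and hands the remaining bytes to the next one.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, object] = {"dst_mac": mac_str(dst), "src_mac": mac_str(src),
                               "ethertype": ethertype}
    payload = frame[14:]

    # The Type field says what the Data portion carries; only IPv4 is parsed further here
    if ethertype == ETHERTYPE_ARP:
        info["payload"] = "ARP"
        return info
    if ethertype == ETHERTYPE_IPV6:
        info["payload"] = "IPv6"
        return info
    if ethertype != ETHERTYPE_IPV4:
        info["payload"] = "unknown"
        return info
    info["payload"] = "IPv4"

    # Fixed part of the IPv4 header: 20 bytes, which is all of it when IHL = 5 (no options)
    if len(payload) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _dscp_ecn, total_len, _ident, _flags_frag, ttl, proto,
     _checksum, src_ip, dst_ip) = struct.unpack("!BBHHHBBH4s4s", payload[:20])
    version, ihl = ver_ihl >> 4, ver_ihl & 0x0F
    if version != 4:
        raise ValueError(f"not an IPv4 datagram (version {version})")
    if ihl < 5 or len(payload) < ihl * 4 or total_len < ihl * 4:
        raise ValueError("invalid IPv4 header length")
    info.update({"ttl": ttl, "protocol": proto, "has_options": ihl > 5,
                 "src_ip": ".".join(map(str, src_ip)), "dst_ip": ".".join(map(str, dst_ip))})
    segment = payload[ihl * 4:total_len]             # the layer 4 segment inside the datagram

    # Both TCP and UDP begin with 16-bit source and destination port numbers
    if proto in (PROTO_TCP, PROTO_UDP):
        if len(segment) < 4:
            raise ValueError("truncated transport header")
        src_port, dst_port = struct.unpack("!HH", segment[:4])
        info.update({"transport": "TCP" if proto == PROTO_TCP else "UDP",
                     "src_port": src_port, "dst_port": dst_port})
    return info


def sample_tcp_frame() -> bytes:
    """Constructed sample: a TCP segment from port 443 to port 51000 carrying 4 bytes of data."""
    tcp_header = struct.pack("!HHIIBBHHH", 443, 51000, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    return build_frame("00:26:4a:18:f6:aa", "00:50:56:9a:00:01",
                       "10.0.0.1", "10.0.0.2", PROTO_TCP, tcp_header + b"data")
```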


Concept Summary
Slide 3-16

A review of terms used in this lesson:
What is the data encapsulation for layer 2 transmission across the physical network medium called? Ethernet frame
What is the data encapsulation for layer 3 for transmission across routed networks called? Packet
Which is the data link layer of the OSI model of a network? Layer 2
Which is the network layer of the OSI model of a network? Layer 3
Which is the transport layer of the OSI model of a network? Layer 4


Review of Learner Objectives
Slide 3-17

You should be able to meet the following objectives:
Describe Ethernet frames
Describe segmentation and encapsulation
Explain the ARP process


Lesson 2: Overview of vSphere Distributed Switch
Slide 3-18


Learner Objectives
Slide 3- 19

By the end of this lesson, you should be able to meet the following
objectives:

Describe VMware vSphere Distributed Switch

Configure a distributed switch


VMkernel Networking
Slide 3-20

Teaming recommendations:
Link Aggregation Control Protocol (LACP) 802.3ad is a good option for optimal use of available bandwidth and quick convergence.
Load-based teaming is recommended to simplify configuration and reduce dependencies on the physical network, while still effectively using multiple uplinks.
VMware NSX introduces support for multiple VTEPs per host with VXLANs.
Network partitioning technologies tend to increase complexity.
Overlay networks are used for virtual machines.
Use VLANs for VMkernel interfaces to avoid circular dependencies.
DHCP relay and IP helper support are important for VMware vSphere Auto Deploy.

[Figure: host uplinks connected to a physical switch.]

Link Aggregation Control Protocol (LACP) requires configuration on the upstream switch. You can
use load-based teaming to simplify configuration and reduce dependencies on the physical network,
while effectively using multiple uplinks.


Advantages of vSphere Distributed Switch
Slide 3-21

The advantages of using a vSphere Distributed Switch are the following:
Manage all switches in a data center versus individual switches per host
Advanced feature support
Higher scale
Foundation for your network virtualization journey

[Figure: several virtual machines, each shown with its own network state.]

Distributed Switch Architecture
Slide 3-22

Management plane: Configures various parameters of the distributed switch
Data plane: Handles the packet switching function

[Figure: the management plane above a distributed switch that spans hosts (Host 1 shown), with a legend for dvPG A, dvPG B, the dvUplink port group and dvUplinks; each host contributes vmnic0 and vmnic1.]

In VMware vSphere, the host handles the data plane. The host has information about which MAC
addresses are in which port groups. The VMware vCenter Server system controls the management
plane, and if the vCenter Server system fails, nothing changes on the control plane. Hosts and virtual
machines continue to function. Features that rely on the vCenter Server system, like VMware
vSphere vMotion, are unavailable until the management plane is restored.
The VMware NSX Virtual Switch, which is a normal distributed switch with the VMware NSX
VIBs installed, is different. If a VXLAN port group exists, only the data is managed at the data
plane. The control plane is handled by VMware NSX Controller and management is handled by
VMware NSX Manager.


vSphere Distributed Switch Enhancements in ESXi 5.5
Slide 3-23

Performance and Scale:
Enhanced LACP
Enhanced SR-IOV
40 GigE NIC support
Packet Classification:
Traffic Filtering (ACLs)
DSCP Marking (QoS)
Visibility and Troubleshooting:
Host Level Packet Capture Tool (tcpdump)

In vSphere 5.5, LACP handles more than port aggregation and supports all LACP features. vSphere
5.5 also supports Mellanox 40 GB network interface cards. vSphere uses traffic filtering and access
control lists (ACLs) to enable traffic, drop traffic, or change tags. Layer 2 Class of Service (CoS)
and layer 3 Differentiated Services Code Point (DSCP) tagging is fully supported.


Design Considerations
Slide 3-24

Available infrastructure:
Type of servers
Type of physical switches
Servers:
Rack mount or blade
Number of ports and speed. For example: Ten 1 Gb links or one 10 Gb link
Physical switches:
Managed and unmanaged
Protocol and features support

You must make several design considerations when planning a distributed switch deployment. In the
software-defined data center ecosystem the most frequently depleted resource is memory, not CPU.
Not every virtual machine has the same proportionality of CPU to memory.
Understanding where environment constraints are, and how your design can consider these
constraints, is critical. The type of network interfaces in hosts is also important. In today's data
center 10 GB interfaces are common with some instances of 40 GB interfaces. Depending on the
infrastructure, various switches with different features and functions might exist.


Teaming Best Practices
Slide 3-25

Link aggregation mechanisms do not double the bandwidth:
The hashing algorithm performs better in some scenarios. For example: Web servers that are accessed by different users have enough variation in IP source and destination addresses and can utilize links effectively.
However, a few workloads accessing a NAS array have no variation in the packet header fields. Traffic might end up on only one physical NIC.
Load-based teaming has the following advantages:
Takes link utilization into account
Checks the utilization of links every 30 seconds
No special configuration required on the physical switches

Hashing algorithms are not perfect. For servers where the systems connecting are varied, the
hashing works well. In scenarios where a few high-consumption endpoints exist, the hashing can
result in one link being busier than the others. An example is IP storage with NFS. Typically, NFS
datastores or servers are on the same logical layer 2 segment as the VMkernel port that uses that data. Little to
no load sharing happens.


Load-Based Teaming
Slide 3-26

Load-based teaming splits traffic to utilize all available links.

[Figure: two 10 Gb uplinks on a distributed switch. Left: vSphere vMotion (7 Gig) and VM1 (5 Gig) share one uplink, offering 12 GB, while VM2 (2 Gig) uses the other uplink for 2 GB. Right, after Rebalance: 7 GB on one uplink and 7 GB on the other.]

The example shows the advantage of load-based teaming. The diagram on the left has 14 GB of data
going out to two 10 GB lines. vSphere vMotion consumes 7 GB, virtual machine 1 (VM1)
consumes 5 GB, and virtual machine 2 (VM2) consumes 2 GB. Virtual machine 1 and vSphere
vMotion try to send a total of 12 GB of data out of the same 10 GB link. Virtual machine 2 sends 2
GB of data out of the second 10 GB link. Thus, 2 GB is lost on the first link.
The diagram on the right shows that by implementing load-based teaming, virtual machine 1 is
forced to use the other interface. All machines and services get the bandwidth that they need. This
feature should be configured on the distributed switch before NSX is installed.


Distributed Switch in Enterprise
Slide 3-27

The distributed switch has many features that are useful in an enterprise setting.

[Figure: a vCenter Server managing distributed switches that span Cluster 1 through Cluster 4 in the data center and the remote sites ROBO 1 and ROBO 2.]

Multiple distributed switches per VC (128)
Distributed switches can span multiple clusters
Central management for DC and ROBO environments
Role-based management control
Hundreds of hosts per distributed switch

Distributed switches must be in the same vCenter Server system as NSX Manager so that NSX
Manager can use the distributed switch.


Lab 3: Introduction (1)
Slide 3-28

Install NSX modules on hosts.

[Screenshot: NSX Manager 192.168.110.42, Host Preparation tab (installation of network virtualization components on vSphere hosts). Navigation: Host Preparation, Logical Network Preparation, SpoofGuard, Service Definitions, Service Composer, Data Security, Flow Monitoring, Activity Monitoring. Clusters & Hosts: Management and Edge Cluster, Compute Cluster A, Compute Cluster B; Installation Status: Installing, Installing, Install.]


Lab 3: Introduction (2)
Slide 3-29

Prepare hosts for VXLAN networking.

[Screenshot: the Add IP Pool dialog (Name, Gateway, Prefix Length, Primary DNS, Secondary DNS, DNS Suffix, Static IP Pool) and the New Transport Zone dialog (Name: Global Transport Zone; Description; Control Plane Mode: Multicast, Unicast, or Hybrid; select clusters to add: Management and Edge Cluster, Compute Cluster A, Compute Cluster B). The Segment ID pool dialog asks for a segment ID pool and multicast range unique to this NSX Manager (in the range of 5000-16777216), with an Enable multicast addressing option: multicast addresses are required only for Hybrid and Multicast control plane modes, and multicast must be enabled if you are using 5.1 hosts.]


Lab 3: Preparing for Virtual Networking
Slide 3-30

Install NSX for vSphere modules in ESXi hosts and configure the VXLAN IP pools and a transport zone:
1. Prepare for the Lab
2. Install NSX for vSphere Modules on the ESXi Hosts
3. Configure VXLAN on the ESXi Hosts
4. Configure the VXLAN ID Pool
5. Configure a Global Transport Zone
6. Clean Up for the Next Lab


Concept Summary
Slide 3-31

A review of terms used in this lesson:
What is a virtual switch shared across multiple ESXi hosts called? Distributed switch (Hint: VMware NSX Virtual Switch is defined as a port group on this.)
What is the configuration of multiple NICs to share workloads for higher bandwidth called? Teaming


Review of Learner Objectives
Slide 3-32

You should be able to meet the following objectives:
Describe vSphere Distributed Switch
Configure a distributed switch


Lesson 3: Link Aggregation
Slide 3-33


Learner Objectives
Slide 3-34

By the end of this lesson, you should be able to meet the following
objectives:

Describe the Spanning Tree Protocol (STP)

Describe the purpose of LACP

Create an overlay network


Ethernet Loop
Slide 3-35

Host A sends a broadcast frame.
The Ethernet switch notices that it is a broadcast frame and sends a copy out of every interface.
The second Ethernet switch notices that it is a broadcast frame and sends a copy out of every interface.
The third Ethernet switch notices that it is a broadcast frame and sends a copy out to the first switch, thus creating an Ethernet Loop.


Spanning Tree Protocol
Slide 3-36

STP is a Link Layer protocol that helps maintain a loop-free LAN:
STP is standardized in IEEE 802.1D.
STP assigns a switch as root bridge.
Every other switch in the LAN creates only one data path back to the bridge.
All other data paths leading to the bridge are prevented from forwarding traffic.
All paths not leading to the bridge are allowed to forward traffic.
NSX does not participate in STP.


STP Diagram
Slide 3-37

In STP, only one of the two switches blocks the data path. The other switch keeps the link in a forwarding state.

[Figure: a Root Bridge and two other switches; one link is marked Blocking.]


Bandwidth Constraint
Slide 3-38

STP always blocks all paths except the one leading up to the root bridge.
If the forwarding path goes down, the switch activates one of the blocked paths.

[Figure: a Root Bridge with two links marked Forwarding and one link marked Blocking.]

With Spanning Tree Protocol (STP), you can gain additional bandwidth between switches by going
to the next speed in Ethernet, for example, from 100 Mb to 1 Gb.
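The behaviour of slides 3-35 through 3-38 (root bridge election, one path per switch back to the root, every other path blocked, and a blocked path activated when a forwarding link fails) as an added, runnable model; it is not the course's code and not a full IEEE 802.1D implementation (no BPDU timers or port roles beyond forwarding/blocking). Bridge IDs, link costs and the three-switch loop topology are constructed for the example, and at most one link per switch pair is assumed.

```python
import heapq
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

Link = Tuple[str, str, int]          # (switch, switch, path cost of the link)


def elect_root(bridge_ids: Dict[str, int]) -> str:
    """The switch with the lowest bridge ID becomes the root bridge."""
    return min(bridge_ids, key=lambda s: (bridge_ids[s], s))


def spanning_tree(bridge_ids: Dict[str, int], links: List[Link]):
    """Return (root, forwarding links, blocking links).

    Every non-root switch keeps exactly one path to the root: the lowest root-path cost,
    ties broken by the lower bridge ID of the upstream switch. Links on nobody's path
    to the root are blocked. Link costs must be positive.
    """
    root = elect_root(bridge_ids)
    adjacent: Dict[str, List[Tuple[str, int]]] = {s: [] for s in bridge_ids}
    for a, b, cost in links:
        if cost <= 0:
            raise ValueError("link costs must be positive")
        adjacent[a].append((b, cost))
        adjacent[b].append((a, cost))

    # Shortest paths from the root (Dijkstra); 'upstream' is each switch's root port neighbour
    cost_to_root = {s: float("inf") for s in bridge_ids}
    cost_to_root[root] = 0
    upstream: Dict[str, str] = {}
    heap = [(0, bridge_ids[root], root)]
    while heap:
        d, _, s = heapq.heappop(heap)
        if d > cost_to_root[s]:
            continue
        for nbr, cost in adjacent[s]:
            nd = d + cost
            tie_better = nd == cost_to_root[nbr] and bridge_ids[s] < bridge_ids[upstream[nbr]]
            if nd < cost_to_root[nbr] or tie_better:
                cost_to_root[nbr] = nd
                upstream[nbr] = s
                heapq.heappush(heap, (nd, bridge_ids[nbr], nbr))

    forwarding = {frozenset((s, up)) for s, up in upstream.items()}
    blocking = {frozenset((a, b)) for a, b, _ in links} - forwarding
    return root, forwarding, blocking


def has_loop(switches: Iterable[str], active_links: Iterable[FrozenSet[str]]) -> bool:
    """True if the active links contain a cycle, i.e. a broadcast frame could circulate forever."""
    parent = {s: s for s in switches}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for link in active_links:
        a, b = tuple(link)
        root_a, root_b = find(a), find(b)
        if root_a == root_b:
            return True
        parent[root_a] = root_b
    return False


def triangle_topology() -> Tuple[Dict[str, int], List[Link]]:
    """Constructed sample: the three-switch loop of the Ethernet Loop slide."""
    bridge_ids = {"S1": 100, "S2": 200, "S3": 300}
    links = [("S1", "S2", 4), ("S2", "S3", 4), ("S1", "S3", 4)]
    return bridge_ids, links
```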


Link Aggregation Control Protocol
Slide 3-39

LACP:
Is a standards-based link aggregation method: 802.3ad
Provides automatic negotiation of link aggregation parameters between virtual and physical switches
Advantages:
Provides higher bandwidth and redundancy
Detects link failures and cabling mistakes
Reconfigures links automatically
Deployments with static link aggregation groups (LAGs) have problems such as PXE boot.

LACP is a type of port aggregation. Port aggregation is the bundling of interfaces to tell the STP
that only a single link exists instead of multiple links. LACP ensures that link aggregation
parameters match at both ends of the link aggregation.
The different types of LACP negotiation are the following:
1. Enable port aggregation on the links. Switches do the port aggregation and must be manually
configured to be compatible at each end of that link.
2. One switch sends repeated requests to the other switch that is requesting the port aggregation
status. The two switches negotiate the status of the links and proceed.
3. Switches wait until they receive an aggregation request, negotiate the status of the links, and
proceed.
The LACP negotiation verifies that the link aggregation configurations between switches are
compatible. For the second or third type of LACP negotiation, switches negotiate details. The details
might include the number of links that exist in the port group, the speed of the port group, and MTU.
Each switch determines the hashing that it uses to load balance its links independent of the other.


Enhanced LACP in vSphere 5.5
Slide 3-40

Comprehensive load balancing algorithm support includes 20 hashing algorithm options.
Multiple LAGs:
64 LAGs per host
64 LAGs per distributed switch
Workflow:
New workflow to configure LACP using templates
Useful in large environments

Hosts and distributed switches can support up to 64 Link Aggregation Groups (LAGs).


Enhanced LACP
Slide 3-41

[Figure: a host with LAG 1 as the active link. LACP: LAG 1 has 2 uplinks with load-balancing algorithm Source IP address; LAG 2 has 2 uplinks with load-balancing algorithm Destination IP address. LAG 1 connects to ports 1 and 2 of one physical switch, LAG 2 to ports 1 and 2 of Physical Switch 2.]

The example shows the use of different switches for LACP, with each link aggregation using a
different hashing algorithm.


Concept Summary
Slide 3-42

A review of terms used in this lesson:
What is the condition where there are multiple layer 2 paths between two endpoints called? Ethernet loop
Which protocol ensures that there are no Ethernet loops? Spanning Tree Protocol (STP)
Which is the standards-based link aggregation method used in NSX? Link Aggregation Control Protocol (LACP)


Review of Learner Objectives
Slide 3-43

You should be able to meet the following objectives:
Describe the STP
Describe the purpose of LACP
Create an overlay network


Lesson 4: Virtual LANs
Slide 3-44


Learner Objectives
Slide 3-45

By the end of this lesson, you should be able to meet the following
objectives:

Explain how VLANs are used


Virtual LANs
Slide 3-46

Split switches into separate virtual switches:
Only members of a virtual LAN (VLAN) can see that VLAN's traffic.
Traffic between VLANs must go through a router.

[Figure: one switch serving VLAN X nodes and VLAN Y nodes.]

VLANs address scalability, security, and network management by enabling a switch to serve
multiple virtual subnets from its LAN ports. Routers in VLAN topologies provide broadcast
filtering, security, and traffic flow management. Switches must not bridge traffic between VLANs
because the integrity of the VLAN broadcast domain might be violated.


Switches and Routers with VLANs
Slide 3-47

Without VLANs, each group is on a different IP network and on a different switch.
One link per VLAN or a single VLAN trunk later.

[Figure: groups of hosts on separate subnets such as 10.2.0.0/16, each on its own switch, connected to a router through interfaces Fa0/0 and Fa0/1.]

By default, all ports on a switch are in a single broadcast domain. Devices belonging to different
domains must be isolated using individual switches. VLANs enable a single switch to serve multiple
switching domains. The forwarding table on the switch is partitioned between all ports belonging to
a common VLAN.
With this change, devices belonging to multiple domains can be collocated on a single switch. Also,
hosts can be spread around in the data center on different L2 segments and maintain domain and
subnet isolation.


VLANs and ARP
Slide 3-48

Without VLANs, the ARP is seen on all subnets on a switch. All ports on a switch are part of the broadcast domain.
Assigning a host to the correct VLAN is a two-step process:
Connect the host to the correct port on the switch with a VLAN configured.
Assign an IP address to the host for that subnet. Otherwise the host cannot find peers on the same subnet.

[Figure: an ARP request entering a switch on port 1 (VLAN 1); ports 3, 4, 5 and 6 are on VLANs 1, 2, 2 and 1. Hosts shown: 172.30.1.21/24 on VLAN 1, a host in 172.30.2.0/24 on VLAN 2, and 172.30.1.23/24 on VLAN 1.]
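The MAC-table learning of slide 3-9, the ARP exchange of slide 3-11 and the per-VLAN flooding of slides 3-46 through 3-48 as one added, runnable simulation; it is not the course's code and frames are plain Python objects rather than wire format. The port-to-VLAN layout and the 172.30.1.21 and 172.30.1.23 addresses follow the slide; the MAC addresses and the VLAN 2 host address 172.30.2.10 are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806


@dataclass
class Frame:
    """Simplified frame: the header fields a switch looks at plus an ARP body as a dict."""
    src_mac: str
    dst_mac: str
    ethertype: int
    arp: Dict[str, str]


class LearningSwitch:
    """Access ports only: each port belongs to one VLAN, and the MAC table is keyed by
    (VLAN, MAC) so that one switch serves several broadcast domains."""

    def __init__(self, port_vlans: Dict[int, int]):
        self.port_vlans = port_vlans
        self.mac_table: Dict[Tuple[int, str], int] = {}
        self.floods = 0

    def forward(self, in_port: int, frame: Frame) -> List[int]:
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, frame.src_mac)] = in_port         # learn the sender's port
        out_port = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac != BROADCAST and out_port is not None:
            return [out_port]                                    # known unicast: one port
        self.floods += 1                                         # broadcast or unknown: whole VLAN
        return [p for p, v in self.port_vlans.items() if v == vlan and p != in_port]


@dataclass
class Host:
    mac: str
    ip: str
    arp_cache: Dict[str, str] = field(default_factory=dict)

    def arp_request(self, target_ip: str) -> Frame:
        """Build the ARP request for the target IP and place it in a broadcast frame."""
        return Frame(self.mac, BROADCAST, ETHERTYPE_ARP,
                     {"op": "request", "sender_mac": self.mac,
                      "sender_ip": self.ip, "target_ip": target_ip})

    def receive(self, frame: Frame) -> Optional[Frame]:
        """Return a reply if this host owns the requested IP; discard frames not for us."""
        if frame.dst_mac not in (self.mac, BROADCAST) or frame.ethertype != ETHERTYPE_ARP:
            return None
        body = frame.arp
        if body["target_ip"] != self.ip:
            return None
        self.arp_cache[body["sender_ip"]] = body["sender_mac"]
        if body["op"] == "request":
            # The reply is unicast to the requester, with this host's MAC as the source MAC
            return Frame(self.mac, body["sender_mac"], ETHERTYPE_ARP,
                         {"op": "reply", "sender_mac": self.mac,
                          "sender_ip": self.ip, "target_ip": body["sender_ip"]})
        return None


def resolve(switch: LearningSwitch, hosts: Dict[int, Host],
            from_port: int, target_ip: str) -> Optional[str]:
    """Run the whole exchange through the switch; return the MAC the requester learned, if any."""
    requester = hosts[from_port]
    request = requester.arp_request(target_ip)
    for port in switch.forward(from_port, request):
        reply = hosts[port].receive(request) if port in hosts else None
        if reply is not None:
            for reply_port in switch.forward(port, reply):
                if reply_port in hosts:
                    hosts[reply_port].receive(reply)
    return requester.arp_cache.get(target_ip)


def build_topology() -> Tuple[LearningSwitch, Dict[int, Host]]:
    """Constructed sample matching the slide: ports 1, 3, 6 in VLAN 1 and ports 4, 5 in VLAN 2."""
    switch = LearningSwitch({1: 1, 3: 1, 4: 2, 5: 2, 6: 1})
    hosts = {1: Host("00:00:5e:00:53:01", "172.30.1.21"),
             3: Host("00:00:5e:00:53:03", "172.30.1.23"),
             4: Host("00:00:5e:00:53:04", "172.30.2.10")}
    return switch, hosts
```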


VLANs Across Switches
Slide 3-49

VLAN tagging is used when a single link needs to carry traffic for more than one VLAN.
Interswitch links are configured as trunks, carrying frames from multiple VLANs for that switch.
Each frame carries a tag that identifies which VLAN it belongs to.
Without tagging, one physical connection per VLAN is required between switches. This is not scalable.

[Figure: two switches joined by an 802.1Q trunk carrying tagged frames.]
VLAN Scalability
Slide 3-50

How does host A communicate with host E?
How does host F communicate with host B?

[Figure: Host A (MAC A) through Host F (MAC F) attached to switches; Interface 5 is on VLAN 20.]


802.1Q
Slide 3-51

802.1Q is an extension to the Ethernet standards to enable VLAN information to be carried in an Ethernet frame:
802.1Q is configured in interfaces, typically Ethernet switches.
Interfaces that are configured to support 802.1Q Ethernet frames are called Trunk interfaces.
Interfaces that are not configured to support 802.1Q frames are called Access interfaces.
The 802.1Q standard has support for 4096 VLANs.
VLANs 0 and 4095 are not used for production traffic.
The 802.1Q EtherType is 0x8100.
802.1Q frames increase the standard Ethernet frame to 1522 bytes.

[Figure: a standard Ethernet frame (6 bytes destination, 6 bytes source, 2 bytes type, up to 1500 bytes data) compared with an 802.1Q frame that inserts a 2-byte 802.1Q EtherType and a 2-byte tag after the source address.]


802.1Q Frame
Slide 3-52

[Figure: a normal Ethernet frame (DA: 6, SA: 6, Type/Length: 2, Data: 46 to 1500) compared with an IEEE 802.1Q tagged frame, whose tag carries 3 bits of priority and 12 bits of VLAN ID to identify 4,096 possible VLANs.]


Native VLAN
Slide 3-53

A Trunk interface expects every ingress frame to be tagged with a VLAN number. If an ingress frame is received without a VLAN tag, the frame is dropped by the Ethernet switch.
To avoid dropping frames, a trunk can be configured to assign all ingress frames without a VLAN tag to a default VLAN. This default VLAN is called the native VLAN.
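The trunk-port rules of slides 3-51 through 3-53 (EtherType 0x8100, a 4-byte tag with 3 priority bits and a 12-bit VLAN ID, VLANs 0 and 4095 excluded from production traffic, untagged frames dropped unless a native VLAN is configured) as an added, runnable example; it is not the course's code. The MAC addresses and the allowed-VLAN list are constructed, and a frame that carries only VID 0 (a priority tag) is treated like an untagged frame.

```python
import struct
from typing import Iterable, Optional, Tuple

ETHERTYPE_8021Q = 0x8100     # TPID that marks a tagged frame
ETHERTYPE_IPV4 = 0x0800
TAG_LEN = 4                  # TPID (2 bytes) + TCI (2 bytes): a 1518-byte frame grows to 1522


def parse_tag(frame: bytes) -> Optional[Tuple[int, int, int]]:
    """Return (pcp, dei, vid) from the TCI if the frame carries an 802.1Q tag, else None."""
    if len(frame) < 18 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_8021Q:
        return None
    tci, = struct.unpack("!H", frame[14:16])
    return tci >> 13, (tci >> 12) & 1, tci & 0x0FFF


class TrunkPort:
    """Trunk interface: tagged frames are classified by VID; untagged frames go to the
    native VLAN if one is configured and are otherwise dropped."""

    def __init__(self, allowed_vlans: Iterable[int], native_vlan: Optional[int] = None):
        self.allowed = set(allowed_vlans)
        self.native = native_vlan
        self.dropped = 0

    def ingress(self, frame: bytes) -> Optional[Tuple[int, bytes]]:
        """Classify an ingress frame; returns (vlan, frame with the tag removed) or None."""
        if len(frame) < 14:
            self.dropped += 1
            return None
        tag = parse_tag(frame)
        if tag is None:
            if self.native is None:
                self.dropped += 1          # no native VLAN: untagged frames are dropped
                return None
            return self.native, frame
        _pcp, _dei, vid = tag
        if vid == 0:                       # priority-tagged only: no VLAN, so use the native VLAN
            vid = self.native
        if vid is None or vid == 4095 or vid not in self.allowed:
            self.dropped += 1              # 0 and 4095 never carry production traffic
            return None
        return vid, frame[:12] + frame[12 + TAG_LEN:]

    def egress(self, vlan: int, frame: bytes, pcp: int = 0) -> Optional[bytes]:
        """Frames leaving a trunk carry their VLAN's tag; native-VLAN frames leave untagged."""
        if vlan not in self.allowed or not 1 <= vlan <= 4094:
            return None
        if vlan == self.native:
            return frame
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        return frame[:12] + struct.pack("!HH", ETHERTYPE_8021Q, tci) + frame[12:]


def untagged_frame(payload_len: int = 1500) -> bytes:
    """Constructed sample: a maximum-size untagged IPv4 frame (14-byte header + payload, no FCS)."""
    header = bytes.fromhex("005056000001") + bytes.fromhex("005056000002")
    return header + struct.pack("!H", ETHERTYPE_IPV4) + bytes(payload_len)
```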


Concept Summary
Slide 3-54

A review of terms used in this lesson:
What are groups of devices on separate physical networks that communicate as if on the same logical network called? Virtual Local Area Networks (VLAN)
What is broadcasting communications from a single source endpoint to multiple destination endpoints called? Multicast
What is broadcasting communications from a single source endpoint to a single destination endpoint called? Unicast
Which is the communications protocol for establishing multicast group memberships? Internet Group Management Protocol (IGMP)


Review of Learner Objectives


Slide 3-55

You should be able to meet the following objectives:

Explain how VLANs are used


Lesson 5: VXLAN: Logical Switch Networks
Slide 3-56


Learner Objectives
Slide 3-57

By the end of this lesson, you should be able to meet the following
objectives:

Describe VXLAN overlay networks

Define the VXLAN frame format

Compare unicast, multicast, and hybrid modes


VXLAN Terms
Slide 3-58

A Virtual Tunnel End Point (VTEP) is an entity that encapsulates an Ethernet frame in a VXLAN frame or de-encapsulates a VXLAN frame and forwards the inner Ethernet frame.
A VTEP proxy is a VTEP that forwards VXLAN traffic to its local segment from another VTEP in a remote segment.
A transport zone defines members or VTEPs of the VXLAN overlay:
Can include ESXi hosts from different VMware vSphere clusters
A cluster can be part of multiple transport zones
A VXLAN Number Identifier (VNI) is a 24-bit number that gets added to the VXLAN frame:
The VNI uniquely identifies the segment to which the inner Ethernet frame belongs
Multiple VNIs can exist in the same transport zone
VMware NSX for vSphere starts with VNI 5000

VXLAN is an Ethernet in IP overlay technology, where the original layer 2 frame is encapsulated in
a User Datagram Protocol (UDP) packet and delivered over a transport network. This technology
provides the ability to extend layer 2 networks across layer 3 boundaries and consume capacity
across clusters. The maximum transmission unit (MTU) requirement is for a minimum of 1,600
bytes to support IPv4 and IPv6 guest traffic. The Virtual Tunnel End Points (VTEPs) do not support
fragmentation. VXLAN also provides increased scalability as it is no longer tied to the 802.1q
protocol limit of 4,096. The 24-bit address space theoretically enables up to 16 million VXLAN
networks. Each VXLAN network is an isolated logical network.


VXLAN Protocol Overview
Slide 3-59

The VXLAN VTEP is the VMkernel interface that serves as the endpoint for encapsulation or de-encapsulation of VXLAN traffic.
Ethernet in IP overlay network:
Entire L2 frame encapsulated in User Datagram Protocol (UDP)
50+ bytes of overhead
VXLAN can cross layer 3 network boundaries.
VXLAN is an overlay between VMware ESXi hosts. Virtual machines do not see the VXLAN ID.

The VTEP Proxy, used in UTEP and MTEP, replicates the frame that it receives. The VXLAN
Number Identifier (VNI) is 24 bits.
A transport zone is a configurable boundary for a VNI. A single transport zone is usually sufficient.
All clusters in the same transport zone share the same VNI. A transport zone can contain multiple
clusters and a cluster can be a part of multiple transport zones. A transport zone tells the host or
cluster which logical switch has been created. If you do not want logical switches to show up on
certain hosts, you can create a transport zone to constrain tenants. The underlying port group still
exists across the distributed switch.


Virtual Extensible LAN
Slide 3-60

VXLAN is an IP overlay technology that eliminates virtual network segmentation.
VXLAN functionality:
  Allows network boundary devices to extend virtual network boundaries over physical IP networks
  Expands the number of available logical Ethernet segments from 4094 to over 16 million logical segments
  Encapsulates the source Ethernet frame in a new UDP packet
  VXLAN is transparent to virtual machines
  Adds 50 bytes to the original frame
  Submitted to IETF for standardization
  In April 2013, IANA reserved UDP port 4789 for VXLAN.

VXLAN is a network overlay technology. VXLAN encapsulates layer 2 frames inside a UDP
header. The traffic is encapsulated into and de-encapsulated from the VXLAN header by the VTEP.
VXLAN adds 50 to 54 bytes of information to the frame, depending on whether VLAN tagging
is used. VMware recommends increasing the MTU to at least 1,600 bytes to support NSX. Larger
MTUs might already be in place, depending on what other technologies are in use on the network. If
a custom MTU size is already set, either ensure that enough unused space exists in the MTU to
accommodate the additional 54 bytes or increase the MTU size to accommodate the addition.


NSX Use Cases
Slide 3-61

Speed up network provisioning
Simplify service insertion, both virtual and physical
Streamline DMZ changes
Automate network and service provisioning for private clouds and test/dev environments
Automate network provisioning for tenants with customization
Maximize hardware sharing across tenants

The most common use cases for NSX are data center automation, self-service IT, and multitenant
cloud environments.


VXLAN Frame Format
Slide 3-62

[Diagram: VXLAN frame layout. Outer Ethernet header: Outer Dest MAC, Outer Source MAC,
Optional Outer 802.1Q, EtherType. Outer IP header: IP Header Data, IP Protocol, Header Checksum,
Outer Source IP, Outer Dest IP. VXLAN header: VXLAN Flags, RSVD, VXLAN Network Identifier (VNI),
RSVD. The original frame, with its optional 802.1Q tag and EtherType, follows the VXLAN header.]

The VXLAN frame format is shown here. The top frame is the original frame from the virtual
machine, minus the Frame Check Sequence (FCS), encapsulated in a VXLAN frame. A new FCS
is created by the VTEP to cover the entire VXLAN frame. The VLAN tag in the outer layer 2 Ethernet
frame exists if the port group that your VXLAN VMkernel port is connected to has an associated
VLAN number. When the port group is associated with a VLAN number, the port group tags the
VXLAN frame with that VLAN number.
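The encapsulation described on the preceding slides can be exercised in code. The following Python example is added here; it is not part of the course or of NSX. It builds a VXLAN-encapsulated frame (outer Ethernet, outer IPv4 with the DF bit set because VTEPs do not fragment, UDP to port 4789, and the 8-byte VXLAN header with the VNI-valid flag), parses it back the way a receiving VTEP would, and reports the overhead: 50 bytes without an outer 802.1Q tag, 54 with one. It also applies the MTU rule from the previous page. The MAC addresses, IP addresses, the UDP source port, and the VNI 5001 (borrowed from the packet walks later in this lesson) are constructed sample values.

```python
"""Added example: build and parse a VXLAN-encapsulated frame (not NSX or course code).

Layout produced, matching the frame-format slide:
  outer Ethernet (14, or 18 with an 802.1Q tag) + outer IPv4 (20) + UDP (8) + VXLAN (8)
  + original frame without its FCS.  That is 50 bytes of overhead, 54 when the outer
  frame carries a VLAN tag.  All addresses and VNI values below are constructed samples.
"""
import struct
from typing import Optional

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (April 2013)
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag (RFC 7348): the VNI field carries a valid value
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_UDP = 17
IP_FLAG_DF = 0x4000          # VTEPs never fragment, so the outer packet carries DF
MAX_VNI = (1 << 24) - 1      # 24-bit VNI: 16,777,215 possible segments


def _mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def _ip(text: str) -> bytes:
    return bytes(int(octet) for octet in text.split("."))


def _ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over the IPv4 header (checksum field assumed zero)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags(1) + reserved(3) + VNI(3) + reserved(1)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"


def encapsulate(inner_frame: bytes, vni: int, src_mac: str, dst_mac: str,
                src_ip: str, dst_ip: str, outer_vlan: Optional[int] = None) -> bytes:
    """Wrap the original frame (minus FCS) the way a VTEP does.  The outer VLAN tag
    models the VLAN of the port group that the VXLAN VMkernel port is connected to."""
    vx = vxlan_header(vni)
    udp_len = 8 + len(vx) + len(inner_frame)
    # UDP checksum 0 is allowed for IPv4; the source port is a constructed sample value.
    udp = struct.pack("!HHHH", 49152, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, IP_FLAG_DF, 64,
                     IPPROTO_UDP, 0, _ip(src_ip), _ip(dst_ip))
    ip = ip[:10] + struct.pack("!H", _ipv4_checksum(ip)) + ip[12:]
    eth = _mac(dst_mac) + _mac(src_mac)
    if outer_vlan is not None:
        eth += struct.pack("!HH", ETHERTYPE_8021Q, outer_vlan & 0x0FFF)
    eth += struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip + udp + vx + inner_frame


def parse(frame: bytes) -> dict:
    """Strip the outer headers as a receiving VTEP would and return the VNI, the flags
    byte, the outer VLAN (if any), the original frame and the overhead in bytes."""
    off = 12
    ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    outer_vlan = None
    if ethertype == ETHERTYPE_8021Q:
        outer_vlan = struct.unpack("!H", frame[off + 2:off + 4])[0] & 0x0FFF
        off += 4
        ethertype = struct.unpack("!H", frame[off:off + 2])[0]
    off += 2
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[off] & 0x0F) * 4
    if frame[off + 9] != IPPROTO_UDP:
        raise ValueError("outer IP protocol is not UDP")
    off += ihl
    if struct.unpack("!H", frame[off + 2:off + 4])[0] != VXLAN_UDP_PORT:
        raise ValueError("UDP destination port is not 4789")
    off += 8
    flags = frame[off]
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set: VNI field is not valid")
    vni = int.from_bytes(frame[off + 4:off + 7], "big")
    off += 8
    return {"vni": vni, "flags": flags, "outer_vlan": outer_vlan,
            "inner": frame[off:], "overhead": off}


def overhead_bytes(outer_vlan_tagged: bool) -> int:
    """50 bytes of encapsulation, 54 when the outer frame is VLAN-tagged."""
    return 14 + (4 if outer_vlan_tagged else 0) + 20 + 8 + 8


def transport_mtu_ok(transport_mtu: int, guest_mtu: int = 1500,
                     outer_vlan_tagged: bool = False) -> bool:
    """Conservative MTU check: the transport MTU must hold the guest MTU plus the inner
    Ethernet header plus the encapsulation overhead.  1,600 passes for a 1,500 guest MTU."""
    return transport_mtu >= guest_mtu + 14 + overhead_bytes(outer_vlan_tagged)


if __name__ == "__main__":
    inner = _mac("00:50:56:aa:00:02") + _mac("00:50:56:aa:00:01") + b"\x08\x00" + b"sample"
    frame = encapsulate(inner, 5001, "00:50:56:11:11:11", "00:50:56:22:22:22",
                        "192.168.250.51", "192.168.250.52", outer_vlan=100)
    print(parse(frame))
```

The parse function refuses frames whose VNI-valid flag is clear or whose UDP destination port is not 4789, which is the same sanity check a VTEP applies before it de-encapsulates; the MTU helper is deliberately conservative in counting the outer Ethernet header, so a transport MTU it accepts is always sufficient.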


Multicast: Network Components
Slide 3-63

The goal of multicast is to send a single packet from a source device to multiple destinations,
likely on different subnets.

[Diagram: a server sends UDP/RTP multicast traffic through Router 1 to a layer 2 switch with
IGMP snooping; clients on the LAN signal group membership with IGMP.]

The idea is to use the network to replicate the traffic and prevent the source from creating a large
number of individual unicast sessions to each destination. Some key applications of multicast include
multimedia content delivery, financial institutions such as stock exchanges and high-frequency
trading centers, and IPTV networks. Multicast is a necessary component of many enterprise
networks.


Internet Group Management Protocol
Slide 3-64

Hosts use the Internet Group Management Protocol (IGMP) to tell routers about group membership.
Routers or layer 3 switches solicit group membership from directly connected hosts.
Versions:
  Version 1: RFC 1112 is supported on Windows 95.
  Version 2: RFC 2236 is supported on the latest service pack for Windows and most UNIX systems.
  Version 3: RFC 3376 is supported in Windows XP and various UNIX systems.


Bidirectional PIM
Slide 3-65

[Diagram: a Source/Receiver, Receiver 1 and Receiver 2 joined by a shared tree rooted at the RP
(Rendezvous Point), with upstream forwarding toward the RP and downstream forwarding away from it.]
RP - Rendezvous Point
Notation: (*,G)
  * = All Sources
  G = Group

For network virtualization using VXLAN, bidirectional Protocol-Independent Multicast (PIM) is
important. VXLAN relies on a many-to-many multicast infrastructure. The most efficient way to
provide it is to use bidirectional PIM.


NSX for vSphere VXLAN Replication Modes
Slide 3-66

Three modes of traffic replication exist: two modes are based on VMware NSX Controller and
one mode is based on the data plane.
Unicast mode is all replication using unicast.
Hybrid mode is local replication that is offloaded to the physical network and remote
replication through unicast.
Multicast mode requires IGMP for a layer 2 topology and multicast routing for an L3 topology.
All modes require at least a 1,600-byte MTU.

[Screenshot: New Transport Zone dialog. Name: Global-Transport-Zone. Control Plane Mode:
Multicast (multicast on physical network used for VXLAN control plane), Unicast (VXLAN control
plane handled by NSX Controller cluster), Hybrid (optimized unicast mode; offloads local traffic
replication to physical network). Clusters to Add: Management & Edge Cluster, Compute Cluster 01.]

Replication mode relates to the handling of broadcast, unknown unicast, and multicast (BUM)
traffic. Unicast has no physical network requirements apart from the MTU. All traffic is replicated
by the VTEPs. In the same VXLAN segment, traffic is replicated by the source VTEP. In remote
VXLAN segments, the NSX Controller instance selects a proxy VTEP. Hybrid mode uses IGMP
layer 2 multicast to offload local replication to the physical network. Remote replication uses unicast
proxies, so multicast routing is not necessary. Hybrid is recommended for most deployments.
Multicast is seen frequently in upgrade scenarios from VMware vCloud Networking and
Security 5.1 or in environments that already have multicast routing.


VXLAN Replication: Control Plane
Slide 3-67

In unicast or hybrid mode, the NSX Controller instance selects one VTEP in every remote segment
from its VTEP mapping table as a proxy. This selection is per VNI (balances load across proxy VTEPs).
  In unicast mode, this proxy is called a Unicast Tunnel End Point (UTEP).
  In hybrid mode, this proxy is called a Multicast Tunnel End Point (MTEP).
This list of UTEPs or MTEPs is synced to each VTEP.
If a UTEP or MTEP leaves a VNI, the NSX Controller instance selects a new proxy in the segment
and updates the participating VTEPs:
  VTEP report
  VTEP failure

[Diagram: NSX Controller VXLAN Directory Service holding the MAC table, ARP table, and VTEP table.]

The VTEPs to which the list of UTEPs or MTEPs is synced are members of the associated
VXLAN Network Identifier (VNI).

VTEPs leave a VNI either voluntarily, because the VMware ESXi host is gracefully powered off
or all virtual machines connected to the VNI are migrated or shut down, or because the VTEP fails.
When a VTEP fails, it cannot invalidate its VTEP-to-VNI mapping entry with the
NSX Controller instance. The NSX Controller instance detects that the keep-alive has expired and
invalidates the entry.


VXLAN Replication: Data Plane
Slide 3-68

The VXLAN header format is updated in NSX for vSphere:
  A new REPLICATE_LOCALLY bit is used in the VXLAN header for unicast and hybrid modes.
When a UTEP or MTEP receives a unicast frame with the REPLICATE_LOCALLY bit set,
the UTEP or MTEP is responsible for injecting the frame into the local transport network.
The behavior of the proxy depends on its traffic replication mode.

[Diagram: VXLAN header format.]

The first field of eight bits is used for VXLAN flags. Seven of these bits are reserved in vCloud
Networking and Security 5.1. These reserved bits are set to zero. The fifth bit is set to 1 when the
header includes a valid VNI. VMware NSX for vSphere adds a bit for a replicate-locally flag,
which is set to 1 for delivery to a UTEP or MTEP.


Unicast Mode
Slide 3-69

Source UTEP:
  Replicates encapsulated frame to each local VTEP through unicast
  Replicates encapsulated frame to each remote UTEP through unicast
Destination UTEP:
  Receives the encapsulated frame from the source VTEP
  Replicates encapsulated frame to each local VTEP through unicast
Unicast mode considerations:
  No multicast configuration needed on the physical network
  Higher overhead on the source VTEP and UTEP
  Configurable per VNI during logical switch provisioning

In NSX, the default mode of traffic replication is unicast. Initially no multicast support is required
on the physical network.
This mode reduces network dependencies to only an increase in maximum transmission unit (MTU).
Each layer 2 transport subnet has one dynamically assigned VTEP that acts as a proxy and is
responsible for replicating traffic to other VTEPs within the segment. This proxy addresses the most
common objections and allows VXLAN deployment with minimal physical network support.
One downside of unicast mode is the higher overhead. In unicast mode the source VTEP and
proxies must copy the same frame multiple times to every VTEP within the layer 2 subnet. Copying
the same frame multiple times results in higher CPU utilization on the host as the VXLAN transport
zone and clusters increase in size.


Multicast Mode
Slide 3-70

Source VTEP:
  Replicates encapsulated frame to each remote VTEP through multicast
  Replicates encapsulated frame to each local VTEP through multicast
  No UTEP or MTEP roles
Multicast mode considerations:
  IGMP and IGMP snooping configuration needed on the physical network
  Multicast address required over physical network
  Lowest overhead on the source VTEP
  Configurable per VNI during logical switch provisioning

Multicast mode uses the VTEP as a proxy. In multicast mode, the VTEP never goes to the NSX
Controller instance. As soon as the VTEP receives the broadcast traffic, the VTEP multicasts the
traffic to all devices.


Hybrid Mode
Slide 3-71

Source MTEP:
  Replicates encapsulated frame to each remote MTEP through unicast
  Replicates encapsulated frame to each local VTEP through multicast
Destination MTEP role:
  Receives the encapsulated frame from the source MTEP
  Replicates encapsulated frame to each local VTEP through multicast
Hybrid mode considerations:
  IGMP snooping configuration needed on the physical network
  VTEPs send IGMP joins and IGMP reports
  Multicast address required over physical network
  Configurable per VNI during logical switch provisioning

To reduce the overhead of traffic replication, a multicast proxy is used for optimization. The VTEP
does not replicate all traffic in software. The VTEP leverages the physical network to replicate
through multicast by selecting one VTEP in each L2 transport network to serve as a multicast proxy.
This mode is L2 IGMP only, and PIM is not needed in hybrid mode. This mode is not the default
mode of operation in NSX for vSphere, but is important for larger scale operations. Also, the
configuration overhead or complexity of L2 IGMP is significantly lower than that of multicast routing.


Unicast and Hybrid Mode: Same Host
Slide 3-72

VM1 communicates with VM2 on the same host.

[Diagram: VM1 and VM2 on one ESXi host, with the management network to the NSX Controller
and the transport network shown.]

The diagram shows the process by which virtual machine 1 (VM1) communicates with virtual
machine 2 (VM2) on the same host in the same VXLAN when VM1 lacks the MAC address for
VM2:
1. VM1 sends an Address Resolution Protocol (ARP) request for the MAC address of VM2 on the
same logical switch (VNI 5001) on the same host.
2. The broadcast is sent to all virtual machines on the logical switch of the same host. The switch
security module uses the management network to query the NSX Controller instance's ARP
table for the VM2 ARP entry.
3. Because VM2 is on the same logical switch, VM2 sends an ARP reply before NSX Controller
responds to the switch security module:
a. If VM2 has not participated in a previous ARP reply or Dynamic Host Configuration Protocol
(DHCP) exchange, the NSX Controller instance lacks the information.
b. The switch security module updates its local ARP table and notifies NSX Controller to update
the ARP entry for VM2 (in the ARP table).


4. The logical switch delivers a unicast ARP reply to VM1.

This scenario does not incur VXLAN encapsulation. If the transport zone is configured for
multicast, the ARP request broadcast is forwarded in a VXLAN encapsulation to all the other
VTEPs in the multicast group.


Unicast Mode: Different Hosts
Slide 3-73

Initial communications of VM1 with VM3 on another host.

[Diagram: VM1 on one host and VM3 on another host, with the management network to the NSX
Controller and the transport network between VTEPx and VTEPy shown.]

The diagram shows the process in unicast mode. Virtual machine 1 (VM1) communicates with
virtual machine 3 (VM3) on a different host in the same VXLAN when VM1 lacks the MAC address
for VM3:
1. VM1 sends an ARP request for the MAC address of VM3 on the same logical switch (VNI
5001) on a different host in a different cluster.
2. The broadcast is sent on the local logical switch and the switch security module queries the NSX
Controller instance for an ARP entry for VM3.
3. The NSX Controller instance lacks the information on VM3, so the broadcast is forwarded as
encapsulated unicast from VTEPx to all local VTEPs and the remote proxy VTEP.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, sent to VTEPx, and
returned to VM1.
5. VTEPx learns the MAC address of VM3 for all subsequent communication from local virtual
machines to VM3.


Hybrid Mode: Different Hosts
Slide 3-74

Initial communications of VM1 with VM3 on another host.

[Diagram: VM1 on one host and VM3 on another host, with the management network to the NSX
Controller and the transport networks between VTEPx and VTEPy shown.]

The diagram shows the process in hybrid mode. Virtual machine 1 (VM1) communicates with
virtual machine 3 (VM3) on a different host in the same VXLAN when VM1 lacks the MAC address
for VM3:
1. VM1 sends an ARP request for the MAC address of VM3 on the same logical switch (VNI
5001) on a different host in a different cluster.
2. The broadcast is sent on the local logical switch and the switch security module queries the
NSX Controller instance for an ARP entry for VM3.
3. The NSX Controller lacks the information on VM3, so the broadcast is forwarded from VTEPx
to all local VTEPs using multicast and to the remote proxy VTEP using unicast.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, sent to VTEPx, and returned to
VM1.
5. VTEPx learns the MAC address of VM3 for all subsequent communication from local virtual
machines to VM3.


Multicast Mode: Different Hosts
Slide 3-75

Initial communication of VM1 with VM3.

[Diagram: VM1 on one host and VM3 on another host, with the management network and the
transport networks between VTEPx and VTEPy shown.]

The diagram shows the process in multicast mode. Virtual machine 1 (VM1) communicates with
virtual machine 3 (VM3) on a different host in the same VXLAN when VM1 lacks the MAC address
for VM3:
1. VM1 sends an ARP request for the MAC address of VM3 on the same logical switch (VNI
5001) on a different host in a different cluster.
2. The broadcast is sent on the local logical switch and the switch security module is checked.
3. If the switch security module lacks the information for VM3, the broadcast is encapsulated as a
multicast and forwarded to all VTEPs.
4. VM3 sends a unicast ARP reply that is encapsulated by VTEPy, sent to VTEPx, and delivered
to VM1.
5. VTEPx learns the MAC address of VM3 for all subsequent communication from
local virtual machines to VM3.
The fact that the virtual machine is on a different cluster does not change the packet walk process. In
all these cases the same events occur when communication is taking place between two virtual
machines on different hosts of the same cluster or of different clusters.
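The packet walks on slides 3-72 to 3-75 and the replication modes on slides 3-66 to 3-71 can be modelled as a small simulation. The following Python example is added here and is not NSX or course code. It builds a constructed topology of VTEPs in three transport subnets, has a stand-in for the NSX Controller pick one proxy (UTEP or MTEP) per remote segment by VNI, lists for each replication mode the sends that the source VTEP and the proxies must make to deliver one BUM frame, and shows how a hit in the controller's ARP table lets the switch security module answer an ARP request without flooding. VTEP names, subnets, the VNI, the IP-to-MAC entries and the proxy selection rule are all assumptions made for the example.

```python
"""Added example: BUM replication per mode and controller ARP lookup (not NSX or course code)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed topology: VTEP name -> layer 2 transport subnet it lives in.
TOPOLOGY: Dict[str, str] = {
    "vtep-a1": "10.20.1.0/24", "vtep-a2": "10.20.1.0/24", "vtep-a3": "10.20.1.0/24",
    "vtep-b1": "10.20.2.0/24", "vtep-b2": "10.20.2.0/24",
    "vtep-c1": "10.20.3.0/24", "vtep-c2": "10.20.3.0/24", "vtep-c3": "10.20.3.0/24",
}

# One send = (sender, transport, receivers).  transport is "unicast",
# "unicast+replicate_locally" (to a proxy), "multicast-l2" (IGMP inside the local
# segment) or "multicast" (routed multicast across all segments).
Send = Tuple[str, str, List[str]]


def segments(topology: Dict[str, str]) -> Dict[str, List[str]]:
    """Group VTEPs by transport subnet, the unit in which a proxy is chosen."""
    groups = defaultdict(list)
    for vtep, subnet in topology.items():
        groups[subnet].append(vtep)
    return {subnet: sorted(members) for subnet, members in groups.items()}


def choose_proxies(topology: Dict[str, str], vni: int) -> Dict[str, str]:
    """Stand-in for the NSX Controller: one proxy per segment, spread by VNI so that
    different VNIs land on different proxy VTEPs (assumed selection rule)."""
    return {subnet: members[vni % len(members)]
            for subnet, members in segments(topology).items()}


def replicate_bum(mode: str, topology: Dict[str, str], source: str, vni: int) -> List[Send]:
    """All sends needed to deliver one BUM frame from source to every other VTEP."""
    if mode not in ("unicast", "hybrid", "multicast"):
        raise ValueError("mode must be unicast, hybrid or multicast")
    segs = segments(topology)
    src_seg = topology[source]
    everyone_else = sorted(v for v in topology if v != source)
    if mode == "multicast":
        # One send; IGMP snooping and PIM in the physical network replicate it.
        return [(source, "multicast", everyone_else)]
    sends: List[Send] = []
    local = [v for v in segs[src_seg] if v != source]
    if mode == "unicast":
        sends += [(source, "unicast", [v]) for v in local]   # one copy per local VTEP
    elif local:
        sends.append((source, "multicast-l2", local))         # hybrid: IGMP fans out locally
    proxies = choose_proxies(topology, vni)
    for subnet, members in segs.items():
        if subnet == src_seg:
            continue
        proxy = proxies[subnet]                               # UTEP (unicast) or MTEP (hybrid)
        sends.append((source, "unicast+replicate_locally", [proxy]))
        others = [v for v in members if v != proxy]
        if mode == "unicast":
            sends += [(proxy, "unicast", [v]) for v in others]
        elif others:
            sends.append((proxy, "multicast-l2", others))
    return sends


def copies_sent_by(sends: List[Send], vtep: str) -> int:
    """Frames a given VTEP had to put on the wire: the CPU cost the lesson describes."""
    return sum(1 for sender, _, _ in sends if sender == vtep)


def receivers(sends: List[Send]) -> List[str]:
    """Every VTEP reached, deduplicated; should equal all VTEPs except the source."""
    return sorted({r for _, _, rs in sends for r in rs})


def arp_request(controller_arp: Dict[str, str], target_ip: str, mode: str,
                topology: Dict[str, str], source: str, vni: int) -> dict:
    """Switch security module behaviour: a hit in the controller ARP table answers the
    request locally with no flooding; a miss floods the request as BUM traffic."""
    if target_ip in controller_arp:
        return {"suppressed": True, "mac": controller_arp[target_ip], "sends": []}
    return {"suppressed": False, "mac": None,
            "sends": replicate_bum(mode, topology, source, vni)}


if __name__ == "__main__":
    for mode in ("unicast", "hybrid", "multicast"):
        sends = replicate_bum(mode, TOPOLOGY, "vtep-a1", 5001)
        print(mode, "sends:", len(sends), "source copies:", copies_sent_by(sends, "vtep-a1"))
```

Running the block for a source in the three-member segment shows the trade-off the slides describe: unicast mode costs the source four copies and the proxies three more, hybrid mode costs the source three sends with the local fan-out done by IGMP snooping, and multicast mode costs a single send but needs multicast routing across the segments.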


Quality of Service
Slide 3-76

You can ensure that the application traffic flowing through the physical network infrastructure is
prioritized by using the following ways:
  Class of Service (CoS): Layer 2 Tag
  Differentiated Services Code Point (DSCP) Marking: Layer 3 Tag

[Diagram: 802.1Q header: 16 bits (0x8100) | 3 bits (CoS) | 1 bit | 12 bits (VLAN ID).
IP header: DSCP 6 bits | 2 bits.]

Traffic can be classified in different ways. In a layer 2 frame, the 802.1q header contains the
information for the Class of Service (CoS). The first 16 bits are always 0x8100, which means that
the header contains a VLAN tag. The class of service is in the next 3 bits, followed by a flag that
indicates whether to fragment.
Layer 3 has a different field called Differentiated Services Code Point (DSCP) that has 6 bits. The
first three values typically match the first three CoS bits. At the boundary between layers 2 and 3,
the switch can take the CoS and other factors, like the source or destination address, and match that
to a layer 3 DSCP value. Because DSCP has more potential values, it can be more specific about the
service that it is going to provide.
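The two marking fields just described can be read and written with a few lines of Python. The following example is added here and is not course or NSX code. It parses and builds an 802.1Q tag (TPID 0x8100, then the 3-bit CoS, 1 bit, and the 12-bit VLAN ID), reads and rewrites the 6-bit DSCP in an IPv4 header while preserving the 2 ECN bits and recomputing the header checksum, and shows the default layer 2 to layer 3 mapping in which the three CoS bits become the three high-order DSCP bits, plus an assumed boundary policy that overrides the mapping by destination address. The sample addresses and policy entries are constructed. One caveat from the 802.1Q standard: the single bit between the CoS and the VLAN ID is the Drop Eligible Indicator (DEI, originally CFI); it does not control IP fragmentation.

```python
"""Added example: read and write CoS (802.1Q) and DSCP (IPv4) markings (not course or NSX code)."""
import struct
from typing import Dict, Tuple

TPID_8021Q = 0x8100  # first 16 bits of a VLAN tag


def parse_8021q_tag(tag: bytes) -> dict:
    """4-byte tag: TPID(16) | PCP/CoS(3) | DEI(1) | VLAN ID(12)."""
    tpid, tci = struct.unpack("!HH", tag[:4])
    if tpid != TPID_8021Q:
        raise ValueError("not an 802.1Q tag")
    return {"cos": tci >> 13, "dei": (tci >> 12) & 1, "vlan_id": tci & 0x0FFF}


def build_8021q_tag(cos: int, vlan_id: int, dei: int = 0) -> bytes:
    if not (0 <= cos <= 7 and 0 <= vlan_id <= 4095 and dei in (0, 1)):
        raise ValueError("field out of range")
    return struct.pack("!HH", TPID_8021Q, (cos << 13) | (dei << 12) | vlan_id)


def _ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum with the checksum field treated as zero."""
    data = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_checksum_valid(header: bytes) -> bool:
    return _ipv4_checksum(header) == struct.unpack("!H", header[10:12])[0]


def sample_ipv4_header(src: str, dst: str, ecn: int = 0) -> bytes:
    """Constructed 20-byte IPv4 header (UDP, no payload) with a valid checksum."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, ecn & 0x03, 20, 0, 0, 64, 17, 0, ip(src), ip(dst))
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def parse_dscp(ipv4_header: bytes) -> dict:
    """Second byte of the IPv4 header: DSCP(6) | ECN(2)."""
    tos = ipv4_header[1]
    return {"dscp": tos >> 2, "ecn": tos & 0x03}


def set_dscp(ipv4_header: bytes, dscp: int) -> bytes:
    """Rewrite DSCP, keep the ECN bits, and recompute the IPv4 header checksum."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP is 6 bits")
    tos = (dscp << 2) | (ipv4_header[1] & 0x03)
    hdr = ipv4_header[:1] + bytes([tos]) + ipv4_header[2:]
    return hdr[:10] + struct.pack("!H", _ipv4_checksum(hdr)) + hdr[12:]


def cos_to_dscp(cos: int) -> int:
    """Default mapping: the three CoS bits become the three high-order DSCP bits
    (CoS 5 -> DSCP 40, the CS5 class selector)."""
    return cos << 3


def dscp_to_cos(dscp: int) -> int:
    return dscp >> 3


def mark_at_boundary(tag: bytes, ipv4_header: bytes,
                     overrides: Dict[Tuple[int, str], int]) -> bytes:
    """Layer 2/3 boundary: derive DSCP from CoS unless a (cos, destination IP) policy
    entry gives a more specific value, as the switch can do with other factors."""
    cos = parse_8021q_tag(tag)["cos"]
    dst = ".".join(str(b) for b in ipv4_header[16:20])
    return set_dscp(ipv4_header, overrides.get((cos, dst), cos_to_dscp(cos)))


if __name__ == "__main__":
    tag = build_8021q_tag(5, 100)
    hdr = sample_ipv4_header("10.0.1.1", "10.0.2.2")
    print(parse_8021q_tag(tag), parse_dscp(mark_at_boundary(tag, hdr, {(5, "10.0.2.2"): 46})))
```

Because DSCP has 64 values against 8 for CoS, the boundary policy can single out one destination for DSCP 46 (Expedited Forwarding) while every other CoS 5 flow maps to the class selector CS5, which is the extra precision the paragraph refers to.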


QoS Tagging
Slide 3-77

[Diagram: three tagging points. Guest Tagging: the virtual machine marks traffic before it reaches
the vSphere Distributed Switch. Virtual Switch Tagging: the vSphere Distributed Switch marks traffic
before it enters the physical network. Physical Switch Tagging: the physical network marks traffic.]

Guest Tagging:
  Distributed switches pass VM CoS markings downstream
  NIOC cannot assign a separate queue based on the tag
  Administrators lose control
Virtual Switch Tagging:
  Distributed switch implements CoS or DSCP marking, or both
  Preferred option
  Single edge QoS enforcement point
Physical Switch Tagging:
  QoS marking or remarking done in the physical switch and/or router
  Burdensome QoS management on each edge device (for example: ToR)

Traffic that comes from a virtual machine can be tagged at several levels. Traffic can be tagged by
the virtual machine, by NSX Virtual Switch, or at the physical switch.


Physical Network Congestion
Slide 3-78

[Diagram: higher tagged, lower tagged, and untagged traffic from a vSphere Distributed Switch
passing through a congested switch in the physical network.]

In the example, the virtual machine traffic is tagged from the hypervisor. The traffic goes through
the physical network. Depending on the QoS settings and congestion, the virtual machine traffic
reaches its destination or is dropped. In most cases of congestion, the traffic with the highest QoS
priority is the most likely to reach its destination.


NSX Component Interaction: Configuration
Slide 3-79

Configuring the NSX platform.

[Diagram: vCenter Server and NSX Manager pushing NSX Controller configuration (logical switches,
distributed logical routers), host configuration (logical switches, distributed logical routers), and
service configuration (LB, FW, VPN, and so on).]

The components of the NSX platform are configured in the following order:
1. NSX Manager is connected to vCenter Server and prepares the infrastructure.
2. Provisioning of logical switches and distributed logical routers occurs through the VMware
vSphere Web Client or the VMware NSX API. After switches and routers are provisioned, they
are published to NSX Controller and the slicing process determines which NSX Controller node
is active.
3. NSX Controller proactively syncs information to the active ESXi hosts through the UWA. For
VXLAN logical switches, the host becomes active for a given VNI after a virtual machine is
connected to that VNI and powered on. The UWA reports to the NSX Controller, syncs the
VTEP list, and starts populating MAC and IP address information.
4. The Distributed Firewall configuration is sent directly to the ESXi hosts through the secured
message bus. The VMware NSX Edge configuration is sent directly to the NSX Edge
gateway through the message bus.
5. As the virtual infrastructure scales and additional hosts are added, the logical switches, routers,
and firewalls are scaled with the compute infrastructure. The scaling occurs as the same cluster
is expanded, or as new clusters are prepared for network virtualization.


NSX Logical Switching
Slide 3-80

Logical Switching: Using VXLAN to scale the network

Challenges:
  Per application or multitenant segmentation
  Virtual machine mobility requires L2 everywhere
  Large L2 physical network sprawl: STP issues
  HW memory (MAC, FIB) table limits
Benefits:
  Scalable multitenancy across data center
  Enabling L2 over L3 infrastructure
  Overlay based with VXLAN, STT, GRE, and so on
  Logical switches span across physical hosts and network switches

Logical Switch
Slide 3-81

The logical switch is a virtual network segment that has been identified with a VNI:
  Each logical switch gets its own unique VNI.
  A VXLAN distributed switch port group is created in all the VTEPs in the same transport zone
  where the logical switch is created.
  Virtual machines' vNICs get connected to logical switches.
  Logical switches support mobility and availability features in vSphere such as:
    VMware vSphere vMotion
    VMware vSphere High Availability

The logical switch is a distributed port group on the distributed switch. The logical switch can
span distributed switches by being associated with a port group in each distributed switch. The
vCenter Server system creates the port group for the NSX Manager. vSphere vMotion is supported,
but only among those hosts that are part of the same distributed switch.


Lab 4: Introduction (1)
Slide 3-82

Creating logical switches.

[Screenshot: vSphere Web Client, Networking & Security > Logical Switches, New Logical Switch
dialog with Name, Description, Transport Zone (Global Transport Zone), and Control Plane Mode:
Multicast (multicast on physical network used for VXLAN control plane), Unicast (VXLAN control
plane handled by NSX Controller cluster), Hybrid (optimized unicast mode; offloads local traffic
replication to physical network).]

Lab 4: Introduction (2)
Slide 3-83

Migrating virtual machines to the logical switches.

[Screenshot: Transit-Network - Add Virtual Machines wizard, step 1 Select Virtual Machines (select
VMs to connect to this network), step 2 Select VNICs, step 3 Ready to complete. Listed virtual
machines: app-sv-01a, br-sv-02a, db-sv-01a, mgt-sv-01a, three NSX_Controller virtual machines,
web-sv-01a, web-sv-02a.]

Lab 4: Configuring and Testing Logical Switch Networks
Slide 3-84

Create and test logical switches for the Web-Tier, App-Tier, DB-Tier, and transport networks
1. Prepare for the Lab
2. Create Logical Switches
3. Verify That Logical Switch Port Groups Appear in vSphere
4. Migrate Virtual Machines to Logical Switches
5. Test Connectivity
6. Clean Up for the Next Lab

Concept Summary
Slide 3-85

A review of terms used in this lesson:
What is the tunnel endpoint for VXLAN communication between ESXi hosts, across a transport
network, using Layer 3 encapsulation called? VXLAN Tunnel Endpoint (VTEP)
What is the tunnel endpoint for VXLAN communications using multicast called? Multicast Tunnel
Endpoint (MTEP)
What is the tunnel endpoint for VXLAN communications using unicast called? Unicast Tunnel
Endpoint (UTEP)
What is a port group on a vSphere Distributed Switch with NSX modules installed called? Logical switch
What is the transmission of different multicast traffic across VXLAN networks called? VXLAN replication
Which mode uses both unicast and multicast to conserve bandwidth while ensuring a speedy
delivery? Hybrid
Which feature ensures that high-value traffic is prioritized during periods of network congestion?
Quality of Service (QoS)

Review of Learner Objectives
Slide 3-86

You should be able to meet the following objectives:
  Describe VXLAN overlay networks
  Define the VXLAN frame format
  Compare unicast, multicast, and hybrid modes

Key Points
Slide 3-87

VLANs split switches into separate virtual switches.


A distributed switch is used to manage all switches in a data center
versus individual switches per host.
LACP provides automatic negotiation of link aggregation parameters
between virtual and physical switches.
A VXLAN VTEP is the VMkernel interface which serves as the endpoint
for encapsulation/de-encapsulation of VXLAN traffic.
Questions?


MODULE 4

NSX Routing
Slide 4-1

Module 4

You Are Here
Slide 4-2

VMware NSX: Install Configure Manage
  Course Introduction
  NSX Networking
  Logical Switch Networks and VXLAN Overlays
  NSX Routing
  NSX Edge Services Gateway Features
  NSX Security

Importance
Slide 4-3

The distributed routing capability in the VMware NSX platform provides an optimized and scalable
way of handling East-West traffic in a data center.
The VMware NSX Edge services router provides the traditional centralized routing support in the
NSX platform.

Module 4 NSX Routing

Module Lessons
Slide 4-4

Lesson 1: NSX Routing
Lesson 2: NSX Logical Router
Lesson 3: Layer 2 Bridging
Lesson 4: NSX Edge Services Gateway

Lesson 1: NSX Routing
Slide 4-5

Learner Objectives
Slide 4-6

By the end of this lesson, you should be able to meet the following objectives:
  Compare Open Shortest Path First (OSPF), Intermediate System to Intermediate System (IS-IS),
  and Border Gateway Protocol (BGP)
  Describe OSPF area types
  Describe IS-IS routing levels
  Describe BGP

Supported Routing Protocols
Slide 4-7

The following routing protocols are supported by NSX:
  OSPF
  IS-IS
  BGP:
    Internal BGP (iBGP)
    External BGP (eBGP)

The TCP/IP protocol suite offers different routing protocols that provide a router with methods for
building valid routes. The following routing protocols are supported:
Open Shortest Path First (OSPF): This protocol is a link-state protocol that uses a link-state
routing algorithm. This protocol is an interior routing protocol.
Intermediate System to Intermediate System (IS-IS): This protocol determines the best route for
datagrams through a packet-switched network.
Border Gateway Protocol (BGP): This protocol is an exterior gateway protocol that is designed
to exchange routing information between autonomous systems (AS) on the Internet.


OSPF Features
Slide 4-8

OSPF distributes routing information between different routers belonging to a single autonomous
system (AS):
  Area level support: Default area 51
  Backbone and NSSA support
  Clear text and MD5 peer authentication
  Interface-level support
  Hello interval and dead interval configuration
  Priority for designated router and backup designated router election
  Interface cost configuration

OSPF is a link-state protocol. Each router maintains a database describing the AS topology. When
you enable OSPF, area 0 and area 51 are created by default. Area 51 can be deleted and replaced
with a desired area.
By default, OSPF adjacency negotiations use clear authentication, assuming that the segment is
secure. If installed in an insecure segment, enabling authentication ensures that a third party cannot
corrupt the routing table or hijack connections by injecting a compromised default route.


About OSPF
Slide 4-9

OSPF is a routing protocol that uses the router's link states to determine the optimal path to reach
a destination:
  OSPF is an Internal Gateway Protocol (IGP) because it is under the management control of a
  single institution or AS.
  OSPF uses Dijkstra's algorithm to find the shortest path, or the lowest cost, to a destination.
  Every OSPF router creates a path tree to each subnet. The OSPF router is at the center of the tree.
  OSPF routers that share an Ethernet segment form neighbor adjacencies.
  Latest supported OSPF version is version 2.

OSPF maintains a link-state database that describes the AS topology. Each participating router has
an identical database. The router shares this database with routers in the AS by a mechanism called
flooding. All routers in the AS run the same algorithm to construct the shortest path between
the router and the root. This algorithm gives each router the route to each destination in the AS.
When multiple paths to a destination exist and those paths are of equal cost, traffic is distributed
equally among those paths.
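The shortest-path computation described above can be shown on a small link-state database. The following Python example is added here and is not course or NSX code. It runs Dijkstra's algorithm from a root router over a constructed five-router topology, keeps every equal-cost next hop so that traffic to a destination can be spread equally (the behaviour the paragraph describes), derives a routing table for constructed stub prefixes, and re-runs SPF after one link is withdrawn from the database, as a link-state update would cause. Router names, costs and prefixes are constructed sample values.

```python
"""Added example: OSPF-style SPF (Dijkstra) with equal-cost multipath (not course or NSX code)."""
import heapq
from typing import Dict, List, Set, Tuple

# Constructed link-state database: router -> {neighbour: interface cost}.
# Both ends of every link are present, as they would be after flooding.
LSDB: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 10, "R3": 10},
    "R2": {"R1": 10, "R4": 10},
    "R3": {"R1": 10, "R4": 10},
    "R4": {"R2": 10, "R3": 10, "R5": 5},
    "R5": {"R4": 5},
}

# Constructed stub networks: prefix -> router that advertises it.
NETWORKS: Dict[str, str] = {"10.1.5.0/24": "R5", "10.1.4.0/24": "R4"}


def spf(lsdb: Dict[str, Dict[str, int]], root: str) -> Tuple[Dict[str, int], Dict[str, List[str]]]:
    """Dijkstra from root.  Returns (cost, next hops) for every reachable router.
    When a second path of equal cost is found, its next hop is added rather than
    replacing the first, which yields the equal-cost multipath set."""
    cost: Dict[str, int] = {root: 0}
    next_hops: Dict[str, Set[str]] = {root: set()}
    done: Set[str] = set()
    heap = [(0, root)]
    while heap:
        d, u = heapq.heappop(heap)
        if u in done:
            continue
        done.add(u)
        for v, link_cost in lsdb.get(u, {}).items():
            candidate = d + link_cost
            # next hop toward v: v itself when we are the root, otherwise inherited from u
            via = {v} if u == root else set(next_hops[u])
            if v not in cost or candidate < cost[v]:
                cost[v] = candidate
                next_hops[v] = via
                heapq.heappush(heap, (candidate, v))
            elif candidate == cost[v] and v not in done:
                next_hops[v] |= via
    return cost, {r: sorted(h) for r, h in next_hops.items()}


def routing_table(lsdb: Dict[str, Dict[str, int]], root: str,
                  networks: Dict[str, str]) -> Dict[str, Tuple[int, List[str]]]:
    """prefix -> (total cost, next hops), as the router would install them."""
    cost, hops = spf(lsdb, root)
    return {prefix: (cost[adv], hops[adv]) for prefix, adv in networks.items() if adv in cost}


def without_link(lsdb: Dict[str, Dict[str, int]], a: str, b: str) -> Dict[str, Dict[str, int]]:
    """Copy of the database with link a-b withdrawn (what a link-state update would cause)."""
    copy = {r: dict(n) for r, n in lsdb.items()}
    copy[a].pop(b, None)
    copy[b].pop(a, None)
    return copy


if __name__ == "__main__":
    print(routing_table(LSDB, "R1", NETWORKS))
    print(routing_table(without_link(LSDB, "R2", "R4"), "R1", NETWORKS))
```

From R1, R4 and the prefixes behind it are reachable at equal cost through R2 and through R3, so both appear as next hops; withdrawing the R2-R4 link leaves only R3, and withdrawing R4-R5 removes R5's prefix from the table entirely, which is the recomputation every router performs after flooding.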


OSPF Neighbor Relationships
Slide 4-10

Routers on the same network segment with the same area ID are neighbors.
Neighbor relationships are established through a discovery process:
1. The router determines its OSPF router ID (RID).
2. The router starts the OSPF process.
3. The router sends out Hello packets using multicast.
4. When a Hello packet is received from another router containing the router's own RID, the routers become neighbors.

OSPF-enabled routers must find neighboring OSPF-enabled routers and form neighbor adjacencies
with those routers. OSPF-enabled routers form neighbor adjacencies by multicasting information to
other OSPF-enabled routers. Each router is responsible for maintaining a Neighbor Table of the
OSPF-enabled routers that it has formed adjacencies with. The router is also responsible for sharing
this table with other routers. This multicast uses Hello packets that contain the necessary
information to form adjacencies.


OSPF Packet Types
Slide 4-11

OSPF has many different packet types used for communicating OSPF information:
Hello packets
Database Descriptor packets
Link State Request packets
Link State Update packets
Link State Acknowledgement packets

Slide figure, OSPF packet header fields (24 bytes): Version #, Type, Packet Length; Router ID; Area ID; Checksum, AuType; Authentication; Authentication.

All OSPF packets have a header of 24 bytes. This header contains the information required for any
OSPF communication:
The version of OSPF in use by the originating router.
The packet type: A total of five packet types are sent by OSPF.
The total length of the packet.
The Router ID (RID) of the originating router.
The Area ID for the area to which the originating interface on the originating router belongs.
A checksum value for the packet to verify it has not been corrupted. This checksum excludes
the authentication fields.
The Authentication type (AuType) currently in use. Authentication can be none, plain text
password, or MD5 authentication.
The authentication data needed if any authentication type is used.


OSPF Hello Packets
Slide 4-12

Slide figure, a captured OSPF Hello packet as decoded by a protocol analyzer:
OSPF Hello Packet
  Network Mask: 255.255.255.0
  Hello Interval: 10 seconds
  Options: 0x12 (L, E)
    0... .... = DN: DN-bit is NOT set
    .0.. .... = O: O-bit is NOT set
    ..0. .... = DC: Demand circuits are NOT supported
    ...1 .... = L: The packet contains LLS data block
    .... 0... = NP: NSSA is NOT supported
    .... .0.. = MC: NOT multicast capable
    .... ..1. = E: External Routing Capability
  Router Priority: 1
  Router Dead Interval: 40 seconds
  Designated Router: 0.0.0.0
  Backup Designated Router: 0.0.0.0
  Active Neighbour: 10.10.2.2

Hello packet body fields shown in the figure: Network Mask; HelloInterval, Options, Router Priority; RouterDeadInterval; Designated Router; Backup Designated Router; Neighbor.

The OSPF-enabled router builds neighbor adjacencies by periodically sending out packets called
Hello packets from all OSPF-enabled interfaces on the router. OSPF-enabled routers see Hello
packets from other OSPF-enabled routers and add these routers to a record called a Neighbor Table.
After the routers have added each other to their tables, those routers have formed an adjacency.
To form a neighbor adjacency, both OSPF-enabled routers must match certain parameters specified in
their respective Hello packets:
The subnet included is that of the originating interface.
The HelloInterval is the interval at which the Hello packet is sent from an OSPF-enabled
router's interfaces. The default interval is 10 seconds, but the HelloInterval is configured per
interface.
Options include the capabilities of the originating router.
Router Priority is the priority of the originating router, used in designated router elections.
The originating router sets the Router Dead Interval to tell other routers how long it can be silent before
they mark it as a dead link.
The IP address of the current Designated Router.


The IP address of the current Back up Designated Router.


The RIDs of all OSPF neighbor routers for the originating router.
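As an added example that is not part of the course material, the following Python code parses the 24-byte OSPFv2 header described under Slide 4-11 and the Hello body described above, verifies the checksum (which excludes the authentication field, as stated above), and checks two decoded Hellos for the parameters that must match before an adjacency forms. The router IDs, area 51, mask, timers and neighbor addresses are constructed sample values modelled on the slide, not captures from the course lab.

```python
import ipaddress
import struct

# OSPFv2 header (24 bytes) and the fixed part of a Hello body (20 bytes), RFC 2328.
OSPF_HDR = struct.Struct("!BBHIIHH8s")   # ver, type, length, rid, area, csum, autype, auth
HELLO_FIXED = struct.Struct("!IHBBIII")  # mask, hello, options, priority, dead, dr, bdr
OSPF_TYPES = {1: "Hello", 2: "Database Descriptor", 3: "Link State Request",
              4: "Link State Update", 5: "Link State Acknowledgment"}
OPT_E = 0x02   # E bit (external routing capability) in the Options field

def ospf_checksum(data: bytes) -> int:
    """Standard 16-bit one's-complement checksum used by OSPF."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def _ip(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))

def build_hello(router_id, area_id, mask, hello_int, dead_int, options, priority,
                dr, bdr, neighbors, autype=0, auth=b"\x00" * 8) -> bytes:
    """Build a Hello packet from constructed values (used to feed the parser)."""
    body = HELLO_FIXED.pack(_ip(mask), hello_int, options, priority, dead_int, _ip(dr), _ip(bdr))
    body += b"".join(_ip(n).to_bytes(4, "big") for n in neighbors)
    length = OSPF_HDR.size + len(body)
    # The checksum covers the whole packet except the 8-byte authentication field,
    # with the checksum field itself zeroed.
    zeroed = OSPF_HDR.pack(2, 1, length, _ip(router_id), _ip(area_id), 0, autype, b"\x00" * 8)
    csum = ospf_checksum(zeroed[:16] + body)
    return OSPF_HDR.pack(2, 1, length, _ip(router_id), _ip(area_id), csum, autype, auth) + body

def parse_hello(body: bytes) -> dict:
    """Decode the Hello body: fixed fields plus the list of neighbor router IDs."""
    if len(body) < HELLO_FIXED.size:
        raise ValueError("Hello body shorter than its fixed 20 bytes")
    mask, hello, options, prio, dead, dr, bdr = HELLO_FIXED.unpack_from(body)
    rest = body[HELLO_FIXED.size:]
    if len(rest) % 4:
        raise ValueError("neighbor list is not a multiple of 4 bytes")
    return {
        "network_mask": str(ipaddress.IPv4Address(mask)),
        "hello_interval": hello, "options": options, "priority": prio, "dead_interval": dead,
        "dr": str(ipaddress.IPv4Address(dr)), "bdr": str(ipaddress.IPv4Address(bdr)),
        "neighbors": [str(ipaddress.IPv4Address(rest[i:i + 4])) for i in range(0, len(rest), 4)],
    }

def parse_ospf(pkt: bytes) -> dict:
    """Parse the 24-byte header, verify the checksum, and decode a Hello body if present."""
    if len(pkt) < OSPF_HDR.size:
        raise ValueError("packet shorter than the 24-byte OSPF header")
    ver, ptype, length, rid, area, csum, autype, _auth = OSPF_HDR.unpack_from(pkt)
    if ver != 2:
        raise ValueError(f"unsupported OSPF version {ver}")
    if length < OSPF_HDR.size or length > len(pkt):
        raise ValueError("packet length field does not match the data")
    pkt = pkt[:length]                  # ignore any trailer beyond the declared length
    if autype in (0, 1):                # null / plain-text auth: the checksum is verified;
        expected = ospf_checksum(pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:])
        if expected != csum:            # with MD5 (AuType 2) a digest replaces it instead
            raise ValueError("OSPF checksum mismatch, packet corrupted")
    result = {
        "type": OSPF_TYPES.get(ptype, f"unknown({ptype})"), "length": length,
        "router_id": str(ipaddress.IPv4Address(rid)),
        "area_id": str(ipaddress.IPv4Address(area)), "autype": autype,
    }
    if ptype == 1:
        result["hello"] = parse_hello(pkt[OSPF_HDR.size:])
    return result

def is_valid(pkt: bytes) -> bool:
    """True when the packet parses and its checksum verifies."""
    try:
        parse_ospf(pkt)
        return True
    except ValueError:
        return False

def hello_mismatches(mine: dict, theirs: dict) -> list:
    """Names of the Hello parameters that prevent two routers from becoming neighbors."""
    problems = []
    if mine["area_id"] != theirs["area_id"]:
        problems.append("area_id")
    a, b = mine["hello"], theirs["hello"]
    for name in ("network_mask", "hello_interval", "dead_interval"):
        if a[name] != b[name]:
            problems.append(name)
    if (a["options"] ^ b["options"]) & OPT_E:   # RFC 2328 also requires the E bit to agree
        problems.append("options.E")
    return problems

def two_way(received: dict, my_router_id: str) -> bool:
    """True when the received Hello lists our RID, i.e. the neighbor has already seen us."""
    return my_router_id in received["hello"]["neighbors"]
```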


Other OSPF Packets
Slide 4-13

Slide figure, packet layouts:
Database Descriptor: Interface MTU, Options, DD Sequence Number, LSA Header
Link State Request: LS Type, Link State ID, Advertising Router
Link State Update: # LSAs, LSAs
Link State Acknowledgement: LSA Header

The other OSPF packets are used as part of the process for keeping the Link State tables
synchronized between all OSPF-enabled routers:
1. Type 2 packets are Database Descriptor packets. Database Descriptor packets are used to
synchronize the router link states between all neighbors. This synchronization is important for
keeping the router paths accurate and not sending traffic to dead links. The OSPF router
summarizes the local database and the packets carry a set of LSAs inside the Database
Descriptor packet.
2. Type 3 packets are Link State Request packets. OSPF-enabled routers use Link State Request
packets to request neighbor database updates when their own link state databases are old based
on the Database Descriptor packet data. Adjacent routers that detect an LSA that is newer
than their own database copy request the newer LSA from the neighbor.
3. Type 4 packets are Link State Update (LSU) packets. The request for an update takes the form
of a Link State Request (LSR) packet that contains requests for any LSA updates needed. The
router with the updated database responds to the LSR with an LSU packet that contains all of the
requested LSAs.
4. Type 5 packets are Link State Acknowledgment (LSAck) packets. After the LSU packet is
received, the receiving router sends an LSAck packet to the originating router.

OSPF Neighbor States
Slide 4-14

OSPF Neighbors have different states depending on their status:
Down
Attempt
Init
2-Way
Exstart
Exchange
Loading
Full
Designated / Backup Designated

Slide figure, a neighbor table as displayed by a router (values as on the slide):
Neighbor ID     Pri   State      Dead Time   Address        Interface
10.10.1.254     10    FULL/DR    00:00:27    192.168.0.3    FastEthernet0/0
10.10.2.254     1     FULL/BDR   00:00:31    192.168.0.7    FastEthernet0/0
10.20.10.254    0     2WAY       00:00:33    192.168.0.11   FastEthernet0/0
10.20.11.254    0     2WAY       00:00:29    192.168.0.13   FastEthernet0/0
10.20.12.254    0     DOWN       00:00:35    192.168.0.17   FastEthernet0/0

OSPF-enabled routers keep the link state database current at all times. This database is used to
determine where to send traffic by the most efficient path:
Down indicates that the neighbor has not been heard from within the RouterDeadInterval time.
Attempt is only used for manually configured neighbors. The current router is sending Hello
packets to any router in the Attempt state.
When the status is Init, the router has received a Hello packet from this neighbor and replied but
has not completed the process for establishing adjacency.
A 2-Way state indicates that bidirectional communication is established with the neighbor
router.
Exstart indicates that the routers are beginning the link state information exchange.
Exchange is the state when neighbor routers exchange the Database Descriptor packets.
In the Loading state, based on the information in the Database Descriptor packets, routers are
exchanging the link state information.
The Full state indicates that routers are synced and in adjacency.


The Designated Router (DR) is an OSPF-enabled router interface. This interface is elected by all the
other routers in an area to be a centralized router that keeps a topology table of the entire network.
The Backup Designated Router (BDR) takes over if the DR fails. When a DR is present, other
OSPF-enabled routers form adjacencies only with the DR and BDR. Non-DR or BDR routers send
updates directly to the DR and BDR. The DR multicasts updates out to all other routers in the area.
The use of this centralized maintenance coupled with the use of multicasting conserves network
bandwidth.
The DR is determined through an election process where the OSPF-enabled router interface with the
highest priority is elected as the DR. The BDR is the OSPF-enabled router interface with the next
highest priority. If the DR fails, the BDR assumes the DR role and a new BDR is elected.


OSPF Router Types
Slide 4-15

The OSPF router type is a property of the OSPF process. A physical router can host more than a single OSPF router type with one type on each port.
Routers can have the following OSPF router types:
Area Border Routers (ABR): Connect one or more areas to the backbone network.
Autonomous System Boundary Routers (ASBR): Connect to other autonomous systems and exchange routing information.
Internal Routers (IR): Connect all interfaces in a single OSPF area.


The main router types are the following:
Area Border Routers (ABR) connect one or more OSPF areas to the backbone network. The
ABR keeps an individual copy of the link-state database in memory for each connected area.
Autonomous System Boundary Routers (ASBR) connect to other routers that belong to other
areas using other routing protocols or static routing. The static routing or additional routing
protocol, such as IS-IS, is in addition to OSPF. The ASBRs distribute routes discovered from
external systems to other OSPF-enabled routers.
The Internal Router (IR) is an OSPF-enabled router that belongs to only one area and has
neighbors only within that area.


OSPF Areas
Slide 4-16

An OSPF AS includes all routers that run OSPF and these routers exchange link-state information with each other:
An AS is also called a routing domain.
In the OSPF AS, each router interface that is participating in the OSPF process is placed in an area:
A router can have interfaces in more than one area.
A router with interfaces in more than one area must have one of those interfaces in the backbone area, or area 0.
A router only forms neighbor adjacencies with another router in a local segment if both routers are in the same area.
The default OSPF area for NSX is Area 51.

Areas are sets of networks that are grouped together. Areas are a collection of routers, links, and
networks that have the same area identification. Each OSPF area can combine with other areas and
form a backbone area. Backbone areas combine multiple independent areas into one logical routing
domain. This backbone area has an ID of 0 (0.0.0.0). The primary responsibility of the backbone
area is to distribute routing information between nonbackbone areas.


OSPF Area Types


Slide 4- 17

OSPF defines the following types of areas:

Normal area

Stub area
Not so stubby area (NSSA)


Each area maintains a separate link-state database. Stub areas are areas that do not receive route
advertisements external to the AS. A not so stubby area (NSSA) is a stub area that can import AS
external routes and send them to other areas. But an NSSA cannot receive AS external routes from
other areas.


OSPF Normal Area
Slide 4-18

An OSPF normal area is a nonbackbone area that receives full routing updates from the backbone:
Routers in the area have full visibility of all networks in the OSPF AS.
No special configuration is needed in the routers.

In an OSPF normal area, routers have full visibility to all networks in the AS. Every router in a
normal area knows about every route.


OSPF Stub Area
Slide 4-19

An OSPF stub area is a nonbackbone area that receives only a default route from the backbone.
Routers within the area continue to exchange routing updates and intra-area routes:
Routers in the area have full visibility of only networks in their area.
The stub area is configured at the area border router.


A stub area is useful if routers do not need to know about every route. Routers continue to exchange
information in their area but not external destinations. Instead, routers in the area must send external
packets to an area border router (ABR). The area border router advertises a default route in place of
external routes and generates a network summary link-state advertisement (LSA). Packets destined
for an external route are sent to the ABR.


OSPF NSSA
Slide 4-20

An OSPF NSSA is a nonbackbone area that receives only a default route from the backbone:
The NSSA also has an AS boundary router that injects external routes to the area.
The external routes are advertised to the backbone area.
Routers in the area continue to exchange routing information for intra-area networks.
The NSSA is configured on an area border router.

An OSPF NSSA allows external routing information to be imported in a limited fashion into the
stub area. OSPF NSSA is useful for making an area aware of a non-OSPF router. This information
can be flooded within the area, but the area remains protected from being flooded with all routes.


OSPF Area and Router Types Example
Slide 4-21

Areas are logical groupings of hosts, networks, and routers.

Slide figure labels: Area 0; Area 813 Normal; Area 829 Stub; Internal Router (in each nonbackbone area).

The diagram shows the interactions of the different areas with each other.


Intermediate System to Intermediate System
Slide 4-22

IS-IS is a routing protocol that uses the router's link states to determine the optimal path to reach a destination:
Similar in design to OSPF.
IS-IS can route non-IP traffic.
IS-IS was originally defined by ISO/IEC 10589:2002.
IS-IS is the preferred IGP used by large Internet Service Providers (ISPs) globally.
In ISO terminology, an intermediate system (IS) is a router.

IS-IS is an interdomain dynamic routing protocol used to support large routing domains. OSPF is
designed to support only TCP/IP networks whereas IS-IS started as an ISO protocol. Both protocols
are interior gateway protocols (IGP), but IS-IS runs over layer 2 and is intended to support multiple
routed protocols.


IS-IS Features
Slide 4-23

Router-level support:
Area ID, system ID (default router-id), IS-Type (default level-1-2), domain password, and area password
Area-level support:
Up to 3 IP addresses per area
Interface-level support:
vNIC name
Hello timer, hello multiplier
Metric, priority
Circuit type
LSP interval
Mesh group
Password

IS-IS and OSPF have similar features. VMware NSX supports up to three IP addresses per area
and a wide range of interface-level settings.


IS-IS Areas
Slide 4-24

Like OSPF, IS-IS associates routers into areas:
Areas should be contiguous.
IS-IS defines two areas: level 1 areas and level 2 areas.
Level 1 areas are equivalent to normal OSPF nonbackbone areas:
Routers in this area advertise intra-area route information in the area.
A router can be a part of multiple level 1 areas.
Level 2 areas only advertise inter-area route information in the area:
This area is close to an OSPF backbone area.
Like OSPF, IS-IS areas have numbers.

IS-IS uses a two-level hierarchy for managing and scaling large networks. A routing domain is
partitioned into areas. Level 1 routers know the topology of their area including all routers and
endpoints in their area. Level 1 routers do not know the identity of routers or destinations outside
their areas. Level 1 routers forward all traffic that is outside their area to a level 2 router in their
area.
Level 2 routers know the level 2 area and know which addresses can be reached by contacting other
level 2 routers. A level 2 router does not know the topology of a level 1 area. Level 2 routers can
exchange packets or routing information directly with external routers located outside of the routing
domain.


IS-IS Router Levels
Slide 4-25

IS-IS assigns an area type to the entire router rather than the router links.

Slide figure labels: Level 1 Area; Level 2 Backbone; Level 1 Area.


Level 1 routers belonging to a level 1 area only form neighbor adjacencies with level 1 routers in the
same area and have full visibility of their area. Level 2 routers belonging to a level 2 area can form
neighbor adjacencies with any level 2 router, including in other areas, and advertise interarea routes.
Level 1-2 routers belong to both level 1 and level 2 areas at the same time. Similar to OSPF's ABR,
level 1-2 routers can form neighbor adjacencies with any other router in any area. A level 1-2 router
takes level 1 area routing updates and propagates them to level 2 areas and the other way round.
Only level 2 routers can connect to an external network.


IS-IS Neighbor Adjacency
Slide 4-26

IS-IS routers exchange Hello Protocol Data Units (Hello PDUs) to discover IS-IS speakers in the segment and to form neighbor adjacencies.

Slide figure labels: Level 1 Area; Level 2 Backbone.

All IS-IS speakers in a segment form neighbor adjacencies with each other:
Level 1 routers send and listen for level 1 Hello Protocol Data Units (PDUs).
Level 2 routers send and listen for level 2 Hello PDUs.
Level 1-2 routers send and listen for level 1 and level 2 Hello PDUs.


IS-IS Design Considerations
Slide 4-27

IS-IS has more flexible rules than OSPF regarding neighbor adjacencies and route advertisement:
Level 2 only routers are not needed.
Multiple level 1 areas can be joined with level 1 or 2 routers.
An area cannot be disjointed.
All routers in the same area should have an area path to every other router in the area.
Area boundaries exist in the links, not routers.


BGP Features
Slide 4-28

iBGP and eBGP support
Router-level configuration
Local AS
Neighbor-level configuration:
Keep alive timer (default 60)
Hold-down timer (default 180)
Authentication MD5
Per neighbor filtering
Inbound or outbound accept or deny by prefix range

BGP is an inter-AS routing protocol.
BGP peerings can be either internal BGP (iBGP) or external BGP (eBGP). eBGP is used when talking to a
router that has an AS number that is different from its own. iBGP is used with routers in the same
local AS.
You can use neighbor-level configurations to configure various settings to customize the BGP
configuration.


Border Gateway Protocol
Slide 4-29

BGP is a routing protocol that provides route reachability while avoiding path loops:
BGP is an external gateway protocol (EGP) because BGP is used between different AS under different management controls to advertise routes.
Each AS administrator chooses which routes to advertise through BGP.
Each AS administrator chooses which routes to receive through BGP.
BGP is the standard route advertisement protocol on the Internet.
Latest BGP version is 4, RFC 4271.


BGP is a standardized exterior gateway protocol designed to exchange routing and reachability
information between AS on the Internet.


BGP AS Numbers
Slide 4-30

BGP speakers are assigned an AS number (ASN).
An ASN uniquely identifies all the BGP speaking routers under the same management control:
The Internet Assigned Numbers Authority (IANA) assigns public ASNs.
Originally BGP supported 2^16, or 65,536 ASNs:
RFC 6793 expanded ASN support to 2^32, or 4,294,967,296 ASNs.
ASNs 64,512 through 65,534 and 4,200,000,000 through 4,294,967,294 are internal ASNs for anyone to use.
These internal ASNs cannot be advertised on the Internet.

An AS is a set of routers under a single technical administration. The AS uses an interior gateway
protocol (IGP) and common metrics to determine how to route packets in the AS. The AS uses an
inter-AS routing protocol to determine how to route packets to other AS. Each of these AS is
uniquely identified using an AS number (ASN).


BGP Peers
Slide 4-31

BGP neighbor adjacencies, called peers, are manually configured.
Each BGP speaker must have information about the other BGP router before the BGP speaker starts sending hello packets:
BGP peers establish a communication over TCP port 179.
If two BGP peers have different BGP ASNs, the peers are called eBGP and BGP assumes that they are under different management control.
If two BGP peers have the same BGP ASN, the peers are called iBGP and BGP assumes that they are under one management control.


Peers are manually configured to exchange routing information and form TCP connections. A peer
in a different AS is called an external peer, while a peer in the same AS is called an internal peer.


BGP Peers Example
Slide 4-32

A BGP router is only aware of its BGP neighbors and conducts all control plane communication with them.

Slide figure labels: AS 90; iBGP.


BGP Route Selection
Slide 4-33

A BGP router only installs one path to a route in its routing table.
If multiple paths exist for the route, the BGP router selects the best route based on the following criteria:
1. Prefer the path with the highest local preference.
2. Prefer the locally originated path.
3. Prefer the shortest AS path.
4. Choose the path with the lowest origin code.
5. Choose the path with the lowest multiexit discriminator.
6. Choose an eBGP path over an iBGP path.
7. Choose a route through the nearest IGP neighbor as determined by the lowest IGP metric.
8. Choose a path with the lowest router ID.


BGP routers typically receive multiple paths to the same destination. The BGP best path algorithm
is used to determine which path is best to install in the BGP routing table.
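As an added example that is not part of the course material, the following Python code applies the eight selection steps listed above, in that order, to a constructed set of candidate paths and installs exactly one path per prefix. The prefixes, next hops, ASNs and router IDs are made-up sample values.

```python
import ipaddress
from dataclasses import dataclass

ORIGIN_CODES = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # lower code is preferred


@dataclass
class BgpPath:
    """One candidate path to a prefix as learned from one peer (constructed data)."""
    prefix: str
    next_hop: str
    as_path: tuple               # ASNs the route has traversed, e.g. (65001, 65002)
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "IGP"
    med: int = 0                 # multiexit discriminator
    ebgp: bool = True            # learned from an external (eBGP) peer?
    igp_metric: int = 0          # IGP cost to reach next_hop
    router_id: str = "0.0.0.0"   # router ID of the advertising peer


def compare(a: BgpPath, b: BgpPath):
    """Return (preferred path, deciding step 1..8), in the order listed on the slide."""
    if a.local_pref != b.local_pref:                      # 1. highest local preference
        return (a if a.local_pref > b.local_pref else b), 1
    if a.locally_originated != b.locally_originated:      # 2. locally originated path
        return (a if a.locally_originated else b), 2
    if len(a.as_path) != len(b.as_path):                  # 3. shortest AS path
        return (a if len(a.as_path) < len(b.as_path) else b), 3
    oa, ob = ORIGIN_CODES[a.origin], ORIGIN_CODES[b.origin]
    if oa != ob:                                          # 4. lowest origin code
        return (a if oa < ob else b), 4
    # 5. lowest MED. Real routers compare MED only between paths received from
    #    the same neighboring AS; this example applies it unconditionally.
    if a.med != b.med:
        return (a if a.med < b.med else b), 5
    if a.ebgp != b.ebgp:                                  # 6. eBGP over iBGP
        return (a if a.ebgp else b), 6
    if a.igp_metric != b.igp_metric:                      # 7. nearest IGP neighbor
        return (a if a.igp_metric < b.igp_metric else b), 7
    ra = int(ipaddress.IPv4Address(a.router_id))          # 8. lowest router ID
    rb = int(ipaddress.IPv4Address(b.router_id))
    return (a if ra <= rb else b), 8


def best_path(paths: list) -> BgpPath:
    """Reduce all candidate paths for one prefix to the single best path."""
    if not paths:
        raise ValueError("no candidate paths")
    best = paths[0]
    for candidate in paths[1:]:
        best, _ = compare(best, candidate)
    return best


def build_routing_table(paths: list) -> dict:
    """Install exactly one path per prefix, as a BGP router does."""
    by_prefix = {}
    for path in paths:
        by_prefix.setdefault(path.prefix, []).append(path)
    return {prefix: best_path(cands) for prefix, cands in by_prefix.items()}


# Constructed sample: paths as seen by a router in a private AS (all values made up).
SAMPLE_PATHS = [
    BgpPath("10.0.0.0/8", "192.0.2.1", (65001, 65002), router_id="192.0.2.1"),
    BgpPath("10.0.0.0/8", "192.0.2.5", (65003,), router_id="192.0.2.5"),
    BgpPath("10.0.0.0/8", "10.1.1.1", (65001, 65002, 65004), local_pref=200,
            ebgp=False, router_id="10.1.1.1"),
    BgpPath("198.51.100.0/24", "192.0.2.1", (65001,), router_id="192.0.2.1"),
    BgpPath("198.51.100.0/24", "192.0.2.9", (65005,), router_id="192.0.2.9"),
]

if __name__ == "__main__":
    for prefix, path in build_routing_table(SAMPLE_PATHS).items():
        print(prefix, "via", path.next_hop, "AS path", path.as_path)
```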


Concept Summary
Slide 4-34

A review of terms used in this lesson:
Which is the interior routing protocol that uses link state tables to map network topology?
Open Shortest Path First (OSPF)
Which protocol floods link state information through a network of routers to map network topology?
Intermediate System to Intermediate System (IS-IS) protocol
Which protocol manually configures and uses TCP to connect to peers?
Border Gateway Protocol (BGP)


Review of Learner Objectives
Slide 4-35

By the end of this lesson, you should be able to meet the following objectives:
Compare OSPF, IS-IS, and BGP
Describe OSPF area types
Describe IS-IS routing levels
Describe BGP


Lesson 2: NSX Logical Router


Slide 4-36

Lesson 2:
NSX Logical Router


Learner Objectives
Slide 4-37

By the end of this lesson, you should be able to meet the following
objectives:

Describe the role of the distributed logical router

Deploy a distributed logical router


Layer 3 Networking Overview
Slide 4-38

The network layer handles the following:
Selecting routes
Knowing the addresses of neighboring network nodes
Prioritizing traffic based on quality of service
Forwarding messages for local host domains to the transport layer

Slide figure labels: Router; Endpoint.

These tasks are performed by the router that allows the routing between different nodes without
broadcasting all traffic to all nodes.


Layer 3 Enables Larger Networks
Slide 4-39

Layer 3 routers can be linked to other routers and endpoints.
Inter-router links allow for much larger networks.

Slide figure labels: Series; Central.


In addition to being linked to endpoints in a local network, the router can be linked to other routers.
Nodes that are separated by distance communicate with each other without extending miles of
network cables. Placing a router at each group of endpoints and running a single line from router to
router is a practical solution. Routers can be chained in series, or connected by a central router.


Distributed Logical Router
Slide 4-40

The distributed routing capability in the NSX platform provides an optimized and scalable way of handling East-West traffic in a data center.
Overview
Routing between virtual networks without leaving virtual space
Layer 3 data plane distributed in hypervisor
Layer 3 control plane running in a virtual machine
Dynamic routing protocols for route discovery and advertisement
Simplified deployment using VMware NSX Manager UI or API
Scale & Performance
1000 Logical Interfaces per distributed logical router instance
1200 distributed logical router instances total
100 per VMware ESXi host
Line rate performance per hypervisor
Use Cases
Optimize routing and data path in virtual networks
Supports single tenant or multitenant deployment models

Routing between virtual networks, layer 3, is distributed in the hypervisor. The distributed logical
router optimizes the routing and data path, and supports single-tenant or multitenant deployments.
For example, consider a network that contains two VNIs that use the same IP addressing. Two different
distributed routers must be deployed, with one distributed router connecting to tenant A and one to
tenant B.


Hairpinning
Slide 4-41

The distributed logical router prevents hairpinning.

Slide figure, traffic flow without a distributed logical router (labels: Compute Rack 1, Edge/Management Rack, NSX Edge Gateway, VXLAN Transport Network, VTEP):
VM on green logical switch communicates with VM on red logical switch.
Frames are sent over the VXLAN transport network to the gateway IP of the green logical switch.
Packet is delivered to the gateway interface for routing.
After the routing decision, the frame is sent to the VM on the red logical switch.
Frame delivered to the destination VTEP.
Packet is delivered to the destination.

Without the distributed router, routing is done in one of the following ways:
A physical appliance is used. All traffic has to go to a physical appliance and come back
regardless of whether the virtual machines are on the same host.
Routing is performed on a virtual router such as the VMware NSX Edge gateway. This
method uses a virtual machine running on one of the hosts to act as the router.
If virtual machines running on a hypervisor are connected to different subnets, the communication
between these virtual machines has to go through a router. This nonoptimal traffic flow is sometimes
called hairpinning.
The example in the slide illustrates the traffic flow without the distributed logical router:
1. A virtual machine on the first VMware ESXi host wants to communicate with a virtual
machine on the same ESXi host. The two virtual machines are on separate subnets.
2. A frame is sent by the green virtual machine to the distributed switch. Because the virtual
machines are on different subnets, the host forwards the frame to the default gateway.
3. The frame is received by the ESXi host that is hosting the NSX Edge gateway.
4. The packet is delivered to the NSX Edge gateway for routing.



5. The NSX Edge gateway makes a routing decision and sends the packet back to the ESXi host,
which forwards the packet back to the red logical switch.
6. The ESXi host that is hosting the red virtual machine receives the packet and forwards the
frame to the red virtual machine.
7. The packet is delivered to the red virtual machine. If the red virtual machine responds, the
traffic flow is reversed.


Distributed Logical Router: Logical View
Slide 4-42

The distributed logical router kernel modules can route between physical and virtual subnets.

Slide figure labels: Logical Router Instance 1 (VXLAN): Web VM, App VM, VXLAN 5001; Router Instance 2 (VLAN): App VM, VLAN 10, VLAN 20.

The distributed logical router routes between VXLAN subnets. Two virtual machines might be on
the same host and the Web VM on VXLAN 5001 might want to communicate with the App VM on
VXLAN 5002. The distributed logical router routes traffic between the two virtual machines on the
same host.
The distributed logical router can also route between physical and virtual subnets.


Distributed Logical Router: Physical View
Slide 4-43

The distributed logical routers run at the kernel module level.

Slide figure labels: Physical; NSX Controller Cluster; VXLAN Transport and Management Network.

VMware NSX Manager configures and manages the routing service. During the configuration
process, NSX Manager deploys the logical router control virtual machine and pushes the logical
interface configurations to each host through the control cluster.
The logical router control virtual mach
ine is the control plane component of the routing process. The
logical router control virtual machine supports the OSPF and BGP protocols.
The logical router kernel module is configured as part of the preparation through NSX Manager. The
kernel modules are similar to line cards in a modular chassis supporting layer 3 routing. The kernel
modules have a routing information base that is pushed through the VMware NSX Controller
cluster. The kernel module performs all the data plane functions of route lookup and Address
Resolution Protocol (ARP) entry lookup.
The NSX Controller cluster is responsible for distributing routes learned from the logical router
control virtual machine across the hypervisors. Each control node in the cluster takes responsibility
for distributing the information for a particular distributed logical router instance. In a deployment
where multiple distributed logical router instances are deployed, the load is distributed across the
NSX Controller nodes.


Data Path: Host Components
Slide 4-44

The distributed logical router instance owns the logical interfaces (LIFs):
IP addresses are assigned on the LIFs.
Multiple LIFs can be configured on one distributed logical router instance.
The LIF configuration is distributed to every host.
An ARP table is maintained per LIF.
The virtual MAC (vMAC) is the MAC address of the LIF:
vMAC is the same across all the hosts and it is never seen by the physical network, only by virtual machines.
Virtual machines use the vMAC as their default gateway MAC address.
The physical MAC (pMAC) is the MAC address of the uplink through which traffic flows to the physical network:
For VLAN LIFs the pMAC is seen by the physical network.

The distributed logical router owns the logical interface (LIF). This concept is similar to interfaces
on a physical router. But on the distributed router, the interfaces are called LIFs. The LIF connects to
logical switches or distributed port groups. A distributed logical router can have a maximum of
1,000 LIFs. For each segment that the distributed logical router is connected to, the distributed
logical router has one ARP table.
The media access control (MAC) addresses in this environment are the virtual MAC (vMAC)
addresses and the physical MAC (pMAC) addresses. If a LIF connects to a logical switch, the
virtual machines use the MAC address associated with that LIF as their next hop for the default
gateway. When a virtual machine does an ARP request for its gateway, the MAC address it learns is
called a vMAC. A vMAC is never stored in the MAC table of a physical switch because
the vMAC address is internal to the VXLAN domain. Every host running the same
distributed logical router instance presents the same vMAC for each LIF to the virtual machines in
the logical switch.
If an interface on the distributed logical router connects to a distributed port group, the distributed
router might talk to a physical entity by using the source MAC address. So a physical switch sees
the pMAC and has the pMAC in the MAC table.

Module 4

NSX Routing

233

VLAN L1F
Slide 4-45

The distributed logical router supports distributed port groups that
are backed by VLAN:

First hop routing is handled on the host and traffic is switched to the
appropriate VLAN.

A designated instance is required per VLAN LIF.

A VLAN ID must be defined on the distributed port group:

VLAN ID of 0 is not supported.

VLAN LIFs can only span one distributed virtual switch.

The logical interface can be one of the following types:

VXLAN LIF: You connect the router to a logical switch.
VLAN LIF: You connect the router to a distributed port group that has one or more VLANs.
When the LIF is connected to a VLAN, the LIF has a pMAC and when the LIF is connected to a
VXLAN, the LIF has a vMAC. VLAN LIFs can only span one distributed switch because the
VLAN LIF is a port group and can only belong to one distributed switch. But a logical switch can be
configured in multiple distributed switches.


Designated Instance
Slide 4-46

The designated instance is the host responsible for resolving ARP on
a VLAN LIF:
One designated instance exists per VLAN LIF.
Any ARP request in the distributed port group is handled by the
designated instance.
VMware NSX Controller selects the designated instance:

NSX Controller pushes designated instance selection to all other hosts.

When the designated instance fails, NSX Controller does the
following:

Elects another host as the designated instance

Informs the remaining hosts about the new designated instance

The distributed logical router is connected to a port group that gives access to the physical network.
The physical network might not be able to determine which of the different hosts owns the MAC
address for that VLAN LIF at any point in time. To overcome this problem, each host has its own
pMAC address for the VLAN LIF, but only one host responds to ARP requests for the VLAN LIF.
The host that responds to the ARP requests for the VLAN LIF is called the designated instance, and
this host is chosen by NSX Controller. The designated instance also sends ARP requests on behalf
of all other hosts. All ingress traffic to the VLAN LIF is received by the designated instance. All
egress traffic from the VLAN LIF leaves the originating host directly without going through the
designated instance.


VXLAN L1F
Slide 4-47

The distributed logical router supports logical switches that are
backed by VXLAN:

First hop routing is handled on the host and traffic is switched to the
appropriate logical switch:
If the destination is at another host, the Ethernet frame is placed in a
VXLAN frame and forwarded.

A designated instance is not required.

Only one VXLAN LIF can connect to a logical switch:
The next hop router can be an NSX Edge services gateway.
VXLAN LIFs can span all distributed switches in the transport zone.
Distributed logical routers perform best with VXLAN LIFs.

If the VXLAN LIF connects to a VXLAN port group or logical switch, the LIF has a vMAC that is
used by all hosts. No designated instance exists because the vMAC is never visible in the physical
network.

You can have only one VXLAN LIF connecting to a logical switch. Only one distributed logical
router can be connected to a logical switch.
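The three slides above (LIF addressing, the VLAN LIF designated instance, and the VXLAN LIF) describe which MAC a host presents for a LIF and which host is allowed to answer ARP for it. The following model is an added example written for these notes, not VMware's implementation: the vMAC, the per-host pMACs, the host and LIF names are constructed, and the controller's election rule (lowest host name wins) stands in for the real one.

```python
"""Added illustration of LIF addressing on a distributed logical router (DLR).

Example code for these notes, not VMware's implementation. MAC addresses,
host names and LIF names are constructed; the election rule is an assumption.
"""
from dataclasses import dataclass, field

# Constructed: the vMAC every host presents on every VXLAN LIF.
VMAC = "02:50:56:56:44:52"


@dataclass
class LIF:
    name: str
    kind: str           # "vxlan" (logical switch) or "vlan" (distributed port group)
    ip: str             # gateway address assigned on the LIF
    vlan_id: int = 0    # VLAN LIFs only; a VLAN ID of 0 is not supported


@dataclass
class Host:
    name: str
    pmac: str                                   # constructed per-host uplink MAC
    arp: dict = field(default_factory=dict)     # one ARP table per LIF name


class DistributedLogicalRouter:
    """One DLR instance as it is replicated across every ESXi host."""

    def __init__(self, lifs, hosts):
        if len(lifs) > 1000:
            raise ValueError("a DLR instance supports at most 1,000 LIFs")
        self.lifs = {lif.name: lif for lif in lifs}
        self.hosts = {host.name: host for host in hosts}
        self.designated = {}    # VLAN LIF name -> host elected by NSX Controller
        for host in hosts:      # the LIF configuration is distributed to every host
            for lif in lifs:
                host.arp[lif.name] = {}
        for lif in lifs:
            if lif.kind == "vlan":
                if lif.vlan_id == 0:
                    raise ValueError(f"{lif.name}: VLAN ID 0 is not supported")
                self.elect_designated_instance(lif.name)

    def elect_designated_instance(self, lif_name):
        """Controller role: pick one live host and push the choice to all hosts."""
        winner = min(self.hosts)        # assumption: deterministic lowest-name rule
        self.designated[lif_name] = winner
        return winner

    def gateway_mac(self, lif_name, host_name):
        """MAC a host presents for a LIF: the shared vMAC on VXLAN, its own pMAC on VLAN."""
        if self.lifs[lif_name].kind == "vxlan":
            return VMAC
        return self.hosts[host_name].pmac

    def answer_arp(self, lif_name, host_name, target_ip):
        """ARP reply a host gives for a gateway IP, or None when that host stays silent."""
        lif = self.lifs[lif_name]
        if target_ip != lif.ip:
            return None
        if lif.kind == "vlan" and self.designated[lif_name] != host_name:
            return None     # on a VLAN LIF only the designated instance answers
        return self.gateway_mac(lif_name, host_name)

    def host_failed(self, host_name):
        """Re-elect for every VLAN LIF the failed host owned; return the changes."""
        del self.hosts[host_name]
        changed = {}
        for lif_name, owner in list(self.designated.items()):
            if owner == host_name:
                changed[lif_name] = self.elect_designated_instance(lif_name)
        return changed


def build_example():
    """Two hosts, one VXLAN LIF (web tier) and one VLAN LIF (uplink to VLAN 100)."""
    lifs = [LIF("web", "vxlan", "172.16.10.1"),
            LIF("uplink", "vlan", "192.168.10.1", vlan_id=100)]
    hosts = [Host("esx1", "00:50:56:aa:00:01"), Host("esx2", "00:50:56:aa:00:02")]
    return DistributedLogicalRouter(lifs, hosts)


if __name__ == "__main__":
    dlr = build_example()
    for host in ("esx1", "esx2"):
        print(host, "web:", dlr.answer_arp("web", host, "172.16.10.1"),
              "uplink:", dlr.answer_arp("uplink", host, "192.168.10.1"))
    print("after esx1 fails:", dlr.host_failed("esx1"))
```

Both hosts answer for the VXLAN LIF with the same vMAC, only the elected host answers for the VLAN LIF with its own pMAC, and when that host is removed the election moves and the surviving host starts answering with a different pMAC, which is exactly why the physical switch must not be allowed to learn more than one owner at a time.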


Control Plane: Components


Slide 4-48

Distributed logical router control plane is provided by a per instance
logical router control virtual machine and NSX Controller.
Supports dynamic routing protocols:

OSPF

BGP

High availability supported through active-standby configuration.

Logical router control virtual machine communicates with NSX Manager and NSX
Controller cluster:

NSX Manager sends LIF information to the
control virtual machine and NSX Controller
cluster.

Control virtual machine sends routing
updates to the controller cluster.

When a distributed logical router is deployed, the logical router control virtual machine is also
deployed. The logical router control virtual machine handles all control plane communications for
the distributed logical router. To enable high availability, deploy two logical router control virtual
machines and designate one as active and one as passive. If the active logical router control virtual
machine fails, the passive logical router control virtual machine takes 15 seconds to take over.
Because the control virtual machine is not in the data plane, data plane traffic is not affected.
Controlling high availability results in the addition or removal of additional logical router control
virtual machines. When high availability is enabled, NSX Manager enables the VMware vCenter
Server system to deploy another logical router control virtual machine. The logical router control
virtual machine handles the OSPF and BGP protocols. So without a passive logical router control
virtual machine, you might lose neighbor adjacencies if the active logical router control virtual
machine has a problem.


Logical Router Control Virtual Machine


Slide 4-49

The logical router control virtual machine is a control plane
component:
The logical router control virtual machine does not perform any routing.

Routing is performed by the distributed logical router in the data plane.

The firewall on the distributed logical router only secures the control
virtual machine.

[Diagram: the NSX Logical Router Control VM sits in the control plane and does not sit in the data path; it runs the control plane protocol and provides OSPF route updates to other routers (peering). The data plane, where the routing takes place, consists of the NSX Virtual Switch, NSX Edge, Distributed Firewall, VXLAN, and the hypervisor kernel modules on ESXi.]

The logical router control virtual machine is a control plane component and does not perform any
routing. The routing is performed in the data plane by the distributed logical router.
The logical router control virtual machine's function is to establish routing protocol sessions with
other routers. An IP address called the Protocol Address is assigned to the logical router control
virtual machine. This address is used to form adjacencies with peers.
The firewall installed on the distributed router does not do East-West traffic filtering. The firewall is
strictly present to protect the logical router control virtual machine.


Management, Control, and Data Communication


Slide 4-50

To support OSPF, the logical router control virtual machine must
have a connection in the same segment as the LIF of the distributed router.

[Diagram: NSX Manager, the Logical Router Control VM, an NSX Edge toward the external network, and the distributed logical router on ESXi hosts, with addresses 192.168.10.1, 192.168.10.2, 172.16.10.1 and 172.16.20.1, and a DB virtual machine at 172.16.20.10. Callouts:]

Dynamic routing protocol is configured on the logical router instance.

OSPF or BGP peering is established between the NSX Edge and logical router control virtual
machine. The protocol address is used for control communication.

NSX Controller pushes new logical router configuration including LIFs to ESXi hosts.

Learned routes are pushed to the NSX Controller cluster for distribution.

Routing kernel modules on hosts handle the data path traffic.

To support OSPF, the logical router control virtual machine must have a connection in the same
segment as the LIF of the distributed router. OSPF configuration requires the following IP addresses:
An IP address for the uplink LIF on the distributed router for data plane communications.
An IP address used exclusively for control conversations to the logical router control virtual
machine. This IP address is used by the control virtual machine to form OSPF neighbor
adjacencies and update the routing table. The control virtual machine also runs BGP across this
IP address.

These machines do appear as virtual machines in the vCenter Server system inventory. These
machines should only be manipulated from the Network and Security view of the VMware
vSphere Web Client, and never from VMs and Templates or other views.


Deployment Models: One Tier


Slide 4-51

One tier of routing:

Distributed for East-West

Designated instance for North-South

Dynamic routing to advertise logical networks

[Diagram: external networks reached by OSPF or BGP over a VLAN uplink or a VXLAN uplink of the distributed logical router, with Web, App and DB logical switches attached.]

The diagram shows a distributed logical router connected to multiple logical switches. These
switches can be VXLANs. An uplink can be added and converted to a VLAN uplink by connecting
the uplink to a port group. After the uplink is connected, a designated instance is chosen and
connected to the physical network.

You can put an NSX Edge instance between the physical network and the logical router. VMware
recommends this design. If you are deploying an NSX Edge instance, do not use a VLAN LIF. Use
a VXLAN LIF. Use a VLAN LIF only if you must go directly outside. If you use VXLAN with the
edge, no designated instance exists and every router can directly forward traffic.


Deployment Models: Two Tier


Slide 4-52

Two tiers of routing:

Distributed for East-West

Perimeter for North-South

Dynamic routing to advertise logical networks

[Diagram: external networks peer with a perimeter NSX Edge by dynamic routing (OSPF, IS-IS, BGP); the perimeter NSX Edge peers with the distributed logical routers over transit uplinks (Transit Uplink1 to Transit Uplink3) by dynamic routing (OSPF, BGP).]

The topology needs firewalling at the perimeter to restrict access between the distributed routers. On
each distributed router, firewall rules only allow traffic between certain devices and selected traffic
on the outside.

The topology can easily be converted to a multitenancy configuration by inserting an NSX Edge
instance above each of the three logical routers. The original NSX Edge instance becomes the
perimeter NSX Edge instance that is shared by the three NSX Edge instances. The NSX Edge
instances allow each tenant their own configuration. Often, the NAT device also belongs to the
tenant.


Distributed Router Traffic Flow: Same Host


Slide 4-53

[Diagram: Host 1 and Host 2 on a VXLAN transport network. The frame from VM1 carries DA: vMAC / SA: MAC1 and DA: 192.168.10.10 / SA: 192.168.20.10. The distributed router has two internal LIFs, LIF1: 192.168.20.1 and LIF2: 192.168.10.1, and a Logical Router Control VM. Routing table on the host:]

Network        Netmask          Next Hop   Type
192.168.10.0   255.255.255.0    0.0.0.0    Direct
192.168.20.0   255.255.255.0    0.0.0.0    Direct

The diagram is a packet walk through the network:

1. Virtual machine 1 (VM1) on VXLAN 5001 attempts to communicate with virtual machine 2
(VM2) on VXLAN 5002.
2. VM1 sends a frame with the layer 3 IP on the payload to its default gateway. The default
gateway uses the destination IP address to determine that it is directly connected to that subnet.
3. The default gateway checks its ARP table and sees the correct MAC address for that
destination.
4. VM2 is running on the same host. The default gateway passes the frame to VM2.


Distributed Router Traffic Flow: Different Host


Slide 4-54

[Diagram: Host 1 and Host 2 across the VXLAN transport network; frame labels DA: MAC2 / SA: vMAC and DA: MAC2 / SA: pMAC1.]

In the example, virtual machine 1 (VM1) on VXLAN 5001 attempts communication to virtual
machine 2 (VM2) on VXLAN 5002:
1. VM2 is on a different subnet. So VM1 sends the frame to the default gateway.

2. The default gateway sends the traffic to the router and the router determines that the destination
IP address is on a directly connected interface.
3. The router checks its ARP table to obtain the MAC address of the destination virtual machine.
But the MAC address is not listed. The router sends the frame to the logical switch for VXLAN
5002.
4. The source and destination MAC addresses on the internal frame are changed. So the
destination MAC address is the address for VM2 and the source MAC address is the vMAC of the
LIF for that subnet. The logical switch in the source host determines that the destination is on
host number 2.

5. The logical switch puts the Ethernet frame in a VXLAN frame and sends the frame to host 2.
6. Host 2 takes out the layer 2 frame, looks at the destination MAC address, and delivers it to the
destination virtual machine.
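The two packet walks above (same host and different host) differ only in the last step: after the route lookup and the MAC rewrite, the host either hands the frame to the local VM or wraps it in a VXLAN frame for the remote VTEP. The following is an added example written for these notes, not VMware's forwarding code. The LIF addresses 192.168.20.1 and 192.168.10.1 follow the slide; the VNIs 5001 and 5002, the VM MACs, the vMAC and the VTEP addresses are constructed, and the ARP tables are pre-populated as if resolution had already completed.

```python
"""Added packet walk through a distributed logical router (DLR).

Example code for these notes, not VMware's implementation. VNIs, VM MACs,
the vMAC and the VTEP addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass

VMAC = "02:50:56:56:44:52"    # constructed vMAC shared by all DLR LIFs


@dataclass(frozen=True)
class LIF:
    name: str
    ip: str
    prefix_len: int
    vni: int


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    mac: str
    vni: int
    host: str


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    dst_ip: str
    src_ip: str


class HostDLR:
    """The copy of the DLR running in one host's kernel."""

    def __init__(self, host, lifs, vms, vteps):
        self.host = host
        self.vteps = vteps            # host name -> VTEP IP (constructed)
        # Every LIF subnet is a directly connected route ("Direct" on the slide).
        self.routes = [(ipaddress.ip_network(f"{l.ip}/{l.prefix_len}", strict=False), l)
                       for l in lifs]
        # One ARP table per LIF, pre-populated for the walk.
        self.arp = {l.name: {vm.ip: vm.mac for vm in vms if vm.vni == l.vni} for l in lifs}
        # Logical switch view: which host (VTEP) holds each VM MAC.
        self.location = {vm.mac: vm.host for vm in vms}

    def route(self, dst_ip):
        for net, lif in self.routes:
            if ipaddress.ip_address(dst_ip) in net:
                return lif
        raise LookupError(f"no route to {dst_ip}")

    def forward(self, frame):
        """Return what the host does with a frame sent to the gateway vMAC."""
        if frame.dst_mac != VMAC:
            raise ValueError("frame is not addressed to the default gateway")
        lif = self.route(frame.dst_ip)
        dst_mac = self.arp[lif.name].get(frame.dst_ip)
        if dst_mac is None:
            return {"action": "arp-request", "lif": lif.name, "vni": lif.vni}
        # Step 4 of the walk: rewrite the inner frame; the source becomes the LIF vMAC.
        inner = Frame(dst_mac, VMAC, frame.dst_ip, frame.src_ip)
        if self.location[dst_mac] == self.host:
            return {"action": "deliver-local", "vni": lif.vni, "frame": inner}
        # Steps 5 and 6: encapsulate in VXLAN and send to the remote VTEP.
        return {"action": "vxlan-encap", "vni": lif.vni, "frame": inner,
                "outer_src": self.vteps[self.host],
                "outer_dst": self.vteps[self.location[dst_mac]]}


LIFS = [LIF("LIF1", "192.168.20.1", 24, 5001), LIF("LIF2", "192.168.10.1", 24, 5002)]
VTEPS = {"host1": "10.20.0.11", "host2": "10.20.0.12"}
VM1 = VM("VM1", "192.168.20.10", "00:50:56:01:00:01", 5001, "host1")
VM1_FRAME = Frame(VMAC, VM1.mac, "192.168.10.10", VM1.ip)   # VM1 -> VM2 via the gateway


def same_host_walk():
    """Slide 4-53: VM2 lives on host1, so the frame is delivered locally."""
    vm2 = VM("VM2", "192.168.10.10", "00:50:56:02:00:02", 5002, "host1")
    return HostDLR("host1", LIFS, [VM1, vm2], VTEPS).forward(VM1_FRAME)


def different_host_walk():
    """Slide 4-54: VM2 lives on host2, so the frame is VXLAN-encapsulated."""
    vm2 = VM("VM2", "192.168.10.10", "00:50:56:02:00:02", 5002, "host2")
    return HostDLR("host1", LIFS, [VM1, vm2], VTEPS).forward(VM1_FRAME)


if __name__ == "__main__":
    print(same_host_walk())
    print(different_host_walk())
```

In both walks the inner frame leaves the router with VM2's MAC as destination and the vMAC as source; only the different-host case adds the outer VXLAN header, carrying VNI 5002 and the source and destination VTEP addresses.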


Lab 5: Introduction (1)


Slide 4-55

Add an NSX Edge as a distributed router virtual machine.

[Screenshot: New NSX Edge wizard (steps including Name and description, CLI credentials, Configure deployment, Configure interfaces, and Ready to complete). The install type offers Edge Services Gateway and Logical (Distributed) Router, with Logical (Distributed) Router selected; fields: Name, Hostname, Description, Tenant, Enable High Availability.]


Lab 5: Introduction (2)


Slide 4-56

Entering interface addresses.

[Screenshot: the Add NSX Edge Interface dialog (vNIC#, Name, Type: Internal or Uplink, Connected To, Connectivity Status: Connected or Disconnected, Configure Subnets, MAC Addresses, Options, Fence Parameter) and the Add Subnet dialog (Specify the IP addresses in the subnet: Primary IP, IP Address, Subnet prefix length). Callouts: enter the IP address; confirm the IP address.]


Lab 5: Introduction (3)


Slide 4-57

The Transit-Interface must be configured with a prefix length of 29.

[Screenshot: Add Subnet dialog, Specify the IP addresses in the subnet: Primary IP, IP Address, Subnet prefix length.]

If this setting is missed, the OSPF lab fails because OSPF does not
see the two edges on the same transit network.
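The failure mode described above can be checked before the adjacency is expected to form: both transit interfaces must compute the same network, and OSPF on a broadcast segment also requires the same mask on both sides. The following check is an added example for these notes, not VMware code; the transit addresses it uses are constructed.

```python
"""Added check for the transit-network prerequisite of an OSPF adjacency.

Example code for these notes, not VMware's; the addresses are constructed.
"""
import ipaddress


def transit_problems(addr_a, prefix_a, addr_b, prefix_b):
    """Return the reasons two OSPF interfaces would not see each other (empty = OK).

    A /24 on one edge and a /29 on the other is rejected even though the two
    addresses are numerically close: the masks differ and so do the networks.
    """
    a = ipaddress.ip_interface(f"{addr_a}/{prefix_a}")
    b = ipaddress.ip_interface(f"{addr_b}/{prefix_b}")
    problems = []
    if a.ip == b.ip:
        problems.append(f"duplicate address {a.ip}")
    if prefix_a != prefix_b:
        problems.append(f"prefix length mismatch: /{prefix_a} vs /{prefix_b}")
    if a.network != b.network:
        problems.append(f"different networks: {a.network} vs {b.network}")
    return problems


if __name__ == "__main__":
    # Constructed transit addresses for the perimeter edge and the distributed router.
    print(transit_problems("192.168.100.1", 29, "192.168.100.2", 29))   # []
    print(transit_problems("192.168.100.1", 24, "192.168.100.2", 29))   # two problems
```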


Lab 5: Introduction (4)


Slide 4-58

Verifying the NSX Edge deployment.

[Screenshot: NSX Controller CLI session on nvp-controller showing output for VNI 5001 with Controller and VTEP columns.]

The initial arp -n command may return a blank table.


Lab 5: Configuring and Deploying an NSX Distributed Router


Slide 4-59

Configure East-West routing by deploying a distributed logical router:

1. Prepare for the Lab
2. Configure and Deploy an NSX Distributed Logical Router
3. Verify the Distributed Router Deployment and Configuration
4. Test Connectivity
5. Use NSX Controller CLI Commands to Verify the Distributed Router Deployment
6. Clean Up for the Next Lab


Concept Summary
Slide 4-60

A review of terms used in this lesson:

What is a virtualized router implemented by NSX modules installed in each ESXi host kernel called? Logical distributed router

What is sending communications through part of the same path already taken when forwarding it to a destination called? Hairpinning

What is an uplink owned by a logical router that connects to VLAN port groups called? VLAN LIF

What is an uplink owned by a logical router that can span all virtual distributed switches in the transport zone called? VXLAN LIF


Review of Learner Objectives


Slide 4-61

You should be able to meet the following objectives:


Describe the role of the distributed logical router

Deploy a distributed logical router

Lesson 3: Layer 2 Bridging


Slide 4-62


Learner Objectives
Slide 4-63

By the end of this lesson, you should be able to meet the following
objectives:

Describe layer 2 bridging between VXLANs and VLANs

Describe the traffic flow between VXLAN and VLAN

Configure layer 2 bridging


VXLAN to VLAN Layer 2 Bridging


Slide 4-64

A VXLAN to VLAN bridge enables direct Ethernet connectivity
between virtual machines in a logical switch, and virtual machines in
a distributed port group:
This connectivity is called layer 2 bridging.
The Ethernet connectivity can also be extended to physical devices by
assigning an uplink to the distributed port group.

[Diagram: a distributed router on an ESXi host, acting as the designated instance, bridges a VXLAN logical switch to a VLAN distributed port group.]

You create a layer 2 bridge between a logical switch and a VLAN, which enables you to migrate
virtual workloads to physical devices with no effect on IP addresses. A logical network can leverage
a physical gateway and access existing physical network and security resources by bridging the
logical switch broadcast domain to the VLAN broadcast domain.


Use Cases
Slide 4-65

Sometimes you must enable virtual machines on logical switches to
have direct layer 2 access to the physical network:

During physical to virtual (P2V) migrations where changing IP
addresses is not an option

Extend virtual services in the logical switch to external devices

Extend physical network services to virtual machines in logical switches

Access existing physical network and security resources

Layer 2 bridging is not intended for use in the following cases:
VXLAN to VXLAN connectivity
VLAN to VLAN connectivity
Data center interconnect

Bridging can also be used in a migration strategy where you might be using P2V and you do not
want to change subnets.
VXLAN to VXLAN bridging or VLAN to VLAN bridging is not supported. Bridging between
different data centers is also not supported. All participants of the VLAN and VXLAN bridge must
be in the same data center.


Layer 2 Bridging Details


Slide 4-66

Distributed router is required to configure bridging:

Multiple bridges are supported per distributed router.

Bridge instance runs on the host where the logical router
control virtual machine is active.

Layer 2 bridging data path is entirely in the VMkernel:
A special dvPort type called a sink port is used to steer packets to the
bridge.

You cannot enable both distributed routing and bridging on a
logical switch at present.

The layer 2 bridge runs on the host that has the NSX Edge logical router virtual machine. The layer
2 bridging path is entirely in the VMkernel. The sink port connects to the distributed port group
from the VMkernel on the distributed router. The sink port steers all traffic related to bridging on to
the switch. You cannot have routing enabled on those interfaces that you connect to the distributed
router.
The distributed router that performs the bridging cannot perform routing on that logical switch. The
virtual machines on that switch cannot use the distributed router as their default gateway. Because
logical switches cannot be connected to more than one distributed router, those virtual machines
must have a default gateway. The default gateway must be either externally in the physical network
or in an appliance, such as the NSX Edge gateway. The NSX Edge gateway must be connected to
the logical switch on the port group.


Bridge Instance
Slide 4-67

The host where the logical router control virtual machine runs is
selected as the designated instance to perform the VXLAN to VLAN
bridging function:

The bridge instance sends a copy of learned MAC address table entries
to the NSX Controller.

If the bridge instance fails, the control virtual machine pushes a copy of
the MAC address table to the new designated instance.

If every host is allowed to go directly to the physical network with the broadcast traffic, the network
might be overwhelmed. So one of the hosts is chosen as a bridge instance. NSX Controller chooses
a host to be the bridge instance. The bridge instance is usually the host that is running the logical
router controller.
If the bridge instance fails, the NSX Controller instance pushes a copy of the media access control
(MAC) address table to the new bridge instance to keep it synchronized.


Bridge Instance Failure


Slide 4-68
[Diagram: an active logical router control virtual machine and a standby logical router control virtual machine on different hosts; VXLAN 5001 is bridged to a physical workload and a physical router. The bridge runs on the host with the logical router control virtual machine; multiple bridges are supported per logical router.]

In the example, a logical distributed router controller has failed and NSX HA is enabled. When the
bridge instance fails, the bridge instance is moved to the new active host and gets the physical MAC
addresses that were on the failed bridge instance. You can have multiple bridges on the same logical
router.


Layer 2 Bridging: Flow Overview


Slide 4-69

Traffic flow from the VXLAN to the VLAN through the bridge instance.

[Diagram: VM1, VM2 and VM3 on VXLAN SW01 (VNI 5001) across VTEP 1 and VTEP 2; an ARP request for 192.168.100.4 travels through the bridge instance to a physical host at 192.168.100.4 on VLAN 100.]

In the example, VM2 wants to communicate with a physical host on VLAN 100. ESXi host number
3 is the bridge instance.


Design Considerations
Slide 4-70

Multiple bridge instances versus separate distributed routers:

Bridge instances are limited to the throughput of a single ESXi host.

Interoperability:

VLAN and VXLAN logical switch are on the same distributed switch.

Bridging a VLAN ID of 0 is not supported.

Scalability targets:

Line rate throughput.

Latency and CPU usage comparable with standard VXLAN.

Loop prevention:

Only one bridge active per VXLAN-VLAN.

Detect and filter if the same packet is received through a different uplink
by matching MAC address.

A bridge instance is assigned to the ESXi host that runs the logical distributed controller. If you have
to use multiple bridges, consider using multiple distributed routers so that the bridge instances can
be spread out among the different ESXi hosts to get greater throughput.
The VLAN-VXLAN logical switch must be on the same distributed switch. The port group that you
are bridging must have a VLAN number associated with it.
You must consider the throughput that goes through the designated instance and also the latency.
Because all the bridge traffic is hairpinned to the bridge instance, you should only have one bridge
from VXLAN to VLAN to avoid loops.
Detect and filter is a function of the bridge instance to ensure that duplicate packets are not coming
through.


ARP Request from VXLAN


Slide 4-71

[Diagram: VM1 (MAC1) on the VXLAN sends an ARP request that the bridge instance forwards to the layer 2 network through its port.]

The example is a packet walk of an Address Resolution Protocol (ARP) request from a virtual
machine to a physical host on the network. In the example, the virtual machine on this VXLAN
segment attempts to contact this physical host for the first time:
1. The ARP request from VM1 comes to the ESXi host with the IP address of a host on the
physical network.
2. The ESXi host does not know the destination MAC address. So the ESXi host contacts NSX
Controller to find the destination MAC address.
3. The NSX Controller instance is unaware of the MAC address. So the ESXi host sends a
broadcast to the VXLAN segment 5001.
4. All ESXi hosts on the VXLAN segment receive the broadcast and forward it up to their virtual
machines.
5. VM2 receives the request because it is a broadcast and disregards the frame and drops it.
6. The designated instance receives the broadcast.
7. The designated instance forwards the broadcast to VLAN 100 on the physical network.
8. The physical switch receives the broadcast on VLAN 100 and forwards it out to all ports on
VLAN 100.
The physical server receives the broadcast and determines whether the frame belongs to it.


ARP Response from the VLAN


Slide 4-72

[Diagram: the physical host (MAC3, IP3) sends the ARP response with destination MAC1; on the physical switch MAC1 is on Port 1 and MAC3 on Port 2.]

The slide shows an example of the response from the physical host back to the virtual machine:
1. The physical host creates an ARP response for the machine. The source MAC address is the
physical host's MAC and the destination MAC is the virtual machine's MAC address.
2. The physical host puts the frame on the wire.
3. The physical switch sends the packet out of the port where the ARP request originated.
4. The frame is received by the bridge instance.
5. The bridge instance examines the MAC address table, sends the packet to the VNI that contains
the virtual machine's MAC address, and sends the frame. The bridge instance also stores the
MAC address of the physical server in the MAC address table.
6. The ESXi host receives the frame and stores the MAC address of the physical server in its own
local MAC address table.
The virtual machine receives the frame.


Unicast Traffic
Slide 4-73

[Diagram: unicast frame from the virtual machine on VNI 5001 to the physical host (MAC3, IP3) with destination MAC3; on the physical switch MAC1 is on Port 1 and MAC3 on Port 2.]

The example shows the traffic flow from the virtual machine to the physical server after the initial
ARP request is resolved:
1. The virtual machine sends a packet destined for the physical server.
2. The ESXi host locates the destination MAC address in its MAC address table.
3. The ESXi host sends the traffic to the bridge instance.
4. The bridge instance receives the packet and locates the destination MAC address.
5. The bridge instance forwards the packet to the physical network.
6. The switch on the physical server receives the traffic and forwards the traffic to the physical
host.
The physical host receives the traffic.


ARP Request from VLAN


Slide 4-74

[Diagram: ARP request from the physical host (MAC3) on the layer 2 network toward the VXLAN.]

The slide shows an example of an ARP request from a physical host on a VLAN to a virtual
machine on VXLAN:
1. An ARP request is received from the physical server on the VLAN that is destined for a virtual
machine on the VXLAN through broadcast.
2. The frame is sent to the physical switch where it is forwarded to all ports on VLAN 100.
3. The ESXi host receives the frame and passes it up to the bridge instance.
4. The bridge instance receives the frame and looks up the destination IP address in its MAC
address table.
5. Because the bridge instance does not know the destination MAC address, it sends a broadcast
on VXLAN 5001 to resolve the MAC address.
6. All ESXi hosts on the VXLAN receive the broadcast and forward the frame to their virtual
machines.
VM2 drops the frame, but VM1 sends an ARP response.
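The four packet walks above (ARP request from VXLAN, ARP response from the VLAN, unicast traffic, ARP request from VLAN), together with the Bridge Instance and Design Considerations slides, all describe one bridge instance learning MACs per side, flooding what it does not know, dropping duplicates, and handing its table to the controller for failover. The following model is an added example for these notes, not VMware's bridge code. The MAC labels (MAC1, MAC3) follow the slides; the frame identifier used for duplicate detection, the controller's table copy and the host names are constructed stand-ins.

```python
"""Added model of an NSX layer 2 bridge instance: MAC learning, the ARP and
unicast flows, loop prevention and failover.

Example code for these notes, not VMware's implementation. The frame id used
for duplicate detection and the controller's table copy are assumptions.
"""
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Controller:
    """Keeps the copy of each bridge's learned MAC table that is pushed on failover."""

    def __init__(self):
        self.mac_tables = {}

    def publish(self, bridge_id, table):
        self.mac_tables[bridge_id] = dict(table)


class BridgeInstance:
    """VXLAN <-> VLAN bridge on the host of the active logical router control VM."""

    def __init__(self, bridge_id, vni, vlan_id, controller, host, mac_table=None):
        if vlan_id == 0:
            raise ValueError("bridging a VLAN ID of 0 is not supported")
        self.bridge_id, self.vni, self.vlan_id = bridge_id, vni, vlan_id
        self.controller, self.host = controller, host
        self.mac_table = dict(mac_table or {})    # MAC -> "vxlan" or "vlan"
        self.seen = set()                         # (src MAC, frame id) already bridged
        self.dropped = 0

    def _learn(self, mac, side):
        if self.mac_table.get(mac) != side:
            self.mac_table[mac] = side
            self.controller.publish(self.bridge_id, self.mac_table)

    def receive(self, side, src_mac, dst_mac, frame_id):
        """Bridge one frame; return (decision, destination side)."""
        if (src_mac, frame_id) in self.seen:
            self.dropped += 1           # same packet came back through the other uplink
            return ("drop", None)
        self.seen.add((src_mac, frame_id))
        self._learn(src_mac, side)
        other = "vlan" if side == "vxlan" else "vxlan"
        known = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or known is None:
            return ("flood", other)     # broadcast or unknown: send across the bridge
        if known == side:
            return ("drop", None)       # destination is local to this side, nothing to bridge
        return ("forward", other)


def failover(old, new_host):
    """Bridge moves with the control VM; the controller's MAC table copy seeds it."""
    table = old.controller.mac_tables.get(old.bridge_id, {})
    return BridgeInstance(old.bridge_id, old.vni, old.vlan_id, old.controller, new_host, table)


def demo_flow():
    """ARP request from VXLAN, response from VLAN, unicast, then a looped copy."""
    ctrl = Controller()
    bridge = BridgeInstance("br1", 5001, 100, ctrl, "esx3")
    steps = [
        bridge.receive("vxlan", "MAC1", BROADCAST, 1),   # VM1 ARPs for the physical host
        bridge.receive("vlan", "MAC3", "MAC1", 2),       # physical host answers
        bridge.receive("vxlan", "MAC1", "MAC3", 3),      # unicast VM1 -> physical host
        bridge.receive("vlan", "MAC1", BROADCAST, 1),    # the ARP broadcast looped back
    ]
    return steps, bridge, ctrl


if __name__ == "__main__":
    steps, bridge, ctrl = demo_flow()
    print(steps, bridge.mac_table, bridge.dropped)
    print(failover(bridge, "esx4").mac_table)
```

The looped copy is dropped before it is learned, so a frame returning through the other uplink cannot move MAC1 to the wrong side of the table; the new instance created by `failover` starts with the controller's copy, which is what lets the physical MACs survive the move described on the Bridge Instance Failure slide.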


Concept Summary
Slide 4-75

A review of terms used in this lesson:


Which action connects a VLAN and a VXLAN network as the same logical network? Bridging


Learner Objectives
Slide 4-76

By the end of this lesson, you should be able to meet the following
objectives:

Describe layer 2 bridging between VXLANs and VLANs

Describe the traffic flow between VXLAN and VLAN

Configure layer 2 bridging


Lesson 4: NSX Edge Services Gateway


Slide 4-77


Learner Objectives
Slide 4-78

By the end of this lesson, you should be able to meet the following
objectives:

Deploy NSX Edge gateway

Deploy OSPF on NSX Edge


NSX Edge Gateway


Slide 4-79

The NSX Edge gateway connects isolated stub networks to shared
(uplink) networks.

[Diagram: NSX Manager, the NSX Edge Services Gateway and the logical router control VM, with the NSX Edge connecting the logical networks to the physical network.]

NSX Edge supports OSPF, an IGP that routes IP packets only in a single routing domain. NSX Edge
gathers link state information from available routers and constructs a topology map of the network.
The topology determines the routing table presented to the Internet layer, which makes routing
decisions based on the destination IP address found in IP packets.


Integrated Network Services


Slide 4-80

NSX Edge provides common gateway services such as DHCP, VPN,
NAT, dynamic routing, and load balancing.

Firewall
Load balancer
VPN
Routing and NAT
DHCP and DNS relay

Overview
Integrated L3 to L7 services
Virtual appliance model to provide rapid deployment and scale-out
Benefits
Real-time service instantiation
Support for dynamic service differentiation per tenant or application
Uses x86 compute capacity

Several perimeter services are available for the NSX Edge gateway. These services are not
embedded in the distributed router. NSX Edge gateway is a virtual machine that has one interface
connected to the virtual machine segment through logical switches or distributed and standard port
groups.

These services are meant to work in environments where a third-party solution might not exist.
Sometimes a third-party solution might be more effective than NSX Edge service because that
solution is a dedicated device and not a multipurpose device like NSX Edge. All of these services
can be disabled to allow a third-party solution to be deployed.
In a multitenancy environment, NSX Edge for NAT might exist if duplicate IP segments exist.
270

VMware NSX: Install , Configure, Manage

NSX Edge Services Gateway Sizing


Slide 4-81

NSX Edge can be deployed in four different configurations:

Size         vCPU   vRAM      Suitable for
Compact      1      512 MB
Large        2      1024 MB
Quad-Large   4      1024 MB   High performance firewall and routing
X-Large      6      8192 MB   High performance layer 7 load balancer

When NSX Edge gateway is deployed, the wizard asks for the desired size. If a gateway with the
wrong size is deployed, the gateway can be replaced with minimal effort by deploying a new NSX
Edge gateway. The existing NSX Edge gateway is removed and an NSX Edge gateway with the
desired size is created. The configuration from the old NSX Edge gateway is applied by NSX
Manager to the new NSX Edge gateway. The name of the new NSX Edge gateway instance is
different.

A service interruption might occur when the old NSX Edge gateway instance is removed and the
new NSX Edge gateway instance is redeployed.


Features Summary
Slide 4-82

NSX Edge Gateway Services:

Firewall: 5-tuple rule configuration with IP addresses, port ranges, and grouping objects.
Network Address Translation: source and destination NAT capabilities.
DHCP: configuration of IP pools, gateways, DNS servers, and search domains.
Routing: static and dynamic routing protocol support (OSPF, BGP, IS-IS).
Load Balancing: configure virtual servers and backend pools using IP addresses or vCenter objects.
Site-to-Site VPN: IPsec site-to-site VPN between two NSX Edge instances or other vendor VPN terminators.
SSL VPN: allow remote users to access the internal networks behind the NSX Edge gateway.
L2VPN: stretch your layer 2 across data centers.
High Availability: active-standby HA capability that works with VMware vSphere High Availability.
DNS/Syslog: allow configuring DNS relay and remote syslog servers.

Traditional firewalls apply a set of rules whose criteria are the source IP
address and port, the destination IP address and port, and the protocol (the 5-tuple). Advanced third-party firewalls add
a few options. In addition to the traditional criteria, the NSX firewalls, that is, the NSX Edge firewall and the
Distributed Firewall, can match on vSphere criteria: resource pools, clusters, networks, and other
inventory metadata from the vCenter Server system. Because object-based rules are ultimately enforced on IP addresses,
a rule that references a vCenter object covers only the virtual machines whose addresses NSX Manager has resolved for that object.
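The following is an added example, not VMware code, of how a rule set that mixes classic 5-tuple criteria with vCenter inventory objects is evaluated. The INVENTORY dictionary stands in for the object-to-address resolution that NSX Manager performs; its object names, the 10.1.x.x and 192.168.110.0/24 addresses, and the rule names are constructed for this example. The unresolved object (vm:db-02) shows the failure mode described above: the rule exists, but nothing matches it until the object resolves to an address.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not VMware's code. INVENTORY stands in for the object-to-IP
# resolution NSX Manager performs; all names and addresses are constructed.
INVENTORY = {
    "cluster:Web": ["10.1.1.11", "10.1.1.12"],
    "vm:db-01": ["10.1.2.5"],
    "vm:db-02": [],  # object whose address NSX Manager has not learned yet
}


@dataclass(frozen=True)
class Rule:
    name: str
    src: str          # "any", an IP/prefix block, or an inventory object name
    dst: str
    proto: str        # "tcp", "udp", "icmp" or "any"
    sports: tuple     # () means any port; otherwise (low, high) ranges
    dports: tuple
    action: str       # "allow" or "block"


def resolve(spec: str):
    """Expand a rule endpoint into the networks it covers right now."""
    if spec == "any":
        return [ipaddress.ip_network("0.0.0.0/0")]
    if spec in INVENTORY:
        return [ipaddress.ip_network(ip) for ip in INVENTORY[spec]]
    return [ipaddress.ip_network(spec, strict=False)]


def in_ranges(ranges, port) -> bool:
    return not ranges or any(lo <= port <= hi for lo, hi in ranges)


def matches(rule: Rule, flow) -> bool:
    """flow is (src ip, src port, dst ip, dst port, protocol)."""
    src, sport, dst, dport, proto = flow
    if rule.proto not in ("any", proto):
        return False
    if not any(ipaddress.ip_address(src) in n for n in resolve(rule.src)):
        return False
    if not any(ipaddress.ip_address(dst) in n for n in resolve(rule.dst)):
        return False
    return in_ranges(rule.sports, sport) and in_ranges(rule.dports, dport)


def evaluate(rules, flow, default_action="block"):
    """Top-down, first match wins; the default rule sits at the bottom."""
    for r in rules:
        if matches(r, flow):
            return r.action, r.name
    return default_action, "default"


RULES = [
    Rule("web-to-db", "cluster:Web", "vm:db-01", "tcp", (), ((3306, 3306),), "allow"),
    Rule("web-to-db2", "cluster:Web", "vm:db-02", "tcp", (), ((3306, 3306),), "allow"),
    Rule("mgmt-ssh", "192.168.110.0/24", "any", "tcp", (), ((22, 22),), "allow"),
]
```

Evaluating a MySQL flow from 10.1.1.11 to 10.1.2.5 returns the web-to-db allow, while the same flow to db-02's real address falls through to the default block because the object resolved to no addresses; that silent non-match, not an error, is what to look for when an object-based rule "does not work".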


NSX Edge Routing
Slide 4-83

The NSX Edge appliance supports static and dynamic routing:
OSPF
IS-IS
BGP
Route redistribution

Routing is configured by selecting NSX Edge Gateway > Manage > Routing.


Routing Verification
Slide 4-84

To verify that routing works as expected, access the NSX Edge gateway CLI by using SSH or a console connection and run:

show ip ospf neighbors
show ip ospf database
show ip ospf interface
show ip bgp
show ip bgp neighbors
show isis neighbors
show isis database
show isis interface
show ip route

Lab 6: Introduction (1)
Slide 4-85

Deploy an NSX Edge as a perimeter gateway.

[Screenshot: the New NSX Edge wizard (Name and description; Install Type: Edge Services Gateway or Logical (Distributed) Router; Enable High Availability; Configure deployment; Configure interfaces; Default gateway settings; Firewall and HA; Ready to complete) and the Add NSX Edge Interface dialog (Name, Type: Internal or Uplink, Connected To, Connectivity Status: Connected or Disconnected, Configure subnets with IP Address and Subnet Prefix Length, MAC Addresses, MTU, Options: Enable Proxy ARP and Send ICMP Redirect, Fence Parameters), used to create the Perimeter Gateway.]

Lab 6: Introduction (2)
Slide 4-86

Configure the static routes.

[Screenshot: the Routing page of the NSX Edge (Global Configuration, Static Routes, OSPF, BGP, Route Redistribution). Each static route lists Type, Network, Next Hop, Interface, and MTU, with entries for the 10.10.7.0/24 and 10.10.9.0/24 networks via the Uplink-Interface and Transit-Interface.]

Lab 7: Introduction
Slide 4-87

You delete the static routes in the lab.

OSPF initially fails, but the lab guides the troubleshooting needed to resolve it.

[Screenshot: the NSX Edge Routing page (Global Configuration with the Default Gateway on Uplink-Interface, Gateway IP 192.168.100.2, MTU, and Description; Static Routes; OSPF; BGP; IS-IS; Route Redistribution) and the Edit Dynamic Routing Configuration dialog with Router ID, Enable OSPF, Enable BGP, Enable IS-IS, Enable Logging, Log Level, and the OSPF Area to Interface Mapping for Uplink-Interface and Transit-Interface.]

Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing
Slide 4-88

Configure and deploy an NSX Edge services gateway to provide perimeter routing and other network services:

1. Prepare for the Lab
2. Configure and Deploy an NSX Edge Gateway
3. Verify the NSX Edge Gateway Deployment
4. Configure Static Routes on the NSX Edge Gateway
5. Configure Static Routes on the Distributed Router
6. Test Connectivity Between an External Network and a Logical Switch Network
7. Clean Up for the Next Lab

Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances
Slide 4-89

Configure OSPF to establish bidirectional connectivity between the Management network and the Web-Tier, App-Tier, and DB-Tier logical switch networks:

1. Prepare for the Lab
2. Remove Static Routes from Perimeter Gateway
3. Configure OSPF on Perimeter Gateway
4. Redistribute Perimeter Gateway Subnets
5. Remove Static Route on Distributed Router
6. Configure OSPF on Distributed Router
7. Redistribute Distributed Router Internal Subnets
8. Troubleshoot Connectivity Between Logical Switch Networks and the Management Network
9. Resolve the Connectivity Issue
10. Clean Up for the Next Lab

Review of Learner Objectives
Slide 4-90

You should be able to meet the following objectives:

Deploy NSX Edge gateway
Deploy OSPF on NSX Edge

Key Points
Slide 4-91

OSPF is a link-state protocol. Each router maintains a database that describes the topology of the autonomous system (AS).
The distributed logical router optimizes the routing and data path, and supports single-tenant or multitenant deployments.
NSX Edge supports OSPF, an interior gateway protocol that routes IP packets only within a single routing domain.
Layer 2 bridging is intended for VXLAN to VLAN connectivity.

Questions?


MODULE 5

NSX Edge Services Gateway Features
Slide 5-1

You Are Here
Slide 5-2

VMware NSX: Install Configure Manage

Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway Features (you are here)
NSX Security

Importance
Slide 5-3

The services gateway gives you access to all VMware NSX Edge
services such as firewall, network address translation (NAT),
Dynamic Host Configuration Protocol (DHCP), virtual private network (VPN),
load balancing, and high availability.
Module 5

NSX Edge Services Gateway Features

285

Module Lessons
Slide 5-4

Lesson 1: NSX Edge Network Address Translation
Lesson 2: NSX Edge Load Balancing
Lesson 3: NSX Edge High Availability
Lesson 4: NSX Edge and VPN
Lesson 5: Layer 2 Bridging

Lesson 1: NSX Edge Network Address Translation
Slide 5-5

Learner Objectives
Slide 5-6

By the end of this lesson, you should be able to meet the following objectives:

Determine when to use a destination network address translation rule and a source network address translation rule
Add an internal interface to the NSX Edge gateway
Create a destination network address translation rule to enable inbound access from an external source by translating a public IP address to a private IP address
Create a source network address translation rule to translate a private IP address to a public IP address for outbound traffic

Private IPv4 Addresses
Slide 5-7

Private IPv4 addresses are IP addresses reserved for the internal use of organizations:

Defined in RFC 1918.
Private IP addresses cannot be advertised in the public Internet.
Three blocks of IP addresses are reserved for private use: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16.

[Diagram: the ACME Corporation internal network, addressed from private space, connected to an external network.]

The number of available IPv4 addresses is limited. Many applications in an
enterprise require connectivity only within that enterprise, and most internal hosts do not need external connectivity.
Request for Comments (RFC) 1918 defines address allocation for private internets. You
can use only private IPv4 addresses to address all devices on your internal network. Private IP addresses
cannot be advertised in the public Internet.

IPv4 Overlapping Space
Slide 5-8

A VMware vCloud Automation Center tenant, ACME Corporation, needs to communicate with another vCloud Automation Center tenant, XYZ Industries.
Both tenants have many networks, and end systems on both sides now need direct communication.

[Diagram: the ACME Corporation vCloud Automation Center networks and the XYZ Industries vCloud Automation Center networks, using overlapping private address space.]

Hosts assigned private IP addresses cannot communicate with other hosts through the Internet, and two tenants that use the same private ranges cannot reach each other directly.
The solution to both problems is to use network address translation (NAT) with private addressing.

Managing NAT Rules
Slide 5-9

NSX Edge provides a NAT service to assign a public address to a computer or group of computers in a private network:

NAT rules provide access to services running on privately addressed virtual machines.
The NAT service configuration is separated into the following sets of rules:
Source NAT rules translate the source IP address of outbound packets so that the packets appear to originate from a different network.
Destination NAT rules translate the destination IP address of inbound packets so that the packets are delivered to a target address on some other network.

VMware NSX Edge provides a NAT service to assign a public address to a computer or group of
computers in a private network. Using this technology limits the number of public IP addresses that
an organization or company must use, for economy and security purposes.
You must configure NAT rules to provide access to services running on privately addressed virtual
machines. The NAT service configuration is separated into source NAT and destination NAT rules.
NAT does not replace the firewall: the NSX Edge firewall still evaluates the translated traffic, so a destination NAT rule that publishes a service must be paired with a firewall rule that permits it.

Source NAT Deployment Using NSX Edge
Slide 5-10

[Diagram: Server 1 (192.168.1.2), Server 2 (192.168.1.3), and Server 3 (192.168.1.4) on Test-Network (gateway 192.168.1.1) behind the NSX Edge gateway, whose External-Network interface has the primary IP address 10.20.181.170 and the source NAT translated IP address 10.20.181.171.]

Source NAT is used to translate a private internal IP address into a public IP address for outbound
traffic. In the slide, the NSX Edge gateway translates the whole Test-Network, 192.168.1.0/24,
to 10.20.181.171. This technique is called masquerading: the entire Test-Network behind the
NSX Edge gateway masquerades as a single host with the IP address 10.20.181.171. You can also use the primary IP
address, 10.20.181.170, as the source NAT translated IP address.

Example: Set Up External Access to Web Server
Slide 5-11

Make a Web server on the HQ VXLAN network available to external users:
1. Add an internal interface (HQ VXLAN Network) to NSX Edge.
2. Add a second IP address to the external interface subnet. This second address is the one the external client connects to.
3. Create a destination NAT rule that translates the external-facing address to the Web server's IP address. No other IP address combination is allowed through the NAT service.
If multiple Web servers exist, use the load balancer service in NSX Edge to distribute connections.

Add a Second External IP Address for NAT Use
Slide 5-12

Add a second IP address in the existing subnet for the external interface. The second IP address is used for the destination NAT and source NAT rules.

[Screenshot: Manage > Settings > Interfaces for the NSX Edge, listing Uplink-Interface with the primary address 192.168.100.3* and the secondary address 192.168.100.10.]

To add a second IP address to the already-defined subnet for the external interface:

1. In the VMware NSX Manager page, select Edges and double-click edge-1 to display the management page for HQ-Edge.
2. Select Configure > Interfaces to display the list of interfaces.
3. Click the Edit (pencil) icon to add the second IP address.
The second address is used to define both destination NAT and source NAT rules.

Destination NAT Deployment Using NSX Edge
Slide 5-13

[Diagram: Web Server (192.168.1.2), App Server (192.168.1.3), and DB Server (192.168.1.4) on Test-Network (gateway 192.168.1.1) behind the NSX Edge gateway, whose External-Network interface has the primary IP address 10.20.181.170 and the destination NAT public IP address 10.20.181.171.]

Destination NAT is commonly used to publish a service located in a private network on a publicly
accessible IP address. In the example, NSX Edge NAT publishes the Web Server 192.168.1.2 on
the external network as 10.20.181.171. You can also use the primary IP address, 10.20.181.170, as
the destination NAT address. Restrict the rule to the protocol and port the service needs (for example, TCP port 80) rather than translating every port of the public address.

Creating a Destination NAT Rule for Inbound External Access
Slide 5-14

Destination NAT rules can be defined for any IP address or range of IP addresses that has been configured on a network interface.
For example, create a destination NAT rule to enable an external client to access a Web server that is on an internal network:
The Web server's internal IP address is 192.168.20.10.
The IP address added to the NSX Edge external interface is 172.20.11.12.
All packets destined for 172.20.11.12 arrive on the NSX Edge external interface.
The destination NAT rule translates the destination IP address from 172.20.11.12 to 192.168.20.10.
You can test the rule by displaying the administrative share for the C: drive on the internal system with \\172.20.11.12\C$.
Ensure that the response to whatever command you use comes from the internal system, not from the NSX Edge appliance.

You can create a destination NAT rule to map a public IP address to a private internal IP address.
The rule translates the destination IP address in the inbound packet to an internal IP address and
forwards the packet.
The original (public) IP address must be added to the NSX Edge interface on which you want to add
the rule, that is, on the external interface.

Create a Destination NAT Rule and Test Inbound Connectivity
Slide 5-15

To create the destination NAT rule:
1. Click the Add icon and select Add DNAT Rule.
2. Enable the rule in the dialog box or after the rule is added.
3. Enable logging while testing the rule.

[Screenshot: the Add DNAT Rule dialog box with the fields Applied On (Uplink-Interface), Original IP/Range, Protocol, Original Port/Range, Translated IP/Range, Translated Port/Range, Description, Enabled, and Enable logging.]

To create the destination NAT rule:

1. In the NSX Edge management page, double-click the NSX Edge instance that handles the NAT operations. In the slide, the rule is configured for the HQ-Edge instance.
2. Click the NAT tab.
3. Click the Add icon and select Add DNAT Rule.

In the Add DNAT Rule dialog box, configure the following settings:

The interface on which to apply the destination NAT rule, for example, External. The drop-down menu displays the names of all 10 interfaces for this NSX Edge instance, but not in alphabetical order.
The original (public) IP address in one of the following formats:
IP address: 192.168.10.1
IP address range: 192.168.10.1-192.168.10.10
IP address/subnet: 192.168.10.1/24
The protocol: UDP, TCP, or Any.
The original port or port range:
Port number: 80
Port range: 80-85
Any port
Translated IP/Range: the translated IP address, in one of the formats listed for the original (public) IP address.
Translated Port/Range: the translated port or port range, as described for the original port or port range.

Creating a Source NAT Rule and Testing Outbound Connectivity
Slide 5-16

You can create a source NAT rule to translate a private internal IP address into a public IP address for outbound traffic.
For the selected NSX Edge instance, select Add > Add SNAT Rule.

[Screenshot: the Add SNAT Rule dialog box, applied on Uplink-Interface, with the Enabled and Enable logging check boxes.]

You can test the outbound connectivity by pinging an external address from a system whose IP address is matched by the rule.

In the NSX Edge Manage page, double-click the NSX Edge instance for the source NAT rule and
click the NAT tab. In the example, the rule is configured for the HQ-Edge instance.
Click the Add icon and select Add SNAT Rule to open the dialog box. The translated (public) IP
address must be added to the NSX Edge interface on which you add the rule. The IP address
formats are the same formats that are used for the Add DNAT Rule choices. The source NAT rule
can be enabled in the dialog box or enabled later; as with the destination NAT rule, enable logging while you test it.
You can test the outbound rule by pinging an external IP address, such as the upstream router, from a system on the internal
network. The internal virtual machine sends the ping request. The source IP address of each Internet
Control Message Protocol (ICMP) packet (192.168.20.10 in the example) is translated to the public NAT
address (172.20.11.12), which is defined by the source NAT rule. Replies to the
ping command come from the upstream router, which responds to the
172.20.11.12 IP address, the translated address. The router has no knowledge of the
internal network.
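The following is an added example, not VMware code, that models the NSX Edge NAT table described on the preceding slides (slides 5-9 through 5-16): destination NAT publishing one Web server, source NAT masquerading a whole segment, and the reverse translation of replies, using the same field formats as the Add DNAT Rule and Add SNAT Rule dialogs. The addresses are the ones on the slides; the Packet, Rule, and NatTable names, the remote hosts 203.0.113.5 and 198.51.100.9, and the port numbers are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass, replace

# Added example, not VMware's code. Slide addresses are reused; the remote
# hosts, port numbers and class names are constructed for this example.


def ip_matches(spec: str, ip: str) -> bool:
    """spec is 'any', a single IP, a 'start-end' range, or an IP/prefix block."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)


def port_matches(spec: str, port: int) -> bool:
    """spec is 'any', a single port, or a 'start-end' range."""
    if spec == "any":
        return True
    if "-" in spec:
        lo, hi = (int(p) for p in spec.split("-"))
        return lo <= port <= hi
    return int(spec) == port


@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    kind: str             # "dnat" or "snat"
    original_ip: str      # DNAT: public destination; SNAT: private source
    protocol: str         # "tcp", "udp" or "any"
    original_port: str
    translated_ip: str    # DNAT: private server; SNAT: public address on the uplink
    translated_port: str  # "any" keeps the original port
    enabled: bool = True


class NatTable:
    """Rules are evaluated top-down; the first enabled match wins."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Reply state for SNAT: public-side 5-tuple -> (private ip, private port).
        self.conntrack = {}

    def _first_match(self, kind, pkt, ip, port):
        for r in self.rules:
            if r.kind != kind or not r.enabled or r.protocol not in ("any", pkt.proto):
                continue
            if ip_matches(r.original_ip, ip) and port_matches(r.original_port, port):
                return r
        return None

    def inbound(self, pkt: Packet) -> Packet:
        """Packet arriving on the uplink: undo SNAT for a reply, otherwise apply DNAT."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.conntrack:
            priv_ip, priv_port = self.conntrack[key]
            return replace(pkt, dst=priv_ip, dport=priv_port)
        r = self._first_match("dnat", pkt, pkt.dst, pkt.dport)
        if r is None:
            return pkt  # no rule: the packet stays addressed to the Edge itself
        new_port = pkt.dport if r.translated_port == "any" else int(r.translated_port)
        return replace(pkt, dst=r.translated_ip, dport=new_port)

    def outbound(self, pkt: Packet) -> Packet:
        """Packet leaving through the uplink: apply SNAT and remember the reply mapping."""
        r = self._first_match("snat", pkt, pkt.src, pkt.sport)
        if r is None:
            return pkt
        new_port = pkt.sport if r.translated_port == "any" else int(r.translated_port)
        out = replace(pkt, src=r.translated_ip, sport=new_port)
        # The reply arrives with src = remote host and dst = the translated address.
        self.conntrack[(out.proto, out.dst, out.dport, out.src, out.sport)] = (pkt.src, pkt.sport)
        return out


def build_demo_table() -> NatTable:
    return NatTable([
        # Slide 5-13: publish the Web server 192.168.1.2 on 10.20.181.171, TCP port 80 only.
        Rule("dnat", "10.20.181.171", "tcp", "80", "192.168.1.2", "any"),
        # Slide 5-10: masquerade the whole Test-Network as 10.20.181.171.
        Rule("snat", "192.168.1.0/24", "any", "any", "10.20.181.171", "any"),
    ])


def demo():
    nat = build_demo_table()
    client = Packet("tcp", "203.0.113.5", 40000, "10.20.181.171", 80)
    to_server = nat.inbound(client)                         # dst becomes 192.168.1.2:80
    not_published = nat.inbound(replace(client, dport=22))  # no DNAT for port 22: unchanged
    egress = nat.outbound(Packet("tcp", "192.168.1.3", 51000, "198.51.100.9", 443))
    reply = nat.inbound(Packet("tcp", "198.51.100.9", 443, egress.src, egress.sport))
    return to_server, not_published, egress, reply
```

The model keeps the original source port when masquerading; a real NAT must remap source ports when two internal hosts pick the same one, which is one reason the reply state is keyed on the full 5-tuple. The port-22 packet shows why the DNAT rule should name a protocol and port: anything not covered by a rule is left addressed to the Edge, and whether the Edge answers it is then a firewall decision.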

Lab 8: Introduction (1)
Slide 5-17

A traffic capture has a specific format.

[Diagram: a captured packet header with its address and port fields labeled (Destination Address, Source Port, Destination Port).]

Lab 8: Introduction (2)
Slide 5-18

Adding an IP address to an interface. Adding a destination NAT and a source NAT rule.

[Screenshots: the Edit Subnet dialog (Edit IP addresses in this subnet: Primary IP, IP Address, Subnet Prefix Length 24) and the Add DNAT Rule dialog (Applied On: Uplink-Interface, Original IP/Range 192.168.100.3, Protocol, Original Port/Range, Translated IP/Range, Translated Port/Range, Description, Enabled, Enable logging).]

Lab 8: Introduction (3)
Slide 5-19

Resetting VMware NSX Controller credentials.

[Screenshot: the NSX Edges page of the Networking & Security UI (NSX Manager 192.168.110.42) listing edge-5 Distributed Router and edge-6 Perimeter Gateway, with the Actions menu: Delete, Force Sync, Deploy, Redeploy, Change auto rule configuration, Download Tech Support Logs, Upgrade version, Convert to Compact, Convert to Large, Convert to X-Large.]

Lab 8: Configuring and Testing Network Address Translation on an NSX Edge Services Gateway
Slide 5-20

Use destination NAT and source NAT rules to establish a one-to-one relationship between the IP address of a Web server on an internal subnet and an IP address in an externally accessible subnet:

1. Prepare for the Lab
2. Verify Non-Translated Packet Addressing
3. Configure an Additional IP Address on the Uplink Interface of Perimeter Gateway
4. Configure a Destination NAT Rule
5. Test Connectivity Using the Destination NAT Translation
6. Verify Non-Translated Packet Addressing Before Defining a Source NAT Rule
7. Configure a Source NAT Rule
8. Test Connectivity Using the Source NAT Translation
9. Use What You Have Learned
10. Clean Up for the Next Lab

Concept Summary
Slide 5-21

A review of terms used in this lesson:

What is version 4 of the Internet Protocol called? IPv4
What are IPv4 networks with overlapping IP address configurations called? IPv4 overlapping
What translates either the source or the destination address to a predetermined value? Network Address Translation (NAT)
What is used to change the source IP address in an IP communication? Source NAT rule
What is used to change the destination IP address in an IP communication? Destination NAT rule

Review of Learner Objectives
Slide 5-22

You should be able to meet the following objectives:

Decide when to use a destination network address translation rule and a source network address translation rule
Add an internal interface to the NSX Edge gateway
Create a destination network address translation rule to enable inbound access from an external source by translating a public IP address to a private IP address
Create a source network address translation rule to translate a private IP address to a public IP address for outbound traffic

Lesson 2: NSX Edge Load Balancing


Slide 5-23

Lesson 2:
NSX Edge Load Balancing


Learner Objectives
Slide 5-24

By the end of this lesson, you should be able to meet the following objectives:

Describe NSX Edge load balancing
Configure load balancing
Compare one-armed load balancing to inline load balancing

NSX Edge Load Balancer
Slide 5-25

The NSX Edge load balancer enables network traffic to follow multiple paths to a specific destination:
Load sharing: load is distributed across multiple backend servers.
Service high availability: servers or applications that fail are automatically removed from the pool.
Use cases: per-tenant cloud load balancing; dynamic virtual IP (vIP) for applications.

[Diagram: clients reaching a vIP on the NSX Edge, which distributes the requests across a pool of Web servers.]

The NSX Edge load balancer enables network traffic to follow multiple paths to a specific
destination. The NSX Edge load balancer distributes incoming service requests among
multiple servers in such a way that the load distribution is transparent to users. Load balancing thus
helps in achieving optimal resource use, maximizing throughput, minimizing response time, and
avoiding overload. NSX Edge provides load balancing up to layer 7.
In the example in the slide, access to the Web server network is load balanced.
The load balancer does local load balancing, not global load balancing. If multiple virtual
machines provide a Web service, the NSX Edge load balancer can distribute the load across
those virtual machines. If one of the load-balanced virtual machines becomes unreachable,
or its service becomes unresponsive, the load balancer service detects that condition and
removes that Web server from the load balancing rotation.
Clients do not open a Web browser and go to the IP address of a Web server. Instead, the client
connects to an IP address that is owned or hosted by the load balancer itself. The load balancer redirects the
client traffic by changing the destination IP address from the load balancer's own address to the
IP address of the Web server that was selected for the session. The IP address that the client
uses to connect to the Web site is called the virtual IP (vIP).

NSX Edge Load Balancer Modes
Slide 5-26

Features:
TCP, HTTP, HTTPS with stateful high availability
Multiple vIP addresses, each with a separate server pool and configuration
Multiple load balancing algorithms and session persistence methods
Configurable health checks
Application rules
SSL termination with certificate management, SSL pass-through, and SSL initiation
IPv6 support

Modes:
One-arm mode
Inline mode

The load balancer accepts TCP, HTTP, or HTTPS requests on the external IP address and decides
which internal server to use.
You can add a server pool to manage and share backend servers flexibly and efficiently. A pool
manages load balancer distribution methods and has a service monitor attached to it for health check
parameters.
Implementation models for load balancing can be either one-arm or inline.

Load-Balancer Operation
Slide 5-27

Multiple virtual servers are supported.
Each virtual server is identified by a vIP address.
A vIP is an IP address and also contains the service port number.
A vIP has an associated back-end pool of server IP addresses.

For example:
vIP: 163.63.63.63 and port 80
Backend pool addresses: 10.10.10.1 through 10.10.10.3

Two modes:
Layer 7, proxy based (for example, HTTP)
Layer 4 based (TCP)

Layer 7 load balancing combines standard load balancing features with handling for specific types of content. An
application delivery network can be optimized to serve specific types of content. For example, data
security processing such as data scrubbing is likely not necessary for JPG or GIF images, so the scrubbing
might be applied only to HTML and PHP.

One-Arm Load Balancer
Slide 5-28

The one-arm load balancer mode is also called proxy mode. The NSX Edge gateway uses one interface both to advertise the vIP address and to connect to the Web servers.
Design considerations:
Increases the number of NSX Edge appliances deployed
Client IP address is not preserved: Web traffic can carry the original client address in the X-Forwarded-For HTTP header

The one-arm load balancer has advantages and disadvantages. The advantages are that the
design is simple and can be deployed easily. The main disadvantage is that you must have a load
balancer per segment, leading to a large number of load balancers.

Because the one-arm implementation source-NATs the client, the Web servers see the load balancer's address as the source of every connection. The load balancer can insert the standard HTTP X-Forwarded-For header to pass the original client IP address to the Web servers for logging or access decisions. Treat that header with care: a client can send its own X-Forwarded-For, so back-end servers should rely on it only for connections that arrive from the load balancer, and the load balancer should overwrite rather than append to a client-supplied value where the application uses it for access control.

One-Arm Load Balancer Traffic Flow
Slide 5-29

One-arm load balancers must be on the same segment as the Web servers that are load balanced:
1. Client IP address > vIP address
2. Edge IP address > Server IP address
3. Server IP address > Edge IP address
4. vIP address > Client IP address

[Diagram: a logical network with a router (NSX Edge or Distributed Router, layer 3) and an NSX Edge load balancer on the same segment as the Web servers, applying both destination NAT and source NAT.]

In the one-arm design, when you deploy the NSX Edge instance, its interface advertises the vIP.
This vIP is the IP address that clients use to reach the load balanced servers. When traffic reaches
the vIP, the destination IP address is changed to the IP address of the Web server chosen by the load balancer,
and the packet is sent to that Web server. The NSX Edge instance also uses NAT to change the
source IP address of the requestor to an IP address on the same subnet as the vIP. So when the Web
server replies, it replies to the translated IP address on the NSX Edge load balancer. The NSX
Edge instance reverses both translations and sends the traffic back to the requestor.
In this design, the load balancer has to be on the same segment as the Web servers to which it is
providing the load balancing service.

If you do not use NAT to change the source IP address, the virtual machines reply directly to the
requestor with their own source IP address instead of the vIP. The requestor does not recognize the
server and discards the traffic.

Inline Load Balancer
Slide 5-30

Inline load balancer mode is also called transparent mode. The NSX Edge gateway uses the following distinct interfaces:
An interface to advertise the vIP address
An interface to connect to the Web servers
Design considerations:
Client IP address is preserved
An NSX Edge gateway must exist, and the Web servers must point to the NSX Edge gateway as their default gateway.

Inline proxy is another design option. The advantage is that the client IP address is preserved
because the proxy does not perform source NAT. This design also requires fewer load balancers
because a single NSX Edge instance can service multiple segments.

With this configuration, you cannot have a distributed router in the path, because the Web servers must point at
the NSX Edge instance as their default gateway.

Inline Load Balancer Traffic Flow


Slide 5-3 1

The inline proxy design is like the traditional firewall design.


1.
2.
3.
4.

Client IP address > VIP address


Client IP address > Server IP address
Server IP address> Client IP address
VIP address
> Client IP address

Logical network

;--------------

I
I
I
I
I
I
I

(Destination NAT)

NSX Edge Router


(Layer 3 + Load Balancer)

,-------------------------------,

,
\
I
I
I
I
I
I
I
J
/

The inline proxy design is similar to the traditional firewall design. The device has at least two
interfaces. The VIP resides on the external interface. The internal interface is connected to the
segment for the Web servers. In this model, the only IP address that uses NAT is the destination IP
address. The VIP is changed to one of the virtual machine IP addresses. The load balancer performs
a hashing algorithm to decide which of the Web servers gets that traffic.
You must not change the source IP address because you must set up your Web servers to use your
NSX Edge instance as the default gateway. Traffic comes back the same way so that the external IP
address can remain.
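The two NAT behaviours this lesson compares, as an added Python model that is not part of the course material: the inline load balancer rewrites only the destination (VIP to pool member) and therefore depends on the Web servers routing their replies back through the NSX Edge, while a one-arm load balancer (included for comparison) also rewrites the source and so loses the client IP. All addresses, ports and class names are constructed for this example.

```python
from dataclasses import dataclass
from itertools import cycle
from typing import Dict, List, Tuple

# Constructed sample addresses; they are not the course lab's addresses.
VIP = "192.168.100.10"            # advertised on the NSX Edge uplink interface
EDGE_INTERNAL_IP = "172.16.10.1"  # Edge interface on the Web server segment
POOL = ["172.16.10.11", "172.16.10.12"]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


ConnKey = Tuple[str, int, str, int]   # (client ip, client port, vip, vip port)


class InlineLoadBalancer:
    """Inline (transparent) mode: only the destination IP is rewritten.

    Because the client IP is preserved, the server's reply is addressed to the
    client, not to the Edge; it reaches this device only if the Web servers
    use the Edge as their default gateway.
    """

    def __init__(self, vip: str, pool: List[str]) -> None:
        self.vip = vip
        self._members = cycle(pool)            # round-robin member selection
        self.conns: Dict[ConnKey, str] = {}   # DNAT table: connection -> member

    def client_to_server(self, pkt: Packet) -> Packet:
        if pkt.dst != self.vip:
            return pkt                         # not for the VIP: plain routing
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key not in self.conns:              # new connection: pick the next member
            self.conns[key] = next(self._members)
        return Packet(pkt.src, self.conns[key], pkt.sport, pkt.dport)  # DNAT only

    def server_to_client(self, pkt: Packet) -> Packet:
        key = (pkt.dst, pkt.dport, self.vip, pkt.sport)
        if self.conns.get(key) != pkt.src:
            return pkt                         # no DNAT state: forward unchanged
        return Packet(self.vip, pkt.dst, pkt.sport, pkt.dport)  # member -> VIP


class OneArmLoadBalancer(InlineLoadBalancer):
    """One-arm (proxy) mode, for comparison: destination AND source NAT.

    The server sees the Edge's own address, so its reply always comes back to
    the Edge whatever its default gateway is, but the client IP is lost.
    """

    def __init__(self, vip: str, pool: List[str], self_ip: str) -> None:
        super().__init__(vip, pool)
        self.self_ip = self_ip
        self.snat: Dict[Tuple[str, int], ConnKey] = {}  # (member, edge port) -> client

    def client_to_server(self, pkt: Packet) -> Packet:
        out = super().client_to_server(pkt)
        if out is pkt:
            return pkt
        edge_port = 50000 + len(self.snat)     # simple port allocation for the demo
        self.snat[(out.dst, edge_port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return Packet(self.self_ip, out.dst, edge_port, out.dport)

    def server_to_client(self, pkt: Packet) -> Packet:
        client = self.snat.get((pkt.src, pkt.dport))
        if client is None:
            return pkt
        client_ip, client_port, vip, vip_port = client
        return Packet(vip, client_ip, vip_port, client_port)


def exchange(lb: InlineLoadBalancer, client: str, sport: int,
             server_gw_is_edge: bool) -> Tuple[str, str, str]:
    """One request/reply. Returns (member chosen, source the server saw,
    source the client saw). The client accepts the reply only if the last
    value equals the VIP it connected to."""
    fwd = lb.client_to_server(Packet(client, lb.vip, sport, 80))
    reply = Packet(fwd.dst, fwd.src, fwd.dport, fwd.sport)
    # The reply passes through the Edge if the server routes through it, or
    # if the reply is addressed to the Edge itself (one-arm mode).
    if server_gw_is_edge or reply.dst == getattr(lb, "self_ip", None):
        reply = lb.server_to_client(reply)
    return fwd.dst, fwd.src, reply.src
```

The third exchange in the test below is the misconfiguration the text warns about: with a Web server whose default gateway bypasses the Edge, the client receives a reply from the member address instead of the VIP and the connection fails.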


Lab 9: Introduction
Slide 5-32

Create an application profile.
[Screenshot: New Profile dialog with Name, Type (TCP, HTTP, HTTPS), Enable SSL Passthrough, HTTP Redirect URL, Persistence, Cookie Name, Mode, Insert X-Forwarded-For HTTP header, Enable Pool Side SSL, Virtual Server Certificates, Cipher, and Client Authentication settings]

Create a server pool.
[Screenshot: New Pool dialog with Name, Description, Algorithm (ROUND-ROBIN), Monitors (NONE), Members (Name, IP Address, Weight, Monitor Port, Port, Max Connections, Min Connections), and Transparent settings]


Lab 10: Introduction
Slide 5-33

When deleting interfaces, it is critical to select the correct interface.
[Screenshot: Configure interfaces of this NSX Edge, listing Uplink-Interface (192.168.100.3, 192.168.100.7), Transit-Interface (192.168.10.1), and WebTier-Temp (172.16.10.1)]

Reconfigure the App-Pool.
[Screenshot: Edit Profile dialog with Type (TCP, HTTP, HTTPS), Enable SSL Passthrough, HTTP Redirect URL, Persistence, Cookie Name, Mode, Insert X-Forwarded-For HTTP header, Enable Pool Side SSL, Virtual Server Certificates, Cipher, and Client Authentication settings]

Lab 9: Configuring Load Balancing with NSX Edge Gateway (1)
Slide 5-34

Configure a round-robin load balancer to distribute traffic between
two Web servers, and verify round-robin operation using traffic
capture tools:
1. Prepare for the Lab
2. Verify the Lack of Connectivity
3. Add an IP Address to the Uplink Interface
4. Enable the Load Balancer Service and Configure an Application Profile
5. Create a Server Pool
6. Create a Virtual Server


Lab 9: Configuring Load Balancing with NSX Edge Gateway (2)
Slide 5-35

Configure a round-robin load balancer to distribute traffic between
two Web servers, and verify round-robin operation using traffic
capture tools:
7. Use the Packet Capture Capabilities of NSX Edge to Verify Round-Robin Load Balancing
8. Examine NAT Rule Changes
9. Migrate the Web-Tier Logical Switch to the Perimeter Gateway
10. Reposition the Virtual Server and Examine NAT Rule Changes
11. Use a Packet Capture to Verify Round-Robin Operation
12. Clean Up for the Next Lab


Lab 10: Advanced Load Balancing
Slide 5-36

Configure a load balancer to provide SSL security for a Web site:
1. Prepare for the Lab
2. Generate a Certificate
3. Modify the Existing Load Balancer
4. Capture Network Traffic at Perimeter Gateway
5. Migrate the Web-Tier Logical Switch Back to Distributed Router
6. Clean Up for the Next Lab


Concept Summary
Slide 5-37

A review of terms used in this lesson:
What distributes server load among multiple servers using an intermediate proxy?
Load balancing

What are a number of separate servers or applications that are pooled together as a single resource for load balancing called?
Server pool

What IP address is assigned to a load balancing proxy (server)?
Virtual IP address (VIP)

Which load balancer uses a single path and interface for ingress and egress traffic?
One-arm load balancer

Which load balancer uses separate paths and interfaces for ingress and egress traffic?
Inline load balancer

Review of Learner Objectives


Slide 5-38

You should be able to meet the following objectives:

Describe the NSX Edge load balancing

Configure load balancing

Compare one-armed load balancing to inline load balancing


Lesson 3: NSX Edge High Availability
Slide 5-39

Learner Objectives
Slide 5-40

By the end of this lesson, you should be able to meet the following
objectives:

Explain benefits of stateful high availability

Configure the high availability service


Test and verify the high availability service before placing the service in
production


High Availability
Slide 5-41

The NSX Edge gateway can be deployed in pairs for a highly
available, network-services solution provider:
Active and standby NSX Edge gateways are placed in different hosts.
Heartbeat and sync packets are sent over the same internal vNIC.
On VMware ESXi host failure, an attempt is made to maintain NSX
Edge gateways in separate hosts.
[Figure: active and standby NSX Edge virtual machines on separate ESXi hosts, connected through an Internal Port Group]

NSX Edge high availability (HA) ensures that an NSX Edge appliance is always available by
installing an active pair of NSX Edge gateways on your virtualized infrastructure. You can enable
high availability either when installing NSX Edge or on an installed NSX Edge instance.
The primary NSX Edge appliance is in the active state and the secondary appliance is in the standby
state. NSX Edge replicates the configuration of the primary appliance for the standby appliance, or
you can manually add two appliances. VMware recommends that you create the primary and
secondary appliances on separate resource pools and datastores. If you create the primary and
secondary appliances on the same datastore, the datastore must be shared across all hosts in the
cluster. Thus, the high availability appliance pair can be deployed on different VMware ESXi
hosts. If the datastore is local storage, both virtual machines are deployed on the same host.


NSX Edge High Availability Operation
Slide 5-42

The heartbeat and synchronization traffic use one internal interface
on each NSX Edge instance, connected to the same internal subnet:
The NSX Edge appliances must be enabled to communicate without
layer 2 restrictions.
[Figure: Heartbeat and Data Synchronization traffic between the two NSX Edge appliances]
High availability protection mechanisms:
Network high availability: Secondary NSX Edge
vSphere HA: Protection against host failure
Process high availability: Protection against process failure

High availability ensures that an NSX Edge appliance is always available on your virtualized
network. You can enable high availability when installing NSX Edge or later. NSX Edge HA
supports two NSX Edge appliances (peers) per cluster, running in active-standby mode.
NSX Manager manages the lifecycle of both peers and pushes user configurations because it is
connected to both NSX Edge instances simultaneously.
NSX Edge pushes runtime state information to the standby, such as VMware vCenter Single Sign-On information.
NSX Edge HA peers communicate with each other for heartbeat messages and runtime state
synchronization. Each peer has a designated IP address to communicate with the other peer. The IP
addresses are for high availability purposes only and cannot be used for any other services. The IP
addresses must be allocated on one of the internal interfaces of the NSX Edge.
Heartbeat and data synchronization both use the same internal vNIC. Layer 2 connectivity is
through the same port group.

Stateful High Availability


Slide 5-43

The primary NSX Edge appliance is in the active state and the
secondary appliance is in the standby state:
All NSX Edge services run on the active appliance.
The primary appliance maintains a heartbeat with the standby
appliance and sends service updates through an internal interface .
If a heartbeat is not received from the primary appliance in the
specified time, the primary appliance is declared dead and the
standby moves to the active state. The standby appliance:
Takes over the interface configuration of the primary appliance
Starts the NSX Edge services that were running on the primary
appliance
The NSX Edge gateway replicates the configuration of the primary
appliance to create the standby appliance.

The primary NSX Edge appliance is in the active state and the secondary appliance is in the standby
state. All NSX Edge services run on the active appliance. The primary appliance maintains a
heartbeat with the standby appliance and sends service updates through an internal interface.
If a heartbeat is not received from the primary appliance in the specified time (default value is 6
seconds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were running on the primary appliance. When the switchover
takes place, a system event is displayed in the System Events tab of Settings & Reports. Load
balancer and virtual private network (VPN) services must reestablish TCP connections with NSX
Edge, so the service is disrupted for some time. Virtual wire connections and firewall sessions are
synchronized between the primary and standby appliances, so that service is not disrupted during
switchover.
If the NSX Edge appliance fails and a bad state is reported, high availability force-synchronizes the
failed appliance to revive it. When the appliance is revived, it takes on the configuration of the now
active appliance and stays in a standby state. If the NSX Edge appliance is dead, you must delete the
appliance and add a new appliance.
The NSX Edge appliance replicates the configuration of the primary appliance for the standby
appliance, or you can manually add two appliances. VMware recommends that you create the
primary and secondary appliances on separate resource pools and datastores. You can create the
primary and secondary appliances on the same datastore. The datastore must be shared across all
hosts in the cluster so that the high availability appliance pair can be deployed on different ESXi
hosts. If the datastore is local storage, both virtual machines are deployed on the same host.
NSX Edge ensures that the two high availability NSX Edge virtual machines are not on the same
ESXi host. This feature works even after you migrate virtual machines with VMware vSphere
Distributed Resource Scheduler (DRS) and VMware vSphere vMotion. But this feature does
not work when you manually migrate the virtual machines to the same host. Two virtual machines
are deployed on the VMware vCenter Server instance in the same resource pool and datastore as
the appliance that you configured. Local link IP addresses are assigned to high availability virtual
machines in the NSX Edge HA so that they can communicate with each other. You can specify
management IP addresses to override the local links. If Syslog servers are configured, logs on the
active appliance are sent to the Syslog servers.


NSX Edge Failure
Slide 5-44

If the primary NSX Edge appliance fails, the secondary NSX Edge
detects the failure:
Default dead timer is 15 seconds:
Can be changed
Minimum 6 seconds
Secondary NSX Edge assumes the primary role:
The show service highavailability CLI command verifies which appliance is primary.
After secondary NSX Edge becomes primary, all new flows go
through it:
Connections must be re-established for all flows existing at the time of
primary failure.
Load balance persistence is synchronized.

If a heartbeat is not received from the primary appliance in the specified time (default value is 15
seconds), the primary appliance is declared dead. The standby appliance moves to the active state
and takes over the interface configuration of the primary appliance. The standby appliance also
starts the NSX Edge services that were running on the primary appliance. When the switchover
takes place, a system event is displayed in the System Events tab of Settings & Reports. Load
balancer and VPN services must re-establish TCP connections with NSX Edge, so the service is
disrupted for some time. Virtual wire connections and firewall sessions are synchronized between
the primary and standby appliances, so no service disruption occurs during switchover.


NSX Edge Services Gateway High Availability
Slide 5-45

Heartbeat and synchronization:
Heartbeat and sync both use the same internal vNIC.
Layer 2 connectivity using the same port group.
Stateful failover for features.
Anti-affinity:
Active and standby NSX Edge gateways are placed on different ESXi hosts.
On ESXi host failure, VMware NSX Manager attempts to place NSX Edge
gateways on different hosts again.
[Figure: active and standby NSX Edge virtual machines on separate ESXi hosts, connected through an Internal Port Group]

NSX Edge ensures that the two highly available NSX Edge virtual machines are not on the same
ESXi host. This feature works even after you migrate virtual machines with DRS and vSphere
vMotion. But this feature does not work when you manually migrate the virtual machines to the
same host. Two virtual machines are deployed on a vCenter Server host in the same resource pool
and datastore as the appliance that you configured. Local link IPs are assigned to high availability
virtual machines in the NSX Edge HA so that they can communicate with each other. You can
specify management IP addresses to override the local links.


Virtual Machine and Appliance Failure
Slide 5-46

NSX Edge health checks detect virtual machine or application failure:
Delay is dependent on the health check configuration. The default
configuration is 3x5 seconds.
Virtual machines that do not respond to health checks are taken out
of service:
Edge > Manage > Load Balancer > Pools
Application Health Check has to be configured for the pool.
For clients with persistence to that server, a new persistence is created when clients
reconnect.
[Screenshot: Show Pool Statistics, Pool and Member Status. Pools: pool-1 SSH-Web-Pool1 UP; pool-2 HTTP-Web-Pool UP. Members: T1Web4 10.0.1.14 DOWN; T1Web5 10.0.1.15 UP]

When setting up load balancing, you place different destination servers into different pools. Pools
include the virtual machines that are hosting the Web server. When you select the pool in the
VMware vSphere Web Client, you can see members of that pool and members that are marked as
unavailable.


ESXi Host Failure
Slide 5-47

The response to an ESXi host failure is the same as when the NSX
Edge primary appliance fails:
If VMware vSphere Distributed Resource Scheduler is enabled in
the cluster, the secondary NSX Edge gateway runs in a different ESXi
host from the primary NSX Edge gateway:
Anti-affinity rules are automatically created.

Host failure is handled in the same way as an NSX Edge failure. The keep-alive packets between the
standby and active NSX Edge devices time out if the virtual machine fails or if the host that contains
the active device fails. The recovery process is the same as for NSX Edge failure. If a host
configured with DRS fails, the anti-affinity rule ensures that the second virtual machine is relocated
to a different host when the new virtual machine powers on.


Lab 11 Introduction
Slide 5-48

You use the load balancing from the previous lab and expand upon
it.
[Screenshots: Generate CSR dialog (Common Name, Organization Name, Organization Unit, Locality, State, Country, Message Algorithm RSA, Description); Edit Profile dialog (Type HTTPS, Enable SSL Passthrough, HTTP Redirect URL, Persistence, Cookie Name, Mode, Insert X-Forwarded-For HTTP header, Virtual Server Certificates, Service Certificates, Enable Pool Side SSL, Cipher, Client Authentication); Edit Pool dialog (Algorithm ROUND-ROBIN, Monitors NONE, two Web server members on port 443 with monitor port 443, Transparent)]

Lab 11: Configuring NSX Edge High Availability


Slide 5-49

Configure high availability and use the NSX Edge command line to
determine current HA status and view heartbeat traffic
1. Prepare for the Lab
2. Configure NSX Edge High Availability
3. Examine the High Availability Service Status and Heartbeat
4. Force a Failover Condition
5. Restore the Failed Node
6. Clean Up for the Next Lab


Concept Summary
Slide 5-50

A review of terms used in this lesson:
Which term refers to ensuring that an application or service remains available?
High availability

Which type of high availability uses primary and backup devices that synchronize to minimize service interruptions when the active node fails?
Stateful high availability

Review of Learner Objectives


Slide 5-5 1

You should be able to meet the following objectives:

Explain benefits of stateful high availability

Configure the high availability service


Test and verify the high availability service before placing the service in
production


Lesson 4: NSX Edge and VPN
Slide 5-52

Learner Objectives
Slide 5-53

By the end of this lesson, you should be able to meet the following
objectives:
Configure a layer 2 VPN on the NSX Edge gateway
Explain how an IPsec VPN enables systems at a branch location to
access systems securely on a private network at headquarters
Configure an IP address on an external interface for use by an IPsec
VPN
Configure an IPsec VPN service that connects the private networks at
two locations across the Internet
Describe the use case that SSL VPN-Plus addresses
Decide whether Web-access mode or full-access mode is optimal for a
use case
Configure the SSL VPN-Plus server settings that enable SSL on the
external interface


Logical L2 VPN
Slide 5-54

Features:
SSL-based
Web-proxy Support
L2 Bridge to Cloud
Broadcast support
Scale and Performance:
High Performance: AES-NI acceleration
2 Gb/s throughput per tenant
Use Cases:
Cloud On-boarding
Cloud Bursting

Layer 2 VPN allows you to configure a tunnel between two sites. Virtual machines remain on the
same subnet in spite of being moved between these sites, which enables you to extend your data
center. An NSX Edge gateway at one site can provide all services to virtual machines on the other
site.

Overview of Layer 2 VPN


Slide 5-55

To create the L2 VPN tunnel, you configure a layer 2 VPN server and
layer 2 VPN client:
You enable the layer 2 VPN service on the NSX Edge instance and
configure a server and a client.
The layer 2 VPN server is the source NSX Edge gateway to which the
L2 VPN is to be connected.
The layer 2 VPN client is the destination NSX Edge.


Logical User (SSL) and Site-to-Site (IPsec) VPN
Slide 5-56

Features:
Interoperable IPsec tested with major vendors
Clients on all major OSs (Windows, Apple, Linux)
Remote authentication through Active Directory, RSA SecurID, LDAP, RADIUS
TCP Acceleration
Encryption: 3DES, AES128, AES256
AES-NI H/W Offload
NAT and perimeter firewall traversal
Scale and Performance:
High performance: AES-NI acceleration
2 Gb/s throughput per tenant
Use Cases:
Cloud to corporate
Cloud on-boarding
Remote office or branch office
Remote management

NSX Edge supports several types of VPNs. SSL VPN-Plus allows remote users to access private
corporate applications. IPsec VPN offers site-to-site connectivity between an NSX Edge instance
and remote sites. Layer 2 VPN enables you to extend your data center by allowing virtual machines
to keep network connectivity across geographical boundaries.

NSX IPsec VPN
Slide 5-57

Encapsulating Security Payload (ESP) tunnel mode is used:
64 tunnels are supported across a maximum of 10 sites.
Internet Key Exchange v1
Multiple nonoverlapping local and peer subnets can be configured.
Industry standard IPsec implementation:
Full interoperability with Cisco, Juniper, SonicWall, and others
Supports both the preshared key (PSK) and certificate authentication
modes.
Supported encryption algorithms are AES (default), AES256, and
Triple DES.

NSX Edge supports certificate authentication, preshared key mode, IP unicast traffic, and no
dynamic routing protocol between the NSX Edge instance and remote VPN routers. Behind each
remote VPN router, you can configure multiple subnets to connect to the internal network behind an
NSX Edge instance through IPsec tunnels. These subnets and the internal network behind an NSX
Edge instance must have address ranges that do not overlap.
You can deploy an NSX Edge gateway behind a NAT device. In this deployment, the NAT device
translates the VPN address of an NSX Edge instance to a publicly accessible address facing the
Internet. Remote VPN routers use this public address to access the NSX Edge instance. You can also
place remote VPN routers behind a NAT device. You must provide the VPN native address and the
VPN Gateway ID to set up the tunnel. On both ends, static one-to-one NAT is required for the VPN
address. You can have a maximum of 64 tunnels across a maximum of 10 sites.


IPsec Security Protocols: Internet Key Exchange
Slide 5-58

Internet Key Exchange (IKE) v1:
IKE is a standard method that is used to arrange secure, authenticated
communications.
IKE uses UDP port 500.
IKE has two phases:
Phase 1 sets up mutual authentication of the peers, negotiates
cryptographic parameters, and creates session keys.
Phase 2 negotiates an IPsec tunnel by creating keying material for the
IPsec tunnel to use, either by using the IKE phase-one keys as a base
or by performing a new key exchange.

IPsec is a framework of open standards. Many technical terms are in the logs of the NSX Edge
instance and other VPN appliances that you can use to troubleshoot the IPsec VPN. You might
encounter some of these standards:
Internet Security Association and Key Management Protocol (ISAKMP): This protocol is
defined by RFC 2408 for establishing Security Associations (SA) and cryptographic keys in an
Internet environment. ISAKMP only provides a framework for authentication and key exchange
and is designed to be key exchange independent.
Oakley: This protocol is a key agreement protocol that allows authenticated parties to exchange
keying material across an insecure connection by using the Diffie-Hellman key exchange
algorithm.
Internet Key Exchange (IKE): This protocol is a combination of the ISAKMP framework and
Oakley. NSX Edge provides IKEv2.
IKE has two phases. Phase 1 sets up mutual authentication of the peers, negotiates
cryptographic parameters, and creates session keys. Phase 2 negotiates an IPsec tunnel by
creating keying material for the IPsec tunnel to use. Phase 2 either uses the IKE phase one keys
as a base or performs a new key exchange.


The following phase 1 parameters are used by NSX Edge:
Main mode
3DES or AES (configurable)
SHA-1
MODP group 2 (1024 bits)
Preshared secret (configurable)
Security association lifetime of 28800 seconds (eight hours)
ISAKMP aggressive mode disabled
The following IKE phase 2 parameters are supported by NSX Edge:
3DES or AES (matches the phase 1 setting)
SHA-1
ESP tunnel mode
MODP group 2 (1024 bits)
Perfect forward secrecy for rekeying
Security association lifetime of 3600 seconds (one hour)
Selectors for all IP protocols, all ports, between the two networks, using IPv4 subnets
Diffie-Hellman (DH) key exchange: This protocol is a cryptographic protocol that allows two
parties that have no previous knowledge of one another to jointly establish a shared secret key
over an insecure communications channel. NSX Edge supports DH group 2 (1024 bits) and
group 5 (1536 bits).


IPsec Security Protocols: Encapsulating Security Payload
Slide 5-59

ESP tunnel mode:
Confidentiality (encryption)
Connectionless integrity
Data origin authentication
Protection against replay attacks

Encapsulating Security Payload (ESP) is a member of the IPsec protocol suite. In IPsec, it provides
origin authenticity, integrity, and confidentiality protection of packets. ESP in tunnel mode
encapsulates the entire original IP packet with a new packet header. ESP protects the whole inner IP
packet (including the inner header). The outer header remains unprotected. ESP operates directly on
IP, using IP protocol number 50.

IPsec ESP Tunnel Mode Packet
Slide 5-60

The original packet that is transmitted is both encrypted and
authenticated.
[Figure: original packet = IP Header + Data; ESP tunnel mode packet = Outer IP Header | ESP Header | Original IP Header | Data | ESP Trailer | ESP Authentication Data, with brackets marking the Encrypted and Authenticated regions]

When a packet is processed by ESP in tunnel mode, the entire packet is surrounded by the ESP
header, ESP trailer, and ESP authentication data:
ESP header: Contains two fields, the SPI and Sequence Number, and comes before the
encrypted data.
ESP trailer: Placed after the encrypted data. The ESP trailer contains padding that is used to
align the encrypted data through a Padding and Pad Length field.
ESP authentication data: Contains an integrity check value.
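An added example, not from the course, that builds and verifies an ESP tunnel-mode packet with the layout described above (ESP header with SPI and sequence number, inner IP packet, trailer with padding, pad length and next header, integrity check value) and enforces the sequence-number anti-replay window. It uses the NULL cipher (RFC 2410) and HMAC-SHA1-96 so that it runs with the Python standard library alone; the 3DES or AES encryption NSX Edge actually applies would cover the same inner packet and trailer. The addresses, key, and function names are constructed for this example.

```python
import hashlib
import hmac
import socket
import struct
from typing import Optional, Tuple

ESP_PROTOCOL = 50      # ESP rides directly on IP as protocol number 50
NEXT_HEADER_IPV4 = 4   # tunnel mode: the protected payload is a whole IPv4 packet
ICV_LEN = 12           # HMAC-SHA1-96: the 20-byte SHA-1 tag truncated to 96 bits
ALIGN = 4              # NULL cipher (RFC 2410) needs 4-byte alignment; AES would need 16


def ipv4_packet(src: str, dst: str, payload: bytes, proto: int = 6) -> bytes:
    """Minimal IPv4 header + payload (checksum left at zero; enough for the demo)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_esp_tunnel(spi: int, seq: int, inner: bytes, auth_key: bytes) -> bytes:
    """ESP header | inner packet | ESP trailer | ICV (the outer IP header is omitted).

    With a real cipher the region from the inner packet through the trailer
    would be encrypted; the ICV always covers the ESP header through the trailer.
    """
    esp_header = struct.pack("!II", spi, seq)          # SPI, sequence number
    pad_len = (-(len(inner) + 2)) % ALIGN              # 2 = pad length + next header
    padding = bytes(range(1, pad_len + 1))             # RFC 4303 default pad bytes
    esp_trailer = padding + struct.pack("!BB", pad_len, NEXT_HEADER_IPV4)
    authenticated = esp_header + inner + esp_trailer
    icv = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    return authenticated + icv


def parse_esp_tunnel(esp: bytes, auth_key: bytes) -> Tuple[int, int, int, bytes]:
    """Verify the ICV and unwrap. Returns (spi, seq, next_header, inner packet)."""
    if len(esp) < 8 + 2 + ICV_LEN:
        raise ValueError("ESP packet too short")
    authenticated, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, authenticated, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ICV mismatch: packet modified or wrong key")
    spi, seq = struct.unpack("!II", authenticated[:8])
    pad_len, next_header = authenticated[-2], authenticated[-1]
    inner_end = len(authenticated) - 2 - pad_len
    if inner_end < 8 or authenticated[inner_end:-2] != bytes(range(1, pad_len + 1)):
        raise ValueError("bad ESP padding")
    return spi, seq, next_header, authenticated[8:inner_end]


class ReplayWindow:
    """RFC 4303 sliding anti-replay window; bit 0 of the bitmap is the highest seq seen."""

    def __init__(self, size: int = 64) -> None:
        self.size, self.top, self.bitmap = size, 0, 0

    def check_and_update(self, seq: int) -> bool:
        if seq == 0:
            return False                               # sequence number 0 is never valid
        if seq > self.top:                             # new high-water mark: slide the window
            self.bitmap = ((self.bitmap << (seq - self.top)) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return True
        behind = self.top - seq
        if behind >= self.size or (self.bitmap >> behind) & 1:
            return False                               # too old, or already received
        self.bitmap |= 1 << behind
        return True


def receive(esp: bytes, auth_key: bytes, window: ReplayWindow) -> Optional[bytes]:
    """Accept a packet only if its ICV verifies and its sequence number is fresh.
    The window is updated only after the ICV check so a forged packet cannot move it."""
    try:
        _spi, seq, _next, inner = parse_esp_tunnel(esp, auth_key)
    except ValueError:
        return None
    return inner if window.check_and_update(seq) else None
```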


Configuration Example for IPsec VPN
Slide 5-61

Use the NSX Edge instances at HQ and Branch. Each instance is a
VPN gateway:
The NSX Edge gateway at HQ connects the internal network
192.168.20.0/24 to the Internet:
The internal interface is 192.168.20.1.
The uplink interface is 10.15.25.13.
The NSX Edge gateway at the Branch location connects internal
network 192.168.30.0/24 to the Internet:
The internal interface is 192.168.30.1.
The uplink interface is 10.24.20.90.
[Figure: HQ NSX Edge Gateway (192.168.20.0/24, internal interface 192.168.20.1) and Branch NSX Edge Gateway (192.168.30.0/24, internal interface 192.168.30.1) connected across the Internet]

The slide contains configuration examples for a basic point-to-point IPsec VPN connection between
an NSX Edge instance at headquarters and an NSX Edge instance at the remote location. VPN
gateways from Cisco, WatchGuard, and others can also be used at the remote location.
For this scenario, the NSX Edge instance at headquarters connects the internal network,
192.168.20.0 through 192.168.20.24, to the Internet. The NSX Edge interfaces are configured as
follows:
The uplink interface is 10.15.25.13.
The internal interface is 192.168.20.1.
The remote gateway connects the 172.16.0.0 through 172.16.0.16 internal network to the Internet.
The remote gateway interfaces are configured as follows:
The uplink interface is 10.15.25.13.
The internal interface is 192.168.30.1.
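An added Python check, not part of the course or of NSX, that validates a set of site-to-site definitions against the rules given in this lesson (subnets in CIDR format, nonoverlapping local and peer ranges, a peer endpoint that is either a valid IP address or blank for ANY, at most 64 tunnels across 10 sites) and derives the mirrored entry the remote gateway must carry. It assumes one tunnel per local/peer subnet pair, reuses the uplink addresses as the local and peer IDs, and takes the HQ and Branch addresses from the slide; the class and function names are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List

MAX_TUNNELS = 64   # limits stated in this lesson
MAX_SITES = 10


@dataclass(frozen=True)
class IpsecSite:
    """One entry of the Add IPSec VPN dialog. Subnets are comma-separated CIDR
    strings as the NSX UI expects; an empty peer_endpoint stands for ANY."""
    name: str
    local_id: str
    local_endpoint: str
    local_subnets: str
    peer_id: str
    peer_endpoint: str
    peer_subnets: str


def parse_subnets(text: str) -> list:
    """'a/b, c/d' -> networks. strict=True rejects host bits such as 192.168.20.1/24."""
    return [ipaddress.ip_network(s.strip(), strict=True)
            for s in text.split(",") if s.strip()]


def mirror(site: IpsecSite) -> IpsecSite:
    """The entry the remote NSX Edge needs: the same information from its perspective."""
    return IpsecSite(site.name, site.peer_id, site.peer_endpoint, site.peer_subnets,
                     site.local_id, site.local_endpoint, site.local_subnets)


def validate_sites(sites: List[IpsecSite]) -> List[str]:
    """Return the problems found; an empty list means the set is acceptable."""
    problems: List[str] = []
    tunnels = 0
    if len(sites) > MAX_SITES:
        problems.append(f"{len(sites)} sites exceeds the maximum of {MAX_SITES}")
    for site in sites:
        try:
            local = parse_subnets(site.local_subnets)
            peer = parse_subnets(site.peer_subnets)
            ipaddress.ip_address(site.local_endpoint)
            if site.peer_endpoint:               # blank means ANY, otherwise a valid IP
                ipaddress.ip_address(site.peer_endpoint)
        except ValueError as exc:
            problems.append(f"{site.name}: {exc}")
            continue
        if not local or not peer:
            problems.append(f"{site.name}: local and peer subnets are both required")
            continue
        for l in local:
            for p in peer:
                if l.overlaps(p):                 # address ranges must not overlap
                    problems.append(f"{site.name}: local {l} overlaps peer {p}")
        tunnels += len(local) * len(peer)        # assumption: one tunnel per subnet pair
    if tunnels > MAX_TUNNELS:
        problems.append(f"{tunnels} tunnels exceeds the maximum of {MAX_TUNNELS}")
    return problems


# The HQ-to-Branch example from the slide; the uplink addresses double as the IDs here.
HQ = IpsecSite("HQ-to-Branch", "10.15.25.13", "10.15.25.13", "192.168.20.0/24",
               "10.24.20.90", "10.24.20.90", "192.168.30.0/24")
BRANCH = mirror(HQ)   # what the Branch NSX Edge must be configured with
```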


IPsec with AES-NI
Slide 5-62

Up to 40 percent performance increase by supporting the Intel AES-NI
(AES New Encryption Instruction Set):
NSX Edge offloads the AES encryption of data to the hardware on
supported Intel Xeon and second-generation Intel Core processors.
No user configuration is necessary; AES-NI support in hardware is
autodetected.
Supports certificate authentication, preshared key mode, and IP unicast
traffic.

The encryption overhead for packet traffic in a VPN application can be high. The Intel AES-NI
feature can substantially reduce the demand on the CPUs of the ESXi hosts.


Add an IPsec VPN
Slide 5-63

You must configure at least one external IP address on the NSX Edge
gateway to provide IPsec VPN service:
For the local NSX Edge instance, enter the following:
An ID, the external IP address, and the CIDR block for the local subnets
The same set of information for the peer endpoint
For the remote NSX Edge instance, enter the same information, but from the remote
perspective.
Select an encryption algorithm, type of authentication, Diffie-Hellman group, and MTU.
[Screenshot: Add IPSec VPN dialog with Enabled, Name, Local Id, Local Endpoint, Local Subnets (entered in CIDR format with comma as separator), Peer Id, Peer Endpoint (a valid IP address, or left blank to represent ANY), Peer Subnets, Encryption Algorithm (AES), Authentication (PSK or Certificate), and Pre-Shared Key fields]

NSX SSL VPN-Plus Service


Slide 5-64

Enables individual remote users to connect securely to private networks behind an NSX Edge gateway:
Remote users can access applications and servers from the private networks.
Provides two access modes:
Web access mode (without a client)
Full network access mode (requires that a client is installed)
Supports the following operating systems:
Windows XP and above, including Windows 8
Mac OS X Tiger, Leopard, and Snow Leopard
Performance optimization:
The TCP optimization option avoids TCP-over-TCP meltdown.
Dynamic compression is an option.


Conventional full access SSL VPNs send TCP/IP data in a second TCP/IP stack for encryption over the Internet. The result is that application layer data is encapsulated twice in two separate TCP streams. When packet loss occurs (which happens even under optimal Internet conditions), a performance degradation effect called TCP-over-TCP meltdown occurs. In essence, two TCP instances are correcting a single packet of IP data, undermining network throughput and causing connection timeouts. TCP optimization eliminates this TCP-over-TCP problem, ensuring optimal performance.


SSL VPN-Plus
Slide 5-65

Access your corporate LAN by using the Web-access mode or with a downloadable SSL client:
No special hardware or software is required.

[Diagram: remote users connecting through Web access mode to the corporate LAN behind NSX Edge, which is managed from NSX Manager by the administrator; a Remote Desktop Connection dialog is shown as the example client application.]

With SSL VPN-Plus, remote users can connect securely to private networks behind an NSX Edge gateway. Remote users can access servers and applications in the private networks.
NSX Edge provides users with access to protected resources by establishing an SSL encrypted tunnel between a laptop (Mac OS X or Windows) and NSX Edge.
The SSL VPN-Plus service is intended to be deployed as a substitute for more complicated IPsec client-to-site or jump server solutions. SSL VPN-Plus does not support mobile clients, nor does it deliver common end-user features such as reverse proxy, custom portal, and SSL offload.
The use cases and capabilities of NSX Edge SSL VPN-Plus are different from capabilities that are provided by Horizon View. View is the VMware comprehensive approach to virtual desktop infrastructure, secure mobility, and end-user remote access.


NSX Edge SSL VPN-Plus Secure Management Access Server


Slide 5-66

Features:
Supports up to 25 users
Full tunnel client
SSL-encrypted AES, SHA
Authentication through Local, RADIUS, LDAP
Windows and Mac clients
Web browser or thick-client choice

NSX Edge provides administrative users with full tunnel access to protected resources by establishing an SSL encrypted tunnel between a laptop (Mac or Windows) and NSX Edge.


Use Cases for SSL VPN-Plus Services


Slide 5-67

The primary use case is secure remote access without the use of a jump box.
Another use case is to secure Web access with the thick client:
In full-tunnel mode, any traffic initiated at the client is tunneled to the SSL VPN-Plus gateway and directed to the respective networks.
No traffic is sent from the client system directly to the Internet.
Access can be enforced for the client system's local network (LAN).
The administrator can direct the traffic to a Web filtering or caching device.


Lab 12: Introduction


Slide 5-68

Creating a layer 2 VPN requires two NSX Edge instances with the correct VPN configuration.
The VPN tunnel is confirmed from the configuration screen.

[Screenshot: the layer 2 VPN client configuration dialog with Client Details (Server Address, Server Port, the Web-Tier internal interface, Description), User Details (User Id, Password, Retype Password), Proxy Settings, and Certificate Details (CA Certificate, Validate server certificate), beside a Fetch Status panel reporting Tunnel Status UP, Status, Established Date, Byte Received 1876, and Byte Transmitted 56696.]


Lab 13: Introduction


Slide 5-69

The headquarters connection.
The remote branch NSX Edge.

[Screenshot: Edit IPSec VPN dialogs for the HQ-Branch tunnel. HQ side: Local Id HQ, Local Endpoint 10.10.100.10, Local Subnets 10.16.0.0/19, Peer Id Branch, Peer Endpoint 10.10.130.10, Peer Subnets 10.16.40.0/24. Branch side: the same values entered from the remote perspective (Local Endpoint 10.10.130.10, Local Subnets 10.16.40.0/24, Peer Endpoint 10.10.100.10, Peer Subnets 10.16.0.0/19). Both sides use Encryption Algorithm AES, Authentication PSK, Diffie-Hellman Group DH2, and Enable perfect forward secrecy (PFS). The IPSec VPN Status and Statistics panel lists the tunnel with Local Endpoint 10.10.100.10, Peer Endpoint 10.10.130.10, Local Subnets, Peer Subnets, Channel State, and Tunnel State up.]
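The mirror-image requirement from the Add IPsec VPN slide and the HQ/Branch pair on this slide can be checked mechanically before the tunnel is published. The following Python is an added example written for this manual, not NSX code or a VMware tool: it records each side's dialog fields in an IPsecSite value, parses the comma-separated CIDR lists the dialog asks for, and reports every field where the two sides are not each other's reverse, plus local/peer subnet overlaps and mismatched encryption, authentication, Diffie-Hellman group or PFS settings. The HQ and Branch values are the ones shown on the slide; the IPsecSite class, the check_pair function and the deliberately mistyped Branch copy are constructed for the example.

```python
"""Consistency check for the two ends of an NSX Edge site-to-site IPsec VPN (added example)."""
import ipaddress
from dataclasses import dataclass, replace
from typing import List


@dataclass(frozen=True)
class IPsecSite:
    """The fields of one Edge's IPsec VPN dialog, as typed on that Edge."""
    name: str
    local_id: str
    local_endpoint: str      # external IP address of this Edge
    local_subnets: str       # CIDR list, comma as separator
    peer_id: str
    peer_endpoint: str       # IP address, or "" for ANY
    peer_subnets: str
    encryption: str = "AES"
    authentication: str = "PSK"
    dh_group: str = "DH2"
    pfs: bool = True


def parse_subnets(text: str) -> List[ipaddress.IPv4Network]:
    """Parse 'subnets should be entered in CIDR format with comma as separator'.
    strict=True rejects entries with host bits set, such as 10.16.40.1/24."""
    return [ipaddress.ip_network(item.strip(), strict=True)
            for item in text.split(",") if item.strip()]


def check_pair(a: IPsecSite, b: IPsecSite) -> List[str]:
    """Return the inconsistencies found; an empty list means the sides mirror each other."""
    problems = []
    for me, other in ((a, b), (b, a)):
        # What "other" says about its peer must equal what "me" says about itself.
        if other.peer_endpoint == "":
            problems.append(f"{other.name}: peer endpoint is blank (ANY), so any address may negotiate")
        elif other.peer_endpoint != me.local_endpoint:
            problems.append(f"{other.name}: peer endpoint {other.peer_endpoint} != "
                            f"{me.name} local endpoint {me.local_endpoint}")
        if other.peer_id != me.local_id:
            problems.append(f"{other.name}: peer id {other.peer_id!r} != {me.name} local id {me.local_id!r}")
        if set(parse_subnets(other.peer_subnets)) != set(parse_subnets(me.local_subnets)):
            problems.append(f"{other.name}: peer subnets {other.peer_subnets} != "
                            f"{me.name} local subnets {me.local_subnets}")
    for site in (a, b):
        # A prefix that is both local and peer makes the tunnel's routing ambiguous.
        for local in parse_subnets(site.local_subnets):
            for peer in parse_subnets(site.peer_subnets):
                if local.overlaps(peer):
                    problems.append(f"{site.name}: local subnet {local} overlaps peer subnet {peer}")
    for attr in ("encryption", "authentication", "dh_group", "pfs"):
        if getattr(a, attr) != getattr(b, attr):
            problems.append(f"{attr} differs: {a.name}={getattr(a, attr)} {b.name}={getattr(b, attr)}")
    return problems


# Values from the Lab 13 slide; the record names are constructed for this example.
HQ = IPsecSite("HQ", "HQ", "10.10.100.10", "10.16.0.0/19",
               "Branch", "10.10.130.10", "10.16.40.0/24")
BRANCH = IPsecSite("Branch", "Branch", "10.10.130.10", "10.16.40.0/24",
                   "HQ", "10.10.100.10", "10.16.0.0/19")
# A constructed mistake: the Branch administrator typed /16 instead of /19 for the HQ subnets.
BRANCH_TYPO = replace(BRANCH, peer_subnets="10.16.0.0/16")

if __name__ == "__main__":
    print("HQ <-> Branch:", check_pair(HQ, BRANCH) or "consistent")
    for line in check_pair(HQ, BRANCH_TYPO):
        print("HQ <-> Branch (typo):", line)
```

The overlap test matters because a local prefix that also appears under peer subnets leaves the Edge unable to tell tunnel-bound traffic from local traffic; the blank peer endpoint is reported rather than rejected because the dialog allows it, but a site-to-site tunnel normally has a known peer.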


Lab 14: Introduction (1)


Slide 5-70

Add an authentication source.
Configure SSL VPN-Plus.

[Screenshot: Add Authentication Server dialog with Authentication Server Type LOCAL; Enable password policy (Password Length, Minimum no. of alphabets, Minimum no. of digits, Minimum no. of special characters, Password should not contain user ID, Password expires in, Expiry notification in); Enable account lockout policy (User account will get locked after specific number of unsuccessful retries: Retry Count, Retry Duration, Lockout Duration); Status Enabled or Disabled; Use this server for secondary authentication; Terminate Session if authentication fails. Beside it, the SSL VPN-Plus Change Server Settings dialog with IPv4 Address (primary), IPv6 Address None, Cipher List AES128-SHA, and Use Default Certificate.]


Lab 14: Introduction (2)


Slide 5-71

Configure an IP Pool.
Configure the VPN installation package.

[Screenshot: Add Installation Package dialog with Profile Name, Gateway, Create installation packages for Windows, Linux, Mac, Description, Status Enabled or Disabled, and Installation parameters for Windows (Start Client on logon, Hide client system tray icon, Allow remember password, Create desktop icon, Enable silent mode installation, Hide SSL client network adapter, Enable silent mode operation, Server security certificate validation). Beside it, a network dialog with Network, Netmask, Description, Send Traffic Over Tunnel or Bypass Tunnel, Enable TCP Optimization, Ports, and Status Enabled or Disabled.]


Lab 12: Configuring Layer 2 VPN Tunnels


Slide 5-72

Configure a layer 2 VPN tunnel between two NSX Edge services gateway appliances:
1. Prepare for the Lab
2. Migrate a Web Server Virtual Machine to a Different Cluster
3. Create a Logical Switch and Migrate Virtual Machine Networking
4. Deploy the Branch Edge
5. Configure Branch Gateway as a Layer 2 VPN Client
6. Add an IP Address to the Uplink Interface
7. Add a Web-Tier Interface to Perimeter Gateway
8. Configure Perimeter Gateway as a Layer 2 VPN Server
9. Test Tunnel Connectivity
10. Verify Tunnel Connectivity
11. Clean Up for the Next Lab


Lab 13: Configuring IPsec Tunnels


Slide 5-73

Configure, test, and troubleshoot an IPsec tunnel designed to connect two sites (HQ and Branch):
1. Prepare for the Lab
2. Prepare the Perimeter Gateway for IPsec Tunneling
3. Configure Perimeter Gateway as an IPSec Tunnel Endpoint
4. Prepare the Branch Gateway for IPsec Tunneling
5. Update the web-sv-02a Web Server with the New Web-Tier Subnet Specification
6. Configure Branch Gateway as an IPsec Tunnel Endpoint
7. Test VPN Tunnel Connectivity
8. Troubleshoot and Resolve VPN Tunnel Connectivity
9. Clean Up for the Next Lab


Lab 14: Configuring and Testing SSL VPN-Plus


Slide 5-74

Configure an SSL VPN-Plus portal page and a direct-access client package:
1. Prepare for the Lab
2. Configure SSL VPN-Plus Server Settings
3. Configure a Local Authentication Server and a Local User
4. Enable SSL VPN-Plus and Test Portal Access
5. Configure an IP Pool and Private Networks
6. Create and Test an Installation Package
7. Test Network Access by Using the SSL VPN-Plus Client Application
8. Review the Client Configuration and Examine Traffic
9. Clean Up for the Next Lab


Concept Summary
Slide 5-75

A review of terms used in this lesson:


Which protocol suite is used as network-to-network connections to secure internet communications? IPsec
Which is the connection between two network devices that is encrypted in some way? Virtual Private Network (VPN)
What is used to secure and connect an individual computer to a network? Secure Socket Layer (SSL)


Review of Learner Objectives


Slide 5-76

You should be able to meet the following objectives:


Configure a layer 2 VPN on the NSX Edge gateway
Explain how an IPsec VPN enables systems at a branch location to access systems securely on a private network at headquarters
Configure an IP address on an external interface for use by an IPsec VPN
Configure an IPsec VPN service that connects the private networks at two locations across the Internet
Describe the use case that SSL VPN-Plus addresses
Decide whether Web-access mode or full-access mode is optimal for a use case
Configure the SSL VPN-Plus server settings that enable SSL on the external interface


Key Points
Slide 5-77

NSX Edge provides NAT service to assign a public address to a computer or group of computers in a private network.
With load balancing, traffic load is distributed across multiple backend servers.
High availability ensures that an NSX Edge appliance is always available by installing an active pair of edges on your virtualized infrastructure.
NSX Edge supports several types of VPNs.

Questions?


MODULE 6

NSX Security
Slide 6- 1


You Are Here


Slide 6-2

VMware NSX: Install Configure Manage
Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Security

Importance
Slide 6-3

Virtualizing the network abstracts application workload communications from the physical network and hardware topology. This virtualization is critical in allowing network security to break free from the physical constraints. Virtualization enables the network security to be based on user, application, and business context.


Module 6

NSX Security

365

Module Lessons
Slide 6-4

Lesson 1: NSX Edge Firewall
Lesson 2: Distributed Firewall
Lesson 3: Flow Monitoring
Lesson 4: Role-Based Access Control
Lesson 5: Service Composer
Lesson 6: Other Monitoring Options

Lesson 1: NSX Edge Firewall


Slide 6-5

Lesson 1:
NSX Edge Firewall


Learner Objectives
Slide 6-6

By the end of this lesson, you should be able to meet the following
objectives:

Describe where the VMware NSX Edge firewall is typically deployed

Compare the NSX Edge firewall to the distributed firewall

Configure the NSX Edge firewall rules


NSX Edge and Distributed Firewall: Security Comparison


Slide 6-7

Typical deployment of a firewall in a software-defined data center:
Distributed Firewall positioned for East-West traffic filtering.
NSX Edge services gateway positioned for North-South traffic filtering.

[Diagram: the Internet behind a physical perimeter firewall providing North-South protection, with the NSX Edge services gateway and the Distributed Firewall inside the data center.]

A logical firewall provides security mechanisms for dynamic virtual data centers. A logical firewall includes components to address different deployment use cases.
The Distributed Firewall focuses on East-West access and the VMware NSX Edge Firewall focuses on the North-South traffic enforcement at the tenant or data center perimeter. Together, these components address the end-to-end firewall needs of virtual data centers. You can deploy either or both of these technologies.


NSX Edge Firewall


Slide 6-8

The NSX Edge appliance provides a stateful firewall for North-South and East-West traffic flows:
Supports dynamic routing
Virtualization context aware
Provides line rate performance
All NSX Edge firewall configurations are done from Manage > Firewall.
Firewall rules are applied in ascending number order.

[Screenshot: the Firewall tab of an NSX Edge instance with its rule table.]

The NSX Edge firewall provides perimeter security functionality including firewall, network address translation (NAT), and site-to-site IPSec and SSL virtual private network (VPN) functionality. This solution is available in the virtual machine form factor and can be deployed in a high availability mode.


Firewall Rule Types


Slide 6-9

The types of firewall rule are the following:
Default: Rules created during the deployment of the NSX Edge gateway
Internal: Rules created by the NSX Edge gateway in support of services configured by the user
User: Rules created by the user
The firewall rule type does not affect the application of the rule.

[Screenshot: the Type column of the rule table, showing Internal, Internal, User, and Default.]


Virtualization Context Awareness


Slide 6-10

The NSX Edge firewall can filter traffic flows based on IP and
TCP/UDP header information.
The NSX Edge firewall can also filter traffic flows based on
virtualization-specific information:

Data center
Cluster

Resource pool

Port group

Logical switch

vApp
Virtual machine name


Populating Firewall Rules


Slide 6- 11

Point to each rule and click the white cross:
Assign a descriptive name to the rule.
Select a source.
Select a destination.
Select a service.
Select an action.

[Screenshot: the rule table with an internal routing rule (any, any, ospf:any:any, Accept), a new user rule being given the Rule Name SharePoint, and the Default Rule (any, any, any, Accept).]


Source and Destination of a Rule


Slide 6-12

The rule's source and destination can include the IP address in the packet or information provided by VMware vCenter Server, such as virtual machine name or resource pool:
The source and destination can be compounded to include multiple criteria.
If any of the criteria listed in the source matches, the rule is applied.

[Screenshot: rule table with the columns No., Name, Type, Source, Destination. Rule 1 firewall (Internal): source vse, destination any. Rule 2 routing (Internal): source any, destination any. Rule 3 Sharepoint (User): source 10.10.10.1, a compute cluster, and App-Tier01; destination db-sv-01a.]

When you select a virtual NIC (vNIC) Group, and select vse, the rule applies to the traffic generated by the NSX Edge instance. If you select internal or external, the rule applies to traffic coming from any internal or uplink interface of the selected NSX Edge instance. The rule is updated when you configure additional interfaces.


Firewall Service
Slide 6-13

A service in the firewall context is a collection of TCP/UDP ports that form the components for successful communication with an end system:
A service can be all the source and destination ports needed to access an Oracle database.
A service group is a collection of services.

[Screenshot: the Service selector listing any, ospf:any:any, Data Recovery Appliance, Heartbeat, Microsoft Exchange 2010, MS Exchange 2010 Client Access Servers, MS Exchange 2010 Transport Servers, and MS Exchange 2010 Mailbox Servers, with a New button.]

Avoid specifying the source port when you create rules. Instead, you can create a service for a
protocol-port combination.


Create a Firewall Service


Slide 6-14

After you create the service, it is automatically added to the Service column.

[Screenshot: Add Service dialog (New... > Service or Service Group). The dialog explains that an Application can be viewed as a tag on network traffic of a specified protocol that is transmitted through a specified port or set of ports. Fields: Name, Description, Protocol (TCP), Destination ports (e.g. 7001-7020,7100,8000-9000), and under Advanced options, Source ports (e.g. 7001-7020,7100,8000-9000).]


Action Option
Slide 6-15

The Action option allows the rule to accept or deny the traffic:
Logging can be enabled for the rule.
Network Address Translation support can be enabled.
The rule can be applied on ingress or egress.

[Screenshot: the rule's action settings: Action (Accept or Deny), Log (Log or Do not log), Comments, and under Advanced options, Match on (Original or Translated) and Enable Rule Direction (Incoming or Outgoing), with OK and Cancel buttons.]


Publish Changes
Slide 6-16

After the rule is created, publish the changes to NSX Edge.
The changes take effect immediately.

[Screenshot: the rule table with the banner "This rule set has unsaved changes. Click on Publish Changes button to start deploying" and the note that generated rules are currently shown (Hide rules). Rules: 1 firewall (Internal; source vse; destination any; service any; Accept), 2 routing (Internal; any; any; ospf:any:any; Accept), 3 SharePoint (User; source 10.10.10.1, a compute cluster, App-Tier01; destination db-sv-01a; service SharePoint2010; Accept), 4 Default Rule (Default; any; any; any; Accept).]


NSX Edge Services Gateway: Form Factors


Slide 6-17

The NSX Edge services gateway provides several virtual machine form factors.
Number of NAT rules: 2,000.

Size       | vCPU | RAM   | Total Number of Firewall Connections | Number of Firewall Rules | Comments
Compact    |      | 64 MB | 64,000                               | 2,000                    | Suitable for basic firewall
Large      |      | 1 GB  | 1,000,000                            | 2,000                    | Suitable for medium-level firewall
Quad Large |      | 1 GB  | 1,000,000                            | 2,000                    | Suitable for high-performance firewall
XLarge     |      | 8 GB  | 1,000,000                            | 2,000                    | Suitable for high-performance firewall + load balancer


Lab 15: Introduction (1)


Slide 6-18

Firewall rules are processed in order. The first rule that matches the
traffic being examined is applied and the traffic is passed or dropped.

No. | Name         | Type     | Source                        | Destination                   | Service                       | Action
1   | firewall     | Internal | vse                           | any                           | any                           | Accept
2   | ipsec        | Internal | 192.168.130.4, 192.168.100.10 | 192.168.130.4, 192.168.100.10 | udp:500,4500:any, esp:any:any | Accept
3   | sslvpn       | Internal | any                           | 192.168.130.4                 | tcp:443:any                   | Accept
4   | Default Rule | Default  | any                           | any                           | any                           | Deny
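Rule ordering and the service notation in this table (udp:500,4500:any, esp:any:any, tcp:443:any), together with the port-list format of the Add Service dialog shown earlier (7001-7020,7100,8000-9000), can be exercised in a few dozen lines. The Python below is an added example written for this manual, not NSX code: it parses the services, models rules 2 to 4 of the table above with the addresses shown, and applies them in ascending number order so that the first match decides and everything else falls to the Default Rule. Rule 1's source vse (traffic generated by the Edge itself) is a vNIC-group object that this address-based evaluator does not model; the Packet, Service and Rule classes and the sample packets (including the remote address 203.0.113.9) are constructed for the example.

```python
"""First-match evaluation of an ordered NSX Edge firewall rule table (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple, Union


def parse_ports(spec: str) -> Optional[FrozenSet[int]]:
    """Parse a port list in the Add Service dialog's format, for example
    '7001-7020,7100,8000-9000'. 'any' returns None (no port constraint)."""
    if spec.strip().lower() == "any":
        return None
    ports = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        lo_n, hi_n = int(lo), int(hi or lo)
        if not 0 < lo_n <= hi_n <= 65535:
            raise ValueError(f"bad port specification {part!r}")
        ports.update(range(lo_n, hi_n + 1))
    return frozenset(ports)


@dataclass(frozen=True)
class Packet:
    protocol: str                    # 'tcp', 'udp', 'esp', ...
    src: str
    dst: str
    src_port: Optional[int] = None   # None for port-less protocols such as ESP
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Service:
    """A service as the rule table prints it: protocol:destination ports:source ports."""
    protocol: str
    dst_ports: Optional[FrozenSet[int]]
    src_ports: Optional[FrozenSet[int]]

    @classmethod
    def parse(cls, text: str) -> "Service":
        if text.strip().lower() == "any":
            return cls("any", None, None)
        proto, dst, src = (t.strip() for t in text.split(":"))
        return cls(proto.lower(), parse_ports(dst), parse_ports(src))

    def matches(self, pkt: Packet) -> bool:
        if self.protocol not in ("any", pkt.protocol):
            return False
        if self.dst_ports is not None and pkt.dst_port not in self.dst_ports:
            return False
        if self.src_ports is not None and pkt.src_port not in self.src_ports:
            return False
        return True


@dataclass(frozen=True)
class Rule:
    number: int
    name: str
    source: Union[str, Tuple[str, ...]]        # 'any' or addresses/CIDRs
    destination: Union[str, Tuple[str, ...]]
    services: Tuple[Service, ...]              # empty tuple means any service
    action: str                                # 'Accept' or 'Deny'


def _address_matches(spec, address: str) -> bool:
    if spec == "any":
        return True
    ip = ipaddress.ip_address(address)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in spec)


def first_match(rules: List[Rule], pkt: Packet) -> Optional[Rule]:
    """Rules are applied in ascending number order; the first match decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if not _address_matches(rule.source, pkt.src):
            continue
        if not _address_matches(rule.destination, pkt.dst):
            continue
        if rule.services and not any(s.matches(pkt) for s in rule.services):
            continue
        return rule
    return None


# Rules 2-4 of the Lab 15 table. Rule 1's source 'vse' (the Edge's own traffic) is a
# vNIC-group object that this address-based evaluator does not model.
LAB15_RULES = [
    Rule(2, "ipsec", ("192.168.130.4", "192.168.100.10"), ("192.168.130.4", "192.168.100.10"),
         (Service.parse("udp:500,4500:any"), Service.parse("esp:any:any")), "Accept"),
    Rule(3, "sslvpn", "any", ("192.168.130.4",), (Service.parse("tcp:443:any"),), "Accept"),
    Rule(4, "Default Rule", "any", "any", (), "Deny"),
]


def decide(pkt: Packet, rules: List[Rule] = LAB15_RULES) -> Tuple[Optional[int], str]:
    """Return (matching rule number, action); a table without a match behaves as Deny."""
    rule = first_match(rules, pkt)
    return (rule.number, rule.action) if rule else (None, "Deny")


if __name__ == "__main__":
    for pkt in (Packet("tcp", "203.0.113.9", "192.168.130.4", 51000, 443),   # remote SSL VPN user
                Packet("udp", "192.168.100.10", "192.168.130.4", 500, 500),  # IKE from the IPsec peer
                Packet("esp", "192.168.100.10", "192.168.130.4"),            # ESP from the IPsec peer
                Packet("udp", "203.0.113.9", "192.168.130.4", 500, 500),     # IKE from an unknown address
                Packet("tcp", "203.0.113.9", "192.168.130.4", 51000, 22)):   # SSH from the Internet
        print(pkt, "->", decide(pkt))
```

The fourth sample packet is the point of the table: IKE on UDP 500 is accepted only from the two addresses in rule 2, so the same packet from anywhere else falls through rule 3 (wrong protocol) to the Default Rule and is dropped. Moving the Default Rule above rule 2 or 3 would shadow them entirely, which is why the rule number, not the rule type, decides.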


Lab 15: Introduction (2)


Slide 6-19

Restrict the destination.
Restrict the protocol.

[Screenshot: the Destination editor for an IP Address (IPv4 or IPv6) with a Value field (e.g. 192.168.200.1, 192.168.200.1/24, 192.168.200.1-192.168.200.24), and the Service selector filtered on "http", listing CIM-HTTP, CIM-HTTPS, HTTP, HTTPS, "HTTPS, net.tcp binding", and Office Server Web Services, with New..., OK, and Cancel buttons.]


Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic
Slide 6-20

Define NSX Edge firewall rules to restrict traffic to one or more Web servers:
1. Prepare for the Lab
2. Enable Flow Monitoring for Future Reference
3. Restrict Inbound Web Server Traffic to HTTP and HTTPS
4. Determine How the Firewall Rule Interacts with Other NSX Edge Features
5. Clean Up for the Next Lab

Concept Summary
Slide 6-2 1

A review of terms used in this lesson:


Which network device is used to restrict and filter traffic between networks and endpoints? Firewall
Which NSX Edge virtual appliance is deployed as a perimeter firewall? NSX Edge firewall
What performs packet inspection and tracks the state of connections passing through the firewall? Stateful firewall
Which are the set of rules by which a firewall bases its decisions to allow or deny traffic? Firewall rules
What is the ability to use details about a virtual machine known to the host for firewall rule construction called? Virtualization context awareness


Review of Learner Objectives


Slide 6-22

You should be able to meet the following objectives:


Describe where the NSX Edge firewall is typically deployed
Compare the NSX Edge firewall to the distributed firewall
Configure the NSX Edge firewall rules


Lesson 2: Distributed Firewall


Slide 6-23

Lesson 2:
Distributed Firewall


Learner Objectives
Slide 6-24

By the end of this lesson, you should be able to meet the following
objectives:

Compare the Distributed Firewall to traditional firewalls

Describe the policy enforcement of the Distributed Firewall

Configure rules on the Distributed Firewall


Evolution of Firewall Placement


Slide 6-25

The firewall has evolved in recent years.

[Diagram: Yesterday's Virtual Infrastructure compared with the NSX Virtual Infrastructure.]

The firewall has evolved in recent years. Originally, the firewall was a physical device that was placed at the perimeter of the network to inspect traffic entering the data center.
The next stage in the evolution was firewall appliances running in virtual machines. From a hypervisor perspective, one virtual machine talked to another virtual machine. The virtual machine acting as the firewall had to be the default gateway for the other virtual machines running on that host. Sometimes, firewalls also ran in the virtual machine to provide an additional layer of security.
The Distributed Firewall is a hypervisor kernel-embedded firewall that provides visibility and control for virtualized workloads and networks. The Distributed Firewall offers multiple sets of configurable rules for network layers 2, 3, and 4.

Distributed Firewall Overview


Slide 6-26

The distributed firewall module is embedded in the VMkernel.

[Diagram: a virtual machine above the kernel-embedded firewall in the hypervisor.]

The hypervisor-embedded nature of the firewall delivers close to line rate throughput to enable higher workload consolidation on physical servers. The distributed nature of the firewall provides a scale-out architecture that extends firewall capacity when additional hosts are added to a data center.
No virtual machine can circumvent the firewall. Egress and ingress packets are always processed by the firewall. If extreme load exists, such as CPU saturation or if memory is full, the Distributed Firewall behaves as a fail-close firewall: no packet passes through the firewall.


Distributed Firewall Filtering


Slide 6-27

Distributed Firewall provides security filtering functions on every host, in the hypervisor, and at kernel level:
Distributed Firewall is an East-West stateful L2-L4 firewall
Distributed enforcement of policy rules
Distributed Firewall offers centralized configuration using the vSphere Web Client.

The Distributed Firewall provides security filtering functions on every host in the hypervisor at the kernel level. The Distributed Firewall is an East-West stateful layer 2, 3, and 4 firewall. The Distributed Firewall provides distributed enforcement of policy rules. The Distributed Firewall is configured using the VMware vSphere Web Client. The Distributed Firewall is independent of the distributed router.

The Distributed Firewall is meant for East-West traffic or horizontal traffic. The NSX Edge firewall focuses on the North-South traffic enforcement at the tenant or data center perimeter.
The NSX Edge services gateway firewall protects the data path traffic. The firewall on the control virtual machine for the distributed router controls access to the distributed router, for example, to enable SSH access to the control virtual machine. So the firewall rules have no effect on the data path traffic for the distributed router.


Distributed Firewall Location and Policy Independence


Slide 6-28

Policies are virtual machine name-based, attribute-based, and vCenter Server container-based.
Policy is independent of virtual machine location:
The distributed firewall can enforce security rules between two virtual machines even if they are on the same L2 segment (VXLAN or VLAN).
Policy rules always follow the virtual machine, even if a migration with VMware vSphere vMotion occurs.

The Distributed Firewall policy is independent of where the virtual machine is located. If a virtual machine is migrated to another host using VMware vSphere vMotion, the firewall policy follows the virtual machine.


Distributed Firewall Policy Enforcement


Slide 6-29

Distributed Firewall enforces rules at the vNIC layer before encapsulation (or after de-encapsulation):
Independent of transport network (VXLAN or VLAN)
Independent of underlying virtual switch: VMware NSX Virtual Switch or distributed switch

[Diagram: two vSphere hosts with VTEP IP 10.20.10.10 and VTEP IP 10.20.10.11, carrying virtual machines with IP1/MAC1 and IP3/MAC3. Policy Rules (Source, Destination, Service, Action): VM1 to VM2, VM3 on TCP port 123; VM1 to VM2, VM3 for any service.]

No relationship exists between distributed switch ACL or security capabilities and Distributed Firewall.

Distributed Firewall rules are enforced at the vNIC layer before encapsulation or after de-encapsulation. The distributed firewall policies are independent of whether a virtual machine is connected to a VXLAN or VLAN. Distributed Firewall rules are independent of virtual machine location.
The Distributed Firewall can enforce rules even if the virtual machines are on the same layer 2 segment. Policy rules always follow a virtual machine if the virtual machine is migrated to another host.


Distributed Firewall Components: Communication


Slide 6-30

Firewall rules are configured in the vSphere Web Client and pushed to VMware NSX Manager.

[Diagram: a REST API client and the vSphere Web Client communicate with NSX Manager, which pushes rules to the Distributed Firewall kernel module (Security, VXLAN, DR, DFW) on each host.]

Using a Web browser, you can connect to the vSphere Web Client that accesses the VMware vCenter Server system. The vCenter Server system provides the user interface to manage policy rules and monitor distributed firewall activity.
The vCenter Server system communicates with VMware NSX Manager. NSX Manager pushes the rules down to the VMware ESXi host into the distributed firewall kernel module.
The distributed firewall module on the ESXi host runs in the kernel space and is responsible for firewall rules enforcement at the vNIC level.
The VMware NSX API can also be used to communicate with and configure the Distributed Firewall.

VMware NSX Controller is not responsible for distributed firewall functionality.


Distributed Data Path


Slide 6-31

Distributed Firewall rules are enforced on each vNIC.

[Diagram: a source virtual machine and a destination virtual machine, each connected through its vNIC to a vSwitch, with the firewall enforced at the vNIC on both the source and the destination side.]

The Distributed Firewall provides hypervisor-based firewall enforcement on every vNIC. The data path is optimized for performance and scalability. This daemon checks rules on both the ingress and egress on the source and destination virtual machine. No virtual machine traffic can circumvent the firewall.
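To make the per-vNIC, name-based enforcement described above concrete, the following Python is an added example written for this manual, not NSX code: one rule table (the policy rule from the earlier slide, VM1 to VM2 and VM3 on TCP port 123, followed by a default block rule as the notes recommend) is evaluated at the egress vNIC of the sending virtual machine and again at the ingress vNIC of the receiving one, so two virtual machines on the same host and segment are still filtered; migrating a virtual machine to another host changes nothing because the selectors name virtual machines and security groups, not hosts or addresses; and a host whose kernel module is overloaded fails closed. Connection tracking is left out, so the check applies to the flow-initiating direction only. The VM names, the 10.16.10.0/24 addresses, the host names esx-01 and esx-02, the app-tier security group and the class names are constructed for the example.

```python
"""Per-vNIC enforcement of name-based Distributed Firewall rules (added example)."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass
class VM:
    name: str
    ip: str
    host: str    # ESXi host the VM currently runs on; changes on vMotion


@dataclass(frozen=True)
class DfwRule:
    name: str
    source: str               # a VM name, 'sg:<security group>' or 'any'
    destination: str
    protocol: str             # 'tcp', 'udp' or 'any'
    dst_port: Optional[int]   # None means any port
    action: str               # 'Allow' or 'Block'


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: Optional[int] = None


class DistributedFirewall:
    """One centrally managed rule table, enforced by the kernel module at every vNIC."""

    def __init__(self, rules: Iterable[DfwRule], vms: Iterable[VM],
                 security_groups: Dict[str, Iterable[str]]):
        self.rules = list(rules)
        self.vms = {vm.name: vm for vm in vms}
        self.groups = {g: frozenset(members) for g, members in security_groups.items()}
        self.overloaded_hosts = set()   # hosts whose module has hit CPU or memory exhaustion

    def vm_by_ip(self, ip: str) -> Optional[VM]:
        return next((vm for vm in self.vms.values() if vm.ip == ip), None)

    def _selects(self, selector: str, vm: Optional[VM]) -> bool:
        if selector == "any":
            return True
        if vm is None:          # not a known VM (a physical host, for instance)
            return False
        if selector.startswith("sg:"):
            return vm.name in self.groups.get(selector[3:], frozenset())
        return vm.name == selector

    def decide(self, pkt: Packet) -> str:
        """Top-down, first match wins; rules name VMs and groups, never hosts or addresses."""
        src_vm, dst_vm = self.vm_by_ip(pkt.src_ip), self.vm_by_ip(pkt.dst_ip)
        for rule in self.rules:
            if (self._selects(rule.source, src_vm)
                    and self._selects(rule.destination, dst_vm)
                    and rule.protocol in ("any", pkt.protocol)
                    and rule.dst_port in (None, pkt.dst_port)):
                return rule.action
        return "Block"          # no rule matched: deny rather than pass

    def enforce_at_vnic(self, vm: VM, pkt: Packet) -> str:
        """The module on the VM's host filters at that vNIC; under extreme load it fails closed."""
        if vm.host in self.overloaded_hosts:
            return "Block"
        return self.decide(pkt)

    def deliver(self, pkt: Packet) -> str:
        """Egress check at the sender's vNIC, then ingress check at the receiver's vNIC."""
        verdicts = [self.enforce_at_vnic(vm, pkt)
                    for vm in (self.vm_by_ip(pkt.src_ip), self.vm_by_ip(pkt.dst_ip)) if vm]
        if not verdicts:
            return "NotEnforced"    # no vNIC in the path: nothing for the DFW to filter
        return "Allow" if all(v == "Allow" for v in verdicts) else "Block"

    def migrate(self, vm_name: str, new_host: str) -> None:
        self.vms[vm_name].host = new_host    # the policy stays with the VM


# Constructed inventory following the slide's VM1/VM2/VM3; addresses and hosts are made up.
VMS = [VM("VM1", "10.16.10.11", "esx-01"),
       VM("VM2", "10.16.10.12", "esx-01"),   # same host and segment as VM1
       VM("VM3", "10.16.10.13", "esx-02")]
RULES = [DfwRule("vm1-to-app-tier", "VM1", "sg:app-tier", "tcp", 123, "Allow"),
         DfwRule("default", "any", "any", "any", None, "Block")]


def build_dfw() -> DistributedFirewall:
    """Fresh firewall with copies of the inventory, so callers can migrate VMs freely."""
    return DistributedFirewall(RULES, [VM(v.name, v.ip, v.host) for v in VMS],
                               {"app-tier": ["VM2", "VM3"]})


if __name__ == "__main__":
    dfw = build_dfw()
    print(dfw.deliver(Packet("10.16.10.11", "10.16.10.12", "tcp", 123)))   # Allow, even on one host
    print(dfw.deliver(Packet("10.16.10.11", "10.16.10.12", "tcp", 22)))    # Block by the default rule
    dfw.migrate("VM2", "esx-02")
    print(dfw.deliver(Packet("10.16.10.11", "10.16.10.12", "tcp", 123)))   # still Allow after vMotion
    dfw.overloaded_hosts.add("esx-02")
    print(dfw.deliver(Packet("10.16.10.11", "10.16.10.13", "tcp", 123)))   # Block: fail close
```

The two-sided check is deliberately redundant when both endpoints see the same table: it is what guarantees that a packet is filtered even when only one of the two hosts is healthy, and it is why the module's fail-close behaviour under load blocks the flow at whichever vNIC is affected.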


Policy Rule Objects


Slide 6-32

The Distributed Firewall supports security rules, called policy rules, at the layer 2, layer 3, and layer 4 levels:
Layer 2 rules are created on the Ethernet tab.
Layer 3 and layer 4 rules are created on the General tab:
General rules are enforced after Ethernet policy rules are applied.

[Diagram: the TCP/IP model (Application Layer, Transport Layer, Internet Layer, Network Access Layer) beside the OSI model (Application, Presentation, Session, Transport, Network, Data Link, Physical Layers).]

L3/L4 rules control traffic at the network and transport layer. Use L3/L4 rules to filter specific source or destination IP addresses or L4 protocols. Some examples of L4 protocols are SSH (TCP port 22) and HTTP (TCP port 80).
L2 rules control traffic at the data link layer. Use L2 rules to filter specific source or destination MAC addresses or L2 protocols. Some examples of L2 protocols are ARP, RARP, and LLDP.

The Distributed Firewall supports security rules at the layer 2, layer 3, and layer 4 levels. Layer 2 rules are configured in the Ethernet tab of the NSX Controller instance. These rules are meant for actions that happen at layer 2 such as Cisco Discovery Protocol (CDP) and ARP.
The rules for layer 3 and layer 4 are defined in the General tab. The General tab policies define rules to manage traditional traffic between virtual machines in different subnets or from East-West traffic.


Layer 2 Policy Rules


Slide 6-33

You define firewall rules for layer 2 on the Ethernet tab.

[Screenshot: the Firewall tab of the Network and Security section in the vSphere Web Client, showing the Ethernet rule section.]

In the vSphere Web Client, under the Network and Security section, you find the Firewall tab. The Firewall tab is where distributed firewall policies are defined. On the Configuration tab of the Firewall tab are General policies and Ethernet policies. Ethernet policies are rules that are enforced at layer 2.


Layer 3 and Layer 4 Policy Rules


Slide 6-34

You define layer 3 and layer 4 firewall rules on the General tab.

Centralized Management of the Distributed Firewall


Slide 6-35

The Firewall tab allows centralized management of all Distributed Firewall rules.

Slide diagram: objects that Distributed Firewall rules can reference, drawn from the vCenter Server inventory and NSX Manager:

Identity: user identity, groups
Containers: clusters, data centers, port groups, VXLAN logical switches
Services: protocol, ports, custom services
VM containers: VM names, VM tags, VM attributes

The Firewall tab allows centralized management of all Distributed Firewall rules. When you add a rule, you provide a name, source, destination, service, action, and where the rule is enforced (Applied To). The source and destination can be an IP set, but they can also be a security group that you define. A security group is a collection of assets or grouping objects from your VMware vSphere inventory. You can also create sections to separate rules for different lines of business, for example, different departments.
The last rule, the default rule, is typically set to deny. In most cases, an administrator wants to explicitly allow certain types of traffic and block everything else by default. Ethernet (layer 2) rules are evaluated before General (layer 3 and layer 4) rules, and within each tab rules are processed from top to bottom. When traffic matches a rule, processing stops and that rule's action is applied, so rule order matters: a broad rule placed above a more specific one prevents the specific rule from ever matching.


Using Distributed Firewall Sections


Slide 6-36

Distributed Firewall sections segment policy rules for easier manageability and better performance. Sections do not affect the overall security policies.
To merge two sections, click the Merge icon and select the section to merge with.

The Distributed Firewall can have different rules based on sections such as a department. For
example, you might separate rules for human resources and for engineering departments in separate
sections. If you later decide to combine rules from different sections, you can merge sections and
consolidate the rules in those sections. You merge sections together by clicking the Merge icon.
Although sections have no effect on security, sectioning can ease management by allowing
administrators to apply rules to specific groups or job roles.


Policy Rule Objects


Slide 6-37

Objects that can be used in the source, destination, or Applied To fields of a rule:

Datacenter: vCenter Server data center
Cluster: vCenter Server cluster
Distributed Virtual Port Group: port group of a distributed switch
Network: vCenter Server network
Virtual App: vCenter Server vApp
Resource Pool: vCenter Server resource pool
Virtual Machine: VM name attribute
vNIC: VM vNIC attribute
Logical Switch: NSX logical switch (VXLAN logical switch)
Security Group: NSX security group, defined through the Service Composer tab; the rule applies to every VM and vNIC that is a member of the security group
IP Sets: list of IPv4 or IPv6 addresses

Advanced options: Source Ports (source L4 port) and Ports (destination L4 port).

NSX Services let you group one or more ports under a name, for example, TCP ports 20 and 21 as a service called FTP. You can use the predefined protocol ports or create NSX Services for new ports or port ranges. Several predefined NSX Services are created on the Distributed Firewall by default.
You can perform various actions on the traffic. Actions define what the firewall should do with the traffic after a rule match occurs, such as block or allow, and whether to log the match.
Using the Applied To text box, you specify which virtual machines, and hence which vNICs, receive the rule; it defines where the rule is enforced. When a rule is applied to a logical switch, it is applied to every virtual machine on that switch. When a rule is applied to a cluster, every virtual machine in that cluster is affected, and if a new virtual machine is added to the cluster, the rule is applied to that virtual machine as well. You can apply rules to a data center, a cluster, a distributed port group, a network, a logical switch, or a virtual machine vNIC.

When searching syslog for firewall entries, look for the BSIP value in the firewall log lines.


Logical Switch Rule-Based Example


Slide 6-38

Rules can be enforced between virtual machines on the same segment and between virtual machines on different segments.


Topology: Router Instance 1 connects the Web logical switch (VM1, VM2) to the App logical switch (APP logical-switch-2, VXLAN 5002; VM3, VM4).

Rule      Source               Destination          Action
1         Web logical switch   App logical switch   Block
2         VM1                  VM2                  Allow
Default                                             Block (assuming the default rule is set to block)

In the example on the slide, traffic coming from the Web logical switch that is destined for the App logical switch is blocked by rule 1. Thus VM1 and VM2 cannot talk to VM3 and VM4.
Rule 2 states that traffic from VM1 destined for VM2 is allowed. The two virtual machines are on the same logical switch segment. Assuming that the default rule is set to block all other traffic, traffic that VM2 sends to VM1 is not allowed, and traffic between VM3 and VM4 is blocked.
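The processing order described under Centralized Management of the Distributed Firewall (top to bottom, first match wins, default rule last) and the logical switch example above, modeled in Python. This is an added example, not NSX code: the inventory (VM1 and VM2 on the Web logical switch, VM3 and VM4 on the App logical switch) is constructed from the slide, connection state is ignored, and shadowed() is an added check that flags rules that a broader rule above them prevents from ever matching.

```python
"""Model of Distributed Firewall rule processing (added example, not NSX code).

Rules are evaluated top to bottom, the first match decides the action, and the
default rule at the bottom of the list catches everything else. Connection
state is ignored: each direction of traffic is evaluated on its own.
"""
from dataclasses import dataclass

ANY = "any"

# Constructed inventory from the slide: VM name -> logical switch it is connected to.
INVENTORY = {
    "VM1": "Web-LS", "VM2": "Web-LS",   # Web logical switch
    "VM3": "App-LS", "VM4": "App-LS",   # App logical switch (VXLAN 5002)
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str          # VM name, logical switch name, or ANY
    destination: str
    action: str          # "allow" or "block"
    service: frozenset = frozenset({ANY})   # e.g. frozenset({"tcp/80"}); ANY matches all


def expand(obj):
    """Resolve a rule object to the set of VM names it stands for."""
    if obj == ANY:
        return set(INVENTORY)
    if obj in INVENTORY:
        return {obj}
    return {vm for vm, switch in INVENTORY.items() if switch == obj}


def matches(rule, src, dst, service):
    service_ok = ANY in rule.service or service in rule.service
    return service_ok and src in expand(rule.source) and dst in expand(rule.destination)


def evaluate(rules, src, dst, service=ANY, default="block"):
    """Return (rule name, action) of the first matching rule, else the default rule."""
    for rule in rules:
        if matches(rule, src, dst, service):
            return rule.name, rule.action
    return "default", default


def pairs(rule):
    return {(s, d) for s in expand(rule.source) for d in expand(rule.destination)}


def shadowed(rules):
    """Names of rules that can never match because an earlier rule already covers
    every source, destination and service they would match: a rule-ordering bug
    that first-match processing hides silently."""
    hidden = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            service_covered = ANY in earlier.service or (
                ANY not in rule.service and rule.service <= earlier.service)
            if service_covered and pairs(rule) <= pairs(earlier):
                hidden.append(rule.name)
                break
    return hidden


# Rule set from the slide: rule 1 blocks Web -> App, rule 2 allows VM1 -> VM2.
SLIDE_RULES = [
    Rule("1", "Web-LS", "App-LS", "block"),
    Rule("2", "VM1", "VM2", "allow"),
]

if __name__ == "__main__":
    for src, dst in [("VM1", "VM2"), ("VM2", "VM1"), ("VM1", "VM3"), ("VM3", "VM4")]:
        print(f"{src} -> {dst}: {evaluate(SLIDE_RULES, src, dst)}")
    # Misordering: a broad block placed above the specific allow hides it completely.
    misordered = [Rule("1", "Web-LS", "Web-LS", "block"), Rule("2", "VM1", "VM2", "allow")]
    print("shadowed rules:", shadowed(misordered))
```

Run shadowed() against a rule set before publishing it; a non-empty result means a rule exists only on paper.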


Security Groups
Slide 6-39

A security group is a construct that allows dynamic grouping of objects:

Based on inclusion and exclusion of objects defined under vCenter Server:

Done internally under NSX Manager

Network and Security> Service Composer> Security Groups tab



Dynamic membership criteria can be defined to include objects in the security group. Match any or all of the following criteria: Computer OS Name, Computer Name, VM Name, Security Tag, Entity.

The Grouping feature enables you to create custom containers to which you can assign resources, such as virtual machines and network adapters, for Distributed Firewall protection. After a group is defined, you can add the group as the source or destination of a firewall rule.
Using the dynamic membership capability of security groups, you define the criteria that an object must meet to be added to the security group. This capability enables you to include virtual machines by defining a filter with one or more criteria, matching any or all of them.
For example, you can add a criterion to include all virtual machines that run a specific operating system (such as Microsoft Windows 2003) in the security group. Security tags are case-sensitive.


Security Group Components


Slide 6-40

When you create a security group, you specify its expression, inclusions, and exclusions:

Expression: defines the dynamic membership criteria of vCenter Server objects. Configured on the Define dynamic membership tab of the New Security Group wizard.

Inclusions: static membership selection of vCenter Server objects. Configured on the Select objects to include tab of the New Security Group wizard.

Exclusions: static membership rejection of vCenter Server objects. Configured on the Select objects to exclude tab of the New Security Group wizard.

Objects identified in the inclusions are added to the objects identified by the expression. Any object identified in the exclusions is removed from the security group.


Rule-Based Security Group Example


Slide 6-41

SECURITY-GROUP-WINDOWS: dynamic membership: Computer OS name contains Windows
SECURITY-GROUP-LINUX: dynamic membership: Computer OS name contains Linux

Topology: Router Instance 1; WEB logical-switch-1 (VXLAN 5001) carries the Windows virtual machines VM1 and VM2 and the Linux virtual machines VM3 and VM4.

Policy (one rule per direction):
Source SECURITY-GROUP-WINDOWS, Destination SECURITY-GROUP-LINUX: Block
Source SECURITY-GROUP-LINUX, Destination SECURITY-GROUP-WINDOWS: Allow

Resulting per-VM enforcement:
Source   Destination   Action
VM1      VM3           Block
VM1      VM4           Block
VM2      VM3           Block
VM2      VM4           Block
VM3      VM1           Allow
VM3      VM2           Allow
VM4      VM1           Allow
VM4      VM2           Allow

When the security group is created, it can be used as a source or destination when creating a firewall policy. This ability gives organizations flexibility in designing their firewall rules and reduces the number of lines they have to enter. After the security group is created, you can also add virtual machines to it by editing the security group. Security groups can be nested in other security groups.


In the example, two security groups exist. One group contains virtual machines running the Windows operating system and the other contains virtual machines running the Linux operating system. The firewall policy is set so that Windows traffic sent to Linux is blocked, and Linux virtual machine traffic sent to Windows is allowed. The Windows and Linux virtual machines are in the same segment, yet one line enforces this policy. If you add virtual machines, they fall into the security groups depending on their operating system and the policy is applied to them automatically.
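Security group membership as described on the Security Group Components slide (expression plus inclusions minus exclusions) and in the Windows/Linux example above, modeled in Python. This is an added example, not NSX code: the inventory, computer names and security tags are constructed, the criterion attributes and operators are a subset of the wizard's, and the SG-PCI and SG-ALL-SERVERS groups are made up to show case-sensitive tag matching, exclusions and nesting.

```python
"""Model of NSX security group membership (added example, not NSX code).

Membership = (VMs matching the dynamic expression) + static inclusions - static
exclusions. Inclusions may name nested security groups. Security tag matching
is case-sensitive. The inventory below is constructed.
"""
from dataclasses import dataclass

# Constructed inventory: VM name -> attributes a dynamic expression can match on.
INVENTORY = {
    "VM1": {"os": "Microsoft Windows Server 2008", "computer_name": "win-web01", "tags": {"PCI"}},
    "VM2": {"os": "Microsoft Windows 2003", "computer_name": "win-app01", "tags": set()},
    "VM3": {"os": "Ubuntu Linux 12.04", "computer_name": "lnx-web01", "tags": {"pci"}},
    "VM4": {"os": "Red Hat Enterprise Linux 6", "computer_name": "lnx-db01", "tags": {"PCI"}},
}


@dataclass(frozen=True)
class Criterion:
    attribute: str   # "os", "computer_name", "vm_name" or "security_tag"
    operator: str    # "contains", "equals" or "starts_with"
    value: str


def compare(operator, subject, value):
    if operator == "contains":
        return value in subject
    if operator == "equals":
        return subject == value
    if operator == "starts_with":
        return subject.startswith(value)
    raise ValueError(f"unknown operator {operator!r}")


def criterion_matches(crit, vm_name, attrs):
    if crit.attribute == "security_tag":
        # Tags are compared case-sensitively: a VM tagged "pci" does not match "PCI".
        return any(compare(crit.operator, tag, crit.value) for tag in attrs["tags"])
    subject = vm_name if crit.attribute == "vm_name" else attrs[crit.attribute]
    return compare(crit.operator, subject, crit.value)


@dataclass(frozen=True)
class SecurityGroup:
    name: str
    criteria: tuple = ()               # dynamic membership expression
    match_all: bool = False            # True: match all criteria; False: match any
    include: frozenset = frozenset()   # static inclusions: VM names or nested group names
    exclude: frozenset = frozenset()   # static exclusions: VM names


def members(group, groups, inventory):
    """Resolve a security group to the set of VM names that currently belong to it."""
    combine = all if group.match_all else any
    dynamic = {
        vm for vm, attrs in inventory.items()
        if group.criteria and combine(criterion_matches(c, vm, attrs) for c in group.criteria)
    }
    static = set()
    for obj in group.include:
        if obj in groups:                                   # nested security group
            static |= members(groups[obj], groups, inventory)
        elif obj in inventory:
            static.add(obj)
    return (dynamic | static) - set(group.exclude)         # exclusions always win


def policy_pairs(src_group, dst_group, groups, inventory):
    """Expand one group-to-group rule into the VM pairs it enforces."""
    return {(s, d) for s in members(src_group, groups, inventory)
            for d in members(dst_group, groups, inventory)}


# Groups from the slide plus two constructed ones showing tags, exclusions and nesting.
GROUPS = {
    "SECURITY-GROUP-WINDOWS": SecurityGroup(
        "SECURITY-GROUP-WINDOWS", criteria=(Criterion("os", "contains", "Windows"),)),
    "SECURITY-GROUP-LINUX": SecurityGroup(
        "SECURITY-GROUP-LINUX", criteria=(Criterion("os", "contains", "Linux"),)),
    "SG-PCI": SecurityGroup(
        "SG-PCI", criteria=(Criterion("security_tag", "equals", "PCI"),)),
    "SG-ALL-SERVERS": SecurityGroup(
        "SG-ALL-SERVERS", include=frozenset({"SECURITY-GROUP-WINDOWS", "SECURITY-GROUP-LINUX"}),
        exclude=frozenset({"VM2"})),
}

if __name__ == "__main__":
    for name, group in GROUPS.items():
        print(name, sorted(members(group, GROUPS, INVENTORY)))
    # The single Windows -> Linux block rule on the slide expands to these VM pairs:
    print(sorted(policy_pairs(GROUPS["SECURITY-GROUP-WINDOWS"], GROUPS["SECURITY-GROUP-LINUX"],
                              GROUPS, INVENTORY)))
```

Note that VM3 is missing from SG-PCI: its tag is "pci", and tag comparison is case-sensitive, which is the kind of silent gap worth checking when a group drives a block rule.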


Applied To: Example


Slide 6-42
Rule   Source   Destination   Service    Action   Applied To
1      VM1      VM2, VM3      port 123   Allow    VM1, VM2, VM3
2      VM1      VM4           port 321   Allow    VM1, VM4

Rules are defined in the vSphere Web Client, sent to vCenter Server, passed to NSX Manager, and pushed to the ESXi hosts. Resulting rule tables: VM1 receives rules 1 and 2, VM2 receives rule 1, VM3 receives rule 1, and VM4 receives rule 2.
The Applied To text box allows you to specify which destination component receives the rule. The rule might contain a virtual machine, vNIC, cluster, distributed port group, network, data center, or logical switch in the source or destination text boxes. VMware recommends that you add these components to the Applied To text box so that the rule is pushed only to the ESXi hosts and vNICs that need it. When dealing with large rule sets or overlapping IP addresses, use the Applied To text box to restrict the scope of Distributed Firewall rules.
Rules are created in the vSphere Web Client and sent through the vCenter Server instance, which passes them on to NSX Manager. NSX Manager evaluates the rule and pushes it to the corresponding hosts to apply to the corresponding virtual machines. In the example, you have two rules. Rule 1 allows VM1 to communicate with VM2 and VM3 on port 123. Rule 2 allows VM1 to communicate with VM4 on port 321. So both rules are attached to VM1, only rule 1 is attached to VM2 and VM3, and only rule 2 is attached to VM4.
Traffic going to VM4 is never checked against rule 1, because rule 1 is not attached to VM4's vNIC. Likewise, rule 2 applies only to VM1 and VM4, so traffic going to VM3 is never evaluated against it.
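The rule distribution shown in the Applied To example, modeled in Python as an added example (not NSX code). The inventory, the cluster and tenant logical switch names, and the TENANT_RULES set are constructed; the first two rules are the ones on the slide, and the tenant rules illustrate the overlapping-address case from the text.

```python
"""Model of how the Applied To field scopes Distributed Firewall rule distribution
(added example, not NSX code). NSX Manager pushes a rule only to the vNICs of the
objects named in Applied To, so each VM's local rule table holds only the rules
that were scoped to it. The inventory is constructed.
"""
from dataclasses import dataclass

DFW = "Distributed Firewall"   # default Applied To value: every protected vNIC

# Constructed inventory: VM name -> its cluster and logical switch.
INVENTORY = {
    "VM1": {"cluster": "Cluster-A", "switch": "Tenant-A-LS"},
    "VM2": {"cluster": "Cluster-A", "switch": "Tenant-A-LS"},
    "VM3": {"cluster": "Cluster-B", "switch": "Tenant-A-LS"},
    "VM4": {"cluster": "Cluster-B", "switch": "Tenant-B-LS"},
}


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    service: str
    applied_to: tuple   # VM names, cluster names, logical switch names, or (DFW,)
    action: str = "allow"


def expand(obj, inventory):
    """Resolve an Applied To object to the set of VM names whose vNICs receive the rule."""
    if obj == DFW:
        return set(inventory)
    if obj in inventory:
        return {obj}
    return {vm for vm, a in inventory.items() if obj in (a["cluster"], a["switch"])}


def distribute(rules, inventory):
    """Per-VM rule tables as NSX Manager would push them to the hosts, in rule order."""
    tables = {vm: [] for vm in inventory}
    for rule in rules:
        targets = set()
        for obj in rule.applied_to:
            targets |= expand(obj, inventory)
        for vm in targets:
            tables[vm].append(rule.name)
    return tables


# The two rules from the slide (destinations written as on the slide).
SLIDE_RULES = [
    Rule("1", "VM1", "VM2,VM3", "tcp/123", applied_to=("VM1", "VM2", "VM3")),
    Rule("2", "VM1", "VM4", "tcp/321", applied_to=("VM1", "VM4")),
]

# Overlapping address space: both tenants use 10.0.0.5. Scoping each rule to its
# tenant's logical switch keeps a rule from landing on the other tenant's vNICs.
TENANT_RULES = [
    Rule("A-db", "10.0.0.5", "any", "tcp/3306", applied_to=("Tenant-A-LS",)),
    Rule("B-db", "10.0.0.5", "any", "tcp/3306", applied_to=("Tenant-B-LS",), action="block"),
]

if __name__ == "__main__":
    print(distribute(SLIDE_RULES, INVENTORY))
    print(distribute(TENANT_RULES, INVENTORY))
    # A VM added to Cluster-A later picks up a cluster-scoped rule automatically.
    grown = dict(INVENTORY, VM5={"cluster": "Cluster-A", "switch": "Tenant-A-LS"})
    print(distribute([Rule("c", "any", "any", "any", applied_to=("Cluster-A",))], grown))
```

Without the Applied To scoping, both tenant rules would land on every vNIC and the first one in order would decide the fate of 10.0.0.5 for both tenants.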


Lab 16: Introduction


Slide 6-43

Add a section to the rules. The New Section dialog asks for a section name and a section position (Add section above or Add section below).

The Distributed Firewall configuration is backed up at regular intervals. The Saved Configurations list shows entries such as:

AutoSaved_2014-Jul-16 18:49:39   root   7/16/2014 11:49:39, Auto saved draft
AutoSaved_2014-Jul-16 18:49:26   root   7/16/2014 11:49:26, Auto saved draft
AutoSaved_2014-Jul-16 18:45:29   root   7/16/2014 11:45:28, Auto saved draft
AutoSaved_2014-Jul-16 18:41:31   root   7/16/2014 11:41:31, Auto saved draft
AutoSaved_2014-Jul-16 18:38:19   root   7/16/2014 11:38:19, Auto saved draft
AutoSaved_2014-Jul-16 18:29:58   root   7/16/2014 11:29:58, Auto saved draft


Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic
Slide 6-44

Define NSX Distributed Firewall rules to restrict traffic to one or more Web servers and between application tiers

1. Prepare for the Lab


2. Create a Distributed Firewall Section
3. Configure Cross-Tier Rules
4. Restrict Inbound Web Server Traffic to HTTP and HTTPS
5. Review Distributed Firewall Log Entries
6. Restore a Saved Distributed Firewall Configuration
7. Clean Up for the Next Lab


Concept Summary
Slide 6-45

A review of terms used in this lesson:


What is a firewall rule set for distributed firewalls called? Firewall policy

What filters different traffic types by the firewall? Firewall filtering

What are firewall policies that are independent of the virtual machine location called? Policy independence

What allows dynamic grouping of virtual machines based on defined criteria? Security groups


Review of Learner Objectives


Slide 6-46

You should be able to meet the following objectives:


Compare the Distributed Firewall to traditional firewalls

Describe the policy enforcement of the Distributed Firewall

Configure rules on the Distributed Firewall


Lesson 3: Flow Monitoring


Slide 6-47

Lesson 3:
Flow Monitoring


Learner Objectives
Slide 6-48

By the end of this lesson, you should be able to meet the following
objectives:

Describe how Flow Monitoring can be used to enhance security

Configure a Distributed Firewall rule to block a traffic flow


Flow Monitoring
Slide 6-49

Flow Monitoring is a traffic analysis tool that provides a detailed view of the traffic to and from protected virtual machines.
Flow Monitoring configures the Distributed Firewall to capture flows and send them to NSX Manager for retention.

Screenshot: Networking & Security > Flow Monitoring (NSX Manager 192.168.110.42) with the Dashboard, Details By Service, Live Flow, and Configuration tabs. Global Flow Collection Status: Disabled, with an Enable button and the message "System is configured to NOT collect firewall related flows".

The Distributed Firewall has visibility of all traffic flows that have taken place on the logical switches. By drilling down into the traffic data, you can evaluate the use of your resources and send session information to the Distributed Firewall to create an allow or block rule at any level.


Enable Flow Monitoring


Slide 6-50

Flow collection must be enabled for you to view traffic information.
You can choose which flows you want to collect and which flows you do not want to see.

Screenshot: Flow Monitoring > Configuration, Global Flow Collection Status: Enabled, with a Disable button.

By default, Flow Monitoring is disabled. To enable Flow Monitoring, click the Enable button. Flows that should not be collected can be added to the exclusion lists under Exclusion Settings on the Configuration tab.


Exclusion Settings
Slide 6-51

You can filter the data being displayed by specifying exclusion criteria.
You can exclude flows from collection based on multiple criteria:

DFW blocked flows
Layer 2 flows
Source and destination IP sets, MAC sets, virtual machines, and vNICs
Source and destination IP
Destination port
Service


Viewing Flows
Slide 6-52

After Flow Monitoring is enabled, the captured flows can be viewed from the Dashboard, with the default views Top Flows, Top Destinations, and Top Sources.


Flow Views by Service


Slide 6-53

The Details By Service tab provides information on all flows grouped by service:
You can view blocked flows by service.
You can modify the rule that allowed the flow.

If you click the Details by Service button at the top, you might see a flow that you do not want. You
can add a rule to block the flow or edit the existing rule that is permitting the flow.


Live Monitoring
Slide 6-54

You can view UDP and TCP connections from and to a selected vNIC .

Screenshot: Flow Monitoring > Live Flow tab (NSX Manager 192.168.110.42). "Live Flow will be shown for the selected vNIC. Please select a vNIC and press Start to see the live flows." Controls: vNIC selector (Browse), Start, Stop.

To view traffic between two virtual machines, view the live flows of one virtual machine on one computer and those of the other virtual machine on a second computer. You can view live flows for a maximum of two vNICs per host and five vNICs per infrastructure.


Live Monitoring Output Example


Slide 6-55

The screenshot shows the output from Live Monitoring for the
selected vNIC.

Live Flow tab (NSX Manager 192.168.110.42), vNIC: Network adapter 1 of the selected virtual machine, Refresh Rate: 15 seconds. Legend: new active flows, flows with state change, terminated flows. Columns: Rule Id, Direction, Flow Type, Protocol, Source IP, Source Port, Destination IP, Destination Port, State, Incoming Bytes, Incoming Packets, Outgoing Bytes, Outgoing Packets.

Direction   Flow Type   Protocol   Source               Destination           Counter
OUT         Active      UDP        192.168.100.75:138   192.168.100.255:138   229
IN          Active      UDP        192.168.100.76:138   192.168.100.255:138   236
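The Exclusion Settings, the Details By Service grouping, and the Live Flow output above, worked through on flow records in Python as an added example (not NSX code and not the format NSX Manager exports). The two UDP port 138 rows are taken from the screenshot; the remaining rows, the service name table and the block_rule_for() output format are constructed for illustration.

```python
"""Flow Monitoring data handled offline (added example, not NSX code): apply the
exclusion settings, group flows by service as the Details By Service tab does,
and turn one unwanted flow into a block rule. The records use the Live Flow
column layout of the slide; all rows except the two UDP port 138 ones are made up.
"""
import csv
import io
from collections import defaultdict

# Constructed live-flow records.
FLOWS_CSV = """rule_id,direction,flow_type,protocol,src_ip,src_port,dst_ip,dst_port,bytes
1001,OUT,Active,UDP,192.168.100.75,138,192.168.100.255,138,229
1001,IN,Active,UDP,192.168.100.76,138,192.168.100.255,138,236
1002,OUT,Active,TCP,192.168.100.75,51234,10.0.1.10,22,4120
1002,OUT,Terminated,TCP,192.168.100.75,51240,10.0.1.11,22,980
1003,OUT,Active,TCP,192.168.100.76,51301,10.0.1.20,80,15230
1004,OUT,Blocked,TCP,192.168.100.76,51377,10.0.1.30,3389,0
L2,OUT,Active,ARP,192.168.100.75,0,192.168.100.1,0,60
"""

# Service names for well-known destination ports (constructed subset of the NSX defaults).
SERVICES = {("TCP", 22): "SSH", ("TCP", 80): "HTTP", ("TCP", 3389): "RDP",
            ("UDP", 138): "NetBIOS-DGM"}


def parse_flows(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        for key in ("src_port", "dst_port", "bytes"):
            row[key] = int(row[key])
    return rows


def service_name(flow):
    return SERVICES.get((flow["protocol"], flow["dst_port"]),
                        f'{flow["protocol"]}/{flow["dst_port"]}')


def collect(flows, collect_blocked=True, collect_layer2=True, excluded_dst_ports=()):
    """Mimic the exclusion settings: drop flows the collector is configured not to keep."""
    kept = []
    for f in flows:
        if f["flow_type"] == "Blocked" and not collect_blocked:
            continue
        if f["protocol"] == "ARP" and not collect_layer2:
            continue
        if f["dst_port"] in excluded_dst_ports:
            continue
        kept.append(f)
    return kept


def by_service(flows):
    """Details By Service view: per service, flow count, byte total and blocked count."""
    summary = defaultdict(lambda: {"flows": 0, "bytes": 0, "blocked": 0})
    for f in flows:
        entry = summary[service_name(f)]
        entry["flows"] += 1
        entry["bytes"] += f["bytes"]
        entry["blocked"] += f["flow_type"] == "Blocked"
    return dict(summary)


def block_rule_for(flow, name=None):
    """Build the Distributed Firewall rule that would block this flow, as a plain dict
    in the name/source/destination/service/action form the Firewall tab asks for."""
    svc = service_name(flow)
    return {"name": name or f"Block {svc} {flow['src_ip']}->{flow['dst_ip']}",
            "source": flow["src_ip"], "destination": flow["dst_ip"],
            "service": svc, "action": "block", "log": True}


if __name__ == "__main__":
    flows = collect(parse_flows(FLOWS_CSV), collect_layer2=False)
    for svc, stats in sorted(by_service(flows).items()):
        print(f"{svc:12} {stats}")
    ssh = [f for f in flows if service_name(f) == "SSH" and f["dst_ip"] == "10.0.1.11"]
    print(block_rule_for(ssh[0]))
```

Excluding a service from collection (for example port 138 broadcast chatter) removes it from every view, so keep exclusions narrow enough that the blocked-flow counts still show what the rule set is doing.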


Lab 17: Introduction


Slide 6-56

Flow monitoring has been enabled in a previous lab (Flow Monitoring > Configuration: Global Flow Collection Status: Enabled).

Filter the results. Exclusion Settings offer Collect Blocked Flows, Collect Layer 2 Flows, and exclusions by Source, Destination, Destination ports, and Service.

Review flows by service. Details By Service shows Allowed Flows and Blocked Flows, and Change Time Interval offers Last 15 minutes, Last 1 hour, Last 12 hours, Last 24 hours, Last 1 week, Last 2 weeks, or a From/To range.


Lab 17: Using Flow Monitoring


Slide 6-57

Examine network flows using the Flow Monitoring feature and define
a firewall rule based on a flow
1. Prepare for the Lab
2. Examine Dashboard Details
3. Review Allowed Flows by Service
4. Add a Firewall Rule Based on a Flow
5. Clean Up for the Next Lab


Concept Summary
Slide 6-58

A review of terms used in this lesson:


What provides a detailed view of traffic to and from virtual machines? Flow monitoring


Review of Learner Objectives


Slide 6-59

You should be able to meet the following objectives:

Describe how Flow Monitoring can be used to enhance security

Configure a Distributed Firewall rule to block a traffic flow


Lesson 4: Role-Based Access Control


Slide 6-60

Lesson 4:
Role-Based Access Control


Learner Objectives
Slide 6-6 1

By the end of this lesson, you should be able to meet the following
objectives:

Describe authentication , authorization, and accounting (AAA)

Describe role-based access control

Describe the roles available in NSX Manager

Explain the scope options

Configure role-based access control in NSX Manager


Authentication, Authorization, and Accounting Model


Slide 6-62

AAA is a security model for providing user access to restricted systems:
Authentication is the process of validating the user.
Authorization is the process of granting partial or full access to the restricted system to the authenticated user.
Accounting is the process of logging the activities of the user after authorization is granted.
AAA is flexible because it allows the implementation of parts of the model.
You use the vSphere Web Client to configure AAA through VMware vCenter Single Sign-On.
VMware NSX uses the vCenter Single Sign-On AAA configuration through vCenter Server.

In many organizations, networkin g and security operations are handled by different teams or
members. Such organizations might require a way to limit certain operations to specific users.


Identity Sources
Slide 6-63

An identity source is an entity that provides full or partial AAA services.
vCenter Single Sign-On supports the following identity sources:
Microsoft Active Directory
Network Information Service (NIS)
Lightweight Directory Access Protocol (LDAP)
vCenter Single Sign-On is based on Security Assertion Markup Language (SAML) tokens.

VMware NSX supports VMware vCenter Single Sign-On. vCenter Single Sign-On enables NSX to authenticate users from other identity services such as Active Directory, Network Information Service (NIS), and LDAP.


Identity Source vSphere Requirements


Slide 6-64

To correctly add an identity source to the VMware vSphere environment, the following vCenter Server services must be configured:
vCenter Single Sign-On must be installed.
NTP must be configured on all the vSphere systems.
DNS must be populated for all vSphere systems.


Role-Based Access Control for NSX for vSphere


Slide 6-65

Role-based access control is a method of granting user access to restricted systems based on the function, or role, that the user has been assigned:
Users can be assigned a role directly or indirectly by belonging to a user group.
NSX users and user groups can be identified from existing vCenter Server users or from identity sources configured with vCenter Single Sign-On.
The default NSX admin user cannot be disabled.
NSX has predefined roles.
NSX system access can be restricted for users by using scopes.
A permission is the combination of the user, scope, and role.

A user's role defines the actions that the user is allowed to perform on a given resource. The role determines the user's authorized activities on that resource, ensuring that a user has access only to the functions necessary to complete the applicable operations. Combined with a scope, the role grants control over specific resources, or system-wide control if the user's permission has no scope restriction.


NSX User Roles


Slide 6-66

NSX provides roles that users can be assigned to:
Enterprise Administrator: has read and write access to all areas of NSX.
NSX Administrator: has read-write access to the NSX operations area, such as installing virtual appliances and configuring port groups, and read-only access to other areas.
Security Administrator: has read-write access to the NSX security area, such as defining data security policies, creating port groups, and creating reports for NSX modules, and read-only access to other areas.
Auditor: has read-only access to all areas.
New roles cannot be created.

NSX Manager provides four default roles that allow you to determine a user's authorized level of
activity.


Scopes
Slide 6-67

NSX provides scopes to restrict the area that a user can access in
the NSX system:
Global: The user has access to all areas of NSX.

Limited Access: The user has access to only the NSX areas defined in
the user profile .

The scope of a role determines the resources that a particular user can view.

NSX Role Guidelines


Slide 6-68

The following guidelines apply to roles in NSX:
User management for the vSphere Web Client is separate from CLI user management.
NSX permissions are independent of vCenter Server permissions.
Users inherit the permissions of the user groups that they belong to.
Users can have multiple permissions if they belong to multiple user groups.
A user cannot be defined without a role.
After a role is assigned to a user, the role can be changed.
The Enterprise Administrator and NSX Administrator roles have a global scope.


Permission Inheritance Example: Single Group


Slide 6-69

John does not have permissions defined in NSX, but John belongs to the user group Groundhog:
John is an NSX Auditor with read-only access to all areas.

User: John
  Belongs to group: Groundhog
  Role assigned: N/A

Group: Groundhog
  Role assigned: Auditor
  Scope: Global


Permission Inheritance Example: Multiple Groups


Slide 6-70

John does not have permissions defined in NSX, but John belongs to the user groups Groundhog and Spider:
John is a Security Administrator with read-write access to all objects in Datacenter1.
John is an NSX Auditor with read-only access to all other areas.

User: John
  Belongs to groups: Groundhog, Spider
  Role assigned: N/A

Group: Groundhog
  Role assigned: Auditor
  Scope: Global

Group: Spider
  Role assigned: Security Administrator
  Scope: Datacenter1
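The permission model from the NSX User Roles, Scopes, NSX Role Guidelines, and permission inheritance slides, modeled in Python. This is an added example, not NSX Manager code: the area names, the inventory tree (Datacenter1 containing Cluster-1 and web-01, and so on) and the user and group tables are constructed from the John, Groundhog and Spider example.

```python
"""Model of NSX Manager role-based access control (added example, not NSX code):
permission = user + role + scope; users inherit the permissions of every group
they belong to; Enterprise Administrator and NSX Administrator exist only with
the Global scope. Users, groups and the inventory tree are constructed from
the permission-inheritance slides.
"""
from dataclasses import dataclass

GLOBAL = "Global"

# Role -> areas with read-write access (every role can read everything in its scope).
ROLE_WRITE_AREAS = {
    "Enterprise Administrator": {"operations", "security", "other"},
    "NSX Administrator": {"operations"},
    "Security Administrator": {"security"},
    "Auditor": set(),
}
GLOBAL_ONLY_ROLES = {"Enterprise Administrator", "NSX Administrator"}

# Constructed inventory: object -> the object that contains it (None at the root).
PARENT = {
    "Datacenter1": None, "Datacenter2": None,
    "Cluster-1": "Datacenter1", "web-01": "Cluster-1",
    "Cluster-2": "Datacenter2", "db-02": "Cluster-2",
}


@dataclass(frozen=True)
class Permission:
    role: str
    scope: frozenset = frozenset({GLOBAL})   # GLOBAL or the objects the user is limited to

    def __post_init__(self):
        if self.role not in ROLE_WRITE_AREAS:
            raise ValueError(f"unknown role {self.role!r}; new roles cannot be created")
        if self.role in GLOBAL_ONLY_ROLES and self.scope != frozenset({GLOBAL}):
            raise ValueError(f"{self.role} requires the Global scope")


GROUPS = {
    "Groundhog": Permission("Auditor"),
    "Spider": Permission("Security Administrator", frozenset({"Datacenter1"})),
}
USERS = {  # user -> (direct permissions, group memberships)
    "John": ((), ("Groundhog", "Spider")),
}


def effective_permissions(user):
    """Direct permissions plus those inherited from every group the user belongs to."""
    direct, groups = USERS[user]
    perms = list(direct) + [GROUPS[g] for g in groups]
    if not perms:
        raise ValueError(f"{user} has no role; a user cannot be defined without one")
    return perms


def in_scope(permission, obj):
    """True if obj, or any object containing it, lies inside the permission's scope."""
    if GLOBAL in permission.scope:
        return True
    while obj is not None:
        if obj in permission.scope:
            return True
        obj = PARENT[obj]
    return False


def allowed(user, action, area, obj):
    """Authorization decision for action ("read" or "write") in an NSX area on obj."""
    for perm in effective_permissions(user):
        if not in_scope(perm, obj):
            continue
        if action == "read" or area in ROLE_WRITE_AREAS[perm.role]:
            return True
    return False


if __name__ == "__main__":
    checks = [("read", "security", "db-02"), ("write", "security", "web-01"),
              ("write", "security", "db-02"), ("write", "operations", "web-01")]
    for action, area, obj in checks:
        print(f"John {action} {area} on {obj}: {allowed('John', action, area, obj)}")
```

The union of group permissions is what makes John's effective rights wider than either group alone: Spider grants writes inside Datacenter1, Groundhog grants reads everywhere, and neither grants an operations write anywhere.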

Configure Role-Based Access Control


Slide 6-7 1

To grant user access to NSX:
1. Navigate to NSX Managers and select the NSX Manager instance.
2. Select Manage > Users.
3. Select the user or user group.
4. Assign a role.
5. Define the scope.

Screenshot: NSX Managers > 192.168.110.42 > Manage > Users, with a Change Role action. Listed users: admin (Origin: vCenter, Role: System Administrator, Status: Enabled) and root (Origin: vCenter, Role: Enterprise Administrator, Status: Enabled).


Define Scope
Slide 6-72

The choices for the scope are the following:
Data center
Port group
Logical switch
Virtual machine
Virtual appliance

Multiple objects can be selected.

Lab 18: Introduction


Slide 6-73

Add a user to the NSX server. vCenter privileges are required: the user or group is selected from vCenter Server and assigned a role.

Limit the user's NSX access. In the Edit Role Assignment for vCenter user dialog, Limit Scope offers two choices: No restriction (the user may access the NSX global configuration), or Limit access to the port group, datacenter, or NSX Edge listed below (type a port group, datacenter, or NSX Edge name to find it and add it to the list).


Lab 18: Managing NSX Users and Roles


Slide 6-74

Add an SSO user as an NSX Administrator and change the role of the user

1. Prepare for the Lab
2. Add an SSO User with NSX Administration Rights
3. Restrict an NSX User to Administration of a Specific NSX Edge
4. Explore Roles and Scope Limitations
5. Clean Up for the Next Lab


Concept Summary
Slide 6-75

A review of terms used in this lesson:


What is a permissions model that defines users' access to a system by their role? Role-based access control (RBAC)

What describes a general category of users that perform a specific type of task within a system? User role

What is the security model for providing user access to restricted systems? Authentication, authorization, and accounting (AAA)

What is the VMware implementation of AAA? VMware vCenter Single Sign-On

What is an entity that provides full or partial AAA services? Identity source

What restricts users based on the areas of NSX that they are allowed to access? Scope

When the permission settings of a role are inherited by the users within that role, what is the inheritance called? Permissions inheritance


Review of Learner Objectives


Slide 6-76

You should be able to meet the following objectives:


Describe AAA
Describe role-based access control

Describe the roles available in NSX Manager

Explain the scope options


Configure role-based access control in NSX Manager


Lesson 5: Service Composer


Slide 6-77

Lesson 5:
Service Composer


Learner Objectives
Slide 6-78

By the end of this lesson, you should be able to meet the following
objectives:

Explain how Service Composer enhances security

Create a policy and security group

Create a rule in Service Composer


Service Composer
Slide 6-79

Service Composer helps you to provision and assign network and security services to applications
in a virtual infrastructure.

[Figure: What you want to protect = Security Groups: Members (VM, vNIC) and Context (user identity, security posture). How you want to protect it = Security Policies: Services (Firewall, antivirus) and Profiles (labels representing specific policies).]

You map services to a security group, and the services are applied to the virtual machines in the
security group. Define security policies based on service profiles already defined (or blessed) by the
security team. Apply these policies to one or more security groups where your workloads are
members.


Using Service Composer
Slide 6-80

A security policy is created and consists of the following:
Endpoint services from VMware or partners
  Antivirus and malware
  Vulnerability management
  Data security
  Data loss prevention
Distributed Firewall rules
Network introspection services from VMware or partners

Security policy is then applied to one or more security groups.

A weight is given to the Security Policy to control precedence in the following situations:
Multiple security policies applied to the same security group.
Virtual machines that are members of two different security groups.

A security policy is a collection of the following service configurations:
Firewall rules that define the traffic to be allowed to, from, or within the security group that
apply to vNICs.
Endpoint services, which are data security or third-party solution provider services, such as
antivirus or vulnerability management services that apply to virtual machines. Endpoint
services must be installed for identity firewall.
Network introspection services, which are services that monitor your network, such as intrusion
prevention systems that apply to virtual machines.
A virtual machine might belong to more than one security group. Services that are applied to the
virtual machine depend on the precedence of the security policy mapped to the security groups.


NSX Integrated Partners
Slide 6-81

NSX collects all third-party security tools in one place where the team can manage, control, and
apply security.

[Figure: NSX API; NSX Controller and NSX Manager; Partner Extensions; Security Services: ADC/LB, L2 Gateway, Firewall, IDS/IPS, AV/FIM, Vulnerability Management. Service Composer = Service Consumption.]

Traffic leaves the virtual machine and is sent to the integrated partner product. Some partners have
integrated products into NSX. This traffic flow happens before the traffic reaches the network.


NSX: Third-Party End-to-End Workflow
Slide 6-82

You can extend the NSX operation model to third-party services:
1. Register the third-party management platform with NSX Manager.
2. Deploy the third-party virtual machine appliance per VMware ESXi cluster.
3. Consume the service.


Registering Partner Services
Slide 6-83

Before a partner security service is available to a security policy, the service must be registered
with NSX.

[Screenshot: partner service registration in NSX Manager; details not recoverable from the scan.]

If the partner solution's management console does not provide a mechanism to register the solution
with NSX Manager, you must register the solution manually.


Partner Service Registration: Palo Alto Networks
Slide 6-84

Ask the partner for instructions on how to register the service with NSX.
You need the following:
NSX Manager IP address or FQDN
NSX Manager credentials

[Screenshot: Palo Alto Networks registration dialog for the NSX Manager service; details not recoverable from the scan.]

Partner Service Registration: Symantec
Slide 6-85

Symantec protection is delivered as an agentless service on the NSX platform.

[Screenshot: Symantec service registration dialog; details not recoverable from the scan.]

Service Installation
Slide 6-86

After you register the partner service, you must deploy the partner service virtual machine.

[Screenshots: service deployment dialogs for Palo Alto Networks and Symantec; details not recoverable from the scan.]

If the partner solution includes a host-resident virtual appliance, you can install the service after you
register the solution.

Security Policy
Slide 6-87

A security policy is a set of endpoint, firewall, and network introspection services that can be
applied to a security group.

[Screenshot: Security Policy creation dialog; details not recoverable from the scan.]

Service Composer Canvas
Slide 6-88

The Service Composer canvas is a container that associates the security group with the service
policy to apply to the security group.

[Screenshot: Service Composer canvas showing a PCI DSS Zone security group.]

Service Composer offers a canvas view that displays all security groups in the selected NSX
Manager. The view also displays details such as members of each security group and the security
policy that is applied to the member.

Canvas View (1)
Slide 6-89

Containers: Grouping of VMs, IPs, and more to define what you want to protect.
Example: Financial Applications, Desktop Users, Quarantine Zone

Policies are a collection of service profiles that are assigned to this container to define how you
want to protect this container.
Example: PCI Compliance or Quarantine Policy

Nested containers are other groupings within the container.
Example: Quarantine Zone is a subgroup within My Data Center.

VMs (workloads) that belong to this container.
Example: Apache-Web-VM, Exchange Server-VM

Service profiles for deployed services, assigned to these policies. Services supported today:
Distributed Virtual Firewall
Antivirus
Vulnerability Management
Network IPS
Data Security (DLP scan)
User Activity Monitoring
File Integrity Monitoring

All security groups in the selected NSX Manager, which are not contained in another security group,
are displayed with the policies applied on them.

Canvas View (2)
Slide 6-90

Members: Applications and workloads that belong to this container.
Examples: Apache-Web-VM, Exchange Server-VM

[Screenshot: the "WHAT I Want to Protect - Virtual Machines" member list, showing the virtual machines Win7_AV and Win7_Vuln, members as of 8/16/13 5:29 PM.]

The slide shows virtual machines that are currently part of the main security group and nested
security groups.

Canvas View (3)
Slide 6-91

[Screenshot: Service Composer canvas with several security group boxes; details not recoverable from the scan.]

Each rectangular box in the canvas represents a security group. Icons in the box represent security
group members and details about the security policy mapped to the security group.

Service Composer: Vulnerability Scan Example
Slide 6-92

1. The Web server virtual machine that is running IIS is deployed, unknowingly having a
vulnerability.
2. A vulnerability scan is initiated on the Web server, for example, by Rapid7's Nexpose product.
3. The virtual machine is tagged in NSX Manager with the CVE and CVSS score.
4. NSX Manager associates the virtual machine with the Quarantine (VSM FW Deny).
5. The administrator applies patches, Nexpose rescans the virtual machine and clears the tag.
6. NSX Manager removes the virtual machine from Quarantine and the virtual machine returns to
its normal duties.

[Figure: SG: Web Servers (Membership: Include VMs that have been provisioned as WebServer); a second security group (Membership: Include VMs which have CVSS score >= 9); NSX Manager; Services.]

In the example, the virtual machine powers on and is a part of the group. So policies are applied to
the virtual machine. Rapid7 gets the traffic and determines the rating of the virtual machine and
labels the traffic as untrustworthy. The virtual machine is moved to a new security group and denies
all the traffic. The virtual machine is moved from the trusted security group to the untrusted security
group based on input from the Rapid7 device.
The virtual machines can be a part of the first security group because they meet the criteria of both
groups. However, the highest weight gets the policy applied. The weighting determines which
policy is applied to the virtual machine when the virtual machine is a part of multiple groups.
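A worked model of the scan workflow above, and of the weight rule from the Using Service Composer slide, added here as an example; it is not VMware code and does not call the NSX API. The group names, the tag name cvss_score, the policy weights and the CVSS threshold are constructed. The only behaviour taken from the notes is that group membership can be tag-driven and that the highest-weight policy wins when a virtual machine is in several security groups.

```python
"""Model of Service Composer group membership and policy precedence.

Added example, not VMware code and not the NSX API. Group names, tag
names, weights and the CVSS threshold are constructed; the notes only
establish that membership can be tag-driven and that the highest-weight
policy wins when a virtual machine is in several security groups.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple


@dataclass
class VirtualMachine:
    name: str
    # Security tags set on the VM, e.g. by a vulnerability scanner (constructed)
    tags: Dict[str, str] = field(default_factory=dict)


@dataclass
class SecurityGroup:
    """What you want to protect: static members plus an optional dynamic rule."""
    name: str
    static_members: Set[str] = field(default_factory=set)
    dynamic_rule: Optional[Callable[[VirtualMachine], bool]] = None

    def contains(self, vm: VirtualMachine) -> bool:
        if vm.name in self.static_members:
            return True
        return bool(self.dynamic_rule and self.dynamic_rule(vm))


@dataclass
class SecurityPolicy:
    """How you want to protect it: services plus a weight for precedence."""
    name: str
    weight: int                 # higher weight = higher precedence
    firewall_action: str        # "allow" or "deny" for the group's vNIC traffic
    applied_to: List[str]       # names of the security groups it is mapped to


def cvss_at_least(threshold: float) -> Callable[[VirtualMachine], bool]:
    """Dynamic membership rule: the VM carries a CVSS tag at or above threshold."""
    def rule(vm: VirtualMachine) -> bool:
        score = vm.tags.get("cvss_score")
        return score is not None and float(score) >= threshold
    return rule


def groups_for(vm: VirtualMachine, groups: List[SecurityGroup]) -> List[str]:
    """All security groups (static or dynamic) the VM currently belongs to."""
    return [g.name for g in groups if g.contains(vm)]


def effective_policy(vm: VirtualMachine, groups: List[SecurityGroup],
                     policies: List[SecurityPolicy]) -> Optional[SecurityPolicy]:
    """Among policies mapped to any group the VM is in, the highest weight wins."""
    member_of = set(groups_for(vm, groups))
    candidates = [p for p in policies if member_of.intersection(p.applied_to)]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.weight)


def build_lab() -> Tuple[List[SecurityGroup], List[SecurityPolicy]]:
    """Constructed groups and policies mirroring the scan workflow on the slide."""
    groups = [
        SecurityGroup("Web Servers", static_members={"web-01"}),
        SecurityGroup("Quarantine", dynamic_rule=cvss_at_least(9.0)),
    ]
    policies = [
        SecurityPolicy("Web Policy", weight=1000, firewall_action="allow",
                       applied_to=["Web Servers"]),
        SecurityPolicy("Quarantine Deny", weight=5000, firewall_action="deny",
                       applied_to=["Quarantine"]),
    ]
    return groups, policies


def scan_workflow() -> List[tuple]:
    """Walk the six steps and record which policy applies at each stage."""
    groups, policies = build_lab()
    vm = VirtualMachine("web-01")

    def snapshot(label: str) -> tuple:
        policy = effective_policy(vm, groups, policies)
        return (label, groups_for(vm, groups), policy.name if policy else None)

    timeline = []
    # Steps 1-2: deployed into Web Servers, scan has not reported anything yet
    timeline.append(snapshot("deployed"))
    # Step 3: the scanner tags the VM; step 4: it now also matches Quarantine,
    # and the heavier Quarantine Deny policy takes precedence over Web Policy
    vm.tags["cvss_score"] = "9.8"
    timeline.append(snapshot("tagged"))
    # Step 5: patched and rescanned, tag cleared; step 6: back to Web Policy
    del vm.tags["cvss_score"]
    timeline.append(snapshot("cleared"))
    return timeline


if __name__ == "__main__":
    for stage, member_of, policy in scan_workflow():
        print(f"{stage:8s} groups={member_of} policy={policy}")
```

The VM never leaves Web Servers while quarantined; it is in both groups, exactly the situation the notes describe, and only the weight decides that the deny policy is the one enforced. Clearing the tag is enough to drop it out of the dynamic group.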


Service Composer: Traffic Redirection with PAN Example (1)
Slide 6-93

Traffic redirection (or traffic steering) can be configured in the following ways:
Any new virtual machine added to the corresponding Security-Group (S-G) is automatically subject
to associated traffic redirection.

[Figure: S-G WEB, S-G APP, S-G DB, and User; Security-Group to Security-Group; Security-Group to Any.]

Traffic redirection (or traffic steering) from a guest virtual machine to a Palo Alto Networks
VM-Series firewall is performed internally at the hypervisor level using shared memory space. The
NSX administrator specifies which DVS port group or logical switch (VXLAN) needs to be served by
the Palo Alto Networks VM-Series firewall.

Traffic redirection (defined in the Network Introspection Service window) can be defined in the
following ways:
From Security Group (SG-1 for instance) to Security Group (SG-2 for instance)
From Any to Security Group (SG-1 for instance)
From Security Group (SG-1 for instance) to Any
Any means any source or destination IP address respectively.

Using Service Composer or Security Policy, the security team can define traffic flows that are
redirected to the Palo Alto Networks VM-Series firewall for inspection and enforcement. Traffic
allowed by the VM-Series firewall is then returned to the VMware NSX Virtual Switch for
delivery to the final destination. The final destination is either the guest virtual machine or the
physical device.

Service Composer: Traffic Redirection with PAN Example (2)
Slide 6-94

Security Policy or Network Introspection Services:
Define traffic that is steered to the PAN VM-Series FW
Source or Destination:
  Any
  Policy's Security Group
  Select Security Groups
Action:
  Redirect to service
  Do not redirect
Protocol:
  Any
  Specified: TCP/UDP destination port and source port

[Screenshot: Network Introspection Service rule dialog; details not recoverable from the scan.]

Concept Summary
Slide 6-95

A review of terms used in this lesson:

What is a third-party security tool able to be managed from within Service Composer called?
Integrated partner

What is extending the NSX operational model to third-party services called?
Third-Party End-to-End Workflow

Review of Learner Objectives


Slide 6-96

You should be able to meet the following objectives:

Explain how Service Composer enhances security

Create a policy and security group

Create a rule in Service Composer


Lesson 6: Other Monitoring Options


Slide 6-97

Lesson 6:
Other Monitoring Options


Learner Objectives
Slide 6-98

By the end of this lesson, you should be able to meet the following
objectives:

Describe how to find firewall entries in the Syslog

Analyze Syslog security entries


About Syslog
Slide 6-99

Syslog is supported across all NSX components:
NSX Manager
VMware NSX Controller
NSX Edge
ESXi

[Screenshots: Syslog configuration for each component: NSX Manager (Syslog Server syslog.corp.local, protocol TCP; the server name must be resolvable by the configured DNS servers), NSX Controller, NSX Edge (Syslog servers, auto generate rules enabled) and the ESXi host (Advanced System Settings).]

You can enable Syslog for the NSX components, even on NSX Controller and NSX Edge. You
specify a Syslog server where all the Syslog messages are collected. Management plane logs are
available through NSX Manager and data plane logs are available through vCenter Server. VMware
recommends that you specify the same Syslog server for the NSX component and vCenter Server to
get a complete picture when viewing logs on the Syslog server.

Syslog Format
Slide 6-100

The system event message logged in the Syslog has the following structure:
Syslog header
Event ID
Timestamp
Application name
Event code
Severity
Message

The system event message that is logged in the Syslog has the structure listed in the slide.
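To show how the fields listed above are pulled out of raw syslog lines and how firewall entries are separated from other events (the two objectives of this lesson), here is an added example parser. It is not VMware code and the exact NSX message layout is not reproduced: the sample lines, the application name dfw, the event codes FW-PASS and FW-DROP and the order of the body fields are all constructed to follow the slide's field list, and the regular expression assumes that layout.

```python
"""Parse syslog lines into the fields the slide lists and pull out firewall entries.

Added example, not VMware code. The exact NSX message layout is not
reproduced: the sample lines, the application name "dfw", the event codes
FW-PASS / FW-DROP and the order of the body fields are constructed to follow
the slide's field list, and the regular expression assumes that layout.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines: RFC 3164-style header "<PRI>timestamp host tag:"
# followed by event ID, timestamp, application name, event code, severity
# and a key=value message body.
SAMPLE_LOG = """\
<134>Jun  5 14:02:11 esxi-01 dfw: 1001 2014-06-05T14:02:11Z dfw FW-PASS info src=10.0.1.20 dst=10.0.2.5 proto=TCP dport=443 action=PASS
<132>Jun  5 14:02:12 esxi-01 dfw: 1002 2014-06-05T14:02:12Z dfw FW-DROP warning src=10.0.9.7 dst=10.0.2.5 proto=TCP dport=22 action=DROP
<134>Jun  5 14:02:13 nsxmgr-01 nsxmgr: 2001 2014-06-05T14:02:13Z nsxmgr USER-LOGIN info user=admin result=success
<132>Jun  5 14:02:14 esxi-02 dfw: 1003 2014-06-05T14:02:14Z dfw FW-DROP warning src=10.0.9.7 dst=10.0.2.6 proto=TCP dport=3389 action=DROP
this line is not syslog at all
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                    # syslog PRI
    r"(?P<header_ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "   # header timestamp
    r"(?P<host>\S+) (?P<tag>[^:\s]+): "                       # host and tag
    r"(?P<event_id>\d+) (?P<timestamp>\S+) (?P<app>\S+) "     # body fields
    r"(?P<event_code>\S+) (?P<severity>\S+) (?P<message>.*)$"
)

# Application names whose entries count as firewall entries (assumed)
FIREWALL_APPS = {"dfw"}


def parse_syslog_line(line: str) -> Optional[Dict[str, object]]:
    """Return the structured fields of one line, or None if it is not syslog."""
    m = LINE_RE.match(line)
    if not m:
        return None
    entry: Dict[str, object] = dict(m.groupdict())
    pri = int(m.group("pri"))
    entry["facility"] = pri // 8      # RFC 3164: PRI = facility * 8 + severity
    entry["pri_severity"] = pri % 8
    # Split the free-text message into key=value pairs where possible
    kv: Dict[str, str] = {}
    for token in m.group("message").split():
        if "=" in token:
            key, value = token.split("=", 1)
            kv[key] = value
    entry["fields"] = kv
    return entry


def firewall_entries(lines: List[str]) -> List[Dict[str, object]]:
    """Keep only well-formed entries produced by a firewall application."""
    parsed = (parse_syslog_line(line) for line in lines)
    return [e for e in parsed if e is not None and e["app"] in FIREWALL_APPS]


def drops_by_source(entries: List[Dict[str, object]]) -> Counter:
    """Count FW-DROP entries per source address to spot noisy sources."""
    return Counter(e["fields"]["src"] for e in entries
                   if e["event_code"] == "FW-DROP")


if __name__ == "__main__":
    fw = firewall_entries(SAMPLE_LOG.splitlines())
    for e in fw:
        print(e["timestamp"], e["event_code"], e["severity"], e["fields"])
    print("drops by source:", dict(drops_by_source(fw)))
```

Malformed lines are dropped rather than raising, so a collector fed mixed input keeps running; the PRI value is decoded into facility and severity so the entries can be cross-checked against the severity carried in the message body.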


vCenter Log Insight
Slide 6-101

Consolidate, visualize, and correlate Syslog data from multiple related components in a
software-defined data center.
Build custom dashboards for real-time monitoring and trending.
Customize log interpretation logic to parse using regex, int, and str.

[Screenshot: vCenter Log Insight dashboard; details not recoverable from the scan.]

VMware vCenter Log Insight provides faster analytical queries and aggregation than traditional
tools, especially on larger data sets. vCenter Log Insight identifies key-value pairs and adds
structure to all types of unstructured log data, enabling administrators to troubleshoot quickly,
without needing to know the data beforehand.

Concept Summary
Slide 6-102

A review of terms used in this lesson:

What is a computer message logging standard called?
Syslog

Which is the VMware product that delivers real-time log management and analysis?
VMware vCenter Log Insight

Review of Learner Objectives
Slide 6-103

You should be able to meet the following objectives:
Describe how to find firewall entries in the Syslog
Analyze Syslog security entries

Key Points
Slide 6-104

Distributed Firewall focuses on East-West access controls.
The NSX Edge firewall focuses on the North-South traffic enforcement at the tenant or data center
perimeter.
A user's role defines actions that the user is allowed to perform on a given resource.
Flow Monitoring provides a detailed view of the traffic to and from protected virtual machines.
Service Composer helps you to provision and assign network and security services to applications
in a virtual infrastructure.
Syslog can be enabled for all NSX components.
Questions?