7. NSX Logical Switching
Challenges
• Per-application / multi-tenant segmentation
• VM mobility requires L2 everywhere
• Large L2 physical network sprawl – STP issues
• HW memory (MAC, FIB) table limits
Benefits
• Scalable multi-tenancy across the data center
• Enabling L2 over L3 infrastructure
• Overlay based with VXLAN, etc.
• Logical switches span across physical hosts and network switches
Figure: VMware NSX – Logical Switch 1, Logical Switch 2, Logical Switch 3
8. NSX and VXLAN
• VXLAN can be seen as a service on the host
• VXLAN uses a vmknic and implements VXLAN Virtual Tunnel End Point (VTEP) functionality
• Depending on the uplink configuration, there might be several VTEPs on a host
  – A single dvPortGroup is created for all VTEPs
• A logical switch is an L2 broadcast domain implemented using VXLAN
  – A dvPortGroup is created for each logical switch
Figure: Host A – vSphere Distributed Switch with dvUplink-PG, dvPG-VTEP (VXLAN VTEP) and Logical SW A (VM1), attached to a generic IP fabric
9. Traffic Flowing on a VXLAN Backed VDS
• In this setup, VM1 and VM2 are on different hosts but belong to the same logical switch
• A VXLAN tunnel is established between the two hosts
Figure: Host A (Logical SW A with VM1, dvPG-VTEP/VTEP, dvUplink-PG) and Host B (Logical SW A with VM2, dvPG-VTEP/VTEP, dvUplink-PG) on one vSphere Distributed Switch, joined by a VXLAN tunnel across the generic IP fabric
10. Traffic Flowing on a VXLAN Backed VDS
• Assume VM1 sends some traffic to VM2:
1. VM1 sends an L2 frame to the local VTEP
2. The VTEP adds VXLAN, UDP and IP headers
3. The physical transport network forwards it as a regular IP packet
4. The destination hypervisor's VTEP decapsulates the frame
5. The L2 frame is delivered to VM2
Figure: Host A and Host B as on the previous slide; the L2 frame leaves VM1, crosses the VXLAN tunnel over the generic IP fabric as IP/UDP/VXLAN + L2 frame, and arrives at VM2
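The five steps above, carried out byte for byte. This is an added example written for this page, not VMware code and not the NSX implementation: a pure-Python VTEP that wraps VM1's Ethernet frame in VXLAN + UDP + IPv4 headers, and a receiving VTEP that validates the outer headers, checks the VNI and hands the original frame back. VNI 5001 and the VTEP addresses 10.20.10.10/.11 are taken from the DFW slide later in this deck; the MAC addresses, payload and UDP source port are constructed. The outer Ethernet header is left out, since it is rewritten hop by hop in the fabric anyway.

```python
"""VXLAN encapsulation and decapsulation as done by a VTEP (added example, not VMware code)."""
import ipaddress
import struct
from typing import Optional

VXLAN_UDP_PORT = 4789       # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_I = 0x08         # "I" flag: the VNI field is valid
IP_PROTO_UDP = 17


def build_frame(dst_mac: str, src_mac: str, payload: bytes, ethertype: int = 0x0800) -> bytes:
    """Inner Ethernet frame exactly as VM1 hands it to its vNIC (constructed sample)."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words; returns 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_vxlan_header(vni: int) -> bytes:
    """8 bytes: flags(1) reserved(3) VNI(3) reserved(1); the VNI is 24 bits wide."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def vtep_encapsulate(frame: bytes, vni: int, src_vtep: str, dst_vtep: str,
                     udp_sport: int = 49152) -> bytes:
    """Step 2: prepend VXLAN, UDP and IPv4 headers so the fabric sees an ordinary IP packet."""
    vxlan = build_vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(frame)
    # RFC 7348 allows the outer UDP checksum to be sent as zero over IPv4.
    udp = struct.pack("!HHHH", udp_sport, VXLAN_UDP_PORT, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, 20 + udp_len,      # version/IHL, DSCP/ECN, total length
                     0, 0x4000,                  # identification, flags (DF) + fragment offset
                     64, IP_PROTO_UDP, 0,        # TTL, protocol, checksum placeholder
                     ipaddress.IPv4Address(src_vtep).packed,
                     ipaddress.IPv4Address(dst_vtep).packed)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return ip + udp + vxlan + frame


def outer_headers(packet: bytes) -> dict:
    """What a fabric switch, or a capture on the transport network, can see of the tunnel."""
    src, dst = struct.unpack("!4s4s", packet[12:20])
    _, dport = struct.unpack("!HH", packet[20:24])
    _, vni_word = struct.unpack("!B3xI", packet[28:36])
    return {"src_vtep": str(ipaddress.IPv4Address(src)),
            "dst_vtep": str(ipaddress.IPv4Address(dst)),
            "udp_dport": dport, "vni": vni_word >> 8}


def vtep_decapsulate(packet: bytes, local_vni: int) -> Optional[bytes]:
    """Step 4: validate the outer headers and return the inner frame, or None to drop it.

    The VNI check is what keeps logical switches apart: a frame carried on one
    VNI is never delivered to the port group of another logical switch.
    """
    if len(packet) < 36:
        return None
    ip = packet[:20]
    if ip[0] != 0x45 or ip[9] != IP_PROTO_UDP or ipv4_checksum(ip) != 0:
        return None                                  # not a plain IPv4/UDP packet
    total_len = struct.unpack("!H", ip[2:4])[0]
    if total_len != len(packet):
        return None                                  # truncated or padded
    _, dport, udp_len, _ = struct.unpack("!HHHH", packet[20:28])
    if dport != VXLAN_UDP_PORT or udp_len != total_len - 20:
        return None
    flags, vni_word = struct.unpack("!B3xI", packet[28:36])
    if not flags & VXLAN_FLAG_I or (vni_word >> 8) != local_vni:
        return None                                  # wrong segment: drop, do not leak
    return packet[36:]


def walk_through() -> dict:
    """Steps 1-5 end to end; returns what each side saw so the result can be checked."""
    frame = build_frame("02:00:00:00:00:02", "02:00:00:00:00:01", b"hello VM2")   # constructed
    packet = vtep_encapsulate(frame, 5001, "10.20.10.10", "10.20.10.11")         # step 2
    delivered = vtep_decapsulate(packet, 5001)                                    # step 4
    leaked = vtep_decapsulate(packet, 5002)   # a VTEP serving a different logical switch
    return {"outer": outer_headers(packet), "delivered": delivered == frame,
            "overhead_bytes": len(packet) - len(frame), "cross_vni_delivered": leaked is not None}


if __name__ == "__main__":
    print(walk_through())
```

Two things worth noticing when running it: the fabric sees only the outer addresses, UDP port 4789 and the VNI, never the VM addresses (which is why the "lack of visibility with encapsulated traffic" point is made about physical firewalls later in the deck), and a VTEP that serves a different VNI drops the packet rather than forwarding it, which is the isolation property the overlay relies on.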
11. NSX Routing: Distributed, Feature-Rich
Challenges
• Physical infrastructure scale challenges – routing scale
• VM mobility is a challenge
• Multi-tenant routing complexity
• Traffic hair-pins
Benefits
• Distributed routing in the hypervisor
• Dynamic, API-based configuration
• Full featured – OSPF, BGP, IS-IS
• Logical router per tenant
• Routing peering with the physical switch
SCALABLE ROUTING – Simplifying Multi-tenancy
Figure: Tenant A, Tenant B and Tenant C, each with several L2 segments, routed by NSX under a CMP
13. NSX Edge Services Gateway: Integrated Network Services
Overview
• Integrated L3 – L7 services
• Virtual appliance model to provide rapid deployment and scale-out
Benefits
• Real-time service instantiation
• Support for dynamic service differentiation per tenant/application
• Uses x86 compute capacity
Figure: NSX Edge services – Firewall, Load Balancer, VPN, Routing/NAT, DHCP/DNS relay, DDI – in front of a row of VMs
14. What a Basic NSX Topology Looks Like
Figure: External network and physical router – VLAN 20 edge uplink – NSX Edge – VXLAN 5020 transit link with routing peering – distributed routing – Web1/App1/DB1 … Webn/Appn/DBn
15. High Scale Multi Tenant Topology
Figure: External network – NSX Edge X-Large (route aggregation layer) – VXLAN 5100 transit – VXLAN uplinks (or VXLAN trunk) to each tenant's NSX Edge Services Gateway – per tenant (Tenant 1 …) a Web logical switch, App logical switch and DB logical switch
16. NSX Provides the Highest Level of Visibility in the Network
Native capabilities
• NSX API
• Syslog
• IPFIX
• Port mirroring
• SNMP
• Traceflow
• And more
Integration with partner ecosystem
• Log Insight NSX content pack
• vRealize Operations Suite
18. Traditional Approaches to Micro-Segmentation
Centralized firewalls
• Create firewall rules before provisioning
• Update firewall rules when moving or changing
• Delete firewall rules when the app is decommissioned
• The problem increases with more east-west traffic
Figure: centralized firewalls at the Internet edge
19. How an SDDC Approach Makes Micro-Segmentation Feasible
Figure: Internet – perimeter firewalls – security policy driven from the Cloud Management Platform
20. NSX Distributed Firewalling
Challenges – physical security model
• Centralized firewall model
• Static configuration
• IP-address-based rules
• 40 Gbps per appliance
• Lack of visibility with encapsulated traffic
Benefits – distributed firewalling
• Distributed at the hypervisor level
• Dynamic, API-based configuration
• VM name, VC object and identity-based rules
• Line rate ~20 Gbps per host
• Full visibility into encapsulated traffic
Figure: physical security model (Firewall Mgmt) vs. distributed firewalling (VMware NSX, API, CMP)
21. NSX Distributed Firewall Enablement
DFW enforces rules at the vNIC layer:
• DFW is independent of the transport network (VLAN or VXLAN)
• All VM ingress and egress packets are subject to DFW processing
• Security policy is independent of VM location
• V-to-V and P-to-V support
DFW has NO dependency on network topology!
DFW Policy Rules (the same table applies in both topologies):
Source | Destination | Service | Action
VM1 | VM2, VM3 | TCP port 123 | Allow
VM1 | VM2, VM3 | any | Block
Figure: two vSphere hosts (VTEP IP 10.20.10.10 and 10.20.10.11) on one vSphere Distributed Switch, VM1 (MAC1, IP1) on the first host and VM2 (MAC2, IP2), VM3 (MAC3, IP3) on the second; shown once with the VMs on logical switch VXLAN 5001 and once on DVS port-group VLAN 501
22. NSX DFW Policy Objects
• Policy rule construct:
  Rule ID | Rule Name | Source | Destination | Service | Action | Applied To
• Rich dynamic container-based rules apart from just IP addresses:
  VC containers – clusters, datacenters, portgroups, VXLAN
  VM containers – VM names, VM tags, VM attributes
  Identity – AD groups
  IPv6 compliant – IPv6 addresses, IPv6 sets, IPv6 services
  Services – protocol, ports, custom
  Action – Allow, Block, Reject
  Choice of PEP (Policy Enforcement Point) – clusters, VXLAN, vNICs, …
23. Configure Policies with Security Groups
1. Select elements to uniquely identify application workloads
2. Use attributes to create security groups
3. Apply policies to security groups
• Enforce policy based on logical constructs
• Reduce configuration errors
• Policy follows the VM, not the IP
• Reduce rule sprawl and complexity
Use security groups to abstract policy from application workloads.
Element types
Static: data center, virtual net, virtual machine, vNIC
Dynamic: VM name, OS type, user ID, security tag
Figure: App 1 (OS: Windows 8, TAG: "Production") is placed in Group XYZ (alongside groups ABC and DEF); Group XYZ receives Policy 1 ("IPS for Desktops", "FW for Desktops") and Policy 2 ("AV for Production", "FW for Production")
24. Micro-Segmentation Simplifies Network Security
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
Figure: perimeter firewall and inside firewall in front of DMZ, App, Services (AD, NTP, DHCP, DNS, CERT) and DB segments, with Finance, Engineering and HR groups
25. NSX Security in SDDC
• NSX Edge Services Gateway positioned to protect the border of the SDDC: EDGE – North-South traffic protection
• NSX DFW positioned for internal SDDC traffic protection: DFW – East-West traffic protection
Figure: WAN/Internet – perimeter firewall (physical) – NSX Edge Services Gateway (EDGE: N-S) – SDDC (Software Defined DC) compute clusters, each with DFW (DFW: E-W); physical layer above, virtual layer below
26. Micro-Segmentation in Detail
Isolation – no communication path between unrelated networks
• No cross-talk between networks
• Overlay technology assures networks are separated by default
Segmentation – controlled communication path within a single network
• Fine-grained enforcement of security
• Security policies based on logical groupings of VMs
Advanced services – addition of 3rd-party security, as needed by policy
• Platform for including leading security solutions
• Dynamic addition of advanced security to adapt to changing security conditions
27. Third-Party Firewall and Network Security Options for NSX Integration
Platform for distributed services
Redirect via global rule to 3rd party:
Src | Dst | Action
ANY | Shared Service | Allow
Desktop | WEB_GROUP | Redirect to 3rd party
"Web Policy" applied to WEB_GROUP:
• Firewall – redirect to 3rd party
• 3rd party – do deep packet inspection
• Redirect via policy template, for reuse in automation workflows
• 3rd party can program the NSX distributed firewall directly, and set/get context to inform policy
28. Example: Orchestrating Security Between Multiple Services (Vulnerability Scan)
1. Web Server VM running IIS is deployed, unknowingly having a vulnerability
2. Vulnerability scan is initiated on the web server (3rd-party AV product)
3. VM is tagged in NSX Manager with the CVE and CVSS score
4. NSX Manager associates the VM with the Quarantine security group (F/W Deny)
5. [Externally] Admin applies patches, 3rd-party AV product re-scans the VM, clears the tag
6. NSX Manager removes the VM from Quarantine; VM returns to its normal duties
Security groups:
SG: Web Servers – Membership: include VMs which have been provisioned as "WebServer"
SG: Quarantine – Membership: include VMs which have CVSS score >= 9
Figure: NSX Manager with antivirus services attached to both security groups
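The three DFW slides above (rules keyed to VMs rather than IP addresses, security groups with static and dynamic membership, and the tag-driven quarantine) fit in one small model. This is an added example written for this page, not NSX code and not the NSX API: security groups combine static members with a dynamic criterion, rules name groups instead of addresses and are evaluated top-down with the first match winning, a Redirect action stands in for the 3rd-party handoff of slide 27, and a scanner result with CVSS >= 9 moves the VM into Quarantine until the finding is cleared. The CVSS value is kept as a plain VM attribute here, where NSX would carry it as a security tag; all VM names, addresses, ports and scores are constructed sample values.

```python
"""Security groups, DFW first-match evaluation and tag-based quarantine (added example, not NSX code)."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Set


@dataclass
class VM:
    name: str
    ip: str                    # no rule below reads this: policy follows the VM, not the IP
    os_type: str
    tags: Set[str] = field(default_factory=set)   # NSX security tags, e.g. "WebServer"
    cvss: Optional[float] = None                  # highest open finding, written by the scanner


@dataclass
class SecurityGroup:
    name: str
    static_members: Set[str] = field(default_factory=set)    # "Static" element type: by VM name
    criterion: Optional[Callable[[VM], bool]] = None         # "Dynamic": OS type, tag, ...

    def contains(self, vm: VM) -> bool:
        return vm.name in self.static_members or bool(self.criterion and self.criterion(vm))


@dataclass
class Rule:
    rule_id: int
    name: str
    source: str        # "any" or a security group name
    destination: str   # "any" or a security group name
    service: str       # "any" or "<proto>/<port>", e.g. "tcp/443"
    action: str        # Allow | Block | Reject | Redirect


GROUPS: List[SecurityGroup] = [
    SecurityGroup("Web Servers", criterion=lambda vm: "WebServer" in vm.tags),
    SecurityGroup("Quarantine", criterion=lambda vm: vm.cvss is not None and vm.cvss >= 9),
    SecurityGroup("Desktops", criterion=lambda vm: vm.os_type == "Windows 8"),
    SecurityGroup("Shared Services", static_members={"dns1", "ntp1"}),
]

# Ordered like a DFW rule table: the quarantine rules sit first so they win over any later Allow.
RULES: List[Rule] = [
    Rule(1, "Quarantine out", "Quarantine", "any", "any", "Block"),
    Rule(2, "Quarantine in", "any", "Quarantine", "any", "Block"),
    Rule(3, "Shared services", "any", "Shared Services", "any", "Allow"),
    Rule(4, "Desktop web inspection", "Desktops", "Web Servers", "tcp/443", "Redirect"),
    Rule(5, "Web in", "any", "Web Servers", "tcp/443", "Allow"),
    Rule(6, "Default deny", "any", "any", "any", "Block"),
]


def groups_of(vm: VM) -> Set[str]:
    """Recompute membership from the VM's current attributes (as NSX does when a tag changes)."""
    return {g.name for g in GROUPS if g.contains(vm)}


def decide(src: VM, dst: VM, proto: str, port: int) -> Rule:
    """First-match lookup for one flow; the table ends with a default rule, so this always returns."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for rule in RULES:
        if ((rule.source == "any" or rule.source in src_groups)
                and (rule.destination == "any" or rule.destination in dst_groups)
                and rule.service in ("any", f"{proto}/{port}")):
            return rule
    raise RuntimeError("rule table has no default rule")


def quarantine_lifecycle() -> dict:
    """Slide 28, steps 1-6: the action applied to client1 -> web1 tcp/443 at each stage."""
    web1 = VM("web1", "10.0.30.21", "Windows Server", {"WebServer"})   # constructed
    client = VM("client1", "10.0.10.5", "Linux")                       # constructed
    stages = {}
    stages["deployed"] = decide(client, web1, "tcp", 443).action       # steps 1-2: Allow
    web1.cvss = 9.8                                                     # step 3: scanner tags the VM
    stages["quarantined"] = decide(client, web1, "tcp", 443).action    # step 4: Block
    web1.cvss = None                                                    # step 5: patched, tag cleared
    stages["restored"] = decide(client, web1, "tcp", 443).action       # step 6: Allow
    web1.ip = "10.0.40.21"                                              # re-addressing changes nothing
    stages["readdressed"] = decide(client, web1, "tcp", 443).action    # still Allow
    return stages


if __name__ == "__main__":
    print(quarantine_lifecycle())
```

The point of ordering the quarantine rules first is that membership changes alone flip the verdict: nothing in the table is edited when the scanner tags or clears the VM, and a VM that is both a Web Server and in Quarantine is blocked because rule 2 is reached before rule 5. The same model shows why rules built on groups survive re-addressing, a move between hosts, or a change from VLAN to VXLAN transport, none of which the rule table references.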
29. NSX Partners and Service Categories
• Application Delivery Services
• Physical-to-Virtual Services
• Operations and Visibility
• Security
NSX Partner Extensions: http://www.vmware.com/products/nsx/resources.html
30. Ground-Breaking Use Cases
Enterprises can often justify the cost of NSX through a single use case
Security
• Micro-segmentation
• DMZ anywhere
• Secure end user
IT automation
• IT automating IT
• Multi-tenant infrastructure
• Developer cloud
Application continuity
• Disaster recovery
• Metro pooling
• Hybrid cloud networking
IT optimization
• Server asset utilization
• Price | performance
• Hardware lifecycle
31. Use Case: Infrastructure Management with vRealize Automation
Dynamically provision and decommission NSX logical services
New features
• Simplified multi-tier app deployment
• Improved connectivity
  – Deployment of logical switches and networks
• Enhanced security
  – Intelligent placement of workloads in security groups protected by firewalls
• Increased availability
  – Via deployment of NSX distributed firewalls and load balancers
Benefits
• Deliver secure, scalable, performing application-specific infrastructure on demand
32. Use Case: Disaster Recovery with NSX Network Virtualization
1. Snapshot the VM
2a. Replicate VM and storage
2b. Snapshot network and security
3. Recover the VM – the network and security already exist at the recovery site
Steps 1 & 2 are performed by e.g. VMware SRM.
Figure: primary site and recovery site, each with SAN, NSX Controller and virtual network 10.0.30/24 (the recovered VM keeps 10.0.30.21), over physical network infrastructure 10.0.10/24 and 10.0.20/24 respectively
33. Use Case: A True Hybrid Cloud Powered by VMware NSX
Some benefits:
• L2VPN for DC extension
• Granular network security with Trust Groups
• Bi-directional workload migration using the vSphere web client
Some benefits:
• Today with vCloud Air
• Tomorrow with Amazon AWS, Azure, Google and other public cloud providers
Figure: local data center connected to vCloud Air (vCloud Air Network) over the Internet via IPsec VPN and L2 VPN
34. NSX Vision: Driving NSX Everywhere
Managing security and connectivity for many heterogeneous end points
• Automation – IT at the speed of business
• Security – Inherently secure infrastructure
• Application continuity – Data center anywhere
End points: on-premise data center, new app frameworks, mobile devices (AirWatch), virtual desktop (VDI), branch offices (partner), Internet of Things, public clouds