NSX Small DC - RainFocus€¦ · Shahzad Ali NSX For Small DC PSC Server VM Option#2 • Design...

Shahzad Ali, VMware Inc.Gilles Chekroun, VMware Inc.

NET1345BE

#VMworld #NET1345BE

NSX in Small Data Centers for Small and Medium Businesses

VMworld 2017 Content: Not fo

r publication or distri

bution

#NET1345BE CONFIDENTIAL

• This presentation may contain product features that are currently under development.

• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.

• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.

• Technical feasibility and market demand will affect final delivery.

• Pricing and packaging for any new technologies or features discussed or presented have not been determined.

Disclaimer

2



bution


Introduction

Shahzad Ali NSX For Small DC

Compute ClusterDB VMs

Compute ClusterWeb/App VMs

Compute ClusterVDI VMs

Edge Cluster Management Cluster

Collapsed Cluster



bution


Agenda

4

Disclaimer: Not all possible designs are discussed

only common options are shownShahzad Ali NSX For Small DC

1 Deployment Models

2 Design and Deployment Considerations

3 Growth – Business Needs

4 Case Studies



bution


Session Objective

5


No DC left behind Small DC does not

mean small customer

Start anywhere

Grow anywhereVMworld 2017 Content: Not fo


bution


NSX for vSphere Components

6

NSX-MGR

Logical Switch

vCenter (VC)

NSX

EDGENAT

Management Plane

Control Plane

Distributed Data Plane

Data Plane

Firewall Load Balancer (LB)

Router

NSX-Controller ClusterDLR Control VM

Distributed Logical Router (DLR)

Distributed Firewall(DFW)

Reference


VDS VMworld 2017 Content: Not fo


bution

#NET1345BE CONFIDENTIAL 7


Management

Cluster

WAN

Internet

L3

L2

Payload

Cluster

Host M1

Host M3

Host M2

Host P3

Host P2

Host P1

Host E1

Host E3

Host E2

Host P5

Host P4

Host E4

L3

L2

DC Fabric

Edge

Cluster

NSX

EDGENSX

EDGE

NSX

EDGE

NSX

EDGE

Payload

Cluster

Large DC: Hosts>100 ; N-S BW > 10G Medium DC: Hosts 10-100; N-S BW < 10G

Collapsed

Management

&

Edge Clusters

WAN

Internet

L3

L2

Payload

Cluster

Host ME1

Host ME3

Host ME2

Host P3

Host P2

Host P1

NSX

EDGE

NSX

EDGE



bution


Cluster Features

Collapse Mgmt.,

Edge and Payload • Mix of less I/O and High I/O requirement

Collapsed

Management

Edge and Payload

Cluster

WAN

Internet

L3

L2

Host C1

Host C3

Host C2

Host C4

NSX

EDGE

NSX

EDGE


Small DC: Number of Hosts 3-10 ; N-S BW Requirement < 10G

Resource reservation is the key to meet SLA in Small DC



bution

Deployment ModelsSmall does not mean Small Enterprise

9



bution


VXLAN Backed

Port Groups

(LS)

10

VDS

DFW

VLAN Backed

Port Groups

Physical ESG

VM

DFW

Physical

DLR

Transit LSUplink Port Group

Uplink Port Group

LB

Bridge


VLAN Backed

Port Groups

VDS

ESG

VM

DFW

Physical

Small DC Deployment Models

Security Focused

• Distributed Firewall

• Non disruptive

• VXLAN is not a requirement

• Existing setup

Full Stack

• Distributed Firewall

• Logical Switching (VXLAN)

• Distributed Routing (DLR)

• ESG Service (NAT, LAB, VPN etc.)

Centralized Edge

• ESG VM based model

• Not much east/west traffic

• Intermediate/Transition step

• Multiple edges possible

Uplink Port Group



bution


Security Focused Model

• No physical routing/MTU change needed

• Use existing VLAN backed-port groups

• DFW enabled on all hosts

11


Important Use-Cases

Distributed Firewall

Agentless Anti-Virus (AV)

VDS

DFW

VLAN Backed

Port Groups

Physical

Uplink Port Group



bution


WAN

Internet


• Small footprint

– Min: 2 hosts required

– Easy expansion for additional workload

• Recommendation: At least 3 hosts in production

– Deploy more hosts to sustain a single host failure

12

Use-Case: Distributed Firewall

Single Cluster with NSX

L3

L2

Host 1

Host 3

Host 2

Function vCPU MEM (GB) Storage (GB) VMs

Tiny vCenter Appliance

with Embedded *PSC

2 8 120 1

NSX Manager 4 16 60 1

Total 6 24 180 2

NSX Footprint


*PSC (Platform Services Controller)



bution


WAN

Internet


• Requires additional Service VMs

– NSX GI-SVM (Guest Introspection Service VM)

– Partner Service VM (SVM)

• Cluster based SVM deployment

– Min: 2 hosts required

– Recommendation: At least 3 hosts in production

13

Use-Case: Distributed Firewall with Agentless Anti-Virus (AV)

Single Cluster with NSX

L3

L2

Host 1

Host 3

Host 2

NSX GI

SVMPartner

SVM

NSX GI

SVMPartner

SVM

NSX GI

SVMPartner

SVM



Tiny vCenter with

Embedded PSC

2 8 120 1


GI-SVM 2 1 4 Hosts#

Partner-SVM See Guest Introspection partner for details Hosts#



bution


Centralized Edge Deployment Model

• No DLR, VXLAN and Controllers needed

– Port groups attached to ESG VM

– No physical routing/MTU changes needed

– Availability improved by Edge HA and vSphere

14

Transitional Model: From Security Focused Full Stack


NSX

EDGE

NSX

EDGE

WAN

Internet

Single Cluster

L3

L2

Host 1

Host 3

Host 2VDS

Multi-Function GW

Routing

Firewall

LB

NAT

VPN GW

Supported Trunk

Interface (200 VLANs)

DFW

Port

Groups

Physical



bution


Full Stack Model

• VXLAN based overlay

– Optimized routing (DLR) and logical switching (LS)

– Separation of control and data plane

– VXLAN and DFW enabled on all hosts

• MTU of >=1600 for VTEP VLAN segment

15


VXLAN Backed

Port Groups

(LS)

ESG

VM

DFW

Physical

DLR

Transit LS

Uplink Port Group

LB

Bridge



bution


Full Stack Model: Deployment Considerations

• At least 3 hosts needed

– Recommendation: 4 ESXi hosts in Production

– Management and Edge functions co-exist with Payload

– No DLR Control VM needed with static routing

16


Tiny vCenter Appliance with

Embedded PSC

2 8 120 1


NSX Controllers 4 x 3 4 x 3 28 x 3 3

Edge VM (Large)* 2 x 2 0.5 x 2 ~1 x 2 2*

Total 22 37 ~ 266 7

* ESG with High Availability with static routing

Single Cluster

WAN

InternetL3

L2

Host 1

Host 3

Host 2

Host 4NSX

EDGE

NSX

EDGE




bution

vSphere Consideration

17



bution


vCenter (VC)

• Design Option#1: VC with Embedded PSC

– Recommended for small DC

– 1 single sign-on domain with single site

– No growth plans in near future

18

Robust vSphere and VC design is the foundation

Option#1


PSC Server VM

Option#2

• Design Option#2: External PSC

– Recommended for medium-large setups

– Multiple vCenters / Cross-VC / DR

– For Small DC: If planning to grow

vCenter Server

PSC Server

VM

VM

vCenter Server VM

VM



bution


vCenter Server VM Form Factor

• Tiny vCenter (VC) Appliance with Embedded PSC

– If minimizing resource utilization is key factor for deployment

• Majority Small DC Customers:

– Deploy Small VC appliance

– Future growth

• VC should be first to boot in VM boot order

Options Hosts VM Potential

NSX Deployment Type

vCPU MEM (GB) Disk (GB)

Embedded PSC

Tiny 10 100 Small DC 2 8 120

Small 100 1000 Small DC 4 16 150

Medium 400 4000 Medium DC 8 24 300

Large 1000 10,000 Large DC 16 32 450

http://tinyurl.com/DeployVC6

http://tinyurl.com/PerformanceVC6




bution

http://tinyurl.com/DeployVC6

http://tinyurl.com/PerformanceVC6


vSphere and NSX Licensing Options

– NSX supported for all vSphere licenses

– VDS included with NSX (vSphere 5.5 U3 or 6.0+)

20

NSX

vSphere Enterprise is EoA: https://kb.vmware.com/kb/2143987

Compare License Options: http://www.vmware.com/products/vsphere.html#compare

Essential+ • Up to 3 hosts, vSphere HA

Standard • 1000 hosts per vCenter, vSphere HA

Enterprise+ • vSphere HA, DRS, VDS etc.

vSphere

Features Standard Advance Enterprise

Distributed Routing and Switching (DLR/VXLAN) ✓ ✓ ✓

NSX ESG (except load balancer) ✓ ✓ ✓

SW L2 bridging ✓ ✓ ✓

Distributed Firewall (DFW – Micro-Segmentation) ✓ ✓

NSX Edge load balancing ✓ ✓

Cross vCenter NSX ✓

Reference




bution

https://kb.vmware.com/kb/2143987

http://www.vmware.com/products/vsphere.html#compare

NSX Component Consideration

21

NSX - Modular and Flexible



bution


NSX Manager

• Management and API entry point

• Reservation enabled by default

• vCPU and Mem modification allowed

– Recommended to stick with the defaults

• Add VC VM in the NSX “VM Exclusion List”

– Or create fine grained rules in DFW

– NSX components are automatically part of exclusion list

• NSX manager backup

• Not in the data-path

• Second in VM boot order

22

16 GB

reserved

by default




bution


NSX Controllers

• Needed for VXLAN and DLR

• Must deploy 3

– Manually create “SHOULD” anti-affinity rules

– Use 4 hosts for additional redundancy

• 4 vCPU and 4GB MEM

– Reserved: 4GB MEM

• Locked down VM

– vCPU/MEM modification disabled

• Not in the data-path

• 3rd in VM boot order

23

4GB reserved by

default

MEM: 4GB




bution


DLR Control VM

• Needed only if dynamic routing is used

• Deploy in HA mode (Active/Standby)

• vCPU/MEM modification disabled

• Anti-affinity rule is created automatically

24


- Light weigh VM

- Reservation

enabled



bution


Edge Service Gateway

• VM Form factor

– Large: Good for small DC design/features

– X-Large: For L7 NSX Load Balancer (LB)

– Form factor can be upgraded any time later

• vCPU and MEM reservation enabled by default

– Locked down VM

25

VM Size vCPU MemoryHD

(GB)Suitable For

Compact 1 512 M 1 LAB/PoC

Large 2 1 GB 1 Small DC

Quad Large 4 2 GB 1Medium/

Large DC

X-Large 6 8 GB 3 L7 LB




bution


ESG Design Choices

Stateful Services?

Yes

Throughput Requirement

>10GMulti-tiered

Design

< 10GESG-HA

No

Throughput Requirement

< 10 GESG-HA

>10G

2 or more ESG-ECMP

26

ESG in

HA or

ECMP?

Shahzad Ali NSX For Small DC[Other designs are also possible depending on scale]



bution


ESG with HA

– Anti-affinity rules automatically created (DRS)

– Avoid: Active ESG and Active DLR Control VM on same host

Automatic Rule

ESG with ECMP

– Manually create anti-affinity rules

– Avoid: Active ESG and Active DLR Control VM on same host

ESG Deployment

Host 1

Host 2

Active

ESG

Standby

ESGActive DLR

Control VM

Standby DLR

Control VM

Host 1

Host 3

Host 2

Host 4

ECMP

ESG

Active DLR

Control VM

Standby DLR

Control VM

ECMP

ESG

ECMP

ESG

ECMP

ESG



bution


vSphere High Availability (HA) and NSX

Admission Control policy options

28

vSphere HA Admission Control ensures VM failover capacity


Slot Policy Cluster Resource Percentage Dedicated FailoverN+1 10% Standby Host



bution


vSphere HA Restart Priority

• Cluster percentage based admission control means more flexibility with workloads

– A lack of resources may require that some VMs not be restarted during an HA event

– HA restart priority allows you to designate high priority vs. low priority workloads

– NSX workloads should be designated as the highest priority

– HA Dependencies can also be used

29




bution


vSphere HA Calculations

• Total your cluster resources and make notes of how much CPU and Memory are available

30

Know what you have to work with


Small LAB Deployment with 2 hostsVMworld 2017 Content: Not fo


bution


vSphere HA Calculations

Slot Based HA Policy

31

Know what you have to work with

Total Cluster CPU = 11.20 GHzTotal Cluster MEM = 10.00 GB


Cluster Percentage Based Policy

11200MHz * .75 = 8400MHz

10000MB *.75 = 7500MB

5600MHz / 32MHz = 175 Slots

5000MB / 100MB= 50 Slots



bution


vSphere Resource Pools and NSX

• Use Resource Pools to guarantee CPU and Memory to priority workloads

CAUTION!

• Resource pools can be detrimental to VM performance if not used and maintained correctly

• Use cluster resources calculations and VM requirements to build Pools properly

• Plan for growth!

32

Resource Pools can be used to guarantee resources to priority workloads




bution


VDS (vSphere Distributed Switch)

• VDS requires vSphere Enterprise+

– Free with NSX (vSphere 5.5 U3 or 6.0+)

• Use single VDS – keep it simple

• Recommended VTEP vmknic teaming policy is Route Based on Originating Port (Source-ID)

– VXLAN multipath with multiple VTEPs per host

– VM-to-VTEP pinning based on the VM source virtual port ID

• For simplicity (single VTEP) - use “Fail Over”




bution

Growing NSX Small DC Deployments

34

Start Anywhere – Grow Anywhere – Without Any Boundaries



bution


Grow As Per Business Requirements

35

Starting Small – Less Upfront Cost – Phased Approach

Grow

NSX

Compute Capacity

Throughput

Feature/Services

Migration

More Sites



bution


Use-Case1: DFW Service Insertion Full Stack

36

Enhancing DC Security Beyond DFW

Note: Other topologies are possible – the pictures shown are representative only

Partner

SVM

GI

SVM

VDS

Distributed

Firewall

Partner

SVM

GI

SVM

VLAN Backed Port Groups

NSX

EDGE

VXLAN Backed Port Groups

NSX

EDGE

VXLAN Transit

Logical Switch

Uplink Port Group

Uplink Port Group


Casino Customer

with VDI



bution


Use-Case2: Single Site Multi-Site (Cross-VC NSX)

37

Site-A Site-B

DLR Universal DLR


Note: Other topologies are possible – the pictures shown are representative only

Gov. Customer with

DR



bution



All DCs are equal in the

eyes of NSX

Small DC does not

mean small customer

Start anywhere,

Grow anywhere

Key Takeaways



bution


Join VMUG for exclusive access to NSX

vmug.com/VMUG-Join/VMUG-Advantage

Connect with your peers

communities.vmware.com

Find NSX Resources

vmware.com/products/nsx

Network Virtualization Blog

blogs.vmware.com/networkvirtualization

Where to get started

Dozens of Unique NSX Sessions

Spotlights, breakouts, quick talks & group discussions

Visit the VMware Booth

Product overview, use-case demos

Visit Technical Partner Booths

Integration demos – Infrastructure, security, operations,

visibility, and more

Meet the Experts

Join our Experts in an intimate roundtable discussion

Free Hands-on Labs

Test drive NSX yourself with expert-led or self-paces

hands-on labs

labs.hol.vmware.com

Training and Certification

Several paths to professional certifications. Learn

more at the Education & Certification Lounge.

vmware.com/go/nsxtraining

Engage and Learn Experience

Try TakeVMworld 2017 Content: N

ot for publicatio

n or distribution

https://www.vmug.com/VMUG-Join/VMUG-Advantage

https://communities.vmware.com/community/vmtn/nsx

http://vmware.com/products/nsx

http://blogs.vmware.com/networkvirtualization

http://labs.hol.vmware.com/

http://www.vmware.com/go/nsxtraining

40



bution



bution

NSX Small DC - RainFocus€¦ · Shahzad Ali NSX For Small DC PSC Server VM Option#2 • Design...

Documents

Transcript of NSX Small DC - RainFocus€¦ · Shahzad Ali NSX For Small DC PSC Server VM Option#2 • Design...