VMware NSX - All In The Loop Operations (slide transcript)
VMware NSX: The Platform for Network and Security Virtualization
Frederick [email protected], Sr. Specialist Systems Engineer, Networking & Security
What VMware does best…

Server virtualisation (x86): App/VM. Create + Snapshot + Store + Move + Delete + Restore = Automated and Programmatic Model.

The physical network has not evolved; static services have remained unchanged for the last decade(s).

Operational overhead:
- to link the Automated with the Static
- to secure the Automated with the Static
- to extend the Automated with the Static

The foundation remains unchanged; everything needed for end-to-end, secure communications is static and not programmable: DHCP, L2/L3, FW, VPN, IPS, LB (“ANY”, “MANY”).
What VMware does best… applied to network services

Network and server virtualisation (x86): App/VM over the physical network, with L2, L3, FW, VPN, IPS and LB delivered in software (“ANY”, “MANY”).

- Pooled compute and network capacity
- Vendor and topology independent
- Simplified configuration & management
- Intelligence in the virtualisation layer
- No longer tied to a box!

An SDN platform to enable true SDDC.

Network virtualisation: Create + Snapshot + Store + Move + Delete + Restore = Automated and Programmatic Network.
VMware NSX: Virtualize the Network

- Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
- Logical Routing: Routing between virtual and physical networks
- Load Balancing: Application load balancing for VMs or entire networks
- Physical to Virtual: Bridging physical workloads with virtual ones (VXLAN <> VLAN)
- Firewalling & Security: Distributed Firewall, kernel integrated, high performance, 3rd-party integration
- VPN
- API: RESTful API for integration and consumption from any Cloud Management Platform
Virtual Networks – Like Virtual Machines for the Network

Creating sophisticated application topologies (Internet → Web-Tier → App-Tier → DB-Tier):
- VMs connect to virtual networks
- Virtual networks connect to non-virtualized workloads
- Security enforcement at vNIC level
- With physical services integration
NSX Components

Cloud Consumption
• Self Service Portal
• vCloud Automation Center, OpenStack, Custom CMP

Management Plane: NSX Manager
• Single configuration portal
• REST API entry-point

Control Plane: NSX Controller
• Manages logical networks
• Control-plane protocol
• Separation of control and data plane

Data Plane: NSX Edge, ESXi hypervisor kernel modules, distributed services
• High-performance data plane
• Scale-out distributed forwarding model
[Figure: Distributed Firewall, Distributed Router and Logical Switch make up the logical network, layered over the physical network and backplane]
From the POV of a switch

[Figure: a chassis switch, with the RE / Control Plane above a row of line-card blades, shown alongside the NSX layout: Management (NSX Manager and vCenter, 1:1), a three-node NSX Controller cluster, and ESXi hosts (vSwitch) connected over the IP network]
USE CASES

Ground-breaking use cases

Enterprises can often justify the cost of NSX through a single use case.

- Security: Micro-segmentation, DMZ anywhere, Secure end user
- IT automation: IT automating IT, Multi-tenant infrastructure, Developer cloud
- Application continuity: Disaster recovery, Metro pooling, Hybrid cloud networking
- IT optimization: Server asset utilization, Price | performance, Hardware lifecycle ($)
Breaches still occur in data centers with a secure perimeter

1. Today’s data centers are protected by strong perimeter defense…
2. But threats and exploits still infect servers. Low-priority systems are often the target, and SSL is no guarantee of protection.
3. Threats can lie dormant, waiting for the right moment to strike.
4. Attacks spread inside the data center, where internal controls are often weak. Critical systems are targeted.
5. Server-server traffic growth has outpaced client-server traffic. The attack spreads and goes unnoticed.
6. Possibly after months of reconnaissance, the infiltration relays secret data to the attacker.
The solution is Micro-Segmentation: assume everything is a threat and act accordingly.

- Isolation: no communication path between unrelated networks
- Segmentation: controlled communication path within a single network
- Advanced services: addition of 3rd-party security, as needed by policy
Central Policies, Distributed Enforcement, Move with VMs

- Reduce choke-point security
- Centrally define policies, distribute rule enforcement for segmentation
- Security policies move with VMs
- Changes to central policies are automatically distributed to affected VMs
Service Insertion – Example: Palo Alto Networks Next Gen Firewall

The security admin defines the security policy centrally; traffic steering sends the VM’s traffic through the third-party service.

Standard Desktop VM Policy:
- Anti-Virus – Scan

Quarantined VM Policy:
- Firewall – Block all except security tools
- Anti-Virus – Scan and remediate

Automated Security in a Software Defined Data Center: Quarantine Vulnerable Systems until Remediated

Policy Definition:
- Security Group = Desktop VMs
- Security Group = Quarantine Zone; Members = {Tag = ‘ANTI_VIRUS.VirusFound’, L2 Isolated Network}
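The tag-driven quarantine described in the policy definition above can be modelled in a few dozen lines. The following is an added illustration written for this page, not NSX code and not its API: group membership is recomputed from the VM's tags and network on every lookup, the higher-weight Quarantined VM Policy is evaluated before the Standard Desktop VM Policy, and rules are resolved per VM rather than per host, so a vMotion changes nothing. The tag ‘ANTI_VIRUS.VirusFound’ and the two group names come from the slide; the security-tool addresses, the desktop allow rules, rule names, ports, policy weights and the default-block behaviour are assumptions constructed for the example.

```python
"""Toy model of tag-driven security groups with centrally defined policy
enforced per vNIC. Added illustration for this page: not NSX code or its API.
The tag 'ANTI_VIRUS.VirusFound' and the group names follow the slides; every
address, port, rule name and weight below is a constructed assumption."""
from dataclasses import dataclass, field
from typing import Callable, Optional

# Constructed addresses of the AV/remediation servers a quarantined VM may still reach.
SECURITY_TOOLS = {"10.0.200.10", "10.0.200.11"}


@dataclass
class VM:
    name: str
    host: str                       # hypervisor the VM currently runs on
    ip: str
    tags: set = field(default_factory=set)
    l2_isolated: bool = False       # attached to the L2 isolated quarantine segment


@dataclass
class Rule:
    name: str
    action: str                     # "allow" or "block"
    dst_ips: Optional[set] = None   # None matches any destination address
    dst_port: Optional[int] = None  # None matches any destination port

    def matches(self, dst_ip: str, dst_port: int) -> bool:
        return ((self.dst_ips is None or dst_ip in self.dst_ips)
                and (self.dst_port is None or dst_port == self.dst_port))


@dataclass
class SecurityGroup:
    name: str
    member_of: Callable[[VM], bool]  # dynamic membership criterion, re-evaluated on every lookup


@dataclass
class SecurityPolicy:
    name: str
    group: str                       # security group the policy is applied to
    weight: int                      # higher weight is evaluated first
    rules: list


GROUPS = [
    # Members = {Tag = 'ANTI_VIRUS.VirusFound', L2 Isolated Network}
    SecurityGroup("Quarantine Zone",
                  lambda vm: "ANTI_VIRUS.VirusFound" in vm.tags or vm.l2_isolated),
    SecurityGroup("Desktop VMs", lambda vm: "desktop" in vm.tags),
]

POLICIES = [
    SecurityPolicy("Quarantined VM Policy", "Quarantine Zone", weight=100, rules=[
        Rule("allow-security-tools", "allow", dst_ips=SECURITY_TOOLS),
        Rule("block-everything-else", "block"),      # "block all except security tools"
    ]),
    SecurityPolicy("Standard Desktop VM Policy", "Desktop VMs", weight=10, rules=[
        Rule("allow-web", "allow", dst_port=443),    # constructed desktop rules
        Rule("allow-dns", "allow", dst_port=53),
    ]),
]


def groups_of(vm: VM) -> set:
    """Security groups the VM is a member of right now, derived from its tags and network."""
    return {g.name for g in GROUPS if g.member_of(vm)}


def effective_rules(vm: VM) -> list:
    """Rules enforced at this VM's vNIC: the policies of its groups, highest weight first."""
    applicable = sorted((p for p in POLICIES if p.group in groups_of(vm)),
                        key=lambda p: -p.weight)
    return [r for p in applicable for r in p.rules]


def evaluate(vm: VM, dst_ip: str, dst_port: int, default: str = "block"):
    """First-match evaluation of an outbound flow; default-block is a modelling assumption."""
    for rule in effective_rules(vm):
        if rule.matches(dst_ip, dst_port):
            return rule.action, rule.name
    return default, "default"


def quarantine_scenario():
    """Walk one desktop VM through infection, quarantine, vMotion and remediation."""
    vm = VM("win7-desk-01", host="esxi-01", ip="10.0.50.21", tags={"desktop"})  # constructed
    before = evaluate(vm, "10.0.1.5", 443)             # normal desktop traffic is allowed
    vm.tags.add("ANTI_VIRUS.VirusFound")               # AV service tags the VM; no rule edits needed
    during = evaluate(vm, "10.0.1.5", 443)             # the same flow is now blocked
    to_tools = evaluate(vm, "10.0.200.10", 8443)       # remediation server still reachable
    vm.host = "esxi-07"                                # vMotion: membership is not host-bound
    after_move = evaluate(vm, "10.0.1.5", 443)
    vm.tags.discard("ANTI_VIRUS.VirusFound")           # remediated: tag cleared, policy reverts
    remediated = evaluate(vm, "10.0.1.5", 443)
    return before, during, to_tools, after_move, remediated


if __name__ == "__main__":
    for step, result in zip(("before", "during", "to_tools", "after_move", "remediated"),
                            quarantine_scenario()):
        print(f"{step:>11}: {result}")
```

The point the model makes is that no firewall rule is edited during the incident: a third-party tool changes one tag, the VM's group membership changes with it, and the higher-weight quarantine policy takes precedence at the vNIC wherever the VM runs. In a real deployment the "security tools" exception deserves the same scrutiny as any other allow rule, since it is the only path left open from a known-compromised machine.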
A ubiquitous software layer means security is everywhere: visibility, policy, service insertion, context.
Why can’t IT move as fast as the business today?

The business wants their applications now! Physical network complexities, manual configuration & processes, and the pressure to do more for less make delivery slow, restrictive, risky and inconsistent.
Application with on-demand networking & security, deployed and managed in the application context

vRealize Automation (Service Catalog, Multi-Machine Blueprint, Network Profiles, Security Policies, Security Groups) drives NSX through its APIs: Logical Switch, Logical Router, Logical Firewalling and Logical Load Balancer for the Web, App and Database tiers.

On-Demand Application Delivery
- Support for multi-tier apps on multiple networks or a single flat network
- Automating app updates and changes: app blueprints can be updated and changes automatically pushed out
- Standardize configurations, avoid configuration drift
- Centrally update policies: changes made to the blueprint

Accelerate workload deployment. Avoid risk from human errors. Compliance and auditability.
NSX Logical Networking and Security (6.1 and earlier)
CONFIDENTIAL

A single NSX domain can span more than one site. Each of vCenter A, B and C has its own NSX Manager, local VC inventory, NSX Controller cluster, Logical Switches and Distributed Logical Router.

Cross-VC NSX Logical Networking and Security

vCenter A, B and C (each with NSX Manager, local VC inventory and NSX Controller cluster) share Logical Switches and a Distributed Logical Router that span the vCenters.

Logical Switches beyond the datacenter: public cloud over Internet/WAN, for application continuity, bursting and automation.
Monitoring and Troubleshooting

NSX Operations – Summary of Capabilities (NSX for vSphere)

- Logical network health: UI: NSX Manager; CLI: NSX Controller central CLI, NSX Edge
- VM-to-VM connectivity (logical): NSX Controller central CLI, host-level CLI
- Traffic flow visibility: IPFIX (VDS); NSX Edge flow monitoring
- Traffic analysis per VM: RSPAN/ERSPAN (VM traffic); UW packet capture (overlay)
- Network inventory, fault management: NSX Manager, SNMP (MIBs for ports, switch etc.)
- Multi-level logging, event tracking & auditing: Syslog export (NSX Controller, NSX Manager, NSX Edge etc.)
- Transport (overlay) health: NSX Manager connectivity check; NSX Controller central CLI, per-host CLI
- Upgrade management: NSX Manager (automated VIB and Controller upgrades)
- API visibility: NSX Manager API
- External tools: vROps, Log Insight

DFW Dashboard - Overview
DFW Dashboard - Traffic
DFW Dashboard - Hypervisor
Big Data applied on physical and virtual networks

Platform Overview
Arkin Confidential

- VIRTUAL: VMware vSphere, VMware NSX (Edge, Controller, LDR), Palo Alto virtual firewalls
- PHYSICAL: Cisco, Juniper, Arista, Brocade, Dell, HP, VCE, Palo Alto, ..
- HYBRID CLOUD: IBM Softlayer, AWS

Arkin SDDC models, search & analytics:
- Application connectivity across overlay & underlay
- VXLAN management and analytics
- Micro-segmentation modeling & DFW operations

Application Visibility Across Overlay And Underlay
- Connectivity graphs: VM to VM, VM to physical, VM to Internet
- Hop-by-hop path across overlay (LDRs, Edge gateways) and underlay (physical VDCs & VRFs); see the V-to-P boundary
- Correlated problems and performance metrics across virtual and physical
- See effective firewall rules and security policies in a distributed environment

Security Planning: Flow Analysis & NSX Micro-Segmentation
- Breakdown of data center traffic by East-West, VM-to-VM, VM-to-physical, switched, routed, etc.
- Risk analysis and SDDC benefits compilation
- NSX micro-segmentation examples (Security Groups and firewall rules)
Summary: VMware NSX is The Platform for Network Virtualization

- Reliability: Built for high availability and business continuity. No single point of failure. Distributed architecture.
- Security: Native multi-tenancy capabilities. Secure workload separation and segregation. Compliance.
- Scalability: Unmatched oversubscription ratios and performance. Thousands of logical entities.
- Flexibility: VMware NSX operates on anyone’s Ethernet/IP fabric. No changes in fabric and/or compute topology required.
- Visibility: Sophisticated tools for troubleshooting, traffic pattern characterization and traffic statistics.

Reducing the friction from before
- Faster time to market and time to value
- OpEx savings and productivity gains
- Increased competitive advantage
- IT as leader and innovator: speed, agility, security, standardization

Questions?