6th Session VMware NSX: the network virtualization platform for the Software-Defined Data...

Posted on 21-Mar-2017


Introduction to NSX

Carlo Cavallina, Systems Engineer, NSX Specialist

Agenda

1 Who am I?

2 The IT transformation and the SDDC approach

3 The Network Virtualization

4 Disaster Recovery – The new era

5 Microsegmentation

6 NSX – The use cases

Who am I?

Going beyond server virtualization

IT’S TIME FOR A NEW IT APPROACH

SLOW TECHNOLOGY ADOPTION RATES

HIGH USER EXPECTATIONS

SLOW RESPONSES

PRIVACY ISSUES

INTEGRATION PROBLEMS

SERVICE OUTAGES

SHORTAGE OF RIGHT SKILLS

DECLINING BUDGET

DIFFERENT APPLICATIONS

AGING INFRASTRUCTURE

SECURITY

PROLIFERATION OF DEVICES

FRAGMENTED DATA CENTER

LIMITED RESOURCES

CLOUD SILOS

It’s Time to Virtualize the WHOLE Data Center

The Software Defined Data Center: EFFICIENT, SECURE, AGILE

Optimized for rapid development and delivery of all applications, for safe consumption on any device

Network Virtualization is Key

What is a Software Defined Data Center (SDDC)?

Software (Data Center Virtualization Layer): Intelligence in Software; Operational Model of VM for Data Center; Automated Configuration & Management

Hardware (Compute, Network and Storage Capacity): Pooled, Vendor Independent, Best Price/Performance Infrastructure; Simplified Configuration & Management

Versus the traditional model: Intelligence in Hardware; Dedicated, Vendor Specific Infrastructure; Manual Configuration & Management

Enterprise Data Center (Compute, Storage, Network): Enterprise Applications consume network services (Security, Load Balancing, Routing, Service Chaining) delivered by the infrastructure.

Google, Facebook, Amazon (Compute, Storage, Network): Custom Distributed Applications, designed with the services (Security, Application Load Balancing, Routing, HA, etc.) built into the application itself.

Outcomes of that model: Software Automation, Agility & Speed; Network Services Distributed out to Applications; Simplified; Increased Stability & Reliability; Lower Cost.

Enterprise IT: Enterprise Applications running on Compute, Storage and Network through a Data Center Virtualization Layer (slide diagram repeated across several builds).

The operational model of a VM for the entire data center

Programmatically: Create, Snapshot, Store, Move, Delete, Restore

Sounds interesting, BUT… It sounds like a big change. I’m not even sure I understand what network virtualization is.

Bridging Two Worlds: the Traditional Approach and the Software Defined Data Center Approach

Which pill do you want?

Network Virtualization is at the core of an SDDC approach

A virtualization layer over network, storage and compute: a "network hypervisor" spanning the hypervisors and their vSwitches, creating Virtual Data Centers (slide diagram of hypervisor/vSwitch pairs).

Non-Disrupting Deployment

The Power of Distributed Services

Switching, Routing, Firewalling/ACLs, Load Balancing

Network and security services now distributed in the hypervisor (slide diagram of hypervisor/vSwitch pairs)

High throughput rates

East-west firewalling

Native platform capability

Traditional Layer 3 Routing? (slide diagram: VMs in User Space above the NSX vSwitch and Hypervisor, routed through the Physical Network)

A Virtual Network? (slide diagram: the Virtual Network with Distributed Network Services in the NSX vSwitch, decoupled from the Physical Network)

Non-Disruptive Deployment (slide diagram: same hosts, VMs and Physical Network, with the Virtual Network added)

Programmatically Provisioned (slide diagram: Cloud Mgt Platform and Cluster Controller provisioning Distributed Network Services on each NSX vSwitch)

Network & Security Services Distributed to the Virtual Switch

Simplified IP Backplane: No VLANs, No ACLs, No Firewall Rules in the Physical Network

Physical Network becomes high-speed IP backplane

Native Isolation (slide diagram: two Virtual Networks on the same physical hosts, with the overlapping addresses 192.168.2.10 and 192.168.2.11 appearing in both)

DR Today (simple view)

Primary Site 10.0.10/24 and Recovery Site 10.0.20/24, each with its own Physical Network Infrastructure and SAN

1 Snapshot VM
2 Replicate VM & Storage (Steps 1 & 2 e.g. VMware SRM)
3 Recover the VM
4 Change IP Address (10.0.10.21 becomes 10.0.20.21), Reconfig Security: Major RTO Impact

DR with NSX Network Virtualization (simple view)

Primary Site and Recovery Site (physical networks 10.0.10/24 and 10.0.20/24, each with SAN and NSX Controller) share one Virtual Network 10.0.30/24, so the VM keeps 10.0.30.21 at both sites

1 Snapshot VM
2a Replicate VM & Storage (Steps 1 & 2 e.g. VMware SRM)
2b Snapshot Network & Security
3 Recover the VM: Network & Security already exists

80% RTO reduction

Support for Physical Workloads and VLANs

Physical or Virtual Workloads on VLANs join the Virtual Network through an x86 Gateway or through Top-of-Rack Switches (OVSDB – VTEP), managed by the Cluster Controller (slide diagram: Physical Hosts with NSX vSwitch, plus a Physical Workload)

Non-Disruptive Deployment

The Power of Distributed Network & Security Services & Policies

Why traditional approaches are operationally infeasible…

Perimeter Firewalls (slide diagram: Internet, Physical Hosts with vSwitch and VMs)

• Create firewall rules before provisioning
• Update firewall rules when move or change
• Delete firewall rules when app decommissioned
• Problem increases with more East-West traffic

How an SDDC approach makes micro-segmentation feasible

Security Policy on the VM, with the Cloud Management Platform and the Perimeter Firewalls (slide diagram: Internet, Physical Hosts with vSwitch and VMs)

There is a BIG difference…

Virtual Firewalls
• Traditional Rule Mgt & Operations
• Chokepoint Enforcement
• Virtual Firewalls (~1 Gbps)

Physical Firewalls
• Traditional Rule Mgt & Operations
• Chokepoint Enforcement
• Physical Firewalls (~100 Gbps)

Distributed Firewalling
• Automated Policy Mgt & Operations
• Distributed Enforcement
• vSphere Kernel-based Performance
• Distributed Scale-out Capacity (20 Gbps/host)

Align type of controls to what you are protecting

Isolation: No Communication Path between Application A and Application B

Explicit Allow Comm.: App Tier to DB Tier only on the required service (e.g. TCP 1433)

Secure Communications: Service Insertion of NGFW and IPS in the path, orchestrated by the NSX Controller

Advanced Services Insertion – Example: Palo Alto Networks NGFW

The Security Admin defines the Security Policy; Traffic Steering sends the selected flows from the vSwitch to the NGFW (slide diagram: Internet, Physical Hosts with vSwitch and VMs)

Intelligent grouping: Groups defined by customized criteria

Operating System

Machine Name

Application Tier

Services

Security Posture

Regulatory Requirements
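An added example (not from the presentation or from VMware) that models the policy style of the last two slides: security groups are predicates over VM attributes, the only rule explicitly allows App tier to DB tier on TCP 1433 within one application, and every other flow is isolated, so a newly provisioned VM with the same tags is covered without editing any rule. VM names, tags and the in-memory firewall are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed inventory: each VM carries the attributes used as grouping criteria.
@dataclass(frozen=True)
class VM:
    name: str
    app: str   # application the VM belongs to ("A" or "B")
    tier: str  # "web", "app" or "db"
    os: str

class DistributedFirewall:
    """Rules reference security groups; groups are predicates over VM attributes.
    Any flow not matched by an allow rule is dropped (isolation by default)."""
    def __init__(self):
        self.groups = {}  # group name -> predicate(vm) -> bool
        self.rules = []   # (src_group, dst_group, proto, port)

    def define_group(self, name, predicate):
        self.groups[name] = predicate

    def allow(self, src_group, dst_group, proto, port):
        self.rules.append((src_group, dst_group, proto, port))

    def permits(self, src, dst, proto, port):
        # Membership is recomputed from the VM's current attributes on every
        # lookup, so a move or re-tag never requires editing the rule set.
        for sg, dg, p, prt in self.rules:
            if self.groups[sg](src) and self.groups[dg](dst) and (p, prt) == (proto, port):
                return True
        return False

def build_policy():
    dfw = DistributedFirewall()
    for app in ("A", "B"):
        for tier in ("web", "app", "db"):
            dfw.define_group(f"{app}-{tier}",
                             lambda vm, a=app, t=tier: vm.app == a and vm.tier == t)
        # Explicit allow: App tier -> DB tier on TCP 1433 only, within one application.
        dfw.allow(f"{app}-app", f"{app}-db", "tcp", 1433)
    return dfw

def check_scenarios():
    dfw = build_policy()
    a_app, a_db = VM("a-app-01", "A", "app", "linux"), VM("a-db-01", "A", "db", "windows")
    b_app = VM("b-app-01", "B", "app", "linux")
    rules_before = len(dfw.rules)
    a_app_new = VM("a-app-02", "A", "app", "linux")  # provisioned later, same tags
    return {
        "app_to_db_1433": dfw.permits(a_app, a_db, "tcp", 1433),      # explicit allow
        "app_to_db_ssh": dfw.permits(a_app, a_db, "tcp", 22),         # not allowed
        "cross_app_1433": dfw.permits(b_app, a_db, "tcp", 1433),      # isolation between apps
        "new_vm_covered": dfw.permits(a_app_new, a_db, "tcp", 1433),  # no rule edit needed
        "rules_unchanged": len(dfw.rules) == rules_before,
    }
```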

Automated Security in a Software-Defined Data Center: Data Center Micro-Segmentation (slide diagrams with tier labels W, A and D)

Benefits of Taking a Software Defined Data Center Approach

Use cases: Multi-tenant Infrastructure, IT Automating IT, Developer Cloud, DMZ Anywhere, Micro-segmentation, Secure End User, Metro Pooling, Hybrid Cloud Networking, Disaster Recovery

Value

Speed & Agility: Reduce infrastructure provisioning time from weeks to minutes

Security: Secure infrastructure at 1/3 the cost

Application Continuity: Reduce RTO by 80%

Thank you