Post on 27-Jun-2020
Shahzad Ali, VMware Inc.; Dillon Doxey, VMware Inc.
NET1345BU
#VMworld #NET1345BU
NSX in Small Data Centers for Small and Medium Businesses
VMworld 2017 Content: Not for publication or distribution
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Introduction
[Figure: cluster types – Compute Cluster (DB VMs), Compute Cluster (Web/App VMs), Compute Cluster (VDI VMs), Edge Cluster, Management Cluster, Collapsed Cluster]
Disclaimer: Not all possible designs are discussed; only common options are shown.
1 Deployment Models
2 Design and Deployment Considerations
3 Growth – Business Needs
4 Case Studies
No DC left behind. Small DC does not mean small customer. Start anywhere, go anywhere.
NSX for vSphere Components (Reference)
• Management Plane (VMs): NSX Manager (NSX-MGR), vCenter (VC)
• Control Plane (VMs): NSX Controller Cluster, DLR Control VM
• Data Plane (ESXi Hypervisor): VDS, Logical Switch, Distributed Logical Router (DLR), Distributed Firewall (DFW)
• Data Plane (ESG VMs): NSX Edge services – NAT, Firewall, Load Balancer (LB), Router
Large DC: Hosts > 100; N-S BW > 10G
[Figure: WAN/Internet – L3/L2 DC Fabric – separate Management Cluster (Hosts M1–M3), Edge Cluster (Hosts E1–E4 running NSX Edge VMs) and Payload Clusters (Hosts P1–P5)]
Medium DC: Hosts 10-100; N-S BW < 10G
[Figure: WAN/Internet – L3/L2 – Collapsed Management & Edge Clusters (Hosts ME1–ME3 running NSX Edge VMs) and Payload Cluster (Hosts P1–P3)]
Small DC: Number of Hosts 3-10; N-S BW Requirement < 10G
[Figure: WAN/Internet – L3/L2 – Collapsed Management, Edge and Payload Cluster (Hosts C1–C4 running NSX Edge VMs)]
Cluster Features
• Collapse Mgmt., Edge and Payload
• Mix of low and high I/O requirement
Resource reservation is the key to meet SLA in Small DC
Deployment Models: Small DC does not mean small customer
Small DC Deployment Models
Security Focused
• Distributed Firewall
• Non disruptive
• VXLAN is not a requirement
• Existing setup
[Figure: VDS with VLAN backed port groups and uplink port group; DFW in the hypervisor; physical network]
Full Stack
• Distributed Firewall
• Logical Switching (VXLAN)
• Distributed Routing (DLR)
• ESG Service (NAT, LB, VPN etc.)
[Figure: VDS with VXLAN backed port groups (LS), DLR, transit LS, ESG VM, LB, bridge and uplink port group; DFW in the hypervisor; physical network]
Centralized Edge
• ESG VM based model
• Not much east/west traffic
• Intermediate/Transition step
• Multiple edges possible
[Figure: VDS with VLAN backed port groups attached to the ESG VM, uplink port group; DFW in the hypervisor; physical network]
Security Focused Model
• No physical routing/MTU change needed
• Use existing VLAN backed port groups
• DFW enabled on all hosts
Important Use-Cases
• Distributed Firewall
• Agentless Anti-Virus (AV)
[Figure: VDS, DFW, VLAN backed port groups, uplink port group, physical network]
Security Focused Model – Use-Case: Distributed Firewall
• Small footprint
– Min: 2 hosts required
– Easy expansion for additional workload
• Recommendation: At least 3 hosts in production
– Deploy more hosts to sustain a single host failure
[Figure: Single Cluster with NSX – WAN/Internet, L3/L2, Hosts C1–C3]
NSX Footprint
Function                                    vCPU  MEM (GB)  Storage (GB)  VMs
Tiny vCenter Appliance with Embedded PSC       2         8           120    1
NSX Manager                                    4        16            60    1
Total                                          6        24           180    2
Security Focused Model – Use-Case: Distributed Firewall with Agentless Anti-Virus (AV)
• Requires additional Service VMs
– NSX GI-SVM (Guest Introspection Service VM)
– Partner Service VM (SVM)
• Cluster based SVM deployment
– Min: 2 hosts required
– Recommendation: At least 3 hosts in production
[Figure: Single Cluster with NSX – WAN/Internet, L3/L2, Hosts C1–C3, each running an NSX GI SVM and a Partner SVM]
Function                                    vCPU  MEM (GB)  Storage (GB)  VMs
Tiny vCenter Appliance with Embedded PSC       2         8           120    1
NSX Manager                                    4        16            60    1
GI-SVM                                         2         1             4    one per host
Partner-SVM                                 see Guest Introspection partner for details    one per host
Centralized Edge Deployment Model
Transitional Model: From Security Focused to Full Stack
• No DLR, VXLAN and Controllers needed
– Port groups attached to ESG VM
– No physical routing/MTU changes needed
– Availability improved by Edge HA and vSphere
[Figure: Single Cluster – WAN/Internet, L3/L2, Hosts C1–C3 running NSX Edge VMs; VDS with port groups and DFW; physical network]
Multi-Function GW: Routing, Firewall, LB, NAT, VPN GW; supported trunk interface (200 VLANs)
Full Stack Model
• VXLAN based overlay
– Optimized routing (DLR) and logical switching (LS)
– Separation of control and data plane
– VXLAN and DFW enabled on all hosts
• MTU of >=1600 for VTEP VLAN segment
[Figure: VXLAN backed port groups (LS), DLR, transit LS, ESG VM, LB, bridge, uplink port group; DFW; physical network]
Full Stack Model: Deployment Considerations
• At least 3 hosts needed
– Recommendation: 4 ESXi hosts in Production
– Management and Edge functions co-exist with Payload
– No DLR Control VM needed with static routing
Function                                    vCPU   MEM (GB)  Storage (GB)  VMs
Tiny vCenter Appliance with Embedded PSC       2          8           120    1
NSX Manager                                    4         16            60    1
NSX Controllers                            4 x 3      4 x 3        28 x 3    3
Edge VM (Large)*                           2 x 2    0.5 x 2       ~1 x 2   2*
Total                                         22         37         ~ 266    7
* ESG with High Availability with static routing
[Figure: Single Cluster – WAN/Internet, L3/L2, Hosts C1–C4 running NSX Edge VMs]
vSphere Consideration
vCenter (VC)
Good vSphere and VC is the foundation
• Design Option#1: VC with Embedded PSC
– Recommended for small DC
– 1 single sign-on domain with single site
– No growth plans in near future
[Figure: Design Option#1 – vCenter Server VM with embedded PSC]
• Design Option#2: External PSC
– Recommended for medium-large setups with multiple vCenter
– For Small DC: If planning to grow
[Figure: Design Option#2 – separate PSC Server VM and vCenter Server VM]
vCenter Server VM Form Factor
• Tiny vCenter (VC) Appliance with Embedded PSC
– If minimizing resource utilization is key factor for deployment
• Majority Small DC Customers:
– Deploy Small VC appliance
– Future growth
• VC should be first to boot in VM boot order
Option (Embedded PSC)  Hosts    VMs  Potential NSX Deployment Type  vCPU  MEM (GB)  Disk (GB)
Tiny                      10    100  Small DC                          2         8        120
Small                    100   1000  Small DC                          4        16        150
Medium                   400   4000  Medium DC                         8        24        300
Large                   1000  10,000 Large DC                         16        32        450
http://tinyurl.com/DeployVC6
http://tinyurl.com/PerformanceVC6
vSphere and NSX Licensing Options
– NSX supported for all vSphere licenses
– VDS included with NSX (vSphere 5.5 U3 or 6.0+)
vSphere
• Essential+: Up to 3 hosts, vSphere HA
• Standard: 1000 hosts per vCenter, vSphere HA
• Enterprise or Enterprise+: vSphere HA, DRS, VDS etc.
vSphere Enterprise is EoA: https://kb.vmware.com/kb/2143987
Compare License Options: http://www.vmware.com/products/vsphere.html#compare
NSX (Reference)
Features                                          Standard  Advanced  Enterprise
Distributed Routing and Switching (DLR/VXLAN)        ✓         ✓          ✓
NSX ESG (except load balancer)                       ✓         ✓          ✓
SW L2 bridging                                       ✓         ✓          ✓
Distributed Firewall (DFW – Micro-Segmentation)                ✓          ✓
NSX Edge load balancing                                        ✓          ✓
Cross vCenter NSX                                                         ✓
NSX Components Consideration
NSX - Modular and Flexible
NSX Manager
• Reservation enabled by default (16 GB reserved by default)
• vCPU and Mem modification allowed
– Stick with the defaults
• Add VC VM in the NSX “VM Exclusion List”
– Or create fine grained rules in DFW
– NSX components are automatically part of exclusion list
• NSX manager backup
• Not in the data-path
• Second in VM boot order
NSX Controllers
• Only needed for VXLAN and DLR
• Must deploy 3
– Manually create “SHOULD” anti-affinity rules
• 4 GB MEM reserved by default (MEM: 4 GB)
• Locked down VM
– vCPU/MEM modification disabled
• Not in the data-path
• 3rd in VM boot order
DLR Control VM
• Needed if dynamic routing is configured
• Deploy in HA mode (Active/Standby)
• vCPU/MEM modification disabled
• Anti-affinity rule is created automatically
• Lightweight VM; reservation enabled
Edge Service Gateway
• VM Form factor
– Large: Good for small DC design/features
– X-Large: For L7 NSX Load Balancer (LB)
– Form factor can be upgraded any time later
• Reservation enabled by default
– Locked down VM
VM Size      vCPU  Memory  HD (GB)  Suitable For
Compact         1   512 M        1  LAB/PoC
Large           2    1 GB        1  Small DC
Quad Large      4    2 GB        1  Medium/Large DC
X-Large         6    8 GB        3  L7 LB
ESG Design Choices: ESG in HA or ECMP?
• Stateful Services? Yes
– Throughput Requirement > 10G: Multi-tiered Design
– Throughput Requirement < 10G: ESG-HA
• Stateful Services? No
– Throughput Requirement > 10G: 2 or more ESG-ECMP
– Throughput Requirement < 10G: ESG-HA
[Other designs are also possible depending on scale]
ESG Deployment
ESG with HA
– Anti-affinity rules automatically created (DRS) – Automatic Rule
– Avoid: Active ESG and Active DLR Control VM on same host
[Figure: Host 1 – Active ESG, Standby DLR Control VM; Host 2 – Standby ESG, Active DLR Control VM]
ESG with ECMP
– Manually create anti-affinity rules
– Avoid: Active ESG and Active DLR Control VM on same host
[Figure: Hosts 1–4 – one ECMP ESG per host, Active DLR Control VM and Standby DLR Control VM on different hosts]
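The two placement rules on the ESG Deployment slide (HA pair and ECMP members on distinct hosts; the active ESG never on the same host as the active DLR Control VM) can be checked against a proposed VM-to-host layout before the manual ECMP rules are written or after NSX has created the HA rules. The script below is an added example, not code from the deck or from VMware; the `EdgeVM` model, the `check_placement` function and the three sample layouts are constructed for illustration.

```python
"""Anti-affinity placement check for NSX edge components on a small cluster.

Added example; not code from the VMworld deck. It encodes the placement rules
the "ESG Deployment" slide states so a proposed VM-to-host layout can be checked
before DRS rules are written by hand (the ECMP case) or verified after NSX has
created them (the HA case). The placements at the bottom are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class EdgeVM:
    name: str
    kind: str                    # "esg" or "dlr-control"
    host: str
    group: str                   # HA pair id (both members share it) or "ecmp"
    state: Optional[str] = None  # "active"/"standby" for HA pairs; None for ECMP ESGs

    @property
    def forwards_traffic(self) -> bool:
        # Every ECMP ESG forwards; in an HA pair only the active member does.
        return self.group == "ecmp" or self.state == "active"


def check_placement(vms: List[EdgeVM]) -> List[str]:
    """Return a list of rule violations (an empty list means the layout complies)."""
    violations = []

    # Rule 1: members of an HA pair, and all ECMP ESGs, must sit on distinct hosts.
    by_group = defaultdict(list)
    for vm in vms:
        by_group[vm.group].append(vm)
    for group, members in by_group.items():
        seen = {}
        for vm in members:
            if vm.host in seen:
                violations.append(f"{group}: {seen[vm.host]} and {vm.name} share {vm.host}")
            seen[vm.host] = vm.name

    # Rule 2: an active (forwarding) ESG must not share a host with the active DLR Control VM.
    active_esg_by_host = {vm.host: vm.name for vm in vms if vm.kind == "esg" and vm.forwards_traffic}
    for vm in vms:
        if vm.kind == "dlr-control" and vm.state == "active" and vm.host in active_esg_by_host:
            violations.append(
                f"active DLR Control VM {vm.name} shares {vm.host} with active ESG {active_esg_by_host[vm.host]}"
            )
    return violations


# Constructed sample: HA design on a 3-host collapsed cluster, first attempt
HA_BAD = [
    EdgeVM("esg-01", "esg", "host-c1", "esg-ha", "active"),
    EdgeVM("esg-02", "esg", "host-c2", "esg-ha", "standby"),
    EdgeVM("dlr-ctrl-01", "dlr-control", "host-c1", "dlr-ha", "active"),
    EdgeVM("dlr-ctrl-02", "dlr-control", "host-c3", "dlr-ha", "standby"),
]
# Same VMs with the active DLR Control VM moved off the active ESG's host
HA_GOOD = [
    EdgeVM("esg-01", "esg", "host-c1", "esg-ha", "active"),
    EdgeVM("esg-02", "esg", "host-c2", "esg-ha", "standby"),
    EdgeVM("dlr-ctrl-01", "dlr-control", "host-c3", "dlr-ha", "active"),
    EdgeVM("dlr-ctrl-02", "dlr-control", "host-c2", "dlr-ha", "standby"),
]
# Constructed ECMP design on 4 hosts where two ECMP edges were left on one host
ECMP_BAD = [
    EdgeVM("esg-01", "esg", "host-c1", "ecmp"),
    EdgeVM("esg-02", "esg", "host-c1", "ecmp"),
    EdgeVM("esg-03", "esg", "host-c3", "ecmp"),
    EdgeVM("dlr-ctrl-01", "dlr-control", "host-c4", "dlr-ha", "active"),
    EdgeVM("dlr-ctrl-02", "dlr-control", "host-c2", "dlr-ha", "standby"),
]

if __name__ == "__main__":
    for label, layout in (("HA_BAD", HA_BAD), ("HA_GOOD", HA_GOOD), ("ECMP_BAD", ECMP_BAD)):
        print(label, check_placement(layout) or "compliant")
```

Feed the function the host placement exported from vCenter after a DRS run rather than the intended layout: the slide's point is that HA pairs get their rules automatically while ECMP edges do not, so only the observed placement tells you whether the manual rules were actually created.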
vSphere High Availability (HA) and NSX
vSphere HA Admission Control ensures VM failover capacity
Admission Control policy options
• Slot Policy – N+1
• Cluster Resource Percentage – 10%
• Dedicated Failover – Standby Host
vSphere HA restart priority
• Cluster percentage based admission control means more flexibility with workloads
– A lack of resources may require that some VMs not be restarted during an HA event
– HA restart priority allows you to designate high priority vs. low priority workloads
– NSX workloads should be designated as the highest priority
– HA Dependencies can also be used
vSphere HA Calculations
Know what you have to work with
• Total your cluster resources and make notes of how much CPU and Memory are available
vSphere HA Calculations
Know what you have to work with
Total Cluster CPU = 11.20 GHz
Total Cluster MEM = 10.00 GB
Slot Based HA Policy
5600MHz / 32MHz = 175 Slots
5000MB / 100MB = 50 Slots
Cluster Percentage Based Policy
11200MHz * .75 = 8400MHz
10000MB * .75 = 7500MB
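The slot-policy and cluster-percentage arithmetic on this slide, together with the NSX footprint tables from the deployment-model slides (in particular the Full Stack table: 22 vCPU, 37 GB reserved memory, 7 VMs), is the input to the "sustain a single host failure" recommendation. The script below is an added worked example, not code from the deck or from VMware. It reproduces the slide's figures from the slide's own inputs (11.20 GHz and 10.00 GB cluster totals, 32 MHz and 100 MB slots, 25 % held back), then checks whether the Full Stack reservations still fit on the surviving hosts of a 3- and a 4-host cluster. The 64 GB host size and the 100 GB payload reservation are constructed sample values, and the failure check is memory-only because the deck's table lists vCPU counts rather than MHz reservations.

```python
"""vSphere HA admission-control arithmetic for an NSX small-DC cluster.

Added worked example; not code from the VMworld deck. It reproduces the
slot-policy and cluster-percentage figures from the "vSphere HA Calculations"
slide and then asks whether the "Full Stack" NSX footprint from the deployment
considerations table still fits after one host is lost. Host sizes and the
payload reservation used at the bottom are constructed sample values.
"""
from math import floor

# NSX footprint from the deck's "Full Stack Model: Deployment Considerations" table:
# (component, vCPU per VM, reserved memory in GB per VM, number of VMs)
FULL_STACK_FOOTPRINT = [
    ("Tiny vCenter Appliance with Embedded PSC", 2, 8.0, 1),
    ("NSX Manager", 4, 16.0, 1),
    ("NSX Controller", 4, 4.0, 3),
    ("Edge VM (Large), HA pair", 2, 0.5, 2),
]


def footprint_totals(footprint):
    """Sum vCPU, reserved memory (GB) and VM count over a footprint table."""
    vcpu = sum(cpu * count for _, cpu, _, count in footprint)
    mem_gb = sum(mem * count for _, _, mem, count in footprint)
    vms = sum(count for _, _, _, count in footprint)
    return vcpu, mem_gb, vms


def percentage_policy(total_mhz, total_mb, reserved_fraction):
    """Cluster Resource Percentage policy: capacity still usable by workloads
    once reserved_fraction of CPU and memory is held back for failover."""
    usable = 1.0 - reserved_fraction
    return total_mhz * usable, total_mb * usable


def slot_policy(avail_mhz, avail_mb, slot_mhz, slot_mb):
    """Slot policy: express capacity as slots; the usable count is bounded by
    whichever resource yields fewer slots (memory, in the slide's numbers)."""
    cpu_slots = floor(avail_mhz / slot_mhz)
    mem_slots = floor(avail_mb / slot_mb)
    return cpu_slots, mem_slots, min(cpu_slots, mem_slots)


def survives_host_failure(hosts, host_mem_gb, reserved_gb, failures=1):
    """N+1 style memory check: do the reservations still fit on the hosts that
    remain after `failures` hosts are lost? Returns (ok, headroom_gb)."""
    remaining_gb = (hosts - failures) * host_mem_gb
    return reserved_gb <= remaining_gb, remaining_gb - reserved_gb


def full_stack_fits(hosts, host_mem_gb, payload_reserved_gb, failures=1):
    """Combine the NSX footprint with a payload reservation and run the check."""
    _, nsx_gb, _ = footprint_totals(FULL_STACK_FOOTPRINT)
    return survives_host_failure(hosts, host_mem_gb, nsx_gb + payload_reserved_gb, failures)


if __name__ == "__main__":
    # Slide figures: 11.20 GHz / 10.00 GB cluster, 25 % held back, 32 MHz / 100 MB slots
    print(percentage_policy(11200, 10000, 0.25))   # (8400.0, 7500.0)
    print(slot_policy(5600, 5000, 32, 100))        # (175, 50, 50)
    print(footprint_totals(FULL_STACK_FOOTPRINT))  # (22, 37.0, 7)
    # Constructed: 64 GB hosts, 100 GB of payload reservations
    for n in (3, 4):
        ok, headroom = full_stack_fits(n, 64, 100)
        verdict = "fits" if ok else "does NOT fit"
        print(f"{n} hosts: {verdict} after one host failure, headroom {headroom:g} GB")
```

With these constructed inputs the 3-host cluster comes up 9 GB short once a host is lost while the 4-host cluster keeps 55 GB of headroom, which is the arithmetic behind the deck's "at least 3, recommend 4" guidance: the NSX reservations are fixed, so every host you add goes to payload headroom.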
vSphere Resource Pools and NSX
Resource Pools can be used to guarantee resources to priority workloads
• Use Resource Pools to guarantee CPU and Memory to priority workloads
CAUTION!
• Resource pools can be detrimental to VM performance if not used and maintained correctly
• Use cluster resources calculations and VM requirements to build Pools properly
• Plan for growth!
VDS (vSphere Distributed Switch)
• VDS requires vSphere Enterprise+
– Free with NSX (vSphere 5.5 U3 or 6.0+)
• Use single VDS – keep it simple
• Recommended VTEP vmknic teaming policy is Route Based on Originating Port (Source-ID)
– VXLAN multipath with multiple VTEPs per host
• For simplicity (single VTEP) - use “Fail Over”
Growing NSX Small DC Deployments: Start Anywhere – Grow Anywhere – Without Any Boundaries
Grow as Per Business Requirements
Starting Small – Less Upfront Cost – Phased Approach
Grow NSX: Compute Capacity, Throughput, Feature/Services, Migration, More Sites
Case-Study1: DFW to Service Insertion to Full Stack
Enhancing DC Security Beyond DFW
Note: Other topologies are possible – the pictures shown are representative only
[Figure: VDS with Distributed Firewall; Partner SVM and GI SVM per host; VLAN backed port groups and VXLAN backed port groups; NSX Edge VMs; VXLAN transit logical switch; uplink port groups]
Case-Study2: Single Site to Multi-Site (Cross-VC NSX)
Note: Other topologies are possible – the pictures shown are representative only
[Figure: Site-A with DLR, Site-B; Universal DLR spanning both sites]
Key Takeaways
• All DCs are equal for NSX
• Small DC does not mean small customer
• Start anywhere, grow anywhere
Where to Get Started
Join VMUG for exclusive access to NSX: vmug.com/VMUG-Join/VMUG-Advantage
Connect with your peers: communities.vmware.com
Find NSX Resources: vmware.com/products/nsx
Network Virtualization Blog: blogs.vmware.com/networkvirtualization
Dozens of Unique NSX Sessions
• Spotlights, breakouts, quick talks & group discussions
Visit the VMware Booth
• Product overview, use-case demos
Visit Technical Partner Booths
• Integration demos – Infrastructure, security, operations, visibility, and more
Meet the Experts
• Join our Experts in an intimate roundtable discussion
Free Hands-on Labs
• Test drive NSX yourself with expert-led or self-paced hands-on labs: labs.hol.vmware.com
Training and Certification
• Several paths to professional certifications. Learn more at the Education & Certification Lounge: vmware.com/go/nsxtraining