vmware nsx @ vmug.it 20150529

Post on 07-Aug-2015


© 2010 VMware Inc. All rights reserved

VMUG IT Meeting – PI 29/05/2015

VMware NSX


Who I am

Andrea Mauro

• IT Architect, VCP/VCAP/VCDX-DCV, VCP/VCAP-Cloud/DT, VCP/VCIX-NV

• vExpert 2010-2015

• http://vinfrastructure.it

• @Andrea_Mauro

• it.linkedin.com/in/andreamauro

• https://about.me/amauro


Key functions of network virtualization


VMware NSX

General Purpose Server Hardware

(Dell, HP, IBM, OpenCompute, Quanta)

General Purpose IP Hardware

(Arista, Cisco, HP, Juniper, Accton)


How to try it?

The problem of access to the code and/or licenses

Trial mode, but not for download

"Free" licenses for vExperts

HoL

• HOL-SDC-1424 – VMware NSX in the SDDC

• HOL-SDC-1403 – VMware NSX Introduction

• HOL-SDC-1425 – VMware NSX Advanced

http://vinfrastructure.it/it/2015/03/come-studiare-vmware-nsx-senza-poterlo-provare/

The information on the roadmap is intended to outline our general product direction and it should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract.

Building an SDN


A data center network…


Compute infrastructure…


Hypervisors and vSwitches…


NSX | The “Network Hypervisor”


Virtual Networks – Like Virtual Machines for the Network


Services


A Virtual Network?


Non-Disruptive Deployment


Programmatically Provisioned


Services Distributed to the Virtual Switch


Physical Workloads and Legacy VLANs


How does it work?


NSX Components


VMware NSX management, control, and data planes


Micro Segmentation


Protection scenarios

Isolation: Dev / Test / Production – no communication path

Segmentation: Web / App / DB – controlled communication path

Service insertion: Web / App / DB – controlled communication path with advanced services


The Problem: Data Center Network Security

Perimeter-centric network security has proven insufficient

[Chart: IT spend vs. security spend]

Today’s security model focuses on perimeter defense

But continued security breaches show this model is not enough


But micro-segmentation has been operationally infeasible

A typical data center has: 1000 workloads vs 2 firewalls

Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient

And a physical firewall per workload is cost prohibitive


Achieving Micro-segmentation with NSX

Traditional Data Center:

• Location (physical, logical) of VMs is constrained by the networks and systems they need to access

• Communication within a VLAN is uncontrolled

• Addition of new VMs is slowed by web of policies

[Diagram: perimeter firewall and inside firewall in front of a DMZ/Web VLAN, App VLAN, DB VLAN and Services/Management VLAN, each mixing HR and Finance workloads]

NSX Data Center:

• NSX enables grouping by logical functions – no change to the underlying topology necessary

• Policies align with security groups – not location

• Streamlines new VM deployment – security policies automatically inherited

[Diagram: perimeter firewall in front of an HR Group, a Finance Group and a Services/Management Group, each containing its own DMZ/Web, App and DB tiers]


Configure policy with Security Groups

Use security groups to abstract policy from application workloads.

1. Select elements to uniquely identify application workloads

2. Use attributes to create Security Groups

3. Apply policies to security groups

[Diagram: VM "App 1" with OS: Windows and TAG: "Production" placed in Group XYZ; Group XYZ receives Policy 1 ("IPS for Desktops", "FW for Desktops") and Policy 2 ("AV for Production", "FW for Production")]

Element type – Static: Data center, Virtual net, Virtual machine, vNIC

Element type – Dynamic: VM name, OS type, User ID, Security tag

• Enforce policy based on logical constructs

• Reduce configuration errors

• Policy follows VM, not IP

• Reduce rule sprawl and complexity


Use case 1: Network segmentation

Controlling traffic within a network

[Diagram: NSX Data Center – perimeter firewall in front of an HR Group, a Finance Group and a Services/Management Group, each with DMZ/Web, App and DB tiers]

Control traffic between groups within a network

Secure traffic based on logical grouping – rather than physical topology

Create network segments flexibly – even between systems on the same VLAN
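As an added example (not VMware's code or the NSX API), a small Python model of the security-group policy described in the "Configure policy with Security Groups" slide and in use case 1: groups gain members dynamically by security tag and VM name pattern, distributed-firewall rules are written between groups with default deny, and the same Web/App/DB policy still holds after a web VM moves to another IP or VLAN. The group names, rules and sample VMs are constructed for the illustration.

```python
# Added example, not VMware code: a minimal model of NSX-style security groups
# and DFW rules, showing policy follows group membership, not IP or VLAN.
from dataclasses import dataclass, field
from fnmatch import fnmatch

@dataclass
class VM:
    name: str
    os: str
    ip: str
    vlan: int
    tags: set = field(default_factory=set)

@dataclass
class SecurityGroup:
    name: str
    tag: str = None        # dynamic criterion: security tag
    os: str = None         # dynamic criterion: OS type
    name_glob: str = None  # dynamic criterion: VM name pattern
    members: set = field(default_factory=set)  # static members (VM names)

    def contains(self, vm: VM) -> bool:
        # Static member, or every configured dynamic criterion must match.
        if vm.name in self.members:
            return True
        checks = [(self.tag, lambda: self.tag in vm.tags),
                  (self.os, lambda: vm.os == self.os),
                  (self.name_glob, lambda: fnmatch(vm.name, self.name_glob))]
        active = [ok for crit, ok in checks if crit is not None]
        return bool(active) and all(ok() for ok in active)

# DFW rules as (source group, destination group, TCP port, action).
RULES = [("web", "app", 8080, "allow"), ("app", "db", 3306, "allow")]

GROUPS = {
    "web": SecurityGroup("web", tag="Production", name_glob="web-*"),
    "app": SecurityGroup("app", tag="Production", name_glob="app-*"),
    "db": SecurityGroup("db", tag="Production", name_glob="db-*"),
}

def allowed(src: VM, dst: VM, port: int, groups=GROUPS) -> bool:
    """Default deny: traffic needs a rule whose groups contain both VMs."""
    for sg, dg, rport, action in RULES:
        if rport == port and groups[sg].contains(src) and groups[dg].contains(dst):
            return action == "allow"
    return False

# Constructed sample workloads; note all three share VLAN 10.
WEB = VM("web-01", "Linux", "10.0.10.11", 10, {"Production"})
APP = VM("app-01", "Windows", "10.0.10.12", 10, {"Production"})
DB = VM("db-01", "Linux", "10.0.10.13", 10, {"Production"})
```

Web to DB is denied even though both sit on the same VLAN, and an untagged VM named like a web server is not admitted to the group, so it gets no path at all.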


Use case 2: Multi-tenancy with segmentation and advanced services

Isolation: no traffic between networks

[Diagram: Tenant 1 and Tenant 2, each a separate NSX network with its own perimeter firewall, HR Group, Finance Group and Services/Management Group (DMZ/Web, App and DB tiers)]

Completely separate unrelated networks

Add advanced services based on virtual network, network segment, or Security Group


Use case 3: VDI

Simplify VDI deployments

• Eliminate complex policy sets and topologies for different VDI users

• Align policies to logical grouping

• Decouple network topology from VDI security

[Diagram: Traditional Data Center – one VLAN each for Engineering, External Contractor 1 and External Contractor 2, with rules keyed on VLAN and IP for every combination of user VLAN and application tier (Web 1, App 1, Web 2, App 2); NSX Data Center – Security Groups keyed on identity (Eng, "External 1*", "External 2*") mapped to APP 1 and APP 2; the two approaches are compared in a table with columns VLAN, IP, Identity, Security Group]


The power of distribution


The Power of Distribution


http://blogs.vmware.com/networkvirtualization/2013/09/vmware_nsx_cisco.html


Performance difference


Live lab


To learn more

http://vcdx133.com/2014/10/05/nsx-link-o-rama/

http://virtualpatel.blogspot.ca/2013/11/vmware-nsx-resources.html

http://networkinferno.net/nsx-compendium

http://vinfrastructure.it/it/2015/03/come-studiare-vmware-nsx-senza-poterlo-provare/

http://vinfrastructure.it/it/2014/09/micro-segmentare-rete-nsx/

http://vinfrastructure.it/it/2014/06/report-seminario-nsx/


Enjoy The Day!

Join the Conversation!

@vmugit

@MyVMUG

#VMUGIT

www.vmug.com/italy
