Date posted: 21-Mar-2017 | Category: Education
Introduction to NSX
Carlo Cavallina, Systems Engineer, NSX Specialist
Agenda
1. Who am I?
2. The IT transformation and the SDDC approach
3. The Network Virtualization
4. Disaster Recovery – The new era
5. Microsegmentation
6. NSX – The use cases
Who am I?
Going beyond server virtualization
IT'S TIME FOR A NEW IT APPROACH
Pressures on IT today: slow technology adoption rates, high user expectations, slow responses, privacy issues, integration problems, service outages, shortage of the right skills, declining budget, different applications, aging infrastructure, security, proliferation of devices, fragmented data center, limited resources, cloud silos.
It's Time to Virtualize the WHOLE Data Center
The Software Defined Data Center: efficient, secure, agile. Optimized for rapid development and delivery of all applications, for safe consumption on any device.
Network Virtualization is Key
What is a Software Defined Data Center (SDDC)?
Hardware-centric model: intelligence in hardware; dedicated, vendor-specific infrastructure; manual configuration & management.
Software-centric model (Data Center Virtualization Layer): intelligence in software; the operational model of a VM applied to the whole data center; automated configuration & management.
Hardware becomes compute, network and storage capacity: pooled, vendor independent, best price/performance infrastructure; simplified configuration & management.
Enterprise Data Center: compute, storage and network running enterprise applications; security, load balancing, routing and service chaining are delivered by the infrastructure.
Google, Facebook, Amazon: compute, storage and network running custom distributed applications; network services (security, application load balancing, routing, HA, etc.) are distributed out to the applications. Result: software automation, agility & speed, simplified operations, increased stability & reliability, lower cost.
Enterprise IT with a Data Center Virtualization Layer: compute, storage and network under a virtualization layer, enterprise applications on top; the layer brings the custom distributed application design to enterprise applications.
The operational model of a VM for the entire data center: programmatically create, snapshot, store, move, delete, restore.
Sounds interesting, BUT… It sounds like a big change. I’m not even sure I understand what network virtualization is.
Bridging Two Worlds: the Traditional Approach versus the Software Defined Data Center Approach. Which pill do you want?
Network Virtualization is at the core of an SDDC approach
Network, storage and compute: every physical host runs a hypervisor with a vSwitch. The virtualization layer acts as a "network hypervisor" on which virtual data centers are created. Deployment is non-disrupting: the existing hypervisors and vSwitches stay in place.
The Power of Distributed Services
Network and security services are now distributed in the hypervisor, in the vSwitch of every host: switching, routing, firewalling/ACLs, load balancing. This gives high throughput rates, East-west firewalling and a native platform capability.
Traditional Layer 3 Routing?
Two hypervisors, each with an NSX vSwitch and VMs in user space; traffic between VMs on different hosts crosses the physical network.
A Virtual Network?
Distributed network services run in the NSX vSwitch of each hypervisor, forming a virtual network on top of the physical network.
Non-Disruptive Deployment
The virtual network with its distributed network services is deployed over the existing physical network; the hypervisors and VMs stay where they are.
Programmatically Provisioned
A Cloud Management Platform drives the Cluster Controller, which programs the distributed network services into the NSX vSwitch of every hypervisor.
Network & Security Services Distributed to the Virtual Switch
With the Cloud Management Platform and Cluster Controller pushing services to the NSX vSwitch on each physical host, the physical network becomes a high-speed IP backplane: a simplified IP backplane with no VLANs, no ACLs and no firewall rules.
Native Isolation
Two virtual networks on the same physical hosts are isolated from each other: the same addresses (192.168.2.10 and 192.168.2.11) appear in both without conflict.
DR Today (simple view)
Primary site on 10.0.10/24 and recovery site on 10.0.20/24, each with its own physical network infrastructure and SAN.
1. Snapshot VM
2. Replicate VM & storage (steps 1 & 2 e.g. VMware SRM)
3. Recover the VM
4. Change IP address (10.0.10.21 becomes 10.0.20.21) and reconfigure security: major RTO impact
DR with NSX Network Virtualization (simple view)
Primary and recovery sites each keep their own physical network infrastructure (10.0.10/24 and 10.0.20/24), SAN and NSX Controller; the virtual network 10.0.30/24 exists at both sites.
1. Snapshot VM (steps 1 & 2a e.g. VMware SRM)
2a. Replicate VM & storage
2b. Snapshot network & security
3. Recover the VM: network & security already exist at the recovery site, so the VM keeps 10.0.30.21. RTO reduced by 80%.
Support for Physical Workloads and VLANs
Physical or virtual workloads on VLANs join the virtual network either through an x86 gateway or through top-of-rack switches (OVSDB – VTEP), both driven by the Cluster Controller. Deployment is non-disruptive.
The Power of Distributed Network & Security Services & Policies
Why traditional approaches are operationally infeasible: with perimeter firewalls between the Internet and the hosts, you must
• create firewall rules before provisioning
• update firewall rules when an application moves or changes
• delete firewall rules when the application is decommissioned
• and the problem grows with more East-West traffic
How an SDDC approach makes micro-segmentation feasible
The Cloud Management Platform attaches a security policy to each VM as it is provisioned, enforced in the vSwitch of every hypervisor; perimeter firewalls remain at the Internet edge.
There is a BIG difference…
Physical firewalls: traditional rule management & operations; chokepoint enforcement; ~100 Gbps.
Virtual firewalls: traditional rule management & operations; chokepoint enforcement; ~1 Gbps.
Distributed firewalling: automated policy management & operations; distributed enforcement; vSphere kernel-based performance; distributed scale-out capacity (20 Gbps/host).
Align type of controls to what you are protecting
Isolation: Application A and Application B have no communication path.
Explicit allow communication: App tier to DB tier only on the needed service (e.g. TCP 1433).
Secure communications: service insertion of NGFW and IPS for traffic that needs deeper inspection.
All three are programmed through the NSX Controller.
Advanced Services Insertion – Example: Palo Alto Networks NGFW
The security admin defines the security policy; traffic steering in the vSwitch of each hypervisor sends the selected traffic through the NGFW.
Intelligent grouping: groups defined by customized criteria
• Operating system
• Machine name
• Application tier
• Services
• Security posture
• Regulatory requirements
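As an added illustration (not part of Carlo Cavallina's slides), the following Python models the grouping and explicit-allow behaviour of the last two slides: groups are derived from VM attributes rather than addresses, the only permitted path is App tier to DB tier on TCP 1433 inside one application, and everything else is isolated. Group names, VM attributes and addresses are constructed sample data.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class VM:
    """Constructed sample attributes a grouping engine could key on."""
    name: str
    ip: str
    os: str
    app: str   # application the workload belongs to ("A" or "B")
    tier: str  # "web", "app" or "db"

# Groups are defined by criteria (OS, name, application tier), not by
# IP address, so membership follows the VM when it moves or is re-addressed.
GROUPS = {
    "app-a-app": lambda vm: vm.app == "A" and vm.tier == "app",
    "app-a-db":  lambda vm: vm.app == "A" and vm.tier == "db",
    "app-b-app": lambda vm: vm.app == "B" and vm.tier == "app",
    "app-b-db":  lambda vm: vm.app == "B" and vm.tier == "db",
}

# Explicit-allow rules: (source group, destination group, protocol, port).
# Anything not matched falls through to the default deny, which is what
# leaves Application A and Application B with no communication path.
RULES = [
    ("app-a-app", "app-a-db", "tcp", 1433),
    ("app-b-app", "app-b-db", "tcp", 1433),
]

def groups_of(vm: VM) -> set:
    return {name for name, match in GROUPS.items() if match(vm)}

def evaluate(src: VM, dst: VM, proto: str, port: int) -> str:
    """Return 'allow' on the first matching rule, otherwise 'deny'."""
    src_groups, dst_groups = groups_of(src), groups_of(dst)
    for sg, dg, p, prt in RULES:
        if sg in src_groups and dg in dst_groups and (p, prt) == (proto, port):
            return "allow"
    return "deny"

# Constructed inventory; addresses follow the slides' 10.0.30/24 virtual network.
A_APP = VM("a-app-01", "10.0.30.21", "Windows Server 2012", "A", "app")
A_DB = VM("a-db-01", "10.0.30.31", "Windows Server 2012", "A", "db")
B_DB = VM("b-db-01", "10.0.30.41", "Linux", "B", "db")

if __name__ == "__main__":
    print(evaluate(A_APP, A_DB, "tcp", 1433))  # allow: A app tier to A DB tier
    print(evaluate(A_APP, B_DB, "tcp", 1433))  # deny: applications are isolated
```

Because the decision depends only on group membership, a recovered copy of a-app-01 with a different address still gets the same policy, which is the point of snapshotting network & security alongside the VM.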
Automated Security in a Software-Defined Data Center: Data Center Micro-Segmentation (diagram of segmented application tiers)
Benefits of Taking a Software Defined Data Center Approach
Use cases: multi-tenant infrastructure, IT automating IT, developer cloud, DMZ anywhere, micro-segmentation, secure end user, metro pooling, hybrid cloud networking, disaster recovery.
Value, across security, speed & agility and application continuity: reduce infrastructure provisioning time from weeks to minutes; secure infrastructure at 1/3 the cost; reduce RTO by 80%.
Thank you