
VMware NSX® for vSphere® 6.2
Knowledge Transfer Kit: Overview

© 2016 VMware Inc. All rights reserved.


Agenda
• What is a Software-Defined Data Center?
• Network Virtualization with VMware NSX
• What’s New in NSX for vSphere 6.2.3
• NSX for vSphere 6.2
• Deploying VMware NSX for vSphere
• Ecosystem

What is a Software-Defined Data Center?

Software-defined versus hardware-defined:
• Hardware independent, instead of dedicated, vendor-specific hardware
• Intelligence in software, instead of intelligence in ASICs
• Automated configuration and management, instead of manual configuration and management
What is a Software-Defined Data Center? (cont.)

[Diagram: the SDDC stack. Application consumption (applications) at the top; a software layer of virtual machines, virtual networks and virtual storage; a hardware layer of compute, network and storage capacity. Endpoints (desktop, virtual desktop, laptop, tablet, mobile) connect over the Internet. Location independence.]
Biggest Industry Transformation Since Mainframe-to-Client Server Computing

Enterprise IT Will Change

Why?
Enterprise Business Leaders Want Their IT to be Like Amazon
• New IT: an internal Software-Defined Data Center (SDDC) or a Hardware-Defined Data Center (HDDC)
• No IT: outsourced
Anatomy of the Most Agile and Efficient Data Centers is SDDC
Google / Facebook / Amazon data centers:
• Custom application (software / hardware abstraction)
• Custom platform (software / hardware abstraction)
• Any x86, any storage, any IP network
Choice for “New IT” – SDDC or HDDC
• Software-Defined Data Center (SDDC): any application; SDDC platform (data center virtualization); any x86, any storage, any IP network
• Google / Facebook / Amazon data centers: custom application and custom platform (software / hardware abstraction); any x86, any storage, any IP network
• Hardware-Defined Data Center (HDDC): any application; HDDC platform (vertical integration); integrated x86, integrated storage, vendor-specific network
“New IT” Will Be SDDC
The same SDDC platform (data center virtualization) runs any application on any x86, any storage and any IP network, whether in a single software-defined data center, across data centers (inter-data center) or in a hybrid data center.
Remember, SDDC is Not a Product – SDDC is an Approach
[Diagram: the SDDC stack again: application consumption; virtual machines, virtual networks and virtual storage in software; compute, network and storage capacity in hardware; endpoints (desktop, virtual desktop, laptop, tablet, mobile) connecting over the Internet; location independence.]
Businesses Are Buying the Vision and Strategy
• Products: building blocks and tools
• Strategic approach: the data center for the next 10 years
Selling SDDC
What customers want (agility):
• Service delivery speed
• Infrastructure flexibility
• Capacity elasticity
How they justify it (efficiency):
• OpEx and CapEx savings
• Business velocity
• Results measurement and optimization
What Customers Want
• Resource pools
• Flexible IPAM
• Zero-trust security: micro-segmentation
• Elastic compute zones
• Self-service IT at scale
• Extensions to public clouds
Network virtualization is the missing piece.
What Must Happen
Can we run networks like VMs? Apply the virtual machine operational model to the data center network:
• Decouple from hardware
• Create, delete, grow, shrink
• Transparent to the application
• Programmatic monitoring
• Extensible
Software-Defined Data Center – IT Outcomes
IT outcomes:
• App and infrastructure delivery automation
• Security controls native to infrastructure
• Streamlined and automated data center operations
• Data center virtualization and hybrid cloud extensibility
• High availability and resilient infrastructure
Business priorities they serve:
• IT service delivery time in minutes
• Secure delivery of mobile apps in minutes (business mobility)
• Improved security
• OpEx reduction (automation-to-effort ratio)
• CapEx reduction
• Improved uptime
Tied to VMware SDDC IT Outcomes
Professional service: [T] = technical; [O] = operational

High Availability and Resilient Infrastructure
• Stage 1: High availability, backup and replication
• Stage 2: Automated disaster recovery for vSphere across sites
• Stage 3: Self-service, policy-based DR protection for apps and to hybrid cloud environments
• Services: [T] BCDR D&D; [T] SDDC D&D; custom services (T&M)

Data Center Virtualization and Standardization
• Stage 1: Compute virtualization; virtualization for business critical apps; big-data app support
• Stage 2: Software-defined storage; network virtualization; data center migration
• Stage 3: Management across hybrid and heterogeneous data centers; extension to hybrid cloud
• Services: [T] Virtualization D&D; [T] Network Virtualization D&D; [T] SDDC D&D; [T] SDS Accelerator; [T] Cloud Automation D&D

Security Controls Native to Infrastructure
• Stage 1: Layer 2 to Layer 7 network virtualization and network security tied to workloads; micro-segmentation and multi-tenancy
• Stage 2: Advanced third-party security services integrated into the network platform
• Stage 3: Extension of network and security services to hybrid cloud
• Services: [T] Network Virtualization D&D; [T] SDDC D&D; [T] Cloud Automation D&D

Streamlined and Automated Data Center Operations
• Stage 1: Performance and capacity optimization; infrastructure health monitoring; compliance monitoring
• Stage 2: Third-party integration, customized dashboards
• Stage 3: App health monitoring; quality of service management
• Services: [T] Performance & Capacity Mgmt D&D; [T] Compliance D&D; [O] Ops Trans for Compliance; [O] Ops Trans for Performance & Capacity

App and Infrastructure Delivery Automation
• Stage 1: Automated VM delivery (IaaS); infrastructure costing
• Stage 2: Automated middleware and apps delivery; policy-based network/storage services; service costing
• Stage 3: Hybrid cloud (for example, AWS, OpenStack); application release automation (DevOps); custom services (for example, desktops)
• Services: [T] SDDC D&D; [T] Cloud Automation D&D; [O] Ops Trans for Cloud Automation
IT Outcomes Drive Journey to SDDC
• Phase I, Cost Center: CapEx and OpEx savings
• Phase II, Service Provider: QoS and control
• Phase III, Business Partner: speed and agility
IT outcomes along the journey: app and infrastructure delivery automation; security controls native to infrastructure; high availability and resilient infrastructure; streamlined and automated data center operations; data center virtualization and standardization.
Network Virtualization with VMware NSX

VMware NSX Vision: Driving VMware NSX Everywhere
Managing security and connectivity for many heterogeneous end points: on-premises data center, virtual desktop (VDI), public clouds, branch offices (partner), new app frameworks, Internet of things, mobile devices (VMware AirWatch®).
• Automation: IT at the speed of business
• Security: inherently secure infrastructure
• Application continuity: data center anywhere
VMware NSX is Mainstream – Current Customer Projects
• Automation (IT at the speed of business): lead IT project: IT automating IT; other projects: developer cloud, multi-tenant infrastructure
• Security (inherently secure infrastructure): lead IT project: micro-segmentation; other projects: DMZ anywhere, secure end user
• Application continuity (data center anywhere): lead IT project: disaster recovery; other projects: DC pooling, public cloud
VMware NSX Enables the Next-Gen Networking Model
• Automated operational model of the SDDC: virtual machines, virtual networks and virtual storage delivered in software through data center virtualization over pooled compute, network and storage capacity. Vendor independent, best price/performance. Simplified configuration and management. Location independence.
• Network and security services now in the hypervisor: L2 switching, L3 routing, firewalling/ACLs and load balancing run in software in the virtual switch (vSwitch) beneath the guest OS and applications.
Data Center Network
[Diagram: the Internet connected to the existing physical network.]

Compute Infrastructure
[Diagram: compute hosts attached to the existing physical network.]

Hypervisors and VMware NSX Virtual Switch
[Diagram: hypervisors on each host, each running the NSX virtual switch.]

NSX for vSphere | Network Virtualization Platform
[Diagram: NSX layered over the existing physical network.]

Operational Model of Virtual Networks
[Diagram: virtual networks run as software containers, like VMs, carrying a virtual network topology over the existing physical network.]
A Complete Virtual Network in Software – Logical Switching
[Diagram: two logical switches (L2), 1.1.1.0/24 and 1.1.2.0/24, form a virtual network in software with ingress and egress points. The network hypervisor runs over general-purpose IP hardware (the physical network). Services shown: IDS, load balancer.]

A Complete Virtual Network in Software – Distributed Routing
[Diagram: the same two logical switches joined by distributed L3 routing inside the virtual network in software.]
Distributed Routing
1. The VMware NSX® for vSphere® admin creates a new logical router.
2. A logical router control VM is deployed and exchanges routing updates (OSPF, BGP) with its peers.
3. The logical router control VM sends route updates to the VMware NSX Controller™ instances, which distribute the routes to the data plane (NSX vSwitch) in each hypervisor.
NSX for vSphere routing: highly available routing with a fully distributed data plane
• Distributed in each hypervisor
• Controllers are clustered
• Central configuration
A Complete Virtual Network in Software – Distributed Firewalling
[Diagram: a firewall (FW) attached to each logical switch, alongside the distributed L3 routing, inside the virtual network in software.]
Distributed Firewalling
[Diagram: VMs on several hypervisors, each hypervisor running an NSX vSwitch.]
An NSX for vSphere network is made up of distributed network elements embedded in each hypervisor, enabling each VM to have its own firewall.
NSX for vSphere firewalling: fully distributed, embedded in every hypervisor in the data center
• Firewalls/policies provisioned simultaneously with VMs
• Policies move with their VMs
• State persistent across VMware vMotion®
• Retiring a VM deprovisions its firewall – no possibility of stale rules
Virtual Network
[Diagram: VMs on a hypervisor with the NSX vSwitch, forming a virtual network over the existing physical network.]

Virtual Network (cont.)
[Diagram: the same, with the NSX vSwitch data plane in the hypervisor and user-space components on the host.]

Non-Disruptive Deployment
[Diagram: additional VMs joining the virtual network with no change to the existing physical network.]

Programmatically Provisioned
[Diagram: a controller cluster and a cloud management platform provision the virtual network.]

Services Distributed to the NSX Virtual Switch
[Diagram: services run in the NSX vSwitch on each physical host.]
Simplified IP backplane: no VLANs, no ACLs, no firewall rules

Physical Workloads and Legacy VLANs
[Diagram: an L2 bridging service (VM, ToR or x86 appliance) connects VLAN-based physical workloads to the virtual network.]
More Efficient Routing with VMware NSX
[Diagram: Nexus 7000 core, UCS Fabric A and B, and UCS blades with a vSwitch per blade, before and with VMware NSX (distributed logical router).]
• East-West L3, same host: before VMware NSX, 4 wire hops; with VMware NSX, 0 wire hops
• East-West L3, host-to-host: before VMware NSX, 4 wire hops; with VMware NSX, 2 wire hops
Fewer hops, more efficient and precise VM networking

More Efficient Firewalls with VMware NSX
[Diagram: the same physical layout, before and with VMware NSX (distributed virtual firewall).]
• East-West firewalling, same host: before VMware NSX, 6 wire hops; with VMware NSX, 0 wire hops
• East-West firewalling, host-to-host: before VMware NSX, 6 wire hops; with VMware NSX, 2 wire hops
Fewer hops, more efficient and precise VM networking
I Didn’t Know NSX for vSphere Could Do That

Better Security
Achieving Isolation with NSX for vSphere
[Diagram: two virtual networks on the same physical hosts both use 192.168.2.10 and 192.168.2.20; an IPv6 virtual network (2607:f0d0:1002:51::4, 2607:f0d0:1002:51::7) is carried over an IPv4 physical network.]
• Virtual networks are isolated from each other (overlapping IP addresses are possible)
• Virtual networks are isolated from the underlying physical network (for example, IPv6 over IPv4)
NSX for vSphere virtual networks
• Decoupled from physical networks
• Networks completely isolated
• No communication between unrelated networks
Distributed Enforcement and Central Policies that Migrate with the VMs
• Reduce choke-point security (no hairpinning of east-west traffic through a central firewall)
• Centrally define policies and distribute rule enforcement for segmentation
• Security policies move with VMs
• Changes to central policies are automatically distributed to the affected VMs
[Diagram: one security policy applied to VMs on two physical hosts and enforced in each host's vSwitch; Internet-facing VMs are covered by the same policy.]
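The reason a centrally defined policy can follow a VM is that the rule is written against security-group membership rather than an address or a host. The following is an added example, not code from this kit or from VMware: it builds a group-based three-tier DFW section and updates it through the NSX Manager REST API. The endpoint path, the ETag/If-Match handling, the NSX_MANAGER host, the credentials and the securitygroup-10/11/12 object IDs are assumptions made for the example; check them against the API guide for your release before use.

```python
"""Group-based distributed firewall rules through the NSX for vSphere REST API.

Added example; this is not code from the kit or from VMware.  It shows why a
centrally defined policy follows a VM across hosts: the rule references
security groups, not the VM's IP address or host, so group membership (not
placement) decides where the rule is enforced.

Assumptions, stated because the kit does not document the API:
  - NSX_MANAGER, the credentials and the section name are placeholders;
  - the layer-3 section resource lives under
    /api/4.0/firewall/globalroot-0/config/layer3sections and updates must echo
    the section's ETag in an If-Match header (as in the NSX-v 6.2 API guide);
  - securitygroup-10/11/12 are illustrative object IDs.
"""
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET

NSX_MANAGER = "https://nsxmgr.example.net"                              # assumed
L3_SECTIONS = "/api/4.0/firewall/globalroot-0/config/layer3sections"   # assumed


def group(object_id):
    """A SecurityGroup reference usable as a DFW rule source/destination."""
    return {"type": "SecurityGroup", "value": object_id}


def build_section(name, rules):
    """Serialize a layer-3 DFW section.  Each rule: name, action, sources,
    destinations (lists of group refs), services (list of (protocol, port))."""
    section = ET.Element("section", name=name)
    for r in rules:
        rule = ET.SubElement(section, "rule", disabled="false", logged="true")
        ET.SubElement(rule, "name").text = r["name"]
        ET.SubElement(rule, "action").text = r["action"]
        for holder_tag, refs in (("sources", r.get("sources", ())),
                                 ("destinations", r.get("destinations", ()))):
            if refs:
                holder = ET.SubElement(rule, holder_tag, excluded="false")
                for ref in refs:
                    item = ET.SubElement(holder, holder_tag[:-1])   # source / destination
                    ET.SubElement(item, "type").text = ref["type"]
                    ET.SubElement(item, "value").text = ref["value"]
        if r.get("services"):
            services = ET.SubElement(rule, "services")
            for protocol, port in r["services"]:
                svc = ET.SubElement(services, "service")
                ET.SubElement(svc, "protocolName").text = protocol
                ET.SubElement(svc, "destinationPort").text = str(port)
        ET.SubElement(rule, "direction").text = "inout"
        ET.SubElement(rule, "packetType").text = "any"
    return ET.tostring(section, encoding="unicode")


def summarize_section(section_xml):
    """Parse a section back into (name, action, sources, destinations, services)."""
    out = []
    for rule in ET.fromstring(section_xml).findall("rule"):
        out.append((
            rule.findtext("name"),
            rule.findtext("action"),
            [s.findtext("value") for s in rule.findall("sources/source")],
            [d.findtext("value") for d in rule.findall("destinations/destination")],
            [f"{s.findtext('protocolName')}/{s.findtext('destinationPort')}"
             for s in rule.findall("services/service")],
        ))
    return out


def three_tier_policy():
    """Allow-list between web, app and db groups, then deny everything else
    between the tiers.  A VM that vMotions keeps its group, so it keeps its rules."""
    web, app, db = group("securitygroup-10"), group("securitygroup-11"), group("securitygroup-12")
    return build_section("three-tier-app", [
        {"name": "web-to-app", "action": "allow", "sources": [web],
         "destinations": [app], "services": [("TCP", 8443)]},
        {"name": "app-to-db", "action": "allow", "sources": [app],
         "destinations": [db], "services": [("TCP", 5432)]},
        {"name": "tier-default-deny", "action": "deny",
         "sources": [web, app, db], "destinations": [web, app, db]},
    ])


def update_section(section_id, section_xml, user, password, ctx=None):
    """Replace an existing section.  The GET returns the section's ETag; the PUT
    echoes it in If-Match so a concurrent edit by another admin is rejected
    (412) instead of being silently overwritten."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Authorization": f"Basic {token}", "Content-Type": "application/xml"}
    ctx = ctx or ssl.create_default_context()          # verify NSX Manager's certificate
    url = f"{NSX_MANAGER}{L3_SECTIONS}/{section_id}"
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), context=ctx) as resp:
        etag = resp.headers["ETag"]
    req = urllib.request.Request(url, data=section_xml.encode(), method="PUT",
                                 headers={**headers, "If-Match": etag})
    with urllib.request.urlopen(req, context=ctx) as resp:
        return resp.status
```

The final deny rule is what turns the allow-list into micro-segmentation: without it, traffic between tiers falls through to the default section. The ETag round trip matters in practice because several administrators and automation tools write to the same DFW configuration; a stale write silently reverting someone else's rule is the kind of change that opens a path nobody intended.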
Service Insertion – Palo Alto Networks Next-Gen Firewall Example
[Diagram: the VMware NSX security admin defines a security policy; traffic from the VMs on each physical host is steered by the vSwitch to the Palo Alto Networks next-generation firewall for inspection.]
What’s New in NSX for vSphere 6.2.3?

What’s New in VMware NSX
Network & Edge Services
• Top-of-Rack support: expanding physical connectivity options via HW-VTEP
• Edge Firewall: SYN flood protection
• Edge Appliance: reduced traffic disruption in Edge redeploy / upgrade operations
• Edge DHCP: DHCP options for static routes and PXE boot
• Edge LB: serviceability enhancements
Security Services
• Firewall: rule filtering, TFTP ALG
• Guest Introspection: Windows 10 support
• Network Introspection: copy packet support
• VPN: client support for Mac OS X El Capitan
• Service Composer: performance improvements
Operations & Troubleshooting
• Increased visibility and operational readiness
• VMware NSX Dashboard: central view into the overall health of VMware NSX components
• Flow Monitoring: filter support
• Traceflow: enhanced to trace packets forwarded through third-party NetX services
• SNMP support: configure SNMP traps for VMware NSX events
• VMware NSX Central CLI: enhancements to host health, packet capture, and more
• Customer Experience Improvement Program
Accelerating VMware NSX adoption & market enablement
• Licensing: enablement for new license editions, improved license usage reporting
What’s New with VMware NSX Licensing?
VMware NSX for vSphere 6.2.3
• New VMware NSX licensing tiers are being introduced on May 3, 2016 for all geos
• Differentiated product offerings aligned to use cases
• Enables market expansion
Standard / Advanced / Enterprise tiers:
• Standard: agility and automation for the data center
• Advanced: Standard capabilities plus security with the distributed firewall, advanced services like VMware NSX Edge™ load balancing, and more
• Enterprise: Advanced capabilities plus the ability to create multi-DC extensions, ToR integration, VPN services, and more
New VMware NSX Offerings: Standard, Advanced, and Enterprise
• Standard: agility and automation of the network
• Advanced: Standard, plus a fundamentally more secure data center
• Enterprise: Advanced, plus networking and security across multiple domains

Included in Standard, Advanced and Enterprise:
• Distributed switching and routing
• NSX Edge firewall
• NAT
• SW L2 bridging to physical environment
• Dynamic routing with ECMP (active-active)
• API-driven automation
• Integration with vRealize® and OpenStack (1)
Added in Advanced and Enterprise:
• Automation of security policies with vRealize
• NSX Edge load balancing
• Distributed firewalling
• Integration with Active Directory
• Server activity monitoring
• Service insertion (3rd party integration)
Enterprise only:
• Cross-vCenter® NSX
• Multi-site VMware NSX optimizations
• VPN (IPsec and SSL)
• Remote gateway
• Integration with HW VTEPs
(1) L2, L3 & NSX Edge integration only. No consumption of Security Groups.
Detailed feature list available here: http://kb.vmware.com/kb/2145269
Examples: VMware NSX Standard Topologies
[Diagram: an active-active NSX Edge pair with dynamic routing in front of distributed logical routers (DLR) and an L2 bridge. NSX Edge features used: routing, firewall, NAT.]
Note: Other topologies are possible – the pictures shown are representative only
Examples: VMware NSX Advanced Topologies
[Diagram: active-active NSX Edges with dynamic routing, NSX load balancing (LB) and security partner integrations in front of DLRs, with the distributed firewall on every host. NSX Edge features used: routing, firewall, NAT, LB.]
Note: Other topologies are possible – the pictures shown are representative only
Examples: VMware NSX Enterprise Topologies
[Diagram: a universal distributed logical router spanning sites.]

VMware NSX Enterprise Topologies Cross-vCenter
[Diagram: the universal distributed logical router spanning two vCenter instances.]

VMware NSX Enterprise Topologies
[Diagram: two sites, each with an NSX Edge VPN endpoint and a DLR, connected by a VPN tunnel.]
VMware NSX Hardware Layer 2 Gateway Integration
• Hardware-based, low-latency forwarding for E/W bridged traffic
• High port density
• Central management from the VMware NSX UI
• Strengthens the VMware NSX ecosystem: all major networking vendors participate
[Diagram: a hardware Layer 2 gateway bridging non-virtualized appliances into the virtual network.]
Edge SYN-Flood Protection Improvement
Protect workloads from denial-of-service attacks

Overview
• Protect VMs from N/S SYN-flood attacks
• Leverages SYN cookies: the NSX Edge answers each SYN with a SYN-ACK whose sequence number encodes the connection parameters, and allocates session state only when the client's ACK returns a valid cookie, so spoofed SYNs that never complete the handshake consume no memory
• Note that this SYN-flood protection mechanism was already available for traffic proxied by the NSX Edge, like SSL VPN and LB
[Diagram: the client completes the 3-way handshake (SYN, SYN-ACK, ACK) with the NSX Edge before the session to the workload is established.]

Benefits
• Mitigate DoS/DDoS (SYN flood) attacks on applications
• Increase security for public-facing workloads
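What "leverage SYN cookies" means on the wire, as an added example that is not part of the kit and not NSX code: the server's initial sequence number is a keyed function of the 4-tuple and a coarse clock, so the edge can verify the third packet of the handshake without having stored anything for the first two. The cookie layout follows the classic Linux design; the key, the 64-second counter period, the MSS table and all addresses are assumptions made for the example.

```python
"""SYN cookies as an edge firewall uses them to absorb a SYN flood.

Added example; not NSX code.  The cookie layout (5-bit time counter, 3-bit MSS
index, 24-bit keyed hash) follows the classic Linux design; the key, the
counter period and the MSS table below are assumptions made for the example.
"""
import hashlib
import hmac
import struct
from ipaddress import ip_address

SECRET = b"rotate-me-example-key"     # assumed; a real device rotates it periodically
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values encodable in 3 bits (indexes 0..3)
COUNTER_PERIOD = 64                   # seconds per tick of the 5-bit counter
MAX_AGE_TICKS = 1                     # accept cookies from the current or the previous tick


def _mac24(saddr, daddr, sport, dport, tick):
    """24-bit keyed hash binding the cookie to the 4-tuple and the time tick."""
    msg = (ip_address(saddr).packed + ip_address(daddr).packed
           + struct.pack("!HHB", sport, dport, tick))
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, client_isn, mss, now):
    """Server ISN to send in the SYN-ACK.  Nothing is stored for this connection."""
    tick = (now // COUNTER_PERIOD) & 0x1F
    mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
    low = (_mac24(saddr, daddr, sport, dport, tick) + client_isn) & 0xFFFFFF
    return (tick << 27) | (mss_idx << 24) | low


def check_cookie(saddr, daddr, sport, dport, seq, ack, now):
    """Validate the client's final ACK (seq = client_isn + 1, ack = cookie + 1).
    Returns the MSS to use for the reconstructed session, or None to drop."""
    cookie = (ack - 1) & 0xFFFFFFFF
    client_isn = (seq - 1) & 0xFFFFFFFF
    tick = cookie >> 27
    mss_idx = (cookie >> 24) & 0x7
    age = (((now // COUNTER_PERIOD) & 0x1F) - tick) & 0x1F
    if age > MAX_AGE_TICKS or mss_idx >= len(MSS_TABLE):
        return None                      # stale cookie or garbage in the MSS field
    expected = (_mac24(saddr, daddr, sport, dport, tick) + client_isn) & 0xFFFFFF
    if (cookie & 0xFFFFFF) != expected:
        return None                      # wrong key, wrong 4-tuple or tampered ISN
    return MSS_TABLE[mss_idx]


class SynCookieEdge:
    """Minimal model of the edge: no per-connection state until the ACK validates."""

    def __init__(self, addr):
        self.addr = addr
        self.sessions = {}               # (client, sport, dport) -> MSS, completed handshakes only

    def on_syn(self, client, sport, dport, client_isn, mss, now):
        # Reply with a SYN-ACK carrying the cookie as ISN; allocate nothing.
        return make_cookie(client, self.addr, sport, dport, client_isn, mss, now)

    def on_ack(self, client, sport, dport, seq, ack, now):
        mss = check_cookie(client, self.addr, sport, dport, seq, ack, now)
        if mss is not None:
            self.sessions[(client, sport, dport)] = mss
        return mss is not None


def flood_demo(n_spoofed=10_000):
    """Spoofed SYNs (constructed addresses) leave no state; one genuine
    handshake completes.  Returns (sessions held, genuine handshake accepted)."""
    edge = SynCookieEdge("198.51.100.10")
    for i in range(n_spoofed):
        edge.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i % 60000, 443, i, 1460, now=1000)
    cookie = edge.on_syn("192.0.2.7", 40000, 443, 12345, 1460, now=1000)
    accepted = edge.on_ack("192.0.2.7", 40000, 443, seq=12346, ack=cookie + 1, now=1030)
    return len(edge.sessions), accepted
```

The price of the scheme is visible in the code: only a handful of MSS values survive, TCP options carried in the SYN are lost, and an attacker who can see the SYN-ACK can still complete handshakes, so cookies defend the connection table, not the application behind it. That is why the kit pairs this feature with the Edge firewall rather than presenting it as a complete DDoS answer.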
Edge Upgrade Process With VMware NSX 6.2(3)
Upgrade from 6.2(n) to 6.2(n+1)

Overview
• During upgrades, the NSX Edge VMs are redeployed one at a time after state synchronization
• The same mechanism applies to DLR Control VMs
• Traffic impact is reduced to 2-3 seconds
Sequence for an HA pair (Edge-0 active, Edge-1 standby, both running 6.2(n)):
1. Standby Edge-1 running 6.2(n) is brought down and replaced by Edge-1 running 6.2(n+1), which comes up as standby
2. State sync between active Edge-0 (6.2(n)) and standby Edge-1 (6.2(n+1))
3. Switchover (2-3 secs): standby Edge-1 running 6.2(n+1) becomes active
4. Edge-0 running 6.2(n) is taken down and replaced by Edge-0 running 6.2(n+1), which comes up as standby
5. Edge-0 and Edge-1 both run 6.2(n+1)

Benefits
• Improved availability during VMware NSX version upgrades
• Simplified operations and planning
New Edge DHCP Options
Support options for PXE boot and static routes

Overview
• NSX Edge DHCP servers support additional options:
  • 121 (classless static routes)
  • 66, 67 and 150 (PXE boot: TFTP server name, bootfile name, TFTP server address)
[Diagram: a VM obtains its lease from the NSX Edge DHCP server, then fetches its boot image over TFTP from an external boot server.]

Benefits
• Allows additional use cases for cloud environments (for example, OpenStack metadata service, a separate management interface on VMs, and so on)
• Allows NSX Edge DHCP to be used with VMs that boot from the network
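What the Edge actually puts on the wire for these options, as an added example that is not part of the kit and not NSX code: option 121 uses the RFC 3442 compact encoding (prefix length, only the significant destination octets, router), and options 66, 67 and 150 carry the PXE boot server name, file name and address. The encoder and client-side parser below are self-contained; the routes, the boot server name, the file name and the addresses are constructed for the example.

```python
"""Encoding the DHCP options the NSX Edge DHCP server gained in 6.2.3.

Added example, not NSX code: it shows what an Edge DHCP server puts on the
wire for option 121 (RFC 3442 classless static routes) and the PXE options 66,
67 and 150, and how a client parses them back.  The addresses, boot server
name and file name are constructed for the example.
"""
from ipaddress import IPv4Address, IPv4Network

OPT_TFTP_SERVER_NAME = 66         # string
OPT_BOOTFILE_NAME = 67            # string
OPT_CLASSLESS_STATIC_ROUTE = 121  # RFC 3442
OPT_TFTP_SERVER_ADDRESS = 150     # one or more IPv4 addresses (PXE / Cisco usage)
OPT_END = 255


def encode_option121(routes):
    """routes: [(destination CIDR, router)] -> RFC 3442 option body.
    Each route: prefix length, only the significant destination octets, router."""
    body = bytearray()
    for dest, router in routes:
        net = IPv4Network(dest, strict=True)
        significant = (net.prefixlen + 7) // 8
        body.append(net.prefixlen)
        body += net.network_address.packed[:significant]
        body += IPv4Address(router).packed
    return bytes(body)


def decode_option121(body):
    """Inverse of encode_option121; rejects truncated or out-of-range entries."""
    routes, i = [], 0
    while i < len(body):
        plen = body[i]
        i += 1
        significant = (plen + 7) // 8
        if plen > 32 or i + significant + 4 > len(body):
            raise ValueError("malformed option 121")
        dest = IPv4Address(body[i:i + significant] + bytes(4 - significant))
        i += significant
        router = IPv4Address(body[i:i + 4])
        i += 4
        routes.append((f"{dest}/{plen}", str(router)))
    return routes


def encode_options(options):
    """options: [(code, body)] -> DHCP option field terminated by 255.
    Bodies longer than 255 bytes are split into repeated instances (RFC 3396)."""
    out = bytearray()
    for code, body in options:
        for off in range(0, max(len(body), 1), 255):
            chunk = body[off:off + 255]
            out += bytes([code, len(chunk)]) + chunk
    out.append(OPT_END)
    return bytes(out)


def parse_options(field):
    """Inverse of encode_options; repeated codes are concatenated (RFC 3396)."""
    opts, i = {}, 0
    while i < len(field):
        code = field[i]
        i += 1
        if code == OPT_END:
            break
        if code == 0:                    # pad octet
            continue
        length = field[i]
        i += 1
        opts[code] = opts.get(code, b"") + field[i:i + length]
        i += length
    return opts


def pxe_lease_options(tftp_name, bootfile, tftp_addrs, routes):
    """The option set an Edge DHCP server would hand to a network-booting VM."""
    return encode_options([
        (OPT_TFTP_SERVER_NAME, tftp_name.encode()),
        (OPT_BOOTFILE_NAME, bootfile.encode()),
        (OPT_TFTP_SERVER_ADDRESS, b"".join(IPv4Address(a).packed for a in tftp_addrs)),
        (OPT_CLASSLESS_STATIC_ROUTE, encode_option121(routes)),
    ])
```

Two things to remember when enabling option 121 on an Edge: RFC 3442 requires a client that receives option 121 to ignore option 3 (Router), so the default route must be listed in 121 itself (the 0.0.0.0/0 entry above); and because the option installs arbitrary routes on the client, any host that can answer DHCP on the segment can redirect that client's traffic, which is one more reason to keep DHCP served only by the Edge and to filter rogue DHCP replies.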
NSX Edge High Availability Enhancements

Overview
• New heartbeat mechanism advertises the current role (“I’m active” / “I’m standby”) over the internal interface
• Allows a user-initiated, on-demand failover (HA event)
• Advanced dual-active detection (peer liveliness detection mechanism based on ARP)
[Diagram: HA-0 (active) and HA-1 (standby), each with an uplink, exchange role heartbeats over the internal interface; a user-initiated failover swaps the roles.]

Benefits
• Increased reliability of the HA mechanism
• Improved availability for NSX Edge HA deployments with services such as NAT, load balancing, VPN
DFW Granular Rule Filtering
Simplify management and troubleshooting of distributed firewall

Overview

• UI rule filtering option for distributed firewall


• Granularity based on Source, Destination, Action,
Enabled/Disabled, Logging, Name, Comments, Rule ID, Tag,
Service, Protocol

Benefits

• Reduce administrative effort on DFW rule management


• Simplify VMware NSX firewall troubleshooting

DFW Extended Application Layer Gateway Support
• DFW supports Application Layer Gateways (ALGs)
• VMware NSX releases up to version 6.2.2 support the following ALGs:
– FTP
– CIFS
– Oracle TNS
– MS-RPC
– Sun-RPC

• VMware NSX 6.2.3 adds support for a TFTP ALG:
– Enables use cases such as network boot for VMs

• ALGs are one of the key features that differentiate a stateful firewall from ACLs: an ALG inspects the control exchange of a protocol that negotiates secondary connections on dynamic ports and opens only the specific return flow that exchange announced, whereas an ACL would have to leave the whole ephemeral port range open
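The difference between the ALG and an ACL, as an added example that is not part of the kit and not the DFW's code: a small stateful firewall model that allows UDP to the TFTP server on port 69 and, with the TFTP ALG on, learns from the read request that the server will answer from a fresh ephemeral port (its transfer ID) and admits exactly that flow. The addresses, ports and policy are constructed for the example; FTP's PORT/PASV ALG follows the same expectation pattern on the control channel.

```python
"""Why a TFTP ALG is needed: a stateful firewall that tracks the request on
UDP/69 and admits only the server's reply flow from its ephemeral port.

Added example; this is a model of ALG behaviour, not NSX DFW code.  The
addresses, ports and policy are constructed for the example.
"""
import struct
from dataclasses import dataclass

TFTP_PORT = 69
RRQ, WRQ = 1, 2


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


@dataclass(frozen=True)
class Rule:
    src: str      # IP or "any"
    dst: str      # IP or "any"
    dport: int    # 0 = any
    action: str


def parse_tftp_request(payload):
    """(opcode, filename, mode) for a TFTP RRQ/WRQ, else None."""
    if len(payload) < 4:
        return None
    opcode = struct.unpack("!H", payload[:2])[0]
    if opcode not in (RRQ, WRQ):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3:               # filename, mode, and the empty tail after the final NUL
        return None
    return opcode, fields[0].decode("ascii", "replace"), fields[1].decode("ascii", "replace").lower()


class StatefulFirewall:
    def __init__(self, rules, tftp_alg=True):
        self.rules = rules
        self.tftp_alg = tftp_alg
        self.flows = set()            # established 4-tuples, stored in both directions
        self.expectations = set()     # (server, client, client_port) pinholes opened by the ALG

    def _policy(self, p):
        for r in self.rules:
            if r.src in ("any", p.src) and r.dst in ("any", p.dst) and r.dport in (0, p.dport):
                return r.action
        return "drop"                 # implicit default deny

    def _open(self, p):
        self.flows.add((p.src, p.sport, p.dst, p.dport))
        self.flows.add((p.dst, p.dport, p.src, p.sport))

    def process(self, p):
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return "allow"                                   # part of an established flow
        pinhole = (p.src, p.dst, p.dport)
        if self.tftp_alg and pinhole in self.expectations:
            self.expectations.discard(pinhole)               # single use: the first server TID wins
            self._open(p)
            return "allow"
        if self._policy(p) != "allow":
            return "drop"
        self._open(p)
        if self.tftp_alg and p.dport == TFTP_PORT and parse_tftp_request(p.payload):
            # The server answers from a fresh ephemeral port (its TID): expect exactly that flow.
            self.expectations.add((p.dst, p.src, p.sport))
        return "allow"


def tftp_boot_trace(tftp_alg):
    """Verdicts for a PXE-style TFTP read, with or without the ALG."""
    fw = StatefulFirewall([Rule("any", "10.0.0.5", TFTP_PORT, "allow")], tftp_alg)
    client, server = "10.0.0.20", "10.0.0.5"
    rrq = struct.pack("!H", RRQ) + b"pxelinux.0\x00octet\x00"
    data1 = struct.pack("!HH", 3, 1) + b"\x7fELF"          # DATA, block 1
    ack1 = struct.pack("!HH", 4, 1)                         # ACK, block 1
    return [
        fw.process(Packet(client, 40000, server, TFTP_PORT, rrq)),
        fw.process(Packet(server, 50123, client, 40000, data1)),   # reply from the server's TID
        fw.process(Packet(client, 40000, server, 50123, ack1)),
        fw.process(Packet(server, 50999, client, 40000, data1)),   # unsolicited second TID
    ]
```

With the ALG the trace is allow, allow, allow, drop: the transfer completes and a second, unsolicited server port is still refused. Without it the server's first data packet is dropped, which is exactly the symptom of a PXE boot that hangs after the DHCP lease, and the only ACL-style fix would be to permit the server's entire ephemeral range towards the clients.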
Guest Introspection
Windows 10 Support

Overview
• Guest Introspection support for Windows 10, leveraging Microsoft WFP (Windows Filtering Platform)
• Aligned with EPSec partner support

Benefits
• Identity firewall now supported on Windows 10
• Agentless anti-virus on a broader set of Microsoft platforms
• Increased security for VDI use cases
SSL VPN Refresh
VMware NSX SSL VPN client support and security

Overview
• SSL VPN installable client support for Mac OS X El Capitan
• Front-end architecture refresh to increase SSL VPN stability and security

Benefits
• Increased stability and security for the VPN service
• Additional support for Mac clients
Operations and Troubleshooting: New in VMware NSX
Monitor
• SNMP support: configure SNMP traps for VMware NSX events
• NSX Dashboard: central view into the overall health of VMware NSX components
• Channel health checks
• Flow Monitoring: filter support
Troubleshoot
• Traceflow: enhanced to trace packets forwarded through third-party NetX services
• VMware NSX Central CLI: enhancements to host health, packet capture, and more
Extend
• Third-party monitoring with the ability to copy packets via NetX
• Customer Experience Improvement Program
• VMware vRealize® Log Insight™ for VMware NSX
SNMP Support for NSX Manager
Traps generated by NSX Manager

Overview
• SNMP traps generated by VMware NSX Manager™ in case of errors
• SNMPv2c support
• System events related to hypervisors, controllers, edges and NSX Manager can be sent as traps (up to 4 collectors)
• When enabled, Critical and High severity events are reported by default (can be customized)
• Note that SNMPv2c traps are unauthenticated and carry the community string in cleartext, so the collectors belong on the management network
[Diagram: NSX components report events to NSX Manager, which sends SNMP traps to the SNMP collector used by the ops team.]

Benefits
• Operations teams can get notified when anomaly events occur
• Integration with existing network operations tools
VMware NSX Troubleshooting Dashboard
Troubleshooting single pane of glass

Overview
• Single dashboard in the UI with the real-time status of VMware NSX
• Displays the status of: NSX Manager, controllers, hosts, firewall publish status, logical switch status

Benefits
• Quickly identify issues in VMware NSX
• Better availability and reduced MTTR
Enhanced Communication Channel Health
• Provide error details during communication faults
• Generate an event when a channel goes into a wrong status
• Heartbeat messages now generated from NSX Manager to hosts
[Diagram: NSX Manager monitors its channels to the NSX Controller cluster and to the hosts, and alerts the ops team.]
Traceflow Visibility Through Third-Party NetX Services

Overview
• Traceflow relies on some metadata maintained with the frame being switched
• Pre-6.2(3), this metadata was lost when the frame went through a service VM (SVM), so Traceflow could not work with SVMs
• 6.2(3) lifts this limitation
[Diagram: a frame traced step by step from VM ABC through the DFW, the VDS and two service VMs to VM DEF, with each step numbered.]

Benefits
• Increased application visibility, security and compliance
• Customers can leverage existing third-party solutions
Enhanced Central CLI for VMware NSX Troubleshooting
Additional capabilities and support

Overview
• Support for host health status (VIBs, uplinks, network interfaces, connections to vCenter and VMware NSX, sync state, and so on)
• Packet capture from the central CLI

Benefits
• Simplify troubleshooting
• Reduce time to resolution
• No more access to hosts required for VMware NSX administrators
Flow Monitoring Enhancements
Live flow filtering, performance improvements

Overview
• Allow filtering of addresses during live flow monitoring
• Filtering based on: source IP, destination IP, or both

Benefits
• Optimized live security troubleshooting
• Simplified micro-segmentation planning
Packet Copy Service Support
NetX support of packet copy

Overview
• Allow copying packets to third-party service VMs (SVMs) for inspection/visibility
• Uses the VMware NSX policy engine for granular control
• Initial integration launch with Gigamon
• Note that the copy is done after the DFW, so the SVM cannot see packets dropped by the DFW
[Diagram: without packet copy, traffic passes from the VM through the DFW to the VDS; with packet copy, a copy of the post-DFW traffic is also delivered to the service VM.]

Benefits
• Increased application visibility, security and compliance
• Customers can leverage existing third-party solutions
vRealize Log Insight for VMware NSX 3.3.2
Intelligent log analytics for VMware NSX
• Includes two content packs: VMware vSphere®, VMware NSX logs
• Centralized big data log management built for VMware NSX
• Monitoring and dashboards for network virtualization and security

Now available with VMware NSX Standard, Advanced, Enterprise
• 1 CPU of vRealize Log Insight for every CPU of VMware NSX
• 1 CPU of vRealize Log Insight for every 50 CCU of VMware NSX for desktop

Upgrade to full VMware vRealize Operations™ for VMware NSX
• vRealize Operations Management Pack™ for VMware NSX: virtual + physical network topology views; troubleshooting action frameworks
• vRealize Log Insight extensibility: 40+ third-party content packs available
The best real-time management available for SDDC
NSX for vSphere 6.2
Enhancements and Features Introduced in the 6.2 Release
Released August 2015

VMware NSX 6.2
Accelerating SDDC adoption and driving new opportunities
• Automation (IT at the speed of business), Security (inherently secure infrastructure), Application continuity (data center anywhere)
• Expand VMware NSX control within and across data centers
• Operational excellence: accelerating the path to production
• Ecosystem with VMware NSX: delivering solutions TO customers WITH the ecosystem

Why Recommend NSX for vSphere 6.2.x?
• Operational manageability and serviceability improvements
• Long-lived release: 6.2.x support through 2018
• Largest engineering effort for bug fixes
• Significant quality investment
NSX for vSphere 6.2 Major Enhancements
• Licensing changes: Standard, Advanced and Enterprise
• Pooling network capacity across multiple vCenter instances
• Enhanced network and security services
• New connectivity options for physical workloads and services
• Improved operations and visibility
VMware NSX Support for VMware vSphere 6.0
VMware NSX builds on top of industry-first hypervisor technologies
Overview
• Builds upon next generation of vSphere vMotion
innovation
• Support for cross-vCenter vSphere vMotion
over VXLAN
• Dedicated TCP/IP stack for vSphere
vMotion
• VMware vSphere Network I/O Control v3 support for VMware NSX logical switches
• VMware NSX plug-in for the VMware vSphere Web Client, with improved browser support, responsiveness and 5x performance gains

Benefits
• Builds upon foundation of the software-defined
data center
• Leverages existing investments and skill sets

VMware NSX Support for Multiple vCenter Instances
• NSX for vSphere 6.2 introduces support for multiple vCenter instances with vSphere 6.0
– L2 and L3 extended across vCenter boundaries
– Consistent firewall policy across multiple VMware vCenter Server® instances
– Support for cross-vCenter vSphere vMotion with L2/L3/distributed firewall support

• Key considerations
– 1 VMware NSX Manager:1 vCenter relationship
– Up to eight vCenter / VMware NSX Manager pairs managed by a single VMware NSX Controller™ cluster
– One NSX Manager is the primary (the only place universal objects are configured); the rest are secondary
L2 and L3 Extended across vCenter Boundaries
Seamlessly extend the software-defined data center
Overview
• Single NSX Controller cluster supporting unified L2 across vCenter instances, and distributed L3 across vCenter instances
• Universal logical switches
• Universal logical routers
• Egress localization

[Figure: Universal Distributed Logical Router over a Universal Logical Switch spanning vCenter instances]

Benefits
• Non-siloed logical networks
• Capacity pooling (across vCenter instances
and across sites)
• Logical network infrastructure for cross-
vCenter vSphere vMotion
• Metro multisite logical networks (metro area capacity pooling with site egress)
Consistent Firewall Policy Across vCenter Boundaries
Seamlessly extend software-defined data center security

Overview
• Single point of configuration for firewall policy
• Supports IP and MAC addresses
• Universal firewall sections alongside local firewall sections
• Synchronization of firewall rules across VMware NSX / vCenter pairs

[Figure: Universal Firewall Rule]

Benefits
• Unified security policies across vCenter
resources
• Define once, apply everywhere
Multi-vCenter Distributed Firewall

Policy Rule Sample
• Universal Section – configured on the primary NSX Manager, synchronized to every secondary NSX Manager, and placed above all local sections in the rule table
• Local Section – configured and enforced only on the NSX Manager / vCenter pair where it is defined
VMware NSX with Ecosystem Delivers Key Services for Applications

[Figure: services for Traditional and Modern Applications on Any Hypervisor]
• Connectivity: Switching, Routing, Connectivity to Physical Networks, VPN
• Security: Firewalling, Data Security, Activity Monitoring
• Availability: Load Balancing

Enhancing VMware NSX services to enable new use cases and simplify operations
Distributed Firewall Rule Enforcement Without VMware Tools
Operational improvements of distributed firewall

Overview
• Provides an alternate mechanism to associate VMs / virtual NICs to IP addresses when VMware Tools™ is not present
• Introduces “Secure Mode,” where SpoofGuard is used as the trusted source for the IP address-to-VM mapping

Benefits
• Prevents the security risk when VMware Tools is not present: without an IP address-to-VM mapping, distributed firewall rules written against that VM object cannot be applied to its traffic
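The following is an added illustration, not code from the deck or from NSX, covering both the Multi-vCenter Distributed Firewall slide (universal sections are evaluated ahead of local ones) and the slide above (a VM-object rule is only enforceable once the VM has an IP binding, which comes from VMware Tools or, in Secure Mode, from its SpoofGuard-approved address). The VM names, addresses, rules and the default-allow rule are constructed; `evaluate` returns the action taken and the section/rule that produced it, so the run shows the same packet being blocked by a later catch-all rule when the web VM has no Tools and Secure Mode is off, and allowed once Secure Mode supplies its address.

```python
# Added illustration (not NSX code): how VM-object rules compile to IP matches,
# and why a VM without VMware Tools falls through every VM-object rule unless
# Secure Mode supplies its SpoofGuard-approved address. All data is constructed.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class VM:
    name: str
    tools_ips: List[str] = field(default_factory=list)       # learned via VMware Tools
    spoofguard_ips: List[str] = field(default_factory=list)  # approved in SpoofGuard


@dataclass
class Rule:
    name: str
    src: str                 # VM name, CIDR/host address, or "any"
    dst: str
    dport: Optional[int]     # None = any port
    action: str              # "allow" or "block"


@dataclass
class Section:
    name: str
    universal: bool          # synced from the primary NSX Manager to all secondaries
    rules: List[Rule]


def resolve(obj: str, inventory: Dict[str, VM], secure_mode: bool):
    """Networks an object stands for, or None when a VM has no usable IP binding."""
    if obj == "any":
        return [ip_network("0.0.0.0/0")]
    vm = inventory.get(obj)
    if vm is None:
        return [ip_network(obj)]            # literal address or CIDR
    ips = vm.tools_ips or (vm.spoofguard_ips if secure_mode else [])
    return [ip_network(ip) for ip in ips] or None


def order_sections(sections: List[Section]) -> List[Section]:
    """Universal sections sit above every local section in the rule table."""
    return [s for s in sections if s.universal] + [s for s in sections if not s.universal]


def evaluate(sections, inventory, src_ip, dst_ip, dport, secure_mode) -> Tuple[str, str]:
    """First matching rule wins; a rule with an unresolvable object cannot match and is skipped."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for section in order_sections(sections):
        for rule in section.rules:
            src_nets = resolve(rule.src, inventory, secure_mode)
            dst_nets = resolve(rule.dst, inventory, secure_mode)
            if src_nets is None or dst_nets is None:
                continue
            if (any(s in n for n in src_nets) and any(d in n for n in dst_nets)
                    and (rule.dport is None or rule.dport == dport)):
                return rule.action, f"{section.name}/{rule.name}"
    return "allow", "default"               # constructed default rule


# Constructed inventory: web-01 has no VMware Tools but a SpoofGuard-approved address.
INVENTORY = {
    "web-01": VM("web-01", tools_ips=[], spoofguard_ips=["10.0.1.10"]),
    "db-01": VM("db-01", tools_ips=["10.0.2.20"]),
}

# Listed local-first on purpose; order_sections puts the universal section on top.
SECTIONS = [
    Section("App-Tier", universal=False, rules=[
        Rule("allow-web-db", "web-01", "db-01", 3306, "allow"),
        Rule("deny-db", "any", "db-01", None, "block"),
    ]),
    Section("Universal-Corp", universal=True, rules=[
        Rule("block-telnet", "any", "any", 23, "block"),
    ]),
]

if __name__ == "__main__":
    for secure in (False, True):
        print("secure_mode", secure,
              evaluate(SECTIONS, INVENTORY, "10.0.1.10", "10.0.2.20", 3306, secure))
    print(evaluate(SECTIONS, INVENTORY, "10.0.9.9", "10.0.2.20", 23, True))
```

The point of the constructed rule set is the fall-through: when `web-01` cannot be resolved, the `allow-web-db` rule is silently skipped and the broader `deny-db` rule decides, which is exactly the kind of surprise the Secure Mode mapping removes.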
Load Balancer Enhancements
Improves usability

Overview
• Scale: Increases number of VIPs supported from 64 to 1024
• Operation: Provides LB monitor information on failure (last check, status last change, and fail reason)
• LB feature: Supports VIP and pool port ranges
• VMware NSX / F5 integration: Supports BIG-IP appliances and Virtual Edition (VM) and supports HA

[Figure: L3 VIP in front of VM1, VM2, VM3 on separate L2 segments]

Benefits
• Improves manageability and troubleshooting
• Leverages third-party LB vendor capabilities inside the VMware NSX model
• Simplifies migration of applications load-balanced by a third-party LB to the VMware NSX environment
Routing Enhancements
Enhanced routing configuration and troubleshooting

Overview
• Supports administrative distance for static routes
• No DLR control VM required when only static routing is used
• Supports exact match for redistribution rules
• Enable/disable strict uRPF interface checks on the edge
• Show AS path in the show ip bgp route CLI command
• Do not announce the management interface from the DLR control VM
• Automatic consistency check for logical routing
• Transport of VLAN tags over VXLAN

Benefits
• Ease of configuration and enhanced troubleshooting
• Enhanced routing functionality and operations
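An added example, not code from the deck or from NSX, that works through three of the routing items above on a constructed edge routing table: per-route administrative distance deciding which copy of a prefix is installed (a floating static only wins when OSPF withdraws), exact-match versus prefix-contained redistribution, and strict versus loose uRPF on the ingress interface. The interface names (`vnic0` uplink, `vnic1`/`vnic2` internal), the default distance values and every route are assumptions chosen for the illustration.

```python
# Added illustration (not NSX code): administrative distance between route sources,
# longest-prefix lookup, exact-match redistribution and strict/loose uRPF, using a
# constructed routing table for an edge with uplink vnic0 and internal vnic1/vnic2.
from ipaddress import ip_address, ip_network
from typing import List, NamedTuple, Optional

# Assumed default distances; the per-route override is what 6.2 adds for static routes.
ADMIN_DISTANCE = {"connected": 0, "static": 1, "ospf": 110, "bgp": 200}


class Route(NamedTuple):
    prefix: str
    proto: str
    iface: str
    distance: Optional[int] = None      # per-route override (static routes)


def effective_distance(r: Route) -> int:
    return r.distance if r.distance is not None else ADMIN_DISTANCE[r.proto]


def build_rib(routes: List[Route]) -> List[Route]:
    """Per prefix, keep only the route with the lowest administrative distance."""
    best = {}
    for r in routes:
        cur = best.get(r.prefix)
        if cur is None or effective_distance(r) < effective_distance(cur):
            best[r.prefix] = r
    return list(best.values())


def lookup(rib: List[Route], addr: str) -> Optional[Route]:
    """Longest-prefix match."""
    a = ip_address(addr)
    matches = [r for r in rib if a in ip_network(r.prefix)]
    return max(matches, key=lambda r: ip_network(r.prefix).prefixlen, default=None)


def urpf_strict(rib: List[Route], src_ip: str, ingress: str) -> bool:
    """Strict uRPF: accept only if the best route back to the source uses the ingress interface."""
    r = lookup(rib, src_ip)
    return r is not None and r.iface == ingress


def urpf_loose(rib: List[Route], src_ip: str) -> bool:
    """Loose uRPF: any route to the source is enough."""
    return lookup(rib, src_ip) is not None


def redistribute(rib: List[Route], allowed: str, exact: bool) -> List[str]:
    """Routes selected by a redistribution prefix: only the identical prefix with exact
    match; the prefix itself plus every more-specific route without it."""
    net = ip_network(allowed)
    picked = []
    for r in rib:
        p = ip_network(r.prefix)
        if (p == net) if exact else p.subnet_of(net):
            picked.append(r.prefix)
    return sorted(picked)


# Constructed table: the BGP copy of 10.2.0.0/24 loses to the connected route, and the
# floating static for 192.168.50.0/24 (distance 250) only wins when OSPF withdraws it.
ROUTES = [
    Route("10.1.0.0/24", "connected", "vnic1"),
    Route("10.2.0.0/24", "connected", "vnic2"),
    Route("10.2.0.0/24", "bgp", "vnic0"),
    Route("10.0.0.0/8", "static", "vnic0"),
    Route("0.0.0.0/0", "static", "vnic0"),
    Route("192.168.50.0/24", "ospf", "vnic1"),
    Route("192.168.50.0/24", "static", "vnic2", distance=250),
]
RIB = build_rib(ROUTES)

if __name__ == "__main__":
    for src, iface in (("10.1.0.9", "vnic1"), ("10.1.0.9", "vnic0"), ("203.0.113.5", "vnic0")):
        print(src, iface, "strict:", urpf_strict(RIB, src, iface), "loose:", urpf_loose(RIB, src))
    print(redistribute(RIB, "10.0.0.0/8", exact=True), redistribute(RIB, "10.0.0.0/8", exact=False))
```

The second uRPF case is the one strict mode exists for: a packet claiming to come from the internal 10.1.0.0/24 but arriving on the uplink is dropped, while loose mode would accept it because some route to the source exists.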
Physical Services Integration Through VMware NSX Hardware VTEPs
Provide connectivity to physical workloads and services

Overview
• VMware NSX hardware VTEP-enabled physical appliance
• Attach any physical services appliance
• Extensible (schema-based: the switch is driven through the OVSDB hardware VTEP schema)
• Integration not dependent on multicast

[Figure: VM1 and VM2 on logical switch VNI 5001 bridged to VLAN 100 through a hardware VTEP]

Benefits
• High density of physical ports to connect physical workloads
• Broad ecosystem of VMware NSX partners
• Compatible with HA M-LAG solution
Distributed Logical Router and Bridging Integration

VMware NSX 6.0 / 6.1
A logical switch could NOT simultaneously:
• Participate in distributed routing
• Extend layer 2 to a VLAN
[Figure: DB-LS extended to DB-VLAN (bridging instance to a physical server) must use the VMware NSX Edge for routing; APP-LS, not extended to a VLAN, can use the DLR]

VMware NSX 6.2
On a given logical switch, distributed logical routing can coexist with bridging
Benefits: Optimizes traffic flow by eliminating the need to route through a VMware NSX central edge
[Figure: DB-LS extended to DB-VLAN (bridging instance to a physical server) and using the DLR for routing, alongside APP-LS]
Improving Visibility
• L2 and L3 trace flow
– Tests connectivity through logical and physical paths
– Shows where the packet is dropped
• Central CLI
– Reduces troubleshooting time for distributed network functions
– Provides access to control and data plane information
– Provides per logical service (LS/LR/DFW/Edge) statistics
– Provides commands to check out-of-sync states
• Enhancement to VMware NSX APIs and tables
– New APIs that provide additional controller, hypervisor and edge info
– APIs detect health of communication channels

VMware NSX Components and Distributed Network Functions
Troubleshooting through Logical and Physical Paths
Enhanced Supportability and Operations
Deploying
NSX for vSphere
Deploying Network Virtualization with
NSX for vSphere

1. Leverage Existing Network Infrastructure – Any Network Vendor, Any Network Topology
2. Deploy NSX for vSphere: NSX Manager, NSX Edge, and VMware NSX Services™ – VMware NSX Infrastructure, Logical Networks
3. Consumption of Applications – CMP Portal, Self-Service, Programmatic Virtual Network Deployment

[Figure: NSX Mgmt and NSX Edge deployed over the Compute Virtual Infrastructure]
Multi-vCenter Deployment Considerations
• Greenfield deployments of multi-vCenter are straightforward
– Assign NSX Manager roles
– Deploy universal controller cluster
– Consume universal or local objects

• In-place upgrade of existing VMware NSX environments to multi-vCenter is fully supported
– Requires some planning
– NSX Manager Segment ID pools must be unique: no overlap between any two NSX Managers, or between a local pool and the universal pool
– VMware NSX 6.2 introduces an API to migrate existing VXLAN logical switches to a new Segment ID pool
– Where required, existing networks and workloads can be migrated to universal objects after the upgrade
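An added example, not code from the deck or from NSX, of the planning step the slide calls for: check that the segment ID pools of every NSX Manager and the universal pool are disjoint, then list which existing logical-switch VNIs fall outside a manager's new pool and what free IDs they could move to. The pool specs, VNIs and manager names are constructed, and the valid segment ID bounds are an assumption; the actual reassignment is the job of the migration API the slide mentions, which this code does not call.

```python
# Added illustration (not NSX code): validating per-NSX-Manager segment ID pools before a
# multi-vCenter upgrade and planning which existing VNIs must move into the new pool.
# The pool specs and VNIs below are constructed; the range bounds are an assumption.
from typing import Dict, FrozenSet, List, Tuple

SEGMENT_ID_MIN, SEGMENT_ID_MAX = 5000, 16777216   # assumed valid VXLAN segment ID range


def parse_pool(spec: str) -> Tuple[int, int]:
    """'5000-5999' -> (5000, 5999), rejecting reversed or out-of-range pools."""
    lo, hi = (int(x) for x in spec.split("-"))
    if lo > hi or lo < SEGMENT_ID_MIN or hi > SEGMENT_ID_MAX:
        raise ValueError(f"segment ID pool {spec} is not within {SEGMENT_ID_MIN}-{SEGMENT_ID_MAX}")
    return lo, hi


def overlapping_pools(pools: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs of pool owners whose ranges overlap. The universal pool is listed like any
    other owner, since it must not collide with any local pool either."""
    items = sorted((parse_pool(spec), owner) for owner, spec in pools.items())
    conflicts = []
    for i, ((_, hi_a), a) in enumerate(items):
        for (lo_b, _), b in items[i + 1:]:
            if lo_b <= hi_a:                 # sorted by start, so this is the only overlap test
                conflicts.append((a, b))
    return conflicts


def vnis_to_migrate(current_vnis: List[int], pool_spec: str) -> List[int]:
    """Existing logical-switch VNIs that fall outside the manager's pool."""
    lo, hi = parse_pool(pool_spec)
    return sorted(v for v in current_vnis if not lo <= v <= hi)


def plan_migration(current_vnis: List[int], pool_spec: str,
                   reserved: FrozenSet[int] = frozenset()) -> Dict[int, int]:
    """Map each out-of-pool VNI to the lowest free VNI in the pool (old -> new).
    The reassignment itself is done through the NSX 6.2 migration API; this only plans it."""
    lo, hi = parse_pool(pool_spec)
    taken = set(current_vnis) | set(reserved)
    free = (v for v in range(lo, hi + 1) if v not in taken)
    plan = {}
    for vni in vnis_to_migrate(current_vnis, pool_spec):
        try:
            plan[vni] = next(free)
        except StopIteration:
            raise ValueError(f"pool {pool_spec} has no free segment ID for VNI {vni}")
    return plan


# Constructed example: two sites that both started with the same 5000 range,
# plus the universal pool that the primary NSX Manager will own.
POOLS_BEFORE = {"nsxmgr-site-a": "5000-5999", "nsxmgr-site-b": "5000-5999", "universal": "5500-6499"}
POOLS_AFTER = {"nsxmgr-site-a": "5000-5999", "nsxmgr-site-b": "6000-6999", "universal": "7000-7999"}
SITE_B_VNIS = [5001, 5002, 5003]      # site B switches created before its pool moved

if __name__ == "__main__":
    print("conflicts before:", overlapping_pools(POOLS_BEFORE))
    print("conflicts after:", overlapping_pools(POOLS_AFTER))
    print("site B plan:", plan_migration(SITE_B_VNIS, POOLS_AFTER["nsxmgr-site-b"]))
```

Running the overlap check against the pools of every manager plus the universal pool, rather than manager by manager, is what catches the case where two sites independently chose the same default-looking range.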
NSX for vSphere
Supports Complex Application Topologies

[Figure: Multiple Networks – WEB, APP and DATABASE tiers on separate logical networks; Flat Network – WEB, APP and DATABASE on one network]

Automation
Deploy full automation through
VMware vRealize Automation™,
VMware vCloud Director®, OpenStack, or any CMP
Ecosystem
NSX for vSphere
Ecosystem Technology Partners

SDDC and NSX for vSphere
Enable Enterprise IT as Agile as Amazon

“Our IT needs to become more like Amazon.”
“We need a cost effective way to develop a PCI-compliant, secure SDDC.”
“We are developing a new kind of IT – service broker.”
“Our intention is to move our entire infrastructure to SDDC.”
NSX for vSphere Deployment Use Cases

[Figure: Dev X, Test X, Acquisition A and Dev A environments]

Self-Service IT Automation
• Examples: DevOps Cloud; Onboarding M&A
• Key Capabilities: Application-Specific Networking; Flexible IP Address Management; Simplified Consumption

Data Center
• Examples: Micro-Segmentation of Apps; Simplifying Compute Silos; DMZ Deployments
• Key Capabilities: Programmatic Consumption; Full-Featured Stack; Visibility and Operations

Public Clouds
• Examples: XaaS Clouds; Vertical Clouds
• Key Capabilities: Multi-Tenant Deployment; Programmatic L2, L3; Security; Overlapping IP Addressing; Any Hypervisor, Any CMP
The Big Picture – Why VMware NSX is Needed
• VMware NSX introduces a higher level of security to the data center
• IT organizations can streamline their networking and security operations
• Businesses lay the foundation for the software-defined data center

Better security: Unmatched security inside the data center
Speed and agility: Deploy faster and adapt to changes more easily
SDDC Foundation: Flexible network foundation for the software-defined data center
Questions

VMware NSX for vSphere 6.2
Knowledge Transfer Kit

VMware, Inc.
3401 Hillview Ave
Palo Alto, CA 94304

Tel: 1-877-486-9273 or 650-427-5000


Fax: 650-427-5001