© 2010 VMware Inc. All rights reserved
VMUG IT Meeting – PI 29/05/2015
VMware NSX
About me
Andrea Mauro
• IT Architect, VCP/VCAP/VCDX-DCV, VCP/VCAP-Cloud/DT, VCP/VCIX-NV
• vExpert 2010-2015
• http://vinfrastructure.it
• @Andrea_Mauro
• it.linkedin.com/in/andreamauro
• https://about.me/amauro
Key functions of network virtualization
VMware NSX
General Purpose Server Hardware (Dell, HP, IBM, OpenCompute, Quanta)
General Purpose IP Hardware (Arista, Cisco, HP, Juniper, Accton)
How to try it?
The problem of access to the code and/or licences
Trial mode, but not for the download
"Free" licences for vExperts
HoL
• HOL-SDC-1424 – VMware NSX in the SDDC
• HOL-SDC-1403 – VMware NSX Introduction
• HOL-SDC-1425 – VMware NSX Advanced
http://vinfrastructure.it/it/2015/03/come-studiare-vmware-nsx-senza-poterlo-provare/
The information on the roadmap is intended to outline our general product direction and it should not be relied on in making a purchasing decision. It is for informational purposes only and may not be incorporated into any contract.
Building an SDN
[Build-up diagrams, each showing the data center connected to the Internet:]
A data center network…
Compute infrastructure…
Hypervisors and vSwitches…
NSX | The “Network Hypervisor”
Virtual Networks – Like Virtual Machines for the Network
Services
A Virtual Network?
Non-Disruptive Deployment
Programmatically Provisioned
Services Distributed to the Virtual Switch
Physical Workloads and Legacy VLANs
How does it work?
NSX Components
VMware NSX management, control, and data planes
Micro Segmentation
Protection scenarios
[Diagram with three scenarios: Isolation (Dev, Test, Production: no communication path between them); Segmentation (Web, App, DB: controlled communication path); Service Insertion (Web, App, DB: advanced services on the controlled communication path)]
The Problem: Data Center Network Security
Perimeter-centric network security has proven insufficient
[Chart: IT spend vs security spend]
Today’s security model focuses on perimeter defense
But continued security breaches show this model is not enough
But micro-segmentation has been operationally infeasible
A typical data center has: 2 firewalls vs 1000 workloads
Directing all traffic (virtual + physical) through chokepoint firewalls is inefficient
And a physical firewall per workload is cost prohibitive
Achieving micro-segmentation with NSX
Traditional Data Center (DMZ/Web, App, Services/Management and DB VLANs behind a perimeter firewall and an inside firewall, with HR and Finance workloads mixed within each VLAN):
• Location (physical, logical) of VMs is constrained by the networks and systems they need to access
• Communication within a VLAN is uncontrolled
• Addition of new VMs is slowed by web of policies
NSX Data Center (HR Group and Finance Group, each with its own DMZ/Web, App and DB tiers, plus a Services/Management Group, behind the perimeter firewall):
• NSX enables grouping by logical functions – no change to the underlying topology necessary
• Policies align with security groups – not location
• Streamlines new VM deployment – security policies automatically inherited
Configure policy with Security Groups
Use security groups to abstract policy from application workloads.
1. Select elements to uniquely identify application workloads (e.g. App 1, OS: Windows 8, tag “Production”)
2. Use attributes to create Security Groups (e.g. Group XYZ)
3. Apply policies to security groups (e.g. Policy 1: “IPS for Desktops”, “FW for Desktops”; Policy 2: “AV for Production”, “FW for Production”)
Element types that can define a group:
• Static: Data center, Virtual net, Virtual machine, vNIC
• Dynamic: VM name, OS type, User ID, Security tag
Benefits:
• Enforce policy based on logical constructs
• Reduce configuration errors
• Policy follows VM, not IP
• Reduce rule sprawl and complexity
Use case 1: Network segmentation
Controlling traffic within a network
[Diagram: NSX Data Center with HR Group and Finance Group (each with DMZ/Web, App and DB) and a Services/Management Group behind the perimeter firewall]
• Control traffic between groups within a network
• Secure traffic based on logical grouping – rather than physical topology
• Create network segments flexibly – even between systems on the same VLAN
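The security-group model behind the two slides above (attribute-based membership, rules that name groups rather than addresses, default deny between groups), as an added Python example that is not VMware's code or the NSX API; the group names, tags, ports and rules are constructed to mirror the Web/App/DB and HR/Finance examples.

```python
"""Toy model of security-group based policy (added example, not NSX code).
Membership is derived from VM attributes (dynamic criteria) and firewall
rules name groups rather than addresses, so policy follows the VM and not
its IP or VLAN. Groups, tags and rules are constructed for illustration.
"""
from dataclasses import dataclass, field

@dataclass
class VM:
    name: str
    ip: str                        # never consulted by a rule below
    os: str
    tags: set = field(default_factory=set)

# Dynamic membership criteria: every listed attribute must match the VM.
GROUPS = {
    "Web":      {"tags": {"web"}},
    "App":      {"tags": {"app"}},
    "DB":       {"tags": {"db"}},
    "HR":       {"tags": {"hr"}},
    "Finance":  {"tags": {"finance"}},
    "Desktops": {"os": "Windows 8"},   # OS-type criterion from the slide
}

def groups_of(vm: VM) -> set:
    """Recompute membership from the VM's current attributes on every call."""
    found = set()
    for name, crit in GROUPS.items():
        tags_ok = crit.get("tags", set()) <= vm.tags
        os_ok = crit.get("os", vm.os) == vm.os
        if tags_ok and os_ok:
            found.add(name)
    return found

# Rules reference groups only: (source, destination, dst port or None, action).
# First match wins; unmatched flows fall through to default deny, which is
# what turns a flat VLAN into enforced segments.
RULES = [
    ("Web", "App", 8080, "allow"),
    ("App", "DB", 3306, "allow"),
    ("HR", "Finance", None, "deny"),   # explicit "no communication path"
]

def verdict(src: VM, dst: VM, port: int) -> str:
    """Decide a flow from src to dst using group membership, not addresses."""
    sg, dg = groups_of(src), groups_of(dst)
    for s, d, p, action in RULES:
        if s in sg and d in dg and (p is None or p == port):
            return action
    return "deny"
```

Changing a VM's IP or adding a newly tagged VM changes nothing in the rule set, which is the "policy follows VM, not IP" and "policies automatically inherited" property the slides describe.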
Use case 2: Multi-tenancy with segmentation and advanced services
[Diagram: Tenant 1 and Tenant 2, each an isolated copy of the use case 1 layout (perimeter firewall, HR Group, Finance Group and Services/Management Group with DMZ/Web, App and DB), with no traffic between the two tenant networks]
• Isolation: completely separate, unrelated networks
• Add advanced services based on virtual network, network segment, or Security Group
Use case 3: VDI
• Eliminate complex policy sets and topologies for different VDI users
• Align policies to logical grouping
• Decouple network topology from VDI security
• Simplify VDI deployments
[Diagram: Traditional Data Center vs NSX Data Center. Traditional: separate VLANs for Engineering, External Contractor 1 and External Contractor 2, each with its own Web and App tiers (Eng Web 1, Eng App 1, Eng Web 2, Eng App 2, Ext 1 Web 1, Ext 1 App 1, Ext 2 Web 2, Ext 2 App 2). NSX: a table with columns VLAN, IP, Identity, Security Group, in which identity “Eng” maps to security group “Eng net”, “External 1*” to “APP 1” and “External 2*” to “APP 2”, with VLAN 4 in every row.]
The Power of Distribution
http://blogs.vmware.com/networkvirtualization/2013/09/vmware_nsx_cisco.html
Performance difference
Live lab
To learn more
http://vcdx133.com/2014/10/05/nsx-link-o-rama/
http://virtualpatel.blogspot.ca/2013/11/vmware-nsx-resources.html
http://networkinferno.net/nsx-compendium
http://vinfrastructure.it/it/2015/03/come-studiare-vmware-nsx-senza-poterlo-provare/
http://vinfrastructure.it/it/2014/09/micro-segmentare-rete-nsx/
http://vinfrastructure.it/it/2014/06/report-seminario-nsx/
Enjoy The Day!
Join the Conversation!
@vmugit
@MyVMUG
#VMUGIT
www.vmug.com/italy