VMware NSX:
Install, Configure, Manage
Lecture Manual
NSX 6.0
VMware® Education Services
VMware, Inc.
www.vmware.com/education
VMware NSX:
Install, Configure, Manage
NSX 6.0
Part Number EDU-EN-NSXICM6-LECT
Lecture Manual
Copyright/Trademark
Copyright © 2014 VMware, Inc. All rights reserved. This manual and its accompanying materials are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.
The training material is provided "as is," and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been advised of the possibility of such claims. This training material is designed to support an instructor-led training course and is intended to be used for reference purposes in conjunction with the instructor-led training course. The training material is not a standalone training tool. Use of the training material for self-study without class attendance is not recommended.
These materials and the computer programs to which they relate are the property of, and embody trade secrets and confidential information proprietary to, VMware, Inc., and may not be reproduced, copied, disclosed, transferred, adapted or modified without the express written approval of VMware, Inc.
Course development: Rob Nendel, John Tuffin, Jerry Ozbun
Technical review: Elver Sena, Chris McCain
Technical editing: Jim Brook, Shalini Pallat, Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud
The courseware for VMware instructor-led training relies on materials developed by the VMware Technical Communications writers who produce the core technical documentation, available at http://www.vmware.com/support/pubs.
TABLE OF CONTENTS

MODULE 1 Course Introduction
    Importance
    Learner Objectives
    Learner Objectives (2)
    You Are Here
    Typographical Conventions
    References
    About NSX
    NSX Certification
    VMware Learning Path Tool
    NSX Resources

MODULE 2 NSX Networking
    You Are Here
    Importance
    Module Lessons
    Lesson 1: Introduction to vSphere Virtualization
        Learner Objectives
        Virtual Machines
        Benefits of Virtual Machines
        ESXi Hypervisor
        vCenter Server
        vCenter Server Management Features
        vSphere vMotion
        Shared Storage
        Features That Use Shared Storage
        Virtual Networking
        Virtual Switch Types
        Networking Features
        vSphere Product Placement
        Review of Learner Objectives
    Lesson 2: Overview of the Software-Defined Data Center
        Learner Objectives
        Choices for IT
        Data Center Models
        Advantage of Software-Defined Data Center
        Choice for New IT
        Software-Defined Data Center as New IT
        Components of a Software-Defined Data Center
        Vision and Strategy
        Virtual Compute, Storage, and Network
        Data Center
        Hypervisors and Virtual Switches
        NSX: Network Virtualization Platform
        About a Virtual Network
        Network Virtualization: Layer 2
        Network Virtualization: Layer 3
        Concept Summary
        Review of Learner Objectives
    Lesson 3: Introduction to NSX and NSX Manager
        Learner Objectives
        NSX Capabilities
        Prepare for Installation: Client and User Access
        Prepare for Installation: Port Requirements
        Installation: Manager OVA
        Initial Configuration: Management UI
        Initial Configuration: Time and Syslog Settings
        Initial Configuration: Network Settings
        Initial Configuration: vCenter Server Connection
        NSX Overview: Planes
        NSX Overview: Data Plane Components
        NSX Overview: Control Plane Components
        NSX Overview: Management Plane Component
        NSX Overview: Consumption
        Enterprise Topology
        Service Provider: Multiple Tenant Topology
        Multiple Tenant Topology: Scalable Design
        Scalability
        NSX for vSphere: Scale Boundaries
        NSX Manager
        Building the NSX Platform
        Lab 1: Introduction
        Lab 1: Configuring NSX Manager
        Concept Summary
        Review of Learner Objectives
    Lesson 4: NSX Controller
        Learner Objectives
        NSX Controller
        NSX Controller Cluster Deployment
        Control Plane Interaction
        Control Plane Security
        Control Plane Security: Diagram
        User World Agent
        NSX Controller: Master Election
        Master Failure Scenario
        NSX Controller Workload Distribution
        Slicing Assignment
        Slicing Distribution
        Slice Redistribution
        Component Interaction: Configuration
        Lab 2: Introduction (1)
        Lab 2: Introduction (2)
        Lab 2: Configuring and Deploying an NSX Controller Cluster
        Review of Learner Objectives
        Key Points

MODULE 3 Logical Switch Networks and VXLAN Overlays
    You Are Here
    Importance
    Module Lessons
    Lesson 1: Ethernet Fundamentals
        Learner Objectives
        Review: Networking Definitions
        Ethernet
        MAC Tables
        Broadcast Domain
        Address Resolution Protocol
        From Packets to Frames
        Segmentation and Encapsulation
        Layer 3: IPv4 Datagram
        Layer 4: TCP Segment
        Concept Summary
        Review of Learner Objectives
    Lesson 2: Overview of vSphere Distributed Switch
        Learner Objectives
        VMkernel Networking
        Advantages of vSphere Distributed Switch
        Distributed Switch Architecture
        vSphere Distributed Switch Enhancements in ESXi 5.5
        Design Considerations
        Teaming Best Practices
        Load-Based Teaming
        Distributed Switch in Enterprise
        Lab 3: Introduction (1)
        Lab 3: Introduction (2)
        Lab 3: Preparing for Virtual Networking
        Concept Summary
        Review of Learner Objectives
    Lesson 3: Link Aggregation
        Learner Objectives
        Ethernet Loop
        Spanning Tree Protocol
        STP Diagram
        Bandwidth Constraint
        Link Aggregation Control Protocol
        Enhanced LACP in vSphere 5.5
        Enhanced LACP
        Concept Summary
        Review of Learner Objectives
    Lesson 4: Virtual LANs
        Learner Objectives
        Virtual LANs
        Switches and Routers with VLANs
        VLANs and ARP
        VLANs Across Switches
        VLAN Scalability
        802.1Q
        802.1Q Frame
        Native VLAN
        Concept Summary
        Review of Learner Objectives
    Lesson 5: VXLAN: Logical Switch Networks
        Learner Objectives
        VXLAN Terms
        VXLAN Protocol Overview
        Virtual Extensible LAN
        NSX Use Cases
        VXLAN Frame Format
        Multicast: Network Components
        Internet Group Management Protocol
        Bidirectional PIM
        NSX for vSphere VXLAN Replication Modes
        VXLAN Replication: Control Plane
        VXLAN Replication: Data Plane
        Unicast Mode
        Multicast Mode
        Hybrid Mode
        Unicast and Hybrid Mode: Same Host
        Unicast Mode: Different Hosts
        Hybrid Mode: Different Hosts
        Multicast Mode: Different Hosts
        Quality of Service
        QoS Tagging
        Physical Network Congestion
        NSX Component Interaction: Configuration
        NSX Logical Switching
        Logical Switch
        Lab 4: Introduction (1)
        Lab 4: Introduction (2)
        Lab 4: Configuring and Testing Logical Switch Networks
        Concept Summary
        Review of Learner Objectives
        Key Points

MODULE 4 NSX Routing
    You Are Here
    Importance
    Module Lessons
    Lesson 1: NSX Routing
        Learner Objectives
        Supported Routing Protocols
        OSPF Features
        About OSPF
        OSPF Neighbor Relationships
        OSPF Packet Types
        OSPF Hello Packets
        Other OSPF Packets
        OSPF Neighbor States
        OSPF Router Types
        OSPF Areas
        OSPF Area Types
        OSPF Normal Area
        OSPF Stub Area
        OSPF NSSA
        OSPF Area and Router Types Example
        Intermediate System to Intermediate System
        IS-IS Features
        IS-IS Areas
        IS-IS Router Levels
        IS-IS Neighbor Adjacency
        IS-IS Design Considerations
        BGP Features
        Border Gateway Protocol
        BGP AS Numbers
        BGP Peers
        BGP Peers Example
        BGP Route Selection
        Concept Summary
        Review of Learner Objectives
    Lesson 2: NSX Logical Router
        Learner Objectives
        Layer 3 Networking Overview
        Layer 3 Enables Larger Networks
        Distributed Logical Router
        Hairpinning
        Distributed Logical Router: Logical View
        Distributed Logical Router: Physical View
        Data Path: Host Components
        VLAN LIF
        Designated Instance
        VXLAN LIF
        Control Plane: Components
        Logical Router Control Virtual Machine
        Management, Control, and Data Communication
        Deployment Models: One Tier
        Deployment Models: Two Tier
        Distributed Router Traffic Flow: Same Host
        Distributed Router Traffic Flow: Different Host
        Lab 5: Introduction (1)
        Lab 5: Introduction (2)
        Lab 5: Introduction (3)
        Lab 5: Introduction (4)
        Lab 5: Configuring and Deploying an NSX Distributed Router
        Concept Summary
        Review of Learner Objectives
    Lesson 3: Layer 2 Bridging
        Learner Objectives
        VXLAN to VLAN Layer 2 Bridging
        Use Cases
        Layer 2 Bridging Details
        Bridge Instance
        Bridge Instance Failure
        Layer 2 Bridging: Flow Overview
        Design Considerations
        ARP Request from VXLAN
        ARP Response from the VLAN
        Unicast Traffic
        ARP Request from VLAN
        Concept Summary
        Review of Learner Objectives
    Lesson 4: NSX Edge Services Gateway
        Learner Objectives
        NSX Edge Gateway
        Integrated Network Services
        NSX Edge Services Gateway Sizing
        Features Summary
        NSX Edge Routing
        Routing Verification
        Lab 6: Introduction (1)
        Lab 6: Introduction (2)
        Lab 7: Introduction
        Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing
        Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances
        Review of Learner Objectives
        Key Points

MODULE 5 NSX Edge Services Gateway Features
    You Are Here
    Importance
    Module Lessons
    Lesson 1: NSX Edge Network Address Translation
        Learner Objectives
        Private IPv4 IP Addresses
        IPv4 Overlapping Space
        Managing NAT Rules
        Source NAT Deployment Using NSX Edge
        Example: Set Up External Access to Web Server
        Add a Second External IP Address for NAT Use
        Destination NAT Deployment Using NSX Edge
        Creating a Destination NAT Rule for Inbound External Access
        Create a Destination NAT Rule and Test Inbound Connectivity
        Creating a Source NAT Rule and Testing Outbound Connectivity
        Lab 8: Introduction (1)
        Lab 8: Introduction (2)
        Lab 8: Introduction (3)
        Lab 8: Configuring and Testing Network Address Translation on an NSX Edge Services Gateway
        Concept Summary
        Review of Learner Objectives
    Lesson 2: NSX Edge Load Balancing
        Learner Objectives
        NSX Edge Load Balancer
        NSX Edge Load Balancer Modes
        Load-Balancer Operation
        One-Arm Load Balancer
        One-Arm Load Balancer Traffic Flow
        Inline Load Balancer
        Inline Load Balancer Traffic Flow
        Lab 9: Introduction
        Lab 10: Introduction
        Lab 9: Configuring Load Balancing with NSX Edge Gateway (1)
        Lab 9: Configuring Load Balancing with NSX Edge Gateway (2)
        Lab 10: Advanced Load Balancing
        Concept Summary
        Review of Learner Objectives
    Lesson 3: NSX Edge High Availability
        Learner Objectives
        High Availability
        NSX Edge High Availability Operation
        Stateful High Availability
        NSX Edge Failure
        NSX Edge Services Gateway High Availability
        Virtual Machine and Appliance Failure
        ESXi Host Failure
        Lab 11: Introduction
        Lab 11: Configuring NSX Edge High Availability
        Concept Summary
        Review of Learner Objectives
    Lesson 4: NSX Edge and VPN
        Learner Objectives
        Logical L2 VPN
        Overview of Layer 2 VPN
        Logical User (SSL) and Site-to-Site (IPsec) VPN
        NSX IPsec VPN
        IPsec Security Protocols: Internet Key Exchange
        IPsec Security Protocols: Encapsulating Security Payload
        IPsec ESP Tunnel Mode Packet
        Configuration Example for IPsec VPN
        IPsec with AES-NI
        Add an IPsec VPN
        NSX SSL VPN-Plus Service
        SSL VPN-Plus
        NSX Edge SSL VPN-Plus Secure Management Access Server
        Use Cases for SSL VPN-Plus Services
        Lab 12: Introduction
        Lab 13: Introduction
        Lab 14: Introduction (1)
        Lab 14: Introduction (2)
        Lab 12: Configuring Layer 2 VPN Tunnels
        Lab 13: Configuring IPsec Tunnels
        Lab 14: Configuring and Testing SSL VPN-Plus
        Concept Summary
        Review of Learner Objectives
        Key Points

MODULE 6 NSX Security
    You Are Here
    Importance
    Module Lessons
    Lesson 1: NSX Edge Firewall
        Learner Objectives
        NSX Edge and Distributed Firewall: Security Comparison
        NSX Edge Firewall
        Firewall Rule Types
        Virtualization Context Awareness
        Populating Firewall Rules
        Source and Destination of a Rule
        Firewall Service
        Create a Firewall Service
        Action Option
        Publish Changes
        NSX Edge Services Gateway: Form Factors
        Lab 15: Introduction (1)
        Lab 15: Introduction (2)
        Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic
        Concept Summary
        Review of Learner Objectives
    Lesson 2: Distributed Firewall
        Learner Objectives
        Evolution of Firewall Placement
        Distributed Firewall Overview
        Distributed Firewall Filtering
        Distributed Firewall Location and Policy Independence
        Distributed Firewall Policy Enforcement
        Distributed Firewall Components: Communication
        Distributed Data Path
        Policy Rule Objects
        Layer 2 Policy Rules
        Layer 3 and Layer 4 Policy Rules
        Centralized Management of the Distributed Firewall
        Using Distributed Firewall Sections
        Logical Switch Rule-Based Example
        Security Groups
        Security Group Components
        Rule-Based Security Group Example
        Policy Rule Objects
        Applied To: Example
        Lab 16: Introduction
        Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic
        Concept Summary
        Review of Learner Objectives
    Lesson 3: Flow Monitoring
        Learner Objectives
        Flow Monitoring
        Enable Flow Monitoring
        Exclusion Settings
        Viewing Flows
        Flow Views by Service
        Live Monitoring
        Live Monitoring Output Example
        Lab 17: Introduction
        Lab 17: Using Flow Monitoring
        Concept Summary
        Review of Learner Objectives
    Lesson 4: Role-Based Access Control
        Learner Objectives
        Authentication, Authorization, and Accounting Model
        Identity Sources
        Identity Source vSphere Requirements
        Role-Based Access Control for NSX for vSphere
        NSX User Roles
        Scopes
        NSX Role Guidelines
        Permission Inheritance Example: Single Group
        Permission Inheritance Example: Multiple Groups
        Configure Role-Based Access Control
        Lab 18: Introduction
        Lab 18: Managing NSX Users and Roles
        Concept Summary
        Review of Learner Objectives
    Lesson 5: Service Composer
        Learner Objectives
        Service Composer
        Using Service Composer
        NSX Integrated Partners
        Define Scope
        NSX: Third-Party End-to-End Workflow
        Registering Partner Services
        Partner Service Registration: Palo Alto Networks
        Partner Service Registration: Symantec
        Service Installation
        Security Policy
        Service Composer Canvas
        Canvas View (1)
        Canvas View (2)
        Canvas View (3)
        Service Composer: Vulnerability Scan Example
        Service Composer: Traffic Redirection with PAN Example (1)
        Service Composer: Traffic Redirection with PAN Example (2)
        Concept Summary
        Review of Learner Objectives
    Lesson 6: Other Monitoring Options
        Learner Objectives
        About Syslog
        Syslog Format
        vCenter Log Insight
        Concept Summary
        Review of Learner Objectives
        Key Points
MODULE 1
Course Introduction
Slide 1-1
Module 1
VMware NSX: Install, Configure, Manage
1
Importance
Slide 1-2
VMware NSX™ is the network virtualization and security platform for the software-defined data center. NSX brings virtualization to your existing network and transforms network operations and economics.
Learner Objectives
Slide 1-3
By the end of this course, you should be able to meet the following objectives:
• Describe the evolution of the software-defined data center
• Describe how NSX is the next step in the evolution of the software-defined data center
• Describe data center prerequisites for NSX deployment
• Describe basic NSX layer 2 networking
• Configure, deploy, and use logical switch networks
• Configure and deploy NSX distributed routers to establish East-West connectivity
• Configure and deploy VMware NSX Edge™ services gateway appliances to establish North-South connectivity
• Configure and use all the main features of the NSX Edge services gateway
Module 1
Course Introduction
3
Learner Objectives (2)
Slide 1-4
By the end of this course, you should be able to meet the following objectives:
• Configure NSX Edge firewall rules to restrict network traffic
• Configure Distributed Firewall rules to restrict network traffic
• Use role-based access to control user account privileges
• Use Activity Monitoring to determine if a security policy is effective
• Use Flow Monitoring to monitor network traffic streams
• Configure Service Composer policies
You Are Here
Slide 1-5
VMware NSX: Install Configure Manage
Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway Features
NSX Security
Typographical Conventions
Slide 1-6
The following typographical conventions are used in this course.
Monospace: Filenames, folder names, path names, and command names. Example: Navigate to the VMS folder.
Monospace bold: What the user types. Example: Enter ipconfig /release.
Boldface: User interface controls. Example: Click the Configuration tab.
Italic: Book titles and placeholder variables. Examples: vSphere Virtual Machine Administration; ESXi host name.
References
Slide 1-7
Title: NSX Installation and Upgrade Guide. Location: http://pubs.vmware.com/NSX-6/index.jsp
Title: NSX Administration Guide. Location: http://pubs.vmware.com/NSX-6/index.jsp
About NSX
Slide 1-8
NSX is a network virtualization platform that enables you to build a rich set of logical networking services.
• Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
• Logical Routing: Routing between virtual networks without exiting the software container
• Logical Firewall: Distributed Firewall, kernel integrated, high performance
• Logical Load Balancer: Application load balancing in software
• Logical VPN: Site-to-site and remote access VPN in software
• NSX API: REST API for integration into any cloud management platform
Any Network Hardware
Partner Ecosystem
NSX Certification
Slide 1-9
For details about VMware certifications, go to: http://mylearn.vmware.com/portals/certification
VMware Learning Path Tool
Slide 1-10
VMware Education Services
Learning Path Tool
Learn by Solution Track, Role, Product, or Certification
Choose Your Path
Learn by Solution Track
Learn by Role
Learn by Product
Achieve Certification
To determine your learning path for VMware training, go to: http://vmwarelearningpaths.com
To make the VMware training that you take most valuable, you must decide which learning path to take. Your learning path can be based upon a solution track that you want to pursue or a role in your organization that you want to take on. Your learning path can also be based on a product that you want to master or a VMware certification that you want to achieve. Regardless of which path you choose, the VMware Learning Path Tool can help you to succeed and achieve your goal.
NSX Resources
Slide 1-11
For NSX technical information, use the following resources:
• NSX Resources
  • http://www.vmware.com/products/nsx/resources.html
• VMware Communities
  • http://communities.vmware.com/
• VMware Support
  • http://www.vmware.com/support/
• VMware Education
  • http://www.vmware.com/education
• VMware Support Toolbar
  • http://vmwaresupport.toolbar.fm
Making full use of VMware technical resources can save you time and money. The following are extensive VMware Web-based resources:
• The VMware Communities Web page provides tools and knowledge to help users maximize their investment in VMware products. VMware Communities provides information about virtualization technology in technical papers, documentation, a knowledge base, discussion forums, user groups, and technical newsletters.
• The VMware Support page provides a central point from which you can view support offerings, create a support request, and download products, updates, drivers and tools, and patches.
• You can view the course catalog and the latest schedule of courses offered worldwide on the VMware Education page. This page also provides access to information about the latest advanced courses offered worldwide.
• For quick access to communities, documentation, downloads, support information, and more, install the VMware Support Toolbar, which is a free download.
• VMware vSphere® documentation is available on the VMware Web site. From this page, you can access all the vSphere guides, which also include guides for optional modules or products.
MODULE 2
NSX Networking
Slide 2-1
Module 2
You Are Here
Slide 2-2
VMware NSX: Install Configure Manage
Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway
NSX Security
Importance
Slide 2-3
Understanding the high-level concepts of the software-defined data center and of network virtualization with VMware NSX™ is critical to using NSX efficiently in the virtualized environments that enterprises are moving to.
Module 2
NSX Networking
15
Module Lessons
Slide 2-4
Lesson 1: Introduction to vSphere Virtualization
Lesson 2: Overview of the Software-Defined Data Center
Lesson 3: Introduction to NSX and NSX Manager
Lesson 4: NSX Controller
Lesson 1: Introduction to vSphere Virtualization
Slide 2-5
Learner Objectives
Slide 2-6
By the end of this lesson, you should be able to meet the following objectives:
• Discuss the features of VMware vSphere®
• Provide an overview of the challenges that vSphere is intended to resolve
Virtual Machines
Slide 2-7
Real Operating System
Dedicated Virtual Hardware
Real Applications
Stable and Dependable
No Need for Modification
No Special Changes to OS
Virtual machines look and behave like physical servers.
Users might not be able to distinguish a virtual machine from a physical server. Subtle differences make virtual machines unique and helpful in the data center. The hardware of a virtual machine is software.
This feature gives you many advantages, such as the ability to replace and upgrade components of the virtual hardware quickly.
Virtual hardware also allows you to add hardware devices such as network cards and processors without rebooting the virtual machine.
Ultimately, virtual hardware can help reduce your downtime because you do not need to reboot your virtual machines every time you want to upgrade their capabilities.
Benefits of Virtual Machines
Slide 2-8
Image Backups
Bare-Metal Backups
File-Based Restores
Hardware Independence for Restores
Virtual machines can be used to host any application, from file servers, database servers, and email servers to high-performance application servers.
Organizations might choose to virtualize their servers for the following reasons:
• Consolidate lightly used servers to conserve space and power in their data center. These workloads are ideal for virtualization because you can often place many virtual machines on a single physical host.
• Increase availability, whether as a protection scheme against common hardware failures or complete site-level disasters. Virtual machines are easy to move, copy, and restore, so they make disaster recovery simple.
• Provision new servers quickly, because new virtual machines can be created and deployed in minutes.
ESXi Hypervisor
Slide 2-9
VMware ESXi™ benefits:
• Direct hardware access
• Less overhead than hosted hypervisors
• Flexible installation options
Type 1 Hypervisor
Type 2 Hypervisor
ESXi = Lower resource overhead
VMware ESXi™ is a VMware type 1 hypervisor. ESXi is a bare-metal hypervisor. This hypervisor performs the role of resource management while enjoying direct access to the underlying physical hardware.
This hypervisor can improve your resource efficiency because of less operating system overhead. In addition, the stability of the ESXi hypervisor is not dependent on another operating system.
ESXi is commonly installed directly on hard drives in your physical server, but ESXi can also be installed onto flash drives, SD cards, and USB drives.
You can also network-boot an ESXi host using traditional boot-from-network tools such as preboot execution environment (PXE) and Trivial File Transfer Protocol (TFTP) servers.
VMware provides several ways to deploy your ESXi hosts because each organization's needs vary.
ESXi hosts your virtual machines and provides some basic management functions to help you deploy and control your virtual machines.
vCenter Server
Slide 2-10
vSphere Client
Active Directory
VMware vCenter Server™ domain is scalable
ESXi host
ESXi host
ESXi host
vCenter Server
Components:
Identity Management Server
Database Server
Application Server
Web Server
VMware vSphere® Web Client
1,000 ESXi hosts
10,000 VMs
VMware vCenter Server™ is a multitier application designed for the enterprise, but is capable of
managing even the smallest of organizations. The vCenter Server system is designed to be highly
scalable and can expand with your data center virtualization initiatives. The vCenter Server system
includes components for an Identity Management Server, Database Server, Application Server, Web
Server, and VMware vSphere® Web Client.
You can deploy the vCenter Server system in various forms and install the roles onto a single server
or multiple servers depending on your needs. The vCenter Server system can be installed on a
Windows system or deployed as a virtual appliance to give you more flexibility.
A single vCenter Server system can scale from managing a single ESXi host up to 1,000 ESXi
hosts. The vCenter Server system can also manage up to 10,000 powered-on virtual machines, and
that is just one vCenter Server instance.
As an organization expands, you can add more vCenter Server instances and even migrate into a
cloud-based configuration to provide more management and provisioning abilities.
vCenter Server Management Features
Slide 2-11
The vCenter Server system is a centralized platform for management features.
The vCenter Server system includes the following management features:
• VMware vSphere® vMotion®
• VMware vSphere® Distributed Resource Scheduler™ (DRS)
• VMware vSphere® Distributed Power Management™ (DPM)
• VMware vSphere® Storage vMotion®
• VMware vSphere® Storage DRS™
• VMware vSphere® Data Protection™
• VMware vSphere® High Availability
• VMware vSphere® Fault Tolerance
• VMware vSphere® Replication™
The vCenter Server system manages each of your ESXi hosts. The vCenter Server system can
perform operations that require multiple ESXi hosts.
The vCenter Server system includes the following features:
• VMware vSphere® vMotion® enables you to migrate running virtual machines from one ESXi
host to another without disrupting the virtual machine.
• VMware vSphere® Distributed Resource Scheduler™ (DRS) provides load balancing for your
virtual machines across the ESXi hosts. DRS leverages vSphere vMotion to balance these
workloads.
• If configured, VMware vSphere® Distributed Power Management™ (DPM) can be used to
power off unused ESXi hosts in your environment. DPM can also power on the unused ESXi
hosts at the correct time.
• VMware vSphere® Storage vMotion® allows you to migrate a running virtual machine's hard
disks from one storage device to another device.
• VMware vSphere® Storage DRS™ automates load balancing from a storage perspective.
• VMware vSphere® Data Protection™ enables you to back up your virtual machines.
• VMware vSphere® also has availability features such as VMware vSphere® High
Availability™ to restart your virtual machines on another host if you have a hardware problem.
• If a virtual machine restart is too slow, VMware vSphere® Fault Tolerance provides
uninterrupted availability for your virtual machines.
• VMware vSphere® Replication™ can copy your virtual machines to another site for disaster
recovery.
vSphere vMotion
Slide 2-12
vSphere vMotion allows you to migrate a running virtual machine from one ESXi host to another,
even during normal business hours.
You can use vSphere vMotion to help load balance your ESXi hosts in a cluster.
vCenter Server orchestrates a copy process between the ESXi hosts. The memory is copied between
the hosts and the virtual machine is transferred to the new host.
vSphere vMotion can operate without shared storage, meaning that you can migrate a running
virtual machine between hosts, even if the ESXi hosts have no shared storage in common.
Shared Storage
Slide 2-13
Shared Storage
Virtual Machines
Applications and Operating Systems
Visible to multiple ESXi hosts
Typically used to store
virtual machines and ISO files
ESXi Hosts
Storage Array
vSphere supports Fibre Channel, Fibre Channel over Ethernet (FCoE), iSCSI, and NFS for shared
storage. vSphere also supports local storage.
Each storage option has its own strengths and weaknesses, so VMware does not consider one
storage type as better than another for virtualization.
Features That Use Shared Storage
Slide 2-14
The following features use shared storage:
Virtual Machines
Applications and Operating Systems
DRS
DPM
vSphere Storage DRS
vSphere HA
vSphere FT
ESXi Hosts
Storage Array
Features that are listed in the slide require a shared storage infrastructure to work properly.
Virtual Networking
Slide 2-15
Virtual networking is similar to physical networking. Each virtual machine and ESXi host on the
network has an address and a virtual network card. These virtual network cards are connected to
virtual Ethernet switches.
Virtual switches attach your virtual machines to the physical network, or you can create isolated
networks to be used during testing and development. Virtual networking provides the same
flexibility as server virtualization.
Virtual Switch Types
Slide 2-16
Virtual switches are of the following types:
• Standard switch architecture: Manages virtual machine and networking at the host level
• VMware vSphere® Distributed Switch™ architecture: Manages virtual machine and networking at the data center level
Virtual switches can be of different forms, each with a different feature set. vSphere supports two
main categories of virtual switches: the standard switch and the VMware vSphere® Distributed
Switch™. Both switches help you to reduce network clutter by reducing the number of physical
network cables plugged into your ESXi hosts.
Each ESXi host is prebuilt with a standard switch that provides basic connectivity and management
features. The distributed switch expands upon that model by providing a central interface to manage
the different connections and features found in the virtual switches. The distributed switch can
provide more features as a result of this centralized management approach.
Networking Features
Slide 2-17
Networking has the following features:
• VLANs
• Traffic shaping
• Port mirroring
• QoS, DSCP
• CDP/LLDP
Virtual networking can be as simple or as complex as you need. The following features are
supported by vSphere:
VLANs provide logical separation of your network traffic, and are often used to isolate different
subnetworks, such as a test or restore network.
Traffic shaping is a feature that allows you to restrict the inbound and outbound network
bandwidth of a group of virtual machines. This feature can help reduce congestion in your
virtual network.
Port mirroring enables you to monitor a virtual machine's traffic for troubleshooting or intrusion
prevention. This feature allows you to capture all the traffic sent to or from a virtual machine
for later inspection.
Quality of service (QoS) and DSCP are networking standards that allow network switches to
prioritize certain network traffic over others. An example is prioritizing the voice traffic from a
call manager server to improve performance.
NetFlow is a network monitoring tool that allows you to determine your top talkers on the
network and other metadata about the communications that occur on your network.
vSphere Product Placement
Slide 2-18
Feature matrix by vSphere edition: Essentials (1 feature marked), Essentials Plus (5), Standard (7), Enterprise (9), Enterprise Plus (11). The feature column headings are not legible in the scan.
Review of Learner Objectives
Slide 2-19
You should be able to meet the following objectives:
• Discuss the features of vSphere
• Provide an overview of the challenges that vSphere is intended to resolve
Lesson 2: Overview of the Software-Defined Data Center
Slide 2-20
Learner Objectives
Slide 2-21
By the end of this lesson, you should be able to meet the following objectives:
• Describe advantages of the software-defined data center
• Identify components of the software-defined data center
• Explain the role of the virtual network in the software-defined data center
Choices for IT
Slide 2-22
Software is the foundation that is powering the evolution of networks
and data center infrastructure.
New IT
Software-Defined
Data Center
Hardware Defined
Data Center
No IT
Outsourced
Today, enterprise business leaders want their IT to create applications quickly and easily. Enterprise
business leaders must decide whether to build in-house IT or to outsource their IT and applications.
Data Center Models
Slide 2-23
Businesses that want to deploy applications and their necessary server infrastructure quickly
choose between the current hardware-based model and the software-defined data center.
Hardware-Defined Data Center
OR
Software-Defined Data Center
Any Application
Application-Specific Policies
Data Center Virtualization
Any x86
Any Storage
Any IP Network
The hardware-defined data center is the traditional model. This model includes racks of equipment,
and each piece of hardware has one or more specifically defined tasks. Email, database, and other
business-critical applications run on specific servers. This model is not the answer for future
requirements.
Advantage of Software-Defined Data Center
Slide 2-24
Some of the most agile providers and consumers are moving system intelligence into software
through custom applications or platforms.
Google / Facebook / Amazon Data Centers
Software / Hardware Abstraction
Any x86
Any Storage
Any IP network
Providers are decoupled from physical infrastructure, allowing them to use any x86, any storage,
and any IP networking hardware. This approach increases agility, reduces cost, and provides a
highly scalable infrastructure with a software-defined data center approach. These benefits result
from a hardware-abstraction software layer that runs on top of the hardware.
Choice for New IT
Slide 2-25
Software can innovate much faster than hardware.
Software-Defined Data Center
Google / Facebook / Amazon Data Centers
Hardware-Defined Data Center
Any Application
Any x86
Any Storage
Any IP network
The software-defined data center is similar to the approach taken by Amazon, Google, and
Facebook. This approach does not include a vertically integrated hardware-specific approach. For
example, with a hardware-centric infrastructure, you must buy in-unit networking hardware for the
network to function. With the software-defined data center approach, you can run any network
switch.
Software-Defined Data Center as New IT
Slide 2-26
The software-defined data center can span across multiple data centers and into hybrid service
providers, independent of physical infrastructure.
Software-Defined Data Center
Inter-Data Center
Hybrid Data Center
Any Application
Data Center Virtualization
Any x86
Any Storage
Any IP network
VMware NSX™ can do layer 2, SSL, and IPsec VPNs. This functionality provides business
continuance and disaster recovery capabilities, which are not otherwise available. NSX can be
combined with VMware vCloud® Hybrid Service™ to provide a hybrid cloud strategy.
Components of a Software-Defined Data Center
Slide 2-27
The software-defined data center extends virtualization.
Applications
Software-Defined Data Center
Virtual Compute
Virtual Storage
Virtual Network
Policy
Security
Scale
Desktop, Virtual Desktop, Laptop, Tablet, Mobile, Internet, Storage
Admin
Policy Configuration
Hardware Independence
Operational Visibility
IP Network, Server, Storage
Cloud Management
Hardware
Location Independence
Data Center 1, Data Center 2, Public DC
The software-defined data center extends the virtualization concepts like abstraction, pooling, and
automation to all data center resources and services. Components of the software-defined data center
can be implemented together, or in phases:
• Compute virtualization, network virtualization, and software-defined storage deliver
abstraction, pooling, and automation of the compute, network, and storage infrastructure
services.
• Automated management delivers a framework for policy-based management of data center
applications and services.
Vision and Strategy
Slide 2-28
The software-defined data center is not a product, but it is an approach.
The software-defined data center leverages products from VMware and other companies.
Management and orchestration are used to configure, manage, monitor, and operationalize a
software-defined data center. Products like VMware vCloud® Automation Center™, VMware
vCenter™ Operations Management Suite™, and VMware vCenter™ Log Insight™, and also third-
party solutions or custom cloud management platforms, can be used.
The software-defined data center has the following advantages:
• A software-defined data center is decoupled from the underlying hardware, and takes advantage
of underlying network, server, and storage hardware.
• A software-defined data center is location-independent and can be in a single data center, span
multiple private data centers, or span hybrid public data centers.
• A software-defined data center leverages a data center virtualization layer to enable
independent, isolated application environments to be deployed on top of the hardware- and
location-independent infrastructure.
Virtual Compute, Storage, and Network
Slide 2-29
The pooling of hardware resources provides many advantages.
Software: Virtual Machines, Virtual Networks, Virtual Storage
Application Consumption
Hardware: Compute Capacity, Network Capacity, Storage Capacity
Desktop, Virtual Desktop, Laptop, Tablet, Mobile, Internet
• Location Independence
The software-defined data center is a unified data center platform that provides automation,
flexibility, and efficiency. Compute, storage, networking, security, and availability services are
pooled, aggregated, and delivered as software. These services are also managed by intelligent,
policy-driven software.
Data Center Hardware
Slide 2-30
NSX uses existing data center hardware.
Existing Physical Network
NSX enables you to start with your existing network and server hardware in the data center.
Hypervisors and Virtual Switches
Slide 2-31
ESXi hosts, virtual switches, and distributed switches run on the hardware.
NSX: Network Virtualization Platform
Slide 2-32
NSX handles the data across the virtual switches.
NSX adds nothing to the physical switching environment. NSX exists in the ESXi environment and
is independent of the network hardware.
About a Virtual Network
Slide 2-33
A virtual network is a software container that delivers network services. These network services
are expected from a network by connected workloads.
Network Virtualization: Layer 2
Slide 2-34
NSX virtualizes logical switching.
The slide shows an example of layer 2 connectivity between two virtual machines on the same
hypervisor and host. Traffic on the layer 2 network never leaves the hypervisor.
Network Virtualization: Layer 3
Slide 2-35
NSX virtualizes logical routing.
Existing Physical Network
The slide shows an example where NSX virtualizes the layer 3 connectivity between two virtual
machines on the same hypervisor and host. NSX virtualizes the layer 3 connectivity between different IP
subnets and logical switches without leaving the hypervisor to use a physical router. This
virtualization also provides routing between two virtual machines on two different sides of the data
center across multiple layer 3 subnets and availability zones.
Concept Summary
Slide 2-36
A review of concepts discussed in this lesson:
What is the layer where management components operate?
The management plane
What is the layer where control components operate?
The control plane
What is the layer where data is transmitted?
The data plane
What is a vSphere port group created on a distributed switch with NSX modules installed called?
A logical switch
What are multiple tenants connected to the same egress point segregated by isolating the tenant networks called?
Multitenant
What handles NSX communications between the VMware NSX Manager™, VMware NSX Controller™, and ESXi host?
User World Agent (UWA)
What uses layer 3 UDP encapsulation to extend logical layer 2 networks across layer 3 boundaries?
Virtual Extensible Local Area Network (VXLAN)
What is used for integration into a cloud management platform?
Representational State Transfer API (REST API)
What is the virtual machine used by NSX for control plane operations?
NSX Controller
Review of Learner Objectives
Slide 2-37
You should be able to meet the following objectives:
• Describe advantages of the software-defined data center
• Identify components of the software-defined data center
• Explain the role of the virtual network in the software-defined data center
Lesson 3: Introduction to NSX and NSX Manager
Slide 2-38
Learner Objectives
Slide 2-39
By the end of this lesson, you should be able to meet the following objectives:
• Describe capabilities of NSX
• Explain differences between the data, control, and management planes
• Recognize NSX topologies
• Illustrate the role of NSX Manager
NSX Capabilities
Slide 2-40
NSX has a number of features.
Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
Logical Routing: Routing between virtual networks without exiting the software container
Logical Firewall: Distributed firewall, kernel integrated, high performance
Logical Load Balancer: Application load balancing in software
Logical Virtual Private Network (VPN): Site-to-site and remote access VPN in software
Any Network Hardware
VMware NSX API™: REST API for integration into any cloud management platform
Partner Ecosystem
NSX provides the following functional services:
• Logical layer 2 to enable the extension of a layer 2 segment or IP subnet anywhere in the fabric
irrespective of the physical network design.
• Distributed routing to enable routing between IP subnets without traffic going out to the
physical router.
• Distributed firewall to enable security enforcement at the kernel and vNIC level.
• Logical load balancing to provide support for layer 4 through layer 7 load balancing with the
ability to do SSL termination.
• SSL VPN services to enable layer 2 VPN services.
Prepare for Installation: Client and User Access
Slide 2-41
The requirements for deploying NSX to a vSphere environment are the following:
• Management system and browser requirements:
• A supported web browser:
- Internet Explorer 8, 9 (64-bit), and 10.
- The two most recent versions of Mozilla Firefox.
- The two most recent versions of Google Chrome.
• The vSphere Web Client.
• Cookies enabled in the browser used for management.
• Environment requirements:
• Correct DNS configuration for ESXi hosts added by name.
• User permissions to add and power on virtual machines.
• Permissions to add files to the virtual machine datastore.
NSX has the following requirements:
• vCenter Server 5.5 or later
• ESXi 5.0 or later for each server
• VMware Tools™
Prepare for Installation: Port Requirements
Slide 2-42
NSX components require a number of ports for NSX communications:
• 443 between the ESXi hosts, vCenter Server, and NSX Manager.
• 443 between the REST client and NSX Manager.
• TCP 902 and 903 between the vSphere Web Client and ESXi hosts.
• TCP 80 and 443 to access the NSX Manager management user interface and initialize the vSphere and NSX Manager connection.
• TCP 22 for CLI troubleshooting.
NSX requires these ports for installation and daily operations.
Installation: Manager OVA
Slide 2-43
After ensuring the correct preparation steps, install the OVA:
1. Obtain the NSX Manager OVA file.
2. Deploy the NSX Manager OVA file.
3. Log in to the NSX Manager.
4. Establish the NSX Manager and vCenter Server connection.
5. Back up the NSX Manager data.
To install the OVA:
1. Place the NSX Manager Open Virtualization Appliance (OVA) file in a location accessible to
your vCenter Server and ESXi hosts.
2. Import the OVA like any other virtual machine.
During the import process you are prompted to configure the initial network settings.
3. Power on the NSX Manager.
4. Log in to the administrative interface to configure the NSX Manager.
5. Configure the different NSX settings.
The NSX features are ready to use.
Initial Configuration: Management UI
Slide 2-44
Access the NSX Manager user interface to configure the manager initially.
Screenshot: NSX Manager Virtual Appliance Management page with the options Download Tech Support Log, Manage Appliance Settings, Backup & Restore, Manage vCenter Registration, and Upgrade.
After logging in to the NSX Manager, click Manage Appliance Settings to configure the initial
settings.
Initial Configuration: Time and Syslog Settings
Slide 2-45
Configure the time server and syslog settings.
Screenshot: General settings page of the NSX Manager appliance, showing the Time Settings (NTP server 192.168.110.10, time zone UTC) and the Syslog Server settings (syslog server vc-l-01a.corp.local, port 514, protocol UDP).
On the general page, configure the time and Syslog services.
Initial Configuration: Network Settings
Slide 2-46
Assign the NSX Manager to the correct IP address and configure other IP settings.
Screenshot: Network settings page of the NSX Manager appliance, showing the host name (nsxmgr-l-01a), domain name, SSL certificate, IPv4 information (address, netmask 255.255.255.0, default gateway 192.168.110.1), IPv6 information, and the IPv4 DNS servers (primary server 192.168.110.10, secondary server).
Verify that the network settings are correct.
Initial Configuration: vCenter Server Connection
Slide 2-47
Register the NSX Manager with a vCenter Server to begin using NSX capabilities.
Screenshot: NSX Management Service page with the Lookup Service and vCenter Server registration fields (vCenter Server address, user name) and the status Connected.
Connect the NSX Manager to the desired vCenter Server and the initial configuration is complete.
NSX Overview: Planes
Slide 2-48
Each component operates in a specific plane.
Consumption Model
Management Plane
Control Plane
Data Plane
NSX uses the management plane, control plane, and data plane models. Components on one plane
have minimal or no effect on the functions of the planes below.
NSX Overview: Data Plane Components
Slide 2-49
The data plane handles the flow of data between endpoints.
Slide diagram: Consumption Model; Management Plane; Control Plane; Data Plane. Data plane components: NSX Virtual Switch (VMware NSX Virtual Switch, a distributed network edge with line rate performance, made up of the VXLAN, distributed logical router, and distributed firewall hypervisor kernel modules on ESXi) and NSX Edge Services Gateway (VMware NSX Edge gateway in virtual machine form factor, the data plane for North-South traffic, providing routing and advanced services). Column labels: Switch, Security.
The data plane is defined by the distributed switch. On its own, the vSphere Distributed Switch does only layer 2 switching: hosts have to be on the same layer 2 network so that virtual machines on one host can communicate with virtual machines on another host.

NSX installs three vSphere Installation Bundles (VIBs) that enable NSX functionality on the host. One VIB enables the layer 2 VXLAN functionality, another VIB enables the distributed router, and the final VIB enables the distributed firewall. After the VIBs are added to a distributed switch, that distributed switch is called VMware NSX Virtual Switch. With NSX Virtual Switch, hosts are not restricted to the same layer 2 domain for virtual machine to virtual machine communication across hosts. You must migrate virtual machines off a host before installing the VIBs. If the VIBs must be removed, the ESXi host requires a reboot.

VMware NSX Edge gateway is not distributed, so it has no separate control entity: the NSX Edge gateway handles its own control traffic. Conceptually, an NSX Edge gateway sits on the boundary between the data and control planes.
NSX Overview: Control Plane Components
Slide 2-50
The control plane handles the implementation.
Slide diagram: Consumption Model; Management Plane; Control Plane: NSX Controller, NSX Logical Router Control VM, User World Agent (manages logical networks, holds run-time state, does not sit in the data path, speaks the control plane protocol); Data Plane: NSX Virtual Switch (distributed network edge, line rate performance) and NSX Edge gateway (virtual machine form factor, data plane for North-South traffic, routing and advanced services). Column labels: Switch, Security.
The NSX logical router control virtual machine and VMware NSX Controller are virtual machines that are deployed by VMware NSX Manager.

The user world agent (UWA) is composed of the netcpa and vsfwd daemons on the ESXi host. NSX communication between the NSX Manager instance or the NSX Controller instances and the ESXi host happens through the UWA.

The logical router control virtual machine handles the routing relationships (routing protocol adjacencies) on behalf of a distributed logical router. This virtual machine gives the resulting routing table to the NSX Controller instance, which distributes it to the hosts.

The NSX Virtual Switch does not handle routing control plane traffic, so the NSX logical router control virtual machine is instantiated on its behalf to handle that function. One logical router control virtual machine is deployed for each distributed logical router instance. The NSX Controller instance retains the media access control (MAC), Address Resolution Protocol (ARP), and Virtual Tunnel End Point (VTEP) tables. VMware recommends that you deploy NSX Controller instances in clusters of three to prevent situations where the NSX Controller cluster is split evenly on a decision.

If the control plane components are lost, the ability to form new paths between virtual machines is also lost, and the current paths age out as their TTLs expire. Traffic on paths that are already established keeps flowing until then.
NSX Overview: Management Plane Component
Slide 2-51
The management plane handles the user management input.
Slide diagram: Consumption Model; Management Plane: NSX Manager, vCenter Server, Message Bus Agent (single point of configuration, REST API and UI interface); Control Plane: NSX Logical Router Control VM, NSX Controller, User World Agent (manages logical networks, run-time state, does not sit in the data path, control plane protocol); Data Plane: NSX Virtual Switch (distributed network edge, line rate performance, with VXLAN, Distributed Logical Router, and Distributed Firewall kernel modules) and NSX Edge gateway (virtual machine form factor, data plane for North-South traffic, routing and advanced services). Column labels: Switch, Security.
NSX Manager communicates with a vCenter Server system and is the interface for the VMware NSX API for third-party applications that integrate with NSX. The NSX Controller instances are deployed by the NSX Manager instance: NSX Manager requests that the vCenter Server system deploy the NSX Controller virtual machines from OVA files.
NSX Overview: Consumption
Slide 2-52
These planes build a virtualized network that is consumed by customers.
Slide diagram: Consumption Model: self-service portal and cloud management (VMware vCloud Automation Center); Management Plane: NSX Manager, vCenter Server, Message Bus Agent (single point of configuration, REST API and UI interface); Control Plane: NSX Logical Router Control VM, NSX Controller, User World Agent (manages logical networks, run-time state, does not sit in the data path, control plane protocol); Data Plane: NSX Virtual Switch (distributed network edge, line rate performance; hypervisor kernel modules for VXLAN, distributed firewall, and logical router on ESXi) and NSX Edge gateway (virtual machine form factor, data plane for North-South traffic, routing and advanced services). Column labels: Switch, Security.
All of these components build an infrastructure for networking that is consumed in the same fashion as compute, memory, and storage resources in the software-defined data center.
Enterprise Topology
Slide 2-53
A common enterprise-level topology.
Diagram: an external network behind a physical router, connected over VLAN 20 to the uplink of an NSX Edge Services Gateway, which in turn connects over VXLAN 5020 to the uplink of logical router instance 1 (LR Instance 1).
NSX Manager helps to configure and manage logical routing services. During the configuration process, you can deploy either a distributed or a centralized logical router. If the distributed router is selected, the NSX Manager instance deploys the logical router control virtual machine and pushes the logical interface configurations to each host through the NSX Controller cluster.

In centralized routing, NSX Manager deploys the NSX Edge services router virtual machine. The API interface of NSX Manager helps automate deployment and management of these logical routers through a cloud management platform.
Service Provider: Multiple Tenant Topology
Slide 2-54
Multiple tenants to the same NSX Edge gateway.
Diagram: Tenant 1 and Tenant 2 logical routers connected to a shared NSX Edge Services Gateway, which connects to the external network.
In a service provider environment, multiple tenants exist. Each tenant can have different requirements in terms of the number of isolated logical networks and other network services, such as load balancing, firewall, and VPN. In such deployments, the NSX Edge services router provides network services capabilities and dynamic routing protocol support.

As shown in the slide, the two tenants are connected to the external network through the NSX Edge services router. Each tenant has its own logical router instance that provides routing within the tenant. A dynamic routing protocol is configured between the tenant logical router and the NSX Edge services router. This routing protocol provides the connectivity from the tenant virtual machines to the external network.

In this topology, East-West traffic routing is handled by the distributed router in the hypervisor, and North-South traffic flows through the NSX Edge services router.
Multiple Tenant Topology: Scalable Design
Slide 2-55
This multitenant topology is more flexible.
Diagram: an external network; two NSX Edge Services Gateways, each serving its own group of tenants; per-tenant logical routers and web logical switches behind them.
The service provider topology can be scaled out as shown in the slide. The diagram shows nine
tenants served by an NSX Edge instance on the left and the other nine tenants served by an NSX
Edge instance on the right. The service provider can easily provision another NSX Edge instance to
serve additional tenants.
Scalability
Slide 2-56
Scaling compute infrastructure:
• Adding hosts to clusters
• Adding new clusters
Effect on distributed switch design: a distributed switch can span across 1,000 hosts.

Scaling number of users or applications:
• More virtual machines are connected to isolated networks (VLANs)
Effects on distributed switch design:
• Separate port groups for each application
• 10,000 port groups are supported
• The number of virtual ports is 60,000
• Dynamic port management (static ports)

Diagram: one data center with Cluster 1, Cluster 2, and Cluster 3.
The distributed switch supports up to 1,000 hosts, which allows for a wide variety of scaling options. These options range from a model where every cluster has its own distributed switch to a model with a single distributed switch spanning all clusters. NSX even supports multiple distributed switches in the same cluster.

If a distributed switch spans multiple clusters, when you create a port group, every host connected to that distributed switch learns about the new port group. Thus, every new port group causes additional resource consumption on every one of those hosts. The main reason to span a distributed switch across clusters is to support virtual machine migration with vSphere vMotion.
NSX for vSphere : Scale Boundaries
Slide 2-57
Diagram: 1:1 mapping of the vCenter Server system to the NSX cluster. Within the vCenter Server boundary: vSphere vMotion based on DRS and manual vSphere vMotion. The logical network span extends beyond that boundary.
NSX is coupled with the vCenter Server system to provide enhanced functionality on VMware hypervisors, so it scales in parallel with the vCenter Server system. Typically a cloud management system is used to aggregate multiple vCenter Server systems and NSX Manager instances to enable horizontal scalability.

NSX Manager and vCenter Server systems are linked 1:1, and NSX Controller clusters are deployed by NSX Manager. In addition to the vSphere vMotion boundaries, VMware NSX for vSphere enables layer 2 connectivity that spans the entire vCenter Server system using VXLAN. A vCenter Server system supports up to 1,000 hosts and 10,000 virtual machines.

NSX provides a similar architecture. The main difference is that the NSX Controller cluster scales independently from the vCenter Server system. So the vSphere vMotion boundaries are the same, but NSX allows logical networks and layer 2 boundaries to extend beyond a single vCenter Server system. The limit is still 1,000 hypervisors, but multiple hypervisor platforms are supported.
NSX Manager
Slide 2-58
NSX centralized management plane:
• Provides the management UI and NSX API.
• Installs the UWA, VXLAN, distributed routing, and distributed firewall kernel modules.
• Configures the NSX Controller cluster through a REST API.
• Configures hosts through a message bus.
• Generates certificates to secure control plane communications.

Screenshot: the NSX Manager appliance management UI.
NSX Manager is the only component that you install directly; it handles all the management tasks and deploys everything else. A direct correlation of one vCenter Server system to one NSX Manager exists. So if vCloud Automation Center is present with multiple vCenter Server systems, each of those vCenter Server systems has its own NSX Manager instance.

An installation of NSX Manager includes the OVA files to deploy the NSX Edge gateways and NSX Controller instances, and the VIBs that get pushed to the ESXi hosts for the distributed switches. NSX Manager uses the REST API for external communications from third-party applications, such as firewalls and security software, that integrate with NSX.
Building the NSX Platform
Slide 2-59
You can deploy NSX by using this process.

Prerequisites: physical network with the required MTU, vCenter Server 5.5 and ESXi 5.5, vSphere Distributed Switch.

Timeline:
• Host Preparation
• Logical Network Preparation (VXLAN transport network)
• Logical Networks: deploy logical switches per tier; deploy a distributed logical router or connect to an existing router; create a bridged network; connect to a centralized router
• Logical Network or Security Services
• Programmatic or virtual network deployment (consumption)
NSX deploys into vSphere clusters. The NSX platform has basic requirements: any server on which you can install ESXi 5.5 can run NSX, connected to any physical network. Multicast support in the physical infrastructure is an added benefit but is not required. After you deploy NSX Manager, you deploy the NSX Controller instances and the VIBs, and then configure the virtual network.
Lab 1: Introduction
Slide 2-60
At the beginning of lab 1, the installation of NSX Manager is
complete. The focus of this lab is verification of the initial
configuration.
Screenshot: NSX Manager appliance management UI, showing the General, Network, SSL Certificates, Backups & Restore, and Upgrade settings (host name, domain name, NTP server, time zone, IPv4 and IPv6 address, netmask, default gateway, DNS servers, search domains) and the NSX Management Service, Lookup Service, and vCenter Server registration components (vCenter Server address, user name, and connection status).
Lab 1: Configuring NSX Manager
Slide 2-61
Attach an NSX Manager appliance to a vCenter Server system
1. Access Your Lab Environment
2. Review the NSX Manager Configuration
3. Verify That the vSphere Web Client Plug-In for NSX Manager Is Installed
4. License vCenter Server, the ESXi Hosts, and NSX Manager
5. Clean Up for the Next Lab
Concept Summary
Slide 2-62
A review of concepts discussed in this lesson:
• What is the set of rules used by routers to determine paths called? Routing protocols
• Which protocol facilitates the propagation of multicast traffic across a routed network? Protocol Independent Multicast (PIM)
• What is used to acquire the MAC addresses associated with IP addresses? Address Resolution Protocol (ARP)
• What is the layer 2 address of a network interface? Media Access Control (MAC) address
• What is used to issue textual commands to NSX components? Command-line interface (CLI)
• What is the file format used to store and import virtual machines? Open Virtualization Format (OVF)
• What is a network device used to restrict and filter traffic between networks and endpoints? A firewall
• What is a service embedded in the ESXi kernel that is used to protect virtual machines called? Distributed Firewall
• What is the method for dividing workloads among NSX Controller instances? Slicing
• What is an appliance deployed by NSX Manager, primarily used for perimeter services? NSX Edge
Review of Learner Objectives
Slide 2-63
You should be able to meet the following objectives:
• Describe capabilities of NSX
• Explain differences between the data, control, and management planes
• Recognize NSX topologies
• Illustrate the role of NSX Manager
Lesson 4: NSX Controller
Slide 2-64
Learner Objectives
Slide 2-65
By the end of this lesson, you should be able to meet the following
objectives:
• Describe NSX Controller instances
• Explain NSX Controller clustering
• Determine NSX Controller roles
NSX Controller
Slide 2-66
NSX Controller provides:
• VXLAN distribution and logical routing network information to ESXi
hosts.
• Clustering for scale out and high availability.
• Workload distribution within an NSX Controller cluster.
• Removal of multicast routing and PIM dependency in the physical
network.
• Suppression of ARP broadcast traffic in VXLAN networks.
Diagram: NSX Controller hosts the VXLAN directory service, holding the MAC table, ARP table, and VTEP table.
VMware recommends that you have three NSX Controller instances for each NSX Controller cluster. You should always have an odd number of NSX Controller instances to avoid a situation in which the NSX Controller instances are split evenly on a decision.

NSX Controller stores four types of tables:
• The ARP table
• The MAC table
• The VTEP table
• The routing table

The ESXi host, with NSX Virtual Switch, intercepts the following types of traffic:
• Virtual machine broadcast
• Virtual machine unicast
• Virtual machine multicast
• Ethernet requests
The host then queries the NSX Controller instance to retrieve the correct response to those requests.
For example, when a virtual machine sends an ARP request to get the MAC address for another virtual machine, that ARP request is intercepted by the host and sent to the NSX Controller instance. If the NSX Controller instance has the correct information, the information is returned to the host and the host replies to the virtual machine locally. Thus, broadcast traffic is reduced across the VXLAN, and the various tables on the NSX Controller instance are built. NSX Controller gets the routing tables from the logical router control virtual machine.
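The exchange described above, as an added example in Python that is not part of the course material: a model of the controller's VXLAN directory service (MAC, ARP, and VTEP tables, built from what hosts report through the UWA) and of the host-side ARP interception. It also shows the fallback a practitioner should expect: when the controller has no entry, or is unreachable, the host does not wait but sends the normal ARP broadcast, replicated to the VTEPs it last learned for that VNI. The VNI, VTEP addresses, VM addresses, and the replication behaviour are constructed for illustration.

```python
# Added example (not VMware code): a model of the NSX Controller VXLAN
# directory service and of host-side ARP suppression. VNIs, VTEP and VM
# addresses and the replication list behaviour are constructed.
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple


@dataclass
class VxlanDirectory:
    """The per-VNI tables the NSX Controller keeps (constructed layout)."""
    mac_table: Dict[int, Dict[str, str]] = field(default_factory=dict)  # vni -> {vm_mac: vtep_ip}
    arp_table: Dict[int, Dict[str, str]] = field(default_factory=dict)  # vni -> {vm_ip: vm_mac}
    vtep_table: Dict[int, Set[str]] = field(default_factory=dict)       # vni -> {vtep_ip, ...}

    def learn(self, vni: int, vtep_ip: str, vm_mac: str, vm_ip: Optional[str] = None) -> None:
        """A host reports (through the UWA) a VM it hosts on a VNI; the tables are built from this."""
        self.vtep_table.setdefault(vni, set()).add(vtep_ip)
        self.mac_table.setdefault(vni, {})[vm_mac] = vtep_ip
        if vm_ip is not None:
            self.arp_table.setdefault(vni, {})[vm_ip] = vm_mac

    def arp_lookup(self, vni: int, target_ip: str) -> Optional[Tuple[str, str]]:
        """Answer a host's ARP query with (vm_mac, vtep_ip), or None if the IP is unknown."""
        mac = self.arp_table.get(vni, {}).get(target_ip)
        if mac is None:
            return None
        return mac, self.mac_table[vni][mac]

    def vteps(self, vni: int) -> Set[str]:
        """The VTEP list a host uses to replicate broadcast traffic without multicast."""
        return set(self.vtep_table.get(vni, set()))


class Host:
    """An ESXi host with NSX Virtual Switch: intercepts VM ARP requests."""

    def __init__(self, vtep_ip: str, controller: Optional[VxlanDirectory]) -> None:
        self.vtep_ip = vtep_ip
        self.controller = controller                 # None models an unreachable controller cluster
        self.vtep_cache: Dict[int, Set[str]] = {}    # last replication list learned per VNI
        self.broadcasts_sent = 0

    def vm_arp_request(self, vni: int, target_ip: str):
        """Return ("local-reply", mac) when suppressed, else ("broadcast", replicated_to)."""
        if self.controller is not None:
            self.vtep_cache[vni] = self.controller.vteps(vni)
            answer = self.controller.arp_lookup(vni, target_ip)
            if answer is not None:
                mac, _vtep = answer
                return ("local-reply", mac)          # answered on the host; nothing hits the wire
        # Unknown IP, or controller down: do not wait, send the normal ARP broadcast,
        # replicating it to every other VTEP last known for this VNI.
        self.broadcasts_sent += 1
        targets = tuple(sorted(self.vtep_cache.get(vni, set()) - {self.vtep_ip}))
        return ("broadcast", targets)


def demo():
    """Constructed inventory: two VMs on VNI 5001 hosted on two VTEPs."""
    ctrl = VxlanDirectory()
    ctrl.learn(5001, "10.10.10.11", "00:50:56:aa:00:01", "172.16.10.11")
    ctrl.learn(5001, "10.10.10.12", "00:50:56:aa:00:02", "172.16.10.12")
    host = Host("10.10.10.11", ctrl)
    hit = host.vm_arp_request(5001, "172.16.10.12")    # suppressed, answered locally
    miss = host.vm_arp_request(5001, "172.16.10.99")   # unknown IP, broadcast to other VTEPs
    return hit, miss, host.broadcasts_sent


if __name__ == "__main__":
    print(demo())
```

The point of the model is the last branch: a controller miss or outage never blocks the virtual machine, it only costs a broadcast, which is the behaviour the data plane relies on when the control plane is unavailable.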
NSX Controller Cluster Deployment
Slide 2-67
NSX Controller nodes are deployed as virtual machines.
Each virtual machine consumes 4 vCPU and 4 GB of RAM.
NSX Controller password is defined during the deployment of the
first node and is consistent across all nodes.
NSX Controller nodes must be deployed in the same vCenter Server
instance that NSX Manager is connected to.
A cluster size of 3 NSX Controller nodes is recommended.
NSX Controller interaction is through CLI, and configuration
operations are available through NSX API.
The first NSX Controller instance that is deployed requests a password, and all NSX Controller instances deployed afterward use this same password. A user uses this password to connect through SSH to an NSX Controller instance. NSX Controller must be connected to the same vCenter Server system as NSX Manager. VMware recommends that you deploy NSX Controller instances in clusters of three. Each NSX Controller instance in a cluster must be deployed individually, and each one consumes 4 vCPUs and 4 GB of RAM.
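The configuration path the slide mentions (NSX Manager configures the controller cluster through its REST API, and nodes are deployed one at a time) as an added example in Python; this is not VMware code. It builds the XML body for deploying one controller node, parses the controller list NSX Manager returns, and decides when the three-node cluster is up so the next node can be deployed. The endpoint /api/2.0/vdn/controller and the controllerSpec and controllers element names are as I recall them from the NSX 6.x API reference and should be verified against the API guide for your version; deployType is an assumed field; every object ID, address, and the sample response are constructed.

```python
# Added example (not VMware code): deploy-one-node request body and
# controller-list parsing for the NSX Manager REST API.
# Assumptions: endpoint and XML element names per the NSX 6.x API reference
# as recalled (verify for your version); IDs, addresses, sample response
# and the deployType field are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List

CONTROLLER_URL = "/api/2.0/vdn/controller"   # assumed NSX 6.x endpoint


def build_controller_spec(name: str, password: str, ip_pool_id: str,
                          resource_pool_id: str, datastore_id: str,
                          network_id: str, host_id: str = "") -> bytes:
    """Serialise the controllerSpec for one node.

    The password is set by the first node and reused by every later node,
    so the caller must pass the same value for all three deployments.
    """
    spec = ET.Element("controllerSpec")
    fields = {
        "name": name,
        "ipPoolId": ip_pool_id,           # pool the node's control-plane IP is taken from
        "resourcePoolId": resource_pool_id,
        "datastoreId": datastore_id,
        "networkId": network_id,          # management port group
        "password": password,
        "deployType": "medium",           # assumed field: size of the controller VM
    }
    if host_id:
        fields["hostId"] = host_id        # optionally pin the node to one host
    for tag, value in fields.items():
        ET.SubElement(spec, tag).text = value
    return ET.tostring(spec, encoding="utf-8")


def parse_controllers(xml_text: str) -> List[Dict[str, str]]:
    """Turn a GET /api/2.0/vdn/controller response into a list of node dicts."""
    root = ET.fromstring(xml_text)
    return [
        {
            "id": node.findtext("id", ""),
            "ipAddress": node.findtext("ipAddress", ""),
            "status": node.findtext("status", ""),
        }
        for node in root.iter("controller")
    ]


def cluster_ready(nodes: List[Dict[str, str]], want: int = 3) -> bool:
    """True once `want` nodes exist and every one reports RUNNING."""
    return len(nodes) >= want and all(n["status"] == "RUNNING" for n in nodes)


def deploy_controller(session, base_url: str, spec: bytes) -> str:
    """POST one spec. `session` is a requests.Session-like object; not run offline."""
    resp = session.post(base_url + CONTROLLER_URL, data=spec,
                        headers={"Content-Type": "application/xml"})
    resp.raise_for_status()
    return resp.text   # NSX Manager answers with a job id to poll before the next node


# Constructed response, as NSX Manager might return it after three deployments.
SAMPLE_RESPONSE = """<controllers>
  <controller><id>controller-1</id><ipAddress>192.168.110.201</ipAddress><status>RUNNING</status></controller>
  <controller><id>controller-2</id><ipAddress>192.168.110.202</ipAddress><status>RUNNING</status></controller>
  <controller><id>controller-3</id><ipAddress>192.168.110.203</ipAddress><status>RUNNING</status></controller>
</controllers>"""


if __name__ == "__main__":
    print(build_controller_spec("controller-1", "VMware1!VMware1!", "ipaddresspool-1",
                                "resgroup-20", "datastore-13", "dvportgroup-41").decode())
    print(cluster_ready(parse_controllers(SAMPLE_RESPONSE)))
```

Deploy the nodes sequentially: POST one spec, poll until that node reports RUNNING, then POST the next, because each controller must be deployed individually and joins the cluster formed by the first.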
Control Plane Interaction
Slide 2-68
ESXi hosts and NSX logical router virtual machines learn network information and send it to NSX Controller through the UWA.

The NSX Controller CLI provides a consistent interface to verify VXLAN and logical routing network state information.

NSX Manager is also to provide APIs to programmatically retrieve data from the NSX Controller nodes in a future release.

Diagram: NSX Manager above an NSX Controller cluster.
NSX Controller uses the UWA daemons to communicate with the hosts over each host's management address. NSX Controller instances in a cluster replicate the ARP, MAC, and VTEP tables across that cluster.
Control Plane Security
Slide 2-69
All NSX Control communication is protected with SSL encryption
over the management network.
NSX Manager creates and installs self-signed certificates to each
ESXi host and NSX Controller cluster.
Mutual authentication of NSX entities occurs by verifying certificates.
The control plane is secured with SSL encryption by using certificates that are managed by NSX Manager.
Control Plane Security: Diagram
Slide 2-70
The control plane requires certificate-based authentication.
Diagram: NSX Manager creates a certificate, stores it in the NSX Manager database, and distributes it over the REST API and the message bus to the NSX Controller instances and the ESXi hosts.
NSX Manager creates certificates and stores them in a database. NSX Manager pushes these certificates to the NSX Controller instances as they are deployed. NSX Manager uses the message bus to talk to the host for deploying the VIBs. NSX Controller and the host communicate through the UWA daemons.
User World Agent
Slide 2-71
The UWA has the following features:
• Runs as a service daemon called netcpa.
• Uses SSL to communicate with NSX Controller on the control plane.
• Mediates between NSX Controller and the hypervisor kernel modules, except the distributed firewall.
• Retrieves information from NSX Manager through the message bus agent.
The distributed firewall kernel modules communicate directly with NSX Manager through the vsfwd service daemon.
Diagram: three NSX Controller instances communicating with the UWA on an ESXi host, which in turn talks to the kernel modules.
The UWA includes two daemons that run on the host. The UWA is responsible for communication between NSX Controller and the ESXi host for layer 2 and layer 3 state, and for VXLAN communications. The UWA can connect to multiple NSX Controller instances and maintains its log at /var/log/netcpa.log. The distributed firewall has its own daemon, vsfwd, which talks directly to NSX Manager.
NSX Controller: Master Election
Slide 2-72
Each role needs a master.
Masters for different roles can sit on different nodes.
NSX Controller uses Paxos-based algorithm.
Guaranteed correctness (not necessarily convergence).
Two roles are used for NSX Controller workloads. These roles are called logical switches and logical routers. A master election determines the NSX Controller instance that is the master for a particular role. Every role has a master. The master selects the NSX Controller instances and allocates to each of them a portion of the work for that role.

Paxos is a family of protocols for solving consensus in a network of unreliable processors. Decisions require a majority of the cluster nodes, which is why a cluster of three tolerates the loss of one node and why an odd cluster size is required.
Master Failure Scenario
Slide 2-73
A node failure triggers an election for roles when the master is no
longer available for that role.
A new node is promoted to master after the election process.
If the master NSX Controller instance for a role fails, the cluster elects a new master for that role from the available NSX Controller instances. The new master for that role reallocates the lost portions of work among the remaining NSX Controller instances.

NSX Controller instances are on the control plane, so an NSX Controller failure does not affect data plane traffic. For example, if a host requests the MAC address for an IP address through an ARP request and the NSX Controller instance does not respond, the ARP request is still processed: the normal ARP request process does not wait for the NSX Controller instance, and the request is forwarded as an ordinary broadcast instead.
NSX Controller Workload Distribution
Slide 2-74
The NSX Controller cluster must:
• Dynamically distribute workloads across all available NSX Controller cluster nodes
• Redistribute workloads when a cluster member is added
• Have the ability to sustain failure of any cluster node
• Perform the workload distribution so that it is transparent to applications
Solution: Slicing
Slicing is the action of dividing NSX Controller workloads into different slices so that each NSX
Controller instance has an equal portion of the work.
Slicing Assignment
Slide 2-75
For a given role, create a number of slices.
Define objects that are to be sliced.
Assign objects into their slices.
Diagram: objects (logical switches / VNIs and logical routers) assigned to numbered logical switch slices and logical router slices.
After a master NSX Controller instance is chosen for a role, that NSX Controller divides the different logical switches and routers among all available NSX Controller instances in the cluster. Each numbered box on the slide represents a slice that the master uses to divide the workload. The logical switch master divides the logical switches into slices and assigns these slices to different NSX Controller instances. The master for the logical routers does the same.
Slicing Distribution
Slide 2-76
For a given role, create a number of slices.
Define objects that are to be sliced.
Assign objects into their slices.
Distribute slices across NSX Controller cluster nodes.

Diagram: logical switch slices and logical router slices spread across the NSX Controller cluster nodes.
These slices are assigned to the different NSX Controller instances in that cluster. The master for a role decides which slices are assigned to which NSX Controller instances. If a request comes in for router slice 6, the requester is told to connect to the third NSX Controller instance. If a request comes in for logical switch slice 2, that request is processed by the second NSX Controller instance.
Slice Redistribution
Slide 2-77
When an NSX Controller instance fails, the master for each role redistributes that instance's slices among the remaining nodes.
Slice redistribution happens on:
• Creation of the NSX Controller cluster.
• A reduction in the number of available NSX Controller nodes in the cluster.
• An increase in the number of available NSX Controller nodes in the cluster.

When one of the NSX Controller instances in a cluster fails, the masters for the roles redistribute its slices to the remaining available NSX Controller instances in that cluster.
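The mechanics of slides 2-72 through 2-77 (a master per role, objects hashed into slices, slices dealt across live nodes, and redistribution when a node fails or returns) as one added example in Python; this is not VMware code and does not reproduce the real controller's internals. The "lowest live node" master rule is a stand-in for the Paxos-based election, which is not modelled, but the majority rule is: with one of three nodes left there is no majority, no master, and no owner for any slice, so new objects cannot be created even though existing data paths keep running. Node names, object names, and the slice count per role are constructed.

```python
# Added example (not VMware code): slicing with a master per role, round-robin
# slice distribution over live nodes, majority loss, and redistribution on node
# failure and recovery. The master rule is a stand-in for the Paxos election;
# node and object names and SLICES_PER_ROLE are constructed.
import zlib
from typing import Dict, List, Set

ROLES = ("switch", "router")
SLICES_PER_ROLE = 8   # constructed; the real slice count is an internal detail


class ControllerCluster:
    def __init__(self, nodes: List[str]) -> None:
        self.configured: List[str] = sorted(nodes)
        self.live: List[str] = list(self.configured)
        self.objects: Dict[str, Set[str]] = {r: set() for r in ROLES}
        self.assignment: Dict[str, Dict[int, str]] = {r: {} for r in ROLES}
        self.redistribute()   # slices are first dealt out when the cluster is created

    def has_majority(self) -> bool:
        """Paxos needs more than half of the configured nodes: 2 of 3 is enough, 1 of 3 is not."""
        return 2 * len(self.live) > len(self.configured)

    def master(self, role: str) -> str:
        """Elected master for a role; different roles land on different nodes when enough are live."""
        if not self.has_majority():
            raise RuntimeError("cluster majority lost; no master can be elected")
        return self.live[ROLES.index(role) % len(self.live)]

    def redistribute(self) -> None:
        """Each role's master deals its slices round-robin over the live nodes, starting with itself."""
        for role in ROLES:
            if not self.has_majority():
                self.assignment[role] = {}
                continue
            start = self.live.index(self.master(role))
            self.assignment[role] = {
                s: self.live[(start + s) % len(self.live)] for s in range(SLICES_PER_ROLE)
            }

    @staticmethod
    def slice_of(name: str) -> int:
        """Objects (VNIs, logical routers) map to a fixed slice of their role."""
        return zlib.crc32(name.encode()) % SLICES_PER_ROLE

    def node_for_slice(self, role: str, slice_id: int) -> str:
        if not self.has_majority():
            raise RuntimeError("cluster majority lost; slice has no owner")
        return self.assignment[role][slice_id]

    def add_object(self, role: str, name: str) -> str:
        """Create an object; this needs a majority, unlike data paths already programmed on hosts."""
        node = self.node_for_slice(role, self.slice_of(name))
        self.objects[role].add(name)
        return node

    def node_for(self, role: str, name: str) -> str:
        """Which controller a host is told to talk to for this object."""
        if name not in self.objects[role]:
            raise KeyError(name)
        return self.node_for_slice(role, self.slice_of(name))

    def load(self, role: str) -> Dict[str, int]:
        """Slices per node for a role; shows the work staying balanced after changes."""
        counts: Dict[str, int] = {}
        for node in self.assignment[role].values():
            counts[node] = counts.get(node, 0) + 1
        return counts

    def fail_node(self, node: str) -> None:
        if node in self.live:
            self.live.remove(node)
            self.redistribute()     # reduction in available nodes

    def restore_node(self, node: str) -> None:
        if node in self.configured and node not in self.live:
            self.live.append(node)
            self.live.sort()
            self.redistribute()     # increase in available nodes


if __name__ == "__main__":
    c = ControllerCluster(["controller-6", "controller-7", "controller-8"])
    for i in range(1, 7):
        c.add_object("switch", "vxlan-500%d" % i)
    print(c.master("switch"), c.master("router"), c.load("switch"))
    c.fail_node("controller-6")
    print(c.master("switch"), c.load("switch"))
```

Run it and watch the switch load go from 3/3/2 slices across three nodes to 4/4 across two after one failure, then fail a second node and observe that lookups refuse to answer: that refusal, not a wrong answer, is what the majority rule buys.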
Component Interaction: Configuration
Slide 2-78
The components of the NSX platform are configured in a specific
order.
Diagram: deploy NSX Manager and register it with vCenter Server; deploy the NSX Controller cluster; deploy the NSX Edge gateway and configure network services. Below: vSphere Cluster 1, vSphere Cluster 2, through vSphere Cluster N.
The components of the NSX platform are configured in the following order:
1. Only NSX Manager is installed.
2. During NSX Manager installation, the vCenter Server IP address and credentials are provided, and the NSX Manager instance connects to the vCenter Server system. The NSX Manager instance enables the NSX components in the VMware vSphere Web Client.
3. The vSphere Web Client is used to deploy the NSX Controller instances through NSX Manager.
4. After the NSX Controller instances are deployed, hosts are prepared by using NSX Manager to install the VIBs on the ESXi hosts in the cluster.
5. After the components are installed and deployed, you define the logical networking components, such as adding distributed routers and creating firewall policies.
Host preparation (step 4) is repeated for each vSphere cluster; NSX Manager and the NSX Controller cluster are deployed once per vCenter Server system.
Lab 2: Introduction (1)
Slide 2-79
Add NSX Controller nodes in odd numbers.

Screenshot: vSphere Web Client, Networking & Security > Installation > Management, showing NSX Manager 192.168.110.42 and its NSX Controller nodes: controller-6 at 192.168.110.201, controller-7 at 192.168.110.202, and controller-8 at 192.168.110.203.
Lab 2: Introduction (2)
Slide 2-80
Use the CLI to confirm the NSX Controller status.
II
nvp-e co nt.r o I Le r
Type
#
shOIJ
co nt.r o.l c-c Lua te r
status
5tatus
5ince
Join
status:
Join
complEtE
07/14
17:53:22
z
(j)
Majority
status :
ConnEctEd
to
clustEr
majority
07/14
18:04:46
><
:Restart
status:
This
controller
can
be
safely
restarted
07/14
18:04:47
Z
ClustEr
ID:
47b40b57-fbdf-4fcE-a171-bff6a36345bO
CD
NodE
UUID:
47b40b57-fbdf-4fcE-a171-bff6a36345bO
?
o
~
:::J
to
Lab 2: Configuring and Deploying an NSX Controller Cluster
Slide 2-81
Deploy a three-node NSX Controller Cluster
1. Prepare for the Lab
2. Deploy the First NSX Controller Instance
3. Verify That the First NSX Controller Instance Is Operational
4. Deploy the Second NSX Controller Instance
5. Verify That the Second NSX Controller Instance Is Operational
6. Deploy the Third NSX Controller Instance
7. Verify That the Third NSX Controller Instance Is Operational
8. Clean Up for the Next Lab
Review of Learner Objectives
Slide 2-82
You should be able to meet the following objectives:
• Describe NSX Controller instances
• Explain NSX Controller clustering
• Determine NSX Controller roles
Key Points
Slide 2-83
• Software is the foundation that is powering the evolution of networks
and data center infrastructure.
• NSX uses the management plane, control plane, and data plane
models.
• NSX Controller provides VXLAN distribution and logical routing network
information to ESXi hosts.
Questions?
MODULE 3
Logical Switch Networks and VXLAN Overlays
Slide 3-1
You Are Here
Slide 3-2
VMware NSX: Install Configure Manage
Course Introduction
NSX Networking
Logical Switch Networks and VXLAN Overlays
NSX Routing
NSX Edge Services Gateway
NSX Security
Importance
Slide 3-3
Virtual Extensible LAN (VXLAN) enables you to create a logical
network for your virtual machines across different networks. You can
create a layer 2 network on top of your layer 3 networks.
Module Lessons
Slide 3-4
Lesson 1: Ethernet Fundamentals
Lesson 2: Overview of vSphere Distributed Switch
Lesson 3: Link Aggregation
Lesson 4: Virtual LANs
Lesson 5: VXLAN: Logical Switch Networks
Lesson 1: Ethernet Fundamentals
Slide 3-5
Learner Objectives
Slide 3-6
By the end of this lesson, you should be able to meet the following
objectives:
• Describe Ethernet frames
• Describe segmentation and encapsulation
• Explain the Address Resolution Protocol (ARP) process
Review: Networking Definitions
Slide 3-7
Network: Physical connection that enables computers to communicate
Frame: Unit of transfer, Layer 2 of the OSI model
• Packets (a layer 3 unit of transfer) are segmented into frames for transmission
• Frames are transmitted across the physical medium and assembled by the target/destination device
Protocol: An agreement between two devices about how information is to be transmitted.
Broadcast Domain: Shared communication medium.
Delivery: The way a receiver identifies the destination of a frame:
• The header is in the front of the frame: [Header][Payload]
• Many nodes might receive a frame, but only the identified destination keeps the frame (all others
discard)
Arbitration: The act of negotiating the use of a shared medium.
Point-to-point network: A network in which every physical wire is connected to only two devices.
Switch: A bridge that transforms a shared-bus (broadcast) configuration into a point-to-point
network.
Router: A device that acts as a junction between two layer 3 networks to transfer packets between
them.
Gateway: A device that connects two networks communicating over different protocols.
Ethernet
Slide 3-8
Source and destination identification uses media access control (MAC)
addresses:
• Listen and wait for channel to be available
• Carrier Sense Multiple Access with Collision Detection (CSMA-CD): If a
collision occurs, wait a random period before retrying.
Frame layout:
  Preamble (8 bytes) | Destination (6 bytes) | Source (6 bytes) | Type (2 bytes) | Data (46 to 1,500 bytes) | CRC (4 bytes)
• Destination and source are 48-bit MAC addresses (for example,
00:26:4a:18:f6:aa)
• The Type indicates the protocol that the Data portion of the frame contains:
  • Type 0x0800 is IPv4
  • Type 0x0806 is ARP
  • Type 0x86DD is IPv6
• Data part of layer 2 frame contains a layer 3 datagram
Ethernet is the most commonly used layer 2 system in data centers. The main purpose of Ethernet is
to define the source and destination of frames and ensure that the shared medium is used efficiently
among all hosts.
MAC Tables
Slide 3-9
The MAC address tables associate MAC addresses with LAN ports
on the switch.
[Figure: switch MAC address table output with the columns Vlan, Mac Address, Type and Ports. Two STATIC entries for VLAN All point to CPU; the DYNAMIC entries learned on VLAN 1 each point to an individual access port (Fa0/2 to Fa0/13).]
A switch uses a media access control (MAC) address table to direct frames from a sending network
device to a destination network device. The switch builds this table as it receives frames. The switch
associates the MAC address of the sending device with the LAN port on which the frame is received
by using the source MAC address in the frame.
When the switch receives a communication for an unknown destination address, the switch sends
the frame to all other LAN ports of the same VLAN . When the destination device replies, the switch
adds the relevant MAC source address and port ID in the address table. The switch sends all
subsequent frames for that destination to the correct LAN port without sending to all LAN ports.
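The learning and flooding behaviour described above, as an added example that is not part of the course manual: a small learning switch that keys its MAC table by VLAN, floods unknown destinations only within the VLAN, and unicasts once the reply has been learned. The port names and MAC addresses are constructed sample values.

```python
# Added example (not from the course manual): a learning switch that builds the
# per-VLAN MAC address table described on slide 3-9 and floods unknown destinations.
from dataclasses import dataclass, field

@dataclass
class Frame:
    vlan: int
    src: str
    dst: str

@dataclass
class LearningSwitch:
    mac_table: dict = field(default_factory=dict)   # (vlan, mac) -> port: the Vlan / Mac Address / Ports columns
    vlan_ports: dict = field(default_factory=dict)  # vlan -> set of member ports

    def add_port(self, port, vlan):
        self.vlan_ports.setdefault(vlan, set()).add(port)

    def receive(self, frame, in_port):
        """Learn the source MAC on the ingress port, then return the set of egress ports."""
        self.mac_table[(frame.vlan, frame.src)] = in_port
        out = self.mac_table.get((frame.vlan, frame.dst))
        if out is not None:
            return set() if out == in_port else {out}   # known destination: one port, never back out the ingress
        # Unknown or broadcast destination: flood to all other ports of the same VLAN only.
        return self.vlan_ports.get(frame.vlan, set()) - {in_port}

def demo():
    """Constructed scenario: two hosts in VLAN 1 exchange frames; the VLAN 2 port never sees them."""
    sw = LearningSwitch()
    for port in ("Fa0/1", "Fa0/2", "Fa0/3"):
        sw.add_port(port, vlan=1)
    sw.add_port("Fa0/4", vlan=2)
    a, b = "00:26:4a:18:f6:aa", "00:26:4a:18:f6:bb"     # constructed sample MAC addresses
    first = sw.receive(Frame(1, a, b), "Fa0/1")         # b unknown -> flooded to Fa0/2 and Fa0/3
    reply = sw.receive(Frame(1, b, a), "Fa0/2")         # a already learned -> sent only to Fa0/1
    third = sw.receive(Frame(1, a, b), "Fa0/1")         # b learned from the reply -> only Fa0/2
    return first, reply, third, dict(sw.mac_table)
```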
Broadcast Domain
Slide 3-10
A broadcast domain is a logical division of a computer network, in
which all hosts can reach each other by broadcast at the data link
layer.
[Figure: a router connects two switches, and each switch connects to hubs. The label Broadcast Domain marks the segment bounded by the router; the label Collision Domain marks the segment shared by the hosts on a hub.]
Address Resolution Protocol
Slide 3-11
ARP provides a mechanism for a device to map an IP address to a
MAC address.
When a device needs to communicate with another device for which
the IP address is known but the MAC address is unknown:
• The source device creates an ARP packet with the destination's IP
address.
• The source places the packet in a broadcast Ethernet frame.
• The broadcast Ethernet frame is transmitted across the local subnet.
• The destination device receives a copy of the frame and opens the
copy to check the IP address in the destination field.
• The destination responds to the ARP request with a frame to the source
with the destination's MAC address as the source MAC address.
• The source receives the frame and reads the destination's MAC address.
From Packets to Frames
Slide 3-12
An Ethernet Ethertype of Ox0800 indicates that the payload is an IP
packet:
• When putting a packet into a frame, the end station uses the
destination MAC address that corresponds to the destination IP
address.
• If the destination IP address is not in the same subnet as the source
end station, the end station uses the MAC address of the default
gateway as the destination MAC address.
• If the end station does not know the destination MAC address that
corresponds with the destination IP address, the end station cannot
send the frame.
• All network data moves through a network as frames
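The Ethernet frame layout of slide 3-8, the ARP exchange of slide 3-11 and the next-hop rule of slide 3-12, carried through as an added example that is not part of the course manual. The MAC addresses, IP addresses and gateway are constructed sample values; the ARP field offsets are the standard Ethernet/IPv4 ARP layout.

```python
# Added example (not from the course manual): build and parse the Ethernet frames of an
# ARP request/reply, and decide which IP must be resolved before a frame can be sent.
import ipaddress
import struct

ETHERTYPE_IPV4, ETHERTYPE_ARP = 0x0800, 0x0806      # Type values listed on slide 3-8
BROADCAST = "ff:ff:ff:ff:ff:ff"

def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(raw): return ":".join(f"{b:02x}" for b in raw)

def ethernet_frame(dst, src, ethertype, payload):
    """Destination (6) | Source (6) | Type (2) | Data. Preamble and CRC are added by the NIC."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def parse_ethernet(frame):
    ethertype = struct.unpack("!H", frame[12:14])[0]
    return mac_str(frame[:6]), mac_str(frame[6:12]), ethertype, frame[14:]

def arp_packet(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """ARP over Ethernet/IPv4: hw type 1, proto 0x0800, lengths 6/4, opcode 1=request, 2=reply."""
    return (struct.pack("!HHBBH", 1, ETHERTYPE_IPV4, 6, 4, opcode)
            + mac_bytes(sender_mac) + ipaddress.IPv4Address(sender_ip).packed
            + mac_bytes(target_mac) + ipaddress.IPv4Address(target_ip).packed)

def parse_arp(payload):
    return {"opcode": struct.unpack("!H", payload[6:8])[0],
            "sender_mac": mac_str(payload[8:14]),
            "sender_ip": str(ipaddress.IPv4Address(payload[14:18])),
            "target_mac": mac_str(payload[18:24]),
            "target_ip": str(ipaddress.IPv4Address(payload[24:28]))}

def next_hop_ip(src_ip, netmask, dst_ip, gateway_ip):
    """Slide 3-12 rule: resolve the destination itself if it is on the local subnet, else the default gateway."""
    local = ipaddress.IPv4Network(f"{src_ip}/{netmask}", strict=False)
    return dst_ip if ipaddress.IPv4Address(dst_ip) in local else gateway_ip

def arp_exchange(asker_mac, asker_ip, target_ip, owner_mac):
    """Run one request/reply and return the parsed ARP payloads as seen on the wire."""
    request = ethernet_frame(BROADCAST, asker_mac, ETHERTYPE_ARP,
                             arp_packet(1, asker_mac, asker_ip, "00:00:00:00:00:00", target_ip))
    dst, src, ethertype, payload = parse_ethernet(request)
    if ethertype != ETHERTYPE_ARP or dst != BROADCAST:
        raise ValueError("request must be an ARP broadcast")
    req = parse_arp(payload)
    # Only the owner of target_ip answers, unicast, with its own MAC as the source MAC.
    # ARP carries no authentication; NSX SpoofGuard (slide 2-79 menu) guards IP/MAC bindings.
    reply = ethernet_frame(src, owner_mac, ETHERTYPE_ARP,
                           arp_packet(2, owner_mac, target_ip, req["sender_mac"], req["sender_ip"]))
    return req, parse_arp(parse_ethernet(reply)[3])
```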
Segmentation and Encapsulation
Slide 3-13
Lower layers add headers (and sometimes trailers) to data from
higher layers.
Network entities (switches/routers) move traffic based on header
information at the appropriate OSI layer.
Advanced features like intrusion detection and firewalls look deeper
beyond the header.
[Figure: encapsulation down the stack, one row per layer: Application (Data), Transport, Network, Data Link. Each layer prepends its header to the unit handed down from the layer above.]
Layer 3: IPv4 Datagram
Slide 3-14
IP packets are carried in Ethernet frames.
IPv4 header layout (one 32-bit word per row):
  Version | IHL | Differentiated Services | Total Length
  Identification | Flags | Fragment Offset
  Time to Live | Protocol | Header Checksum
  Source Address (32-bit IPv4 address)
  Destination Address (32-bit IPv4 address)
  Options | Padding
Version = 4
If no options, IHL = 5
Source and Destination are 32-bit IPv4 addresses
Protocol = 6 means that the data portion contains a TCP segment.
Protocol = 17 means UDP
Routers and switches review the header information of the frame to route and switch traffic, apply
policy controls, and build routing and switching tables. IP headers enable quality of service (QoS)
application, control layer 3 loops using Time To Live (TTL), and congestion control using explicit
congestion notification bits. In the IP packet, UDP/TCP segments are embedded with their protocol
numbers identified in the header for the host or gateway to process.
Layer 4: TCP Segment
Slide 3-15
Source and destination are 16-bit TCP port numbers.
TCP header layout (one 32-bit word per row):
  Source Port | Destination Port
  Sequence Number
  Acknowledgement Number
  Data Offset | Reserved | Flags (URG, ACK, PSH, RST, SYN, FIN) | Window
  Checksum | Urgent Pointer
  Options | Padding
TCP is a connection-based protocol with guaranteed delivery. Devices send data over a connection
socket.
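The IPv4 header of slide 3-14 and the TCP segment of slide 3-15, carried through as an added example that is not part of the course manual: the IPv4 header is built and parsed field by field, its Header Checksum is verified so that a corrupted header is rejected, and the Protocol value selects how the layer 4 ports are read. Addresses, ports and the identification value are constructed sample values.

```python
# Added example (not from the course manual): build and parse the IPv4 header of
# slide 3-14 (with checksum verification) and read the layer 4 ports of slide 3-15.
import ipaddress
import struct

PROTO_TCP, PROTO_UDP = 6, 17                       # Protocol field values named on the slide

def ipv4_checksum(header):
    """RFC 791 one's-complement sum of 16-bit words; over a correct header it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(src, dst, proto, payload, ttl=64):
    """Version 4, IHL 5 (no options), DF flag set, constructed identification value."""
    header = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + len(payload), 0x1234, 0x4000,
                         ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    checksum = struct.pack("!H", ipv4_checksum(header))   # Header Checksum occupies bytes 10-11
    return header[:10] + checksum + header[12:] + payload

def parse_ipv4(packet):
    ver_ihl, _dscp, total_len, _ident, _frag, ttl, proto, _csum = struct.unpack("!BBHHHBBH", packet[:12])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError("malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:               # any corrupted header word shows up here
        raise ValueError("bad IPv4 header checksum")
    info = {"version": version, "ihl": ihl, "ttl": ttl, "protocol": proto,
            "src": str(ipaddress.IPv4Address(packet[12:16])),
            "dst": str(ipaddress.IPv4Address(packet[16:20]))}
    data = packet[ihl:total_len]
    if proto in (PROTO_TCP, PROTO_UDP):                # both begin with 16-bit source and destination ports
        info["src_port"], info["dst_port"] = struct.unpack("!HH", data[:4])
    if proto == PROTO_TCP:
        info["tcp_flags"] = struct.unpack("!H", data[12:14])[0] & 0x01FF   # control bits; SYN = 0x02
    return info

def tcp_syn(src_port, dst_port):
    """20-byte TCP header with only SYN set; sequence, window and checksum are constructed."""
    return struct.pack("!HHIIBBHHH", src_port, dst_port, 1000, 0, 5 << 4, 0x02, 65535, 0, 0)

def udp_header(src_port, dst_port, payload_len=0):
    """8-byte UDP header: ports, length and a constructed zero checksum."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)
```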
Concept Summary
Slide 3-16
A review of terms used in this lesson:
What is the data encapsulation for layer 2 transmission across the physical network medium called?
Ethernet frame
What is the data encapsulation for layer 3 for transmission across routed networks called?
Packet
Which is the data link layer of the OSI model of a network?
Layer 2
Which is the network layer of the OSI model of a network?
Layer 3
Which is the transport layer of the OSI model of a network?
Layer 4
Review of Learner Objectives
Slide 3-17
You should be able to meet the following objectives:
• Describe Ethernet frames
• Describe segmentation and encapsulation
• Explain the ARP process