VMware NSX Component Overview w Tim Davis @aldtd #vBrownBag #RunNSX

Captions
Good evening everyone, thanks for joining us for tonight's vBrownBag, and you're in for a treat. We have Tim Davis from VMware, who is going to be talking to us about NSX. He is the NSX ninja and Sir VXLAN-celot himself. He's going to give us a 101 overview of what NSX is, and he's going to talk about the components and the magic. Now I have to talk a little bit more: if you want to interact with Tim, it's going to be a fun show, join us on Twitter. We'll be monitoring the vBrownBag handle and I'll also be watching the hashtag #vBrownBag. Any questions, funny GIFs or snide comments, please send them that way. As you can see from our worldwide show listings there is a lot of good stuff going on, please join in if you've got time. With all that said, I'm going to introduce our special guest, Tim.

Thank you very much. Like you said, I'm an SE with VMware; specifically I'm a senior systems engineer for the NSX product, working in the Networking and Security Business Unit, and I work with enterprise and enterprise select accounts in the TOLA territory: Texas, Oklahoma, Louisiana, Arkansas. Most likely, if you're on the vBrownBag you've seen me running my mouth on Twitter. I'm also a moderator on the VMware subreddit, and I'm one of three people who administrate the vExpert Slack, so I'm definitely around. Today we're going to be talking network virtualization with NSX. We're going to go over the 101, and we're going to go over the components, what they are and how they interact.

All right Tim, I'll go ahead and make you presenter now. Perfect, I didn't want to catch you in the middle of that. All right, so what can you see here? It looks great, I see your slide deck. Perfect.

All right, so I'm going to start off here with the 101 of understanding network virtualization. We'll talk about what we're doing and how we're doing it. Network virtualization is kind of the core platform of the SDDC, or software-defined data center, approach, and this is an overall vision within VMware of what we think a great and efficient data center looks and runs like. Really what we mean with the SDDC approach is abstracting all of your secret sauce, your agility and your speed and your functions, decoupling them from the hardware and bringing them up into the software space, so that you're not dependent on a certain manufacturer or a certain series of hardware, whether that be compute, storage, networking or anything like that.

So let's take a look at the data center as it exists today and build it up a little bit. You have your network layer. This can be leaf-spine, this can be three-tier, this could be Cisco, Brocade, Arista, really anything that you have in your data center today; as long as you're able to talk from point A to point B, that's what we're working with. Connected to that we have our compute infrastructure and also our storage infrastructure, so these are going to be your hosts, your storage, if you're using hosts with storage, really anything connected through that's hosting your virtual machines. VMware has taken that compute layer and turned it into your hypervisor layer, so you've got your hypervisor, you've got your vSwitches and things like that. What we're doing with NSX is building a platform on top of that that can be thought of as a network hypervisor. Now that's not exactly what we have going, but that's kind of what we're working on building and giving you: we're able to give you the same services with networking and security as VMware gave you with the virtual machine. So for a while, in deploying VMs and services into your infrastructure, you just had to go out, rack and stack a server, install an OS on it, cable it, give it an IP, give it some firewall rules and all that, and get your services off to the races. VMware went and took your compute infrastructure and turned it into a set of files, so you could create, you could delete, you could snapshot, you could migrate, all these
things, where you could deliver a server in 30 seconds with the click of a button as opposed to racking and stacking and doing all this stuff. But the long pole in the tent with that, if you can use that verbiage, was still networking and security. You still had to give it a VLAN, you still had to give it an IP address, you still had to create firewall policy for that. We go into customers today that are running cloud management platforms like vRA that can deliver an entire application stack with the click of a button in less than a couple of minutes, but they still have to manually give it an IP, they still have to manually put in firewall policy. So we're completing that piece of the deployment and letting you virtualize your networking and security services just like you do a virtual machine.

This is supposed to have sound and I don't hear it, but this is just a little video that shows you how it looks when you deploy a service with NSX. You're able to select all of your different services, put them together, and it will also do all of your networking services at the same time. So you can go through and say that you're deploying a three-tier app all at once, and in vRealize Automation this is going to be a multi-machine blueprint. So you can go through and say I need a couple of virtual machines for web, I need one Tomcat VM for app, I need a MySQL server for database. I want those each to be on their own logical layer to segment, so that gives each a logical switch. I want all those to be able to talk together, so you're going to give it a router, a distributed logical router. Then you're also going to say, well, I need these to be load balanced on the web, I need them to have firewall policy A, B and C. All of this can be put together and then put into a multi-machine blueprint, where you're then cookie-cuttering those out and can spin those out any time somebody specifically asks for it, allowing you to speed up your deployment times rapidly. If you're in a heavy development shop this is going to help out a whole lot, because rather than going and spinning up all these sandboxes left and right and destroying them whenever they're done, you can go through and say, well, I'm going to give them a portal, they're going to be able to click the button and make a sandbox, and as soon as they're done it's going to wipe it out. So now I can go off and do the important things instead of spinning up these dev environments all the time.

So this is a look at one of those multi-machine blueprints. This isn't a direct view of that, but you can see that you have two web VMs; those are on a layer 3 subnet, technically those are layer 2 adjacent. You've got your app tier and DB tier, and all of those meet with a router device, and this one says NAT specifically, so we can actually provide overlapping IP spaces on the same host using that. We can also provide you load balancing services and all that kind of stuff right in the software.

So in your data center environment today you're actually already doing a little bit of virtual networking. There are a lot of people who think that when we acquired Nicira in 2013 we just slapped a label on their product and shipped it out as NSX, and that's really not the case. VMware has been in the virtual networking game for quite some time. Obviously your ESXi servers have had virtual switches, but then also the vCloud Networking and Security suite of products, as well as the VCO products; those are all what came together with the stuff from Nicira to become NSX. So if you've got two virtual machines that are in the same host today and they're layer 2 adjacent, your virtual switch is going to make that packet switch without having to hit the wire. It knows, hey, these VMs are on the same layer 2 segment, I'm going to forward it through. Leaving the host comes when you have to hit a layer 3 boundary. So you've got a couple of VMs that are on different
layer 3 segments, they're on the same host, so it's going to have to hairpin that traffic out, whether it be to a top-of-rack device or an edge firewall or even a router somewhere in your environment. It has to go out to hit that layer 3 and then come straight back. This causes a little bit of congestion and inefficiency. Really, in the grand scheme of things it's not a lot; most people design their data centers today around that, but it's just how things are going today. With a virtual network we actually go into your distributed switch (a distributed switch is a requirement for NSX) and we install three VIBs into ESXi, and a VIB is a VMware Installation Bundle, and we tell that virtual switch: well, while you already have that packet busted open and you're doing layer 2 checks, go ahead and check it for layer 3. We'll give you access to the routing tables too, we'll give you the control plane to be able to handle that. We also tell it, well, we also have a firewall that's stateful up to layer 4, just go ahead and check it against that table while you're in there. There have been some people who have come up and talked against NSX, saying that we're basically loading up your hosts with a bunch of overhead to do these checks, and really, even if you don't have NSX you're already busting that packet open in the virtual switch; we're adding just a little bit more overhead to make layer 3 decisions, firewall decisions and things like that. So now inside of your hosts we're able to do switching, routing, firewall and even load balancing right there in the host without having to hit that wire.

So NSX is also meant to be programmatically provisioned, and really what that means is that we have an API that doesn't suck. There have been a lot of VMware products in the past that have not necessarily had the most graceful of APIs, if they even had an API at all. Now I will definitely say that with 6.5 and some of the newer products we're working really diligently to standardize the API game a little bit and to bring things up into the future, and with NSX that was actually a big catalyst. NSX was built from the ground up to be utilized with an API, and we have a 400-page API guide, which if you're into that kind of thing is awesome; if you're not into that kind of thing it'll put you to sleep real fast. It's rough, but you can do so many things with that API, so much so that one of our principal engineers for NSX will tell you that if you're using the graphical user interface for NSX you're doing it wrong. Now he's one of the biggest proponents of OpenStack that I've ever seen, so obviously he's going to be a real big proponent of the API. But really, utilizing NSX can be done in a multitude of different ways. You can use a cloud management platform like vRA or OpenStack, you can write your own Python scripts or PowerCLI scripts. We actually have a new set of cmdlets for PowerCLI called PowerNSX that allows you to do the same kind of scripting you can with vSphere, now with NSX components. But if you want to, you can also open up Postman and push a single API call to our open API, or you can go into the UI and do it yourself. Really, there are lots of ways that we can allow you to deliver the networking and security services as fast as the vSphere admins can deliver a virtual machine.

Good question for you, man. So you mentioned vRA, you mentioned OpenStack, open API. Is this VMware solutions only that can talk to the APIs, or can I use some other CMP if it's outside the stack?

You can use absolutely anything that can push a RESTful API call with XML, anything. You can make your own Python scripts. We've got customers that have their own cloud management platforms that just do the raw scripts and stuff in the background. Absolutely anything you can use to push a RESTful API call you can do with NSX, so we make it easy to automate your environment.

So even though we've got those two VMs and they can now talk
over layer 3 to each other in the same host, we've also got two VMs that are on the same layer 2 segment that exist on different hosts. So let's say we're sitting in a data center and we've got a leaf-spine architecture, and what that is is you've brought layer 3 to the top of rack and you're using equal-cost multipath routing in order to go from rack to rack. So basically each rack might be its own subnet and you're using routing all the way through the infrastructure. So how do we get two VMs in two different subnets to be layer 2 adjacent? Well, we do that with VXLAN, and what this is is an encapsulation technology. This is an open standard; this is not some VMware thing that we worked on ourselves and nobody else uses, it's not proprietary. This is a standard that's been worked on by Cisco, Brocade, Arista, I believe Juniper was also in on that as well, and VMware, so it's a standard that everybody uses. Cisco actually uses a version of VXLAN in ACI, I believe it's iVXLAN; they took it and tweaked it a little bit for their devices. But we also have a bunch of hardware partners, including Cisco, that can talk our version of VXLAN. So if you've got these two VMs that are going from host to host over layer 3 boundaries that need to be layer 2 adjacent, then with NSX we put in what's called a VTEP, or VXLAN tunnel endpoint, which is basically a new VMkernel stack in all of your ESXi hosts, and this does the encapsulation.

So this actually brings up a requirement that we have on your physical underlay, and we don't have a lot: we really just need to be able to talk from point A to point B, and we need a 1600 MTU or greater. That's because we take the standard 1500-byte frame and we add a 50-byte header on to that for the encapsulation. An important thing to note here is that we do have the do-not-fragment bit set, so that if you have an MTU mismatch somewhere, if any of the interfaces between those two hosts have 1500, it's going to drop that frame. We see a lot of our customers these days that are using IP storage and things like that have already gone jumbo frames, so generally that's not a problem, but that is one thing to keep in mind when you're designing a solution involving NSX.

And just in case somebody fat-fingers an MTU on the virtual or physical side, there's this thing called Network Insight. Oh yeah, so two weeks ago Sean did a Weekend at Bernie's and we talked about vRealize Network Insight, which is the tool that we use for NSX monitoring, and that will absolutely tell you that there's an MTU mismatch and will tell you why you're dropping the VXLAN frames.

So Tim, we do have a question that's come in from Graham: can I run VXLAN on my network now and then add NSX later?

So, can you run VXLAN on your network now? That's actually a great question. If you're using, say for instance, ACI for your underlay, which does VXLAN encapsulation, with our encapsulation you can absolutely add that in later. It will do double encapsulation, and the only thing you would need to worry about at that time is your MTU, so not only are you adding the header for the encapsulation already, you'll need enough room to add the NSX header later. So you absolutely can do double encapsulation, and we have lots of customers that are doing that in production today, even if they don't necessarily know it or planned for that; that's just how it's worked out in their environment.

So the one good thing with VXLAN when it comes to encapsulation is that the VMs have no idea they were encapsulated. All of that is done at the VTEP on the egress of the host or the ingress of the destination host. So when the VMs send their layer 2 stuff out, it gets encapsulated, it gets sent over the wire, and that is just an IP/UDP frame, and then it just gets decapsulated at the other side and sent up to the other VM as layer 2. They have no idea this is happening. Now we get a
lot of things where we say IP/UDP and people say, well hey, this is going to break TCP. Really it's not. So the difference between TCP and UDP: TCP is acknowledged, so if something gets dropped it gets retransmitted; with UDP it doesn't, it just gets sent on and drops. So if you encapsulate a TCP packet in a UDP packet and send it across, the UDP is going to break and drop, but the TCP will not have been acknowledged on the other side, so it'll get retransmitted. So we do have ways of working around that.

Native isolation. I talked a little bit ago about how we can have overlapping IP spaces. This is extremely important to a lot of our customers. There was a very, very large transportation company that I worked with very recently, and one of their biggest use cases was consolidation. They used HP c7000 chassis, and they had one for dev, one for staging, one for prod and QA and all that, and they were having problems where if they were running into congestion in one environment they couldn't just simply move resources over or move that workload over. With NSX they're going to use our distributed firewall as well as our virtual networking in order to consolidate all those environments so that they can pool all of their resources together for better utilization.

Support for physical workloads. We've got a lot of customers that are not 100% virtualized. We can absolutely provide a software VTEP for that through our Edge Services Gateway, which allows us to do a VLAN-to-VXLAN bridge and give you layer 2 adjacency even over layer 3. Obviously these days one or two layer 3 hops is not really a big deal, so we definitely recommend you do that if you can, but if it absolutely has to be layer 2 adjacent then we can definitely work with you. We've also got some hardware partners like Dell, Brocade, Juniper, Arista that do hardware VTEP, which basically brings the control plane from NSX into that physical device, allowing you to do the VLAN-to-VXLAN bridging with the top of racks. We've got a lot of customers that hear that and they say, great, we need that. Brocade for a while, with their smart fabric, was going around and telling people, you're doing NSX? Awesome, we integrate, put hardware VTEP everywhere. I think maybe 1% of the customer use cases that have been interested in hardware VTEP actually needed it, so you really have to work with your SE and see if that's for you. Most of the time it's just not necessary when you can do a software one.

So non-disruptive deployments. This just shows the hairpinning that we're doing for layer 3 in the same host and layer 3 in different hosts. This is the same thing for our security, so if you're doing east-west security today and you're hairpinning your traffic to a physical firewall, we can take that off, since we're doing firewall in kernel now and you're not having to hairpin that traffic out.

So a use case of SDDC: data center network security. In the past we kind of shoveled all of our cash into perimeter firewalls, which was great when our traffic flows were really heavy north-south, so we had a lot of customers that were coming into the data center, they were going down the stack and out the stack and then heading out of the data center. With virtualization that traffic pattern has shifted very heavily east-west instead of north-south. So nowadays we've got people who have these data centers with these giant steel walls at the perimeter and absolutely nothing in the center. My best analogy for that is Target. So when Target got breached they hired a penetration testing company who came in and started working, and by the end of their time there they came back and handed them their PII database, and they were actually able to get that by coming in and finding a device, I believe it was a deli meat scanner, that was running Windows, and they were able to use that to infiltrate the network and then move laterally until they found what they were looking for. So with devices these days,
lots of end-user devices, and of course the biggest security risk ever, people, it's just one of those things where you really need to protect your east-west traffic a lot more than you used to. It's great, we never suggest that you get rid of your north-south perimeter firewalls, just take a look internally as well.

So our approach, or I guess the term of the week for this, is micro-segmentation. There are lots of companies that have done words like micro-segmentation; I've heard macro-segmentation, I even heard the joke of pico-segmentation once, and a lot of people mean different things by that. Some people mean using VLANs all over the place; there's one vendor that uses PVLANs and top-of-rack ACLs all over the place. Ours means one thing and one thing only, and that is putting a firewall bubble around every single one of your VMs, running right at the vNIC. So if you think of your VM as a physical server plugged into a physical switch, our firewall sits right on that wire between the VM and the virtual switch. We use a technology called dvfilter; there are 16 slots, the first four are reserved for ESXi and the last four are reserved, and we set up right there in the middle of that. We also use something called service chaining, where we can use our firewall and then we can put in partners such as Palo Alto or Check Point or McAfee for IDS/IPS, and we can put those in a row so that all of your traffic that's coming out of the VM can get checked by our firewall; if you need it deep inspected we can redirect to Palo Alto, if you need IDS/IPS we can redirect to their service VM, and work to get you the security you need. All of this is done in kernel at memory speed, so you're not having to hairpin that traffic out either to a virtual machine or to a physical device. This just shows that.

So, defining security policies. We have ways of building security policy based on a lot of different context. We'll get into this I think in two weeks when I do the distributed firewall portion, but really we're able to build policy, since we're connected to vCenter, not just on IPs, like a whole thing of fifty to a hundred thousand lines of 5-tuple IP scheme. We can actually connect there and read VMware Tools and say, I know what OS this is running, I know what the VM name is, so you can build policy based on VMs that are named web-something, or VMs that are running Windows Server 2003, and create a policy based on that. We can also log all of this; we have integrations with, of course, our Log Insight product, we can also dump that syslog out to a SIEM if you have one in your environment, we have lots of ways of working with that. We have tons of customers that are passing PCI audits today using nothing but our distributed firewall. We've got tons of customers doing HIPAA with our firewall, and we actually have a template for the Epic application, which if you work in healthcare you know the beast that it can be. There are a couple of guys in the NSBU that are absolute rock stars at that; Jeff Wilmington, if you're out there, he's the big one on that, go and harass him about Epic, he'll tell you all about it. So we're definitely taking over in the industry in terms of security; people are starting to look at us and say, hey, you know, they're not necessarily dumb, they know what they're doing. And we've also got, I think it's five DoD STIGs for implementing NSX, and that's a really, really big deal if you're really heavy into compliance.

So if we look at physical firewalls and virtual firewalls, we're distributing the technology and we're turning all of your ESXi hosts into a firewall. If you've got two 10-gig NICs in there, we're going to be running at just about 20 gigs, just under line rate, for your firewall. We are scale-out in that regard, so instead of taking your east-west traffic, if you have 100 gigs and you go up to 120 gigs, you don't need to go out and buy a bigger firewall with a bigger interface in order to firewall
that traffic; you can scale out your hosts and distribute that load. We're also only firewall-checking the VMs that are on that host at that specific time, so you're not firewalling a hundred percent of your traffic on each host a hundred percent of the time, you're only checking the VMs that are there that the policy applies to. So we're able to be a lot more efficient with our firewalling as opposed to taking all the traffic and just putting it out to a physical device.

I just heard "mute on", can you hear me? Yeah, I can hear you. Okay, it said it to me too. Okay.

So this is a look at our distributed firewall performance. On the 20-gig host with zero filters you're on just under line rate, and you can see that when you start adding on our firewall rules it really only drops it just a little bit. I know that these numbers don't do it justice; if you're interested we can definitely get you our high-performance scale numbers. I know we've got one of our PMs that works really hard making sure that all of our scale numbers and our performance numbers are up to date. We have a whole range of things that we can do for really, really high throughput and high performance options: getting certain NIC cards that do VXLAN offload, turning things on like large receive offload and receive side scaling, we can bump those numbers up. We also have the ability to do multiple VTEPs per host if you're pushing the limit of your one NIC, so we can work and push that performance through the roof while still keeping everything distributed so that you're not hairpinning all that traffic out.

So this is just a look at 80,000 connections per second with a hundred-plus rules per host. A typical virtual appliance for a firewall will do about 6,000 connections per VM; the physical appliance will of course do like 300-400 thousand per VM, but you're also hairpinning all that traffic out to check it.

So native security capabilities. We're hypervisor-based; we're not throwing out this service VM and hairpinning all the traffic to it, we're running everything right internally, natively, on your ESXi host. We're also giving you the ability to automate your security policy with APIs, or even things like dynamic security groups, where you can say no matter what, any VM that has web- in it gets the web policy, so you can create and delete VMs all day long and they'll automatically have that policy.

So looking at here we have no isolation, segmentation, isolation, and then service insertion. The service insertion is what we mean when we're talking about adding in our distributed firewall and then chaining in things like a Palo Alto or a Check Point or anything like that. So this just shows you how the advanced service insertion works. I really don't like this slide because it has Panorama connected to the NSX Controller, which it isn't; that actually should be the NSX Manager. So when you create and connect Panorama, which is Palo Alto's management platform, when you connect it to NSX it automatically goes out from NSX and deploys a service VM on every single one of your hosts, so we're able to take that traffic and redirect it in kernel to their service module in order to do their layer 7 deep inspection and all the cool stuff that Palo Alto does. You are also now, as of version 8, able to create rules in the distributed firewall from Panorama without having to go into our firewall, so you can create those redirect policies natively, and of course in Panorama you can also do your physical firewalls from the same device. So now if you're using a third-party integration like Panorama, you're able to take advantage of all of the internal stuff that we're doing with NSX, but also use the same tool that you've been making policy with forever to make these new policies.

I think this slide just shows you distributing your workloads everywhere and having your
policy follow it. So of course, since we have policy that's wrapped around the VM itself, whenever that VM migrates that policy migrates with it, and that's from host to host, from cluster to cluster, from vCenter to vCenter in a multi-vCenter environment; that policy can follow that VM no matter where it goes.

So why we're looking at it as the best approach. If you're looking at some of the most efficient data centers on the planet, your Googles, your Amazons, your Facebooks: when you go into Amazon, you create a new VPC and you start creating all these services, there's not a guy that's going back in the closet moving switch cords around and creating all this stuff for you. All that's done in software, which is why developers and things like that are flocking to them, because of the fact that they are able to click a button and get what they want. Now when it comes to compliance and things like that, as well as costing, you don't necessarily want them running off and doing the shadow IT thing in Amazon. Now you can of course give them the ability to go to Amazon, or you can do it in your own data center, so we can give you the same abilities that you could have with Amazon, now you can have it on-prem, and we can give you those services like firewalling, load balancing, L2 and L3, all with the click of a button right in your SDDC platform.

And not to go into a rat hole here, but I do want to mention for the team's sake, Tim is talking specifically about SDDC environments, VMware environments, and really calling out the questions and concerns our customers have had in the Azure and the AWS space and Google Compute and so on. So one thing to note, and we announced it, we actually showed it last year at VMworld, and it's actually the team that I'm a part of now: we're actually going to extend the NSX function to Amazon and to Azure and those types of things. So remember this is focused on the private cloud and we want to continue that fashion, but we have a plan moving forward for native AWS and those types of things. So that's just a little cheap infomercial, but I do think it's pertinent to now.

And you're hearing that straight from the mouth of the new guy that does cross-cloud services, so of course he wants to push that heavily. So everybody, clear eyes, open ears. I plead the fifth. Now we showed it last year at VMworld, and now we've got a lot of things that account for our customers this year, and really the key here is the foundational layer is NSX, and then you get, so you're going to see much more moving forward.

And that's one thing that a lot of people that know VMware know: just like any other company we want you to use VMware, we absolutely want you to use VMware, everything, all the time, it's great, use it, buy it. But you're going to get a little bit different message from the Networking and Security Business Unit. I have to kind of put my hand up and pretend like I'm not talking near my core account reps when I'm talking to customers, because from the NSX side we know that our customers aren't necessarily going to shy away from public cloud, they're going to look there. Most likely, if you're signing an ELA with Microsoft they're throwing Azure credits at you faster than you can stock them. You've got developers that are going out to Amazon whether you know it or not. So we know that this is going to happen, we know you're looking in this direction, we know that CIOs have gone out golfing with their buddies and heard the word "cloudy cloud" and they have to go there. So as an NSX person we want you to be able to leverage those kinds of utilities but still keep the same networking and security platform that you have across the board. So we've got another product called NSX Transformers that allows you to do multi-hypervisor, including not just vSphere but KVM; we've got it working with Amazon, obviously, and we're also working towards possibly working in Azure. So it's one of
those things where we know you're going to go that direction but we want to make sure that everything is secure and stable across the board so nfx will obviously come up in any conversation with VMware when it comes to multi-platform services now this next slide that I have here a pendant sitting for a little bit it's just kind of a look at our partner ecosystem and this slide is actually out of date because we've got some other stuff in here this just kind of shows who we're working with now we're not going to come into the industry doing networking insecurity and say we're obviously gonna be better than Palo Alto we're going to do load balancing better than f5 no we're not going to do that we don't have the time or the experience for that but what we can do is say well we'll give you connection to our kernel and allow you to do what you do best directly integrated with our platform so most likely you have these kind of tools in your environment and we give you the ability to kind of connect and extend those and still use the same nsx platform but then get your layer seven inspection from Palo Alto you're super crazy I rules from that five and stuff like that just Mina might wanna take for this one yeah all right one say we're going to switch gears to the component overview here Tim I do have one question while you're kind of getting that yes sir and let me know if you are going to get into this but let's say I've got existing VLANs with subnets and I'm going to implement in a sex what I have to get all new subnets provisioned out for that or would I be able not so that's one of the things where with nsx we allow you to kind of simplify your underlay we work really well with customers that have a segmentation push where they're going out and be landing everything everywhere we've got green field deployment guides with little-to-no VLANs and we've got brown field deployment guides we help to kind of minimize that segmentation push with VLANs so you can absolutely 
utilize the VLANs that you used today or you can migrate that infrastructure into X lands nsx is kind of a suite of products so you can use just our network virtualization or you can use just the firewall or you can use both we're really not going to dictate that you have to use all or you know nothing and that's one great thing with our distributed firewall product it's probably 60% of our users at this point went within effects just for that product and that has none of those physical underlay requirements like the MTU size and any of that doesn't encapsulate doesn't do any of that you can just drop distributed firewall on your existing VLANs and start making policy today that answer your question yes perfectly thank you all right so we're going to switch gears here into the component overview section and I'm a little behind on that last one so I'm going to go a little faster here but no worries we'll get there look it'll let me okay so the vSphere components we're going to kind of build here I know some people don't like build slides but I really like this one we have our consumption plane and this is really going to be anything how do you access NSX as we talked about before that could be cloud management Bowl platform that could be the graphical user interface that could be command line lots of different ways to consume the platform connect to that we have our management planning this is going to be your standard vCenter server then we also have the nsx manager now now the nsx manager is connected one to one with vCenter server there is no caveat to that there is no one too many or many to one they are just flat out one to one nsx manager with the center sir so we also have in our management plane our message bus and this is our internal communication channel so our awesome open API is available from the consumption plane to the management plane so when you pushing API calls you're doing that directly in nsx manager anything from the nsx manager down is a 
closed secured api you don't have access to it you don't have the ability to get into it you won't really have the need to do that at all all of that is self secured self signed and all that so you can do all of your API calls externally but you won't be able to get into it internally moving down to the control plane and this is really the the bread and butter that we got from the nice era acquisition the control plane is what allows us to do network virtualization without requiring PIM multicast routing on the underlay so we're able to do it in what we call unicast mode which we'll get into next week in the switching and routing segment but really if you thought that we just kind of bought Neisseria and slapped the label and called an NSX this is really what we got from them now in the control plane we also have our logical router control VM this is for our distributed logical router that lives in all of our ESXi hosts you know none of this for the control point is in data path so you're not actually passing traffic through these at all the user old agents that's here for your control point this is just part of our internal communication path from the nsx manager down it's kind of what does the puppet master in between nsx manager and your ESXi hosts so moving down this is where we have the data plane this is where the actual data traverses now I really truly hate these slides that say NSX V switch because it makes it sound like we have some kind of like different switch and we really don't when you ever see or hear NSX V switch all that means is the virtual distributed switch that you know and love today with the VIPs from NSX and really that's just our kind of beefed up VDS you cannot do NSX with standard switch and obviously you can't use the Nexus 1000v II that's going away so is the IP m1 on the HP you want those are going bye-bye as well you probably saw that announcement here recently so in our data plane you have the ESXi hosts that's got your VDS with the 
vids and also our nsx edge services gateways now these are virtual appliances that get spun out into your environment those are in the data path that is kind of a a hang-up for some people that we've got virtual machines in a data path but really you're not passing necessarily all of your traffic through that depending on how you everything set up most likely is an ingress point you are but these things are ten gigabit throughput and we can scale those with an active standby pair or even up to 80 of them or I'm sorry eight of them aggregating 88 through put in an equal cost multi path fashion so the nsx manager is we said it's mapped one to one with vCenter server this is where you're going to see that new tab in V Center for networking security so where you're going to do all of the initial configuration as well as all of your day-to-day operations unless you're utilizing it with an API the is the only virtual appliance that you will actually go out to the center and say you know file deployed you know template once you do that and it's connected through to the API of E Center all of the little sub things like the controllers the controls VM and the edge services gateway all of those are templates that exist inside of the nsx manager they get deployed automatically depending on what settings you pick so the nsx controllers these are kind of the brains of the operation when it comes to the virtual networking piece you don't need these at all if you're only doing distributed firewall these provide the control point for distributing network information to your ESXi hosts so they're holding on to your forwarding tables they're holding on to your V tap tables so when you've got a VM that reaches out and says hey I need to contact another VM and it sends an arm out that ARP is actually answered by the nsx controllers now before these control plane was in if you are using like V cloud networking and security you are needing multicast in order to take care of answering 
that but with us we're sending out basically a bunch of unicast in order to take care of that now the nsx controller has a bunch of different roles it handles a lot of API stuff handled by nsx manager it handles all of your switching and rounding tables and things like that and it also handles a lot of your configuration information and it holds the active state of the environment now all of your controllers which we recommend three and really that's not not a minimum recommendation or anything just three they're set up in a way and they're developed in a way that you can do one for a completely non prod home lab type environment but as soon as you deploy two you have to deploy three they're just consider it a triplet and that's whether you have five hosts or 5000 hosts in eight different V centers you only need three since they're not in the data path or anything like that they're perfectly sized to be able to handle even the largest of environments in a three pack now these are in a control or in a cluster and they do have masters but it's not what you would typically think of where one controller is master since there's a bunch of different roles there's could be a different controller that's a different master for a different role at any given time this master election process is done under the hood you don't really have to go in and mess with it you don't have to set anything up or anything like that now each role requires that there be a master controller any of those controllers as I said can be a controller at any time so let's say we have one fail the master election process between the other two automatically happens you don't have to go in and set anything up you don't have to make any API calls it just happens for you when the third controller comes back it rebalances all of its rules or roles sorry so if we've got a bunch of objects in our environment a bunch of logical switches logical routers and objects and things like that how do we kind of evenly 
distribute all those services across your controllers to make sure that one of them is not overloaded the answer that we came up with was slicing for that and what that saying is that if we have a whole bunch of different slices for these services like a bunch of different logical switches and logical routers we're going to kind of pepper these slices throughout the controller clusters so that they're evenly distributed and since each one is a different master for a different role it's also going to have a bunch of different slices on it now let's say we have a failure of control 3 just like the master re-election we're also going to take and redistribute those slices so that everything is even and as soon as that control node comes back on everything is going to rebalance so our controllers when you deploy them they're automatically sized they're all 4 V CPU and 4 gigs of RAM each modifying those settings is not supported you will not gain or lose anything by changing these well you can lose something by changing it down but you're not going to gain anything performance wise by scaling these up at all the controller password is defined during your first deployment this is actually a real strong password I think like 12 characters if you ever do the hands-on labs for NSX you'll notice that it's the same default password just done twice as soon as you set that password the first time every subsequent controller deployment is going to automatically take that password so that you don't have to do it again now controller nodes do have to be deployed under the same vCenter server that an nsx manager is connected to that doesn't necessarily have to be the same D Center that you've got all of your nsx stuff working in but the controllers do have to be in the same D Center where nsx manager is connected the nsx manager itself could be hosted off at a management V Center elsewhere with these since there are three nodes we do recommend that go into your vSphere management 
cluster and we do recommend that you manually put anti affinity rules to make sure that those three controllers stay on different hosts all the you know at the same time that way if you lose a host you're not necessarily losing an entire control point so the user world agent here this is kind of our internal communication channel it is secured and it runs as the net CPA agent on all of your hosts this is what allows NSX to kind of communicate through the stack now here's that NSX V switch term that I hate again again this is just your distributed switch with the vids that we've got so the logical router control VM now this is absolutely not in the data path when you deploy a distributed logical router which is our router that runs in colonel of all of your hosts if you're going to be doing dynamic routing like OSPF or BGP you have to have a static point to peer - you can't peer to a IP address that exists on all of these different hosts at the same time so we deploy that logical router control VM if you're just going to be doing static routing in and out of your environment you don't even have to deploy this actually just a checkbox when you're creating a distributed logical router now the edge services gateway is absolutely in the data path and that does our layer 3 through layer 7 services so when I talked about earlier about doing overlapping IP addresses on hosts that in effect said services gateway is where that matting is going to happen to make that work that's also our peer from your physical interfaces or from your physical routing devices downstream into nsx edge services gateway will always be the ingress and egress point you could technically peer a distributed logical router straight to a physical device but we don't recommend that in the architecture so component interactions the management plane talks control plane talks the data point this is just kind of a look at the one time versus recurring tasks with nsx deploying nsx manager in the controller 
cluster is going to be a one-time thing it's actually pretty quick post preparation this is where we go out and actually install those installation bundles now this is going to be a no reboot process for that and up until version 6 3 of nsx updating or removing the VIPs did require reboot but as a 6 3 and up that does not require a reboot so we can do updates and stuff like that non-disruptive leave 4 6 3 on logical network preparation so doing the v taps and stuff on the host that's definitely going to be a one-time thing once you get that set up you're good to go the recurring tasks are going to be basically the same tasks that you do every day today in your environment creating new VLANs or in our term VX LAN or VN is creating new routing devices routing interfaces creating networks and network services all these things that you do on a recurring basis you're still going to do an nsx we're just going to give you a new tool to do it in or even automate that task so that you're not having to sit there and cut VLAN sald a long cylinder since you're there and you're talking networking who owns an effect in your customers so the networking was of a DMR team is Olympia mastic question we've had a lot of networking vendors that in the beginning of NSX would come in and tell their networking engineers that VMware is going to come in and take away the job of the network engineer and give it to the vmware guy and that's simply not the case I straight that in my meetings by looking at the VMware guy and asking them how to troubleshoot OSPF or BGP nine times out of ten they lays over and wonder you know what you're asking them network I still do Network things security guys still do security things it's just a different interface or even not even in the face if they're using automation so really it's one of those things where if you're saying moving from Cisco IOS to nx-os and you you have to learn something new anyways why not use our tool and stick with the older physical 
devices and use virtual networking overlays to do all the new fun stuff it's just one of those things where you definitely absolutely have to have network guys still you have to have security guys still that's never going to change it's just where they're going to to make the changes that they need so configuration of the curtain oh yeah so configuration from a component interaction standpoint I know our closer the nsx manager talks directly one-to-one with vCenter when you make a change to your virtual network it's going to talk to the control cluster control cluster Zen I'm going to push the information out to all of your ESX iOS it's going to work as the puppet master the difference is going to be is when you have something like just a distributed firewall since we don't require that controller cluster that communication goes straight from nsx manager to your ESXi host and that's across however many clusters you may have i'm control playing security obviously I said this is a closed API it's a closed communication channel but you self-signed certificates you do not have the ability to go in and change that you can't use your own certificate infrastructure we take care of all of it you won't have a need to or anything like that now I really hate this slide because it has the nsx manager it's kind of a adjacency to nsx manager you don't have the ability to get that it doesn't require a sequel server or anything like that it's embedded into nsx manager you won't have access to it you don't need to offload it somewhere nor do you have the option during installation to offload it somewhere so I really don't like that it illustrates it that way but really the nsx manager goes into its database and does the certificate generation and then passes it down to the control clusters and it also passes it down to the ESXi host it does this communication all through our user world agents in our message bus and that's how it kind of sets up that closed communication loop 
between all the components now looks like we've come through to the end of the the components as well as the 101 do we have any other questions or anything that we're hanging around I've seen a few come through saying how can I get my hands on this that's a great question so up until recently we were pretty tight with NSX you had to contact your se in order to get your hands on it you can go into hands-on laps today and play with it I believe it's hands-on labs 1703 and 1724 the 1703 will be the basic I think it's split up into three different groups for networking in security and then 17 25 or 24 whichever one it is is going to be your multi-site and multi V Center NSX you can also of course contact your se and get a Pio senior environment if you feel so inclined or the the big new thing is you can go sign up for the mug advantage which I believe is two hundred bucks at this point and you will get just about every piece of software VMware makes including now NSX so if you want in your home lab which is really awesome to play with and I'm staring at a giant rack of gear as we speak that I got started on the tennis x-u that's a really really a great way to get your hands on it that will come through with your recenter licensing your vSphere licensing the NSX licensing and the whole works for you to kind of get your hands dirty and play with it awesome thanks for franching that I've put out on Twitter the hands-on lab numbers you said the raita be right because I've dis quoted you on this so it's 25 another question about licensing is this part of this come with vSphere Enterprise Plus awesome thing for the hosts so licensing is completely separate for nsx nsx is not in a bundle it doesn't come with anything Enterprise Plus does have your virtual distributed switch which is required for NSX but a cool things that if you get nsx no matter what licensing you have for vSphere we will give you distributed switch I believe there's some smaller essentials kits for vSphere 
that don't come with distributed switch so if you were to say attach it nsx license to that distributed switch would turn on to that but as far as Suites or anything like that nsx does have three tiers of licensing but they are all separate SKUs we have standard which is just network virtualization so your VX LAN switching and rounding and stuff like that advanced is where you enable the distributive firewall and then Enterprise Edition is where you're going to get into the multi V Center or multi-site so the there was a visual component that came with Enterprise Plus is that separate not as something that's all gets in Vanessa yeah so V shield which used to be used for agent lists in a virus that has been deprecated and there is now nsx manager and you're absolutely right I completely forgot nsx manager is available for HLS antivirus for free just like the shield was and that's specifically going to be the guest introspection that's used for that so if you have a V Center license today you can go and download an nsx manager but unless you were to give it a license you're not going to be able to do any of the really cool stuff with it but you can absolutely use it today for agentless antivirus that you were using Disha for all right that's all the questions that I've seen come through oh yeah guess we can call it a wrap thank you so much for all that great information I'm a VMware guy who's kind of got drool on the side of his mouth whenever you asked about those acronyms I'm not even going to pretend to say OSPF and BGP which are in fact the the two dynamic routing protocols that we support with nsx great well thank you very much Tim we have appreciate it we're looking forward to the next two weeks sounds great next week we're going to be doing virtual or logical switching and logical routing so that should be where we get into the really cool stuff networking last awesomo we'll see you then all right I'm good thank you
Info
Channel: vBrownBag
Views: 30,623
Rating: 4.9506173 out of 5
Keywords: nsx 101, technology education, network, vsphere, enterprise network education, sdn, software defined, #vBrownBag, components, vbrownbag.com, software defined networking, vbrownbag Enterprise IT Education, overview, networking, infrastructure, vmware nsx, vmware, virtual networking, vbrownbag nsx, mini-nsx, nsx
Id: zPax2KTQzpA
Length: 60min 20sec (3620 seconds)
Published: Tue May 23 2017