Jun 07

NSX F5 Design Guide

Created by ddesmidt on May 7, 2015 1:19 PM. Last modified by ddesmidt on May 7, 2015 1:29 PM.
Version 2

Intended Audience

The intended audience for this document includes virtualization and network architects seeking to deploy VMware® NSX™ for vSphere® in combination with F5® BIG-IP® Local Traffic Manager™ devices.
Note: A solid understanding based on hands-on experience with both NSX-v and F5 BIG-IP LTM is a prerequisite to successfully understanding this design guide.

NSX deployments can today be coupled with F5 BIG-IP appliances or the BIG-IP Virtual Edition.
Such a deployment gives NSX customers a flexible, powerful, and agile infrastructure with the richness of F5 ADC services.
Note: F5 deployment and configuration are done from F5.

Overview

The Software Defined Data Center is defined by server virtualization, storage virtualization and network virtualization, and server virtualization has already proved the value of SDDC architectures in reducing the cost and complexity of compute infrastructure. VMware NSX network virtualization provides the third critical pillar of the SDDC and extends the same benefits to the data center network to accelerate network service provisioning, simplify network operations and improve network economics.

VMware NSX-v is the leading network virtualization solution in the market today and is being deployed across all vertical markets and market segments. NSX reproduces L2-L7 networking and security services, including L2 switching, L3 routing, firewalling, load balancing, and IPsec/VPN secure access, completely in software and allows programmatic provisioning and management of these services. More information about these functions is available in the NSX Design Guide.

F5 BIG-IP is the leading application delivery controller in the market today. The BIG-IP product family provides Software-Defined Application Services™ (SDAS) designed to improve the performance, reliability and security of mission-critical applications. BIG-IP is available in a variety of form factors, ranging from ASIC-based physical appliances to vSphere-based virtual appliances. NSX deployments can be coupled with F5 BIG-IP appliances or Virtual Edition form factors.

Furthermore, F5 offers a centralized management and orchestration platform called BIG-IQ.
By deploying BIG-IP and NSX together, organizations are able to achieve service provisioning automation and agility enabled by the SDDC combined with the richness of the F5 application delivery services they have come to expect.
This design guide provides recommended practices and topologies to optimize interoperability between the NSX platform and F5 BIG-IP physical and virtual appliances. This interoperability design guide is intended for those customers who would like to adopt the SDDC while ensuring compatibility and minimal disruption to their existing BIG-IP environment. The recommended practice guide will provide step-by-step guidance to implement the topologies outlined in this document.

NSX/F5 Topology Options

“BIG-IP Form Factor” / “NSX overlay or not” / “BIG-IP placement” Relationships

There are about 20 possible topologies that can be used when connecting BIG-IP to an NSX environment but this Design Guide will focus on the three that best represent the form factor, connection method, and logical topology combinations. In addition, the Design Guide will highlight the Pros and Cons of each of the three topologies.

The following figure describes the relationship of:

  • BIG-IP form factor:
    o BIG-IP Virtual Edition (“VE”)
    o BIG-IP physical appliance
  • With NSX overlay/Without NSX overlay:
    o VXLAN
    o non-VXLAN (VLAN tagged or untagged)
  • BIG-IP placement:
    o BIG-IP parallel to NSX Edge
    o BIG-IP parallel to DLR
    o BIG-IP One-Arm connected to server network(s)
    o BIG-IP on top of NSX Edge
    o BIG-IP on top of NSX DLR


Figure 1 – “BIG-IP Form Factor” / “NSX overlay or not” / “BIG-IP placement” Relationships


Download NSX F5 Design Guide v1.6


Jun 07

VMware® NSX for vSphere Network Virtualization Design Guide ver 3.0

Created by RobertoMari on Aug 21, 2014 5:52 PM. Last modified by nikhilvmw on Dec 22, 2015 9:03 AM

Intended Audience

This document is targeted toward virtualization and network architects interested in deploying VMware® NSX network virtualization solution in a vSphere environment.

This is an updated edition of the VMware® NSX for vSphere Network Virtualization Design Guide.
Authors: VMware NSX Technical Product Management Team

Overview

IT organizations have gained significant benefits as a direct result of server virtualization. Tangible advantages of server consolidation include reduced physical complexity, increased operational efficiency, and simplified dynamic repurposing of underlying resources. These technology solutions have delivered on their promise of helping IT to quickly and optimally meet the needs of increasingly dynamic business applications.

VMware’s Software Defined Data Center (SDDC) architecture moves beyond the server, extending virtualization technologies across the entire physical data center infrastructure. VMware NSX, the network virtualization platform, is a key product in the SDDC architecture. With VMware NSX, virtualization now delivers for networking what it has already delivered for compute. Traditional server virtualization programmatically creates, snapshots, deletes, and restores virtual machines (VMs); similarly, network virtualization with VMware NSX programmatically creates, snapshots, deletes, and restores software-based virtual networks. The result is a completely transformative approach to networking, enabling orders of magnitude better agility and economics while also vastly simplifying the operational model for the underlying physical network.

NSX is a completely non-disruptive solution which can be deployed on any IP network from any vendor – both existing traditional networking models and next generation fabric architectures. The physical network infrastructure already in place is all that is required to deploy a software-defined data center with NSX.



Figure 1 – Server and Network Virtualization Analogy

Figure 1 draws an analogy between compute and network virtualization. With server virtualization, a software abstraction layer (i.e., the server hypervisor) reproduces the familiar attributes of an x86 physical server (e.g., CPU, RAM, disk, NIC) in software. This allows components to be programmatically assembled in any arbitrary combination to produce a unique VM in a matter of seconds.

With network virtualization, the functional equivalent of a “network hypervisor” reproduces layer 2 to layer 7 networking services (e.g., switching, routing, firewalling, and load balancing) in software. These services can then be programmatically assembled in any arbitrary combination, producing unique, isolated virtual networks in a matter of seconds.


Figure 2 – Network Virtualization Abstraction Layer and Underlying Infrastructure

Where VMs are independent of the underlying x86 platform and allow IT to treat physical hosts as a pool of compute capacity, virtual networks are independent of the underlying IP network hardware. IT can thus treat the physical network as a pool of transport capacity that can be consumed and repurposed on demand.
This abstraction is illustrated in Figure 2. Unlike legacy architectures, virtual networks can be provisioned, changed, stored, deleted, and restored programmatically without reconfiguring the underlying physical hardware or topology. By matching the capabilities and benefits derived from familiar server and storage virtualization solutions, this transformative approach to networking unleashes the full potential of the software-defined data center.

With VMware NSX, existing networks are immediately ready to deploy a next generation software defined data center. This paper will highlight the range of functionality provided by the VMware NSX for vSphere architecture, exploring design factors to consider to fully leverage and optimize existing network investments.

NSX Primary Use Cases

Customers are using NSX to drive business benefits as shown in the figure below.
The main themes for NSX deployments are Security, IT automation and Application Continuity.


Figure 3 – NSX Use Cases

Security:

  • NSX can be used to create a secure infrastructure, which can create a zero-trust security model. Every virtualized workload can be protected with a full stateful firewall engine at a very granular level. Security can be based on constructs such as MAC, IP, ports, vCenter objects and tags, active directory groups, etc. Intelligent dynamic security grouping can drive the security posture within the infrastructure.
  • NSX can be used in conjunction with 3rd party security vendors such as Palo Alto Networks, Check Point, Fortinet, or McAfee to provide a complete DMZ-like security solution within a cloud infrastructure.
  • NSX has been deployed widely to secure virtual desktops, some of the most vulnerable workloads residing in the data center, and to prohibit desktop-to-desktop hacking.

Automation:

  • VMware NSX provides a full RESTful API to consume networking, security and services, which can be used to drive automation within the infrastructure. IT admins can reduce the tasks and cycles required to provision workloads within the datacenter using NSX.
  • NSX is integrated out of the box with automation tools such as vRealize Automation, which can provide customers with a one-click deployment option for an entire application, including the compute, storage, network, security and L4-L7 services.
  • Developers can use NSX with the OpenStack platform. NSX provides a Neutron plugin that can be used to deploy applications and topologies via OpenStack.

Application Continuity:

  • NSX provides a way to easily extend networking and security to up to eight vCenters, either within or across data centers. In conjunction with vSphere 6.0, customers can easily vMotion a virtual machine across long distances, and NSX will ensure that the network and the firewall rules are consistent across the sites. This essentially maintains the same view across sites.
  • NSX Cross-vCenter Networking can help build active-active data centers. Customers are using NSX today with VMware Site Recovery Manager to provide disaster recovery solutions. NSX can extend the network across data centers and even to the cloud to enable seamless networking and security.

The use cases outlined above are a key reason why customers are investing in NSX. NSX is uniquely positioned to solve these challenges as it can bring networking and security closest to the workload itself and carry the policies along with the workload.

Overview of NSX Network Virtualization Solution

An NSX deployment consists of a data plane, control plane, and management plane, as shown in Figure 4.


Figure 4 – NSX Components


The NSX architecture has built-in separation of the data, control, and management layers. The NSX components that map to each layer, and each layer’s architectural properties, are shown in Figure 4 above. This separation allows the architecture to grow and scale without impacting workloads.

In this version 3.0 edition the guide was updated to provide additional context around:
1. Sizing for small and medium data centers with NSX
2. Routing best practices
3. Micro-segmentation and service composer design guidance

Thanks to all the contributors and reviewers to various sections of the document.
A final version of this Reference Guide will be posted soon on our NSX Technical Resources website (link below): http://www.vmware.com/products/nsx/resources.html

Download NSX Reference Design Version 3.0 Guide



May 30

VMware NSX Technical Introduction

VMware NSX is the network virtualization platform that delivers the operational model of a VM for the network to transform data center operations and economics.



May 19

VMware vRA + NSX Technical Deep-dive Presentation

VMware vRealize Automation (vRA) is the powerful automation engine within VMware’s vRealize Cloud Management Platform (CMP). vRA is designed to automate not just applications and service delivery, but also the infrastructure ecosystem around them, resulting in an app-centric authoring, provisioning and lifecycle management solution. A critical component of that infrastructure is a networking and security strategy that can meet the demands of new and existing applications while protecting enterprises against modern threats.

While vRA has provided enhanced networking and security integration in the form of NSX in the past, the latest release, vRA 7.x, ups the ante to make building, consuming, and lifecycle managing application-centric network services a core function of service delivery.

This presentation is a technical overview of the integration, services and capabilities delivered with vRA 7 + NSX.
NOTE: This video is roughly 50 minutes in length so it would be worth blocking out some time to watch it!



May 15

What’s New in VMware vSphere™ 5.0 Networking

Introduction

With the release of VMware vSphere™ 5.0 (“vSphere”), VMware brings a number of powerful new features and enhancements to the networking capabilities of the vSphere platform. These new network capabilities enable customers to run business-critical applications with confidence and provide the flexibility to enable customers to respond to business needs more rapidly. All the networking capabilities discussed in this document are available only with the VMware vSphere Distributed Switch (Distributed Switch).

There are two broad types of networking capabilities that are new or enhanced in the VMware vSphere 5.0 release. The first type improves the network administrator’s ability to monitor and troubleshoot virtual infrastructure traffic by introducing features such as:

  • NetFlow
  • Port mirror

The second type focuses on enhancements to the network I/O control (NIOC) capability first released in vSphere 4.1. These NIOC enhancements target the management of I/O resources in consolidated I/O environments with 10GB network interface cards. The enhancements to NIOC enable customers to provide end-to-end quality of service (QoS) through allocating I/O shares for user-defined traffic types as well as tagging packets for prioritization by external network infrastructure. The following are the key NIOC enhancements:

  • User-defined resource pool
  • vSphere replication traffic type
  • IEEE 802.1p tagging

The following sections will provide higher-level details on new and enhanced networking capabilities in vSphere 5.0.

Network Monitoring and Troubleshooting

In a vSphere 5.0 environment, virtual network switches provide connectivity for virtual machines running on VMware® ESXi™ hosts to communicate with each other as well as connectivity to the external physical infrastructure. Network administrators want more visibility into this traffic that is flowing in the virtual infrastructure. This visibility will help them monitor and troubleshoot network issues. VMware vSphere 5.0 introduces two new features in the Distributed Switch that provide the required monitoring and troubleshooting capability to the virtual infrastructure.

NetFlow

NetFlow is a networking protocol that collects IP traffic information as records and sends them to a collector such as CA NetQoS for traffic flow analysis. VMware vSphere 5.0 supports NetFlow v5, which is the most common version supported by network devices. NetFlow capability in the vSphere 5.0 platform provides visibility into virtual infrastructure traffic that includes:

  • Intrahost virtual machine traffic (virtual machine–to–virtual machine traffic on the same host)
  • Interhost virtual machine traffic (virtual machine–to–virtual machine traffic on different hosts)
  • Virtual machine–physical infrastructure traffic

Figure 1 shows a Distributed Switch configured to send NetFlow records to a collector that is connected to an external network switch. The blue dotted line with arrow indicates the NetFlow session that is established to send flow records for the collector to analyze.


Figure 1. NetFlow Traffic

Usage

NetFlow capability on a Distributed Switch along with a NetFlow collector tool helps monitor application flows and measures flow performance over time. It also helps in capacity planning and ensuring that I/O resources are utilized properly by different applications, based on their needs.

IT administrators who want to monitor the performance of application flows running in the virtualized environment can enable flow monitoring on a Distributed Switch.

Configuration

NetFlow on Distributed Switches can be enabled at the port group level, at an individual port level or at the uplink level. When configuring NetFlow at the port level, administrators should select the NetFlow override tab, which will make sure that flows are monitored even if the port group–level NetFlow is disabled.
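An added example, not from the white paper: a small collector-side decoder for the NetFlow v5 datagrams a Distributed Switch exports, which then sorts each flow into the three visibility classes listed above (intrahost VM-to-VM, interhost VM-to-VM, VM-to-physical). The VM-to-host inventory and the sample flows are constructed for the example; a real collector would receive the datagrams over UDP.

```python
import ipaddress
import struct
from dataclasses import dataclass

# NetFlow v5 wire format: a 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")


@dataclass
class Flow:
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    packets: int
    octets: int


def build_v5(flows):
    """Constructed test data: encode Flow objects as a v5 export datagram."""
    header = V5_HEADER.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(ipaddress.IPv4Address(f.src).packed, ipaddress.IPv4Address(f.dst).packed,
                       b"\0" * 4, 0, 0, f.packets, f.octets, 0, 0, f.sport, f.dport,
                       0, 0, f.proto, 0, 0, 0, 0, 0, 0)
        for f in flows)
    return header + body


def parse_v5(datagram):
    """Decode a v5 datagram, rejecting wrong versions and truncated payloads."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header claims more records than present")
    flows = []
    for i in range(count):
        r = V5_RECORD.unpack_from(datagram, V5_HEADER.size + i * V5_RECORD.size)
        # r[0]=srcaddr r[1]=dstaddr r[5]=dPkts r[6]=dOctets r[9]=srcport r[10]=dstport r[13]=prot
        flows.append(Flow(str(ipaddress.IPv4Address(r[0])), str(ipaddress.IPv4Address(r[1])),
                          r[13], r[9], r[10], r[5], r[6]))
    return flows


# Assumed inventory (constructed): VM IP address -> ESXi host it runs on.
VM_HOST = {"10.1.1.10": "esx01", "10.1.1.11": "esx01", "10.1.1.20": "esx02"}


def classify(flow, inventory=VM_HOST):
    """Map one flow to the visibility classes the white paper lists."""
    s, d = inventory.get(flow.src), inventory.get(flow.dst)
    if s and d:
        return "intrahost" if s == d else "interhost"
    return "vm-physical"


def summarize(datagram, inventory=VM_HOST):
    """Count flows per class, as a collector dashboard would per Distributed Switch."""
    counts = {"intrahost": 0, "interhost": 0, "vm-physical": 0}
    for f in parse_v5(datagram):
        counts[classify(f, inventory)] += 1
    return counts


SAMPLE = build_v5([
    Flow("10.1.1.10", "10.1.1.11", 6, 51000, 443, 12, 9000),    # two VMs on esx01
    Flow("10.1.1.10", "10.1.1.20", 6, 51001, 3306, 40, 30000),  # VMs on different hosts
    Flow("10.1.1.20", "192.168.0.5", 17, 53000, 53, 2, 180),    # VM to physical resolver
])
```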

Port Mirror

Port mirroring is the capability on a network switch to send a copy of network packets seen on a switch port to a network monitoring device connected to another switch port. Port mirroring is also referred to as Switch Port Analyzer (SPAN) on Cisco switches. In VMware vSphere 5.0, a Distributed Switch provides a similar port mirroring capability to that available on a physical network switch. After a port mirror session is configured with a destination—a virtual machine, a vmknic or an uplink port—the Distributed Switch copies packets to the destination. Port mirroring provides visibility into:

  • Intrahost virtual machine traffic (virtual machine–to–virtual machine traffic on the same host)
  • Interhost virtual machine traffic (virtual machine–to–virtual machine traffic on different hosts)

Figure 2 shows different types of traffic flows that can be monitored when a virtual machine on a host acts as a destination or monitoring device. All traffic shown by the orange dotted line with arrow is mirrored traffic that is sent to the destination virtual machine.


Figure 2. Port Mirror Traffic Flows When Destination Where Packets Are Mirrored Is a Virtual Machine

Usage

The port mirroring capability on a Distributed Switch is a valuable tool that helps network administrators in debugging network issues in a virtual infrastructure. The granular control over monitoring ingress, egress or all traffic of a port helps administrators fine-tune what traffic is sent for analysis.

Configuration

Port mirror configuration can be done at the Distributed Switch level, where a network administrator can create a port mirror session by identifying the traffic source that needs monitoring and the traffic destination where the traffic will be mirrored. The traffic source can be any port with ingress, egress or all traffic selected. The traffic destination can be any virtual machine, vmknic or uplink port.

Download

Download a full What’s New in VMware vSphere™ 5.0 Networking Technical White Paper.



Apr 23

NSX-v Operations Guide

Purpose

This guide shows how to perform day-to-day management of an NSX for vSphere (“NSX-v”) deployment. This information can be used to help plan and carry out operational monitoring and management of your NSX-v implementation.
To monitor physical network operations, administrators have traditionally collected various types of data from the devices that provide network connectivity and services. Broadly the data can be categorized as:

    ■ Statistics and events
    ■ Flow level data
    ■ Packet level data

Monitoring and troubleshooting tools use the above types of data and help administrators manage and operate networks. Collectively, these types of information are referred to as “network and performance monitoring and diagnostics” (NPMD) data. The diagram below summarizes the types of NPMD data and the tools that consume this information.

NPMD data diagram


The tools used for monitoring physical networks can be used to monitor virtual networks as well. Using standard protocols, the NSX platform provides network monitoring data similar to that provided by physical devices, giving administrators a clear view of virtual network conditions.
In this document, we’ll describe how an administrator can monitor and retrieve network statistics, network flow information, packet information, and NSX system events.

Audience

This document is intended for those involved in the configuration, maintenance, and administration of VMware NSX-v. The intended audience includes the following business roles:

    – Architects and planners responsible for driving architecture-level decisions.
    – Security decision makers responsible for business continuity planning.
    – Consultants, partners, and IT personnel, who need the knowledge for deploying the solution.

This guide is written with the assumption that an administrator who will use these procedures is familiar with VMware vSphere and NSX-v, and we assume the reader has a strong networking background. For detailed explanations of NSX-v concepts and terminology, please refer to the NSX for vSphere documentation website.

Scope

This guide covers NSX-v and its integration with core VMware technologies such as vSphere and Virtual Distributed Switch (vDS). It does not attempt to cover architectural design decisions or installation. Also, while there are third-party integrations and extensive APIs available to programmatically program and manage NSX, this document does not focus on APIs or third-party integration including other VMware products. We do mention specific APIs when they offer a recommended or efficient method for configuring NSX, and when there is no direct UI function available to perform the desired action.

Download

Download the full NSX-v Operations Guide, rev 1.5



Mar 03

vCloud Automation Center and NSX Integration Technical Deep Dive

VMworld 2014 MGT1969 vCloud Automation Center and NSX Integration Technical Deep Dive.

NOTE: This video is roughly 60 minutes in length so it would be worth blocking out some time to watch it!



Apr 30

Live Stream – VMware NSX: Training & Demo

Tech Data hosted a live stream event with special guests from VMware for a training and demo on NSX.
NOTE: This video is roughly 18 minutes in length so it would be worth blocking out some time to watch it!



Apr 23

VMware NSX Security and Micro Segmentation

Raj is back to tell the team all about one of VMware NSX’s top security benefits, micro-segmentation!



Apr 23

VMworld 2013: Session NET5847 - NSX: Introducing the World to VMware NSX

This session will focus on introducing NSX. It will detail the product and its components, the key use cases, partner integrations and pricing and packaging.
NOTE: This video is roughly 50 minutes in length so it would be worth blocking out some time to watch it!
