
VMware NSX: Install, Configure, Manage Lecture Manual NSX 6.0

VMware® Education Services VMware , Inc. www.vmware.com/education

VMware NSX: Install, Configure, Manage
NSX 6.0
Part Number EDU-EN-NSXICM6-LECT
Lecture Manual

Copyright/Trademark
Copyright © 2014 VMware, Inc. All rights reserved. This manual and its accompanying materials are protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

The training material is provided "as is," and all express or implied conditions, representations, and warranties, including any implied warranty of merchantability, fitness for a particular purpose or noninfringement, are disclaimed, even if VMware, Inc., has been advised of the possibility of such claims. This training material is designed to support an instructor-led training course and is intended to be used for reference purposes in conjunction with the instructor-led training course. The training material is not a standalone training tool. Use of the training material for self-study without class attendance is not recommended. These materials and the computer programs to which they relate are the property of, and embody trade secrets and confidential information proprietary to, VMware, Inc., and may not be reproduced, copied, disclosed, transferred, adapted or modified without the express written approval of VMware, Inc.

Course development: Rob Nendel, John Tuffin, Jerry Ozbun
Technical review: Elver Sena, Chris McCain
Technical editing: Jim Brook, Shalini Pallat, Jeffrey Gardiner
Production and publishing: Ron Morton, Regina Aboud

The courseware for VMware instructor-led training relies on materials developed by the VMware Technical Communications writers who produce the core technical documentation, available at http://www.vmware.com/support/pubs.

TABLE OF CONTENTS

MODULE 1: Course Introduction
  Importance
  Learner Objectives
  Learner Objectives (2)
  You Are Here
  Typographical Conventions
  References
  About NSX
  NSX Certification
  VMware Learning Path Tool
  NSX Resources

MODULE 2: NSX Networking
  You Are Here
  Importance
  Module Lessons
  Lesson 1: Introduction to vSphere Virtualization
    Learner Objectives
    Virtual Machines
    Benefits of Virtual Machines
    ESXi Hypervisor
    vCenter Server
    vCenter Server Management Features
    vSphere vMotion
    Shared Storage
    Features That Use Shared Storage
    Virtual Networking
    Virtual Switch Types
    Networking Features
    vSphere Product Placement
    Review of Learner Objectives
  Lesson 2: Overview of the Software-Defined Data Center
    Learner Objectives
    Choices for IT
    Data Center Models
    Advantage of Software-Defined Data Center
    Choice for New IT
    Software-Defined Data Center as New IT
    Components of a Software-Defined Data Center
    Vision and Strategy
    Virtual Compute, Storage, and Network
    Data Center Hardware
    Hypervisors and Virtual Switches
    NSX: Network Virtualization Platform
    About a Virtual Network
    Network Virtualization: Layer 2
    Network Virtualization: Layer 3
    Concept Summary
    Review of Learner Objectives
  Lesson 3: Introduction to NSX and NSX Manager
    Learner Objectives
    NSX Capabilities
    Prepare for Installation: Client and User Access
    Prepare for Installation: Port Requirements
    Installation: Manager OVA
    Initial Configuration: Management UI
    Initial Configuration: Time and Syslog Settings
    Initial Configuration: Network Settings
    Initial Configuration: vCenter Server Connection
    NSX Overview: Planes
    NSX Overview: Data Plane Components
    NSX Overview: Control Plane Components
    NSX Overview: Management Plane Component
    NSX Overview: Consumption
    Enterprise Topology
    Service Provider: Multiple Tenant Topology
    Multiple Tenant Topology: Scalable Design
    Scalability
    NSX for vSphere: Scale Boundaries
    NSX Manager
    Building the NSX Platform
    Lab 1: Introduction
    Lab 1: Configuring NSX Manager
    Concept Summary
    Review of Learner Objectives
  Lesson 4: NSX Controller
    Learner Objectives
    NSX Controller
    NSX Controller Cluster Deployment
    Control Plane Interaction
    Control Plane Security
    Control Plane Security: Diagram
    User World Agent
    NSX Controller: Master Election
    Master Failure Scenario
    NSX Controller Workload Distribution
    Slicing Assignment
    Slicing Distribution
    Slice Redistribution
    Component Interaction: Configuration
    Lab 2: Introduction (1)
    Lab 2: Introduction (2)
    Lab 2: Configuring and Deploying an NSX Controller Cluster
    Review of Learner Objectives
  Key Points

MODULE 3: Logical Switch Networks and VXLAN Overlays
  You Are Here
  Importance
  Module Lessons
  Lesson 1: Ethernet Fundamentals
    Learner Objectives
    Review: Networking Definitions
    Ethernet
    MAC Tables
    Broadcast Domain
    Address Resolution Protocol
    From Packets to Frames
    Segmentation and Encapsulation
    Layer 3: IPv4 Datagram
    Layer 4: TCP Segment
    Concept Summary
    Review of Learner Objectives
  Lesson 2: Overview of vSphere Distributed Switch
    Learner Objectives
    VMkernel Networking
    Advantages of vSphere Distributed Switch
    Distributed Switch Architecture
    vSphere Distributed Switch Enhancements in ESXi 5.5
    Design Considerations
    Teaming Best Practices
    Load-Based Teaming
    Distributed Switch in Enterprise
    Lab 3: Introduction (1)
    Lab 3: Introduction (2)
    Lab 3: Preparing for Virtual Networking
    Concept Summary
    Review of Learner Objectives
  Lesson 3: Link Aggregation
    Learner Objectives
    Ethernet Loop
    Spanning Tree Protocol
    STP Diagram
    Bandwidth Constraint
    Link Aggregation Control Protocol
    Enhanced LACP in vSphere 5.5
    Enhanced LACP
    Concept Summary
    Review of Learner Objectives
  Lesson 4: Virtual LANs
    Learner Objectives
    Virtual LANs
    Switches and Routers with VLANs
    VLANs and ARP
    VLANs Across Switches
    VLAN Scalability
    802.1Q
    802.1Q Frame
    Native VLAN
    Concept Summary
    Review of Learner Objectives
  Lesson 5: VXLAN: Logical Switch Networks
    Learner Objectives
    VXLAN Terms
    VXLAN Protocol Overview
    Virtual Extensible LAN
    NSX Use Cases
    VXLAN Frame Format
    Multicast: Network Components
    Internet Group Management Protocol
    Bidirectional PIM
    NSX for vSphere VXLAN Replication Modes
    VXLAN Replication: Control Plane
    VXLAN Replication: Data Plane
    Unicast Mode
    Multicast Mode
    Hybrid Mode
    Unicast and Hybrid Mode: Same Host
    Unicast Mode: Different Hosts
    Hybrid Mode: Different Hosts
    Multicast Mode: Different Hosts
    Quality of Service
    QoS Tagging
    Physical Network Congestion
    NSX Component Interaction: Configuration
    NSX Logical Switching
    Logical Switch
    Lab 4: Introduction (1)
    Lab 4: Introduction (2)
    Lab 4: Configuring and Testing Logical Switch Networks
    Concept Summary
    Review of Learner Objectives
  Key Points

MODULE 4: NSX Routing
  You Are Here
  Importance
  Module Lessons
  Lesson 1: NSX Routing
    Learner Objectives
    Supported Routing Protocols
    OSPF Features
    About OSPF
    OSPF Neighbor Relationships
    OSPF Packet Types
    OSPF Hello Packets
    Other OSPF Packets
    OSPF Neighbor States
    OSPF Router Types
    OSPF Areas
    OSPF Area Types
    OSPF Normal Area
    OSPF Stub Area
    OSPF NSSA
    OSPF Area and Router Types Example
    Intermediate System to Intermediate System
    IS-IS Features
    IS-IS Areas
    IS-IS Router Levels
    IS-IS Neighbor Adjacency
    IS-IS Design Considerations
    BGP Features
    Border Gateway Protocol
    BGP AS Numbers
    BGP Peers
    BGP Peers Example
    BGP Route Selection
    Concept Summary
    Review of Learner Objectives
  Lesson 2: NSX Logical Router
    Learner Objectives
    Layer 3 Networking Overview
    Layer 3 Enables Larger Networks
    Distributed Logical Router
    Hairpinning
    Distributed Logical Router: Logical View
    Distributed Logical Router: Physical View
    Data Path: Host Components
    VLAN LIF
    Designated Instance
    VXLAN LIF
    Control Plane: Components
    Logical Router Control Virtual Machine
    Management, Control, and Data Communication
    Deployment Models: One Tier
    Deployment Models: Two Tier
    Distributed Router Traffic Flow: Same Host
    Distributed Router Traffic Flow: Different Host
    Lab 5: Introduction (1)
    Lab 5: Introduction (2)
    Lab 5: Introduction (3)
    Lab 5: Introduction (4)
    Lab 5: Configuring and Deploying an NSX Distributed Router
    Concept Summary
    Review of Learner Objectives
  Lesson 3: Layer 2 Bridging
    Learner Objectives
    VXLAN to VLAN Layer 2 Bridging Use Cases
    Layer 2 Bridging Details
    Bridge Instance
    Bridge Instance Failure
    Layer 2 Bridging: Flow Overview
    Design Considerations
    ARP Request from VXLAN
    ARP Response from the VLAN
    Unicast Traffic
    ARP Request from VLAN
    Concept Summary
    Learner Objectives
  Lesson 4: NSX Edge Services Gateway
    Learner Objectives
    NSX Edge Gateway
    Integrated Network Services
    NSX Edge Services Gateway Sizing
    Features Summary
    NSX Edge Routing
    Routing Verification
    Lab 6: Introduction (1)
    Lab 6: Introduction (2)
    Lab 7: Introduction
    Lab 6: Deploying an NSX Edge Services Gateway and Configuring Static Routing
    Lab 7: Configuring and Testing Dynamic Routing on NSX Edge Appliances
    Review of Learner Objectives
  Key Points

MODULE 5: NSX Edge Services Gateway Features
  You Are Here
  Importance
  Module Lessons
  Lesson 1: NSX Edge Network Address Translation
    Learner Objectives
    Private IPv4 IP Addresses
    IPv4 Overlapping Space
    Managing NAT Rules
    Source NAT Deployment Using NSX Edge
    Example: Set Up External Access to Web Server
    Add a Second External IP Address for NAT Use
    Destination NAT Deployment Using NSX Edge
    Creating a Destination NAT Rule for Inbound External Access
    Create a Destination NAT Rule and Test Inbound Connectivity
    Creating a Source NAT Rule and Testing Outbound Connectivity
    Lab 8: Introduction (1)
    Lab 8: Introduction (2)
    Lab 8: Introduction (3)
    Lab 8: Configuring and Testing Network Address Translation on an NSX Edge Services Gateway
    Concept Summary
    Review of Learner Objectives
  Lesson 2: NSX Edge Load Balancing
    Learner Objectives
    NSX Edge Load Balancer
    NSX Edge Load Balancer Modes
    Load-Balancer Operation
    One-Arm Load Balancer
    One-Arm Load Balancer Traffic Flow
    Inline Load Balancer
    Inline Load Balancer Traffic Flow
    Lab 9: Introduction
    Lab 10: Introduction
    Lab 9: Configuring Load Balancing with NSX Edge Gateway (1)
    Lab 9: Configuring Load Balancing with NSX Edge Gateway (2)
    Lab 10: Advanced Load Balancing
    Concept Summary
    Review of Learner Objectives
  Lesson 3: NSX Edge High Availability
    Learner Objectives
    High Availability
    NSX Edge High Availability Operation
    Stateful High Availability
    NSX Edge Failure
    NSX Edge Services Gateway High Availability
    Virtual Machine and Appliance Failure
    ESXi Host Failure
    Lab 11: Introduction
    Lab 11: Configuring NSX Edge High Availability
    Concept Summary
    Review of Learner Objectives
  Lesson 4: NSX Edge and VPN
    Learner Objectives
    Logical L2 VPN
    Overview of Layer 2 VPN
    Logical User (SSL) and Site-to-Site (IPsec) VPN
    NSX IPsec VPN
    IPsec Security Protocols: Internet Key Exchange
    IPsec Security Protocols: Encapsulating Security Payload
    IPsec ESP Tunnel Mode Packet
    Configuration Example for IPsec VPN
    IPsec with AES-NI
    Add an IPsec VPN
    NSX SSL VPN-Plus Service
    SSL VPN-Plus
    NSX Edge SSL VPN-Plus
    Secure Management Access Server
    Use Cases for SSL VPN-Plus Services
    Lab 12: Introduction
    Lab 13: Introduction
    Lab 14: Introduction (1)
    Lab 14: Introduction (2)
    Lab 12: Configuring Layer 2 VPN Tunnels
    Lab 13: Configuring IPsec Tunnels
    Lab 14: Configuring and Testing SSL VPN-Plus
    Concept Summary
    Review of Learner Objectives
  Key Points

MODULE 6: NSX Security
  You Are Here
  Importance
  Module Lessons
  Lesson 1: NSX Edge Firewall
    Learner Objectives
    NSX Edge and Distributed Firewall: Security Comparison
    NSX Edge Firewall
    Firewall Rule Types
    Virtualization Context Awareness
    Populating Firewall Rules
    Source and Destination of a Rule
    Firewall Service
    Create a Firewall Service
    Action Option
    Publish Changes
    NSX Edge Services Gateway: Form Factors
    Lab 15: Introduction (1)
    Lab 15: Introduction (2)
    Lab 15: Using NSX Edge Firewall Rules to Control Network Traffic
    Concept Summary
    Review of Learner Objectives
  Lesson 2: Distributed Firewall
    Learner Objectives
    Evolution of Firewall Placement
    Distributed Firewall Overview
    Distributed Firewall Filtering
    Distributed Firewall Location and Policy Independence
    Distributed Firewall Policy Enforcement
    Distributed Firewall Components: Communication
    Distributed Data Path
    Policy Rule Objects
    Layer 2 Policy Rules
    Layer 3 and Layer 4 Policy Rules
    Centralized Management of the Distributed Firewall Using Distributed Firewall Sections
    Policy Rule Objects
    Logical Switch Rule-Based Example
    Security Groups
    Security Group Components
    Rule-Based Security Group Example
    Applied To: Example
    Lab 16: Introduction
    Lab 16: Using NSX Distributed Firewall Rules to Control Network Traffic
    Concept Summary
    Review of Learner Objectives
  Lesson 3: Flow Monitoring
    Learner Objectives
    Flow Monitoring
    Enable Flow Monitoring
    Exclusion Settings
    Viewing Flows
    Flow Views by Service
    Live Monitoring
    Live Monitoring Output Example
    Lab 17: Introduction
    Lab 17: Using Flow Monitoring
    Concept Summary
    Review of Learner Objectives
  Lesson 4: Role-Based Access Control
    Learner Objectives
    Authentication, Authorization, and Accounting Model
    Identity Sources
    Identity Source vSphere Requirements
    Role-Based Access Control for NSX for vSphere
    NSX User Roles
    Scopes
    NSX Role Guidelines
    Permission Inheritance Example: Single Group
    Permission Inheritance Example: Multiple Groups
    Configure Role-Based Access Control
    Define Scope
    Lab 18: Introduction
    Lab 18: Managing NSX Users and Roles
    Concept Summary
    Review of Learner Objectives
  Lesson 5: Service Composer
    Learner Objectives
    Service Composer
    Using Service Composer
    NSX Integrated Partners
    NSX: Third-Party End-to-End Workflow
    Registering Partner Services
    Partner Service Registration: Palo Alto Networks
    Partner Service Registration: Symantec
    Service Installation
    Security Policy
    Service Composer Canvas
    Canvas View (1)
    Canvas View (2)
    Canvas View (3)
    Service Composer: Vulnerability Scan Example
    Service Composer: Traffic Redirection with PAN Example (1)
    Service Composer: Traffic Redirection with PAN Example (2)
    Concept Summary
    Review of Learner Objectives
  Lesson 6: Other Monitoring Options
    Learner Objectives
    About Syslog
    Syslog Format
    vCenter Log Insight
    Concept Summary
    Review of Learner Objectives
  Key Points

MODULE 1

Course Introduction Slide 1-1

Importance Slide 1-2

VMware NSX is the network virtualization and security platform for the software-defined data center. NSX brings virtualization to your existing network and transforms network operations and economics.

Learner Objectives Slide 1-3

By the end of this course, you should be able to meet the following objectives:
• Describe the evolution of the software-defined data center
• Describe how NSX is the next step in the evolution of the software-defined data center
• Describe data center prerequisites for NSX deployment
• Describe basic NSX layer 2 networking
• Configure, deploy, and use logical switch networks
• Configure and deploy NSX distributed routers to establish East-West connectivity
• Configure and deploy VMware NSX Edge services gateway appliances to establish North-South connectivity
• Configure and use all the main features of the NSX Edge services gateway

Learner Objectives (2) Slide 1-4

By the end of this course, you should be able to meet the following objectives:
• Configure NSX Edge firewall rules to restrict network traffic
• Configure Distributed Firewall rules to restrict network traffic
• Use role-based access to control user account privileges
• Use Activity Monitoring to determine if a security policy is effective
• Use Flow Monitoring to monitor network traffic streams
• Configure Service Composer policies

You Are Here Slide 1-5

VMware NSX: Install, Configure, Manage
• Course Introduction
• NSX Networking
• Logical Switch Networks and VXLAN Overlays
• NSX Routing
• NSX Edge Services Gateway Features
• NSX Security

Typographical Conventions Slide 1-6

The following typographical conventions are used in this course.

Monospace: Filenames, folder names, path names, and command names. Example: Navigate to the VMS folder.

Monospace bold: What the user types. Example: Enter ipconfig /release.

Boldface: User interface controls. Example: Click the Configuration tab.

Italic: Book titles and placeholder variables. Examples: vSphere Virtual Machine Administration; ESXi-host-name.

References Slide 1-7

Title: NSX Installation and Upgrade Guide
Location: http://pubs.vmware.com/NSX-6/index.jsp

Title: NSX Administration Guide
Location: http://pubs.vmware.com/NSX-6/index.jsp

About NSX Slide 1-8

NSX is a network virtualization platform that enables you to build a rich set of logical networking services.
• Logical Switching: Layer 2 over Layer 3, decoupled from the physical network
• Logical Routing: Routing between virtual networks without exiting the software container
• Logical Firewall: Distributed Firewall, kernel integrated, high performance
• Logical Load Balancer: Application load balancing in software
• Logical VPN: Site-to-site and remote access VPN in software
• NSX API: REST API for integration into any cloud management platform
• Partner Ecosystem
• Any network hardware

NSX Certification Slide 1-9

For details about VMware certifications, go to: http://mylearn.vmware.com/portals/certification

VMware Learning Path Tool Slide 1-10

[Figure: VMware Education Services Learning Path Tool. Learn by Solution Track, Role, Product, or Certification. Choose Your Path: Learn by Solution Track; Learn by Role; Learn by Product; Achieve Certification.]

To determine your learning path for VMware training, go to: http://vmwarelearningpaths.com

To make the VMware training that you take most valuable, you must decide which learning path to take. Your learning path can be based upon a solution track that you want to pursue or a role in your organization that you want to take on. Your learning path can also be based on a product that you want to master or a VMware certification that you want to achieve. Regardless of which path you choose, the VMware Learning Path Tool can help you to succeed and achieve your goal.

NSX Resources Slide 1-11

For NSX technical information, use the following resources:
• NSX Resources: http://www.vmware.com/products/nsx/resources.html
• VMware Communities: http://communities.vmware.com/
• VMware Support: http://www.vmware.com/support/
• VMware Education: http://www.vmware.com/education
• VMware Support Toolbar: http://vmwaresupport.toolbar.fm

Making full use of VMware technical resources can save you time and money. The following are extensive VMware Web-based resources:
• The VMware Communities Web page provides tools and knowledge to help users maximize their investment in VMware products. VMware Communities provides information about virtualization technology in technical papers, documentation, a knowledge base, discussion forums, user groups, and technical newsletters.
• The VMware Support page provides a central point from which you can view support offerings, create a support request, and download products, updates, drivers and tools, and patches.
• You can view the course catalog and the latest schedule of courses offered worldwide on the VMware Education page. This page also provides access to information about the latest advanced courses offered worldwide.
• For quick access to communities, documentation, downloads, support information, and more, install the VMware Support Toolbar, which is a free download.
• VMware vSphere documentation is available on the VMware Web site. From this page, you can access all the vSphere guides, which also include guides for optional modules or products.

MODULE 2

NSX Networking Slide 2-1

You Are Here Slide 2-2

VMware NSX: Install, Configure, Manage
• Course Introduction
• NSX Networking
• Logical Switch Networks and VXLAN Overlays
• NSX Routing
• NSX Edge Services Gateway
• NSX Security

Importance Slide 2-3

Understanding the high-level concepts of the software-defined data center and network virtualization using VMware NSX is critical to efficiently using NSX in the virtualized environment that enterprises are moving to.

ESXi Hypervisor Slide 2-9

• Less overhead than hosted hypervisors
• Flexible installation options
• Lower resource overhead

VMware ESXi is a VMware type 1 hypervisor. ESXi is a bare-metal hypervisor. This hypervisor performs the role of resource management while enjoying direct access to the underlying physical hardware. This hypervisor can improve your resource efficiency because of less operating system overhead. In addition, the stability of the ESXi hypervisor is not dependent on another operating system. ESXi is commonly installed directly on hard drives in your physical server, but ESXi can also be installed onto flash drives, SD cards, and USB drives. You can also network-boot an ESXi host using traditional boot-from-network tools such as preboot execution environment (PXE) and Trivial File Transfer Protocol (TFTP) servers. VMware provides several ways to deploy your ESXi hosts because each organization's needs vary. ESXi hosts your virtual machines and provides some basic management functions to help you deploy and control your virtual machines.

vCenter Server Slide 2-10

[Diagram: VMware vCenter Server, joined to an Active Directory domain and accessed through the vSphere Client and VMware vSphere Web Client, manages ESXi hosts. vCenter Server components: Identity Management Server, Database Server, Application Server, Web Server. vCenter Server is scalable: 1,000 ESXi hosts, 10,000 VMs.]

VMware vCenter Server is a multitier application designed for the enterprise, but is capable of managing even the smallest of organizations. The vCenter Server system is designed to be highly scalable and can expand with your data center virtualization initiatives. The vCenter Server system includes components for an Identity Management Server, Database Server, Application Server, Web Server, and VMware vSphere Web Client. You can deploy the vCenter Server system in various forms and install the roles onto a single server or multiple servers depending on your needs. The vCenter Server system can be installed on a Windows system or deployed as a virtual appliance to give you more flexibility. A single vCenter Server system can scale from managing a single ESXi host up to 1,000 ESXi hosts. The vCenter Server system can also manage up to 10,000 powered-on virtual machines from just one vCenter Server instance. As an organization expands, you can add more vCenter Server instances and even migrate into a cloud-based configuration to provide more management and provisioning abilities.

vCenter Server Management Features Slide 2-11

The vCenter Server system is a centralized platform for management features.

The vCenter Server system includes the following management features:

Network Virtualization: Layer 3 Slide 2-35

[Diagram label: Existing Physical Network]

The slide shows an example where NSX virtualizes the layer 3 connectivity between two virtual machines on the same hypervisor and host. NSX virtualizes the layer 3 connectivity between different IP subnets and logical switches without leaving the hypervisor to use a physical router. This virtualization also provides routing between two virtual machines on two different sides of the data center across multiple layer 3 subnets and availability zones.

Concept Summary Slide 2-36

A review of concepts discussed in this lesson:

What is the layer where management components operate?
The management plane

What is the layer where control components operate?
The control plane

What is the layer where data is transmitted?
The data plane

What is a vSphere port group created on a distributed switch with NSX modules installed called?
A logical switch

What are multiple tenants connected to the same egress point segregated by isolating the tenant networks called?
Multitenant

What handles NSX communications between the VMware NSX Manager, VMware NSX Controller, and ESXi host?
User World Agent (UWA)

What uses layer 3 UDP encapsulation to extend logical layer 2 networks across layer 3 boundaries?
Virtual Extensible Local Area Network (VXLAN)

What is used for integration into a cloud management platform?
Representational State Transfer API (REST API)

What is the virtual machine used by NSX for control plane operations?
NSX Controller

Review of Learner Objectives Slide 2-37

You should be able to meet the following objectives: •

Describe advantages of the software-defined data center



Identify components of the software-defined data center



Explain the role of the virtual network in the software-defined data center

• Guaranteed correctness (not necessarily convergence).

Two roles are used for NSX Controller workloads. These roles are called logical switches and logical routers. A master election determines the NSX Controller instance that is the master for a particular role. Every role has a master. The master selects the NSX Controller instances and allocates the portion of work for that role. Paxos is a family of protocols for solving consensus in a network of unreliable processors.


Master Failure Scenario Slide 2-73

A node failure triggers an election for roles when the master is no longer available for that role. A new node is promoted to master after the election process.


If a master NSX Controller instance for a role fails, the cluster elects a new master for that role from the available NSX Controller instances. The new master NSX Controller instance for that role reallocates the lost portions of work among the remaining NSX Controller instances. NSX Controller instances are on the control plane, so an NSX Controller failure does not affect data plane traffic. For example, if the host requests the MAC address for an IP address through an ARP request, and the NSX Controller instance does not respond, then the ARP is processed. The normal ARP request process does not wait for the NSX Controller instance.


NSX Controller Workload Distribution Slide 2-74

The NSX Controller cluster must:
• Dynamically distribute workloads across all available NSX Controller cluster nodes
• Redistribute workloads when a cluster member is added
• Have the ability to sustain failure of any cluster node
• Perform the workload distribution so that it is transparent to applications

Solution: Slicing

Slicing is the action of dividing NSX Controller workloads into different slices so that each NSX Controller instance has an equal portion of the work.


Slicing Assignment Slide 2-75

For a given role:
• Create a number of slices.
• Define objects that are to be sliced.
• Assign objects into their slices.

(Figure: the objects, logical switches/VNIs and logical routers, are assigned into logical switch slices and logical router slices.)

After a master NSX Controller instance is chosen for a role, that NSX Controller divides the different logical switches and routers among all available NSX Controllers in a cluster. Each numbered box on the slide represents a slice that the master uses to divide the workloads. The logical switch master divides the logical switches into slices and assigns these slices to different NSX Controller instances. The master for the logical routers does the same.


Slicing Distribution Slide 2-76

For a given role:
• Create a number of slices.
• Define objects that are to be sliced.
• Assign objects into their slices.
• Distribute slices across NSX Controller cluster nodes.

(Figure: logical switch slices and logical router slices distributed across the NSX Controller cluster nodes.)

These slices are assigned to the different NSX Controller instances in that cluster. The master for a role decides which NSX Controller instances are assigned to which slices. If a request comes in on router slice 6, the slice is told to connect to the third NSX Controller instance. If a request comes in on logical switch slice 2, that request is processed by the second NSX Controller instance.


Slice Redistribution Slide 2-77

When an NSX Controller fails, the master for the role redistributes slices among remaining nodes. Slice redistribution happens on:
• Creation of the NSX Controller cluster.
• A reduction in the number of available NSX Controller nodes in the cluster.
• An increase in the number of available NSX Controller nodes in the cluster.

When one of the NSX Controller instances in a cluster fails, the masters for the roles redistribute the slices to the remaining available NSX Controller nodes.
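The slicing and redistribution steps above, as an added Python model (not VMware code): objects are mapped to numbered slices per role, slices are spread evenly across the cluster nodes, and the role's master reassigns slices when a node fails or joins. The hash-based object-to-slice mapping and the least-loaded placement rule are assumptions; controller names and VNIs are constructed.

```python
from collections import Counter


class RoleSlicer:
    """Slicing for one NSX Controller role (logical switches or logical routers).

    Added model, not VMware code. Slices are numbered from 1 so the lesson's
    example holds: with three nodes, slice 2 lands on the second node and
    slice 6 on the third.
    """

    def __init__(self, role, num_slices, nodes):
        self.role = role
        self.num_slices = num_slices
        self.nodes = list(nodes)        # live controller nodes, in join order
        self.slice_owner = {}           # slice number -> owning node
        self._distribute(range(1, num_slices + 1))

    def slice_for(self, object_id):
        # Assumed mapping: an object (VNI or router id) hashes to one slice.
        return object_id % self.num_slices + 1

    def node_for(self, object_id):
        """Controller node that processes requests for this object."""
        return self.slice_owner[self.slice_for(object_id)]

    def load(self):
        """Number of slices currently owned by each live node."""
        counts = Counter(self.slice_owner.values())
        return {n: counts.get(n, 0) for n in self.nodes}

    def _distribute(self, slices):
        # Each slice goes to the live node owning the fewest slices, ties
        # broken by join order, so every node gets an equal portion.
        for s in slices:
            load = self.load()
            self.slice_owner[s] = min(
                self.nodes, key=lambda n: (load[n], self.nodes.index(n)))

    def node_failed(self, node):
        """The master reallocates the failed node's slices among survivors."""
        self.nodes.remove(node)
        orphaned = [s for s, owner in self.slice_owner.items() if owner == node]
        self._distribute(orphaned)
        return orphaned

    def node_joined(self, node):
        """Rebalance onto a new node until it holds its fair share."""
        self.nodes.append(node)
        fair_share = self.num_slices // len(self.nodes)
        moved = []
        while self.load()[node] < fair_share:
            load = self.load()
            busiest = max(self.nodes, key=lambda n: (load[n], -self.nodes.index(n)))
            s = next(s for s, owner in self.slice_owner.items() if owner == busiest)
            self.slice_owner[s] = node
            moved.append(s)
        return moved


if __name__ == "__main__":
    cluster = ["controller-1", "controller-2", "controller-3"]   # constructed names
    routers = RoleSlicer("logical-router", 6, cluster)
    print("router slice 6 ->", routers.slice_owner[6])          # controller-3
    print("lost controller-3, moved slices:", routers.node_failed("controller-3"), routers.load())
    print("controller-3 rejoined, moved slices:", routers.node_joined("controller-3"), routers.load())
```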


Component Interaction: Configuration Slide 2-78

The components of the NSX platform are configured in a specific order.

(Figure: NSX Manager is deployed and registers with vCenter Server; NSX Manager deploys the NSX Controller cluster; the NSX Edge gateway is deployed and network services are configured; this is repeated for vSphere Cluster 1, vSphere Cluster 2, through vSphere Cluster N.)

The components of the NSX platform are configured in the following order:
1. Only NSX Manager is installed.
2. During NSX Manager installation, the vCenter Server IP address and credentials are provided and the NSX Manager instance connects to the vCenter Server system. The NSX Manager instance enables the NSX components in the VMware vSphere® Web Client.
3. The vSphere Web Client is used to deploy the NSX Controller instances through NSX Manager.
4. After NSX Controller instances are deployed, hosts are prepared by using NSX Manager to install the VIBs on the ESXi hosts in the cluster.
5. After the components are installed and deployed, you define the logical networking components, such as adding distributed routers and creating firewall policies.
This procedure is repeated for each vSphere cluster.


Lab 2: Introduction (1) Slide 2-79

Add NSX Controller clusters in odd numbers.

(Screenshot: vSphere Web Client, Home > Networking & Security > Installation > Management, showing the NSX Manager at 192.168.110.42 and the NSX Controller nodes at 192.168.110.201, 192.168.110.202 and 192.168.110.203. The Networking & Security inventory lists NSX Home, Installation, Logical Switches, NSX Edges, Firewall, SpoofGuard, Service Definitions, Service Composer, Data Security, Flow Monitoring, Activity Monitoring, and NSX Managers.)


Lab 2: Introduction (2) Slide 2-80

Use the CLI to confirm the NSX Controller status.

    nvp-controller # show control-cluster status
    Type                Status                                       Since
    Join status:        Join complete                                07/14 17:53:22
    Majority status:    Connected to cluster majority                07/14 18:04:46
    Restart status:     This controller can be safely restarted      07/14 18:04:47
    Cluster ID:
    Node UUID:

OSPF-enabled routers keep the link state database current at all times. This database is used to determine where to send traffic by the most efficient path:
• Down indicates that the neighbor has not been heard from within the RouterDeadInterval time.
• Attempt is only used for manually configured neighbors. The current router is sending Hello packets to any router in the Attempt state.
• When the status is Init, the router has received a Hello packet from this neighbor and replied but has not completed the process for establishing adjacency.
• A 2-Way state indicates that bidirectional communication is established with the neighbor router.
• ExStart indicates that the routers are beginning the link state information exchange.
• Exchange is the state when neighbor routers exchange the Database Descriptor packets.
• In the Loading state, based on the information in the Database Descriptor packets, routers are exchanging the link state information.
• The Full state indicates that routers are synced and in adjacency.
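A small Python checker, added here and not part of the course, that walks neighbor state transitions in the order listed above and flags adjacencies that fall back or never reach Full. The log line format and the neighbor addresses are constructed; a real deployment would feed it the router's own state-change log.

```python
import re

# Neighbor states in the order an adjacency normally progresses through them.
OSPF_STATES = ["Down", "Attempt", "Init", "2-Way", "ExStart", "Exchange", "Loading", "Full"]
RANK = {s.lower(): i for i, s in enumerate(OSPF_STATES)}

# Constructed log format: "<timestamp> ospf: neighbor <ip> <old> -> <new>".
LINE_RE = re.compile(r"neighbor (?P<nbr>\d+(?:\.\d+){3}) (?P<old>\S+) -> (?P<new>\S+)")


def _canon(state):
    """Map any capitalisation of a state name to the spelling in OSPF_STATES."""
    return OSPF_STATES[RANK[state.lower()]]


def parse_transitions(lines):
    """Yield (neighbor, old_state, new_state) for every well-formed line."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m["old"].lower() in RANK and m["new"].lower() in RANK:
            yield m["nbr"], _canon(m["old"]), _canon(m["new"])


def analyse(lines):
    """Return (final state per neighbor, list of findings).

    A transition to a lower-ranked state is an adjacency regression (for
    example Full -> Down when the RouterDeadInterval expires). A neighbor
    left in 2-Way is normal only on a multi-access segment between two
    routers that are neither DR nor BDR; anything else short of Full means
    the adjacency never finished forming.
    """
    state, findings = {}, []
    for nbr, old, new in parse_transitions(lines):
        if RANK[new.lower()] < RANK[old.lower()]:
            findings.append(f"{nbr}: adjacency fell back from {old} to {new}")
        state[nbr] = new
    for nbr, last in state.items():
        if last == "2-Way":
            findings.append(f"{nbr}: stopped at 2-Way (expected only between non-DR/BDR neighbors)")
        elif last != "Full":
            findings.append(f"{nbr}: never reached Full (last state {last})")
    return state, findings


# Constructed sample: one clean adjacency, one non-DR/BDR peer, one flapping peer.
SAMPLE_LOG = [
    "07/14 18:04:46 ospf: neighbor 192.0.2.11 Down -> Init",
    "07/14 18:04:47 ospf: neighbor 192.0.2.11 Init -> 2-Way",
    "07/14 18:04:47 ospf: neighbor 192.0.2.11 2-Way -> ExStart",
    "07/14 18:04:48 ospf: neighbor 192.0.2.11 ExStart -> Exchange",
    "07/14 18:04:48 ospf: neighbor 192.0.2.11 Exchange -> Loading",
    "07/14 18:04:49 ospf: neighbor 192.0.2.11 Loading -> Full",
    "07/14 18:04:50 ospf: neighbor 192.0.2.12 Down -> Init",
    "07/14 18:04:51 ospf: neighbor 192.0.2.12 Init -> 2-Way",
    "07/14 18:04:52 ospf: neighbor 192.0.2.13 Down -> Init",
    "07/14 18:04:53 ospf: neighbor 192.0.2.13 Init -> 2-Way",
    "07/14 18:04:53 ospf: neighbor 192.0.2.13 2-Way -> Exstart",
    "07/14 18:05:33 ospf: neighbor 192.0.2.13 ExStart -> Down",
]

if __name__ == "__main__":
    final, notes = analyse(SAMPLE_LOG)
    print(final)
    for note in notes:
        print(note)
```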

Module 4

NSX Routing

201

The Designated Router (DR) is an OSPF-enabled router interface. This interface is elected by all the other routers in an area to be a centralized router that keeps a topology table of the entire network. The Backup Designated Router (BDR) is designated if the DR fails. When a DR is present, other OSPF-enabled routers form adjacencies only with the DR and BDR. Non-DR or BDR routers send updates directly to the DR and BDR. The DR multicasts updates out to all other routers in the area. The use of this centralized maintenance coupled with the use of multicasting conserves network bandwidth. The DR is determined through an election process where the OSPF-enabled router interface with the highest priority is elected as the DR. The BDR is the OSPF-enabled router interface with the next highest priority. If the DR fails, the BDR assumes the DR role and a new BDR is elected.


OSPF Router Types Slide 4-15

The OSPF router type is a property of the OSPF process. A physical router can host more than a single OSPF router type with one type on each port. Routers can have the following OSPF router types:
• Area Border Routers (ABR): Connect one or more areas to the backbone network.
• Autonomous System Boundary Routers (ASBR): Connect to other autonomous systems and exchange routing information.
• Internal Routers (IR): Connect all interfaces in a single OSPF area.

The main router types are the following:
• Area Border Routers (ABR) connect one or more OSPF areas to the backbone network. The ABR keeps an individual copy of the link-state database in memory for each connected area.
• Autonomous System Boundary Routers (ASBR) connect to other routers that belong to other areas using other routing protocols or static routing. The static routing or additional routing protocol, such as IS-IS, is in addition to OSPF. The ASBRs distribute routes discovered from external systems to other OSPF-enabled routers.
• The Internal Router (IR) is an OSPF-enabled router that belongs to only one area and has neighbors only within that area.


OSPF Areas Slide 4- 16

An OSPF AS includes all routers that run OSPF and these routers exchange link-state information with each other:
• An AS is also called a routing domain.
In the OSPF AS, each router interface that is participating in the OSPF process is placed in an area:
• A router can have interfaces in more than one area.
• A router with interfaces in more than one area must have one of those interfaces in the backbone area, or area 0.
• A router only forms neighbor adjacencies with another router in a local segment if both routers are in the same area.
• The default OSPF area for NSX is Area 51.

Areas are sets of networks that are grouped together. Areas are a collection of routers, links, and networks that have the same area identification. Each OSPF area can combine with other areas and form a backbone area. Backbone areas combine multiple independent areas into one logical routing domain. This backbone area has an ID of 0 (0.0.0.0). The primary responsibility of the backbone area is to distribute routing information between nonbackbone areas.


OSPF Area Types Slide 4- 17

OSPF defines the following types of areas:
• Normal area
• Stub area
• Not so stubby area (NSSA)

Each area maintains a separate link-state database. Stub areas are areas that do not receive route advertisements external to the AS. A not so stubby area (NSSA) is a stub area that can import AS external routes and send them to other areas, but an NSSA cannot receive AS external routes from other areas.


OSPF Normal Area Slide 4- 18

An OSPF normal area is a nonbackbone area that receives full routing updates from the backbone:
• Routers in the area have full visibility of all networks in the OSPF AS.
• No special configuration is needed in the routers.

In an OSPF normal area, routers have full visibility to all networks in the AS. Every router in a normal area knows about every route.


OSPF Stub Area Slide 4-19

An OSPF stub area is a nonbackbone area that receives only a default route from the backbone. Routers within the area continue to exchange routing updates and intra-area routes:
• Routers in the area have full visibility of only networks in their area.
• The stub area is configured at the area border router.

A stub area is useful if routers do not need to know about every route. Routers continue to exchange information in their area but not external destinations. Instead, routers in the area must send external packets to an area border router (ABR). The area border router advertises a default route in place of external routes and generates a network summary link-state advertisement (LSA). Packets destined for an external route are sent to the ABR.


OSPF NSSA Slide 4-20

An OSPF NSSA is a nonbackbone area that receives only a default route from the backbone:
• The NSSA also has an AS boundary router that injects external routes to the area.
• The external routes are advertised to the backbone area.
• Routers in the area continue to exchange routing information for intra-area networks.
• The NSSA is configured on an area border router.

An OSPF NSSA allows external routing information to be imported in a limited fashion into the stub area. OSPF NSSA is useful for making an area aware of a non-OSPF router. This information can be flooded within the area, but the area remains protected from being flooded with all routes.


OSPF Area and Router Types Example Slide 4-21

Areas are logical groupings of hosts, networks, and routers.

(Figure: Area 0 (backbone), Area 813 (normal area) and Area 829 (stub area), each containing internal routers.)

The diagram shows the interactions of the different areas with each other.


Intermediate System to Intermediate System Slide 4-22

IS-IS is a routing protocol that uses the router's link states to determine the optimal path to reach a destination:
• Similar in design to OSPF.
• IS-IS can route non-IP traffic.
• IS-IS was originally defined by ISO/IEC 10589:2002.
• IS-IS is the preferred IGP used by large Internet Service Providers (ISPs) globally.
• In ISO terminology, IS-IS is a router.

IS-IS is an interdomain dynamic routing protocol used to support large routing domains. OSPF is designed to support only TCP/IP networks whereas IS-IS started as an ISO protocol. Both protocols are interior gateway protocols (IGP), but IS-IS runs over layer 2 and is intended to support multiple routed protocols.


IS-IS Features Slide 4-23

Router-level support:
• Area ID, system ID (default router-id), IS-Type (default level-1-2), domain password, and area password
Area-level support:
• Up to 3 IP addresses per area
Interface-level support:
• vNIC name
• Hello timer, hello multiplier
• Metric, priority
• Circuit type
• LSP interval

Level 1 routers belonging to a level 1 area only form neighbor adjacencies with level 1 routers in the same area and have full visibility of their area. Level 2 routers belonging to a level 2 area can form neighbor adjacencies with any level 2 router, including in other areas, and advertise interarea routes. Level 1-2 routers belong to both level 1 and level 2 areas at the same time. Similar to OSPF's ABR, level 1-2 routers can form neighbor adjacencies with any other router in any area. A level 1-2 router takes level 1 area routing updates and propagates them to level 2 areas and the other way round. Only level 2 routers can connect to an external network.


IS-IS Neighbor Adjacency Slide 4-26

IS-IS routers exchange Hello Protocol Data Units (Hello PDU) to discover IS-IS speakers in the segment and to form neighbor adjacencies.

(Figure: a Level 1 Area and the Level 2 Backbone.)

All IS-IS speakers in a segment form neighbor adjacencies with each other:
• Level 1 routers send and listen for level 1 Hello Protocol Data Units (PDUs).
• Level 2 routers send and listen for level 2 Hello PDUs.
• Level 1-2 routers send and listen for level 1 and level 2 Hello PDUs.


IS-IS Design Considerations Slide 4-27

IS-IS has more flexible rules than OSPF regarding neighbor adjacencies and route advertisement:
• Level 2 only routers are not needed.
• Multiple level 1 areas can be joined with level 1 or 2 routers.
• An area cannot be disjointed.
• All routers in the same area should have an area path to every other router in the area.
• Area boundaries exist in the links, not routers.


BGP Features Slide 4-28

iBGP and eBGP support
Router-level configuration:
• Local AS
Neighbor-level configuration:
• Keep alive timer (default 60)
• Hold-down timer (default 180)
• Authentication MD5
• Per neighbor filtering
• Inbound or outbound accept or deny by prefix range

BGP is an inter-AS routing protocol. BGP sessions can be either internal BGP (iBGP) or external BGP (eBGP). eBGP is used when talking to a router that has an AS number that is different from its own. iBGP is used with routers in the same local AS. You can use neighbor-level configurations to configure various settings to customize the BGP configuration.


Border Gateway Protocol Slide 4-29

BGP is a routing protocol that provides route reachability while avoiding path loops:
• BGP is an external gateway protocol (EGP) because BGP is used between different AS under different management controls to advertise routes.
• Each AS administrator chooses which routes to advertise through BGP.
• Each AS administrator chooses which routes to receive through BGP.
• BGP is the standard route advertisement protocol on the Internet.
• Latest BGP version is 4, RFC 4271.

BGP is a standardized exterior gateway protocol designed to exchange routing and reachability information between AS on the Internet.


BGP AS Numbers Slide 4-30

BGP speakers are assigned an AS number (ASN). An ASN uniquely identifies all the BGP speaking routers under the same management control:
• The Internet Assigned Numbers Authority (IANA) assigns public ASNs. Originally BGP supported 2^16, or 65,536 ASNs:
• RFC 6793 expanded ASN support for 2^32, or 4,294,967,296 ASNs.
• ASNs 64,512 through 65,534 and 4,200,000,000 through 4,294,967,294 are internal ASNs for anyone to use.
• These internal ASNs cannot be advertised on the Internet.

An AS is a set of routers under a single technical administration. The AS uses an interior gateway protocol (IGP) and common metrics to determine how to route packets in the AS. The AS uses an inter-AS routing protocol to determine how to route packets to other AS. Each of these AS is uniquely identified using an AS number (ASN).


BGP Peers Slide 4-31

BGP neighbor adjacencies, called peers, are manually configured. Each BGP speaker must have information about the other BGP router before the BGP speaker starts sending hello packets:
• BGP peers establish a communication over TCP port 179.
• If two BGP peers have different BGP ASNs, the peers are called eBGP and BGP assumes that they are under different management control.
• If two BGP peers have the same BGP ASN, the peers are called iBGP and BGP assumes that they are under one management control.

Peers are manually configured to exchange routing information and form TCP connections. A peer in a different AS is called an external peer, while a peer in the same AS is called an internal peer.


BGP Peers Example Slide 4-32

A BGP router is only aware of its BGP neighbors and conducts all control plane communication with them.

(Figure: BGP peers example showing AS 90 with an iBGP peering.)


BGP Route Selection Slide 4-33

A BGP router only installs one path to a route in its routing table. If multiple paths exist for the route, the BGP router selects the best route based on the following criteria:
1. Prefer the path with the highest local preference.
2. Prefer the locally originated path.
3. Prefer the shortest AS path.
4. Choose the path with the lowest origin code.
5. Choose the path with the lowest multiexit discriminator.
6. Choose an eBGP over an iBGP.
7. Choose a route through the nearest IGP neighbor as determined by the lowest IGP metric.
8. Choose a path with the lowest router ID.

BGP routers typically receive multiple paths to the same destination. The BGP best path algorithm is used to determine which path is best to install in the BGP routing table.
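The selection order above, implemented as an added Python example (not NSX code) over constructed candidate paths, with the private-ASN ranges from the AS Numbers slide as a helper. One caveat the slide simplifies: real implementations compare the multiexit discriminator only between paths received from the same neighboring AS.

```python
from dataclasses import dataclass

ORIGIN_CODE = {"IGP": 0, "EGP": 1, "INCOMPLETE": 2}   # lower wins (step 4)

STEPS = [
    "highest local preference", "locally originated", "shortest AS path",
    "lowest origin code", "lowest multiexit discriminator", "eBGP over iBGP",
    "lowest IGP metric to next hop", "lowest router ID",
]


@dataclass(frozen=True)
class Path:
    """One candidate path for a prefix, as a BGP speaker would hold it."""
    prefix: str
    next_hop: str
    as_path: tuple            # neighboring AS first
    local_pref: int = 100
    locally_originated: bool = False
    origin: str = "IGP"
    med: int = 0
    ebgp: bool = True         # learned from an external peer
    igp_metric: int = 0       # cost to reach next_hop through the IGP
    router_id: str = "0.0.0.0"


def _ip_key(addr):
    return tuple(int(octet) for octet in addr.split("."))


def selection_key(p):
    """Tuple ordered step by step so that the smallest key is the best path."""
    return (
        -p.local_pref,                      # 1
        0 if p.locally_originated else 1,   # 2
        len(p.as_path),                     # 3
        ORIGIN_CODE[p.origin],              # 4
        p.med,                              # 5 (simplified, see lead-in)
        0 if p.ebgp else 1,                 # 6
        p.igp_metric,                       # 7
        _ip_key(p.router_id),               # 8
    )


def best_path(paths):
    return min(paths, key=selection_key)


def deciding_step(paths):
    """1-based step that separated the winner from the runner-up (None on a full tie)."""
    ranked = sorted(paths, key=selection_key)
    if len(ranked) < 2:
        return None
    for i, (a, b) in enumerate(zip(selection_key(ranked[0]), selection_key(ranked[1])), 1):
        if a != b:
            return i
    return None


def is_private_asn(asn):
    """ASN ranges reserved for private use; they must not be advertised on the Internet."""
    return 64512 <= asn <= 65534 or 4_200_000_000 <= asn <= 4_294_967_294


def private_asns_in(path):
    """Private ASNs present in the AS path, a sign the path should not leave the AS."""
    return [asn for asn in path.as_path if is_private_asn(asn)]


# Constructed candidates for one prefix (documentation prefixes; 64496-64511 are
# documentation ASNs, 65010 is a private ASN).
CANDIDATES = [
    Path("203.0.113.0/24", "192.0.2.1", (64496, 64497), router_id="10.0.0.1"),
    Path("203.0.113.0/24", "192.0.2.2", (64498,), router_id="10.0.0.2"),
    Path("203.0.113.0/24", "192.0.2.3", (65010, 64499, 64500), local_pref=200, router_id="10.0.0.3"),
]

if __name__ == "__main__":
    winner = best_path(CANDIDATES)
    step = deciding_step(CANDIDATES)
    print(f"best via {winner.next_hop}, decided at step {step}: {STEPS[step - 1]}")
    print("private ASNs in winner's AS path:", private_asns_in(winner))
```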


Concept Summary Slide 4-34

A review of terms used in this lesson:

Which is the interior routing protocol that uses link state tables to map network topology?
Open Shortest Path First (OSPF)

Which protocol floods link state information through a network of routers to map network topology?
Intermediate System to Intermediate System (IS-IS) protocol

Which protocol manually configures and uses TCP to connect to peers?
Border Gateway Protocol (BGP)


Review of Learner Objectives Slide 4-35

By the end of this lesson, you should be able to meet the following objectives:
• Compare OSPF, IS-IS, and BGP
• Describe OSPF area types
• Describe IS-IS routing levels
• Describe the BGP


Lesson 2: NSX Logical Router Slide 4-36


Learner Objectives Slide 4-37

By the end of this lesson, you should be able to meet the following objectives:
• Describe the role of the distributed logical router
• Deploy a distributed logical router


Layer 3 Networking Overview Slide 4-38

The network layer handles the following:
• Selecting routes
• Knowing the addresses of neighboring network nodes
• Prioritizing traffic based on quality of service
• Forwarding messages for local host domains to the transport layer

(Figure: a router connected to endpoints.)

These tasks are performed by the router, which allows routing between different nodes without broadcasting all traffic to all nodes.


Layer 3 Enables Larger Networks Slide 4-39

Layer 3 routers can be linked to other routers and endpoints. Inter-router links allow for much larger networks.

(Figure: routers chained in series, and routers connected through a central router.)

In addition to being linked to endpoints in a local network, the router can be linked to other routers. Nodes that are separated by distance communicate with each other without extending miles of network cables. Placing a router at each group of endpoints and running a single line from router to router is a practical solution. Routers can be chained in series, or connected by a central router.


Distributed Logical Router Slide 4-40

The distributed routing capability in the NSX platform provides an optimized and scalable way of handling East-West traffic in a data center.

Overview:
• Routing between virtual networks without leaving virtual space
• Layer 3 data plane distributed in hypervisor
• Layer 3 control plane running in a virtual machine
• Dynamic routing protocols for route discovery and advertisement
• Simplified deployment using VMware NSX Manager™ UI or API

Scale & Performance:
• 1000 Logical Interfaces per distributed logical router instance
• 1200 distributed logical router instances total
• 100 per VMware ESXi™ host
• Line rate performance per hypervisor

Use Cases:
• Optimize routing and data path in virtual networks
• Supports single tenant or multitenant deployment models

With routing between virtual networks, layer 3 is distributed in the hypervisor. The distributed logical router optimizes the routing and data path, and supports single-tenant or multitenant deployments. For example, consider a network that contains two VNIs that have the same IP addressing: two different distributed routers must be deployed, with one distributed router connecting to tenant A and one to tenant B.


Hairpinning Slide 4-41

The distributed logical router prevents hairpinning.

(Figure: traffic flow without the distributed logical router, between Compute Rack 1 and the Edge/Management Rack that hosts the NSX Edge gateway, across the VXLAN transport network. Callouts: a VM on the green logical switch communicates with a VM on the red logical switch; frames are sent over the VXLAN transport network to the gateway IP of the green logical switch; the packet is delivered to the gateway interface for routing; after the routing decision, the frame is sent to the VM on the red logical switch; the packet is delivered to the destination.)

Without the distributed router, routing is done in one of the following ways:
• A physical appliance is used. All traffic has to go to a physical appliance and come back regardless of whether the virtual machines are on the same host.
• Routing is performed on a virtual router such as the VMware NSX Edge™ gateway. This method uses a virtual machine running on one of the hosts to act as the router.

If virtual machines running on a hypervisor are connected to different subnets, the communication between these virtual machines has to go through a router. This nonoptimal traffic flow is sometimes called hairpinning. The example in the slide illustrates the traffic flow without the distributed logical router:
1. A virtual machine on the first VMware ESXi™ host wants to communicate with a virtual machine on the same ESXi host. The two virtual machines are on separate subnets.
2. A frame is sent by the green virtual machine to the distributed switch. Because the virtual machines are on different subnets, the host forwards the frame to the default gateway.
3. The frame is received by the ESXi host that is hosting the NSX Edge gateway.
4. The packet is delivered to the NSX Edge gateway for routing.
5. The NSX Edge gateway makes a routing decision and sends the packet back to the ESXi host, which forwards the packet back to the red logical switch.
6. The ESXi host that is hosting the red virtual machine receives the packet and forwards the frame to the red virtual machine.
7. The packet is delivered to the red virtual machine.
If the red virtual machine responds, the traffic flow is reversed.


Distributed Logical Router: Logical View Slide 4-42

The distributed logical router kernel modules can route between physical and virtual subnets.

(Figure: Logical Router Instance 1 connected to VXLAN logical switches, VXLAN 5001 with a Web VM and an App VM; Logical Router Instance 2 connected to VLAN 10 and VLAN 20 with an App VM.)

The distributed logical router routes between VXLAN subnets. Two virtual machines might be on the same host and the Web VM on VXLAN 5001 might want to communicate with the App VM on VXLAN 5002. The distributed logical router routes traffic between the two virtual machines on the same host. The distributed logical router can also route between physical and virtual subnets.


Distributed Logical Router: Physical View Slide 4-43

The distributed logical routers run at the kernel module level.

(Figure: physical view with the NSX Controller cluster and the VXLAN transport and management network.)

VMware NSX Manager™ configures and manages the routing service. During the configuration process, NSX Manager deploys the logical router control virtual machine and pushes the logical interface configurations to each host through the control cluster. The logical router control virtual machine is the control plane component of the routing process. The logical router control virtual machine supports the OSPF and BGP protocols. The logical router kernel module is configured as part of the preparation through NSX Manager. The kernel modules are similar to line cards in a modular chassis supporting layer 3 routing. The kernel modules have a routing information base that is pushed through the VMware NSX Controller™ cluster. The kernel module performs all the data plane functions of route lookup and Address Resolution Protocol (ARP) entry lookup. The NSX Controller cluster is responsible for distributing routes learned from the logical router control virtual machine across the hypervisors. Each control node in the cluster takes responsibility for distributing the information for a particular distributed logical router instance. In a deployment where multiple distributed logical router instances are deployed, the load is distributed across the NSX Controller nodes.


Data Path: Host Components Slide 4-44

The distributed logical router instance owns the logical interfaces (LIFs):
• IP addresses are assigned on the LIFs.
• Multiple LIFs can be configured on one distributed logical router instance.
• The LIF configuration is distributed to every host.
• An ARP table is maintained per LIF.
The virtual MAC (vMAC) is the MAC address of the LIF:
• vMAC is the same across all the hosts and it is never seen by the physical network, only by virtual machines.
• Virtual machines use the vMAC as their default gateway MAC address.
The physical MAC (pMAC) is the MAC address of the uplink through which traffic flows to the physical network:
• For VLAN LIFs the pMAC is seen by the physical network.

The distributed logical router owns the logical interface (LIF). This concept is similar to interfaces on a physical router, but on the distributed router the interfaces are called LIFs. The LIF connects to logical switches or distributed port groups. A distributed logical router can have a maximum of 1,000 LIFs. For each segment that the distributed logical router is connected to, the distributed logical router has one ARP table. The media access control (MAC) addresses in this environment are the virtual MAC (vMAC) addresses and the physical MAC (pMAC) addresses. If a LIF connects to a logical switch, the virtual machines use the MAC address associated with that LIF as their next hop for the default gateway. When a virtual machine does an ARP request, the MAC address it learns for the LIF is the vMAC. The vMAC is never stored in the MAC table of a physical switch because the vMAC address is internal to the VXLAN domain. Every host running the same distributed logical router instance presents the same vMAC for each LIF to the virtual machines in the logical switch. If an interface on the distributed logical router connects to a distributed port group, the distributed router might talk to a physical entity by using the source MAC address, so a physical switch sees the pMAC and has the pMAC in its MAC table.


VLAN LIF Slide 4-45

The distributed logical router supports distributed port groups that are backed by VLAN:
• First hop routing is handled on the host and traffic is switched to the appropriate VLAN.
• A designated instance is required per VLAN LIF.
A VLAN ID must be defined on the distributed port group:
• VLAN ID 0 is not supported.
VLAN LIFs can only span one distributed virtual switch.

The logical interface can be one of the following types:
• VXLAN LIF: You connect the router to a logical switch.
• VLAN LIF: You connect the router to a distributed port group that has one or more VLANs.
When the LIF is connected to a VLAN, the LIF has a pMAC, and when the LIF is connected to a VXLAN, the LIF has a vMAC. VLAN LIFs can only span one distributed switch because the VLAN LIF is a port group and a port group can only belong to one distributed switch. But a logical switch can be configured across multiple distributed switches.

234

VMware NSX: Install, Configure , Manage

Designated Instance Slide 4-46

The designated instance is the host responsible for resolving ARP on a VLAN LIF:
• One designated instance exists per VLAN LIF.
• Any ARP request in the distributed port group is handled by the designated instance.
VMware NSX Controller selects the designated instance:
• NSX Controller pushes the designated instance selection to all other hosts.
When the designated instance fails, NSX Controller does the following:
• Elects another host as the designated instance
• Informs the remaining hosts about the new designated instance

The distributed logical router is connected to a port group that gives access to the physical network. The physical network might not be able to determine which of the hosts owns the MAC address for that VLAN LIF at any point in time. To overcome this problem, each host has its own pMAC address for the VLAN LIF, but only one host responds to ARP requests for the VLAN LIF. The host that responds to ARP requests for the VLAN LIF is called the designated instance, and it is chosen by NSX Controller. The designated instance also sends ARP requests on behalf of all other hosts. All ingress traffic to the VLAN LIF is received by the designated instance. All egress traffic from the VLAN LIF leaves the originating host directly, without going through the designated instance.


VXLAN LIF Slide 4-47

The distributed logical router supports logical switches that are backed by VXLAN:
• First hop routing is handled on the host and traffic is switched to the appropriate logical switch:
  • If the destination is at another host, the Ethernet frame is placed in a VXLAN frame and forwarded.
• A designated instance is not required.
• Only one VXLAN LIF can connect to a logical switch.
• The next hop router can be an NSX Edge services gateway.
• A VXLAN LIF can span all distributed switches in the transport zone.
• Distributed logical routers perform best with VXLAN LIFs.

If the VXLAN LIF connects to a VXLAN port group or logical switch, the LIF has a vMAC that is used by all hosts. No designated instance exists because the vMAC is never visible in the physical network.

You can have only one VXLAN LIF connecting to a logical switch. Only one distributed logical router can be connected to a logical switch.


Control Plane: Components Slide 4-48

The distributed logical router control plane is provided by a per-instance logical router control virtual machine and NSX Controller.
Supports dynamic routing protocols:
• OSPF
• BGP
High availability is supported through an active-standby configuration.
The logical router control virtual machine communicates with NSX Manager and the NSX Controller cluster:
- NSX Manager sends LIF information to the control virtual machine and the NSX Controller cluster.
- The control virtual machine sends routing updates to the controller cluster.

When a distributed logical router is deployed, the logical router control virtual machine is also deployed. The logical router control virtual machine handles all control plane communications for the distributed logical router. To enable high availability, deploy two logical router control virtual machines and designate one as active and one as standby (passive). If the active logical router control virtual machine fails, the standby logical router control virtual machine takes 15 seconds to take over. Because the control virtual machine is not in the data plane, data plane traffic is not affected during the failover. Enabling or disabling high availability adds or removes a logical router control virtual machine: when high availability is enabled, NSX Manager has the VMware vCenter Server system deploy a second logical router control virtual machine. The logical router control virtual machine handles the OSPF and BGP protocols, so without a standby logical router control virtual machine you might lose neighbor adjacencies if the active logical router control virtual machine has a problem.


Logical Router Control Virtual Machine Slide 4-49

The logical router control virtual machine is a control plane component:
• The logical router control virtual machine does not perform any routing.
• Routing is performed by the distributed logical router in the data plane.
• The firewall on the distributed logical router only secures the control virtual machine.

Diagram: control plane (NSX Logical Router Control VM) separated from the data plane.

The topology needs firewalling at the perimeter to restrict access between the distributed routers. On each distributed router, firewall rules only allow traffic between certain devices and selected traffic from the outside.

The topology can easily be converted to a multitenancy configuration by inserting an NSX Edge instance above each of the three logical routers. The original NSX Edge instance becomes the perimeter NSX Edge instance that is shared by the three tenant NSX Edge instances. The NSX Edge instances allow each tenant its own configuration. Often, the NAT device also belongs to the tenant.


Distributed Router Traffic Flow: Same Host Slide 4-53

Diagram: Host 1 runs the virtual machines 192.168.10.10 and 192.168.20.10 and the distributed router's internal LIFs (LIF1: 192.168.20.1, LIF2: 192.168.10.1), both presenting the vMAC; the logical router control VM and Host 2 are reachable over the VXLAN transport network. Frame labels in the diagram: DA: vMAC, SA: MAC1 in the Ethernet header; DA: 192.168.10.10, SA: 192.168.20.10 in the IP header. Routing table on the host:

192.168.10.0  255.255.255.0  0.0.0.0  Direct
192.168.20.0  255.255.255.0  0.0.0.0  Direct

The diagram is a packet walk through the network:
1. Virtual machine 1 (VM1) on VXLAN 5001 attempts to communicate with virtual machine 2 (VM2) on VXLAN 5002.
2. VM1 sends a frame carrying the layer 3 IP packet to its default gateway. The default gateway uses the destination IP address to determine that it is directly connected to that subnet.
3. The default gateway checks its ARP table and finds the correct MAC address for that destination.
4. VM2 is running on the same host, so the default gateway passes the frame to VM2.


Distributed Router Traffic Flow: Different Host Slide 4-54

Diagram: Host 1 and Host 2 connected by the VXLAN transport network. Inside Host 1 the routed frame carries DA: MAC2, SA: vMAC; on the transport network the frame carries DA: MAC2, SA: pMAC1.

In the example, virtual machine 1 (VM1) on VXLAN 5001 attempts communication to virtual machine 2 (VM2) on VXLAN 5002:
1. VM2 is on a different subnet, so VM1 sends the frame to its default gateway, the vMAC of the LIF on VXLAN 5001.
2. The distributed router on the host receives the frame and determines that the destination IP address is on a directly connected interface.
3. The router checks its ARP table to obtain the MAC address of the destination virtual machine. If the MAC address is not listed, the router resolves it by sending an ARP request on the logical switch for VXLAN 5002.
4. Once the MAC address is known, the source and destination MAC addresses on the internal frame are rewritten: the destination MAC address is the address of VM2 and the source MAC address is the vMAC of the LIF for that subnet. The logical switch on the source host determines that the destination is on host 2.
5. The logical switch places the Ethernet frame in a VXLAN frame and sends it to host 2. As the diagram's DA: MAC2, SA: pMAC1 label shows, the frame that crosses the transport network carries the originating host's pMAC rather than the shared vMAC as its source.
6. Host 2 takes out the layer 2 frame, looks at the destination MAC address, and delivers it to the destination virtual machine.
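The two packet walks (same host on slide 4-53, different host on slide 4-54), as an added Python model that is not VMware code: one host's copy of the distributed router does the route lookup across its directly connected LIFs, consults its ARP table, rewrites the layer 2 header with the shared vMAC as source, and either delivers locally or hands the frame to the logical switch for VXLAN encapsulation towards the remote host. The subnets and VNIs follow the slides; the MAC addresses, host names, the extra VM3 on host 2 and the vMAC value are assumptions for the example, and the pMAC rewrite on the transport network is left out.

```python
"""Packet walk through a distributed logical router (added example, not
VMware code). Models the same-host (deliver locally) and different-host
(VXLAN encapsulate) cases. MACs, host names and the vMAC value are assumed."""
import ipaddress
from dataclasses import dataclass

VMAC = "02:50:56:56:44:52"   # assumed vMAC; the point is that it is identical on every host


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str


@dataclass(frozen=True)
class VM:
    name: str
    ip: str
    mac: str
    vni: int     # logical switch (VXLAN segment) the vNIC is connected to
    host: str


class DLRInstance:
    """The copy of the distributed logical router running on one host.
    `lifs` maps VNI -> LIF subnet (every LIF is a directly connected route).
    `vms` seeds the ARP table and the logical switch's MAC-to-host table
    the way the controller would have populated them."""

    def __init__(self, host, lifs, vms):
        self.host = host
        self.lifs = {vni: ipaddress.ip_network(net) for vni, net in lifs.items()}
        self.arp = {vm.ip: vm.mac for vm in vms}        # per-segment ARP entries, flattened
        self.mac_table = {vm.mac: vm.host for vm in vms}  # where the logical switch sends a MAC

    def lookup_route(self, dst_ip):
        """Return the VNI of the LIF whose subnet contains dst_ip, or None."""
        dst = ipaddress.ip_address(dst_ip)
        for vni, net in self.lifs.items():
            if dst in net:
                return vni
        return None

    def forward(self, frame):
        # Step 1: the VM addressed the frame to its gateway, that is the vMAC.
        if frame.dst_mac != VMAC:
            return {"action": "not-for-router"}
        # Step 2: route lookup among the connected LIFs.
        vni = self.lookup_route(frame.dst_ip)
        if vni is None:
            return {"action": "drop", "reason": "no route"}   # no default route in this model
        # Step 3: ARP table; an unknown host must be resolved on that logical switch first.
        dst_mac = self.arp.get(frame.dst_ip)
        if dst_mac is None:
            return {"action": "arp-request", "vni": vni, "target": frame.dst_ip}
        # Step 4: rewrite the L2 header: dst = the VM's MAC, src = the LIF's vMAC.
        inner = Frame(dst_mac, VMAC, frame.src_ip, frame.dst_ip)
        dest_host = self.mac_table[dst_mac]
        if dest_host == self.host:
            return {"action": "deliver", "frame": inner}
        # Step 5: destination lives elsewhere: VXLAN-encapsulate towards that host.
        return {"action": "vxlan", "vni": vni, "remote_host": dest_host, "inner": inner}


def build_host1():
    vms = [VM("VM1", "192.168.10.10", "00:50:56:00:00:01", 5001, "host1"),
           VM("VM2", "192.168.20.10", "00:50:56:00:00:02", 5002, "host1"),
           VM("VM3", "192.168.20.20", "00:50:56:00:00:03", 5002, "host2")]
    return DLRInstance("host1", {5001: "192.168.10.0/24", 5002: "192.168.20.0/24"}, vms)


def demo():
    dlr = build_host1()
    mac1 = "00:50:56:00:00:01"
    same = dlr.forward(Frame(VMAC, mac1, "192.168.10.10", "192.168.20.10"))     # VM1 -> VM2, same host
    remote = dlr.forward(Frame(VMAC, mac1, "192.168.10.10", "192.168.20.20"))   # VM1 -> VM3 on host2
    unknown = dlr.forward(Frame(VMAC, mac1, "192.168.10.10", "192.168.20.99"))  # no ARP entry yet
    noroute = dlr.forward(Frame(VMAC, mac1, "192.168.10.10", "10.0.0.1"))       # not on any LIF
    return same, remote, unknown, noroute


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The model makes the security-relevant property of the design visible: routing happens on the source host before anything touches the transport network, so a filter applied at the LIF (the distributed firewall sits at the vNIC) sees the traffic before it is encapsulated, and a remote host only ever receives frames already addressed to a MAC on its own logical switch.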


Lab 5: Introduction (1) Slide 4-55

Add an NSX Edge as a distributed router virtual machine.

Screenshot: New NSX Edge wizard with the steps Name and description, CLI credentials, Configure deployment, Configure HA, and Ready to complete; the Install Type selector lists Edge Services Gateway.

Diagram: bridge instance with Port 1 and Port 2; MAC 1 and MAC3.

The example shows the traffic flow from the virtual machine to the physical server after the initial ARP request is resolved:
1. The virtual machine sends a packet destined for the physical server.
2. The ESXi host locates the destination MAC address in its MAC address table.
3. The ESXi host sends the traffic to the bridge instance.
4. The bridge instance receives the packet and locates the destination MAC address.
5. The bridge instance forwards the packet to the physical network.
6. The physical switch receives the traffic and forwards it to the physical host.
7. The physical host receives the traffic.


ARP Request from VLAN Slide 4-74

Diagram: physical host (MAC3) on the layer 2 network, VLAN 100, bridge instance, VXLAN 5001 with VM1 and VM2.

The slide shows an example of an ARP request from a physical host on a VLAN to a virtual machine on VXLAN:
1. The physical server broadcasts an ARP request on the VLAN for a virtual machine on the VXLAN.
2. The frame is sent to the physical switch, which forwards it to all ports on VLAN 100.
3. The ESXi host receives the frame and passes it up to the bridge instance.
4. The bridge instance receives the frame and looks up the destination in its MAC address table.
5. Because the frame is a broadcast and the bridge instance does not know the target's MAC address, it floods the request onto VXLAN 5001 to resolve the MAC address.
6. All ESXi hosts on the VXLAN receive the broadcast and forward the frame to their virtual machines. VM2 drops the frame, but VM1 sends an ARP response.
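The bridged ARP exchange above and the resolved unicast flow on the preceding slide, as an added Python learning bridge that is not VMware's bridge implementation: frames are learned by source MAC and by the side they arrived on, broadcasts and unknown destinations are flooded to the other side, known destinations are forwarded, and frames whose destination sits on the ingress side are filtered. VLAN 100 and VXLAN 5001 follow the slide; the MAC addresses and payload labels are constructed.

```python
"""Learning bridge between a VLAN and a VXLAN segment (added example, not
VMware's bridge code). Models the ARP walk on slide 4-74 and the resolved
unicast flow on the preceding slide. MACs and payload labels are constructed."""
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    dst_mac: str
    src_mac: str
    payload: str


class BridgeInstance:
    """One bridge instance joining a VLAN port group and a logical switch."""

    def __init__(self, vlan_id, vni):
        self.vlan = ("vlan", vlan_id)
        self.vxlan = ("vxlan", vni)
        self.mac_table = {}          # mac -> side the bridge learned it on

    def other_side(self, side):
        return self.vxlan if side == self.vlan else self.vlan

    def receive(self, side, frame):
        """Process a frame arriving on `side`; returns (action, egress side)."""
        self.mac_table[frame.src_mac] = side              # learn the source
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            return ("flood", self.other_side(side))       # unknown or broadcast: flood across
        if self.mac_table[frame.dst_mac] == side:
            return ("filter", None)                        # destination on ingress side: nothing to bridge
        return ("forward", self.mac_table[frame.dst_mac])  # known on the far side: forward


def demo():
    br = BridgeInstance(vlan_id=100, vni=5001)
    mac1, mac2, mac3 = "00:50:56:00:00:01", "00:50:56:00:00:02", "00:1b:21:00:00:03"
    # Steps 1-5: the physical server (MAC3) broadcasts an ARP request on VLAN 100;
    # the bridge learns MAC3 on the VLAN side and floods the request onto VXLAN 5001.
    arp_req = br.receive(br.vlan, Frame(BROADCAST, mac3, "who-has 192.168.10.10"))
    # Step 6: VM1 answers (VM2 drops the request). MAC3 is now known, so the
    # unicast reply is forwarded to the VLAN, not flooded.
    arp_reply = br.receive(br.vxlan, Frame(mac3, mac1, "192.168.10.10 is-at MAC1"))
    # VM2 also speaks on the logical switch, so the bridge learns MAC2 on the VXLAN side.
    br.receive(br.vxlan, Frame(BROADCAST, mac2, "gratuitous arp"))
    # VM1 -> VM2 stays on the logical switch; the bridge filters it rather than leaking it to the VLAN.
    local = br.receive(br.vxlan, Frame(mac2, mac1, "vm-to-vm"))
    # VM1 -> physical server after ARP is resolved (previous slide): forwarded straight to the VLAN.
    data = br.receive(br.vxlan, Frame(mac3, mac1, "vm-to-physical"))
    return arp_req, arp_reply, local, data, dict(br.mac_table)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The flood-on-unknown step is the part to keep in mind when a bridge joins an overlay to a physical VLAN: until the bridge has learned a MAC, unknown-unicast and broadcast traffic from one side appears on the other, which is why the bridged VLAN should carry only the hosts that are meant to see the logical switch.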


Concept Summary Slide 4-75

A review of terms used in this lesson: Which action connects a VLAN and a VXLAN network as the same logical network?

Bridging


Learner Objectives Slide 4-76

By the end of this lesson, you should be able to meet the following objectives:
• Describe layer 2 bridging between VXLANs and VLANs
• Describe the traffic flow between VXLAN and VLAN
• Configure layer 2 bridging


Lesson 4: NSX Edge Services Gateway Slide 4-77


Learner Objectives Slide 4-78

By the end of this lesson, you should be able to meet the following objectives:
• Deploy NSX Edge gateway
• Deploy OSPF on NSX Edge


NSX Edge Gateway Slide 4-79

The NSX Edge gateway connects isolated stub networks to shared (uplink) networks.

Diagram: NSX Edge Services Gateway, Logical Router Control, NSX Manager, Physical Network.

NSX Edge supports OSPF, an interior gateway protocol (IGP) that routes IP packets only within a single routing domain. NSX Edge gathers link state information from available routers and constructs a topology map of the network. The topology determines the routing table presented to the Internet layer, which makes routing decisions based on the destination IP address found in IP packets.


Integrated Network Services Slide 4-80

NSX Edge provides common gateway services such as DHCP, VPN, NAT, dynamic routing, and load balancing: firewall, load balancer, VPN, routing and NAT, DHCP and DNS relay.

Overview
• Integrated L3 to L7 services
• Virtual appliance model to provide rapid deployment and scale-out
Benefits
• Real-time service instantiation
• Support for dynamic service differentiation per tenant or application
• Uses x86 compute capacity

Several perimeter services are available for the NSX Edge gateway. These services are not embedded in the distributed router. The NSX Edge gateway is a virtual machine that has one interface connected to the virtual machine segment through logical switches or distributed and standard port groups.

These services are meant to work in environments where a third-party solution might not exist. Sometimes a third-party solution might be more effective than an NSX Edge service because that solution is a dedicated device and not a multipurpose device like NSX Edge. All of these services can be disabled to allow a third-party solution to be deployed. In a multitenancy environment, NSX Edge NAT might be needed if duplicate IP segments exist.


NSX Edge Services Gateway Sizing Slide 4-81

NSX Edge can be deployed in four different configurations:
• X-Large: 6 vCPU, 8192 MB vRAM. Suitable for a high performance layer 7 load balancer.
• Quad-Large: 4 vCPU, 1024 MB vRAM. Suitable for high performance firewall and routing.
• Large