© Copyright 2017 Dell Inc.
Disclaimer
• This presentation may contain product features that are currently under development.
• This overview of new technology represents no commitment from VMware to deliver these features in any generally available product.
• Features are subject to change, and must not be included in contracts, purchase orders, or sales agreements of any kind.
• Technical feasibility and market demand will affect final delivery.
• Pricing and packaging for any new technologies or features discussed or presented have not been determined.
Session Agenda
1 NSX introduction and use cases
2 NSX security and micro-segmentation
3 Automation with VMware NSX
4 Application continuity with NSX
5 NSX operations
6 Close
NSX is growing in momentum
• 2,400+ customers, 100% YoY growth
• Broad adoption: small, mid- and large enterprises across all verticals
• License bookings: >50% YoY growth in Q4 (Q416)
NSX customer use cases
Security: Inherently secure infrastructure
• Micro-segmentation
• DMZ Anywhere
• Secure End User
Automation: Apps at the speed of business
• IT Automating IT
• Multi-tenant Infrastructure
• Developer Cloud
Application continuity: Data center anywhere
• Disaster Recovery
• Cross Cloud
• Multi Data Center Pooling
NSX vision
Traditional applications
Cloud-native applications
Any application
Any compute platform
Build-your-own Converged infrastructure
Hyper-converged infrastructure
Any infrastructure
Security, Availability, Connectivity
Unified management and policy framework with ecosystem
NSX Architecture and Components
Cloud consumption
• Self-service portal
• vRealize Automation, OpenStack, vCloud Director, Custom CMP
Management plane: vCenter Server, NSX Manager
NSX Manager
• Single configuration portal
• REST API entry-point
Control plane
NSX Controller
• Manages logical networks
• Control plane protocol
• Separation of control and data plane
• Controller is not in the data path
Data plane
NSX Edge
• High-performance data plane
• Scale-out distributed forwarding model
• Flexibility for connecting logical networks to physical
Diagram labels: Logical network, Physical network, Hypervisor, VDS, Distributed Services, HV Kernel Modules (Logical Switch, Distributed Logical Router, Firewall), HW VTEP
How do I get started with NSX?
1 Learn about NSX
2 Start small and grow
3 Leverage best practices and validated designs
Start Small with Specific Use Case
Single Cluster with NSX
• VDI micro-segmentation – Security only – NSX Mgr
• DEV/QA Services/Security – ESG – LB/Security
• Satellite/ROBO one or two rack
Separate Compute, Common Edge and Management Cluster
• Multi-workload & VDI
• Multi-rack QA/DEV
• Grow to large DC
Diagram labels: WAN/Internet, L3, L2, Host 1, Host 2, Host 3, Host x, Host y, Host 32, Management & Edge Clusters, Compute Cluster
Flexible, Scalable, Secure & Multi-use
Flexibility – DLR, Stand-alone, Services & Isolation
• DLR for production workload
• DevOps & QA isolation
• Per app services
Scalability
• ECMP BW as needed
• Edge-HA based on use case
• In line routed LB segment
• In line NAT & private segment
Secure
• DFW and Edge FW
• Multi-vendor integration
Automation – Blueprints and Security
Multi-use topology
• Automated DevOps segments
• VDI Segments
• Enterprise work load
Diagram labels: External Networks, Dynamic Routing (OSPF, BGP), ECMP Edges, Distributed Logical Router
• Web, App and DB logical switches (Routed) behind the Distributed Logical Router: 172.16.10.0/29, 172.16.10.8/29, 172.16.10.16/29
• In-line LB, Routed: Web Logical Switch (Routed), App LS (Routed), DB LS (Routed): 172.16.20.0/29, 172.16.20.8/29, 172.16.20.16/29
• In-line LB, NAT & Private: Web Logical Switch (NAT), App LS (Private), DB LS (Private): 172.16.100.0/24, 172.16.101.0/24, 172.16.102.0/24
NSX Reference Design 3.0: https://communities.vmware.com/docs/DOC-27683
NSX customer use cases – Security
NSX Security Architecture Overview
Any App, Any VM, Anywhere
Diagram labels: DFW, Service Composer, Security Groups, Policy, Eco System
Design and Architectural Benefits
• Built-in and not bolt on
• On demand and dynamic security enforcement
• Follow life cycle of resources
• Run time redirection and insertion
• Topology independent, not tied to physical
• DR and multi-site capable
• Platform eco-systems
• Protect, detect, inoculate - any application, any time, anywhere
NSX Micro-segmentation
Isolation
• No communication path between unrelated networks
Segmentation
• Controlled communication path within a single network
Advanced Services
• Addition of third-party security from NSX Ecosystem, as needed by policy
Each VM can now be its own perimeter
Policies align with logical groups
Prevents threats from spreading
Compliance (PCI, HIPAA)
Securing east-west traffic within VDI environments
With VDI your data center has a much larger security surface area
• High cost of physical security environment
• Hard to implement
• Complex to manage
Diagram labels: Internet, Data center perimeter, West, East, VDI
NSX for VDI environments
• Desktop-to-desktop control
• Desktop-to-enterprise control
• Security services: agentless AV, NGFW, IPS
• Load balancing
• Edge firewall
• NAT
• VPN
• Elasticity to spin new pools
• Capacity expansion
Secure DMZ
Delivering inherently secure infrastructure
Business value: More secure and 1/3 the cost of less secure infrastructure
Secure user environments
Security policies simplified
Logical groups enabled
Threats contained
Diagram labels: Internet, Data center perimeter, DMZ
Micro-segmentation simplifies network security
• Each VM can now be its own perimeter
• Policies align with logical groups
• Prevents threats from spreading
Diagram labels: Perimeter firewall, Inside firewall, DMZ, App, DB, Services (AD, NTP, DHCP, DNS, CERT), Finance, Engineering, HR
Security Evaluation Workflow
Diagram stages: Identify Group/Apps/Zone; Decide Default Allow or Deny & Log; On-Board New Apps; Monitor Logs to R/Define Rules; Shared Services Rules; E-W Intra-App Rules
1. Prepare Infrastructure for NSX
2. Create Default Rules to allow all and log traffic
3. Create Shared Services Rules
4. On-board new application or start with an existing application
5. Use NSX toolset to dynamically determine required ruleset
a) Syslog
b) IPFIX
c) vRealize Network Insight
6. Create E-W Intra-Application or Intra-Zone Rules
7. Continue for other applications or workloads
Customer Story: Secure Datacenter connectivity
• The problem statement
CHALLENGES
1. Need to provide granular segmentation and reduce risk
2. Simplify access to shared services for new apps
3. Automate app deployment with security
Diagram labels: Internet, Data center 1 Perimeter, Data center 2 Perimeter, Production, PCI, Non-production, Shared services
Customer Story: Secure Datacenter connectivity
• NSX solution
IMPLEMENTATION
1. Start on existing brownfield network
2. Map environments to security groups
3. Security group for Shared Services
4. Leverage NSX Security tagging to classify workloads
5. Simplify and automate by leveraging NSX Security Policy
Diagram labels: Internet, Data center 1 Perimeter, Data center 2 Perimeter, Production, PCI, Non-production, Shared services
NSX Customer References – Security
• Tackle The Security Challenge Of Endpoints Without End
• Learn How To Put Security At the Very Core of Your Organization With Secure Infrastructure
Hands on Labs: HOL-1703-SDC (NSX), 1723 (Palo Alto), 1724 (Check Point) and 1741 (Horizon VDI): https://HOL.VMWARE.COM
NSX customer use cases – Automation
Automating IT processes
Delivering IT at the speed of business
Business value: Reduce infrastructure provisioning time from weeks to minutes
• IT automating IT
• Multi-tenant Infrastructure
• Developer cloud
Diagram labels:
• Management APIs, UI
• Policies, groups, tags
• Switching
• Routing/NAT
• Load balancing
• Connectivity to physical networks
• Firewalling
• VPN
• Data security
• Activity monitoring
Traditional infrastructure provisioning with networking
Days - weeks of manual efforts (Wait, Work, Wait, Wait)
Network infrastructure service:
• Switch: Connect Ethernet cables, configure switch port, VLANs, access control lists, assign IP addresses
• Router: Configure router interface to connect to switch ports. Configure routing protocols.
• Firewall: Connect networks to firewall appliances, configure firewall rules based on physical constructs, e.g. IP address and VLANs
• Load balancer: Connect networks to load balancer appliances, create and populate load balancer pool, assign Virtual IP address to external interface
NETOPS, SECOPS, LOAD BALANCER ADMIN
NSX IT automation capabilities
GUI, API, Cloud management platform
• UI and workflow-based consumption of networking and security
• Programmatic consumption
• Enables easy automation of both installation and deployment processes
• Networking and security deployment as a part of application deployment
GitHub Repo - https://powernsx.github.io/ & https://github.com/vmware/powernsx
Customer Story: Automate IT Delivery
The problem statement
CHALLENGES
• Manual and labor intensive deployment of IT services
• Slow Day 2 Operations
• Business works around IT with cloud services
Diagram labels: Data center, Cloud, Line of Business, Internal IT, Physical Devices, Inconsistent results, Dissatisfied LoB users
Customer Story: Automate IT Delivery
NSX solution
BENEFITS
• Automated delivery of multi-tier applications
• Security and consistency built into the provisioning process
• Improved service level for business users avoiding Shadow IT
Diagram labels: Manual network configuration; Automated application deployment; “Zero Touch” deployment; Weeks or days; Minutes; Wait, Work, Wait; vRealize Automation; VMware NSX Network virtualization; VMware ESX Compute virtualization; OS
Automation Topology
Pre-created Construct
• Provider ECMP for scale
• DLR e.g. production traffic
• All app segments can be dynamically created and attached to DLR with security group
QA/DevOps Topology
• Provider Edge HA
• Common transit VXLAN segment
• Allows provider Edge in Edge Cluster
QA/DevOps Tenant Edge/Segments
• Resides in compute for growth and agility
• NAT with In line LB
• Create as many Edge with NAT
• No need to advertise subnets of each NATed QA segments
Diagram labels: ToR, ECMP Edges, Edge - HA, Distributed Logical Router
• Web, App and DB logical switches (Routed): 172.16.10.0/29, 172.16.10.8/29, 172.16.10.16/29
• Web, App and DB logical switches (Routed): 172.16.11.0/29, 172.16.11.8/29, 172.16.11.16/29
• In-line LB, NAT: Web Logical Switch (NAT), App LS (Private), DB LS (Private): 172.16.100.0/24, 172.16.101.0/24, 172.16.102.0/24
• In-line NAT: Web Logical Switch (NAT), App LS (Private), DB LS (Private): 172.16.100.0/24, 172.16.101.0/24, 172.16.102.0/24
vRealize Automation and NSX Extensibility Kit: https://communities.vmware.com/docs/DOC-30791
NSX Customer References – Automation
• Enterprise Hybrid Cloud – Dell/EMC Converged Solution
Hands on Labs: HOL-1720-SDC and 1721: https://HOL.VMWARE.COM
NSX customer use cases – Application Continuity
Application continuity
Delivering data center anywhere
Business value: Reduce RTO, new availability model
• Disaster recovery
• Active Active
• Hybrid cloud networking
Diagram labels: Data center #1, Data center #2, Cloud
Multisite networking and security (Cross-vCenter NSX)
Secure, high availability, distributed, virtualized resource pool
Diagram labels: Site-A, Site-B, vCenter-A, vCenter-B, NSX Primary, NSX Secondary, Local storage, < 150 ms, Universal distributed logical router
NSX-V Multi-site Options and Cross-VC NSX Design Guide: https://communities.vmware.com/docs/DOC-32552
Cross Cloud Connectivity
Connect at layer 2 or layer 3
Secure L2/L3 connectivity between on-premises and providers enabling hybrid cloud
Diagram labels: Private cloud, Cloud provider
Customer Story: Simplified Disaster Recovery
The problem statement
CHALLENGES
• Complex DR processes with manual, error prone steps
• Overprovisioned capacity
• Lengthy RTO to recover applications
• No granularity for DR, all or nothing only
Steps shown in the diagram:
1 Protect VM
2 Replicate VM & Storage
3 Recover the VM
4 Change IP Address (or stretch L2), Reconfigure Security and Network Services
Step 1 & 2 (e.g. VMware SRM)
Diagram labels: Primary Site, Recovery Site, vSphere, SAN, Physical Network Infrastructure, 10.0.10/24, 10.0.20/24, 10.0.10.21, 10.0.20.21, Major RTO Impact
Customer Story: Simplified Disaster Recovery
NSX solution
BENEFITS
• Consistent Networking and Security across sites
• VM mobility and granular Disaster Recovery
• Integration with Site Recovery Manager
• Significantly reduced complexity
Steps shown in the diagram:
1 Protect VM
2a Replicate VM & Storage
2b Synchronize network & security
3 Recover the VM
Step 1 & 2 (e.g. VMware SRM)
Diagram labels: Primary site, Recovery site, vSphere, SAN, Physical network infrastructure (10.0.20.0/24, 10.0.30.0/24), Virtual network 10.0.10/24 at both sites, 10.0.10.21, NSX Manager (Primary), NSX Manager (Secondary), Network & security already exists, Reduce RTO
Disaster Recovery with NSX and SRM: https://communities.vmware.com/docs/DOC-31692
Dell EMC Enterprise Hybrid Cloud 4.1.1 platform
• Dell EMC Converged & Hyper-Converged Infrastructure: Factory-integrated data center building blocks
• Software-Defined Infrastructure: Elastic, automated & software-controlled infrastructure
• Cloud Management & Operations: Self-service portal with a catalog, orchestration engine, operations management & cost transparency
• Engineered Modular Add-ons: Pre-packaged options maintained and supported with the platform
• Professional Services: Pre-packaged services portfolio
• Integrations: Customized extensions implemented in the field
• Public Cloud: IaaS Providers
• Co-existing Solutions
• Engineered Automation
Diagram labels: Prepare, Deploy, Extend, Manage; Required components, Customizable options; Backup Protection, Continuous Availability, Disaster Recovery; VMware Integrated OpenStack; VMware vRealize Code Stream; Microsoft Apps, Oracle DBaaS, SAP / SAP HANA; Encryption Services, Multi-Site Management; Future; More coming…
Best practices and guidance based on production customers
Not complicated, minimal changes, and clear path for success
More than 850+ enterprises have operationalized NSX
The maturity model: the path to the vision
People
• Organization (Structure): from Siloed to Blended
• People (Roles & Responsibilities): from Specialization to Cross-domain and discipline
Process
• Processes: from Manual to Automated
• Tooling: from Legacy to Modern
Architecture
• Architecture: from 3-tier to Leaf-spine fabric
• Infrastructure: from Physical to Virtual
Networking and Security Operations Requirements
• Monitoring
• Troubleshooting
• Change And Audit Management
• Capacity Management
NSX Operation Guide: https://communities.vmware.com/docs/DOC-30079
NSX Provides Highest Level of Visibility
Native Capabilities
• NSX API
• Syslog
• IPFIX
• Port Mirroring
• SNMP
• Traceflow
• And more…
Integration with VMware Tools
• vRealize Network Insight (formerly Arkin)
• Log Insight: NSX Content Pack
Integration with Partner Ecosystem
Capabilities listed on the slide:
• Log Monitoring and Analytics
• SDDC Event Correlation
• Alerting
• Centralized Logging
• Per Service Dashboards
• P+V Topologies
• Tunnel Visibility
• Distributed Monitoring
• Impact Analysis
• Bandwidth Utilization
• Application Performance Monitoring
NSX is Mainstream
• IT Automation: Private Cloud. Reduce infrastructure provisioning time from weeks to minutes
• Security: Micro-segmentation. Secure infrastructure at 1/3 of the cost
• Application Continuity: Disaster Recovery. Reduce RTO by 50%
Next steps on the path to NSX
1 Learn about NSX
• Understand your key challenges and how NSX can help
• Define requirements for your solution
• Try NSX out with HOL
2 Start small and grow
• Start with a small project and add functionality in phases
• Brownfield vs Greenfield
• NSX implementation can begin at an Environment or Cluster level
• Define operational model
3 Leverage validated designs
• NSX Design Guides
• VVD
• EHC
• Partners
• Engage the VMUG NSX community
NSX Vision
Managing Security and Connectivity for many Heterogeneous End Points
• New app frameworks
• Branch offices/Edge Computing/IOT
• End Users
• On-prem
• Bare metal
• Cloud
• vCloud Air Network
Where to get started
Learn
• Join the NSX VMUG Community: vmug.com/nsx
• NSX Product Page & Technical Resources: vmware.com/products/nsx
• Network Virtualization Blog: blogs.vmware.com/networkvirtualization
• VMware NSX on YouTube: youtube.com/user/vmwarensx
Experience
• Visit the VMware Booth: Use case demos, chat with SDDC Expert
• Test Drive NSX with free Hands-on Labs: Expert-led or Self-paced. labs.hol.vmware.com
• Join the VMUG Advantage Program: access a 1-year NSX Eval and exclusive trainings and certs. vmug.com/VMUG-Join/VMUG-Advantage
Use
• NSX Proactive Support Service: Optimize performance based on data monitoring and analytics to help resolve problems, mitigate risk and improve operational efficiency. vmware.com/consulting
Take
• Training and Certification: Several paths to professional certifications. Learn more at the Education & Certification Lounge. vmware.com/go/nsxtraining